The Design and Implementation of the FreeBSD Operating System, Second Edition
Now available: The Design and Implementation of the FreeBSD Operating System (Second Edition)


[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]

FreeBSD/Linux Kernel Cross Reference
sys/security/audit/audit_bsm.c

Version: -  FREEBSD  -  FREEBSD-13-STABLE  -  FREEBSD-13-0  -  FREEBSD-12-STABLE  -  FREEBSD-12-0  -  FREEBSD-11-STABLE  -  FREEBSD-11-0  -  FREEBSD-10-STABLE  -  FREEBSD-10-0  -  FREEBSD-9-STABLE  -  FREEBSD-9-0  -  FREEBSD-8-STABLE  -  FREEBSD-8-0  -  FREEBSD-7-STABLE  -  FREEBSD-7-0  -  FREEBSD-6-STABLE  -  FREEBSD-6-0  -  FREEBSD-5-STABLE  -  FREEBSD-5-0  -  FREEBSD-4-STABLE  -  FREEBSD-3-STABLE  -  FREEBSD22  -  l41  -  OPENBSD  -  linux-2.6  -  MK84  -  PLAN9  -  xnu-8792 
SearchContext: -  none  -  3  -  10 

    1 /*
    2  * Copyright (c) 1999-2009 Apple Inc.
    3  * All rights reserved.
    4  *
    5  * Redistribution and use in source and binary forms, with or without
    6  * modification, are permitted provided that the following conditions
    7  * are met:
    8  * 1.  Redistributions of source code must retain the above copyright
    9  *     notice, this list of conditions and the following disclaimer.
   10  * 2.  Redistributions in binary form must reproduce the above copyright
   11  *     notice, this list of conditions and the following disclaimer in the
   12  *     documentation and/or other materials provided with the distribution.
   13  * 3.  Neither the name of Apple Inc. ("Apple") nor the names of
   14  *     its contributors may be used to endorse or promote products derived
   15  *     from this software without specific prior written permission.
   16  *
   17  * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
   18  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
   19  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
   20  * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
   21  * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
   22  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
   23  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
   24  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
   25  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
   26  * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
   27  * POSSIBILITY OF SUCH DAMAGE.
   28  */
   29 
   30 #include <sys/cdefs.h>
   31 __FBSDID("$FreeBSD$");
   32 
   33 #include <sys/param.h>
   34 #include <sys/vnode.h>
   35 #include <sys/ipc.h>
   36 #include <sys/lock.h>
   37 #include <sys/malloc.h>
   38 #include <sys/mutex.h>
   39 #include <sys/socket.h>
   40 #include <sys/extattr.h>
   41 #include <sys/fcntl.h>
   42 #include <sys/user.h>
   43 #include <sys/systm.h>
   44 
   45 #include <bsm/audit.h>
   46 #include <bsm/audit_internal.h>
   47 #include <bsm/audit_record.h>
   48 #include <bsm/audit_kevents.h>
   49 
   50 #include <security/audit/audit.h>
   51 #include <security/audit/audit_private.h>
   52 
   53 #include <netinet/in_systm.h>
   54 #include <netinet/in.h>
   55 #include <netinet/ip.h>
   56 
   57 MALLOC_DEFINE(M_AUDITBSM, "audit_bsm", "Audit BSM data");
   58 
   59 static void     audit_sys_auditon(struct audit_record *ar,
   60                     struct au_record *rec);
   61 
   62 /*
   63  * Initialize the BSM auditing subsystem.
   64  */
   65 void
   66 kau_init(void)
   67 {
   68 
   69         au_evclassmap_init();
   70 }
   71 
   72 /*
   73  * This call reserves memory for the audit record.  Memory must be guaranteed
   74  * before any auditable event can be generated.  The au_record structure
   75  * maintains a reference to the memory allocated above and also the list of
   76  * tokens associated with this record.
   77  */
   78 static struct au_record *
   79 kau_open(void)
   80 {
   81         struct au_record *rec;
   82 
   83         rec = malloc(sizeof(*rec), M_AUDITBSM, M_WAITOK);
   84         rec->data = NULL;
   85         TAILQ_INIT(&rec->token_q);
   86         rec->len = 0;
   87         rec->used = 1;
   88 
   89         return (rec);
   90 }
   91 
   92 /*
   93  * Store the token with the record descriptor.
   94  */
   95 static void
   96 kau_write(struct au_record *rec, struct au_token *tok)
   97 {
   98 
   99         KASSERT(tok != NULL, ("kau_write: tok == NULL"));
  100 
  101         TAILQ_INSERT_TAIL(&rec->token_q, tok, tokens);
  102         rec->len += tok->len;
  103 }
  104 
  105 /*
  106  * Close out the audit record by adding the header token, identifying any
  107  * missing tokens.  Write out the tokens to the record memory.
  108  */
  109 static void
  110 kau_close(struct au_record *rec, struct timespec *ctime, short event)
  111 {
  112         u_char *dptr;
  113         size_t tot_rec_size;
  114         token_t *cur, *hdr, *trail;
  115         struct timeval tm;
  116         size_t hdrsize;
  117         struct auditinfo_addr ak;
  118         struct in6_addr *ap;
  119 
  120         audit_get_kinfo(&ak);
  121         hdrsize = 0;
  122         switch (ak.ai_termid.at_type) {
  123         case AU_IPv4:
  124                 hdrsize = (ak.ai_termid.at_addr[0] == INADDR_ANY) ?
  125                     AUDIT_HEADER_SIZE : AUDIT_HEADER_EX_SIZE(&ak);
  126                 break;
  127         case AU_IPv6:
  128                 ap = (struct in6_addr *)&ak.ai_termid.at_addr[0];
  129                 hdrsize = (IN6_IS_ADDR_UNSPECIFIED(ap)) ? AUDIT_HEADER_SIZE :
  130                     AUDIT_HEADER_EX_SIZE(&ak);
  131                 break;
  132         default:
  133                 panic("kau_close: invalid address family");
  134         }
  135         tot_rec_size = rec->len + hdrsize + AUDIT_TRAILER_SIZE;
  136         rec->data = malloc(tot_rec_size, M_AUDITBSM, M_WAITOK | M_ZERO);
  137 
  138         tm.tv_usec = ctime->tv_nsec / 1000;
  139         tm.tv_sec = ctime->tv_sec;
  140         if (hdrsize != AUDIT_HEADER_SIZE)
  141                 hdr = au_to_header32_ex_tm(tot_rec_size, event, 0, tm, &ak);
  142         else
  143                 hdr = au_to_header32_tm(tot_rec_size, event, 0, tm);
  144         TAILQ_INSERT_HEAD(&rec->token_q, hdr, tokens);
  145 
  146         trail = au_to_trailer(tot_rec_size);
  147         TAILQ_INSERT_TAIL(&rec->token_q, trail, tokens);
  148 
  149         rec->len = tot_rec_size;
  150         dptr = rec->data;
  151         TAILQ_FOREACH(cur, &rec->token_q, tokens) {
  152                 memcpy(dptr, cur->t_data, cur->len);
  153                 dptr += cur->len;
  154         }
  155 }
  156 
  157 /*
  158  * Free a BSM audit record by releasing all the tokens and clearing the audit
  159  * record information.
  160  */
  161 void
  162 kau_free(struct au_record *rec)
  163 {
  164         struct au_token *tok;
  165 
  166         /* Free the token list. */
  167         while ((tok = TAILQ_FIRST(&rec->token_q))) {
  168                 TAILQ_REMOVE(&rec->token_q, tok, tokens);
  169                 free(tok->t_data, M_AUDITBSM);
  170                 free(tok, M_AUDITBSM);
  171         }
  172 
  173         rec->used = 0;
  174         rec->len = 0;
  175         free(rec->data, M_AUDITBSM);
  176         free(rec, M_AUDITBSM);
  177 }
  178 
  179 /*
  180  * XXX: May want turn some (or all) of these macros into functions in order
  181  * to reduce the generated code size.
  182  *
  183  * XXXAUDIT: These macros assume that 'kar', 'ar', 'rec', and 'tok' in the
  184  * caller are OK with this.
  185  */
  186 #define ATFD1_TOKENS(argnum) do {                                       \
  187         if (ARG_IS_VALID(kar, ARG_ATFD1)) {                             \
  188                 tok = au_to_arg32(argnum, "at fd 1", ar->ar_arg_atfd1); \
  189                 kau_write(rec, tok);                                    \
  190         }                                                               \
  191 } while (0)
  192 
  193 #define ATFD2_TOKENS(argnum) do {                                       \
  194         if (ARG_IS_VALID(kar, ARG_ATFD2)) {                             \
  195                 tok = au_to_arg32(argnum, "at fd 2", ar->ar_arg_atfd2); \
  196                 kau_write(rec, tok);                                    \
  197         }                                                               \
  198 } while (0)
  199 
  200 #define UPATH1_TOKENS do {                                              \
  201         if (ARG_IS_VALID(kar, ARG_UPATH1)) {                            \
  202                 tok = au_to_path(ar->ar_arg_upath1);                    \
  203                 kau_write(rec, tok);                                    \
  204         }                                                               \
  205 } while (0)
  206 
  207 #define UPATH2_TOKENS do {                                              \
  208         if (ARG_IS_VALID(kar, ARG_UPATH2)) {                            \
  209                 tok = au_to_path(ar->ar_arg_upath2);                    \
  210                 kau_write(rec, tok);                                    \
  211         }                                                               \
  212 } while (0)
  213 
  214 #define VNODE1_TOKENS do {                                              \
  215         if (ARG_IS_VALID(kar, ARG_ATFD)) {                              \
  216                 tok = au_to_arg32(1, "at fd", ar->ar_arg_atfd);         \
  217                 kau_write(rec, tok);                                    \
  218         }                                                               \
  219         if (ARG_IS_VALID(kar, ARG_VNODE1)) {                            \
  220                 tok = au_to_attr32(&ar->ar_arg_vnode1);                 \
  221                 kau_write(rec, tok);                                    \
  222         }                                                               \
  223 } while (0)
  224 
  225 #define UPATH1_VNODE1_TOKENS do {                                       \
  226         if (ARG_IS_VALID(kar, ARG_UPATH1)) {                            \
  227                 UPATH1_TOKENS;                                          \
  228         }                                                               \
  229         if (ARG_IS_VALID(kar, ARG_VNODE1)) {                            \
  230                 tok = au_to_attr32(&ar->ar_arg_vnode1);                 \
  231                 kau_write(rec, tok);                                    \
  232         }                                                               \
  233 } while (0)
  234 
  235 #define VNODE2_TOKENS do {                                              \
  236         if (ARG_IS_VALID(kar, ARG_VNODE2)) {                            \
  237                 tok = au_to_attr32(&ar->ar_arg_vnode2);                 \
  238                 kau_write(rec, tok);                                    \
  239         }                                                               \
  240 } while (0)
  241 
  242 #define FD_VNODE1_TOKENS do {                                           \
  243         if (ARG_IS_VALID(kar, ARG_VNODE1)) {                            \
  244                 if (ARG_IS_VALID(kar, ARG_FD)) {                        \
  245                         tok = au_to_arg32(1, "fd", ar->ar_arg_fd);      \
  246                         kau_write(rec, tok);                            \
  247                 }                                                       \
  248                 tok = au_to_attr32(&ar->ar_arg_vnode1);                 \
  249                 kau_write(rec, tok);                                    \
  250         } else {                                                        \
  251                 if (ARG_IS_VALID(kar, ARG_FD)) {                        \
  252                         tok = au_to_arg32(1, "non-file: fd",            \
  253                             ar->ar_arg_fd);                             \
  254                         kau_write(rec, tok);                            \
  255                 }                                                       \
  256         }                                                               \
  257 } while (0)
  258 
  259 #define PROCESS_PID_TOKENS(argn) do {                                   \
  260         if ((ar->ar_arg_pid > 0) /* Reference a single process */       \
  261             && (ARG_IS_VALID(kar, ARG_PROCESS))) {                      \
  262                 tok = au_to_process32_ex(ar->ar_arg_auid,               \
  263                     ar->ar_arg_euid, ar->ar_arg_egid,                   \
  264                     ar->ar_arg_ruid, ar->ar_arg_rgid,                   \
  265                     ar->ar_arg_pid, ar->ar_arg_asid,                    \
  266                     &ar->ar_arg_termid_addr);                           \
  267                 kau_write(rec, tok);                                    \
  268         } else if (ARG_IS_VALID(kar, ARG_PID)) {                        \
  269                 tok = au_to_arg32(argn, "process", ar->ar_arg_pid);     \
  270                 kau_write(rec, tok);                                    \
  271         }                                                               \
  272 } while (0)
  273 
  274 #define EXTATTR_TOKENS(namespace_argnum) do {                           \
  275         if (ARG_IS_VALID(kar, ARG_VALUE)) {                             \
  276                 switch (ar->ar_arg_value) {                             \
  277                 case EXTATTR_NAMESPACE_USER:                            \
  278                         tok = au_to_text(EXTATTR_NAMESPACE_USER_STRING);\
  279                         break;                                          \
  280                 case EXTATTR_NAMESPACE_SYSTEM:                          \
  281                         tok = au_to_text(EXTATTR_NAMESPACE_SYSTEM_STRING);\
  282                         break;                                          \
  283                 default:                                                \
  284                         tok = au_to_arg32((namespace_argnum),           \
  285                             "attrnamespace", ar->ar_arg_value);         \
  286                         break;                                          \
  287                 }                                                       \
  288                 kau_write(rec, tok);                                    \
  289         }                                                               \
  290         /* attrname is in the text field */                             \
  291         if (ARG_IS_VALID(kar, ARG_TEXT)) {                              \
  292                 tok = au_to_text(ar->ar_arg_text);                      \
  293                 kau_write(rec, tok);                                    \
  294         }                                                               \
  295 } while (0)
  296 
  297 /*
  298  * Not all pointer arguments to system calls are of interest, but in some
  299  * cases they reflect delegation of rights, such as mmap(2) followed by
  300  * minherit(2) before execve(2), so do the best we can.
  301  */
  302 #define ADDR_TOKEN(argnum, argname) do {                                \
  303         if (ARG_IS_VALID(kar, ARG_ADDR)) {                              \
  304                 if (sizeof(void *) == sizeof(uint32_t))                 \
  305                         tok = au_to_arg32((argnum), (argname),          \
  306                             (uint32_t)(uintptr_t)ar->ar_arg_addr);      \
  307                 else                                                    \
  308                         tok = au_to_arg64((argnum), (argname),          \
  309                             (uint64_t)(uintptr_t)ar->ar_arg_addr);      \
  310                 kau_write(rec, tok);                                    \
  311         }                                                               \
  312 } while (0)
  313 
  314 
  315 /*
  316  * Implement auditing for the auditon() system call. The audit tokens that
  317  * are generated depend on the command that was sent into the auditon()
  318  * system call.
  319  */
  320 static void
  321 audit_sys_auditon(struct audit_record *ar, struct au_record *rec)
  322 {
  323         struct au_token *tok;
  324 
  325         tok = au_to_arg32(3, "length", ar->ar_arg_len);
  326         kau_write(rec, tok);
  327         switch (ar->ar_arg_cmd) {
  328         case A_OLDSETPOLICY:
  329                 if ((size_t)ar->ar_arg_len == sizeof(int64_t)) {
  330                         tok = au_to_arg64(2, "policy",
  331                             ar->ar_arg_auditon.au_policy64);
  332                         kau_write(rec, tok);
  333                         break;
  334                 }
  335                 /* FALLTHROUGH */
  336 
  337         case A_SETPOLICY:
  338                 tok = au_to_arg32(2, "policy", ar->ar_arg_auditon.au_policy);
  339                 kau_write(rec, tok);
  340                 break;
  341 
  342         case A_SETKMASK:
  343                 tok = au_to_arg32(2, "setkmask:as_success",
  344                     ar->ar_arg_auditon.au_mask.am_success);
  345                 kau_write(rec, tok);
  346                 tok = au_to_arg32(2, "setkmask:as_failure",
  347                     ar->ar_arg_auditon.au_mask.am_failure);
  348                 kau_write(rec, tok);
  349                 break;
  350 
  351         case A_OLDSETQCTRL:
  352                 if ((size_t)ar->ar_arg_len == sizeof(au_qctrl64_t)) {
  353                         tok = au_to_arg64(2, "setqctrl:aq_hiwater",
  354                             ar->ar_arg_auditon.au_qctrl64.aq64_hiwater);
  355                         kau_write(rec, tok);
  356                         tok = au_to_arg64(2, "setqctrl:aq_lowater",
  357                             ar->ar_arg_auditon.au_qctrl64.aq64_lowater);
  358                         kau_write(rec, tok);
  359                         tok = au_to_arg64(2, "setqctrl:aq_bufsz",
  360                             ar->ar_arg_auditon.au_qctrl64.aq64_bufsz);
  361                         kau_write(rec, tok);
  362                         tok = au_to_arg64(2, "setqctrl:aq_delay",
  363                             ar->ar_arg_auditon.au_qctrl64.aq64_delay);
  364                         kau_write(rec, tok);
  365                         tok = au_to_arg64(2, "setqctrl:aq_minfree",
  366                             ar->ar_arg_auditon.au_qctrl64.aq64_minfree);
  367                         kau_write(rec, tok);
  368                         break;
  369                 }
  370                 /* FALLTHROUGH */
  371 
  372         case A_SETQCTRL:
  373                 tok = au_to_arg32(2, "setqctrl:aq_hiwater",
  374                     ar->ar_arg_auditon.au_qctrl.aq_hiwater);
  375                 kau_write(rec, tok);
  376                 tok = au_to_arg32(2, "setqctrl:aq_lowater",
  377                     ar->ar_arg_auditon.au_qctrl.aq_lowater);
  378                 kau_write(rec, tok);
  379                 tok = au_to_arg32(2, "setqctrl:aq_bufsz",
  380                     ar->ar_arg_auditon.au_qctrl.aq_bufsz);
  381                 kau_write(rec, tok);
  382                 tok = au_to_arg32(2, "setqctrl:aq_delay",
  383                     ar->ar_arg_auditon.au_qctrl.aq_delay);
  384                 kau_write(rec, tok);
  385                 tok = au_to_arg32(2, "setqctrl:aq_minfree",
  386                     ar->ar_arg_auditon.au_qctrl.aq_minfree);
  387                 kau_write(rec, tok);
  388                 break;
  389 
  390         case A_SETUMASK:
  391                 tok = au_to_arg32(2, "setumask:as_success",
  392                     ar->ar_arg_auditon.au_auinfo.ai_mask.am_success);
  393                 kau_write(rec, tok);
  394                 tok = au_to_arg32(2, "setumask:as_failure",
  395                     ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure);
  396                 kau_write(rec, tok);
  397                 break;
  398 
  399         case A_SETSMASK:
  400                 tok = au_to_arg32(2, "setsmask:as_success",
  401                     ar->ar_arg_auditon.au_auinfo.ai_mask.am_success);
  402                 kau_write(rec, tok);
  403                 tok = au_to_arg32(2, "setsmask:as_failure",
  404                     ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure);
  405                 kau_write(rec, tok);
  406                 break;
  407 
  408         case A_OLDSETCOND:
  409                 if ((size_t)ar->ar_arg_len == sizeof(int64_t)) {
  410                         tok = au_to_arg64(2, "setcond",
  411                             ar->ar_arg_auditon.au_cond64);
  412                         kau_write(rec, tok);
  413                         break;
  414                 }
  415                 /* FALLTHROUGH */
  416 
  417         case A_SETCOND:
  418                 tok = au_to_arg32(2, "setcond", ar->ar_arg_auditon.au_cond);
  419                 kau_write(rec, tok);
  420                 break;
  421 
  422         case A_SETCLASS:
  423                 kau_write(rec, tok);
  424                 tok = au_to_arg32(2, "setclass:ec_event",
  425                     ar->ar_arg_auditon.au_evclass.ec_number);
  426                 kau_write(rec, tok);
  427                 tok = au_to_arg32(2, "setclass:ec_class",
  428                     ar->ar_arg_auditon.au_evclass.ec_class);
  429                 kau_write(rec, tok);
  430                 break;
  431 
  432         case A_SETPMASK:
  433                 tok = au_to_arg32(2, "setpmask:as_success",
  434                     ar->ar_arg_auditon.au_aupinfo.ap_mask.am_success);
  435                 kau_write(rec, tok);
  436                 tok = au_to_arg32(2, "setpmask:as_failure",
  437                     ar->ar_arg_auditon.au_aupinfo.ap_mask.am_failure);
  438                 kau_write(rec, tok);
  439                 break;
  440 
  441         case A_SETFSIZE:
  442                 tok = au_to_arg32(2, "setfsize:filesize",
  443                     ar->ar_arg_auditon.au_fstat.af_filesz);
  444                 kau_write(rec, tok);
  445                 break;
  446 
  447         default:
  448                 break;
  449         }
  450 }
  451 
  452 /*
  453  * Convert an internal kernel audit record to a BSM record and return a
  454  * success/failure indicator. The BSM record is passed as an out parameter to
  455  * this function.
  456  *
  457  * Return conditions:
  458  *   BSM_SUCCESS: The BSM record is valid
  459  *   BSM_FAILURE: Failure; the BSM record is NULL.
  460  *   BSM_NOAUDIT: The event is not auditable for BSM; the BSM record is NULL.
  461  */
  462 int
  463 kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau)
  464 {
  465         struct au_token *tok, *subj_tok;
  466         struct au_record *rec;
  467         au_tid_t tid;
  468         struct audit_record *ar;
  469         int ctr;
  470 
  471         KASSERT(kar != NULL, ("kaudit_to_bsm: kar == NULL"));
  472 
  473         *pau = NULL;
  474         ar = &kar->k_ar;
  475         rec = kau_open();
  476 
  477         /*
  478          * Create the subject token.
  479          */
  480         switch (ar->ar_subj_term_addr.at_type) {
  481         case AU_IPv4:
  482                 tid.port = ar->ar_subj_term_addr.at_port;
  483                 tid.machine = ar->ar_subj_term_addr.at_addr[0];
  484                 subj_tok = au_to_subject32(ar->ar_subj_auid,  /* audit ID */
  485                     ar->ar_subj_cred.cr_uid, /* eff uid */
  486                     ar->ar_subj_egid,   /* eff group id */
  487                     ar->ar_subj_ruid,   /* real uid */
  488                     ar->ar_subj_rgid,   /* real group id */
  489                     ar->ar_subj_pid,    /* process id */
  490                     ar->ar_subj_asid,   /* session ID */
  491                     &tid);
  492                 break;
  493         case AU_IPv6:
  494                 subj_tok = au_to_subject32_ex(ar->ar_subj_auid,
  495                     ar->ar_subj_cred.cr_uid,
  496                     ar->ar_subj_egid,
  497                     ar->ar_subj_ruid,
  498                     ar->ar_subj_rgid,
  499                     ar->ar_subj_pid,
  500                     ar->ar_subj_asid,
  501                     &ar->ar_subj_term_addr);
  502                 break;
  503         default:
  504                 bzero(&tid, sizeof(tid));
  505                 subj_tok = au_to_subject32(ar->ar_subj_auid,
  506                     ar->ar_subj_cred.cr_uid,
  507                     ar->ar_subj_egid,
  508                     ar->ar_subj_ruid,
  509                     ar->ar_subj_rgid,
  510                     ar->ar_subj_pid,
  511                     ar->ar_subj_asid,
  512                     &tid);
  513         }
  514 
  515         /*
  516          * The logic inside each case fills in the tokens required for the
  517          * event, except for the header, trailer, and return tokens.  The
  518          * header and trailer tokens are added by the kau_close() function.
  519          * The return token is added outside of the switch statement.
  520          */
  521         switch(ar->ar_event) {
  522         case AUE_ACCEPT:
  523         case AUE_BIND:
  524         case AUE_LISTEN:
  525         case AUE_CONNECT:
  526         case AUE_RECV:
  527         case AUE_RECVFROM:
  528         case AUE_RECVMSG:
  529         case AUE_SEND:
  530         case AUE_SENDFILE:
  531         case AUE_SENDMSG:
  532         case AUE_SENDTO:
  533                 /*
  534                  * Socket-related events.
  535                  */
  536                 if (ARG_IS_VALID(kar, ARG_FD)) {
  537                         tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
  538                         kau_write(rec, tok);
  539                 }
  540                 if (ARG_IS_VALID(kar, ARG_SADDRINET)) {
  541                         tok = au_to_sock_inet((struct sockaddr_in *)
  542                             &ar->ar_arg_sockaddr);
  543                         kau_write(rec, tok);
  544                 }
  545                 if (ARG_IS_VALID(kar, ARG_SADDRUNIX)) {
  546                         tok = au_to_sock_unix((struct sockaddr_un *)
  547                             &ar->ar_arg_sockaddr);
  548                         kau_write(rec, tok);
  549                         UPATH1_TOKENS;
  550                 }
  551                 /* XXX Need to handle ARG_SADDRINET6 */
  552                 break;
  553 
  554         case AUE_SOCKET:
  555         case AUE_SOCKETPAIR:
  556                 if (ARG_IS_VALID(kar, ARG_SOCKINFO)) {
  557                         tok = au_to_arg32(1, "domain",
  558                             ar->ar_arg_sockinfo.so_domain);
  559                         kau_write(rec, tok);
  560                         tok = au_to_arg32(2, "type",
  561                             ar->ar_arg_sockinfo.so_type);
  562                         kau_write(rec, tok);
  563                         tok = au_to_arg32(3, "protocol",
  564                             ar->ar_arg_sockinfo.so_protocol);
  565                         kau_write(rec, tok);
  566                 }
  567                 break;
  568 
  569         case AUE_SETSOCKOPT:
  570         case AUE_SHUTDOWN:
  571                 if (ARG_IS_VALID(kar, ARG_FD)) {
  572                         tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
  573                         kau_write(rec, tok);
  574                 }
  575                 break;
  576 
  577         case AUE_ACCT:
  578                 if (ARG_IS_VALID(kar, ARG_UPATH1)) {
  579                         UPATH1_VNODE1_TOKENS;
  580                 } else {
  581                         tok = au_to_arg32(1, "accounting off", 0);
  582                         kau_write(rec, tok);
  583                 }
  584                 break;
  585 
  586         case AUE_SETAUID:
  587                 if (ARG_IS_VALID(kar, ARG_AUID)) {
  588                         tok = au_to_arg32(2, "setauid", ar->ar_arg_auid);
  589                         kau_write(rec, tok);
  590                 }
  591                 break;
  592 
  593         case AUE_SETAUDIT:
  594                 if (ARG_IS_VALID(kar, ARG_AUID) &&
  595                     ARG_IS_VALID(kar, ARG_ASID) &&
  596                     ARG_IS_VALID(kar, ARG_AMASK) &&
  597                     ARG_IS_VALID(kar, ARG_TERMID)) {
  598                         tok = au_to_arg32(1, "setaudit:auid",
  599                             ar->ar_arg_auid);
  600                         kau_write(rec, tok);
  601                         tok = au_to_arg32(1, "setaudit:port",
  602                             ar->ar_arg_termid.port);
  603                         kau_write(rec, tok);
  604                         tok = au_to_arg32(1, "setaudit:machine",
  605                             ar->ar_arg_termid.machine);
  606                         kau_write(rec, tok);
  607                         tok = au_to_arg32(1, "setaudit:as_success",
  608                             ar->ar_arg_amask.am_success);
  609                         kau_write(rec, tok);
  610                         tok = au_to_arg32(1, "setaudit:as_failure",
  611                             ar->ar_arg_amask.am_failure);
  612                         kau_write(rec, tok);
  613                         tok = au_to_arg32(1, "setaudit:asid",
  614                             ar->ar_arg_asid);
  615                         kau_write(rec, tok);
  616                 }
  617                 break;
  618 
  619         case AUE_SETAUDIT_ADDR:
  620                 if (ARG_IS_VALID(kar, ARG_AUID) &&
  621                     ARG_IS_VALID(kar, ARG_ASID) &&
  622                     ARG_IS_VALID(kar, ARG_AMASK) &&
  623                     ARG_IS_VALID(kar, ARG_TERMID_ADDR)) {
  624                         tok = au_to_arg32(1, "setaudit_addr:auid",
  625                             ar->ar_arg_auid);
  626                         kau_write(rec, tok);
  627                         tok = au_to_arg32(1, "setaudit_addr:as_success",
  628                             ar->ar_arg_amask.am_success);
  629                         kau_write(rec, tok);
  630                         tok = au_to_arg32(1, "setaudit_addr:as_failure",
  631                             ar->ar_arg_amask.am_failure);
  632                         kau_write(rec, tok);
  633                         tok = au_to_arg32(1, "setaudit_addr:asid",
  634                             ar->ar_arg_asid);
  635                         kau_write(rec, tok);
  636                         tok = au_to_arg32(1, "setaudit_addr:type",
  637                             ar->ar_arg_termid_addr.at_type);
  638                         kau_write(rec, tok);
  639                         tok = au_to_arg32(1, "setaudit_addr:port",
  640                             ar->ar_arg_termid_addr.at_port);
  641                         kau_write(rec, tok);
  642                         if (ar->ar_arg_termid_addr.at_type == AU_IPv6)
  643                                 tok = au_to_in_addr_ex((struct in6_addr *)
  644                                     &ar->ar_arg_termid_addr.at_addr[0]);
  645                         if (ar->ar_arg_termid_addr.at_type == AU_IPv4)
  646                                 tok = au_to_in_addr((struct in_addr *)
  647                                     &ar->ar_arg_termid_addr.at_addr[0]);
  648                         kau_write(rec, tok);
  649                 }
  650                 break;
  651 
  652         case AUE_AUDITON:
  653                 /*
  654                  * For AUDITON commands without own event, audit the cmd.
  655                  */
  656                 if (ARG_IS_VALID(kar, ARG_CMD)) {
  657                         tok = au_to_arg32(1, "cmd", ar->ar_arg_cmd);
  658                         kau_write(rec, tok);
  659                 }
  660                 /* FALLTHROUGH */
  661 
  662         case AUE_AUDITON_GETCAR:
  663         case AUE_AUDITON_GETCLASS:
  664         case AUE_AUDITON_GETCOND:
  665         case AUE_AUDITON_GETCWD:
  666         case AUE_AUDITON_GETKMASK:
  667         case AUE_AUDITON_GETSTAT:
  668         case AUE_AUDITON_GPOLICY:
  669         case AUE_AUDITON_GQCTRL:
  670         case AUE_AUDITON_SETCLASS:
  671         case AUE_AUDITON_SETCOND:
  672         case AUE_AUDITON_SETKMASK:
  673         case AUE_AUDITON_SETSMASK:
  674         case AUE_AUDITON_SETSTAT:
  675         case AUE_AUDITON_SETUMASK:
  676         case AUE_AUDITON_SPOLICY:
  677         case AUE_AUDITON_SQCTRL:
  678                 if (ARG_IS_VALID(kar, ARG_AUDITON))
  679                         audit_sys_auditon(ar, rec);
  680                 break;
  681 
  682         case AUE_AUDITCTL:
  683                 UPATH1_VNODE1_TOKENS;
  684                 break;
  685 
  686         case AUE_EXIT:
  687                 if (ARG_IS_VALID(kar, ARG_EXIT)) {
  688                         tok = au_to_exit(ar->ar_arg_exitretval,
  689                             ar->ar_arg_exitstatus);
  690                         kau_write(rec, tok);
  691                 }
  692                 break;
  693 
  694         case AUE_ADJTIME:
  695         case AUE_CLOCK_SETTIME:
  696         case AUE_AUDIT:
  697         case AUE_DUP2:
  698         case AUE_GETAUDIT:
  699         case AUE_GETAUDIT_ADDR:
  700         case AUE_GETAUID:
  701         case AUE_GETCWD:
  702         case AUE_GETFSSTAT:
  703         case AUE_GETRESUID:
  704         case AUE_GETRESGID:
  705         case AUE_KQUEUE:
  706         case AUE_MODLOAD:
  707         case AUE_MODUNLOAD:
  708         case AUE_MSGSYS:
  709         case AUE_NTP_ADJTIME:
  710         case AUE_PIPE:
  711         case AUE_POSIX_OPENPT:
  712         case AUE_PROFILE:
  713         case AUE_RTPRIO:
  714         case AUE_SEMSYS:
  715         case AUE_SHMSYS:
  716         case AUE_SETPGRP:
  717         case AUE_SETRLIMIT:
  718         case AUE_SETSID:
  719         case AUE_SETTIMEOFDAY:
  720         case AUE_SYSARCH:
  721 
  722                 /*
  723                  * Header, subject, and return tokens added at end.
  724                  */
  725                 break;
  726 
  727         case AUE_CHDIR:
  728         case AUE_CHROOT:
  729         case AUE_FSTATAT:
  730         case AUE_FUTIMESAT:
  731         case AUE_GETATTRLIST:
  732         case AUE_JAIL:
  733         case AUE_LUTIMES:
  734         case AUE_NFS_GETFH:
  735         case AUE_LSTAT:
  736         case AUE_LPATHCONF:
  737         case AUE_PATHCONF:
  738         case AUE_READLINK:
  739         case AUE_READLINKAT:
  740         case AUE_REVOKE:
  741         case AUE_RMDIR:
  742         case AUE_SEARCHFS:
  743         case AUE_SETATTRLIST:
  744         case AUE_STAT:
  745         case AUE_STATFS:
  746         case AUE_SWAPON:
  747         case AUE_SWAPOFF:
  748         case AUE_TRUNCATE:
  749         case AUE_UNDELETE:
  750         case AUE_UNLINK:
  751         case AUE_UNLINKAT:
  752         case AUE_UTIMES:
  753                 ATFD1_TOKENS(1);
  754                 UPATH1_VNODE1_TOKENS;
  755                 break;
  756 
  757         case AUE_ACCESS:
  758         case AUE_EACCESS:
  759         case AUE_FACCESSAT:
  760                 ATFD1_TOKENS(1);
  761                 UPATH1_VNODE1_TOKENS;
  762                 if (ARG_IS_VALID(kar, ARG_VALUE)) {
  763                         tok = au_to_arg32(2, "mode", ar->ar_arg_value);
  764                         kau_write(rec, tok);
  765                 }
  766                 break;
  767 
  768         case AUE_FHSTATFS:
  769         case AUE_FHOPEN:
  770         case AUE_FHSTAT:
  771                 /* XXXRW: Need to audit vnode argument. */
  772                 break;
  773 
  774         case AUE_CHFLAGS:
  775         case AUE_LCHFLAGS:
  776                 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
  777                         tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
  778                         kau_write(rec, tok);
  779                 }
  780                 UPATH1_VNODE1_TOKENS;
  781                 break;
  782 
  783         case AUE_CHMOD:
  784         case AUE_LCHMOD:
  785                 if (ARG_IS_VALID(kar, ARG_MODE)) {
  786                         tok = au_to_arg32(2, "new file mode",
  787                             ar->ar_arg_mode);
  788                         kau_write(rec, tok);
  789                 }
  790                 UPATH1_VNODE1_TOKENS;
  791                 break;
  792 
  793         case AUE_FCHMODAT:
  794                 ATFD1_TOKENS(1);
  795                 if (ARG_IS_VALID(kar, ARG_MODE)) {
  796                         tok = au_to_arg32(3, "new file mode",
  797                             ar->ar_arg_mode);
  798                         kau_write(rec, tok);
  799                 }
  800                 UPATH1_VNODE1_TOKENS;
  801                 break;
  802 
  803         case AUE_CHOWN:
  804         case AUE_LCHOWN:
  805                 if (ARG_IS_VALID(kar, ARG_UID)) {
  806                         tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid);
  807                         kau_write(rec, tok);
  808                 }
  809                 if (ARG_IS_VALID(kar, ARG_GID)) {
  810                         tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid);
  811                         kau_write(rec, tok);
  812                 }
  813                 UPATH1_VNODE1_TOKENS;
  814                 break;
  815 
  816         case AUE_FCHOWNAT:
  817                 ATFD1_TOKENS(1);
  818                 if (ARG_IS_VALID(kar, ARG_UID)) {
  819                         tok = au_to_arg32(3, "new file uid", ar->ar_arg_uid);
  820                         kau_write(rec, tok);
  821                 }
  822                 if (ARG_IS_VALID(kar, ARG_GID)) {
  823                         tok = au_to_arg32(4, "new file gid", ar->ar_arg_gid);
  824                         kau_write(rec, tok);
  825                 }
  826                 UPATH1_VNODE1_TOKENS;
  827                 break;
  828 
  829         case AUE_EXCHANGEDATA:
  830                 UPATH1_VNODE1_TOKENS;
  831                 UPATH2_TOKENS;
  832                 break;
  833 
  834         case AUE_CLOSE:
  835                 if (ARG_IS_VALID(kar, ARG_FD)) {
  836                         tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
  837                         kau_write(rec, tok);
  838                 }
  839                 UPATH1_VNODE1_TOKENS;
  840                 break;
  841 
  842         case AUE_CLOSEFROM:
  843                 if (ARG_IS_VALID(kar, ARG_FD)) {
  844                         tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
  845                         kau_write(rec, tok);
  846                 }
  847                 break;
  848 
  849         case AUE_CORE:
  850                 if (ARG_IS_VALID(kar, ARG_SIGNUM)) {
  851                         tok = au_to_arg32(1, "signal", ar->ar_arg_signum);
  852                         kau_write(rec, tok);
  853                 }
  854                 UPATH1_VNODE1_TOKENS;
  855                 break;
  856 
  857         case AUE_EXTATTRCTL:
  858                 UPATH1_VNODE1_TOKENS;
  859                 if (ARG_IS_VALID(kar, ARG_CMD)) {
  860                         tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd);
  861                         kau_write(rec, tok);
  862                 }
  863                 /* extattrctl(2) filename parameter is in upath2/vnode2 */
  864                 UPATH2_TOKENS;
  865                 VNODE2_TOKENS;
  866                 EXTATTR_TOKENS(4);
  867                 break;
  868 
  869         case AUE_EXTATTR_GET_FILE:
  870         case AUE_EXTATTR_SET_FILE:
  871         case AUE_EXTATTR_LIST_FILE:
  872         case AUE_EXTATTR_DELETE_FILE:
  873         case AUE_EXTATTR_GET_LINK:
  874         case AUE_EXTATTR_SET_LINK:
  875         case AUE_EXTATTR_LIST_LINK:
  876         case AUE_EXTATTR_DELETE_LINK:
  877                 UPATH1_VNODE1_TOKENS;
  878                 EXTATTR_TOKENS(2);
  879                 break;
  880 
  881         case AUE_EXTATTR_GET_FD:
  882         case AUE_EXTATTR_SET_FD:
  883         case AUE_EXTATTR_LIST_FD:
  884         case AUE_EXTATTR_DELETE_FD:
  885                 if (ARG_IS_VALID(kar, ARG_FD)) {
  886                         tok = au_to_arg32(2, "fd", ar->ar_arg_fd);
  887                         kau_write(rec, tok);
  888                 }
  889                 EXTATTR_TOKENS(2);
  890                 break;
  891 
  892         case AUE_FEXECVE:
  893                 if (ARG_IS_VALID(kar, ARG_FD)) {
  894                         tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
  895                         kau_write(rec, tok);
  896                 }
  897                 /* FALLTHROUGH */
  898 
  899         case AUE_EXECVE:
  900         case AUE_MAC_EXECVE:
  901                 if (ARG_IS_VALID(kar, ARG_ARGV)) {
  902                         tok = au_to_exec_args(ar->ar_arg_argv,
  903                             ar->ar_arg_argc);
  904                         kau_write(rec, tok);
  905                 }
  906                 if (ARG_IS_VALID(kar, ARG_ENVV)) {
  907                         tok = au_to_exec_env(ar->ar_arg_envv,
  908                             ar->ar_arg_envc);
  909                         kau_write(rec, tok);
  910                 }
  911                 UPATH1_VNODE1_TOKENS;
  912                 break;
  913 
  914         case AUE_FCHMOD:
  915                 if (ARG_IS_VALID(kar, ARG_MODE)) {
  916                         tok = au_to_arg32(2, "new file mode",
  917                             ar->ar_arg_mode);
  918                         kau_write(rec, tok);
  919                 }
  920                 FD_VNODE1_TOKENS;
  921                 break;
  922 
  923         /*
  924          * XXXRW: Some of these need to handle non-vnode cases as well.
  925          */
  926         case AUE_FCHDIR:
  927         case AUE_FPATHCONF:
  928         case AUE_FSTAT:
  929         case AUE_FSTATFS:
  930         case AUE_FSYNC:
  931         case AUE_FTRUNCATE:
  932         case AUE_FUTIMES:
  933         case AUE_GETDIRENTRIES:
  934         case AUE_GETDIRENTRIESATTR:
  935         case AUE_LSEEK:
  936         case AUE_POLL:
  937         case AUE_READ:
  938         case AUE_READV:
  939         case AUE_WRITE:
  940         case AUE_WRITEV:
  941                 FD_VNODE1_TOKENS;
  942                 break;
  943 
  944         case AUE_FCHOWN:
  945                 if (ARG_IS_VALID(kar, ARG_UID)) {
  946                         tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid);
  947                         kau_write(rec, tok);
  948                 }
  949                 if (ARG_IS_VALID(kar, ARG_GID)) {
  950                         tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid);
  951                         kau_write(rec, tok);
  952                 }
  953                 FD_VNODE1_TOKENS;
  954                 break;
  955 
  956         case AUE_FCNTL:
  957                 if (ARG_IS_VALID(kar, ARG_CMD)) {
  958                         tok = au_to_arg32(2, "cmd",
  959                             au_fcntl_cmd_to_bsm(ar->ar_arg_cmd));
  960                         kau_write(rec, tok);
  961                 }
  962                 if (ar->ar_arg_cmd == F_GETLK || ar->ar_arg_cmd == F_SETLK ||
  963                     ar->ar_arg_cmd == F_SETLKW) {
  964                         FD_VNODE1_TOKENS;
  965                 }
  966                 break;
  967 
  968         case AUE_FCHFLAGS:
  969                 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
  970                         tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
  971                         kau_write(rec, tok);
  972                 }
  973                 FD_VNODE1_TOKENS;
  974                 break;
  975 
  976         case AUE_FLOCK:
  977                 if (ARG_IS_VALID(kar, ARG_CMD)) {
  978                         tok = au_to_arg32(2, "operation", ar->ar_arg_cmd);
  979                         kau_write(rec, tok);
  980                 }
  981                 FD_VNODE1_TOKENS;
  982                 break;
  983 
  984         case AUE_RFORK:
  985                 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
  986                         tok = au_to_arg32(1, "flags", ar->ar_arg_fflags);
  987                         kau_write(rec, tok);
  988                 }
  989                 /* FALLTHROUGH */
  990 
  991         case AUE_FORK:
  992         case AUE_VFORK:
  993                 if (ARG_IS_VALID(kar, ARG_PID)) {
  994                         tok = au_to_arg32(0, "child PID", ar->ar_arg_pid);
  995                         kau_write(rec, tok);
  996                 }
  997                 break;
  998 
  999         case AUE_IOCTL:
 1000                 if (ARG_IS_VALID(kar, ARG_CMD)) {
 1001                         tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd);
 1002                         kau_write(rec, tok);
 1003                 }
 1004                 if (ARG_IS_VALID(kar, ARG_VNODE1))
 1005                         FD_VNODE1_TOKENS;
 1006                 else {
 1007                         if (ARG_IS_VALID(kar, ARG_SOCKINFO)) {
 1008                                 tok = kau_to_socket(&ar->ar_arg_sockinfo);
 1009                                 kau_write(rec, tok);
 1010                         } else {
 1011                                 if (ARG_IS_VALID(kar, ARG_FD)) {
 1012                                         tok = au_to_arg32(1, "fd",
 1013                                             ar->ar_arg_fd);
 1014                                         kau_write(rec, tok);
 1015                                 }
 1016                         }
 1017                 }
 1018                 break;
 1019 
 1020         case AUE_KILL:
 1021         case AUE_KILLPG:
 1022                 if (ARG_IS_VALID(kar, ARG_SIGNUM)) {
 1023                         tok = au_to_arg32(2, "signal", ar->ar_arg_signum);
 1024                         kau_write(rec, tok);
 1025                 }
 1026                 PROCESS_PID_TOKENS(1);
 1027                 break;
 1028 
 1029         case AUE_KTRACE:
 1030                 if (ARG_IS_VALID(kar, ARG_CMD)) {
 1031                         tok = au_to_arg32(2, "ops", ar->ar_arg_cmd);
 1032                         kau_write(rec, tok);
 1033                 }
 1034                 if (ARG_IS_VALID(kar, ARG_VALUE)) {
 1035                         tok = au_to_arg32(3, "trpoints", ar->ar_arg_value);
 1036                         kau_write(rec, tok);
 1037                 }
 1038                 PROCESS_PID_TOKENS(4);
 1039                 UPATH1_VNODE1_TOKENS;
 1040                 break;
 1041 
 1042         case AUE_LINK:
 1043         case AUE_LINKAT:
 1044         case AUE_RENAME:
 1045         case AUE_RENAMEAT:
 1046                 ATFD1_TOKENS(1);
 1047                 UPATH1_VNODE1_TOKENS;
 1048                 ATFD2_TOKENS(3);
 1049                 UPATH2_TOKENS;
 1050                 break;
 1051 
 1052         case AUE_LOADSHFILE:
 1053                 ADDR_TOKEN(4, "base addr");
 1054                 UPATH1_VNODE1_TOKENS;
 1055                 break;
 1056 
 1057         case AUE_MKDIR:
 1058         case AUE_MKDIRAT:
 1059         case AUE_MKFIFO:
 1060         case AUE_MKFIFOAT:
 1061                 ATFD1_TOKENS(1);
 1062                 if (ARG_IS_VALID(kar, ARG_MODE)) {
 1063                         tok = au_to_arg32(2, "mode", ar->ar_arg_mode);
 1064                         kau_write(rec, tok);
 1065                 }
 1066                 UPATH1_VNODE1_TOKENS;
 1067                 break;
 1068 
 1069         case AUE_MKNOD:
 1070         case AUE_MKNODAT:
 1071                 ATFD1_TOKENS(1);
 1072                 if (ARG_IS_VALID(kar, ARG_MODE)) {
 1073                         tok = au_to_arg32(2, "mode", ar->ar_arg_mode);
 1074                         kau_write(rec, tok);
 1075                 }
 1076                 if (ARG_IS_VALID(kar, ARG_DEV)) {
 1077                         tok = au_to_arg32(3, "dev", ar->ar_arg_dev);
 1078                         kau_write(rec, tok);
 1079                 }
 1080                 UPATH1_VNODE1_TOKENS;
 1081                 break;
 1082 
 1083         case AUE_MMAP:
 1084         case AUE_MUNMAP:
 1085         case AUE_MPROTECT:
 1086         case AUE_MLOCK:
 1087         case AUE_MUNLOCK:
 1088         case AUE_MINHERIT:
 1089                 ADDR_TOKEN(1, "addr");
 1090                 if (ARG_IS_VALID(kar, ARG_LEN)) {
 1091                         tok = au_to_arg32(2, "len", ar->ar_arg_len);
 1092                         kau_write(rec, tok);
 1093                 }
 1094                 if (ar->ar_event == AUE_MMAP)
 1095                         FD_VNODE1_TOKENS;
 1096                 if (ar->ar_event == AUE_MPROTECT) {
 1097                         if (ARG_IS_VALID(kar, ARG_VALUE)) {
 1098                                 tok = au_to_arg32(3, "protection",
 1099                                     ar->ar_arg_value);
 1100                                 kau_write(rec, tok);
 1101                         }
 1102                 }
 1103                 if (ar->ar_event == AUE_MINHERIT) {
 1104                         if (ARG_IS_VALID(kar, ARG_VALUE)) {
 1105                                 tok = au_to_arg32(3, "inherit",
 1106                                     ar->ar_arg_value);
 1107                                 kau_write(rec, tok);
 1108                         }
 1109                 }
 1110                 break;
 1111 
 1112         case AUE_MOUNT:
 1113         case AUE_NMOUNT:
 1114                 /* XXX Need to handle NFS mounts */
 1115                 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
 1116                         tok = au_to_arg32(3, "flags", ar->ar_arg_fflags);
 1117                         kau_write(rec, tok);
 1118                 }
 1119                 if (ARG_IS_VALID(kar, ARG_TEXT)) {
 1120                         tok = au_to_text(ar->ar_arg_text);
 1121                         kau_write(rec, tok);
 1122                 }
 1123                 /* FALLTHROUGH */
 1124 
 1125         case AUE_NFS_SVC:
 1126                 if (ARG_IS_VALID(kar, ARG_CMD)) {
 1127                         tok = au_to_arg32(1, "flags", ar->ar_arg_cmd);
 1128                         kau_write(rec, tok);
 1129                 }
 1130                 break;
 1131 
 1132         case AUE_UMOUNT:
 1133                 if (ARG_IS_VALID(kar, ARG_VALUE)) {
 1134                         tok = au_to_arg32(2, "flags", ar->ar_arg_value);
 1135                         kau_write(rec, tok);
 1136                 }
 1137                 UPATH1_VNODE1_TOKENS;
 1138                 if (ARG_IS_VALID(kar, ARG_TEXT)) {
 1139                         tok = au_to_text(ar->ar_arg_text);
 1140                         kau_write(rec, tok);
 1141                 }
 1142                 break;
 1143 
 1144         case AUE_MSGCTL:
 1145                 ar->ar_event = audit_msgctl_to_event(ar->ar_arg_svipc_cmd);
 1146                 /* Fall through */
 1147 
 1148         case AUE_MSGRCV:
 1149         case AUE_MSGSND:
 1150                 tok = au_to_arg32(1, "msg ID", ar->ar_arg_svipc_id);
 1151                 kau_write(rec, tok);
 1152                 if (ar->ar_errno != EINVAL) {
 1153                         tok = au_to_ipc(AT_IPC_MSG, ar->ar_arg_svipc_id);
 1154                         kau_write(rec, tok);
 1155                 }
 1156                 break;
 1157 
 1158         case AUE_MSGGET:
 1159                 if (ar->ar_errno == 0) {
 1160                         if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
 1161                                 tok = au_to_ipc(AT_IPC_MSG,
 1162                                     ar->ar_arg_svipc_id);
 1163                                 kau_write(rec, tok);
 1164                         }
 1165                 }
 1166                 break;
 1167 
 1168         case AUE_RESETSHFILE:
 1169                 ADDR_TOKEN(1, "base addr");
 1170                 break;
 1171 
 1172         case AUE_OPEN_RC:
 1173         case AUE_OPEN_RTC:
 1174         case AUE_OPEN_RWC:
 1175         case AUE_OPEN_RWTC:
 1176         case AUE_OPEN_WC:
 1177         case AUE_OPEN_WTC:
 1178         case AUE_CREAT:
 1179                 if (ARG_IS_VALID(kar, ARG_MODE)) {
 1180                         tok = au_to_arg32(3, "mode", ar->ar_arg_mode);
 1181                         kau_write(rec, tok);
 1182                 }
 1183                 /* FALLTHROUGH */
 1184 
 1185         case AUE_OPEN_R:
 1186         case AUE_OPEN_RT:
 1187         case AUE_OPEN_RW:
 1188         case AUE_OPEN_RWT:
 1189         case AUE_OPEN_W:
 1190         case AUE_OPEN_WT:
 1191                 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
 1192                         tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
 1193                         kau_write(rec, tok);
 1194                 }
 1195                 UPATH1_VNODE1_TOKENS;
 1196                 break;
 1197 
 1198         case AUE_OPENAT_RC:
 1199         case AUE_OPENAT_RTC:
 1200         case AUE_OPENAT_RWC:
 1201         case AUE_OPENAT_RWTC:
 1202         case AUE_OPENAT_WC:
 1203         case AUE_OPENAT_WTC:
 1204                 if (ARG_IS_VALID(kar, ARG_MODE)) {
 1205                         tok = au_to_arg32(3, "mode", ar->ar_arg_mode);
 1206                         kau_write(rec, tok);
 1207                 }
 1208                 /* FALLTHROUGH */
 1209 
 1210         case AUE_OPENAT_R:
 1211         case AUE_OPENAT_RT:
 1212         case AUE_OPENAT_RW:
 1213         case AUE_OPENAT_RWT:
 1214         case AUE_OPENAT_W:
 1215         case AUE_OPENAT_WT:
 1216                 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
 1217                         tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
 1218                         kau_write(rec, tok);
 1219                 }
 1220                 ATFD1_TOKENS(1);
 1221                 UPATH1_VNODE1_TOKENS;
 1222                 break;
 1223 
 1224         case AUE_PTRACE:
 1225                 if (ARG_IS_VALID(kar, ARG_CMD)) {
 1226                         tok = au_to_arg32(1, "request", ar->ar_arg_cmd);
 1227                         kau_write(rec, tok);
 1228                 }
 1229                 if (ARG_IS_VALID(kar, ARG_VALUE)) {
 1230                         tok = au_to_arg32(4, "data", ar->ar_arg_value);
 1231                         kau_write(rec, tok);
 1232                 }
 1233                 PROCESS_PID_TOKENS(2);
 1234                 break;
 1235 
 1236         case AUE_QUOTACTL:
 1237                 if (ARG_IS_VALID(kar, ARG_CMD)) {
 1238                         tok = au_to_arg32(2, "command", ar->ar_arg_cmd);
 1239                         kau_write(rec, tok);
 1240                 }
 1241                 if (ARG_IS_VALID(kar, ARG_UID)) {
 1242                         tok = au_to_arg32(3, "uid", ar->ar_arg_uid);
 1243                         kau_write(rec, tok);
 1244                 }
 1245                 if (ARG_IS_VALID(kar, ARG_GID)) {
 1246                         tok = au_to_arg32(3, "gid", ar->ar_arg_gid);
 1247                         kau_write(rec, tok);
 1248                 }
 1249                 UPATH1_VNODE1_TOKENS;
 1250                 break;
 1251 
 1252         case AUE_REBOOT:
 1253                 if (ARG_IS_VALID(kar, ARG_CMD)) {
 1254                         tok = au_to_arg32(1, "howto", ar->ar_arg_cmd);
 1255                         kau_write(rec, tok);
 1256                 }
 1257                 break;
 1258 
 1259         case AUE_SEMCTL:
 1260                 ar->ar_event = audit_semctl_to_event(ar->ar_arg_svipc_cmd);
 1261                 /* Fall through */
 1262 
 1263         case AUE_SEMOP:
 1264                 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
 1265                         tok = au_to_arg32(1, "sem ID", ar->ar_arg_svipc_id);
 1266                         kau_write(rec, tok);
 1267                         if (ar->ar_errno != EINVAL) {
 1268                                 tok = au_to_ipc(AT_IPC_SEM,
 1269                                     ar->ar_arg_svipc_id);
 1270                                 kau_write(rec, tok);
 1271                         }
 1272                 }
 1273                 break;
 1274 
 1275         case AUE_SEMGET:
 1276                 if (ar->ar_errno == 0) {
 1277                         if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
 1278                                 tok = au_to_ipc(AT_IPC_SEM,
 1279                                     ar->ar_arg_svipc_id);
 1280                                 kau_write(rec, tok);
 1281                         }
 1282                 }
 1283                 break;
 1284 
 1285         case AUE_SETEGID:
 1286                 if (ARG_IS_VALID(kar, ARG_EGID)) {
 1287                         tok = au_to_arg32(1, "egid", ar->ar_arg_egid);
 1288                         kau_write(rec, tok);
 1289                 }
 1290                 break;
 1291 
 1292         case AUE_SETEUID:
 1293                 if (ARG_IS_VALID(kar, ARG_EUID)) {
 1294                         tok = au_to_arg32(1, "euid", ar->ar_arg_euid);
 1295                         kau_write(rec, tok);
 1296                 }
 1297                 break;
 1298 
 1299         case AUE_SETREGID:
 1300                 if (ARG_IS_VALID(kar, ARG_RGID)) {
 1301                         tok = au_to_arg32(1, "rgid", ar->ar_arg_rgid);
 1302                         kau_write(rec, tok);
 1303                 }
 1304                 if (ARG_IS_VALID(kar, ARG_EGID)) {
 1305                         tok = au_to_arg32(2, "egid", ar->ar_arg_egid);
 1306                         kau_write(rec, tok);
 1307                 }
 1308                 break;
 1309 
 1310         case AUE_SETREUID:
 1311                 if (ARG_IS_VALID(kar, ARG_RUID)) {
 1312                         tok = au_to_arg32(1, "ruid", ar->ar_arg_ruid);
 1313                         kau_write(rec, tok);
 1314                 }
 1315                 if (ARG_IS_VALID(kar, ARG_EUID)) {
 1316                         tok = au_to_arg32(2, "euid", ar->ar_arg_euid);
 1317                         kau_write(rec, tok);
 1318                 }
 1319                 break;
 1320 
 1321         case AUE_SETRESGID:
 1322                 if (ARG_IS_VALID(kar, ARG_RGID)) {
 1323                         tok = au_to_arg32(1, "rgid", ar->ar_arg_rgid);
 1324                         kau_write(rec, tok);
 1325                 }
 1326                 if (ARG_IS_VALID(kar, ARG_EGID)) {
 1327                         tok = au_to_arg32(2, "egid", ar->ar_arg_egid);
 1328                         kau_write(rec, tok);
 1329                 }
 1330                 if (ARG_IS_VALID(kar, ARG_SGID)) {
 1331                         tok = au_to_arg32(3, "sgid", ar->ar_arg_sgid);
 1332                         kau_write(rec, tok);
 1333                 }
 1334                 break;
 1335 
 1336         case AUE_SETRESUID:
 1337                 if (ARG_IS_VALID(kar, ARG_RUID)) {
 1338                         tok = au_to_arg32(1, "ruid", ar->ar_arg_ruid);
 1339                         kau_write(rec, tok);
 1340                 }
 1341                 if (ARG_IS_VALID(kar, ARG_EUID)) {
 1342                         tok = au_to_arg32(2, "euid", ar->ar_arg_euid);
 1343                         kau_write(rec, tok);
 1344                 }
 1345                 if (ARG_IS_VALID(kar, ARG_SUID)) {
 1346                         tok = au_to_arg32(3, "suid", ar->ar_arg_suid);
 1347                         kau_write(rec, tok);
 1348                 }
 1349                 break;
 1350 
 1351         case AUE_SETGID:
 1352                 if (ARG_IS_VALID(kar, ARG_GID)) {
 1353                         tok = au_to_arg32(1, "gid", ar->ar_arg_gid);
 1354                         kau_write(rec, tok);
 1355                 }
 1356                 break;
 1357 
 1358         case AUE_SETUID:
 1359                 if (ARG_IS_VALID(kar, ARG_UID)) {
 1360                         tok = au_to_arg32(1, "uid", ar->ar_arg_uid);
 1361                         kau_write(rec, tok);
 1362                 }
 1363                 break;
 1364 
 1365         case AUE_SETGROUPS:
 1366                 if (ARG_IS_VALID(kar, ARG_GROUPSET)) {
 1367                         for(ctr = 0; ctr < ar->ar_arg_groups.gidset_size; ctr++)
 1368                         {
 1369                                 tok = au_to_arg32(1, "setgroups",
 1370                                     ar->ar_arg_groups.gidset[ctr]);
 1371                                 kau_write(rec, tok);
 1372                         }
 1373                 }
 1374                 break;
 1375 
 1376         case AUE_SETLOGIN:
 1377                 if (ARG_IS_VALID(kar, ARG_TEXT)) {
 1378                         tok = au_to_text(ar->ar_arg_text);
 1379                         kau_write(rec, tok);
 1380                 }
 1381                 break;
 1382 
 1383         case AUE_SETPRIORITY:
 1384                 if (ARG_IS_VALID(kar, ARG_CMD)) {
 1385                         tok = au_to_arg32(1, "which", ar->ar_arg_cmd);
 1386                         kau_write(rec, tok);
 1387                 }
 1388                 if (ARG_IS_VALID(kar, ARG_UID)) {
 1389                         tok = au_to_arg32(2, "who", ar->ar_arg_uid);
 1390                         kau_write(rec, tok);
 1391                 }
 1392                 PROCESS_PID_TOKENS(2);
 1393                 if (ARG_IS_VALID(kar, ARG_VALUE)) {
 1394                         tok = au_to_arg32(3, "priority", ar->ar_arg_value);
 1395                         kau_write(rec, tok);
 1396                 }
 1397                 break;
 1398 
 1399         case AUE_SETPRIVEXEC:
 1400                 if (ARG_IS_VALID(kar, ARG_VALUE)) {
 1401                         tok = au_to_arg32(1, "flag", ar->ar_arg_value);
 1402                         kau_write(rec, tok);
 1403                 }
 1404                 break;
 1405 
 1406         /* AUE_SHMAT, AUE_SHMCTL, AUE_SHMDT and AUE_SHMGET are SysV IPC */
 1407         case AUE_SHMAT:
 1408                 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
 1409                         tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id);
 1410                         kau_write(rec, tok);
 1411                         /* XXXAUDIT: Does having the ipc token make sense? */
 1412                         tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id);
 1413                         kau_write(rec, tok);
 1414                 }
 1415                 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) {
 1416                         tok = au_to_arg32(2, "shmaddr",
 1417                             (int)(uintptr_t)ar->ar_arg_svipc_addr);
 1418                         kau_write(rec, tok);
 1419                 }
 1420                 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) {
 1421                         tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm);
 1422                         kau_write(rec, tok);
 1423                 }
 1424                 break;
 1425 
 1426         case AUE_SHMCTL:
 1427                 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
 1428                         tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id);
 1429                         kau_write(rec, tok);
 1430                         /* XXXAUDIT: Does having the ipc token make sense? */
 1431                         tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id);
 1432                         kau_write(rec, tok);
 1433                 }
 1434                 switch (ar->ar_arg_svipc_cmd) {
 1435                 case IPC_STAT:
 1436                         ar->ar_event = AUE_SHMCTL_STAT;
 1437                         break;
 1438                 case IPC_RMID:
 1439                         ar->ar_event = AUE_SHMCTL_RMID;
 1440                         break;
 1441                 case IPC_SET:
 1442                         ar->ar_event = AUE_SHMCTL_SET;
 1443                         if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) {
 1444                                 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm);
 1445                                 kau_write(rec, tok);
 1446                         }
 1447                         break;
 1448                 default:
 1449                         break;  /* We will audit a bad command */
 1450                 }
 1451                 break;
 1452 
 1453         case AUE_SHMDT:
 1454                 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) {
 1455                         tok = au_to_arg32(1, "shmaddr",
 1456                             (int)(uintptr_t)ar->ar_arg_svipc_addr);
 1457                         kau_write(rec, tok);
 1458                 }
 1459                 break;
 1460 
 1461         case AUE_SHMGET:
 1462                 /* This is unusual; the return value is in an argument token */
 1463                 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
 1464                         tok = au_to_arg32(0, "shmid", ar->ar_arg_svipc_id);
 1465                         kau_write(rec, tok);
 1466                         tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id);
 1467                         kau_write(rec, tok);
 1468                 }
 1469                 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) {
 1470                         tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm);
 1471                         kau_write(rec, tok);
 1472                 }
 1473                 break;
 1474 
 1475         /* AUE_SHMOPEN, AUE_SHMUNLINK, AUE_SEMOPEN, AUE_SEMCLOSE
 1476          * and AUE_SEMUNLINK are Posix IPC */
 1477         case AUE_SHMOPEN:
 1478                 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) {
 1479                         tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
 1480                         kau_write(rec, tok);
 1481                 }
 1482                 if (ARG_IS_VALID(kar, ARG_MODE)) {
 1483                         tok = au_to_arg32(3, "mode", ar->ar_arg_mode);
 1484                         kau_write(rec, tok);
 1485                 }
 1486                 /* FALLTHROUGH */
 1487 
 1488         case AUE_SHMUNLINK:
 1489                 if (ARG_IS_VALID(kar, ARG_TEXT)) {
 1490                         tok = au_to_text(ar->ar_arg_text);
 1491                         kau_write(rec, tok);
 1492                 }
 1493                 if (ARG_IS_VALID(kar, ARG_POSIX_IPC_PERM)) {
 1494                         struct ipc_perm perm;
 1495 
 1496                         perm.uid = ar->ar_arg_pipc_perm.pipc_uid;
 1497                         perm.gid = ar->ar_arg_pipc_perm.pipc_gid;
 1498                         perm.cuid = ar->ar_arg_pipc_perm.pipc_uid;
 1499                         perm.cgid = ar->ar_arg_pipc_perm.pipc_gid;
 1500                         perm.mode = ar->ar_arg_pipc_perm.pipc_mode;
 1501                         perm.seq = 0;
 1502                         perm.key = 0;
 1503                         tok = au_to_ipc_perm(&perm);
 1504                         kau_write(rec, tok);
 1505                 }
 1506                 break;
 1507 
 1508         case AUE_SEMOPEN:
 1509                 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
 1510                         tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
 1511                         kau_write(rec, tok);
 1512                 }
 1513                 if (ARG_IS_VALID(kar, ARG_MODE)) {
 1514                         tok = au_to_arg32(3, "mode", ar->ar_arg_mode);
 1515                         kau_write(rec, tok);
 1516                 }
 1517                 if (ARG_IS_VALID(kar, ARG_VALUE)) {
 1518                         tok = au_to_arg32(4, "value", ar->ar_arg_value);
 1519                         kau_write(rec, tok);
 1520                 }
 1521                 /* FALLTHROUGH */
 1522 
 1523         case AUE_SEMUNLINK:
 1524                 if (ARG_IS_VALID(kar, ARG_TEXT)) {
 1525                         tok = au_to_text(ar->ar_arg_text);
 1526                         kau_write(rec, tok);
 1527                 }
 1528                 if (ARG_IS_VALID(kar, ARG_POSIX_IPC_PERM)) {
 1529                         struct ipc_perm perm;
 1530 
 1531                         perm.uid = ar->ar_arg_pipc_perm.pipc_uid;
 1532                         perm.gid = ar->ar_arg_pipc_perm.pipc_gid;
 1533                         perm.cuid = ar->ar_arg_pipc_perm.pipc_uid;
 1534                         perm.cgid = ar->ar_arg_pipc_perm.pipc_gid;
 1535                         perm.mode = ar->ar_arg_pipc_perm.pipc_mode;
 1536                         perm.seq = 0;
 1537                         perm.key = 0;
 1538                         tok = au_to_ipc_perm(&perm);
 1539                         kau_write(rec, tok);
 1540                 }
 1541                 break;
 1542 
 1543         case AUE_SEMCLOSE:
 1544                 if (ARG_IS_VALID(kar, ARG_FD)) {
 1545                         tok = au_to_arg32(1, "sem", ar->ar_arg_fd);
 1546                         kau_write(rec, tok);
 1547                 }
 1548                 break;
 1549 
 1550         case AUE_SYMLINK:
 1551         case AUE_SYMLINKAT:
 1552                 if (ARG_IS_VALID(kar, ARG_TEXT)) {
 1553                         tok = au_to_text(ar->ar_arg_text);
 1554                         kau_write(rec, tok);
 1555                 }
 1556                 ATFD1_TOKENS(1);
 1557                 UPATH1_VNODE1_TOKENS;
 1558                 break;
 1559 
 1560         case AUE_SYSCTL:
 1561         case AUE_SYSCTL_NONADMIN:
 1562                 if (ARG_IS_VALID(kar, ARG_CTLNAME | ARG_LEN)) {
 1563                         for (ctr = 0; ctr < ar->ar_arg_len; ctr++) {
 1564                                 tok = au_to_arg32(1, "name",
 1565                                     ar->ar_arg_ctlname[ctr]);
 1566                                 kau_write(rec, tok);
 1567                         }
 1568                 }
 1569                 if (ARG_IS_VALID(kar, ARG_VALUE)) {
 1570                         tok = au_to_arg32(5, "newval", ar->ar_arg_value);
 1571                         kau_write(rec, tok);
 1572                 }
 1573                 if (ARG_IS_VALID(kar, ARG_TEXT)) {
 1574                         tok = au_to_text(ar->ar_arg_text);
 1575                         kau_write(rec, tok);
 1576                 }
 1577                 break;
 1578 
 1579         case AUE_UMASK:
 1580                 if (ARG_IS_VALID(kar, ARG_MASK)) {
 1581                         tok = au_to_arg32(1, "new mask", ar->ar_arg_mask);
 1582                         kau_write(rec, tok);
 1583                 }
 1584                 tok = au_to_arg32(0, "prev mask", ar->ar_retval);
 1585                 kau_write(rec, tok);
 1586                 break;
 1587 
 1588         case AUE_WAIT4:
 1589                 PROCESS_PID_TOKENS(1);
 1590                 if (ARG_IS_VALID(kar, ARG_VALUE)) {
 1591                         tok = au_to_arg32(3, "options", ar->ar_arg_value);
 1592                         kau_write(rec, tok);
 1593                 }
 1594                 break;
 1595 
 1596         case AUE_CAP_NEW:
 1597                 /*
 1598                  * XXXRW/XXXJA: Would be nice to audit socket/etc information.
 1599                  */
 1600                 FD_VNODE1_TOKENS;
 1601                 if (ARG_IS_VALID(kar, ARG_RIGHTS)) {
 1602                         tok = au_to_arg64(2, "rights", ar->ar_arg_rights);
 1603                         kau_write(rec, tok);
 1604                 }
 1605                 break;
 1606 
 1607         case AUE_CAP_GETRIGHTS:
 1608                 if (ARG_IS_VALID(kar, ARG_FD)) {
 1609                         tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
 1610                         kau_write(rec, tok);
 1611                 }
 1612                 break;
 1613 
 1614         case AUE_CAP_ENTER:
 1615         case AUE_CAP_GETMODE:
 1616                 break;
 1617 
 1618         case AUE_NULL:
 1619         default:
 1620                 printf("BSM conversion requested for unknown event %d\n",
 1621                     ar->ar_event);
 1622 
 1623                 /*
 1624                  * Write the subject token so it is properly freed here.
 1625                  */
 1626                 kau_write(rec, subj_tok);
 1627                 kau_free(rec);
 1628                 return (BSM_NOAUDIT);
 1629         }
 1630 
 1631         kau_write(rec, subj_tok);
 1632         tok = au_to_return32(au_errno_to_bsm(ar->ar_errno), ar->ar_retval);
 1633         kau_write(rec, tok);  /* Every record gets a return token */
 1634 
 1635         kau_close(rec, &ar->ar_endtime, ar->ar_event);
 1636 
 1637         *pau = rec;
 1638         return (BSM_SUCCESS);
 1639 }
 1640 
 1641 /*
 1642  * Verify that a record is a valid BSM record. This verification is simple
 1643  * now, but may be expanded on sometime in the future.  Return 1 if the
 1644  * record is good, 0 otherwise.
 1645  */
 1646 int
 1647 bsm_rec_verify(void *rec)
 1648 {
 1649         char c = *(char *)rec;
 1650 
 1651         /*
 1652          * Check the token ID of the first token; it has to be a header
 1653          * token.
 1654          *
 1655          * XXXAUDIT There needs to be a token structure to map a token.
 1656          * XXXAUDIT 'Shouldn't be simply looking at the first char.
 1657          */
 1658         if ((c != AUT_HEADER32) && (c != AUT_HEADER32_EX) &&
 1659             (c != AUT_HEADER64) && (c != AUT_HEADER64_EX))
 1660                 return (0);
 1661         return (1);
 1662 }

Cache object: 584d9f013e6f61212d80fdd3affe9779


[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]


This page is part of the FreeBSD/Linux Linux Kernel Cross-Reference, and was automatically generated using a modified version of the LXR engine.