1 /*
2 * Copyright (c) 1999-2009 Apple Inc.
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. Neither the name of Apple Inc. ("Apple") nor the names of
14 * its contributors may be used to endorse or promote products derived
15 * from this software without specific prior written permission.
16 *
17 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
21 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
25 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
26 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
27 * POSSIBILITY OF SUCH DAMAGE.
28 */
29
30 #include <sys/cdefs.h>
31 __FBSDID("$FreeBSD$");
32
33 #include <sys/param.h>
34 #include <sys/vnode.h>
35 #include <sys/ipc.h>
36 #include <sys/lock.h>
37 #include <sys/malloc.h>
38 #include <sys/mutex.h>
39 #include <sys/socket.h>
40 #include <sys/extattr.h>
41 #include <sys/fcntl.h>
42 #include <sys/user.h>
43 #include <sys/systm.h>
44
45 #include <bsm/audit.h>
46 #include <bsm/audit_internal.h>
47 #include <bsm/audit_record.h>
48 #include <bsm/audit_kevents.h>
49
50 #include <security/audit/audit.h>
51 #include <security/audit/audit_private.h>
52
53 #include <netinet/in_systm.h>
54 #include <netinet/in.h>
55 #include <netinet/ip.h>
56
57 MALLOC_DEFINE(M_AUDITBSM, "audit_bsm", "Audit BSM data");
58
59 static void audit_sys_auditon(struct audit_record *ar,
60 struct au_record *rec);
61
62 /*
63 * Initialize the BSM auditing subsystem.
64 */
65 void
66 kau_init(void)
67 {
68
69 au_evclassmap_init();
70 }
71
72 /*
73 * This call reserves memory for the audit record. Memory must be guaranteed
74 * before any auditable event can be generated. The au_record structure
75 * maintains a reference to the memory allocated above and also the list of
76 * tokens associated with this record.
77 */
78 static struct au_record *
79 kau_open(void)
80 {
81 struct au_record *rec;
82
83 rec = malloc(sizeof(*rec), M_AUDITBSM, M_WAITOK);
84 rec->data = NULL;
85 TAILQ_INIT(&rec->token_q);
86 rec->len = 0;
87 rec->used = 1;
88
89 return (rec);
90 }
91
92 /*
93 * Store the token with the record descriptor.
94 */
95 static void
96 kau_write(struct au_record *rec, struct au_token *tok)
97 {
98
99 KASSERT(tok != NULL, ("kau_write: tok == NULL"));
100
101 TAILQ_INSERT_TAIL(&rec->token_q, tok, tokens);
102 rec->len += tok->len;
103 }
104
105 /*
106 * Close out the audit record by adding the header token, identifying any
107 * missing tokens. Write out the tokens to the record memory.
108 */
109 static void
110 kau_close(struct au_record *rec, struct timespec *ctime, short event)
111 {
112 u_char *dptr;
113 size_t tot_rec_size;
114 token_t *cur, *hdr, *trail;
115 struct timeval tm;
116 size_t hdrsize;
117 struct auditinfo_addr ak;
118 struct in6_addr *ap;
119
120 audit_get_kinfo(&ak);
121 hdrsize = 0;
122 switch (ak.ai_termid.at_type) {
123 case AU_IPv4:
124 hdrsize = (ak.ai_termid.at_addr[0] == INADDR_ANY) ?
125 AUDIT_HEADER_SIZE : AUDIT_HEADER_EX_SIZE(&ak);
126 break;
127 case AU_IPv6:
128 ap = (struct in6_addr *)&ak.ai_termid.at_addr[0];
129 hdrsize = (IN6_IS_ADDR_UNSPECIFIED(ap)) ? AUDIT_HEADER_SIZE :
130 AUDIT_HEADER_EX_SIZE(&ak);
131 break;
132 default:
133 panic("kau_close: invalid address family");
134 }
135 tot_rec_size = rec->len + hdrsize + AUDIT_TRAILER_SIZE;
136 rec->data = malloc(tot_rec_size, M_AUDITBSM, M_WAITOK | M_ZERO);
137
138 tm.tv_usec = ctime->tv_nsec / 1000;
139 tm.tv_sec = ctime->tv_sec;
140 if (hdrsize != AUDIT_HEADER_SIZE)
141 hdr = au_to_header32_ex_tm(tot_rec_size, event, 0, tm, &ak);
142 else
143 hdr = au_to_header32_tm(tot_rec_size, event, 0, tm);
144 TAILQ_INSERT_HEAD(&rec->token_q, hdr, tokens);
145
146 trail = au_to_trailer(tot_rec_size);
147 TAILQ_INSERT_TAIL(&rec->token_q, trail, tokens);
148
149 rec->len = tot_rec_size;
150 dptr = rec->data;
151 TAILQ_FOREACH(cur, &rec->token_q, tokens) {
152 memcpy(dptr, cur->t_data, cur->len);
153 dptr += cur->len;
154 }
155 }
156
157 /*
158 * Free a BSM audit record by releasing all the tokens and clearing the audit
159 * record information.
160 */
161 void
162 kau_free(struct au_record *rec)
163 {
164 struct au_token *tok;
165
166 /* Free the token list. */
167 while ((tok = TAILQ_FIRST(&rec->token_q))) {
168 TAILQ_REMOVE(&rec->token_q, tok, tokens);
169 free(tok->t_data, M_AUDITBSM);
170 free(tok, M_AUDITBSM);
171 }
172
173 rec->used = 0;
174 rec->len = 0;
175 free(rec->data, M_AUDITBSM);
176 free(rec, M_AUDITBSM);
177 }
178
179 /*
180 * XXX: May want turn some (or all) of these macros into functions in order
181 * to reduce the generated code size.
182 *
183 * XXXAUDIT: These macros assume that 'kar', 'ar', 'rec', and 'tok' in the
184 * caller are OK with this.
185 */
186 #define ATFD1_TOKENS(argnum) do { \
187 if (ARG_IS_VALID(kar, ARG_ATFD1)) { \
188 tok = au_to_arg32(argnum, "at fd 1", ar->ar_arg_atfd1); \
189 kau_write(rec, tok); \
190 } \
191 } while (0)
192
193 #define ATFD2_TOKENS(argnum) do { \
194 if (ARG_IS_VALID(kar, ARG_ATFD2)) { \
195 tok = au_to_arg32(argnum, "at fd 2", ar->ar_arg_atfd2); \
196 kau_write(rec, tok); \
197 } \
198 } while (0)
199
200 #define UPATH1_TOKENS do { \
201 if (ARG_IS_VALID(kar, ARG_UPATH1)) { \
202 tok = au_to_path(ar->ar_arg_upath1); \
203 kau_write(rec, tok); \
204 } \
205 } while (0)
206
207 #define UPATH2_TOKENS do { \
208 if (ARG_IS_VALID(kar, ARG_UPATH2)) { \
209 tok = au_to_path(ar->ar_arg_upath2); \
210 kau_write(rec, tok); \
211 } \
212 } while (0)
213
214 #define VNODE1_TOKENS do { \
215 if (ARG_IS_VALID(kar, ARG_ATFD)) { \
216 tok = au_to_arg32(1, "at fd", ar->ar_arg_atfd); \
217 kau_write(rec, tok); \
218 } \
219 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \
220 tok = au_to_attr32(&ar->ar_arg_vnode1); \
221 kau_write(rec, tok); \
222 } \
223 } while (0)
224
225 #define UPATH1_VNODE1_TOKENS do { \
226 if (ARG_IS_VALID(kar, ARG_UPATH1)) { \
227 UPATH1_TOKENS; \
228 } \
229 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \
230 tok = au_to_attr32(&ar->ar_arg_vnode1); \
231 kau_write(rec, tok); \
232 } \
233 } while (0)
234
235 #define VNODE2_TOKENS do { \
236 if (ARG_IS_VALID(kar, ARG_VNODE2)) { \
237 tok = au_to_attr32(&ar->ar_arg_vnode2); \
238 kau_write(rec, tok); \
239 } \
240 } while (0)
241
242 #define FD_VNODE1_TOKENS do { \
243 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \
244 if (ARG_IS_VALID(kar, ARG_FD)) { \
245 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); \
246 kau_write(rec, tok); \
247 } \
248 tok = au_to_attr32(&ar->ar_arg_vnode1); \
249 kau_write(rec, tok); \
250 } else { \
251 if (ARG_IS_VALID(kar, ARG_FD)) { \
252 tok = au_to_arg32(1, "non-file: fd", \
253 ar->ar_arg_fd); \
254 kau_write(rec, tok); \
255 } \
256 } \
257 } while (0)
258
259 #define PROCESS_PID_TOKENS(argn) do { \
260 if ((ar->ar_arg_pid > 0) /* Reference a single process */ \
261 && (ARG_IS_VALID(kar, ARG_PROCESS))) { \
262 tok = au_to_process32_ex(ar->ar_arg_auid, \
263 ar->ar_arg_euid, ar->ar_arg_egid, \
264 ar->ar_arg_ruid, ar->ar_arg_rgid, \
265 ar->ar_arg_pid, ar->ar_arg_asid, \
266 &ar->ar_arg_termid_addr); \
267 kau_write(rec, tok); \
268 } else if (ARG_IS_VALID(kar, ARG_PID)) { \
269 tok = au_to_arg32(argn, "process", ar->ar_arg_pid); \
270 kau_write(rec, tok); \
271 } \
272 } while (0)
273
274 #define EXTATTR_TOKENS(namespace_argnum) do { \
275 if (ARG_IS_VALID(kar, ARG_VALUE)) { \
276 switch (ar->ar_arg_value) { \
277 case EXTATTR_NAMESPACE_USER: \
278 tok = au_to_text(EXTATTR_NAMESPACE_USER_STRING);\
279 break; \
280 case EXTATTR_NAMESPACE_SYSTEM: \
281 tok = au_to_text(EXTATTR_NAMESPACE_SYSTEM_STRING);\
282 break; \
283 default: \
284 tok = au_to_arg32((namespace_argnum), \
285 "attrnamespace", ar->ar_arg_value); \
286 break; \
287 } \
288 kau_write(rec, tok); \
289 } \
290 /* attrname is in the text field */ \
291 if (ARG_IS_VALID(kar, ARG_TEXT)) { \
292 tok = au_to_text(ar->ar_arg_text); \
293 kau_write(rec, tok); \
294 } \
295 } while (0)
296
297 /*
298 * Not all pointer arguments to system calls are of interest, but in some
299 * cases they reflect delegation of rights, such as mmap(2) followed by
300 * minherit(2) before execve(2), so do the best we can.
301 */
302 #define ADDR_TOKEN(argnum, argname) do { \
303 if (ARG_IS_VALID(kar, ARG_ADDR)) { \
304 if (sizeof(void *) == sizeof(uint32_t)) \
305 tok = au_to_arg32((argnum), (argname), \
306 (uint32_t)(uintptr_t)ar->ar_arg_addr); \
307 else \
308 tok = au_to_arg64((argnum), (argname), \
309 (uint64_t)(uintptr_t)ar->ar_arg_addr); \
310 kau_write(rec, tok); \
311 } \
312 } while (0)
313
314
315 /*
316 * Implement auditing for the auditon() system call. The audit tokens that
317 * are generated depend on the command that was sent into the auditon()
318 * system call.
319 */
320 static void
321 audit_sys_auditon(struct audit_record *ar, struct au_record *rec)
322 {
323 struct au_token *tok;
324
325 tok = au_to_arg32(3, "length", ar->ar_arg_len);
326 kau_write(rec, tok);
327 switch (ar->ar_arg_cmd) {
328 case A_OLDSETPOLICY:
329 if ((size_t)ar->ar_arg_len == sizeof(int64_t)) {
330 tok = au_to_arg64(2, "policy",
331 ar->ar_arg_auditon.au_policy64);
332 kau_write(rec, tok);
333 break;
334 }
335 /* FALLTHROUGH */
336
337 case A_SETPOLICY:
338 tok = au_to_arg32(2, "policy", ar->ar_arg_auditon.au_policy);
339 kau_write(rec, tok);
340 break;
341
342 case A_SETKMASK:
343 tok = au_to_arg32(2, "setkmask:as_success",
344 ar->ar_arg_auditon.au_mask.am_success);
345 kau_write(rec, tok);
346 tok = au_to_arg32(2, "setkmask:as_failure",
347 ar->ar_arg_auditon.au_mask.am_failure);
348 kau_write(rec, tok);
349 break;
350
351 case A_OLDSETQCTRL:
352 if ((size_t)ar->ar_arg_len == sizeof(au_qctrl64_t)) {
353 tok = au_to_arg64(2, "setqctrl:aq_hiwater",
354 ar->ar_arg_auditon.au_qctrl64.aq64_hiwater);
355 kau_write(rec, tok);
356 tok = au_to_arg64(2, "setqctrl:aq_lowater",
357 ar->ar_arg_auditon.au_qctrl64.aq64_lowater);
358 kau_write(rec, tok);
359 tok = au_to_arg64(2, "setqctrl:aq_bufsz",
360 ar->ar_arg_auditon.au_qctrl64.aq64_bufsz);
361 kau_write(rec, tok);
362 tok = au_to_arg64(2, "setqctrl:aq_delay",
363 ar->ar_arg_auditon.au_qctrl64.aq64_delay);
364 kau_write(rec, tok);
365 tok = au_to_arg64(2, "setqctrl:aq_minfree",
366 ar->ar_arg_auditon.au_qctrl64.aq64_minfree);
367 kau_write(rec, tok);
368 break;
369 }
370 /* FALLTHROUGH */
371
372 case A_SETQCTRL:
373 tok = au_to_arg32(2, "setqctrl:aq_hiwater",
374 ar->ar_arg_auditon.au_qctrl.aq_hiwater);
375 kau_write(rec, tok);
376 tok = au_to_arg32(2, "setqctrl:aq_lowater",
377 ar->ar_arg_auditon.au_qctrl.aq_lowater);
378 kau_write(rec, tok);
379 tok = au_to_arg32(2, "setqctrl:aq_bufsz",
380 ar->ar_arg_auditon.au_qctrl.aq_bufsz);
381 kau_write(rec, tok);
382 tok = au_to_arg32(2, "setqctrl:aq_delay",
383 ar->ar_arg_auditon.au_qctrl.aq_delay);
384 kau_write(rec, tok);
385 tok = au_to_arg32(2, "setqctrl:aq_minfree",
386 ar->ar_arg_auditon.au_qctrl.aq_minfree);
387 kau_write(rec, tok);
388 break;
389
390 case A_SETUMASK:
391 tok = au_to_arg32(2, "setumask:as_success",
392 ar->ar_arg_auditon.au_auinfo.ai_mask.am_success);
393 kau_write(rec, tok);
394 tok = au_to_arg32(2, "setumask:as_failure",
395 ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure);
396 kau_write(rec, tok);
397 break;
398
399 case A_SETSMASK:
400 tok = au_to_arg32(2, "setsmask:as_success",
401 ar->ar_arg_auditon.au_auinfo.ai_mask.am_success);
402 kau_write(rec, tok);
403 tok = au_to_arg32(2, "setsmask:as_failure",
404 ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure);
405 kau_write(rec, tok);
406 break;
407
408 case A_OLDSETCOND:
409 if ((size_t)ar->ar_arg_len == sizeof(int64_t)) {
410 tok = au_to_arg64(2, "setcond",
411 ar->ar_arg_auditon.au_cond64);
412 kau_write(rec, tok);
413 break;
414 }
415 /* FALLTHROUGH */
416
417 case A_SETCOND:
418 tok = au_to_arg32(2, "setcond", ar->ar_arg_auditon.au_cond);
419 kau_write(rec, tok);
420 break;
421
422 case A_SETCLASS:
423 kau_write(rec, tok);
424 tok = au_to_arg32(2, "setclass:ec_event",
425 ar->ar_arg_auditon.au_evclass.ec_number);
426 kau_write(rec, tok);
427 tok = au_to_arg32(2, "setclass:ec_class",
428 ar->ar_arg_auditon.au_evclass.ec_class);
429 kau_write(rec, tok);
430 break;
431
432 case A_SETPMASK:
433 tok = au_to_arg32(2, "setpmask:as_success",
434 ar->ar_arg_auditon.au_aupinfo.ap_mask.am_success);
435 kau_write(rec, tok);
436 tok = au_to_arg32(2, "setpmask:as_failure",
437 ar->ar_arg_auditon.au_aupinfo.ap_mask.am_failure);
438 kau_write(rec, tok);
439 break;
440
441 case A_SETFSIZE:
442 tok = au_to_arg32(2, "setfsize:filesize",
443 ar->ar_arg_auditon.au_fstat.af_filesz);
444 kau_write(rec, tok);
445 break;
446
447 default:
448 break;
449 }
450 }
451
452 /*
453 * Convert an internal kernel audit record to a BSM record and return a
454 * success/failure indicator. The BSM record is passed as an out parameter to
455 * this function.
456 *
457 * Return conditions:
458 * BSM_SUCCESS: The BSM record is valid
459 * BSM_FAILURE: Failure; the BSM record is NULL.
460 * BSM_NOAUDIT: The event is not auditable for BSM; the BSM record is NULL.
461 */
462 int
463 kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau)
464 {
465 struct au_token *tok, *subj_tok;
466 struct au_record *rec;
467 au_tid_t tid;
468 struct audit_record *ar;
469 int ctr;
470
471 KASSERT(kar != NULL, ("kaudit_to_bsm: kar == NULL"));
472
473 *pau = NULL;
474 ar = &kar->k_ar;
475 rec = kau_open();
476
477 /*
478 * Create the subject token.
479 */
480 switch (ar->ar_subj_term_addr.at_type) {
481 case AU_IPv4:
482 tid.port = ar->ar_subj_term_addr.at_port;
483 tid.machine = ar->ar_subj_term_addr.at_addr[0];
484 subj_tok = au_to_subject32(ar->ar_subj_auid, /* audit ID */
485 ar->ar_subj_cred.cr_uid, /* eff uid */
486 ar->ar_subj_egid, /* eff group id */
487 ar->ar_subj_ruid, /* real uid */
488 ar->ar_subj_rgid, /* real group id */
489 ar->ar_subj_pid, /* process id */
490 ar->ar_subj_asid, /* session ID */
491 &tid);
492 break;
493 case AU_IPv6:
494 subj_tok = au_to_subject32_ex(ar->ar_subj_auid,
495 ar->ar_subj_cred.cr_uid,
496 ar->ar_subj_egid,
497 ar->ar_subj_ruid,
498 ar->ar_subj_rgid,
499 ar->ar_subj_pid,
500 ar->ar_subj_asid,
501 &ar->ar_subj_term_addr);
502 break;
503 default:
504 bzero(&tid, sizeof(tid));
505 subj_tok = au_to_subject32(ar->ar_subj_auid,
506 ar->ar_subj_cred.cr_uid,
507 ar->ar_subj_egid,
508 ar->ar_subj_ruid,
509 ar->ar_subj_rgid,
510 ar->ar_subj_pid,
511 ar->ar_subj_asid,
512 &tid);
513 }
514
515 /*
516 * The logic inside each case fills in the tokens required for the
517 * event, except for the header, trailer, and return tokens. The
518 * header and trailer tokens are added by the kau_close() function.
519 * The return token is added outside of the switch statement.
520 */
521 switch(ar->ar_event) {
522 case AUE_ACCEPT:
523 case AUE_BIND:
524 case AUE_LISTEN:
525 case AUE_CONNECT:
526 case AUE_RECV:
527 case AUE_RECVFROM:
528 case AUE_RECVMSG:
529 case AUE_SEND:
530 case AUE_SENDFILE:
531 case AUE_SENDMSG:
532 case AUE_SENDTO:
533 /*
534 * Socket-related events.
535 */
536 if (ARG_IS_VALID(kar, ARG_FD)) {
537 tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
538 kau_write(rec, tok);
539 }
540 if (ARG_IS_VALID(kar, ARG_SADDRINET)) {
541 tok = au_to_sock_inet((struct sockaddr_in *)
542 &ar->ar_arg_sockaddr);
543 kau_write(rec, tok);
544 }
545 if (ARG_IS_VALID(kar, ARG_SADDRUNIX)) {
546 tok = au_to_sock_unix((struct sockaddr_un *)
547 &ar->ar_arg_sockaddr);
548 kau_write(rec, tok);
549 UPATH1_TOKENS;
550 }
551 /* XXX Need to handle ARG_SADDRINET6 */
552 break;
553
554 case AUE_SOCKET:
555 case AUE_SOCKETPAIR:
556 if (ARG_IS_VALID(kar, ARG_SOCKINFO)) {
557 tok = au_to_arg32(1, "domain",
558 ar->ar_arg_sockinfo.so_domain);
559 kau_write(rec, tok);
560 tok = au_to_arg32(2, "type",
561 ar->ar_arg_sockinfo.so_type);
562 kau_write(rec, tok);
563 tok = au_to_arg32(3, "protocol",
564 ar->ar_arg_sockinfo.so_protocol);
565 kau_write(rec, tok);
566 }
567 break;
568
569 case AUE_SETSOCKOPT:
570 case AUE_SHUTDOWN:
571 if (ARG_IS_VALID(kar, ARG_FD)) {
572 tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
573 kau_write(rec, tok);
574 }
575 break;
576
577 case AUE_ACCT:
578 if (ARG_IS_VALID(kar, ARG_UPATH1)) {
579 UPATH1_VNODE1_TOKENS;
580 } else {
581 tok = au_to_arg32(1, "accounting off", 0);
582 kau_write(rec, tok);
583 }
584 break;
585
586 case AUE_SETAUID:
587 if (ARG_IS_VALID(kar, ARG_AUID)) {
588 tok = au_to_arg32(2, "setauid", ar->ar_arg_auid);
589 kau_write(rec, tok);
590 }
591 break;
592
593 case AUE_SETAUDIT:
594 if (ARG_IS_VALID(kar, ARG_AUID) &&
595 ARG_IS_VALID(kar, ARG_ASID) &&
596 ARG_IS_VALID(kar, ARG_AMASK) &&
597 ARG_IS_VALID(kar, ARG_TERMID)) {
598 tok = au_to_arg32(1, "setaudit:auid",
599 ar->ar_arg_auid);
600 kau_write(rec, tok);
601 tok = au_to_arg32(1, "setaudit:port",
602 ar->ar_arg_termid.port);
603 kau_write(rec, tok);
604 tok = au_to_arg32(1, "setaudit:machine",
605 ar->ar_arg_termid.machine);
606 kau_write(rec, tok);
607 tok = au_to_arg32(1, "setaudit:as_success",
608 ar->ar_arg_amask.am_success);
609 kau_write(rec, tok);
610 tok = au_to_arg32(1, "setaudit:as_failure",
611 ar->ar_arg_amask.am_failure);
612 kau_write(rec, tok);
613 tok = au_to_arg32(1, "setaudit:asid",
614 ar->ar_arg_asid);
615 kau_write(rec, tok);
616 }
617 break;
618
619 case AUE_SETAUDIT_ADDR:
620 if (ARG_IS_VALID(kar, ARG_AUID) &&
621 ARG_IS_VALID(kar, ARG_ASID) &&
622 ARG_IS_VALID(kar, ARG_AMASK) &&
623 ARG_IS_VALID(kar, ARG_TERMID_ADDR)) {
624 tok = au_to_arg32(1, "setaudit_addr:auid",
625 ar->ar_arg_auid);
626 kau_write(rec, tok);
627 tok = au_to_arg32(1, "setaudit_addr:as_success",
628 ar->ar_arg_amask.am_success);
629 kau_write(rec, tok);
630 tok = au_to_arg32(1, "setaudit_addr:as_failure",
631 ar->ar_arg_amask.am_failure);
632 kau_write(rec, tok);
633 tok = au_to_arg32(1, "setaudit_addr:asid",
634 ar->ar_arg_asid);
635 kau_write(rec, tok);
636 tok = au_to_arg32(1, "setaudit_addr:type",
637 ar->ar_arg_termid_addr.at_type);
638 kau_write(rec, tok);
639 tok = au_to_arg32(1, "setaudit_addr:port",
640 ar->ar_arg_termid_addr.at_port);
641 kau_write(rec, tok);
642 if (ar->ar_arg_termid_addr.at_type == AU_IPv6)
643 tok = au_to_in_addr_ex((struct in6_addr *)
644 &ar->ar_arg_termid_addr.at_addr[0]);
645 if (ar->ar_arg_termid_addr.at_type == AU_IPv4)
646 tok = au_to_in_addr((struct in_addr *)
647 &ar->ar_arg_termid_addr.at_addr[0]);
648 kau_write(rec, tok);
649 }
650 break;
651
652 case AUE_AUDITON:
653 /*
654 * For AUDITON commands without own event, audit the cmd.
655 */
656 if (ARG_IS_VALID(kar, ARG_CMD)) {
657 tok = au_to_arg32(1, "cmd", ar->ar_arg_cmd);
658 kau_write(rec, tok);
659 }
660 /* FALLTHROUGH */
661
662 case AUE_AUDITON_GETCAR:
663 case AUE_AUDITON_GETCLASS:
664 case AUE_AUDITON_GETCOND:
665 case AUE_AUDITON_GETCWD:
666 case AUE_AUDITON_GETKMASK:
667 case AUE_AUDITON_GETSTAT:
668 case AUE_AUDITON_GPOLICY:
669 case AUE_AUDITON_GQCTRL:
670 case AUE_AUDITON_SETCLASS:
671 case AUE_AUDITON_SETCOND:
672 case AUE_AUDITON_SETKMASK:
673 case AUE_AUDITON_SETSMASK:
674 case AUE_AUDITON_SETSTAT:
675 case AUE_AUDITON_SETUMASK:
676 case AUE_AUDITON_SPOLICY:
677 case AUE_AUDITON_SQCTRL:
678 if (ARG_IS_VALID(kar, ARG_AUDITON))
679 audit_sys_auditon(ar, rec);
680 break;
681
682 case AUE_AUDITCTL:
683 UPATH1_VNODE1_TOKENS;
684 break;
685
686 case AUE_EXIT:
687 if (ARG_IS_VALID(kar, ARG_EXIT)) {
688 tok = au_to_exit(ar->ar_arg_exitretval,
689 ar->ar_arg_exitstatus);
690 kau_write(rec, tok);
691 }
692 break;
693
694 case AUE_ADJTIME:
695 case AUE_CLOCK_SETTIME:
696 case AUE_AUDIT:
697 case AUE_DUP2:
698 case AUE_GETAUDIT:
699 case AUE_GETAUDIT_ADDR:
700 case AUE_GETAUID:
701 case AUE_GETCWD:
702 case AUE_GETFSSTAT:
703 case AUE_GETRESUID:
704 case AUE_GETRESGID:
705 case AUE_KQUEUE:
706 case AUE_MODLOAD:
707 case AUE_MODUNLOAD:
708 case AUE_MSGSYS:
709 case AUE_NTP_ADJTIME:
710 case AUE_PIPE:
711 case AUE_POSIX_OPENPT:
712 case AUE_PROFILE:
713 case AUE_RTPRIO:
714 case AUE_SEMSYS:
715 case AUE_SHMSYS:
716 case AUE_SETPGRP:
717 case AUE_SETRLIMIT:
718 case AUE_SETSID:
719 case AUE_SETTIMEOFDAY:
720 case AUE_SYSARCH:
721
722 /*
723 * Header, subject, and return tokens added at end.
724 */
725 break;
726
727 case AUE_CHDIR:
728 case AUE_CHROOT:
729 case AUE_FSTATAT:
730 case AUE_FUTIMESAT:
731 case AUE_GETATTRLIST:
732 case AUE_JAIL:
733 case AUE_LUTIMES:
734 case AUE_NFS_GETFH:
735 case AUE_LSTAT:
736 case AUE_LPATHCONF:
737 case AUE_PATHCONF:
738 case AUE_READLINK:
739 case AUE_READLINKAT:
740 case AUE_REVOKE:
741 case AUE_RMDIR:
742 case AUE_SEARCHFS:
743 case AUE_SETATTRLIST:
744 case AUE_STAT:
745 case AUE_STATFS:
746 case AUE_SWAPON:
747 case AUE_SWAPOFF:
748 case AUE_TRUNCATE:
749 case AUE_UNDELETE:
750 case AUE_UNLINK:
751 case AUE_UNLINKAT:
752 case AUE_UTIMES:
753 ATFD1_TOKENS(1);
754 UPATH1_VNODE1_TOKENS;
755 break;
756
757 case AUE_ACCESS:
758 case AUE_EACCESS:
759 case AUE_FACCESSAT:
760 ATFD1_TOKENS(1);
761 UPATH1_VNODE1_TOKENS;
762 if (ARG_IS_VALID(kar, ARG_VALUE)) {
763 tok = au_to_arg32(2, "mode", ar->ar_arg_value);
764 kau_write(rec, tok);
765 }
766 break;
767
768 case AUE_FHSTATFS:
769 case AUE_FHOPEN:
770 case AUE_FHSTAT:
771 /* XXXRW: Need to audit vnode argument. */
772 break;
773
774 case AUE_CHFLAGS:
775 case AUE_LCHFLAGS:
776 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
777 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
778 kau_write(rec, tok);
779 }
780 UPATH1_VNODE1_TOKENS;
781 break;
782
783 case AUE_CHMOD:
784 case AUE_LCHMOD:
785 if (ARG_IS_VALID(kar, ARG_MODE)) {
786 tok = au_to_arg32(2, "new file mode",
787 ar->ar_arg_mode);
788 kau_write(rec, tok);
789 }
790 UPATH1_VNODE1_TOKENS;
791 break;
792
793 case AUE_FCHMODAT:
794 ATFD1_TOKENS(1);
795 if (ARG_IS_VALID(kar, ARG_MODE)) {
796 tok = au_to_arg32(3, "new file mode",
797 ar->ar_arg_mode);
798 kau_write(rec, tok);
799 }
800 UPATH1_VNODE1_TOKENS;
801 break;
802
803 case AUE_CHOWN:
804 case AUE_LCHOWN:
805 if (ARG_IS_VALID(kar, ARG_UID)) {
806 tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid);
807 kau_write(rec, tok);
808 }
809 if (ARG_IS_VALID(kar, ARG_GID)) {
810 tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid);
811 kau_write(rec, tok);
812 }
813 UPATH1_VNODE1_TOKENS;
814 break;
815
816 case AUE_FCHOWNAT:
817 ATFD1_TOKENS(1);
818 if (ARG_IS_VALID(kar, ARG_UID)) {
819 tok = au_to_arg32(3, "new file uid", ar->ar_arg_uid);
820 kau_write(rec, tok);
821 }
822 if (ARG_IS_VALID(kar, ARG_GID)) {
823 tok = au_to_arg32(4, "new file gid", ar->ar_arg_gid);
824 kau_write(rec, tok);
825 }
826 UPATH1_VNODE1_TOKENS;
827 break;
828
829 case AUE_EXCHANGEDATA:
830 UPATH1_VNODE1_TOKENS;
831 UPATH2_TOKENS;
832 break;
833
834 case AUE_CLOSE:
835 if (ARG_IS_VALID(kar, ARG_FD)) {
836 tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
837 kau_write(rec, tok);
838 }
839 UPATH1_VNODE1_TOKENS;
840 break;
841
842 case AUE_CLOSEFROM:
843 if (ARG_IS_VALID(kar, ARG_FD)) {
844 tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
845 kau_write(rec, tok);
846 }
847 break;
848
849 case AUE_CORE:
850 if (ARG_IS_VALID(kar, ARG_SIGNUM)) {
851 tok = au_to_arg32(1, "signal", ar->ar_arg_signum);
852 kau_write(rec, tok);
853 }
854 UPATH1_VNODE1_TOKENS;
855 break;
856
857 case AUE_EXTATTRCTL:
858 UPATH1_VNODE1_TOKENS;
859 if (ARG_IS_VALID(kar, ARG_CMD)) {
860 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd);
861 kau_write(rec, tok);
862 }
863 /* extattrctl(2) filename parameter is in upath2/vnode2 */
864 UPATH2_TOKENS;
865 VNODE2_TOKENS;
866 EXTATTR_TOKENS(4);
867 break;
868
869 case AUE_EXTATTR_GET_FILE:
870 case AUE_EXTATTR_SET_FILE:
871 case AUE_EXTATTR_LIST_FILE:
872 case AUE_EXTATTR_DELETE_FILE:
873 case AUE_EXTATTR_GET_LINK:
874 case AUE_EXTATTR_SET_LINK:
875 case AUE_EXTATTR_LIST_LINK:
876 case AUE_EXTATTR_DELETE_LINK:
877 UPATH1_VNODE1_TOKENS;
878 EXTATTR_TOKENS(2);
879 break;
880
881 case AUE_EXTATTR_GET_FD:
882 case AUE_EXTATTR_SET_FD:
883 case AUE_EXTATTR_LIST_FD:
884 case AUE_EXTATTR_DELETE_FD:
885 if (ARG_IS_VALID(kar, ARG_FD)) {
886 tok = au_to_arg32(2, "fd", ar->ar_arg_fd);
887 kau_write(rec, tok);
888 }
889 EXTATTR_TOKENS(2);
890 break;
891
892 case AUE_FEXECVE:
893 if (ARG_IS_VALID(kar, ARG_FD)) {
894 tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
895 kau_write(rec, tok);
896 }
897 /* FALLTHROUGH */
898
899 case AUE_EXECVE:
900 case AUE_MAC_EXECVE:
901 if (ARG_IS_VALID(kar, ARG_ARGV)) {
902 tok = au_to_exec_args(ar->ar_arg_argv,
903 ar->ar_arg_argc);
904 kau_write(rec, tok);
905 }
906 if (ARG_IS_VALID(kar, ARG_ENVV)) {
907 tok = au_to_exec_env(ar->ar_arg_envv,
908 ar->ar_arg_envc);
909 kau_write(rec, tok);
910 }
911 UPATH1_VNODE1_TOKENS;
912 break;
913
914 case AUE_FCHMOD:
915 if (ARG_IS_VALID(kar, ARG_MODE)) {
916 tok = au_to_arg32(2, "new file mode",
917 ar->ar_arg_mode);
918 kau_write(rec, tok);
919 }
920 FD_VNODE1_TOKENS;
921 break;
922
923 /*
924 * XXXRW: Some of these need to handle non-vnode cases as well.
925 */
926 case AUE_FCHDIR:
927 case AUE_FPATHCONF:
928 case AUE_FSTAT:
929 case AUE_FSTATFS:
930 case AUE_FSYNC:
931 case AUE_FTRUNCATE:
932 case AUE_FUTIMES:
933 case AUE_GETDIRENTRIES:
934 case AUE_GETDIRENTRIESATTR:
935 case AUE_LSEEK:
936 case AUE_POLL:
937 case AUE_READ:
938 case AUE_READV:
939 case AUE_WRITE:
940 case AUE_WRITEV:
941 FD_VNODE1_TOKENS;
942 break;
943
944 case AUE_FCHOWN:
945 if (ARG_IS_VALID(kar, ARG_UID)) {
946 tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid);
947 kau_write(rec, tok);
948 }
949 if (ARG_IS_VALID(kar, ARG_GID)) {
950 tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid);
951 kau_write(rec, tok);
952 }
953 FD_VNODE1_TOKENS;
954 break;
955
956 case AUE_FCNTL:
957 if (ARG_IS_VALID(kar, ARG_CMD)) {
958 tok = au_to_arg32(2, "cmd",
959 au_fcntl_cmd_to_bsm(ar->ar_arg_cmd));
960 kau_write(rec, tok);
961 }
962 if (ar->ar_arg_cmd == F_GETLK || ar->ar_arg_cmd == F_SETLK ||
963 ar->ar_arg_cmd == F_SETLKW) {
964 FD_VNODE1_TOKENS;
965 }
966 break;
967
968 case AUE_FCHFLAGS:
969 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
970 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
971 kau_write(rec, tok);
972 }
973 FD_VNODE1_TOKENS;
974 break;
975
976 case AUE_FLOCK:
977 if (ARG_IS_VALID(kar, ARG_CMD)) {
978 tok = au_to_arg32(2, "operation", ar->ar_arg_cmd);
979 kau_write(rec, tok);
980 }
981 FD_VNODE1_TOKENS;
982 break;
983
984 case AUE_RFORK:
985 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
986 tok = au_to_arg32(1, "flags", ar->ar_arg_fflags);
987 kau_write(rec, tok);
988 }
989 /* FALLTHROUGH */
990
991 case AUE_FORK:
992 case AUE_VFORK:
993 if (ARG_IS_VALID(kar, ARG_PID)) {
994 tok = au_to_arg32(0, "child PID", ar->ar_arg_pid);
995 kau_write(rec, tok);
996 }
997 break;
998
999 case AUE_IOCTL:
1000 if (ARG_IS_VALID(kar, ARG_CMD)) {
1001 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd);
1002 kau_write(rec, tok);
1003 }
1004 if (ARG_IS_VALID(kar, ARG_VNODE1))
1005 FD_VNODE1_TOKENS;
1006 else {
1007 if (ARG_IS_VALID(kar, ARG_SOCKINFO)) {
1008 tok = kau_to_socket(&ar->ar_arg_sockinfo);
1009 kau_write(rec, tok);
1010 } else {
1011 if (ARG_IS_VALID(kar, ARG_FD)) {
1012 tok = au_to_arg32(1, "fd",
1013 ar->ar_arg_fd);
1014 kau_write(rec, tok);
1015 }
1016 }
1017 }
1018 break;
1019
1020 case AUE_KILL:
1021 case AUE_KILLPG:
1022 if (ARG_IS_VALID(kar, ARG_SIGNUM)) {
1023 tok = au_to_arg32(2, "signal", ar->ar_arg_signum);
1024 kau_write(rec, tok);
1025 }
1026 PROCESS_PID_TOKENS(1);
1027 break;
1028
1029 case AUE_KTRACE:
1030 if (ARG_IS_VALID(kar, ARG_CMD)) {
1031 tok = au_to_arg32(2, "ops", ar->ar_arg_cmd);
1032 kau_write(rec, tok);
1033 }
1034 if (ARG_IS_VALID(kar, ARG_VALUE)) {
1035 tok = au_to_arg32(3, "trpoints", ar->ar_arg_value);
1036 kau_write(rec, tok);
1037 }
1038 PROCESS_PID_TOKENS(4);
1039 UPATH1_VNODE1_TOKENS;
1040 break;
1041
1042 case AUE_LINK:
1043 case AUE_LINKAT:
1044 case AUE_RENAME:
1045 case AUE_RENAMEAT:
1046 ATFD1_TOKENS(1);
1047 UPATH1_VNODE1_TOKENS;
1048 ATFD2_TOKENS(3);
1049 UPATH2_TOKENS;
1050 break;
1051
1052 case AUE_LOADSHFILE:
1053 ADDR_TOKEN(4, "base addr");
1054 UPATH1_VNODE1_TOKENS;
1055 break;
1056
1057 case AUE_MKDIR:
1058 case AUE_MKDIRAT:
1059 case AUE_MKFIFO:
1060 case AUE_MKFIFOAT:
1061 ATFD1_TOKENS(1);
1062 if (ARG_IS_VALID(kar, ARG_MODE)) {
1063 tok = au_to_arg32(2, "mode", ar->ar_arg_mode);
1064 kau_write(rec, tok);
1065 }
1066 UPATH1_VNODE1_TOKENS;
1067 break;
1068
1069 case AUE_MKNOD:
1070 case AUE_MKNODAT:
1071 ATFD1_TOKENS(1);
1072 if (ARG_IS_VALID(kar, ARG_MODE)) {
1073 tok = au_to_arg32(2, "mode", ar->ar_arg_mode);
1074 kau_write(rec, tok);
1075 }
1076 if (ARG_IS_VALID(kar, ARG_DEV)) {
1077 tok = au_to_arg32(3, "dev", ar->ar_arg_dev);
1078 kau_write(rec, tok);
1079 }
1080 UPATH1_VNODE1_TOKENS;
1081 break;
1082
1083 case AUE_MMAP:
1084 case AUE_MUNMAP:
1085 case AUE_MPROTECT:
1086 case AUE_MLOCK:
1087 case AUE_MUNLOCK:
1088 case AUE_MINHERIT:
1089 ADDR_TOKEN(1, "addr");
1090 if (ARG_IS_VALID(kar, ARG_LEN)) {
1091 tok = au_to_arg32(2, "len", ar->ar_arg_len);
1092 kau_write(rec, tok);
1093 }
1094 if (ar->ar_event == AUE_MMAP)
1095 FD_VNODE1_TOKENS;
1096 if (ar->ar_event == AUE_MPROTECT) {
1097 if (ARG_IS_VALID(kar, ARG_VALUE)) {
1098 tok = au_to_arg32(3, "protection",
1099 ar->ar_arg_value);
1100 kau_write(rec, tok);
1101 }
1102 }
1103 if (ar->ar_event == AUE_MINHERIT) {
1104 if (ARG_IS_VALID(kar, ARG_VALUE)) {
1105 tok = au_to_arg32(3, "inherit",
1106 ar->ar_arg_value);
1107 kau_write(rec, tok);
1108 }
1109 }
1110 break;
1111
1112 case AUE_MOUNT:
1113 case AUE_NMOUNT:
1114 /* XXX Need to handle NFS mounts */
1115 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
1116 tok = au_to_arg32(3, "flags", ar->ar_arg_fflags);
1117 kau_write(rec, tok);
1118 }
1119 if (ARG_IS_VALID(kar, ARG_TEXT)) {
1120 tok = au_to_text(ar->ar_arg_text);
1121 kau_write(rec, tok);
1122 }
1123 /* FALLTHROUGH */
1124
1125 case AUE_NFS_SVC:
1126 if (ARG_IS_VALID(kar, ARG_CMD)) {
1127 tok = au_to_arg32(1, "flags", ar->ar_arg_cmd);
1128 kau_write(rec, tok);
1129 }
1130 break;
1131
1132 case AUE_UMOUNT:
1133 if (ARG_IS_VALID(kar, ARG_VALUE)) {
1134 tok = au_to_arg32(2, "flags", ar->ar_arg_value);
1135 kau_write(rec, tok);
1136 }
1137 UPATH1_VNODE1_TOKENS;
1138 if (ARG_IS_VALID(kar, ARG_TEXT)) {
1139 tok = au_to_text(ar->ar_arg_text);
1140 kau_write(rec, tok);
1141 }
1142 break;
1143
1144 case AUE_MSGCTL:
1145 ar->ar_event = audit_msgctl_to_event(ar->ar_arg_svipc_cmd);
1146 /* Fall through */
1147
1148 case AUE_MSGRCV:
1149 case AUE_MSGSND:
1150 tok = au_to_arg32(1, "msg ID", ar->ar_arg_svipc_id);
1151 kau_write(rec, tok);
1152 if (ar->ar_errno != EINVAL) {
1153 tok = au_to_ipc(AT_IPC_MSG, ar->ar_arg_svipc_id);
1154 kau_write(rec, tok);
1155 }
1156 break;
1157
1158 case AUE_MSGGET:
1159 if (ar->ar_errno == 0) {
1160 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
1161 tok = au_to_ipc(AT_IPC_MSG,
1162 ar->ar_arg_svipc_id);
1163 kau_write(rec, tok);
1164 }
1165 }
1166 break;
1167
1168 case AUE_RESETSHFILE:
1169 ADDR_TOKEN(1, "base addr");
1170 break;
1171
1172 case AUE_OPEN_RC:
1173 case AUE_OPEN_RTC:
1174 case AUE_OPEN_RWC:
1175 case AUE_OPEN_RWTC:
1176 case AUE_OPEN_WC:
1177 case AUE_OPEN_WTC:
1178 case AUE_CREAT:
1179 if (ARG_IS_VALID(kar, ARG_MODE)) {
1180 tok = au_to_arg32(3, "mode", ar->ar_arg_mode);
1181 kau_write(rec, tok);
1182 }
1183 /* FALLTHROUGH */
1184
1185 case AUE_OPEN_R:
1186 case AUE_OPEN_RT:
1187 case AUE_OPEN_RW:
1188 case AUE_OPEN_RWT:
1189 case AUE_OPEN_W:
1190 case AUE_OPEN_WT:
1191 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
1192 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
1193 kau_write(rec, tok);
1194 }
1195 UPATH1_VNODE1_TOKENS;
1196 break;
1197
1198 case AUE_OPENAT_RC:
1199 case AUE_OPENAT_RTC:
1200 case AUE_OPENAT_RWC:
1201 case AUE_OPENAT_RWTC:
1202 case AUE_OPENAT_WC:
1203 case AUE_OPENAT_WTC:
1204 if (ARG_IS_VALID(kar, ARG_MODE)) {
1205 tok = au_to_arg32(3, "mode", ar->ar_arg_mode);
1206 kau_write(rec, tok);
1207 }
1208 /* FALLTHROUGH */
1209
1210 case AUE_OPENAT_R:
1211 case AUE_OPENAT_RT:
1212 case AUE_OPENAT_RW:
1213 case AUE_OPENAT_RWT:
1214 case AUE_OPENAT_W:
1215 case AUE_OPENAT_WT:
1216 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
1217 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
1218 kau_write(rec, tok);
1219 }
1220 ATFD1_TOKENS(1);
1221 UPATH1_VNODE1_TOKENS;
1222 break;
1223
1224 case AUE_PTRACE:
1225 if (ARG_IS_VALID(kar, ARG_CMD)) {
1226 tok = au_to_arg32(1, "request", ar->ar_arg_cmd);
1227 kau_write(rec, tok);
1228 }
1229 if (ARG_IS_VALID(kar, ARG_VALUE)) {
1230 tok = au_to_arg32(4, "data", ar->ar_arg_value);
1231 kau_write(rec, tok);
1232 }
1233 PROCESS_PID_TOKENS(2);
1234 break;
1235
1236 case AUE_QUOTACTL:
1237 if (ARG_IS_VALID(kar, ARG_CMD)) {
1238 tok = au_to_arg32(2, "command", ar->ar_arg_cmd);
1239 kau_write(rec, tok);
1240 }
1241 if (ARG_IS_VALID(kar, ARG_UID)) {
1242 tok = au_to_arg32(3, "uid", ar->ar_arg_uid);
1243 kau_write(rec, tok);
1244 }
1245 if (ARG_IS_VALID(kar, ARG_GID)) {
1246 tok = au_to_arg32(3, "gid", ar->ar_arg_gid);
1247 kau_write(rec, tok);
1248 }
1249 UPATH1_VNODE1_TOKENS;
1250 break;
1251
1252 case AUE_REBOOT:
1253 if (ARG_IS_VALID(kar, ARG_CMD)) {
1254 tok = au_to_arg32(1, "howto", ar->ar_arg_cmd);
1255 kau_write(rec, tok);
1256 }
1257 break;
1258
1259 case AUE_SEMCTL:
1260 ar->ar_event = audit_semctl_to_event(ar->ar_arg_svipc_cmd);
1261 /* Fall through */
1262
1263 case AUE_SEMOP:
1264 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
1265 tok = au_to_arg32(1, "sem ID", ar->ar_arg_svipc_id);
1266 kau_write(rec, tok);
1267 if (ar->ar_errno != EINVAL) {
1268 tok = au_to_ipc(AT_IPC_SEM,
1269 ar->ar_arg_svipc_id);
1270 kau_write(rec, tok);
1271 }
1272 }
1273 break;
1274
1275 case AUE_SEMGET:
1276 if (ar->ar_errno == 0) {
1277 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
1278 tok = au_to_ipc(AT_IPC_SEM,
1279 ar->ar_arg_svipc_id);
1280 kau_write(rec, tok);
1281 }
1282 }
1283 break;
1284
1285 case AUE_SETEGID:
1286 if (ARG_IS_VALID(kar, ARG_EGID)) {
1287 tok = au_to_arg32(1, "egid", ar->ar_arg_egid);
1288 kau_write(rec, tok);
1289 }
1290 break;
1291
1292 case AUE_SETEUID:
1293 if (ARG_IS_VALID(kar, ARG_EUID)) {
1294 tok = au_to_arg32(1, "euid", ar->ar_arg_euid);
1295 kau_write(rec, tok);
1296 }
1297 break;
1298
1299 case AUE_SETREGID:
1300 if (ARG_IS_VALID(kar, ARG_RGID)) {
1301 tok = au_to_arg32(1, "rgid", ar->ar_arg_rgid);
1302 kau_write(rec, tok);
1303 }
1304 if (ARG_IS_VALID(kar, ARG_EGID)) {
1305 tok = au_to_arg32(2, "egid", ar->ar_arg_egid);
1306 kau_write(rec, tok);
1307 }
1308 break;
1309
1310 case AUE_SETREUID:
1311 if (ARG_IS_VALID(kar, ARG_RUID)) {
1312 tok = au_to_arg32(1, "ruid", ar->ar_arg_ruid);
1313 kau_write(rec, tok);
1314 }
1315 if (ARG_IS_VALID(kar, ARG_EUID)) {
1316 tok = au_to_arg32(2, "euid", ar->ar_arg_euid);
1317 kau_write(rec, tok);
1318 }
1319 break;
1320
1321 case AUE_SETRESGID:
1322 if (ARG_IS_VALID(kar, ARG_RGID)) {
1323 tok = au_to_arg32(1, "rgid", ar->ar_arg_rgid);
1324 kau_write(rec, tok);
1325 }
1326 if (ARG_IS_VALID(kar, ARG_EGID)) {
1327 tok = au_to_arg32(2, "egid", ar->ar_arg_egid);
1328 kau_write(rec, tok);
1329 }
1330 if (ARG_IS_VALID(kar, ARG_SGID)) {
1331 tok = au_to_arg32(3, "sgid", ar->ar_arg_sgid);
1332 kau_write(rec, tok);
1333 }
1334 break;
1335
1336 case AUE_SETRESUID:
1337 if (ARG_IS_VALID(kar, ARG_RUID)) {
1338 tok = au_to_arg32(1, "ruid", ar->ar_arg_ruid);
1339 kau_write(rec, tok);
1340 }
1341 if (ARG_IS_VALID(kar, ARG_EUID)) {
1342 tok = au_to_arg32(2, "euid", ar->ar_arg_euid);
1343 kau_write(rec, tok);
1344 }
1345 if (ARG_IS_VALID(kar, ARG_SUID)) {
1346 tok = au_to_arg32(3, "suid", ar->ar_arg_suid);
1347 kau_write(rec, tok);
1348 }
1349 break;
1350
1351 case AUE_SETGID:
1352 if (ARG_IS_VALID(kar, ARG_GID)) {
1353 tok = au_to_arg32(1, "gid", ar->ar_arg_gid);
1354 kau_write(rec, tok);
1355 }
1356 break;
1357
1358 case AUE_SETUID:
1359 if (ARG_IS_VALID(kar, ARG_UID)) {
1360 tok = au_to_arg32(1, "uid", ar->ar_arg_uid);
1361 kau_write(rec, tok);
1362 }
1363 break;
1364
1365 case AUE_SETGROUPS:
1366 if (ARG_IS_VALID(kar, ARG_GROUPSET)) {
1367 for(ctr = 0; ctr < ar->ar_arg_groups.gidset_size; ctr++)
1368 {
1369 tok = au_to_arg32(1, "setgroups",
1370 ar->ar_arg_groups.gidset[ctr]);
1371 kau_write(rec, tok);
1372 }
1373 }
1374 break;
1375
1376 case AUE_SETLOGIN:
1377 if (ARG_IS_VALID(kar, ARG_TEXT)) {
1378 tok = au_to_text(ar->ar_arg_text);
1379 kau_write(rec, tok);
1380 }
1381 break;
1382
1383 case AUE_SETPRIORITY:
1384 if (ARG_IS_VALID(kar, ARG_CMD)) {
1385 tok = au_to_arg32(1, "which", ar->ar_arg_cmd);
1386 kau_write(rec, tok);
1387 }
1388 if (ARG_IS_VALID(kar, ARG_UID)) {
1389 tok = au_to_arg32(2, "who", ar->ar_arg_uid);
1390 kau_write(rec, tok);
1391 }
1392 PROCESS_PID_TOKENS(2);
1393 if (ARG_IS_VALID(kar, ARG_VALUE)) {
1394 tok = au_to_arg32(3, "priority", ar->ar_arg_value);
1395 kau_write(rec, tok);
1396 }
1397 break;
1398
1399 case AUE_SETPRIVEXEC:
1400 if (ARG_IS_VALID(kar, ARG_VALUE)) {
1401 tok = au_to_arg32(1, "flag", ar->ar_arg_value);
1402 kau_write(rec, tok);
1403 }
1404 break;
1405
1406 /* AUE_SHMAT, AUE_SHMCTL, AUE_SHMDT and AUE_SHMGET are SysV IPC */
1407 case AUE_SHMAT:
1408 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
1409 tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id);
1410 kau_write(rec, tok);
1411 /* XXXAUDIT: Does having the ipc token make sense? */
1412 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id);
1413 kau_write(rec, tok);
1414 }
1415 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) {
1416 tok = au_to_arg32(2, "shmaddr",
1417 (int)(uintptr_t)ar->ar_arg_svipc_addr);
1418 kau_write(rec, tok);
1419 }
1420 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) {
1421 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm);
1422 kau_write(rec, tok);
1423 }
1424 break;
1425
1426 case AUE_SHMCTL:
1427 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
1428 tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id);
1429 kau_write(rec, tok);
1430 /* XXXAUDIT: Does having the ipc token make sense? */
1431 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id);
1432 kau_write(rec, tok);
1433 }
1434 switch (ar->ar_arg_svipc_cmd) {
1435 case IPC_STAT:
1436 ar->ar_event = AUE_SHMCTL_STAT;
1437 break;
1438 case IPC_RMID:
1439 ar->ar_event = AUE_SHMCTL_RMID;
1440 break;
1441 case IPC_SET:
1442 ar->ar_event = AUE_SHMCTL_SET;
1443 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) {
1444 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm);
1445 kau_write(rec, tok);
1446 }
1447 break;
1448 default:
1449 break; /* We will audit a bad command */
1450 }
1451 break;
1452
1453 case AUE_SHMDT:
1454 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) {
1455 tok = au_to_arg32(1, "shmaddr",
1456 (int)(uintptr_t)ar->ar_arg_svipc_addr);
1457 kau_write(rec, tok);
1458 }
1459 break;
1460
1461 case AUE_SHMGET:
1462 /* This is unusual; the return value is in an argument token */
1463 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
1464 tok = au_to_arg32(0, "shmid", ar->ar_arg_svipc_id);
1465 kau_write(rec, tok);
1466 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id);
1467 kau_write(rec, tok);
1468 }
1469 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) {
1470 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm);
1471 kau_write(rec, tok);
1472 }
1473 break;
1474
1475 /* AUE_SHMOPEN, AUE_SHMUNLINK, AUE_SEMOPEN, AUE_SEMCLOSE
1476 * and AUE_SEMUNLINK are Posix IPC */
1477 case AUE_SHMOPEN:
1478 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) {
1479 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
1480 kau_write(rec, tok);
1481 }
1482 if (ARG_IS_VALID(kar, ARG_MODE)) {
1483 tok = au_to_arg32(3, "mode", ar->ar_arg_mode);
1484 kau_write(rec, tok);
1485 }
1486 /* FALLTHROUGH */
1487
1488 case AUE_SHMUNLINK:
1489 if (ARG_IS_VALID(kar, ARG_TEXT)) {
1490 tok = au_to_text(ar->ar_arg_text);
1491 kau_write(rec, tok);
1492 }
1493 if (ARG_IS_VALID(kar, ARG_POSIX_IPC_PERM)) {
1494 struct ipc_perm perm;
1495
1496 perm.uid = ar->ar_arg_pipc_perm.pipc_uid;
1497 perm.gid = ar->ar_arg_pipc_perm.pipc_gid;
1498 perm.cuid = ar->ar_arg_pipc_perm.pipc_uid;
1499 perm.cgid = ar->ar_arg_pipc_perm.pipc_gid;
1500 perm.mode = ar->ar_arg_pipc_perm.pipc_mode;
1501 perm.seq = 0;
1502 perm.key = 0;
1503 tok = au_to_ipc_perm(&perm);
1504 kau_write(rec, tok);
1505 }
1506 break;
1507
1508 case AUE_SEMOPEN:
1509 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
1510 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
1511 kau_write(rec, tok);
1512 }
1513 if (ARG_IS_VALID(kar, ARG_MODE)) {
1514 tok = au_to_arg32(3, "mode", ar->ar_arg_mode);
1515 kau_write(rec, tok);
1516 }
1517 if (ARG_IS_VALID(kar, ARG_VALUE)) {
1518 tok = au_to_arg32(4, "value", ar->ar_arg_value);
1519 kau_write(rec, tok);
1520 }
1521 /* FALLTHROUGH */
1522
1523 case AUE_SEMUNLINK:
1524 if (ARG_IS_VALID(kar, ARG_TEXT)) {
1525 tok = au_to_text(ar->ar_arg_text);
1526 kau_write(rec, tok);
1527 }
1528 if (ARG_IS_VALID(kar, ARG_POSIX_IPC_PERM)) {
1529 struct ipc_perm perm;
1530
1531 perm.uid = ar->ar_arg_pipc_perm.pipc_uid;
1532 perm.gid = ar->ar_arg_pipc_perm.pipc_gid;
1533 perm.cuid = ar->ar_arg_pipc_perm.pipc_uid;
1534 perm.cgid = ar->ar_arg_pipc_perm.pipc_gid;
1535 perm.mode = ar->ar_arg_pipc_perm.pipc_mode;
1536 perm.seq = 0;
1537 perm.key = 0;
1538 tok = au_to_ipc_perm(&perm);
1539 kau_write(rec, tok);
1540 }
1541 break;
1542
1543 case AUE_SEMCLOSE:
1544 if (ARG_IS_VALID(kar, ARG_FD)) {
1545 tok = au_to_arg32(1, "sem", ar->ar_arg_fd);
1546 kau_write(rec, tok);
1547 }
1548 break;
1549
1550 case AUE_SYMLINK:
1551 case AUE_SYMLINKAT:
1552 if (ARG_IS_VALID(kar, ARG_TEXT)) {
1553 tok = au_to_text(ar->ar_arg_text);
1554 kau_write(rec, tok);
1555 }
1556 ATFD1_TOKENS(1);
1557 UPATH1_VNODE1_TOKENS;
1558 break;
1559
1560 case AUE_SYSCTL:
1561 case AUE_SYSCTL_NONADMIN:
1562 if (ARG_IS_VALID(kar, ARG_CTLNAME | ARG_LEN)) {
1563 for (ctr = 0; ctr < ar->ar_arg_len; ctr++) {
1564 tok = au_to_arg32(1, "name",
1565 ar->ar_arg_ctlname[ctr]);
1566 kau_write(rec, tok);
1567 }
1568 }
1569 if (ARG_IS_VALID(kar, ARG_VALUE)) {
1570 tok = au_to_arg32(5, "newval", ar->ar_arg_value);
1571 kau_write(rec, tok);
1572 }
1573 if (ARG_IS_VALID(kar, ARG_TEXT)) {
1574 tok = au_to_text(ar->ar_arg_text);
1575 kau_write(rec, tok);
1576 }
1577 break;
1578
1579 case AUE_UMASK:
1580 if (ARG_IS_VALID(kar, ARG_MASK)) {
1581 tok = au_to_arg32(1, "new mask", ar->ar_arg_mask);
1582 kau_write(rec, tok);
1583 }
1584 tok = au_to_arg32(0, "prev mask", ar->ar_retval);
1585 kau_write(rec, tok);
1586 break;
1587
1588 case AUE_WAIT4:
1589 PROCESS_PID_TOKENS(1);
1590 if (ARG_IS_VALID(kar, ARG_VALUE)) {
1591 tok = au_to_arg32(3, "options", ar->ar_arg_value);
1592 kau_write(rec, tok);
1593 }
1594 break;
1595
1596 case AUE_CAP_NEW:
1597 /*
1598 * XXXRW/XXXJA: Would be nice to audit socket/etc information.
1599 */
1600 FD_VNODE1_TOKENS;
1601 if (ARG_IS_VALID(kar, ARG_RIGHTS)) {
1602 tok = au_to_arg64(2, "rights", ar->ar_arg_rights);
1603 kau_write(rec, tok);
1604 }
1605 break;
1606
1607 case AUE_CAP_GETRIGHTS:
1608 if (ARG_IS_VALID(kar, ARG_FD)) {
1609 tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
1610 kau_write(rec, tok);
1611 }
1612 break;
1613
1614 case AUE_CAP_ENTER:
1615 case AUE_CAP_GETMODE:
1616 break;
1617
1618 case AUE_NULL:
1619 default:
1620 printf("BSM conversion requested for unknown event %d\n",
1621 ar->ar_event);
1622
1623 /*
1624 * Write the subject token so it is properly freed here.
1625 */
1626 kau_write(rec, subj_tok);
1627 kau_free(rec);
1628 return (BSM_NOAUDIT);
1629 }
1630
1631 kau_write(rec, subj_tok);
1632 tok = au_to_return32(au_errno_to_bsm(ar->ar_errno), ar->ar_retval);
1633 kau_write(rec, tok); /* Every record gets a return token */
1634
1635 kau_close(rec, &ar->ar_endtime, ar->ar_event);
1636
1637 *pau = rec;
1638 return (BSM_SUCCESS);
1639 }
1640
1641 /*
1642 * Verify that a record is a valid BSM record. This verification is simple
1643 * now, but may be expanded on sometime in the future. Return 1 if the
1644 * record is good, 0 otherwise.
1645 */
1646 int
1647 bsm_rec_verify(void *rec)
1648 {
1649 char c = *(char *)rec;
1650
1651 /*
1652 * Check the token ID of the first token; it has to be a header
1653 * token.
1654 *
1655 * XXXAUDIT There needs to be a token structure to map a token.
1656 * XXXAUDIT 'Shouldn't be simply looking at the first char.
1657 */
1658 if ((c != AUT_HEADER32) && (c != AUT_HEADER32_EX) &&
1659 (c != AUT_HEADER64) && (c != AUT_HEADER64_EX))
1660 return (0);
1661 return (1);
1662 }
Cache object: 584d9f013e6f61212d80fdd3affe9779
|