2 * Copyright (c) 1999-2009 Apple Inc.
3 * Copyright (c) 2016-2017 Robert N. M. Watson
6 * Portions of this software were developed by BAE Systems, the University of
7 * Cambridge Computer Laboratory, and Memorial University under DARPA/AFRL
8 * contract FA8650-15-C-7558 ("CADETS"), as part of the DARPA Transparent
9 * Computing (TC) research program.
11 * Redistribution and use in source and binary forms, with or without
12 * modification, are permitted provided that the following conditions
14 * 1. Redistributions of source code must retain the above copyright
15 * notice, this list of conditions and the following disclaimer.
16 * 2. Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in the
18 * documentation and/or other materials provided with the distribution.
19 * 3. Neither the name of Apple Inc. ("Apple") nor the names of
20 * its contributors may be used to endorse or promote products derived
21 * from this software without specific prior written permission.
23 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
27 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
31 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
32 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
33 * POSSIBILITY OF SUCH DAMAGE.
36 #include <sys/cdefs.h>
37 __FBSDID("$FreeBSD$");
39 #include <sys/param.h>
40 #include <sys/vnode.h>
43 #include <sys/malloc.h>
44 #include <sys/mutex.h>
45 #include <sys/socket.h>
46 #include <sys/extattr.h>
47 #include <sys/fcntl.h>
49 #include <sys/systm.h>
51 #include <bsm/audit.h>
52 #include <bsm/audit_internal.h>
53 #include <bsm/audit_record.h>
54 #include <bsm/audit_kevents.h>
56 #include <security/audit/audit.h>
57 #include <security/audit/audit_private.h>
59 #include <netinet/in_systm.h>
60 #include <netinet/in.h>
61 #include <netinet/ip.h>
63 MALLOC_DEFINE(M_AUDITBSM, "audit_bsm", "Audit BSM data");
65 static void audit_sys_auditon(struct audit_record *ar,
66 struct au_record *rec);
69 * Initialize the BSM auditing subsystem.
80 * This call reserves memory for the audit record. Memory must be guaranteed
81 * before any auditable event can be generated. The au_record structure
82 * maintains a reference to the memory allocated above and also the list of
83 * tokens associated with this record.
85 static struct au_record *
88 struct au_record *rec;
90 rec = malloc(sizeof(*rec), M_AUDITBSM, M_WAITOK);
92 TAILQ_INIT(&rec->token_q);
100 * Store the token with the record descriptor.
103 kau_write(struct au_record *rec, struct au_token *tok)
106 KASSERT(tok != NULL, ("kau_write: tok == NULL"));
108 TAILQ_INSERT_TAIL(&rec->token_q, tok, tokens);
109 rec->len += tok->len;
113 * Close out the audit record by adding the header token, identifying any
114 * missing tokens. Write out the tokens to the record memory.
117 kau_close(struct au_record *rec, struct timespec *ctime, short event)
121 token_t *cur, *hdr, *trail;
124 struct auditinfo_addr ak;
127 audit_get_kinfo(&ak);
129 switch (ak.ai_termid.at_type) {
131 hdrsize = (ak.ai_termid.at_addr[0] == INADDR_ANY) ?
132 AUDIT_HEADER_SIZE : AUDIT_HEADER_EX_SIZE(&ak);
135 ap = (struct in6_addr *)&ak.ai_termid.at_addr[0];
136 hdrsize = (IN6_IS_ADDR_UNSPECIFIED(ap)) ? AUDIT_HEADER_SIZE :
137 AUDIT_HEADER_EX_SIZE(&ak);
140 panic("kau_close: invalid address family");
142 tot_rec_size = rec->len + hdrsize + AUDIT_TRAILER_SIZE;
143 rec->data = malloc(tot_rec_size, M_AUDITBSM, M_WAITOK | M_ZERO);
145 tm.tv_usec = ctime->tv_nsec / 1000;
146 tm.tv_sec = ctime->tv_sec;
147 if (hdrsize != AUDIT_HEADER_SIZE)
148 hdr = au_to_header32_ex_tm(tot_rec_size, event, 0, tm, &ak);
150 hdr = au_to_header32_tm(tot_rec_size, event, 0, tm);
151 TAILQ_INSERT_HEAD(&rec->token_q, hdr, tokens);
153 trail = au_to_trailer(tot_rec_size);
154 TAILQ_INSERT_TAIL(&rec->token_q, trail, tokens);
156 rec->len = tot_rec_size;
158 TAILQ_FOREACH(cur, &rec->token_q, tokens) {
159 memcpy(dptr, cur->t_data, cur->len);
165 * Free a BSM audit record by releasing all the tokens and clearing the audit
166 * record information.
169 kau_free(struct au_record *rec)
171 struct au_token *tok;
173 /* Free the token list. */
174 while ((tok = TAILQ_FIRST(&rec->token_q))) {
175 TAILQ_REMOVE(&rec->token_q, tok, tokens);
176 free(tok->t_data, M_AUDITBSM);
177 free(tok, M_AUDITBSM);
182 free(rec->data, M_AUDITBSM);
183 free(rec, M_AUDITBSM);
187 * XXX: May want turn some (or all) of these macros into functions in order
188 * to reduce the generated code size.
190 * XXXAUDIT: These macros assume that 'kar', 'ar', 'rec', and 'tok' in the
191 * caller are OK with this.
193 #define ATFD1_TOKENS(argnum) do { \
194 if (ARG_IS_VALID(kar, ARG_ATFD1)) { \
195 tok = au_to_arg32(argnum, "at fd 1", ar->ar_arg_atfd1); \
196 kau_write(rec, tok); \
200 #define ATFD2_TOKENS(argnum) do { \
201 if (ARG_IS_VALID(kar, ARG_ATFD2)) { \
202 tok = au_to_arg32(argnum, "at fd 2", ar->ar_arg_atfd2); \
203 kau_write(rec, tok); \
207 #define UPATH1_TOKENS do { \
208 if (ARG_IS_VALID(kar, ARG_UPATH1)) { \
209 tok = au_to_path(ar->ar_arg_upath1); \
210 kau_write(rec, tok); \
214 #define UPATH2_TOKENS do { \
215 if (ARG_IS_VALID(kar, ARG_UPATH2)) { \
216 tok = au_to_path(ar->ar_arg_upath2); \
217 kau_write(rec, tok); \
221 #define VNODE1_TOKENS do { \
222 if (ARG_IS_VALID(kar, ARG_ATFD)) { \
223 tok = au_to_arg32(1, "at fd", ar->ar_arg_atfd); \
224 kau_write(rec, tok); \
226 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \
227 tok = au_to_attr32(&ar->ar_arg_vnode1); \
228 kau_write(rec, tok); \
232 #define UPATH1_VNODE1_TOKENS do { \
234 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \
235 tok = au_to_attr32(&ar->ar_arg_vnode1); \
236 kau_write(rec, tok); \
240 #define VNODE2_TOKENS do { \
241 if (ARG_IS_VALID(kar, ARG_VNODE2)) { \
242 tok = au_to_attr32(&ar->ar_arg_vnode2); \
243 kau_write(rec, tok); \
247 #define FD_VNODE1_TOKENS do { \
248 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \
249 if (ARG_IS_VALID(kar, ARG_FD)) { \
250 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); \
251 kau_write(rec, tok); \
253 tok = au_to_attr32(&ar->ar_arg_vnode1); \
254 kau_write(rec, tok); \
256 if (ARG_IS_VALID(kar, ARG_FD)) { \
257 tok = au_to_arg32(1, "non-file: fd", \
259 kau_write(rec, tok); \
264 #define PROCESS_PID_TOKENS(argn) do { \
265 if ((ar->ar_arg_pid > 0) /* Reference a single process */ \
266 && (ARG_IS_VALID(kar, ARG_PROCESS))) { \
267 tok = au_to_process32_ex(ar->ar_arg_auid, \
268 ar->ar_arg_euid, ar->ar_arg_egid, \
269 ar->ar_arg_ruid, ar->ar_arg_rgid, \
270 ar->ar_arg_pid, ar->ar_arg_asid, \
271 &ar->ar_arg_termid_addr); \
272 kau_write(rec, tok); \
273 } else if (ARG_IS_VALID(kar, ARG_PID)) { \
274 tok = au_to_arg32(argn, "process", ar->ar_arg_pid); \
275 kau_write(rec, tok); \
279 #define EXTATTR_TOKENS(namespace_argnum) do { \
280 if (ARG_IS_VALID(kar, ARG_VALUE)) { \
281 switch (ar->ar_arg_value) { \
282 case EXTATTR_NAMESPACE_USER: \
283 tok = au_to_text(EXTATTR_NAMESPACE_USER_STRING);\
285 case EXTATTR_NAMESPACE_SYSTEM: \
286 tok = au_to_text(EXTATTR_NAMESPACE_SYSTEM_STRING);\
289 tok = au_to_arg32((namespace_argnum), \
290 "attrnamespace", ar->ar_arg_value); \
293 kau_write(rec, tok); \
295 /* attrname is in the text field */ \
296 if (ARG_IS_VALID(kar, ARG_TEXT)) { \
297 tok = au_to_text(ar->ar_arg_text); \
298 kau_write(rec, tok); \
303 * Not all pointer arguments to system calls are of interest, but in some
304 * cases they reflect delegation of rights, such as mmap(2) followed by
305 * minherit(2) before execve(2), so do the best we can.
307 #define ADDR_TOKEN(argnum, argname) do { \
308 if (ARG_IS_VALID(kar, ARG_ADDR)) { \
309 if (sizeof(void *) == sizeof(uint32_t)) \
310 tok = au_to_arg32((argnum), (argname), \
311 (uint32_t)(uintptr_t)ar->ar_arg_addr); \
313 tok = au_to_arg64((argnum), (argname), \
314 (uint64_t)(uintptr_t)ar->ar_arg_addr); \
315 kau_write(rec, tok); \
321 * Implement auditing for the auditon() system call. The audit tokens that
322 * are generated depend on the command that was sent into the auditon()
326 audit_sys_auditon(struct audit_record *ar, struct au_record *rec)
328 struct au_token *tok;
330 tok = au_to_arg32(3, "length", ar->ar_arg_len);
332 switch (ar->ar_arg_cmd) {
334 if ((size_t)ar->ar_arg_len == sizeof(int64_t)) {
335 tok = au_to_arg64(2, "policy",
336 ar->ar_arg_auditon.au_policy64);
343 tok = au_to_arg32(2, "policy", ar->ar_arg_auditon.au_policy);
348 tok = au_to_arg32(2, "setkmask:as_success",
349 ar->ar_arg_auditon.au_mask.am_success);
351 tok = au_to_arg32(2, "setkmask:as_failure",
352 ar->ar_arg_auditon.au_mask.am_failure);
357 if ((size_t)ar->ar_arg_len == sizeof(au_qctrl64_t)) {
358 tok = au_to_arg64(2, "setqctrl:aq_hiwater",
359 ar->ar_arg_auditon.au_qctrl64.aq64_hiwater);
361 tok = au_to_arg64(2, "setqctrl:aq_lowater",
362 ar->ar_arg_auditon.au_qctrl64.aq64_lowater);
364 tok = au_to_arg64(2, "setqctrl:aq_bufsz",
365 ar->ar_arg_auditon.au_qctrl64.aq64_bufsz);
367 tok = au_to_arg64(2, "setqctrl:aq_delay",
368 ar->ar_arg_auditon.au_qctrl64.aq64_delay);
370 tok = au_to_arg64(2, "setqctrl:aq_minfree",
371 ar->ar_arg_auditon.au_qctrl64.aq64_minfree);
378 tok = au_to_arg32(2, "setqctrl:aq_hiwater",
379 ar->ar_arg_auditon.au_qctrl.aq_hiwater);
381 tok = au_to_arg32(2, "setqctrl:aq_lowater",
382 ar->ar_arg_auditon.au_qctrl.aq_lowater);
384 tok = au_to_arg32(2, "setqctrl:aq_bufsz",
385 ar->ar_arg_auditon.au_qctrl.aq_bufsz);
387 tok = au_to_arg32(2, "setqctrl:aq_delay",
388 ar->ar_arg_auditon.au_qctrl.aq_delay);
390 tok = au_to_arg32(2, "setqctrl:aq_minfree",
391 ar->ar_arg_auditon.au_qctrl.aq_minfree);
396 tok = au_to_arg32(2, "setumask:as_success",
397 ar->ar_arg_auditon.au_auinfo.ai_mask.am_success);
399 tok = au_to_arg32(2, "setumask:as_failure",
400 ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure);
405 tok = au_to_arg32(2, "setsmask:as_success",
406 ar->ar_arg_auditon.au_auinfo.ai_mask.am_success);
408 tok = au_to_arg32(2, "setsmask:as_failure",
409 ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure);
414 if ((size_t)ar->ar_arg_len == sizeof(int64_t)) {
415 tok = au_to_arg64(2, "setcond",
416 ar->ar_arg_auditon.au_cond64);
423 tok = au_to_arg32(2, "setcond", ar->ar_arg_auditon.au_cond);
429 tok = au_to_arg32(2, "setclass:ec_event",
430 ar->ar_arg_auditon.au_evclass.ec_number);
432 tok = au_to_arg32(2, "setclass:ec_class",
433 ar->ar_arg_auditon.au_evclass.ec_class);
438 tok = au_to_arg32(2, "setpmask:as_success",
439 ar->ar_arg_auditon.au_aupinfo.ap_mask.am_success);
441 tok = au_to_arg32(2, "setpmask:as_failure",
442 ar->ar_arg_auditon.au_aupinfo.ap_mask.am_failure);
447 tok = au_to_arg32(2, "setfsize:filesize",
448 ar->ar_arg_auditon.au_fstat.af_filesz);
458 * Convert an internal kernel audit record to a BSM record and return a
459 * success/failure indicator. The BSM record is passed as an out parameter to
463 * BSM_SUCCESS: The BSM record is valid
464 * BSM_FAILURE: Failure; the BSM record is NULL.
465 * BSM_NOAUDIT: The event is not auditable for BSM; the BSM record is NULL.
468 kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau)
470 struct au_token *tok, *subj_tok, *jail_tok;
471 struct au_record *rec;
473 struct audit_record *ar;
476 KASSERT(kar != NULL, ("kaudit_to_bsm: kar == NULL"));
483 * Create the subject token. If this credential was jailed be sure to
484 * generate a zonename token.
486 if (ar->ar_jailname[0] != '\0')
487 jail_tok = au_to_zonename(ar->ar_jailname);
490 switch (ar->ar_subj_term_addr.at_type) {
492 tid.port = ar->ar_subj_term_addr.at_port;
493 tid.machine = ar->ar_subj_term_addr.at_addr[0];
494 subj_tok = au_to_subject32(ar->ar_subj_auid, /* audit ID */
495 ar->ar_subj_cred.cr_uid, /* eff uid */
496 ar->ar_subj_egid, /* eff group id */
497 ar->ar_subj_ruid, /* real uid */
498 ar->ar_subj_rgid, /* real group id */
499 ar->ar_subj_pid, /* process id */
500 ar->ar_subj_asid, /* session ID */
504 subj_tok = au_to_subject32_ex(ar->ar_subj_auid,
505 ar->ar_subj_cred.cr_uid,
511 &ar->ar_subj_term_addr);
514 bzero(&tid, sizeof(tid));
515 subj_tok = au_to_subject32(ar->ar_subj_auid,
516 ar->ar_subj_cred.cr_uid,
526 * The logic inside each case fills in the tokens required for the
527 * event, except for the header, trailer, and return tokens. The
528 * header and trailer tokens are added by the kau_close() function.
529 * The return token is added outside of the switch statement.
531 switch(ar->ar_event) {
533 if (ARG_IS_VALID(kar, ARG_FD)) {
534 tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
537 if (ARG_IS_VALID(kar, ARG_SADDRINET)) {
538 tok = au_to_sock_inet((struct sockaddr_in *)
539 &ar->ar_arg_sockaddr);
542 if (ARG_IS_VALID(kar, ARG_SADDRUNIX)) {
543 tok = au_to_sock_unix((struct sockaddr_un *)
544 &ar->ar_arg_sockaddr);
560 * Socket-related events.
562 if (ARG_IS_VALID(kar, ARG_FD)) {
563 tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
566 if (ARG_IS_VALID(kar, ARG_SADDRINET)) {
567 tok = au_to_sock_inet((struct sockaddr_in *)
568 &ar->ar_arg_sockaddr);
571 if (ARG_IS_VALID(kar, ARG_SADDRUNIX)) {
572 tok = au_to_sock_unix((struct sockaddr_un *)
573 &ar->ar_arg_sockaddr);
577 /* XXX Need to handle ARG_SADDRINET6 */
583 if (ARG_IS_VALID(kar, ARG_FD)) {
584 tok = au_to_arg32(2, "fd", ar->ar_arg_fd);
587 if (ARG_IS_VALID(kar, ARG_SADDRUNIX)) {
588 tok = au_to_sock_unix((struct sockaddr_un *)
589 &ar->ar_arg_sockaddr);
597 if (ARG_IS_VALID(kar, ARG_SADDRINET)) {
598 tok = au_to_sock_inet((struct sockaddr_in *)
599 &ar->ar_arg_sockaddr);
602 if (ARG_IS_VALID(kar, ARG_SADDRUNIX)) {
603 tok = au_to_sock_unix((struct sockaddr_un *)
604 &ar->ar_arg_sockaddr);
608 /* XXX Need to handle ARG_SADDRINET6 */
613 if (ARG_IS_VALID(kar, ARG_SOCKINFO)) {
614 tok = au_to_arg32(1, "domain",
615 ar->ar_arg_sockinfo.so_domain);
617 tok = au_to_arg32(2, "type",
618 ar->ar_arg_sockinfo.so_type);
620 tok = au_to_arg32(3, "protocol",
621 ar->ar_arg_sockinfo.so_protocol);
628 if (ARG_IS_VALID(kar, ARG_FD)) {
629 tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
635 if (ARG_IS_VALID(kar, ARG_UPATH1)) {
636 UPATH1_VNODE1_TOKENS;
638 tok = au_to_arg32(1, "accounting off", 0);
644 if (ARG_IS_VALID(kar, ARG_AUID)) {
645 tok = au_to_arg32(2, "setauid", ar->ar_arg_auid);
651 if (ARG_IS_VALID(kar, ARG_AUID) &&
652 ARG_IS_VALID(kar, ARG_ASID) &&
653 ARG_IS_VALID(kar, ARG_AMASK) &&
654 ARG_IS_VALID(kar, ARG_TERMID)) {
655 tok = au_to_arg32(1, "setaudit:auid",
658 tok = au_to_arg32(1, "setaudit:port",
659 ar->ar_arg_termid.port);
661 tok = au_to_arg32(1, "setaudit:machine",
662 ar->ar_arg_termid.machine);
664 tok = au_to_arg32(1, "setaudit:as_success",
665 ar->ar_arg_amask.am_success);
667 tok = au_to_arg32(1, "setaudit:as_failure",
668 ar->ar_arg_amask.am_failure);
670 tok = au_to_arg32(1, "setaudit:asid",
676 case AUE_SETAUDIT_ADDR:
677 if (ARG_IS_VALID(kar, ARG_AUID) &&
678 ARG_IS_VALID(kar, ARG_ASID) &&
679 ARG_IS_VALID(kar, ARG_AMASK) &&
680 ARG_IS_VALID(kar, ARG_TERMID_ADDR)) {
681 tok = au_to_arg32(1, "setaudit_addr:auid",
684 tok = au_to_arg32(1, "setaudit_addr:as_success",
685 ar->ar_arg_amask.am_success);
687 tok = au_to_arg32(1, "setaudit_addr:as_failure",
688 ar->ar_arg_amask.am_failure);
690 tok = au_to_arg32(1, "setaudit_addr:asid",
693 tok = au_to_arg32(1, "setaudit_addr:type",
694 ar->ar_arg_termid_addr.at_type);
696 tok = au_to_arg32(1, "setaudit_addr:port",
697 ar->ar_arg_termid_addr.at_port);
699 if (ar->ar_arg_termid_addr.at_type == AU_IPv6)
700 tok = au_to_in_addr_ex((struct in6_addr *)
701 &ar->ar_arg_termid_addr.at_addr[0]);
702 if (ar->ar_arg_termid_addr.at_type == AU_IPv4)
703 tok = au_to_in_addr((struct in_addr *)
704 &ar->ar_arg_termid_addr.at_addr[0]);
711 * For AUDITON commands without own event, audit the cmd.
713 if (ARG_IS_VALID(kar, ARG_CMD)) {
714 tok = au_to_arg32(1, "cmd", ar->ar_arg_cmd);
719 case AUE_AUDITON_GETCAR:
720 case AUE_AUDITON_GETCLASS:
721 case AUE_AUDITON_GETCOND:
722 case AUE_AUDITON_GETCWD:
723 case AUE_AUDITON_GETKMASK:
724 case AUE_AUDITON_GETSTAT:
725 case AUE_AUDITON_GPOLICY:
726 case AUE_AUDITON_GQCTRL:
727 case AUE_AUDITON_SETCLASS:
728 case AUE_AUDITON_SETCOND:
729 case AUE_AUDITON_SETKMASK:
730 case AUE_AUDITON_SETSMASK:
731 case AUE_AUDITON_SETSTAT:
732 case AUE_AUDITON_SETUMASK:
733 case AUE_AUDITON_SPOLICY:
734 case AUE_AUDITON_SQCTRL:
735 if (ARG_IS_VALID(kar, ARG_AUDITON))
736 audit_sys_auditon(ar, rec);
740 UPATH1_VNODE1_TOKENS;
744 if (ARG_IS_VALID(kar, ARG_EXIT)) {
745 tok = au_to_exit(ar->ar_arg_exitretval,
746 ar->ar_arg_exitstatus);
752 case AUE_CLOCK_SETTIME:
756 case AUE_GETAUDIT_ADDR:
766 case AUE_NTP_ADJTIME:
768 case AUE_POSIX_OPENPT:
776 case AUE_SETTIMEOFDAY:
780 * Header, subject, and return tokens added at end.
784 case AUE_ACL_DELETE_FD:
785 case AUE_ACL_DELETE_FILE:
786 case AUE_ACL_CHECK_FD:
787 case AUE_ACL_CHECK_FILE:
788 case AUE_ACL_CHECK_LINK:
789 case AUE_ACL_DELETE_LINK:
791 case AUE_ACL_GET_FILE:
792 case AUE_ACL_GET_LINK:
794 case AUE_ACL_SET_FILE:
795 case AUE_ACL_SET_LINK:
796 if (ARG_IS_VALID(kar, ARG_VALUE)) {
797 tok = au_to_arg32(1, "type", ar->ar_arg_value);
801 UPATH1_VNODE1_TOKENS;
808 case AUE_GETATTRLIST:
820 case AUE_SETATTRLIST:
831 UPATH1_VNODE1_TOKENS;
838 UPATH1_VNODE1_TOKENS;
839 if (ARG_IS_VALID(kar, ARG_VALUE)) {
840 tok = au_to_arg32(2, "mode", ar->ar_arg_value);
848 /* XXXRW: Need to audit vnode argument. */
853 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
854 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
857 UPATH1_VNODE1_TOKENS;
862 if (ARG_IS_VALID(kar, ARG_MODE)) {
863 tok = au_to_arg32(2, "new file mode",
867 UPATH1_VNODE1_TOKENS;
872 if (ARG_IS_VALID(kar, ARG_MODE)) {
873 tok = au_to_arg32(3, "new file mode",
877 UPATH1_VNODE1_TOKENS;
882 if (ARG_IS_VALID(kar, ARG_UID)) {
883 tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid);
886 if (ARG_IS_VALID(kar, ARG_GID)) {
887 tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid);
890 UPATH1_VNODE1_TOKENS;
895 if (ARG_IS_VALID(kar, ARG_UID)) {
896 tok = au_to_arg32(3, "new file uid", ar->ar_arg_uid);
899 if (ARG_IS_VALID(kar, ARG_GID)) {
900 tok = au_to_arg32(4, "new file gid", ar->ar_arg_gid);
903 UPATH1_VNODE1_TOKENS;
906 case AUE_EXCHANGEDATA:
907 UPATH1_VNODE1_TOKENS;
912 if (ARG_IS_VALID(kar, ARG_FD)) {
913 tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
916 UPATH1_VNODE1_TOKENS;
920 if (ARG_IS_VALID(kar, ARG_FD)) {
921 tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
927 if (ARG_IS_VALID(kar, ARG_SIGNUM)) {
928 tok = au_to_arg32(1, "signal", ar->ar_arg_signum);
931 UPATH1_VNODE1_TOKENS;
935 UPATH1_VNODE1_TOKENS;
936 if (ARG_IS_VALID(kar, ARG_CMD)) {
937 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd);
940 /* extattrctl(2) filename parameter is in upath2/vnode2 */
946 case AUE_EXTATTR_GET_FILE:
947 case AUE_EXTATTR_SET_FILE:
948 case AUE_EXTATTR_LIST_FILE:
949 case AUE_EXTATTR_DELETE_FILE:
950 case AUE_EXTATTR_GET_LINK:
951 case AUE_EXTATTR_SET_LINK:
952 case AUE_EXTATTR_LIST_LINK:
953 case AUE_EXTATTR_DELETE_LINK:
954 UPATH1_VNODE1_TOKENS;
958 case AUE_EXTATTR_GET_FD:
959 case AUE_EXTATTR_SET_FD:
960 case AUE_EXTATTR_LIST_FD:
961 case AUE_EXTATTR_DELETE_FD:
962 if (ARG_IS_VALID(kar, ARG_FD)) {
963 tok = au_to_arg32(2, "fd", ar->ar_arg_fd);
970 if (ARG_IS_VALID(kar, ARG_FD)) {
971 tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
978 if (ARG_IS_VALID(kar, ARG_ARGV)) {
979 tok = au_to_exec_args(ar->ar_arg_argv,
983 if (ARG_IS_VALID(kar, ARG_ENVV)) {
984 tok = au_to_exec_env(ar->ar_arg_envv,
988 UPATH1_VNODE1_TOKENS;
992 if (ARG_IS_VALID(kar, ARG_MODE)) {
993 tok = au_to_arg32(2, "new file mode",
1001 * XXXRW: Some of these need to handle non-vnode cases as well.
1010 case AUE_GETDIRENTRIES:
1011 case AUE_GETDIRENTRIESATTR:
1014 case AUE_POSIX_FALLOCATE:
1025 if (ARG_IS_VALID(kar, ARG_UID)) {
1026 tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid);
1027 kau_write(rec, tok);
1029 if (ARG_IS_VALID(kar, ARG_GID)) {
1030 tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid);
1031 kau_write(rec, tok);
1037 if (ARG_IS_VALID(kar, ARG_CMD)) {
1038 tok = au_to_arg32(2, "cmd",
1039 au_fcntl_cmd_to_bsm(ar->ar_arg_cmd));
1040 kau_write(rec, tok);
1046 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
1047 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
1048 kau_write(rec, tok);
1054 if (ARG_IS_VALID(kar, ARG_CMD)) {
1055 tok = au_to_arg32(2, "operation", ar->ar_arg_cmd);
1056 kau_write(rec, tok);
1062 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
1063 tok = au_to_arg32(1, "flags", ar->ar_arg_fflags);
1064 kau_write(rec, tok);
1070 if (ARG_IS_VALID(kar, ARG_PID)) {
1071 tok = au_to_arg32(0, "child PID", ar->ar_arg_pid);
1072 kau_write(rec, tok);
1077 if (ARG_IS_VALID(kar, ARG_CMD)) {
1078 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd);
1079 kau_write(rec, tok);
1081 if (ARG_IS_VALID(kar, ARG_VNODE1))
1084 if (ARG_IS_VALID(kar, ARG_SOCKINFO)) {
1085 tok = kau_to_socket(&ar->ar_arg_sockinfo);
1086 kau_write(rec, tok);
1088 if (ARG_IS_VALID(kar, ARG_FD)) {
1089 tok = au_to_arg32(1, "fd",
1091 kau_write(rec, tok);
1099 if (ARG_IS_VALID(kar, ARG_SIGNUM)) {
1100 tok = au_to_arg32(2, "signal", ar->ar_arg_signum);
1101 kau_write(rec, tok);
1103 PROCESS_PID_TOKENS(1);
1107 if (ARG_IS_VALID(kar, ARG_CMD)) {
1108 tok = au_to_arg32(2, "ops", ar->ar_arg_cmd);
1109 kau_write(rec, tok);
1111 if (ARG_IS_VALID(kar, ARG_VALUE)) {
1112 tok = au_to_arg32(3, "trpoints", ar->ar_arg_value);
1113 kau_write(rec, tok);
1115 PROCESS_PID_TOKENS(4);
1116 UPATH1_VNODE1_TOKENS;
1124 UPATH1_VNODE1_TOKENS;
1129 case AUE_LOADSHFILE:
1130 ADDR_TOKEN(4, "base addr");
1131 UPATH1_VNODE1_TOKENS;
1139 if (ARG_IS_VALID(kar, ARG_MODE)) {
1140 tok = au_to_arg32(2, "mode", ar->ar_arg_mode);
1141 kau_write(rec, tok);
1143 UPATH1_VNODE1_TOKENS;
1149 if (ARG_IS_VALID(kar, ARG_MODE)) {
1150 tok = au_to_arg32(2, "mode", ar->ar_arg_mode);
1151 kau_write(rec, tok);
1153 if (ARG_IS_VALID(kar, ARG_DEV)) {
1154 tok = au_to_arg32(3, "dev", ar->ar_arg_dev);
1155 kau_write(rec, tok);
1157 UPATH1_VNODE1_TOKENS;
1166 ADDR_TOKEN(1, "addr");
1167 if (ARG_IS_VALID(kar, ARG_LEN)) {
1168 tok = au_to_arg32(2, "len", ar->ar_arg_len);
1169 kau_write(rec, tok);
1171 if (ar->ar_event == AUE_MMAP)
1173 if (ar->ar_event == AUE_MPROTECT) {
1174 if (ARG_IS_VALID(kar, ARG_VALUE)) {
1175 tok = au_to_arg32(3, "protection",
1177 kau_write(rec, tok);
1180 if (ar->ar_event == AUE_MINHERIT) {
1181 if (ARG_IS_VALID(kar, ARG_VALUE)) {
1182 tok = au_to_arg32(3, "inherit",
1184 kau_write(rec, tok);
1191 /* XXX Need to handle NFS mounts */
1192 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
1193 tok = au_to_arg32(3, "flags", ar->ar_arg_fflags);
1194 kau_write(rec, tok);
1196 if (ARG_IS_VALID(kar, ARG_TEXT)) {
1197 tok = au_to_text(ar->ar_arg_text);
1198 kau_write(rec, tok);
1203 if (ARG_IS_VALID(kar, ARG_CMD)) {
1204 tok = au_to_arg32(1, "flags", ar->ar_arg_cmd);
1205 kau_write(rec, tok);
1210 if (ARG_IS_VALID(kar, ARG_VALUE)) {
1211 tok = au_to_arg32(2, "flags", ar->ar_arg_value);
1212 kau_write(rec, tok);
1214 UPATH1_VNODE1_TOKENS;
1215 if (ARG_IS_VALID(kar, ARG_TEXT)) {
1216 tok = au_to_text(ar->ar_arg_text);
1217 kau_write(rec, tok);
1222 ar->ar_event = audit_msgctl_to_event(ar->ar_arg_svipc_cmd);
1227 tok = au_to_arg32(1, "msg ID", ar->ar_arg_svipc_id);
1228 kau_write(rec, tok);
1229 if (ar->ar_errno != EINVAL) {
1230 tok = au_to_ipc(AT_IPC_MSG, ar->ar_arg_svipc_id);
1231 kau_write(rec, tok);
1236 if (ar->ar_errno == 0) {
1237 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
1238 tok = au_to_ipc(AT_IPC_MSG,
1239 ar->ar_arg_svipc_id);
1240 kau_write(rec, tok);
1245 case AUE_RESETSHFILE:
1246 ADDR_TOKEN(1, "base addr");
1256 if (ARG_IS_VALID(kar, ARG_MODE)) {
1257 tok = au_to_arg32(3, "mode", ar->ar_arg_mode);
1258 kau_write(rec, tok);
1268 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
1269 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
1270 kau_write(rec, tok);
1272 UPATH1_VNODE1_TOKENS;
1276 case AUE_OPENAT_RTC:
1277 case AUE_OPENAT_RWC:
1278 case AUE_OPENAT_RWTC:
1280 case AUE_OPENAT_WTC:
1281 if (ARG_IS_VALID(kar, ARG_MODE)) {
1282 tok = au_to_arg32(3, "mode", ar->ar_arg_mode);
1283 kau_write(rec, tok);
1290 case AUE_OPENAT_RWT:
1293 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
1294 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
1295 kau_write(rec, tok);
1298 UPATH1_VNODE1_TOKENS;
1302 if (ARG_IS_VALID(kar, ARG_VALUE)) {
1303 tok = au_to_arg32(1, "idtype", ar->ar_arg_value);
1304 kau_write(rec, tok);
1306 if (ARG_IS_VALID(kar, ARG_CMD)) {
1307 tok = au_to_arg32(2, "com", ar->ar_arg_cmd);
1308 kau_write(rec, tok);
1310 PROCESS_PID_TOKENS(3);
1314 if (ARG_IS_VALID(kar, ARG_CMD)) {
1315 tok = au_to_arg32(1, "request", ar->ar_arg_cmd);
1316 kau_write(rec, tok);
1318 if (ARG_IS_VALID(kar, ARG_VALUE)) {
1319 tok = au_to_arg32(4, "data", ar->ar_arg_value);
1320 kau_write(rec, tok);
1322 PROCESS_PID_TOKENS(2);
1326 if (ARG_IS_VALID(kar, ARG_CMD)) {
1327 tok = au_to_arg32(2, "command", ar->ar_arg_cmd);
1328 kau_write(rec, tok);
1330 if (ARG_IS_VALID(kar, ARG_UID)) {
1331 tok = au_to_arg32(3, "uid", ar->ar_arg_uid);
1332 kau_write(rec, tok);
1334 if (ARG_IS_VALID(kar, ARG_GID)) {
1335 tok = au_to_arg32(3, "gid", ar->ar_arg_gid);
1336 kau_write(rec, tok);
1338 UPATH1_VNODE1_TOKENS;
1342 if (ARG_IS_VALID(kar, ARG_CMD)) {
1343 tok = au_to_arg32(1, "howto", ar->ar_arg_cmd);
1344 kau_write(rec, tok);
1349 ar->ar_event = audit_semctl_to_event(ar->ar_arg_svipc_cmd);
1353 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
1354 tok = au_to_arg32(1, "sem ID", ar->ar_arg_svipc_id);
1355 kau_write(rec, tok);
1356 if (ar->ar_errno != EINVAL) {
1357 tok = au_to_ipc(AT_IPC_SEM,
1358 ar->ar_arg_svipc_id);
1359 kau_write(rec, tok);
1365 if (ar->ar_errno == 0) {
1366 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
1367 tok = au_to_ipc(AT_IPC_SEM,
1368 ar->ar_arg_svipc_id);
1369 kau_write(rec, tok);
1375 if (ARG_IS_VALID(kar, ARG_EGID)) {
1376 tok = au_to_arg32(1, "egid", ar->ar_arg_egid);
1377 kau_write(rec, tok);
1382 if (ARG_IS_VALID(kar, ARG_EUID)) {
1383 tok = au_to_arg32(1, "euid", ar->ar_arg_euid);
1384 kau_write(rec, tok);
1389 if (ARG_IS_VALID(kar, ARG_RGID)) {
1390 tok = au_to_arg32(1, "rgid", ar->ar_arg_rgid);
1391 kau_write(rec, tok);
1393 if (ARG_IS_VALID(kar, ARG_EGID)) {
1394 tok = au_to_arg32(2, "egid", ar->ar_arg_egid);
1395 kau_write(rec, tok);
1400 if (ARG_IS_VALID(kar, ARG_RUID)) {
1401 tok = au_to_arg32(1, "ruid", ar->ar_arg_ruid);
1402 kau_write(rec, tok);
1404 if (ARG_IS_VALID(kar, ARG_EUID)) {
1405 tok = au_to_arg32(2, "euid", ar->ar_arg_euid);
1406 kau_write(rec, tok);
1411 if (ARG_IS_VALID(kar, ARG_RGID)) {
1412 tok = au_to_arg32(1, "rgid", ar->ar_arg_rgid);
1413 kau_write(rec, tok);
1415 if (ARG_IS_VALID(kar, ARG_EGID)) {
1416 tok = au_to_arg32(2, "egid", ar->ar_arg_egid);
1417 kau_write(rec, tok);
1419 if (ARG_IS_VALID(kar, ARG_SGID)) {
1420 tok = au_to_arg32(3, "sgid", ar->ar_arg_sgid);
1421 kau_write(rec, tok);
1426 if (ARG_IS_VALID(kar, ARG_RUID)) {
1427 tok = au_to_arg32(1, "ruid", ar->ar_arg_ruid);
1428 kau_write(rec, tok);
1430 if (ARG_IS_VALID(kar, ARG_EUID)) {
1431 tok = au_to_arg32(2, "euid", ar->ar_arg_euid);
1432 kau_write(rec, tok);
1434 if (ARG_IS_VALID(kar, ARG_SUID)) {
1435 tok = au_to_arg32(3, "suid", ar->ar_arg_suid);
1436 kau_write(rec, tok);
1441 if (ARG_IS_VALID(kar, ARG_GID)) {
1442 tok = au_to_arg32(1, "gid", ar->ar_arg_gid);
1443 kau_write(rec, tok);
1448 if (ARG_IS_VALID(kar, ARG_UID)) {
1449 tok = au_to_arg32(1, "uid", ar->ar_arg_uid);
1450 kau_write(rec, tok);
1455 if (ARG_IS_VALID(kar, ARG_GROUPSET)) {
1456 for(ctr = 0; ctr < ar->ar_arg_groups.gidset_size; ctr++)
1458 tok = au_to_arg32(1, "setgroups",
1459 ar->ar_arg_groups.gidset[ctr]);
1460 kau_write(rec, tok);
1466 if (ARG_IS_VALID(kar, ARG_LOGIN)) {
1467 tok = au_to_text(ar->ar_arg_login);
1468 kau_write(rec, tok);
1472 case AUE_SETPRIORITY:
1473 if (ARG_IS_VALID(kar, ARG_CMD)) {
1474 tok = au_to_arg32(1, "which", ar->ar_arg_cmd);
1475 kau_write(rec, tok);
1477 if (ARG_IS_VALID(kar, ARG_UID)) {
1478 tok = au_to_arg32(2, "who", ar->ar_arg_uid);
1479 kau_write(rec, tok);
1481 PROCESS_PID_TOKENS(2);
1482 if (ARG_IS_VALID(kar, ARG_VALUE)) {
1483 tok = au_to_arg32(3, "priority", ar->ar_arg_value);
1484 kau_write(rec, tok);
1488 case AUE_SETPRIVEXEC:
1489 if (ARG_IS_VALID(kar, ARG_VALUE)) {
1490 tok = au_to_arg32(1, "flag", ar->ar_arg_value);
1491 kau_write(rec, tok);
1495 /* AUE_SHMAT, AUE_SHMCTL, AUE_SHMDT and AUE_SHMGET are SysV IPC */
1497 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
1498 tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id);
1499 kau_write(rec, tok);
1500 /* XXXAUDIT: Does having the ipc token make sense? */
1501 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id);
1502 kau_write(rec, tok);
1504 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) {
1505 tok = au_to_arg32(2, "shmaddr",
1506 (int)(uintptr_t)ar->ar_arg_svipc_addr);
1507 kau_write(rec, tok);
1509 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) {
1510 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm);
1511 kau_write(rec, tok);
1516 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
1517 tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id);
1518 kau_write(rec, tok);
1519 /* XXXAUDIT: Does having the ipc token make sense? */
1520 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id);
1521 kau_write(rec, tok);
1523 switch (ar->ar_arg_svipc_cmd) {
1525 ar->ar_event = AUE_SHMCTL_STAT;
1528 ar->ar_event = AUE_SHMCTL_RMID;
1531 ar->ar_event = AUE_SHMCTL_SET;
1532 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) {
1533 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm);
1534 kau_write(rec, tok);
1538 break; /* We will audit a bad command */
1543 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) {
1544 tok = au_to_arg32(1, "shmaddr",
1545 (int)(uintptr_t)ar->ar_arg_svipc_addr);
1546 kau_write(rec, tok);
1551 /* This is unusual; the return value is in an argument token */
1552 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
1553 tok = au_to_arg32(0, "shmid", ar->ar_arg_svipc_id);
1554 kau_write(rec, tok);
1555 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id);
1556 kau_write(rec, tok);
1558 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) {
1559 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm);
1560 kau_write(rec, tok);
1564 /* AUE_SHMOPEN, AUE_SHMUNLINK, AUE_SEMOPEN, AUE_SEMCLOSE
1565 * and AUE_SEMUNLINK are Posix IPC */
1567 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
1568 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
1569 kau_write(rec, tok);
1571 if (ARG_IS_VALID(kar, ARG_MODE)) {
1572 tok = au_to_arg32(3, "mode", ar->ar_arg_mode);
1573 kau_write(rec, tok);
1579 if (ARG_IS_VALID(kar, ARG_POSIX_IPC_PERM)) {
1580 struct ipc_perm perm;
1582 perm.uid = ar->ar_arg_pipc_perm.pipc_uid;
1583 perm.gid = ar->ar_arg_pipc_perm.pipc_gid;
1584 perm.cuid = ar->ar_arg_pipc_perm.pipc_uid;
1585 perm.cgid = ar->ar_arg_pipc_perm.pipc_gid;
1586 perm.mode = ar->ar_arg_pipc_perm.pipc_mode;
1589 tok = au_to_ipc_perm(&perm);
1590 kau_write(rec, tok);
1595 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
1596 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
1597 kau_write(rec, tok);
1599 if (ARG_IS_VALID(kar, ARG_MODE)) {
1600 tok = au_to_arg32(3, "mode", ar->ar_arg_mode);
1601 kau_write(rec, tok);
1603 if (ARG_IS_VALID(kar, ARG_VALUE)) {
1604 tok = au_to_arg32(4, "value", ar->ar_arg_value);
1605 kau_write(rec, tok);
1610 if (ARG_IS_VALID(kar, ARG_TEXT)) {
1611 tok = au_to_text(ar->ar_arg_text);
1612 kau_write(rec, tok);
1614 if (ARG_IS_VALID(kar, ARG_POSIX_IPC_PERM)) {
1615 struct ipc_perm perm;
1617 perm.uid = ar->ar_arg_pipc_perm.pipc_uid;
1618 perm.gid = ar->ar_arg_pipc_perm.pipc_gid;
1619 perm.cuid = ar->ar_arg_pipc_perm.pipc_uid;
1620 perm.cgid = ar->ar_arg_pipc_perm.pipc_gid;
1621 perm.mode = ar->ar_arg_pipc_perm.pipc_mode;
1624 tok = au_to_ipc_perm(&perm);
1625 kau_write(rec, tok);
1630 if (ARG_IS_VALID(kar, ARG_FD)) {
1631 tok = au_to_arg32(1, "sem", ar->ar_arg_fd);
1632 kau_write(rec, tok);
1638 if (ARG_IS_VALID(kar, ARG_TEXT)) {
1639 tok = au_to_text(ar->ar_arg_text);
1640 kau_write(rec, tok);
1643 UPATH1_VNODE1_TOKENS;
1647 case AUE_SYSCTL_NONADMIN:
1648 if (ARG_IS_VALID(kar, ARG_CTLNAME | ARG_LEN)) {
1649 for (ctr = 0; ctr < ar->ar_arg_len; ctr++) {
1650 tok = au_to_arg32(1, "name",
1651 ar->ar_arg_ctlname[ctr]);
1652 kau_write(rec, tok);
1655 if (ARG_IS_VALID(kar, ARG_VALUE)) {
1656 tok = au_to_arg32(5, "newval", ar->ar_arg_value);
1657 kau_write(rec, tok);
1659 if (ARG_IS_VALID(kar, ARG_TEXT)) {
1660 tok = au_to_text(ar->ar_arg_text);
1661 kau_write(rec, tok);
1666 if (ARG_IS_VALID(kar, ARG_MASK)) {
1667 tok = au_to_arg32(1, "new mask", ar->ar_arg_mask);
1668 kau_write(rec, tok);
1670 tok = au_to_arg32(0, "prev mask", ar->ar_retval);
1671 kau_write(rec, tok);
1676 PROCESS_PID_TOKENS(1);
1677 if (ARG_IS_VALID(kar, ARG_VALUE)) {
1678 tok = au_to_arg32(3, "options", ar->ar_arg_value);
1679 kau_write(rec, tok);
1683 case AUE_CAP_RIGHTS_LIMIT:
1685 * XXXRW/XXXJA: Would be nice to audit socket/etc information.
1688 if (ARG_IS_VALID(kar, ARG_RIGHTS)) {
1689 tok = au_to_rights(&ar->ar_arg_rights);
1690 kau_write(rec, tok);
1694 case AUE_CAP_FCNTLS_GET:
1695 case AUE_CAP_IOCTLS_GET:
1696 case AUE_CAP_IOCTLS_LIMIT:
1697 case AUE_CAP_RIGHTS_GET:
1698 if (ARG_IS_VALID(kar, ARG_FD)) {
1699 tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
1700 kau_write(rec, tok);
1704 case AUE_CAP_FCNTLS_LIMIT:
1706 if (ARG_IS_VALID(kar, ARG_FCNTL_RIGHTS)) {
1707 tok = au_to_arg32(2, "fcntlrights",
1708 ar->ar_arg_fcntl_rights);
1709 kau_write(rec, tok);
1714 case AUE_CAP_GETMODE:
1719 printf("BSM conversion requested for unknown event %d\n",
1723 * Write the subject token so it is properly freed here.
1725 if (jail_tok != NULL)
1726 kau_write(rec, jail_tok);
1727 kau_write(rec, subj_tok);
1729 return (BSM_NOAUDIT);
1732 if (jail_tok != NULL)
1733 kau_write(rec, jail_tok);
1734 kau_write(rec, subj_tok);
1735 tok = au_to_return32(au_errno_to_bsm(ar->ar_errno), ar->ar_retval);
1736 kau_write(rec, tok); /* Every record gets a return token */
1738 kau_close(rec, &ar->ar_endtime, ar->ar_event);
1741 return (BSM_SUCCESS);
1745 * Verify that a record is a valid BSM record. This verification is simple
1746 * now, but may be expanded on sometime in the future. Return 1 if the
1747 * record is good, 0 otherwise.
1750 bsm_rec_verify(void *rec)
1752 char c = *(char *)rec;
1755 * Check the token ID of the first token; it has to be a header
1758 * XXXAUDIT There needs to be a token structure to map a token.
1759 * XXXAUDIT 'Shouldn't be simply looking at the first char.
1761 if ((c != AUT_HEADER32) && (c != AUT_HEADER32_EX) &&
1762 (c != AUT_HEADER64) && (c != AUT_HEADER64_EX))