2 * SPDX-License-Identifier: BSD-3-Clause
4 * Copyright (c) 1999-2009 Apple Inc.
5 * Copyright (c) 2016-2017 Robert N. M. Watson
8 * Portions of this software were developed by BAE Systems, the University of
9 * Cambridge Computer Laboratory, and Memorial University under DARPA/AFRL
10 * contract FA8650-15-C-7558 ("CADETS"), as part of the DARPA Transparent
11 * Computing (TC) research program.
13 * Redistribution and use in source and binary forms, with or without
14 * modification, are permitted provided that the following conditions
16 * 1. Redistributions of source code must retain the above copyright
17 * notice, this list of conditions and the following disclaimer.
18 * 2. Redistributions in binary form must reproduce the above copyright
19 * notice, this list of conditions and the following disclaimer in the
20 * documentation and/or other materials provided with the distribution.
21 * 3. Neither the name of Apple Inc. ("Apple") nor the names of
22 * its contributors may be used to endorse or promote products derived
23 * from this software without specific prior written permission.
25 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
26 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
27 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
28 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
29 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
30 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
31 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
32 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
33 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
34 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
35 * POSSIBILITY OF SUCH DAMAGE.
38 #include <sys/cdefs.h>
39 __FBSDID("$FreeBSD$");
41 #include <sys/param.h>
42 #include <sys/vnode.h>
45 #include <sys/malloc.h>
46 #include <sys/mutex.h>
47 #include <sys/socket.h>
48 #include <sys/extattr.h>
49 #include <sys/fcntl.h>
51 #include <sys/systm.h>
53 #include <bsm/audit.h>
54 #include <bsm/audit_internal.h>
55 #include <bsm/audit_record.h>
56 #include <bsm/audit_kevents.h>
58 #include <security/audit/audit.h>
59 #include <security/audit/audit_private.h>
61 #include <netinet/in_systm.h>
62 #include <netinet/in.h>
63 #include <netinet/ip.h>
65 MALLOC_DEFINE(M_AUDITBSM, "audit_bsm", "Audit BSM data");
67 static void audit_sys_auditon(struct audit_record *ar,
68 struct au_record *rec);
71 * Initialize the BSM auditing subsystem.
82 * This call reserves memory for the audit record. Memory must be guaranteed
83 * before any auditable event can be generated. The au_record structure
84 * maintains a reference to the memory allocated above and also the list of
85 * tokens associated with this record.
87 static struct au_record *
90 struct au_record *rec;
92 rec = malloc(sizeof(*rec), M_AUDITBSM, M_WAITOK);
94 TAILQ_INIT(&rec->token_q);
102 * Store the token with the record descriptor.
105 kau_write(struct au_record *rec, struct au_token *tok)
108 KASSERT(tok != NULL, ("kau_write: tok == NULL"));
110 TAILQ_INSERT_TAIL(&rec->token_q, tok, tokens);
111 rec->len += tok->len;
115 * Close out the audit record by adding the header token, identifying any
116 * missing tokens. Write out the tokens to the record memory.
119 kau_close(struct au_record *rec, struct timespec *ctime, short event)
123 token_t *cur, *hdr, *trail;
126 struct auditinfo_addr ak;
129 audit_get_kinfo(&ak);
131 switch (ak.ai_termid.at_type) {
133 hdrsize = (ak.ai_termid.at_addr[0] == INADDR_ANY) ?
134 AUDIT_HEADER_SIZE : AUDIT_HEADER_EX_SIZE(&ak);
137 ap = (struct in6_addr *)&ak.ai_termid.at_addr[0];
138 hdrsize = (IN6_IS_ADDR_UNSPECIFIED(ap)) ? AUDIT_HEADER_SIZE :
139 AUDIT_HEADER_EX_SIZE(&ak);
142 panic("kau_close: invalid address family");
144 tot_rec_size = rec->len + hdrsize + AUDIT_TRAILER_SIZE;
145 rec->data = malloc(tot_rec_size, M_AUDITBSM, M_WAITOK | M_ZERO);
147 tm.tv_usec = ctime->tv_nsec / 1000;
148 tm.tv_sec = ctime->tv_sec;
149 if (hdrsize != AUDIT_HEADER_SIZE)
150 hdr = au_to_header32_ex_tm(tot_rec_size, event, 0, tm, &ak);
152 hdr = au_to_header32_tm(tot_rec_size, event, 0, tm);
153 TAILQ_INSERT_HEAD(&rec->token_q, hdr, tokens);
155 trail = au_to_trailer(tot_rec_size);
156 TAILQ_INSERT_TAIL(&rec->token_q, trail, tokens);
158 rec->len = tot_rec_size;
160 TAILQ_FOREACH(cur, &rec->token_q, tokens) {
161 memcpy(dptr, cur->t_data, cur->len);
167 * Free a BSM audit record by releasing all the tokens and clearing the audit
168 * record information.
171 kau_free(struct au_record *rec)
173 struct au_token *tok;
175 /* Free the token list. */
176 while ((tok = TAILQ_FIRST(&rec->token_q))) {
177 TAILQ_REMOVE(&rec->token_q, tok, tokens);
178 free(tok->t_data, M_AUDITBSM);
179 free(tok, M_AUDITBSM);
184 free(rec->data, M_AUDITBSM);
185 free(rec, M_AUDITBSM);
189 * XXX: May want turn some (or all) of these macros into functions in order
190 * to reduce the generated code size.
192 * XXXAUDIT: These macros assume that 'kar', 'ar', 'rec', and 'tok' in the
193 * caller are OK with this.
195 #define ATFD1_TOKENS(argnum) do { \
196 if (ARG_IS_VALID(kar, ARG_ATFD1)) { \
197 tok = au_to_arg32(argnum, "at fd 1", ar->ar_arg_atfd1); \
198 kau_write(rec, tok); \
202 #define ATFD2_TOKENS(argnum) do { \
203 if (ARG_IS_VALID(kar, ARG_ATFD2)) { \
204 tok = au_to_arg32(argnum, "at fd 2", ar->ar_arg_atfd2); \
205 kau_write(rec, tok); \
209 #define UPATH1_TOKENS do { \
210 if (ARG_IS_VALID(kar, ARG_UPATH1)) { \
211 tok = au_to_path(ar->ar_arg_upath1); \
212 kau_write(rec, tok); \
216 #define UPATH2_TOKENS do { \
217 if (ARG_IS_VALID(kar, ARG_UPATH2)) { \
218 tok = au_to_path(ar->ar_arg_upath2); \
219 kau_write(rec, tok); \
223 #define VNODE1_TOKENS do { \
224 if (ARG_IS_VALID(kar, ARG_ATFD)) { \
225 tok = au_to_arg32(1, "at fd", ar->ar_arg_atfd); \
226 kau_write(rec, tok); \
228 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \
229 tok = au_to_attr32(&ar->ar_arg_vnode1); \
230 kau_write(rec, tok); \
234 #define UPATH1_VNODE1_TOKENS do { \
236 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \
237 tok = au_to_attr32(&ar->ar_arg_vnode1); \
238 kau_write(rec, tok); \
242 #define VNODE2_TOKENS do { \
243 if (ARG_IS_VALID(kar, ARG_VNODE2)) { \
244 tok = au_to_attr32(&ar->ar_arg_vnode2); \
245 kau_write(rec, tok); \
249 #define FD_VNODE1_TOKENS do { \
250 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \
251 if (ARG_IS_VALID(kar, ARG_FD)) { \
252 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); \
253 kau_write(rec, tok); \
255 tok = au_to_attr32(&ar->ar_arg_vnode1); \
256 kau_write(rec, tok); \
258 if (ARG_IS_VALID(kar, ARG_FD)) { \
259 tok = au_to_arg32(1, "non-file: fd", \
261 kau_write(rec, tok); \
266 #define PROCESS_PID_TOKENS(argn) do { \
267 if ((ar->ar_arg_pid > 0) /* Reference a single process */ \
268 && (ARG_IS_VALID(kar, ARG_PROCESS))) { \
269 tok = au_to_process32_ex(ar->ar_arg_auid, \
270 ar->ar_arg_euid, ar->ar_arg_egid, \
271 ar->ar_arg_ruid, ar->ar_arg_rgid, \
272 ar->ar_arg_pid, ar->ar_arg_asid, \
273 &ar->ar_arg_termid_addr); \
274 kau_write(rec, tok); \
275 } else if (ARG_IS_VALID(kar, ARG_PID)) { \
276 tok = au_to_arg32(argn, "process", ar->ar_arg_pid); \
277 kau_write(rec, tok); \
281 #define EXTATTR_TOKENS(namespace_argnum) do { \
282 if (ARG_IS_VALID(kar, ARG_VALUE)) { \
283 switch (ar->ar_arg_value) { \
284 case EXTATTR_NAMESPACE_USER: \
285 tok = au_to_text(EXTATTR_NAMESPACE_USER_STRING);\
287 case EXTATTR_NAMESPACE_SYSTEM: \
288 tok = au_to_text(EXTATTR_NAMESPACE_SYSTEM_STRING);\
291 tok = au_to_arg32((namespace_argnum), \
292 "attrnamespace", ar->ar_arg_value); \
295 kau_write(rec, tok); \
297 /* attrname is in the text field */ \
298 if (ARG_IS_VALID(kar, ARG_TEXT)) { \
299 tok = au_to_text(ar->ar_arg_text); \
300 kau_write(rec, tok); \
305 * Not all pointer arguments to system calls are of interest, but in some
306 * cases they reflect delegation of rights, such as mmap(2) followed by
307 * minherit(2) before execve(2), so do the best we can.
309 #define ADDR_TOKEN(argnum, argname) do { \
310 if (ARG_IS_VALID(kar, ARG_ADDR)) { \
311 if (sizeof(void *) == sizeof(uint32_t)) \
312 tok = au_to_arg32((argnum), (argname), \
313 (uint32_t)(uintptr_t)ar->ar_arg_addr); \
315 tok = au_to_arg64((argnum), (argname), \
316 (uint64_t)(uintptr_t)ar->ar_arg_addr); \
317 kau_write(rec, tok); \
323 * Implement auditing for the auditon() system call. The audit tokens that
324 * are generated depend on the command that was sent into the auditon()
328 audit_sys_auditon(struct audit_record *ar, struct au_record *rec)
330 struct au_token *tok;
332 tok = au_to_arg32(3, "length", ar->ar_arg_len);
334 switch (ar->ar_arg_cmd) {
336 if ((size_t)ar->ar_arg_len == sizeof(int64_t)) {
337 tok = au_to_arg64(2, "policy",
338 ar->ar_arg_auditon.au_policy64);
345 tok = au_to_arg32(2, "policy", ar->ar_arg_auditon.au_policy);
350 tok = au_to_arg32(2, "setkmask:as_success",
351 ar->ar_arg_auditon.au_mask.am_success);
353 tok = au_to_arg32(2, "setkmask:as_failure",
354 ar->ar_arg_auditon.au_mask.am_failure);
359 if ((size_t)ar->ar_arg_len == sizeof(au_qctrl64_t)) {
360 tok = au_to_arg64(2, "setqctrl:aq_hiwater",
361 ar->ar_arg_auditon.au_qctrl64.aq64_hiwater);
363 tok = au_to_arg64(2, "setqctrl:aq_lowater",
364 ar->ar_arg_auditon.au_qctrl64.aq64_lowater);
366 tok = au_to_arg64(2, "setqctrl:aq_bufsz",
367 ar->ar_arg_auditon.au_qctrl64.aq64_bufsz);
369 tok = au_to_arg64(2, "setqctrl:aq_delay",
370 ar->ar_arg_auditon.au_qctrl64.aq64_delay);
372 tok = au_to_arg64(2, "setqctrl:aq_minfree",
373 ar->ar_arg_auditon.au_qctrl64.aq64_minfree);
380 tok = au_to_arg32(2, "setqctrl:aq_hiwater",
381 ar->ar_arg_auditon.au_qctrl.aq_hiwater);
383 tok = au_to_arg32(2, "setqctrl:aq_lowater",
384 ar->ar_arg_auditon.au_qctrl.aq_lowater);
386 tok = au_to_arg32(2, "setqctrl:aq_bufsz",
387 ar->ar_arg_auditon.au_qctrl.aq_bufsz);
389 tok = au_to_arg32(2, "setqctrl:aq_delay",
390 ar->ar_arg_auditon.au_qctrl.aq_delay);
392 tok = au_to_arg32(2, "setqctrl:aq_minfree",
393 ar->ar_arg_auditon.au_qctrl.aq_minfree);
398 tok = au_to_arg32(2, "setumask:as_success",
399 ar->ar_arg_auditon.au_auinfo.ai_mask.am_success);
401 tok = au_to_arg32(2, "setumask:as_failure",
402 ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure);
407 tok = au_to_arg32(2, "setsmask:as_success",
408 ar->ar_arg_auditon.au_auinfo.ai_mask.am_success);
410 tok = au_to_arg32(2, "setsmask:as_failure",
411 ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure);
416 if ((size_t)ar->ar_arg_len == sizeof(int64_t)) {
417 tok = au_to_arg64(2, "setcond",
418 ar->ar_arg_auditon.au_cond64);
425 tok = au_to_arg32(2, "setcond", ar->ar_arg_auditon.au_cond);
430 tok = au_to_arg32(2, "setclass:ec_event",
431 ar->ar_arg_auditon.au_evclass.ec_number);
433 tok = au_to_arg32(2, "setclass:ec_class",
434 ar->ar_arg_auditon.au_evclass.ec_class);
439 tok = au_to_arg32(2, "setpmask:as_success",
440 ar->ar_arg_auditon.au_aupinfo.ap_mask.am_success);
442 tok = au_to_arg32(2, "setpmask:as_failure",
443 ar->ar_arg_auditon.au_aupinfo.ap_mask.am_failure);
448 tok = au_to_arg32(2, "setfsize:filesize",
449 ar->ar_arg_auditon.au_fstat.af_filesz);
459 * Convert an internal kernel audit record to a BSM record and return a
460 * success/failure indicator. The BSM record is passed as an out parameter to
464 * BSM_SUCCESS: The BSM record is valid
465 * BSM_FAILURE: Failure; the BSM record is NULL.
466 * BSM_NOAUDIT: The event is not auditable for BSM; the BSM record is NULL.
469 kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau)
471 struct au_token *tok, *subj_tok, *jail_tok;
472 struct au_record *rec;
474 struct audit_record *ar;
477 KASSERT(kar != NULL, ("kaudit_to_bsm: kar == NULL"));
484 * Create the subject token. If this credential was jailed be sure to
485 * generate a zonename token.
487 if (ar->ar_jailname[0] != '\0')
488 jail_tok = au_to_zonename(ar->ar_jailname);
491 switch (ar->ar_subj_term_addr.at_type) {
493 tid.port = ar->ar_subj_term_addr.at_port;
494 tid.machine = ar->ar_subj_term_addr.at_addr[0];
495 subj_tok = au_to_subject32(ar->ar_subj_auid, /* audit ID */
496 ar->ar_subj_cred.cr_uid, /* eff uid */
497 ar->ar_subj_egid, /* eff group id */
498 ar->ar_subj_ruid, /* real uid */
499 ar->ar_subj_rgid, /* real group id */
500 ar->ar_subj_pid, /* process id */
501 ar->ar_subj_asid, /* session ID */
505 subj_tok = au_to_subject32_ex(ar->ar_subj_auid,
506 ar->ar_subj_cred.cr_uid,
512 &ar->ar_subj_term_addr);
515 bzero(&tid, sizeof(tid));
516 subj_tok = au_to_subject32(ar->ar_subj_auid,
517 ar->ar_subj_cred.cr_uid,
527 * The logic inside each case fills in the tokens required for the
528 * event, except for the header, trailer, and return tokens. The
529 * header and trailer tokens are added by the kau_close() function.
530 * The return token is added outside of the switch statement.
532 switch(ar->ar_event) {
534 if (ARG_IS_VALID(kar, ARG_FD)) {
535 tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
538 if (ARG_IS_VALID(kar, ARG_SADDRINET)) {
539 tok = au_to_sock_inet((struct sockaddr_in *)
540 &ar->ar_arg_sockaddr);
543 if (ARG_IS_VALID(kar, ARG_SADDRUNIX)) {
544 tok = au_to_sock_unix((struct sockaddr_un *)
545 &ar->ar_arg_sockaddr);
561 * Socket-related events.
563 if (ARG_IS_VALID(kar, ARG_FD)) {
564 tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
567 if (ARG_IS_VALID(kar, ARG_SADDRINET)) {
568 tok = au_to_sock_inet((struct sockaddr_in *)
569 &ar->ar_arg_sockaddr);
572 if (ARG_IS_VALID(kar, ARG_SADDRUNIX)) {
573 tok = au_to_sock_unix((struct sockaddr_un *)
574 &ar->ar_arg_sockaddr);
578 /* XXX Need to handle ARG_SADDRINET6 */
584 if (ARG_IS_VALID(kar, ARG_FD)) {
585 tok = au_to_arg32(2, "fd", ar->ar_arg_fd);
588 if (ARG_IS_VALID(kar, ARG_SADDRUNIX)) {
589 tok = au_to_sock_unix((struct sockaddr_un *)
590 &ar->ar_arg_sockaddr);
598 if (ARG_IS_VALID(kar, ARG_SADDRINET)) {
599 tok = au_to_sock_inet((struct sockaddr_in *)
600 &ar->ar_arg_sockaddr);
603 if (ARG_IS_VALID(kar, ARG_SADDRUNIX)) {
604 tok = au_to_sock_unix((struct sockaddr_un *)
605 &ar->ar_arg_sockaddr);
609 /* XXX Need to handle ARG_SADDRINET6 */
614 if (ARG_IS_VALID(kar, ARG_SOCKINFO)) {
615 tok = au_to_arg32(1, "domain",
616 ar->ar_arg_sockinfo.so_domain);
618 tok = au_to_arg32(2, "type",
619 ar->ar_arg_sockinfo.so_type);
621 tok = au_to_arg32(3, "protocol",
622 ar->ar_arg_sockinfo.so_protocol);
629 if (ARG_IS_VALID(kar, ARG_FD)) {
630 tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
636 if (ARG_IS_VALID(kar, ARG_UPATH1)) {
637 UPATH1_VNODE1_TOKENS;
639 tok = au_to_arg32(1, "accounting off", 0);
645 if (ARG_IS_VALID(kar, ARG_AUID)) {
646 tok = au_to_arg32(2, "setauid", ar->ar_arg_auid);
652 if (ARG_IS_VALID(kar, ARG_AUID) &&
653 ARG_IS_VALID(kar, ARG_ASID) &&
654 ARG_IS_VALID(kar, ARG_AMASK) &&
655 ARG_IS_VALID(kar, ARG_TERMID)) {
656 tok = au_to_arg32(1, "setaudit:auid",
659 tok = au_to_arg32(1, "setaudit:port",
660 ar->ar_arg_termid.port);
662 tok = au_to_arg32(1, "setaudit:machine",
663 ar->ar_arg_termid.machine);
665 tok = au_to_arg32(1, "setaudit:as_success",
666 ar->ar_arg_amask.am_success);
668 tok = au_to_arg32(1, "setaudit:as_failure",
669 ar->ar_arg_amask.am_failure);
671 tok = au_to_arg32(1, "setaudit:asid",
677 case AUE_SETAUDIT_ADDR:
678 if (ARG_IS_VALID(kar, ARG_AUID) &&
679 ARG_IS_VALID(kar, ARG_ASID) &&
680 ARG_IS_VALID(kar, ARG_AMASK) &&
681 ARG_IS_VALID(kar, ARG_TERMID_ADDR)) {
682 tok = au_to_arg32(1, "setaudit_addr:auid",
685 tok = au_to_arg32(1, "setaudit_addr:as_success",
686 ar->ar_arg_amask.am_success);
688 tok = au_to_arg32(1, "setaudit_addr:as_failure",
689 ar->ar_arg_amask.am_failure);
691 tok = au_to_arg32(1, "setaudit_addr:asid",
694 tok = au_to_arg32(1, "setaudit_addr:type",
695 ar->ar_arg_termid_addr.at_type);
697 tok = au_to_arg32(1, "setaudit_addr:port",
698 ar->ar_arg_termid_addr.at_port);
700 if (ar->ar_arg_termid_addr.at_type == AU_IPv6)
701 tok = au_to_in_addr_ex((struct in6_addr *)
702 &ar->ar_arg_termid_addr.at_addr[0]);
703 if (ar->ar_arg_termid_addr.at_type == AU_IPv4)
704 tok = au_to_in_addr((struct in_addr *)
705 &ar->ar_arg_termid_addr.at_addr[0]);
712 * For AUDITON commands without own event, audit the cmd.
714 if (ARG_IS_VALID(kar, ARG_CMD)) {
715 tok = au_to_arg32(1, "cmd", ar->ar_arg_cmd);
720 case AUE_AUDITON_GETCAR:
721 case AUE_AUDITON_GETCLASS:
722 case AUE_AUDITON_GETCOND:
723 case AUE_AUDITON_GETCWD:
724 case AUE_AUDITON_GETKMASK:
725 case AUE_AUDITON_GETSTAT:
726 case AUE_AUDITON_GPOLICY:
727 case AUE_AUDITON_GQCTRL:
728 case AUE_AUDITON_SETCLASS:
729 case AUE_AUDITON_SETCOND:
730 case AUE_AUDITON_SETKMASK:
731 case AUE_AUDITON_SETSMASK:
732 case AUE_AUDITON_SETSTAT:
733 case AUE_AUDITON_SETUMASK:
734 case AUE_AUDITON_SPOLICY:
735 case AUE_AUDITON_SQCTRL:
736 if (ARG_IS_VALID(kar, ARG_AUDITON))
737 audit_sys_auditon(ar, rec);
741 UPATH1_VNODE1_TOKENS;
745 if (ARG_IS_VALID(kar, ARG_EXIT)) {
746 tok = au_to_exit(ar->ar_arg_exitretval,
747 ar->ar_arg_exitstatus);
753 case AUE_CLOCK_SETTIME:
757 case AUE_GETAUDIT_ADDR:
767 case AUE_NTP_ADJTIME:
769 case AUE_POSIX_OPENPT:
778 case AUE_SETTIMEOFDAY:
782 * Header, subject, and return tokens added at end.
786 case AUE_ACL_DELETE_FD:
787 case AUE_ACL_DELETE_FILE:
788 case AUE_ACL_CHECK_FD:
789 case AUE_ACL_CHECK_FILE:
790 case AUE_ACL_CHECK_LINK:
791 case AUE_ACL_DELETE_LINK:
793 case AUE_ACL_GET_FILE:
794 case AUE_ACL_GET_LINK:
796 case AUE_ACL_SET_FILE:
797 case AUE_ACL_SET_LINK:
798 if (ARG_IS_VALID(kar, ARG_VALUE)) {
799 tok = au_to_arg32(1, "type", ar->ar_arg_value);
803 UPATH1_VNODE1_TOKENS;
810 case AUE_GETATTRLIST:
823 case AUE_SETATTRLIST:
834 UPATH1_VNODE1_TOKENS;
841 UPATH1_VNODE1_TOKENS;
842 if (ARG_IS_VALID(kar, ARG_VALUE)) {
843 tok = au_to_arg32(2, "mode", ar->ar_arg_value);
851 /* XXXRW: Need to audit vnode argument. */
857 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
858 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
861 UPATH1_VNODE1_TOKENS;
866 if (ARG_IS_VALID(kar, ARG_MODE)) {
867 tok = au_to_arg32(2, "new file mode",
871 UPATH1_VNODE1_TOKENS;
876 if (ARG_IS_VALID(kar, ARG_MODE)) {
877 tok = au_to_arg32(3, "new file mode",
881 UPATH1_VNODE1_TOKENS;
886 if (ARG_IS_VALID(kar, ARG_UID)) {
887 tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid);
890 if (ARG_IS_VALID(kar, ARG_GID)) {
891 tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid);
894 UPATH1_VNODE1_TOKENS;
899 if (ARG_IS_VALID(kar, ARG_UID)) {
900 tok = au_to_arg32(3, "new file uid", ar->ar_arg_uid);
903 if (ARG_IS_VALID(kar, ARG_GID)) {
904 tok = au_to_arg32(4, "new file gid", ar->ar_arg_gid);
907 UPATH1_VNODE1_TOKENS;
910 case AUE_EXCHANGEDATA:
911 UPATH1_VNODE1_TOKENS;
916 if (ARG_IS_VALID(kar, ARG_FD)) {
917 tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
920 UPATH1_VNODE1_TOKENS;
924 if (ARG_IS_VALID(kar, ARG_FD)) {
925 tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
931 if (ARG_IS_VALID(kar, ARG_SIGNUM)) {
932 tok = au_to_arg32(1, "signal", ar->ar_arg_signum);
935 UPATH1_VNODE1_TOKENS;
939 UPATH1_VNODE1_TOKENS;
940 if (ARG_IS_VALID(kar, ARG_CMD)) {
941 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd);
944 /* extattrctl(2) filename parameter is in upath2/vnode2 */
950 case AUE_EXTATTR_GET_FILE:
951 case AUE_EXTATTR_SET_FILE:
952 case AUE_EXTATTR_LIST_FILE:
953 case AUE_EXTATTR_DELETE_FILE:
954 case AUE_EXTATTR_GET_LINK:
955 case AUE_EXTATTR_SET_LINK:
956 case AUE_EXTATTR_LIST_LINK:
957 case AUE_EXTATTR_DELETE_LINK:
958 UPATH1_VNODE1_TOKENS;
962 case AUE_EXTATTR_GET_FD:
963 case AUE_EXTATTR_SET_FD:
964 case AUE_EXTATTR_LIST_FD:
965 case AUE_EXTATTR_DELETE_FD:
966 if (ARG_IS_VALID(kar, ARG_FD)) {
967 tok = au_to_arg32(2, "fd", ar->ar_arg_fd);
974 if (ARG_IS_VALID(kar, ARG_FD)) {
975 tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
982 if (ARG_IS_VALID(kar, ARG_ARGV)) {
983 tok = au_to_exec_args(ar->ar_arg_argv,
987 if (ARG_IS_VALID(kar, ARG_ENVV)) {
988 tok = au_to_exec_env(ar->ar_arg_envv,
992 UPATH1_VNODE1_TOKENS;
996 if (ARG_IS_VALID(kar, ARG_MODE)) {
997 tok = au_to_arg32(2, "new file mode",
1005 * XXXRW: Some of these need to handle non-vnode cases as well.
1014 case AUE_GETDIRENTRIES:
1015 case AUE_GETDIRENTRIESATTR:
1018 case AUE_POSIX_FALLOCATE:
1029 if (ARG_IS_VALID(kar, ARG_UID)) {
1030 tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid);
1031 kau_write(rec, tok);
1033 if (ARG_IS_VALID(kar, ARG_GID)) {
1034 tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid);
1035 kau_write(rec, tok);
1041 if (ARG_IS_VALID(kar, ARG_CMD)) {
1042 tok = au_to_arg32(2, "cmd",
1043 au_fcntl_cmd_to_bsm(ar->ar_arg_cmd));
1044 kau_write(rec, tok);
1050 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
1051 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
1052 kau_write(rec, tok);
1058 if (ARG_IS_VALID(kar, ARG_CMD)) {
1059 tok = au_to_arg32(2, "operation", ar->ar_arg_cmd);
1060 kau_write(rec, tok);
1066 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
1067 tok = au_to_arg32(1, "flags", ar->ar_arg_fflags);
1068 kau_write(rec, tok);
1074 if (ARG_IS_VALID(kar, ARG_PID)) {
1075 tok = au_to_arg32(0, "child PID", ar->ar_arg_pid);
1076 kau_write(rec, tok);
1081 if (ARG_IS_VALID(kar, ARG_CMD)) {
1082 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd);
1083 kau_write(rec, tok);
1085 if (ARG_IS_VALID(kar, ARG_VNODE1))
1088 if (ARG_IS_VALID(kar, ARG_SOCKINFO)) {
1089 tok = kau_to_socket(&ar->ar_arg_sockinfo);
1090 kau_write(rec, tok);
1092 if (ARG_IS_VALID(kar, ARG_FD)) {
1093 tok = au_to_arg32(1, "fd",
1095 kau_write(rec, tok);
1103 if (ARG_IS_VALID(kar, ARG_SIGNUM)) {
1104 tok = au_to_arg32(2, "signal", ar->ar_arg_signum);
1105 kau_write(rec, tok);
1107 PROCESS_PID_TOKENS(1);
1111 if (ARG_IS_VALID(kar, ARG_CMD)) {
1112 tok = au_to_arg32(2, "ops", ar->ar_arg_cmd);
1113 kau_write(rec, tok);
1115 if (ARG_IS_VALID(kar, ARG_VALUE)) {
1116 tok = au_to_arg32(3, "trpoints", ar->ar_arg_value);
1117 kau_write(rec, tok);
1119 PROCESS_PID_TOKENS(4);
1120 UPATH1_VNODE1_TOKENS;
1128 UPATH1_VNODE1_TOKENS;
1133 case AUE_LOADSHFILE:
1134 ADDR_TOKEN(4, "base addr");
1135 UPATH1_VNODE1_TOKENS;
1143 if (ARG_IS_VALID(kar, ARG_MODE)) {
1144 tok = au_to_arg32(2, "mode", ar->ar_arg_mode);
1145 kau_write(rec, tok);
1147 UPATH1_VNODE1_TOKENS;
1153 if (ARG_IS_VALID(kar, ARG_MODE)) {
1154 tok = au_to_arg32(2, "mode", ar->ar_arg_mode);
1155 kau_write(rec, tok);
1157 if (ARG_IS_VALID(kar, ARG_DEV)) {
1158 tok = au_to_arg32(3, "dev", ar->ar_arg_dev);
1159 kau_write(rec, tok);
1161 UPATH1_VNODE1_TOKENS;
1170 ADDR_TOKEN(1, "addr");
1171 if (ARG_IS_VALID(kar, ARG_LEN)) {
1172 tok = au_to_arg32(2, "len", ar->ar_arg_len);
1173 kau_write(rec, tok);
1175 if (ar->ar_event == AUE_MMAP)
1177 if (ar->ar_event == AUE_MPROTECT) {
1178 if (ARG_IS_VALID(kar, ARG_VALUE)) {
1179 tok = au_to_arg32(3, "protection",
1181 kau_write(rec, tok);
1184 if (ar->ar_event == AUE_MINHERIT) {
1185 if (ARG_IS_VALID(kar, ARG_VALUE)) {
1186 tok = au_to_arg32(3, "inherit",
1188 kau_write(rec, tok);
1195 /* XXX Need to handle NFS mounts */
1196 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
1197 tok = au_to_arg32(3, "flags", ar->ar_arg_fflags);
1198 kau_write(rec, tok);
1200 if (ARG_IS_VALID(kar, ARG_TEXT)) {
1201 tok = au_to_text(ar->ar_arg_text);
1202 kau_write(rec, tok);
1207 if (ARG_IS_VALID(kar, ARG_CMD)) {
1208 tok = au_to_arg32(1, "flags", ar->ar_arg_cmd);
1209 kau_write(rec, tok);
1214 if (ARG_IS_VALID(kar, ARG_VALUE)) {
1215 tok = au_to_arg32(2, "flags", ar->ar_arg_value);
1216 kau_write(rec, tok);
1218 UPATH1_VNODE1_TOKENS;
1219 if (ARG_IS_VALID(kar, ARG_TEXT)) {
1220 tok = au_to_text(ar->ar_arg_text);
1221 kau_write(rec, tok);
1226 ar->ar_event = audit_msgctl_to_event(ar->ar_arg_svipc_cmd);
1231 tok = au_to_arg32(1, "msg ID", ar->ar_arg_svipc_id);
1232 kau_write(rec, tok);
1233 if (ar->ar_errno != EINVAL) {
1234 tok = au_to_ipc(AT_IPC_MSG, ar->ar_arg_svipc_id);
1235 kau_write(rec, tok);
1240 if (ar->ar_errno == 0) {
1241 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
1242 tok = au_to_ipc(AT_IPC_MSG,
1243 ar->ar_arg_svipc_id);
1244 kau_write(rec, tok);
1249 case AUE_RESETSHFILE:
1250 ADDR_TOKEN(1, "base addr");
1260 if (ARG_IS_VALID(kar, ARG_MODE)) {
1261 tok = au_to_arg32(3, "mode", ar->ar_arg_mode);
1262 kau_write(rec, tok);
1272 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
1273 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
1274 kau_write(rec, tok);
1276 UPATH1_VNODE1_TOKENS;
1280 case AUE_OPENAT_RTC:
1281 case AUE_OPENAT_RWC:
1282 case AUE_OPENAT_RWTC:
1284 case AUE_OPENAT_WTC:
1285 if (ARG_IS_VALID(kar, ARG_MODE)) {
1286 tok = au_to_arg32(3, "mode", ar->ar_arg_mode);
1287 kau_write(rec, tok);
1294 case AUE_OPENAT_RWT:
1297 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
1298 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
1299 kau_write(rec, tok);
1302 UPATH1_VNODE1_TOKENS;
1306 if (ARG_IS_VALID(kar, ARG_VALUE)) {
1307 tok = au_to_arg32(1, "idtype", ar->ar_arg_value);
1308 kau_write(rec, tok);
1310 if (ARG_IS_VALID(kar, ARG_CMD)) {
1311 tok = au_to_arg32(2, "com", ar->ar_arg_cmd);
1312 kau_write(rec, tok);
1314 PROCESS_PID_TOKENS(3);
1318 if (ARG_IS_VALID(kar, ARG_CMD)) {
1319 tok = au_to_arg32(1, "request", ar->ar_arg_cmd);
1320 kau_write(rec, tok);
1322 if (ARG_IS_VALID(kar, ARG_VALUE)) {
1323 tok = au_to_arg32(4, "data", ar->ar_arg_value);
1324 kau_write(rec, tok);
1326 PROCESS_PID_TOKENS(2);
1330 if (ARG_IS_VALID(kar, ARG_CMD)) {
1331 tok = au_to_arg32(2, "command", ar->ar_arg_cmd);
1332 kau_write(rec, tok);
1334 if (ARG_IS_VALID(kar, ARG_UID)) {
1335 tok = au_to_arg32(3, "uid", ar->ar_arg_uid);
1336 kau_write(rec, tok);
1338 if (ARG_IS_VALID(kar, ARG_GID)) {
1339 tok = au_to_arg32(3, "gid", ar->ar_arg_gid);
1340 kau_write(rec, tok);
1342 UPATH1_VNODE1_TOKENS;
1346 if (ARG_IS_VALID(kar, ARG_CMD)) {
1347 tok = au_to_arg32(1, "howto", ar->ar_arg_cmd);
1348 kau_write(rec, tok);
1353 ar->ar_event = audit_semctl_to_event(ar->ar_arg_svipc_cmd);
1357 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
1358 tok = au_to_arg32(1, "sem ID", ar->ar_arg_svipc_id);
1359 kau_write(rec, tok);
1360 if (ar->ar_errno != EINVAL) {
1361 tok = au_to_ipc(AT_IPC_SEM,
1362 ar->ar_arg_svipc_id);
1363 kau_write(rec, tok);
1369 if (ar->ar_errno == 0) {
1370 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
1371 tok = au_to_ipc(AT_IPC_SEM,
1372 ar->ar_arg_svipc_id);
1373 kau_write(rec, tok);
1379 if (ARG_IS_VALID(kar, ARG_EGID)) {
1380 tok = au_to_arg32(1, "egid", ar->ar_arg_egid);
1381 kau_write(rec, tok);
1386 if (ARG_IS_VALID(kar, ARG_EUID)) {
1387 tok = au_to_arg32(1, "euid", ar->ar_arg_euid);
1388 kau_write(rec, tok);
1393 if (ARG_IS_VALID(kar, ARG_RGID)) {
1394 tok = au_to_arg32(1, "rgid", ar->ar_arg_rgid);
1395 kau_write(rec, tok);
1397 if (ARG_IS_VALID(kar, ARG_EGID)) {
1398 tok = au_to_arg32(2, "egid", ar->ar_arg_egid);
1399 kau_write(rec, tok);
1404 if (ARG_IS_VALID(kar, ARG_RUID)) {
1405 tok = au_to_arg32(1, "ruid", ar->ar_arg_ruid);
1406 kau_write(rec, tok);
1408 if (ARG_IS_VALID(kar, ARG_EUID)) {
1409 tok = au_to_arg32(2, "euid", ar->ar_arg_euid);
1410 kau_write(rec, tok);
1415 if (ARG_IS_VALID(kar, ARG_RGID)) {
1416 tok = au_to_arg32(1, "rgid", ar->ar_arg_rgid);
1417 kau_write(rec, tok);
1419 if (ARG_IS_VALID(kar, ARG_EGID)) {
1420 tok = au_to_arg32(2, "egid", ar->ar_arg_egid);
1421 kau_write(rec, tok);
1423 if (ARG_IS_VALID(kar, ARG_SGID)) {
1424 tok = au_to_arg32(3, "sgid", ar->ar_arg_sgid);
1425 kau_write(rec, tok);
1430 if (ARG_IS_VALID(kar, ARG_RUID)) {
1431 tok = au_to_arg32(1, "ruid", ar->ar_arg_ruid);
1432 kau_write(rec, tok);
1434 if (ARG_IS_VALID(kar, ARG_EUID)) {
1435 tok = au_to_arg32(2, "euid", ar->ar_arg_euid);
1436 kau_write(rec, tok);
1438 if (ARG_IS_VALID(kar, ARG_SUID)) {
1439 tok = au_to_arg32(3, "suid", ar->ar_arg_suid);
1440 kau_write(rec, tok);
1445 if (ARG_IS_VALID(kar, ARG_GID)) {
1446 tok = au_to_arg32(1, "gid", ar->ar_arg_gid);
1447 kau_write(rec, tok);
1452 if (ARG_IS_VALID(kar, ARG_UID)) {
1453 tok = au_to_arg32(1, "uid", ar->ar_arg_uid);
1454 kau_write(rec, tok);
1459 if (ARG_IS_VALID(kar, ARG_GROUPSET)) {
1460 for(ctr = 0; ctr < ar->ar_arg_groups.gidset_size; ctr++)
1462 tok = au_to_arg32(1, "setgroups",
1463 ar->ar_arg_groups.gidset[ctr]);
1464 kau_write(rec, tok);
1470 if (ARG_IS_VALID(kar, ARG_LOGIN)) {
1471 tok = au_to_text(ar->ar_arg_login);
1472 kau_write(rec, tok);
1476 case AUE_SETPRIORITY:
1477 if (ARG_IS_VALID(kar, ARG_CMD)) {
1478 tok = au_to_arg32(1, "which", ar->ar_arg_cmd);
1479 kau_write(rec, tok);
1481 if (ARG_IS_VALID(kar, ARG_UID)) {
1482 tok = au_to_arg32(2, "who", ar->ar_arg_uid);
1483 kau_write(rec, tok);
1485 PROCESS_PID_TOKENS(2);
1486 if (ARG_IS_VALID(kar, ARG_VALUE)) {
1487 tok = au_to_arg32(3, "priority", ar->ar_arg_value);
1488 kau_write(rec, tok);
1492 case AUE_SETPRIVEXEC:
1493 if (ARG_IS_VALID(kar, ARG_VALUE)) {
1494 tok = au_to_arg32(1, "flag", ar->ar_arg_value);
1495 kau_write(rec, tok);
1499 /* AUE_SHMAT, AUE_SHMCTL, AUE_SHMDT and AUE_SHMGET are SysV IPC */
1501 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
1502 tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id);
1503 kau_write(rec, tok);
1504 /* XXXAUDIT: Does having the ipc token make sense? */
1505 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id);
1506 kau_write(rec, tok);
1508 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) {
1509 tok = au_to_arg32(2, "shmaddr",
1510 (int)(uintptr_t)ar->ar_arg_svipc_addr);
1511 kau_write(rec, tok);
1513 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) {
1514 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm);
1515 kau_write(rec, tok);
1520 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
1521 tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id);
1522 kau_write(rec, tok);
1523 /* XXXAUDIT: Does having the ipc token make sense? */
1524 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id);
1525 kau_write(rec, tok);
1527 switch (ar->ar_arg_svipc_cmd) {
1529 ar->ar_event = AUE_SHMCTL_STAT;
1532 ar->ar_event = AUE_SHMCTL_RMID;
1535 ar->ar_event = AUE_SHMCTL_SET;
1536 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) {
1537 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm);
1538 kau_write(rec, tok);
1542 break; /* We will audit a bad command */
1547 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) {
1548 tok = au_to_arg32(1, "shmaddr",
1549 (int)(uintptr_t)ar->ar_arg_svipc_addr);
1550 kau_write(rec, tok);
1555 /* This is unusual; the return value is in an argument token */
1556 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
1557 tok = au_to_arg32(0, "shmid", ar->ar_arg_svipc_id);
1558 kau_write(rec, tok);
1559 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id);
1560 kau_write(rec, tok);
1562 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) {
1563 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm);
1564 kau_write(rec, tok);
1568 /* AUE_SHMOPEN, AUE_SHMUNLINK, AUE_SEMOPEN, AUE_SEMCLOSE
1569 * and AUE_SEMUNLINK are Posix IPC */
1571 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
1572 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
1573 kau_write(rec, tok);
1575 if (ARG_IS_VALID(kar, ARG_MODE)) {
1576 tok = au_to_arg32(3, "mode", ar->ar_arg_mode);
1577 kau_write(rec, tok);
1583 if (ARG_IS_VALID(kar, ARG_POSIX_IPC_PERM)) {
1584 struct ipc_perm perm;
1586 perm.uid = ar->ar_arg_pipc_perm.pipc_uid;
1587 perm.gid = ar->ar_arg_pipc_perm.pipc_gid;
1588 perm.cuid = ar->ar_arg_pipc_perm.pipc_uid;
1589 perm.cgid = ar->ar_arg_pipc_perm.pipc_gid;
1590 perm.mode = ar->ar_arg_pipc_perm.pipc_mode;
1593 tok = au_to_ipc_perm(&perm);
1594 kau_write(rec, tok);
1599 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
1600 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
1601 kau_write(rec, tok);
1603 if (ARG_IS_VALID(kar, ARG_MODE)) {
1604 tok = au_to_arg32(3, "mode", ar->ar_arg_mode);
1605 kau_write(rec, tok);
1607 if (ARG_IS_VALID(kar, ARG_VALUE)) {
1608 tok = au_to_arg32(4, "value", ar->ar_arg_value);
1609 kau_write(rec, tok);
1614 if (ARG_IS_VALID(kar, ARG_TEXT)) {
1615 tok = au_to_text(ar->ar_arg_text);
1616 kau_write(rec, tok);
1618 if (ARG_IS_VALID(kar, ARG_POSIX_IPC_PERM)) {
1619 struct ipc_perm perm;
1621 perm.uid = ar->ar_arg_pipc_perm.pipc_uid;
1622 perm.gid = ar->ar_arg_pipc_perm.pipc_gid;
1623 perm.cuid = ar->ar_arg_pipc_perm.pipc_uid;
1624 perm.cgid = ar->ar_arg_pipc_perm.pipc_gid;
1625 perm.mode = ar->ar_arg_pipc_perm.pipc_mode;
1628 tok = au_to_ipc_perm(&perm);
1629 kau_write(rec, tok);
1634 if (ARG_IS_VALID(kar, ARG_FD)) {
1635 tok = au_to_arg32(1, "sem", ar->ar_arg_fd);
1636 kau_write(rec, tok);
1642 if (ARG_IS_VALID(kar, ARG_TEXT)) {
1643 tok = au_to_text(ar->ar_arg_text);
1644 kau_write(rec, tok);
1647 UPATH1_VNODE1_TOKENS;
1651 case AUE_SYSCTL_NONADMIN:
1652 if (ARG_IS_VALID(kar, ARG_CTLNAME | ARG_LEN)) {
1653 for (ctr = 0; ctr < ar->ar_arg_len; ctr++) {
1654 tok = au_to_arg32(1, "name",
1655 ar->ar_arg_ctlname[ctr]);
1656 kau_write(rec, tok);
1659 if (ARG_IS_VALID(kar, ARG_VALUE)) {
1660 tok = au_to_arg32(5, "newval", ar->ar_arg_value);
1661 kau_write(rec, tok);
1663 if (ARG_IS_VALID(kar, ARG_TEXT)) {
1664 tok = au_to_text(ar->ar_arg_text);
1665 kau_write(rec, tok);
1670 if (ARG_IS_VALID(kar, ARG_MASK)) {
1671 tok = au_to_arg32(1, "new mask", ar->ar_arg_mask);
1672 kau_write(rec, tok);
1674 tok = au_to_arg32(0, "prev mask", ar->ar_retval);
1675 kau_write(rec, tok);
1680 PROCESS_PID_TOKENS(1);
1681 if (ARG_IS_VALID(kar, ARG_VALUE)) {
1682 tok = au_to_arg32(3, "options", ar->ar_arg_value);
1683 kau_write(rec, tok);
1687 case AUE_CAP_RIGHTS_LIMIT:
1689 * XXXRW/XXXJA: Would be nice to audit socket/etc information.
1692 if (ARG_IS_VALID(kar, ARG_RIGHTS)) {
1693 tok = au_to_rights(&ar->ar_arg_rights);
1694 kau_write(rec, tok);
1698 case AUE_CAP_FCNTLS_GET:
1699 case AUE_CAP_IOCTLS_GET:
1700 case AUE_CAP_IOCTLS_LIMIT:
1701 case AUE_CAP_RIGHTS_GET:
1702 if (ARG_IS_VALID(kar, ARG_FD)) {
1703 tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
1704 kau_write(rec, tok);
1708 case AUE_CAP_FCNTLS_LIMIT:
1710 if (ARG_IS_VALID(kar, ARG_FCNTL_RIGHTS)) {
1711 tok = au_to_arg32(2, "fcntlrights",
1712 ar->ar_arg_fcntl_rights);
1713 kau_write(rec, tok);
1718 case AUE_CAP_GETMODE:
1723 printf("BSM conversion requested for unknown event %d\n",
1727 * Write the subject token so it is properly freed here.
1729 if (jail_tok != NULL)
1730 kau_write(rec, jail_tok);
1731 kau_write(rec, subj_tok);
1733 return (BSM_NOAUDIT);
1736 if (jail_tok != NULL)
1737 kau_write(rec, jail_tok);
1738 kau_write(rec, subj_tok);
1739 tok = au_to_return32(au_errno_to_bsm(ar->ar_errno), ar->ar_retval);
1740 kau_write(rec, tok); /* Every record gets a return token */
1742 kau_close(rec, &ar->ar_endtime, ar->ar_event);
1745 return (BSM_SUCCESS);
1749 * Verify that a record is a valid BSM record. This verification is simple
1750 * now, but may be expanded on sometime in the future. Return 1 if the
1751 * record is good, 0 otherwise.
1754 bsm_rec_verify(void *rec)
1756 char c = *(char *)rec;
1759 * Check the token ID of the first token; it has to be a header
1762 * XXXAUDIT There needs to be a token structure to map a token.
1763 * XXXAUDIT 'Shouldn't be simply looking at the first char.
1765 if ((c != AUT_HEADER32) && (c != AUT_HEADER32_EX) &&
1766 (c != AUT_HEADER64) && (c != AUT_HEADER64_EX))