2 * Copyright (c) 1999-2009 Apple Inc.
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. Neither the name of Apple Inc. ("Apple") nor the names of
14 * its contributors may be used to endorse or promote products derived
15 * from this software without specific prior written permission.
17 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
21 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
25 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
26 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
27 * POSSIBILITY OF SUCH DAMAGE.
30 #include <sys/cdefs.h>
31 __FBSDID("$FreeBSD$");
33 #include <sys/param.h>
34 #include <sys/vnode.h>
37 #include <sys/malloc.h>
38 #include <sys/mutex.h>
39 #include <sys/socket.h>
40 #include <sys/extattr.h>
41 #include <sys/fcntl.h>
43 #include <sys/systm.h>
45 #include <bsm/audit.h>
46 #include <bsm/audit_internal.h>
47 #include <bsm/audit_record.h>
48 #include <bsm/audit_kevents.h>
50 #include <security/audit/audit.h>
51 #include <security/audit/audit_private.h>
53 #include <netinet/in_systm.h>
54 #include <netinet/in.h>
55 #include <netinet/ip.h>
57 MALLOC_DEFINE(M_AUDITBSM, "audit_bsm", "Audit BSM data");
59 static void audit_sys_auditon(struct audit_record *ar,
60 struct au_record *rec);
63 * Initialize the BSM auditing subsystem.
73 * This call reserves memory for the audit record. Memory must be guaranteed
74 * before any auditable event can be generated. The au_record structure
75 * maintains a reference to the memory allocated above and also the list of
76 * tokens associated with this record.
78 static struct au_record *
81 struct au_record *rec;
83 rec = malloc(sizeof(*rec), M_AUDITBSM, M_WAITOK);
85 TAILQ_INIT(&rec->token_q);
93 * Store the token with the record descriptor.
96 kau_write(struct au_record *rec, struct au_token *tok)
99 KASSERT(tok != NULL, ("kau_write: tok == NULL"));
101 TAILQ_INSERT_TAIL(&rec->token_q, tok, tokens);
102 rec->len += tok->len;
106 * Close out the audit record by adding the header token, identifying any
107 * missing tokens. Write out the tokens to the record memory.
110 kau_close(struct au_record *rec, struct timespec *ctime, short event)
114 token_t *cur, *hdr, *trail;
117 struct auditinfo_addr ak;
120 audit_get_kinfo(&ak);
122 switch (ak.ai_termid.at_type) {
124 hdrsize = (ak.ai_termid.at_addr[0] == INADDR_ANY) ?
125 AUDIT_HEADER_SIZE : AUDIT_HEADER_EX_SIZE(&ak);
128 ap = (struct in6_addr *)&ak.ai_termid.at_addr[0];
129 hdrsize = (IN6_IS_ADDR_UNSPECIFIED(ap)) ? AUDIT_HEADER_SIZE :
130 AUDIT_HEADER_EX_SIZE(&ak);
133 panic("kau_close: invalid address family");
135 tot_rec_size = rec->len + hdrsize + AUDIT_TRAILER_SIZE;
136 rec->data = malloc(tot_rec_size, M_AUDITBSM, M_WAITOK | M_ZERO);
138 tm.tv_usec = ctime->tv_nsec / 1000;
139 tm.tv_sec = ctime->tv_sec;
140 if (hdrsize != AUDIT_HEADER_SIZE)
141 hdr = au_to_header32_ex_tm(tot_rec_size, event, 0, tm, &ak);
143 hdr = au_to_header32_tm(tot_rec_size, event, 0, tm);
144 TAILQ_INSERT_HEAD(&rec->token_q, hdr, tokens);
146 trail = au_to_trailer(tot_rec_size);
147 TAILQ_INSERT_TAIL(&rec->token_q, trail, tokens);
149 rec->len = tot_rec_size;
151 TAILQ_FOREACH(cur, &rec->token_q, tokens) {
152 memcpy(dptr, cur->t_data, cur->len);
158 * Free a BSM audit record by releasing all the tokens and clearing the audit
159 * record information.
162 kau_free(struct au_record *rec)
164 struct au_token *tok;
166 /* Free the token list. */
167 while ((tok = TAILQ_FIRST(&rec->token_q))) {
168 TAILQ_REMOVE(&rec->token_q, tok, tokens);
169 free(tok->t_data, M_AUDITBSM);
170 free(tok, M_AUDITBSM);
175 free(rec->data, M_AUDITBSM);
176 free(rec, M_AUDITBSM);
180 * XXX: May want turn some (or all) of these macros into functions in order
181 * to reduce the generated code size.
183 * XXXAUDIT: These macros assume that 'kar', 'ar', 'rec', and 'tok' in the
184 * caller are OK with this.
186 #define ATFD1_TOKENS(argnum) do { \
187 if (ARG_IS_VALID(kar, ARG_ATFD1)) { \
188 tok = au_to_arg32(argnum, "at fd 1", ar->ar_arg_atfd1); \
189 kau_write(rec, tok); \
193 #define ATFD2_TOKENS(argnum) do { \
194 if (ARG_IS_VALID(kar, ARG_ATFD2)) { \
195 tok = au_to_arg32(argnum, "at fd 2", ar->ar_arg_atfd2); \
196 kau_write(rec, tok); \
200 #define UPATH1_TOKENS do { \
201 if (ARG_IS_VALID(kar, ARG_UPATH1)) { \
202 tok = au_to_path(ar->ar_arg_upath1); \
203 kau_write(rec, tok); \
207 #define UPATH2_TOKENS do { \
208 if (ARG_IS_VALID(kar, ARG_UPATH2)) { \
209 tok = au_to_path(ar->ar_arg_upath2); \
210 kau_write(rec, tok); \
214 #define VNODE1_TOKENS do { \
215 if (ARG_IS_VALID(kar, ARG_ATFD)) { \
216 tok = au_to_arg32(1, "at fd", ar->ar_arg_atfd); \
217 kau_write(rec, tok); \
219 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \
220 tok = au_to_attr32(&ar->ar_arg_vnode1); \
221 kau_write(rec, tok); \
225 #define UPATH1_VNODE1_TOKENS do { \
227 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \
228 tok = au_to_attr32(&ar->ar_arg_vnode1); \
229 kau_write(rec, tok); \
233 #define VNODE2_TOKENS do { \
234 if (ARG_IS_VALID(kar, ARG_VNODE2)) { \
235 tok = au_to_attr32(&ar->ar_arg_vnode2); \
236 kau_write(rec, tok); \
240 #define FD_VNODE1_TOKENS do { \
241 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \
242 if (ARG_IS_VALID(kar, ARG_FD)) { \
243 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); \
244 kau_write(rec, tok); \
246 tok = au_to_attr32(&ar->ar_arg_vnode1); \
247 kau_write(rec, tok); \
249 if (ARG_IS_VALID(kar, ARG_FD)) { \
250 tok = au_to_arg32(1, "non-file: fd", \
252 kau_write(rec, tok); \
257 #define PROCESS_PID_TOKENS(argn) do { \
258 if ((ar->ar_arg_pid > 0) /* Reference a single process */ \
259 && (ARG_IS_VALID(kar, ARG_PROCESS))) { \
260 tok = au_to_process32_ex(ar->ar_arg_auid, \
261 ar->ar_arg_euid, ar->ar_arg_egid, \
262 ar->ar_arg_ruid, ar->ar_arg_rgid, \
263 ar->ar_arg_pid, ar->ar_arg_asid, \
264 &ar->ar_arg_termid_addr); \
265 kau_write(rec, tok); \
266 } else if (ARG_IS_VALID(kar, ARG_PID)) { \
267 tok = au_to_arg32(argn, "process", ar->ar_arg_pid); \
268 kau_write(rec, tok); \
272 #define EXTATTR_TOKENS(namespace_argnum) do { \
273 if (ARG_IS_VALID(kar, ARG_VALUE)) { \
274 switch (ar->ar_arg_value) { \
275 case EXTATTR_NAMESPACE_USER: \
276 tok = au_to_text(EXTATTR_NAMESPACE_USER_STRING);\
278 case EXTATTR_NAMESPACE_SYSTEM: \
279 tok = au_to_text(EXTATTR_NAMESPACE_SYSTEM_STRING);\
282 tok = au_to_arg32((namespace_argnum), \
283 "attrnamespace", ar->ar_arg_value); \
286 kau_write(rec, tok); \
288 /* attrname is in the text field */ \
289 if (ARG_IS_VALID(kar, ARG_TEXT)) { \
290 tok = au_to_text(ar->ar_arg_text); \
291 kau_write(rec, tok); \
296 * Not all pointer arguments to system calls are of interest, but in some
297 * cases they reflect delegation of rights, such as mmap(2) followed by
298 * minherit(2) before execve(2), so do the best we can.
300 #define ADDR_TOKEN(argnum, argname) do { \
301 if (ARG_IS_VALID(kar, ARG_ADDR)) { \
302 if (sizeof(void *) == sizeof(uint32_t)) \
303 tok = au_to_arg32((argnum), (argname), \
304 (uint32_t)(uintptr_t)ar->ar_arg_addr); \
306 tok = au_to_arg64((argnum), (argname), \
307 (uint64_t)(uintptr_t)ar->ar_arg_addr); \
308 kau_write(rec, tok); \
314 * Implement auditing for the auditon() system call. The audit tokens that
315 * are generated depend on the command that was sent into the auditon()
319 audit_sys_auditon(struct audit_record *ar, struct au_record *rec)
321 struct au_token *tok;
323 tok = au_to_arg32(3, "length", ar->ar_arg_len);
325 switch (ar->ar_arg_cmd) {
327 if ((size_t)ar->ar_arg_len == sizeof(int64_t)) {
328 tok = au_to_arg64(2, "policy",
329 ar->ar_arg_auditon.au_policy64);
336 tok = au_to_arg32(2, "policy", ar->ar_arg_auditon.au_policy);
341 tok = au_to_arg32(2, "setkmask:as_success",
342 ar->ar_arg_auditon.au_mask.am_success);
344 tok = au_to_arg32(2, "setkmask:as_failure",
345 ar->ar_arg_auditon.au_mask.am_failure);
350 if ((size_t)ar->ar_arg_len == sizeof(au_qctrl64_t)) {
351 tok = au_to_arg64(2, "setqctrl:aq_hiwater",
352 ar->ar_arg_auditon.au_qctrl64.aq64_hiwater);
354 tok = au_to_arg64(2, "setqctrl:aq_lowater",
355 ar->ar_arg_auditon.au_qctrl64.aq64_lowater);
357 tok = au_to_arg64(2, "setqctrl:aq_bufsz",
358 ar->ar_arg_auditon.au_qctrl64.aq64_bufsz);
360 tok = au_to_arg64(2, "setqctrl:aq_delay",
361 ar->ar_arg_auditon.au_qctrl64.aq64_delay);
363 tok = au_to_arg64(2, "setqctrl:aq_minfree",
364 ar->ar_arg_auditon.au_qctrl64.aq64_minfree);
371 tok = au_to_arg32(2, "setqctrl:aq_hiwater",
372 ar->ar_arg_auditon.au_qctrl.aq_hiwater);
374 tok = au_to_arg32(2, "setqctrl:aq_lowater",
375 ar->ar_arg_auditon.au_qctrl.aq_lowater);
377 tok = au_to_arg32(2, "setqctrl:aq_bufsz",
378 ar->ar_arg_auditon.au_qctrl.aq_bufsz);
380 tok = au_to_arg32(2, "setqctrl:aq_delay",
381 ar->ar_arg_auditon.au_qctrl.aq_delay);
383 tok = au_to_arg32(2, "setqctrl:aq_minfree",
384 ar->ar_arg_auditon.au_qctrl.aq_minfree);
389 tok = au_to_arg32(2, "setumask:as_success",
390 ar->ar_arg_auditon.au_auinfo.ai_mask.am_success);
392 tok = au_to_arg32(2, "setumask:as_failure",
393 ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure);
398 tok = au_to_arg32(2, "setsmask:as_success",
399 ar->ar_arg_auditon.au_auinfo.ai_mask.am_success);
401 tok = au_to_arg32(2, "setsmask:as_failure",
402 ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure);
407 if ((size_t)ar->ar_arg_len == sizeof(int64_t)) {
408 tok = au_to_arg64(2, "setcond",
409 ar->ar_arg_auditon.au_cond64);
416 tok = au_to_arg32(2, "setcond", ar->ar_arg_auditon.au_cond);
422 tok = au_to_arg32(2, "setclass:ec_event",
423 ar->ar_arg_auditon.au_evclass.ec_number);
425 tok = au_to_arg32(2, "setclass:ec_class",
426 ar->ar_arg_auditon.au_evclass.ec_class);
431 tok = au_to_arg32(2, "setpmask:as_success",
432 ar->ar_arg_auditon.au_aupinfo.ap_mask.am_success);
434 tok = au_to_arg32(2, "setpmask:as_failure",
435 ar->ar_arg_auditon.au_aupinfo.ap_mask.am_failure);
440 tok = au_to_arg32(2, "setfsize:filesize",
441 ar->ar_arg_auditon.au_fstat.af_filesz);
451 * Convert an internal kernel audit record to a BSM record and return a
452 * success/failure indicator. The BSM record is passed as an out parameter to
456 * BSM_SUCCESS: The BSM record is valid
457 * BSM_FAILURE: Failure; the BSM record is NULL.
458 * BSM_NOAUDIT: The event is not auditable for BSM; the BSM record is NULL.
461 kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau)
463 struct au_token *tok, *subj_tok, *jail_tok;
464 struct au_record *rec;
466 struct audit_record *ar;
469 KASSERT(kar != NULL, ("kaudit_to_bsm: kar == NULL"));
476 * Create the subject token. If this credential was jailed be sure to
477 * generate a zonename token.
479 if (ar->ar_jailname[0] != '\0')
480 jail_tok = au_to_zonename(ar->ar_jailname);
483 switch (ar->ar_subj_term_addr.at_type) {
485 tid.port = ar->ar_subj_term_addr.at_port;
486 tid.machine = ar->ar_subj_term_addr.at_addr[0];
487 subj_tok = au_to_subject32(ar->ar_subj_auid, /* audit ID */
488 ar->ar_subj_cred.cr_uid, /* eff uid */
489 ar->ar_subj_egid, /* eff group id */
490 ar->ar_subj_ruid, /* real uid */
491 ar->ar_subj_rgid, /* real group id */
492 ar->ar_subj_pid, /* process id */
493 ar->ar_subj_asid, /* session ID */
497 subj_tok = au_to_subject32_ex(ar->ar_subj_auid,
498 ar->ar_subj_cred.cr_uid,
504 &ar->ar_subj_term_addr);
507 bzero(&tid, sizeof(tid));
508 subj_tok = au_to_subject32(ar->ar_subj_auid,
509 ar->ar_subj_cred.cr_uid,
519 * The logic inside each case fills in the tokens required for the
520 * event, except for the header, trailer, and return tokens. The
521 * header and trailer tokens are added by the kau_close() function.
522 * The return token is added outside of the switch statement.
524 switch(ar->ar_event) {
537 * Socket-related events.
539 if (ARG_IS_VALID(kar, ARG_FD)) {
540 tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
543 if (ARG_IS_VALID(kar, ARG_SADDRINET)) {
544 tok = au_to_sock_inet((struct sockaddr_in *)
545 &ar->ar_arg_sockaddr);
548 if (ARG_IS_VALID(kar, ARG_SADDRUNIX)) {
549 tok = au_to_sock_unix((struct sockaddr_un *)
550 &ar->ar_arg_sockaddr);
554 /* XXX Need to handle ARG_SADDRINET6 */
560 if (ARG_IS_VALID(kar, ARG_FD)) {
561 tok = au_to_arg32(2, "fd", ar->ar_arg_fd);
564 if (ARG_IS_VALID(kar, ARG_SADDRUNIX)) {
565 tok = au_to_sock_unix((struct sockaddr_un *)
566 &ar->ar_arg_sockaddr);
574 if (ARG_IS_VALID(kar, ARG_SOCKINFO)) {
575 tok = au_to_arg32(1, "domain",
576 ar->ar_arg_sockinfo.so_domain);
578 tok = au_to_arg32(2, "type",
579 ar->ar_arg_sockinfo.so_type);
581 tok = au_to_arg32(3, "protocol",
582 ar->ar_arg_sockinfo.so_protocol);
589 if (ARG_IS_VALID(kar, ARG_FD)) {
590 tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
596 if (ARG_IS_VALID(kar, ARG_UPATH1)) {
597 UPATH1_VNODE1_TOKENS;
599 tok = au_to_arg32(1, "accounting off", 0);
605 if (ARG_IS_VALID(kar, ARG_AUID)) {
606 tok = au_to_arg32(2, "setauid", ar->ar_arg_auid);
612 if (ARG_IS_VALID(kar, ARG_AUID) &&
613 ARG_IS_VALID(kar, ARG_ASID) &&
614 ARG_IS_VALID(kar, ARG_AMASK) &&
615 ARG_IS_VALID(kar, ARG_TERMID)) {
616 tok = au_to_arg32(1, "setaudit:auid",
619 tok = au_to_arg32(1, "setaudit:port",
620 ar->ar_arg_termid.port);
622 tok = au_to_arg32(1, "setaudit:machine",
623 ar->ar_arg_termid.machine);
625 tok = au_to_arg32(1, "setaudit:as_success",
626 ar->ar_arg_amask.am_success);
628 tok = au_to_arg32(1, "setaudit:as_failure",
629 ar->ar_arg_amask.am_failure);
631 tok = au_to_arg32(1, "setaudit:asid",
637 case AUE_SETAUDIT_ADDR:
638 if (ARG_IS_VALID(kar, ARG_AUID) &&
639 ARG_IS_VALID(kar, ARG_ASID) &&
640 ARG_IS_VALID(kar, ARG_AMASK) &&
641 ARG_IS_VALID(kar, ARG_TERMID_ADDR)) {
642 tok = au_to_arg32(1, "setaudit_addr:auid",
645 tok = au_to_arg32(1, "setaudit_addr:as_success",
646 ar->ar_arg_amask.am_success);
648 tok = au_to_arg32(1, "setaudit_addr:as_failure",
649 ar->ar_arg_amask.am_failure);
651 tok = au_to_arg32(1, "setaudit_addr:asid",
654 tok = au_to_arg32(1, "setaudit_addr:type",
655 ar->ar_arg_termid_addr.at_type);
657 tok = au_to_arg32(1, "setaudit_addr:port",
658 ar->ar_arg_termid_addr.at_port);
660 if (ar->ar_arg_termid_addr.at_type == AU_IPv6)
661 tok = au_to_in_addr_ex((struct in6_addr *)
662 &ar->ar_arg_termid_addr.at_addr[0]);
663 if (ar->ar_arg_termid_addr.at_type == AU_IPv4)
664 tok = au_to_in_addr((struct in_addr *)
665 &ar->ar_arg_termid_addr.at_addr[0]);
672 * For AUDITON commands without own event, audit the cmd.
674 if (ARG_IS_VALID(kar, ARG_CMD)) {
675 tok = au_to_arg32(1, "cmd", ar->ar_arg_cmd);
680 case AUE_AUDITON_GETCAR:
681 case AUE_AUDITON_GETCLASS:
682 case AUE_AUDITON_GETCOND:
683 case AUE_AUDITON_GETCWD:
684 case AUE_AUDITON_GETKMASK:
685 case AUE_AUDITON_GETSTAT:
686 case AUE_AUDITON_GPOLICY:
687 case AUE_AUDITON_GQCTRL:
688 case AUE_AUDITON_SETCLASS:
689 case AUE_AUDITON_SETCOND:
690 case AUE_AUDITON_SETKMASK:
691 case AUE_AUDITON_SETSMASK:
692 case AUE_AUDITON_SETSTAT:
693 case AUE_AUDITON_SETUMASK:
694 case AUE_AUDITON_SPOLICY:
695 case AUE_AUDITON_SQCTRL:
696 if (ARG_IS_VALID(kar, ARG_AUDITON))
697 audit_sys_auditon(ar, rec);
701 UPATH1_VNODE1_TOKENS;
705 if (ARG_IS_VALID(kar, ARG_EXIT)) {
706 tok = au_to_exit(ar->ar_arg_exitretval,
707 ar->ar_arg_exitstatus);
713 case AUE_CLOCK_SETTIME:
717 case AUE_GETAUDIT_ADDR:
727 case AUE_NTP_ADJTIME:
729 case AUE_POSIX_OPENPT:
737 case AUE_SETTIMEOFDAY:
741 * Header, subject, and return tokens added at end.
749 case AUE_GETATTRLIST:
761 case AUE_SETATTRLIST:
772 UPATH1_VNODE1_TOKENS;
779 UPATH1_VNODE1_TOKENS;
780 if (ARG_IS_VALID(kar, ARG_VALUE)) {
781 tok = au_to_arg32(2, "mode", ar->ar_arg_value);
789 /* XXXRW: Need to audit vnode argument. */
794 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
795 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
798 UPATH1_VNODE1_TOKENS;
803 if (ARG_IS_VALID(kar, ARG_MODE)) {
804 tok = au_to_arg32(2, "new file mode",
808 UPATH1_VNODE1_TOKENS;
813 if (ARG_IS_VALID(kar, ARG_MODE)) {
814 tok = au_to_arg32(3, "new file mode",
818 UPATH1_VNODE1_TOKENS;
823 if (ARG_IS_VALID(kar, ARG_UID)) {
824 tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid);
827 if (ARG_IS_VALID(kar, ARG_GID)) {
828 tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid);
831 UPATH1_VNODE1_TOKENS;
836 if (ARG_IS_VALID(kar, ARG_UID)) {
837 tok = au_to_arg32(3, "new file uid", ar->ar_arg_uid);
840 if (ARG_IS_VALID(kar, ARG_GID)) {
841 tok = au_to_arg32(4, "new file gid", ar->ar_arg_gid);
844 UPATH1_VNODE1_TOKENS;
847 case AUE_EXCHANGEDATA:
848 UPATH1_VNODE1_TOKENS;
853 if (ARG_IS_VALID(kar, ARG_FD)) {
854 tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
857 UPATH1_VNODE1_TOKENS;
861 if (ARG_IS_VALID(kar, ARG_FD)) {
862 tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
868 if (ARG_IS_VALID(kar, ARG_SIGNUM)) {
869 tok = au_to_arg32(1, "signal", ar->ar_arg_signum);
872 UPATH1_VNODE1_TOKENS;
876 UPATH1_VNODE1_TOKENS;
877 if (ARG_IS_VALID(kar, ARG_CMD)) {
878 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd);
881 /* extattrctl(2) filename parameter is in upath2/vnode2 */
887 case AUE_EXTATTR_GET_FILE:
888 case AUE_EXTATTR_SET_FILE:
889 case AUE_EXTATTR_LIST_FILE:
890 case AUE_EXTATTR_DELETE_FILE:
891 case AUE_EXTATTR_GET_LINK:
892 case AUE_EXTATTR_SET_LINK:
893 case AUE_EXTATTR_LIST_LINK:
894 case AUE_EXTATTR_DELETE_LINK:
895 UPATH1_VNODE1_TOKENS;
899 case AUE_EXTATTR_GET_FD:
900 case AUE_EXTATTR_SET_FD:
901 case AUE_EXTATTR_LIST_FD:
902 case AUE_EXTATTR_DELETE_FD:
903 if (ARG_IS_VALID(kar, ARG_FD)) {
904 tok = au_to_arg32(2, "fd", ar->ar_arg_fd);
911 if (ARG_IS_VALID(kar, ARG_FD)) {
912 tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
919 if (ARG_IS_VALID(kar, ARG_ARGV)) {
920 tok = au_to_exec_args(ar->ar_arg_argv,
924 if (ARG_IS_VALID(kar, ARG_ENVV)) {
925 tok = au_to_exec_env(ar->ar_arg_envv,
929 UPATH1_VNODE1_TOKENS;
933 if (ARG_IS_VALID(kar, ARG_MODE)) {
934 tok = au_to_arg32(2, "new file mode",
942 * XXXRW: Some of these need to handle non-vnode cases as well.
951 case AUE_GETDIRENTRIES:
952 case AUE_GETDIRENTRIESATTR:
965 if (ARG_IS_VALID(kar, ARG_UID)) {
966 tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid);
969 if (ARG_IS_VALID(kar, ARG_GID)) {
970 tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid);
977 if (ARG_IS_VALID(kar, ARG_CMD)) {
978 tok = au_to_arg32(2, "cmd",
979 au_fcntl_cmd_to_bsm(ar->ar_arg_cmd));
986 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
987 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
994 if (ARG_IS_VALID(kar, ARG_CMD)) {
995 tok = au_to_arg32(2, "operation", ar->ar_arg_cmd);
1002 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
1003 tok = au_to_arg32(1, "flags", ar->ar_arg_fflags);
1004 kau_write(rec, tok);
1010 if (ARG_IS_VALID(kar, ARG_PID)) {
1011 tok = au_to_arg32(0, "child PID", ar->ar_arg_pid);
1012 kau_write(rec, tok);
1017 if (ARG_IS_VALID(kar, ARG_CMD)) {
1018 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd);
1019 kau_write(rec, tok);
1021 if (ARG_IS_VALID(kar, ARG_VNODE1))
1024 if (ARG_IS_VALID(kar, ARG_SOCKINFO)) {
1025 tok = kau_to_socket(&ar->ar_arg_sockinfo);
1026 kau_write(rec, tok);
1028 if (ARG_IS_VALID(kar, ARG_FD)) {
1029 tok = au_to_arg32(1, "fd",
1031 kau_write(rec, tok);
1039 if (ARG_IS_VALID(kar, ARG_SIGNUM)) {
1040 tok = au_to_arg32(2, "signal", ar->ar_arg_signum);
1041 kau_write(rec, tok);
1043 PROCESS_PID_TOKENS(1);
1047 if (ARG_IS_VALID(kar, ARG_CMD)) {
1048 tok = au_to_arg32(2, "ops", ar->ar_arg_cmd);
1049 kau_write(rec, tok);
1051 if (ARG_IS_VALID(kar, ARG_VALUE)) {
1052 tok = au_to_arg32(3, "trpoints", ar->ar_arg_value);
1053 kau_write(rec, tok);
1055 PROCESS_PID_TOKENS(4);
1056 UPATH1_VNODE1_TOKENS;
1064 UPATH1_VNODE1_TOKENS;
1069 case AUE_LOADSHFILE:
1070 ADDR_TOKEN(4, "base addr");
1071 UPATH1_VNODE1_TOKENS;
1079 if (ARG_IS_VALID(kar, ARG_MODE)) {
1080 tok = au_to_arg32(2, "mode", ar->ar_arg_mode);
1081 kau_write(rec, tok);
1083 UPATH1_VNODE1_TOKENS;
1089 if (ARG_IS_VALID(kar, ARG_MODE)) {
1090 tok = au_to_arg32(2, "mode", ar->ar_arg_mode);
1091 kau_write(rec, tok);
1093 if (ARG_IS_VALID(kar, ARG_DEV)) {
1094 tok = au_to_arg32(3, "dev", ar->ar_arg_dev);
1095 kau_write(rec, tok);
1097 UPATH1_VNODE1_TOKENS;
1106 ADDR_TOKEN(1, "addr");
1107 if (ARG_IS_VALID(kar, ARG_LEN)) {
1108 tok = au_to_arg32(2, "len", ar->ar_arg_len);
1109 kau_write(rec, tok);
1111 if (ar->ar_event == AUE_MMAP)
1113 if (ar->ar_event == AUE_MPROTECT) {
1114 if (ARG_IS_VALID(kar, ARG_VALUE)) {
1115 tok = au_to_arg32(3, "protection",
1117 kau_write(rec, tok);
1120 if (ar->ar_event == AUE_MINHERIT) {
1121 if (ARG_IS_VALID(kar, ARG_VALUE)) {
1122 tok = au_to_arg32(3, "inherit",
1124 kau_write(rec, tok);
1131 /* XXX Need to handle NFS mounts */
1132 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
1133 tok = au_to_arg32(3, "flags", ar->ar_arg_fflags);
1134 kau_write(rec, tok);
1136 if (ARG_IS_VALID(kar, ARG_TEXT)) {
1137 tok = au_to_text(ar->ar_arg_text);
1138 kau_write(rec, tok);
1143 if (ARG_IS_VALID(kar, ARG_CMD)) {
1144 tok = au_to_arg32(1, "flags", ar->ar_arg_cmd);
1145 kau_write(rec, tok);
1150 if (ARG_IS_VALID(kar, ARG_VALUE)) {
1151 tok = au_to_arg32(2, "flags", ar->ar_arg_value);
1152 kau_write(rec, tok);
1154 UPATH1_VNODE1_TOKENS;
1155 if (ARG_IS_VALID(kar, ARG_TEXT)) {
1156 tok = au_to_text(ar->ar_arg_text);
1157 kau_write(rec, tok);
1162 ar->ar_event = audit_msgctl_to_event(ar->ar_arg_svipc_cmd);
1167 tok = au_to_arg32(1, "msg ID", ar->ar_arg_svipc_id);
1168 kau_write(rec, tok);
1169 if (ar->ar_errno != EINVAL) {
1170 tok = au_to_ipc(AT_IPC_MSG, ar->ar_arg_svipc_id);
1171 kau_write(rec, tok);
1176 if (ar->ar_errno == 0) {
1177 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
1178 tok = au_to_ipc(AT_IPC_MSG,
1179 ar->ar_arg_svipc_id);
1180 kau_write(rec, tok);
1185 case AUE_RESETSHFILE:
1186 ADDR_TOKEN(1, "base addr");
1196 if (ARG_IS_VALID(kar, ARG_MODE)) {
1197 tok = au_to_arg32(3, "mode", ar->ar_arg_mode);
1198 kau_write(rec, tok);
1208 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
1209 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
1210 kau_write(rec, tok);
1212 UPATH1_VNODE1_TOKENS;
1216 case AUE_OPENAT_RTC:
1217 case AUE_OPENAT_RWC:
1218 case AUE_OPENAT_RWTC:
1220 case AUE_OPENAT_WTC:
1221 if (ARG_IS_VALID(kar, ARG_MODE)) {
1222 tok = au_to_arg32(3, "mode", ar->ar_arg_mode);
1223 kau_write(rec, tok);
1230 case AUE_OPENAT_RWT:
1233 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
1234 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
1235 kau_write(rec, tok);
1238 UPATH1_VNODE1_TOKENS;
1242 if (ARG_IS_VALID(kar, ARG_CMD)) {
1243 tok = au_to_arg32(1, "request", ar->ar_arg_cmd);
1244 kau_write(rec, tok);
1246 if (ARG_IS_VALID(kar, ARG_VALUE)) {
1247 tok = au_to_arg32(4, "data", ar->ar_arg_value);
1248 kau_write(rec, tok);
1250 PROCESS_PID_TOKENS(2);
1254 if (ARG_IS_VALID(kar, ARG_CMD)) {
1255 tok = au_to_arg32(2, "command", ar->ar_arg_cmd);
1256 kau_write(rec, tok);
1258 if (ARG_IS_VALID(kar, ARG_UID)) {
1259 tok = au_to_arg32(3, "uid", ar->ar_arg_uid);
1260 kau_write(rec, tok);
1262 if (ARG_IS_VALID(kar, ARG_GID)) {
1263 tok = au_to_arg32(3, "gid", ar->ar_arg_gid);
1264 kau_write(rec, tok);
1266 UPATH1_VNODE1_TOKENS;
1270 if (ARG_IS_VALID(kar, ARG_CMD)) {
1271 tok = au_to_arg32(1, "howto", ar->ar_arg_cmd);
1272 kau_write(rec, tok);
1277 ar->ar_event = audit_semctl_to_event(ar->ar_arg_svipc_cmd);
1281 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
1282 tok = au_to_arg32(1, "sem ID", ar->ar_arg_svipc_id);
1283 kau_write(rec, tok);
1284 if (ar->ar_errno != EINVAL) {
1285 tok = au_to_ipc(AT_IPC_SEM,
1286 ar->ar_arg_svipc_id);
1287 kau_write(rec, tok);
1293 if (ar->ar_errno == 0) {
1294 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
1295 tok = au_to_ipc(AT_IPC_SEM,
1296 ar->ar_arg_svipc_id);
1297 kau_write(rec, tok);
1303 if (ARG_IS_VALID(kar, ARG_EGID)) {
1304 tok = au_to_arg32(1, "egid", ar->ar_arg_egid);
1305 kau_write(rec, tok);
1310 if (ARG_IS_VALID(kar, ARG_EUID)) {
1311 tok = au_to_arg32(1, "euid", ar->ar_arg_euid);
1312 kau_write(rec, tok);
1317 if (ARG_IS_VALID(kar, ARG_RGID)) {
1318 tok = au_to_arg32(1, "rgid", ar->ar_arg_rgid);
1319 kau_write(rec, tok);
1321 if (ARG_IS_VALID(kar, ARG_EGID)) {
1322 tok = au_to_arg32(2, "egid", ar->ar_arg_egid);
1323 kau_write(rec, tok);
1328 if (ARG_IS_VALID(kar, ARG_RUID)) {
1329 tok = au_to_arg32(1, "ruid", ar->ar_arg_ruid);
1330 kau_write(rec, tok);
1332 if (ARG_IS_VALID(kar, ARG_EUID)) {
1333 tok = au_to_arg32(2, "euid", ar->ar_arg_euid);
1334 kau_write(rec, tok);
1339 if (ARG_IS_VALID(kar, ARG_RGID)) {
1340 tok = au_to_arg32(1, "rgid", ar->ar_arg_rgid);
1341 kau_write(rec, tok);
1343 if (ARG_IS_VALID(kar, ARG_EGID)) {
1344 tok = au_to_arg32(2, "egid", ar->ar_arg_egid);
1345 kau_write(rec, tok);
1347 if (ARG_IS_VALID(kar, ARG_SGID)) {
1348 tok = au_to_arg32(3, "sgid", ar->ar_arg_sgid);
1349 kau_write(rec, tok);
1354 if (ARG_IS_VALID(kar, ARG_RUID)) {
1355 tok = au_to_arg32(1, "ruid", ar->ar_arg_ruid);
1356 kau_write(rec, tok);
1358 if (ARG_IS_VALID(kar, ARG_EUID)) {
1359 tok = au_to_arg32(2, "euid", ar->ar_arg_euid);
1360 kau_write(rec, tok);
1362 if (ARG_IS_VALID(kar, ARG_SUID)) {
1363 tok = au_to_arg32(3, "suid", ar->ar_arg_suid);
1364 kau_write(rec, tok);
1369 if (ARG_IS_VALID(kar, ARG_GID)) {
1370 tok = au_to_arg32(1, "gid", ar->ar_arg_gid);
1371 kau_write(rec, tok);
1376 if (ARG_IS_VALID(kar, ARG_UID)) {
1377 tok = au_to_arg32(1, "uid", ar->ar_arg_uid);
1378 kau_write(rec, tok);
1383 if (ARG_IS_VALID(kar, ARG_GROUPSET)) {
1384 for(ctr = 0; ctr < ar->ar_arg_groups.gidset_size; ctr++)
1386 tok = au_to_arg32(1, "setgroups",
1387 ar->ar_arg_groups.gidset[ctr]);
1388 kau_write(rec, tok);
1394 if (ARG_IS_VALID(kar, ARG_LOGIN)) {
1395 tok = au_to_text(ar->ar_arg_login);
1396 kau_write(rec, tok);
1400 case AUE_SETPRIORITY:
1401 if (ARG_IS_VALID(kar, ARG_CMD)) {
1402 tok = au_to_arg32(1, "which", ar->ar_arg_cmd);
1403 kau_write(rec, tok);
1405 if (ARG_IS_VALID(kar, ARG_UID)) {
1406 tok = au_to_arg32(2, "who", ar->ar_arg_uid);
1407 kau_write(rec, tok);
1409 PROCESS_PID_TOKENS(2);
1410 if (ARG_IS_VALID(kar, ARG_VALUE)) {
1411 tok = au_to_arg32(3, "priority", ar->ar_arg_value);
1412 kau_write(rec, tok);
1416 case AUE_SETPRIVEXEC:
1417 if (ARG_IS_VALID(kar, ARG_VALUE)) {
1418 tok = au_to_arg32(1, "flag", ar->ar_arg_value);
1419 kau_write(rec, tok);
1423 /* AUE_SHMAT, AUE_SHMCTL, AUE_SHMDT and AUE_SHMGET are SysV IPC */
1425 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
1426 tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id);
1427 kau_write(rec, tok);
1428 /* XXXAUDIT: Does having the ipc token make sense? */
1429 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id);
1430 kau_write(rec, tok);
1432 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) {
1433 tok = au_to_arg32(2, "shmaddr",
1434 (int)(uintptr_t)ar->ar_arg_svipc_addr);
1435 kau_write(rec, tok);
1437 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) {
1438 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm);
1439 kau_write(rec, tok);
1444 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
1445 tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id);
1446 kau_write(rec, tok);
1447 /* XXXAUDIT: Does having the ipc token make sense? */
1448 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id);
1449 kau_write(rec, tok);
1451 switch (ar->ar_arg_svipc_cmd) {
1453 ar->ar_event = AUE_SHMCTL_STAT;
1456 ar->ar_event = AUE_SHMCTL_RMID;
1459 ar->ar_event = AUE_SHMCTL_SET;
1460 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) {
1461 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm);
1462 kau_write(rec, tok);
1466 break; /* We will audit a bad command */
1471 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) {
1472 tok = au_to_arg32(1, "shmaddr",
1473 (int)(uintptr_t)ar->ar_arg_svipc_addr);
1474 kau_write(rec, tok);
1479 /* This is unusual; the return value is in an argument token */
1480 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
1481 tok = au_to_arg32(0, "shmid", ar->ar_arg_svipc_id);
1482 kau_write(rec, tok);
1483 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id);
1484 kau_write(rec, tok);
1486 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) {
1487 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm);
1488 kau_write(rec, tok);
1492 /* AUE_SHMOPEN, AUE_SHMUNLINK, AUE_SEMOPEN, AUE_SEMCLOSE
1493 * and AUE_SEMUNLINK are Posix IPC */
1495 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) {
1496 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
1497 kau_write(rec, tok);
1499 if (ARG_IS_VALID(kar, ARG_MODE)) {
1500 tok = au_to_arg32(3, "mode", ar->ar_arg_mode);
1501 kau_write(rec, tok);
1506 if (ARG_IS_VALID(kar, ARG_TEXT)) {
1507 tok = au_to_text(ar->ar_arg_text);
1508 kau_write(rec, tok);
1510 if (ARG_IS_VALID(kar, ARG_POSIX_IPC_PERM)) {
1511 struct ipc_perm perm;
1513 perm.uid = ar->ar_arg_pipc_perm.pipc_uid;
1514 perm.gid = ar->ar_arg_pipc_perm.pipc_gid;
1515 perm.cuid = ar->ar_arg_pipc_perm.pipc_uid;
1516 perm.cgid = ar->ar_arg_pipc_perm.pipc_gid;
1517 perm.mode = ar->ar_arg_pipc_perm.pipc_mode;
1520 tok = au_to_ipc_perm(&perm);
1521 kau_write(rec, tok);
1526 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
1527 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
1528 kau_write(rec, tok);
1530 if (ARG_IS_VALID(kar, ARG_MODE)) {
1531 tok = au_to_arg32(3, "mode", ar->ar_arg_mode);
1532 kau_write(rec, tok);
1534 if (ARG_IS_VALID(kar, ARG_VALUE)) {
1535 tok = au_to_arg32(4, "value", ar->ar_arg_value);
1536 kau_write(rec, tok);
1541 if (ARG_IS_VALID(kar, ARG_TEXT)) {
1542 tok = au_to_text(ar->ar_arg_text);
1543 kau_write(rec, tok);
1545 if (ARG_IS_VALID(kar, ARG_POSIX_IPC_PERM)) {
1546 struct ipc_perm perm;
1548 perm.uid = ar->ar_arg_pipc_perm.pipc_uid;
1549 perm.gid = ar->ar_arg_pipc_perm.pipc_gid;
1550 perm.cuid = ar->ar_arg_pipc_perm.pipc_uid;
1551 perm.cgid = ar->ar_arg_pipc_perm.pipc_gid;
1552 perm.mode = ar->ar_arg_pipc_perm.pipc_mode;
1555 tok = au_to_ipc_perm(&perm);
1556 kau_write(rec, tok);
1561 if (ARG_IS_VALID(kar, ARG_FD)) {
1562 tok = au_to_arg32(1, "sem", ar->ar_arg_fd);
1563 kau_write(rec, tok);
1569 if (ARG_IS_VALID(kar, ARG_TEXT)) {
1570 tok = au_to_text(ar->ar_arg_text);
1571 kau_write(rec, tok);
1574 UPATH1_VNODE1_TOKENS;
1578 case AUE_SYSCTL_NONADMIN:
1579 if (ARG_IS_VALID(kar, ARG_CTLNAME | ARG_LEN)) {
1580 for (ctr = 0; ctr < ar->ar_arg_len; ctr++) {
1581 tok = au_to_arg32(1, "name",
1582 ar->ar_arg_ctlname[ctr]);
1583 kau_write(rec, tok);
1586 if (ARG_IS_VALID(kar, ARG_VALUE)) {
1587 tok = au_to_arg32(5, "newval", ar->ar_arg_value);
1588 kau_write(rec, tok);
1590 if (ARG_IS_VALID(kar, ARG_TEXT)) {
1591 tok = au_to_text(ar->ar_arg_text);
1592 kau_write(rec, tok);
1597 if (ARG_IS_VALID(kar, ARG_MASK)) {
1598 tok = au_to_arg32(1, "new mask", ar->ar_arg_mask);
1599 kau_write(rec, tok);
1601 tok = au_to_arg32(0, "prev mask", ar->ar_retval);
1602 kau_write(rec, tok);
1607 PROCESS_PID_TOKENS(1);
1608 if (ARG_IS_VALID(kar, ARG_VALUE)) {
1609 tok = au_to_arg32(3, "options", ar->ar_arg_value);
1610 kau_write(rec, tok);
1614 case AUE_CAP_RIGHTS_LIMIT:
1616 * XXXRW/XXXJA: Would be nice to audit socket/etc information.
1619 if (ARG_IS_VALID(kar, ARG_RIGHTS)) {
1620 tok = au_to_rights(&ar->ar_arg_rights);
1621 kau_write(rec, tok);
1625 case AUE_CAP_FCNTLS_GET:
1626 case AUE_CAP_IOCTLS_GET:
1627 case AUE_CAP_IOCTLS_LIMIT:
1628 case AUE_CAP_RIGHTS_GET:
1629 if (ARG_IS_VALID(kar, ARG_FD)) {
1630 tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
1631 kau_write(rec, tok);
1635 case AUE_CAP_FCNTLS_LIMIT:
1637 if (ARG_IS_VALID(kar, ARG_FCNTL_RIGHTS)) {
1638 tok = au_to_arg32(2, "fcntlrights",
1639 ar->ar_arg_fcntl_rights);
1640 kau_write(rec, tok);
1645 case AUE_CAP_GETMODE:
1650 printf("BSM conversion requested for unknown event %d\n",
1654 * Write the subject token so it is properly freed here.
1656 if (jail_tok != NULL)
1657 kau_write(rec, jail_tok);
1658 kau_write(rec, subj_tok);
1660 return (BSM_NOAUDIT);
1663 if (jail_tok != NULL)
1664 kau_write(rec, jail_tok);
1665 kau_write(rec, subj_tok);
1666 tok = au_to_return32(au_errno_to_bsm(ar->ar_errno), ar->ar_retval);
1667 kau_write(rec, tok); /* Every record gets a return token */
1669 kau_close(rec, &ar->ar_endtime, ar->ar_event);
1672 return (BSM_SUCCESS);
1676 * Verify that a record is a valid BSM record. This verification is simple
1677 * now, but may be expanded on sometime in the future. Return 1 if the
1678 * record is good, 0 otherwise.
1681 bsm_rec_verify(void *rec)
1683 char c = *(char *)rec;
1686 * Check the token ID of the first token; it has to be a header
1689 * XXXAUDIT There needs to be a token structure to map a token.
1690 * XXXAUDIT 'Shouldn't be simply looking at the first char.
1692 if ((c != AUT_HEADER32) && (c != AUT_HEADER32_EX) &&
1693 (c != AUT_HEADER64) && (c != AUT_HEADER64_EX))