2 * Copyright (c) 1999-2005 Apple Inc.
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. Neither the name of Apple Inc. ("Apple") nor the names of
14 * its contributors may be used to endorse or promote products derived
15 * from this software without specific prior written permission.
17 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
21 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
25 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
26 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
27 * POSSIBILITY OF SUCH DAMAGE.
30 #include <sys/cdefs.h>
31 __FBSDID("$FreeBSD$");
33 #include <sys/param.h>
34 #include <sys/vnode.h>
37 #include <sys/malloc.h>
38 #include <sys/mutex.h>
39 #include <sys/socket.h>
40 #include <sys/extattr.h>
41 #include <sys/fcntl.h>
43 #include <sys/systm.h>
45 #include <bsm/audit.h>
46 #include <bsm/audit_internal.h>
47 #include <bsm/audit_record.h>
48 #include <bsm/audit_kevents.h>
50 #include <security/audit/audit.h>
51 #include <security/audit/audit_private.h>
53 #include <netinet/in_systm.h>
54 #include <netinet/in.h>
55 #include <netinet/ip.h>
57 MALLOC_DEFINE(M_AUDITBSM, "audit_bsm", "Audit BSM data");
59 static void audit_sys_auditon(struct audit_record *ar,
60 struct au_record *rec);
63 * Initialize the BSM auditing subsystem.
73 * This call reserves memory for the audit record. Memory must be guaranteed
74 * before any auditable event can be generated. The au_record structure
75 * maintains a reference to the memory allocated above and also the list of
76 * tokens associated with this record.
78 static struct au_record *
81 struct au_record *rec;
83 rec = malloc(sizeof(*rec), M_AUDITBSM, M_WAITOK);
85 TAILQ_INIT(&rec->token_q);
93 * Store the token with the record descriptor.
96 kau_write(struct au_record *rec, struct au_token *tok)
99 KASSERT(tok != NULL, ("kau_write: tok == NULL"));
101 TAILQ_INSERT_TAIL(&rec->token_q, tok, tokens);
102 rec->len += tok->len;
106 * Close out the audit record by adding the header token, identifying any
107 * missing tokens. Write out the tokens to the record memory.
110 kau_close(struct au_record *rec, struct timespec *ctime, short event)
114 token_t *cur, *hdr, *trail;
117 tot_rec_size = rec->len + AUDIT_HEADER_SIZE + AUDIT_TRAILER_SIZE;
118 rec->data = malloc(tot_rec_size, M_AUDITBSM, M_WAITOK | M_ZERO);
120 tm.tv_usec = ctime->tv_nsec / 1000;
121 tm.tv_sec = ctime->tv_sec;
122 hdr = au_to_header32_tm(tot_rec_size, event, 0, tm);
123 TAILQ_INSERT_HEAD(&rec->token_q, hdr, tokens);
125 trail = au_to_trailer(tot_rec_size);
126 TAILQ_INSERT_TAIL(&rec->token_q, trail, tokens);
128 rec->len = tot_rec_size;
130 TAILQ_FOREACH(cur, &rec->token_q, tokens) {
131 memcpy(dptr, cur->t_data, cur->len);
137 * Free a BSM audit record by releasing all the tokens and clearing the audit
138 * record information.
141 kau_free(struct au_record *rec)
143 struct au_token *tok;
145 /* Free the token list. */
146 while ((tok = TAILQ_FIRST(&rec->token_q))) {
147 TAILQ_REMOVE(&rec->token_q, tok, tokens);
148 free(tok->t_data, M_AUDITBSM);
149 free(tok, M_AUDITBSM);
154 free(rec->data, M_AUDITBSM);
155 free(rec, M_AUDITBSM);
159 * XXX: May want turn some (or all) of these macros into functions in order
160 * to reduce the generated code size.
162 * XXXAUDIT: These macros assume that 'kar', 'ar', 'rec', and 'tok' in the
163 * caller are OK with this.
165 #define UPATH1_TOKENS do { \
166 if (ARG_IS_VALID(kar, ARG_UPATH1)) { \
167 tok = au_to_path(ar->ar_arg_upath1); \
168 kau_write(rec, tok); \
172 #define UPATH2_TOKENS do { \
173 if (ARG_IS_VALID(kar, ARG_UPATH2)) { \
174 tok = au_to_path(ar->ar_arg_upath2); \
175 kau_write(rec, tok); \
179 #define VNODE1_TOKENS do { \
180 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \
181 tok = au_to_attr32(&ar->ar_arg_vnode1); \
182 kau_write(rec, tok); \
186 #define UPATH1_VNODE1_TOKENS do { \
187 if (ARG_IS_VALID(kar, ARG_UPATH1)) { \
190 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \
191 tok = au_to_attr32(&ar->ar_arg_vnode1); \
192 kau_write(rec, tok); \
196 #define VNODE2_TOKENS do { \
197 if (ARG_IS_VALID(kar, ARG_VNODE2)) { \
198 tok = au_to_attr32(&ar->ar_arg_vnode2); \
199 kau_write(rec, tok); \
203 #define FD_VNODE1_TOKENS do { \
204 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \
205 if (ARG_IS_VALID(kar, ARG_FD)) { \
206 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); \
207 kau_write(rec, tok); \
209 tok = au_to_attr32(&ar->ar_arg_vnode1); \
210 kau_write(rec, tok); \
212 if (ARG_IS_VALID(kar, ARG_FD)) { \
213 tok = au_to_arg32(1, "non-file: fd", \
215 kau_write(rec, tok); \
220 #define PROCESS_PID_TOKENS(argn) do { \
221 if ((ar->ar_arg_pid > 0) /* Reference a single process */ \
222 && (ARG_IS_VALID(kar, ARG_PROCESS))) { \
223 tok = au_to_process32_ex(ar->ar_arg_auid, \
224 ar->ar_arg_euid, ar->ar_arg_egid, \
225 ar->ar_arg_ruid, ar->ar_arg_rgid, \
226 ar->ar_arg_pid, ar->ar_arg_asid, \
227 &ar->ar_arg_termid_addr); \
228 kau_write(rec, tok); \
229 } else if (ARG_IS_VALID(kar, ARG_PID)) { \
230 tok = au_to_arg32(argn, "process", ar->ar_arg_pid); \
231 kau_write(rec, tok); \
235 #define EXTATTR_TOKENS do { \
236 if (ARG_IS_VALID(kar, ARG_VALUE)) { \
237 switch (ar->ar_arg_value) { \
238 case EXTATTR_NAMESPACE_USER: \
239 tok = au_to_text(EXTATTR_NAMESPACE_USER_STRING);\
241 case EXTATTR_NAMESPACE_SYSTEM: \
242 tok = au_to_text(EXTATTR_NAMESPACE_SYSTEM_STRING);\
245 tok = au_to_arg32(3, "attrnamespace", \
249 kau_write(rec, tok); \
251 /* attrname is in the text field */ \
252 if (ARG_IS_VALID(kar, ARG_TEXT)) { \
253 tok = au_to_text(ar->ar_arg_text); \
254 kau_write(rec, tok); \
259 * Implement auditing for the auditon() system call. The audit tokens that
260 * are generated depend on the command that was sent into the auditon()
264 audit_sys_auditon(struct audit_record *ar, struct au_record *rec)
266 struct au_token *tok;
268 switch (ar->ar_arg_cmd) {
270 if (sizeof(ar->ar_arg_auditon.au_flags) > 4)
271 tok = au_to_arg64(1, "policy",
272 ar->ar_arg_auditon.au_flags);
274 tok = au_to_arg32(1, "policy",
275 ar->ar_arg_auditon.au_flags);
280 tok = au_to_arg32(2, "setkmask:as_success",
281 ar->ar_arg_auditon.au_mask.am_success);
283 tok = au_to_arg32(2, "setkmask:as_failure",
284 ar->ar_arg_auditon.au_mask.am_failure);
289 tok = au_to_arg32(3, "setqctrl:aq_hiwater",
290 ar->ar_arg_auditon.au_qctrl.aq_hiwater);
292 tok = au_to_arg32(3, "setqctrl:aq_lowater",
293 ar->ar_arg_auditon.au_qctrl.aq_lowater);
295 tok = au_to_arg32(3, "setqctrl:aq_bufsz",
296 ar->ar_arg_auditon.au_qctrl.aq_bufsz);
298 tok = au_to_arg32(3, "setqctrl:aq_delay",
299 ar->ar_arg_auditon.au_qctrl.aq_delay);
301 tok = au_to_arg32(3, "setqctrl:aq_minfree",
302 ar->ar_arg_auditon.au_qctrl.aq_minfree);
307 tok = au_to_arg32(3, "setumask:as_success",
308 ar->ar_arg_auditon.au_auinfo.ai_mask.am_success);
310 tok = au_to_arg32(3, "setumask:as_failure",
311 ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure);
316 tok = au_to_arg32(3, "setsmask:as_success",
317 ar->ar_arg_auditon.au_auinfo.ai_mask.am_success);
319 tok = au_to_arg32(3, "setsmask:as_failure",
320 ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure);
325 if (sizeof(ar->ar_arg_auditon.au_cond) > 4)
326 tok = au_to_arg64(3, "setcond",
327 ar->ar_arg_auditon.au_cond);
329 tok = au_to_arg32(3, "setcond",
330 ar->ar_arg_auditon.au_cond);
335 tok = au_to_arg32(2, "setclass:ec_event",
336 ar->ar_arg_auditon.au_evclass.ec_number);
338 tok = au_to_arg32(3, "setclass:ec_class",
339 ar->ar_arg_auditon.au_evclass.ec_class);
344 tok = au_to_arg32(2, "setpmask:as_success",
345 ar->ar_arg_auditon.au_aupinfo.ap_mask.am_success);
347 tok = au_to_arg32(2, "setpmask:as_failure",
348 ar->ar_arg_auditon.au_aupinfo.ap_mask.am_failure);
353 tok = au_to_arg32(2, "setfsize:filesize",
354 ar->ar_arg_auditon.au_fstat.af_filesz);
364 * Convert an internal kernel audit record to a BSM record and return a
365 * success/failure indicator. The BSM record is passed as an out parameter to
369 * BSM_SUCCESS: The BSM record is valid
370 * BSM_FAILURE: Failure; the BSM record is NULL.
371 * BSM_NOAUDIT: The event is not auditable for BSM; the BSM record is NULL.
374 kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau)
376 struct au_token *tok, *subj_tok;
377 struct au_record *rec;
379 struct audit_record *ar;
382 KASSERT(kar != NULL, ("kaudit_to_bsm: kar == NULL"));
389 * Create the subject token.
391 switch (ar->ar_subj_term_addr.at_type) {
393 tid.port = ar->ar_subj_term_addr.at_port;
394 tid.machine = ar->ar_subj_term_addr.at_addr[0];
395 subj_tok = au_to_subject32(ar->ar_subj_auid, /* audit ID */
396 ar->ar_subj_cred.cr_uid, /* eff uid */
397 ar->ar_subj_egid, /* eff group id */
398 ar->ar_subj_ruid, /* real uid */
399 ar->ar_subj_rgid, /* real group id */
400 ar->ar_subj_pid, /* process id */
401 ar->ar_subj_asid, /* session ID */
405 subj_tok = au_to_subject32_ex(ar->ar_subj_auid,
406 ar->ar_subj_cred.cr_uid,
412 &ar->ar_subj_term_addr);
415 bzero(&tid, sizeof(tid));
416 subj_tok = au_to_subject32(ar->ar_subj_auid,
417 ar->ar_subj_cred.cr_uid,
427 * The logic inside each case fills in the tokens required for the
428 * event, except for the header, trailer, and return tokens. The
429 * header and trailer tokens are added by the kau_close() function.
430 * The return token is added outside of the switch statement.
432 switch(ar->ar_event) {
445 * Socket-related events.
447 if (ARG_IS_VALID(kar, ARG_FD)) {
448 tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
451 if (ARG_IS_VALID(kar, ARG_SADDRINET)) {
452 tok = au_to_sock_inet((struct sockaddr_in *)
453 &ar->ar_arg_sockaddr);
456 if (ARG_IS_VALID(kar, ARG_SADDRUNIX)) {
457 tok = au_to_sock_unix((struct sockaddr_un *)
458 &ar->ar_arg_sockaddr);
462 /* XXX Need to handle ARG_SADDRINET6 */
467 if (ARG_IS_VALID(kar, ARG_SOCKINFO)) {
468 tok = au_to_arg32(1,"domain",
469 ar->ar_arg_sockinfo.so_domain);
471 tok = au_to_arg32(2,"type",
472 ar->ar_arg_sockinfo.so_type);
474 tok = au_to_arg32(3,"protocol",
475 ar->ar_arg_sockinfo.so_protocol);
482 if (ARG_IS_VALID(kar, ARG_FD)) {
483 tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
489 if (ARG_IS_VALID(kar, ARG_UPATH1)) {
490 UPATH1_VNODE1_TOKENS;
492 tok = au_to_arg32(1, "accounting off", 0);
498 if (ARG_IS_VALID(kar, ARG_AUID)) {
499 tok = au_to_arg32(2, "setauid", ar->ar_arg_auid);
505 if (ARG_IS_VALID(kar, ARG_AUID) &&
506 ARG_IS_VALID(kar, ARG_ASID) &&
507 ARG_IS_VALID(kar, ARG_AMASK) &&
508 ARG_IS_VALID(kar, ARG_TERMID)) {
509 tok = au_to_arg32(1, "setaudit:auid",
512 tok = au_to_arg32(1, "setaudit:port",
513 ar->ar_arg_termid.port);
515 tok = au_to_arg32(1, "setaudit:machine",
516 ar->ar_arg_termid.machine);
518 tok = au_to_arg32(1, "setaudit:as_success",
519 ar->ar_arg_amask.am_success);
521 tok = au_to_arg32(1, "setaudit:as_failure",
522 ar->ar_arg_amask.am_failure);
524 tok = au_to_arg32(1, "setaudit:asid",
530 case AUE_SETAUDIT_ADDR:
531 if (ARG_IS_VALID(kar, ARG_AUID) &&
532 ARG_IS_VALID(kar, ARG_ASID) &&
533 ARG_IS_VALID(kar, ARG_AMASK) &&
534 ARG_IS_VALID(kar, ARG_TERMID_ADDR)) {
535 tok = au_to_arg32(1, "setaudit_addr:auid",
538 tok = au_to_arg32(1, "setaudit_addr:as_success",
539 ar->ar_arg_amask.am_success);
541 tok = au_to_arg32(1, "setaudit_addr:as_failure",
542 ar->ar_arg_amask.am_failure);
544 tok = au_to_arg32(1, "setaudit_addr:asid",
547 tok = au_to_arg32(1, "setaudit_addr:type",
548 ar->ar_arg_termid_addr.at_type);
550 tok = au_to_arg32(1, "setaudit_addr:port",
551 ar->ar_arg_termid_addr.at_port);
553 if (ar->ar_arg_termid_addr.at_type == AU_IPv6)
554 tok = au_to_in_addr_ex((struct in6_addr *)
555 &ar->ar_arg_termid_addr.at_addr[0]);
556 if (ar->ar_arg_termid_addr.at_type == AU_IPv4)
557 tok = au_to_in_addr((struct in_addr *)
558 &ar->ar_arg_termid_addr.at_addr[0]);
565 * For AUDITON commands without own event, audit the cmd.
567 if (ARG_IS_VALID(kar, ARG_CMD)) {
568 tok = au_to_arg32(1, "cmd", ar->ar_arg_cmd);
573 case AUE_AUDITON_GETCAR:
574 case AUE_AUDITON_GETCLASS:
575 case AUE_AUDITON_GETCOND:
576 case AUE_AUDITON_GETCWD:
577 case AUE_AUDITON_GETKMASK:
578 case AUE_AUDITON_GETSTAT:
579 case AUE_AUDITON_GPOLICY:
580 case AUE_AUDITON_GQCTRL:
581 case AUE_AUDITON_SETCLASS:
582 case AUE_AUDITON_SETCOND:
583 case AUE_AUDITON_SETKMASK:
584 case AUE_AUDITON_SETSMASK:
585 case AUE_AUDITON_SETSTAT:
586 case AUE_AUDITON_SETUMASK:
587 case AUE_AUDITON_SPOLICY:
588 case AUE_AUDITON_SQCTRL:
589 if (ARG_IS_VALID(kar, ARG_AUDITON))
590 audit_sys_auditon(ar, rec);
594 UPATH1_VNODE1_TOKENS;
598 if (ARG_IS_VALID(kar, ARG_EXIT)) {
599 tok = au_to_exit(ar->ar_arg_exitretval,
600 ar->ar_arg_exitstatus);
606 case AUE_CLOCK_SETTIME:
610 case AUE_GETAUDIT_ADDR:
622 case AUE_NTP_ADJTIME:
631 case AUE_SETTIMEOFDAY:
635 * Header, subject, and return tokens added at end.
640 if (ARG_IS_VALID(kar, ARG_MODE)) {
641 tok = au_to_arg32(2, "mode", ar->ar_arg_mode);
650 case AUE_GETATTRLIST:
660 case AUE_SETATTRLIST:
669 UPATH1_VNODE1_TOKENS;
675 /* XXXRW: Need to audit vnode argument. */
680 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
681 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
684 UPATH1_VNODE1_TOKENS;
689 if (ARG_IS_VALID(kar, ARG_MODE)) {
690 tok = au_to_arg32(2, "new file mode",
694 UPATH1_VNODE1_TOKENS;
699 if (ARG_IS_VALID(kar, ARG_UID)) {
700 tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid);
703 if (ARG_IS_VALID(kar, ARG_GID)) {
704 tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid);
707 UPATH1_VNODE1_TOKENS;
710 case AUE_EXCHANGEDATA:
711 UPATH1_VNODE1_TOKENS;
716 if (ARG_IS_VALID(kar, ARG_FD)) {
717 tok = au_to_arg32(2, "fd", ar->ar_arg_fd);
720 UPATH1_VNODE1_TOKENS;
724 if (ARG_IS_VALID(kar, ARG_SIGNUM)) {
725 tok = au_to_arg32(0, "signal", ar->ar_arg_signum);
728 UPATH1_VNODE1_TOKENS;
732 UPATH1_VNODE1_TOKENS;
733 if (ARG_IS_VALID(kar, ARG_CMD)) {
734 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd);
737 /* extattrctl(2) filename parameter is in upath2/vnode2 */
743 case AUE_EXTATTR_GET_FILE:
744 case AUE_EXTATTR_SET_FILE:
745 case AUE_EXTATTR_LIST_FILE:
746 case AUE_EXTATTR_DELETE_FILE:
747 case AUE_EXTATTR_GET_LINK:
748 case AUE_EXTATTR_SET_LINK:
749 case AUE_EXTATTR_LIST_LINK:
750 case AUE_EXTATTR_DELETE_LINK:
751 UPATH1_VNODE1_TOKENS;
755 case AUE_EXTATTR_GET_FD:
756 case AUE_EXTATTR_SET_FD:
757 case AUE_EXTATTR_LIST_FD:
758 case AUE_EXTATTR_DELETE_FD:
759 if (ARG_IS_VALID(kar, ARG_FD)) {
760 tok = au_to_arg32(2, "fd", ar->ar_arg_fd);
768 if (ARG_IS_VALID(kar, ARG_ARGV)) {
769 tok = au_to_exec_args(ar->ar_arg_argv,
773 if (ARG_IS_VALID(kar, ARG_ENVV)) {
774 tok = au_to_exec_env(ar->ar_arg_envv,
778 UPATH1_VNODE1_TOKENS;
782 if (ARG_IS_VALID(kar, ARG_MODE)) {
783 tok = au_to_arg32(2, "new file mode",
791 * XXXRW: Some of these need to handle non-vnode cases as well.
800 case AUE_GETDIRENTRIES:
801 case AUE_GETDIRENTRIESATTR:
811 if (ARG_IS_VALID(kar, ARG_UID)) {
812 tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid);
815 if (ARG_IS_VALID(kar, ARG_GID)) {
816 tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid);
823 if (ar->ar_arg_cmd == F_GETLK || ar->ar_arg_cmd == F_SETLK ||
824 ar->ar_arg_cmd == F_SETLKW) {
825 if (ARG_IS_VALID(kar, ARG_CMD)) {
826 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd);
834 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
835 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
842 if (ARG_IS_VALID(kar, ARG_CMD)) {
843 tok = au_to_arg32(2, "operation", ar->ar_arg_cmd);
850 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
851 tok = au_to_arg32(1, "flags", ar->ar_arg_fflags);
858 if (ARG_IS_VALID(kar, ARG_PID)) {
859 tok = au_to_arg32(0, "child PID", ar->ar_arg_pid);
865 if (ARG_IS_VALID(kar, ARG_CMD)) {
866 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd);
869 if (ARG_IS_VALID(kar, ARG_ADDR)) {
870 tok = au_to_arg32(1, "arg",
871 (u_int32_t)(uintptr_t)ar->ar_arg_addr);
874 if (ARG_IS_VALID(kar, ARG_VNODE1))
877 if (ARG_IS_VALID(kar, ARG_SOCKINFO)) {
878 tok = kau_to_socket(&ar->ar_arg_sockinfo);
881 if (ARG_IS_VALID(kar, ARG_FD)) {
882 tok = au_to_arg32(1, "fd",
892 if (ARG_IS_VALID(kar, ARG_SIGNUM)) {
893 tok = au_to_arg32(2, "signal", ar->ar_arg_signum);
896 PROCESS_PID_TOKENS(1);
900 if (ARG_IS_VALID(kar, ARG_CMD)) {
901 tok = au_to_arg32(2, "ops", ar->ar_arg_cmd);
904 if (ARG_IS_VALID(kar, ARG_VALUE)) {
905 tok = au_to_arg32(3, "trpoints", ar->ar_arg_value);
908 PROCESS_PID_TOKENS(4);
909 UPATH1_VNODE1_TOKENS;
914 UPATH1_VNODE1_TOKENS;
919 if (ARG_IS_VALID(kar, ARG_ADDR)) {
920 tok = au_to_arg32(4, "base addr",
921 (u_int32_t)(uintptr_t)ar->ar_arg_addr);
924 UPATH1_VNODE1_TOKENS;
928 if (ARG_IS_VALID(kar, ARG_MODE)) {
929 tok = au_to_arg32(2, "mode", ar->ar_arg_mode);
932 UPATH1_VNODE1_TOKENS;
936 if (ARG_IS_VALID(kar, ARG_MODE)) {
937 tok = au_to_arg32(2, "mode", ar->ar_arg_mode);
940 if (ARG_IS_VALID(kar, ARG_DEV)) {
941 tok = au_to_arg32(3, "dev", ar->ar_arg_dev);
944 UPATH1_VNODE1_TOKENS;
953 if (ARG_IS_VALID(kar, ARG_ADDR)) {
954 tok = au_to_arg32(1, "addr",
955 (u_int32_t)(uintptr_t)ar->ar_arg_addr);
958 if (ARG_IS_VALID(kar, ARG_LEN)) {
959 tok = au_to_arg32(2, "len", ar->ar_arg_len);
962 if (ar->ar_event == AUE_MMAP)
964 if (ar->ar_event == AUE_MPROTECT) {
965 if (ARG_IS_VALID(kar, ARG_VALUE)) {
966 tok = au_to_arg32(3, "protection",
971 if (ar->ar_event == AUE_MINHERIT) {
972 if (ARG_IS_VALID(kar, ARG_VALUE)) {
973 tok = au_to_arg32(3, "inherit",
982 /* XXX Need to handle NFS mounts */
983 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
984 tok = au_to_arg32(3, "flags", ar->ar_arg_fflags);
987 if (ARG_IS_VALID(kar, ARG_TEXT)) {
988 tok = au_to_text(ar->ar_arg_text);
994 UPATH1_VNODE1_TOKENS;
998 ar->ar_event = audit_msgctl_to_event(ar->ar_arg_svipc_cmd);
1003 tok = au_to_arg32(1, "msg ID", ar->ar_arg_svipc_id);
1004 kau_write(rec, tok);
1005 if (ar->ar_errno != EINVAL) {
1006 tok = au_to_ipc(AT_IPC_MSG, ar->ar_arg_svipc_id);
1007 kau_write(rec, tok);
1012 if (ar->ar_errno == 0) {
1013 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
1014 tok = au_to_ipc(AT_IPC_MSG,
1015 ar->ar_arg_svipc_id);
1016 kau_write(rec, tok);
1021 case AUE_RESETSHFILE:
1022 if (ARG_IS_VALID(kar, ARG_ADDR)) {
1023 tok = au_to_arg32(1, "base addr",
1024 (u_int32_t)(uintptr_t)ar->ar_arg_addr);
1025 kau_write(rec, tok);
1036 if (ARG_IS_VALID(kar, ARG_MODE)) {
1037 tok = au_to_arg32(3, "mode", ar->ar_arg_mode);
1038 kau_write(rec, tok);
1048 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
1049 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
1050 kau_write(rec, tok);
1052 UPATH1_VNODE1_TOKENS;
1056 if (ARG_IS_VALID(kar, ARG_CMD)) {
1057 tok = au_to_arg32(1, "request", ar->ar_arg_cmd);
1058 kau_write(rec, tok);
1060 if (ARG_IS_VALID(kar, ARG_ADDR)) {
1061 tok = au_to_arg32(3, "addr",
1062 (u_int32_t)(uintptr_t)ar->ar_arg_addr);
1063 kau_write(rec, tok);
1065 if (ARG_IS_VALID(kar, ARG_VALUE)) {
1066 tok = au_to_arg32(4, "data", ar->ar_arg_value);
1067 kau_write(rec, tok);
1069 PROCESS_PID_TOKENS(2);
1073 if (ARG_IS_VALID(kar, ARG_CMD)) {
1074 tok = au_to_arg32(2, "command", ar->ar_arg_cmd);
1075 kau_write(rec, tok);
1077 if (ARG_IS_VALID(kar, ARG_UID)) {
1078 tok = au_to_arg32(3, "uid", ar->ar_arg_uid);
1079 kau_write(rec, tok);
1081 UPATH1_VNODE1_TOKENS;
1085 if (ARG_IS_VALID(kar, ARG_CMD)) {
1086 tok = au_to_arg32(1, "howto", ar->ar_arg_cmd);
1087 kau_write(rec, tok);
1092 ar->ar_event = audit_semctl_to_event(ar->ar_arg_svipc_cmd);
1096 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
1097 tok = au_to_arg32(1, "sem ID", ar->ar_arg_svipc_id);
1098 kau_write(rec, tok);
1099 if (ar->ar_errno != EINVAL) {
1100 tok = au_to_ipc(AT_IPC_SEM,
1101 ar->ar_arg_svipc_id);
1102 kau_write(rec, tok);
1108 if (ar->ar_errno == 0) {
1109 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
1110 tok = au_to_ipc(AT_IPC_SEM,
1111 ar->ar_arg_svipc_id);
1112 kau_write(rec, tok);
1118 if (ARG_IS_VALID(kar, ARG_EGID)) {
1119 tok = au_to_arg32(1, "gid", ar->ar_arg_egid);
1120 kau_write(rec, tok);
1125 if (ARG_IS_VALID(kar, ARG_EUID)) {
1126 tok = au_to_arg32(1, "uid", ar->ar_arg_euid);
1127 kau_write(rec, tok);
1132 if (ARG_IS_VALID(kar, ARG_RGID)) {
1133 tok = au_to_arg32(1, "rgid", ar->ar_arg_rgid);
1134 kau_write(rec, tok);
1136 if (ARG_IS_VALID(kar, ARG_EGID)) {
1137 tok = au_to_arg32(2, "egid", ar->ar_arg_egid);
1138 kau_write(rec, tok);
1143 if (ARG_IS_VALID(kar, ARG_RUID)) {
1144 tok = au_to_arg32(1, "ruid", ar->ar_arg_ruid);
1145 kau_write(rec, tok);
1147 if (ARG_IS_VALID(kar, ARG_EUID)) {
1148 tok = au_to_arg32(2, "euid", ar->ar_arg_euid);
1149 kau_write(rec, tok);
1154 if (ARG_IS_VALID(kar, ARG_RGID)) {
1155 tok = au_to_arg32(1, "rgid", ar->ar_arg_rgid);
1156 kau_write(rec, tok);
1158 if (ARG_IS_VALID(kar, ARG_EGID)) {
1159 tok = au_to_arg32(2, "egid", ar->ar_arg_egid);
1160 kau_write(rec, tok);
1162 if (ARG_IS_VALID(kar, ARG_SGID)) {
1163 tok = au_to_arg32(3, "sgid", ar->ar_arg_sgid);
1164 kau_write(rec, tok);
1169 if (ARG_IS_VALID(kar, ARG_RUID)) {
1170 tok = au_to_arg32(1, "ruid", ar->ar_arg_ruid);
1171 kau_write(rec, tok);
1173 if (ARG_IS_VALID(kar, ARG_EUID)) {
1174 tok = au_to_arg32(2, "euid", ar->ar_arg_euid);
1175 kau_write(rec, tok);
1177 if (ARG_IS_VALID(kar, ARG_SUID)) {
1178 tok = au_to_arg32(3, "suid", ar->ar_arg_suid);
1179 kau_write(rec, tok);
1184 if (ARG_IS_VALID(kar, ARG_GID)) {
1185 tok = au_to_arg32(1, "gid", ar->ar_arg_gid);
1186 kau_write(rec, tok);
1191 if (ARG_IS_VALID(kar, ARG_UID)) {
1192 tok = au_to_arg32(1, "uid", ar->ar_arg_uid);
1193 kau_write(rec, tok);
1198 if (ARG_IS_VALID(kar, ARG_GROUPSET)) {
1199 for(ctr = 0; ctr < ar->ar_arg_groups.gidset_size; ctr++)
1201 tok = au_to_arg32(1, "setgroups",
1202 ar->ar_arg_groups.gidset[ctr]);
1203 kau_write(rec, tok);
1209 if (ARG_IS_VALID(kar, ARG_TEXT)) {
1210 tok = au_to_text(ar->ar_arg_text);
1211 kau_write(rec, tok);
1215 case AUE_SETPRIORITY:
1216 if (ARG_IS_VALID(kar, ARG_CMD)) {
1217 tok = au_to_arg32(1, "which", ar->ar_arg_cmd);
1218 kau_write(rec, tok);
1220 if (ARG_IS_VALID(kar, ARG_UID)) {
1221 tok = au_to_arg32(2, "who", ar->ar_arg_uid);
1222 kau_write(rec, tok);
1224 if (ARG_IS_VALID(kar, ARG_VALUE)) {
1225 tok = au_to_arg32(2, "priority", ar->ar_arg_value);
1226 kau_write(rec, tok);
1230 case AUE_SETPRIVEXEC:
1231 if (ARG_IS_VALID(kar, ARG_VALUE)) {
1232 tok = au_to_arg32(1, "flag", ar->ar_arg_value);
1233 kau_write(rec, tok);
1237 /* AUE_SHMAT, AUE_SHMCTL, AUE_SHMDT and AUE_SHMGET are SysV IPC */
1239 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
1240 tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id);
1241 kau_write(rec, tok);
1242 /* XXXAUDIT: Does having the ipc token make sense? */
1243 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id);
1244 kau_write(rec, tok);
1246 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) {
1247 tok = au_to_arg32(2, "shmaddr",
1248 (int)(uintptr_t)ar->ar_arg_svipc_addr);
1249 kau_write(rec, tok);
1251 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) {
1252 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm);
1253 kau_write(rec, tok);
1258 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
1259 tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id);
1260 kau_write(rec, tok);
1261 /* XXXAUDIT: Does having the ipc token make sense? */
1262 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id);
1263 kau_write(rec, tok);
1265 switch (ar->ar_arg_svipc_cmd) {
1267 ar->ar_event = AUE_SHMCTL_STAT;
1270 ar->ar_event = AUE_SHMCTL_RMID;
1273 ar->ar_event = AUE_SHMCTL_SET;
1274 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) {
1275 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm);
1276 kau_write(rec, tok);
1280 break; /* We will audit a bad command */
1285 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) {
1286 tok = au_to_arg32(1, "shmaddr",
1287 (int)(uintptr_t)ar->ar_arg_svipc_addr);
1288 kau_write(rec, tok);
1293 /* This is unusual; the return value is in an argument token */
1294 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
1295 tok = au_to_arg32(0, "shmid", ar->ar_arg_svipc_id);
1296 kau_write(rec, tok);
1297 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id);
1298 kau_write(rec, tok);
1300 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) {
1301 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm);
1302 kau_write(rec, tok);
1306 /* AUE_SHMOPEN, AUE_SHMUNLINK, AUE_SEMOPEN, AUE_SEMCLOSE
1307 * and AUE_SEMUNLINK are Posix IPC */
1309 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) {
1310 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
1311 kau_write(rec, tok);
1313 if (ARG_IS_VALID(kar, ARG_MODE)) {
1314 tok = au_to_arg32(3, "mode", ar->ar_arg_mode);
1315 kau_write(rec, tok);
1320 if (ARG_IS_VALID(kar, ARG_TEXT)) {
1321 tok = au_to_text(ar->ar_arg_text);
1322 kau_write(rec, tok);
1324 if (ARG_IS_VALID(kar, ARG_POSIX_IPC_PERM)) {
1325 struct ipc_perm perm;
1327 perm.uid = ar->ar_arg_pipc_perm.pipc_uid;
1328 perm.gid = ar->ar_arg_pipc_perm.pipc_gid;
1329 perm.cuid = ar->ar_arg_pipc_perm.pipc_uid;
1330 perm.cgid = ar->ar_arg_pipc_perm.pipc_gid;
1331 perm.mode = ar->ar_arg_pipc_perm.pipc_mode;
1334 tok = au_to_ipc_perm(&perm);
1335 kau_write(rec, tok);
1340 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
1341 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
1342 kau_write(rec, tok);
1344 if (ARG_IS_VALID(kar, ARG_MODE)) {
1345 tok = au_to_arg32(3, "mode", ar->ar_arg_mode);
1346 kau_write(rec, tok);
1348 if (ARG_IS_VALID(kar, ARG_VALUE)) {
1349 tok = au_to_arg32(4, "value", ar->ar_arg_value);
1350 kau_write(rec, tok);
1355 if (ARG_IS_VALID(kar, ARG_TEXT)) {
1356 tok = au_to_text(ar->ar_arg_text);
1357 kau_write(rec, tok);
1359 if (ARG_IS_VALID(kar, ARG_POSIX_IPC_PERM)) {
1360 struct ipc_perm perm;
1362 perm.uid = ar->ar_arg_pipc_perm.pipc_uid;
1363 perm.gid = ar->ar_arg_pipc_perm.pipc_gid;
1364 perm.cuid = ar->ar_arg_pipc_perm.pipc_uid;
1365 perm.cgid = ar->ar_arg_pipc_perm.pipc_gid;
1366 perm.mode = ar->ar_arg_pipc_perm.pipc_mode;
1369 tok = au_to_ipc_perm(&perm);
1370 kau_write(rec, tok);
1375 if (ARG_IS_VALID(kar, ARG_FD)) {
1376 tok = au_to_arg32(1, "sem", ar->ar_arg_fd);
1377 kau_write(rec, tok);
1382 if (ARG_IS_VALID(kar, ARG_TEXT)) {
1383 tok = au_to_text(ar->ar_arg_text);
1384 kau_write(rec, tok);
1386 UPATH1_VNODE1_TOKENS;
1390 case AUE_SYSCTL_NONADMIN:
1391 if (ARG_IS_VALID(kar, ARG_CTLNAME | ARG_LEN)) {
1392 for (ctr = 0; ctr < ar->ar_arg_len; ctr++) {
1393 tok = au_to_arg32(1, "name",
1394 ar->ar_arg_ctlname[ctr]);
1395 kau_write(rec, tok);
1398 if (ARG_IS_VALID(kar, ARG_VALUE)) {
1399 tok = au_to_arg32(5, "newval", ar->ar_arg_value);
1400 kau_write(rec, tok);
1402 if (ARG_IS_VALID(kar, ARG_TEXT)) {
1403 tok = au_to_text(ar->ar_arg_text);
1404 kau_write(rec, tok);
1409 if (ARG_IS_VALID(kar, ARG_MASK)) {
1410 tok = au_to_arg32(1, "new mask", ar->ar_arg_mask);
1411 kau_write(rec, tok);
1413 tok = au_to_arg32(0, "prev mask", ar->ar_retval);
1414 kau_write(rec, tok);
1418 if (ARG_IS_VALID(kar, ARG_PID)) {
1419 tok = au_to_arg32(0, "pid", ar->ar_arg_pid);
1420 kau_write(rec, tok);
1426 printf("BSM conversion requested for unknown event %d\n",
1430 * Write the subject token so it is properly freed here.
1432 kau_write(rec, subj_tok);
1434 return (BSM_NOAUDIT);
1437 kau_write(rec, subj_tok);
1438 tok = au_to_return32((char)ar->ar_errno, ar->ar_retval);
1439 kau_write(rec, tok); /* Every record gets a return token */
1441 kau_close(rec, &ar->ar_endtime, ar->ar_event);
1444 return (BSM_SUCCESS);
1448 * Verify that a record is a valid BSM record. This verification is simple
1449 * now, but may be expanded on sometime in the future. Return 1 if the
1450 * record is good, 0 otherwise.
1453 bsm_rec_verify(void *rec)
1455 char c = *(char *)rec;
1458 * Check the token ID of the first token; it has to be a header
1461 * XXXAUDIT There needs to be a token structure to map a token.
1462 * XXXAUDIT 'Shouldn't be simply looking at the first char.
1464 if ((c != AUT_HEADER32) && (c != AUT_HEADER32_EX) &&
1465 (c != AUT_HEADER64) && (c != AUT_HEADER64_EX))