]> git.saurik.com Git - apple/xnu.git/blame - bsd/kern/kern_bsm_klib.c
projects / apple / xnu.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
xnu-792.6.61.tar.gz
[apple/xnu.git] / bsd / kern / kern_bsm_klib.c
CommitLineData
55e303ae 1/*
e5568f75 2 * Copyright (c) 2004 Apple Computer, Inc. All rights reserved.
55e303ae
A		 3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
37839358
A		 6 * The contents of this file constitute Original Code as defined in and
7 * are subject to the Apple Public Source License Version 1.1 (the
8 * "License"). You may not use this file except in compliance with the
9 * License. Please obtain a copy of the License at
10 * http://www.apple.com/publicsource and read it before using this file.
55e303ae 11 *
37839358
A		 12 * This Original Code and all software distributed under the License are
13 * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
55e303ae
A		 14 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
15 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
37839358
A		 16 * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. Please see the
17 * License for the specific language governing rights and limitations
18 * under the License.
55e303ae
A		 19 *
20 * @APPLE_LICENSE_HEADER_END@
21 */
22
91447636 23#include <sys/systm.h>
55e303ae 24#include <sys/types.h>
91447636
A		 25#include <sys/proc_internal.h>
26#include <sys/vnode_internal.h>
55e303ae
A		 27#include <sys/fcntl.h>
28#include <sys/filedesc.h>
29#include <sys/sem.h>
e5568f75
A		 30
31#include <bsm/audit.h>
32#include <bsm/audit_kernel.h>
33#include <bsm/audit_kevents.h>
34#include <bsm/audit_klib.h>
55e303ae
A		 35
36/*
37 * Initialize the system call to audit event mapping table. This table
38 * must be kept in sync with the system call table. This table is meant to
39 * be directly accessed.
40 * XXX This should be improved, though, to make it independent of the syscall
41 * table (but we don't want to traverse a large table for every system call
42 * to find a match). Ultimately, it would be best to place the audit event
43 * number in the system call table.
44 */
45au_event_t sys_au_event[] = {
46 AUE_NULL, /* 0 = indir */
47 AUE_EXIT, /* 1 = exit */
e5568f75 48 AUE_FORK, /* 2 = fork */
55e303ae
A		 49 AUE_NULL, /* 3 = read */
50 AUE_NULL, /* 4 = write */
e5568f75
A		 51 AUE_OPEN_RWTC, /* 5 = open */
52 AUE_CLOSE, /* 6 = close */
55e303ae 53 AUE_NULL, /* 7 = wait4 */
e5568f75 54 AUE_O_CREAT, /* 8 = old creat */
55e303ae
A		 55 AUE_LINK, /* 9 = link */
56 AUE_UNLINK, /* 10 = unlink */
57 AUE_NULL, /* 11 was obsolete execv */
58 AUE_CHDIR, /* 12 = chdir */
59 AUE_FCHDIR, /* 13 = fchdir */
60 AUE_MKNOD, /* 14 = mknod */
61 AUE_CHMOD, /* 15 = chmod */
62 AUE_CHOWN, /* 16 = chown; now 3 args */
63 AUE_NULL, /* 17 = old break */
64#if COMPAT_GETFSSTAT
55e303ae 65 AUE_GETFSSTAT, /* 18 = getfsstat */
e5568f75
A		 66#else
67 AUE_NULL, /* 18 = ogetfsstat */
55e303ae
A		 68#endif
69 AUE_NULL, /* 19 = old lseek */
70 AUE_NULL, /* 20 = getpid */
71 AUE_NULL, /* 21 was obsolete mount */
72 AUE_NULL, /* 22 was obsolete umount */
73 AUE_SETUID, /* 23 = setuid */
74 AUE_NULL, /* 24 = getuid */
75 AUE_NULL, /* 25 = geteuid */
e5568f75 76 AUE_PTRACE, /* 26 = ptrace */
55e303ae
A		 77 AUE_RECVMSG, /* 27 = recvmsg */
78 AUE_SENDMSG, /* 28 = sendmsg */
79 AUE_RECVFROM, /* 29 = recvfrom */
80 AUE_ACCEPT, /* 30 = accept */
81 AUE_NULL, /* 31 = getpeername */
82 AUE_NULL, /* 32 = getsockname */
83 AUE_ACCESS, /* 33 = access */
84 AUE_CHFLAGS, /* 34 = chflags */
85 AUE_FCHFLAGS, /* 35 = fchflags */
86 AUE_NULL, /* 36 = sync */
e5568f75
A		 87 AUE_KILL, /* 37 = kill */
88 AUE_O_STAT, /* 38 = old stat */
55e303ae 89 AUE_NULL, /* 39 = getppid */
e5568f75 90 AUE_O_LSTAT, /* 40 = old lstat */
55e303ae
A		 91 AUE_NULL, /* 41 = dup */
92 AUE_PIPE, /* 42 = pipe */
93 AUE_NULL, /* 43 = getegid */
94 AUE_NULL, /* 44 = profil */
e5568f75 95 AUE_KTRACE, /* 45 = ktrace */
55e303ae
A		 96 AUE_NULL, /* 46 = sigaction */
97 AUE_NULL, /* 47 = getgid */
98 AUE_NULL, /* 48 = sigprocmask */
99 AUE_NULL, /* 49 = getlogin */
e5568f75
A		 100 AUE_SETLOGIN, /* 50 = setlogin */
101 AUE_ACCT, /* 51 = turn acct off/on */
55e303ae
A		 102 AUE_NULL, /* 52 = sigpending */
103 AUE_NULL, /* 53 = sigaltstack */
e5568f75
A		 104 AUE_IOCTL, /* 54 = ioctl */
105 AUE_REBOOT, /* 55 = reboot */
55e303ae
A		 106 AUE_REVOKE, /* 56 = revoke */
107 AUE_SYMLINK, /* 57 = symlink */
108 AUE_READLINK, /* 58 = readlink */
109 AUE_EXECVE, /* 59 = execve */
110 AUE_UMASK, /* 60 = umask */
111 AUE_CHROOT, /* 61 = chroot */
e5568f75 112 AUE_O_FSTAT, /* 62 = old fstat */
55e303ae
A		 113 AUE_NULL, /* 63 = used internally, reserved */
114 AUE_NULL, /* 64 = old getpagesize */
115 AUE_NULL, /* 65 = msync */
e5568f75 116 AUE_VFORK, /* 66 = vfork */
55e303ae
A		 117 AUE_NULL, /* 67 was obsolete vread */
118 AUE_NULL, /* 68 was obsolete vwrite */
119 AUE_NULL, /* 69 = sbrk */
120 AUE_NULL, /* 70 = sstk */
e5568f75 121 AUE_O_MMAP, /* 71 = old mmap */
55e303ae 122 AUE_NULL, /* 72 = old vadvise */
e5568f75
A		 123 AUE_MUNMAP, /* 73 = munmap */
124 AUE_MPROTECT, /* 74 = mprotect */
55e303ae
A		 125 AUE_NULL, /* 75 = madvise */
126 AUE_NULL, /* 76 was obsolete vhangup */
127 AUE_NULL, /* 77 was obsolete vlimit */
128 AUE_NULL, /* 78 = mincore */
129 AUE_NULL, /* 79 = getgroups */
130 AUE_SETGROUPS, /* 80 = setgroups */
131 AUE_NULL, /* 81 = getpgrp */
132 AUE_SETPGRP, /* 82 = setpgid */
133 AUE_NULL, /* 83 = setitimer */
134 AUE_NULL, /* 84 = old wait */
135 AUE_NULL, /* 85 = swapon */
136 AUE_NULL, /* 86 = getitimer */
137 AUE_NULL, /* 87 = old gethostname */
e5568f75 138 AUE_O_SETHOSTNAME, /* 88 = old sethostname */
55e303ae
A		 139 AUE_NULL, /* 89 getdtablesize */
140 AUE_NULL, /* 90 = dup2 */
141 AUE_NULL, /* 91 was obsolete getdopt */
142 AUE_FCNTL, /* 92 = fcntl */
143 AUE_NULL, /* 93 = select */
144 AUE_NULL, /* 94 was obsolete setdopt */
145 AUE_NULL, /* 95 = fsync */
e5568f75 146 AUE_SETPRIORITY, /* 96 = setpriority */
55e303ae
A		 147 AUE_SOCKET, /* 97 = socket */
148 AUE_CONNECT, /* 98 = connect */
149 AUE_NULL, /* 99 = accept */
150 AUE_NULL, /* 100 = getpriority */
e5568f75
A		 151 AUE_O_SEND, /* 101 = old send */
152 AUE_O_RECV, /* 102 = old recv */
55e303ae
A		 153 AUE_NULL, /* 103 = sigreturn */
154 AUE_BIND, /* 104 = bind */
155 AUE_SETSOCKOPT, /* 105 = setsockopt */
156 AUE_NULL, /* 106 = listen */
157 AUE_NULL, /* 107 was vtimes */
158 AUE_NULL, /* 108 = sigvec */
159 AUE_NULL, /* 109 = sigblock */
160 AUE_NULL, /* 110 = sigsetmask */
161 AUE_NULL, /* 111 = sigpause */
162 AUE_NULL, /* 112 = sigstack */
e5568f75
A		 163 AUE_O_RECVMSG, /* 113 = recvmsg */
164 AUE_O_SENDMSG, /* 114 = sendmsg */
55e303ae
A		 165 AUE_NULL, /* 115 = old vtrace */
166 AUE_NULL, /* 116 = gettimeofday */
167 AUE_NULL, /* 117 = getrusage */
168 AUE_NULL, /* 118 = getsockopt */
169 AUE_NULL, /* 119 = old resuba */
170 AUE_NULL, /* 120 = readv */
171 AUE_NULL, /* 121 = writev */
e5568f75 172 AUE_SETTIMEOFDAY, /* 122 = settimeofday */
55e303ae
A		 173 AUE_FCHOWN, /* 123 = fchown */
174 AUE_FCHMOD, /* 124 = fchmod */
e5568f75 175 AUE_O_RECVFROM, /* 125 = recvfrom */
55e303ae
A		 176 AUE_NULL, /* 126 = setreuid */
177 AUE_NULL, /* 127 = setregid */
178 AUE_RENAME, /* 128 = rename */
e5568f75
A		 179 AUE_O_TRUNCATE, /* 129 = old truncate */
180 AUE_O_FTRUNCATE, /* 130 = old ftruncate */
55e303ae
A		 181 AUE_FLOCK, /* 131 = flock */
182 AUE_MKFIFO, /* 132 = mkfifo */
183 AUE_SENDTO, /* 133 = sendto */
184 AUE_SHUTDOWN, /* 134 = shutdown */
185 AUE_SOCKETPAIR, /* 135 = socketpair */
186 AUE_MKDIR, /* 136 = mkdir */
187 AUE_RMDIR, /* 137 = rmdir */
188 AUE_UTIMES, /* 138 = utimes */
189 AUE_FUTIMES, /* 139 = futimes */
190 AUE_ADJTIME, /* 140 = adjtime */
191 AUE_NULL, /* 141 = getpeername */
192 AUE_NULL, /* 142 = old gethostid */
193 AUE_NULL, /* 143 = old sethostid */
194 AUE_NULL, /* 144 = old getrlimit */
e5568f75
A		 195 AUE_O_SETRLIMIT, /* 145 = old setrlimit */
196 AUE_O_KILLPG, /* 146 = old killpg */
197 AUE_SETSID, /* 147 = setsid */
55e303ae
A		 198 AUE_NULL, /* 148 was setquota */
199 AUE_NULL, /* 149 was qquota */
200 AUE_NULL, /* 150 = getsockname */
201 AUE_NULL, /* 151 = getpgid */
e5568f75 202 AUE_SETPRIVEXEC, /* 152 = setprivexec */
55e303ae
A		 203 AUE_NULL, /* 153 = pread */
204 AUE_NULL, /* 154 = pwrite */
ccc36f2f 205 AUE_NFSSVC, /* 155 = nfs_svc */
e5568f75 206 AUE_O_GETDIRENTRIES, /* 156 = old getdirentries */
55e303ae
A		 207 AUE_STATFS, /* 157 = statfs */
208 AUE_FSTATFS, /* 158 = fstatfs */
ccc36f2f 209 AUE_UNMOUNT, /* 159 = unmount */
55e303ae
A		 210 AUE_NULL, /* 160 was async_daemon */
211 AUE_GETFH, /* 161 = get file handle */
212 AUE_NULL, /* 162 = getdomainname */
e5568f75 213 AUE_O_SETDOMAINNAME, /* 163 = setdomainname */
55e303ae
A		 214 AUE_NULL, /* 164 */
215#if QUOTA
216 AUE_QUOTACTL, /* 165 = quotactl */
217#else /* QUOTA */
218 AUE_NULL, /* 165 = not configured */
219#endif /* QUOTA */
220 AUE_NULL, /* 166 was exportfs */
221 AUE_MOUNT, /* 167 = mount */
222 AUE_NULL, /* 168 was ustat */
223 AUE_NULL, /* 169 = nosys */
224 AUE_NULL, /* 170 was table */
225 AUE_NULL, /* 171 = old wait3 */
226 AUE_NULL, /* 172 was rpause */
227 AUE_NULL, /* 173 = nosys */
228 AUE_NULL, /* 174 was getdents */
229 AUE_NULL, /* 175 was gc_control */
230 AUE_NULL, /* 176 = add_profil */
231 AUE_NULL, /* 177 */
232 AUE_NULL, /* 178 */
233 AUE_NULL, /* 179 */
234 AUE_NULL, /* 180 */
235 AUE_SETGID, /* 181 */
236 AUE_SETEGID, /* 182 */
237 AUE_SETEUID, /* 183 */
238 AUE_NULL, /* 184 = nosys */
239 AUE_NULL, /* 185 = nosys */
240 AUE_NULL, /* 186 = nosys */
241 AUE_NULL, /* 187 = nosys */
242 AUE_STAT, /* 188 = stat */
243 AUE_FSTAT, /* 189 = fstat */
244 AUE_LSTAT, /* 190 = lstat */
245 AUE_PATHCONF, /* 191 = pathconf */
246 AUE_FPATHCONF, /* 192 = fpathconf */
55e303ae
A		 247#if COMPAT_GETFSSTAT
248 AUE_GETFSSTAT, /* 193 = getfsstat */
249#else
250 AUE_NULL, /* 193 is unused */
251#endif
252 AUE_NULL, /* 194 = getrlimit */
253 AUE_SETRLIMIT, /* 195 = setrlimit */
254 AUE_GETDIRENTRIES, /* 196 = getdirentries */
e5568f75 255 AUE_MMAP, /* 197 = mmap */
55e303ae
A		 256 AUE_NULL, /* 198 = __syscall */
257 AUE_NULL, /* 199 = lseek */
258 AUE_TRUNCATE, /* 200 = truncate */
259 AUE_FTRUNCATE, /* 201 = ftruncate */
e5568f75
A		 260 AUE_SYSCTL, /* 202 = __sysctl */
261 AUE_MLOCK, /* 203 = mlock */
262 AUE_MUNLOCK, /* 204 = munlock */
55e303ae
A		 263 AUE_UNDELETE, /* 205 = undelete */
264 AUE_NULL, /* 206 = ATsocket */
265 AUE_NULL, /* 207 = ATgetmsg*/
266 AUE_NULL, /* 208 = ATputmsg*/
267 AUE_NULL, /* 209 = ATPsndreq*/
268 AUE_NULL, /* 210 = ATPsndrsp*/
269 AUE_NULL, /* 211 = ATPgetreq*/
270 AUE_NULL, /* 212 = ATPgetrsp*/
271 AUE_NULL, /* 213 = Reserved for AppleTalk */
272 AUE_NULL, /* 214 = Reserved for AppleTalk */
273 AUE_NULL, /* 215 = Reserved for AppleTalk */
274
275 AUE_NULL, /* 216 = HFS make complex file call (multipel forks */
276 AUE_NULL, /* 217 = HFS statv extended stat call for HFS */
277 AUE_NULL, /* 218 = HFS lstatv extended lstat call for HFS */
278 AUE_NULL, /* 219 = HFS fstatv extended fstat call for HFS */
279 AUE_GETATTRLIST,/* 220 = HFS getarrtlist get attribute list cal */
280 AUE_SETATTRLIST,/* 221 = HFS setattrlist set attribute list */
281 AUE_GETDIRENTRIESATTR,/* 222 = HFS getdirentriesattr get directory attributes */
282 AUE_EXCHANGEDATA,/* 223 = HFS exchangedata exchange file contents */
ccc36f2f 283 AUE_CHECKUSERACCESS,/* 224 = HFS checkuseraccess check access to file */
55e303ae 284 AUE_SEARCHFS, /* 225 = HFS searchfs to implement catalog searching */
ccc36f2f 285 AUE_DELETE, /* 226 = private delete (Carbon semantics) */
55e303ae
A		 286 AUE_NULL, /* 227 = copyfile - orignally for AFP */
287 AUE_NULL, /* 228 */
288 AUE_NULL, /* 229 */
289 AUE_NULL, /* 230 */
290 AUE_NULL, /* 231 */
291 AUE_NULL, /* 232 */
292 AUE_NULL, /* 233 */
293 AUE_NULL, /* 234 */
294 AUE_NULL, /* 235 */
295 AUE_NULL, /* 236 */
296 AUE_NULL, /* 237 */
297 AUE_NULL, /* 238 */
298 AUE_NULL, /* 239 */
299 AUE_NULL, /* 240 */
300 AUE_NULL, /* 241 */
301 AUE_NULL, /* 242 = fsctl */
302 AUE_NULL, /* 243 */
303 AUE_NULL, /* 244 */
304 AUE_NULL, /* 245 */
305 AUE_NULL, /* 246 */
306 AUE_NULL, /* 247 = nfsclnt*/
307 AUE_NULL, /* 248 = fhopen */
308 AUE_NULL, /* 249 */
e5568f75 309 AUE_MINHERIT, /* 250 = minherit */
55e303ae
A		 310 AUE_NULL, /* 251 = semsys */
311 AUE_NULL, /* 252 = msgsys */
312 AUE_NULL, /* 253 = shmsys */
313 AUE_SEMCTL, /* 254 = semctl */
314 AUE_SEMGET, /* 255 = semget */
315 AUE_SEMOP, /* 256 = semop */
37839358 316 AUE_NULL, /* 257 = */
55e303ae
A		 317 AUE_MSGCTL, /* 258 = msgctl */
318 AUE_MSGGET, /* 259 = msgget */
319 AUE_MSGSND, /* 260 = msgsnd */
320 AUE_MSGRCV, /* 261 = msgrcv */
321 AUE_SHMAT, /* 262 = shmat */
322 AUE_SHMCTL, /* 263 = shmctl */
323 AUE_SHMDT, /* 264 = shmdt */
324 AUE_SHMGET, /* 265 = shmget */
e5568f75
A		 325 AUE_SHMOPEN, /* 266 = shm_open */
326 AUE_SHMUNLINK, /* 267 = shm_unlink */
327 AUE_SEMOPEN, /* 268 = sem_open */
328 AUE_SEMCLOSE, /* 269 = sem_close */
329 AUE_SEMUNLINK, /* 270 = sem_unlink */
55e303ae
A		 330 AUE_NULL, /* 271 = sem_wait */
331 AUE_NULL, /* 272 = sem_trywait */
332 AUE_NULL, /* 273 = sem_post */
333 AUE_NULL, /* 274 = sem_getvalue */
334 AUE_NULL, /* 275 = sem_init */
335 AUE_NULL, /* 276 = sem_destroy */
336 AUE_NULL, /* 277 */
337 AUE_NULL, /* 278 */
338 AUE_NULL, /* 279 */
339 AUE_NULL, /* 280 */
340 AUE_NULL, /* 281 */
341 AUE_NULL, /* 282 */
342 AUE_NULL, /* 283 */
343 AUE_NULL, /* 284 */
344 AUE_NULL, /* 285 */
345 AUE_NULL, /* 286 */
346 AUE_NULL, /* 287 */
347 AUE_NULL, /* 288 */
348 AUE_NULL, /* 289 */
349 AUE_NULL, /* 290 */
350 AUE_NULL, /* 291 */
351 AUE_NULL, /* 292 */
352 AUE_NULL, /* 293 */
353 AUE_NULL, /* 294 */
354 AUE_NULL, /* 295 */
e5568f75
A		 355 AUE_LOADSHFILE, /* 296 = load_shared_file */
356 AUE_RESETSHFILE, /* 297 = reset_shared_file */
91447636 357 AUE_NEWSYSTEMSHREG, /* 298 = new_system_shared_regions */
55e303ae
A		 358 AUE_NULL, /* 299 */
359 AUE_NULL, /* 300 */
360 AUE_NULL, /* 301 */
361 AUE_NULL, /* 302 */
362 AUE_NULL, /* 303 */
363 AUE_NULL, /* 304 */
364 AUE_NULL, /* 305 */
365 AUE_NULL, /* 306 */
366 AUE_NULL, /* 307 */
367 AUE_NULL, /* 308 */
368 AUE_NULL, /* 309 */
369 AUE_NULL, /* 310 = getsid */
370 AUE_NULL, /* 311 */
371 AUE_NULL, /* 312 */
372 AUE_NULL, /* 313 */
373 AUE_NULL, /* 314 */
374 AUE_NULL, /* 315 */
375 AUE_NULL, /* 316 */
376 AUE_NULL, /* 317 */
377 AUE_NULL, /* 318 */
378 AUE_NULL, /* 319 */
379 AUE_NULL, /* 320 */
380 AUE_NULL, /* 321 */
381 AUE_NULL, /* 322 */
382 AUE_NULL, /* 323 */
383 AUE_NULL, /* 324 = mlockall*/
384 AUE_NULL, /* 325 = munlockall*/
385 AUE_NULL, /* 326 */
386 AUE_NULL, /* 327 = issetugid */
387 AUE_NULL, /* 328 */
388 AUE_NULL, /* 329 */
389 AUE_NULL, /* 330 */
390 AUE_NULL, /* 331 */
391 AUE_NULL, /* 332 */
392 AUE_NULL, /* 333 */
393 AUE_NULL, /* 334 */
394 AUE_NULL, /* 335 = utrace */
395 AUE_NULL, /* 336 */
396 AUE_NULL, /* 337 */
397 AUE_NULL, /* 338 */
398 AUE_NULL, /* 339 */
399 AUE_NULL, /* 340 */
400 AUE_NULL, /* 341 */
401 AUE_NULL, /* 342 */
402 AUE_NULL, /* 343 */
403 AUE_NULL, /* 344 */
404 AUE_NULL, /* 345 */
405 AUE_NULL, /* 346 */
406 AUE_NULL, /* 347 */
407 AUE_NULL, /* 348 */
408 AUE_NULL, /* 349 */
409 AUE_AUDIT, /* 350 */
e5568f75 410 AUE_AUDITON, /* 351 */
55e303ae
A		 411 AUE_NULL, /* 352 */
412 AUE_GETAUID, /* 353 */
413 AUE_SETAUID, /* 354 */
e5568f75
A		 414 AUE_GETAUDIT, /* 355 */
415 AUE_SETAUDIT, /* 356 */
416 AUE_GETAUDIT_ADDR, /* 357 */
417 AUE_SETAUDIT_ADDR, /* 358 */
418 AUE_AUDITCTL, /* 359 */
55e303ae
A		 419 AUE_NULL, /* 360 */
420 AUE_NULL, /* 361 */
421 AUE_NULL, /* 362 = kqueue */
422 AUE_NULL, /* 363 = kevent */
91447636 423 AUE_LCHOWN, /* 364 = lchown */
55e303ae
A		 424 AUE_NULL, /* 365 */
425 AUE_NULL, /* 366 */
426 AUE_NULL, /* 367 */
427 AUE_NULL, /* 368 */
428 AUE_NULL /* 369 */
429};
430int nsys_au_event = sizeof(sys_au_event) / sizeof(sys_au_event[0]);
431
e5568f75
A		 432/*
433 * Hash table functions for the audit event number to event class mask mapping.
434 */
435
436#define EVCLASSMAP_HASH_TABLE_SIZE 251
437struct evclass_elem {
438 au_event_t event;
439 au_class_t class;
440 LIST_ENTRY(evclass_elem) entry;
441};
442struct evclass_list {
443 LIST_HEAD(, evclass_elem) head;
444};
445
446struct evclass_list evclass_hash[EVCLASSMAP_HASH_TABLE_SIZE];
447
448au_class_t au_event_class(au_event_t event)
449{
450
451 struct evclass_list *evcl;
452 struct evclass_elem *evc;
453
454 evcl = &evclass_hash[event % EVCLASSMAP_HASH_TABLE_SIZE];
455
456 /* If an entry at our hash location matches the event, just return */
457 LIST_FOREACH(evc, &evcl->head, entry) {
458 if (evc->event == event)
459 return (evc->class);
460 }
461 return (AU_NULL);
462}
463
91447636 464 /*
e5568f75
A		 465 * Insert a event to class mapping. If the event already exists in the
466 * mapping, then replace the mapping with the new one.
467 * XXX There is currently no constraints placed on the number of mappings.
468 * May want to either limit to a number, or in terms of memory usage.
91447636 469 */
e5568f75
A		 470void au_evclassmap_insert(au_event_t event, au_class_t class)
471{
472 struct evclass_list *evcl;
473 struct evclass_elem *evc;
474
475 evcl = &evclass_hash[event % EVCLASSMAP_HASH_TABLE_SIZE];
476
477 LIST_FOREACH(evc, &evcl->head, entry) {
478 if (evc->event == event) {
479 evc->class = class;
480 return;
481 }
482 }
91447636 483 kmem_alloc(kernel_map, (vm_offset_t *)&evc, sizeof(*evc));
e5568f75
A		 484 if (evc == NULL) {
485 return;
486 }
487 evc->event = event;
488 evc->class = class;
489 LIST_INSERT_HEAD(&evcl->head, evc, entry);
e5568f75
A		 490}
491
492void au_evclassmap_init()
493{
494 int i;
495 for (i = 0; i < EVCLASSMAP_HASH_TABLE_SIZE; i++) {
496 LIST_INIT(&evclass_hash[i].head);
497 }
498
499 /* Set up the initial event to class mapping for system calls. */
500 for (i = 0; i < nsys_au_event; i++) {
501 if (sys_au_event[i] != AUE_NULL) {
502 au_evclassmap_insert(sys_au_event[i], AU_NULL);
91447636 503 }
e5568f75
A		 504 }
505 /* Add the Mach system call events */
506 au_evclassmap_insert(AUE_TASKFORPID, AU_NULL);
507 au_evclassmap_insert(AUE_PIDFORTASK, AU_NULL);
508 au_evclassmap_insert(AUE_SWAPON, AU_NULL);
509 au_evclassmap_insert(AUE_SWAPOFF, AU_NULL);
510 au_evclassmap_insert(AUE_MAPFD, AU_NULL);
511 au_evclassmap_insert(AUE_INITPROCESS, AU_NULL);
91447636 512
e5568f75
A		 513 /* Add the specific open events to the mapping. */
514 au_evclassmap_insert(AUE_OPEN_R, AU_FREAD);
91447636
A		 515 au_evclassmap_insert(AUE_OPEN_RC, AU_FREAD|AU_FCREATE);
516 au_evclassmap_insert(AUE_OPEN_RTC, AU_FREAD|AU_FCREATE|AU_FDELETE);
517 au_evclassmap_insert(AUE_OPEN_RT, AU_FREAD|AU_FDELETE);
518 au_evclassmap_insert(AUE_OPEN_RW, AU_FREAD|AU_FWRITE);
519 au_evclassmap_insert(AUE_OPEN_RWC, AU_FREAD|AU_FWRITE|AU_FCREATE);
520 au_evclassmap_insert(AUE_OPEN_RWTC, AU_FREAD|AU_FWRITE|AU_FCREATE|AU_FDELETE);
521 au_evclassmap_insert(AUE_OPEN_RWT, AU_FREAD|AU_FWRITE|AU_FDELETE);
522 au_evclassmap_insert(AUE_OPEN_W, AU_FWRITE);
523 au_evclassmap_insert(AUE_OPEN_WC, AU_FWRITE|AU_FCREATE);
524 au_evclassmap_insert(AUE_OPEN_WTC, AU_FWRITE|AU_FCREATE|AU_FDELETE);
525 au_evclassmap_insert(AUE_OPEN_WT, AU_FWRITE|AU_FDELETE);
e5568f75
A		 526}
527
91447636 528 /*
55e303ae 529 * Check whether an event is aditable by comparing the mask of classes this
e5568f75 530 * event is part of against the given mask.
91447636 531 */
55e303ae
A		 532int au_preselect(au_event_t event, au_mask_t *mask_p, int sorf)
533{
55e303ae 534 au_class_t effmask = 0;
e5568f75 535 au_class_t ae_class;
55e303ae
A		 536
537 if(mask_p == NULL)
538 return (-1);
539
e5568f75 540 ae_class = au_event_class(event);
91447636 541 /*
55e303ae
A		 542 * Perform the actual check of the masks against the event.
543 */
91447636 544 if(sorf & AU_PRS_SUCCESS) {
55e303ae
A		 545 effmask |= (mask_p->am_success & ae_class);
546 }
547
548 if(sorf & AU_PRS_FAILURE) {
549 effmask |= (mask_p->am_failure & ae_class);
550 }
551
552 if(effmask)
553 return (1);
554 else
555 return (0);
556}
557
e5568f75
A		 558/*
559 * Convert sysctl names and present arguments to events
560 */
561au_event_t ctlname_to_sysctlevent(int name[], uint64_t valid_arg) {
562
563 /* can't parse it - so return the worst case */
564 if ((valid_arg & (ARG_CTLNAME | ARG_LEN)) !=
565 (ARG_CTLNAME | ARG_LEN))
566 return AUE_SYSCTL;
567
568 switch (name[0]) {
569 /* non-admin "lookups" treat them special */
570 case KERN_OSTYPE:
571 case KERN_OSRELEASE:
572 case KERN_OSREV:
573 case KERN_VERSION:
574 case KERN_ARGMAX:
575 case KERN_CLOCKRATE:
576 case KERN_BOOTTIME:
577 case KERN_POSIX1:
578 case KERN_NGROUPS:
579 case KERN_JOB_CONTROL:
580 case KERN_SAVED_IDS:
581 case KERN_NETBOOT:
582 case KERN_SYMFILE:
91447636 583 case KERN_SHREG_PRIVATIZABLE:
e5568f75
A		 584 return AUE_SYSCTL_NONADMIN;
585
586 /* only treat the sets as admin */
587 case KERN_MAXVNODES:
588 case KERN_MAXPROC:
589 case KERN_MAXFILES:
590 case KERN_MAXPROCPERUID:
591 case KERN_MAXFILESPERPROC:
592 case KERN_HOSTID:
593 case KERN_AIOMAX:
594 case KERN_AIOPROCMAX:
595 case KERN_AIOTHREADS:
596 case KERN_COREDUMP:
597 case KERN_SUGID_COREDUMP:
598 return (valid_arg & ARG_VALUE) ?
599 AUE_SYSCTL : AUE_SYSCTL_NONADMIN;
600
601 default:
602 return AUE_SYSCTL;
603 }
604 /* NOTREACHED */
605}
606
55e303ae
A		 607/*
608 * Convert an open flags specifier into a specific type of open event for
609 * auditing purposes.
610 */
e5568f75
A		 611au_event_t flags_and_error_to_openevent(int oflags, int error) {
612 au_event_t aevent;
55e303ae
A		 613
614 /* Need to check only those flags we care about. */
615 oflags = oflags & (O_RDONLY | O_CREAT | O_TRUNC | O_RDWR | O_WRONLY);
616
617 /* These checks determine what flags are on with the condition
618 * that ONLY that combination is on, and no other flags are on.
619 */
e5568f75
A		 620 switch (oflags) {
621 case O_RDONLY:
622 aevent = AUE_OPEN_R;
623 break;
624 case (O_RDONLY | O_CREAT):
625 aevent = AUE_OPEN_RC;
626 break;
627 case (O_RDONLY | O_CREAT | O_TRUNC):
628 aevent = AUE_OPEN_RTC;
629 break;
630 case (O_RDONLY | O_TRUNC):
631 aevent = AUE_OPEN_RT;
632 break;
633 case O_RDWR:
634 aevent = AUE_OPEN_RW;
635 break;
636 case (O_RDWR | O_CREAT):
637 aevent = AUE_OPEN_RWC;
638 break;
639 case (O_RDWR | O_CREAT | O_TRUNC):
640 aevent = AUE_OPEN_RWTC;
641 break;
642 case (O_RDWR | O_TRUNC):
643 aevent = AUE_OPEN_RWT;
644 break;
645 case O_WRONLY:
646 aevent = AUE_OPEN_W;
647 break;
648 case (O_WRONLY | O_CREAT):
649 aevent = AUE_OPEN_WC;
650 break;
651 case (O_WRONLY | O_CREAT | O_TRUNC):
652 aevent = AUE_OPEN_WTC;
653 break;
654 case (O_WRONLY | O_TRUNC):
655 aevent = AUE_OPEN_WT;
656 break;
657 default:
658 aevent = AUE_OPEN;
659 break;
91447636 660}
55e303ae 661
91447636 662/*
e5568f75
A		 663 * Convert chatty errors to better matching events.
664 * Failures to find a file are really just attribute
665 * events - so recast them as such.
91447636 666*/
e5568f75
A		 667 switch (aevent) {
668 case AUE_OPEN_R:
669 case AUE_OPEN_RT:
670 case AUE_OPEN_RW:
671 case AUE_OPEN_RWT:
672 case AUE_OPEN_W:
673 case AUE_OPEN_WT:
674 if (error == ENOENT)
675 aevent = AUE_OPEN;
91447636 676}
e5568f75 677 return aevent;
55e303ae
A		 678}
679
680/* Convert a MSGCTL command to a specific event. */
91447636 681au_event_t msgctl_to_event(int cmd)
55e303ae
A		 682{
683 switch (cmd) {
684 case IPC_RMID:
685 return AUE_MSGCTL_RMID;
686 case IPC_SET:
687 return AUE_MSGCTL_SET;
688 case IPC_STAT:
689 return AUE_MSGCTL_STAT;
690 default:
691 return AUE_MSGCTL;
692 /* We will audit a bad command */
693 }
694}
695
696/* Convert a SEMCTL command to a specific event. */
91447636 697au_event_t semctl_to_event(int cmd)
55e303ae
A		 698{
699 switch (cmd) {
700 case GETALL:
701 return AUE_SEMCTL_GETALL;
702 case GETNCNT:
703 return AUE_SEMCTL_GETNCNT;
704 case GETPID:
705 return AUE_SEMCTL_GETPID;
706 case GETVAL:
707 return AUE_SEMCTL_GETVAL;
708 case GETZCNT:
709 return AUE_SEMCTL_GETZCNT;
710 case IPC_RMID:
711 return AUE_SEMCTL_RMID;
712 case IPC_SET:
713 return AUE_SEMCTL_SET;
714 case SETALL:
715 return AUE_SEMCTL_SETALL;
716 case SETVAL:
717 return AUE_SEMCTL_SETVAL;
718 case IPC_STAT:
719 return AUE_SEMCTL_STAT;
720 default:
721 return AUE_SEMCTL;
722 /* We will audit a bad command */
723 }
724}
725
e5568f75
A		 726/* Convert a command for the auditon() system call to a audit event. */
727int auditon_command_event(int cmd)
728{
729 switch(cmd) {
730 case A_GETPOLICY:
731 return AUE_AUDITON_GPOLICY;
732 break;
733 case A_SETPOLICY:
734 return AUE_AUDITON_SPOLICY;
735 break;
736 case A_GETKMASK:
737 return AUE_AUDITON_GETKMASK;
738 break;
739 case A_SETKMASK:
740 return AUE_AUDITON_SETKMASK;
741 break;
742 case A_GETQCTRL:
743 return AUE_AUDITON_GQCTRL;
744 break;
745 case A_SETQCTRL:
746 return AUE_AUDITON_SQCTRL;
747 break;
748 case A_GETCWD:
749 return AUE_AUDITON_GETCWD;
750 break;
751 case A_GETCAR:
752 return AUE_AUDITON_GETCAR;
753 break;
754 case A_GETSTAT:
755 return AUE_AUDITON_GETSTAT;
756 break;
757 case A_SETSTAT:
758 return AUE_AUDITON_SETSTAT;
759 break;
760 case A_SETUMASK:
761 return AUE_AUDITON_SETUMASK;
762 break;
763 case A_SETSMASK:
764 return AUE_AUDITON_SETSMASK;
765 break;
766 case A_GETCOND:
767 return AUE_AUDITON_GETCOND;
768 break;
769 case A_SETCOND:
770 return AUE_AUDITON_SETCOND;
771 break;
772 case A_GETCLASS:
773 return AUE_AUDITON_GETCLASS;
774 break;
775 case A_SETCLASS:
776 return AUE_AUDITON_SETCLASS;
777 break;
778 case A_GETPINFO:
779 case A_SETPMASK:
780 case A_SETFSIZE:
781 case A_GETFSIZE:
782 case A_GETPINFO_ADDR:
783 case A_GETKAUDIT:
784 case A_SETKAUDIT:
785 default:
786 return AUE_AUDITON; /* No special record */
787 break;
788 }
789}
790
55e303ae
A		 791/*
792 * Create a canonical path from given path by prefixing either the
793 * root directory, or the current working directory.
794 * If the process working directory is NULL, we could use 'rootvnode'
795 * to obtain the root directoty, but this results in a volfs name
796 * written to the audit log. So we will leave the filename starting
797 * with '/' in the audit log in this case.
798 */
e5568f75 799int canon_path(struct proc *p, char *path, char *cpath)
55e303ae
A		 800{
801 char *bufp;
802 int len;
803 struct vnode *vnp;
804 struct filedesc *fdp;
e5568f75 805 int ret;
55e303ae
A		 806
807 fdp = p->p_fd;
808 bufp = path;
809 if (*(path) == '/') {
810 while (*(bufp) == '/')
811 bufp++; /* skip leading '/'s */
812 /* If no process root, or it is the same as the system root,
813 * audit the path as passed in with a single '/'.
814 */
815 if ((fdp->fd_rdir == NULL) ||
816 (fdp->fd_rdir == rootvnode)) {
817 vnp = NULL;
818 bufp--; /* restore one '/' */
819 } else {
820 vnp = fdp->fd_rdir; /* use process root */
821 }
822 } else {
823 vnp = fdp->fd_cdir; /* prepend the current dir */
824 bufp = path;
825 }
826 if (vnp != NULL) {
827 len = MAXPATHLEN;
e5568f75
A		 828 ret = vn_getpath(vnp, cpath, &len);
829 if (ret != 0) {
830 cpath[0] = '\0';
831 return (ret);
832 }
55e303ae 833 if (len < MAXPATHLEN)
91447636
A		 834 cpath[len-1] = '/';
835 strncpy(cpath + len, bufp, MAXPATHLEN - len);
55e303ae
A		 836 } else {
837 strncpy(cpath, bufp, MAXPATHLEN);
838 }
e5568f75 839 return (0);
55e303ae 840}
mirror of XNU