]> git.saurik.com Git - apple/xnu.git/blame - bsd/security/audit/audit_bsm.c
projects / apple / xnu.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
xnu-4903.241.1.tar.gz
[apple/xnu.git] / bsd / security / audit / audit_bsm.c
CommitLineData
b0d623f7 1/*
39037602 2 * Copyright (c) 1999-2016 Apple Inc.
b0d623f7
A		 3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. Neither the name of Apple Inc. ("Apple") nor the names of
14 * its contributors may be used to endorse or promote products derived
15 * from this software without specific prior written permission.
16 *
17 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
21 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
25 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
26 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
27 * POSSIBILITY OF SUCH DAMAGE.
28 */
29/*
30 * NOTICE: This file was modified by SPARTA, Inc. in 2005 to introduce
31 * support for mandatory and extensible security protections. This notice
32 * is included in support of clause 2.2 (b) of the Apple Public License,
33 * Version 2.0.
34 */
35
36#include <sys/types.h>
37#include <sys/vnode_internal.h>
38#include <sys/ipc.h>
39#include <sys/sem.h>
40#include <sys/socketvar.h>
41#include <sys/socket.h>
42#include <sys/queue.h>
43#include <sys/fcntl.h>
44#include <sys/user.h>
45#include <sys/ipc.h>
46
47#include <bsm/audit.h>
48#include <bsm/audit_internal.h>
49#include <bsm/audit_record.h>
50#include <bsm/audit_kevents.h>
51
52#include <security/audit/audit.h>
53#include <security/audit/audit_bsd.h>
54#include <security/audit/audit_private.h>
55
56#include <netinet/in_systm.h>
57#include <netinet/in.h>
58#include <netinet/ip.h>
59
b0d623f7
A		 60#if CONFIG_AUDIT
61MALLOC_DEFINE(M_AUDITBSM, "audit_bsm", "Audit BSM data");
62
63#if CONFIG_MACF
64#include <security/mac_framework.h>
65#endif
66
67static void audit_sys_auditon(struct audit_record *ar,
68 struct au_record *rec);
69static void audit_sys_fcntl(struct kaudit_record *kar,
70 struct au_record *rec);
71
72/*
73 * Initialize the BSM auditing subsystem.
74 */
75void
76kau_init(void)
77{
78
79 au_evclassmap_init();
80}
81
82/*
83 * This call reserves memory for the audit record. Memory must be guaranteed
84 * before any auditable event can be generated. The au_record structure
85 * maintains a reference to the memory allocated above and also the list of
86 * tokens associated with this record.
87 */
88static struct au_record *
89kau_open(void)
90{
91 struct au_record *rec;
92
93 rec = malloc(sizeof(*rec), M_AUDITBSM, M_WAITOK);
94 rec->data = NULL;
95 TAILQ_INIT(&rec->token_q);
96 rec->len = 0;
97 rec->used = 1;
98
99 return (rec);
100}
101
102/*
103 * Store the token with the record descriptor.
104 */
105static void
106kau_write(struct au_record *rec, struct au_token *tok)
107{
108
109 KASSERT(tok != NULL, ("kau_write: tok == NULL"));
110
111 TAILQ_INSERT_TAIL(&rec->token_q, tok, tokens);
112 rec->len += tok->len;
113}
114
115/*
116 * Close out the audit record by adding the header token, identifying any
117 * missing tokens. Write out the tokens to the record memory.
118 */
119static void
120kau_close(struct au_record *rec, struct timespec *ctime, short event)
121{
122 u_char *dptr;
123 size_t tot_rec_size;
124 token_t *cur, *hdr, *trail;
125 struct timeval tm;
126 size_t hdrsize;
127 struct auditinfo_addr ak;
128 struct in6_addr *ap;
129
130 audit_get_kinfo(&ak);
131 hdrsize = 0;
132 switch (ak.ai_termid.at_type) {
133 case AU_IPv4:
134 hdrsize = (ak.ai_termid.at_addr[0] == INADDR_ANY) ?
135 AUDIT_HEADER_SIZE : AUDIT_HEADER_EX_SIZE(&ak);
136 break;
137 case AU_IPv6:
138 ap = (struct in6_addr *)&ak.ai_termid.at_addr[0];
139 hdrsize = (IN6_IS_ADDR_UNSPECIFIED(ap)) ? AUDIT_HEADER_SIZE :
140 AUDIT_HEADER_EX_SIZE(&ak);
141 break;
142 default:
143 panic("kau_close: invalid address family");
144 }
145 tot_rec_size = rec->len + AUDIT_HEADER_SIZE + AUDIT_TRAILER_SIZE;
146 rec->data = malloc(tot_rec_size, M_AUDITBSM, M_WAITOK | M_ZERO);
147
148 tm.tv_usec = ctime->tv_nsec / 1000;
149 tm.tv_sec = ctime->tv_sec;
150 if (hdrsize != AUDIT_HEADER_SIZE)
151 hdr = au_to_header32_ex_tm(tot_rec_size, event, 0, tm, &ak);
152 else
153 hdr = au_to_header32_tm(tot_rec_size, event, 0, tm);
154 TAILQ_INSERT_HEAD(&rec->token_q, hdr, tokens);
155
156 trail = au_to_trailer(tot_rec_size);
157 TAILQ_INSERT_TAIL(&rec->token_q, trail, tokens);
158
159 rec->len = tot_rec_size;
160 dptr = rec->data;
161 TAILQ_FOREACH(cur, &rec->token_q, tokens) {
162 memcpy(dptr, cur->t_data, cur->len);
163 dptr += cur->len;
164 }
165}
166
167/*
168 * Free a BSM audit record by releasing all the tokens and clearing the audit
169 * record information.
170 */
171void
172kau_free(struct au_record *rec)
173{
174 struct au_token *tok;
175
176 /* Free the token list. */
177 while ((tok = TAILQ_FIRST(&rec->token_q))) {
178 TAILQ_REMOVE(&rec->token_q, tok, tokens);
179 free(tok->t_data, M_AUDITBSM);
180 free(tok, M_AUDITBSM);
181 }
182
183 rec->used = 0;
184 rec->len = 0;
185 free(rec->data, M_AUDITBSM);
186 free(rec, M_AUDITBSM);
187}
188
189/*
190 * XXX: May want turn some (or all) of these macros into functions in order
191 * to reduce the generated code size.
192 *
193 * XXXAUDIT: These macros assume that 'kar', 'ar', 'rec', and 'tok' in the
194 * caller are OK with this.
195 */
196#if CONFIG_MACF
197#define MAC_VNODE1_LABEL_TOKEN do { \
198 if (ar->ar_vnode1_mac_labels != NULL && \
199 strlen(ar->ar_vnode1_mac_labels) != 0) { \
200 tok = au_to_text(ar->ar_vnode1_mac_labels); \
201 kau_write(rec, tok); \
202 } \
203} while (0)
204
205#define MAC_VNODE2_LABEL_TOKEN do { \
206 if (ar->ar_vnode2_mac_labels != NULL && \
207 strlen(ar->ar_vnode2_mac_labels) != 0) { \
208 tok = au_to_text(ar->ar_vnode2_mac_labels); \
209 kau_write(rec, tok); \
210 } \
211} while (0)
212#else
213#define MAC_VNODE1_LABEL_TOKEN
214#define MAC_VNODE2_LABEL_TOKEN
215#endif
216#define UPATH1_TOKENS do { \
217 if (ARG_IS_VALID(kar, ARG_UPATH1)) { \
218 tok = au_to_path(ar->ar_arg_upath1); \
219 kau_write(rec, tok); \
220 } \
221} while (0)
222
223#define UPATH2_TOKENS do { \
224 if (ARG_IS_VALID(kar, ARG_UPATH2)) { \
225 tok = au_to_path(ar->ar_arg_upath2); \
226 kau_write(rec, tok); \
227 } \
228} while (0)
229
b226f5e5
A		 230#define KPATH2_TOKENS do { \
231 if (ARG_IS_VALID(kar, ARG_KPATH2)) { \
232 tok = au_to_path(ar->ar_arg_kpath2); \
233 kau_write(rec, tok); \
234 } \
235} while (0)
236
b0d623f7
A		 237#define VNODE1_TOKENS do { \
238 if (ARG_IS_VALID(kar, ARG_KPATH1)) { \
239 tok = au_to_path(ar->ar_arg_kpath1); \
240 kau_write(rec, tok); \
241 } \
242 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \
243 tok = au_to_attr32(&ar->ar_arg_vnode1); \
244 kau_write(rec, tok); \
245 MAC_VNODE1_LABEL_TOKEN; \
246 } \
247} while (0)
248
249#define UPATH1_VNODE1_TOKENS do { \
250 if (ARG_IS_VALID(kar, ARG_UPATH1)) { \
251 tok = au_to_path(ar->ar_arg_upath1); \
252 kau_write(rec, tok); \
253 } \
254 if (ARG_IS_VALID(kar, ARG_KPATH1)) { \
255 tok = au_to_path(ar->ar_arg_kpath1); \
256 kau_write(rec, tok); \
257 } \
258 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \
259 tok = au_to_attr32(&ar->ar_arg_vnode1); \
260 kau_write(rec, tok); \
261 MAC_VNODE1_LABEL_TOKEN; \
262 } \
263} while (0)
264
265#define VNODE2_TOKENS do { \
266 if (ARG_IS_VALID(kar, ARG_VNODE2)) { \
267 tok = au_to_attr32(&ar->ar_arg_vnode2); \
268 kau_write(rec, tok); \
269 MAC_VNODE2_LABEL_TOKEN; \
270 } \
271} while (0)
272
d9a64523
A		 273#define VNODE2_PATH_TOKENS do { \
274 if (ARG_IS_VALID(kar, ARG_KPATH2)) { \
275 tok = au_to_path(ar->ar_arg_kpath2); \
276 kau_write(rec, tok); \
277 } \
278 if (ARG_IS_VALID(kar, ARG_VNODE2)) { \
279 tok = au_to_attr32(&ar->ar_arg_vnode2); \
280 kau_write(rec, tok); \
281 MAC_VNODE2_LABEL_TOKEN; \
282 } \
283} while (0)
284
b0d623f7
A		 285#define FD_VNODE1_TOKENS do { \
286 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \
287 if (ARG_IS_VALID(kar, ARG_KPATH1)) { \
288 tok = au_to_path(ar->ar_arg_kpath1); \
289 kau_write(rec, tok); \
290 } \
291 if (ARG_IS_VALID(kar, ARG_FD)) { \
292 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); \
293 kau_write(rec, tok); \
294 MAC_VNODE1_LABEL_TOKEN; \
295 } \
296 tok = au_to_attr32(&ar->ar_arg_vnode1); \
297 kau_write(rec, tok); \
298 } else { \
299 if (ARG_IS_VALID(kar, ARG_FD)) { \
300 tok = au_to_arg32(1, "fd", \
301 ar->ar_arg_fd); \
302 kau_write(rec, tok); \
303 MAC_VNODE1_LABEL_TOKEN; \
304 } \
305 } \
306} while (0)
307
308#define PROCESS_PID_TOKENS(argn) do { \
309 if ((ar->ar_arg_pid > 0) /* Reference a single process */ \
310 && (ARG_IS_VALID(kar, ARG_PROCESS))) { \
311 tok = au_to_process32_ex(ar->ar_arg_auid, \
312 ar->ar_arg_euid, ar->ar_arg_egid, \
313 ar->ar_arg_ruid, ar->ar_arg_rgid, \
314 ar->ar_arg_pid, ar->ar_arg_asid, \
315 &ar->ar_arg_termid_addr); \
316 kau_write(rec, tok); \
317 } else if (ARG_IS_VALID(kar, ARG_PID)) { \
318 tok = au_to_arg32(argn, "process", ar->ar_arg_pid); \
319 kau_write(rec, tok); \
320 } \
321} while (0)
322
323#define EXTATTR_TOKENS do { \
324 if (ARG_IS_VALID(kar, ARG_VALUE32)) { \
325 switch (ar->ar_arg_value32) { \
326 case EXTATTR_NAMESPACE_USER: \
327 tok = au_to_text(EXTATTR_NAMESPACE_USER_STRING);\
328 break; \
329 case EXTATTR_NAMESPACE_SYSTEM: \
330 tok = au_to_text(EXTATTR_NAMESPACE_SYSTEM_STRING);\
331 break; \
332 default: \
333 tok = au_to_arg32(3, "attrnamespace", \
334 ar->ar_arg_value32); \
335 break; \
336 } \
337 kau_write(rec, tok); \
338 } \
339 /* attrname is in the text field */ \
340 if (ARG_IS_VALID(kar, ARG_TEXT)) { \
341 tok = au_to_text(ar->ar_arg_text); \
342 kau_write(rec, tok); \
343 } \
344} while (0)
345
346#define EXTENDED_TOKENS(n) do { \
347 /* ACL data */ \
348 if (ARG_IS_VALID(kar, ARG_OPAQUE)) { \
349 tok = au_to_opaque(ar->ar_arg_opaque, \
350 ar->ar_arg_opq_size); \
351 kau_write(rec, tok); \
352 } \
353 if (ARG_IS_VALID(kar, ARG_MODE)) { \
354 tok = au_to_arg32(n+2, "mode", ar->ar_arg_mode);\
355 kau_write(rec, tok); \
356 } \
357 if (ARG_IS_VALID(kar, ARG_GID)) { \
358 tok = au_to_arg32(n+1, "gid", ar->ar_arg_gid); \
359 kau_write(rec, tok); \
360 } \
361 if (ARG_IS_VALID(kar, ARG_UID)) { \
362 tok = au_to_arg32(n, "uid", ar->ar_arg_uid); \
363 kau_write(rec, tok); \
364 } \
365} while (0)
366
367#define PROCESS_MAC_TOKENS do { \
368 if (ar->ar_valid_arg & ARG_MAC_STRING) { \
369 tok = au_to_text(ar->ar_arg_mac_string); \
370 kau_write(rec, tok); \
371 } \
372} while (0)
373
374/*
375 * Implement auditing for the auditon() system call. The audit tokens that
376 * are generated depend on the command that was sent into the auditon()
377 * system call.
378 */
379static void
380audit_sys_auditon(struct audit_record *ar, struct au_record *rec)
381{
382 struct au_token *tok;
383
384 switch (ar->ar_arg_cmd) {
385 case A_OLDSETPOLICY:
386 if (ar->ar_arg_len > sizeof(int)) {
387 tok = au_to_arg32(3, "length", ar->ar_arg_len);
388 kau_write(rec, tok);
389 tok = au_to_arg64(2, "policy",
390 ar->ar_arg_auditon.au_policy64);
391 kau_write(rec, tok);
392 break;
393 }
394 /* FALLTHROUGH */
395 case A_SETPOLICY:
396 tok = au_to_arg32(3, "length", ar->ar_arg_len);
397 kau_write(rec, tok);
398 tok = au_to_arg32(2, "policy", ar->ar_arg_auditon.au_policy);
399 kau_write(rec, tok);
400 break;
401
402 case A_SETKMASK:
403 tok = au_to_arg32(3, "length", ar->ar_arg_len);
404 kau_write(rec, tok);
405 tok = au_to_arg32(2, "setkmask:as_success",
406 ar->ar_arg_auditon.au_mask.am_success);
407 kau_write(rec, tok);
408 tok = au_to_arg32(2, "setkmask:as_failure",
409 ar->ar_arg_auditon.au_mask.am_failure);
410 kau_write(rec, tok);
411 break;
412
413 case A_OLDSETQCTRL:
414 if (ar->ar_arg_len > sizeof(au_qctrl_t)) {
415 tok = au_to_arg32(3, "length", ar->ar_arg_len);
416 kau_write(rec, tok);
417 tok = au_to_arg64(2, "setqctrl:aq_hiwater",
418 ar->ar_arg_auditon.au_qctrl64.aq64_hiwater);
419 kau_write(rec, tok);
420 tok = au_to_arg64(2, "setqctrl:aq_lowater",
421 ar->ar_arg_auditon.au_qctrl64.aq64_lowater);
422 kau_write(rec, tok);
423 tok = au_to_arg64(2, "setqctrl:aq_bufsz",
424 ar->ar_arg_auditon.au_qctrl64.aq64_bufsz);
425 kau_write(rec, tok);
426 tok = au_to_arg64(2, "setqctrl:aq_delay",
427 ar->ar_arg_auditon.au_qctrl64.aq64_delay);
428 kau_write(rec, tok);
429 tok = au_to_arg32(2, "setqctrl:aq_minfree",
430 ar->ar_arg_auditon.au_qctrl64.aq64_minfree);
431 kau_write(rec, tok);
432 break;
433 }
434 /* FALLTHROUGH */
435 case A_SETQCTRL:
436 tok = au_to_arg32(3, "length", ar->ar_arg_len);
437 kau_write(rec, tok);
438 tok = au_to_arg32(2, "setqctrl:aq_hiwater",
439 ar->ar_arg_auditon.au_qctrl.aq_hiwater);
440 kau_write(rec, tok);
441 tok = au_to_arg32(2, "setqctrl:aq_lowater",
442 ar->ar_arg_auditon.au_qctrl.aq_lowater);
443 kau_write(rec, tok);
444 tok = au_to_arg32(2, "setqctrl:aq_bufsz",
445 ar->ar_arg_auditon.au_qctrl.aq_bufsz);
446 kau_write(rec, tok);
447 tok = au_to_arg32(2, "setqctrl:aq_delay",
448 ar->ar_arg_auditon.au_qctrl.aq_delay);
449 kau_write(rec, tok);
450 tok = au_to_arg32(2, "setqctrl:aq_minfree",
451 ar->ar_arg_auditon.au_qctrl.aq_minfree);
452 kau_write(rec, tok);
453 break;
454
455 case A_SETUMASK:
456 tok = au_to_arg32(3, "length", ar->ar_arg_len);
457 kau_write(rec, tok);
458 tok = au_to_arg32(2, "setumask:as_success",
459 ar->ar_arg_auditon.au_auinfo.ai_mask.am_success);
460 kau_write(rec, tok);
461 tok = au_to_arg32(2, "setumask:as_failure",
462 ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure);
463 kau_write(rec, tok);
464 break;
465
466 case A_SETSMASK:
467 tok = au_to_arg32(3, "length", ar->ar_arg_len);
468 kau_write(rec, tok);
469 tok = au_to_arg32(2, "setsmask:as_success",
470 ar->ar_arg_auditon.au_auinfo.ai_mask.am_success);
471 kau_write(rec, tok);
472 tok = au_to_arg32(2, "setsmask:as_failure",
473 ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure);
474 kau_write(rec, tok);
475 break;
476
477 case A_OLDSETCOND:
478 if (ar->ar_arg_len > sizeof(int)) {
479 tok = au_to_arg32(3, "length", ar->ar_arg_len);
480 kau_write(rec, tok);
481 tok = au_to_arg64(2, "setcond",
482 ar->ar_arg_auditon.au_cond64);
483 kau_write(rec, tok);
484 break;
485 }
486 /* FALLTHROUGH */
487 case A_SETCOND:
488 tok = au_to_arg32(3, "length", ar->ar_arg_len);
489 kau_write(rec, tok);
490 tok = au_to_arg32(2, "setcond", ar->ar_arg_auditon.au_cond);
491 kau_write(rec, tok);
492 break;
493
494 case A_SETCLASS:
495 tok = au_to_arg32(3, "length", ar->ar_arg_len);
496 kau_write(rec, tok);
497 tok = au_to_arg32(2, "setclass:ec_event",
498 ar->ar_arg_auditon.au_evclass.ec_number);
499 kau_write(rec, tok);
500 tok = au_to_arg32(3, "setclass:ec_class",
501 ar->ar_arg_auditon.au_evclass.ec_class);
502 kau_write(rec, tok);
503 break;
504
505 case A_SETPMASK:
506 tok = au_to_arg32(3, "length", ar->ar_arg_len);
507 kau_write(rec, tok);
508 tok = au_to_arg32(2, "setpmask:as_success",
509 ar->ar_arg_auditon.au_aupinfo.ap_mask.am_success);
510 kau_write(rec, tok);
511 tok = au_to_arg32(2, "setpmask:as_failure",
512 ar->ar_arg_auditon.au_aupinfo.ap_mask.am_failure);
513 kau_write(rec, tok);
514 break;
515
516 case A_SETFSIZE:
517 tok = au_to_arg32(3, "length", ar->ar_arg_len);
518 kau_write(rec, tok);
519 tok = au_to_arg32(2, "setfsize:filesize",
520 ar->ar_arg_auditon.au_fstat.af_filesz);
521 kau_write(rec, tok);
522 break;
523
524 default:
525 break;
526 }
527 tok = au_to_arg32(1, "cmd", ar->ar_arg_cmd);
528 kau_write(rec, tok);
529}
530
531/*
532 * Implement auditing for the fcntl() system call. The audit tokens that
533 * are generated depend on the command that was sent into the fcntl()
534 * system call.
535 */
536static void
537audit_sys_fcntl(struct kaudit_record *kar, struct au_record *rec)
538{
539 struct au_token *tok;
540 struct audit_record *ar = &kar->k_ar;
541
542 switch (ar->ar_arg_cmd) {
543
544 case F_DUPFD:
545 if (ARG_IS_VALID(kar, ARG_VALUE32)) {
546 tok = au_to_arg32(3, "min fd", ar->ar_arg_value32);
547 kau_write(rec, tok);
548 }
549 break;
550
551 case F_SETFD:
552 if (ARG_IS_VALID(kar, ARG_VALUE32)) {
553 tok = au_to_arg32(3, "close-on-exec flag",
554 ar->ar_arg_value32);
555 kau_write(rec, tok);
556 }
557 break;
558
559 case F_SETFL:
560 if (ARG_IS_VALID(kar, ARG_VALUE32)) {
561 tok = au_to_arg32(3, "fd flags", ar->ar_arg_value32);
562 kau_write(rec, tok);
563 }
564 break;
565
566 case F_SETOWN:
567 if (ARG_IS_VALID(kar, ARG_VALUE32)) {
568 tok = au_to_arg32(3, "pid", ar->ar_arg_value32);
569 kau_write(rec, tok);
570 }
571 break;
572
573#ifdef F_SETSIZE
574 case F_SETSIZE:
575 if (ARG_IS_VALID(kar, ARG_VALUE64)) {
576 tok = au_to_arg64(3, "offset", ar->ar_arg_value64);
577 kau_write(rec, tok);
578 }
579 break;
580#endif /* F_SETSIZE */
581
582#ifdef F_PATHPKG_CHECK
583 case F_PATHPKG_CHECK:
584 if (ARG_IS_VALID(kar, ARG_TEXT)) {
585 tok = au_to_text(ar->ar_arg_text);
586 kau_write(rec, tok);
587 }
588 break;
589#endif
590
591 default:
592 break;
593 }
594 tok = au_to_arg32(2, "cmd", au_fcntl_cmd_to_bsm(ar->ar_arg_cmd));
595 kau_write(rec, tok);
596}
597
598/*
599 * Convert an internal kernel audit record to a BSM record and return a
600 * success/failure indicator. The BSM record is passed as an out parameter to
601 * this function.
602 *
603 * Return conditions:
604 * BSM_SUCCESS: The BSM record is valid
605 * BSM_FAILURE: Failure; the BSM record is NULL.
606 * BSM_NOAUDIT: The event is not auditable for BSM; the BSM record is NULL.
607 */
608int
609kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau)
610{
611 struct au_token *tok = NULL, *subj_tok;
612 struct au_record *rec;
613 au_tid_t tid;
614 struct audit_record *ar;
615 int ctr;
616 u_int uctr;
617
618 KASSERT(kar != NULL, ("kaudit_to_bsm: kar == NULL"));
619
620 *pau = NULL;
621 ar = &kar->k_ar;
622 rec = kau_open();
623
624 /*
625 * Create the subject token.
626 */
627 switch (ar->ar_subj_term_addr.at_type) {
628 case AU_IPv4:
629 tid.port = ar->ar_subj_term_addr.at_port;
630 tid.machine = ar->ar_subj_term_addr.at_addr[0];
631 subj_tok = au_to_subject32(ar->ar_subj_auid, /* audit ID */
632 ar->ar_subj_cred.cr_uid, /* eff uid */
633 ar->ar_subj_egid, /* eff group id */
634 ar->ar_subj_ruid, /* real uid */
635 ar->ar_subj_rgid, /* real group id */
636 ar->ar_subj_pid, /* process id */
637 ar->ar_subj_asid, /* session ID */
638 &tid);
639 break;
640 case AU_IPv6:
641 subj_tok = au_to_subject32_ex(ar->ar_subj_auid,
642 ar->ar_subj_cred.cr_uid,
643 ar->ar_subj_egid,
644 ar->ar_subj_ruid,
645 ar->ar_subj_rgid,
646 ar->ar_subj_pid,
647 ar->ar_subj_asid,
648 &ar->ar_subj_term_addr);
649 break;
650 default:
651 bzero(&tid, sizeof(tid));
652 subj_tok = au_to_subject32(ar->ar_subj_auid,
653 ar->ar_subj_cred.cr_uid,
654 ar->ar_subj_egid,
655 ar->ar_subj_ruid,
656 ar->ar_subj_rgid,
657 ar->ar_subj_pid,
658 ar->ar_subj_asid,
659 &tid);
660 }
661
662 /*
663 * The logic inside each case fills in the tokens required for the
664 * event, except for the header, trailer, and return tokens. The
665 * header and trailer tokens are added by the kau_close() function.
666 * The return token is added outside of the switch statement.
667 */
668 switch(ar->ar_event) {
669 case AUE_SENDFILE:
670 /* For sendfile the file and socket descriptor are both saved */
671 if (ARG_IS_VALID(kar, ARG_VALUE32)) {
672 tok = au_to_arg32(2, "sd", ar->ar_arg_value32);
673 kau_write(rec, tok);
674 }
675 /* FALLTHROUGH */
676 case AUE_ACCEPT:
677 case AUE_BIND:
678 case AUE_LISTEN:
679 case AUE_CONNECT:
680 case AUE_RECVFROM:
681 case AUE_RECVMSG:
682 case AUE_SENDMSG:
683 case AUE_SENDTO:
684 /*
685 * Socket-related events.
686 */
687 if (ARG_IS_VALID(kar, ARG_FD)) {
688 tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
689 kau_write(rec, tok);
690 }
691 if (ARG_IS_VALID(kar, ARG_SADDRINET)) {
692 tok = au_to_sock_inet((struct sockaddr_in *)
693 &ar->ar_arg_sockaddr);
694 kau_write(rec, tok);
695 }
696 if (ARG_IS_VALID(kar, ARG_SADDRUNIX)) {
697 tok = au_to_sock_unix((struct sockaddr_un *)
698 &ar->ar_arg_sockaddr);
699 kau_write(rec, tok);
700 UPATH1_TOKENS;
701 }
702 if (ARG_IS_VALID(kar, ARG_SADDRINET6)) {
703 tok = au_to_sock_inet128((struct sockaddr_in6 *)
704 &ar->ar_arg_sockaddr);
705 kau_write(rec, tok);
706 }
707 break;
708
709 case AUE_SOCKET:
710 case AUE_SOCKETPAIR:
711 if (ARG_IS_VALID(kar, ARG_SOCKINFO)) {
712 tok = au_to_arg32(1,"domain",
713 au_domain_to_bsm(ar->ar_arg_sockinfo.sai_domain));
714 kau_write(rec, tok);
715 tok = au_to_arg32(2,"type",
716 au_socket_type_to_bsm(ar->ar_arg_sockinfo.sai_type));
717 kau_write(rec, tok);
718 tok = au_to_arg32(3,"protocol",
719 ar->ar_arg_sockinfo.sai_protocol);
720 kau_write(rec, tok);
721 }
722 break;
723
724 case AUE_SETSOCKOPT:
725 case AUE_SHUTDOWN:
726 if (ARG_IS_VALID(kar, ARG_FD)) {
727 tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
728 kau_write(rec, tok);
729 }
730 break;
731
732 case AUE_ACCT:
733 if (ARG_IS_VALID(kar, (ARG_KPATH1 | ARG_UPATH1))) {
734 UPATH1_VNODE1_TOKENS;
735 } else {
736 tok = au_to_arg32(1, "accounting off", 0);
737 kau_write(rec, tok);
738 }
739 break;
740
741 case AUE_SETAUID:
742 if (ARG_IS_VALID(kar, ARG_AUID)) {
743 tok = au_to_arg32(2, "setauid", ar->ar_arg_auid);
744 kau_write(rec, tok);
745 }
746 break;
747
748 case AUE_SETAUDIT:
749 if (ARG_IS_VALID(kar, ARG_AUID) &&
750 ARG_IS_VALID(kar, ARG_ASID) &&
751 ARG_IS_VALID(kar, ARG_AMASK) &&
752 ARG_IS_VALID(kar, ARG_TERMID)) {
753 tok = au_to_arg32(1, "setaudit:auid",
754 ar->ar_arg_auid);
755 kau_write(rec, tok);
756 tok = au_to_arg32(1, "setaudit:port",
757 ar->ar_arg_termid.port);
758 kau_write(rec, tok);
759 tok = au_to_arg32(1, "setaudit:machine",
760 ar->ar_arg_termid.machine);
761 kau_write(rec, tok);
762 tok = au_to_arg32(1, "setaudit:as_success",
763 ar->ar_arg_amask.am_success);
764 kau_write(rec, tok);
765 tok = au_to_arg32(1, "setaudit:as_failure",
766 ar->ar_arg_amask.am_failure);
767 kau_write(rec, tok);
768 tok = au_to_arg32(1, "setaudit:asid",
769 ar->ar_arg_asid);
770 kau_write(rec, tok);
771 }
772 break;
773
774 case AUE_SETAUDIT_ADDR:
775 if (ARG_IS_VALID(kar, ARG_AUID) &&
776 ARG_IS_VALID(kar, ARG_ASID) &&
777 ARG_IS_VALID(kar, ARG_AMASK) &&
778 ARG_IS_VALID(kar, ARG_TERMID_ADDR)) {
779 tok = au_to_arg32(1, "setaudit_addr:auid",
780 ar->ar_arg_auid);
781 kau_write(rec, tok);
782 tok = au_to_arg32(1, "setaudit_addr:as_success",
783 ar->ar_arg_amask.am_success);
784 kau_write(rec, tok);
785 tok = au_to_arg32(1, "setaudit_addr:as_failure",
786 ar->ar_arg_amask.am_failure);
787 kau_write(rec, tok);
788 tok = au_to_arg32(1, "setaudit_addr:asid",
789 ar->ar_arg_asid);
790 kau_write(rec, tok);
791 tok = au_to_arg32(1, "setaudit_addr:type",
792 ar->ar_arg_termid_addr.at_type);
793 kau_write(rec, tok);
794 tok = au_to_arg32(1, "setaudit_addr:port",
795 ar->ar_arg_termid_addr.at_port);
796 kau_write(rec, tok);
797 if (ar->ar_arg_termid_addr.at_type == AU_IPv6)
798 tok = au_to_in_addr_ex((struct in6_addr *)
799 &ar->ar_arg_termid_addr.at_addr[0]);
800 if (ar->ar_arg_termid_addr.at_type == AU_IPv4)
801 tok = au_to_in_addr((struct in_addr *)
802 &ar->ar_arg_termid_addr.at_addr[0]);
803 kau_write(rec, tok);
804 }
805 break;
806
807 case AUE_AUDITON:
808 /*
809 * For AUDITON commands without own event, audit the cmd.
810 */
811 if (ARG_IS_VALID(kar, ARG_CMD)) {
812 tok = au_to_arg32(1, "cmd", ar->ar_arg_cmd);
813 kau_write(rec, tok);
814 }
815 /* FALLTHROUGH */
816
817 case AUE_AUDITON_GETCAR:
818 case AUE_AUDITON_GETCLASS:
819 case AUE_AUDITON_GETCOND:
820 case AUE_AUDITON_GETCWD:
821 case AUE_AUDITON_GETKMASK:
822 case AUE_AUDITON_GETSTAT:
823 case AUE_AUDITON_GPOLICY:
824 case AUE_AUDITON_GQCTRL:
825 case AUE_AUDITON_SETCLASS:
826 case AUE_AUDITON_SETCOND:
827 case AUE_AUDITON_SETKMASK:
828 case AUE_AUDITON_SETSMASK:
829 case AUE_AUDITON_SETSTAT:
830 case AUE_AUDITON_SETUMASK:
831 case AUE_AUDITON_SPOLICY:
832 case AUE_AUDITON_SQCTRL:
833 if (ARG_IS_VALID(kar, ARG_AUDITON))
834 audit_sys_auditon(ar, rec);
835 break;
836
837 case AUE_AUDITCTL:
838 UPATH1_VNODE1_TOKENS;
839 break;
840
841 case AUE_EXIT:
842 if (ARG_IS_VALID(kar, ARG_EXIT)) {
843 tok = au_to_exit(ar->ar_arg_exitretval,
844 ar->ar_arg_exitstatus);
845 kau_write(rec, tok);
846 }
847 break;
848
849 case AUE_ADJTIME:
850 case AUE_AUDIT:
851 case AUE_DUP2:
852 case AUE_GETAUDIT:
853 case AUE_GETAUDIT_ADDR:
854 case AUE_GETAUID:
855 case AUE_GETFSSTAT:
856 case AUE_KQUEUE:
857 case AUE_LSEEK:
858#if 0
859/* XXXss replace with kext */
860 case AUE_MODLOAD:
861 case AUE_MODUNLOAD:
862#endif
863 case AUE_MAC_GETFSSTAT:
864 case AUE_PIPE:
865 case AUE_PROFILE:
866 case AUE_SEMSYS:
867 case AUE_SHMSYS:
868 case AUE_SETPGRP:
869 case AUE_SETRLIMIT:
870 case AUE_SETSID:
871 case AUE_SETTIMEOFDAY:
872 case AUE_KDEBUGTRACE:
873 case AUE_PTHREADSIGMASK:
874 /*
875 * Header, subject, and return tokens added at end.
876 */
877 break;
878
879 case AUE_MKFIFO:
880 if (ARG_IS_VALID(kar, ARG_MODE)) {
881 tok = au_to_arg32(2, "mode", ar->ar_arg_mode);
882 kau_write(rec, tok);
883 }
884 UPATH1_VNODE1_TOKENS;
885 break;
886
887 case AUE_ACCESS_EXTENDED:
888 /*
889 * The access_extended() argument vector is stored in an
890 * opaque token.
891 */
892 if (ARG_IS_VALID(kar, ARG_OPAQUE)) {
893 tok = au_to_opaque(ar->ar_arg_opaque,
894 ar->ar_arg_opq_size);
895 kau_write(rec, tok);
896 }
897 /*
898 * The access_extended() result vector is stored in an arbitrary
899 * data token.
900 */
901 if (ARG_IS_VALID(kar, ARG_DATA)) {
902 tok = au_to_data(AUP_DECIMAL, ar->ar_arg_data_type,
903 ar->ar_arg_data_count, ar->ar_arg_data);
904 kau_write(rec, tok);
905 }
906 UPATH1_VNODE1_TOKENS;
907 break;
908
909 case AUE_LSTAT_EXTENDED:
910 case AUE_STAT_EXTENDED:
911 case AUE_ACCESS:
912 case AUE_CHDIR:
913 case AUE_CHROOT:
914 case AUE_GETATTRLIST:
915 case AUE_NFS_GETFH:
916 case AUE_LSTAT:
917 case AUE_PATHCONF:
918 case AUE_READLINK:
919 case AUE_REVOKE:
920 case AUE_RMDIR:
921 case AUE_SEARCHFS:
922 case AUE_SETATTRLIST:
923 case AUE_STAT:
924 case AUE_STATFS:
925 case AUE_TRUNCATE:
926 case AUE_UNDELETE:
927 case AUE_UNLINK:
928 case AUE_UTIMES:
929 UPATH1_VNODE1_TOKENS;
930 break;
931
932 case AUE_FHOPEN:
933 break;
934
935 case AUE_CHFLAGS:
936 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
937 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
938 kau_write(rec, tok);
939 }
940 UPATH1_VNODE1_TOKENS;
941 break;
942
943 case AUE_CHMOD:
944 if (ARG_IS_VALID(kar, ARG_MODE)) {
945 tok = au_to_arg32(2, "new file mode",
946 ar->ar_arg_mode);
947 kau_write(rec, tok);
948 }
949 UPATH1_VNODE1_TOKENS;
950 break;
951
952 case AUE_CHOWN:
953 case AUE_LCHOWN:
954 if (ARG_IS_VALID(kar, ARG_UID)) {
955 tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid);
956 kau_write(rec, tok);
957 }
958 if (ARG_IS_VALID(kar, ARG_GID)) {
959 tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid);
960 kau_write(rec, tok);
961 }
962 UPATH1_VNODE1_TOKENS;
963 break;
964
965 case AUE_EXCHANGEDATA:
966 UPATH1_VNODE1_TOKENS;
967 UPATH2_TOKENS;
968 break;
969
970 case AUE_CLOSE:
971 if (ARG_IS_VALID(kar, ARG_FD)) {
972 tok = au_to_arg32(2, "fd", ar->ar_arg_fd);
973 kau_write(rec, tok);
974 }
975 UPATH1_VNODE1_TOKENS;
976 break;
977
978 case AUE_CORE:
979 if (ARG_IS_VALID(kar, ARG_SIGNUM)) {
980 tok = au_to_arg32(0, "signal", ar->ar_arg_signum);
981 kau_write(rec, tok);
982 }
983 UPATH1_VNODE1_TOKENS;
984 break;
985
986 case AUE_POSIX_SPAWN:
987 if (ARG_IS_VALID(kar, ARG_PID)) {
988 tok = au_to_arg32(0, "child PID", ar->ar_arg_pid);
989 kau_write(rec, tok);
990 }
991 /* FALLTHROUGH */
992
993 case AUE_EXECVE:
994 if (ARG_IS_VALID(kar, ARG_ARGV)) {
995 tok = au_to_exec_args(ar->ar_arg_argv,
996 ar->ar_arg_argc);
997 kau_write(rec, tok);
998 }
999 if (ARG_IS_VALID(kar, ARG_ENVV)) {
1000 tok = au_to_exec_env(ar->ar_arg_envv,
1001 ar->ar_arg_envc);
1002 kau_write(rec, tok);
1003 }
1004 UPATH1_VNODE1_TOKENS;
d9a64523
A		 1005 VNODE2_PATH_TOKENS;
1006 if (ARG_IS_VALID(kar, ARG_DATA)) {
1007 tok = au_to_data(AUP_HEX, ar->ar_arg_data_type,
1008 ar->ar_arg_data_count, ar->ar_arg_data);
1009 kau_write(rec, tok);
1010 }
b0d623f7
A		 1011 break;
1012
1013 case AUE_FCHMOD_EXTENDED:
1014 EXTENDED_TOKENS(2);
1015 FD_VNODE1_TOKENS;
1016 break;
1017
1018 case AUE_FCHMOD:
1019 if (ARG_IS_VALID(kar, ARG_MODE)) {
1020 tok = au_to_arg32(2, "new file mode",
1021 ar->ar_arg_mode);
1022 kau_write(rec, tok);
1023 }
1024 FD_VNODE1_TOKENS;
1025 break;
1026
1027 case AUE_NFS_SVC:
1028 tok = au_to_arg32(1, "request", ar->ar_arg_cmd);
1029 kau_write(rec, tok);
1030 if (ar->ar_valid_arg & (ARG_KPATH1 | ARG_UPATH1)) {
1031 UPATH1_VNODE1_TOKENS;
1032 }
1033 break;
1034
1035 /*
1036 * XXXRW: Some of these need to handle non-vnode cases as well.
1037 */
1038 case AUE_FSTAT_EXTENDED:
1039 case AUE_FCHDIR:
1040 case AUE_FPATHCONF:
1041 case AUE_FSTAT: /* XXX Need to handle sockets and shm */
1042 case AUE_FSTATFS:
1043 case AUE_FSYNC:
1044 case AUE_FTRUNCATE:
1045 case AUE_FUTIMES:
1046 case AUE_GETDIRENTRIES:
1047 case AUE_GETDIRENTRIESATTR:
fe8ab488 1048 case AUE_GETATTRLISTBULK:
b0d623f7
A		 1049#if 0 /* XXXss new */
1050 case AUE_POLL:
1051#endif
1052 case AUE_READ:
1053 case AUE_READV:
1054 case AUE_PREAD:
1055 case AUE_WRITE:
1056 case AUE_WRITEV:
1057 case AUE_PWRITE:
1058 FD_VNODE1_TOKENS;
1059 break;
1060
1061 case AUE_FCHOWN:
1062 if (ARG_IS_VALID(kar, ARG_UID)) {
1063 tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid);
1064 kau_write(rec, tok);
1065 }
1066 if (ARG_IS_VALID(kar, ARG_GID)) {
1067 tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid);
1068 kau_write(rec, tok);
1069 }
1070 FD_VNODE1_TOKENS;
1071 break;
1072
1073 case AUE_FCNTL:
1074 if (ARG_IS_VALID(kar, ARG_CMD))
1075 audit_sys_fcntl(kar, rec);
1076 FD_VNODE1_TOKENS;
1077 break;
1078
1079 case AUE_FSCTL:
1080 if (ARG_IS_VALID(kar, ARG_VALUE32)) {
1081 tok = au_to_arg32(4, "options", ar->ar_arg_value32);
1082 kau_write(rec, tok);
1083 }
1084 if (ARG_IS_VALID(kar, ARG_CMD)) {
1085 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd);
1086 kau_write(rec, tok);
1087 }
1088 UPATH1_VNODE1_TOKENS;
1089 break;
1090
1091 case AUE_FFSCTL:
1092 if (ARG_IS_VALID(kar, ARG_VALUE32)) {
1093 tok = au_to_arg32(4, "options", ar->ar_arg_value32);
1094 kau_write(rec, tok);
1095 }
1096 if (ARG_IS_VALID(kar, ARG_CMD)) {
1097 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd);
1098 kau_write(rec, tok);
1099 }
1100 FD_VNODE1_TOKENS;
1101 break;
1102
1103
1104 case AUE_FCHFLAGS:
1105 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
1106 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
1107 kau_write(rec, tok);
1108 }
1109 FD_VNODE1_TOKENS;
1110 break;
1111
1112 case AUE_FLOCK:
1113 if (ARG_IS_VALID(kar, ARG_CMD)) {
1114 tok = au_to_arg32(2, "operation", ar->ar_arg_cmd);
1115 kau_write(rec, tok);
1116 }
1117 FD_VNODE1_TOKENS;
1118 break;
1119
1120 case AUE_FORK:
1121 case AUE_VFORK:
1122 if (ARG_IS_VALID(kar, ARG_PID)) {
1123 tok = au_to_arg32(0, "child PID", ar->ar_arg_pid);
1124 kau_write(rec, tok);
1125 }
1126 break;
1127
1128 case AUE_GETLCID:
1129 if (ARG_IS_VALID(kar, ARG_PID)) {
1130 tok = au_to_arg32(1, "pid", (u_int32_t)ar->ar_arg_pid);
1131 kau_write(rec, tok);
1132 }
1133 break;
1134
1135 case AUE_SETLCID:
1136 if (ARG_IS_VALID(kar, ARG_PID)) {
1137 tok = au_to_arg32(1, "pid", (u_int32_t)ar->ar_arg_pid);
1138 kau_write(rec, tok);
1139 }
1140 if (ARG_IS_VALID(kar, ARG_VALUE32)) {
1141 tok = au_to_arg32(2, "lcid",
1142 (u_int32_t)ar->ar_arg_value32);
1143 kau_write(rec, tok);
1144 }
1145 break;
1146
1147 case AUE_IOCTL:
1148 if (ARG_IS_VALID(kar, ARG_CMD)) {
1149 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd);
1150 kau_write(rec, tok);
1151 }
1152 if (ARG_IS_VALID(kar, ARG_VALUE64)) {
1153 tok = au_to_arg64(2, "cmd", ar->ar_arg_value64);
1154 kau_write(rec, tok);
1155 }
1156 if (ARG_IS_VALID(kar, ARG_ADDR64)) {
1157 tok = au_to_arg64(3, "arg", ar->ar_arg_addr);
1158 kau_write(rec, tok);
1159 } else if (ARG_IS_VALID(kar, ARG_ADDR32)) {
1160 tok = au_to_arg32(3, "arg",
1161 (u_int32_t)ar->ar_arg_addr);
1162 kau_write(rec, tok);
1163 }
1164 if (ARG_IS_VALID(kar, ARG_VNODE1))
1165 FD_VNODE1_TOKENS;
1166 else {
1167 if (ARG_IS_VALID(kar, ARG_SOCKINFO)) {
1168 tok = au_to_socket_ex(
1169 ar->ar_arg_sockinfo.sai_domain,
1170 ar->ar_arg_sockinfo.sai_type,
1171 (struct sockaddr *)
1172 &ar->ar_arg_sockinfo.sai_laddr,
1173 (struct sockaddr *)
1174 &ar->ar_arg_sockinfo.sai_faddr);
1175 kau_write(rec, tok);
1176 } else {
1177 if (ARG_IS_VALID(kar, ARG_FD)) {
1178 tok = au_to_arg32(1, "fd",
1179 ar->ar_arg_fd);
1180 kau_write(rec, tok);
1181 }
1182 }
1183 }
1184 break;
1185
1186 case AUE_KILL:
1187 if (ARG_IS_VALID(kar, ARG_SIGNUM)) {
1188 tok = au_to_arg32(2, "signal", ar->ar_arg_signum);
1189 kau_write(rec, tok);
1190 }
1191 PROCESS_PID_TOKENS(1);
1192 break;
1193
1194 case AUE_LINK:
1195 case AUE_RENAME:
1196 UPATH1_VNODE1_TOKENS;
1197 UPATH2_TOKENS;
b226f5e5 1198 KPATH2_TOKENS;
b0d623f7
A		 1199 break;
1200
1201 case AUE_MKDIR_EXTENDED:
1202 case AUE_CHMOD_EXTENDED:
1203 case AUE_MKFIFO_EXTENDED:
1204 EXTENDED_TOKENS(2);
1205 UPATH1_VNODE1_TOKENS;
1206 break;
1207
1208 case AUE_MKDIR:
1209 if (ARG_IS_VALID(kar, ARG_MODE)) {
1210 tok = au_to_arg32(2, "mode", ar->ar_arg_mode);
1211 kau_write(rec, tok);
1212 }
1213 UPATH1_VNODE1_TOKENS;
1214 break;
1215
1216 case AUE_MKNOD:
1217 if (ARG_IS_VALID(kar, ARG_MODE)) {
1218 tok = au_to_arg32(2, "mode", ar->ar_arg_mode);
1219 kau_write(rec, tok);
1220 }
1221 if (ARG_IS_VALID(kar, ARG_VALUE32)) {
1222 tok = au_to_arg32(3, "dev", ar->ar_arg_value32);
1223 kau_write(rec, tok);
1224 }
1225 UPATH1_VNODE1_TOKENS;
1226 break;
1227
1228 case AUE_MMAP:
1229 case AUE_MUNMAP:
1230 case AUE_MPROTECT:
1231 case AUE_MLOCK:
1232 case AUE_MUNLOCK:
1233 case AUE_MINHERIT:
1234 if (ARG_IS_VALID(kar, ARG_ADDR64)) {
1235 tok = au_to_arg64(1, "addr", ar->ar_arg_addr);
1236 kau_write(rec, tok);
1237 } else if (ARG_IS_VALID(kar, ARG_ADDR32)) {
1238 tok = au_to_arg32(1, "addr",
1239 (u_int32_t)ar->ar_arg_addr);
1240 kau_write(rec, tok);
1241 }
1242 if (ARG_IS_VALID(kar, ARG_LEN)) {
1243 tok = au_to_arg64(2, "len", ar->ar_arg_len);
1244 kau_write(rec, tok);
1245 }
1246 if (ar->ar_event == AUE_MMAP)
1247 FD_VNODE1_TOKENS;
1248 if (ar->ar_event == AUE_MPROTECT) {
1249 if (ARG_IS_VALID(kar, ARG_VALUE32)) {
1250 tok = au_to_arg32(3, "protection",
1251 ar->ar_arg_value32);
1252 kau_write(rec, tok);
1253 }
1254 }
1255 if (ar->ar_event == AUE_MINHERIT) {
1256 if (ARG_IS_VALID(kar, ARG_VALUE32)) {
1257 tok = au_to_arg32(3, "inherit",
1258 ar->ar_arg_value32);
1259 kau_write(rec, tok);
1260 }
1261 }
1262 break;
1263
1264#if CONFIG_MACF
1265 case AUE_MAC_MOUNT:
1266 PROCESS_MAC_TOKENS;
1267 /* FALLTHROUGH */
1268#endif
1269 case AUE_MOUNT:
1270 /* XXX Need to handle NFS mounts */
1271 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
1272 tok = au_to_arg32(3, "flags", ar->ar_arg_fflags);
1273 kau_write(rec, tok);
1274 }
1275 if (ARG_IS_VALID(kar, ARG_TEXT)) {
1276 tok = au_to_text(ar->ar_arg_text);
1277 kau_write(rec, tok);
1278 }
1279 /* FALLTHROUGH */
1280
1281 case AUE_UMOUNT:
1282 case AUE_UNMOUNT:
1283 UPATH1_VNODE1_TOKENS;
1284 break;
5ba3f43e
A		 1285 case AUE_FMOUNT:
1286 if (ARG_IS_VALID(kar, ARG_FD)) {
1287 tok = au_to_arg32(2, "dir fd", ar->ar_arg_fd);
1288 kau_write(rec, tok);
1289 }
1290 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
1291 tok = au_to_arg32(3, "flags", ar->ar_arg_fflags);
1292 kau_write(rec, tok);
1293 }
1294 if (ARG_IS_VALID(kar, ARG_TEXT)) {
1295 tok = au_to_text(ar->ar_arg_text);
1296 kau_write(rec, tok);
1297 }
1298 break;
b0d623f7
A		 1299
1300 case AUE_MSGCTL:
1301 ar->ar_event = audit_msgctl_to_event(ar->ar_arg_svipc_cmd);
1302 /* FALLTHROUGH */
1303
1304 case AUE_MSGRCV:
1305 case AUE_MSGSND:
1306 tok = au_to_arg32(1, "msg ID", ar->ar_arg_svipc_id);
1307 kau_write(rec, tok);
1308 if (ar->ar_errno != EINVAL) {
1309 tok = au_to_ipc(AT_IPC_MSG, ar->ar_arg_svipc_id);
1310 kau_write(rec, tok);
1311 }
1312 break;
1313
1314 case AUE_MSGGET:
1315 if (ar->ar_errno == 0) {
1316 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
1317 tok = au_to_ipc(AT_IPC_MSG,
1318 ar->ar_arg_svipc_id);
1319 kau_write(rec, tok);
1320 }
1321 }
1322 break;
1323
fe8ab488
A		 1324 case AUE_OPEN:
1325 case AUE_OPEN_R:
1326 case AUE_OPEN_RT:
1327 case AUE_OPEN_RW:
1328 case AUE_OPEN_RWT:
1329 case AUE_OPEN_W:
1330 case AUE_OPEN_WT:
1331 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
1332 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
1333 kau_write(rec, tok);
1334 }
1335 UPATH1_VNODE1_TOKENS;
1336 break;
1337
1338 case AUE_OPEN_RC:
1339 case AUE_OPEN_RTC:
1340 case AUE_OPEN_RWC:
1341 case AUE_OPEN_RWTC:
1342 case AUE_OPEN_WC:
1343 case AUE_OPEN_WTC:
b0d623f7
A		 1344 if (ARG_IS_VALID(kar, ARG_MODE)) {
1345 tok = au_to_arg32(3, "mode", ar->ar_arg_mode);
1346 kau_write(rec, tok);
1347 }
1348 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
fe8ab488 1349 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
b0d623f7
A		 1350 kau_write(rec, tok);
1351 }
fe8ab488
A		 1352 UPATH1_VNODE1_TOKENS;
1353 break;
1354
1355 case AUE_OPEN_EXTENDED:
1356 case AUE_OPEN_EXTENDED_R:
1357 case AUE_OPEN_EXTENDED_RT:
1358 case AUE_OPEN_EXTENDED_RW:
1359 case AUE_OPEN_EXTENDED_RWT:
1360 case AUE_OPEN_EXTENDED_W:
1361 case AUE_OPEN_EXTENDED_WT:
1362 EXTENDED_TOKENS(3);
1363 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
1364 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
b0d623f7
A		 1365 kau_write(rec, tok);
1366 }
1367 UPATH1_VNODE1_TOKENS;
1368 break;
1369
1370 case AUE_OPEN_EXTENDED_RC:
1371 case AUE_OPEN_EXTENDED_RTC:
1372 case AUE_OPEN_EXTENDED_RWC:
1373 case AUE_OPEN_EXTENDED_RWTC:
1374 case AUE_OPEN_EXTENDED_WC:
1375 case AUE_OPEN_EXTENDED_WTC:
1376 EXTENDED_TOKENS(3);
1377 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
1378 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
1379 kau_write(rec, tok);
1380 }
1381 UPATH1_VNODE1_TOKENS;
1382 break;
1383
b0d623f7
A		 1384 case AUE_OPENAT:
1385 case AUE_OPENAT_R:
1386 case AUE_OPENAT_RT:
1387 case AUE_OPENAT_RW:
1388 case AUE_OPENAT_RWT:
1389 case AUE_OPENAT_W:
1390 case AUE_OPENAT_WT:
1391 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
1392 tok = au_to_arg32(3, "flags", ar->ar_arg_fflags);
1393 kau_write(rec, tok);
1394 }
1395 if (ARG_IS_VALID(kar, ARG_FD)) {
1396 tok = au_to_arg32(1, "dir fd", ar->ar_arg_fd);
1397 kau_write(rec, tok);
1398 }
1399 UPATH1_VNODE1_TOKENS;
1400 break;
1401
fe8ab488
A		 1402 case AUE_OPENAT_RC:
1403 case AUE_OPENAT_RTC:
1404 case AUE_OPENAT_RWC:
1405 case AUE_OPENAT_RWTC:
1406 case AUE_OPENAT_WC:
1407 case AUE_OPENAT_WTC:
1408 if (ARG_IS_VALID(kar, ARG_MODE)) {
1409 tok = au_to_arg32(4, "mode", ar->ar_arg_mode);
1410 kau_write(rec, tok);
1411 }
b0d623f7 1412 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
fe8ab488
A		 1413 tok = au_to_arg32(3, "flags", ar->ar_arg_fflags);
1414 kau_write(rec, tok);
1415 }
1416 if (ARG_IS_VALID(kar, ARG_FD)) {
1417 tok = au_to_arg32(1, "dir fd", ar->ar_arg_fd);
b0d623f7
A		 1418 kau_write(rec, tok);
1419 }
1420 UPATH1_VNODE1_TOKENS;
1421 break;
1422
fe8ab488
A		 1423 case AUE_OPENBYID:
1424 case AUE_OPENBYID_R:
1425 case AUE_OPENBYID_RT:
1426 case AUE_OPENBYID_RW:
1427 case AUE_OPENBYID_RWT:
1428 case AUE_OPENBYID_W:
1429 case AUE_OPENBYID_WT:
b0d623f7 1430 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
fe8ab488
A		 1431 tok = au_to_arg32(3, "flags", ar->ar_arg_fflags);
1432 kau_write(rec, tok);
1433 }
1434 if (ARG_IS_VALID(kar, ARG_VALUE32)) {
1435 tok = au_to_arg32(1, "volfsid", ar->ar_arg_value32);
1436 kau_write(rec, tok);
1437 }
1438 if (ARG_IS_VALID(kar, ARG_VALUE64)) {
1439 tok = au_to_arg64(2, "objid", ar->ar_arg_value64);
b0d623f7
A		 1440 kau_write(rec, tok);
1441 }
b0d623f7
A		 1442 break;
1443
fe8ab488
A		 1444 case AUE_RENAMEAT:
1445 case AUE_FACCESSAT:
1446 case AUE_FCHMODAT:
1447 case AUE_FCHOWNAT:
1448 case AUE_FSTATAT:
1449 case AUE_LINKAT:
b0d623f7 1450 case AUE_UNLINKAT:
fe8ab488
A		 1451 case AUE_READLINKAT:
1452 case AUE_SYMLINKAT:
1453 case AUE_MKDIRAT:
1454 case AUE_GETATTRLISTAT:
5ba3f43e 1455 case AUE_SETATTRLISTAT:
b0d623f7
A		 1456 if (ARG_IS_VALID(kar, ARG_FD)) {
1457 tok = au_to_arg32(1, "dir fd", ar->ar_arg_fd);
1458 kau_write(rec, tok);
1459 }
1460 UPATH1_VNODE1_TOKENS;
1461 break;
1462
39037602
A		 1463 case AUE_CLONEFILEAT:
1464 if (ARG_IS_VALID(kar, ARG_FD)) {
1465 tok = au_to_arg32(1, "src dir fd", ar->ar_arg_fd);
1466 kau_write(rec, tok);
1467 }
1468 UPATH1_VNODE1_TOKENS;
1469 if (ARG_IS_VALID(kar, ARG_FD2)) {
1470 tok = au_to_arg32(1, "dst dir fd", ar->ar_arg_fd2);
1471 kau_write(rec, tok);
1472 }
1473 UPATH2_TOKENS;
1474 if (ARG_IS_VALID(kar, ARG_VALUE32)) {
1475 tok = au_to_arg32(1, "flags", ar->ar_arg_value32);
1476 kau_write(rec, tok);
1477 }
1478 break;
1479
1480 case AUE_FCLONEFILEAT:
1481 FD_VNODE1_TOKENS;
1482 if (ARG_IS_VALID(kar, ARG_FD2)) {
1483 tok = au_to_arg32(1, "dst dir fd", ar->ar_arg_fd2);
1484 kau_write(rec, tok);
1485 }
1486 UPATH2_TOKENS;
1487 if (ARG_IS_VALID(kar, ARG_VALUE32)) {
1488 tok = au_to_arg32(1, "flags", ar->ar_arg_value32);
1489 kau_write(rec, tok);
1490 }
1491 break;
1492
b0d623f7
A		 1493 case AUE_PTRACE:
1494 if (ARG_IS_VALID(kar, ARG_CMD)) {
1495 tok = au_to_arg32(1, "request", ar->ar_arg_cmd);
1496 kau_write(rec, tok);
1497 }
1498 if (ARG_IS_VALID(kar, ARG_ADDR64)) {
1499 tok = au_to_arg64(3, "addr", ar->ar_arg_addr);
1500 kau_write(rec, tok);
1501 } else if (ARG_IS_VALID(kar, ARG_ADDR32)) {
1502 tok = au_to_arg32(3, "addr",
1503 (u_int32_t)ar->ar_arg_addr);
1504 kau_write(rec, tok);
1505 }
1506 if (ARG_IS_VALID(kar, ARG_VALUE32)) {
1507 tok = au_to_arg32(4, "data", ar->ar_arg_value32);
1508 kau_write(rec, tok);
1509 }
1510 PROCESS_PID_TOKENS(2);
1511 break;
1512
1513 case AUE_QUOTACTL:
1514 if (ARG_IS_VALID(kar, ARG_CMD)) {
1515 tok = au_to_arg32(2, "command", ar->ar_arg_cmd);
1516 kau_write(rec, tok);
1517 }
1518 if (ARG_IS_VALID(kar, ARG_UID)) {
1519 tok = au_to_arg32(3, "uid", ar->ar_arg_uid);
1520 kau_write(rec, tok);
1521 }
1522 UPATH1_VNODE1_TOKENS;
1523 break;
1524
1525 case AUE_REBOOT:
1526 if (ARG_IS_VALID(kar, ARG_CMD)) {
1527 tok = au_to_arg32(1, "howto", ar->ar_arg_cmd);
1528 kau_write(rec, tok);
1529 }
1530 break;
1531
1532 case AUE_SEMCTL:
1533 ar->ar_event = audit_semctl_to_event(ar->ar_arg_svipc_cmd);
1534 /* FALLTHROUGH */
1535
1536 case AUE_SEMOP:
1537 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
1538 tok = au_to_arg32(1, "sem ID", ar->ar_arg_svipc_id);
1539 kau_write(rec, tok);
1540 if (ar->ar_errno != EINVAL) {
1541 tok = au_to_ipc(AT_IPC_SEM,
1542 ar->ar_arg_svipc_id);
1543 kau_write(rec, tok);
1544 }
1545 }
1546 break;
1547
1548 case AUE_SEMGET:
1549 if (ar->ar_errno == 0) {
1550 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
1551 tok = au_to_ipc(AT_IPC_SEM,
1552 ar->ar_arg_svipc_id);
1553 kau_write(rec, tok);
1554 }
1555 }
1556 break;
1557
1558 case AUE_SETEGID:
1559 if (ARG_IS_VALID(kar, ARG_EGID)) {
1560 tok = au_to_arg32(1, "gid", ar->ar_arg_egid);
1561 kau_write(rec, tok);
1562 }
1563 break;
1564
1565 case AUE_SETEUID:
1566 if (ARG_IS_VALID(kar, ARG_EUID)) {
1567 tok = au_to_arg32(1, "uid", ar->ar_arg_euid);
1568 kau_write(rec, tok);
1569 }
1570 break;
1571
1572 case AUE_SETREGID:
1573 if (ARG_IS_VALID(kar, ARG_RGID)) {
1574 tok = au_to_arg32(1, "rgid", ar->ar_arg_rgid);
1575 kau_write(rec, tok);
1576 }
1577 if (ARG_IS_VALID(kar, ARG_EGID)) {
1578 tok = au_to_arg32(2, "egid", ar->ar_arg_egid);
1579 kau_write(rec, tok);
1580 }
1581 break;
1582
1583 case AUE_SETREUID:
1584 if (ARG_IS_VALID(kar, ARG_RUID)) {
1585 tok = au_to_arg32(1, "ruid", ar->ar_arg_ruid);
1586 kau_write(rec, tok);
1587 }
1588 if (ARG_IS_VALID(kar, ARG_EUID)) {
1589 tok = au_to_arg32(2, "euid", ar->ar_arg_euid);
1590 kau_write(rec, tok);
1591 }
1592 break;
1593
1594 case AUE_SETGID:
1595 if (ARG_IS_VALID(kar, ARG_GID)) {
1596 tok = au_to_arg32(1, "gid", ar->ar_arg_gid);
1597 kau_write(rec, tok);
1598 }
1599 break;
1600
1601 case AUE_SETUID:
1602 if (ARG_IS_VALID(kar, ARG_UID)) {
1603 tok = au_to_arg32(1, "uid", ar->ar_arg_uid);
1604 kau_write(rec, tok);
1605 }
1606 break;
1607
1608 case AUE_SETGROUPS:
1609 if (ARG_IS_VALID(kar, ARG_GROUPSET)) {
1610 for (uctr = 0; uctr < ar->ar_arg_groups.gidset_size;
1611 uctr++) {
1612 tok = au_to_arg32(1, "setgroups",
1613 ar->ar_arg_groups.gidset[uctr]);
1614 kau_write(rec, tok);
1615 }
1616 }
1617 break;
1618
1619 case AUE_SETLOGIN:
1620 if (ARG_IS_VALID(kar, ARG_TEXT)) {
1621 tok = au_to_text(ar->ar_arg_text);
1622 kau_write(rec, tok);
1623 }
1624 break;
1625
1626 case AUE_SETPRIORITY:
1627 if (ARG_IS_VALID(kar, ARG_CMD)) {
1628 tok = au_to_arg32(1, "which", ar->ar_arg_cmd);
1629 kau_write(rec, tok);
1630 }
1631 if (ARG_IS_VALID(kar, ARG_UID)) {
1632 tok = au_to_arg32(2, "who", ar->ar_arg_uid);
1633 kau_write(rec, tok);
1634 }
1635 if (ARG_IS_VALID(kar, ARG_VALUE32)) {
1636 tok = au_to_arg32(2, "priority", ar->ar_arg_value32);
1637 kau_write(rec, tok);
1638 }
1639 break;
1640
1641 case AUE_SETPRIVEXEC:
1642 if (ARG_IS_VALID(kar, ARG_VALUE32)) {
1643 tok = au_to_arg32(1, "flag", ar->ar_arg_value32);
1644 kau_write(rec, tok);
1645 }
1646 break;
1647
1648 /* AUE_SHMAT, AUE_SHMCTL, AUE_SHMDT and AUE_SHMGET are SysV IPC */
1649 case AUE_SHMAT:
1650 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
1651 tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id);
1652 kau_write(rec, tok);
1653 /* XXXAUDIT: Does having the ipc token make sense? */
1654 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id);
1655 kau_write(rec, tok);
1656 }
1657 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) {
1658 tok = au_to_arg64(2, "shmaddr", ar->ar_arg_svipc_addr);
1659 kau_write(rec, tok);
1660 }
1661 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) {
1662 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm);
1663 kau_write(rec, tok);
1664 }
1665 break;
1666
1667 case AUE_SHMCTL:
1668 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
1669 tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id);
1670 kau_write(rec, tok);
1671 /* XXXAUDIT: Does having the ipc token make sense? */
1672 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id);
1673 kau_write(rec, tok);
1674 }
1675 switch (ar->ar_arg_svipc_cmd) {
1676 case IPC_STAT:
1677 ar->ar_event = AUE_SHMCTL_STAT;
1678 break;
1679 case IPC_RMID:
1680 ar->ar_event = AUE_SHMCTL_RMID;
1681 break;
1682 case IPC_SET:
1683 ar->ar_event = AUE_SHMCTL_SET;
1684 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) {
1685 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm);
1686 kau_write(rec, tok);
1687 }
1688 break;
1689 default:
1690 break; /* We will audit a bad command */
1691 }
1692 break;
1693
1694 case AUE_SHMDT:
1695 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) {
1696 tok = au_to_arg64(1, "shmaddr",
1697 (int)(uintptr_t)ar->ar_arg_svipc_addr);
1698 kau_write(rec, tok);
1699 }
1700 break;
1701
1702 case AUE_SHMGET:
1703 /* This is unusual; the return value is in an argument token */
1704 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
1705 tok = au_to_arg32(0, "shmid", ar->ar_arg_svipc_id);
1706 kau_write(rec, tok);
1707 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id);
1708 kau_write(rec, tok);
1709 }
1710 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) {
1711 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm);
1712 kau_write(rec, tok);
1713 }
1714 break;
1715
1716 /* AUE_SHMOPEN, AUE_SHMUNLINK, AUE_SEMOPEN, AUE_SEMCLOSE
1717 * and AUE_SEMUNLINK are Posix IPC */
1718 case AUE_SHMOPEN:
1719 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) {
1720 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
1721 kau_write(rec, tok);
1722 }
1723 if (ARG_IS_VALID(kar, ARG_MODE)) {
1724 tok = au_to_arg32(3, "mode", ar->ar_arg_mode);
1725 kau_write(rec, tok);
1726 }
1727 /* FALLTHROUGH */
1728
1729 case AUE_SHMUNLINK:
1730 if (ARG_IS_VALID(kar, ARG_TEXT)) {
1731 tok = au_to_text(ar->ar_arg_text);
1732 kau_write(rec, tok);
1733 }
1734 if (ARG_IS_VALID(kar, ARG_POSIX_IPC_PERM)) {
1735 struct ipc_perm perm;
1736
1737 perm.uid = ar->ar_arg_pipc_perm.pipc_uid;
1738 perm.gid = ar->ar_arg_pipc_perm.pipc_gid;
1739 perm.cuid = ar->ar_arg_pipc_perm.pipc_uid;
1740 perm.cgid = ar->ar_arg_pipc_perm.pipc_gid;
1741 perm.mode = ar->ar_arg_pipc_perm.pipc_mode;
1742 perm._seq = 0;
1743 perm._key = 0;
1744 tok = au_to_ipc_perm(&perm);
1745 kau_write(rec, tok);
1746 }
1747 break;
1748
1749 case AUE_SEMOPEN:
1750 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
1751 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
1752 kau_write(rec, tok);
1753 }
1754 if (ARG_IS_VALID(kar, ARG_MODE)) {
1755 tok = au_to_arg32(3, "mode", ar->ar_arg_mode);
1756 kau_write(rec, tok);
1757 }
1758 if (ARG_IS_VALID(kar, ARG_VALUE32)) {
1759 tok = au_to_arg32(4, "value", ar->ar_arg_value32);
1760 kau_write(rec, tok);
1761 }
1762 /* FALLTHROUGH */
1763
1764 case AUE_SEMUNLINK:
1765 if (ARG_IS_VALID(kar, ARG_TEXT)) {
1766 tok = au_to_text(ar->ar_arg_text);
1767 kau_write(rec, tok);
1768 }
1769 if (ARG_IS_VALID(kar, ARG_POSIX_IPC_PERM)) {
1770 struct ipc_perm perm;
1771
1772 perm.uid = ar->ar_arg_pipc_perm.pipc_uid;
1773 perm.gid = ar->ar_arg_pipc_perm.pipc_gid;
1774 perm.cuid = ar->ar_arg_pipc_perm.pipc_uid;
1775 perm.cgid = ar->ar_arg_pipc_perm.pipc_gid;
1776 perm.mode = ar->ar_arg_pipc_perm.pipc_mode;
1777 perm._seq = 0;
1778 perm._key = 0;
1779 tok = au_to_ipc_perm(&perm);
1780 kau_write(rec, tok);
1781 }
1782 break;
1783
1784 case AUE_SEMCLOSE:
1785 if (ARG_IS_VALID(kar, ARG_FD)) {
1786 tok = au_to_arg32(1, "sem", ar->ar_arg_fd);
1787 kau_write(rec, tok);
1788 }
1789 break;
1790
1791 case AUE_SYMLINK:
1792 if (ARG_IS_VALID(kar, ARG_TEXT)) {
1793 tok = au_to_text(ar->ar_arg_text);
1794 kau_write(rec, tok);
1795 }
1796 UPATH1_VNODE1_TOKENS;
1797 break;
1798
1799 case AUE_SYSCTL:
1800 case AUE_SYSCTL_NONADMIN:
1801 if (ARG_IS_VALID(kar, ARG_CTLNAME | ARG_LEN)) {
1802 for (ctr = 0; ctr < (int)ar->ar_arg_len; ctr++) {
1803 tok = au_to_arg32(1, "name",
1804 ar->ar_arg_ctlname[ctr]);
1805 kau_write(rec, tok);
1806 }
1807 }
1808 if (ARG_IS_VALID(kar, ARG_VALUE32)) {
1809 tok = au_to_arg32(5, "newval", ar->ar_arg_value32);
1810 kau_write(rec, tok);
1811 }
1812 if (ARG_IS_VALID(kar, ARG_TEXT)) {
1813 tok = au_to_text(ar->ar_arg_text);
1814 kau_write(rec, tok);
1815 }
1816 break;
1817
1818 case AUE_UMASK_EXTENDED:
1819 /* ACL data */
1820 if (ARG_IS_VALID(kar, ARG_OPAQUE)) {
1821 tok = au_to_opaque(ar->ar_arg_opaque,
1822 ar->ar_arg_opq_size);
1823 kau_write(rec, tok);
1824 }
1825 /* FALLTHROUGH */
1826
1827 case AUE_UMASK:
1828 if (ARG_IS_VALID(kar, ARG_MASK)) {
1829 tok = au_to_arg32(1, "new mask", ar->ar_arg_mask);
1830 kau_write(rec, tok);
1831 }
1832 tok = au_to_arg32(0, "prev mask", ar->ar_retval);
1833 kau_write(rec, tok);
1834 break;
1835
1836 case AUE_WAIT4:
1837#if 0 /* XXXss - new */
1838 case AUE_WAITID:
1839#endif
1840 if (ARG_IS_VALID(kar, ARG_PID)) {
1841 tok = au_to_arg32(0, "pid", ar->ar_arg_pid);
1842 kau_write(rec, tok);
1843 }
1844 break;
1845
1846 case AUE_FSGETPATH:
1847 if (ARG_IS_VALID(kar, ARG_VALUE32)) {
1848 tok = au_to_arg32(3, "volfsid", ar->ar_arg_value32);
1849 kau_write(rec, tok);
1850 }
1851 if (ARG_IS_VALID(kar, ARG_VALUE64)) {
1852 tok = au_to_arg64(4, "objid", ar->ar_arg_value64);
1853 kau_write(rec, tok);
1854 }
1855 if (ARG_IS_VALID(kar, ARG_TEXT)) {
1856 tok = au_to_text(ar->ar_arg_text);
1857 kau_write(rec, tok);
1858 }
1859 break;
1860
6d2010ae
A		 1861 case AUE_SESSION_START:
1862 case AUE_SESSION_UPDATE:
1863 case AUE_SESSION_END:
1864 case AUE_SESSION_CLOSE:
1865 if (ARG_IS_VALID(kar, ARG_VALUE64)) {
1866 tok = au_to_arg64(1, "sflags", ar->ar_arg_value64);
1867 kau_write(rec, tok);
1868 }
1869 if (ARG_IS_VALID(kar, ARG_AMASK)) {
1870 tok = au_to_arg32(2, "am_success",
1871 ar->ar_arg_amask.am_success);
1872 kau_write(rec, tok);
1873 tok = au_to_arg32(3, "am_failure",
1874 ar->ar_arg_amask.am_failure);
1875 kau_write(rec, tok);
1876 }
1877 break;
1878
b0d623f7
A		 1879 /************************
1880 * Mach system calls *
1881 ************************/
1882 case AUE_INITPROCESS:
1883 break;
1884
1885 case AUE_PIDFORTASK:
1886 if (ARG_IS_VALID(kar, ARG_MACHPORT1)) {
1887 tok = au_to_arg32(1, "port",
1888 (u_int32_t)ar->ar_arg_mach_port1);
1889 kau_write(rec, tok);
1890 }
1891 if (ARG_IS_VALID(kar, ARG_PID)) {
1892 tok = au_to_arg32(2, "pid", (u_int32_t)ar->ar_arg_pid);
1893 kau_write(rec, tok);
1894 }
1895 break;
1896
1897 case AUE_TASKFORPID:
1898 case AUE_TASKNAMEFORPID:
1899 if (ARG_IS_VALID(kar, ARG_MACHPORT1)) {
1900 tok = au_to_arg32(1, "target port",
1901 (u_int32_t)ar->ar_arg_mach_port1);
1902 kau_write(rec, tok);
1903 }
1904 if (ARG_IS_VALID(kar, ARG_MACHPORT2)) {
1905 tok = au_to_arg32(3, "task port",
1906 (u_int32_t)ar->ar_arg_mach_port2);
1907 kau_write(rec, tok);
1908 }
1909 PROCESS_PID_TOKENS(2);
1910 break;
1911
1912 case AUE_SWAPON:
1913 if (ARG_IS_VALID(kar, ARG_VALUE32)) {
1914 tok = au_to_arg32(4, "priority",
1915 (u_int32_t)ar->ar_arg_value32);
1916 kau_write(rec, tok);
1917 }
1918 UPATH1_VNODE1_TOKENS;
1919 break;
1920
1921 case AUE_SWAPOFF:
1922 UPATH1_VNODE1_TOKENS;
1923 break;
1924
1925 case AUE_MAPFD:
1926 if (ARG_IS_VALID(kar, ARG_ADDR64)) {
1927 tok = au_to_arg64(3, "va", ar->ar_arg_addr);
1928 kau_write(rec, tok);
1929 } else if (ARG_IS_VALID(kar, ARG_ADDR32)) {
1930 tok = au_to_arg32(3, "va",
1931 (u_int32_t)ar->ar_arg_addr);
1932 kau_write(rec, tok);
1933 }
1934 FD_VNODE1_TOKENS;
1935 break;
1936
1937#if CONFIG_MACF
1938 case AUE_MAC_GET_FILE:
1939 case AUE_MAC_SET_FILE:
1940 case AUE_MAC_GET_LINK:
1941 case AUE_MAC_SET_LINK:
1942 case AUE_MAC_GET_MOUNT:
1943 UPATH1_VNODE1_TOKENS;
1944 PROCESS_MAC_TOKENS;
1945 break;
1946
1947 case AUE_MAC_GET_FD:
1948 case AUE_MAC_SET_FD:
1949 FD_VNODE1_TOKENS;
1950 PROCESS_MAC_TOKENS;
1951 break;
1952
1953 case AUE_MAC_SYSCALL:
1954 PROCESS_MAC_TOKENS;
1955 if (ARG_IS_VALID(kar, ARG_VALUE32)) {
1956 tok = au_to_arg32(3, "call", ar->ar_arg_value32);
1957 kau_write(rec, tok);
1958 }
1959 break;
1960
1961 case AUE_MAC_EXECVE:
1962 UPATH1_VNODE1_TOKENS;
1963 PROCESS_MAC_TOKENS;
1964 break;
1965
1966 case AUE_MAC_GET_PID:
1967 if (ARG_IS_VALID(kar, ARG_PID)) {
1968 tok = au_to_arg32(1, "pid", (u_int32_t)ar->ar_arg_pid);
1969 kau_write(rec, tok);
1970 }
1971 PROCESS_MAC_TOKENS;
1972 break;
1973
1974 case AUE_MAC_GET_LCID:
1975 if (ARG_IS_VALID(kar, ARG_VALUE32)) {
1976 tok = au_to_arg32(1, "lcid",
1977 (u_int32_t)ar->ar_arg_value32);
1978 kau_write(rec, tok);
1979 }
1980 PROCESS_MAC_TOKENS;
1981 break;
1982
1983 case AUE_MAC_GET_PROC:
1984 case AUE_MAC_SET_PROC:
b0d623f7
A		 1985 PROCESS_MAC_TOKENS;
1986 break;
1987#endif
1988 case AUE_NULL:
1989 default:
1990#if DIAGNOSTIC
1991 printf("BSM conversion requested for unknown event %d\n",
1992 ar->ar_event);
1993#endif
1994
1995 /*
1996 * Write the subject token so it is properly freed here.
1997 */
1998 kau_write(rec, subj_tok);
1999 kau_free(rec);
2000 return (BSM_NOAUDIT);
2001 }
2002
2003#if CONFIG_MACF
6d2010ae 2004 if (NULL != ar->ar_mac_records) {
b0d623f7
A		 2005 /* Convert the audit data from the MAC policies */
2006 struct mac_audit_record *mar;
2007
2008 LIST_FOREACH(mar, ar->ar_mac_records, records) {
2009 switch (mar->type) {
2010 case MAC_AUDIT_DATA_TYPE:
2011 tok = au_to_data(AUP_BINARY, AUR_BYTE,
2012 mar->length,
2013 (const char *)mar->data);
2014 break;
2015 case MAC_AUDIT_TEXT_TYPE:
2016 tok = au_to_text((char*) mar->data);
2017 break;
2018 default:
2019 /*
2020 * XXX: we can either continue,
2021 * skipping this particular entry,
2022 * or we can pre-verify the list and
2023 * abort before writing any records
2024 */
2025 printf("kaudit_to_bsm(): "
2026 "BSM conversion requested for"
2027 "unknown mac_audit data type %d\n",
2028 mar->type);
2029 }
2030
2031 kau_write(rec, tok);
2032 }
6d2010ae 2033 }
b0d623f7
A		 2034#endif
2035
2036 kau_write(rec, subj_tok);
2037
2038#if CONFIG_MACF
2039 if (ar->ar_cred_mac_labels != NULL &&
2040 strlen(ar->ar_cred_mac_labels) != 0) {
2041 tok = au_to_text(ar->ar_cred_mac_labels);
2042 kau_write(rec, tok);
2043 }
2044#endif
2045
2046 tok = au_to_return32(au_errno_to_bsm(ar->ar_errno), ar->ar_retval);
2047 kau_write(rec, tok); /* Every record gets a return token */
2048
d9a64523
A		 2049 if (ARG_IS_VALID(kar, ARG_IDENTITY)) {
2050 struct au_identity_info *id = &ar->ar_arg_identity;
2051 tok = au_to_identity(id->signer_type, id->signing_id,
2052 id->signing_id_trunc, id->team_id, id->team_id_trunc,
2053 id->cdhash, id->cdhash_len);
2054 kau_write(rec, tok);
2055 }
2056
b0d623f7
A		 2057 kau_close(rec, &ar->ar_endtime, ar->ar_event);
2058
2059 *pau = rec;
2060 return (BSM_SUCCESS);
2061}
2062
2063/*
d9a64523 2064 * Verify that a record is a valid BSM record. Return 1 if the
b0d623f7
A		 2065 * record is good, 0 otherwise.
2066 */
2067int
d9a64523 2068bsm_rec_verify(void *rec, int length)
b0d623f7 2069{
d9a64523
A		 2070 /* Used to partially deserialize the buffer */
2071 struct hdr_tok_partial *hdr;
2072 struct trl_tok_partial *trl;
b0d623f7 2073
d9a64523
A		 2074 /* A record requires a complete header and trailer token */
2075 if (length < (AUDIT_HEADER_SIZE + AUDIT_TRAILER_SIZE)) {
2076 return (0);
2077 }
2078
2079 hdr = (struct hdr_tok_partial*)rec;
2080
2081 /* Ensure the provided length matches what the record shows */
2082 if ((uint32_t)length != ntohl(hdr->len)) {
2083 return (0);
2084 }
2085
2086 trl = (struct trl_tok_partial*)(rec + (length - AUDIT_TRAILER_SIZE));
2087
2088 /* Ensure the buffer contains what look like header and trailer tokens */
2089 if (((hdr->type != AUT_HEADER32) && (hdr->type != AUT_HEADER32_EX) &&
2090 (hdr->type != AUT_HEADER64) && (hdr->type != AUT_HEADER64_EX)) ||
2091 (trl->type != AUT_TRAILER)) {
b0d623f7 2092 return (0);
d9a64523
A		 2093 }
2094
2095 /* Ensure the header and trailer agree on the length */
2096 if (hdr->len != trl->len) {
2097 return (0);
2098 }
2099
2100 /* Ensure the trailer token has a proper magic value */
2101 if (ntohs(trl->magic) != AUT_TRAILER_MAGIC) {
2102 return (0);
2103 }
2104
b0d623f7
A		 2105 return (1);
2106}
2107#endif /* CONFIG_AUDIT */
mirror of XNU