]> git.saurik.com Git - apple/xnu.git/blame_incremental - bsd/kern/kern_bsm_klib.c
projects / apple / xnu.git / blame_incremental
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (non-incremental) | history | HEAD
xnu-792.22.5.tar.gz
[apple/xnu.git] / bsd / kern / kern_bsm_klib.c
... / ...
CommitLineData
1/*
2 * Copyright (c) 2004 Apple Computer, Inc. All rights reserved.
3 *
4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. The rights granted to you under the License
10 * may not be used to create, or enable the creation or redistribution of,
11 * unlawful or unlicensed copies of an Apple operating system, or to
12 * circumvent, violate, or enable the circumvention or violation of, any
13 * terms of an Apple operating system software license agreement.
14 *
15 * Please obtain a copy of the License at
16 * http://www.opensource.apple.com/apsl/ and read it before using this file.
17 *
18 * The Original Code and all software distributed under the License are
19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 * Please see the License for the specific language governing rights and
24 * limitations under the License.
25 *
26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27 */
28
29#include <sys/systm.h>
30#include <sys/types.h>
31#include <sys/proc_internal.h>
32#include <sys/vnode_internal.h>
33#include <sys/fcntl.h>
34#include <sys/filedesc.h>
35#include <sys/sem.h>
36
37#include <bsm/audit.h>
38#include <bsm/audit_kernel.h>
39#include <bsm/audit_kevents.h>
40#include <bsm/audit_klib.h>
41
42/*
43 * Initialize the system call to audit event mapping table. This table
44 * must be kept in sync with the system call table. This table is meant to
45 * be directly accessed.
46 * XXX This should be improved, though, to make it independent of the syscall
47 * table (but we don't want to traverse a large table for every system call
48 * to find a match). Ultimately, it would be best to place the audit event
49 * number in the system call table.
50 */
51au_event_t sys_au_event[] = {
52 AUE_NULL, /* 0 = indir */
53 AUE_EXIT, /* 1 = exit */
54 AUE_FORK, /* 2 = fork */
55 AUE_NULL, /* 3 = read */
56 AUE_NULL, /* 4 = write */
57 AUE_OPEN_RWTC, /* 5 = open */
58 AUE_CLOSE, /* 6 = close */
59 AUE_NULL, /* 7 = wait4 */
60 AUE_O_CREAT, /* 8 = old creat */
61 AUE_LINK, /* 9 = link */
62 AUE_UNLINK, /* 10 = unlink */
63 AUE_NULL, /* 11 was obsolete execv */
64 AUE_CHDIR, /* 12 = chdir */
65 AUE_FCHDIR, /* 13 = fchdir */
66 AUE_MKNOD, /* 14 = mknod */
67 AUE_CHMOD, /* 15 = chmod */
68 AUE_CHOWN, /* 16 = chown; now 3 args */
69 AUE_NULL, /* 17 = old break */
70#if COMPAT_GETFSSTAT
71 AUE_GETFSSTAT, /* 18 = getfsstat */
72#else
73 AUE_NULL, /* 18 = ogetfsstat */
74#endif
75 AUE_NULL, /* 19 = old lseek */
76 AUE_NULL, /* 20 = getpid */
77 AUE_NULL, /* 21 was obsolete mount */
78 AUE_NULL, /* 22 was obsolete umount */
79 AUE_SETUID, /* 23 = setuid */
80 AUE_NULL, /* 24 = getuid */
81 AUE_NULL, /* 25 = geteuid */
82 AUE_PTRACE, /* 26 = ptrace */
83 AUE_RECVMSG, /* 27 = recvmsg */
84 AUE_SENDMSG, /* 28 = sendmsg */
85 AUE_RECVFROM, /* 29 = recvfrom */
86 AUE_ACCEPT, /* 30 = accept */
87 AUE_NULL, /* 31 = getpeername */
88 AUE_NULL, /* 32 = getsockname */
89 AUE_ACCESS, /* 33 = access */
90 AUE_CHFLAGS, /* 34 = chflags */
91 AUE_FCHFLAGS, /* 35 = fchflags */
92 AUE_NULL, /* 36 = sync */
93 AUE_KILL, /* 37 = kill */
94 AUE_O_STAT, /* 38 = old stat */
95 AUE_NULL, /* 39 = getppid */
96 AUE_O_LSTAT, /* 40 = old lstat */
97 AUE_NULL, /* 41 = dup */
98 AUE_PIPE, /* 42 = pipe */
99 AUE_NULL, /* 43 = getegid */
100 AUE_NULL, /* 44 = profil */
101 AUE_KTRACE, /* 45 = ktrace */
102 AUE_NULL, /* 46 = sigaction */
103 AUE_NULL, /* 47 = getgid */
104 AUE_NULL, /* 48 = sigprocmask */
105 AUE_NULL, /* 49 = getlogin */
106 AUE_SETLOGIN, /* 50 = setlogin */
107 AUE_ACCT, /* 51 = turn acct off/on */
108 AUE_NULL, /* 52 = sigpending */
109 AUE_NULL, /* 53 = sigaltstack */
110 AUE_IOCTL, /* 54 = ioctl */
111 AUE_REBOOT, /* 55 = reboot */
112 AUE_REVOKE, /* 56 = revoke */
113 AUE_SYMLINK, /* 57 = symlink */
114 AUE_READLINK, /* 58 = readlink */
115 AUE_EXECVE, /* 59 = execve */
116 AUE_UMASK, /* 60 = umask */
117 AUE_CHROOT, /* 61 = chroot */
118 AUE_O_FSTAT, /* 62 = old fstat */
119 AUE_NULL, /* 63 = used internally, reserved */
120 AUE_NULL, /* 64 = old getpagesize */
121 AUE_NULL, /* 65 = msync */
122 AUE_VFORK, /* 66 = vfork */
123 AUE_NULL, /* 67 was obsolete vread */
124 AUE_NULL, /* 68 was obsolete vwrite */
125 AUE_NULL, /* 69 = sbrk */
126 AUE_NULL, /* 70 = sstk */
127 AUE_O_MMAP, /* 71 = old mmap */
128 AUE_NULL, /* 72 = old vadvise */
129 AUE_MUNMAP, /* 73 = munmap */
130 AUE_MPROTECT, /* 74 = mprotect */
131 AUE_NULL, /* 75 = madvise */
132 AUE_NULL, /* 76 was obsolete vhangup */
133 AUE_NULL, /* 77 was obsolete vlimit */
134 AUE_NULL, /* 78 = mincore */
135 AUE_NULL, /* 79 = getgroups */
136 AUE_SETGROUPS, /* 80 = setgroups */
137 AUE_NULL, /* 81 = getpgrp */
138 AUE_SETPGRP, /* 82 = setpgid */
139 AUE_NULL, /* 83 = setitimer */
140 AUE_NULL, /* 84 = old wait */
141 AUE_NULL, /* 85 = swapon */
142 AUE_NULL, /* 86 = getitimer */
143 AUE_NULL, /* 87 = old gethostname */
144 AUE_O_SETHOSTNAME, /* 88 = old sethostname */
145 AUE_NULL, /* 89 getdtablesize */
146 AUE_NULL, /* 90 = dup2 */
147 AUE_NULL, /* 91 was obsolete getdopt */
148 AUE_FCNTL, /* 92 = fcntl */
149 AUE_NULL, /* 93 = select */
150 AUE_NULL, /* 94 was obsolete setdopt */
151 AUE_NULL, /* 95 = fsync */
152 AUE_SETPRIORITY, /* 96 = setpriority */
153 AUE_SOCKET, /* 97 = socket */
154 AUE_CONNECT, /* 98 = connect */
155 AUE_NULL, /* 99 = accept */
156 AUE_NULL, /* 100 = getpriority */
157 AUE_O_SEND, /* 101 = old send */
158 AUE_O_RECV, /* 102 = old recv */
159 AUE_NULL, /* 103 = sigreturn */
160 AUE_BIND, /* 104 = bind */
161 AUE_SETSOCKOPT, /* 105 = setsockopt */
162 AUE_NULL, /* 106 = listen */
163 AUE_NULL, /* 107 was vtimes */
164 AUE_NULL, /* 108 = sigvec */
165 AUE_NULL, /* 109 = sigblock */
166 AUE_NULL, /* 110 = sigsetmask */
167 AUE_NULL, /* 111 = sigpause */
168 AUE_NULL, /* 112 = sigstack */
169 AUE_O_RECVMSG, /* 113 = recvmsg */
170 AUE_O_SENDMSG, /* 114 = sendmsg */
171 AUE_NULL, /* 115 = old vtrace */
172 AUE_NULL, /* 116 = gettimeofday */
173 AUE_NULL, /* 117 = getrusage */
174 AUE_NULL, /* 118 = getsockopt */
175 AUE_NULL, /* 119 = old resuba */
176 AUE_NULL, /* 120 = readv */
177 AUE_NULL, /* 121 = writev */
178 AUE_SETTIMEOFDAY, /* 122 = settimeofday */
179 AUE_FCHOWN, /* 123 = fchown */
180 AUE_FCHMOD, /* 124 = fchmod */
181 AUE_O_RECVFROM, /* 125 = recvfrom */
182 AUE_NULL, /* 126 = setreuid */
183 AUE_NULL, /* 127 = setregid */
184 AUE_RENAME, /* 128 = rename */
185 AUE_O_TRUNCATE, /* 129 = old truncate */
186 AUE_O_FTRUNCATE, /* 130 = old ftruncate */
187 AUE_FLOCK, /* 131 = flock */
188 AUE_MKFIFO, /* 132 = mkfifo */
189 AUE_SENDTO, /* 133 = sendto */
190 AUE_SHUTDOWN, /* 134 = shutdown */
191 AUE_SOCKETPAIR, /* 135 = socketpair */
192 AUE_MKDIR, /* 136 = mkdir */
193 AUE_RMDIR, /* 137 = rmdir */
194 AUE_UTIMES, /* 138 = utimes */
195 AUE_FUTIMES, /* 139 = futimes */
196 AUE_ADJTIME, /* 140 = adjtime */
197 AUE_NULL, /* 141 = getpeername */
198 AUE_NULL, /* 142 = old gethostid */
199 AUE_NULL, /* 143 = old sethostid */
200 AUE_NULL, /* 144 = old getrlimit */
201 AUE_O_SETRLIMIT, /* 145 = old setrlimit */
202 AUE_O_KILLPG, /* 146 = old killpg */
203 AUE_SETSID, /* 147 = setsid */
204 AUE_NULL, /* 148 was setquota */
205 AUE_NULL, /* 149 was qquota */
206 AUE_NULL, /* 150 = getsockname */
207 AUE_NULL, /* 151 = getpgid */
208 AUE_SETPRIVEXEC, /* 152 = setprivexec */
209 AUE_NULL, /* 153 = pread */
210 AUE_NULL, /* 154 = pwrite */
211 AUE_NFSSVC, /* 155 = nfs_svc */
212 AUE_O_GETDIRENTRIES, /* 156 = old getdirentries */
213 AUE_STATFS, /* 157 = statfs */
214 AUE_FSTATFS, /* 158 = fstatfs */
215 AUE_UNMOUNT, /* 159 = unmount */
216 AUE_NULL, /* 160 was async_daemon */
217 AUE_GETFH, /* 161 = get file handle */
218 AUE_NULL, /* 162 = getdomainname */
219 AUE_O_SETDOMAINNAME, /* 163 = setdomainname */
220 AUE_NULL, /* 164 */
221#if QUOTA
222 AUE_QUOTACTL, /* 165 = quotactl */
223#else /* QUOTA */
224 AUE_NULL, /* 165 = not configured */
225#endif /* QUOTA */
226 AUE_NULL, /* 166 was exportfs */
227 AUE_MOUNT, /* 167 = mount */
228 AUE_NULL, /* 168 was ustat */
229 AUE_NULL, /* 169 = nosys */
230 AUE_NULL, /* 170 was table */
231 AUE_NULL, /* 171 = old wait3 */
232 AUE_NULL, /* 172 was rpause */
233 AUE_NULL, /* 173 = nosys */
234 AUE_NULL, /* 174 was getdents */
235 AUE_NULL, /* 175 was gc_control */
236 AUE_NULL, /* 176 = add_profil */
237 AUE_NULL, /* 177 */
238 AUE_NULL, /* 178 */
239 AUE_NULL, /* 179 */
240 AUE_NULL, /* 180 */
241 AUE_SETGID, /* 181 */
242 AUE_SETEGID, /* 182 */
243 AUE_SETEUID, /* 183 */
244 AUE_NULL, /* 184 = nosys */
245 AUE_NULL, /* 185 = nosys */
246 AUE_NULL, /* 186 = nosys */
247 AUE_NULL, /* 187 = nosys */
248 AUE_STAT, /* 188 = stat */
249 AUE_FSTAT, /* 189 = fstat */
250 AUE_LSTAT, /* 190 = lstat */
251 AUE_PATHCONF, /* 191 = pathconf */
252 AUE_FPATHCONF, /* 192 = fpathconf */
253#if COMPAT_GETFSSTAT
254 AUE_GETFSSTAT, /* 193 = getfsstat */
255#else
256 AUE_NULL, /* 193 is unused */
257#endif
258 AUE_NULL, /* 194 = getrlimit */
259 AUE_SETRLIMIT, /* 195 = setrlimit */
260 AUE_GETDIRENTRIES, /* 196 = getdirentries */
261 AUE_MMAP, /* 197 = mmap */
262 AUE_NULL, /* 198 = __syscall */
263 AUE_NULL, /* 199 = lseek */
264 AUE_TRUNCATE, /* 200 = truncate */
265 AUE_FTRUNCATE, /* 201 = ftruncate */
266 AUE_SYSCTL, /* 202 = __sysctl */
267 AUE_MLOCK, /* 203 = mlock */
268 AUE_MUNLOCK, /* 204 = munlock */
269 AUE_UNDELETE, /* 205 = undelete */
270 AUE_NULL, /* 206 = ATsocket */
271 AUE_NULL, /* 207 = ATgetmsg*/
272 AUE_NULL, /* 208 = ATputmsg*/
273 AUE_NULL, /* 209 = ATPsndreq*/
274 AUE_NULL, /* 210 = ATPsndrsp*/
275 AUE_NULL, /* 211 = ATPgetreq*/
276 AUE_NULL, /* 212 = ATPgetrsp*/
277 AUE_NULL, /* 213 = Reserved for AppleTalk */
278 AUE_NULL, /* 214 = Reserved for AppleTalk */
279 AUE_NULL, /* 215 = Reserved for AppleTalk */
280
281 AUE_NULL, /* 216 = HFS make complex file call (multipel forks */
282 AUE_NULL, /* 217 = HFS statv extended stat call for HFS */
283 AUE_NULL, /* 218 = HFS lstatv extended lstat call for HFS */
284 AUE_NULL, /* 219 = HFS fstatv extended fstat call for HFS */
285 AUE_GETATTRLIST,/* 220 = HFS getarrtlist get attribute list cal */
286 AUE_SETATTRLIST,/* 221 = HFS setattrlist set attribute list */
287 AUE_GETDIRENTRIESATTR,/* 222 = HFS getdirentriesattr get directory attributes */
288 AUE_EXCHANGEDATA,/* 223 = HFS exchangedata exchange file contents */
289 AUE_CHECKUSERACCESS,/* 224 = HFS checkuseraccess check access to file */
290 AUE_SEARCHFS, /* 225 = HFS searchfs to implement catalog searching */
291 AUE_DELETE, /* 226 = private delete (Carbon semantics) */
292 AUE_NULL, /* 227 = copyfile - orignally for AFP */
293 AUE_NULL, /* 228 */
294 AUE_NULL, /* 229 */
295 AUE_NULL, /* 230 */
296 AUE_NULL, /* 231 */
297 AUE_NULL, /* 232 */
298 AUE_NULL, /* 233 */
299 AUE_NULL, /* 234 */
300 AUE_NULL, /* 235 */
301 AUE_NULL, /* 236 */
302 AUE_NULL, /* 237 */
303 AUE_NULL, /* 238 */
304 AUE_NULL, /* 239 */
305 AUE_NULL, /* 240 */
306 AUE_NULL, /* 241 */
307 AUE_NULL, /* 242 = fsctl */
308 AUE_NULL, /* 243 */
309 AUE_NULL, /* 244 */
310 AUE_NULL, /* 245 */
311 AUE_NULL, /* 246 */
312 AUE_NULL, /* 247 = nfsclnt*/
313 AUE_NULL, /* 248 = fhopen */
314 AUE_NULL, /* 249 */
315 AUE_MINHERIT, /* 250 = minherit */
316 AUE_NULL, /* 251 = semsys */
317 AUE_NULL, /* 252 = msgsys */
318 AUE_NULL, /* 253 = shmsys */
319 AUE_SEMCTL, /* 254 = semctl */
320 AUE_SEMGET, /* 255 = semget */
321 AUE_SEMOP, /* 256 = semop */
322 AUE_NULL, /* 257 = */
323 AUE_MSGCTL, /* 258 = msgctl */
324 AUE_MSGGET, /* 259 = msgget */
325 AUE_MSGSND, /* 260 = msgsnd */
326 AUE_MSGRCV, /* 261 = msgrcv */
327 AUE_SHMAT, /* 262 = shmat */
328 AUE_SHMCTL, /* 263 = shmctl */
329 AUE_SHMDT, /* 264 = shmdt */
330 AUE_SHMGET, /* 265 = shmget */
331 AUE_SHMOPEN, /* 266 = shm_open */
332 AUE_SHMUNLINK, /* 267 = shm_unlink */
333 AUE_SEMOPEN, /* 268 = sem_open */
334 AUE_SEMCLOSE, /* 269 = sem_close */
335 AUE_SEMUNLINK, /* 270 = sem_unlink */
336 AUE_NULL, /* 271 = sem_wait */
337 AUE_NULL, /* 272 = sem_trywait */
338 AUE_NULL, /* 273 = sem_post */
339 AUE_NULL, /* 274 = sem_getvalue */
340 AUE_NULL, /* 275 = sem_init */
341 AUE_NULL, /* 276 = sem_destroy */
342 AUE_NULL, /* 277 */
343 AUE_NULL, /* 278 */
344 AUE_NULL, /* 279 */
345 AUE_NULL, /* 280 */
346 AUE_NULL, /* 281 */
347 AUE_NULL, /* 282 */
348 AUE_NULL, /* 283 */
349 AUE_NULL, /* 284 */
350 AUE_NULL, /* 285 */
351 AUE_NULL, /* 286 */
352 AUE_NULL, /* 287 */
353 AUE_NULL, /* 288 */
354 AUE_NULL, /* 289 */
355 AUE_NULL, /* 290 */
356 AUE_NULL, /* 291 */
357 AUE_NULL, /* 292 */
358 AUE_NULL, /* 293 */
359 AUE_NULL, /* 294 */
360 AUE_NULL, /* 295 */
361 AUE_LOADSHFILE, /* 296 = load_shared_file */
362 AUE_RESETSHFILE, /* 297 = reset_shared_file */
363 AUE_NEWSYSTEMSHREG, /* 298 = new_system_shared_regions */
364 AUE_NULL, /* 299 */
365 AUE_NULL, /* 300 */
366 AUE_NULL, /* 301 */
367 AUE_NULL, /* 302 */
368 AUE_NULL, /* 303 */
369 AUE_NULL, /* 304 */
370 AUE_NULL, /* 305 */
371 AUE_NULL, /* 306 */
372 AUE_NULL, /* 307 */
373 AUE_NULL, /* 308 */
374 AUE_NULL, /* 309 */
375 AUE_NULL, /* 310 = getsid */
376 AUE_NULL, /* 311 */
377 AUE_NULL, /* 312 */
378 AUE_NULL, /* 313 */
379 AUE_NULL, /* 314 */
380 AUE_NULL, /* 315 */
381 AUE_NULL, /* 316 */
382 AUE_NULL, /* 317 */
383 AUE_NULL, /* 318 */
384 AUE_NULL, /* 319 */
385 AUE_NULL, /* 320 */
386 AUE_NULL, /* 321 */
387 AUE_NULL, /* 322 */
388 AUE_NULL, /* 323 */
389 AUE_NULL, /* 324 = mlockall*/
390 AUE_NULL, /* 325 = munlockall*/
391 AUE_NULL, /* 326 */
392 AUE_NULL, /* 327 = issetugid */
393 AUE_NULL, /* 328 */
394 AUE_NULL, /* 329 */
395 AUE_NULL, /* 330 */
396 AUE_NULL, /* 331 */
397 AUE_NULL, /* 332 */
398 AUE_NULL, /* 333 */
399 AUE_NULL, /* 334 */
400 AUE_NULL, /* 335 = utrace */
401 AUE_NULL, /* 336 */
402 AUE_NULL, /* 337 */
403 AUE_NULL, /* 338 */
404 AUE_NULL, /* 339 */
405 AUE_NULL, /* 340 */
406 AUE_NULL, /* 341 */
407 AUE_NULL, /* 342 */
408 AUE_NULL, /* 343 */
409 AUE_NULL, /* 344 */
410 AUE_NULL, /* 345 */
411 AUE_NULL, /* 346 */
412 AUE_NULL, /* 347 */
413 AUE_NULL, /* 348 */
414 AUE_NULL, /* 349 */
415 AUE_AUDIT, /* 350 */
416 AUE_AUDITON, /* 351 */
417 AUE_NULL, /* 352 */
418 AUE_GETAUID, /* 353 */
419 AUE_SETAUID, /* 354 */
420 AUE_GETAUDIT, /* 355 */
421 AUE_SETAUDIT, /* 356 */
422 AUE_GETAUDIT_ADDR, /* 357 */
423 AUE_SETAUDIT_ADDR, /* 358 */
424 AUE_AUDITCTL, /* 359 */
425 AUE_NULL, /* 360 */
426 AUE_NULL, /* 361 */
427 AUE_NULL, /* 362 = kqueue */
428 AUE_NULL, /* 363 = kevent */
429 AUE_LCHOWN, /* 364 = lchown */
430 AUE_NULL, /* 365 */
431 AUE_NULL, /* 366 */
432 AUE_NULL, /* 367 */
433 AUE_NULL, /* 368 */
434 AUE_NULL /* 369 */
435};
436int nsys_au_event = sizeof(sys_au_event) / sizeof(sys_au_event[0]);
437
438/*
439 * Hash table functions for the audit event number to event class mask mapping.
440 */
441
442#define EVCLASSMAP_HASH_TABLE_SIZE 251
443struct evclass_elem {
444 au_event_t event;
445 au_class_t class;
446 LIST_ENTRY(evclass_elem) entry;
447};
448struct evclass_list {
449 LIST_HEAD(, evclass_elem) head;
450};
451
452struct evclass_list evclass_hash[EVCLASSMAP_HASH_TABLE_SIZE];
453
454au_class_t au_event_class(au_event_t event)
455{
456
457 struct evclass_list *evcl;
458 struct evclass_elem *evc;
459
460 evcl = &evclass_hash[event % EVCLASSMAP_HASH_TABLE_SIZE];
461
462 /* If an entry at our hash location matches the event, just return */
463 LIST_FOREACH(evc, &evcl->head, entry) {
464 if (evc->event == event)
465 return (evc->class);
466 }
467 return (AU_NULL);
468}
469
470 /*
471 * Insert a event to class mapping. If the event already exists in the
472 * mapping, then replace the mapping with the new one.
473 * XXX There is currently no constraints placed on the number of mappings.
474 * May want to either limit to a number, or in terms of memory usage.
475 */
476void au_evclassmap_insert(au_event_t event, au_class_t class)
477{
478 struct evclass_list *evcl;
479 struct evclass_elem *evc;
480
481 evcl = &evclass_hash[event % EVCLASSMAP_HASH_TABLE_SIZE];
482
483 LIST_FOREACH(evc, &evcl->head, entry) {
484 if (evc->event == event) {
485 evc->class = class;
486 return;
487 }
488 }
489 kmem_alloc(kernel_map, (vm_offset_t *)&evc, sizeof(*evc));
490 if (evc == NULL) {
491 return;
492 }
493 evc->event = event;
494 evc->class = class;
495 LIST_INSERT_HEAD(&evcl->head, evc, entry);
496}
497
498void au_evclassmap_init()
499{
500 int i;
501 for (i = 0; i < EVCLASSMAP_HASH_TABLE_SIZE; i++) {
502 LIST_INIT(&evclass_hash[i].head);
503 }
504
505 /* Set up the initial event to class mapping for system calls. */
506 for (i = 0; i < nsys_au_event; i++) {
507 if (sys_au_event[i] != AUE_NULL) {
508 au_evclassmap_insert(sys_au_event[i], AU_NULL);
509 }
510 }
511 /* Add the Mach system call events */
512 au_evclassmap_insert(AUE_TASKFORPID, AU_NULL);
513 au_evclassmap_insert(AUE_PIDFORTASK, AU_NULL);
514 au_evclassmap_insert(AUE_SWAPON, AU_NULL);
515 au_evclassmap_insert(AUE_SWAPOFF, AU_NULL);
516 au_evclassmap_insert(AUE_MAPFD, AU_NULL);
517 au_evclassmap_insert(AUE_INITPROCESS, AU_NULL);
518
519 /* Add the specific open events to the mapping. */
520 au_evclassmap_insert(AUE_OPEN_R, AU_FREAD);
521 au_evclassmap_insert(AUE_OPEN_RC, AU_FREAD|AU_FCREATE);
522 au_evclassmap_insert(AUE_OPEN_RTC, AU_FREAD|AU_FCREATE|AU_FDELETE);
523 au_evclassmap_insert(AUE_OPEN_RT, AU_FREAD|AU_FDELETE);
524 au_evclassmap_insert(AUE_OPEN_RW, AU_FREAD|AU_FWRITE);
525 au_evclassmap_insert(AUE_OPEN_RWC, AU_FREAD|AU_FWRITE|AU_FCREATE);
526 au_evclassmap_insert(AUE_OPEN_RWTC, AU_FREAD|AU_FWRITE|AU_FCREATE|AU_FDELETE);
527 au_evclassmap_insert(AUE_OPEN_RWT, AU_FREAD|AU_FWRITE|AU_FDELETE);
528 au_evclassmap_insert(AUE_OPEN_W, AU_FWRITE);
529 au_evclassmap_insert(AUE_OPEN_WC, AU_FWRITE|AU_FCREATE);
530 au_evclassmap_insert(AUE_OPEN_WTC, AU_FWRITE|AU_FCREATE|AU_FDELETE);
531 au_evclassmap_insert(AUE_OPEN_WT, AU_FWRITE|AU_FDELETE);
532}
533
534 /*
535 * Check whether an event is aditable by comparing the mask of classes this
536 * event is part of against the given mask.
537 */
538int au_preselect(au_event_t event, au_mask_t *mask_p, int sorf)
539{
540 au_class_t effmask = 0;
541 au_class_t ae_class;
542
543 if(mask_p == NULL)
544 return (-1);
545
546 ae_class = au_event_class(event);
547 /*
548 * Perform the actual check of the masks against the event.
549 */
550 if(sorf & AU_PRS_SUCCESS) {
551 effmask |= (mask_p->am_success & ae_class);
552 }
553
554 if(sorf & AU_PRS_FAILURE) {
555 effmask |= (mask_p->am_failure & ae_class);
556 }
557
558 if(effmask)
559 return (1);
560 else
561 return (0);
562}
563
564/*
565 * Convert sysctl names and present arguments to events
566 */
567au_event_t ctlname_to_sysctlevent(int name[], uint64_t valid_arg) {
568
569 /* can't parse it - so return the worst case */
570 if ((valid_arg & (ARG_CTLNAME | ARG_LEN)) !=
571 (ARG_CTLNAME | ARG_LEN))
572 return AUE_SYSCTL;
573
574 switch (name[0]) {
575 /* non-admin "lookups" treat them special */
576 case KERN_OSTYPE:
577 case KERN_OSRELEASE:
578 case KERN_OSREV:
579 case KERN_VERSION:
580 case KERN_ARGMAX:
581 case KERN_CLOCKRATE:
582 case KERN_BOOTTIME:
583 case KERN_POSIX1:
584 case KERN_NGROUPS:
585 case KERN_JOB_CONTROL:
586 case KERN_SAVED_IDS:
587 case KERN_NETBOOT:
588 case KERN_SYMFILE:
589 case KERN_SHREG_PRIVATIZABLE:
590 return AUE_SYSCTL_NONADMIN;
591
592 /* only treat the sets as admin */
593 case KERN_MAXVNODES:
594 case KERN_MAXPROC:
595 case KERN_MAXFILES:
596 case KERN_MAXPROCPERUID:
597 case KERN_MAXFILESPERPROC:
598 case KERN_HOSTID:
599 case KERN_AIOMAX:
600 case KERN_AIOPROCMAX:
601 case KERN_AIOTHREADS:
602 case KERN_COREDUMP:
603 case KERN_SUGID_COREDUMP:
604 return (valid_arg & ARG_VALUE) ?
605 AUE_SYSCTL : AUE_SYSCTL_NONADMIN;
606
607 default:
608 return AUE_SYSCTL;
609 }
610 /* NOTREACHED */
611}
612
613/*
614 * Convert an open flags specifier into a specific type of open event for
615 * auditing purposes.
616 */
617au_event_t flags_and_error_to_openevent(int oflags, int error) {
618 au_event_t aevent;
619
620 /* Need to check only those flags we care about. */
621 oflags = oflags & (O_RDONLY | O_CREAT | O_TRUNC | O_RDWR | O_WRONLY);
622
623 /* These checks determine what flags are on with the condition
624 * that ONLY that combination is on, and no other flags are on.
625 */
626 switch (oflags) {
627 case O_RDONLY:
628 aevent = AUE_OPEN_R;
629 break;
630 case (O_RDONLY | O_CREAT):
631 aevent = AUE_OPEN_RC;
632 break;
633 case (O_RDONLY | O_CREAT | O_TRUNC):
634 aevent = AUE_OPEN_RTC;
635 break;
636 case (O_RDONLY | O_TRUNC):
637 aevent = AUE_OPEN_RT;
638 break;
639 case O_RDWR:
640 aevent = AUE_OPEN_RW;
641 break;
642 case (O_RDWR | O_CREAT):
643 aevent = AUE_OPEN_RWC;
644 break;
645 case (O_RDWR | O_CREAT | O_TRUNC):
646 aevent = AUE_OPEN_RWTC;
647 break;
648 case (O_RDWR | O_TRUNC):
649 aevent = AUE_OPEN_RWT;
650 break;
651 case O_WRONLY:
652 aevent = AUE_OPEN_W;
653 break;
654 case (O_WRONLY | O_CREAT):
655 aevent = AUE_OPEN_WC;
656 break;
657 case (O_WRONLY | O_CREAT | O_TRUNC):
658 aevent = AUE_OPEN_WTC;
659 break;
660 case (O_WRONLY | O_TRUNC):
661 aevent = AUE_OPEN_WT;
662 break;
663 default:
664 aevent = AUE_OPEN;
665 break;
666}
667
668/*
669 * Convert chatty errors to better matching events.
670 * Failures to find a file are really just attribute
671 * events - so recast them as such.
672*/
673 switch (aevent) {
674 case AUE_OPEN_R:
675 case AUE_OPEN_RT:
676 case AUE_OPEN_RW:
677 case AUE_OPEN_RWT:
678 case AUE_OPEN_W:
679 case AUE_OPEN_WT:
680 if (error == ENOENT)
681 aevent = AUE_OPEN;
682}
683 return aevent;
684}
685
686/* Convert a MSGCTL command to a specific event. */
687au_event_t msgctl_to_event(int cmd)
688{
689 switch (cmd) {
690 case IPC_RMID:
691 return AUE_MSGCTL_RMID;
692 case IPC_SET:
693 return AUE_MSGCTL_SET;
694 case IPC_STAT:
695 return AUE_MSGCTL_STAT;
696 default:
697 return AUE_MSGCTL;
698 /* We will audit a bad command */
699 }
700}
701
702/* Convert a SEMCTL command to a specific event. */
703au_event_t semctl_to_event(int cmd)
704{
705 switch (cmd) {
706 case GETALL:
707 return AUE_SEMCTL_GETALL;
708 case GETNCNT:
709 return AUE_SEMCTL_GETNCNT;
710 case GETPID:
711 return AUE_SEMCTL_GETPID;
712 case GETVAL:
713 return AUE_SEMCTL_GETVAL;
714 case GETZCNT:
715 return AUE_SEMCTL_GETZCNT;
716 case IPC_RMID:
717 return AUE_SEMCTL_RMID;
718 case IPC_SET:
719 return AUE_SEMCTL_SET;
720 case SETALL:
721 return AUE_SEMCTL_SETALL;
722 case SETVAL:
723 return AUE_SEMCTL_SETVAL;
724 case IPC_STAT:
725 return AUE_SEMCTL_STAT;
726 default:
727 return AUE_SEMCTL;
728 /* We will audit a bad command */
729 }
730}
731
732/* Convert a command for the auditon() system call to a audit event. */
733int auditon_command_event(int cmd)
734{
735 switch(cmd) {
736 case A_GETPOLICY:
737 return AUE_AUDITON_GPOLICY;
738 break;
739 case A_SETPOLICY:
740 return AUE_AUDITON_SPOLICY;
741 break;
742 case A_GETKMASK:
743 return AUE_AUDITON_GETKMASK;
744 break;
745 case A_SETKMASK:
746 return AUE_AUDITON_SETKMASK;
747 break;
748 case A_GETQCTRL:
749 return AUE_AUDITON_GQCTRL;
750 break;
751 case A_SETQCTRL:
752 return AUE_AUDITON_SQCTRL;
753 break;
754 case A_GETCWD:
755 return AUE_AUDITON_GETCWD;
756 break;
757 case A_GETCAR:
758 return AUE_AUDITON_GETCAR;
759 break;
760 case A_GETSTAT:
761 return AUE_AUDITON_GETSTAT;
762 break;
763 case A_SETSTAT:
764 return AUE_AUDITON_SETSTAT;
765 break;
766 case A_SETUMASK:
767 return AUE_AUDITON_SETUMASK;
768 break;
769 case A_SETSMASK:
770 return AUE_AUDITON_SETSMASK;
771 break;
772 case A_GETCOND:
773 return AUE_AUDITON_GETCOND;
774 break;
775 case A_SETCOND:
776 return AUE_AUDITON_SETCOND;
777 break;
778 case A_GETCLASS:
779 return AUE_AUDITON_GETCLASS;
780 break;
781 case A_SETCLASS:
782 return AUE_AUDITON_SETCLASS;
783 break;
784 case A_GETPINFO:
785 case A_SETPMASK:
786 case A_SETFSIZE:
787 case A_GETFSIZE:
788 case A_GETPINFO_ADDR:
789 case A_GETKAUDIT:
790 case A_SETKAUDIT:
791 default:
792 return AUE_AUDITON; /* No special record */
793 break;
794 }
795}
796
797/*
798 * Create a canonical path from given path by prefixing either the
799 * root directory, or the current working directory.
800 * If the process working directory is NULL, we could use 'rootvnode'
801 * to obtain the root directoty, but this results in a volfs name
802 * written to the audit log. So we will leave the filename starting
803 * with '/' in the audit log in this case.
804 */
805int canon_path(struct proc *p, char *path, char *cpath)
806{
807 char *bufp;
808 int len;
809 struct vnode *vnp;
810 struct filedesc *fdp;
811 int ret;
812
813 fdp = p->p_fd;
814 bufp = path;
815 if (*(path) == '/') {
816 while (*(bufp) == '/')
817 bufp++; /* skip leading '/'s */
818 /* If no process root, or it is the same as the system root,
819 * audit the path as passed in with a single '/'.
820 */
821 if ((fdp->fd_rdir == NULL) ||
822 (fdp->fd_rdir == rootvnode)) {
823 vnp = NULL;
824 bufp--; /* restore one '/' */
825 } else {
826 vnp = fdp->fd_rdir; /* use process root */
827 }
828 } else {
829 vnp = fdp->fd_cdir; /* prepend the current dir */
830 bufp = path;
831 }
832 if (vnp != NULL) {
833 len = MAXPATHLEN;
834 ret = vn_getpath(vnp, cpath, &len);
835 if (ret != 0) {
836 cpath[0] = '\0';
837 return (ret);
838 }
839 if (len < MAXPATHLEN)
840 cpath[len-1] = '/';
841 strncpy(cpath + len, bufp, MAXPATHLEN - len);
842 } else {
843 strncpy(cpath, bufp, MAXPATHLEN);
844 }
845 return (0);
846}
mirror of XNU