]>
Commit | Line | Data |
---|---|---|
1 | /* | |
2 | * Copyright (c) 2003 Apple Computer, Inc. All rights reserved. | |
3 | * | |
4 | * @APPLE_LICENSE_HEADER_START@ | |
5 | * | |
6 | * Copyright (c) 1999-2003 Apple Computer, Inc. All Rights Reserved. | |
7 | * | |
8 | * This file contains Original Code and/or Modifications of Original Code | |
9 | * as defined in and that are subject to the Apple Public Source License | |
10 | * Version 2.0 (the 'License'). You may not use this file except in | |
11 | * compliance with the License. Please obtain a copy of the License at | |
12 | * http://www.opensource.apple.com/apsl/ and read it before using this | |
13 | * file. | |
14 | * | |
15 | * The Original Code and all software distributed under the License are | |
16 | * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER | |
17 | * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, | |
18 | * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, | |
19 | * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. | |
20 | * Please see the License for the specific language governing rights and | |
21 | * limitations under the License. | |
22 | * | |
23 | * @APPLE_LICENSE_HEADER_END@ | |
24 | */ | |
25 | ||
26 | #include <sys/types.h> | |
27 | #include <sys/vnode.h> | |
28 | #include <sys/fcntl.h> | |
29 | #include <sys/filedesc.h> | |
30 | #include <sys/sem.h> | |
31 | #include <sys/audit.h> | |
32 | #include <sys/kern_audit.h> | |
33 | #include <sys/bsm_kevents.h> | |
34 | #include <sys/bsm_klib.h> | |
35 | ||
36 | /* | |
37 | * Initialize the system call to audit event mapping table. This table | |
38 | * must be kept in sync with the system call table. This table is meant to | |
39 | * be directly accessed. | |
40 | * XXX This should be improved, though, to make it independent of the syscall | |
41 | * table (but we don't want to traverse a large table for every system call | |
42 | * to find a match). Ultimately, it would be best to place the audit event | |
43 | * number in the system call table. | |
44 | */ | |
45 | au_event_t sys_au_event[] = { | |
46 | AUE_NULL, /* 0 = indir */ | |
47 | AUE_EXIT, /* 1 = exit */ | |
48 | AUE_NULL, /* 2 = fork */ | |
49 | AUE_NULL, /* 3 = read */ | |
50 | AUE_NULL, /* 4 = write */ | |
51 | AUE_OPEN_R, /* 5 = open */ | |
52 | AUE_NULL, /* 6 = close */ | |
53 | AUE_NULL, /* 7 = wait4 */ | |
54 | AUE_NULL, /* 8 = old creat */ | |
55 | AUE_LINK, /* 9 = link */ | |
56 | AUE_UNLINK, /* 10 = unlink */ | |
57 | AUE_NULL, /* 11 was obsolete execv */ | |
58 | AUE_CHDIR, /* 12 = chdir */ | |
59 | AUE_FCHDIR, /* 13 = fchdir */ | |
60 | AUE_MKNOD, /* 14 = mknod */ | |
61 | AUE_CHMOD, /* 15 = chmod */ | |
62 | AUE_CHOWN, /* 16 = chown; now 3 args */ | |
63 | AUE_NULL, /* 17 = old break */ | |
64 | #if COMPAT_GETFSSTAT | |
65 | AUE_NULL, /* 18 = ogetfsstat */ | |
66 | #else | |
67 | AUE_GETFSSTAT, /* 18 = getfsstat */ | |
68 | #endif | |
69 | AUE_NULL, /* 19 = old lseek */ | |
70 | AUE_NULL, /* 20 = getpid */ | |
71 | AUE_NULL, /* 21 was obsolete mount */ | |
72 | AUE_NULL, /* 22 was obsolete umount */ | |
73 | AUE_SETUID, /* 23 = setuid */ | |
74 | AUE_NULL, /* 24 = getuid */ | |
75 | AUE_NULL, /* 25 = geteuid */ | |
76 | AUE_NULL, /* 26 = ptrace */ | |
77 | AUE_RECVMSG, /* 27 = recvmsg */ | |
78 | AUE_SENDMSG, /* 28 = sendmsg */ | |
79 | AUE_RECVFROM, /* 29 = recvfrom */ | |
80 | AUE_ACCEPT, /* 30 = accept */ | |
81 | AUE_NULL, /* 31 = getpeername */ | |
82 | AUE_NULL, /* 32 = getsockname */ | |
83 | AUE_ACCESS, /* 33 = access */ | |
84 | AUE_CHFLAGS, /* 34 = chflags */ | |
85 | AUE_FCHFLAGS, /* 35 = fchflags */ | |
86 | AUE_NULL, /* 36 = sync */ | |
87 | AUE_NULL, /* 37 = kill */ | |
88 | AUE_NULL, /* 38 = old stat */ | |
89 | AUE_NULL, /* 39 = getppid */ | |
90 | AUE_NULL, /* 40 = old lstat */ | |
91 | AUE_NULL, /* 41 = dup */ | |
92 | AUE_PIPE, /* 42 = pipe */ | |
93 | AUE_NULL, /* 43 = getegid */ | |
94 | AUE_NULL, /* 44 = profil */ | |
95 | AUE_NULL, /* 45 = ktrace */ | |
96 | AUE_NULL, /* 46 = sigaction */ | |
97 | AUE_NULL, /* 47 = getgid */ | |
98 | AUE_NULL, /* 48 = sigprocmask */ | |
99 | AUE_NULL, /* 49 = getlogin */ | |
100 | AUE_NULL, /* 50 = setlogin */ | |
101 | AUE_NULL, /* 51 = turn acct off/on */ | |
102 | AUE_NULL, /* 52 = sigpending */ | |
103 | AUE_NULL, /* 53 = sigaltstack */ | |
104 | AUE_NULL, /* 54 = ioctl */ | |
105 | AUE_NULL, /* 55 = reboot */ | |
106 | AUE_REVOKE, /* 56 = revoke */ | |
107 | AUE_SYMLINK, /* 57 = symlink */ | |
108 | AUE_READLINK, /* 58 = readlink */ | |
109 | AUE_EXECVE, /* 59 = execve */ | |
110 | AUE_UMASK, /* 60 = umask */ | |
111 | AUE_CHROOT, /* 61 = chroot */ | |
112 | AUE_NULL, /* 62 = old fstat */ | |
113 | AUE_NULL, /* 63 = used internally, reserved */ | |
114 | AUE_NULL, /* 64 = old getpagesize */ | |
115 | AUE_NULL, /* 65 = msync */ | |
116 | AUE_NULL, /* 66 = vfork */ | |
117 | AUE_NULL, /* 67 was obsolete vread */ | |
118 | AUE_NULL, /* 68 was obsolete vwrite */ | |
119 | AUE_NULL, /* 69 = sbrk */ | |
120 | AUE_NULL, /* 70 = sstk */ | |
121 | AUE_NULL, /* 71 = old mmap */ | |
122 | AUE_NULL, /* 72 = old vadvise */ | |
123 | AUE_NULL, /* 73 = munmap */ | |
124 | AUE_NULL, /* 74 = mprotect */ | |
125 | AUE_NULL, /* 75 = madvise */ | |
126 | AUE_NULL, /* 76 was obsolete vhangup */ | |
127 | AUE_NULL, /* 77 was obsolete vlimit */ | |
128 | AUE_NULL, /* 78 = mincore */ | |
129 | AUE_NULL, /* 79 = getgroups */ | |
130 | AUE_SETGROUPS, /* 80 = setgroups */ | |
131 | AUE_NULL, /* 81 = getpgrp */ | |
132 | AUE_SETPGRP, /* 82 = setpgid */ | |
133 | AUE_NULL, /* 83 = setitimer */ | |
134 | AUE_NULL, /* 84 = old wait */ | |
135 | AUE_NULL, /* 85 = swapon */ | |
136 | AUE_NULL, /* 86 = getitimer */ | |
137 | AUE_NULL, /* 87 = old gethostname */ | |
138 | AUE_NULL, /* 88 = old sethostname */ | |
139 | AUE_NULL, /* 89 getdtablesize */ | |
140 | AUE_NULL, /* 90 = dup2 */ | |
141 | AUE_NULL, /* 91 was obsolete getdopt */ | |
142 | AUE_FCNTL, /* 92 = fcntl */ | |
143 | AUE_NULL, /* 93 = select */ | |
144 | AUE_NULL, /* 94 was obsolete setdopt */ | |
145 | AUE_NULL, /* 95 = fsync */ | |
146 | AUE_NULL, /* 96 = setpriority */ | |
147 | AUE_SOCKET, /* 97 = socket */ | |
148 | AUE_CONNECT, /* 98 = connect */ | |
149 | AUE_NULL, /* 99 = accept */ | |
150 | AUE_NULL, /* 100 = getpriority */ | |
151 | AUE_NULL, /* 101 = old send */ | |
152 | AUE_NULL, /* 102 = old recv */ | |
153 | AUE_NULL, /* 103 = sigreturn */ | |
154 | AUE_BIND, /* 104 = bind */ | |
155 | AUE_SETSOCKOPT, /* 105 = setsockopt */ | |
156 | AUE_NULL, /* 106 = listen */ | |
157 | AUE_NULL, /* 107 was vtimes */ | |
158 | AUE_NULL, /* 108 = sigvec */ | |
159 | AUE_NULL, /* 109 = sigblock */ | |
160 | AUE_NULL, /* 110 = sigsetmask */ | |
161 | AUE_NULL, /* 111 = sigpause */ | |
162 | AUE_NULL, /* 112 = sigstack */ | |
163 | AUE_NULL, /* 113 = recvmsg */ | |
164 | AUE_NULL, /* 114 = sendmsg */ | |
165 | AUE_NULL, /* 115 = old vtrace */ | |
166 | AUE_NULL, /* 116 = gettimeofday */ | |
167 | AUE_NULL, /* 117 = getrusage */ | |
168 | AUE_NULL, /* 118 = getsockopt */ | |
169 | AUE_NULL, /* 119 = old resuba */ | |
170 | AUE_NULL, /* 120 = readv */ | |
171 | AUE_NULL, /* 121 = writev */ | |
172 | AUE_NULL, /* 122 = settimeofday */ | |
173 | AUE_FCHOWN, /* 123 = fchown */ | |
174 | AUE_FCHMOD, /* 124 = fchmod */ | |
175 | AUE_NULL, /* 125 = recvfrom */ | |
176 | AUE_NULL, /* 126 = setreuid */ | |
177 | AUE_NULL, /* 127 = setregid */ | |
178 | AUE_RENAME, /* 128 = rename */ | |
179 | AUE_NULL, /* 129 = old truncate */ | |
180 | AUE_NULL, /* 130 = old ftruncate */ | |
181 | AUE_FLOCK, /* 131 = flock */ | |
182 | AUE_MKFIFO, /* 132 = mkfifo */ | |
183 | AUE_SENDTO, /* 133 = sendto */ | |
184 | AUE_SHUTDOWN, /* 134 = shutdown */ | |
185 | AUE_SOCKETPAIR, /* 135 = socketpair */ | |
186 | AUE_MKDIR, /* 136 = mkdir */ | |
187 | AUE_RMDIR, /* 137 = rmdir */ | |
188 | AUE_UTIMES, /* 138 = utimes */ | |
189 | AUE_FUTIMES, /* 139 = futimes */ | |
190 | AUE_ADJTIME, /* 140 = adjtime */ | |
191 | AUE_NULL, /* 141 = getpeername */ | |
192 | AUE_NULL, /* 142 = old gethostid */ | |
193 | AUE_NULL, /* 143 = old sethostid */ | |
194 | AUE_NULL, /* 144 = old getrlimit */ | |
195 | AUE_NULL, /* 145 = old setrlimit */ | |
196 | AUE_NULL, /* 146 = old killpg */ | |
197 | AUE_NULL, /* 147 = setsid */ | |
198 | AUE_NULL, /* 148 was setquota */ | |
199 | AUE_NULL, /* 149 was qquota */ | |
200 | AUE_NULL, /* 150 = getsockname */ | |
201 | AUE_NULL, /* 151 = getpgid */ | |
202 | AUE_NULL, /* 152 = setprivexec */ | |
203 | AUE_NULL, /* 153 = pread */ | |
204 | AUE_NULL, /* 154 = pwrite */ | |
205 | AUE_NULL, /* 155 = nfs_svc */ | |
206 | AUE_NULL, /* 156 = old getdirentries */ | |
207 | AUE_STATFS, /* 157 = statfs */ | |
208 | AUE_FSTATFS, /* 158 = fstatfs */ | |
209 | AUE_UMOUNT, /* 159 = unmount */ | |
210 | AUE_NULL, /* 160 was async_daemon */ | |
211 | AUE_GETFH, /* 161 = get file handle */ | |
212 | AUE_NULL, /* 162 = getdomainname */ | |
213 | AUE_NULL, /* 163 = setdomainname */ | |
214 | AUE_NULL, /* 164 */ | |
215 | #if QUOTA | |
216 | AUE_QUOTACTL, /* 165 = quotactl */ | |
217 | #else /* QUOTA */ | |
218 | AUE_NULL, /* 165 = not configured */ | |
219 | #endif /* QUOTA */ | |
220 | AUE_NULL, /* 166 was exportfs */ | |
221 | AUE_MOUNT, /* 167 = mount */ | |
222 | AUE_NULL, /* 168 was ustat */ | |
223 | AUE_NULL, /* 169 = nosys */ | |
224 | AUE_NULL, /* 170 was table */ | |
225 | AUE_NULL, /* 171 = old wait3 */ | |
226 | AUE_NULL, /* 172 was rpause */ | |
227 | AUE_NULL, /* 173 = nosys */ | |
228 | AUE_NULL, /* 174 was getdents */ | |
229 | AUE_NULL, /* 175 was gc_control */ | |
230 | AUE_NULL, /* 176 = add_profil */ | |
231 | AUE_NULL, /* 177 */ | |
232 | AUE_NULL, /* 178 */ | |
233 | AUE_NULL, /* 179 */ | |
234 | AUE_NULL, /* 180 */ | |
235 | AUE_SETGID, /* 181 */ | |
236 | AUE_SETEGID, /* 182 */ | |
237 | AUE_SETEUID, /* 183 */ | |
238 | AUE_NULL, /* 184 = nosys */ | |
239 | AUE_NULL, /* 185 = nosys */ | |
240 | AUE_NULL, /* 186 = nosys */ | |
241 | AUE_NULL, /* 187 = nosys */ | |
242 | AUE_STAT, /* 188 = stat */ | |
243 | AUE_FSTAT, /* 189 = fstat */ | |
244 | AUE_LSTAT, /* 190 = lstat */ | |
245 | AUE_PATHCONF, /* 191 = pathconf */ | |
246 | AUE_FPATHCONF, /* 192 = fpathconf */ | |
247 | ||
248 | #if COMPAT_GETFSSTAT | |
249 | AUE_GETFSSTAT, /* 193 = getfsstat */ | |
250 | #else | |
251 | AUE_NULL, /* 193 is unused */ | |
252 | #endif | |
253 | AUE_NULL, /* 194 = getrlimit */ | |
254 | AUE_SETRLIMIT, /* 195 = setrlimit */ | |
255 | AUE_GETDIRENTRIES, /* 196 = getdirentries */ | |
256 | AUE_NULL, /* 197 = mmap */ | |
257 | AUE_NULL, /* 198 = __syscall */ | |
258 | AUE_NULL, /* 199 = lseek */ | |
259 | AUE_TRUNCATE, /* 200 = truncate */ | |
260 | AUE_FTRUNCATE, /* 201 = ftruncate */ | |
261 | AUE_NULL, /* 202 = __sysctl */ | |
262 | AUE_NULL, /* 203 = mlock */ | |
263 | AUE_NULL, /* 204 = munlock */ | |
264 | AUE_UNDELETE, /* 205 = undelete */ | |
265 | AUE_NULL, /* 206 = ATsocket */ | |
266 | AUE_NULL, /* 207 = ATgetmsg*/ | |
267 | AUE_NULL, /* 208 = ATputmsg*/ | |
268 | AUE_NULL, /* 209 = ATPsndreq*/ | |
269 | AUE_NULL, /* 210 = ATPsndrsp*/ | |
270 | AUE_NULL, /* 211 = ATPgetreq*/ | |
271 | AUE_NULL, /* 212 = ATPgetrsp*/ | |
272 | AUE_NULL, /* 213 = Reserved for AppleTalk */ | |
273 | AUE_NULL, /* 214 = Reserved for AppleTalk */ | |
274 | AUE_NULL, /* 215 = Reserved for AppleTalk */ | |
275 | ||
276 | AUE_NULL, /* 216 = HFS make complex file call (multipel forks */ | |
277 | AUE_NULL, /* 217 = HFS statv extended stat call for HFS */ | |
278 | AUE_NULL, /* 218 = HFS lstatv extended lstat call for HFS */ | |
279 | AUE_NULL, /* 219 = HFS fstatv extended fstat call for HFS */ | |
280 | AUE_GETATTRLIST,/* 220 = HFS getarrtlist get attribute list cal */ | |
281 | AUE_SETATTRLIST,/* 221 = HFS setattrlist set attribute list */ | |
282 | AUE_GETDIRENTRIESATTR,/* 222 = HFS getdirentriesattr get directory attributes */ | |
283 | AUE_EXCHANGEDATA,/* 223 = HFS exchangedata exchange file contents */ | |
284 | AUE_NULL,/* 224 = HFS checkuseraccess check access to a file */ | |
285 | AUE_SEARCHFS, /* 225 = HFS searchfs to implement catalog searching */ | |
286 | AUE_NULL, /* 226 = private delete (Carbon semantics) */ | |
287 | AUE_NULL, /* 227 = copyfile - orignally for AFP */ | |
288 | AUE_NULL, /* 228 */ | |
289 | AUE_NULL, /* 229 */ | |
290 | AUE_NULL, /* 230 */ | |
291 | AUE_NULL, /* 231 */ | |
292 | AUE_NULL, /* 232 */ | |
293 | AUE_NULL, /* 233 */ | |
294 | AUE_NULL, /* 234 */ | |
295 | AUE_NULL, /* 235 */ | |
296 | AUE_NULL, /* 236 */ | |
297 | AUE_NULL, /* 237 */ | |
298 | AUE_NULL, /* 238 */ | |
299 | AUE_NULL, /* 239 */ | |
300 | AUE_NULL, /* 240 */ | |
301 | AUE_NULL, /* 241 */ | |
302 | AUE_NULL, /* 242 = fsctl */ | |
303 | AUE_NULL, /* 243 */ | |
304 | AUE_NULL, /* 244 */ | |
305 | AUE_NULL, /* 245 */ | |
306 | AUE_NULL, /* 246 */ | |
307 | AUE_NULL, /* 247 = nfsclnt*/ | |
308 | AUE_NULL, /* 248 = fhopen */ | |
309 | AUE_NULL, /* 249 */ | |
310 | AUE_NULL, /* 250 = minherit */ | |
311 | AUE_NULL, /* 251 = semsys */ | |
312 | AUE_NULL, /* 252 = msgsys */ | |
313 | AUE_NULL, /* 253 = shmsys */ | |
314 | AUE_SEMCTL, /* 254 = semctl */ | |
315 | AUE_SEMGET, /* 255 = semget */ | |
316 | AUE_SEMOP, /* 256 = semop */ | |
317 | AUE_NULL, /* 257 = semconfig */ | |
318 | AUE_MSGCTL, /* 258 = msgctl */ | |
319 | AUE_MSGGET, /* 259 = msgget */ | |
320 | AUE_MSGSND, /* 260 = msgsnd */ | |
321 | AUE_MSGRCV, /* 261 = msgrcv */ | |
322 | AUE_SHMAT, /* 262 = shmat */ | |
323 | AUE_SHMCTL, /* 263 = shmctl */ | |
324 | AUE_SHMDT, /* 264 = shmdt */ | |
325 | AUE_SHMGET, /* 265 = shmget */ | |
326 | AUE_NULL, /* 266 = shm_open */ | |
327 | AUE_NULL, /* 267 = shm_unlink */ | |
328 | AUE_NULL, /* 268 = sem_open */ | |
329 | AUE_NULL, /* 269 = sem_close */ | |
330 | AUE_NULL, /* 270 = sem_unlink */ | |
331 | AUE_NULL, /* 271 = sem_wait */ | |
332 | AUE_NULL, /* 272 = sem_trywait */ | |
333 | AUE_NULL, /* 273 = sem_post */ | |
334 | AUE_NULL, /* 274 = sem_getvalue */ | |
335 | AUE_NULL, /* 275 = sem_init */ | |
336 | AUE_NULL, /* 276 = sem_destroy */ | |
337 | AUE_NULL, /* 277 */ | |
338 | AUE_NULL, /* 278 */ | |
339 | AUE_NULL, /* 279 */ | |
340 | AUE_NULL, /* 280 */ | |
341 | AUE_NULL, /* 281 */ | |
342 | AUE_NULL, /* 282 */ | |
343 | AUE_NULL, /* 283 */ | |
344 | AUE_NULL, /* 284 */ | |
345 | AUE_NULL, /* 285 */ | |
346 | AUE_NULL, /* 286 */ | |
347 | AUE_NULL, /* 287 */ | |
348 | AUE_NULL, /* 288 */ | |
349 | AUE_NULL, /* 289 */ | |
350 | AUE_NULL, /* 290 */ | |
351 | AUE_NULL, /* 291 */ | |
352 | AUE_NULL, /* 292 */ | |
353 | AUE_NULL, /* 293 */ | |
354 | AUE_NULL, /* 294 */ | |
355 | AUE_NULL, /* 295 */ | |
356 | AUE_NULL, /* 296 = load_shared_file */ | |
357 | AUE_NULL, /* 297 = reset_shared_file */ | |
358 | AUE_NULL, /* 298 = new_system_shared_regions */ | |
359 | AUE_NULL, /* 299 */ | |
360 | AUE_NULL, /* 300 */ | |
361 | AUE_NULL, /* 301 */ | |
362 | AUE_NULL, /* 302 */ | |
363 | AUE_NULL, /* 303 */ | |
364 | AUE_NULL, /* 304 */ | |
365 | AUE_NULL, /* 305 */ | |
366 | AUE_NULL, /* 306 */ | |
367 | AUE_NULL, /* 307 */ | |
368 | AUE_NULL, /* 308 */ | |
369 | AUE_NULL, /* 309 */ | |
370 | AUE_NULL, /* 310 = getsid */ | |
371 | AUE_NULL, /* 311 */ | |
372 | AUE_NULL, /* 312 */ | |
373 | AUE_NULL, /* 313 */ | |
374 | AUE_NULL, /* 314 */ | |
375 | AUE_NULL, /* 315 */ | |
376 | AUE_NULL, /* 316 */ | |
377 | AUE_NULL, /* 317 */ | |
378 | AUE_NULL, /* 318 */ | |
379 | AUE_NULL, /* 319 */ | |
380 | AUE_NULL, /* 320 */ | |
381 | AUE_NULL, /* 321 */ | |
382 | AUE_NULL, /* 322 */ | |
383 | AUE_NULL, /* 323 */ | |
384 | AUE_NULL, /* 324 = mlockall*/ | |
385 | AUE_NULL, /* 325 = munlockall*/ | |
386 | AUE_NULL, /* 326 */ | |
387 | AUE_NULL, /* 327 = issetugid */ | |
388 | AUE_NULL, /* 328 */ | |
389 | AUE_NULL, /* 329 */ | |
390 | AUE_NULL, /* 330 */ | |
391 | AUE_NULL, /* 331 */ | |
392 | AUE_NULL, /* 332 */ | |
393 | AUE_NULL, /* 333 */ | |
394 | AUE_NULL, /* 334 */ | |
395 | AUE_NULL, /* 335 = utrace */ | |
396 | AUE_NULL, /* 336 */ | |
397 | AUE_NULL, /* 337 */ | |
398 | AUE_NULL, /* 338 */ | |
399 | AUE_NULL, /* 339 */ | |
400 | AUE_NULL, /* 340 */ | |
401 | AUE_NULL, /* 341 */ | |
402 | AUE_NULL, /* 342 */ | |
403 | AUE_NULL, /* 343 */ | |
404 | AUE_NULL, /* 344 */ | |
405 | AUE_NULL, /* 345 */ | |
406 | AUE_NULL, /* 346 */ | |
407 | AUE_NULL, /* 347 */ | |
408 | AUE_NULL, /* 348 */ | |
409 | AUE_NULL, /* 349 */ | |
410 | AUE_AUDIT, /* 350 */ | |
411 | AUE_NULL, /* 351 */ | |
412 | AUE_NULL, /* 352 */ | |
413 | AUE_GETAUID, /* 353 */ | |
414 | AUE_SETAUID, /* 354 */ | |
415 | AUE_NULL, /* 355 */ | |
416 | AUE_NULL, /* 356 */ | |
417 | AUE_NULL, /* 357 */ | |
418 | AUE_NULL, /* 358 */ | |
419 | AUE_NULL, /* 359 */ | |
420 | AUE_NULL, /* 360 */ | |
421 | AUE_NULL, /* 361 */ | |
422 | AUE_NULL, /* 362 = kqueue */ | |
423 | AUE_NULL, /* 363 = kevent */ | |
424 | AUE_NULL, /* 364 */ | |
425 | AUE_NULL, /* 365 */ | |
426 | AUE_NULL, /* 366 */ | |
427 | AUE_NULL, /* 367 */ | |
428 | AUE_NULL, /* 368 */ | |
429 | AUE_NULL /* 369 */ | |
430 | }; | |
431 | int nsys_au_event = sizeof(sys_au_event) / sizeof(sys_au_event[0]); | |
432 | ||
433 | /* | |
434 | * Check whether an event is aditable by comparing the mask of classes this | |
435 | * event is part of against the kernel's preselection mask the given mask | |
436 | * which will be the process event mask. | |
437 | * | |
438 | * XXX This needs to eventually implement the selection based on the | |
439 | * event->class mapping that is controlled by a configuration file. | |
440 | */ | |
441 | int au_preselect(au_event_t event, au_mask_t *mask_p, int sorf) | |
442 | { | |
443 | au_class_t ae_class; | |
444 | au_class_t effmask = 0; | |
445 | ||
446 | if(mask_p == NULL) | |
447 | return (-1); | |
448 | ||
449 | /* | |
450 | * XXX Set the event class using a big ugly switch statement. This | |
451 | * will change to use the mapping defined by a configuration file. | |
452 | */ | |
453 | switch (event) { | |
454 | case AUE_MMAP: | |
455 | case AUE_PIPE: | |
456 | /* mmap() and pipe() are AU_NULL in some systems; we'll | |
457 | * place them in AU_IPC for now. | |
458 | */ | |
459 | ae_class = AU_IPC; break; | |
460 | case AUE_READLINK: | |
461 | case AUE_GETDIRENTRIES: | |
462 | ae_class = AU_FREAD; break; | |
463 | case AUE_ACCESS: | |
464 | case AUE_FSTAT: | |
465 | case AUE_FSTATFS: | |
466 | case AUE_GETFH: | |
467 | case AUE_LSTAT: | |
468 | case AUE_FPATHCONF: | |
469 | case AUE_PATHCONF: | |
470 | case AUE_STAT: | |
471 | case AUE_STATFS: | |
472 | case AUE_GETATTRLIST: | |
473 | case AUE_GETFSSTAT: | |
474 | case AUE_GETDIRENTRIESATTR: | |
475 | case AUE_SEARCHFS: | |
476 | ae_class = AU_FACCESS; break; | |
477 | case AUE_CHMOD: | |
478 | case AUE_CHOWN: | |
479 | case AUE_FCHMOD: | |
480 | case AUE_FCHOWN: | |
481 | case AUE_FCNTL: | |
482 | case AUE_FLOCK: | |
483 | case AUE_UTIMES: | |
484 | case AUE_CHFLAGS: | |
485 | case AUE_FCHFLAGS: | |
486 | case AUE_FUTIMES: | |
487 | case AUE_SETATTRLIST: | |
488 | case AUE_TRUNCATE: | |
489 | case AUE_FTRUNCATE: | |
490 | case AUE_UNDELETE: | |
491 | case AUE_EXCHANGEDATA: | |
492 | ae_class = AU_FMODIFY; break; | |
493 | case AUE_LINK: | |
494 | case AUE_MKDIR: | |
495 | case AUE_MKNOD: | |
496 | case AUE_SYMLINK: | |
497 | case AUE_MKFIFO: | |
498 | ae_class = AU_FCREATE; break; | |
499 | case AUE_RMDIR: | |
500 | case AUE_UNLINK: | |
501 | ae_class = AU_FDELETE; break; | |
502 | case AUE_CLOSE: | |
503 | case AUE_MUNMAP: | |
504 | case AUE_REVOKE: | |
505 | ae_class = AU_CLOSE; break; | |
506 | case AUE_CHDIR: | |
507 | case AUE_CHROOT: | |
508 | case AUE_EXIT: | |
509 | case AUE_FCHDIR: | |
510 | case AUE_FORK: | |
511 | case AUE_KILL: | |
512 | case AUE_SETEGID: | |
513 | case AUE_SETEUID: | |
514 | case AUE_SETGID: | |
515 | case AUE_SETGROUPS: | |
516 | case AUE_SETPGRP: | |
517 | case AUE_SETUID: | |
518 | case AUE_VFORK: | |
519 | case AUE_UMASK: | |
520 | ae_class = AU_PROCESS; break; | |
521 | case AUE_ACCEPT: | |
522 | case AUE_BIND: | |
523 | case AUE_CONNECT: | |
524 | case AUE_RECVFROM: | |
525 | case AUE_RECVMSG: | |
526 | case AUE_SENDMSG: | |
527 | case AUE_SENDTO: | |
528 | case AUE_SETSOCKOPT: | |
529 | case AUE_SHUTDOWN: | |
530 | case AUE_SOCKET: | |
531 | case AUE_SOCKETPAIR: | |
532 | ae_class = AU_NET; break; | |
533 | case AUE_MSGCTL: | |
534 | case AUE_MSGGET: | |
535 | case AUE_MSGRCV: | |
536 | case AUE_MSGSND: | |
537 | case AUE_SEMCTL: | |
538 | case AUE_SEMGET: | |
539 | case AUE_SEMOP: | |
540 | case AUE_SHMAT: | |
541 | case AUE_SHMCTL: | |
542 | case AUE_SHMDT: | |
543 | case AUE_SHMGET: | |
544 | ae_class = AU_IPC; break; | |
545 | case AUE_ACCT: | |
546 | case AUE_ADJTIME: | |
547 | case AUE_GETAUID: | |
548 | case AUE_MOUNT: | |
549 | case AUE_SETAUID: | |
550 | case AUE_SETRLIMIT: | |
551 | case AUE_UMOUNT: | |
552 | ae_class = AU_ADMIN; break; | |
553 | case AUE_IOCTL: | |
554 | ae_class = AU_IOCTL; break; | |
555 | case AUE_EXECVE: | |
556 | ae_class = AU_PROCESS|AU_EXEC; break; | |
557 | case AUE_OPEN_R: | |
558 | ae_class = AU_FREAD; break; | |
559 | case AUE_OPEN_RC: | |
560 | ae_class = AU_FREAD|AU_FCREATE; break; | |
561 | case AUE_OPEN_RTC: | |
562 | ae_class = AU_FREAD|AU_FCREATE|AU_FDELETE; break; | |
563 | case AUE_OPEN_RT: | |
564 | ae_class = AU_FREAD|AU_FDELETE; break; | |
565 | case AUE_OPEN_RW: | |
566 | ae_class = AU_FREAD|AU_FWRITE; break; | |
567 | case AUE_OPEN_RWC: | |
568 | ae_class = AU_FREAD|AU_FWRITE|AU_FCREATE; break; | |
569 | case AUE_OPEN_RWTC: | |
570 | ae_class = AU_FREAD|AU_FWRITE|AU_FCREATE|AU_FDELETE; break; | |
571 | case AUE_OPEN_RWT: | |
572 | ae_class = AU_FREAD|AU_FWRITE|AU_FDELETE; break; | |
573 | case AUE_OPEN_W: | |
574 | ae_class = AU_FWRITE; break; | |
575 | case AUE_OPEN_WC: | |
576 | ae_class = AU_FWRITE|AU_FCREATE; break; | |
577 | case AUE_OPEN_WTC: | |
578 | ae_class = AU_FWRITE|AU_FCREATE|AU_FDELETE; break; | |
579 | case AUE_OPEN_WT: | |
580 | ae_class = AU_FWRITE|AU_FDELETE; break; | |
581 | case AUE_RENAME: | |
582 | ae_class = AU_FCREATE|AU_FDELETE; break; | |
583 | default: /* Assign the event to all classes */ | |
584 | ae_class = AU_ALL; break; | |
585 | } | |
586 | ||
587 | /* | |
588 | * Perform the actual check of the masks against the event. | |
589 | */ | |
590 | /* | |
591 | * XXX Need to compare against the kernel mask??? Or do we not do | |
592 | * that by default and let the client code just call this function | |
593 | * with the kernel preselection mask as the mask parameter? | |
594 | */ | |
595 | if(sorf & AU_PRS_SUCCESS) { | |
596 | effmask |= (mask_p->am_success & ae_class); | |
597 | } | |
598 | ||
599 | if(sorf & AU_PRS_FAILURE) { | |
600 | effmask |= (mask_p->am_failure & ae_class); | |
601 | } | |
602 | ||
603 | if(effmask) | |
604 | return (1); | |
605 | else | |
606 | return (0); | |
607 | } | |
608 | ||
609 | /* | |
610 | * Convert an open flags specifier into a specific type of open event for | |
611 | * auditing purposes. | |
612 | */ | |
613 | au_event_t flags_to_openevent(int oflags) { | |
614 | ||
615 | /* Need to check only those flags we care about. */ | |
616 | oflags = oflags & (O_RDONLY | O_CREAT | O_TRUNC | O_RDWR | O_WRONLY); | |
617 | ||
618 | /* These checks determine what flags are on with the condition | |
619 | * that ONLY that combination is on, and no other flags are on. | |
620 | */ | |
621 | if (!(oflags ^ O_RDONLY)) | |
622 | return AUE_OPEN_R; | |
623 | if (!(oflags ^ (O_RDONLY | O_CREAT))) | |
624 | return AUE_OPEN_RC; | |
625 | if (!(oflags ^ (O_RDONLY | O_CREAT | O_TRUNC))) | |
626 | return AUE_OPEN_RTC; | |
627 | if (!(oflags ^ (O_RDONLY | O_TRUNC))) | |
628 | return AUE_OPEN_RT; | |
629 | if (!(oflags ^ O_RDWR)) | |
630 | return AUE_OPEN_RW; | |
631 | if (!(oflags ^ (O_RDWR | O_CREAT))) | |
632 | return AUE_OPEN_RWC; | |
633 | if (!(oflags ^ (O_RDWR | O_CREAT | O_TRUNC))) | |
634 | return AUE_OPEN_RWTC; | |
635 | if (!(oflags ^ (O_RDWR | O_TRUNC))) | |
636 | return AUE_OPEN_RWT; | |
637 | if (!(oflags ^ O_WRONLY)) | |
638 | return AUE_OPEN_W; | |
639 | if (!(oflags ^ (O_WRONLY | O_CREAT))) | |
640 | return AUE_OPEN_WC; | |
641 | if (!(oflags ^ (O_WRONLY | O_CREAT | O_TRUNC))) | |
642 | return AUE_OPEN_WTC; | |
643 | if (!(oflags ^ (O_WRONLY | O_TRUNC))) | |
644 | return AUE_OPEN_WT; | |
645 | ||
646 | return AUE_OPEN_R; | |
647 | } | |
648 | ||
649 | /* | |
650 | * Fill in a vattr struct from kernel audit record fields. This function | |
651 | * would be unecessary if we store a vattr in the kernel audit record | |
652 | * directly. | |
653 | */ | |
654 | void fill_vattr(struct vattr *v, struct vnode_au_info *vn_info) | |
655 | { | |
656 | v->va_mode = vn_info->vn_mode; | |
657 | v->va_uid = vn_info->vn_uid; | |
658 | v->va_gid = vn_info->vn_gid; | |
659 | v->va_fsid = vn_info->vn_fsid; | |
660 | v->va_fileid = vn_info->vn_fileid; | |
661 | v->va_rdev = vn_info->vn_dev; | |
662 | } | |
663 | ||
664 | /* Convert a MSGCTL command to a specific event. */ | |
665 | int msgctl_to_event(int cmd) | |
666 | { | |
667 | switch (cmd) { | |
668 | case IPC_RMID: | |
669 | return AUE_MSGCTL_RMID; | |
670 | case IPC_SET: | |
671 | return AUE_MSGCTL_SET; | |
672 | case IPC_STAT: | |
673 | return AUE_MSGCTL_STAT; | |
674 | default: | |
675 | return AUE_MSGCTL; | |
676 | /* We will audit a bad command */ | |
677 | } | |
678 | } | |
679 | ||
680 | /* Convert a SEMCTL command to a specific event. */ | |
681 | int semctl_to_event(int cmd) | |
682 | { | |
683 | switch (cmd) { | |
684 | case GETALL: | |
685 | return AUE_SEMCTL_GETALL; | |
686 | case GETNCNT: | |
687 | return AUE_SEMCTL_GETNCNT; | |
688 | case GETPID: | |
689 | return AUE_SEMCTL_GETPID; | |
690 | case GETVAL: | |
691 | return AUE_SEMCTL_GETVAL; | |
692 | case GETZCNT: | |
693 | return AUE_SEMCTL_GETZCNT; | |
694 | case IPC_RMID: | |
695 | return AUE_SEMCTL_RMID; | |
696 | case IPC_SET: | |
697 | return AUE_SEMCTL_SET; | |
698 | case SETALL: | |
699 | return AUE_SEMCTL_SETALL; | |
700 | case SETVAL: | |
701 | return AUE_SEMCTL_SETVAL; | |
702 | case IPC_STAT: | |
703 | return AUE_SEMCTL_STAT; | |
704 | default: | |
705 | return AUE_SEMCTL; | |
706 | /* We will audit a bad command */ | |
707 | } | |
708 | } | |
709 | ||
710 | /* | |
711 | * Create a canonical path from given path by prefixing either the | |
712 | * root directory, or the current working directory. | |
713 | * If the process working directory is NULL, we could use 'rootvnode' | |
714 | * to obtain the root directoty, but this results in a volfs name | |
715 | * written to the audit log. So we will leave the filename starting | |
716 | * with '/' in the audit log in this case. | |
717 | */ | |
718 | void canon_path(struct proc *p, char *path, char *cpath) | |
719 | { | |
720 | char *bufp; | |
721 | int len; | |
722 | struct vnode *vnp; | |
723 | struct filedesc *fdp; | |
724 | ||
725 | fdp = p->p_fd; | |
726 | bufp = path; | |
727 | if (*(path) == '/') { | |
728 | while (*(bufp) == '/') | |
729 | bufp++; /* skip leading '/'s */ | |
730 | /* If no process root, or it is the same as the system root, | |
731 | * audit the path as passed in with a single '/'. | |
732 | */ | |
733 | if ((fdp->fd_rdir == NULL) || | |
734 | (fdp->fd_rdir == rootvnode)) { | |
735 | vnp = NULL; | |
736 | bufp--; /* restore one '/' */ | |
737 | } else { | |
738 | vnp = fdp->fd_rdir; /* use process root */ | |
739 | } | |
740 | } else { | |
741 | vnp = fdp->fd_cdir; /* prepend the current dir */ | |
742 | bufp = path; | |
743 | } | |
744 | if (vnp != NULL) { | |
745 | len = MAXPATHLEN; | |
746 | vn_getpath(vnp, cpath, &len); | |
747 | /* The length returned by vn_getpath() is two greater than the | |
748 | * number of characters in the string. | |
749 | */ | |
750 | if (len < MAXPATHLEN) | |
751 | cpath[len-2] = '/'; | |
752 | strncpy(cpath + len-1, bufp, MAXPATHLEN - len); | |
753 | } else { | |
754 | strncpy(cpath, bufp, MAXPATHLEN); | |
755 | } | |
756 | } |