]> git.saurik.com Git - apple/xnu.git/blob - bsd/security/audit/audit_bsm.c
projects / apple / xnu.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
xnu-2422.115.4.tar.gz
[apple/xnu.git] / bsd / security / audit / audit_bsm.c
1 /*
2 * Copyright (c) 1999-2009 Apple Inc.
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. Neither the name of Apple Inc. ("Apple") nor the names of
14 * its contributors may be used to endorse or promote products derived
15 * from this software without specific prior written permission.
16 *
17 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
21 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
25 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
26 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
27 * POSSIBILITY OF SUCH DAMAGE.
28 */
29 /*
30 * NOTICE: This file was modified by SPARTA, Inc. in 2005 to introduce
31 * support for mandatory and extensible security protections. This notice
32 * is included in support of clause 2.2 (b) of the Apple Public License,
33 * Version 2.0.
34 */
35
36 #include <sys/types.h>
37 #include <sys/vnode_internal.h>
38 #include <sys/ipc.h>
39 #include <sys/sem.h>
40 #include <sys/socketvar.h>
41 #include <sys/socket.h>
42 #include <sys/queue.h>
43 #include <sys/fcntl.h>
44 #include <sys/user.h>
45 #include <sys/ipc.h>
46
47 #include <bsm/audit.h>
48 #include <bsm/audit_internal.h>
49 #include <bsm/audit_record.h>
50 #include <bsm/audit_kevents.h>
51
52 #include <security/audit/audit.h>
53 #include <security/audit/audit_bsd.h>
54 #include <security/audit/audit_private.h>
55
56 #include <netinet/in_systm.h>
57 #include <netinet/in.h>
58 #include <netinet/ip.h>
59
60 #include <kern/lock.h>
61
62 #if CONFIG_AUDIT
63 MALLOC_DEFINE(M_AUDITBSM, "audit_bsm", "Audit BSM data");
64
65 #if CONFIG_MACF
66 #include <security/mac_framework.h>
67 #endif
68
69 static void audit_sys_auditon(struct audit_record *ar,
70 struct au_record *rec);
71 static void audit_sys_fcntl(struct kaudit_record *kar,
72 struct au_record *rec);
73
74 /*
75 * Initialize the BSM auditing subsystem.
76 */
77 void
78 kau_init(void)
79 {
80
81 au_evclassmap_init();
82 }
83
84 /*
85 * This call reserves memory for the audit record. Memory must be guaranteed
86 * before any auditable event can be generated. The au_record structure
87 * maintains a reference to the memory allocated above and also the list of
88 * tokens associated with this record.
89 */
90 static struct au_record *
91 kau_open(void)
92 {
93 struct au_record *rec;
94
95 rec = malloc(sizeof(*rec), M_AUDITBSM, M_WAITOK);
96 rec->data = NULL;
97 TAILQ_INIT(&rec->token_q);
98 rec->len = 0;
99 rec->used = 1;
100
101 return (rec);
102 }
103
104 /*
105 * Store the token with the record descriptor.
106 */
107 static void
108 kau_write(struct au_record *rec, struct au_token *tok)
109 {
110
111 KASSERT(tok != NULL, ("kau_write: tok == NULL"));
112
113 TAILQ_INSERT_TAIL(&rec->token_q, tok, tokens);
114 rec->len += tok->len;
115 }
116
117 /*
118 * Close out the audit record by adding the header token, identifying any
119 * missing tokens. Write out the tokens to the record memory.
120 */
121 static void
122 kau_close(struct au_record *rec, struct timespec *ctime, short event)
123 {
124 u_char *dptr;
125 size_t tot_rec_size;
126 token_t *cur, *hdr, *trail;
127 struct timeval tm;
128 size_t hdrsize;
129 struct auditinfo_addr ak;
130 struct in6_addr *ap;
131
132 audit_get_kinfo(&ak);
133 hdrsize = 0;
134 switch (ak.ai_termid.at_type) {
135 case AU_IPv4:
136 hdrsize = (ak.ai_termid.at_addr[0] == INADDR_ANY) ?
137 AUDIT_HEADER_SIZE : AUDIT_HEADER_EX_SIZE(&ak);
138 break;
139 case AU_IPv6:
140 ap = (struct in6_addr *)&ak.ai_termid.at_addr[0];
141 hdrsize = (IN6_IS_ADDR_UNSPECIFIED(ap)) ? AUDIT_HEADER_SIZE :
142 AUDIT_HEADER_EX_SIZE(&ak);
143 break;
144 default:
145 panic("kau_close: invalid address family");
146 }
147 tot_rec_size = rec->len + AUDIT_HEADER_SIZE + AUDIT_TRAILER_SIZE;
148 rec->data = malloc(tot_rec_size, M_AUDITBSM, M_WAITOK | M_ZERO);
149
150 tm.tv_usec = ctime->tv_nsec / 1000;
151 tm.tv_sec = ctime->tv_sec;
152 if (hdrsize != AUDIT_HEADER_SIZE)
153 hdr = au_to_header32_ex_tm(tot_rec_size, event, 0, tm, &ak);
154 else
155 hdr = au_to_header32_tm(tot_rec_size, event, 0, tm);
156 TAILQ_INSERT_HEAD(&rec->token_q, hdr, tokens);
157
158 trail = au_to_trailer(tot_rec_size);
159 TAILQ_INSERT_TAIL(&rec->token_q, trail, tokens);
160
161 rec->len = tot_rec_size;
162 dptr = rec->data;
163 TAILQ_FOREACH(cur, &rec->token_q, tokens) {
164 memcpy(dptr, cur->t_data, cur->len);
165 dptr += cur->len;
166 }
167 }
168
169 /*
170 * Free a BSM audit record by releasing all the tokens and clearing the audit
171 * record information.
172 */
173 void
174 kau_free(struct au_record *rec)
175 {
176 struct au_token *tok;
177
178 /* Free the token list. */
179 while ((tok = TAILQ_FIRST(&rec->token_q))) {
180 TAILQ_REMOVE(&rec->token_q, tok, tokens);
181 free(tok->t_data, M_AUDITBSM);
182 free(tok, M_AUDITBSM);
183 }
184
185 rec->used = 0;
186 rec->len = 0;
187 free(rec->data, M_AUDITBSM);
188 free(rec, M_AUDITBSM);
189 }
190
191 /*
192 * XXX: May want turn some (or all) of these macros into functions in order
193 * to reduce the generated code size.
194 *
195 * XXXAUDIT: These macros assume that 'kar', 'ar', 'rec', and 'tok' in the
196 * caller are OK with this.
197 */
198 #if CONFIG_MACF
199 #define MAC_VNODE1_LABEL_TOKEN do { \
200 if (ar->ar_vnode1_mac_labels != NULL && \
201 strlen(ar->ar_vnode1_mac_labels) != 0) { \
202 tok = au_to_text(ar->ar_vnode1_mac_labels); \
203 kau_write(rec, tok); \
204 } \
205 } while (0)
206
207 #define MAC_VNODE2_LABEL_TOKEN do { \
208 if (ar->ar_vnode2_mac_labels != NULL && \
209 strlen(ar->ar_vnode2_mac_labels) != 0) { \
210 tok = au_to_text(ar->ar_vnode2_mac_labels); \
211 kau_write(rec, tok); \
212 } \
213 } while (0)
214 #else
215 #define MAC_VNODE1_LABEL_TOKEN
216 #define MAC_VNODE2_LABEL_TOKEN
217 #endif
218 #define UPATH1_TOKENS do { \
219 if (ARG_IS_VALID(kar, ARG_UPATH1)) { \
220 tok = au_to_path(ar->ar_arg_upath1); \
221 kau_write(rec, tok); \
222 } \
223 } while (0)
224
225 #define UPATH2_TOKENS do { \
226 if (ARG_IS_VALID(kar, ARG_UPATH2)) { \
227 tok = au_to_path(ar->ar_arg_upath2); \
228 kau_write(rec, tok); \
229 } \
230 } while (0)
231
232 #define VNODE1_TOKENS do { \
233 if (ARG_IS_VALID(kar, ARG_KPATH1)) { \
234 tok = au_to_path(ar->ar_arg_kpath1); \
235 kau_write(rec, tok); \
236 } \
237 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \
238 tok = au_to_attr32(&ar->ar_arg_vnode1); \
239 kau_write(rec, tok); \
240 MAC_VNODE1_LABEL_TOKEN; \
241 } \
242 } while (0)
243
244 #define UPATH1_VNODE1_TOKENS do { \
245 if (ARG_IS_VALID(kar, ARG_UPATH1)) { \
246 tok = au_to_path(ar->ar_arg_upath1); \
247 kau_write(rec, tok); \
248 } \
249 if (ARG_IS_VALID(kar, ARG_KPATH1)) { \
250 tok = au_to_path(ar->ar_arg_kpath1); \
251 kau_write(rec, tok); \
252 } \
253 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \
254 tok = au_to_attr32(&ar->ar_arg_vnode1); \
255 kau_write(rec, tok); \
256 MAC_VNODE1_LABEL_TOKEN; \
257 } \
258 } while (0)
259
260 #define VNODE2_TOKENS do { \
261 if (ARG_IS_VALID(kar, ARG_VNODE2)) { \
262 tok = au_to_attr32(&ar->ar_arg_vnode2); \
263 kau_write(rec, tok); \
264 MAC_VNODE2_LABEL_TOKEN; \
265 } \
266 } while (0)
267
268 #define FD_VNODE1_TOKENS do { \
269 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \
270 if (ARG_IS_VALID(kar, ARG_KPATH1)) { \
271 tok = au_to_path(ar->ar_arg_kpath1); \
272 kau_write(rec, tok); \
273 } \
274 if (ARG_IS_VALID(kar, ARG_FD)) { \
275 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); \
276 kau_write(rec, tok); \
277 MAC_VNODE1_LABEL_TOKEN; \
278 } \
279 tok = au_to_attr32(&ar->ar_arg_vnode1); \
280 kau_write(rec, tok); \
281 } else { \
282 if (ARG_IS_VALID(kar, ARG_FD)) { \
283 tok = au_to_arg32(1, "fd", \
284 ar->ar_arg_fd); \
285 kau_write(rec, tok); \
286 MAC_VNODE1_LABEL_TOKEN; \
287 } \
288 } \
289 } while (0)
290
291 #define PROCESS_PID_TOKENS(argn) do { \
292 if ((ar->ar_arg_pid > 0) /* Reference a single process */ \
293 && (ARG_IS_VALID(kar, ARG_PROCESS))) { \
294 tok = au_to_process32_ex(ar->ar_arg_auid, \
295 ar->ar_arg_euid, ar->ar_arg_egid, \
296 ar->ar_arg_ruid, ar->ar_arg_rgid, \
297 ar->ar_arg_pid, ar->ar_arg_asid, \
298 &ar->ar_arg_termid_addr); \
299 kau_write(rec, tok); \
300 } else if (ARG_IS_VALID(kar, ARG_PID)) { \
301 tok = au_to_arg32(argn, "process", ar->ar_arg_pid); \
302 kau_write(rec, tok); \
303 } \
304 } while (0)
305
306 #define EXTATTR_TOKENS do { \
307 if (ARG_IS_VALID(kar, ARG_VALUE32)) { \
308 switch (ar->ar_arg_value32) { \
309 case EXTATTR_NAMESPACE_USER: \
310 tok = au_to_text(EXTATTR_NAMESPACE_USER_STRING);\
311 break; \
312 case EXTATTR_NAMESPACE_SYSTEM: \
313 tok = au_to_text(EXTATTR_NAMESPACE_SYSTEM_STRING);\
314 break; \
315 default: \
316 tok = au_to_arg32(3, "attrnamespace", \
317 ar->ar_arg_value32); \
318 break; \
319 } \
320 kau_write(rec, tok); \
321 } \
322 /* attrname is in the text field */ \
323 if (ARG_IS_VALID(kar, ARG_TEXT)) { \
324 tok = au_to_text(ar->ar_arg_text); \
325 kau_write(rec, tok); \
326 } \
327 } while (0)
328
329 #define EXTENDED_TOKENS(n) do { \
330 /* ACL data */ \
331 if (ARG_IS_VALID(kar, ARG_OPAQUE)) { \
332 tok = au_to_opaque(ar->ar_arg_opaque, \
333 ar->ar_arg_opq_size); \
334 kau_write(rec, tok); \
335 } \
336 if (ARG_IS_VALID(kar, ARG_MODE)) { \
337 tok = au_to_arg32(n+2, "mode", ar->ar_arg_mode);\
338 kau_write(rec, tok); \
339 } \
340 if (ARG_IS_VALID(kar, ARG_GID)) { \
341 tok = au_to_arg32(n+1, "gid", ar->ar_arg_gid); \
342 kau_write(rec, tok); \
343 } \
344 if (ARG_IS_VALID(kar, ARG_UID)) { \
345 tok = au_to_arg32(n, "uid", ar->ar_arg_uid); \
346 kau_write(rec, tok); \
347 } \
348 } while (0)
349
350 #define PROCESS_MAC_TOKENS do { \
351 if (ar->ar_valid_arg & ARG_MAC_STRING) { \
352 tok = au_to_text(ar->ar_arg_mac_string); \
353 kau_write(rec, tok); \
354 } \
355 } while (0)
356
357 /*
358 * Implement auditing for the auditon() system call. The audit tokens that
359 * are generated depend on the command that was sent into the auditon()
360 * system call.
361 */
362 static void
363 audit_sys_auditon(struct audit_record *ar, struct au_record *rec)
364 {
365 struct au_token *tok;
366
367 switch (ar->ar_arg_cmd) {
368 case A_OLDSETPOLICY:
369 if (ar->ar_arg_len > sizeof(int)) {
370 tok = au_to_arg32(3, "length", ar->ar_arg_len);
371 kau_write(rec, tok);
372 tok = au_to_arg64(2, "policy",
373 ar->ar_arg_auditon.au_policy64);
374 kau_write(rec, tok);
375 break;
376 }
377 /* FALLTHROUGH */
378 case A_SETPOLICY:
379 tok = au_to_arg32(3, "length", ar->ar_arg_len);
380 kau_write(rec, tok);
381 tok = au_to_arg32(2, "policy", ar->ar_arg_auditon.au_policy);
382 kau_write(rec, tok);
383 break;
384
385 case A_SETKMASK:
386 tok = au_to_arg32(3, "length", ar->ar_arg_len);
387 kau_write(rec, tok);
388 tok = au_to_arg32(2, "setkmask:as_success",
389 ar->ar_arg_auditon.au_mask.am_success);
390 kau_write(rec, tok);
391 tok = au_to_arg32(2, "setkmask:as_failure",
392 ar->ar_arg_auditon.au_mask.am_failure);
393 kau_write(rec, tok);
394 break;
395
396 case A_OLDSETQCTRL:
397 if (ar->ar_arg_len > sizeof(au_qctrl_t)) {
398 tok = au_to_arg32(3, "length", ar->ar_arg_len);
399 kau_write(rec, tok);
400 tok = au_to_arg64(2, "setqctrl:aq_hiwater",
401 ar->ar_arg_auditon.au_qctrl64.aq64_hiwater);
402 kau_write(rec, tok);
403 tok = au_to_arg64(2, "setqctrl:aq_lowater",
404 ar->ar_arg_auditon.au_qctrl64.aq64_lowater);
405 kau_write(rec, tok);
406 tok = au_to_arg64(2, "setqctrl:aq_bufsz",
407 ar->ar_arg_auditon.au_qctrl64.aq64_bufsz);
408 kau_write(rec, tok);
409 tok = au_to_arg64(2, "setqctrl:aq_delay",
410 ar->ar_arg_auditon.au_qctrl64.aq64_delay);
411 kau_write(rec, tok);
412 tok = au_to_arg32(2, "setqctrl:aq_minfree",
413 ar->ar_arg_auditon.au_qctrl64.aq64_minfree);
414 kau_write(rec, tok);
415 break;
416 }
417 /* FALLTHROUGH */
418 case A_SETQCTRL:
419 tok = au_to_arg32(3, "length", ar->ar_arg_len);
420 kau_write(rec, tok);
421 tok = au_to_arg32(2, "setqctrl:aq_hiwater",
422 ar->ar_arg_auditon.au_qctrl.aq_hiwater);
423 kau_write(rec, tok);
424 tok = au_to_arg32(2, "setqctrl:aq_lowater",
425 ar->ar_arg_auditon.au_qctrl.aq_lowater);
426 kau_write(rec, tok);
427 tok = au_to_arg32(2, "setqctrl:aq_bufsz",
428 ar->ar_arg_auditon.au_qctrl.aq_bufsz);
429 kau_write(rec, tok);
430 tok = au_to_arg32(2, "setqctrl:aq_delay",
431 ar->ar_arg_auditon.au_qctrl.aq_delay);
432 kau_write(rec, tok);
433 tok = au_to_arg32(2, "setqctrl:aq_minfree",
434 ar->ar_arg_auditon.au_qctrl.aq_minfree);
435 kau_write(rec, tok);
436 break;
437
438 case A_SETUMASK:
439 tok = au_to_arg32(3, "length", ar->ar_arg_len);
440 kau_write(rec, tok);
441 tok = au_to_arg32(2, "setumask:as_success",
442 ar->ar_arg_auditon.au_auinfo.ai_mask.am_success);
443 kau_write(rec, tok);
444 tok = au_to_arg32(2, "setumask:as_failure",
445 ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure);
446 kau_write(rec, tok);
447 break;
448
449 case A_SETSMASK:
450 tok = au_to_arg32(3, "length", ar->ar_arg_len);
451 kau_write(rec, tok);
452 tok = au_to_arg32(2, "setsmask:as_success",
453 ar->ar_arg_auditon.au_auinfo.ai_mask.am_success);
454 kau_write(rec, tok);
455 tok = au_to_arg32(2, "setsmask:as_failure",
456 ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure);
457 kau_write(rec, tok);
458 break;
459
460 case A_OLDSETCOND:
461 if (ar->ar_arg_len > sizeof(int)) {
462 tok = au_to_arg32(3, "length", ar->ar_arg_len);
463 kau_write(rec, tok);
464 tok = au_to_arg64(2, "setcond",
465 ar->ar_arg_auditon.au_cond64);
466 kau_write(rec, tok);
467 break;
468 }
469 /* FALLTHROUGH */
470 case A_SETCOND:
471 tok = au_to_arg32(3, "length", ar->ar_arg_len);
472 kau_write(rec, tok);
473 tok = au_to_arg32(2, "setcond", ar->ar_arg_auditon.au_cond);
474 kau_write(rec, tok);
475 break;
476
477 case A_SETCLASS:
478 tok = au_to_arg32(3, "length", ar->ar_arg_len);
479 kau_write(rec, tok);
480 tok = au_to_arg32(2, "setclass:ec_event",
481 ar->ar_arg_auditon.au_evclass.ec_number);
482 kau_write(rec, tok);
483 tok = au_to_arg32(3, "setclass:ec_class",
484 ar->ar_arg_auditon.au_evclass.ec_class);
485 kau_write(rec, tok);
486 break;
487
488 case A_SETPMASK:
489 tok = au_to_arg32(3, "length", ar->ar_arg_len);
490 kau_write(rec, tok);
491 tok = au_to_arg32(2, "setpmask:as_success",
492 ar->ar_arg_auditon.au_aupinfo.ap_mask.am_success);
493 kau_write(rec, tok);
494 tok = au_to_arg32(2, "setpmask:as_failure",
495 ar->ar_arg_auditon.au_aupinfo.ap_mask.am_failure);
496 kau_write(rec, tok);
497 break;
498
499 case A_SETFSIZE:
500 tok = au_to_arg32(3, "length", ar->ar_arg_len);
501 kau_write(rec, tok);
502 tok = au_to_arg32(2, "setfsize:filesize",
503 ar->ar_arg_auditon.au_fstat.af_filesz);
504 kau_write(rec, tok);
505 break;
506
507 default:
508 break;
509 }
510 tok = au_to_arg32(1, "cmd", ar->ar_arg_cmd);
511 kau_write(rec, tok);
512 }
513
514 /*
515 * Implement auditing for the fcntl() system call. The audit tokens that
516 * are generated depend on the command that was sent into the fcntl()
517 * system call.
518 */
519 static void
520 audit_sys_fcntl(struct kaudit_record *kar, struct au_record *rec)
521 {
522 struct au_token *tok;
523 struct audit_record *ar = &kar->k_ar;
524
525 switch (ar->ar_arg_cmd) {
526
527 case F_DUPFD:
528 if (ARG_IS_VALID(kar, ARG_VALUE32)) {
529 tok = au_to_arg32(3, "min fd", ar->ar_arg_value32);
530 kau_write(rec, tok);
531 }
532 break;
533
534 case F_SETFD:
535 if (ARG_IS_VALID(kar, ARG_VALUE32)) {
536 tok = au_to_arg32(3, "close-on-exec flag",
537 ar->ar_arg_value32);
538 kau_write(rec, tok);
539 }
540 break;
541
542 case F_SETFL:
543 if (ARG_IS_VALID(kar, ARG_VALUE32)) {
544 tok = au_to_arg32(3, "fd flags", ar->ar_arg_value32);
545 kau_write(rec, tok);
546 }
547 break;
548
549 case F_SETOWN:
550 if (ARG_IS_VALID(kar, ARG_VALUE32)) {
551 tok = au_to_arg32(3, "pid", ar->ar_arg_value32);
552 kau_write(rec, tok);
553 }
554 break;
555
556 #ifdef F_SETSIZE
557 case F_SETSIZE:
558 if (ARG_IS_VALID(kar, ARG_VALUE64)) {
559 tok = au_to_arg64(3, "offset", ar->ar_arg_value64);
560 kau_write(rec, tok);
561 }
562 break;
563 #endif /* F_SETSIZE */
564
565 #ifdef F_PATHPKG_CHECK
566 case F_PATHPKG_CHECK:
567 if (ARG_IS_VALID(kar, ARG_TEXT)) {
568 tok = au_to_text(ar->ar_arg_text);
569 kau_write(rec, tok);
570 }
571 break;
572 #endif
573
574 default:
575 break;
576 }
577 tok = au_to_arg32(2, "cmd", au_fcntl_cmd_to_bsm(ar->ar_arg_cmd));
578 kau_write(rec, tok);
579 }
580
581 /*
582 * Convert an internal kernel audit record to a BSM record and return a
583 * success/failure indicator. The BSM record is passed as an out parameter to
584 * this function.
585 *
586 * Return conditions:
587 * BSM_SUCCESS: The BSM record is valid
588 * BSM_FAILURE: Failure; the BSM record is NULL.
589 * BSM_NOAUDIT: The event is not auditable for BSM; the BSM record is NULL.
590 */
591 int
592 kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau)
593 {
594 struct au_token *tok = NULL, *subj_tok;
595 struct au_record *rec;
596 au_tid_t tid;
597 struct audit_record *ar;
598 int ctr;
599 u_int uctr;
600
601 KASSERT(kar != NULL, ("kaudit_to_bsm: kar == NULL"));
602
603 *pau = NULL;
604 ar = &kar->k_ar;
605 rec = kau_open();
606
607 /*
608 * Create the subject token.
609 */
610 switch (ar->ar_subj_term_addr.at_type) {
611 case AU_IPv4:
612 tid.port = ar->ar_subj_term_addr.at_port;
613 tid.machine = ar->ar_subj_term_addr.at_addr[0];
614 subj_tok = au_to_subject32(ar->ar_subj_auid, /* audit ID */
615 ar->ar_subj_cred.cr_uid, /* eff uid */
616 ar->ar_subj_egid, /* eff group id */
617 ar->ar_subj_ruid, /* real uid */
618 ar->ar_subj_rgid, /* real group id */
619 ar->ar_subj_pid, /* process id */
620 ar->ar_subj_asid, /* session ID */
621 &tid);
622 break;
623 case AU_IPv6:
624 subj_tok = au_to_subject32_ex(ar->ar_subj_auid,
625 ar->ar_subj_cred.cr_uid,
626 ar->ar_subj_egid,
627 ar->ar_subj_ruid,
628 ar->ar_subj_rgid,
629 ar->ar_subj_pid,
630 ar->ar_subj_asid,
631 &ar->ar_subj_term_addr);
632 break;
633 default:
634 bzero(&tid, sizeof(tid));
635 subj_tok = au_to_subject32(ar->ar_subj_auid,
636 ar->ar_subj_cred.cr_uid,
637 ar->ar_subj_egid,
638 ar->ar_subj_ruid,
639 ar->ar_subj_rgid,
640 ar->ar_subj_pid,
641 ar->ar_subj_asid,
642 &tid);
643 }
644
645 /*
646 * The logic inside each case fills in the tokens required for the
647 * event, except for the header, trailer, and return tokens. The
648 * header and trailer tokens are added by the kau_close() function.
649 * The return token is added outside of the switch statement.
650 */
651 switch(ar->ar_event) {
652 case AUE_SENDFILE:
653 /* For sendfile the file and socket descriptor are both saved */
654 if (ARG_IS_VALID(kar, ARG_VALUE32)) {
655 tok = au_to_arg32(2, "sd", ar->ar_arg_value32);
656 kau_write(rec, tok);
657 }
658 /* FALLTHROUGH */
659 case AUE_ACCEPT:
660 case AUE_BIND:
661 case AUE_LISTEN:
662 case AUE_CONNECT:
663 case AUE_RECVFROM:
664 case AUE_RECVMSG:
665 case AUE_SENDMSG:
666 case AUE_SENDTO:
667 /*
668 * Socket-related events.
669 */
670 if (ARG_IS_VALID(kar, ARG_FD)) {
671 tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
672 kau_write(rec, tok);
673 }
674 if (ARG_IS_VALID(kar, ARG_SADDRINET)) {
675 tok = au_to_sock_inet((struct sockaddr_in *)
676 &ar->ar_arg_sockaddr);
677 kau_write(rec, tok);
678 }
679 if (ARG_IS_VALID(kar, ARG_SADDRUNIX)) {
680 tok = au_to_sock_unix((struct sockaddr_un *)
681 &ar->ar_arg_sockaddr);
682 kau_write(rec, tok);
683 UPATH1_TOKENS;
684 }
685 if (ARG_IS_VALID(kar, ARG_SADDRINET6)) {
686 tok = au_to_sock_inet128((struct sockaddr_in6 *)
687 &ar->ar_arg_sockaddr);
688 kau_write(rec, tok);
689 }
690 break;
691
692 case AUE_SOCKET:
693 case AUE_SOCKETPAIR:
694 if (ARG_IS_VALID(kar, ARG_SOCKINFO)) {
695 tok = au_to_arg32(1,"domain",
696 au_domain_to_bsm(ar->ar_arg_sockinfo.sai_domain));
697 kau_write(rec, tok);
698 tok = au_to_arg32(2,"type",
699 au_socket_type_to_bsm(ar->ar_arg_sockinfo.sai_type));
700 kau_write(rec, tok);
701 tok = au_to_arg32(3,"protocol",
702 ar->ar_arg_sockinfo.sai_protocol);
703 kau_write(rec, tok);
704 }
705 break;
706
707 case AUE_SETSOCKOPT:
708 case AUE_SHUTDOWN:
709 if (ARG_IS_VALID(kar, ARG_FD)) {
710 tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
711 kau_write(rec, tok);
712 }
713 break;
714
715 case AUE_ACCT:
716 if (ARG_IS_VALID(kar, (ARG_KPATH1 | ARG_UPATH1))) {
717 UPATH1_VNODE1_TOKENS;
718 } else {
719 tok = au_to_arg32(1, "accounting off", 0);
720 kau_write(rec, tok);
721 }
722 break;
723
724 case AUE_SETAUID:
725 if (ARG_IS_VALID(kar, ARG_AUID)) {
726 tok = au_to_arg32(2, "setauid", ar->ar_arg_auid);
727 kau_write(rec, tok);
728 }
729 break;
730
731 case AUE_SETAUDIT:
732 if (ARG_IS_VALID(kar, ARG_AUID) &&
733 ARG_IS_VALID(kar, ARG_ASID) &&
734 ARG_IS_VALID(kar, ARG_AMASK) &&
735 ARG_IS_VALID(kar, ARG_TERMID)) {
736 tok = au_to_arg32(1, "setaudit:auid",
737 ar->ar_arg_auid);
738 kau_write(rec, tok);
739 tok = au_to_arg32(1, "setaudit:port",
740 ar->ar_arg_termid.port);
741 kau_write(rec, tok);
742 tok = au_to_arg32(1, "setaudit:machine",
743 ar->ar_arg_termid.machine);
744 kau_write(rec, tok);
745 tok = au_to_arg32(1, "setaudit:as_success",
746 ar->ar_arg_amask.am_success);
747 kau_write(rec, tok);
748 tok = au_to_arg32(1, "setaudit:as_failure",
749 ar->ar_arg_amask.am_failure);
750 kau_write(rec, tok);
751 tok = au_to_arg32(1, "setaudit:asid",
752 ar->ar_arg_asid);
753 kau_write(rec, tok);
754 }
755 break;
756
757 case AUE_SETAUDIT_ADDR:
758 if (ARG_IS_VALID(kar, ARG_AUID) &&
759 ARG_IS_VALID(kar, ARG_ASID) &&
760 ARG_IS_VALID(kar, ARG_AMASK) &&
761 ARG_IS_VALID(kar, ARG_TERMID_ADDR)) {
762 tok = au_to_arg32(1, "setaudit_addr:auid",
763 ar->ar_arg_auid);
764 kau_write(rec, tok);
765 tok = au_to_arg32(1, "setaudit_addr:as_success",
766 ar->ar_arg_amask.am_success);
767 kau_write(rec, tok);
768 tok = au_to_arg32(1, "setaudit_addr:as_failure",
769 ar->ar_arg_amask.am_failure);
770 kau_write(rec, tok);
771 tok = au_to_arg32(1, "setaudit_addr:asid",
772 ar->ar_arg_asid);
773 kau_write(rec, tok);
774 tok = au_to_arg32(1, "setaudit_addr:type",
775 ar->ar_arg_termid_addr.at_type);
776 kau_write(rec, tok);
777 tok = au_to_arg32(1, "setaudit_addr:port",
778 ar->ar_arg_termid_addr.at_port);
779 kau_write(rec, tok);
780 if (ar->ar_arg_termid_addr.at_type == AU_IPv6)
781 tok = au_to_in_addr_ex((struct in6_addr *)
782 &ar->ar_arg_termid_addr.at_addr[0]);
783 if (ar->ar_arg_termid_addr.at_type == AU_IPv4)
784 tok = au_to_in_addr((struct in_addr *)
785 &ar->ar_arg_termid_addr.at_addr[0]);
786 kau_write(rec, tok);
787 }
788 break;
789
790 case AUE_AUDITON:
791 /*
792 * For AUDITON commands without own event, audit the cmd.
793 */
794 if (ARG_IS_VALID(kar, ARG_CMD)) {
795 tok = au_to_arg32(1, "cmd", ar->ar_arg_cmd);
796 kau_write(rec, tok);
797 }
798 /* FALLTHROUGH */
799
800 case AUE_AUDITON_GETCAR:
801 case AUE_AUDITON_GETCLASS:
802 case AUE_AUDITON_GETCOND:
803 case AUE_AUDITON_GETCWD:
804 case AUE_AUDITON_GETKMASK:
805 case AUE_AUDITON_GETSTAT:
806 case AUE_AUDITON_GPOLICY:
807 case AUE_AUDITON_GQCTRL:
808 case AUE_AUDITON_SETCLASS:
809 case AUE_AUDITON_SETCOND:
810 case AUE_AUDITON_SETKMASK:
811 case AUE_AUDITON_SETSMASK:
812 case AUE_AUDITON_SETSTAT:
813 case AUE_AUDITON_SETUMASK:
814 case AUE_AUDITON_SPOLICY:
815 case AUE_AUDITON_SQCTRL:
816 if (ARG_IS_VALID(kar, ARG_AUDITON))
817 audit_sys_auditon(ar, rec);
818 break;
819
820 case AUE_AUDITCTL:
821 UPATH1_VNODE1_TOKENS;
822 break;
823
824 case AUE_EXIT:
825 if (ARG_IS_VALID(kar, ARG_EXIT)) {
826 tok = au_to_exit(ar->ar_arg_exitretval,
827 ar->ar_arg_exitstatus);
828 kau_write(rec, tok);
829 }
830 break;
831
832 case AUE_ADJTIME:
833 case AUE_AUDIT:
834 case AUE_DUP2:
835 case AUE_GETAUDIT:
836 case AUE_GETAUDIT_ADDR:
837 case AUE_GETAUID:
838 case AUE_GETFSSTAT:
839 case AUE_KQUEUE:
840 case AUE_LSEEK:
841 #if 0
842 /* XXXss replace with kext */
843 case AUE_MODLOAD:
844 case AUE_MODUNLOAD:
845 #endif
846 case AUE_MAC_GETFSSTAT:
847 case AUE_PIPE:
848 case AUE_PROFILE:
849 case AUE_SEMSYS:
850 case AUE_SHMSYS:
851 case AUE_SETPGRP:
852 case AUE_SETRLIMIT:
853 case AUE_SETSID:
854 case AUE_SETTIMEOFDAY:
855 case AUE_KDEBUGTRACE:
856 case AUE_PTHREADSIGMASK:
857 /*
858 * Header, subject, and return tokens added at end.
859 */
860 break;
861
862 case AUE_MKFIFO:
863 if (ARG_IS_VALID(kar, ARG_MODE)) {
864 tok = au_to_arg32(2, "mode", ar->ar_arg_mode);
865 kau_write(rec, tok);
866 }
867 UPATH1_VNODE1_TOKENS;
868 break;
869
870 case AUE_ACCESS_EXTENDED:
871 /*
872 * The access_extended() argument vector is stored in an
873 * opaque token.
874 */
875 if (ARG_IS_VALID(kar, ARG_OPAQUE)) {
876 tok = au_to_opaque(ar->ar_arg_opaque,
877 ar->ar_arg_opq_size);
878 kau_write(rec, tok);
879 }
880 /*
881 * The access_extended() result vector is stored in an arbitrary
882 * data token.
883 */
884 if (ARG_IS_VALID(kar, ARG_DATA)) {
885 tok = au_to_data(AUP_DECIMAL, ar->ar_arg_data_type,
886 ar->ar_arg_data_count, ar->ar_arg_data);
887 kau_write(rec, tok);
888 }
889 UPATH1_VNODE1_TOKENS;
890 break;
891
892 case AUE_LSTAT_EXTENDED:
893 case AUE_STAT_EXTENDED:
894 case AUE_ACCESS:
895 case AUE_CHDIR:
896 case AUE_CHROOT:
897 case AUE_GETATTRLIST:
898 case AUE_NFS_GETFH:
899 case AUE_LSTAT:
900 case AUE_PATHCONF:
901 case AUE_READLINK:
902 case AUE_REVOKE:
903 case AUE_RMDIR:
904 case AUE_SEARCHFS:
905 case AUE_SETATTRLIST:
906 case AUE_STAT:
907 case AUE_STATFS:
908 case AUE_TRUNCATE:
909 case AUE_UNDELETE:
910 case AUE_UNLINK:
911 case AUE_UTIMES:
912 UPATH1_VNODE1_TOKENS;
913 break;
914
915 case AUE_FHOPEN:
916 break;
917
918 case AUE_CHFLAGS:
919 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
920 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
921 kau_write(rec, tok);
922 }
923 UPATH1_VNODE1_TOKENS;
924 break;
925
926 case AUE_CHMOD:
927 if (ARG_IS_VALID(kar, ARG_MODE)) {
928 tok = au_to_arg32(2, "new file mode",
929 ar->ar_arg_mode);
930 kau_write(rec, tok);
931 }
932 UPATH1_VNODE1_TOKENS;
933 break;
934
935 case AUE_CHOWN:
936 case AUE_LCHOWN:
937 if (ARG_IS_VALID(kar, ARG_UID)) {
938 tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid);
939 kau_write(rec, tok);
940 }
941 if (ARG_IS_VALID(kar, ARG_GID)) {
942 tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid);
943 kau_write(rec, tok);
944 }
945 UPATH1_VNODE1_TOKENS;
946 break;
947
948 case AUE_EXCHANGEDATA:
949 UPATH1_VNODE1_TOKENS;
950 UPATH2_TOKENS;
951 break;
952
953 case AUE_CLOSE:
954 if (ARG_IS_VALID(kar, ARG_FD)) {
955 tok = au_to_arg32(2, "fd", ar->ar_arg_fd);
956 kau_write(rec, tok);
957 }
958 UPATH1_VNODE1_TOKENS;
959 break;
960
961 case AUE_CORE:
962 if (ARG_IS_VALID(kar, ARG_SIGNUM)) {
963 tok = au_to_arg32(0, "signal", ar->ar_arg_signum);
964 kau_write(rec, tok);
965 }
966 UPATH1_VNODE1_TOKENS;
967 break;
968
969 case AUE_POSIX_SPAWN:
970 if (ARG_IS_VALID(kar, ARG_PID)) {
971 tok = au_to_arg32(0, "child PID", ar->ar_arg_pid);
972 kau_write(rec, tok);
973 }
974 /* FALLTHROUGH */
975
976 case AUE_EXECVE:
977 if (ARG_IS_VALID(kar, ARG_ARGV)) {
978 tok = au_to_exec_args(ar->ar_arg_argv,
979 ar->ar_arg_argc);
980 kau_write(rec, tok);
981 }
982 if (ARG_IS_VALID(kar, ARG_ENVV)) {
983 tok = au_to_exec_env(ar->ar_arg_envv,
984 ar->ar_arg_envc);
985 kau_write(rec, tok);
986 }
987 UPATH1_VNODE1_TOKENS;
988 break;
989
990 case AUE_FCHMOD_EXTENDED:
991 EXTENDED_TOKENS(2);
992 FD_VNODE1_TOKENS;
993 break;
994
995 case AUE_FCHMOD:
996 if (ARG_IS_VALID(kar, ARG_MODE)) {
997 tok = au_to_arg32(2, "new file mode",
998 ar->ar_arg_mode);
999 kau_write(rec, tok);
1000 }
1001 FD_VNODE1_TOKENS;
1002 break;
1003
1004 case AUE_NFS_SVC:
1005 tok = au_to_arg32(1, "request", ar->ar_arg_cmd);
1006 kau_write(rec, tok);
1007 if (ar->ar_valid_arg & (ARG_KPATH1 | ARG_UPATH1)) {
1008 UPATH1_VNODE1_TOKENS;
1009 }
1010 break;
1011
1012 /*
1013 * XXXRW: Some of these need to handle non-vnode cases as well.
1014 */
1015 case AUE_FSTAT_EXTENDED:
1016 case AUE_FCHDIR:
1017 case AUE_FPATHCONF:
1018 case AUE_FSTAT: /* XXX Need to handle sockets and shm */
1019 case AUE_FSTATFS:
1020 case AUE_FSYNC:
1021 case AUE_FTRUNCATE:
1022 case AUE_FUTIMES:
1023 case AUE_GETDIRENTRIES:
1024 case AUE_GETDIRENTRIESATTR:
1025 #if 0 /* XXXss new */
1026 case AUE_POLL:
1027 #endif
1028 case AUE_READ:
1029 case AUE_READV:
1030 case AUE_PREAD:
1031 case AUE_WRITE:
1032 case AUE_WRITEV:
1033 case AUE_PWRITE:
1034 FD_VNODE1_TOKENS;
1035 break;
1036
1037 case AUE_FCHOWN:
1038 if (ARG_IS_VALID(kar, ARG_UID)) {
1039 tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid);
1040 kau_write(rec, tok);
1041 }
1042 if (ARG_IS_VALID(kar, ARG_GID)) {
1043 tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid);
1044 kau_write(rec, tok);
1045 }
1046 FD_VNODE1_TOKENS;
1047 break;
1048
1049 case AUE_FCNTL:
1050 if (ARG_IS_VALID(kar, ARG_CMD))
1051 audit_sys_fcntl(kar, rec);
1052 FD_VNODE1_TOKENS;
1053 break;
1054
1055 case AUE_FSCTL:
1056 if (ARG_IS_VALID(kar, ARG_VALUE32)) {
1057 tok = au_to_arg32(4, "options", ar->ar_arg_value32);
1058 kau_write(rec, tok);
1059 }
1060 if (ARG_IS_VALID(kar, ARG_CMD)) {
1061 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd);
1062 kau_write(rec, tok);
1063 }
1064 UPATH1_VNODE1_TOKENS;
1065 break;
1066
1067 case AUE_FFSCTL:
1068 if (ARG_IS_VALID(kar, ARG_VALUE32)) {
1069 tok = au_to_arg32(4, "options", ar->ar_arg_value32);
1070 kau_write(rec, tok);
1071 }
1072 if (ARG_IS_VALID(kar, ARG_CMD)) {
1073 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd);
1074 kau_write(rec, tok);
1075 }
1076 FD_VNODE1_TOKENS;
1077 break;
1078
1079
1080 case AUE_FCHFLAGS:
1081 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
1082 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
1083 kau_write(rec, tok);
1084 }
1085 FD_VNODE1_TOKENS;
1086 break;
1087
1088 case AUE_FLOCK:
1089 if (ARG_IS_VALID(kar, ARG_CMD)) {
1090 tok = au_to_arg32(2, "operation", ar->ar_arg_cmd);
1091 kau_write(rec, tok);
1092 }
1093 FD_VNODE1_TOKENS;
1094 break;
1095
1096 case AUE_FORK:
1097 case AUE_VFORK:
1098 if (ARG_IS_VALID(kar, ARG_PID)) {
1099 tok = au_to_arg32(0, "child PID", ar->ar_arg_pid);
1100 kau_write(rec, tok);
1101 }
1102 break;
1103
1104 case AUE_GETLCID:
1105 if (ARG_IS_VALID(kar, ARG_PID)) {
1106 tok = au_to_arg32(1, "pid", (u_int32_t)ar->ar_arg_pid);
1107 kau_write(rec, tok);
1108 }
1109 break;
1110
1111 case AUE_SETLCID:
1112 if (ARG_IS_VALID(kar, ARG_PID)) {
1113 tok = au_to_arg32(1, "pid", (u_int32_t)ar->ar_arg_pid);
1114 kau_write(rec, tok);
1115 }
1116 if (ARG_IS_VALID(kar, ARG_VALUE32)) {
1117 tok = au_to_arg32(2, "lcid",
1118 (u_int32_t)ar->ar_arg_value32);
1119 kau_write(rec, tok);
1120 }
1121 break;
1122
1123 case AUE_IOCTL:
1124 if (ARG_IS_VALID(kar, ARG_CMD)) {
1125 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd);
1126 kau_write(rec, tok);
1127 }
1128 if (ARG_IS_VALID(kar, ARG_VALUE64)) {
1129 tok = au_to_arg64(2, "cmd", ar->ar_arg_value64);
1130 kau_write(rec, tok);
1131 }
1132 if (ARG_IS_VALID(kar, ARG_ADDR64)) {
1133 tok = au_to_arg64(3, "arg", ar->ar_arg_addr);
1134 kau_write(rec, tok);
1135 } else if (ARG_IS_VALID(kar, ARG_ADDR32)) {
1136 tok = au_to_arg32(3, "arg",
1137 (u_int32_t)ar->ar_arg_addr);
1138 kau_write(rec, tok);
1139 }
1140 if (ARG_IS_VALID(kar, ARG_VNODE1))
1141 FD_VNODE1_TOKENS;
1142 else {
1143 if (ARG_IS_VALID(kar, ARG_SOCKINFO)) {
1144 tok = au_to_socket_ex(
1145 ar->ar_arg_sockinfo.sai_domain,
1146 ar->ar_arg_sockinfo.sai_type,
1147 (struct sockaddr *)
1148 &ar->ar_arg_sockinfo.sai_laddr,
1149 (struct sockaddr *)
1150 &ar->ar_arg_sockinfo.sai_faddr);
1151 kau_write(rec, tok);
1152 } else {
1153 if (ARG_IS_VALID(kar, ARG_FD)) {
1154 tok = au_to_arg32(1, "fd",
1155 ar->ar_arg_fd);
1156 kau_write(rec, tok);
1157 }
1158 }
1159 }
1160 break;
1161
1162 case AUE_KILL:
1163 if (ARG_IS_VALID(kar, ARG_SIGNUM)) {
1164 tok = au_to_arg32(2, "signal", ar->ar_arg_signum);
1165 kau_write(rec, tok);
1166 }
1167 PROCESS_PID_TOKENS(1);
1168 break;
1169
1170 case AUE_LINK:
1171 case AUE_RENAME:
1172 UPATH1_VNODE1_TOKENS;
1173 UPATH2_TOKENS;
1174 break;
1175
1176 case AUE_MKDIR_EXTENDED:
1177 case AUE_CHMOD_EXTENDED:
1178 case AUE_MKFIFO_EXTENDED:
1179 EXTENDED_TOKENS(2);
1180 UPATH1_VNODE1_TOKENS;
1181 break;
1182
1183 case AUE_MKDIR:
1184 if (ARG_IS_VALID(kar, ARG_MODE)) {
1185 tok = au_to_arg32(2, "mode", ar->ar_arg_mode);
1186 kau_write(rec, tok);
1187 }
1188 UPATH1_VNODE1_TOKENS;
1189 break;
1190
1191 case AUE_MKNOD:
1192 if (ARG_IS_VALID(kar, ARG_MODE)) {
1193 tok = au_to_arg32(2, "mode", ar->ar_arg_mode);
1194 kau_write(rec, tok);
1195 }
1196 if (ARG_IS_VALID(kar, ARG_VALUE32)) {
1197 tok = au_to_arg32(3, "dev", ar->ar_arg_value32);
1198 kau_write(rec, tok);
1199 }
1200 UPATH1_VNODE1_TOKENS;
1201 break;
1202
1203 case AUE_MMAP:
1204 case AUE_MUNMAP:
1205 case AUE_MPROTECT:
1206 case AUE_MLOCK:
1207 case AUE_MUNLOCK:
1208 case AUE_MINHERIT:
1209 if (ARG_IS_VALID(kar, ARG_ADDR64)) {
1210 tok = au_to_arg64(1, "addr", ar->ar_arg_addr);
1211 kau_write(rec, tok);
1212 } else if (ARG_IS_VALID(kar, ARG_ADDR32)) {
1213 tok = au_to_arg32(1, "addr",
1214 (u_int32_t)ar->ar_arg_addr);
1215 kau_write(rec, tok);
1216 }
1217 if (ARG_IS_VALID(kar, ARG_LEN)) {
1218 tok = au_to_arg64(2, "len", ar->ar_arg_len);
1219 kau_write(rec, tok);
1220 }
1221 if (ar->ar_event == AUE_MMAP)
1222 FD_VNODE1_TOKENS;
1223 if (ar->ar_event == AUE_MPROTECT) {
1224 if (ARG_IS_VALID(kar, ARG_VALUE32)) {
1225 tok = au_to_arg32(3, "protection",
1226 ar->ar_arg_value32);
1227 kau_write(rec, tok);
1228 }
1229 }
1230 if (ar->ar_event == AUE_MINHERIT) {
1231 if (ARG_IS_VALID(kar, ARG_VALUE32)) {
1232 tok = au_to_arg32(3, "inherit",
1233 ar->ar_arg_value32);
1234 kau_write(rec, tok);
1235 }
1236 }
1237 break;
1238
1239 #if CONFIG_MACF
1240 case AUE_MAC_MOUNT:
1241 PROCESS_MAC_TOKENS;
1242 /* FALLTHROUGH */
1243 #endif
1244 case AUE_MOUNT:
1245 /* XXX Need to handle NFS mounts */
1246 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
1247 tok = au_to_arg32(3, "flags", ar->ar_arg_fflags);
1248 kau_write(rec, tok);
1249 }
1250 if (ARG_IS_VALID(kar, ARG_TEXT)) {
1251 tok = au_to_text(ar->ar_arg_text);
1252 kau_write(rec, tok);
1253 }
1254 /* FALLTHROUGH */
1255
1256 case AUE_UMOUNT:
1257 case AUE_UNMOUNT:
1258 UPATH1_VNODE1_TOKENS;
1259 break;
1260
1261 case AUE_MSGCTL:
1262 ar->ar_event = audit_msgctl_to_event(ar->ar_arg_svipc_cmd);
1263 /* FALLTHROUGH */
1264
1265 case AUE_MSGRCV:
1266 case AUE_MSGSND:
1267 tok = au_to_arg32(1, "msg ID", ar->ar_arg_svipc_id);
1268 kau_write(rec, tok);
1269 if (ar->ar_errno != EINVAL) {
1270 tok = au_to_ipc(AT_IPC_MSG, ar->ar_arg_svipc_id);
1271 kau_write(rec, tok);
1272 }
1273 break;
1274
1275 case AUE_MSGGET:
1276 if (ar->ar_errno == 0) {
1277 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
1278 tok = au_to_ipc(AT_IPC_MSG,
1279 ar->ar_arg_svipc_id);
1280 kau_write(rec, tok);
1281 }
1282 }
1283 break;
1284
1285 case AUE_OPENAT_RC:
1286 case AUE_OPENAT_RTC:
1287 case AUE_OPENAT_RWC:
1288 case AUE_OPENAT_RWTC:
1289 case AUE_OPENAT_WC:
1290 case AUE_OPENAT_WTC:
1291 if (ARG_IS_VALID(kar, ARG_MODE)) {
1292 tok = au_to_arg32(3, "mode", ar->ar_arg_mode);
1293 kau_write(rec, tok);
1294 }
1295 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
1296 tok = au_to_arg32(3, "flags", ar->ar_arg_fflags);
1297 kau_write(rec, tok);
1298 }
1299 if (ARG_IS_VALID(kar, ARG_FD)) {
1300 tok = au_to_arg32(1, "dir fd", ar->ar_arg_fd);
1301 kau_write(rec, tok);
1302 }
1303 UPATH1_VNODE1_TOKENS;
1304 break;
1305
1306 case AUE_OPEN_EXTENDED_RC:
1307 case AUE_OPEN_EXTENDED_RTC:
1308 case AUE_OPEN_EXTENDED_RWC:
1309 case AUE_OPEN_EXTENDED_RWTC:
1310 case AUE_OPEN_EXTENDED_WC:
1311 case AUE_OPEN_EXTENDED_WTC:
1312 EXTENDED_TOKENS(3);
1313 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
1314 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
1315 kau_write(rec, tok);
1316 }
1317 UPATH1_VNODE1_TOKENS;
1318 break;
1319
1320 case AUE_OPEN_RC:
1321 case AUE_OPEN_RTC:
1322 case AUE_OPEN_RWC:
1323 case AUE_OPEN_RWTC:
1324 case AUE_OPEN_WC:
1325 case AUE_OPEN_WTC:
1326 if (ARG_IS_VALID(kar, ARG_MODE)) {
1327 tok = au_to_arg32(3, "mode", ar->ar_arg_mode);
1328 kau_write(rec, tok);
1329 }
1330 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
1331 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
1332 kau_write(rec, tok);
1333 }
1334 UPATH1_VNODE1_TOKENS;
1335 break;
1336
1337 case AUE_OPENAT:
1338 case AUE_OPENAT_R:
1339 case AUE_OPENAT_RT:
1340 case AUE_OPENAT_RW:
1341 case AUE_OPENAT_RWT:
1342 case AUE_OPENAT_W:
1343 case AUE_OPENAT_WT:
1344 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
1345 tok = au_to_arg32(3, "flags", ar->ar_arg_fflags);
1346 kau_write(rec, tok);
1347 }
1348 if (ARG_IS_VALID(kar, ARG_FD)) {
1349 tok = au_to_arg32(1, "dir fd", ar->ar_arg_fd);
1350 kau_write(rec, tok);
1351 }
1352 UPATH1_VNODE1_TOKENS;
1353 break;
1354
1355 case AUE_OPEN_EXTENDED:
1356 case AUE_OPEN_EXTENDED_R:
1357 case AUE_OPEN_EXTENDED_RT:
1358 case AUE_OPEN_EXTENDED_RW:
1359 case AUE_OPEN_EXTENDED_RWT:
1360 case AUE_OPEN_EXTENDED_W:
1361 case AUE_OPEN_EXTENDED_WT:
1362 EXTENDED_TOKENS(3);
1363 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
1364 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
1365 kau_write(rec, tok);
1366 }
1367 UPATH1_VNODE1_TOKENS;
1368 break;
1369
1370 case AUE_OPEN:
1371 case AUE_OPEN_R:
1372 case AUE_OPEN_RT:
1373 case AUE_OPEN_RW:
1374 case AUE_OPEN_RWT:
1375 case AUE_OPEN_W:
1376 case AUE_OPEN_WT:
1377 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
1378 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
1379 kau_write(rec, tok);
1380 }
1381 UPATH1_VNODE1_TOKENS;
1382 break;
1383
1384 case AUE_UNLINKAT:
1385 if (ARG_IS_VALID(kar, ARG_FD)) {
1386 tok = au_to_arg32(1, "dir fd", ar->ar_arg_fd);
1387 kau_write(rec, tok);
1388 }
1389 UPATH1_VNODE1_TOKENS;
1390 break;
1391
1392 case AUE_PTRACE:
1393 if (ARG_IS_VALID(kar, ARG_CMD)) {
1394 tok = au_to_arg32(1, "request", ar->ar_arg_cmd);
1395 kau_write(rec, tok);
1396 }
1397 if (ARG_IS_VALID(kar, ARG_ADDR64)) {
1398 tok = au_to_arg64(3, "addr", ar->ar_arg_addr);
1399 kau_write(rec, tok);
1400 } else if (ARG_IS_VALID(kar, ARG_ADDR32)) {
1401 tok = au_to_arg32(3, "addr",
1402 (u_int32_t)ar->ar_arg_addr);
1403 kau_write(rec, tok);
1404 }
1405 if (ARG_IS_VALID(kar, ARG_VALUE32)) {
1406 tok = au_to_arg32(4, "data", ar->ar_arg_value32);
1407 kau_write(rec, tok);
1408 }
1409 PROCESS_PID_TOKENS(2);
1410 break;
1411
1412 case AUE_QUOTACTL:
1413 if (ARG_IS_VALID(kar, ARG_CMD)) {
1414 tok = au_to_arg32(2, "command", ar->ar_arg_cmd);
1415 kau_write(rec, tok);
1416 }
1417 if (ARG_IS_VALID(kar, ARG_UID)) {
1418 tok = au_to_arg32(3, "uid", ar->ar_arg_uid);
1419 kau_write(rec, tok);
1420 }
1421 UPATH1_VNODE1_TOKENS;
1422 break;
1423
1424 case AUE_REBOOT:
1425 if (ARG_IS_VALID(kar, ARG_CMD)) {
1426 tok = au_to_arg32(1, "howto", ar->ar_arg_cmd);
1427 kau_write(rec, tok);
1428 }
1429 break;
1430
1431 case AUE_SEMCTL:
1432 ar->ar_event = audit_semctl_to_event(ar->ar_arg_svipc_cmd);
1433 /* FALLTHROUGH */
1434
1435 case AUE_SEMOP:
1436 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
1437 tok = au_to_arg32(1, "sem ID", ar->ar_arg_svipc_id);
1438 kau_write(rec, tok);
1439 if (ar->ar_errno != EINVAL) {
1440 tok = au_to_ipc(AT_IPC_SEM,
1441 ar->ar_arg_svipc_id);
1442 kau_write(rec, tok);
1443 }
1444 }
1445 break;
1446
1447 case AUE_SEMGET:
1448 if (ar->ar_errno == 0) {
1449 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
1450 tok = au_to_ipc(AT_IPC_SEM,
1451 ar->ar_arg_svipc_id);
1452 kau_write(rec, tok);
1453 }
1454 }
1455 break;
1456
1457 case AUE_SETEGID:
1458 if (ARG_IS_VALID(kar, ARG_EGID)) {
1459 tok = au_to_arg32(1, "gid", ar->ar_arg_egid);
1460 kau_write(rec, tok);
1461 }
1462 break;
1463
1464 case AUE_SETEUID:
1465 if (ARG_IS_VALID(kar, ARG_EUID)) {
1466 tok = au_to_arg32(1, "uid", ar->ar_arg_euid);
1467 kau_write(rec, tok);
1468 }
1469 break;
1470
1471 case AUE_SETREGID:
1472 if (ARG_IS_VALID(kar, ARG_RGID)) {
1473 tok = au_to_arg32(1, "rgid", ar->ar_arg_rgid);
1474 kau_write(rec, tok);
1475 }
1476 if (ARG_IS_VALID(kar, ARG_EGID)) {
1477 tok = au_to_arg32(2, "egid", ar->ar_arg_egid);
1478 kau_write(rec, tok);
1479 }
1480 break;
1481
1482 case AUE_SETREUID:
1483 if (ARG_IS_VALID(kar, ARG_RUID)) {
1484 tok = au_to_arg32(1, "ruid", ar->ar_arg_ruid);
1485 kau_write(rec, tok);
1486 }
1487 if (ARG_IS_VALID(kar, ARG_EUID)) {
1488 tok = au_to_arg32(2, "euid", ar->ar_arg_euid);
1489 kau_write(rec, tok);
1490 }
1491 break;
1492
1493 case AUE_SETGID:
1494 if (ARG_IS_VALID(kar, ARG_GID)) {
1495 tok = au_to_arg32(1, "gid", ar->ar_arg_gid);
1496 kau_write(rec, tok);
1497 }
1498 break;
1499
1500 case AUE_SETUID:
1501 if (ARG_IS_VALID(kar, ARG_UID)) {
1502 tok = au_to_arg32(1, "uid", ar->ar_arg_uid);
1503 kau_write(rec, tok);
1504 }
1505 break;
1506
1507 case AUE_SETGROUPS:
1508 if (ARG_IS_VALID(kar, ARG_GROUPSET)) {
1509 for (uctr = 0; uctr < ar->ar_arg_groups.gidset_size;
1510 uctr++) {
1511 tok = au_to_arg32(1, "setgroups",
1512 ar->ar_arg_groups.gidset[uctr]);
1513 kau_write(rec, tok);
1514 }
1515 }
1516 break;
1517
1518 case AUE_SETLOGIN:
1519 if (ARG_IS_VALID(kar, ARG_TEXT)) {
1520 tok = au_to_text(ar->ar_arg_text);
1521 kau_write(rec, tok);
1522 }
1523 break;
1524
1525 case AUE_SETPRIORITY:
1526 if (ARG_IS_VALID(kar, ARG_CMD)) {
1527 tok = au_to_arg32(1, "which", ar->ar_arg_cmd);
1528 kau_write(rec, tok);
1529 }
1530 if (ARG_IS_VALID(kar, ARG_UID)) {
1531 tok = au_to_arg32(2, "who", ar->ar_arg_uid);
1532 kau_write(rec, tok);
1533 }
1534 if (ARG_IS_VALID(kar, ARG_VALUE32)) {
1535 tok = au_to_arg32(2, "priority", ar->ar_arg_value32);
1536 kau_write(rec, tok);
1537 }
1538 break;
1539
1540 case AUE_SETPRIVEXEC:
1541 if (ARG_IS_VALID(kar, ARG_VALUE32)) {
1542 tok = au_to_arg32(1, "flag", ar->ar_arg_value32);
1543 kau_write(rec, tok);
1544 }
1545 break;
1546
1547 /* AUE_SHMAT, AUE_SHMCTL, AUE_SHMDT and AUE_SHMGET are SysV IPC */
1548 case AUE_SHMAT:
1549 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
1550 tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id);
1551 kau_write(rec, tok);
1552 /* XXXAUDIT: Does having the ipc token make sense? */
1553 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id);
1554 kau_write(rec, tok);
1555 }
1556 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) {
1557 tok = au_to_arg64(2, "shmaddr", ar->ar_arg_svipc_addr);
1558 kau_write(rec, tok);
1559 }
1560 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) {
1561 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm);
1562 kau_write(rec, tok);
1563 }
1564 break;
1565
1566 case AUE_SHMCTL:
1567 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
1568 tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id);
1569 kau_write(rec, tok);
1570 /* XXXAUDIT: Does having the ipc token make sense? */
1571 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id);
1572 kau_write(rec, tok);
1573 }
1574 switch (ar->ar_arg_svipc_cmd) {
1575 case IPC_STAT:
1576 ar->ar_event = AUE_SHMCTL_STAT;
1577 break;
1578 case IPC_RMID:
1579 ar->ar_event = AUE_SHMCTL_RMID;
1580 break;
1581 case IPC_SET:
1582 ar->ar_event = AUE_SHMCTL_SET;
1583 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) {
1584 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm);
1585 kau_write(rec, tok);
1586 }
1587 break;
1588 default:
1589 break; /* We will audit a bad command */
1590 }
1591 break;
1592
1593 case AUE_SHMDT:
1594 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) {
1595 tok = au_to_arg64(1, "shmaddr",
1596 (int)(uintptr_t)ar->ar_arg_svipc_addr);
1597 kau_write(rec, tok);
1598 }
1599 break;
1600
1601 case AUE_SHMGET:
1602 /* This is unusual; the return value is in an argument token */
1603 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
1604 tok = au_to_arg32(0, "shmid", ar->ar_arg_svipc_id);
1605 kau_write(rec, tok);
1606 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id);
1607 kau_write(rec, tok);
1608 }
1609 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) {
1610 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm);
1611 kau_write(rec, tok);
1612 }
1613 break;
1614
1615 /* AUE_SHMOPEN, AUE_SHMUNLINK, AUE_SEMOPEN, AUE_SEMCLOSE
1616 * and AUE_SEMUNLINK are Posix IPC */
1617 case AUE_SHMOPEN:
1618 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) {
1619 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
1620 kau_write(rec, tok);
1621 }
1622 if (ARG_IS_VALID(kar, ARG_MODE)) {
1623 tok = au_to_arg32(3, "mode", ar->ar_arg_mode);
1624 kau_write(rec, tok);
1625 }
1626 /* FALLTHROUGH */
1627
1628 case AUE_SHMUNLINK:
1629 if (ARG_IS_VALID(kar, ARG_TEXT)) {
1630 tok = au_to_text(ar->ar_arg_text);
1631 kau_write(rec, tok);
1632 }
1633 if (ARG_IS_VALID(kar, ARG_POSIX_IPC_PERM)) {
1634 struct ipc_perm perm;
1635
1636 perm.uid = ar->ar_arg_pipc_perm.pipc_uid;
1637 perm.gid = ar->ar_arg_pipc_perm.pipc_gid;
1638 perm.cuid = ar->ar_arg_pipc_perm.pipc_uid;
1639 perm.cgid = ar->ar_arg_pipc_perm.pipc_gid;
1640 perm.mode = ar->ar_arg_pipc_perm.pipc_mode;
1641 perm._seq = 0;
1642 perm._key = 0;
1643 tok = au_to_ipc_perm(&perm);
1644 kau_write(rec, tok);
1645 }
1646 break;
1647
1648 case AUE_SEMOPEN:
1649 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
1650 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
1651 kau_write(rec, tok);
1652 }
1653 if (ARG_IS_VALID(kar, ARG_MODE)) {
1654 tok = au_to_arg32(3, "mode", ar->ar_arg_mode);
1655 kau_write(rec, tok);
1656 }
1657 if (ARG_IS_VALID(kar, ARG_VALUE32)) {
1658 tok = au_to_arg32(4, "value", ar->ar_arg_value32);
1659 kau_write(rec, tok);
1660 }
1661 /* FALLTHROUGH */
1662
1663 case AUE_SEMUNLINK:
1664 if (ARG_IS_VALID(kar, ARG_TEXT)) {
1665 tok = au_to_text(ar->ar_arg_text);
1666 kau_write(rec, tok);
1667 }
1668 if (ARG_IS_VALID(kar, ARG_POSIX_IPC_PERM)) {
1669 struct ipc_perm perm;
1670
1671 perm.uid = ar->ar_arg_pipc_perm.pipc_uid;
1672 perm.gid = ar->ar_arg_pipc_perm.pipc_gid;
1673 perm.cuid = ar->ar_arg_pipc_perm.pipc_uid;
1674 perm.cgid = ar->ar_arg_pipc_perm.pipc_gid;
1675 perm.mode = ar->ar_arg_pipc_perm.pipc_mode;
1676 perm._seq = 0;
1677 perm._key = 0;
1678 tok = au_to_ipc_perm(&perm);
1679 kau_write(rec, tok);
1680 }
1681 break;
1682
1683 case AUE_SEMCLOSE:
1684 if (ARG_IS_VALID(kar, ARG_FD)) {
1685 tok = au_to_arg32(1, "sem", ar->ar_arg_fd);
1686 kau_write(rec, tok);
1687 }
1688 break;
1689
1690 case AUE_SYMLINK:
1691 if (ARG_IS_VALID(kar, ARG_TEXT)) {
1692 tok = au_to_text(ar->ar_arg_text);
1693 kau_write(rec, tok);
1694 }
1695 UPATH1_VNODE1_TOKENS;
1696 break;
1697
1698 case AUE_SYSCTL:
1699 case AUE_SYSCTL_NONADMIN:
1700 if (ARG_IS_VALID(kar, ARG_CTLNAME | ARG_LEN)) {
1701 for (ctr = 0; ctr < (int)ar->ar_arg_len; ctr++) {
1702 tok = au_to_arg32(1, "name",
1703 ar->ar_arg_ctlname[ctr]);
1704 kau_write(rec, tok);
1705 }
1706 }
1707 if (ARG_IS_VALID(kar, ARG_VALUE32)) {
1708 tok = au_to_arg32(5, "newval", ar->ar_arg_value32);
1709 kau_write(rec, tok);
1710 }
1711 if (ARG_IS_VALID(kar, ARG_TEXT)) {
1712 tok = au_to_text(ar->ar_arg_text);
1713 kau_write(rec, tok);
1714 }
1715 break;
1716
1717 case AUE_UMASK_EXTENDED:
1718 /* ACL data */
1719 if (ARG_IS_VALID(kar, ARG_OPAQUE)) {
1720 tok = au_to_opaque(ar->ar_arg_opaque,
1721 ar->ar_arg_opq_size);
1722 kau_write(rec, tok);
1723 }
1724 /* FALLTHROUGH */
1725
1726 case AUE_UMASK:
1727 if (ARG_IS_VALID(kar, ARG_MASK)) {
1728 tok = au_to_arg32(1, "new mask", ar->ar_arg_mask);
1729 kau_write(rec, tok);
1730 }
1731 tok = au_to_arg32(0, "prev mask", ar->ar_retval);
1732 kau_write(rec, tok);
1733 break;
1734
1735 case AUE_WAIT4:
1736 #if 0 /* XXXss - new */
1737 case AUE_WAITID:
1738 #endif
1739 if (ARG_IS_VALID(kar, ARG_PID)) {
1740 tok = au_to_arg32(0, "pid", ar->ar_arg_pid);
1741 kau_write(rec, tok);
1742 }
1743 break;
1744
1745 case AUE_FSGETPATH:
1746 if (ARG_IS_VALID(kar, ARG_VALUE32)) {
1747 tok = au_to_arg32(3, "volfsid", ar->ar_arg_value32);
1748 kau_write(rec, tok);
1749 }
1750 if (ARG_IS_VALID(kar, ARG_VALUE64)) {
1751 tok = au_to_arg64(4, "objid", ar->ar_arg_value64);
1752 kau_write(rec, tok);
1753 }
1754 if (ARG_IS_VALID(kar, ARG_TEXT)) {
1755 tok = au_to_text(ar->ar_arg_text);
1756 kau_write(rec, tok);
1757 }
1758 break;
1759
1760 case AUE_SESSION_START:
1761 case AUE_SESSION_UPDATE:
1762 case AUE_SESSION_END:
1763 case AUE_SESSION_CLOSE:
1764 if (ARG_IS_VALID(kar, ARG_VALUE64)) {
1765 tok = au_to_arg64(1, "sflags", ar->ar_arg_value64);
1766 kau_write(rec, tok);
1767 }
1768 if (ARG_IS_VALID(kar, ARG_AMASK)) {
1769 tok = au_to_arg32(2, "am_success",
1770 ar->ar_arg_amask.am_success);
1771 kau_write(rec, tok);
1772 tok = au_to_arg32(3, "am_failure",
1773 ar->ar_arg_amask.am_failure);
1774 kau_write(rec, tok);
1775 }
1776 break;
1777
1778 /************************
1779 * Mach system calls *
1780 ************************/
1781 case AUE_INITPROCESS:
1782 break;
1783
1784 case AUE_PIDFORTASK:
1785 if (ARG_IS_VALID(kar, ARG_MACHPORT1)) {
1786 tok = au_to_arg32(1, "port",
1787 (u_int32_t)ar->ar_arg_mach_port1);
1788 kau_write(rec, tok);
1789 }
1790 if (ARG_IS_VALID(kar, ARG_PID)) {
1791 tok = au_to_arg32(2, "pid", (u_int32_t)ar->ar_arg_pid);
1792 kau_write(rec, tok);
1793 }
1794 break;
1795
1796 case AUE_TASKFORPID:
1797 case AUE_TASKNAMEFORPID:
1798 if (ARG_IS_VALID(kar, ARG_MACHPORT1)) {
1799 tok = au_to_arg32(1, "target port",
1800 (u_int32_t)ar->ar_arg_mach_port1);
1801 kau_write(rec, tok);
1802 }
1803 if (ARG_IS_VALID(kar, ARG_MACHPORT2)) {
1804 tok = au_to_arg32(3, "task port",
1805 (u_int32_t)ar->ar_arg_mach_port2);
1806 kau_write(rec, tok);
1807 }
1808 PROCESS_PID_TOKENS(2);
1809 break;
1810
1811 case AUE_SWAPON:
1812 if (ARG_IS_VALID(kar, ARG_VALUE32)) {
1813 tok = au_to_arg32(4, "priority",
1814 (u_int32_t)ar->ar_arg_value32);
1815 kau_write(rec, tok);
1816 }
1817 UPATH1_VNODE1_TOKENS;
1818 break;
1819
1820 case AUE_SWAPOFF:
1821 UPATH1_VNODE1_TOKENS;
1822 break;
1823
1824 case AUE_MAPFD:
1825 if (ARG_IS_VALID(kar, ARG_ADDR64)) {
1826 tok = au_to_arg64(3, "va", ar->ar_arg_addr);
1827 kau_write(rec, tok);
1828 } else if (ARG_IS_VALID(kar, ARG_ADDR32)) {
1829 tok = au_to_arg32(3, "va",
1830 (u_int32_t)ar->ar_arg_addr);
1831 kau_write(rec, tok);
1832 }
1833 FD_VNODE1_TOKENS;
1834 break;
1835
1836 #if CONFIG_MACF
1837 case AUE_MAC_GET_FILE:
1838 case AUE_MAC_SET_FILE:
1839 case AUE_MAC_GET_LINK:
1840 case AUE_MAC_SET_LINK:
1841 case AUE_MAC_GET_MOUNT:
1842 UPATH1_VNODE1_TOKENS;
1843 PROCESS_MAC_TOKENS;
1844 break;
1845
1846 case AUE_MAC_GET_FD:
1847 case AUE_MAC_SET_FD:
1848 FD_VNODE1_TOKENS;
1849 PROCESS_MAC_TOKENS;
1850 break;
1851
1852 case AUE_MAC_SYSCALL:
1853 PROCESS_MAC_TOKENS;
1854 if (ARG_IS_VALID(kar, ARG_VALUE32)) {
1855 tok = au_to_arg32(3, "call", ar->ar_arg_value32);
1856 kau_write(rec, tok);
1857 }
1858 break;
1859
1860 case AUE_MAC_EXECVE:
1861 UPATH1_VNODE1_TOKENS;
1862 PROCESS_MAC_TOKENS;
1863 break;
1864
1865 case AUE_MAC_GET_PID:
1866 if (ARG_IS_VALID(kar, ARG_PID)) {
1867 tok = au_to_arg32(1, "pid", (u_int32_t)ar->ar_arg_pid);
1868 kau_write(rec, tok);
1869 }
1870 PROCESS_MAC_TOKENS;
1871 break;
1872
1873 case AUE_MAC_GET_LCID:
1874 if (ARG_IS_VALID(kar, ARG_VALUE32)) {
1875 tok = au_to_arg32(1, "lcid",
1876 (u_int32_t)ar->ar_arg_value32);
1877 kau_write(rec, tok);
1878 }
1879 PROCESS_MAC_TOKENS;
1880 break;
1881
1882 case AUE_MAC_GET_PROC:
1883 case AUE_MAC_SET_PROC:
1884 case AUE_MAC_GET_LCTX:
1885 case AUE_MAC_SET_LCTX:
1886 PROCESS_MAC_TOKENS;
1887 break;
1888 #endif
1889 case AUE_NULL:
1890 default:
1891 #if DIAGNOSTIC
1892 printf("BSM conversion requested for unknown event %d\n",
1893 ar->ar_event);
1894 #endif
1895
1896 /*
1897 * Write the subject token so it is properly freed here.
1898 */
1899 kau_write(rec, subj_tok);
1900 kau_free(rec);
1901 return (BSM_NOAUDIT);
1902 }
1903
1904 #if CONFIG_MACF
1905 if (NULL != ar->ar_mac_records) {
1906 /* Convert the audit data from the MAC policies */
1907 struct mac_audit_record *mar;
1908
1909 LIST_FOREACH(mar, ar->ar_mac_records, records) {
1910 switch (mar->type) {
1911 case MAC_AUDIT_DATA_TYPE:
1912 tok = au_to_data(AUP_BINARY, AUR_BYTE,
1913 mar->length,
1914 (const char *)mar->data);
1915 break;
1916 case MAC_AUDIT_TEXT_TYPE:
1917 tok = au_to_text((char*) mar->data);
1918 break;
1919 default:
1920 /*
1921 * XXX: we can either continue,
1922 * skipping this particular entry,
1923 * or we can pre-verify the list and
1924 * abort before writing any records
1925 */
1926 printf("kaudit_to_bsm(): "
1927 "BSM conversion requested for"
1928 "unknown mac_audit data type %d\n",
1929 mar->type);
1930 }
1931
1932 kau_write(rec, tok);
1933 }
1934 }
1935 #endif
1936
1937 kau_write(rec, subj_tok);
1938
1939 #if CONFIG_MACF
1940 if (ar->ar_cred_mac_labels != NULL &&
1941 strlen(ar->ar_cred_mac_labels) != 0) {
1942 tok = au_to_text(ar->ar_cred_mac_labels);
1943 kau_write(rec, tok);
1944 }
1945 #endif
1946
1947 tok = au_to_return32(au_errno_to_bsm(ar->ar_errno), ar->ar_retval);
1948 kau_write(rec, tok); /* Every record gets a return token */
1949
1950 kau_close(rec, &ar->ar_endtime, ar->ar_event);
1951
1952 *pau = rec;
1953 return (BSM_SUCCESS);
1954 }
1955
1956 /*
1957 * Verify that a record is a valid BSM record. This verification is simple
1958 * now, but may be expanded on sometime in the future. Return 1 if the
1959 * record is good, 0 otherwise.
1960 */
1961 int
1962 bsm_rec_verify(void *rec)
1963 {
1964 char c = *(char *)rec;
1965
1966 /*
1967 * Check the token ID of the first token; it has to be a header
1968 * token.
1969 *
1970 * XXXAUDIT There needs to be a token structure to map a token.
1971 * XXXAUDIT 'Shouldn't be simply looking at the first char.
1972 */
1973 if ((c != AUT_HEADER32) && (c != AUT_HEADER32_EX) &&
1974 (c != AUT_HEADER64) && (c != AUT_HEADER64_EX))
1975 return (0);
1976 return (1);
1977 }
1978 #endif /* CONFIG_AUDIT */
mirror of XNU