]> git.saurik.com Git - apple/xnu.git/blob - bsd/kern/kern_bsm_klib.c
xnu-1228.0.2.tar.gz
[apple/xnu.git] / bsd / kern / kern_bsm_klib.c
1 /*
2 * Copyright (c) 2004-2007 Apple Inc. All rights reserved.
3 *
4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. The rights granted to you under the License
10 * may not be used to create, or enable the creation or redistribution of,
11 * unlawful or unlicensed copies of an Apple operating system, or to
12 * circumvent, violate, or enable the circumvention or violation of, any
13 * terms of an Apple operating system software license agreement.
14 *
15 * Please obtain a copy of the License at
16 * http://www.opensource.apple.com/apsl/ and read it before using this file.
17 *
18 * The Original Code and all software distributed under the License are
19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 * Please see the License for the specific language governing rights and
24 * limitations under the License.
25 *
26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27 */
28 /*
29 * NOTICE: This file was modified by SPARTA, Inc. in 2005 to introduce
30 * support for mandatory and extensible security protections. This notice
31 * is included in support of clause 2.2 (b) of the Apple Public License,
32 * Version 2.0.
33 */
34
35 #include <sys/systm.h>
36 #include <sys/sysent.h>
37 #include <sys/types.h>
38 #include <sys/proc_internal.h>
39 #include <sys/vnode_internal.h>
40 #include <sys/fcntl.h>
41 #include <sys/filedesc.h>
42 #include <sys/sem.h>
43
44 #include <bsm/audit.h>
45 #include <bsm/audit_kernel.h>
46 #include <bsm/audit_kevents.h>
47 #include <bsm/audit_klib.h>
48
49 #include <kern/kalloc.h>
50
51 /*
52 * Initialize the system call to audit event mapping table. This table
53 * must be kept in sync with the system call table. This table is meant to
54 * be directly accessed.
55 * XXX This should be improved, though, to make it independent of the syscall
56 * table (but we don't want to traverse a large table for every system call
57 * to find a match). Ultimately, it would be best to place the audit event
58 * number in the system call table.
59 */
60 au_event_t sys_au_event[] = {
61 AUE_NULL, /* 0 = indir */
62 AUE_EXIT, /* 1 = exit */
63 AUE_FORK, /* 2 = fork */
64 AUE_NULL, /* 3 = read */
65 AUE_NULL, /* 4 = write */
66 AUE_OPEN_RWTC, /* 5 = open */
67 AUE_CLOSE, /* 6 = close */
68 AUE_NULL, /* 7 = wait4 */
69 AUE_O_CREAT, /* 8 = old creat */
70 AUE_LINK, /* 9 = link */
71 AUE_UNLINK, /* 10 = unlink */
72 AUE_NULL, /* 11 was obsolete execv */
73 AUE_CHDIR, /* 12 = chdir */
74 AUE_FCHDIR, /* 13 = fchdir */
75 AUE_MKNOD, /* 14 = mknod */
76 AUE_CHMOD, /* 15 = chmod */
77 AUE_CHOWN, /* 16 = chown; now 3 args */
78 AUE_NULL, /* 17 = old break */
79 #if COMPAT_GETFSSTAT
80 AUE_GETFSSTAT, /* 18 = getfsstat */
81 #else
82 AUE_NULL, /* 18 = ogetfsstat */
83 #endif
84 AUE_NULL, /* 19 = old lseek */
85 AUE_NULL, /* 20 = getpid */
86 AUE_NULL, /* 21 was obsolete mount */
87 AUE_NULL, /* 22 was obsolete umount */
88 AUE_SETUID, /* 23 = setuid */
89 AUE_NULL, /* 24 = getuid */
90 AUE_NULL, /* 25 = geteuid */
91 AUE_PTRACE, /* 26 = ptrace */
92 AUE_RECVMSG, /* 27 = recvmsg */
93 AUE_SENDMSG, /* 28 = sendmsg */
94 AUE_RECVFROM, /* 29 = recvfrom */
95 AUE_ACCEPT, /* 30 = accept */
96 AUE_NULL, /* 31 = getpeername */
97 AUE_NULL, /* 32 = getsockname */
98 AUE_ACCESS, /* 33 = access */
99 AUE_CHFLAGS, /* 34 = chflags */
100 AUE_FCHFLAGS, /* 35 = fchflags */
101 AUE_NULL, /* 36 = sync */
102 AUE_KILL, /* 37 = kill */
103 AUE_O_STAT, /* 38 = old stat */
104 AUE_NULL, /* 39 = getppid */
105 AUE_O_LSTAT, /* 40 = old lstat */
106 AUE_NULL, /* 41 = dup */
107 AUE_PIPE, /* 42 = pipe */
108 AUE_NULL, /* 43 = getegid */
109 AUE_NULL, /* 44 = profil */
110 AUE_NULL, /* 45 = old ktrace */
111 AUE_NULL, /* 46 = sigaction */
112 AUE_NULL, /* 47 = getgid */
113 AUE_NULL, /* 48 = sigprocmask */
114 AUE_NULL, /* 49 = getlogin */
115 AUE_SETLOGIN, /* 50 = setlogin */
116 AUE_ACCT, /* 51 = turn acct off/on */
117 AUE_NULL, /* 52 = sigpending */
118 AUE_NULL, /* 53 = sigaltstack */
119 AUE_IOCTL, /* 54 = ioctl */
120 AUE_REBOOT, /* 55 = reboot */
121 AUE_REVOKE, /* 56 = revoke */
122 AUE_SYMLINK, /* 57 = symlink */
123 AUE_READLINK, /* 58 = readlink */
124 AUE_EXECVE, /* 59 = execve */
125 AUE_UMASK, /* 60 = umask */
126 AUE_CHROOT, /* 61 = chroot */
127 AUE_O_FSTAT, /* 62 = old fstat */
128 AUE_NULL, /* 63 = used internally, reserved */
129 AUE_NULL, /* 64 = old getpagesize */
130 AUE_NULL, /* 65 = msync */
131 AUE_VFORK, /* 66 = vfork */
132 AUE_NULL, /* 67 was obsolete vread */
133 AUE_NULL, /* 68 was obsolete vwrite */
134 AUE_NULL, /* 69 = sbrk */
135 AUE_NULL, /* 70 = sstk */
136 AUE_O_MMAP, /* 71 = old mmap */
137 AUE_NULL, /* 72 = old vadvise */
138 AUE_MUNMAP, /* 73 = munmap */
139 AUE_MPROTECT, /* 74 = mprotect */
140 AUE_NULL, /* 75 = madvise */
141 AUE_NULL, /* 76 was obsolete vhangup */
142 AUE_NULL, /* 77 was obsolete vlimit */
143 AUE_NULL, /* 78 = mincore */
144 AUE_NULL, /* 79 = getgroups */
145 AUE_SETGROUPS, /* 80 = setgroups */
146 AUE_NULL, /* 81 = getpgrp */
147 AUE_SETPGRP, /* 82 = setpgid */
148 AUE_NULL, /* 83 = setitimer */
149 AUE_NULL, /* 84 = old wait */
150 AUE_NULL, /* 85 = swapon */
151 AUE_NULL, /* 86 = getitimer */
152 AUE_NULL, /* 87 = old gethostname */
153 AUE_O_SETHOSTNAME, /* 88 = old sethostname */
154 AUE_NULL, /* 89 getdtablesize */
155 AUE_NULL, /* 90 = dup2 */
156 AUE_NULL, /* 91 was obsolete getdopt */
157 AUE_FCNTL, /* 92 = fcntl */
158 AUE_NULL, /* 93 = select */
159 AUE_NULL, /* 94 was obsolete setdopt */
160 AUE_NULL, /* 95 = fsync */
161 AUE_SETPRIORITY, /* 96 = setpriority */
162 AUE_SOCKET, /* 97 = socket */
163 AUE_CONNECT, /* 98 = connect */
164 AUE_NULL, /* 99 = accept */
165 AUE_NULL, /* 100 = getpriority */
166 AUE_O_SEND, /* 101 = old send */
167 AUE_O_RECV, /* 102 = old recv */
168 AUE_NULL, /* 103 = sigreturn */
169 AUE_BIND, /* 104 = bind */
170 AUE_SETSOCKOPT, /* 105 = setsockopt */
171 AUE_NULL, /* 106 = listen */
172 AUE_NULL, /* 107 was vtimes */
173 AUE_NULL, /* 108 = sigvec */
174 AUE_NULL, /* 109 = sigblock */
175 AUE_NULL, /* 110 = sigsetmask */
176 AUE_NULL, /* 111 = sigpause */
177 AUE_NULL, /* 112 = sigstack */
178 AUE_O_RECVMSG, /* 113 = recvmsg */
179 AUE_O_SENDMSG, /* 114 = sendmsg */
180 AUE_NULL, /* 115 = old vtrace */
181 AUE_NULL, /* 116 = gettimeofday */
182 AUE_NULL, /* 117 = getrusage */
183 AUE_NULL, /* 118 = getsockopt */
184 AUE_NULL, /* 119 = old resuba */
185 AUE_NULL, /* 120 = readv */
186 AUE_NULL, /* 121 = writev */
187 AUE_SETTIMEOFDAY, /* 122 = settimeofday */
188 AUE_FCHOWN, /* 123 = fchown */
189 AUE_FCHMOD, /* 124 = fchmod */
190 AUE_O_RECVFROM, /* 125 = recvfrom */
191 AUE_NULL, /* 126 = setreuid */
192 AUE_NULL, /* 127 = setregid */
193 AUE_RENAME, /* 128 = rename */
194 AUE_O_TRUNCATE, /* 129 = old truncate */
195 AUE_O_FTRUNCATE, /* 130 = old ftruncate */
196 AUE_FLOCK, /* 131 = flock */
197 AUE_MKFIFO, /* 132 = mkfifo */
198 AUE_SENDTO, /* 133 = sendto */
199 AUE_SHUTDOWN, /* 134 = shutdown */
200 AUE_SOCKETPAIR, /* 135 = socketpair */
201 AUE_MKDIR, /* 136 = mkdir */
202 AUE_RMDIR, /* 137 = rmdir */
203 AUE_UTIMES, /* 138 = utimes */
204 AUE_FUTIMES, /* 139 = futimes */
205 AUE_ADJTIME, /* 140 = adjtime */
206 AUE_NULL, /* 141 = getpeername */
207 AUE_NULL, /* 142 = old gethostid */
208 AUE_NULL, /* 143 = old sethostid */
209 AUE_NULL, /* 144 = old getrlimit */
210 AUE_O_SETRLIMIT, /* 145 = old setrlimit */
211 AUE_O_KILLPG, /* 146 = old killpg */
212 AUE_SETSID, /* 147 = setsid */
213 AUE_NULL, /* 148 was setquota */
214 AUE_NULL, /* 149 was qquota */
215 AUE_NULL, /* 150 = getsockname */
216 AUE_NULL, /* 151 = getpgid */
217 AUE_SETPRIVEXEC, /* 152 = setprivexec */
218 AUE_NULL, /* 153 = pread */
219 AUE_NULL, /* 154 = pwrite */
220 AUE_NFSSVC, /* 155 = nfs_svc */
221 AUE_O_GETDIRENTRIES, /* 156 = old getdirentries */
222 AUE_STATFS, /* 157 = statfs */
223 AUE_FSTATFS, /* 158 = fstatfs */
224 AUE_UNMOUNT, /* 159 = unmount */
225 AUE_NULL, /* 160 was async_daemon */
226 AUE_GETFH, /* 161 = get file handle */
227 AUE_NULL, /* 162 = getdomainname */
228 AUE_O_SETDOMAINNAME, /* 163 = setdomainname */
229 AUE_NULL, /* 164 */
230 #if QUOTA
231 AUE_QUOTACTL, /* 165 = quotactl */
232 #else /* QUOTA */
233 AUE_NULL, /* 165 = not configured */
234 #endif /* QUOTA */
235 AUE_NULL, /* 166 was exportfs */
236 AUE_MOUNT, /* 167 = mount */
237 AUE_NULL, /* 168 was ustat */
238 AUE_NULL, /* 169 = nosys */
239 AUE_NULL, /* 170 was table */
240 AUE_NULL, /* 171 = old wait3 */
241 AUE_NULL, /* 172 was rpause */
242 AUE_NULL, /* 173 = nosys */
243 AUE_NULL, /* 174 was getdents */
244 AUE_NULL, /* 175 was gc_control */
245 AUE_NULL, /* 176 = add_profil */
246 AUE_NULL, /* 177 */
247 AUE_NULL, /* 178 */
248 AUE_NULL, /* 179 */
249 AUE_NULL, /* 180 */
250 AUE_SETGID, /* 181 */
251 AUE_SETEGID, /* 182 */
252 AUE_SETEUID, /* 183 */
253 AUE_NULL, /* 184 = nosys */
254 AUE_NULL, /* 185 = nosys */
255 AUE_NULL, /* 186 = nosys */
256 AUE_NULL, /* 187 = nosys */
257 AUE_STAT, /* 188 = stat */
258 AUE_FSTAT, /* 189 = fstat */
259 AUE_LSTAT, /* 190 = lstat */
260 AUE_PATHCONF, /* 191 = pathconf */
261 AUE_FPATHCONF, /* 192 = fpathconf */
262 #if COMPAT_GETFSSTAT
263 AUE_GETFSSTAT, /* 193 = getfsstat */
264 #else
265 AUE_NULL, /* 193 is unused */
266 #endif
267 AUE_NULL, /* 194 = getrlimit */
268 AUE_SETRLIMIT, /* 195 = setrlimit */
269 AUE_GETDIRENTRIES, /* 196 = getdirentries */
270 AUE_MMAP, /* 197 = mmap */
271 AUE_NULL, /* 198 = __syscall */
272 AUE_NULL, /* 199 = lseek */
273 AUE_TRUNCATE, /* 200 = truncate */
274 AUE_FTRUNCATE, /* 201 = ftruncate */
275 AUE_SYSCTL, /* 202 = __sysctl */
276 AUE_MLOCK, /* 203 = mlock */
277 AUE_MUNLOCK, /* 204 = munlock */
278 AUE_UNDELETE, /* 205 = undelete */
279 AUE_NULL, /* 206 = ATsocket */
280 AUE_NULL, /* 207 = ATgetmsg*/
281 AUE_NULL, /* 208 = ATputmsg*/
282 AUE_NULL, /* 209 = ATPsndreq*/
283 AUE_NULL, /* 210 = ATPsndrsp*/
284 AUE_NULL, /* 211 = ATPgetreq*/
285 AUE_NULL, /* 212 = ATPgetrsp*/
286 AUE_NULL, /* 213 = Reserved for AppleTalk */
287 AUE_NULL, /* 214 = Reserved for AppleTalk */
288 AUE_NULL, /* 215 = Reserved for AppleTalk */
289
290 AUE_NULL, /* 216 = HFS make complex file call (multipel forks */
291 AUE_NULL, /* 217 = HFS statv extended stat call for HFS */
292 AUE_NULL, /* 218 = HFS lstatv extended lstat call for HFS */
293 AUE_NULL, /* 219 = HFS fstatv extended fstat call for HFS */
294 AUE_GETATTRLIST,/* 220 = HFS getarrtlist get attribute list cal */
295 AUE_SETATTRLIST,/* 221 = HFS setattrlist set attribute list */
296 AUE_GETDIRENTRIESATTR,/* 222 = HFS getdirentriesattr get directory attributes */
297 AUE_EXCHANGEDATA,/* 223 = HFS exchangedata exchange file contents */
298 AUE_CHECKUSERACCESS,/* 224 = HFS checkuseraccess check access to file */
299 AUE_SEARCHFS, /* 225 = HFS searchfs to implement catalog searching */
300 AUE_DELETE, /* 226 = private delete (Carbon semantics) */
301 AUE_NULL, /* 227 = copyfile - orignally for AFP */
302 AUE_NULL, /* 228 */
303 AUE_NULL, /* 229 */
304 AUE_NULL, /* 230 */
305 AUE_NULL, /* 231 */
306 AUE_NULL, /* 232 */
307 AUE_NULL, /* 233 */
308 AUE_NULL, /* 234 */
309 AUE_NULL, /* 235 */
310 AUE_NULL, /* 236 */
311 AUE_NULL, /* 237 */
312 AUE_NULL, /* 238 */
313 AUE_NULL, /* 239 */
314 AUE_NULL, /* 240 */
315 AUE_NULL, /* 241 */
316 AUE_NULL, /* 242 = fsctl */
317 AUE_NULL, /* 243 */
318 AUE_NULL, /* 244 */
319 AUE_NULL, /* 245 */
320 AUE_NULL, /* 246 */
321 AUE_NULL, /* 247 = nfsclnt*/
322 AUE_NULL, /* 248 = fhopen */
323 AUE_NULL, /* 249 */
324 AUE_MINHERIT, /* 250 = minherit */
325 AUE_NULL, /* 251 = semsys */
326 AUE_NULL, /* 252 = msgsys */
327 AUE_NULL, /* 253 = shmsys */
328 AUE_SEMCTL, /* 254 = semctl */
329 AUE_SEMGET, /* 255 = semget */
330 AUE_SEMOP, /* 256 = semop */
331 AUE_NULL, /* 257 = */
332 AUE_MSGCTL, /* 258 = msgctl */
333 AUE_MSGGET, /* 259 = msgget */
334 AUE_MSGSND, /* 260 = msgsnd */
335 AUE_MSGRCV, /* 261 = msgrcv */
336 AUE_SHMAT, /* 262 = shmat */
337 AUE_SHMCTL, /* 263 = shmctl */
338 AUE_SHMDT, /* 264 = shmdt */
339 AUE_SHMGET, /* 265 = shmget */
340 AUE_SHMOPEN, /* 266 = shm_open */
341 AUE_SHMUNLINK, /* 267 = shm_unlink */
342 AUE_SEMOPEN, /* 268 = sem_open */
343 AUE_SEMCLOSE, /* 269 = sem_close */
344 AUE_SEMUNLINK, /* 270 = sem_unlink */
345 AUE_NULL, /* 271 = sem_wait */
346 AUE_NULL, /* 272 = sem_trywait */
347 AUE_NULL, /* 273 = sem_post */
348 AUE_NULL, /* 274 = sem_getvalue */
349 AUE_NULL, /* 275 = sem_init */
350 AUE_NULL, /* 276 = sem_destroy */
351 AUE_NULL, /* 277 */
352 AUE_NULL, /* 278 */
353 AUE_NULL, /* 279 */
354 AUE_NULL, /* 280 */
355 AUE_NULL, /* 281 */
356 AUE_NULL, /* 282 */
357 AUE_NULL, /* 283 */
358 AUE_NULL, /* 284 */
359 AUE_NULL, /* 285 */
360 AUE_NULL, /* 286 */
361 AUE_NULL, /* 287 */
362 AUE_NULL, /* 288 */
363 AUE_NULL, /* 289 */
364 AUE_NULL, /* 290 */
365 AUE_NULL, /* 291 */
366 AUE_NULL, /* 292 */
367 AUE_NULL, /* 293 */
368 AUE_NULL, /* 294 */
369 AUE_NULL, /* 295 */
370 AUE_NULL, /* 296 */
371 AUE_NULL, /* 297 */
372 AUE_NULL, /* 298 */
373 AUE_NULL, /* 299 */
374 AUE_NULL, /* 300 */
375 AUE_NULL, /* 301 */
376 AUE_NULL, /* 302 */
377 AUE_NULL, /* 303 */
378 AUE_NULL, /* 304 */
379 AUE_NULL, /* 305 */
380 AUE_NULL, /* 306 */
381 AUE_NULL, /* 307 */
382 AUE_NULL, /* 308 */
383 AUE_NULL, /* 309 */
384 AUE_NULL, /* 310 = getsid */
385 AUE_NULL, /* 311 */
386 AUE_NULL, /* 312 */
387 AUE_NULL, /* 313 */
388 AUE_NULL, /* 314 */
389 AUE_NULL, /* 315 */
390 AUE_NULL, /* 316 */
391 AUE_NULL, /* 317 */
392 AUE_NULL, /* 318 */
393 AUE_NULL, /* 319 */
394 AUE_NULL, /* 320 */
395 AUE_NULL, /* 321 */
396 AUE_NULL, /* 322 */
397 AUE_NULL, /* 323 */
398 AUE_NULL, /* 324 = mlockall*/
399 AUE_NULL, /* 325 = munlockall*/
400 AUE_NULL, /* 326 */
401 AUE_NULL, /* 327 = issetugid */
402 AUE_NULL, /* 328 */
403 AUE_NULL, /* 329 */
404 AUE_NULL, /* 330 */
405 AUE_NULL, /* 331 */
406 AUE_NULL, /* 332 */
407 AUE_NULL, /* 333 */
408 AUE_NULL, /* 334 */
409 AUE_NULL, /* 335 = utrace */
410 AUE_NULL, /* 336 */
411 AUE_NULL, /* 337 */
412 AUE_NULL, /* 338 */
413 AUE_NULL, /* 339 */
414 AUE_NULL, /* 340 */
415 AUE_NULL, /* 341 */
416 AUE_NULL, /* 342 */
417 AUE_NULL, /* 343 */
418 AUE_NULL, /* 344 */
419 AUE_NULL, /* 345 */
420 AUE_NULL, /* 346 */
421 AUE_NULL, /* 347 */
422 AUE_NULL, /* 348 */
423 AUE_NULL, /* 349 */
424 AUE_AUDIT, /* 350 */
425 AUE_AUDITON, /* 351 */
426 AUE_NULL, /* 352 */
427 AUE_GETAUID, /* 353 */
428 AUE_SETAUID, /* 354 */
429 AUE_GETAUDIT, /* 355 */
430 AUE_SETAUDIT, /* 356 */
431 AUE_GETAUDIT_ADDR, /* 357 */
432 AUE_SETAUDIT_ADDR, /* 358 */
433 AUE_AUDITCTL, /* 359 */
434 AUE_NULL, /* 360 */
435 AUE_NULL, /* 361 */
436 AUE_NULL, /* 362 = kqueue */
437 AUE_NULL, /* 363 = kevent */
438 AUE_LCHOWN, /* 364 = lchown */
439 AUE_NULL, /* 365 */
440 AUE_NULL, /* 366 */
441 AUE_NULL, /* 367 */
442 AUE_NULL, /* 368 */
443 AUE_NULL, /* 369 */
444 AUE_NULL, /* 370 */
445 AUE_NULL, /* 371 */
446 AUE_NULL, /* 372 */
447 AUE_NULL, /* 373 */
448 AUE_NULL, /* 374 */
449 AUE_NULL, /* 375 */
450 AUE_NULL, /* 376 */
451 AUE_NULL, /* 377 */
452 AUE_NULL, /* 378 */
453 AUE_NULL, /* 379 */
454 AUE_MAC_EXECVE, /* 380 = __mac_execve */
455 AUE_MAC_SYSCALL, /* 381 = __mac_syscall */
456 AUE_MAC_GET_FILE, /* 382 = __mac_get_file */
457 AUE_MAC_SET_FILE, /* 383 = __mac_set_file */
458 AUE_MAC_GET_LINK, /* 384 = __mac_get_link */
459 AUE_MAC_SET_LINK, /* 385 = __mac_set_link */
460 AUE_MAC_GET_PROC, /* 386 = __mac_get_proc */
461 AUE_MAC_SET_PROC, /* 387 = __mac_set_proc */
462 AUE_MAC_GET_FD, /* 388 = __mac_get_fd */
463 AUE_MAC_SET_FD, /* 389 = __mac_set_fd */
464 AUE_MAC_GET_PID, /* 390 = __mac_get_pid */
465 AUE_MAC_GET_LCID, /* 391 = __mac_get_lcid */
466 AUE_MAC_GET_LCTX, /* 392 = __mac_get_lctx */
467 AUE_MAC_SET_LCTX, /* 393 = __mac_set_lctx */
468 AUE_SETLCID, /* 394 = setlcid */
469 AUE_GETLCID, /* 395 = getlcid */
470 AUE_NULL, /* 396 = read_nocancel */
471 AUE_NULL, /* 397 = write_nocancel */
472 AUE_OPEN_RWTC, /* 398 = open_nocancel */
473 AUE_CLOSE, /* 399 = close_nocancel */
474 AUE_NULL, /* 400 = wait4_nocancel */
475 AUE_RECVMSG, /* 401 = recvmsg_nocancel */
476 AUE_SENDMSG, /* 402 = sendmsg_nocancel */
477 AUE_RECVFROM, /* 403 = recvfrom_nocancel */
478 AUE_ACCEPT, /* 404 = accept_nocancel */
479 AUE_NULL, /* 405 = msync_nocancel */
480 AUE_FCNTL, /* 406 = fcntl_nocancel */
481 AUE_NULL, /* 407 = select_nocancel */
482 AUE_NULL, /* 408 = fsync_nocancel */
483 AUE_CONNECT, /* 409 = connect_nocancel */
484 AUE_NULL, /* 410 = sigsuspend_nocancel */
485 AUE_NULL, /* 411 = readv_nocancel */
486 AUE_NULL, /* 412 = writev_nocancel */
487 AUE_SENDTO, /* 413 = sendto_nocancel */
488 AUE_NULL, /* 414 = pread_nocancel */
489 AUE_NULL, /* 415 = pwrite_nocancel */
490 AUE_NULL, /* 416 = waitid_nocancel */
491 AUE_NULL, /* 417 = poll_nocancel */
492 AUE_MSGSND, /* 418 = msgsnd_nocancel */
493 AUE_MSGRCV, /* 419 = msgrcv_nocancel */
494 AUE_NULL, /* 420 = sem_wait_nocancel */
495 AUE_NULL, /* 421 = aio_suspend_nocancel */
496 AUE_NULL, /* 422 = __sigwait_nocancel */
497 AUE_NULL, /* 423 = __semwait_signal_nocancel */
498 AUE_MAC_MOUNT, /* 424 = __mac_mount */
499 AUE_MAC_GET_MOUNT, /* 425 = __mac_get_mount */
500 AUE_MAC_GETFSSTAT, /* 426 = __mac_getfsstat */
501
502 };
503
504 /*
505 * Verify that sys_au_event has an entry for every syscall.
506 */
507 int audit_sys_table_size_check[(
508 (sizeof(sys_au_event) / sizeof(sys_au_event[0])) == NUM_SYSENT)?
509 1 : -1] __unused;
510
511 /*
512 * Hash table functions for the audit event number to event class mask mapping.
513 */
514
515 #define EVCLASSMAP_HASH_TABLE_SIZE 251
516 struct evclass_elem {
517 au_event_t event;
518 au_class_t class;
519 LIST_ENTRY(evclass_elem) entry;
520 };
521 struct evclass_list {
522 LIST_HEAD(, evclass_elem) head;
523 };
524
525 struct evclass_list evclass_hash[EVCLASSMAP_HASH_TABLE_SIZE];
526
527 au_class_t au_event_class(au_event_t event)
528 {
529
530 struct evclass_list *evcl;
531 struct evclass_elem *evc;
532
533 evcl = &evclass_hash[event % EVCLASSMAP_HASH_TABLE_SIZE];
534
535 /* If an entry at our hash location matches the event, just return */
536 LIST_FOREACH(evc, &evcl->head, entry) {
537 if (evc->event == event)
538 return (evc->class);
539 }
540 return (AU_NULL);
541 }
542
543 /*
544 * Insert a event to class mapping. If the event already exists in the
545 * mapping, then replace the mapping with the new one.
546 * XXX There is currently no constraints placed on the number of mappings.
547 * May want to either limit to a number, or in terms of memory usage.
548 */
549 void au_evclassmap_insert(au_event_t event, au_class_t class)
550 {
551 struct evclass_list *evcl;
552 struct evclass_elem *evc;
553
554 evcl = &evclass_hash[event % EVCLASSMAP_HASH_TABLE_SIZE];
555
556 LIST_FOREACH(evc, &evcl->head, entry) {
557 if (evc->event == event) {
558 evc->class = class;
559 return;
560 }
561 }
562 evc = (struct evclass_elem *)kalloc(sizeof (*evc));
563 if (evc == NULL) {
564 return;
565 }
566 evc->event = event;
567 evc->class = class;
568 LIST_INSERT_HEAD(&evcl->head, evc, entry);
569 }
570
571 void
572 au_evclassmap_init(void)
573 {
574 int i;
575 for (i = 0; i < EVCLASSMAP_HASH_TABLE_SIZE; i++) {
576 LIST_INIT(&evclass_hash[i].head);
577 }
578
579 /* Set up the initial event to class mapping for system calls. */
580 for (i = 0; i < NUM_SYSENT; i++) {
581 if (sys_au_event[i] != AUE_NULL) {
582 au_evclassmap_insert(sys_au_event[i], AU_NULL);
583 }
584 }
585 /* Add the Mach system call events */
586 au_evclassmap_insert(AUE_TASKFORPID, AU_NULL);
587 au_evclassmap_insert(AUE_PIDFORTASK, AU_NULL);
588 au_evclassmap_insert(AUE_SWAPON, AU_NULL);
589 au_evclassmap_insert(AUE_SWAPOFF, AU_NULL);
590 au_evclassmap_insert(AUE_MAPFD, AU_NULL);
591 au_evclassmap_insert(AUE_INITPROCESS, AU_NULL);
592
593 /* Add the specific open events to the mapping. */
594 au_evclassmap_insert(AUE_OPEN_R, AU_FREAD);
595 au_evclassmap_insert(AUE_OPEN_RC, AU_FREAD|AU_FCREATE);
596 au_evclassmap_insert(AUE_OPEN_RTC, AU_FREAD|AU_FCREATE|AU_FDELETE);
597 au_evclassmap_insert(AUE_OPEN_RT, AU_FREAD|AU_FDELETE);
598 au_evclassmap_insert(AUE_OPEN_RW, AU_FREAD|AU_FWRITE);
599 au_evclassmap_insert(AUE_OPEN_RWC, AU_FREAD|AU_FWRITE|AU_FCREATE);
600 au_evclassmap_insert(AUE_OPEN_RWTC, AU_FREAD|AU_FWRITE|AU_FCREATE|AU_FDELETE);
601 au_evclassmap_insert(AUE_OPEN_RWT, AU_FREAD|AU_FWRITE|AU_FDELETE);
602 au_evclassmap_insert(AUE_OPEN_W, AU_FWRITE);
603 au_evclassmap_insert(AUE_OPEN_WC, AU_FWRITE|AU_FCREATE);
604 au_evclassmap_insert(AUE_OPEN_WTC, AU_FWRITE|AU_FCREATE|AU_FDELETE);
605 au_evclassmap_insert(AUE_OPEN_WT, AU_FWRITE|AU_FDELETE);
606 }
607
608 /*
609 * Check whether an event is aditable by comparing the mask of classes this
610 * event is part of against the given mask.
611 */
612 int au_preselect(au_event_t event, au_mask_t *mask_p, int sorf)
613 {
614 au_class_t effmask = 0;
615 au_class_t ae_class;
616
617 if(mask_p == NULL)
618 return (-1);
619
620 ae_class = au_event_class(event);
621 /*
622 * Perform the actual check of the masks against the event.
623 */
624 if(sorf & AU_PRS_SUCCESS) {
625 effmask |= (mask_p->am_success & ae_class);
626 }
627
628 if(sorf & AU_PRS_FAILURE) {
629 effmask |= (mask_p->am_failure & ae_class);
630 }
631
632 if(effmask)
633 return (1);
634 else
635 return (0);
636 }
637
638 /*
639 * Convert sysctl names and present arguments to events
640 */
641 au_event_t ctlname_to_sysctlevent(int name[], uint64_t valid_arg) {
642
643 /* can't parse it - so return the worst case */
644 if ((valid_arg & (ARG_CTLNAME | ARG_LEN)) !=
645 (ARG_CTLNAME | ARG_LEN))
646 return AUE_SYSCTL;
647
648 switch (name[0]) {
649 /* non-admin "lookups" treat them special */
650 case KERN_OSTYPE:
651 case KERN_OSRELEASE:
652 case KERN_OSREV:
653 case KERN_VERSION:
654 case KERN_ARGMAX:
655 case KERN_CLOCKRATE:
656 case KERN_BOOTTIME:
657 case KERN_POSIX1:
658 case KERN_NGROUPS:
659 case KERN_JOB_CONTROL:
660 case KERN_SAVED_IDS:
661 case KERN_NETBOOT:
662 case KERN_SYMFILE:
663 case KERN_SHREG_PRIVATIZABLE:
664 return AUE_SYSCTL_NONADMIN;
665
666 /* only treat the sets as admin */
667 case KERN_MAXVNODES:
668 case KERN_MAXPROC:
669 case KERN_MAXFILES:
670 case KERN_MAXPROCPERUID:
671 case KERN_MAXFILESPERPROC:
672 case KERN_HOSTID:
673 case KERN_AIOMAX:
674 case KERN_AIOPROCMAX:
675 case KERN_AIOTHREADS:
676 case KERN_COREDUMP:
677 case KERN_SUGID_COREDUMP:
678 return (valid_arg & ARG_VALUE) ?
679 AUE_SYSCTL : AUE_SYSCTL_NONADMIN;
680
681 default:
682 return AUE_SYSCTL;
683 }
684 /* NOTREACHED */
685 }
686
687 /*
688 * Convert an open flags specifier into a specific type of open event for
689 * auditing purposes.
690 */
691 au_event_t flags_and_error_to_openevent(int oflags, int error) {
692 au_event_t aevent;
693
694 /* Need to check only those flags we care about. */
695 oflags = oflags & (O_RDONLY | O_CREAT | O_TRUNC | O_RDWR | O_WRONLY);
696
697 /* These checks determine what flags are on with the condition
698 * that ONLY that combination is on, and no other flags are on.
699 */
700 switch (oflags) {
701 case O_RDONLY:
702 aevent = AUE_OPEN_R;
703 break;
704 case (O_RDONLY | O_CREAT):
705 aevent = AUE_OPEN_RC;
706 break;
707 case (O_RDONLY | O_CREAT | O_TRUNC):
708 aevent = AUE_OPEN_RTC;
709 break;
710 case (O_RDONLY | O_TRUNC):
711 aevent = AUE_OPEN_RT;
712 break;
713 case O_RDWR:
714 aevent = AUE_OPEN_RW;
715 break;
716 case (O_RDWR | O_CREAT):
717 aevent = AUE_OPEN_RWC;
718 break;
719 case (O_RDWR | O_CREAT | O_TRUNC):
720 aevent = AUE_OPEN_RWTC;
721 break;
722 case (O_RDWR | O_TRUNC):
723 aevent = AUE_OPEN_RWT;
724 break;
725 case O_WRONLY:
726 aevent = AUE_OPEN_W;
727 break;
728 case (O_WRONLY | O_CREAT):
729 aevent = AUE_OPEN_WC;
730 break;
731 case (O_WRONLY | O_CREAT | O_TRUNC):
732 aevent = AUE_OPEN_WTC;
733 break;
734 case (O_WRONLY | O_TRUNC):
735 aevent = AUE_OPEN_WT;
736 break;
737 default:
738 aevent = AUE_OPEN;
739 break;
740 }
741
742 /*
743 * Convert chatty errors to better matching events.
744 * Failures to find a file are really just attribute
745 * events - so recast them as such.
746 */
747 switch (aevent) {
748 case AUE_OPEN_R:
749 case AUE_OPEN_RT:
750 case AUE_OPEN_RW:
751 case AUE_OPEN_RWT:
752 case AUE_OPEN_W:
753 case AUE_OPEN_WT:
754 if (error == ENOENT)
755 aevent = AUE_OPEN;
756 }
757 return aevent;
758 }
759
760 /* Convert a MSGCTL command to a specific event. */
761 au_event_t msgctl_to_event(int cmd)
762 {
763 switch (cmd) {
764 case IPC_RMID:
765 return AUE_MSGCTL_RMID;
766 case IPC_SET:
767 return AUE_MSGCTL_SET;
768 case IPC_STAT:
769 return AUE_MSGCTL_STAT;
770 default:
771 return AUE_MSGCTL;
772 /* We will audit a bad command */
773 }
774 }
775
776 /* Convert a SEMCTL command to a specific event. */
777 au_event_t semctl_to_event(int cmd)
778 {
779 switch (cmd) {
780 case GETALL:
781 return AUE_SEMCTL_GETALL;
782 case GETNCNT:
783 return AUE_SEMCTL_GETNCNT;
784 case GETPID:
785 return AUE_SEMCTL_GETPID;
786 case GETVAL:
787 return AUE_SEMCTL_GETVAL;
788 case GETZCNT:
789 return AUE_SEMCTL_GETZCNT;
790 case IPC_RMID:
791 return AUE_SEMCTL_RMID;
792 case IPC_SET:
793 return AUE_SEMCTL_SET;
794 case SETALL:
795 return AUE_SEMCTL_SETALL;
796 case SETVAL:
797 return AUE_SEMCTL_SETVAL;
798 case IPC_STAT:
799 return AUE_SEMCTL_STAT;
800 default:
801 return AUE_SEMCTL;
802 /* We will audit a bad command */
803 }
804 }
805
806 /* Convert a command for the auditon() system call to a audit event. */
807 int auditon_command_event(int cmd)
808 {
809 switch(cmd) {
810 case A_GETPOLICY:
811 return AUE_AUDITON_GPOLICY;
812 break;
813 case A_SETPOLICY:
814 return AUE_AUDITON_SPOLICY;
815 break;
816 case A_GETKMASK:
817 return AUE_AUDITON_GETKMASK;
818 break;
819 case A_SETKMASK:
820 return AUE_AUDITON_SETKMASK;
821 break;
822 case A_GETQCTRL:
823 return AUE_AUDITON_GQCTRL;
824 break;
825 case A_SETQCTRL:
826 return AUE_AUDITON_SQCTRL;
827 break;
828 case A_GETCWD:
829 return AUE_AUDITON_GETCWD;
830 break;
831 case A_GETCAR:
832 return AUE_AUDITON_GETCAR;
833 break;
834 case A_GETSTAT:
835 return AUE_AUDITON_GETSTAT;
836 break;
837 case A_SETSTAT:
838 return AUE_AUDITON_SETSTAT;
839 break;
840 case A_SETUMASK:
841 return AUE_AUDITON_SETUMASK;
842 break;
843 case A_SETSMASK:
844 return AUE_AUDITON_SETSMASK;
845 break;
846 case A_GETCOND:
847 return AUE_AUDITON_GETCOND;
848 break;
849 case A_SETCOND:
850 return AUE_AUDITON_SETCOND;
851 break;
852 case A_GETCLASS:
853 return AUE_AUDITON_GETCLASS;
854 break;
855 case A_SETCLASS:
856 return AUE_AUDITON_SETCLASS;
857 break;
858 case A_GETPINFO:
859 case A_SETPMASK:
860 case A_SETFSIZE:
861 case A_GETFSIZE:
862 case A_GETPINFO_ADDR:
863 case A_GETKAUDIT:
864 case A_SETKAUDIT:
865 default:
866 return AUE_AUDITON; /* No special record */
867 break;
868 }
869 }
870
871 /*
872 * Create a canonical path from given path by prefixing the supplied
873 * current working directory, which may be the root directory.
874 */
875 int
876 canon_path(struct vnode *cwd_vp, char *path, char *cpath)
877 {
878 int len;
879 int ret;
880 char *bufp = path;
881
882 /*
883 * convert multiple leading '/' into a single '/' if the cwd_vp is
884 * NULL (i.e. an absolute path), and strip them entirely if the
885 * cwd_vp represents a chroot directory (i.e. the caller checked for
886 * an initial '/' character itself, saw one, and passed fdp->fd_rdir).
887 * Somewhat complicated, but it places the onus for locking structs
888 * involved on the caller, and makes proxy operations explicit rather
889 * than implicit.
890 */
891 if (*(path) == '/') {
892 while (*(bufp) == '/')
893 bufp++; /* skip leading '/'s */
894 if (cwd_vp == NULL)
895 bufp--; /* restore one '/' */
896 }
897 if (cwd_vp != NULL) {
898 len = MAXPATHLEN;
899 ret = vn_getpath(cwd_vp, cpath, &len);
900 if (ret != 0) {
901 cpath[0] = '\0';
902 return (ret);
903 }
904 if (len < MAXPATHLEN)
905 cpath[len-1] = '/';
906 strlcpy(cpath + len, bufp, MAXPATHLEN - len);
907 } else {
908 strlcpy(cpath, bufp, MAXPATHLEN);
909 }
910 return (0);
911 }