]> git.saurik.com Git - apple/xnu.git/blob - bsd/kern/kern_bsm_audit.c
projects / apple / xnu.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
xnu-792.12.6.tar.gz
[apple/xnu.git] / bsd / kern / kern_bsm_audit.c
1 /*
2 * Copyright (c) 2003-2004 Apple Computer, Inc. All rights reserved.
3 *
4 * @APPLE_LICENSE_OSREFERENCE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. The rights granted to you under the
10 * License may not be used to create, or enable the creation or
11 * redistribution of, unlawful or unlicensed copies of an Apple operating
12 * system, or to circumvent, violate, or enable the circumvention or
13 * violation of, any terms of an Apple operating system software license
14 * agreement.
15 *
16 * Please obtain a copy of the License at
17 * http://www.opensource.apple.com/apsl/ and read it before using this
18 * file.
19 *
20 * The Original Code and all software distributed under the License are
21 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
22 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
23 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
24 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
25 * Please see the License for the specific language governing rights and
26 * limitations under the License.
27 *
28 * @APPLE_LICENSE_OSREFERENCE_HEADER_END@
29 */
30 #include <sys/types.h>
31 #include <sys/vnode_internal.h>
32 #include <sys/ipc.h>
33 #include <sys/sem.h>
34 #include <sys/socketvar.h>
35 #include <sys/socket.h>
36 #include <sys/queue.h>
37 #include <sys/fcntl.h>
38 #include <sys/user.h>
39
40 #include <sys/ipc.h>
41 #include <bsm/audit.h>
42 #include <bsm/audit_record.h>
43 #include <bsm/audit_kernel.h>
44 #include <bsm/audit_kevents.h>
45 #include <bsm/audit_klib.h>
46
47 #include <netinet/in_systm.h>
48 #include <netinet/in.h>
49 #include <netinet/ip.h>
50
51 #include <kern/lock.h>
52 #include <kern/kalloc.h>
53
54 /* The number of BSM records allocated. */
55 static int bsm_rec_count = 0;
56
57 /*
58 * Records that can be recycled are maintained in the list given below
59 * The maximum number of elements that can be present in this list is
60 * bounded by MAX_AUDIT_RECORDS. Memory allocated for these records are never
61 * freed
62 */
63 LIST_HEAD(, au_record) bsm_free_q;
64
65 /*
66 * Lock for serializing access to the list of audit records.
67 */
68 static mutex_t *bsm_audit_mutex;
69
70 static void audit_sys_auditon(struct audit_record *ar, struct au_record *rec);
71
72 /*
73 * Initialize the BSM auditing subsystem.
74 */
75 void
76 kau_init(void)
77 {
78 printf("BSM auditing present\n");
79 LIST_INIT(&bsm_free_q);
80 bsm_audit_mutex = mutex_alloc(0);
81 au_evclassmap_init();
82 }
83
84 /*
85 * This call reserves memory for the audit record.
86 * Memory must be guaranteed before any auditable event can be
87 * generated.
88 * The au_record structure maintains a reference to the
89 * memory allocated above and also the list of tokens associated
90 * with this record
91 */
92 struct au_record *
93 kau_open(void)
94 {
95 struct au_record *rec = NULL;
96
97 /*
98 * Find an unused record, remove it from the free list, mark as used
99 */
100 mutex_lock(bsm_audit_mutex);
101 if (!LIST_EMPTY(&bsm_free_q)) {
102 rec = LIST_FIRST(&bsm_free_q);
103 LIST_REMOVE(rec, au_rec_q);
104 }
105 mutex_unlock(bsm_audit_mutex);
106
107 if (rec == NULL) {
108 mutex_lock(bsm_audit_mutex);
109 if (bsm_rec_count >= MAX_AUDIT_RECORDS) {
110 /* XXX We need to increase size of MAX_AUDIT_RECORDS */
111 mutex_unlock(bsm_audit_mutex);
112 return NULL;
113 }
114 mutex_unlock(bsm_audit_mutex);
115
116 /*
117 * Create a new BSM kernel record.
118 */
119 rec = (struct au_record *)kalloc(sizeof(*rec));
120 if(rec == NULL) {
121 return NULL;
122 }
123 rec->data = (u_char *)kalloc(MAX_AUDIT_RECORD_SIZE * sizeof(u_char));
124 if((rec->data) == NULL) {
125 kfree(rec, sizeof(*rec));
126 return NULL;
127 }
128 mutex_lock(bsm_audit_mutex);
129 bsm_rec_count++;
130 mutex_unlock(bsm_audit_mutex);
131 }
132 memset(rec->data, 0, MAX_AUDIT_RECORD_SIZE);
133
134 TAILQ_INIT(&rec->token_q);
135 rec->len = 0;
136 rec->used = 1;
137
138 return rec;
139 }
140
141 /*
142 * Store the token with the record descriptor
143 *
144 */
145 int kau_write(struct au_record *rec, struct au_token *tok)
146 {
147 if(tok == NULL) {
148 return -1; /* Invalid Token */
149 }
150
151 /* Add the token to the tail */
152 /*
153 * XXX Not locking here -- we should not be writing to
154 * XXX the same audit record from different threads
155 */
156 TAILQ_INSERT_TAIL(&rec->token_q, tok, tokens);
157
158 rec->len += tok->len; /* grow record length by token size bytes */
159
160 return 0;
161 }
162
163 /*
164 * Close out the audit record by adding the header token, identifying
165 * any missing tokens. Write out the tokens to the record memory.
166 */
167 int
168 kau_close(struct au_record *rec, struct timespec *ctime, short event)
169 {
170 u_char *dptr;
171 size_t tot_rec_size;
172 token_t *cur, *hdr, *trail;
173 int retval = 0;
174
175 tot_rec_size = rec->len + HEADER_SIZE + TRAILER_SIZE;
176 if(tot_rec_size <= MAX_AUDIT_RECORD_SIZE) {
177 /* Create the header token */
178 hdr = kau_to_header32(ctime, tot_rec_size, event, 0);
179
180 if(hdr != NULL) {
181 /* Add to head of list */
182 TAILQ_INSERT_HEAD(&rec->token_q, hdr, tokens);
183
184 trail = au_to_trailer(tot_rec_size);
185 if(trail != NULL) {
186 TAILQ_INSERT_TAIL(&rec->token_q, trail, tokens);
187 }
188 }
189 /* Serialize token data to the record */
190
191 rec->len = tot_rec_size;
192 dptr = rec->data;
193 TAILQ_FOREACH(cur, &rec->token_q, tokens) {
194 memcpy(dptr, cur->t_data, cur->len);
195 dptr += cur->len;
196 }
197 }
198
199 return(retval);
200 }
201
202 /*
203 * Free a BSM audit record by releasing all the tokens and clearing the
204 * audit record information.
205 */
206 void kau_free(struct au_record *rec)
207 {
208 struct au_token *tok;
209
210 /* Free the token list */
211 while ((tok = TAILQ_FIRST(&rec->token_q))) {
212 TAILQ_REMOVE(&rec->token_q, tok, tokens);
213 kfree(tok, sizeof(*tok) + tok->len);
214 }
215
216 rec->used = 0;
217 rec->len = 0;
218
219 mutex_lock(bsm_audit_mutex);
220
221 /* Add the record to the freelist */
222 LIST_INSERT_HEAD(&bsm_free_q, rec, au_rec_q);
223
224 mutex_unlock(bsm_audit_mutex);
225
226 }
227
228 /*
229 * XXX May want turn some (or all) of these macros into functions in order
230 * to reduce the generated code sized.
231 */
232 #define UPATH1_TOKENS \
233 do { \
234 if (ar->ar_valid_arg & ARG_UPATH1) { \
235 tok = au_to_path(ar->ar_arg_upath1); \
236 kau_write(rec, tok); \
237 } \
238 } while (0)
239
240 #define UPATH2_TOKENS \
241 do { \
242 if (ar->ar_valid_arg & ARG_UPATH2) { \
243 tok = au_to_path(ar->ar_arg_upath2); \
244 kau_write(rec, tok); \
245 } \
246 } while (0)
247
248 #define UPATH1_KPATH1_VNODE1_TOKENS \
249 do { \
250 if (ar->ar_valid_arg & ARG_UPATH1) { \
251 tok = au_to_path(ar->ar_arg_upath1); \
252 kau_write(rec, tok); \
253 } \
254 if (ar->ar_valid_arg & ARG_KPATH1) { \
255 tok = au_to_path(ar->ar_arg_kpath1); \
256 kau_write(rec, tok); \
257 } \
258 if (ar->ar_valid_arg & ARG_VNODE1) { \
259 tok = kau_to_attr32(&ar->ar_arg_vnode1);\
260 kau_write(rec, tok); \
261 } \
262 } while (0)
263
264 #define KPATH1_VNODE1_TOKENS \
265 do { \
266 if (ar->ar_valid_arg & ARG_KPATH1) { \
267 tok = au_to_path(ar->ar_arg_kpath1); \
268 kau_write(rec, tok); \
269 } \
270 if (ar->ar_valid_arg & ARG_VNODE1) { \
271 tok = kau_to_attr32(&ar->ar_arg_vnode1);\
272 kau_write(rec, tok); \
273 } \
274 } while (0)
275
276 #define KPATH2_VNODE2_TOKENS \
277 do { \
278 if (ar->ar_valid_arg & ARG_KPATH2) { \
279 tok = au_to_path(ar->ar_arg_kpath2); \
280 kau_write(rec, tok); \
281 } \
282 if (ar->ar_valid_arg & ARG_VNODE2) { \
283 tok = kau_to_attr32(&ar->ar_arg_vnode1);\
284 kau_write(rec, tok); \
285 } \
286 } while (0)
287
288 #define FD_KPATH1_VNODE1_TOKENS \
289 do { \
290 if (ar->ar_valid_arg & ARG_KPATH1) { \
291 tok = au_to_path(ar->ar_arg_kpath1); \
292 kau_write(rec, tok); \
293 if (ar->ar_valid_arg & ARG_VNODE1) { \
294 tok = kau_to_attr32(&ar->ar_arg_vnode1);\
295 kau_write(rec, tok); \
296 } \
297 } else { \
298 tok = au_to_arg32(1, "no path: fd", ar->ar_arg_fd); \
299 kau_write(rec, tok); \
300 } \
301 } while (0)
302
303 #define PROCESS_PID_TOKENS(argn) \
304 do { \
305 if ((ar->ar_arg_pid > 0) /* Kill a single process */ \
306 && (ar->ar_valid_arg & ARG_PROCESS)) { \
307 tok = au_to_process(ar->ar_arg_auid, ar->ar_arg_euid, \
308 ar->ar_arg_egid, ar->ar_arg_ruid, \
309 ar->ar_arg_rgid, ar->ar_arg_pid, \
310 ar->ar_arg_asid, &ar->ar_arg_termid); \
311 kau_write(rec, tok); \
312 } else { \
313 tok = au_to_arg32(argn, "process", ar->ar_arg_pid);\
314 kau_write(rec, tok); \
315 } \
316 } while (0) \
317
318 /*
319 * Implement auditing for the auditon() system call. The audit tokens
320 * that are generated depend on the command that was sent into the
321 * auditon() system call.
322 *
323 */
324 static void
325 audit_sys_auditon(struct audit_record *ar, struct au_record *rec)
326 {
327 struct au_token *tok;
328
329 switch (ar->ar_arg_cmd) {
330 case A_SETPOLICY:
331 if (sizeof(ar->ar_arg_auditon.au_flags) > 4)
332 tok = au_to_arg64(1, "policy",
333 ar->ar_arg_auditon.au_flags);
334 else
335 tok = au_to_arg32(1, "policy",
336 ar->ar_arg_auditon.au_flags);
337 kau_write(rec, tok);
338 break;
339 case A_SETKMASK:
340 tok = au_to_arg32(2, "setkmask:as_success",
341 ar->ar_arg_auditon.au_mask.am_success);
342 kau_write(rec, tok);
343 tok = au_to_arg32(2, "setkmask:as_failure",
344 ar->ar_arg_auditon.au_mask.am_failure);
345 kau_write(rec, tok);
346 break;
347 case A_SETQCTRL:
348 tok = au_to_arg32(3, "setqctrl:aq_hiwater",
349 ar->ar_arg_auditon.au_qctrl.aq_hiwater);
350 kau_write(rec, tok);
351 tok = au_to_arg32(3, "setqctrl:aq_lowater",
352 ar->ar_arg_auditon.au_qctrl.aq_lowater);
353 kau_write(rec, tok);
354 tok = au_to_arg32(3, "setqctrl:aq_bufsz",
355 ar->ar_arg_auditon.au_qctrl.aq_bufsz);
356 kau_write(rec, tok);
357 tok = au_to_arg32(3, "setqctrl:aq_delay",
358 ar->ar_arg_auditon.au_qctrl.aq_delay);
359 kau_write(rec, tok);
360 tok = au_to_arg32(3, "setqctrl:aq_minfree",
361 ar->ar_arg_auditon.au_qctrl.aq_minfree);
362 kau_write(rec, tok);
363 break;
364 case A_SETUMASK:
365 tok = au_to_arg32(3, "setumask:as_success",
366 ar->ar_arg_auditon.au_auinfo.ai_mask.am_success);
367 kau_write(rec, tok);
368 tok = au_to_arg32(3, "setumask:as_failure",
369 ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure);
370 kau_write(rec, tok);
371 break;
372 case A_SETSMASK:
373 tok = au_to_arg32(3, "setsmask:as_success",
374 ar->ar_arg_auditon.au_auinfo.ai_mask.am_success);
375 kau_write(rec, tok);
376 tok = au_to_arg32(3, "setsmask:as_failure",
377 ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure);
378 kau_write(rec, tok);
379 break;
380 case A_SETCOND:
381 if (sizeof(ar->ar_arg_auditon.au_cond) > 4)
382 tok = au_to_arg64(3, "setcond",
383 ar->ar_arg_auditon.au_cond);
384 else
385 tok = au_to_arg32(3, "setcond",
386 ar->ar_arg_auditon.au_cond);
387 kau_write(rec, tok);
388 break;
389 case A_SETCLASS:
390 tok = au_to_arg32(2, "setclass:ec_event",
391 ar->ar_arg_auditon.au_evclass.ec_number);
392 kau_write(rec, tok);
393 tok = au_to_arg32(3, "setclass:ec_class",
394 ar->ar_arg_auditon.au_evclass.ec_class);
395 kau_write(rec, tok);
396 break;
397 case A_SETPMASK:
398 tok = au_to_arg32(2, "setpmask:as_success",
399 ar->ar_arg_auditon.au_aupinfo.ap_mask.am_success);
400 kau_write(rec, tok);
401 tok = au_to_arg32(2, "setpmask:as_failure",
402 ar->ar_arg_auditon.au_aupinfo.ap_mask.am_failure);
403 kau_write(rec, tok);
404 break;
405 case A_SETFSIZE:
406 tok = au_to_arg32(2, "setfsize:filesize",
407 ar->ar_arg_auditon.au_fstat.af_filesz);
408 kau_write(rec, tok);
409 break;
410 default:
411 break;
412 }
413 }
414
415 /*
416 * Convert an internal kernel audit record to a BSM record and return
417 * a success/failure indicator. The BSM record is passed as an out
418 * parameter to this function.
419 * Return conditions:
420 * BSM_SUCCESS: The BSM record is valid
421 * BSM_FAILURE: Failure; the BSM record is NULL.
422 * BSM_NOAUDIT: The event is not auditable for BSM; the BSM record is NULL.
423 */
424 int
425 kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau)
426 {
427 struct au_token *tok, *subj_tok;
428 struct au_record *rec;
429 au_tid_t tid;
430 struct audit_record *ar;
431 int ctr;
432
433 *pau = NULL;
434 if (kar == NULL)
435 return (BSM_FAILURE);
436
437 ar = &kar->k_ar;
438
439 rec = kau_open();
440 if (rec == NULL)
441 return (BSM_FAILURE);
442
443 /* Create the subject token */
444 tid.port = ar->ar_subj_term.port;
445 tid.machine = ar->ar_subj_term.machine;
446 subj_tok = au_to_subject32(ar->ar_subj_auid, /* audit ID */
447 ar->ar_subj_cred.cr_uid, /* eff uid */
448 ar->ar_subj_egid, /* eff group id */
449 ar->ar_subj_ruid, /* real uid */
450 ar->ar_subj_rgid, /* real group id */
451 ar->ar_subj_pid, /* process id */
452 ar->ar_subj_asid, /* session ID */
453 &tid);
454
455 /* The logic inside each case fills in the tokens required for the
456 * event, except for the header, trailer, and return tokens. The
457 * header and trailer tokens are added by the kau_close() function.
458 * The return token is added outside of the switch statement.
459 */
460 switch(ar->ar_event) {
461
462 /*
463 * Socket-related events.
464 */
465 case AUE_ACCEPT:
466 case AUE_BIND:
467 case AUE_CONNECT:
468 case AUE_RECVFROM:
469 case AUE_RECVMSG:
470 case AUE_SENDMSG:
471 case AUE_SENDTO:
472 tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
473 kau_write(rec, tok);
474 if (ar->ar_valid_arg & ARG_SADDRINET) {
475 tok = au_to_sock_inet(
476 (struct sockaddr_in *)&ar->ar_arg_sockaddr);
477 kau_write(rec, tok);
478 }
479 if (ar->ar_valid_arg & ARG_SADDRUNIX) {
480 tok = au_to_sock_unix(
481 (struct sockaddr_un *)&ar->ar_arg_sockaddr);
482 kau_write(rec, tok);
483 UPATH1_TOKENS;
484 }
485 /* XXX Need to handle ARG_SADDRINET6 */
486 break;
487
488 case AUE_SOCKET:
489 case AUE_SOCKETPAIR:
490 tok = au_to_arg32(1,"domain", ar->ar_arg_sockinfo.so_domain);
491 kau_write(rec, tok);
492 tok = au_to_arg32(2,"type", ar->ar_arg_sockinfo.so_type);
493 kau_write(rec, tok);
494 tok = au_to_arg32(3,"protocol",ar->ar_arg_sockinfo.so_protocol);
495 kau_write(rec, tok);
496 break;
497
498 case AUE_SETSOCKOPT:
499 case AUE_SHUTDOWN:
500 tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
501 kau_write(rec, tok);
502 break;
503
504 case AUE_ACCT:
505 if (ar->ar_valid_arg & (ARG_KPATH1 | ARG_UPATH1)) {
506 UPATH1_KPATH1_VNODE1_TOKENS;
507 } else {
508 tok = au_to_arg32(1, "accounting off", 0);
509 kau_write(rec, tok);
510 }
511 break;
512
513 case AUE_SETAUID:
514 tok = au_to_arg32(2, "setauid", ar->ar_arg_auid);
515 kau_write(rec, tok);
516 break;
517
518 case AUE_SETAUDIT:
519 if (ar->ar_valid_arg & ARG_AUID) {
520 tok = au_to_arg32(1, "setaudit:auid", ar->ar_arg_auid);
521 kau_write(rec, tok);
522 tok = au_to_arg32(1, "setaudit:port",
523 ar->ar_arg_termid.port);
524 kau_write(rec, tok);
525 tok = au_to_arg32(1, "setaudit:machine",
526 ar->ar_arg_termid.machine);
527 kau_write(rec, tok);
528 tok = au_to_arg32(1, "setaudit:as_success",
529 ar->ar_arg_amask.am_success);
530 kau_write(rec, tok);
531 tok = au_to_arg32(1, "setaudit:as_failure",
532 ar->ar_arg_amask.am_failure);
533 kau_write(rec, tok);
534 tok = au_to_arg32(1, "setaudit:asid", ar->ar_arg_asid);
535 kau_write(rec, tok);
536 }
537 break;
538
539 case AUE_SETAUDIT_ADDR:
540 break; /* XXX need to add arguments */
541
542 case AUE_AUDITON:
543 /* For AUDITON commands without own event, audit the cmd */
544 tok = au_to_arg32(1, "cmd", ar->ar_arg_cmd);
545 kau_write(rec, tok);
546 /* fall thru */
547
548 case AUE_AUDITON_GETCAR:
549 case AUE_AUDITON_GETCLASS:
550 case AUE_AUDITON_GETCOND:
551 case AUE_AUDITON_GETCWD:
552 case AUE_AUDITON_GETKMASK:
553 case AUE_AUDITON_GETSTAT:
554 case AUE_AUDITON_GPOLICY:
555 case AUE_AUDITON_GQCTRL:
556 case AUE_AUDITON_SETCLASS:
557 case AUE_AUDITON_SETCOND:
558 case AUE_AUDITON_SETKMASK:
559 case AUE_AUDITON_SETSMASK:
560 case AUE_AUDITON_SETSTAT:
561 case AUE_AUDITON_SETUMASK:
562 case AUE_AUDITON_SPOLICY:
563 case AUE_AUDITON_SQCTRL:
564 if (ar->ar_valid_arg & ARG_AUDITON) {
565 audit_sys_auditon(ar, rec);
566 }
567 break;
568
569 case AUE_AUDITCTL:
570 UPATH1_KPATH1_VNODE1_TOKENS;
571 break;
572
573 case AUE_ADJTIME:
574 case AUE_AUDIT:
575 case AUE_EXIT:
576 case AUE_GETAUDIT:
577 case AUE_GETAUDIT_ADDR:
578 case AUE_GETAUID:
579 case AUE_GETFSSTAT:
580 case AUE_PIPE:
581 case AUE_SETPGRP:
582 case AUE_SETRLIMIT:
583 case AUE_SETSID:
584 case AUE_SETTIMEOFDAY:
585 case AUE_NEWSYSTEMSHREG:
586 /* Header, subject, and return tokens added at end */
587 break;
588
589 case AUE_ACCESS:
590 case AUE_CHDIR:
591 case AUE_CHROOT:
592 case AUE_EXECVE:
593 case AUE_GETATTRLIST:
594 case AUE_GETFH:
595 case AUE_LSTAT:
596 case AUE_MKFIFO:
597 case AUE_PATHCONF:
598 case AUE_READLINK:
599 case AUE_REVOKE:
600 case AUE_RMDIR:
601 case AUE_SEARCHFS:
602 case AUE_SETATTRLIST:
603 case AUE_STAT:
604 case AUE_STATFS:
605 case AUE_TRUNCATE:
606 case AUE_UNDELETE:
607 case AUE_UNLINK:
608 case AUE_UTIMES:
609 UPATH1_KPATH1_VNODE1_TOKENS;
610 break;
611
612 case AUE_CHFLAGS:
613 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
614 kau_write(rec, tok);
615 UPATH1_KPATH1_VNODE1_TOKENS;
616 break;
617
618 case AUE_CHMOD:
619 tok = au_to_arg32(2, "new file mode", ar->ar_arg_mode);
620 kau_write(rec, tok);
621 UPATH1_KPATH1_VNODE1_TOKENS;
622 break;
623
624 case AUE_CHOWN:
625 case AUE_LCHOWN:
626 tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid);
627 kau_write(rec, tok);
628 tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid);
629 kau_write(rec, tok);
630 UPATH1_KPATH1_VNODE1_TOKENS;
631 break;
632
633 case AUE_EXCHANGEDATA:
634 UPATH1_KPATH1_VNODE1_TOKENS;
635 KPATH2_VNODE2_TOKENS;
636 break;
637
638 case AUE_CLOSE:
639 tok = au_to_arg32(2, "fd", ar->ar_arg_fd);
640 kau_write(rec, tok);
641 UPATH1_KPATH1_VNODE1_TOKENS;
642 break;
643
644 case AUE_FCHMOD:
645 tok = au_to_arg32(2, "new file mode", ar->ar_arg_mode);
646 kau_write(rec, tok);
647 FD_KPATH1_VNODE1_TOKENS;
648 break;
649
650 case AUE_NFSSVC:
651 tok = au_to_arg32(1, "request", ar->ar_arg_cmd);
652 kau_write(rec, tok);
653 if (ar->ar_valid_arg & (ARG_KPATH1 | ARG_UPATH1)) {
654 UPATH1_KPATH1_VNODE1_TOKENS;
655 }
656 break;
657
658 case AUE_FCHDIR:
659 case AUE_FPATHCONF:
660 case AUE_FSTAT: /* XXX Need to handle sockets and shm */
661 case AUE_FSTATFS:
662 case AUE_FTRUNCATE:
663 case AUE_FUTIMES:
664 case AUE_GETDIRENTRIES:
665 case AUE_GETDIRENTRIESATTR:
666 FD_KPATH1_VNODE1_TOKENS;
667 break;
668
669 case AUE_FCHOWN:
670 tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid);
671 kau_write(rec, tok);
672 tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid);
673 kau_write(rec, tok);
674 FD_KPATH1_VNODE1_TOKENS;
675 break;
676
677 case AUE_FCNTL:
678 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd);
679 kau_write(rec, tok);
680 if (ar->ar_valid_arg & ARG_VNODE1) {
681 FD_KPATH1_VNODE1_TOKENS;
682 }
683 break;
684
685 case AUE_FCHFLAGS:
686 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
687 kau_write(rec, tok);
688 FD_KPATH1_VNODE1_TOKENS;
689 break;
690
691 case AUE_FLOCK:
692 tok = au_to_arg32(2, "operation", ar->ar_arg_cmd);
693 kau_write(rec, tok);
694 FD_KPATH1_VNODE1_TOKENS;
695 break;
696
697 case AUE_FORK:
698 case AUE_VFORK:
699 tok = au_to_arg32(0, "child PID", ar->ar_arg_pid);
700 kau_write(rec, tok);
701 break;
702
703 case AUE_IOCTL:
704 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd);
705 kau_write(rec, tok);
706 tok = au_to_arg32(1, "arg", (u_int32_t)ar->ar_arg_addr);
707 kau_write(rec, tok);
708 if (ar->ar_valid_arg & ARG_VNODE1) {
709 FD_KPATH1_VNODE1_TOKENS;
710 } else {
711 if (ar->ar_valid_arg & ARG_SOCKINFO) {
712 tok = kau_to_socket(&ar->ar_arg_sockinfo);
713 kau_write(rec, tok);
714 } else {
715 tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
716 kau_write(rec, tok);
717 }
718 }
719 break;
720
721 case AUE_KILL:
722 tok = au_to_arg32(2, "signal", ar->ar_arg_signum);
723 kau_write(rec, tok);
724 PROCESS_PID_TOKENS(1);
725 break;
726
727 case AUE_KTRACE:
728 tok = au_to_arg32(2, "ops", ar->ar_arg_cmd);
729 kau_write(rec, tok);
730 tok = au_to_arg32(3, "trpoints", ar->ar_arg_value);
731 kau_write(rec, tok);
732 PROCESS_PID_TOKENS(4);
733 UPATH1_KPATH1_VNODE1_TOKENS;
734 break;
735
736 case AUE_LINK:
737 case AUE_RENAME:
738 UPATH1_KPATH1_VNODE1_TOKENS;
739 UPATH2_TOKENS;
740 break;
741
742 case AUE_LOADSHFILE:
743 tok = au_to_arg32(4, "base addr", (u_int32_t)ar->ar_arg_addr);
744 kau_write(rec, tok);
745 UPATH1_KPATH1_VNODE1_TOKENS;
746 break;
747
748 case AUE_MKDIR:
749 tok = au_to_arg32(2, "mode", ar->ar_arg_mode);
750 kau_write(rec, tok);
751 UPATH1_KPATH1_VNODE1_TOKENS;
752 break;
753
754 case AUE_MKNOD:
755 tok = au_to_arg32(2, "mode", ar->ar_arg_mode);
756 kau_write(rec, tok);
757 tok = au_to_arg32(3, "dev", ar->ar_arg_dev);
758 kau_write(rec, tok);
759 UPATH1_KPATH1_VNODE1_TOKENS;
760 break;
761
762 case AUE_MMAP:
763 case AUE_MUNMAP:
764 case AUE_MPROTECT:
765 case AUE_MLOCK:
766 case AUE_MUNLOCK:
767 case AUE_MINHERIT:
768 tok = au_to_arg32(1, "addr", (u_int32_t)ar->ar_arg_addr); /* LP64todo */
769 kau_write(rec, tok);
770 tok = au_to_arg32(2, "len", ar->ar_arg_len); /* LP64todo */
771 kau_write(rec, tok);
772 if (ar->ar_event == AUE_MMAP)
773 FD_KPATH1_VNODE1_TOKENS;
774 if (ar->ar_event == AUE_MPROTECT) {
775 tok = au_to_arg32(3, "protection", ar->ar_arg_value);
776 kau_write(rec, tok);
777 }
778 if (ar->ar_event == AUE_MINHERIT) {
779 tok = au_to_arg32(3, "inherit", ar->ar_arg_value);
780 kau_write(rec, tok);
781 }
782 break;
783
784 case AUE_MOUNT:
785 /* XXX Need to handle NFS mounts */
786 tok = au_to_arg32(3, "flags", ar->ar_arg_fflags);
787 kau_write(rec, tok);
788 if (ar->ar_valid_arg & ARG_TEXT) {
789 tok = au_to_text(ar->ar_arg_text);
790 kau_write(rec, tok);
791 }
792 /* fall through */
793 case AUE_UNMOUNT:
794 UPATH1_KPATH1_VNODE1_TOKENS;
795 break;
796
797 case AUE_MSGCTL:
798 ar->ar_event = msgctl_to_event(ar->ar_arg_svipc_cmd);
799 /* Fall through */
800 case AUE_MSGRCV:
801 case AUE_MSGSND:
802 tok = au_to_arg32(1, "msg ID", ar->ar_arg_svipc_id);
803 kau_write(rec, tok);
804 if (ar->ar_errno != EINVAL) {
805 tok = au_to_ipc(AT_IPC_MSG, ar->ar_arg_svipc_id);
806 kau_write(rec, tok);
807 }
808 break;
809
810 case AUE_MSGGET:
811 if (ar->ar_errno == 0) {
812 tok = au_to_ipc(AT_IPC_MSG, ar->ar_arg_svipc_id);
813 kau_write(rec, tok);
814 }
815 break;
816
817 case AUE_RESETSHFILE:
818 tok = au_to_arg32(1, "base addr", (u_int32_t)ar->ar_arg_addr);
819 kau_write(rec, tok);
820 break;
821
822 case AUE_OPEN_RC:
823 case AUE_OPEN_RTC:
824 case AUE_OPEN_RWC:
825 case AUE_OPEN_RWTC:
826 case AUE_OPEN_WC:
827 case AUE_OPEN_WTC:
828 tok = au_to_arg32(3, "mode", ar->ar_arg_mode);
829 kau_write(rec, tok);
830 /* fall thru */
831
832 case AUE_OPEN:
833 case AUE_OPEN_R:
834 case AUE_OPEN_RT:
835 case AUE_OPEN_RW:
836 case AUE_OPEN_RWT:
837 case AUE_OPEN_W:
838 case AUE_OPEN_WT:
839 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
840 kau_write(rec, tok);
841 UPATH1_KPATH1_VNODE1_TOKENS;
842 break;
843
844 case AUE_PTRACE:
845 tok = au_to_arg32(1, "request", ar->ar_arg_cmd);
846 kau_write(rec, tok);
847 tok = au_to_arg32(3, "addr", (u_int32_t)ar->ar_arg_addr); /* LP64todo */
848 kau_write(rec, tok);
849 tok = au_to_arg32(4, "data", ar->ar_arg_value);
850 kau_write(rec, tok);
851 PROCESS_PID_TOKENS(2);
852 break;
853
854 case AUE_QUOTACTL:
855 tok = au_to_arg32(2, "command", ar->ar_arg_cmd);
856 kau_write(rec, tok);
857 tok = au_to_arg32(3, "uid", ar->ar_arg_uid);
858 kau_write(rec, tok);
859 UPATH1_KPATH1_VNODE1_TOKENS;
860 break;
861
862 case AUE_REBOOT:
863 tok = au_to_arg32(1, "howto", ar->ar_arg_cmd);
864 kau_write(rec, tok);
865 break;
866
867 case AUE_SEMCTL:
868 ar->ar_event = semctl_to_event(ar->ar_arg_svipc_cmd);
869 /* Fall through */
870 case AUE_SEMOP:
871 tok = au_to_arg32(1, "sem ID", ar->ar_arg_svipc_id);
872 kau_write(rec, tok);
873 if (ar->ar_errno != EINVAL) {
874 tok = au_to_ipc(AT_IPC_SEM, ar->ar_arg_svipc_id);
875 kau_write(rec, tok);
876 }
877 break;
878 case AUE_SEMGET:
879 if (ar->ar_errno == 0) {
880 tok = au_to_ipc(AT_IPC_SEM, ar->ar_arg_svipc_id);
881 kau_write(rec, tok);
882 }
883 break;
884 case AUE_SETEGID:
885 tok = au_to_arg32(1, "gid", ar->ar_arg_egid);
886 kau_write(rec, tok);
887 break;
888 case AUE_SETEUID:
889 tok = au_to_arg32(1, "uid", ar->ar_arg_euid);
890 kau_write(rec, tok);
891 break;
892 case AUE_SETGID:
893 tok = au_to_arg32(1, "gid", ar->ar_arg_gid);
894 kau_write(rec, tok);
895 break;
896 case AUE_SETUID:
897 tok = au_to_arg32(1, "uid", ar->ar_arg_uid);
898 kau_write(rec, tok);
899 break;
900 case AUE_SETGROUPS:
901 if (ar->ar_valid_arg & ARG_GROUPSET) {
902 for(ctr = 0; ctr < ar->ar_arg_groups.gidset_size; ctr++)
903 {
904 tok = au_to_arg32(1, "setgroups", ar->ar_arg_groups.gidset[ctr]);
905 kau_write(rec, tok);
906 }
907 }
908 break;
909
910 case AUE_SETLOGIN:
911 if (ar->ar_valid_arg & ARG_TEXT) {
912 tok = au_to_text(ar->ar_arg_text);
913 kau_write(rec, tok);
914 }
915 break;
916
917 case AUE_SETPRIORITY:
918 tok = au_to_arg32(1, "which", ar->ar_arg_cmd);
919 kau_write(rec, tok);
920 tok = au_to_arg32(2, "who", ar->ar_arg_uid);
921 kau_write(rec, tok);
922 tok = au_to_arg32(2, "priority", ar->ar_arg_value);
923 kau_write(rec, tok);
924 break;
925
926 case AUE_SETPRIVEXEC:
927 tok = au_to_arg32(1, "flag", ar->ar_arg_value);
928 kau_write(rec, tok);
929 break;
930
931 /* AUE_SHMAT, AUE_SHMCTL, AUE_SHMDT and AUE_SHMGET are SysV IPC */
932 case AUE_SHMAT:
933 tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id);
934 kau_write(rec, tok);
935 tok = au_to_arg32(2, "shmaddr", (int)ar->ar_arg_svipc_addr);
936 kau_write(rec, tok);
937 if (ar->ar_valid_arg & ARG_SVIPC_PERM) {
938 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id);
939 kau_write(rec, tok);
940 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm);
941 kau_write(rec, tok);
942 }
943 break;
944
945 case AUE_SHMCTL:
946 tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id);
947 kau_write(rec, tok);
948 switch (ar->ar_arg_svipc_cmd) {
949 case IPC_STAT:
950 ar->ar_event = AUE_SHMCTL_STAT;
951 if (ar->ar_valid_arg & ARG_SVIPC_PERM) {
952 tok = au_to_ipc(AT_IPC_SHM,
953 ar->ar_arg_svipc_id);
954 kau_write(rec, tok);
955 }
956 break;
957 case IPC_RMID:
958 ar->ar_event = AUE_SHMCTL_RMID;
959 if (ar->ar_valid_arg & ARG_SVIPC_PERM) {
960 tok = au_to_ipc(AT_IPC_SHM,
961 ar->ar_arg_svipc_id);
962 kau_write(rec, tok);
963 }
964 break;
965 case IPC_SET:
966 ar->ar_event = AUE_SHMCTL_SET;
967 if (ar->ar_valid_arg & ARG_SVIPC_PERM) {
968 tok = au_to_ipc(AT_IPC_SHM,
969 ar->ar_arg_svipc_id);
970 kau_write(rec, tok);
971 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm);
972 kau_write(rec, tok);
973 }
974 break;
975 default:
976 break; /* We will audit a bad command */
977 }
978 break;
979
980 case AUE_SHMDT:
981 tok = au_to_arg32(1, "shmaddr", (int)ar->ar_arg_svipc_addr);
982 kau_write(rec, tok);
983 break;
984
985 case AUE_SHMGET:
986 /* This is unusual; the return value is in an argument token */
987 tok = au_to_arg32(0, "shmid", ar->ar_arg_svipc_id);
988 kau_write(rec, tok);
989 if (ar->ar_valid_arg & ARG_SVIPC_PERM) {
990 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id);
991 kau_write(rec, tok);
992 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm);
993 kau_write(rec, tok);
994 }
995 break;
996
997 /* AUE_SHMOPEN, AUE_SHMUNLINK, AUE_SEMOPEN, AUE_SEMCLOSE
998 * and AUE_SEMUNLINK are Posix IPC */
999 case AUE_SHMOPEN:
1000 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
1001 kau_write(rec, tok);
1002 tok = au_to_arg32(3, "mode", ar->ar_arg_mode);
1003 kau_write(rec, tok);
1004 case AUE_SHMUNLINK:
1005 if (ar->ar_valid_arg & ARG_TEXT) {
1006 tok = au_to_text(ar->ar_arg_text);
1007 kau_write(rec, tok);
1008 }
1009 if (ar->ar_valid_arg & ARG_POSIX_IPC_PERM) {
1010 /* Create an ipc_perm token */
1011 struct ipc_perm perm;
1012 perm.uid = ar->ar_arg_pipc_perm.pipc_uid;
1013 perm.gid = ar->ar_arg_pipc_perm.pipc_gid;
1014 perm.cuid = ar->ar_arg_pipc_perm.pipc_uid;
1015 perm.cgid = ar->ar_arg_pipc_perm.pipc_gid;
1016 perm.mode = ar->ar_arg_pipc_perm.pipc_mode;
1017 perm.seq = 0;
1018 perm.key = 0;
1019 tok = au_to_ipc_perm(&perm);
1020 kau_write(rec, tok);
1021 }
1022 break;
1023
1024 case AUE_SEMOPEN:
1025 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
1026 kau_write(rec, tok);
1027 tok = au_to_arg32(3, "mode", ar->ar_arg_mode);
1028 kau_write(rec, tok);
1029 tok = au_to_arg32(4, "value", ar->ar_arg_value);
1030 kau_write(rec, tok);
1031 /* fall through */
1032 case AUE_SEMUNLINK:
1033 if (ar->ar_valid_arg & ARG_TEXT) {
1034 tok = au_to_text(ar->ar_arg_text);
1035 kau_write(rec, tok);
1036 }
1037 if (ar->ar_valid_arg & ARG_POSIX_IPC_PERM) {
1038 /* Create an ipc_perm token */
1039 struct ipc_perm perm;
1040 perm.uid = ar->ar_arg_pipc_perm.pipc_uid;
1041 perm.gid = ar->ar_arg_pipc_perm.pipc_gid;
1042 perm.cuid = ar->ar_arg_pipc_perm.pipc_uid;
1043 perm.cgid = ar->ar_arg_pipc_perm.pipc_gid;
1044 perm.mode = ar->ar_arg_pipc_perm.pipc_mode;
1045 perm.seq = 0;
1046 perm.key = 0;
1047 tok = au_to_ipc_perm(&perm);
1048 kau_write(rec, tok);
1049 }
1050 break;
1051
1052 case AUE_SEMCLOSE:
1053 tok = au_to_arg32(1, "sem", ar->ar_arg_fd);
1054 kau_write(rec, tok);
1055 break;
1056
1057 case AUE_SYMLINK:
1058 if (ar->ar_valid_arg & ARG_TEXT) {
1059 tok = au_to_text(ar->ar_arg_text);
1060 kau_write(rec, tok);
1061 }
1062 UPATH1_KPATH1_VNODE1_TOKENS;
1063 break;
1064
1065 case AUE_SYSCTL:
1066 case AUE_SYSCTL_NONADMIN:
1067 if (ar->ar_valid_arg & (ARG_CTLNAME | ARG_LEN)) {
1068 for (ctr = 0; ctr < ar->ar_arg_len; ctr++) {
1069 tok = au_to_arg32(1, "name", ar->ar_arg_ctlname[ctr]);
1070 kau_write(rec, tok);
1071 }
1072 }
1073 if (ar->ar_valid_arg & ARG_VALUE) {
1074 tok = au_to_arg32(5, "newval", ar->ar_arg_value);
1075 kau_write(rec, tok);
1076 }
1077 if (ar->ar_valid_arg & ARG_TEXT) {
1078 tok = au_to_text(ar->ar_arg_text);
1079 kau_write(rec, tok);
1080 }
1081 break;
1082
1083 case AUE_UMASK:
1084 tok = au_to_arg32(1, "new mask", ar->ar_arg_mask);
1085 kau_write(rec, tok);
1086 tok = au_to_arg32(0, "prev mask", ar->ar_retval);
1087 kau_write(rec, tok);
1088 break;
1089
1090 /************************
1091 * Mach system calls *
1092 ************************/
1093 case AUE_INITPROCESS:
1094 break;
1095
1096 case AUE_PIDFORTASK:
1097 tok = au_to_arg32(1, "port", (u_int32_t)ar->ar_arg_mach_port1);
1098 kau_write(rec, tok);
1099 if (ar->ar_valid_arg & ARG_PID) {
1100 tok = au_to_arg32(2, "pid", (u_int32_t)ar->ar_arg_pid);
1101 kau_write(rec, tok);
1102 }
1103 break;
1104
1105 case AUE_TASKFORPID:
1106 tok = au_to_arg32(1, "target port",
1107 (u_int32_t)ar->ar_arg_mach_port1);
1108 kau_write(rec, tok);
1109 if (ar->ar_valid_arg & ARG_MACHPORT2) {
1110 tok = au_to_arg32(3, "task port",
1111 (u_int32_t)ar->ar_arg_mach_port2);
1112 kau_write(rec, tok);
1113 }
1114 PROCESS_PID_TOKENS(2);
1115 break;
1116
1117 case AUE_SWAPON:
1118 tok = au_to_arg32(4, "priority",
1119 (u_int32_t)ar->ar_arg_value);
1120 kau_write(rec, tok);
1121 UPATH1_KPATH1_VNODE1_TOKENS;
1122 break;
1123
1124 case AUE_SWAPOFF:
1125 UPATH1_KPATH1_VNODE1_TOKENS;
1126 break;
1127
1128 case AUE_MAPFD:
1129 tok = au_to_arg32(3, "va", (u_int32_t)ar->ar_arg_addr);
1130 kau_write(rec, tok);
1131 FD_KPATH1_VNODE1_TOKENS;
1132 break;
1133
1134 default: /* We shouldn't fall through to here. */
1135 printf("BSM conversion requested for unknown event %d\n",
1136 ar->ar_event);
1137 kau_free(rec);
1138 return BSM_NOAUDIT;
1139 }
1140
1141 kau_write(rec, subj_tok);
1142 tok = au_to_return32((char)ar->ar_errno, ar->ar_retval);
1143 kau_write(rec, tok); /* Every record gets a return token */
1144
1145 kau_close(rec, &ar->ar_endtime, ar->ar_event);
1146
1147 *pau = rec;
1148 return BSM_SUCCESS;
1149 }
1150
1151 /*
1152 * Verify that a record is a valid BSM record. This verification is
1153 * simple now, but may be expanded on sometime in the future.
1154 * Return 1 if the record is good, 0 otherwise.
1155 *
1156 */
1157 int
1158 bsm_rec_verify(void* rec)
1159 {
1160 char c = *(char *)rec;
1161 /*
1162 * Check the token ID of the first token; it has to be a header
1163 * token.
1164 */
1165 /* XXXAUDIT There needs to be a token structure to map a token.
1166 * XXXAUDIT 'Shouldn't be simply looking at the first char.
1167 */
1168 if ( (c != AU_HEADER_32_TOKEN) &&
1169 (c != AU_HEADER_EX_32_TOKEN) &&
1170 (c != AU_HEADER_64_TOKEN) &&
1171 (c != AU_HEADER_EX_64_TOKEN) ) {
1172 return (0);
1173 }
1174 return (1);
1175 }
mirror of XNU