/*
- * Copyright (c) 2003 Apple Computer, Inc. All rights reserved.
+ * Copyright (c) 2003-2004 Apple Computer, Inc. All rights reserved.
*
* @APPLE_LICENSE_HEADER_START@
*
- * Copyright (c) 1999-2003 Apple Computer, Inc. All Rights Reserved.
+ * The contents of this file constitute Original Code as defined in and
+ * are subject to the Apple Public Source License Version 1.1 (the
+ * "License"). You may not use this file except in compliance with the
+ * License. Please obtain a copy of the License at
+ * http://www.apple.com/publicsource and read it before using this file.
*
- * This file contains Original Code and/or Modifications of Original Code
- * as defined in and that are subject to the Apple Public Source License
- * Version 2.0 (the 'License'). You may not use this file except in
- * compliance with the License. Please obtain a copy of the License at
- * http://www.opensource.apple.com/apsl/ and read it before using this
- * file.
- *
- * The Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * This Original Code and all software distributed under the License are
+ * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
- * Please see the License for the specific language governing rights and
- * limitations under the License.
+ * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. Please see the
+ * License for the specific language governing rights and limitations
+ * under the License.
*
* @APPLE_LICENSE_HEADER_END@
*/
#include <sys/types.h>
-#include <sys/vnode.h>
+#include <sys/vnode_internal.h>
#include <sys/ipc.h>
#include <sys/sem.h>
#include <sys/socketvar.h>
#include <sys/socket.h>
#include <sys/queue.h>
#include <sys/fcntl.h>
-#include <sys/audit.h>
-#include <sys/kern_audit.h>
-#include <sys/bsm_token.h>
-#include <sys/bsm_kevents.h>
-#include <sys/bsm_klib.h>
#include <sys/user.h>
+
+#include <sys/ipc.h>
+#include <bsm/audit.h>
+#include <bsm/audit_record.h>
+#include <bsm/audit_kernel.h>
+#include <bsm/audit_kevents.h>
+#include <bsm/audit_klib.h>
+
#include <netinet/in_systm.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <kern/lock.h>
+#include <kern/kalloc.h>
/* The number of BSM records allocated. */
static int bsm_rec_count = 0;
*/
static mutex_t *bsm_audit_mutex;
+static void audit_sys_auditon(struct audit_record *ar, struct au_record *rec);
+
/*
* Initialize the BSM auditing subsystem.
*/
{
printf("BSM auditing present\n");
LIST_INIT(&bsm_free_q);
- bsm_audit_mutex = mutex_alloc(ETAP_NO_TRACE);
+ bsm_audit_mutex = mutex_alloc(0);
+ au_evclassmap_init();
}
/*
/*
* Create a new BSM kernel record.
*/
- kmem_alloc(kernel_map, &rec, sizeof(*rec));
+ rec = (struct au_record *)kalloc(sizeof(*rec));
if(rec == NULL) {
return NULL;
}
- kmem_alloc(kernel_map, &rec->data,
- MAX_AUDIT_RECORD_SIZE * sizeof(u_char));
+ rec->data = (u_char *)kalloc(MAX_AUDIT_RECORD_SIZE * sizeof(u_char));
if((rec->data) == NULL) {
- kmem_free(kernel_map, rec, sizeof(*rec));
+ kfree(rec, sizeof(*rec));
return NULL;
}
mutex_lock(bsm_audit_mutex);
* Close out the audit record by adding the header token, identifying
* any missing tokens. Write out the tokens to the record memory.
*/
-int kau_close(struct au_record *rec, struct timespec *ctime, short event)
+int
+kau_close(struct au_record *rec, struct timespec *ctime, short event)
{
u_char *dptr;
size_t tot_rec_size;
dptr += cur->len;
}
}
+
+ return(retval);
}
/*
/* Free the token list */
while ((tok = TAILQ_FIRST(&rec->token_q))) {
TAILQ_REMOVE(&rec->token_q, tok, tokens);
- kmem_free(kernel_map, tok->t_data, tok->len);
- kmem_free(kernel_map, tok, sizeof(struct au_token));
+ kfree(tok, sizeof(*tok) + tok->len);
}
rec->used = 0;
} \
} while (0)
-#define KPATH1_VNODE1_TOKENS \
+#define UPATH1_KPATH1_VNODE1_TOKENS \
do { \
+ if (ar->ar_valid_arg & ARG_UPATH1) { \
+ tok = au_to_path(ar->ar_arg_upath1); \
+ kau_write(rec, tok); \
+ } \
if (ar->ar_valid_arg & ARG_KPATH1) { \
tok = au_to_path(ar->ar_arg_kpath1); \
kau_write(rec, tok); \
} \
if (ar->ar_valid_arg & ARG_VNODE1) { \
- fill_vattr(&vattr, &ar->ar_arg_vnode1); \
- tok = au_to_attr32(&vattr); \
+ tok = kau_to_attr32(&ar->ar_arg_vnode1);\
kau_write(rec, tok); \
} \
} while (0)
-#define KPATH1_VNODE1_OR_UPATH1_TOKENS \
+#define KPATH1_VNODE1_TOKENS \
do { \
if (ar->ar_valid_arg & ARG_KPATH1) { \
tok = au_to_path(ar->ar_arg_kpath1); \
kau_write(rec, tok); \
- } else { \
- UPATH1_TOKENS; \
} \
if (ar->ar_valid_arg & ARG_VNODE1) { \
- fill_vattr(&vattr, &ar->ar_arg_vnode1); \
- tok = au_to_attr32(&vattr); \
+ tok = kau_to_attr32(&ar->ar_arg_vnode1);\
kau_write(rec, tok); \
} \
} while (0)
kau_write(rec, tok); \
} \
if (ar->ar_valid_arg & ARG_VNODE2) { \
- fill_vattr(&vattr, &ar->ar_arg_vnode2); \
- tok = au_to_attr32(&vattr); \
+ tok = kau_to_attr32(&ar->ar_arg_vnode1);\
kau_write(rec, tok); \
} \
} while (0)
tok = au_to_path(ar->ar_arg_kpath1); \
kau_write(rec, tok); \
if (ar->ar_valid_arg & ARG_VNODE1) { \
- fill_vattr(&vattr, &ar->ar_arg_vnode1); \
- tok = au_to_attr32(&vattr); \
+ tok = kau_to_attr32(&ar->ar_arg_vnode1);\
kau_write(rec, tok); \
} \
} else { \
} \
} while (0)
+#define PROCESS_PID_TOKENS(argn) \
+ do { \
+ if ((ar->ar_arg_pid > 0) /* Kill a single process */ \
+ && (ar->ar_valid_arg & ARG_PROCESS)) { \
+ tok = au_to_process(ar->ar_arg_auid, ar->ar_arg_euid, \
+ ar->ar_arg_egid, ar->ar_arg_ruid, \
+ ar->ar_arg_rgid, ar->ar_arg_pid, \
+ ar->ar_arg_asid, &ar->ar_arg_termid); \
+ kau_write(rec, tok); \
+ } else { \
+ tok = au_to_arg32(argn, "process", ar->ar_arg_pid);\
+ kau_write(rec, tok); \
+ } \
+ } while (0) \
+
+/*
+ * Implement auditing for the auditon() system call. The audit tokens
+ * that are generated depend on the command that was sent into the
+ * auditon() system call.
+ *
+ */
+static void
+audit_sys_auditon(struct audit_record *ar, struct au_record *rec)
+{
+ struct au_token *tok;
+
+ switch (ar->ar_arg_cmd) {
+ case A_SETPOLICY:
+ if (sizeof(ar->ar_arg_auditon.au_flags) > 4)
+ tok = au_to_arg64(1, "policy",
+ ar->ar_arg_auditon.au_flags);
+ else
+ tok = au_to_arg32(1, "policy",
+ ar->ar_arg_auditon.au_flags);
+ kau_write(rec, tok);
+ break;
+ case A_SETKMASK:
+ tok = au_to_arg32(2, "setkmask:as_success",
+ ar->ar_arg_auditon.au_mask.am_success);
+ kau_write(rec, tok);
+ tok = au_to_arg32(2, "setkmask:as_failure",
+ ar->ar_arg_auditon.au_mask.am_failure);
+ kau_write(rec, tok);
+ break;
+ case A_SETQCTRL:
+ tok = au_to_arg32(3, "setqctrl:aq_hiwater",
+ ar->ar_arg_auditon.au_qctrl.aq_hiwater);
+ kau_write(rec, tok);
+ tok = au_to_arg32(3, "setqctrl:aq_lowater",
+ ar->ar_arg_auditon.au_qctrl.aq_lowater);
+ kau_write(rec, tok);
+ tok = au_to_arg32(3, "setqctrl:aq_bufsz",
+ ar->ar_arg_auditon.au_qctrl.aq_bufsz);
+ kau_write(rec, tok);
+ tok = au_to_arg32(3, "setqctrl:aq_delay",
+ ar->ar_arg_auditon.au_qctrl.aq_delay);
+ kau_write(rec, tok);
+ tok = au_to_arg32(3, "setqctrl:aq_minfree",
+ ar->ar_arg_auditon.au_qctrl.aq_minfree);
+ kau_write(rec, tok);
+ break;
+ case A_SETUMASK:
+ tok = au_to_arg32(3, "setumask:as_success",
+ ar->ar_arg_auditon.au_auinfo.ai_mask.am_success);
+ kau_write(rec, tok);
+ tok = au_to_arg32(3, "setumask:as_failure",
+ ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure);
+ kau_write(rec, tok);
+ break;
+ case A_SETSMASK:
+ tok = au_to_arg32(3, "setsmask:as_success",
+ ar->ar_arg_auditon.au_auinfo.ai_mask.am_success);
+ kau_write(rec, tok);
+ tok = au_to_arg32(3, "setsmask:as_failure",
+ ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure);
+ kau_write(rec, tok);
+ break;
+ case A_SETCOND:
+ if (sizeof(ar->ar_arg_auditon.au_cond) > 4)
+ tok = au_to_arg64(3, "setcond",
+ ar->ar_arg_auditon.au_cond);
+ else
+ tok = au_to_arg32(3, "setcond",
+ ar->ar_arg_auditon.au_cond);
+ kau_write(rec, tok);
+ break;
+ case A_SETCLASS:
+ tok = au_to_arg32(2, "setclass:ec_event",
+ ar->ar_arg_auditon.au_evclass.ec_number);
+ kau_write(rec, tok);
+ tok = au_to_arg32(3, "setclass:ec_class",
+ ar->ar_arg_auditon.au_evclass.ec_class);
+ kau_write(rec, tok);
+ break;
+ case A_SETPMASK:
+ tok = au_to_arg32(2, "setpmask:as_success",
+ ar->ar_arg_auditon.au_aupinfo.ap_mask.am_success);
+ kau_write(rec, tok);
+ tok = au_to_arg32(2, "setpmask:as_failure",
+ ar->ar_arg_auditon.au_aupinfo.ap_mask.am_failure);
+ kau_write(rec, tok);
+ break;
+ case A_SETFSIZE:
+ tok = au_to_arg32(2, "setfsize:filesize",
+ ar->ar_arg_auditon.au_fstat.af_filesz);
+ kau_write(rec, tok);
+ break;
+ default:
+ break;
+ }
+}
+
/*
* Convert an internal kernel audit record to a BSM record and return
* a success/failure indicator. The BSM record is passed as an out
struct au_record *rec;
au_tid_t tid;
struct audit_record *ar;
- struct vattr vattr;
- int sorf;
int ctr;
*pau = NULL;
ar = &kar->k_ar;
- /*
- * Decide whether to create the BSM audit record by checking the
- * error value from the system call and using the appropriate
- * user audit mask.
- */
- if (ar->ar_errno)
- sorf = AU_PRS_FAILURE;
- else
- sorf = AU_PRS_SUCCESS;
-
- if (au_preselect(ar->ar_event, &ar->ar_subj_amask, sorf) == 0)
- return (BSM_NOAUDIT);
-
rec = kau_open();
if (rec == NULL)
return (BSM_FAILURE);
case AUE_SOCKET:
case AUE_SOCKETPAIR:
- tok = au_to_arg32(1,"domain", ar->ar_arg_sockinfo.sodomain);
+ tok = au_to_arg32(1,"domain", ar->ar_arg_sockinfo.so_domain);
kau_write(rec, tok);
- tok = au_to_arg32(2,"type", ar->ar_arg_sockinfo.sotype);
+ tok = au_to_arg32(2,"type", ar->ar_arg_sockinfo.so_type);
kau_write(rec, tok);
- tok = au_to_arg32(3,"protocol", ar->ar_arg_sockinfo.soprotocol);
+ tok = au_to_arg32(3,"protocol",ar->ar_arg_sockinfo.so_protocol);
kau_write(rec, tok);
break;
kau_write(rec, tok);
break;
+ case AUE_ACCT:
+ if (ar->ar_valid_arg & (ARG_KPATH1 | ARG_UPATH1)) {
+ UPATH1_KPATH1_VNODE1_TOKENS;
+ } else {
+ tok = au_to_arg32(1, "accounting off", 0);
+ kau_write(rec, tok);
+ }
+ break;
+
case AUE_SETAUID:
tok = au_to_arg32(2, "setauid", ar->ar_arg_auid);
kau_write(rec, tok);
- /* fall through */
+ break;
+
+ case AUE_SETAUDIT:
+ if (ar->ar_valid_arg & ARG_AUID) {
+ tok = au_to_arg32(1, "setaudit:auid", ar->ar_arg_auid);
+ kau_write(rec, tok);
+ tok = au_to_arg32(1, "setaudit:port",
+ ar->ar_arg_termid.port);
+ kau_write(rec, tok);
+ tok = au_to_arg32(1, "setaudit:machine",
+ ar->ar_arg_termid.machine);
+ kau_write(rec, tok);
+ tok = au_to_arg32(1, "setaudit:as_success",
+ ar->ar_arg_amask.am_success);
+ kau_write(rec, tok);
+ tok = au_to_arg32(1, "setaudit:as_failure",
+ ar->ar_arg_amask.am_failure);
+ kau_write(rec, tok);
+ tok = au_to_arg32(1, "setaudit:asid", ar->ar_arg_asid);
+ kau_write(rec, tok);
+ }
+ break;
+
+ case AUE_SETAUDIT_ADDR:
+ break; /* XXX need to add arguments */
+
+ case AUE_AUDITON:
+ /* For AUDITON commands without own event, audit the cmd */
+ tok = au_to_arg32(1, "cmd", ar->ar_arg_cmd);
+ kau_write(rec, tok);
+ /* fall thru */
+
+ case AUE_AUDITON_GETCAR:
+ case AUE_AUDITON_GETCLASS:
+ case AUE_AUDITON_GETCOND:
+ case AUE_AUDITON_GETCWD:
+ case AUE_AUDITON_GETKMASK:
+ case AUE_AUDITON_GETSTAT:
+ case AUE_AUDITON_GPOLICY:
+ case AUE_AUDITON_GQCTRL:
+ case AUE_AUDITON_SETCLASS:
+ case AUE_AUDITON_SETCOND:
+ case AUE_AUDITON_SETKMASK:
+ case AUE_AUDITON_SETSMASK:
+ case AUE_AUDITON_SETSTAT:
+ case AUE_AUDITON_SETUMASK:
+ case AUE_AUDITON_SPOLICY:
+ case AUE_AUDITON_SQCTRL:
+ if (ar->ar_valid_arg & ARG_AUDITON) {
+ audit_sys_auditon(ar, rec);
+ }
+ break;
+
+ case AUE_AUDITCTL:
+ UPATH1_KPATH1_VNODE1_TOKENS;
+ break;
+
case AUE_ADJTIME:
case AUE_AUDIT:
case AUE_EXIT:
+ case AUE_GETAUDIT:
+ case AUE_GETAUDIT_ADDR:
case AUE_GETAUID:
case AUE_GETFSSTAT:
case AUE_PIPE:
case AUE_SETPGRP:
case AUE_SETRLIMIT:
+ case AUE_SETSID:
+ case AUE_SETTIMEOFDAY:
+ case AUE_NEWSYSTEMSHREG:
/* Header, subject, and return tokens added at end */
break;
case AUE_UNDELETE:
case AUE_UNLINK:
case AUE_UTIMES:
- KPATH1_VNODE1_OR_UPATH1_TOKENS;
+ UPATH1_KPATH1_VNODE1_TOKENS;
break;
case AUE_CHFLAGS:
tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
kau_write(rec, tok);
- KPATH1_VNODE1_OR_UPATH1_TOKENS;
+ UPATH1_KPATH1_VNODE1_TOKENS;
break;
case AUE_CHMOD:
tok = au_to_arg32(2, "new file mode", ar->ar_arg_mode);
kau_write(rec, tok);
- KPATH1_VNODE1_OR_UPATH1_TOKENS;
+ UPATH1_KPATH1_VNODE1_TOKENS;
break;
case AUE_CHOWN:
+ case AUE_LCHOWN:
tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid);
kau_write(rec, tok);
tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid);
kau_write(rec, tok);
- KPATH1_VNODE1_OR_UPATH1_TOKENS;
+ UPATH1_KPATH1_VNODE1_TOKENS;
break;
case AUE_EXCHANGEDATA:
- KPATH1_VNODE1_OR_UPATH1_TOKENS;
+ UPATH1_KPATH1_VNODE1_TOKENS;
KPATH2_VNODE2_TOKENS;
break;
-/*
- * XXXAUDIT: Close is not audited in the kernel yet.
case AUE_CLOSE:
tok = au_to_arg32(2, "fd", ar->ar_arg_fd);
kau_write(rec, tok);
- KPATH1_VNODE1_OR_UPATH1_TOKENS;
+ UPATH1_KPATH1_VNODE1_TOKENS;
break;
-*/
+
case AUE_FCHMOD:
tok = au_to_arg32(2, "new file mode", ar->ar_arg_mode);
kau_write(rec, tok);
FD_KPATH1_VNODE1_TOKENS;
break;
+ case AUE_NFSSVC:
+ tok = au_to_arg32(1, "request", ar->ar_arg_cmd);
+ kau_write(rec, tok);
+ if (ar->ar_valid_arg & (ARG_KPATH1 | ARG_UPATH1)) {
+ UPATH1_KPATH1_VNODE1_TOKENS;
+ }
+ break;
+
case AUE_FCHDIR:
case AUE_FPATHCONF:
case AUE_FSTAT: /* XXX Need to handle sockets and shm */
break;
case AUE_FCNTL:
- if (ar->ar_arg_cmd == F_GETLK || ar->ar_arg_cmd == F_SETLK ||
- ar->ar_arg_cmd == F_SETLKW) {
- tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd);
- kau_write(rec, tok);
+ tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd);
+ kau_write(rec, tok);
+ if (ar->ar_valid_arg & ARG_VNODE1) {
FD_KPATH1_VNODE1_TOKENS;
}
break;
FD_KPATH1_VNODE1_TOKENS;
break;
+ case AUE_FORK:
+ case AUE_VFORK:
+ tok = au_to_arg32(0, "child PID", ar->ar_arg_pid);
+ kau_write(rec, tok);
+ break;
+
+ case AUE_IOCTL:
+ tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd);
+ kau_write(rec, tok);
+ tok = au_to_arg32(1, "arg", (u_int32_t)ar->ar_arg_addr);
+ kau_write(rec, tok);
+ if (ar->ar_valid_arg & ARG_VNODE1) {
+ FD_KPATH1_VNODE1_TOKENS;
+ } else {
+ if (ar->ar_valid_arg & ARG_SOCKINFO) {
+ tok = kau_to_socket(&ar->ar_arg_sockinfo);
+ kau_write(rec, tok);
+ } else {
+ tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
+ kau_write(rec, tok);
+ }
+ }
+ break;
+
+ case AUE_KILL:
+ tok = au_to_arg32(2, "signal", ar->ar_arg_signum);
+ kau_write(rec, tok);
+ PROCESS_PID_TOKENS(1);
+ break;
+
+ case AUE_KTRACE:
+ tok = au_to_arg32(2, "ops", ar->ar_arg_cmd);
+ kau_write(rec, tok);
+ tok = au_to_arg32(3, "trpoints", ar->ar_arg_value);
+ kau_write(rec, tok);
+ PROCESS_PID_TOKENS(4);
+ UPATH1_KPATH1_VNODE1_TOKENS;
+ break;
+
case AUE_LINK:
case AUE_RENAME:
- KPATH1_VNODE1_OR_UPATH1_TOKENS;
+ UPATH1_KPATH1_VNODE1_TOKENS;
UPATH2_TOKENS;
break;
+ case AUE_LOADSHFILE:
+ tok = au_to_arg32(4, "base addr", (u_int32_t)ar->ar_arg_addr);
+ kau_write(rec, tok);
+ UPATH1_KPATH1_VNODE1_TOKENS;
+ break;
+
case AUE_MKDIR:
tok = au_to_arg32(2, "mode", ar->ar_arg_mode);
kau_write(rec, tok);
- KPATH1_VNODE1_OR_UPATH1_TOKENS;
+ UPATH1_KPATH1_VNODE1_TOKENS;
break;
case AUE_MKNOD:
kau_write(rec, tok);
tok = au_to_arg32(3, "dev", ar->ar_arg_dev);
kau_write(rec, tok);
- KPATH1_VNODE1_OR_UPATH1_TOKENS;
+ UPATH1_KPATH1_VNODE1_TOKENS;
+ break;
+
+ case AUE_MMAP:
+ case AUE_MUNMAP:
+ case AUE_MPROTECT:
+ case AUE_MLOCK:
+ case AUE_MUNLOCK:
+ case AUE_MINHERIT:
+ tok = au_to_arg32(1, "addr", (u_int32_t)ar->ar_arg_addr); /* LP64todo */
+ kau_write(rec, tok);
+ tok = au_to_arg32(2, "len", ar->ar_arg_len); /* LP64todo */
+ kau_write(rec, tok);
+ if (ar->ar_event == AUE_MMAP)
+ FD_KPATH1_VNODE1_TOKENS;
+ if (ar->ar_event == AUE_MPROTECT) {
+ tok = au_to_arg32(3, "protection", ar->ar_arg_value);
+ kau_write(rec, tok);
+ }
+ if (ar->ar_event == AUE_MINHERIT) {
+ tok = au_to_arg32(3, "inherit", ar->ar_arg_value);
+ kau_write(rec, tok);
+ }
break;
case AUE_MOUNT:
/* XXX Need to handle NFS mounts */
tok = au_to_arg32(3, "flags", ar->ar_arg_fflags);
kau_write(rec, tok);
- if (ar->ar_arg_text != NULL) {
+ if (ar->ar_valid_arg & ARG_TEXT) {
tok = au_to_text(ar->ar_arg_text);
kau_write(rec, tok);
}
/* fall through */
- case AUE_UMOUNT:
- KPATH1_VNODE1_OR_UPATH1_TOKENS;
+ case AUE_UNMOUNT:
+ UPATH1_KPATH1_VNODE1_TOKENS;
break;
case AUE_MSGCTL:
}
break;
- case AUE_OPEN_R:
+ case AUE_RESETSHFILE:
+ tok = au_to_arg32(1, "base addr", (u_int32_t)ar->ar_arg_addr);
+ kau_write(rec, tok);
+ break;
+
case AUE_OPEN_RC:
case AUE_OPEN_RTC:
- case AUE_OPEN_RT:
- case AUE_OPEN_RW:
case AUE_OPEN_RWC:
case AUE_OPEN_RWTC:
- case AUE_OPEN_RWT:
- case AUE_OPEN_W:
case AUE_OPEN_WC:
case AUE_OPEN_WTC:
+ tok = au_to_arg32(3, "mode", ar->ar_arg_mode);
+ kau_write(rec, tok);
+ /* fall thru */
+
+ case AUE_OPEN:
+ case AUE_OPEN_R:
+ case AUE_OPEN_RT:
+ case AUE_OPEN_RW:
+ case AUE_OPEN_RWT:
+ case AUE_OPEN_W:
case AUE_OPEN_WT:
- /* The open syscall always writes a OPEN_R event; convert the
- * file flags to the proper type of event.
- */
- ar->ar_event = flags_to_openevent(ar->ar_arg_fflags);
- UPATH1_TOKENS; /* Save the user space path */
- KPATH1_VNODE1_TOKENS; /* Audit the kernel path as well */
+ tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
+ kau_write(rec, tok);
+ UPATH1_KPATH1_VNODE1_TOKENS;
+ break;
+
+ case AUE_PTRACE:
+ tok = au_to_arg32(1, "request", ar->ar_arg_cmd);
+ kau_write(rec, tok);
+ tok = au_to_arg32(3, "addr", (u_int32_t)ar->ar_arg_addr); /* LP64todo */
+ kau_write(rec, tok);
+ tok = au_to_arg32(4, "data", ar->ar_arg_value);
+ kau_write(rec, tok);
+ PROCESS_PID_TOKENS(2);
break;
case AUE_QUOTACTL:
kau_write(rec, tok);
tok = au_to_arg32(3, "uid", ar->ar_arg_uid);
kau_write(rec, tok);
- KPATH1_VNODE1_OR_UPATH1_TOKENS;
+ UPATH1_KPATH1_VNODE1_TOKENS;
+ break;
+
+ case AUE_REBOOT:
+ tok = au_to_arg32(1, "howto", ar->ar_arg_cmd);
+ kau_write(rec, tok);
break;
case AUE_SEMCTL:
if (ar->ar_valid_arg & ARG_GROUPSET) {
for(ctr = 0; ctr < ar->ar_arg_groups.gidset_size; ctr++)
{
- tok = au_to_arg32(1, "setgroups", ar->ar_arg_groups.gidset[ctr]);
+ tok = au_to_arg32(1, "setgroups", ar->ar_arg_groups.gidset[ctr]);
kau_write(rec, tok);
}
}
break;
+
+ case AUE_SETLOGIN:
+ if (ar->ar_valid_arg & ARG_TEXT) {
+ tok = au_to_text(ar->ar_arg_text);
+ kau_write(rec, tok);
+ }
+ break;
+
+ case AUE_SETPRIORITY:
+ tok = au_to_arg32(1, "which", ar->ar_arg_cmd);
+ kau_write(rec, tok);
+ tok = au_to_arg32(2, "who", ar->ar_arg_uid);
+ kau_write(rec, tok);
+ tok = au_to_arg32(2, "priority", ar->ar_arg_value);
+ kau_write(rec, tok);
+ break;
+
+ case AUE_SETPRIVEXEC:
+ tok = au_to_arg32(1, "flag", ar->ar_arg_value);
+ kau_write(rec, tok);
+ break;
+
+ /* AUE_SHMAT, AUE_SHMCTL, AUE_SHMDT and AUE_SHMGET are SysV IPC */
case AUE_SHMAT:
tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id);
kau_write(rec, tok);
}
break;
+ /* AUE_SHMOPEN, AUE_SHMUNLINK, AUE_SEMOPEN, AUE_SEMCLOSE
+ * and AUE_SEMUNLINK are Posix IPC */
+ case AUE_SHMOPEN:
+ tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
+ kau_write(rec, tok);
+ tok = au_to_arg32(3, "mode", ar->ar_arg_mode);
+ kau_write(rec, tok);
+ case AUE_SHMUNLINK:
+ if (ar->ar_valid_arg & ARG_TEXT) {
+ tok = au_to_text(ar->ar_arg_text);
+ kau_write(rec, tok);
+ }
+ if (ar->ar_valid_arg & ARG_POSIX_IPC_PERM) {
+ /* Create an ipc_perm token */
+ struct ipc_perm perm;
+ perm.uid = ar->ar_arg_pipc_perm.pipc_uid;
+ perm.gid = ar->ar_arg_pipc_perm.pipc_gid;
+ perm.cuid = ar->ar_arg_pipc_perm.pipc_uid;
+ perm.cgid = ar->ar_arg_pipc_perm.pipc_gid;
+ perm.mode = ar->ar_arg_pipc_perm.pipc_mode;
+ perm.seq = 0;
+ perm.key = 0;
+ tok = au_to_ipc_perm(&perm);
+ kau_write(rec, tok);
+ }
+ break;
+
+ case AUE_SEMOPEN:
+ tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
+ kau_write(rec, tok);
+ tok = au_to_arg32(3, "mode", ar->ar_arg_mode);
+ kau_write(rec, tok);
+ tok = au_to_arg32(4, "value", ar->ar_arg_value);
+ kau_write(rec, tok);
+ /* fall through */
+ case AUE_SEMUNLINK:
+ if (ar->ar_valid_arg & ARG_TEXT) {
+ tok = au_to_text(ar->ar_arg_text);
+ kau_write(rec, tok);
+ }
+ if (ar->ar_valid_arg & ARG_POSIX_IPC_PERM) {
+ /* Create an ipc_perm token */
+ struct ipc_perm perm;
+ perm.uid = ar->ar_arg_pipc_perm.pipc_uid;
+ perm.gid = ar->ar_arg_pipc_perm.pipc_gid;
+ perm.cuid = ar->ar_arg_pipc_perm.pipc_uid;
+ perm.cgid = ar->ar_arg_pipc_perm.pipc_gid;
+ perm.mode = ar->ar_arg_pipc_perm.pipc_mode;
+ perm.seq = 0;
+ perm.key = 0;
+ tok = au_to_ipc_perm(&perm);
+ kau_write(rec, tok);
+ }
+ break;
+
+ case AUE_SEMCLOSE:
+ tok = au_to_arg32(1, "sem", ar->ar_arg_fd);
+ kau_write(rec, tok);
+ break;
+
case AUE_SYMLINK:
if (ar->ar_valid_arg & ARG_TEXT) {
tok = au_to_text(ar->ar_arg_text);
kau_write(rec, tok);
}
- KPATH1_VNODE1_OR_UPATH1_TOKENS;
+ UPATH1_KPATH1_VNODE1_TOKENS;
+ break;
+
+ case AUE_SYSCTL:
+ case AUE_SYSCTL_NONADMIN:
+ if (ar->ar_valid_arg & (ARG_CTLNAME | ARG_LEN)) {
+ for (ctr = 0; ctr < ar->ar_arg_len; ctr++) {
+ tok = au_to_arg32(1, "name", ar->ar_arg_ctlname[ctr]);
+ kau_write(rec, tok);
+ }
+ }
+ if (ar->ar_valid_arg & ARG_VALUE) {
+ tok = au_to_arg32(5, "newval", ar->ar_arg_value);
+ kau_write(rec, tok);
+ }
+ if (ar->ar_valid_arg & ARG_TEXT) {
+ tok = au_to_text(ar->ar_arg_text);
+ kau_write(rec, tok);
+ }
break;
case AUE_UMASK:
kau_write(rec, tok);
break;
+ /************************
+ * Mach system calls *
+ ************************/
+ case AUE_INITPROCESS:
+ break;
+
+ case AUE_PIDFORTASK:
+ tok = au_to_arg32(1, "port", (u_int32_t)ar->ar_arg_mach_port1);
+ kau_write(rec, tok);
+ if (ar->ar_valid_arg & ARG_PID) {
+ tok = au_to_arg32(2, "pid", (u_int32_t)ar->ar_arg_pid);
+ kau_write(rec, tok);
+ }
+ break;
+
+ case AUE_TASKFORPID:
+ tok = au_to_arg32(1, "target port",
+ (u_int32_t)ar->ar_arg_mach_port1);
+ kau_write(rec, tok);
+ if (ar->ar_valid_arg & ARG_MACHPORT2) {
+ tok = au_to_arg32(3, "task port",
+ (u_int32_t)ar->ar_arg_mach_port2);
+ kau_write(rec, tok);
+ }
+ PROCESS_PID_TOKENS(2);
+ break;
+
+ case AUE_SWAPON:
+ tok = au_to_arg32(4, "priority",
+ (u_int32_t)ar->ar_arg_value);
+ kau_write(rec, tok);
+ UPATH1_KPATH1_VNODE1_TOKENS;
+ break;
+
+ case AUE_SWAPOFF:
+ UPATH1_KPATH1_VNODE1_TOKENS;
+ break;
+
+ case AUE_MAPFD:
+ tok = au_to_arg32(3, "va", (u_int32_t)ar->ar_arg_addr);
+ kau_write(rec, tok);
+ FD_KPATH1_VNODE1_TOKENS;
+ break;
+
default: /* We shouldn't fall through to here. */
printf("BSM conversion requested for unknown event %d\n",
ar->ar_event);
*
*/
int
-bsm_rec_verify(caddr_t rec)
+bsm_rec_verify(void* rec)
{
+ char c = *(char *)rec;
/*
* Check the token ID of the first token; it has to be a header
* token.
/* XXXAUDIT There needs to be a token structure to map a token.
* XXXAUDIT 'Shouldn't be simply looking at the first char.
*/
- if ( ((char)*rec != AU_HEADER_32_TOKEN) &&
- ((char)*rec != AU_HEADER_EX_32_TOKEN) &&
- ((char)*rec != AU_HEADER_64_TOKEN) &&
- ((char)*rec != AU_HEADER_EX_64_TOKEN) ) {
+ if ( (c != AU_HEADER_32_TOKEN) &&
+ (c != AU_HEADER_EX_32_TOKEN) &&
+ (c != AU_HEADER_64_TOKEN) &&
+ (c != AU_HEADER_EX_64_TOKEN) ) {
return (0);
}
return (1);
projects / apple / xnu.git / blobdiff