X-Git-Url: https://git.saurik.com/apple/xnu.git/blobdiff_plain/55e303ae13a4cf49d70f2294092726f2fffb9ef2..a3d08fcd5120d2aa8303b6349ca8b14e3f284af3:/bsd/kern/kern_bsm_audit.c diff --git a/bsd/kern/kern_bsm_audit.c b/bsd/kern/kern_bsm_audit.c index 99132a09c..44367bf9d 100644 --- a/bsd/kern/kern_bsm_audit.c +++ b/bsd/kern/kern_bsm_audit.c @@ -1,27 +1,25 @@ /* - * Copyright (c) 2003 Apple Computer, Inc. All rights reserved. + * Copyright (c) 2004 Apple Computer, Inc. All rights reserved. * * @APPLE_LICENSE_HEADER_START@ * - * Copyright (c) 1999-2003 Apple Computer, Inc. All Rights Reserved. + * The contents of this file constitute Original Code as defined in and + * are subject to the Apple Public Source License Version 1.1 (the + * "License"). You may not use this file except in compliance with the + * License. Please obtain a copy of the License at + * http://www.apple.com/publicsource and read it before using this file. * - * This file contains Original Code and/or Modifications of Original Code - * as defined in and that are subject to the Apple Public Source License - * Version 2.0 (the 'License'). You may not use this file except in - * compliance with the License. Please obtain a copy of the License at - * http://www.opensource.apple.com/apsl/ and read it before using this - * file. - * - * The Original Code and all software distributed under the License are - * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * This Original Code and all software distributed under the License are + * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. - * Please see the License for the specific language governing rights and - * limitations under the License. + * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. Please see the + * License for the specific language governing rights and limitations + * under the License. * * @APPLE_LICENSE_HEADER_END@ */ + #include #include #include @@ -30,12 +28,14 @@ #include #include #include -#include -#include -#include -#include -#include #include + +#include +#include +#include +#include +#include + #include #include #include @@ -67,6 +67,7 @@ kau_init(void) printf("BSM auditing present\n"); LIST_INIT(&bsm_free_q); bsm_audit_mutex = mutex_alloc(ETAP_NO_TRACE); + au_evclassmap_init(); } /* @@ -104,14 +105,13 @@ kau_open(void) /* * Create a new BSM kernel record. */ - kmem_alloc(kernel_map, &rec, sizeof(*rec)); + rec = (struct au_record *)kalloc(sizeof(*rec)); if(rec == NULL) { return NULL; } - kmem_alloc(kernel_map, &rec->data, - MAX_AUDIT_RECORD_SIZE * sizeof(u_char)); + rec->data = (u_char *)kalloc(MAX_AUDIT_RECORD_SIZE * sizeof(u_char)); if((rec->data) == NULL) { - kmem_free(kernel_map, rec, sizeof(*rec)); + kfree((vm_offset_t)rec, (vm_size_t)sizeof(*rec)); return NULL; } mutex_lock(bsm_audit_mutex); @@ -196,8 +196,7 @@ void kau_free(struct au_record *rec) /* Free the token list */ while ((tok = TAILQ_FIRST(&rec->token_q))) { TAILQ_REMOVE(&rec->token_q, tok, tokens); - kmem_free(kernel_map, tok->t_data, tok->len); - kmem_free(kernel_map, tok, sizeof(struct au_token)); + kfree((vm_offset_t)tok, sizeof(*tok) + tok->len); } rec->used = 0; @@ -232,30 +231,30 @@ void kau_free(struct au_record *rec) } \ } while (0) -#define KPATH1_VNODE1_TOKENS \ +#define UPATH1_KPATH1_VNODE1_TOKENS \ do { \ + if (ar->ar_valid_arg & ARG_UPATH1) { \ + tok = au_to_path(ar->ar_arg_upath1); \ + kau_write(rec, tok); \ + } \ if (ar->ar_valid_arg & ARG_KPATH1) { \ tok = au_to_path(ar->ar_arg_kpath1); \ kau_write(rec, tok); \ } \ if (ar->ar_valid_arg & ARG_VNODE1) { \ - fill_vattr(&vattr, &ar->ar_arg_vnode1); \ - tok = au_to_attr32(&vattr); \ + tok = kau_to_attr32(&ar->ar_arg_vnode1);\ kau_write(rec, tok); \ } \ } while (0) - -#define KPATH1_VNODE1_OR_UPATH1_TOKENS \ + +#define KPATH1_VNODE1_TOKENS \ do { \ if (ar->ar_valid_arg & ARG_KPATH1) { \ tok = au_to_path(ar->ar_arg_kpath1); \ kau_write(rec, tok); \ - } else { \ - UPATH1_TOKENS; \ } \ if (ar->ar_valid_arg & ARG_VNODE1) { \ - fill_vattr(&vattr, &ar->ar_arg_vnode1); \ - tok = au_to_attr32(&vattr); \ + tok = kau_to_attr32(&ar->ar_arg_vnode1);\ kau_write(rec, tok); \ } \ } while (0) @@ -267,8 +266,7 @@ void kau_free(struct au_record *rec) kau_write(rec, tok); \ } \ if (ar->ar_valid_arg & ARG_VNODE2) { \ - fill_vattr(&vattr, &ar->ar_arg_vnode2); \ - tok = au_to_attr32(&vattr); \ + tok = kau_to_attr32(&ar->ar_arg_vnode1);\ kau_write(rec, tok); \ } \ } while (0) @@ -279,8 +277,7 @@ void kau_free(struct au_record *rec) tok = au_to_path(ar->ar_arg_kpath1); \ kau_write(rec, tok); \ if (ar->ar_valid_arg & ARG_VNODE1) { \ - fill_vattr(&vattr, &ar->ar_arg_vnode1); \ - tok = au_to_attr32(&vattr); \ + tok = kau_to_attr32(&ar->ar_arg_vnode1);\ kau_write(rec, tok); \ } \ } else { \ @@ -289,6 +286,118 @@ void kau_free(struct au_record *rec) } \ } while (0) +#define PROCESS_PID_TOKENS(argn) \ + do { \ + if ((ar->ar_arg_pid > 0) /* Kill a single process */ \ + && (ar->ar_valid_arg & ARG_PROCESS)) { \ + tok = au_to_process(ar->ar_arg_auid, ar->ar_arg_euid, \ + ar->ar_arg_egid, ar->ar_arg_ruid, \ + ar->ar_arg_rgid, ar->ar_arg_pid, \ + ar->ar_arg_asid, &ar->ar_arg_termid); \ + kau_write(rec, tok); \ + } else { \ + tok = au_to_arg32(argn, "process", ar->ar_arg_pid);\ + kau_write(rec, tok); \ + } \ + } while (0) \ + +/* + * Implement auditing for the auditon() system call. The audit tokens + * that are generated depend on the command that was sent into the + * auditon() system call. + * + */ +void +audit_sys_auditon(struct audit_record *ar, struct au_record *rec) +{ + struct au_token *tok; + + switch (ar->ar_arg_cmd) { + case A_SETPOLICY: + if (sizeof(ar->ar_arg_auditon.au_flags) > 4) + tok = au_to_arg64(1, "policy", + ar->ar_arg_auditon.au_flags); + else + tok = au_to_arg32(1, "policy", + ar->ar_arg_auditon.au_flags); + kau_write(rec, tok); + break; + case A_SETKMASK: + tok = au_to_arg32(2, "setkmask:as_success", + ar->ar_arg_auditon.au_mask.am_success); + kau_write(rec, tok); + tok = au_to_arg32(2, "setkmask:as_failure", + ar->ar_arg_auditon.au_mask.am_failure); + kau_write(rec, tok); + break; + case A_SETQCTRL: + tok = au_to_arg32(3, "setqctrl:aq_hiwater", + ar->ar_arg_auditon.au_qctrl.aq_hiwater); + kau_write(rec, tok); + tok = au_to_arg32(3, "setqctrl:aq_lowater", + ar->ar_arg_auditon.au_qctrl.aq_lowater); + kau_write(rec, tok); + tok = au_to_arg32(3, "setqctrl:aq_bufsz", + ar->ar_arg_auditon.au_qctrl.aq_bufsz); + kau_write(rec, tok); + tok = au_to_arg32(3, "setqctrl:aq_delay", + ar->ar_arg_auditon.au_qctrl.aq_delay); + kau_write(rec, tok); + tok = au_to_arg32(3, "setqctrl:aq_minfree", + ar->ar_arg_auditon.au_qctrl.aq_minfree); + kau_write(rec, tok); + break; + case A_SETUMASK: + tok = au_to_arg32(3, "setumask:as_success", + ar->ar_arg_auditon.au_auinfo.ai_mask.am_success); + kau_write(rec, tok); + tok = au_to_arg32(3, "setumask:as_failure", + ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure); + kau_write(rec, tok); + break; + case A_SETSMASK: + tok = au_to_arg32(3, "setsmask:as_success", + ar->ar_arg_auditon.au_auinfo.ai_mask.am_success); + kau_write(rec, tok); + tok = au_to_arg32(3, "setsmask:as_failure", + ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure); + kau_write(rec, tok); + break; + case A_SETCOND: + if (sizeof(ar->ar_arg_auditon.au_cond) > 4) + tok = au_to_arg64(3, "setcond", + ar->ar_arg_auditon.au_cond); + else + tok = au_to_arg32(3, "setcond", + ar->ar_arg_auditon.au_cond); + kau_write(rec, tok); + break; + case A_SETCLASS: + tok = au_to_arg32(2, "setclass:ec_event", + ar->ar_arg_auditon.au_evclass.ec_number); + kau_write(rec, tok); + tok = au_to_arg32(3, "setclass:ec_class", + ar->ar_arg_auditon.au_evclass.ec_class); + kau_write(rec, tok); + break; + case A_SETPMASK: + tok = au_to_arg32(2, "setpmask:as_success", + ar->ar_arg_auditon.au_aupinfo.ap_mask.am_success); + kau_write(rec, tok); + tok = au_to_arg32(2, "setpmask:as_failure", + ar->ar_arg_auditon.au_aupinfo.ap_mask.am_failure); + kau_write(rec, tok); + break; + case A_SETFSIZE: + tok = au_to_arg32(2, "setfsize:filesize", + ar->ar_arg_auditon.au_fstat.af_filesz); + kau_write(rec, tok); + break; + default: + break; + } +} + /* * Convert an internal kernel audit record to a BSM record and return * a success/failure indicator. The BSM record is passed as an out @@ -305,8 +414,6 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau) struct au_record *rec; au_tid_t tid; struct audit_record *ar; - struct vattr vattr; - int sorf; int ctr; *pau = NULL; @@ -315,19 +422,6 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau) ar = &kar->k_ar; - /* - * Decide whether to create the BSM audit record by checking the - * error value from the system call and using the appropriate - * user audit mask. - */ - if (ar->ar_errno) - sorf = AU_PRS_FAILURE; - else - sorf = AU_PRS_SUCCESS; - - if (au_preselect(ar->ar_event, &ar->ar_subj_amask, sorf) == 0) - return (BSM_NOAUDIT); - rec = kau_open(); if (rec == NULL) return (BSM_FAILURE); @@ -379,11 +473,11 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau) case AUE_SOCKET: case AUE_SOCKETPAIR: - tok = au_to_arg32(1,"domain", ar->ar_arg_sockinfo.sodomain); + tok = au_to_arg32(1,"domain", ar->ar_arg_sockinfo.so_domain); kau_write(rec, tok); - tok = au_to_arg32(2,"type", ar->ar_arg_sockinfo.sotype); + tok = au_to_arg32(2,"type", ar->ar_arg_sockinfo.so_type); kau_write(rec, tok); - tok = au_to_arg32(3,"protocol", ar->ar_arg_sockinfo.soprotocol); + tok = au_to_arg32(3,"protocol",ar->ar_arg_sockinfo.so_protocol); kau_write(rec, tok); break; @@ -393,18 +487,88 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau) kau_write(rec, tok); break; + case AUE_ACCT: + if (ar->ar_valid_arg & (ARG_KPATH1 | ARG_UPATH1)) { + UPATH1_KPATH1_VNODE1_TOKENS; + } else { + tok = au_to_arg32(1, "accounting off", 0); + kau_write(rec, tok); + } + break; + case AUE_SETAUID: tok = au_to_arg32(2, "setauid", ar->ar_arg_auid); kau_write(rec, tok); - /* fall through */ + break; + + case AUE_SETAUDIT: + if (ar->ar_valid_arg & ARG_AUID) { + tok = au_to_arg32(1, "setaudit:auid", ar->ar_arg_auid); + kau_write(rec, tok); + tok = au_to_arg32(1, "setaudit:port", + ar->ar_arg_termid.port); + kau_write(rec, tok); + tok = au_to_arg32(1, "setaudit:machine", + ar->ar_arg_termid.machine); + kau_write(rec, tok); + tok = au_to_arg32(1, "setaudit:as_success", + ar->ar_arg_amask.am_success); + kau_write(rec, tok); + tok = au_to_arg32(1, "setaudit:as_failure", + ar->ar_arg_amask.am_failure); + kau_write(rec, tok); + tok = au_to_arg32(1, "setaudit:asid", ar->ar_arg_asid); + kau_write(rec, tok); + } + break; + + case AUE_SETAUDIT_ADDR: + break; /* XXX need to add arguments */ + + case AUE_AUDITON: + /* For AUDITON commands without own event, audit the cmd */ + tok = au_to_arg32(1, "cmd", ar->ar_arg_cmd); + kau_write(rec, tok); + /* fall thru */ + + case AUE_AUDITON_GETCAR: + case AUE_AUDITON_GETCLASS: + case AUE_AUDITON_GETCOND: + case AUE_AUDITON_GETCWD: + case AUE_AUDITON_GETKMASK: + case AUE_AUDITON_GETSTAT: + case AUE_AUDITON_GPOLICY: + case AUE_AUDITON_GQCTRL: + case AUE_AUDITON_SETCLASS: + case AUE_AUDITON_SETCOND: + case AUE_AUDITON_SETKMASK: + case AUE_AUDITON_SETSMASK: + case AUE_AUDITON_SETSTAT: + case AUE_AUDITON_SETUMASK: + case AUE_AUDITON_SPOLICY: + case AUE_AUDITON_SQCTRL: + if (ar->ar_valid_arg & ARG_AUDITON) { + audit_sys_auditon(ar, rec); + } + break; + + case AUE_AUDITCTL: + UPATH1_KPATH1_VNODE1_TOKENS; + break; + case AUE_ADJTIME: case AUE_AUDIT: case AUE_EXIT: + case AUE_GETAUDIT: + case AUE_GETAUDIT_ADDR: case AUE_GETAUID: case AUE_GETFSSTAT: case AUE_PIPE: case AUE_SETPGRP: case AUE_SETRLIMIT: + case AUE_SETSID: + case AUE_SETTIMEOFDAY: + case AUE_NEWSYSTEMSHREG: /* Header, subject, and return tokens added at end */ break; @@ -428,19 +592,19 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau) case AUE_UNDELETE: case AUE_UNLINK: case AUE_UTIMES: - KPATH1_VNODE1_OR_UPATH1_TOKENS; + UPATH1_KPATH1_VNODE1_TOKENS; break; case AUE_CHFLAGS: tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); kau_write(rec, tok); - KPATH1_VNODE1_OR_UPATH1_TOKENS; + UPATH1_KPATH1_VNODE1_TOKENS; break; case AUE_CHMOD: tok = au_to_arg32(2, "new file mode", ar->ar_arg_mode); kau_write(rec, tok); - KPATH1_VNODE1_OR_UPATH1_TOKENS; + UPATH1_KPATH1_VNODE1_TOKENS; break; case AUE_CHOWN: @@ -448,28 +612,34 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau) kau_write(rec, tok); tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid); kau_write(rec, tok); - KPATH1_VNODE1_OR_UPATH1_TOKENS; + UPATH1_KPATH1_VNODE1_TOKENS; break; case AUE_EXCHANGEDATA: - KPATH1_VNODE1_OR_UPATH1_TOKENS; + UPATH1_KPATH1_VNODE1_TOKENS; KPATH2_VNODE2_TOKENS; break; -/* - * XXXAUDIT: Close is not audited in the kernel yet. case AUE_CLOSE: tok = au_to_arg32(2, "fd", ar->ar_arg_fd); kau_write(rec, tok); - KPATH1_VNODE1_OR_UPATH1_TOKENS; + UPATH1_KPATH1_VNODE1_TOKENS; break; -*/ + case AUE_FCHMOD: tok = au_to_arg32(2, "new file mode", ar->ar_arg_mode); kau_write(rec, tok); FD_KPATH1_VNODE1_TOKENS; break; + case AUE_NFSSVC: + tok = au_to_arg32(1, "request", ar->ar_arg_cmd); + kau_write(rec, tok); + if (ar->ar_valid_arg & (ARG_KPATH1 | ARG_UPATH1)) { + UPATH1_KPATH1_VNODE1_TOKENS; + } + break; + case AUE_FCHDIR: case AUE_FPATHCONF: case AUE_FSTAT: /* XXX Need to handle sockets and shm */ @@ -490,10 +660,9 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau) break; case AUE_FCNTL: - if (ar->ar_arg_cmd == F_GETLK || ar->ar_arg_cmd == F_SETLK || - ar->ar_arg_cmd == F_SETLKW) { - tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd); - kau_write(rec, tok); + tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd); + kau_write(rec, tok); + if (ar->ar_valid_arg & ARG_VNODE1) { FD_KPATH1_VNODE1_TOKENS; } break; @@ -510,16 +679,61 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau) FD_KPATH1_VNODE1_TOKENS; break; + case AUE_FORK: + case AUE_VFORK: + tok = au_to_arg32(0, "child PID", ar->ar_arg_pid); + kau_write(rec, tok); + break; + + case AUE_IOCTL: + tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd); + kau_write(rec, tok); + tok = au_to_arg32(1, "arg", (u_int32_t)ar->ar_arg_addr); + kau_write(rec, tok); + if (ar->ar_valid_arg & ARG_VNODE1) { + FD_KPATH1_VNODE1_TOKENS; + } else { + if (ar->ar_valid_arg & ARG_SOCKINFO) { + tok = kau_to_socket(&ar->ar_arg_sockinfo); + kau_write(rec, tok); + } else { + tok = au_to_arg32(1, "fd", ar->ar_arg_fd); + kau_write(rec, tok); + } + } + break; + + case AUE_KILL: + tok = au_to_arg32(2, "signal", ar->ar_arg_signum); + kau_write(rec, tok); + PROCESS_PID_TOKENS(1); + break; + + case AUE_KTRACE: + tok = au_to_arg32(2, "ops", ar->ar_arg_cmd); + kau_write(rec, tok); + tok = au_to_arg32(3, "trpoints", ar->ar_arg_value); + kau_write(rec, tok); + PROCESS_PID_TOKENS(4); + UPATH1_KPATH1_VNODE1_TOKENS; + break; + case AUE_LINK: case AUE_RENAME: - KPATH1_VNODE1_OR_UPATH1_TOKENS; + UPATH1_KPATH1_VNODE1_TOKENS; UPATH2_TOKENS; break; + case AUE_LOADSHFILE: + tok = au_to_arg32(4, "base addr", (u_int32_t)ar->ar_arg_addr); + kau_write(rec, tok); + UPATH1_KPATH1_VNODE1_TOKENS; + break; + case AUE_MKDIR: tok = au_to_arg32(2, "mode", ar->ar_arg_mode); kau_write(rec, tok); - KPATH1_VNODE1_OR_UPATH1_TOKENS; + UPATH1_KPATH1_VNODE1_TOKENS; break; case AUE_MKNOD: @@ -527,20 +741,42 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau) kau_write(rec, tok); tok = au_to_arg32(3, "dev", ar->ar_arg_dev); kau_write(rec, tok); - KPATH1_VNODE1_OR_UPATH1_TOKENS; + UPATH1_KPATH1_VNODE1_TOKENS; + break; + + case AUE_MMAP: + case AUE_MUNMAP: + case AUE_MPROTECT: + case AUE_MLOCK: + case AUE_MUNLOCK: + case AUE_MINHERIT: + tok = au_to_arg32(1, "addr", (u_int32_t)ar->ar_arg_addr); + kau_write(rec, tok); + tok = au_to_arg32(2, "len", ar->ar_arg_len); + kau_write(rec, tok); + if (ar->ar_event == AUE_MMAP) + FD_KPATH1_VNODE1_TOKENS; + if (ar->ar_event == AUE_MPROTECT) { + tok = au_to_arg32(3, "protection", ar->ar_arg_value); + kau_write(rec, tok); + } + if (ar->ar_event == AUE_MINHERIT) { + tok = au_to_arg32(3, "inherit", ar->ar_arg_value); + kau_write(rec, tok); + } break; case AUE_MOUNT: /* XXX Need to handle NFS mounts */ tok = au_to_arg32(3, "flags", ar->ar_arg_fflags); kau_write(rec, tok); - if (ar->ar_arg_text != NULL) { + if (ar->ar_valid_arg & ARG_TEXT) { tok = au_to_text(ar->ar_arg_text); kau_write(rec, tok); } /* fall through */ - case AUE_UMOUNT: - KPATH1_VNODE1_OR_UPATH1_TOKENS; + case AUE_UNMOUNT: + UPATH1_KPATH1_VNODE1_TOKENS; break; case AUE_MSGCTL: @@ -563,24 +799,41 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau) } break; - case AUE_OPEN_R: + case AUE_RESETSHFILE: + tok = au_to_arg32(1, "base addr", (u_int32_t)ar->ar_arg_addr); + kau_write(rec, tok); + break; + case AUE_OPEN_RC: case AUE_OPEN_RTC: - case AUE_OPEN_RT: - case AUE_OPEN_RW: case AUE_OPEN_RWC: case AUE_OPEN_RWTC: - case AUE_OPEN_RWT: - case AUE_OPEN_W: case AUE_OPEN_WC: case AUE_OPEN_WTC: + tok = au_to_arg32(3, "mode", ar->ar_arg_mode); + kau_write(rec, tok); + /* fall thru */ + + case AUE_OPEN: + case AUE_OPEN_R: + case AUE_OPEN_RT: + case AUE_OPEN_RW: + case AUE_OPEN_RWT: + case AUE_OPEN_W: case AUE_OPEN_WT: - /* The open syscall always writes a OPEN_R event; convert the - * file flags to the proper type of event. - */ - ar->ar_event = flags_to_openevent(ar->ar_arg_fflags); - UPATH1_TOKENS; /* Save the user space path */ - KPATH1_VNODE1_TOKENS; /* Audit the kernel path as well */ + tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); + kau_write(rec, tok); + UPATH1_KPATH1_VNODE1_TOKENS; + break; + + case AUE_PTRACE: + tok = au_to_arg32(1, "request", ar->ar_arg_cmd); + kau_write(rec, tok); + tok = au_to_arg32(3, "addr", (u_int32_t)ar->ar_arg_addr); + kau_write(rec, tok); + tok = au_to_arg32(4, "data", ar->ar_arg_value); + kau_write(rec, tok); + PROCESS_PID_TOKENS(2); break; case AUE_QUOTACTL: @@ -588,7 +841,12 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau) kau_write(rec, tok); tok = au_to_arg32(3, "uid", ar->ar_arg_uid); kau_write(rec, tok); - KPATH1_VNODE1_OR_UPATH1_TOKENS; + UPATH1_KPATH1_VNODE1_TOKENS; + break; + + case AUE_REBOOT: + tok = au_to_arg32(1, "howto", ar->ar_arg_cmd); + kau_write(rec, tok); break; case AUE_SEMCTL: @@ -633,6 +891,29 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau) } } break; + + case AUE_SETLOGIN: + if (ar->ar_valid_arg & ARG_TEXT) { + tok = au_to_text(ar->ar_arg_text); + kau_write(rec, tok); + } + break; + + case AUE_SETPRIORITY: + tok = au_to_arg32(1, "which", ar->ar_arg_cmd); + kau_write(rec, tok); + tok = au_to_arg32(2, "who", ar->ar_arg_uid); + kau_write(rec, tok); + tok = au_to_arg32(2, "priority", ar->ar_arg_value); + kau_write(rec, tok); + break; + + case AUE_SETPRIVEXEC: + tok = au_to_arg32(1, "flag", ar->ar_arg_value); + kau_write(rec, tok); + break; + + /* AUE_SHMAT, AUE_SHMCTL, AUE_SHMDT and AUE_SHMGET are SysV IPC */ case AUE_SHMAT: tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id); kau_write(rec, tok); @@ -698,12 +979,90 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau) } break; + /* AUE_SHMOPEN, AUE_SHMUNLINK, AUE_SEMOPEN, AUE_SEMCLOSE + * and AUE_SEMUNLINK are Posix IPC */ + case AUE_SHMOPEN: + tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); + kau_write(rec, tok); + tok = au_to_arg32(3, "mode", ar->ar_arg_mode); + kau_write(rec, tok); + case AUE_SHMUNLINK: + if (ar->ar_valid_arg & ARG_TEXT) { + tok = au_to_text(ar->ar_arg_text); + kau_write(rec, tok); + } + if (ar->ar_valid_arg & ARG_POSIX_IPC_PERM) { + /* Create an ipc_perm token */ + struct ipc_perm perm; + perm.uid = ar->ar_arg_pipc_perm.pipc_uid; + perm.gid = ar->ar_arg_pipc_perm.pipc_gid; + perm.cuid = ar->ar_arg_pipc_perm.pipc_uid; + perm.cgid = ar->ar_arg_pipc_perm.pipc_gid; + perm.mode = ar->ar_arg_pipc_perm.pipc_mode; + perm.seq = 0; + perm.key = 0; + tok = au_to_ipc_perm(&perm); + kau_write(rec, tok); + } + break; + + case AUE_SEMOPEN: + tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); + kau_write(rec, tok); + tok = au_to_arg32(3, "mode", ar->ar_arg_mode); + kau_write(rec, tok); + tok = au_to_arg32(4, "value", ar->ar_arg_value); + kau_write(rec, tok); + /* fall through */ + case AUE_SEMUNLINK: + if (ar->ar_valid_arg & ARG_TEXT) { + tok = au_to_text(ar->ar_arg_text); + kau_write(rec, tok); + } + if (ar->ar_valid_arg & ARG_POSIX_IPC_PERM) { + /* Create an ipc_perm token */ + struct ipc_perm perm; + perm.uid = ar->ar_arg_pipc_perm.pipc_uid; + perm.gid = ar->ar_arg_pipc_perm.pipc_gid; + perm.cuid = ar->ar_arg_pipc_perm.pipc_uid; + perm.cgid = ar->ar_arg_pipc_perm.pipc_gid; + perm.mode = ar->ar_arg_pipc_perm.pipc_mode; + perm.seq = 0; + perm.key = 0; + tok = au_to_ipc_perm(&perm); + kau_write(rec, tok); + } + break; + + case AUE_SEMCLOSE: + tok = au_to_arg32(1, "sem", ar->ar_arg_fd); + kau_write(rec, tok); + break; + case AUE_SYMLINK: if (ar->ar_valid_arg & ARG_TEXT) { tok = au_to_text(ar->ar_arg_text); kau_write(rec, tok); } - KPATH1_VNODE1_OR_UPATH1_TOKENS; + UPATH1_KPATH1_VNODE1_TOKENS; + break; + + case AUE_SYSCTL: + case AUE_SYSCTL_NONADMIN: + if (ar->ar_valid_arg & (ARG_CTLNAME | ARG_LEN)) { + for (ctr = 0; ctr < ar->ar_arg_len; ctr++) { + tok = au_to_arg32(1, "name", ar->ar_arg_ctlname[ctr]); + kau_write(rec, tok); + } + } + if (ar->ar_valid_arg & ARG_VALUE) { + tok = au_to_arg32(5, "newval", ar->ar_arg_value); + kau_write(rec, tok); + } + if (ar->ar_valid_arg & ARG_TEXT) { + tok = au_to_text(ar->ar_arg_text); + kau_write(rec, tok); + } break; case AUE_UMASK: @@ -713,6 +1072,50 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau) kau_write(rec, tok); break; + /************************ + * Mach system calls * + ************************/ + case AUE_INITPROCESS: + break; + + case AUE_PIDFORTASK: + tok = au_to_arg32(1, "port", (u_int32_t)ar->ar_arg_mach_port1); + kau_write(rec, tok); + if (ar->ar_valid_arg & ARG_PID) { + tok = au_to_arg32(2, "pid", (u_int32_t)ar->ar_arg_pid); + kau_write(rec, tok); + } + break; + + case AUE_TASKFORPID: + tok = au_to_arg32(1, "target port", + (u_int32_t)ar->ar_arg_mach_port1); + kau_write(rec, tok); + if (ar->ar_valid_arg & ARG_MACHPORT2) { + tok = au_to_arg32(3, "task port", + (u_int32_t)ar->ar_arg_mach_port2); + kau_write(rec, tok); + } + PROCESS_PID_TOKENS(2); + break; + + case AUE_SWAPON: + tok = au_to_arg32(4, "priority", + (u_int32_t)ar->ar_arg_value); + kau_write(rec, tok); + UPATH1_KPATH1_VNODE1_TOKENS; + break; + + case AUE_SWAPOFF: + UPATH1_KPATH1_VNODE1_TOKENS; + break; + + case AUE_MAPFD: + tok = au_to_arg32(3, "va", (u_int32_t)ar->ar_arg_addr); + kau_write(rec, tok); + FD_KPATH1_VNODE1_TOKENS; + break; + default: /* We shouldn't fall through to here. */ printf("BSM conversion requested for unknown event %d\n", ar->ar_event); @@ -737,8 +1140,9 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau) * */ int -bsm_rec_verify(caddr_t rec) +bsm_rec_verify(void *rec) { + char c = *(char *)rec; /* * Check the token ID of the first token; it has to be a header * token. @@ -746,10 +1150,10 @@ bsm_rec_verify(caddr_t rec) /* XXXAUDIT There needs to be a token structure to map a token. * XXXAUDIT 'Shouldn't be simply looking at the first char. */ - if ( ((char)*rec != AU_HEADER_32_TOKEN) && - ((char)*rec != AU_HEADER_EX_32_TOKEN) && - ((char)*rec != AU_HEADER_64_TOKEN) && - ((char)*rec != AU_HEADER_EX_64_TOKEN) ) { + if ( (c != AU_HEADER_32_TOKEN) && + (c != AU_HEADER_EX_32_TOKEN) && + (c != AU_HEADER_64_TOKEN) && + (c != AU_HEADER_EX_64_TOKEN) ) { return (0); } return (1);