X-Git-Url: https://git.saurik.com/apple/xnu.git/blobdiff_plain/b0d623f7f2ae71ed96e60569f61f9a9a27016e80..eee3565979933af707c711411001ba11fe406a3c:/bsd/security/audit/audit_bsm.c?ds=sidebyside diff --git a/bsd/security/audit/audit_bsm.c b/bsd/security/audit/audit_bsm.c index 0ee35a074..da938d8a1 100644 --- a/bsd/security/audit/audit_bsm.c +++ b/bsd/security/audit/audit_bsm.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1999-2009 Apple Inc. + * Copyright (c) 1999-2016 Apple Inc. * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -57,8 +57,6 @@ #include #include -#include - #if CONFIG_AUDIT MALLOC_DEFINE(M_AUDITBSM, "audit_bsm", "Audit BSM data"); @@ -1022,6 +1020,7 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau) case AUE_FUTIMES: case AUE_GETDIRENTRIES: case AUE_GETDIRENTRIESATTR: + case AUE_GETATTRLISTBULK: #if 0 /* XXXss new */ case AUE_POLL: #endif @@ -1282,22 +1281,47 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau) } break; - case AUE_OPENAT_RC: - case AUE_OPENAT_RTC: - case AUE_OPENAT_RWC: - case AUE_OPENAT_RWTC: - case AUE_OPENAT_WC: - case AUE_OPENAT_WTC: + case AUE_OPEN: + case AUE_OPEN_R: + case AUE_OPEN_RT: + case AUE_OPEN_RW: + case AUE_OPEN_RWT: + case AUE_OPEN_W: + case AUE_OPEN_WT: + if (ARG_IS_VALID(kar, ARG_FFLAGS)) { + tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); + kau_write(rec, tok); + } + UPATH1_VNODE1_TOKENS; + break; + + case AUE_OPEN_RC: + case AUE_OPEN_RTC: + case AUE_OPEN_RWC: + case AUE_OPEN_RWTC: + case AUE_OPEN_WC: + case AUE_OPEN_WTC: if (ARG_IS_VALID(kar, ARG_MODE)) { tok = au_to_arg32(3, "mode", ar->ar_arg_mode); kau_write(rec, tok); } if (ARG_IS_VALID(kar, ARG_FFLAGS)) { - tok = au_to_arg32(3, "flags", ar->ar_arg_fflags); + tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); kau_write(rec, tok); } - if (ARG_IS_VALID(kar, ARG_FD)) { - tok = au_to_arg32(1, "dir fd", ar->ar_arg_fd); + UPATH1_VNODE1_TOKENS; + break; + + case AUE_OPEN_EXTENDED: + case AUE_OPEN_EXTENDED_R: + case AUE_OPEN_EXTENDED_RT: + case AUE_OPEN_EXTENDED_RW: + case AUE_OPEN_EXTENDED_RWT: + case AUE_OPEN_EXTENDED_W: + case AUE_OPEN_EXTENDED_WT: + EXTENDED_TOKENS(3); + if (ARG_IS_VALID(kar, ARG_FFLAGS)) { + tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); kau_write(rec, tok); } UPATH1_VNODE1_TOKENS; @@ -1317,23 +1341,6 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau) UPATH1_VNODE1_TOKENS; break; - case AUE_OPEN_RC: - case AUE_OPEN_RTC: - case AUE_OPEN_RWC: - case AUE_OPEN_RWTC: - case AUE_OPEN_WC: - case AUE_OPEN_WTC: - if (ARG_IS_VALID(kar, ARG_MODE)) { - tok = au_to_arg32(3, "mode", ar->ar_arg_mode); - kau_write(rec, tok); - } - if (ARG_IS_VALID(kar, ARG_FFLAGS)) { - tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); - kau_write(rec, tok); - } - UPATH1_VNODE1_TOKENS; - break; - case AUE_OPENAT: case AUE_OPENAT_R: case AUE_OPENAT_RT: @@ -1352,36 +1359,59 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau) UPATH1_VNODE1_TOKENS; break; - case AUE_OPEN_EXTENDED: - case AUE_OPEN_EXTENDED_R: - case AUE_OPEN_EXTENDED_RT: - case AUE_OPEN_EXTENDED_RW: - case AUE_OPEN_EXTENDED_RWT: - case AUE_OPEN_EXTENDED_W: - case AUE_OPEN_EXTENDED_WT: - EXTENDED_TOKENS(3); + case AUE_OPENAT_RC: + case AUE_OPENAT_RTC: + case AUE_OPENAT_RWC: + case AUE_OPENAT_RWTC: + case AUE_OPENAT_WC: + case AUE_OPENAT_WTC: + if (ARG_IS_VALID(kar, ARG_MODE)) { + tok = au_to_arg32(4, "mode", ar->ar_arg_mode); + kau_write(rec, tok); + } if (ARG_IS_VALID(kar, ARG_FFLAGS)) { - tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); + tok = au_to_arg32(3, "flags", ar->ar_arg_fflags); + kau_write(rec, tok); + } + if (ARG_IS_VALID(kar, ARG_FD)) { + tok = au_to_arg32(1, "dir fd", ar->ar_arg_fd); kau_write(rec, tok); } UPATH1_VNODE1_TOKENS; break; - case AUE_OPEN: - case AUE_OPEN_R: - case AUE_OPEN_RT: - case AUE_OPEN_RW: - case AUE_OPEN_RWT: - case AUE_OPEN_W: - case AUE_OPEN_WT: + case AUE_OPENBYID: + case AUE_OPENBYID_R: + case AUE_OPENBYID_RT: + case AUE_OPENBYID_RW: + case AUE_OPENBYID_RWT: + case AUE_OPENBYID_W: + case AUE_OPENBYID_WT: if (ARG_IS_VALID(kar, ARG_FFLAGS)) { - tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); + tok = au_to_arg32(3, "flags", ar->ar_arg_fflags); + kau_write(rec, tok); + } + if (ARG_IS_VALID(kar, ARG_VALUE32)) { + tok = au_to_arg32(1, "volfsid", ar->ar_arg_value32); + kau_write(rec, tok); + } + if (ARG_IS_VALID(kar, ARG_VALUE64)) { + tok = au_to_arg64(2, "objid", ar->ar_arg_value64); kau_write(rec, tok); } - UPATH1_VNODE1_TOKENS; break; + case AUE_RENAMEAT: + case AUE_FACCESSAT: + case AUE_FCHMODAT: + case AUE_FCHOWNAT: + case AUE_FSTATAT: + case AUE_LINKAT: case AUE_UNLINKAT: + case AUE_READLINKAT: + case AUE_SYMLINKAT: + case AUE_MKDIRAT: + case AUE_GETATTRLISTAT: if (ARG_IS_VALID(kar, ARG_FD)) { tok = au_to_arg32(1, "dir fd", ar->ar_arg_fd); kau_write(rec, tok); @@ -1389,6 +1419,36 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau) UPATH1_VNODE1_TOKENS; break; + case AUE_CLONEFILEAT: + if (ARG_IS_VALID(kar, ARG_FD)) { + tok = au_to_arg32(1, "src dir fd", ar->ar_arg_fd); + kau_write(rec, tok); + } + UPATH1_VNODE1_TOKENS; + if (ARG_IS_VALID(kar, ARG_FD2)) { + tok = au_to_arg32(1, "dst dir fd", ar->ar_arg_fd2); + kau_write(rec, tok); + } + UPATH2_TOKENS; + if (ARG_IS_VALID(kar, ARG_VALUE32)) { + tok = au_to_arg32(1, "flags", ar->ar_arg_value32); + kau_write(rec, tok); + } + break; + + case AUE_FCLONEFILEAT: + FD_VNODE1_TOKENS; + if (ARG_IS_VALID(kar, ARG_FD2)) { + tok = au_to_arg32(1, "dst dir fd", ar->ar_arg_fd2); + kau_write(rec, tok); + } + UPATH2_TOKENS; + if (ARG_IS_VALID(kar, ARG_VALUE32)) { + tok = au_to_arg32(1, "flags", ar->ar_arg_value32); + kau_write(rec, tok); + } + break; + case AUE_PTRACE: if (ARG_IS_VALID(kar, ARG_CMD)) { tok = au_to_arg32(1, "request", ar->ar_arg_cmd); @@ -1757,6 +1817,24 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau) } break; + case AUE_SESSION_START: + case AUE_SESSION_UPDATE: + case AUE_SESSION_END: + case AUE_SESSION_CLOSE: + if (ARG_IS_VALID(kar, ARG_VALUE64)) { + tok = au_to_arg64(1, "sflags", ar->ar_arg_value64); + kau_write(rec, tok); + } + if (ARG_IS_VALID(kar, ARG_AMASK)) { + tok = au_to_arg32(2, "am_success", + ar->ar_arg_amask.am_success); + kau_write(rec, tok); + tok = au_to_arg32(3, "am_failure", + ar->ar_arg_amask.am_failure); + kau_write(rec, tok); + } + break; + /************************ * Mach system calls * ************************/ @@ -1863,8 +1941,6 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau) case AUE_MAC_GET_PROC: case AUE_MAC_SET_PROC: - case AUE_MAC_GET_LCTX: - case AUE_MAC_SET_LCTX: PROCESS_MAC_TOKENS; break; #endif @@ -1884,7 +1960,7 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau) } #if CONFIG_MACF - do { + if (NULL != ar->ar_mac_records) { /* Convert the audit data from the MAC policies */ struct mac_audit_record *mar; @@ -1913,7 +1989,7 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau) kau_write(rec, tok); } - } while (0); + } #endif kau_write(rec, subj_tok);