audit_bsm.c revision 175455
1155192Srwatson/* 2155192Srwatson * Copyright (c) 1999-2005 Apple Computer, Inc. 3155192Srwatson * All rights reserved. 4155192Srwatson * 5155192Srwatson * Redistribution and use in source and binary forms, with or without 6155192Srwatson * modification, are permitted provided that the following conditions 7155192Srwatson * are met: 8155192Srwatson * 1. Redistributions of source code must retain the above copyright 9155192Srwatson * notice, this list of conditions and the following disclaimer. 10155192Srwatson * 2. Redistributions in binary form must reproduce the above copyright 11155192Srwatson * notice, this list of conditions and the following disclaimer in the 12155192Srwatson * documentation and/or other materials provided with the distribution. 13155192Srwatson * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of 14155192Srwatson * its contributors may be used to endorse or promote products derived 15155192Srwatson * from this software without specific prior written permission. 16155192Srwatson * 17155192Srwatson * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND 18155192Srwatson * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19155192Srwatson * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20155192Srwatson * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR 21155192Srwatson * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22155192Srwatson * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23155192Srwatson * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24155192Srwatson * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 25155192Srwatson * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 26155192Srwatson * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 27155192Srwatson * POSSIBILITY OF SUCH DAMAGE. 28155192Srwatson * 29155192Srwatson * $FreeBSD: head/sys/security/audit/audit_bsm.c 175455 2008-01-18 19:50:34Z csjp $ 30155192Srwatson */ 31155192Srwatson 32155192Srwatson#include <sys/param.h> 33155192Srwatson#include <sys/vnode.h> 34155192Srwatson#include <sys/ipc.h> 35155192Srwatson#include <sys/lock.h> 36155192Srwatson#include <sys/malloc.h> 37155192Srwatson#include <sys/mutex.h> 38155192Srwatson#include <sys/socket.h> 39160136Swsalamon#include <sys/extattr.h> 40155192Srwatson#include <sys/fcntl.h> 41155192Srwatson#include <sys/user.h> 42155192Srwatson#include <sys/systm.h> 43155192Srwatson 44155192Srwatson#include <bsm/audit.h> 45155192Srwatson#include <bsm/audit_internal.h> 46155192Srwatson#include <bsm/audit_record.h> 47155192Srwatson#include <bsm/audit_kevents.h> 48155192Srwatson 49155192Srwatson#include <security/audit/audit.h> 50155192Srwatson#include <security/audit/audit_private.h> 51155192Srwatson 52155192Srwatson#include <netinet/in_systm.h> 53155192Srwatson#include <netinet/in.h> 54155192Srwatson#include <netinet/ip.h> 55155192Srwatson 56155192SrwatsonMALLOC_DEFINE(M_AUDITBSM, "audit_bsm", "Audit BSM data"); 57155192Srwatson 58155192Srwatsonstatic void audit_sys_auditon(struct audit_record *ar, 59155192Srwatson struct au_record *rec); 60155192Srwatson 61155192Srwatson/* 62155192Srwatson * Initialize the BSM auditing subsystem. 63155192Srwatson */ 64155192Srwatsonvoid 65155192Srwatsonkau_init(void) 66155192Srwatson{ 67155192Srwatson 68155192Srwatson au_evclassmap_init(); 69155192Srwatson} 70155192Srwatson 71155192Srwatson/* 72156889Srwatson * This call reserves memory for the audit record. Memory must be guaranteed 73156889Srwatson * before any auditable event can be generated. The au_record structure 74156889Srwatson * maintains a reference to the memory allocated above and also the list of 75156889Srwatson * tokens associated with this record 76156889Srwatson */ 77156889Srwatsonstatic struct au_record * 78155192Srwatsonkau_open(void) 79156889Srwatson{ 80155192Srwatson struct au_record *rec; 81156889Srwatson 82155192Srwatson rec = malloc(sizeof(*rec), M_AUDITBSM, M_WAITOK); 83162466Srwatson rec->data = NULL; 84155192Srwatson TAILQ_INIT(&rec->token_q); 85155192Srwatson rec->len = 0; 86155192Srwatson rec->used = 1; 87155192Srwatson 88155192Srwatson return (rec); 89155192Srwatson} 90155192Srwatson 91155192Srwatson/* 92155192Srwatson * Store the token with the record descriptor. 93156889Srwatson */ 94155192Srwatsonstatic void 95155192Srwatsonkau_write(struct au_record *rec, struct au_token *tok) 96155192Srwatson{ 97155192Srwatson 98155192Srwatson KASSERT(tok != NULL, ("kau_write: tok == NULL")); 99155192Srwatson 100155192Srwatson TAILQ_INSERT_TAIL(&rec->token_q, tok, tokens); 101155192Srwatson rec->len += tok->len; 102155192Srwatson} 103155192Srwatson 104155192Srwatson/* 105155192Srwatson * Close out the audit record by adding the header token, identifying any 106155192Srwatson * missing tokens. Write out the tokens to the record memory. 107155192Srwatson */ 108155192Srwatsonstatic void 109155192Srwatsonkau_close(struct au_record *rec, struct timespec *ctime, short event) 110155192Srwatson{ 111155192Srwatson u_char *dptr; 112155192Srwatson size_t tot_rec_size; 113155192Srwatson token_t *cur, *hdr, *trail; 114155192Srwatson struct timeval tm; 115156889Srwatson 116161635Srwatson tot_rec_size = rec->len + AUDIT_HEADER_SIZE + AUDIT_TRAILER_SIZE; 117162466Srwatson rec->data = malloc(tot_rec_size, M_AUDITBSM, M_WAITOK | M_ZERO); 118170196Srwatson 119162466Srwatson tm.tv_usec = ctime->tv_nsec / 1000; 120162466Srwatson tm.tv_sec = ctime->tv_sec; 121162466Srwatson hdr = au_to_header32_tm(tot_rec_size, event, 0, tm); 122162466Srwatson TAILQ_INSERT_HEAD(&rec->token_q, hdr, tokens); 123155192Srwatson 124162466Srwatson trail = au_to_trailer(tot_rec_size); 125162466Srwatson TAILQ_INSERT_TAIL(&rec->token_q, trail, tokens); 126155192Srwatson 127162466Srwatson rec->len = tot_rec_size; 128162466Srwatson dptr = rec->data; 129162466Srwatson TAILQ_FOREACH(cur, &rec->token_q, tokens) { 130162466Srwatson memcpy(dptr, cur->t_data, cur->len); 131162466Srwatson dptr += cur->len; 132155192Srwatson } 133155192Srwatson} 134155192Srwatson 135155192Srwatson/* 136156889Srwatson * Free a BSM audit record by releasing all the tokens and clearing the audit 137156889Srwatson * record information. 138155192Srwatson */ 139155192Srwatsonvoid 140155192Srwatsonkau_free(struct au_record *rec) 141155192Srwatson{ 142155192Srwatson struct au_token *tok; 143155192Srwatson 144156889Srwatson /* Free the token list. */ 145155192Srwatson while ((tok = TAILQ_FIRST(&rec->token_q))) { 146155192Srwatson TAILQ_REMOVE(&rec->token_q, tok, tokens); 147155192Srwatson free(tok->t_data, M_AUDITBSM); 148155192Srwatson free(tok, M_AUDITBSM); 149156889Srwatson } 150155192Srwatson 151155192Srwatson rec->used = 0; 152156889Srwatson rec->len = 0; 153155192Srwatson free(rec->data, M_AUDITBSM); 154155192Srwatson free(rec, M_AUDITBSM); 155155192Srwatson} 156155192Srwatson 157155192Srwatson/* 158170196Srwatson * XXX: May want turn some (or all) of these macros into functions in order 159155192Srwatson * to reduce the generated code sized. 160155192Srwatson * 161155192Srwatson * XXXAUDIT: These macros assume that 'kar', 'ar', 'rec', and 'tok' in the 162155192Srwatson * caller are OK with this. 163155192Srwatson */ 164155192Srwatson#define UPATH1_TOKENS do { \ 165155192Srwatson if (ARG_IS_VALID(kar, ARG_UPATH1)) { \ 166155192Srwatson tok = au_to_path(ar->ar_arg_upath1); \ 167155192Srwatson kau_write(rec, tok); \ 168155192Srwatson } \ 169155192Srwatson} while (0) 170155192Srwatson 171155192Srwatson#define UPATH2_TOKENS do { \ 172155192Srwatson if (ARG_IS_VALID(kar, ARG_UPATH2)) { \ 173155192Srwatson tok = au_to_path(ar->ar_arg_upath2); \ 174155192Srwatson kau_write(rec, tok); \ 175155192Srwatson } \ 176155192Srwatson} while (0) 177155192Srwatson 178155192Srwatson#define VNODE1_TOKENS do { \ 179155192Srwatson if (ARG_IS_VALID(kar, ARG_VNODE1)) { \ 180155192Srwatson tok = au_to_attr32(&ar->ar_arg_vnode1); \ 181155192Srwatson kau_write(rec, tok); \ 182155192Srwatson } \ 183155192Srwatson} while (0) 184155192Srwatson 185155192Srwatson#define UPATH1_VNODE1_TOKENS do { \ 186155192Srwatson if (ARG_IS_VALID(kar, ARG_UPATH1)) { \ 187155192Srwatson UPATH1_TOKENS; \ 188155192Srwatson } \ 189155192Srwatson if (ARG_IS_VALID(kar, ARG_VNODE1)) { \ 190155192Srwatson tok = au_to_attr32(&ar->ar_arg_vnode1); \ 191155192Srwatson kau_write(rec, tok); \ 192155192Srwatson } \ 193155192Srwatson} while (0) 194155192Srwatson 195155192Srwatson#define VNODE2_TOKENS do { \ 196155192Srwatson if (ARG_IS_VALID(kar, ARG_VNODE2)) { \ 197155192Srwatson tok = au_to_attr32(&ar->ar_arg_vnode2); \ 198155192Srwatson kau_write(rec, tok); \ 199155192Srwatson } \ 200155192Srwatson} while (0) 201155192Srwatson 202155192Srwatson#define FD_VNODE1_TOKENS do { \ 203155192Srwatson if (ARG_IS_VALID(kar, ARG_VNODE1)) { \ 204155192Srwatson if (ARG_IS_VALID(kar, ARG_FD)) { \ 205155192Srwatson tok = au_to_arg32(1, "fd", ar->ar_arg_fd); \ 206155192Srwatson kau_write(rec, tok); \ 207155192Srwatson } \ 208155192Srwatson tok = au_to_attr32(&ar->ar_arg_vnode1); \ 209155192Srwatson kau_write(rec, tok); \ 210155192Srwatson } else { \ 211155192Srwatson if (ARG_IS_VALID(kar, ARG_FD)) { \ 212156889Srwatson tok = au_to_arg32(1, "non-file: fd", \ 213156889Srwatson ar->ar_arg_fd); \ 214155192Srwatson kau_write(rec, tok); \ 215155192Srwatson } \ 216155192Srwatson } \ 217155192Srwatson} while (0) 218155192Srwatson 219155192Srwatson#define PROCESS_PID_TOKENS(argn) do { \ 220159277Srwatson if ((ar->ar_arg_pid > 0) /* Reference a single process */ \ 221159277Srwatson && (ARG_IS_VALID(kar, ARG_PROCESS))) { \ 222172915Scsjp tok = au_to_process32_ex(ar->ar_arg_auid, \ 223159277Srwatson ar->ar_arg_euid, ar->ar_arg_egid, \ 224159277Srwatson ar->ar_arg_ruid, ar->ar_arg_rgid, \ 225159277Srwatson ar->ar_arg_pid, ar->ar_arg_asid, \ 226172915Scsjp &ar->ar_arg_termid_addr); \ 227159277Srwatson kau_write(rec, tok); \ 228159277Srwatson } else if (ARG_IS_VALID(kar, ARG_PID)) { \ 229159277Srwatson tok = au_to_arg32(argn, "process", ar->ar_arg_pid); \ 230159277Srwatson kau_write(rec, tok); \ 231155192Srwatson } \ 232155192Srwatson} while (0) \ 233155192Srwatson 234160136Swsalamon#define EXTATTR_TOKENS do { \ 235160136Swsalamon if (ARG_IS_VALID(kar, ARG_VALUE)) { \ 236160136Swsalamon switch (ar->ar_arg_value) { \ 237160136Swsalamon case EXTATTR_NAMESPACE_USER: \ 238160136Swsalamon tok = au_to_text(EXTATTR_NAMESPACE_USER_STRING);\ 239160136Swsalamon break; \ 240160136Swsalamon case EXTATTR_NAMESPACE_SYSTEM: \ 241160136Swsalamon tok = au_to_text(EXTATTR_NAMESPACE_SYSTEM_STRING);\ 242160136Swsalamon break; \ 243160136Swsalamon default: \ 244160136Swsalamon tok = au_to_arg32(3, "attrnamespace", \ 245160136Swsalamon ar->ar_arg_value); \ 246160136Swsalamon break; \ 247160136Swsalamon } \ 248160136Swsalamon kau_write(rec, tok); \ 249160136Swsalamon } \ 250160136Swsalamon /* attrname is in the text field */ \ 251160136Swsalamon if (ARG_IS_VALID(kar, ARG_TEXT)) { \ 252160136Swsalamon tok = au_to_text(ar->ar_arg_text); \ 253160136Swsalamon kau_write(rec, tok); \ 254160136Swsalamon } \ 255160136Swsalamon} while (0) 256160136Swsalamon 257155192Srwatson/* 258155192Srwatson * Implement auditing for the auditon() system call. The audit tokens that 259155192Srwatson * are generated depend on the command that was sent into the auditon() 260155192Srwatson * system call. 261155192Srwatson */ 262155192Srwatsonstatic void 263155192Srwatsonaudit_sys_auditon(struct audit_record *ar, struct au_record *rec) 264155192Srwatson{ 265155192Srwatson struct au_token *tok; 266155192Srwatson 267155192Srwatson switch (ar->ar_arg_cmd) { 268156889Srwatson case A_SETPOLICY: 269155192Srwatson if (sizeof(ar->ar_arg_auditon.au_flags) > 4) 270156889Srwatson tok = au_to_arg64(1, "policy", 271156889Srwatson ar->ar_arg_auditon.au_flags); 272155192Srwatson else 273156889Srwatson tok = au_to_arg32(1, "policy", 274156889Srwatson ar->ar_arg_auditon.au_flags); 275155192Srwatson kau_write(rec, tok); 276155192Srwatson break; 277155192Srwatson 278156889Srwatson case A_SETKMASK: 279156889Srwatson tok = au_to_arg32(2, "setkmask:as_success", 280156889Srwatson ar->ar_arg_auditon.au_mask.am_success); 281155192Srwatson kau_write(rec, tok); 282156889Srwatson tok = au_to_arg32(2, "setkmask:as_failure", 283156889Srwatson ar->ar_arg_auditon.au_mask.am_failure); 284155192Srwatson kau_write(rec, tok); 285155192Srwatson break; 286155192Srwatson 287156889Srwatson case A_SETQCTRL: 288156889Srwatson tok = au_to_arg32(3, "setqctrl:aq_hiwater", 289156889Srwatson ar->ar_arg_auditon.au_qctrl.aq_hiwater); 290155192Srwatson kau_write(rec, tok); 291156889Srwatson tok = au_to_arg32(3, "setqctrl:aq_lowater", 292156889Srwatson ar->ar_arg_auditon.au_qctrl.aq_lowater); 293155192Srwatson kau_write(rec, tok); 294156889Srwatson tok = au_to_arg32(3, "setqctrl:aq_bufsz", 295156889Srwatson ar->ar_arg_auditon.au_qctrl.aq_bufsz); 296155192Srwatson kau_write(rec, tok); 297156889Srwatson tok = au_to_arg32(3, "setqctrl:aq_delay", 298156889Srwatson ar->ar_arg_auditon.au_qctrl.aq_delay); 299155192Srwatson kau_write(rec, tok); 300156889Srwatson tok = au_to_arg32(3, "setqctrl:aq_minfree", 301156889Srwatson ar->ar_arg_auditon.au_qctrl.aq_minfree); 302155192Srwatson kau_write(rec, tok); 303155192Srwatson break; 304155192Srwatson 305156889Srwatson case A_SETUMASK: 306156889Srwatson tok = au_to_arg32(3, "setumask:as_success", 307156889Srwatson ar->ar_arg_auditon.au_auinfo.ai_mask.am_success); 308155192Srwatson kau_write(rec, tok); 309156889Srwatson tok = au_to_arg32(3, "setumask:as_failure", 310156889Srwatson ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure); 311155192Srwatson kau_write(rec, tok); 312155192Srwatson break; 313155192Srwatson 314156889Srwatson case A_SETSMASK: 315156889Srwatson tok = au_to_arg32(3, "setsmask:as_success", 316156889Srwatson ar->ar_arg_auditon.au_auinfo.ai_mask.am_success); 317155192Srwatson kau_write(rec, tok); 318156889Srwatson tok = au_to_arg32(3, "setsmask:as_failure", 319156889Srwatson ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure); 320155192Srwatson kau_write(rec, tok); 321155192Srwatson break; 322155192Srwatson 323156889Srwatson case A_SETCOND: 324155192Srwatson if (sizeof(ar->ar_arg_auditon.au_cond) > 4) 325156889Srwatson tok = au_to_arg64(3, "setcond", 326156889Srwatson ar->ar_arg_auditon.au_cond); 327155192Srwatson else 328156889Srwatson tok = au_to_arg32(3, "setcond", 329156889Srwatson ar->ar_arg_auditon.au_cond); 330155192Srwatson kau_write(rec, tok); 331155192Srwatson break; 332155192Srwatson 333156889Srwatson case A_SETCLASS: 334155192Srwatson tok = au_to_arg32(2, "setclass:ec_event", 335156889Srwatson ar->ar_arg_auditon.au_evclass.ec_number); 336155192Srwatson kau_write(rec, tok); 337155192Srwatson tok = au_to_arg32(3, "setclass:ec_class", 338156889Srwatson ar->ar_arg_auditon.au_evclass.ec_class); 339155192Srwatson kau_write(rec, tok); 340155192Srwatson break; 341155192Srwatson 342156889Srwatson case A_SETPMASK: 343156889Srwatson tok = au_to_arg32(2, "setpmask:as_success", 344156889Srwatson ar->ar_arg_auditon.au_aupinfo.ap_mask.am_success); 345155192Srwatson kau_write(rec, tok); 346156889Srwatson tok = au_to_arg32(2, "setpmask:as_failure", 347156889Srwatson ar->ar_arg_auditon.au_aupinfo.ap_mask.am_failure); 348155192Srwatson kau_write(rec, tok); 349155192Srwatson break; 350155192Srwatson 351156889Srwatson case A_SETFSIZE: 352156889Srwatson tok = au_to_arg32(2, "setfsize:filesize", 353156889Srwatson ar->ar_arg_auditon.au_fstat.af_filesz); 354155192Srwatson kau_write(rec, tok); 355155192Srwatson break; 356155192Srwatson 357155192Srwatson default: 358155192Srwatson break; 359155192Srwatson } 360155192Srwatson} 361155192Srwatson 362155192Srwatson/* 363156889Srwatson * Convert an internal kernel audit record to a BSM record and return a 364156889Srwatson * success/failure indicator. The BSM record is passed as an out parameter to 365156889Srwatson * this function. 366156889Srwatson * 367155192Srwatson * Return conditions: 368155192Srwatson * BSM_SUCCESS: The BSM record is valid 369155192Srwatson * BSM_FAILURE: Failure; the BSM record is NULL. 370156889Srwatson * BSM_NOAUDIT: The event is not auditable for BSM; the BSM record is NULL. 371155192Srwatson */ 372155192Srwatsonint 373155192Srwatsonkaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau) 374155192Srwatson{ 375155192Srwatson struct au_token *tok, *subj_tok; 376155192Srwatson struct au_record *rec; 377155192Srwatson au_tid_t tid; 378155192Srwatson struct audit_record *ar; 379155192Srwatson int ctr; 380155192Srwatson 381155192Srwatson KASSERT(kar != NULL, ("kaudit_to_bsm: kar == NULL")); 382155192Srwatson 383155192Srwatson *pau = NULL; 384155192Srwatson ar = &kar->k_ar; 385155192Srwatson rec = kau_open(); 386155192Srwatson 387155192Srwatson /* Create the subject token */ 388168688Scsjp switch (ar->ar_subj_term_addr.at_type) { 389168688Scsjp case AU_IPv4: 390168688Scsjp tid.port = ar->ar_subj_term_addr.at_port; 391168688Scsjp tid.machine = ar->ar_subj_term_addr.at_addr[0]; 392168688Scsjp subj_tok = au_to_subject32(ar->ar_subj_auid, /* audit ID */ 393168688Scsjp ar->ar_subj_cred.cr_uid, /* eff uid */ 394168688Scsjp ar->ar_subj_egid, /* eff group id */ 395168688Scsjp ar->ar_subj_ruid, /* real uid */ 396168688Scsjp ar->ar_subj_rgid, /* real group id */ 397168688Scsjp ar->ar_subj_pid, /* process id */ 398168688Scsjp ar->ar_subj_asid, /* session ID */ 399168688Scsjp &tid); 400168688Scsjp break; 401168688Scsjp case AU_IPv6: 402168688Scsjp subj_tok = au_to_subject32_ex(ar->ar_subj_auid, 403168688Scsjp ar->ar_subj_cred.cr_uid, 404168688Scsjp ar->ar_subj_egid, 405168688Scsjp ar->ar_subj_ruid, 406168688Scsjp ar->ar_subj_rgid, 407168688Scsjp ar->ar_subj_pid, 408168688Scsjp ar->ar_subj_asid, 409168688Scsjp &ar->ar_subj_term_addr); 410168688Scsjp break; 411168688Scsjp default: 412168688Scsjp bzero(&tid, sizeof(tid)); 413168688Scsjp subj_tok = au_to_subject32(ar->ar_subj_auid, 414168688Scsjp ar->ar_subj_cred.cr_uid, 415168688Scsjp ar->ar_subj_egid, 416168688Scsjp ar->ar_subj_ruid, 417168688Scsjp ar->ar_subj_rgid, 418168688Scsjp ar->ar_subj_pid, 419168688Scsjp ar->ar_subj_asid, 420168688Scsjp &tid); 421168688Scsjp } 422155192Srwatson 423156889Srwatson /* 424156889Srwatson * The logic inside each case fills in the tokens required for the 425156889Srwatson * event, except for the header, trailer, and return tokens. The 426155192Srwatson * header and trailer tokens are added by the kau_close() function. 427155192Srwatson * The return token is added outside of the switch statement. 428156889Srwatson */ 429155192Srwatson switch(ar->ar_event) { 430155192Srwatson case AUE_ACCEPT: 431155192Srwatson case AUE_BIND: 432175455Scsjp case AUE_LISTEN: 433155192Srwatson case AUE_CONNECT: 434162990Srwatson case AUE_RECV: 435155192Srwatson case AUE_RECVFROM: 436156889Srwatson case AUE_RECVMSG: 437162990Srwatson case AUE_SEND: 438162990Srwatson case AUE_SENDFILE: 439155192Srwatson case AUE_SENDMSG: 440155192Srwatson case AUE_SENDTO: 441156889Srwatson /* 442156889Srwatson * Socket-related events. 443156889Srwatson */ 444155192Srwatson if (ARG_IS_VALID(kar, ARG_FD)) { 445155192Srwatson tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 446155192Srwatson kau_write(rec, tok); 447155192Srwatson } 448155192Srwatson if (ARG_IS_VALID(kar, ARG_SADDRINET)) { 449156889Srwatson tok = au_to_sock_inet((struct sockaddr_in *) 450156889Srwatson &ar->ar_arg_sockaddr); 451155192Srwatson kau_write(rec, tok); 452155192Srwatson } 453155192Srwatson if (ARG_IS_VALID(kar, ARG_SADDRUNIX)) { 454156889Srwatson tok = au_to_sock_unix((struct sockaddr_un *) 455156889Srwatson &ar->ar_arg_sockaddr); 456155192Srwatson kau_write(rec, tok); 457155192Srwatson UPATH1_TOKENS; 458155192Srwatson } 459155192Srwatson /* XXX Need to handle ARG_SADDRINET6 */ 460155192Srwatson break; 461155192Srwatson 462155192Srwatson case AUE_SOCKET: 463155192Srwatson case AUE_SOCKETPAIR: 464155192Srwatson if (ARG_IS_VALID(kar, ARG_SOCKINFO)) { 465155192Srwatson tok = au_to_arg32(1,"domain", 466155192Srwatson ar->ar_arg_sockinfo.so_domain); 467155192Srwatson kau_write(rec, tok); 468155192Srwatson tok = au_to_arg32(2,"type", 469155192Srwatson ar->ar_arg_sockinfo.so_type); 470155192Srwatson kau_write(rec, tok); 471155192Srwatson tok = au_to_arg32(3,"protocol", 472155192Srwatson ar->ar_arg_sockinfo.so_protocol); 473155192Srwatson kau_write(rec, tok); 474155192Srwatson } 475155192Srwatson break; 476155192Srwatson 477155192Srwatson case AUE_SETSOCKOPT: 478155192Srwatson case AUE_SHUTDOWN: 479155192Srwatson if (ARG_IS_VALID(kar, ARG_FD)) { 480155192Srwatson tok = au_to_arg32(1, "fd", ar->ar_arg_fd); 481155192Srwatson kau_write(rec, tok); 482155192Srwatson } 483155192Srwatson break; 484155192Srwatson 485155192Srwatson case AUE_ACCT: 486155192Srwatson if (ARG_IS_VALID(kar, ARG_UPATH1)) { 487155192Srwatson UPATH1_VNODE1_TOKENS; 488155192Srwatson } else { 489155192Srwatson tok = au_to_arg32(1, "accounting off", 0); 490155192Srwatson kau_write(rec, tok); 491155192Srwatson } 492155192Srwatson break; 493155192Srwatson 494155192Srwatson case AUE_SETAUID: 495155192Srwatson if (ARG_IS_VALID(kar, ARG_AUID)) { 496155192Srwatson tok = au_to_arg32(2, "setauid", ar->ar_arg_auid); 497155192Srwatson kau_write(rec, tok); 498155192Srwatson } 499155192Srwatson break; 500155192Srwatson 501155192Srwatson case AUE_SETAUDIT: 502171066Scsjp if (ARG_IS_VALID(kar, ARG_AUID) && 503171066Scsjp ARG_IS_VALID(kar, ARG_ASID) && 504171066Scsjp ARG_IS_VALID(kar, ARG_AMASK) && 505171066Scsjp ARG_IS_VALID(kar, ARG_TERMID)) { 506156889Srwatson tok = au_to_arg32(1, "setaudit:auid", 507156889Srwatson ar->ar_arg_auid); 508155192Srwatson kau_write(rec, tok); 509156889Srwatson tok = au_to_arg32(1, "setaudit:port", 510156889Srwatson ar->ar_arg_termid.port); 511155192Srwatson kau_write(rec, tok); 512156889Srwatson tok = au_to_arg32(1, "setaudit:machine", 513156889Srwatson ar->ar_arg_termid.machine); 514155192Srwatson kau_write(rec, tok); 515156889Srwatson tok = au_to_arg32(1, "setaudit:as_success", 516156889Srwatson ar->ar_arg_amask.am_success); 517155192Srwatson kau_write(rec, tok); 518156889Srwatson tok = au_to_arg32(1, "setaudit:as_failure", 519156889Srwatson ar->ar_arg_amask.am_failure); 520155192Srwatson kau_write(rec, tok); 521156889Srwatson tok = au_to_arg32(1, "setaudit:asid", 522156889Srwatson ar->ar_arg_asid); 523155192Srwatson kau_write(rec, tok); 524155192Srwatson } 525155192Srwatson break; 526155192Srwatson 527155192Srwatson case AUE_SETAUDIT_ADDR: 528171066Scsjp if (ARG_IS_VALID(kar, ARG_AUID) && 529171066Scsjp ARG_IS_VALID(kar, ARG_ASID) && 530171066Scsjp ARG_IS_VALID(kar, ARG_AMASK) && 531171066Scsjp ARG_IS_VALID(kar, ARG_TERMID_ADDR)) { 532171066Scsjp tok = au_to_arg32(1, "setaudit_addr:auid", 533171066Scsjp ar->ar_arg_auid); 534171066Scsjp kau_write(rec, tok); 535171066Scsjp tok = au_to_arg32(1, "setaudit_addr:as_success", 536171066Scsjp ar->ar_arg_amask.am_success); 537171066Scsjp kau_write(rec, tok); 538171066Scsjp tok = au_to_arg32(1, "setaudit_addr:as_failure", 539171066Scsjp ar->ar_arg_amask.am_failure); 540171066Scsjp kau_write(rec, tok); 541171066Scsjp tok = au_to_arg32(1, "setaudit_addr:asid", 542171066Scsjp ar->ar_arg_asid); 543171066Scsjp kau_write(rec, tok); 544171066Scsjp tok = au_to_arg32(1, "setaudit_addr:type", 545171066Scsjp ar->ar_arg_termid_addr.at_type); 546171066Scsjp kau_write(rec, tok); 547171066Scsjp tok = au_to_arg32(1, "setaudit_addr:port", 548171066Scsjp ar->ar_arg_termid_addr.at_port); 549171066Scsjp kau_write(rec, tok); 550171066Scsjp if (ar->ar_arg_termid_addr.at_type == AU_IPv6) 551171066Scsjp tok = au_to_in_addr_ex((struct in6_addr *) 552171066Scsjp &ar->ar_arg_termid_addr.at_addr[0]); 553171066Scsjp if (ar->ar_arg_termid_addr.at_type == AU_IPv4) 554171066Scsjp tok = au_to_in_addr((struct in_addr *) 555171066Scsjp &ar->ar_arg_termid_addr.at_addr[0]); 556171066Scsjp kau_write(rec, tok); 557171066Scsjp } 558171066Scsjp break; 559155192Srwatson 560155192Srwatson case AUE_AUDITON: 561156889Srwatson /* 562156889Srwatson * For AUDITON commands without own event, audit the cmd. 563156889Srwatson */ 564155192Srwatson if (ARG_IS_VALID(kar, ARG_CMD)) { 565155192Srwatson tok = au_to_arg32(1, "cmd", ar->ar_arg_cmd); 566155192Srwatson kau_write(rec, tok); 567155192Srwatson } 568155192Srwatson /* fall thru */ 569155192Srwatson 570155192Srwatson case AUE_AUDITON_GETCAR: 571155192Srwatson case AUE_AUDITON_GETCLASS: 572155192Srwatson case AUE_AUDITON_GETCOND: 573155192Srwatson case AUE_AUDITON_GETCWD: 574155192Srwatson case AUE_AUDITON_GETKMASK: 575155192Srwatson case AUE_AUDITON_GETSTAT: 576155192Srwatson case AUE_AUDITON_GPOLICY: 577155192Srwatson case AUE_AUDITON_GQCTRL: 578155192Srwatson case AUE_AUDITON_SETCLASS: 579155192Srwatson case AUE_AUDITON_SETCOND: 580155192Srwatson case AUE_AUDITON_SETKMASK: 581155192Srwatson case AUE_AUDITON_SETSMASK: 582155192Srwatson case AUE_AUDITON_SETSTAT: 583155192Srwatson case AUE_AUDITON_SETUMASK: 584155192Srwatson case AUE_AUDITON_SPOLICY: 585155192Srwatson case AUE_AUDITON_SQCTRL: 586156889Srwatson if (ARG_IS_VALID(kar, ARG_AUDITON)) 587155192Srwatson audit_sys_auditon(ar, rec); 588155192Srwatson break; 589156889Srwatson 590155192Srwatson case AUE_AUDITCTL: 591155192Srwatson UPATH1_VNODE1_TOKENS; 592155192Srwatson break; 593155192Srwatson 594155192Srwatson case AUE_EXIT: 595155192Srwatson if (ARG_IS_VALID(kar, ARG_EXIT)) { 596155192Srwatson tok = au_to_exit(ar->ar_arg_exitretval, 597155192Srwatson ar->ar_arg_exitstatus); 598155192Srwatson kau_write(rec, tok); 599155192Srwatson } 600155192Srwatson break; 601155192Srwatson 602155192Srwatson case AUE_ADJTIME: 603162990Srwatson case AUE_CLOCK_SETTIME: 604155192Srwatson case AUE_AUDIT: 605162990Srwatson case AUE_DUP2: 606155192Srwatson case AUE_GETAUDIT: 607155192Srwatson case AUE_GETAUDIT_ADDR: 608155192Srwatson case AUE_GETAUID: 609162990Srwatson case AUE_GETCWD: 610155192Srwatson case AUE_GETFSSTAT: 611162990Srwatson case AUE_GETRESUID: 612162990Srwatson case AUE_GETRESGID: 613162990Srwatson case AUE_KQUEUE: 614162990Srwatson case AUE_LSEEK: 615162990Srwatson case AUE_MODLOAD: 616162990Srwatson case AUE_MODUNLOAD: 617162990Srwatson case AUE_MSGSYS: 618162990Srwatson case AUE_NFS_SVC: 619162990Srwatson case AUE_NTP_ADJTIME: 620155192Srwatson case AUE_PIPE: 621162990Srwatson case AUE_PROFILE: 622162990Srwatson case AUE_RTPRIO: 623162990Srwatson case AUE_SEMSYS: 624162990Srwatson case AUE_SHMSYS: 625155192Srwatson case AUE_SETPGRP: 626155192Srwatson case AUE_SETRLIMIT: 627155192Srwatson case AUE_SETSID: 628155192Srwatson case AUE_SETTIMEOFDAY: 629162990Srwatson case AUE_SYSARCH: 630162990Srwatson 631156889Srwatson /* 632156889Srwatson * Header, subject, and return tokens added at end. 633156889Srwatson */ 634155192Srwatson break; 635155192Srwatson 636159278Srwatson case AUE_MKFIFO: 637159278Srwatson if (ARG_IS_VALID(kar, ARG_MODE)) { 638159278Srwatson tok = au_to_arg32(2, "mode", ar->ar_arg_mode); 639159278Srwatson kau_write(rec, tok); 640159278Srwatson } 641159278Srwatson /* fall through */ 642155192Srwatson case AUE_ACCESS: 643155192Srwatson case AUE_CHDIR: 644155192Srwatson case AUE_CHROOT: 645155559Srwatson case AUE_EACCESS: 646155192Srwatson case AUE_GETATTRLIST: 647162990Srwatson case AUE_JAIL: 648162419Scsjp case AUE_LUTIMES: 649155192Srwatson case AUE_NFS_GETFH: 650155192Srwatson case AUE_LSTAT: 651155192Srwatson case AUE_PATHCONF: 652155192Srwatson case AUE_READLINK: 653155192Srwatson case AUE_REVOKE: 654155192Srwatson case AUE_RMDIR: 655155192Srwatson case AUE_SEARCHFS: 656155192Srwatson case AUE_SETATTRLIST: 657155192Srwatson case AUE_STAT: 658155192Srwatson case AUE_STATFS: 659162990Srwatson case AUE_SWAPON: 660162990Srwatson case AUE_SWAPOFF: 661155192Srwatson case AUE_TRUNCATE: 662155192Srwatson case AUE_UNDELETE: 663155192Srwatson case AUE_UNLINK: 664155192Srwatson case AUE_UTIMES: 665155192Srwatson UPATH1_VNODE1_TOKENS; 666155192Srwatson break; 667155192Srwatson 668162990Srwatson case AUE_FHSTATFS: 669162990Srwatson case AUE_FHOPEN: 670162990Srwatson case AUE_FHSTAT: 671162990Srwatson /* XXXRW: Need to audit vnode argument. */ 672162990Srwatson break; 673162990Srwatson 674155192Srwatson case AUE_CHFLAGS: 675155192Srwatson case AUE_LCHFLAGS: 676155192Srwatson if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 677155192Srwatson tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 678155192Srwatson kau_write(rec, tok); 679155192Srwatson } 680155192Srwatson UPATH1_VNODE1_TOKENS; 681155192Srwatson break; 682156889Srwatson 683155192Srwatson case AUE_CHMOD: 684155192Srwatson case AUE_LCHMOD: 685155192Srwatson if (ARG_IS_VALID(kar, ARG_MODE)) { 686156889Srwatson tok = au_to_arg32(2, "new file mode", 687156889Srwatson ar->ar_arg_mode); 688155192Srwatson kau_write(rec, tok); 689155192Srwatson } 690155192Srwatson UPATH1_VNODE1_TOKENS; 691155192Srwatson break; 692156889Srwatson 693155192Srwatson case AUE_CHOWN: 694155192Srwatson case AUE_LCHOWN: 695155192Srwatson if (ARG_IS_VALID(kar, ARG_UID)) { 696155192Srwatson tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid); 697155192Srwatson kau_write(rec, tok); 698155192Srwatson } 699155192Srwatson if (ARG_IS_VALID(kar, ARG_GID)) { 700155192Srwatson tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid); 701155192Srwatson kau_write(rec, tok); 702155192Srwatson } 703155192Srwatson UPATH1_VNODE1_TOKENS; 704155192Srwatson break; 705156889Srwatson 706155192Srwatson case AUE_EXCHANGEDATA: 707155192Srwatson UPATH1_VNODE1_TOKENS; 708155192Srwatson UPATH2_TOKENS; 709155192Srwatson break; 710155192Srwatson 711155192Srwatson case AUE_CLOSE: 712155192Srwatson if (ARG_IS_VALID(kar, ARG_FD)) { 713155192Srwatson tok = au_to_arg32(2, "fd", ar->ar_arg_fd); 714155192Srwatson kau_write(rec, tok); 715155192Srwatson } 716155192Srwatson UPATH1_VNODE1_TOKENS; 717155192Srwatson break; 718155192Srwatson 719172995Scsjp case AUE_CORE: 720172995Scsjp if (ARG_IS_VALID(kar, ARG_SIGNUM)) { 721172995Scsjp tok = au_to_arg32(0, "signal", ar->ar_arg_signum); 722172995Scsjp kau_write(rec, tok); 723172995Scsjp } 724172995Scsjp UPATH1_VNODE1_TOKENS; 725172995Scsjp break; 726172995Scsjp 727160136Swsalamon case AUE_EXTATTRCTL: 728160136Swsalamon UPATH1_VNODE1_TOKENS; 729160136Swsalamon if (ARG_IS_VALID(kar, ARG_CMD)) { 730160136Swsalamon tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd); 731160136Swsalamon kau_write(rec, tok); 732160136Swsalamon } 733160136Swsalamon /* extattrctl(2) filename parameter is in upath2/vnode2 */ 734160136Swsalamon UPATH2_TOKENS; 735160136Swsalamon VNODE2_TOKENS; 736160136Swsalamon EXTATTR_TOKENS; 737160136Swsalamon break; 738160136Swsalamon 739160136Swsalamon case AUE_EXTATTR_GET_FILE: 740160136Swsalamon case AUE_EXTATTR_SET_FILE: 741160136Swsalamon case AUE_EXTATTR_LIST_FILE: 742160136Swsalamon case AUE_EXTATTR_DELETE_FILE: 743160136Swsalamon case AUE_EXTATTR_GET_LINK: 744160136Swsalamon case AUE_EXTATTR_SET_LINK: 745160136Swsalamon case AUE_EXTATTR_LIST_LINK: 746160136Swsalamon case AUE_EXTATTR_DELETE_LINK: 747160136Swsalamon UPATH1_VNODE1_TOKENS; 748160136Swsalamon EXTATTR_TOKENS; 749160136Swsalamon break; 750160136Swsalamon 751160136Swsalamon case AUE_EXTATTR_GET_FD: 752160136Swsalamon case AUE_EXTATTR_SET_FD: 753160136Swsalamon case AUE_EXTATTR_LIST_FD: 754160136Swsalamon case AUE_EXTATTR_DELETE_FD: 755160136Swsalamon if (ARG_IS_VALID(kar, ARG_FD)) { 756160136Swsalamon tok = au_to_arg32(2, "fd", ar->ar_arg_fd); 757160136Swsalamon kau_write(rec, tok); 758160136Swsalamon } 759160136Swsalamon EXTATTR_TOKENS; 760160136Swsalamon break; 761160136Swsalamon 762161813Swsalamon case AUE_EXECVE: 763161813Swsalamon if (ARG_IS_VALID(kar, ARG_ARGV)) { 764161813Swsalamon tok = au_to_exec_args(ar->ar_arg_argv, 765161813Swsalamon ar->ar_arg_argc); 766161813Swsalamon kau_write(rec, tok); 767161813Swsalamon } 768161813Swsalamon if (ARG_IS_VALID(kar, ARG_ENVV)) { 769161813Swsalamon tok = au_to_exec_env(ar->ar_arg_envv, 770161813Swsalamon ar->ar_arg_envc); 771161813Swsalamon kau_write(rec, tok); 772161813Swsalamon } 773161813Swsalamon UPATH1_VNODE1_TOKENS; 774161813Swsalamon break; 775161813Swsalamon 776155192Srwatson case AUE_FCHMOD: 777155192Srwatson if (ARG_IS_VALID(kar, ARG_MODE)) { 778156889Srwatson tok = au_to_arg32(2, "new file mode", 779156889Srwatson ar->ar_arg_mode); 780155192Srwatson kau_write(rec, tok); 781155192Srwatson } 782155192Srwatson FD_VNODE1_TOKENS; 783155192Srwatson break; 784156889Srwatson 785162990Srwatson /* 786162990Srwatson * XXXRW: Some of these need to handle non-vnode cases as well. 787162990Srwatson */ 788155192Srwatson case AUE_FCHDIR: 789155192Srwatson case AUE_FPATHCONF: 790162990Srwatson case AUE_FSTAT: 791155192Srwatson case AUE_FSTATFS: 792155192Srwatson case AUE_FSYNC: 793155192Srwatson case AUE_FTRUNCATE: 794155192Srwatson case AUE_FUTIMES: 795155192Srwatson case AUE_GETDIRENTRIES: 796155192Srwatson case AUE_GETDIRENTRIESATTR: 797162990Srwatson case AUE_POLL: 798162990Srwatson case AUE_READ: 799162990Srwatson case AUE_READV: 800162990Srwatson case AUE_WRITE: 801162990Srwatson case AUE_WRITEV: 802155192Srwatson FD_VNODE1_TOKENS; 803155192Srwatson break; 804156889Srwatson 805155192Srwatson case AUE_FCHOWN: 806155192Srwatson if (ARG_IS_VALID(kar, ARG_UID)) { 807155192Srwatson tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid); 808155192Srwatson kau_write(rec, tok); 809155192Srwatson } 810155192Srwatson if (ARG_IS_VALID(kar, ARG_GID)) { 811155192Srwatson tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid); 812155192Srwatson kau_write(rec, tok); 813155192Srwatson } 814155192Srwatson FD_VNODE1_TOKENS; 815155192Srwatson break; 816156889Srwatson 817155192Srwatson case AUE_FCNTL: 818155192Srwatson if (ar->ar_arg_cmd == F_GETLK || ar->ar_arg_cmd == F_SETLK || 819155192Srwatson ar->ar_arg_cmd == F_SETLKW) { 820155192Srwatson if (ARG_IS_VALID(kar, ARG_CMD)) { 821155192Srwatson tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd); 822155192Srwatson kau_write(rec, tok); 823155192Srwatson } 824155192Srwatson FD_VNODE1_TOKENS; 825155192Srwatson } 826155192Srwatson break; 827156889Srwatson 828155192Srwatson case AUE_FCHFLAGS: 829155192Srwatson if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 830155192Srwatson tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 831155192Srwatson kau_write(rec, tok); 832155192Srwatson } 833155192Srwatson FD_VNODE1_TOKENS; 834155192Srwatson break; 835156889Srwatson 836155192Srwatson case AUE_FLOCK: 837155192Srwatson if (ARG_IS_VALID(kar, ARG_CMD)) { 838155192Srwatson tok = au_to_arg32(2, "operation", ar->ar_arg_cmd); 839155192Srwatson kau_write(rec, tok); 840155192Srwatson } 841155192Srwatson FD_VNODE1_TOKENS; 842155192Srwatson break; 843156889Srwatson 844155192Srwatson case AUE_RFORK: 845155192Srwatson if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 846155192Srwatson tok = au_to_arg32(1, "flags", ar->ar_arg_fflags); 847155192Srwatson kau_write(rec, tok); 848155192Srwatson } 849155192Srwatson /* fall through */ 850155192Srwatson case AUE_FORK: 851155192Srwatson case AUE_VFORK: 852155192Srwatson if (ARG_IS_VALID(kar, ARG_PID)) { 853155192Srwatson tok = au_to_arg32(0, "child PID", ar->ar_arg_pid); 854155192Srwatson kau_write(rec, tok); 855155192Srwatson } 856155192Srwatson break; 857156889Srwatson 858155192Srwatson case AUE_IOCTL: 859155192Srwatson if (ARG_IS_VALID(kar, ARG_CMD)) { 860155192Srwatson tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd); 861155192Srwatson kau_write(rec, tok); 862155192Srwatson } 863155192Srwatson if (ARG_IS_VALID(kar, ARG_ADDR)) { 864155271Srwatson tok = au_to_arg32(1, "arg", 865155271Srwatson (u_int32_t)(uintptr_t)ar->ar_arg_addr); 866155192Srwatson kau_write(rec, tok); 867155192Srwatson } 868156889Srwatson if (ARG_IS_VALID(kar, ARG_VNODE1)) 869155192Srwatson FD_VNODE1_TOKENS; 870156889Srwatson else { 871155192Srwatson if (ARG_IS_VALID(kar, ARG_SOCKINFO)) { 872156889Srwatson tok = kau_to_socket(&ar->ar_arg_sockinfo); 873155192Srwatson kau_write(rec, tok); 874155192Srwatson } else { 875155192Srwatson if (ARG_IS_VALID(kar, ARG_FD)) { 876155192Srwatson tok = au_to_arg32(1, "fd", 877155192Srwatson ar->ar_arg_fd); 878155192Srwatson kau_write(rec, tok); 879155192Srwatson } 880155192Srwatson } 881155192Srwatson } 882155192Srwatson break; 883155192Srwatson 884155192Srwatson case AUE_KILL: 885162990Srwatson case AUE_KILLPG: 886155192Srwatson if (ARG_IS_VALID(kar, ARG_SIGNUM)) { 887155192Srwatson tok = au_to_arg32(2, "signal", ar->ar_arg_signum); 888155192Srwatson kau_write(rec, tok); 889155192Srwatson } 890155192Srwatson PROCESS_PID_TOKENS(1); 891155192Srwatson break; 892155192Srwatson 893155192Srwatson case AUE_KTRACE: 894155192Srwatson if (ARG_IS_VALID(kar, ARG_CMD)) { 895155192Srwatson tok = au_to_arg32(2, "ops", ar->ar_arg_cmd); 896155192Srwatson kau_write(rec, tok); 897155192Srwatson } 898155192Srwatson if (ARG_IS_VALID(kar, ARG_VALUE)) { 899155192Srwatson tok = au_to_arg32(3, "trpoints", ar->ar_arg_value); 900155192Srwatson kau_write(rec, tok); 901155192Srwatson } 902155192Srwatson PROCESS_PID_TOKENS(4); 903155192Srwatson UPATH1_VNODE1_TOKENS; 904155192Srwatson break; 905155192Srwatson 906155192Srwatson case AUE_LINK: 907155192Srwatson case AUE_RENAME: 908155192Srwatson UPATH1_VNODE1_TOKENS; 909155192Srwatson UPATH2_TOKENS; 910155192Srwatson break; 911155192Srwatson 912155192Srwatson case AUE_LOADSHFILE: 913155192Srwatson if (ARG_IS_VALID(kar, ARG_ADDR)) { 914155192Srwatson tok = au_to_arg32(4, "base addr", 915155271Srwatson (u_int32_t)(uintptr_t)ar->ar_arg_addr); 916155192Srwatson kau_write(rec, tok); 917155192Srwatson } 918155192Srwatson UPATH1_VNODE1_TOKENS; 919155192Srwatson break; 920156889Srwatson 921155192Srwatson case AUE_MKDIR: 922155192Srwatson if (ARG_IS_VALID(kar, ARG_MODE)) { 923155192Srwatson tok = au_to_arg32(2, "mode", ar->ar_arg_mode); 924155192Srwatson kau_write(rec, tok); 925155192Srwatson } 926155192Srwatson UPATH1_VNODE1_TOKENS; 927155192Srwatson break; 928155192Srwatson 929155192Srwatson case AUE_MKNOD: 930155192Srwatson if (ARG_IS_VALID(kar, ARG_MODE)) { 931155192Srwatson tok = au_to_arg32(2, "mode", ar->ar_arg_mode); 932155192Srwatson kau_write(rec, tok); 933155192Srwatson } 934155192Srwatson if (ARG_IS_VALID(kar, ARG_DEV)) { 935155192Srwatson tok = au_to_arg32(3, "dev", ar->ar_arg_dev); 936155192Srwatson kau_write(rec, tok); 937155192Srwatson } 938155192Srwatson UPATH1_VNODE1_TOKENS; 939155192Srwatson break; 940155192Srwatson 941155192Srwatson case AUE_MMAP: 942155192Srwatson case AUE_MUNMAP: 943155192Srwatson case AUE_MPROTECT: 944155192Srwatson case AUE_MLOCK: 945155192Srwatson case AUE_MUNLOCK: 946155192Srwatson case AUE_MINHERIT: 947155192Srwatson if (ARG_IS_VALID(kar, ARG_ADDR)) { 948155192Srwatson tok = au_to_arg32(1, "addr", 949155271Srwatson (u_int32_t)(uintptr_t)ar->ar_arg_addr); 950155192Srwatson kau_write(rec, tok); 951155192Srwatson } 952155192Srwatson if (ARG_IS_VALID(kar, ARG_LEN)) { 953155192Srwatson tok = au_to_arg32(2, "len", ar->ar_arg_len); 954155192Srwatson kau_write(rec, tok); 955155192Srwatson } 956155192Srwatson if (ar->ar_event == AUE_MMAP) 957155192Srwatson FD_VNODE1_TOKENS; 958155192Srwatson if (ar->ar_event == AUE_MPROTECT) { 959155192Srwatson if (ARG_IS_VALID(kar, ARG_VALUE)) { 960155192Srwatson tok = au_to_arg32(3, "protection", 961155192Srwatson ar->ar_arg_value); 962155192Srwatson kau_write(rec, tok); 963155192Srwatson } 964155192Srwatson } 965155192Srwatson if (ar->ar_event == AUE_MINHERIT) { 966155192Srwatson if (ARG_IS_VALID(kar, ARG_VALUE)) { 967155192Srwatson tok = au_to_arg32(3, "inherit", 968155192Srwatson ar->ar_arg_value); 969155192Srwatson kau_write(rec, tok); 970155192Srwatson } 971155192Srwatson } 972155192Srwatson break; 973155192Srwatson 974155192Srwatson case AUE_MOUNT: 975162990Srwatson case AUE_NMOUNT: 976155192Srwatson /* XXX Need to handle NFS mounts */ 977155192Srwatson if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 978155192Srwatson tok = au_to_arg32(3, "flags", ar->ar_arg_fflags); 979155192Srwatson kau_write(rec, tok); 980155192Srwatson } 981155192Srwatson if (ARG_IS_VALID(kar, ARG_TEXT)) { 982155192Srwatson tok = au_to_text(ar->ar_arg_text); 983155192Srwatson kau_write(rec, tok); 984155192Srwatson } 985155192Srwatson /* fall through */ 986156889Srwatson 987155192Srwatson case AUE_UMOUNT: 988155192Srwatson UPATH1_VNODE1_TOKENS; 989155192Srwatson break; 990155192Srwatson 991155192Srwatson case AUE_MSGCTL: 992155192Srwatson ar->ar_event = msgctl_to_event(ar->ar_arg_svipc_cmd); 993155192Srwatson /* Fall through */ 994156889Srwatson 995155192Srwatson case AUE_MSGRCV: 996155192Srwatson case AUE_MSGSND: 997155192Srwatson tok = au_to_arg32(1, "msg ID", ar->ar_arg_svipc_id); 998155192Srwatson kau_write(rec, tok); 999155192Srwatson if (ar->ar_errno != EINVAL) { 1000155192Srwatson tok = au_to_ipc(AT_IPC_MSG, ar->ar_arg_svipc_id); 1001155192Srwatson kau_write(rec, tok); 1002155192Srwatson } 1003155192Srwatson break; 1004155192Srwatson 1005155192Srwatson case AUE_MSGGET: 1006155192Srwatson if (ar->ar_errno == 0) { 1007155192Srwatson if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1008155192Srwatson tok = au_to_ipc(AT_IPC_MSG, 1009155192Srwatson ar->ar_arg_svipc_id); 1010155192Srwatson kau_write(rec, tok); 1011155192Srwatson } 1012155192Srwatson } 1013155192Srwatson break; 1014155192Srwatson 1015155192Srwatson case AUE_RESETSHFILE: 1016155192Srwatson if (ARG_IS_VALID(kar, ARG_ADDR)) { 1017155192Srwatson tok = au_to_arg32(1, "base addr", 1018155271Srwatson (u_int32_t)(uintptr_t)ar->ar_arg_addr); 1019155192Srwatson kau_write(rec, tok); 1020155192Srwatson } 1021155192Srwatson break; 1022156889Srwatson 1023155192Srwatson case AUE_OPEN_RC: 1024155192Srwatson case AUE_OPEN_RTC: 1025155192Srwatson case AUE_OPEN_RWC: 1026155192Srwatson case AUE_OPEN_RWTC: 1027155192Srwatson case AUE_OPEN_WC: 1028155192Srwatson case AUE_OPEN_WTC: 1029162990Srwatson case AUE_CREAT: 1030155192Srwatson if (ARG_IS_VALID(kar, ARG_MODE)) { 1031155192Srwatson tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 1032155192Srwatson kau_write(rec, tok); 1033155192Srwatson } 1034155192Srwatson /* fall through */ 1035155192Srwatson 1036155192Srwatson case AUE_OPEN_R: 1037155192Srwatson case AUE_OPEN_RT: 1038155192Srwatson case AUE_OPEN_RW: 1039155192Srwatson case AUE_OPEN_RWT: 1040155192Srwatson case AUE_OPEN_W: 1041155192Srwatson case AUE_OPEN_WT: 1042155192Srwatson if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1043155192Srwatson tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1044155192Srwatson kau_write(rec, tok); 1045155192Srwatson } 1046155192Srwatson UPATH1_VNODE1_TOKENS; 1047155192Srwatson break; 1048155192Srwatson 1049155192Srwatson case AUE_PTRACE: 1050155192Srwatson if (ARG_IS_VALID(kar, ARG_CMD)) { 1051155192Srwatson tok = au_to_arg32(1, "request", ar->ar_arg_cmd); 1052155192Srwatson kau_write(rec, tok); 1053155192Srwatson } 1054155192Srwatson if (ARG_IS_VALID(kar, ARG_ADDR)) { 1055155192Srwatson tok = au_to_arg32(3, "addr", 1056155271Srwatson (u_int32_t)(uintptr_t)ar->ar_arg_addr); 1057155192Srwatson kau_write(rec, tok); 1058155192Srwatson } 1059155192Srwatson if (ARG_IS_VALID(kar, ARG_VALUE)) { 1060155192Srwatson tok = au_to_arg32(4, "data", ar->ar_arg_value); 1061155192Srwatson kau_write(rec, tok); 1062155192Srwatson } 1063155192Srwatson PROCESS_PID_TOKENS(2); 1064155192Srwatson break; 1065155192Srwatson 1066155192Srwatson case AUE_QUOTACTL: 1067155192Srwatson if (ARG_IS_VALID(kar, ARG_CMD)) { 1068155192Srwatson tok = au_to_arg32(2, "command", ar->ar_arg_cmd); 1069155192Srwatson kau_write(rec, tok); 1070155192Srwatson } 1071155192Srwatson if (ARG_IS_VALID(kar, ARG_UID)) { 1072155192Srwatson tok = au_to_arg32(3, "uid", ar->ar_arg_uid); 1073155192Srwatson kau_write(rec, tok); 1074155192Srwatson } 1075155192Srwatson UPATH1_VNODE1_TOKENS; 1076155192Srwatson break; 1077155192Srwatson 1078155192Srwatson case AUE_REBOOT: 1079155192Srwatson if (ARG_IS_VALID(kar, ARG_CMD)) { 1080155192Srwatson tok = au_to_arg32(1, "howto", ar->ar_arg_cmd); 1081155192Srwatson kau_write(rec, tok); 1082155192Srwatson } 1083155192Srwatson break; 1084155192Srwatson 1085155192Srwatson case AUE_SEMCTL: 1086155192Srwatson ar->ar_event = semctl_to_event(ar->ar_arg_svipc_cmd); 1087155192Srwatson /* Fall through */ 1088156889Srwatson 1089155192Srwatson case AUE_SEMOP: 1090155192Srwatson if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1091155192Srwatson tok = au_to_arg32(1, "sem ID", ar->ar_arg_svipc_id); 1092155192Srwatson kau_write(rec, tok); 1093155192Srwatson if (ar->ar_errno != EINVAL) { 1094155192Srwatson tok = au_to_ipc(AT_IPC_SEM, 1095155192Srwatson ar->ar_arg_svipc_id); 1096155192Srwatson kau_write(rec, tok); 1097155192Srwatson } 1098155192Srwatson } 1099155192Srwatson break; 1100156889Srwatson 1101155192Srwatson case AUE_SEMGET: 1102155192Srwatson if (ar->ar_errno == 0) { 1103155192Srwatson if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1104155192Srwatson tok = au_to_ipc(AT_IPC_SEM, 1105155192Srwatson ar->ar_arg_svipc_id); 1106155192Srwatson kau_write(rec, tok); 1107155192Srwatson } 1108155192Srwatson } 1109155192Srwatson break; 1110156889Srwatson 1111155192Srwatson case AUE_SETEGID: 1112155192Srwatson if (ARG_IS_VALID(kar, ARG_EGID)) { 1113155192Srwatson tok = au_to_arg32(1, "gid", ar->ar_arg_egid); 1114155192Srwatson kau_write(rec, tok); 1115155192Srwatson } 1116155192Srwatson break; 1117156889Srwatson 1118155192Srwatson case AUE_SETEUID: 1119155192Srwatson if (ARG_IS_VALID(kar, ARG_EUID)) { 1120155192Srwatson tok = au_to_arg32(1, "uid", ar->ar_arg_euid); 1121155192Srwatson kau_write(rec, tok); 1122155192Srwatson } 1123155192Srwatson break; 1124156889Srwatson 1125155192Srwatson case AUE_SETREGID: 1126155192Srwatson if (ARG_IS_VALID(kar, ARG_RGID)) { 1127155192Srwatson tok = au_to_arg32(1, "rgid", ar->ar_arg_rgid); 1128155192Srwatson kau_write(rec, tok); 1129155192Srwatson } 1130155192Srwatson if (ARG_IS_VALID(kar, ARG_EGID)) { 1131155192Srwatson tok = au_to_arg32(2, "egid", ar->ar_arg_egid); 1132155192Srwatson kau_write(rec, tok); 1133155192Srwatson } 1134155192Srwatson break; 1135156889Srwatson 1136155192Srwatson case AUE_SETREUID: 1137155192Srwatson if (ARG_IS_VALID(kar, ARG_RUID)) { 1138155192Srwatson tok = au_to_arg32(1, "ruid", ar->ar_arg_ruid); 1139155192Srwatson kau_write(rec, tok); 1140155192Srwatson } 1141155192Srwatson if (ARG_IS_VALID(kar, ARG_EUID)) { 1142155192Srwatson tok = au_to_arg32(2, "euid", ar->ar_arg_euid); 1143155192Srwatson kau_write(rec, tok); 1144155192Srwatson } 1145155192Srwatson break; 1146156889Srwatson 1147155192Srwatson case AUE_SETRESGID: 1148155192Srwatson if (ARG_IS_VALID(kar, ARG_RGID)) { 1149155192Srwatson tok = au_to_arg32(1, "rgid", ar->ar_arg_rgid); 1150155192Srwatson kau_write(rec, tok); 1151155192Srwatson } 1152155192Srwatson if (ARG_IS_VALID(kar, ARG_EGID)) { 1153155192Srwatson tok = au_to_arg32(2, "egid", ar->ar_arg_egid); 1154155192Srwatson kau_write(rec, tok); 1155155192Srwatson } 1156155192Srwatson if (ARG_IS_VALID(kar, ARG_SGID)) { 1157155192Srwatson tok = au_to_arg32(3, "sgid", ar->ar_arg_sgid); 1158155192Srwatson kau_write(rec, tok); 1159155192Srwatson } 1160155192Srwatson break; 1161156889Srwatson 1162155192Srwatson case AUE_SETRESUID: 1163155192Srwatson if (ARG_IS_VALID(kar, ARG_RUID)) { 1164155192Srwatson tok = au_to_arg32(1, "ruid", ar->ar_arg_ruid); 1165155192Srwatson kau_write(rec, tok); 1166155192Srwatson } 1167155192Srwatson if (ARG_IS_VALID(kar, ARG_EUID)) { 1168155192Srwatson tok = au_to_arg32(2, "euid", ar->ar_arg_euid); 1169155192Srwatson kau_write(rec, tok); 1170155192Srwatson } 1171155192Srwatson if (ARG_IS_VALID(kar, ARG_SUID)) { 1172155192Srwatson tok = au_to_arg32(3, "suid", ar->ar_arg_suid); 1173155192Srwatson kau_write(rec, tok); 1174155192Srwatson } 1175155192Srwatson break; 1176156889Srwatson 1177155192Srwatson case AUE_SETGID: 1178155192Srwatson if (ARG_IS_VALID(kar, ARG_GID)) { 1179155192Srwatson tok = au_to_arg32(1, "gid", ar->ar_arg_gid); 1180155192Srwatson kau_write(rec, tok); 1181155192Srwatson } 1182155192Srwatson break; 1183156889Srwatson 1184155192Srwatson case AUE_SETUID: 1185155192Srwatson if (ARG_IS_VALID(kar, ARG_UID)) { 1186155192Srwatson tok = au_to_arg32(1, "uid", ar->ar_arg_uid); 1187155192Srwatson kau_write(rec, tok); 1188155192Srwatson } 1189155192Srwatson break; 1190156889Srwatson 1191155192Srwatson case AUE_SETGROUPS: 1192155192Srwatson if (ARG_IS_VALID(kar, ARG_GROUPSET)) { 1193155192Srwatson for(ctr = 0; ctr < ar->ar_arg_groups.gidset_size; ctr++) 1194155192Srwatson { 1195155192Srwatson tok = au_to_arg32(1, "setgroups", ar->ar_arg_groups.gidset[ctr]); 1196155192Srwatson kau_write(rec, tok); 1197155192Srwatson } 1198155192Srwatson } 1199155192Srwatson break; 1200155192Srwatson 1201155192Srwatson case AUE_SETLOGIN: 1202155192Srwatson if (ARG_IS_VALID(kar, ARG_TEXT)) { 1203155192Srwatson tok = au_to_text(ar->ar_arg_text); 1204155192Srwatson kau_write(rec, tok); 1205155192Srwatson } 1206155192Srwatson break; 1207155192Srwatson 1208155192Srwatson case AUE_SETPRIORITY: 1209155192Srwatson if (ARG_IS_VALID(kar, ARG_CMD)) { 1210155192Srwatson tok = au_to_arg32(1, "which", ar->ar_arg_cmd); 1211155192Srwatson kau_write(rec, tok); 1212155192Srwatson } 1213155192Srwatson if (ARG_IS_VALID(kar, ARG_UID)) { 1214155192Srwatson tok = au_to_arg32(2, "who", ar->ar_arg_uid); 1215155192Srwatson kau_write(rec, tok); 1216155192Srwatson } 1217155192Srwatson if (ARG_IS_VALID(kar, ARG_VALUE)) { 1218155192Srwatson tok = au_to_arg32(2, "priority", ar->ar_arg_value); 1219155192Srwatson kau_write(rec, tok); 1220155192Srwatson } 1221155192Srwatson break; 1222155192Srwatson 1223155192Srwatson case AUE_SETPRIVEXEC: 1224155192Srwatson if (ARG_IS_VALID(kar, ARG_VALUE)) { 1225155192Srwatson tok = au_to_arg32(1, "flag", ar->ar_arg_value); 1226155192Srwatson kau_write(rec, tok); 1227155192Srwatson } 1228155192Srwatson break; 1229155192Srwatson 1230155192Srwatson /* AUE_SHMAT, AUE_SHMCTL, AUE_SHMDT and AUE_SHMGET are SysV IPC */ 1231155192Srwatson case AUE_SHMAT: 1232155192Srwatson if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1233155192Srwatson tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id); 1234155192Srwatson kau_write(rec, tok); 1235155192Srwatson /* XXXAUDIT: Does having the ipc token make sense? */ 1236155192Srwatson tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id); 1237155192Srwatson kau_write(rec, tok); 1238155192Srwatson } 1239155192Srwatson if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) { 1240155192Srwatson tok = au_to_arg32(2, "shmaddr", 1241155271Srwatson (int)(uintptr_t)ar->ar_arg_svipc_addr); 1242155192Srwatson kau_write(rec, tok); 1243155192Srwatson } 1244155192Srwatson if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) { 1245155192Srwatson tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm); 1246155192Srwatson kau_write(rec, tok); 1247155192Srwatson } 1248155192Srwatson break; 1249155192Srwatson 1250155192Srwatson case AUE_SHMCTL: 1251155192Srwatson if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1252155192Srwatson tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id); 1253155192Srwatson kau_write(rec, tok); 1254155192Srwatson /* XXXAUDIT: Does having the ipc token make sense? */ 1255155192Srwatson tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id); 1256155192Srwatson kau_write(rec, tok); 1257155192Srwatson } 1258155192Srwatson switch (ar->ar_arg_svipc_cmd) { 1259155192Srwatson case IPC_STAT: 1260155192Srwatson ar->ar_event = AUE_SHMCTL_STAT; 1261155192Srwatson break; 1262155192Srwatson case IPC_RMID: 1263155192Srwatson ar->ar_event = AUE_SHMCTL_RMID; 1264155192Srwatson break; 1265155192Srwatson case IPC_SET: 1266155192Srwatson ar->ar_event = AUE_SHMCTL_SET; 1267155192Srwatson if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) { 1268155192Srwatson tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm); 1269155192Srwatson kau_write(rec, tok); 1270155192Srwatson } 1271155192Srwatson break; 1272155192Srwatson default: 1273155192Srwatson break; /* We will audit a bad command */ 1274155192Srwatson } 1275155192Srwatson break; 1276155192Srwatson 1277155192Srwatson case AUE_SHMDT: 1278155192Srwatson if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) { 1279155192Srwatson tok = au_to_arg32(1, "shmaddr", 1280155271Srwatson (int)(uintptr_t)ar->ar_arg_svipc_addr); 1281155192Srwatson kau_write(rec, tok); 1282155192Srwatson } 1283155192Srwatson break; 1284155192Srwatson 1285155192Srwatson case AUE_SHMGET: 1286155192Srwatson /* This is unusual; the return value is in an argument token */ 1287155192Srwatson if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) { 1288155192Srwatson tok = au_to_arg32(0, "shmid", ar->ar_arg_svipc_id); 1289155192Srwatson kau_write(rec, tok); 1290155192Srwatson tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id); 1291155192Srwatson kau_write(rec, tok); 1292155192Srwatson } 1293155192Srwatson if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) { 1294155192Srwatson tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm); 1295155192Srwatson kau_write(rec, tok); 1296155192Srwatson } 1297155192Srwatson break; 1298155192Srwatson 1299156889Srwatson /* AUE_SHMOPEN, AUE_SHMUNLINK, AUE_SEMOPEN, AUE_SEMCLOSE 1300155192Srwatson * and AUE_SEMUNLINK are Posix IPC */ 1301155192Srwatson case AUE_SHMOPEN: 1302155192Srwatson if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) { 1303155192Srwatson tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1304155192Srwatson kau_write(rec, tok); 1305155192Srwatson } 1306155192Srwatson if (ARG_IS_VALID(kar, ARG_MODE)) { 1307155192Srwatson tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 1308155192Srwatson kau_write(rec, tok); 1309155192Srwatson } 1310155192Srwatson case AUE_SHMUNLINK: 1311155192Srwatson if (ARG_IS_VALID(kar, ARG_TEXT)) { 1312155192Srwatson tok = au_to_text(ar->ar_arg_text); 1313155192Srwatson kau_write(rec, tok); 1314155192Srwatson } 1315155192Srwatson if (ARG_IS_VALID(kar, ARG_POSIX_IPC_PERM)) { 1316155192Srwatson /* Create an ipc_perm token */ 1317155192Srwatson struct ipc_perm perm; 1318155192Srwatson perm.uid = ar->ar_arg_pipc_perm.pipc_uid; 1319155192Srwatson perm.gid = ar->ar_arg_pipc_perm.pipc_gid; 1320155192Srwatson perm.cuid = ar->ar_arg_pipc_perm.pipc_uid; 1321155192Srwatson perm.cgid = ar->ar_arg_pipc_perm.pipc_gid; 1322155192Srwatson perm.mode = ar->ar_arg_pipc_perm.pipc_mode; 1323155192Srwatson perm.seq = 0; 1324155192Srwatson perm.key = 0; 1325155192Srwatson tok = au_to_ipc_perm(&perm); 1326155192Srwatson kau_write(rec, tok); 1327155192Srwatson } 1328155192Srwatson break; 1329155192Srwatson 1330155192Srwatson case AUE_SEMOPEN: 1331155192Srwatson if (ARG_IS_VALID(kar, ARG_FFLAGS)) { 1332155192Srwatson tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); 1333155192Srwatson kau_write(rec, tok); 1334155192Srwatson } 1335155192Srwatson if (ARG_IS_VALID(kar, ARG_MODE)) { 1336155192Srwatson tok = au_to_arg32(3, "mode", ar->ar_arg_mode); 1337155192Srwatson kau_write(rec, tok); 1338155192Srwatson } 1339155192Srwatson if (ARG_IS_VALID(kar, ARG_VALUE)) { 1340155192Srwatson tok = au_to_arg32(4, "value", ar->ar_arg_value); 1341155192Srwatson kau_write(rec, tok); 1342155192Srwatson } 1343155192Srwatson /* fall through */ 1344156889Srwatson 1345155192Srwatson case AUE_SEMUNLINK: 1346155192Srwatson if (ARG_IS_VALID(kar, ARG_TEXT)) { 1347155192Srwatson tok = au_to_text(ar->ar_arg_text); 1348155192Srwatson kau_write(rec, tok); 1349155192Srwatson } 1350155192Srwatson if (ARG_IS_VALID(kar, ARG_POSIX_IPC_PERM)) { 1351155192Srwatson /* Create an ipc_perm token */ 1352155192Srwatson struct ipc_perm perm; 1353155192Srwatson perm.uid = ar->ar_arg_pipc_perm.pipc_uid; 1354155192Srwatson perm.gid = ar->ar_arg_pipc_perm.pipc_gid; 1355155192Srwatson perm.cuid = ar->ar_arg_pipc_perm.pipc_uid; 1356155192Srwatson perm.cgid = ar->ar_arg_pipc_perm.pipc_gid; 1357155192Srwatson perm.mode = ar->ar_arg_pipc_perm.pipc_mode; 1358155192Srwatson perm.seq = 0; 1359155192Srwatson perm.key = 0; 1360155192Srwatson tok = au_to_ipc_perm(&perm); 1361155192Srwatson kau_write(rec, tok); 1362155192Srwatson } 1363155192Srwatson break; 1364155192Srwatson 1365155192Srwatson case AUE_SEMCLOSE: 1366155192Srwatson if (ARG_IS_VALID(kar, ARG_FD)) { 1367155192Srwatson tok = au_to_arg32(1, "sem", ar->ar_arg_fd); 1368155192Srwatson kau_write(rec, tok); 1369155192Srwatson } 1370155192Srwatson break; 1371155192Srwatson 1372155192Srwatson case AUE_SYMLINK: 1373155192Srwatson if (ARG_IS_VALID(kar, ARG_TEXT)) { 1374155192Srwatson tok = au_to_text(ar->ar_arg_text); 1375155192Srwatson kau_write(rec, tok); 1376155192Srwatson } 1377155192Srwatson UPATH1_VNODE1_TOKENS; 1378155192Srwatson break; 1379155192Srwatson 1380155192Srwatson case AUE_SYSCTL: 1381155192Srwatson if (ARG_IS_VALID(kar, ARG_CTLNAME | ARG_LEN)) { 1382155192Srwatson for (ctr = 0; ctr < ar->ar_arg_len; ctr++) { 1383156889Srwatson tok = au_to_arg32(1, "name", 1384156889Srwatson ar->ar_arg_ctlname[ctr]); 1385156889Srwatson kau_write(rec, tok); 1386155192Srwatson } 1387155192Srwatson } 1388155192Srwatson if (ARG_IS_VALID(kar, ARG_VALUE)) { 1389155192Srwatson tok = au_to_arg32(5, "newval", ar->ar_arg_value); 1390155192Srwatson kau_write(rec, tok); 1391155192Srwatson } 1392155192Srwatson if (ARG_IS_VALID(kar, ARG_TEXT)) { 1393155192Srwatson tok = au_to_text(ar->ar_arg_text); 1394155192Srwatson kau_write(rec, tok); 1395155192Srwatson } 1396155192Srwatson break; 1397155192Srwatson 1398155192Srwatson case AUE_UMASK: 1399155192Srwatson if (ARG_IS_VALID(kar, ARG_MASK)) { 1400155192Srwatson tok = au_to_arg32(1, "new mask", ar->ar_arg_mask); 1401155192Srwatson kau_write(rec, tok); 1402155192Srwatson } 1403155192Srwatson tok = au_to_arg32(0, "prev mask", ar->ar_retval); 1404155192Srwatson kau_write(rec, tok); 1405155192Srwatson break; 1406155192Srwatson 1407155192Srwatson case AUE_WAIT4: 1408155192Srwatson if (ARG_IS_VALID(kar, ARG_PID)) { 1409155192Srwatson tok = au_to_arg32(0, "pid", ar->ar_arg_pid); 1410155192Srwatson kau_write(rec, tok); 1411155192Srwatson } 1412155192Srwatson break; 1413155192Srwatson 1414162990Srwatson case AUE_NULL: 1415156889Srwatson default: 1416155192Srwatson printf("BSM conversion requested for unknown event %d\n", 1417156889Srwatson ar->ar_event); 1418155192Srwatson /* Write the subject token so it is properly freed here. */ 1419155192Srwatson kau_write(rec, subj_tok); 1420155192Srwatson kau_free(rec); 1421155192Srwatson return (BSM_NOAUDIT); 1422155192Srwatson } 1423155192Srwatson 1424156889Srwatson kau_write(rec, subj_tok); 1425155192Srwatson tok = au_to_return32((char)ar->ar_errno, ar->ar_retval); 1426155192Srwatson kau_write(rec, tok); /* Every record gets a return token */ 1427155192Srwatson 1428155192Srwatson kau_close(rec, &ar->ar_endtime, ar->ar_event); 1429155192Srwatson 1430155192Srwatson *pau = rec; 1431155192Srwatson return (BSM_SUCCESS); 1432155192Srwatson} 1433155192Srwatson 1434155192Srwatson/* 1435156889Srwatson * Verify that a record is a valid BSM record. This verification is simple 1436156889Srwatson * now, but may be expanded on sometime in the future. Return 1 if the 1437156889Srwatson * record is good, 0 otherwise. 1438155192Srwatson */ 1439155192Srwatsonint 1440155192Srwatsonbsm_rec_verify(void *rec) 1441155192Srwatson{ 1442155192Srwatson char c = *(char *)rec; 1443156889Srwatson 1444156889Srwatson /* 1445155192Srwatson * Check the token ID of the first token; it has to be a header 1446155192Srwatson * token. 1447156889Srwatson * 1448156889Srwatson * XXXAUDIT There needs to be a token structure to map a token. 1449155192Srwatson * XXXAUDIT 'Shouldn't be simply looking at the first char. 1450155192Srwatson */ 1451156889Srwatson if ((c != AUT_HEADER32) && (c != AUT_HEADER32_EX) && 1452156889Srwatson (c != AUT_HEADER64) && (c != AUT_HEADER64_EX)) 1453155192Srwatson return (0); 1454155192Srwatson return (1); 1455155192Srwatson} 1456