1 /*
2 * Copyright (c) 1999-2020 Apple Inc. All rights reserved.
3 *
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
6 * are met:
7 * 1. Redistributions of source code must retain the above copyright
8 * notice, this list of conditions and the following disclaimer.
9 * 2. Redistributions in binary form must reproduce the above copyright
10 * notice, this list of conditions and the following disclaimer in the
11 * documentation and/or other materials provided with the distribution.
12 * 3. Neither the name of Apple Inc. ("Apple") nor the names of
13 * its contributors may be used to endorse or promote products derived
14 * from this software without specific prior written permission.
15 *
16 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
17 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
20 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
24 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
25 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
26 * POSSIBILITY OF SUCH DAMAGE.
27 */
28 /*
29 * NOTICE: This file was modified by SPARTA, Inc. in 2005 to introduce
30 * support for mandatory and extensible security protections. This notice
31 * is included in support of clause 2.2 (b) of the Apple Public License,
32 * Version 2.0.
33 */
34
35 #include <sys/types.h>
36 #include <sys/vnode_internal.h>
37 #include <sys/ipc.h>
38 #include <sys/sem.h>
39 #include <sys/socketvar.h>
40 #include <sys/socket.h>
41 #include <sys/queue.h>
42 #include <sys/fcntl.h>
43 #include <sys/user.h>
44 #include <sys/ipc.h>
45
46 #include <bsm/audit.h>
47 #include <bsm/audit_internal.h>
48 #include <bsm/audit_record.h>
49 #include <bsm/audit_kevents.h>
50
51 #include <security/audit/audit.h>
52 #include <security/audit/audit_bsd.h>
53 #include <security/audit/audit_private.h>
54
55 #include <netinet/in_systm.h>
56 #include <netinet/in.h>
57 #include <netinet/ip.h>
58
59 #if CONFIG_AUDIT
60 MALLOC_DEFINE(M_AUDITBSM, "audit_bsm", "Audit BSM data");
61
62 #if CONFIG_MACF
63 #include <security/mac_framework.h>
64 #endif
65
66 static void audit_sys_auditon(struct audit_record *ar,
67 struct au_record *rec);
68 static void audit_sys_fcntl(struct kaudit_record *kar,
69 struct au_record *rec);
70
71 /*
72 * Initialize the BSM auditing subsystem.
73 */
74 void
kau_init(void)75 kau_init(void)
76 {
77 au_evclassmap_init();
78 }
79
80 /*
81 * This call reserves memory for the audit record. Memory must be guaranteed
82 * before any auditable event can be generated. The au_record structure
83 * maintains a reference to the memory allocated above and also the list of
84 * tokens associated with this record.
85 */
86 static struct au_record *
kau_open(void)87 kau_open(void)
88 {
89 struct au_record *rec;
90
91 rec = kalloc_type(struct au_record, Z_WAITOK | Z_ZERO | Z_NOFAIL);
92 TAILQ_INIT(&rec->token_q);
93 rec->used = 1;
94 rec->data = NULL;
95
96 return rec;
97 }
98
99 /*
100 * Store the token with the record descriptor.
101 */
102 static void
kau_write(struct au_record * rec,struct au_token * tok)103 kau_write(struct au_record *rec, struct au_token *tok)
104 {
105 KASSERT(tok != NULL, ("kau_write: tok == NULL"));
106
107 TAILQ_INSERT_TAIL(&rec->token_q, tok, tokens);
108 rec->len += tok->len;
109 }
110
111 /*
112 * Close out the audit record by adding the header token, identifying any
113 * missing tokens. Write out the tokens to the record memory.
114 */
115 static int
kau_close(struct au_record * rec,struct timespec * ctime,short event)116 kau_close(struct au_record *rec, struct timespec *ctime, short event)
117 {
118 u_char *dptr;
119 size_t tot_rec_size;
120 token_t *cur, *hdr, *trail;
121 struct timeval tm;
122 size_t hdrsize;
123 struct auditinfo_addr ak;
124 struct in6_addr *ap;
125
126 audit_get_kinfo(&ak);
127 hdrsize = 0;
128 switch (ak.ai_termid.at_type) {
129 case AU_IPv4:
130 hdrsize = (ak.ai_termid.at_addr[0] == INADDR_ANY) ?
131 AUDIT_HEADER_SIZE : AUDIT_HEADER_EX_SIZE(&ak);
132 break;
133 case AU_IPv6:
134 ap = (struct in6_addr *)&ak.ai_termid.at_addr[0];
135 hdrsize = (IN6_IS_ADDR_UNSPECIFIED(ap)) ? AUDIT_HEADER_SIZE :
136 AUDIT_HEADER_EX_SIZE(&ak);
137 break;
138 default:
139 panic("kau_close: invalid address family");
140 }
141 tot_rec_size = rec->len + AUDIT_HEADER_SIZE + AUDIT_TRAILER_SIZE;
142 rec->data = kalloc_data(tot_rec_size, Z_WAITOK | Z_ZERO);
143 if (rec->data == NULL) {
144 return ENOMEM;
145 }
146
147 tm.tv_usec = ctime->tv_nsec / 1000;
148 tm.tv_sec = ctime->tv_sec;
149 if (hdrsize != AUDIT_HEADER_SIZE) {
150 hdr = au_to_header32_ex_tm(tot_rec_size, event, 0, tm, &ak);
151 } else {
152 hdr = au_to_header32_tm(tot_rec_size, event, 0, tm);
153 }
154 TAILQ_INSERT_HEAD(&rec->token_q, hdr, tokens);
155
156 trail = au_to_trailer(tot_rec_size);
157 TAILQ_INSERT_TAIL(&rec->token_q, trail, tokens);
158
159 rec->len = tot_rec_size;
160 dptr = rec->data;
161 TAILQ_FOREACH(cur, &rec->token_q, tokens) {
162 memcpy(dptr, cur->t_data, cur->len);
163 dptr += cur->len;
164 }
165
166 return 0;
167 }
168
169 /*
170 * Free a BSM audit record by releasing all the tokens and clearing the audit
171 * record information.
172 */
173 void
kau_free(struct au_record * rec)174 kau_free(struct au_record *rec)
175 {
176 struct au_token *tok;
177
178 /* Free the token list. */
179 while ((tok = TAILQ_FIRST(&rec->token_q))) {
180 TAILQ_REMOVE(&rec->token_q, tok, tokens);
181 kfree_data(tok->t_data, tok->len);
182 kfree_type(token_t, tok);
183 }
184
185 if (rec->data != NULL) {
186 kfree_data(rec->data, rec->len);
187 }
188 kfree_type(struct au_record, rec);
189 }
190
191 /*
192 * XXX: May want turn some (or all) of these macros into functions in order
193 * to reduce the generated code size.
194 *
195 * XXXAUDIT: These macros assume that 'kar', 'ar', 'rec', and 'tok' in the
196 * caller are OK with this.
197 */
198 #if CONFIG_MACF
199 #define MAC_VNODE1_LABEL_TOKEN do { \
200 if (ar->ar_vnode1_mac_labels != NULL && \
201 strlen(ar->ar_vnode1_mac_labels) != 0) { \
202 tok = au_to_text(ar->ar_vnode1_mac_labels); \
203 kau_write(rec, tok); \
204 } \
205 } while (0)
206
207 #define MAC_VNODE2_LABEL_TOKEN do { \
208 if (ar->ar_vnode2_mac_labels != NULL && \
209 strlen(ar->ar_vnode2_mac_labels) != 0) { \
210 tok = au_to_text(ar->ar_vnode2_mac_labels); \
211 kau_write(rec, tok); \
212 } \
213 } while (0)
214 #else
215 #define MAC_VNODE1_LABEL_TOKEN
216 #define MAC_VNODE2_LABEL_TOKEN
217 #endif
218 #define UPATH1_TOKENS do { \
219 if (ARG_IS_VALID(kar, ARG_UPATH1)) { \
220 tok = au_to_path(ar->ar_arg_upath1); \
221 kau_write(rec, tok); \
222 } \
223 } while (0)
224
225 #define UPATH2_TOKENS do { \
226 if (ARG_IS_VALID(kar, ARG_UPATH2)) { \
227 tok = au_to_path(ar->ar_arg_upath2); \
228 kau_write(rec, tok); \
229 } \
230 } while (0)
231
232 #define KPATH2_TOKENS do { \
233 if (ARG_IS_VALID(kar, ARG_KPATH2)) { \
234 tok = au_to_path(ar->ar_arg_kpath2); \
235 kau_write(rec, tok); \
236 } \
237 } while (0)
238
239 #define VNODE1_TOKENS do { \
240 if (ARG_IS_VALID(kar, ARG_KPATH1)) { \
241 tok = au_to_path(ar->ar_arg_kpath1); \
242 kau_write(rec, tok); \
243 } \
244 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \
245 tok = au_to_attr32(&ar->ar_arg_vnode1); \
246 kau_write(rec, tok); \
247 MAC_VNODE1_LABEL_TOKEN; \
248 } \
249 } while (0)
250
251 #define UPATH1_VNODE1_TOKENS do { \
252 if (ARG_IS_VALID(kar, ARG_UPATH1)) { \
253 tok = au_to_path(ar->ar_arg_upath1); \
254 kau_write(rec, tok); \
255 } \
256 if (ARG_IS_VALID(kar, ARG_KPATH1)) { \
257 tok = au_to_path(ar->ar_arg_kpath1); \
258 kau_write(rec, tok); \
259 } \
260 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \
261 tok = au_to_attr32(&ar->ar_arg_vnode1); \
262 kau_write(rec, tok); \
263 MAC_VNODE1_LABEL_TOKEN; \
264 } \
265 } while (0)
266
267 #define VNODE2_TOKENS do { \
268 if (ARG_IS_VALID(kar, ARG_VNODE2)) { \
269 tok = au_to_attr32(&ar->ar_arg_vnode2); \
270 kau_write(rec, tok); \
271 MAC_VNODE2_LABEL_TOKEN; \
272 } \
273 } while (0)
274
275 #define VNODE2_PATH_TOKENS do { \
276 if (ARG_IS_VALID(kar, ARG_KPATH2)) { \
277 tok = au_to_path(ar->ar_arg_kpath2); \
278 kau_write(rec, tok); \
279 } \
280 if (ARG_IS_VALID(kar, ARG_VNODE2)) { \
281 tok = au_to_attr32(&ar->ar_arg_vnode2); \
282 kau_write(rec, tok); \
283 MAC_VNODE2_LABEL_TOKEN; \
284 } \
285 } while (0)
286
287 #define FD_VNODE1_TOKENS do { \
288 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \
289 if (ARG_IS_VALID(kar, ARG_KPATH1)) { \
290 tok = au_to_path(ar->ar_arg_kpath1); \
291 kau_write(rec, tok); \
292 } \
293 if (ARG_IS_VALID(kar, ARG_FD)) { \
294 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); \
295 kau_write(rec, tok); \
296 MAC_VNODE1_LABEL_TOKEN; \
297 } \
298 tok = au_to_attr32(&ar->ar_arg_vnode1); \
299 kau_write(rec, tok); \
300 } else { \
301 if (ARG_IS_VALID(kar, ARG_FD)) { \
302 tok = au_to_arg32(1, "fd", \
303 ar->ar_arg_fd); \
304 kau_write(rec, tok); \
305 MAC_VNODE1_LABEL_TOKEN; \
306 } \
307 } \
308 } while (0)
309
310 #define PROCESS_PID_TOKENS(argn) do { \
311 if ((ar->ar_arg_pid > 0) /* Reference a single process */ \
312 && (ARG_IS_VALID(kar, ARG_PROCESS))) { \
313 tok = au_to_process32_ex(ar->ar_arg_auid, \
314 ar->ar_arg_euid, ar->ar_arg_egid, \
315 ar->ar_arg_ruid, ar->ar_arg_rgid, \
316 ar->ar_arg_pid, ar->ar_arg_asid, \
317 &ar->ar_arg_termid_addr); \
318 kau_write(rec, tok); \
319 } else if (ARG_IS_VALID(kar, ARG_PID)) { \
320 tok = au_to_arg32(argn, "process", ar->ar_arg_pid); \
321 kau_write(rec, tok); \
322 } \
323 } while (0)
324
325 #define EXTATTR_TOKENS do { \
326 if (ARG_IS_VALID(kar, ARG_VALUE32)) { \
327 switch (ar->ar_arg_value32) { \
328 case EXTATTR_NAMESPACE_USER: \
329 tok = au_to_text(EXTATTR_NAMESPACE_USER_STRING);\
330 break; \
331 case EXTATTR_NAMESPACE_SYSTEM: \
332 tok = au_to_text(EXTATTR_NAMESPACE_SYSTEM_STRING);\
333 break; \
334 default: \
335 tok = au_to_arg32(3, "attrnamespace", \
336 ar->ar_arg_value32); \
337 break; \
338 } \
339 kau_write(rec, tok); \
340 } \
341 /* attrname is in the text field */ \
342 if (ARG_IS_VALID(kar, ARG_TEXT)) { \
343 tok = au_to_text(ar->ar_arg_text); \
344 kau_write(rec, tok); \
345 } \
346 } while (0)
347
348 #define EXTENDED_TOKENS(n) do { \
349 /* ACL data */ \
350 if (ARG_IS_VALID(kar, ARG_OPAQUE)) { \
351 tok = au_to_opaque(ar->ar_arg_opaque, \
352 ar->ar_arg_opq_size); \
353 kau_write(rec, tok); \
354 } \
355 if (ARG_IS_VALID(kar, ARG_MODE)) { \
356 tok = au_to_arg32(n+2, "mode", ar->ar_arg_mode);\
357 kau_write(rec, tok); \
358 } \
359 if (ARG_IS_VALID(kar, ARG_GID)) { \
360 tok = au_to_arg32(n+1, "gid", ar->ar_arg_gid); \
361 kau_write(rec, tok); \
362 } \
363 if (ARG_IS_VALID(kar, ARG_UID)) { \
364 tok = au_to_arg32(n, "uid", ar->ar_arg_uid); \
365 kau_write(rec, tok); \
366 } \
367 } while (0)
368
369 #define PROCESS_MAC_TOKENS do { \
370 if (ar->ar_valid_arg & ARG_MAC_STRING) { \
371 tok = au_to_text(ar->ar_arg_mac_string); \
372 kau_write(rec, tok); \
373 } \
374 } while (0)
375
376 /*
377 * Implement auditing for the auditon() system call. The audit tokens that
378 * are generated depend on the command that was sent into the auditon()
379 * system call.
380 */
381 static void
audit_sys_auditon(struct audit_record * ar,struct au_record * rec)382 audit_sys_auditon(struct audit_record *ar, struct au_record *rec)
383 {
384 struct au_token *tok;
385
386 switch (ar->ar_arg_cmd) {
387 case A_OLDSETPOLICY:
388 if (ar->ar_arg_len > sizeof(int)) {
389 tok = au_to_arg32(3, "length", ar->ar_arg_len);
390 kau_write(rec, tok);
391 tok = au_to_arg64(2, "policy",
392 ar->ar_arg_auditon.au_policy64);
393 kau_write(rec, tok);
394 break;
395 }
396 OS_FALLTHROUGH;
397 case A_SETPOLICY:
398 tok = au_to_arg32(3, "length", ar->ar_arg_len);
399 kau_write(rec, tok);
400 tok = au_to_arg32(2, "policy", ar->ar_arg_auditon.au_policy);
401 kau_write(rec, tok);
402 break;
403
404 case A_SETKMASK:
405 tok = au_to_arg32(3, "length", ar->ar_arg_len);
406 kau_write(rec, tok);
407 tok = au_to_arg32(2, "setkmask:as_success",
408 ar->ar_arg_auditon.au_mask.am_success);
409 kau_write(rec, tok);
410 tok = au_to_arg32(2, "setkmask:as_failure",
411 ar->ar_arg_auditon.au_mask.am_failure);
412 kau_write(rec, tok);
413 break;
414
415 case A_OLDSETQCTRL:
416 if (ar->ar_arg_len > sizeof(au_qctrl_t)) {
417 tok = au_to_arg32(3, "length", ar->ar_arg_len);
418 kau_write(rec, tok);
419 tok = au_to_arg64(2, "setqctrl:aq_hiwater",
420 ar->ar_arg_auditon.au_qctrl64.aq64_hiwater);
421 kau_write(rec, tok);
422 tok = au_to_arg64(2, "setqctrl:aq_lowater",
423 ar->ar_arg_auditon.au_qctrl64.aq64_lowater);
424 kau_write(rec, tok);
425 tok = au_to_arg64(2, "setqctrl:aq_bufsz",
426 ar->ar_arg_auditon.au_qctrl64.aq64_bufsz);
427 kau_write(rec, tok);
428 tok = au_to_arg64(2, "setqctrl:aq_delay",
429 ar->ar_arg_auditon.au_qctrl64.aq64_delay);
430 kau_write(rec, tok);
431 tok = au_to_arg32(2, "setqctrl:aq_minfree",
432 ar->ar_arg_auditon.au_qctrl64.aq64_minfree);
433 kau_write(rec, tok);
434 break;
435 }
436 OS_FALLTHROUGH;
437 case A_SETQCTRL:
438 tok = au_to_arg32(3, "length", ar->ar_arg_len);
439 kau_write(rec, tok);
440 tok = au_to_arg32(2, "setqctrl:aq_hiwater",
441 ar->ar_arg_auditon.au_qctrl.aq_hiwater);
442 kau_write(rec, tok);
443 tok = au_to_arg32(2, "setqctrl:aq_lowater",
444 ar->ar_arg_auditon.au_qctrl.aq_lowater);
445 kau_write(rec, tok);
446 tok = au_to_arg32(2, "setqctrl:aq_bufsz",
447 ar->ar_arg_auditon.au_qctrl.aq_bufsz);
448 kau_write(rec, tok);
449 tok = au_to_arg32(2, "setqctrl:aq_delay",
450 ar->ar_arg_auditon.au_qctrl.aq_delay);
451 kau_write(rec, tok);
452 tok = au_to_arg32(2, "setqctrl:aq_minfree",
453 ar->ar_arg_auditon.au_qctrl.aq_minfree);
454 kau_write(rec, tok);
455 break;
456
457 case A_SETUMASK:
458 tok = au_to_arg32(3, "length", ar->ar_arg_len);
459 kau_write(rec, tok);
460 tok = au_to_arg32(2, "setumask:as_success",
461 ar->ar_arg_auditon.au_auinfo.ai_mask.am_success);
462 kau_write(rec, tok);
463 tok = au_to_arg32(2, "setumask:as_failure",
464 ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure);
465 kau_write(rec, tok);
466 break;
467
468 case A_SETSMASK:
469 tok = au_to_arg32(3, "length", ar->ar_arg_len);
470 kau_write(rec, tok);
471 tok = au_to_arg32(2, "setsmask:as_success",
472 ar->ar_arg_auditon.au_auinfo.ai_mask.am_success);
473 kau_write(rec, tok);
474 tok = au_to_arg32(2, "setsmask:as_failure",
475 ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure);
476 kau_write(rec, tok);
477 break;
478
479 case A_OLDSETCOND:
480 if (ar->ar_arg_len > sizeof(int)) {
481 tok = au_to_arg32(3, "length", ar->ar_arg_len);
482 kau_write(rec, tok);
483 tok = au_to_arg64(2, "setcond",
484 ar->ar_arg_auditon.au_cond64);
485 kau_write(rec, tok);
486 break;
487 }
488 OS_FALLTHROUGH;
489 case A_SETCOND:
490 tok = au_to_arg32(3, "length", ar->ar_arg_len);
491 kau_write(rec, tok);
492 tok = au_to_arg32(2, "setcond", ar->ar_arg_auditon.au_cond);
493 kau_write(rec, tok);
494 break;
495
496 case A_SETCLASS:
497 tok = au_to_arg32(3, "length", ar->ar_arg_len);
498 kau_write(rec, tok);
499 tok = au_to_arg32(2, "setclass:ec_event",
500 ar->ar_arg_auditon.au_evclass.ec_number);
501 kau_write(rec, tok);
502 tok = au_to_arg32(3, "setclass:ec_class",
503 ar->ar_arg_auditon.au_evclass.ec_class);
504 kau_write(rec, tok);
505 break;
506
507 case A_SETPMASK:
508 tok = au_to_arg32(3, "length", ar->ar_arg_len);
509 kau_write(rec, tok);
510 tok = au_to_arg32(2, "setpmask:as_success",
511 ar->ar_arg_auditon.au_aupinfo.ap_mask.am_success);
512 kau_write(rec, tok);
513 tok = au_to_arg32(2, "setpmask:as_failure",
514 ar->ar_arg_auditon.au_aupinfo.ap_mask.am_failure);
515 kau_write(rec, tok);
516 break;
517
518 case A_SETFSIZE:
519 tok = au_to_arg32(3, "length", ar->ar_arg_len);
520 kau_write(rec, tok);
521 tok = au_to_arg32(2, "setfsize:filesize",
522 ar->ar_arg_auditon.au_fstat.af_filesz);
523 kau_write(rec, tok);
524 break;
525
526 default:
527 break;
528 }
529 tok = au_to_arg32(1, "cmd", ar->ar_arg_cmd);
530 kau_write(rec, tok);
531 }
532
533 /*
534 * Implement auditing for the fcntl() system call. The audit tokens that
535 * are generated depend on the command that was sent into the fcntl()
536 * system call.
537 */
538 static void
audit_sys_fcntl(struct kaudit_record * kar,struct au_record * rec)539 audit_sys_fcntl(struct kaudit_record *kar, struct au_record *rec)
540 {
541 struct au_token *tok;
542 struct audit_record *ar = &kar->k_ar;
543
544 switch (ar->ar_arg_cmd) {
545 case F_DUPFD:
546 if (ARG_IS_VALID(kar, ARG_VALUE32)) {
547 tok = au_to_arg32(3, "min fd", ar->ar_arg_value32);
548 kau_write(rec, tok);
549 }
550 break;
551
552 case F_SETFD:
553 if (ARG_IS_VALID(kar, ARG_VALUE32)) {
554 tok = au_to_arg32(3, "close-on-exec flag",
555 ar->ar_arg_value32);
556 kau_write(rec, tok);
557 }
558 break;
559
560 case F_SETFL:
561 if (ARG_IS_VALID(kar, ARG_VALUE32)) {
562 tok = au_to_arg32(3, "fd flags", ar->ar_arg_value32);
563 kau_write(rec, tok);
564 }
565 break;
566
567 case F_SETOWN:
568 if (ARG_IS_VALID(kar, ARG_VALUE32)) {
569 tok = au_to_arg32(3, "pid", ar->ar_arg_value32);
570 kau_write(rec, tok);
571 }
572 break;
573
574 #ifdef F_SETSIZE
575 case F_SETSIZE:
576 if (ARG_IS_VALID(kar, ARG_VALUE64)) {
577 tok = au_to_arg64(3, "offset", ar->ar_arg_value64);
578 kau_write(rec, tok);
579 }
580 break;
581 #endif /* F_SETSIZE */
582
583 #ifdef F_PATHPKG_CHECK
584 case F_PATHPKG_CHECK:
585 if (ARG_IS_VALID(kar, ARG_TEXT)) {
586 tok = au_to_text(ar->ar_arg_text);
587 kau_write(rec, tok);
588 }
589 break;
590 #endif
591
592 default:
593 break;
594 }
595 tok = au_to_arg32(2, "cmd", au_fcntl_cmd_to_bsm(ar->ar_arg_cmd));
596 kau_write(rec, tok);
597 }
598
599 /*
600 * Convert an internal kernel audit record to a BSM record and return a
601 * success/failure indicator. The BSM record is passed as an out parameter to
602 * this function.
603 *
604 * Return conditions:
605 * BSM_SUCCESS: The BSM record is valid
606 * BSM_FAILURE: Failure; the BSM record is NULL.
607 * BSM_NOAUDIT: The event is not auditable for BSM; the BSM record is NULL.
608 */
609 int
kaudit_to_bsm(struct kaudit_record * kar,struct au_record ** pau)610 kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau)
611 {
612 struct au_token *tok = NULL, *subj_tok;
613 struct au_record *rec = NULL;
614 au_tid_t tid;
615 struct audit_record *ar;
616 int ctr;
617 u_int uctr;
618 int rv;
619
620 KASSERT(kar != NULL, ("kaudit_to_bsm: kar == NULL"));
621
622 *pau = NULL;
623 ar = &kar->k_ar;
624 rec = kau_open();
625
626 /*
627 * Create the subject token.
628 */
629 switch (ar->ar_subj_term_addr.at_type) {
630 case AU_IPv4:
631 tid.port = ar->ar_subj_term_addr.at_port;
632 tid.machine = ar->ar_subj_term_addr.at_addr[0];
633 subj_tok = au_to_subject32(ar->ar_subj_auid, /* audit ID */
634 ar->ar_subj_cred.cr_uid, /* eff uid */
635 ar->ar_subj_egid, /* eff group id */
636 ar->ar_subj_ruid, /* real uid */
637 ar->ar_subj_rgid, /* real group id */
638 ar->ar_subj_pid, /* process id */
639 ar->ar_subj_asid, /* session ID */
640 &tid);
641 break;
642 case AU_IPv6:
643 subj_tok = au_to_subject32_ex(ar->ar_subj_auid,
644 ar->ar_subj_cred.cr_uid,
645 ar->ar_subj_egid,
646 ar->ar_subj_ruid,
647 ar->ar_subj_rgid,
648 ar->ar_subj_pid,
649 ar->ar_subj_asid,
650 &ar->ar_subj_term_addr);
651 break;
652 default:
653 bzero(&tid, sizeof(tid));
654 subj_tok = au_to_subject32(ar->ar_subj_auid,
655 ar->ar_subj_cred.cr_uid,
656 ar->ar_subj_egid,
657 ar->ar_subj_ruid,
658 ar->ar_subj_rgid,
659 ar->ar_subj_pid,
660 ar->ar_subj_asid,
661 &tid);
662 }
663
664 /*
665 * The logic inside each case fills in the tokens required for the
666 * event, except for the header, trailer, and return tokens. The
667 * header and trailer tokens are added by the kau_close() function.
668 * The return token is added outside of the switch statement.
669 */
670 switch (ar->ar_event) {
671 case AUE_SENDFILE:
672 /* For sendfile the file and socket descriptor are both saved */
673 if (ARG_IS_VALID(kar, ARG_VALUE32)) {
674 tok = au_to_arg32(2, "sd", ar->ar_arg_value32);
675 kau_write(rec, tok);
676 }
677 OS_FALLTHROUGH;
678 case AUE_ACCEPT:
679 case AUE_BIND:
680 case AUE_LISTEN:
681 case AUE_CONNECT:
682 case AUE_RECVFROM:
683 case AUE_RECVMSG:
684 case AUE_SENDMSG:
685 case AUE_SENDTO:
686 /*
687 * Socket-related events.
688 */
689 if (ARG_IS_VALID(kar, ARG_FD)) {
690 tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
691 kau_write(rec, tok);
692 }
693 if (ARG_IS_VALID(kar, ARG_SADDRINET)) {
694 tok = au_to_sock_inet((struct sockaddr_in *)
695 &ar->ar_arg_sockaddr);
696 kau_write(rec, tok);
697 }
698 if (ARG_IS_VALID(kar, ARG_SADDRUNIX)) {
699 tok = au_to_sock_unix((struct sockaddr_un *)
700 &ar->ar_arg_sockaddr);
701 kau_write(rec, tok);
702 UPATH1_TOKENS;
703 }
704 if (ARG_IS_VALID(kar, ARG_SADDRINET6)) {
705 tok = au_to_sock_inet128((struct sockaddr_in6 *)
706 &ar->ar_arg_sockaddr);
707 kau_write(rec, tok);
708 }
709 break;
710
711 case AUE_SOCKET:
712 case AUE_SOCKETPAIR:
713 if (ARG_IS_VALID(kar, ARG_SOCKINFO)) {
714 tok = au_to_arg32(1, "domain",
715 au_domain_to_bsm(ar->ar_arg_sockinfo.sai_domain));
716 kau_write(rec, tok);
717 tok = au_to_arg32(2, "type",
718 au_socket_type_to_bsm(ar->ar_arg_sockinfo.sai_type));
719 kau_write(rec, tok);
720 tok = au_to_arg32(3, "protocol",
721 ar->ar_arg_sockinfo.sai_protocol);
722 kau_write(rec, tok);
723 }
724 break;
725
726 case AUE_SETSOCKOPT:
727 case AUE_SHUTDOWN:
728 if (ARG_IS_VALID(kar, ARG_FD)) {
729 tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
730 kau_write(rec, tok);
731 }
732 break;
733
734 case AUE_ACCT:
735 if (ARG_IS_VALID(kar, (ARG_KPATH1 | ARG_UPATH1))) {
736 UPATH1_VNODE1_TOKENS;
737 } else {
738 tok = au_to_arg32(1, "accounting off", 0);
739 kau_write(rec, tok);
740 }
741 break;
742
743 case AUE_SETAUID:
744 if (ARG_IS_VALID(kar, ARG_AUID)) {
745 tok = au_to_arg32(2, "setauid", ar->ar_arg_auid);
746 kau_write(rec, tok);
747 }
748 break;
749
750 case AUE_SETAUDIT:
751 if (ARG_IS_VALID(kar, ARG_AUID) &&
752 ARG_IS_VALID(kar, ARG_ASID) &&
753 ARG_IS_VALID(kar, ARG_AMASK) &&
754 ARG_IS_VALID(kar, ARG_TERMID)) {
755 tok = au_to_arg32(1, "setaudit:auid",
756 ar->ar_arg_auid);
757 kau_write(rec, tok);
758 tok = au_to_arg32(1, "setaudit:port",
759 ar->ar_arg_termid.port);
760 kau_write(rec, tok);
761 tok = au_to_arg32(1, "setaudit:machine",
762 ar->ar_arg_termid.machine);
763 kau_write(rec, tok);
764 tok = au_to_arg32(1, "setaudit:as_success",
765 ar->ar_arg_amask.am_success);
766 kau_write(rec, tok);
767 tok = au_to_arg32(1, "setaudit:as_failure",
768 ar->ar_arg_amask.am_failure);
769 kau_write(rec, tok);
770 tok = au_to_arg32(1, "setaudit:asid",
771 ar->ar_arg_asid);
772 kau_write(rec, tok);
773 }
774 break;
775
776 case AUE_SETAUDIT_ADDR:
777 if (ARG_IS_VALID(kar, ARG_AUID) &&
778 ARG_IS_VALID(kar, ARG_ASID) &&
779 ARG_IS_VALID(kar, ARG_AMASK) &&
780 ARG_IS_VALID(kar, ARG_TERMID_ADDR)) {
781 tok = au_to_arg32(1, "setaudit_addr:auid",
782 ar->ar_arg_auid);
783 kau_write(rec, tok);
784 tok = au_to_arg32(1, "setaudit_addr:as_success",
785 ar->ar_arg_amask.am_success);
786 kau_write(rec, tok);
787 tok = au_to_arg32(1, "setaudit_addr:as_failure",
788 ar->ar_arg_amask.am_failure);
789 kau_write(rec, tok);
790 tok = au_to_arg32(1, "setaudit_addr:asid",
791 ar->ar_arg_asid);
792 kau_write(rec, tok);
793 tok = au_to_arg32(1, "setaudit_addr:type",
794 ar->ar_arg_termid_addr.at_type);
795 kau_write(rec, tok);
796 tok = au_to_arg32(1, "setaudit_addr:port",
797 ar->ar_arg_termid_addr.at_port);
798 kau_write(rec, tok);
799 switch (ar->ar_arg_termid_addr.at_type) {
800 case AU_IPv6:
801 tok = au_to_in_addr_ex((struct in6_addr *)
802 &ar->ar_arg_termid_addr.at_addr[0]);
803 kau_write(rec, tok);
804 break;
805 case AU_IPv4:
806 tok = au_to_in_addr((struct in_addr *)
807 &ar->ar_arg_termid_addr.at_addr[0]);
808 kau_write(rec, tok);
809 break;
810 }
811 }
812 break;
813
814 case AUE_AUDITON:
815 /*
816 * For AUDITON commands without own event, audit the cmd.
817 */
818 if (ARG_IS_VALID(kar, ARG_CMD)) {
819 tok = au_to_arg32(1, "cmd", ar->ar_arg_cmd);
820 kau_write(rec, tok);
821 }
822 OS_FALLTHROUGH;
823
824 case AUE_AUDITON_GETCAR:
825 case AUE_AUDITON_GETCLASS:
826 case AUE_AUDITON_GETCOND:
827 case AUE_AUDITON_GETCWD:
828 case AUE_AUDITON_GETKMASK:
829 case AUE_AUDITON_GETSTAT:
830 case AUE_AUDITON_GPOLICY:
831 case AUE_AUDITON_GQCTRL:
832 case AUE_AUDITON_SETCLASS:
833 case AUE_AUDITON_SETCOND:
834 case AUE_AUDITON_SETKMASK:
835 case AUE_AUDITON_SETSMASK:
836 case AUE_AUDITON_SETSTAT:
837 case AUE_AUDITON_SETUMASK:
838 case AUE_AUDITON_SPOLICY:
839 case AUE_AUDITON_SQCTRL:
840 if (ARG_IS_VALID(kar, ARG_AUDITON)) {
841 audit_sys_auditon(ar, rec);
842 }
843 break;
844
845 case AUE_AUDITCTL:
846 UPATH1_VNODE1_TOKENS;
847 break;
848
849 case AUE_EXIT:
850 if (ARG_IS_VALID(kar, ARG_EXIT)) {
851 tok = au_to_exit(ar->ar_arg_exitretval,
852 ar->ar_arg_exitstatus);
853 kau_write(rec, tok);
854 }
855 break;
856
857 case AUE_ADJTIME:
858 case AUE_AUDIT:
859 case AUE_DUP2:
860 case AUE_GETAUDIT:
861 case AUE_GETAUDIT_ADDR:
862 case AUE_GETAUID:
863 case AUE_GETFSSTAT:
864 case AUE_KQUEUE:
865 case AUE_LSEEK:
866 #if 0
867 /* XXXss replace with kext */
868 case AUE_MODLOAD:
869 case AUE_MODUNLOAD:
870 #endif
871 case AUE_MAC_GETFSSTAT:
872 case AUE_PIPE:
873 case AUE_PROFILE:
874 case AUE_SEMSYS:
875 case AUE_SHMSYS:
876 case AUE_SETPGRP:
877 case AUE_SETRLIMIT:
878 case AUE_SETSID:
879 case AUE_SETTIMEOFDAY:
880 case AUE_KDEBUGTRACE:
881 case AUE_PTHREADSIGMASK:
882 /*
883 * Header, subject, and return tokens added at end.
884 */
885 break;
886
887 case AUE_MKFIFO:
888 if (ARG_IS_VALID(kar, ARG_MODE)) {
889 tok = au_to_arg32(2, "mode", ar->ar_arg_mode);
890 kau_write(rec, tok);
891 }
892 UPATH1_VNODE1_TOKENS;
893 break;
894
895 case AUE_ACCESS_EXTENDED:
896 /*
897 * The access_extended() argument vector is stored in an
898 * opaque token.
899 */
900 if (ARG_IS_VALID(kar, ARG_OPAQUE)) {
901 tok = au_to_opaque(ar->ar_arg_opaque,
902 ar->ar_arg_opq_size);
903 kau_write(rec, tok);
904 }
905 /*
906 * The access_extended() result vector is stored in an arbitrary
907 * data token.
908 */
909 if (ARG_IS_VALID(kar, ARG_DATA)) {
910 tok = au_to_data(AUP_DECIMAL, ar->ar_arg_data_type,
911 ar->ar_arg_data_count, ar->ar_arg_data);
912 kau_write(rec, tok);
913 }
914 UPATH1_VNODE1_TOKENS;
915 break;
916
917 case AUE_LSTAT_EXTENDED:
918 case AUE_STAT_EXTENDED:
919 case AUE_ACCESS:
920 case AUE_CHDIR:
921 case AUE_CHROOT:
922 case AUE_GETATTRLIST:
923 case AUE_NFS_GETFH:
924 case AUE_LSTAT:
925 case AUE_PATHCONF:
926 case AUE_READLINK:
927 case AUE_REVOKE:
928 case AUE_RMDIR:
929 case AUE_SEARCHFS:
930 case AUE_SETATTRLIST:
931 case AUE_STAT:
932 case AUE_STATFS:
933 case AUE_TRUNCATE:
934 case AUE_UNDELETE:
935 case AUE_UNLINK:
936 case AUE_UTIMES:
937 UPATH1_VNODE1_TOKENS;
938 break;
939
940 case AUE_FHOPEN:
941 break;
942
943 case AUE_CHFLAGS:
944 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
945 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
946 kau_write(rec, tok);
947 }
948 UPATH1_VNODE1_TOKENS;
949 break;
950
951 case AUE_CHMOD:
952 if (ARG_IS_VALID(kar, ARG_MODE)) {
953 tok = au_to_arg32(2, "new file mode",
954 ar->ar_arg_mode);
955 kau_write(rec, tok);
956 }
957 UPATH1_VNODE1_TOKENS;
958 break;
959
960 case AUE_CHOWN:
961 case AUE_LCHOWN:
962 if (ARG_IS_VALID(kar, ARG_UID)) {
963 tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid);
964 kau_write(rec, tok);
965 }
966 if (ARG_IS_VALID(kar, ARG_GID)) {
967 tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid);
968 kau_write(rec, tok);
969 }
970 UPATH1_VNODE1_TOKENS;
971 break;
972
973 case AUE_EXCHANGEDATA:
974 UPATH1_VNODE1_TOKENS;
975 UPATH2_TOKENS;
976 break;
977
978 case AUE_CLOSE:
979 if (ARG_IS_VALID(kar, ARG_FD)) {
980 tok = au_to_arg32(2, "fd", ar->ar_arg_fd);
981 kau_write(rec, tok);
982 }
983 UPATH1_VNODE1_TOKENS;
984 break;
985
986 case AUE_CORE:
987 if (ARG_IS_VALID(kar, ARG_SIGNUM)) {
988 tok = au_to_arg32(0, "signal", ar->ar_arg_signum);
989 kau_write(rec, tok);
990 }
991 UPATH1_VNODE1_TOKENS;
992 break;
993
994 case AUE_POSIX_SPAWN:
995 if (ARG_IS_VALID(kar, ARG_PID)) {
996 tok = au_to_arg32(0, "child PID", ar->ar_arg_pid);
997 kau_write(rec, tok);
998 }
999 OS_FALLTHROUGH;
1000
1001 case AUE_EXECVE:
1002 if (ARG_IS_VALID(kar, ARG_ARGV)) {
1003 tok = au_to_exec_args(ar->ar_arg_argv,
1004 ar->ar_arg_argc);
1005 kau_write(rec, tok);
1006 }
1007 if (ARG_IS_VALID(kar, ARG_ENVV)) {
1008 tok = au_to_exec_env(ar->ar_arg_envv,
1009 ar->ar_arg_envc);
1010 kau_write(rec, tok);
1011 }
1012 UPATH1_VNODE1_TOKENS;
1013 VNODE2_PATH_TOKENS;
1014 if (ARG_IS_VALID(kar, ARG_DATA)) {
1015 tok = au_to_data(AUP_HEX, ar->ar_arg_data_type,
1016 ar->ar_arg_data_count, ar->ar_arg_data);
1017 kau_write(rec, tok);
1018 }
1019 break;
1020
1021 case AUE_FCHMOD_EXTENDED:
1022 EXTENDED_TOKENS(2);
1023 FD_VNODE1_TOKENS;
1024 break;
1025
1026 case AUE_FCHMOD:
1027 if (ARG_IS_VALID(kar, ARG_MODE)) {
1028 tok = au_to_arg32(2, "new file mode",
1029 ar->ar_arg_mode);
1030 kau_write(rec, tok);
1031 }
1032 FD_VNODE1_TOKENS;
1033 break;
1034
1035 case AUE_NFS_SVC:
1036 tok = au_to_arg32(1, "request", ar->ar_arg_cmd);
1037 kau_write(rec, tok);
1038 if (ar->ar_valid_arg & (ARG_KPATH1 | ARG_UPATH1)) {
1039 UPATH1_VNODE1_TOKENS;
1040 }
1041 break;
1042
1043 /*
1044 * XXXRW: Some of these need to handle non-vnode cases as well.
1045 */
1046 case AUE_FSTAT_EXTENDED:
1047 case AUE_FCHDIR:
1048 case AUE_FPATHCONF:
1049 case AUE_FSTAT: /* XXX Need to handle sockets and shm */
1050 case AUE_FSTATFS:
1051 case AUE_FSYNC:
1052 case AUE_FTRUNCATE:
1053 case AUE_FUTIMES:
1054 case AUE_GETDIRENTRIES:
1055 case AUE_GETDIRENTRIESATTR:
1056 case AUE_GETATTRLISTBULK:
1057 #if 0 /* XXXss new */
1058 case AUE_POLL:
1059 #endif
1060 case AUE_READ:
1061 case AUE_READV:
1062 case AUE_PREAD:
1063 case AUE_PREADV:
1064 case AUE_WRITE:
1065 case AUE_WRITEV:
1066 case AUE_PWRITE:
1067 case AUE_PWRITEV:
1068 FD_VNODE1_TOKENS;
1069 break;
1070
1071 case AUE_FCHOWN:
1072 if (ARG_IS_VALID(kar, ARG_UID)) {
1073 tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid);
1074 kau_write(rec, tok);
1075 }
1076 if (ARG_IS_VALID(kar, ARG_GID)) {
1077 tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid);
1078 kau_write(rec, tok);
1079 }
1080 FD_VNODE1_TOKENS;
1081 break;
1082
1083 case AUE_FCNTL:
1084 if (ARG_IS_VALID(kar, ARG_CMD)) {
1085 audit_sys_fcntl(kar, rec);
1086 }
1087 FD_VNODE1_TOKENS;
1088 break;
1089
1090 case AUE_FSCTL:
1091 if (ARG_IS_VALID(kar, ARG_VALUE32)) {
1092 tok = au_to_arg32(4, "options", ar->ar_arg_value32);
1093 kau_write(rec, tok);
1094 }
1095 if (ARG_IS_VALID(kar, ARG_CMD)) {
1096 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd);
1097 kau_write(rec, tok);
1098 }
1099 UPATH1_VNODE1_TOKENS;
1100 break;
1101
1102 case AUE_FFSCTL:
1103 if (ARG_IS_VALID(kar, ARG_VALUE32)) {
1104 tok = au_to_arg32(4, "options", ar->ar_arg_value32);
1105 kau_write(rec, tok);
1106 }
1107 if (ARG_IS_VALID(kar, ARG_CMD)) {
1108 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd);
1109 kau_write(rec, tok);
1110 }
1111 FD_VNODE1_TOKENS;
1112 break;
1113
1114
1115 case AUE_FCHFLAGS:
1116 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
1117 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
1118 kau_write(rec, tok);
1119 }
1120 FD_VNODE1_TOKENS;
1121 break;
1122
1123 case AUE_FLOCK:
1124 if (ARG_IS_VALID(kar, ARG_CMD)) {
1125 tok = au_to_arg32(2, "operation", ar->ar_arg_cmd);
1126 kau_write(rec, tok);
1127 }
1128 FD_VNODE1_TOKENS;
1129 break;
1130
1131 case AUE_FORK:
1132 case AUE_VFORK:
1133 if (ARG_IS_VALID(kar, ARG_PID)) {
1134 tok = au_to_arg32(0, "child PID", ar->ar_arg_pid);
1135 kau_write(rec, tok);
1136 }
1137 break;
1138
1139 case AUE_GETLCID:
1140 if (ARG_IS_VALID(kar, ARG_PID)) {
1141 tok = au_to_arg32(1, "pid", (u_int32_t)ar->ar_arg_pid);
1142 kau_write(rec, tok);
1143 }
1144 break;
1145
1146 case AUE_SETLCID:
1147 if (ARG_IS_VALID(kar, ARG_PID)) {
1148 tok = au_to_arg32(1, "pid", (u_int32_t)ar->ar_arg_pid);
1149 kau_write(rec, tok);
1150 }
1151 if (ARG_IS_VALID(kar, ARG_VALUE32)) {
1152 tok = au_to_arg32(2, "lcid",
1153 (u_int32_t)ar->ar_arg_value32);
1154 kau_write(rec, tok);
1155 }
1156 break;
1157
1158 case AUE_IOCTL:
1159 if (ARG_IS_VALID(kar, ARG_CMD)) {
1160 tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd);
1161 kau_write(rec, tok);
1162 }
1163 if (ARG_IS_VALID(kar, ARG_VALUE64)) {
1164 tok = au_to_arg64(2, "cmd", ar->ar_arg_value64);
1165 kau_write(rec, tok);
1166 }
1167 if (ARG_IS_VALID(kar, ARG_ADDR64)) {
1168 tok = au_to_arg64(3, "arg", ar->ar_arg_addr);
1169 kau_write(rec, tok);
1170 } else if (ARG_IS_VALID(kar, ARG_ADDR32)) {
1171 tok = au_to_arg32(3, "arg",
1172 (u_int32_t)ar->ar_arg_addr);
1173 kau_write(rec, tok);
1174 }
1175 if (ARG_IS_VALID(kar, ARG_VNODE1)) {
1176 FD_VNODE1_TOKENS;
1177 } else {
1178 if (ARG_IS_VALID(kar, ARG_SOCKINFO)) {
1179 tok = au_to_socket_ex(
1180 ar->ar_arg_sockinfo.sai_domain,
1181 ar->ar_arg_sockinfo.sai_type,
1182 (struct sockaddr *)
1183 &ar->ar_arg_sockinfo.sai_laddr,
1184 (struct sockaddr *)
1185 &ar->ar_arg_sockinfo.sai_faddr);
1186 kau_write(rec, tok);
1187 } else {
1188 if (ARG_IS_VALID(kar, ARG_FD)) {
1189 tok = au_to_arg32(1, "fd",
1190 ar->ar_arg_fd);
1191 kau_write(rec, tok);
1192 }
1193 }
1194 }
1195 break;
1196
1197 case AUE_KILL:
1198 if (ARG_IS_VALID(kar, ARG_SIGNUM)) {
1199 tok = au_to_arg32(2, "signal", ar->ar_arg_signum);
1200 kau_write(rec, tok);
1201 }
1202 PROCESS_PID_TOKENS(1);
1203 break;
1204
1205 case AUE_LINK:
1206 case AUE_RENAME:
1207 UPATH1_VNODE1_TOKENS;
1208 UPATH2_TOKENS;
1209 KPATH2_TOKENS;
1210 break;
1211
1212 case AUE_MKDIR_EXTENDED:
1213 case AUE_CHMOD_EXTENDED:
1214 case AUE_MKFIFO_EXTENDED:
1215 EXTENDED_TOKENS(2);
1216 UPATH1_VNODE1_TOKENS;
1217 break;
1218
1219 case AUE_MKDIR:
1220 if (ARG_IS_VALID(kar, ARG_MODE)) {
1221 tok = au_to_arg32(2, "mode", ar->ar_arg_mode);
1222 kau_write(rec, tok);
1223 }
1224 UPATH1_VNODE1_TOKENS;
1225 break;
1226
1227 case AUE_MKNOD:
1228 if (ARG_IS_VALID(kar, ARG_MODE)) {
1229 tok = au_to_arg32(2, "mode", ar->ar_arg_mode);
1230 kau_write(rec, tok);
1231 }
1232 if (ARG_IS_VALID(kar, ARG_VALUE32)) {
1233 tok = au_to_arg32(3, "dev", ar->ar_arg_value32);
1234 kau_write(rec, tok);
1235 }
1236 UPATH1_VNODE1_TOKENS;
1237 break;
1238
1239 case AUE_MMAP:
1240 case AUE_MUNMAP:
1241 case AUE_MPROTECT:
1242 case AUE_MLOCK:
1243 case AUE_MUNLOCK:
1244 case AUE_MINHERIT:
1245 if (ARG_IS_VALID(kar, ARG_ADDR64)) {
1246 tok = au_to_arg64(1, "addr", ar->ar_arg_addr);
1247 kau_write(rec, tok);
1248 } else if (ARG_IS_VALID(kar, ARG_ADDR32)) {
1249 tok = au_to_arg32(1, "addr",
1250 (u_int32_t)ar->ar_arg_addr);
1251 kau_write(rec, tok);
1252 }
1253 if (ARG_IS_VALID(kar, ARG_LEN)) {
1254 tok = au_to_arg64(2, "len", ar->ar_arg_len);
1255 kau_write(rec, tok);
1256 }
1257 if (ar->ar_event == AUE_MMAP) {
1258 FD_VNODE1_TOKENS;
1259 }
1260 if (ar->ar_event == AUE_MPROTECT) {
1261 if (ARG_IS_VALID(kar, ARG_VALUE32)) {
1262 tok = au_to_arg32(3, "protection",
1263 ar->ar_arg_value32);
1264 kau_write(rec, tok);
1265 }
1266 }
1267 if (ar->ar_event == AUE_MINHERIT) {
1268 if (ARG_IS_VALID(kar, ARG_VALUE32)) {
1269 tok = au_to_arg32(3, "inherit",
1270 ar->ar_arg_value32);
1271 kau_write(rec, tok);
1272 }
1273 }
1274 break;
1275
1276 #if CONFIG_MACF
1277 case AUE_MAC_MOUNT:
1278 PROCESS_MAC_TOKENS;
1279 OS_FALLTHROUGH;
1280 #endif
1281 case AUE_MOUNT:
1282 /* XXX Need to handle NFS mounts */
1283 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
1284 tok = au_to_arg32(3, "flags", ar->ar_arg_fflags);
1285 kau_write(rec, tok);
1286 }
1287 if (ARG_IS_VALID(kar, ARG_TEXT)) {
1288 tok = au_to_text(ar->ar_arg_text);
1289 kau_write(rec, tok);
1290 }
1291 OS_FALLTHROUGH;
1292
1293 case AUE_UMOUNT:
1294 case AUE_UNMOUNT:
1295 UPATH1_VNODE1_TOKENS;
1296 break;
1297 case AUE_FMOUNT:
1298 if (ARG_IS_VALID(kar, ARG_FD)) {
1299 tok = au_to_arg32(2, "dir fd", ar->ar_arg_fd);
1300 kau_write(rec, tok);
1301 }
1302 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
1303 tok = au_to_arg32(3, "flags", ar->ar_arg_fflags);
1304 kau_write(rec, tok);
1305 }
1306 if (ARG_IS_VALID(kar, ARG_TEXT)) {
1307 tok = au_to_text(ar->ar_arg_text);
1308 kau_write(rec, tok);
1309 }
1310 break;
1311
1312 case AUE_MSGCTL:
1313 ar->ar_event = audit_msgctl_to_event(ar->ar_arg_svipc_cmd);
1314 OS_FALLTHROUGH;
1315
1316 case AUE_MSGRCV:
1317 case AUE_MSGSND:
1318 tok = au_to_arg32(1, "msg ID", ar->ar_arg_svipc_id);
1319 kau_write(rec, tok);
1320 if (ar->ar_errno != EINVAL) {
1321 tok = au_to_ipc(AT_IPC_MSG, ar->ar_arg_svipc_id);
1322 kau_write(rec, tok);
1323 }
1324 break;
1325
1326 case AUE_MSGGET:
1327 if (ar->ar_errno == 0) {
1328 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
1329 tok = au_to_ipc(AT_IPC_MSG,
1330 ar->ar_arg_svipc_id);
1331 kau_write(rec, tok);
1332 }
1333 }
1334 break;
1335
1336 case AUE_OPEN:
1337 case AUE_OPEN_R:
1338 case AUE_OPEN_RT:
1339 case AUE_OPEN_RW:
1340 case AUE_OPEN_RWT:
1341 case AUE_OPEN_W:
1342 case AUE_OPEN_WT:
1343 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
1344 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
1345 kau_write(rec, tok);
1346 }
1347 UPATH1_VNODE1_TOKENS;
1348 break;
1349
1350 case AUE_OPEN_RC:
1351 case AUE_OPEN_RTC:
1352 case AUE_OPEN_RWC:
1353 case AUE_OPEN_RWTC:
1354 case AUE_OPEN_WC:
1355 case AUE_OPEN_WTC:
1356 if (ARG_IS_VALID(kar, ARG_MODE)) {
1357 tok = au_to_arg32(3, "mode", ar->ar_arg_mode);
1358 kau_write(rec, tok);
1359 }
1360 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
1361 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
1362 kau_write(rec, tok);
1363 }
1364 UPATH1_VNODE1_TOKENS;
1365 break;
1366
1367 case AUE_OPEN_EXTENDED:
1368 case AUE_OPEN_EXTENDED_R:
1369 case AUE_OPEN_EXTENDED_RT:
1370 case AUE_OPEN_EXTENDED_RW:
1371 case AUE_OPEN_EXTENDED_RWT:
1372 case AUE_OPEN_EXTENDED_W:
1373 case AUE_OPEN_EXTENDED_WT:
1374 EXTENDED_TOKENS(3);
1375 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
1376 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
1377 kau_write(rec, tok);
1378 }
1379 UPATH1_VNODE1_TOKENS;
1380 break;
1381
1382 case AUE_OPEN_EXTENDED_RC:
1383 case AUE_OPEN_EXTENDED_RTC:
1384 case AUE_OPEN_EXTENDED_RWC:
1385 case AUE_OPEN_EXTENDED_RWTC:
1386 case AUE_OPEN_EXTENDED_WC:
1387 case AUE_OPEN_EXTENDED_WTC:
1388 EXTENDED_TOKENS(3);
1389 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
1390 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
1391 kau_write(rec, tok);
1392 }
1393 UPATH1_VNODE1_TOKENS;
1394 break;
1395
1396 case AUE_OPENAT:
1397 case AUE_OPENAT_R:
1398 case AUE_OPENAT_RT:
1399 case AUE_OPENAT_RW:
1400 case AUE_OPENAT_RWT:
1401 case AUE_OPENAT_W:
1402 case AUE_OPENAT_WT:
1403 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
1404 tok = au_to_arg32(3, "flags", ar->ar_arg_fflags);
1405 kau_write(rec, tok);
1406 }
1407 if (ARG_IS_VALID(kar, ARG_FD)) {
1408 tok = au_to_arg32(1, "dir fd", ar->ar_arg_fd);
1409 kau_write(rec, tok);
1410 }
1411 UPATH1_VNODE1_TOKENS;
1412 break;
1413
1414 case AUE_OPENAT_RC:
1415 case AUE_OPENAT_RTC:
1416 case AUE_OPENAT_RWC:
1417 case AUE_OPENAT_RWTC:
1418 case AUE_OPENAT_WC:
1419 case AUE_OPENAT_WTC:
1420 if (ARG_IS_VALID(kar, ARG_MODE)) {
1421 tok = au_to_arg32(4, "mode", ar->ar_arg_mode);
1422 kau_write(rec, tok);
1423 }
1424 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
1425 tok = au_to_arg32(3, "flags", ar->ar_arg_fflags);
1426 kau_write(rec, tok);
1427 }
1428 if (ARG_IS_VALID(kar, ARG_FD)) {
1429 tok = au_to_arg32(1, "dir fd", ar->ar_arg_fd);
1430 kau_write(rec, tok);
1431 }
1432 UPATH1_VNODE1_TOKENS;
1433 break;
1434
1435 case AUE_OPENBYID:
1436 case AUE_OPENBYID_R:
1437 case AUE_OPENBYID_RT:
1438 case AUE_OPENBYID_RW:
1439 case AUE_OPENBYID_RWT:
1440 case AUE_OPENBYID_W:
1441 case AUE_OPENBYID_WT:
1442 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
1443 tok = au_to_arg32(3, "flags", ar->ar_arg_fflags);
1444 kau_write(rec, tok);
1445 }
1446 if (ARG_IS_VALID(kar, ARG_VALUE32)) {
1447 tok = au_to_arg32(1, "volfsid", ar->ar_arg_value32);
1448 kau_write(rec, tok);
1449 }
1450 if (ARG_IS_VALID(kar, ARG_VALUE64)) {
1451 tok = au_to_arg64(2, "objid", ar->ar_arg_value64);
1452 kau_write(rec, tok);
1453 }
1454 break;
1455
1456 case AUE_RENAMEAT:
1457 case AUE_FACCESSAT:
1458 case AUE_FCHMODAT:
1459 case AUE_FCHOWNAT:
1460 case AUE_FSTATAT:
1461 case AUE_LINKAT:
1462 case AUE_UNLINKAT:
1463 case AUE_READLINKAT:
1464 case AUE_SYMLINKAT:
1465 case AUE_MKDIRAT:
1466 case AUE_GETATTRLISTAT:
1467 case AUE_SETATTRLISTAT:
1468 if (ARG_IS_VALID(kar, ARG_FD)) {
1469 tok = au_to_arg32(1, "dir fd", ar->ar_arg_fd);
1470 kau_write(rec, tok);
1471 }
1472 UPATH1_VNODE1_TOKENS;
1473 break;
1474
1475 case AUE_CLONEFILEAT:
1476 if (ARG_IS_VALID(kar, ARG_FD)) {
1477 tok = au_to_arg32(1, "src dir fd", ar->ar_arg_fd);
1478 kau_write(rec, tok);
1479 }
1480 UPATH1_VNODE1_TOKENS;
1481 if (ARG_IS_VALID(kar, ARG_FD2)) {
1482 tok = au_to_arg32(1, "dst dir fd", ar->ar_arg_fd2);
1483 kau_write(rec, tok);
1484 }
1485 UPATH2_TOKENS;
1486 if (ARG_IS_VALID(kar, ARG_VALUE32)) {
1487 tok = au_to_arg32(1, "flags", ar->ar_arg_value32);
1488 kau_write(rec, tok);
1489 }
1490 break;
1491
1492 case AUE_FCLONEFILEAT:
1493 FD_VNODE1_TOKENS;
1494 if (ARG_IS_VALID(kar, ARG_FD2)) {
1495 tok = au_to_arg32(1, "dst dir fd", ar->ar_arg_fd2);
1496 kau_write(rec, tok);
1497 }
1498 UPATH2_TOKENS;
1499 if (ARG_IS_VALID(kar, ARG_VALUE32)) {
1500 tok = au_to_arg32(1, "flags", ar->ar_arg_value32);
1501 kau_write(rec, tok);
1502 }
1503 break;
1504
1505 case AUE_PTRACE:
1506 if (ARG_IS_VALID(kar, ARG_CMD)) {
1507 tok = au_to_arg32(1, "request", ar->ar_arg_cmd);
1508 kau_write(rec, tok);
1509 }
1510 if (ARG_IS_VALID(kar, ARG_ADDR64)) {
1511 tok = au_to_arg64(3, "addr", ar->ar_arg_addr);
1512 kau_write(rec, tok);
1513 } else if (ARG_IS_VALID(kar, ARG_ADDR32)) {
1514 tok = au_to_arg32(3, "addr",
1515 (u_int32_t)ar->ar_arg_addr);
1516 kau_write(rec, tok);
1517 }
1518 if (ARG_IS_VALID(kar, ARG_VALUE32)) {
1519 tok = au_to_arg32(4, "data", ar->ar_arg_value32);
1520 kau_write(rec, tok);
1521 }
1522 PROCESS_PID_TOKENS(2);
1523 break;
1524
1525 case AUE_QUOTACTL:
1526 if (ARG_IS_VALID(kar, ARG_CMD)) {
1527 tok = au_to_arg32(2, "command", ar->ar_arg_cmd);
1528 kau_write(rec, tok);
1529 }
1530 if (ARG_IS_VALID(kar, ARG_UID)) {
1531 tok = au_to_arg32(3, "uid", ar->ar_arg_uid);
1532 kau_write(rec, tok);
1533 }
1534 UPATH1_VNODE1_TOKENS;
1535 break;
1536
1537 case AUE_REBOOT:
1538 if (ARG_IS_VALID(kar, ARG_CMD)) {
1539 tok = au_to_arg32(1, "howto", ar->ar_arg_cmd);
1540 kau_write(rec, tok);
1541 }
1542 break;
1543
1544 case AUE_SEMCTL:
1545 ar->ar_event = audit_semctl_to_event(ar->ar_arg_svipc_cmd);
1546 OS_FALLTHROUGH;
1547
1548 case AUE_SEMOP:
1549 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
1550 tok = au_to_arg32(1, "sem ID", ar->ar_arg_svipc_id);
1551 kau_write(rec, tok);
1552 if (ar->ar_errno != EINVAL) {
1553 tok = au_to_ipc(AT_IPC_SEM,
1554 ar->ar_arg_svipc_id);
1555 kau_write(rec, tok);
1556 }
1557 }
1558 break;
1559
1560 case AUE_SEMGET:
1561 if (ar->ar_errno == 0) {
1562 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
1563 tok = au_to_ipc(AT_IPC_SEM,
1564 ar->ar_arg_svipc_id);
1565 kau_write(rec, tok);
1566 }
1567 }
1568 break;
1569
1570 case AUE_SETEGID:
1571 if (ARG_IS_VALID(kar, ARG_EGID)) {
1572 tok = au_to_arg32(1, "gid", ar->ar_arg_egid);
1573 kau_write(rec, tok);
1574 }
1575 break;
1576
1577 case AUE_SETEUID:
1578 if (ARG_IS_VALID(kar, ARG_EUID)) {
1579 tok = au_to_arg32(1, "uid", ar->ar_arg_euid);
1580 kau_write(rec, tok);
1581 }
1582 break;
1583
1584 case AUE_SETREGID:
1585 if (ARG_IS_VALID(kar, ARG_RGID)) {
1586 tok = au_to_arg32(1, "rgid", ar->ar_arg_rgid);
1587 kau_write(rec, tok);
1588 }
1589 if (ARG_IS_VALID(kar, ARG_EGID)) {
1590 tok = au_to_arg32(2, "egid", ar->ar_arg_egid);
1591 kau_write(rec, tok);
1592 }
1593 break;
1594
1595 case AUE_SETREUID:
1596 if (ARG_IS_VALID(kar, ARG_RUID)) {
1597 tok = au_to_arg32(1, "ruid", ar->ar_arg_ruid);
1598 kau_write(rec, tok);
1599 }
1600 if (ARG_IS_VALID(kar, ARG_EUID)) {
1601 tok = au_to_arg32(2, "euid", ar->ar_arg_euid);
1602 kau_write(rec, tok);
1603 }
1604 break;
1605
1606 case AUE_SETGID:
1607 if (ARG_IS_VALID(kar, ARG_GID)) {
1608 tok = au_to_arg32(1, "gid", ar->ar_arg_gid);
1609 kau_write(rec, tok);
1610 }
1611 break;
1612
1613 case AUE_SETUID:
1614 if (ARG_IS_VALID(kar, ARG_UID)) {
1615 tok = au_to_arg32(1, "uid", ar->ar_arg_uid);
1616 kau_write(rec, tok);
1617 }
1618 break;
1619
1620 case AUE_SETGROUPS:
1621 if (ARG_IS_VALID(kar, ARG_GROUPSET)) {
1622 for (uctr = 0; uctr < ar->ar_arg_groups.gidset_size;
1623 uctr++) {
1624 tok = au_to_arg32(1, "setgroups",
1625 ar->ar_arg_groups.gidset[uctr]);
1626 kau_write(rec, tok);
1627 }
1628 }
1629 break;
1630
1631 case AUE_SETLOGIN:
1632 if (ARG_IS_VALID(kar, ARG_TEXT)) {
1633 tok = au_to_text(ar->ar_arg_text);
1634 kau_write(rec, tok);
1635 }
1636 break;
1637
1638 case AUE_SETPRIORITY:
1639 if (ARG_IS_VALID(kar, ARG_CMD)) {
1640 tok = au_to_arg32(1, "which", ar->ar_arg_cmd);
1641 kau_write(rec, tok);
1642 }
1643 if (ARG_IS_VALID(kar, ARG_UID)) {
1644 tok = au_to_arg32(2, "who", ar->ar_arg_uid);
1645 kau_write(rec, tok);
1646 }
1647 if (ARG_IS_VALID(kar, ARG_VALUE32)) {
1648 tok = au_to_arg32(2, "priority", ar->ar_arg_value32);
1649 kau_write(rec, tok);
1650 }
1651 break;
1652
1653 case AUE_SETPRIVEXEC:
1654 if (ARG_IS_VALID(kar, ARG_VALUE32)) {
1655 tok = au_to_arg32(1, "flag", ar->ar_arg_value32);
1656 kau_write(rec, tok);
1657 }
1658 break;
1659
1660 /* AUE_SHMAT, AUE_SHMCTL, AUE_SHMDT and AUE_SHMGET are SysV IPC */
1661 case AUE_SHMAT:
1662 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
1663 tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id);
1664 kau_write(rec, tok);
1665 /* XXXAUDIT: Does having the ipc token make sense? */
1666 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id);
1667 kau_write(rec, tok);
1668 }
1669 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) {
1670 tok = au_to_arg64(2, "shmaddr", ar->ar_arg_svipc_addr);
1671 kau_write(rec, tok);
1672 }
1673 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) {
1674 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm);
1675 kau_write(rec, tok);
1676 }
1677 break;
1678
1679 case AUE_SHMCTL:
1680 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
1681 tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id);
1682 kau_write(rec, tok);
1683 /* XXXAUDIT: Does having the ipc token make sense? */
1684 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id);
1685 kau_write(rec, tok);
1686 }
1687 switch (ar->ar_arg_svipc_cmd) {
1688 case IPC_STAT:
1689 ar->ar_event = AUE_SHMCTL_STAT;
1690 break;
1691 case IPC_RMID:
1692 ar->ar_event = AUE_SHMCTL_RMID;
1693 break;
1694 case IPC_SET:
1695 ar->ar_event = AUE_SHMCTL_SET;
1696 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) {
1697 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm);
1698 kau_write(rec, tok);
1699 }
1700 break;
1701 default:
1702 break; /* We will audit a bad command */
1703 }
1704 break;
1705
1706 case AUE_SHMDT:
1707 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) {
1708 tok = au_to_arg64(1, "shmaddr",
1709 (int)(uintptr_t)ar->ar_arg_svipc_addr);
1710 kau_write(rec, tok);
1711 }
1712 break;
1713
1714 case AUE_SHMGET:
1715 /* This is unusual; the return value is in an argument token */
1716 if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
1717 tok = au_to_arg32(0, "shmid", ar->ar_arg_svipc_id);
1718 kau_write(rec, tok);
1719 tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id);
1720 kau_write(rec, tok);
1721 }
1722 if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) {
1723 tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm);
1724 kau_write(rec, tok);
1725 }
1726 break;
1727
1728 /* AUE_SHMOPEN, AUE_SHMUNLINK, AUE_SEMOPEN, AUE_SEMCLOSE
1729 * and AUE_SEMUNLINK are Posix IPC */
1730 case AUE_SHMOPEN:
1731 if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) {
1732 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
1733 kau_write(rec, tok);
1734 }
1735 if (ARG_IS_VALID(kar, ARG_MODE)) {
1736 tok = au_to_arg32(3, "mode", ar->ar_arg_mode);
1737 kau_write(rec, tok);
1738 }
1739 OS_FALLTHROUGH;
1740
1741 case AUE_SHMUNLINK:
1742 if (ARG_IS_VALID(kar, ARG_TEXT)) {
1743 tok = au_to_text(ar->ar_arg_text);
1744 kau_write(rec, tok);
1745 }
1746 if (ARG_IS_VALID(kar, ARG_POSIX_IPC_PERM)) {
1747 struct ipc_perm perm;
1748
1749 perm.uid = ar->ar_arg_pipc_perm.pipc_uid;
1750 perm.gid = ar->ar_arg_pipc_perm.pipc_gid;
1751 perm.cuid = ar->ar_arg_pipc_perm.pipc_uid;
1752 perm.cgid = ar->ar_arg_pipc_perm.pipc_gid;
1753 perm.mode = ar->ar_arg_pipc_perm.pipc_mode;
1754 perm._seq = 0;
1755 perm._key = 0;
1756 tok = au_to_ipc_perm(&perm);
1757 kau_write(rec, tok);
1758 }
1759 break;
1760
1761 case AUE_SEMOPEN:
1762 if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
1763 tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
1764 kau_write(rec, tok);
1765 }
1766 if (ARG_IS_VALID(kar, ARG_MODE)) {
1767 tok = au_to_arg32(3, "mode", ar->ar_arg_mode);
1768 kau_write(rec, tok);
1769 }
1770 if (ARG_IS_VALID(kar, ARG_VALUE32)) {
1771 tok = au_to_arg32(4, "value", ar->ar_arg_value32);
1772 kau_write(rec, tok);
1773 }
1774 OS_FALLTHROUGH;
1775
1776 case AUE_SEMUNLINK:
1777 if (ARG_IS_VALID(kar, ARG_TEXT)) {
1778 tok = au_to_text(ar->ar_arg_text);
1779 kau_write(rec, tok);
1780 }
1781 if (ARG_IS_VALID(kar, ARG_POSIX_IPC_PERM)) {
1782 struct ipc_perm perm;
1783
1784 perm.uid = ar->ar_arg_pipc_perm.pipc_uid;
1785 perm.gid = ar->ar_arg_pipc_perm.pipc_gid;
1786 perm.cuid = ar->ar_arg_pipc_perm.pipc_uid;
1787 perm.cgid = ar->ar_arg_pipc_perm.pipc_gid;
1788 perm.mode = ar->ar_arg_pipc_perm.pipc_mode;
1789 perm._seq = 0;
1790 perm._key = 0;
1791 tok = au_to_ipc_perm(&perm);
1792 kau_write(rec, tok);
1793 }
1794 break;
1795
1796 case AUE_SEMCLOSE:
1797 if (ARG_IS_VALID(kar, ARG_FD)) {
1798 tok = au_to_arg32(1, "sem", ar->ar_arg_fd);
1799 kau_write(rec, tok);
1800 }
1801 break;
1802
1803 case AUE_SYMLINK:
1804 if (ARG_IS_VALID(kar, ARG_TEXT)) {
1805 tok = au_to_text(ar->ar_arg_text);
1806 kau_write(rec, tok);
1807 }
1808 UPATH1_VNODE1_TOKENS;
1809 break;
1810
1811 case AUE_SYSCTL:
1812 case AUE_SYSCTL_NONADMIN:
1813 if (ARG_IS_VALID(kar, ARG_CTLNAME | ARG_LEN)) {
1814 for (ctr = 0; ctr < (int)ar->ar_arg_len; ctr++) {
1815 tok = au_to_arg32(1, "name",
1816 ar->ar_arg_ctlname[ctr]);
1817 kau_write(rec, tok);
1818 }
1819 }
1820 if (ARG_IS_VALID(kar, ARG_VALUE32)) {
1821 tok = au_to_arg32(5, "newval", ar->ar_arg_value32);
1822 kau_write(rec, tok);
1823 }
1824 if (ARG_IS_VALID(kar, ARG_TEXT)) {
1825 tok = au_to_text(ar->ar_arg_text);
1826 kau_write(rec, tok);
1827 }
1828 break;
1829
1830 case AUE_UMASK_EXTENDED:
1831 /* ACL data */
1832 if (ARG_IS_VALID(kar, ARG_OPAQUE)) {
1833 tok = au_to_opaque(ar->ar_arg_opaque,
1834 ar->ar_arg_opq_size);
1835 kau_write(rec, tok);
1836 }
1837 OS_FALLTHROUGH;
1838
1839 case AUE_UMASK:
1840 if (ARG_IS_VALID(kar, ARG_MASK)) {
1841 tok = au_to_arg32(1, "new mask", ar->ar_arg_mask);
1842 kau_write(rec, tok);
1843 }
1844 tok = au_to_arg32(0, "prev mask", ar->ar_retval);
1845 kau_write(rec, tok);
1846 break;
1847
1848 case AUE_WAIT4:
1849 #if 0 /* XXXss - new */
1850 case AUE_WAITID:
1851 #endif
1852 if (ARG_IS_VALID(kar, ARG_PID)) {
1853 tok = au_to_arg32(0, "pid", ar->ar_arg_pid);
1854 kau_write(rec, tok);
1855 }
1856 break;
1857
1858 case AUE_FSGETPATH_EXTENDED:
1859 case AUE_FSGETPATH:
1860 if (ARG_IS_VALID(kar, ARG_VALUE32)) {
1861 tok = au_to_arg32(3, "volfsid", ar->ar_arg_value32);
1862 kau_write(rec, tok);
1863 }
1864 if (ARG_IS_VALID(kar, ARG_VALUE64)) {
1865 tok = au_to_arg64(4, "objid", ar->ar_arg_value64);
1866 kau_write(rec, tok);
1867 }
1868 if (ARG_IS_VALID(kar, ARG_TEXT)) {
1869 tok = au_to_text(ar->ar_arg_text);
1870 kau_write(rec, tok);
1871 }
1872 break;
1873
1874 case AUE_SESSION_START:
1875 case AUE_SESSION_UPDATE:
1876 case AUE_SESSION_END:
1877 case AUE_SESSION_CLOSE:
1878 if (ARG_IS_VALID(kar, ARG_VALUE64)) {
1879 tok = au_to_arg64(1, "sflags", ar->ar_arg_value64);
1880 kau_write(rec, tok);
1881 }
1882 if (ARG_IS_VALID(kar, ARG_AMASK)) {
1883 tok = au_to_arg32(2, "am_success",
1884 ar->ar_arg_amask.am_success);
1885 kau_write(rec, tok);
1886 tok = au_to_arg32(3, "am_failure",
1887 ar->ar_arg_amask.am_failure);
1888 kau_write(rec, tok);
1889 }
1890 break;
1891
1892 /************************
1893 * Mach system calls *
1894 ************************/
1895 case AUE_INITPROCESS:
1896 break;
1897
1898 case AUE_PIDFORTASK:
1899 if (ARG_IS_VALID(kar, ARG_MACHPORT1)) {
1900 tok = au_to_arg32(1, "port",
1901 (u_int32_t)ar->ar_arg_mach_port1);
1902 kau_write(rec, tok);
1903 }
1904 if (ARG_IS_VALID(kar, ARG_PID)) {
1905 tok = au_to_arg32(2, "pid", (u_int32_t)ar->ar_arg_pid);
1906 kau_write(rec, tok);
1907 }
1908 break;
1909
1910 case AUE_TASKFORPID:
1911 case AUE_TASKNAMEFORPID:
1912 if (ARG_IS_VALID(kar, ARG_MACHPORT1)) {
1913 tok = au_to_arg32(1, "target port",
1914 (u_int32_t)ar->ar_arg_mach_port1);
1915 kau_write(rec, tok);
1916 }
1917 if (ARG_IS_VALID(kar, ARG_MACHPORT2)) {
1918 tok = au_to_arg32(3, "task port",
1919 (u_int32_t)ar->ar_arg_mach_port2);
1920 kau_write(rec, tok);
1921 }
1922 PROCESS_PID_TOKENS(2);
1923 break;
1924
1925 case AUE_SWAPON:
1926 if (ARG_IS_VALID(kar, ARG_VALUE32)) {
1927 tok = au_to_arg32(4, "priority",
1928 (u_int32_t)ar->ar_arg_value32);
1929 kau_write(rec, tok);
1930 }
1931 UPATH1_VNODE1_TOKENS;
1932 break;
1933
1934 case AUE_SWAPOFF:
1935 UPATH1_VNODE1_TOKENS;
1936 break;
1937
1938 case AUE_MAPFD:
1939 if (ARG_IS_VALID(kar, ARG_ADDR64)) {
1940 tok = au_to_arg64(3, "va", ar->ar_arg_addr);
1941 kau_write(rec, tok);
1942 } else if (ARG_IS_VALID(kar, ARG_ADDR32)) {
1943 tok = au_to_arg32(3, "va",
1944 (u_int32_t)ar->ar_arg_addr);
1945 kau_write(rec, tok);
1946 }
1947 FD_VNODE1_TOKENS;
1948 break;
1949
1950 #if CONFIG_MACF
1951 case AUE_MAC_GET_FILE:
1952 case AUE_MAC_SET_FILE:
1953 case AUE_MAC_GET_LINK:
1954 case AUE_MAC_SET_LINK:
1955 case AUE_MAC_GET_MOUNT:
1956 UPATH1_VNODE1_TOKENS;
1957 PROCESS_MAC_TOKENS;
1958 break;
1959
1960 case AUE_MAC_GET_FD:
1961 case AUE_MAC_SET_FD:
1962 FD_VNODE1_TOKENS;
1963 PROCESS_MAC_TOKENS;
1964 break;
1965
1966 case AUE_MAC_SYSCALL:
1967 PROCESS_MAC_TOKENS;
1968 if (ARG_IS_VALID(kar, ARG_VALUE32)) {
1969 tok = au_to_arg32(3, "call", ar->ar_arg_value32);
1970 kau_write(rec, tok);
1971 }
1972 break;
1973
1974 case AUE_MAC_EXECVE:
1975 UPATH1_VNODE1_TOKENS;
1976 PROCESS_MAC_TOKENS;
1977 break;
1978
1979 case AUE_MAC_GET_PID:
1980 if (ARG_IS_VALID(kar, ARG_PID)) {
1981 tok = au_to_arg32(1, "pid", (u_int32_t)ar->ar_arg_pid);
1982 kau_write(rec, tok);
1983 }
1984 PROCESS_MAC_TOKENS;
1985 break;
1986
1987 case AUE_MAC_GET_LCID:
1988 if (ARG_IS_VALID(kar, ARG_VALUE32)) {
1989 tok = au_to_arg32(1, "lcid",
1990 (u_int32_t)ar->ar_arg_value32);
1991 kau_write(rec, tok);
1992 }
1993 PROCESS_MAC_TOKENS;
1994 break;
1995
1996 case AUE_MAC_GET_PROC:
1997 case AUE_MAC_SET_PROC:
1998 PROCESS_MAC_TOKENS;
1999 break;
2000 #endif
2001 case AUE_NULL:
2002 default:
2003 #if DIAGNOSTIC
2004 printf("BSM conversion requested for unknown event %d\n",
2005 ar->ar_event);
2006 #endif
2007
2008 /*
2009 * Write the subject token so it is properly freed here.
2010 */
2011 kau_write(rec, subj_tok);
2012 kau_free(rec);
2013 return BSM_NOAUDIT;
2014 }
2015
2016 #if CONFIG_MACF
2017 if (NULL != ar->ar_mac_records) {
2018 /* Convert the audit data from the MAC policies */
2019 struct mac_audit_record *mar;
2020
2021 LIST_FOREACH(mar, ar->ar_mac_records, records) {
2022 switch (mar->type) {
2023 case MAC_AUDIT_DATA_TYPE:
2024 tok = au_to_data(AUP_BINARY, AUR_BYTE,
2025 mar->length,
2026 (const char *)mar->data);
2027 break;
2028 case MAC_AUDIT_TEXT_TYPE:
2029 tok = au_to_text((char*) mar->data);
2030 break;
2031 default:
2032 /*
2033 * XXX: we can either continue,
2034 * skipping this particular entry,
2035 * or we can pre-verify the list and
2036 * abort before writing any records
2037 */
2038 printf("kaudit_to_bsm(): "
2039 "BSM conversion requested for"
2040 "unknown mac_audit data type %d\n",
2041 mar->type);
2042 }
2043
2044 kau_write(rec, tok);
2045 }
2046 }
2047 #endif
2048
2049 kau_write(rec, subj_tok);
2050
2051 #if CONFIG_MACF
2052 if (ar->ar_cred_mac_labels != NULL &&
2053 strlen(ar->ar_cred_mac_labels) != 0) {
2054 tok = au_to_text(ar->ar_cred_mac_labels);
2055 kau_write(rec, tok);
2056 }
2057 #endif
2058
2059 tok = au_to_return32(au_errno_to_bsm(ar->ar_errno), ar->ar_retval);
2060 kau_write(rec, tok); /* Every record gets a return token */
2061
2062 if (ARG_IS_VALID(kar, ARG_IDENTITY)) {
2063 struct au_identity_info *id = &ar->ar_arg_identity;
2064 tok = au_to_identity(id->signer_type, id->signing_id,
2065 id->signing_id_trunc, id->team_id, id->team_id_trunc,
2066 id->cdhash, id->cdhash_len);
2067 kau_write(rec, tok);
2068 }
2069
2070 rv = kau_close(rec, &ar->ar_endtime, ar->ar_event);
2071 if (rv != 0) {
2072 kau_free(rec);
2073 return BSM_FAILURE;
2074 }
2075
2076 *pau = rec;
2077 return BSM_SUCCESS;
2078 }
2079
2080 /*
2081 * Verify that a record is a valid BSM record. Return 1 if the
2082 * record is good, 0 otherwise.
2083 */
2084 int
bsm_rec_verify(void * rec,int length,boolean_t kern_events_allowed)2085 bsm_rec_verify(void *rec, int length, boolean_t kern_events_allowed)
2086 {
2087 /* Used to partially deserialize the buffer */
2088 struct hdr_tok_partial *hdr;
2089 struct trl_tok_partial *trl;
2090
2091 /* A record requires a complete header and trailer token */
2092 if (length < (AUDIT_HEADER_SIZE + AUDIT_TRAILER_SIZE)) {
2093 return 0;
2094 }
2095
2096 hdr = (struct hdr_tok_partial*)rec;
2097
2098 /* Ensure the provided length matches what the record shows */
2099 if ((uint32_t)length != ntohl(hdr->len)) {
2100 return 0;
2101 }
2102
2103 trl = (struct trl_tok_partial*)((uintptr_t)rec + (length - AUDIT_TRAILER_SIZE));
2104
2105 /* Ensure the buffer contains what look like header and trailer tokens */
2106 if (((hdr->type != AUT_HEADER32) && (hdr->type != AUT_HEADER32_EX) &&
2107 (hdr->type != AUT_HEADER64) && (hdr->type != AUT_HEADER64_EX)) ||
2108 (trl->type != AUT_TRAILER)) {
2109 return 0;
2110 }
2111
2112 /* Ensure the header and trailer agree on the length */
2113 if (hdr->len != trl->len) {
2114 return 0;
2115 }
2116
2117 /* Ensure the trailer token has a proper magic value */
2118 if (ntohs(trl->magic) != AUT_TRAILER_MAGIC) {
2119 return 0;
2120 }
2121
2122 if (!kern_events_allowed && AUE_IS_A_KEVENT(ntohs(hdr->e_type))) {
2123 return 0;
2124 }
2125
2126 return 1;
2127 }
2128 #endif /* CONFIG_AUDIT */
2129