2006-02-01 20:01:18 +00:00
|
|
|
/*
|
2008-07-22 15:29:48 +00:00
|
|
|
* Copyright (c) 1999-2005 Apple Inc.
|
2006-02-01 20:01:18 +00:00
|
|
|
* All rights reserved.
|
|
|
|
*
|
|
|
|
* Redistribution and use in source and binary forms, with or without
|
|
|
|
* modification, are permitted provided that the following conditions
|
|
|
|
* are met:
|
|
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
|
|
* notice, this list of conditions and the following disclaimer.
|
|
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
|
|
* documentation and/or other materials provided with the distribution.
|
2008-07-22 15:29:48 +00:00
|
|
|
* 3. Neither the name of Apple Inc. ("Apple") nor the names of
|
2006-02-01 20:01:18 +00:00
|
|
|
* its contributors may be used to endorse or promote products derived
|
|
|
|
* from this software without specific prior written permission.
|
|
|
|
*
|
|
|
|
* THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
|
|
|
|
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
|
|
* ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
|
|
|
|
* ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
|
|
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
|
|
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
|
|
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
|
|
|
|
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
|
|
|
|
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
|
|
|
* POSSIBILITY OF SUCH DAMAGE.
|
|
|
|
*/
|
|
|
|
|
2008-04-13 22:06:56 +00:00
|
|
|
#include <sys/cdefs.h>
|
|
|
|
__FBSDID("$FreeBSD$");
|
|
|
|
|
2006-02-01 20:01:18 +00:00
|
|
|
#include <sys/param.h>
|
|
|
|
#include <sys/vnode.h>
|
|
|
|
#include <sys/ipc.h>
|
|
|
|
#include <sys/lock.h>
|
|
|
|
#include <sys/malloc.h>
|
|
|
|
#include <sys/mutex.h>
|
|
|
|
#include <sys/socket.h>
|
2006-07-06 19:33:38 +00:00
|
|
|
#include <sys/extattr.h>
|
2006-02-01 20:01:18 +00:00
|
|
|
#include <sys/fcntl.h>
|
|
|
|
#include <sys/user.h>
|
|
|
|
#include <sys/systm.h>
|
|
|
|
|
|
|
|
#include <bsm/audit.h>
|
|
|
|
#include <bsm/audit_internal.h>
|
|
|
|
#include <bsm/audit_record.h>
|
|
|
|
#include <bsm/audit_kevents.h>
|
|
|
|
|
|
|
|
#include <security/audit/audit.h>
|
|
|
|
#include <security/audit/audit_private.h>
|
|
|
|
|
|
|
|
#include <netinet/in_systm.h>
|
|
|
|
#include <netinet/in.h>
|
|
|
|
#include <netinet/ip.h>
|
|
|
|
|
|
|
|
MALLOC_DEFINE(M_AUDITBSM, "audit_bsm", "Audit BSM data");
|
|
|
|
|
|
|
|
static void audit_sys_auditon(struct audit_record *ar,
|
|
|
|
struct au_record *rec);
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Initialize the BSM auditing subsystem.
|
|
|
|
*/
|
|
|
|
void
|
|
|
|
kau_init(void)
|
|
|
|
{
|
|
|
|
|
|
|
|
au_evclassmap_init();
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
2006-03-19 17:34:00 +00:00
|
|
|
* This call reserves memory for the audit record. Memory must be guaranteed
|
|
|
|
* before any auditable event can be generated. The au_record structure
|
|
|
|
* maintains a reference to the memory allocated above and also the list of
|
2008-07-22 16:02:21 +00:00
|
|
|
* tokens associated with this record.
|
2006-03-19 17:34:00 +00:00
|
|
|
*/
|
|
|
|
static struct au_record *
|
2006-02-01 20:01:18 +00:00
|
|
|
kau_open(void)
|
2006-03-19 17:34:00 +00:00
|
|
|
{
|
2006-02-01 20:01:18 +00:00
|
|
|
struct au_record *rec;
|
2006-03-19 17:34:00 +00:00
|
|
|
|
2006-02-01 20:01:18 +00:00
|
|
|
rec = malloc(sizeof(*rec), M_AUDITBSM, M_WAITOK);
|
2006-09-20 13:23:40 +00:00
|
|
|
rec->data = NULL;
|
2006-02-01 20:01:18 +00:00
|
|
|
TAILQ_INIT(&rec->token_q);
|
|
|
|
rec->len = 0;
|
|
|
|
rec->used = 1;
|
|
|
|
|
|
|
|
return (rec);
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Store the token with the record descriptor.
|
2006-03-19 17:34:00 +00:00
|
|
|
*/
|
2006-02-01 20:01:18 +00:00
|
|
|
static void
|
|
|
|
kau_write(struct au_record *rec, struct au_token *tok)
|
|
|
|
{
|
|
|
|
|
|
|
|
KASSERT(tok != NULL, ("kau_write: tok == NULL"));
|
|
|
|
|
|
|
|
TAILQ_INSERT_TAIL(&rec->token_q, tok, tokens);
|
|
|
|
rec->len += tok->len;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Close out the audit record by adding the header token, identifying any
|
|
|
|
* missing tokens. Write out the tokens to the record memory.
|
|
|
|
*/
|
|
|
|
static void
|
|
|
|
kau_close(struct au_record *rec, struct timespec *ctime, short event)
|
|
|
|
{
|
|
|
|
u_char *dptr;
|
|
|
|
size_t tot_rec_size;
|
|
|
|
token_t *cur, *hdr, *trail;
|
|
|
|
struct timeval tm;
|
2006-03-19 17:34:00 +00:00
|
|
|
|
2006-08-26 08:17:58 +00:00
|
|
|
tot_rec_size = rec->len + AUDIT_HEADER_SIZE + AUDIT_TRAILER_SIZE;
|
2006-09-20 13:23:40 +00:00
|
|
|
rec->data = malloc(tot_rec_size, M_AUDITBSM, M_WAITOK | M_ZERO);
|
2007-06-01 21:58:59 +00:00
|
|
|
|
2006-09-20 13:23:40 +00:00
|
|
|
tm.tv_usec = ctime->tv_nsec / 1000;
|
|
|
|
tm.tv_sec = ctime->tv_sec;
|
|
|
|
hdr = au_to_header32_tm(tot_rec_size, event, 0, tm);
|
|
|
|
TAILQ_INSERT_HEAD(&rec->token_q, hdr, tokens);
|
|
|
|
|
|
|
|
trail = au_to_trailer(tot_rec_size);
|
|
|
|
TAILQ_INSERT_TAIL(&rec->token_q, trail, tokens);
|
|
|
|
|
|
|
|
rec->len = tot_rec_size;
|
|
|
|
dptr = rec->data;
|
|
|
|
TAILQ_FOREACH(cur, &rec->token_q, tokens) {
|
|
|
|
memcpy(dptr, cur->t_data, cur->len);
|
|
|
|
dptr += cur->len;
|
2006-02-01 20:01:18 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
2006-03-19 17:34:00 +00:00
|
|
|
* Free a BSM audit record by releasing all the tokens and clearing the audit
|
|
|
|
* record information.
|
2006-02-01 20:01:18 +00:00
|
|
|
*/
|
|
|
|
void
|
|
|
|
kau_free(struct au_record *rec)
|
|
|
|
{
|
|
|
|
struct au_token *tok;
|
|
|
|
|
2006-03-19 17:34:00 +00:00
|
|
|
/* Free the token list. */
|
2006-02-01 20:01:18 +00:00
|
|
|
while ((tok = TAILQ_FIRST(&rec->token_q))) {
|
|
|
|
TAILQ_REMOVE(&rec->token_q, tok, tokens);
|
|
|
|
free(tok->t_data, M_AUDITBSM);
|
|
|
|
free(tok, M_AUDITBSM);
|
2006-03-19 17:34:00 +00:00
|
|
|
}
|
2006-02-01 20:01:18 +00:00
|
|
|
|
|
|
|
rec->used = 0;
|
2006-03-19 17:34:00 +00:00
|
|
|
rec->len = 0;
|
2006-02-01 20:01:18 +00:00
|
|
|
free(rec->data, M_AUDITBSM);
|
|
|
|
free(rec, M_AUDITBSM);
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
2007-06-01 21:58:59 +00:00
|
|
|
* XXX: May want turn some (or all) of these macros into functions in order
|
2008-07-22 15:54:10 +00:00
|
|
|
* to reduce the generated code size.
|
2006-02-01 20:01:18 +00:00
|
|
|
*
|
|
|
|
* XXXAUDIT: These macros assume that 'kar', 'ar', 'rec', and 'tok' in the
|
|
|
|
* caller are OK with this.
|
|
|
|
*/
|
2008-07-22 16:21:59 +00:00
|
|
|
#define UPATH1_TOKENS do { \
|
2006-02-01 20:01:18 +00:00
|
|
|
if (ARG_IS_VALID(kar, ARG_UPATH1)) { \
|
|
|
|
tok = au_to_path(ar->ar_arg_upath1); \
|
|
|
|
kau_write(rec, tok); \
|
|
|
|
} \
|
|
|
|
} while (0)
|
|
|
|
|
2008-07-22 16:21:59 +00:00
|
|
|
#define UPATH2_TOKENS do { \
|
2006-02-01 20:01:18 +00:00
|
|
|
if (ARG_IS_VALID(kar, ARG_UPATH2)) { \
|
|
|
|
tok = au_to_path(ar->ar_arg_upath2); \
|
|
|
|
kau_write(rec, tok); \
|
|
|
|
} \
|
|
|
|
} while (0)
|
|
|
|
|
2008-07-22 16:21:59 +00:00
|
|
|
#define VNODE1_TOKENS do { \
|
2008-07-22 16:44:48 +00:00
|
|
|
if (ARG_IS_VALID(kar, ARG_VNODE1)) { \
|
2006-02-01 20:01:18 +00:00
|
|
|
tok = au_to_attr32(&ar->ar_arg_vnode1); \
|
|
|
|
kau_write(rec, tok); \
|
|
|
|
} \
|
|
|
|
} while (0)
|
|
|
|
|
2008-07-22 16:21:59 +00:00
|
|
|
#define UPATH1_VNODE1_TOKENS do { \
|
2008-07-22 16:44:48 +00:00
|
|
|
if (ARG_IS_VALID(kar, ARG_UPATH1)) { \
|
2006-02-01 20:01:18 +00:00
|
|
|
UPATH1_TOKENS; \
|
|
|
|
} \
|
2008-07-22 16:44:48 +00:00
|
|
|
if (ARG_IS_VALID(kar, ARG_VNODE1)) { \
|
2006-02-01 20:01:18 +00:00
|
|
|
tok = au_to_attr32(&ar->ar_arg_vnode1); \
|
|
|
|
kau_write(rec, tok); \
|
|
|
|
} \
|
|
|
|
} while (0)
|
|
|
|
|
2008-07-22 16:21:59 +00:00
|
|
|
#define VNODE2_TOKENS do { \
|
2008-07-22 16:44:48 +00:00
|
|
|
if (ARG_IS_VALID(kar, ARG_VNODE2)) { \
|
2006-02-01 20:01:18 +00:00
|
|
|
tok = au_to_attr32(&ar->ar_arg_vnode2); \
|
|
|
|
kau_write(rec, tok); \
|
|
|
|
} \
|
|
|
|
} while (0)
|
|
|
|
|
2008-07-22 17:06:49 +00:00
|
|
|
#define FD_VNODE1_TOKENS do { \
|
2006-02-01 20:01:18 +00:00
|
|
|
if (ARG_IS_VALID(kar, ARG_VNODE1)) { \
|
|
|
|
if (ARG_IS_VALID(kar, ARG_FD)) { \
|
|
|
|
tok = au_to_arg32(1, "fd", ar->ar_arg_fd); \
|
|
|
|
kau_write(rec, tok); \
|
|
|
|
} \
|
|
|
|
tok = au_to_attr32(&ar->ar_arg_vnode1); \
|
|
|
|
kau_write(rec, tok); \
|
|
|
|
} else { \
|
|
|
|
if (ARG_IS_VALID(kar, ARG_FD)) { \
|
2006-03-19 17:34:00 +00:00
|
|
|
tok = au_to_arg32(1, "non-file: fd", \
|
|
|
|
ar->ar_arg_fd); \
|
2006-02-01 20:01:18 +00:00
|
|
|
kau_write(rec, tok); \
|
|
|
|
} \
|
|
|
|
} \
|
|
|
|
} while (0)
|
|
|
|
|
2008-07-22 16:21:59 +00:00
|
|
|
#define PROCESS_PID_TOKENS(argn) do { \
|
2006-06-05 16:12:00 +00:00
|
|
|
if ((ar->ar_arg_pid > 0) /* Reference a single process */ \
|
|
|
|
&& (ARG_IS_VALID(kar, ARG_PROCESS))) { \
|
2007-10-24 00:05:52 +00:00
|
|
|
tok = au_to_process32_ex(ar->ar_arg_auid, \
|
2006-06-05 16:12:00 +00:00
|
|
|
ar->ar_arg_euid, ar->ar_arg_egid, \
|
|
|
|
ar->ar_arg_ruid, ar->ar_arg_rgid, \
|
|
|
|
ar->ar_arg_pid, ar->ar_arg_asid, \
|
2007-10-24 00:05:52 +00:00
|
|
|
&ar->ar_arg_termid_addr); \
|
2006-06-05 16:12:00 +00:00
|
|
|
kau_write(rec, tok); \
|
|
|
|
} else if (ARG_IS_VALID(kar, ARG_PID)) { \
|
|
|
|
tok = au_to_arg32(argn, "process", ar->ar_arg_pid); \
|
|
|
|
kau_write(rec, tok); \
|
2006-02-01 20:01:18 +00:00
|
|
|
} \
|
2008-07-22 17:08:27 +00:00
|
|
|
} while (0)
|
2006-02-01 20:01:18 +00:00
|
|
|
|
2008-07-22 17:06:49 +00:00
|
|
|
#define EXTATTR_TOKENS do { \
|
2006-07-06 19:33:38 +00:00
|
|
|
if (ARG_IS_VALID(kar, ARG_VALUE)) { \
|
|
|
|
switch (ar->ar_arg_value) { \
|
|
|
|
case EXTATTR_NAMESPACE_USER: \
|
|
|
|
tok = au_to_text(EXTATTR_NAMESPACE_USER_STRING);\
|
|
|
|
break; \
|
|
|
|
case EXTATTR_NAMESPACE_SYSTEM: \
|
|
|
|
tok = au_to_text(EXTATTR_NAMESPACE_SYSTEM_STRING);\
|
|
|
|
break; \
|
|
|
|
default: \
|
|
|
|
tok = au_to_arg32(3, "attrnamespace", \
|
|
|
|
ar->ar_arg_value); \
|
|
|
|
break; \
|
|
|
|
} \
|
|
|
|
kau_write(rec, tok); \
|
|
|
|
} \
|
|
|
|
/* attrname is in the text field */ \
|
|
|
|
if (ARG_IS_VALID(kar, ARG_TEXT)) { \
|
|
|
|
tok = au_to_text(ar->ar_arg_text); \
|
|
|
|
kau_write(rec, tok); \
|
|
|
|
} \
|
|
|
|
} while (0)
|
|
|
|
|
2006-02-01 20:01:18 +00:00
|
|
|
/*
|
|
|
|
* Implement auditing for the auditon() system call. The audit tokens that
|
|
|
|
* are generated depend on the command that was sent into the auditon()
|
|
|
|
* system call.
|
|
|
|
*/
|
|
|
|
static void
|
|
|
|
audit_sys_auditon(struct audit_record *ar, struct au_record *rec)
|
|
|
|
{
|
|
|
|
struct au_token *tok;
|
|
|
|
|
|
|
|
switch (ar->ar_arg_cmd) {
|
2006-03-19 17:34:00 +00:00
|
|
|
case A_SETPOLICY:
|
2006-02-01 20:01:18 +00:00
|
|
|
if (sizeof(ar->ar_arg_auditon.au_flags) > 4)
|
2006-03-19 17:34:00 +00:00
|
|
|
tok = au_to_arg64(1, "policy",
|
|
|
|
ar->ar_arg_auditon.au_flags);
|
2006-02-01 20:01:18 +00:00
|
|
|
else
|
2006-03-19 17:34:00 +00:00
|
|
|
tok = au_to_arg32(1, "policy",
|
|
|
|
ar->ar_arg_auditon.au_flags);
|
2006-02-01 20:01:18 +00:00
|
|
|
kau_write(rec, tok);
|
|
|
|
break;
|
|
|
|
|
2006-03-19 17:34:00 +00:00
|
|
|
case A_SETKMASK:
|
|
|
|
tok = au_to_arg32(2, "setkmask:as_success",
|
|
|
|
ar->ar_arg_auditon.au_mask.am_success);
|
2006-02-01 20:01:18 +00:00
|
|
|
kau_write(rec, tok);
|
2006-03-19 17:34:00 +00:00
|
|
|
tok = au_to_arg32(2, "setkmask:as_failure",
|
|
|
|
ar->ar_arg_auditon.au_mask.am_failure);
|
2006-02-01 20:01:18 +00:00
|
|
|
kau_write(rec, tok);
|
|
|
|
break;
|
|
|
|
|
2006-03-19 17:34:00 +00:00
|
|
|
case A_SETQCTRL:
|
|
|
|
tok = au_to_arg32(3, "setqctrl:aq_hiwater",
|
|
|
|
ar->ar_arg_auditon.au_qctrl.aq_hiwater);
|
2006-02-01 20:01:18 +00:00
|
|
|
kau_write(rec, tok);
|
2006-03-19 17:34:00 +00:00
|
|
|
tok = au_to_arg32(3, "setqctrl:aq_lowater",
|
|
|
|
ar->ar_arg_auditon.au_qctrl.aq_lowater);
|
2006-02-01 20:01:18 +00:00
|
|
|
kau_write(rec, tok);
|
2006-03-19 17:34:00 +00:00
|
|
|
tok = au_to_arg32(3, "setqctrl:aq_bufsz",
|
|
|
|
ar->ar_arg_auditon.au_qctrl.aq_bufsz);
|
2006-02-01 20:01:18 +00:00
|
|
|
kau_write(rec, tok);
|
2006-03-19 17:34:00 +00:00
|
|
|
tok = au_to_arg32(3, "setqctrl:aq_delay",
|
|
|
|
ar->ar_arg_auditon.au_qctrl.aq_delay);
|
2006-02-01 20:01:18 +00:00
|
|
|
kau_write(rec, tok);
|
2006-03-19 17:34:00 +00:00
|
|
|
tok = au_to_arg32(3, "setqctrl:aq_minfree",
|
|
|
|
ar->ar_arg_auditon.au_qctrl.aq_minfree);
|
2006-02-01 20:01:18 +00:00
|
|
|
kau_write(rec, tok);
|
|
|
|
break;
|
|
|
|
|
2006-03-19 17:34:00 +00:00
|
|
|
case A_SETUMASK:
|
|
|
|
tok = au_to_arg32(3, "setumask:as_success",
|
|
|
|
ar->ar_arg_auditon.au_auinfo.ai_mask.am_success);
|
2006-02-01 20:01:18 +00:00
|
|
|
kau_write(rec, tok);
|
2006-03-19 17:34:00 +00:00
|
|
|
tok = au_to_arg32(3, "setumask:as_failure",
|
|
|
|
ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure);
|
2006-02-01 20:01:18 +00:00
|
|
|
kau_write(rec, tok);
|
|
|
|
break;
|
|
|
|
|
2006-03-19 17:34:00 +00:00
|
|
|
case A_SETSMASK:
|
|
|
|
tok = au_to_arg32(3, "setsmask:as_success",
|
|
|
|
ar->ar_arg_auditon.au_auinfo.ai_mask.am_success);
|
2006-02-01 20:01:18 +00:00
|
|
|
kau_write(rec, tok);
|
2006-03-19 17:34:00 +00:00
|
|
|
tok = au_to_arg32(3, "setsmask:as_failure",
|
|
|
|
ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure);
|
2006-02-01 20:01:18 +00:00
|
|
|
kau_write(rec, tok);
|
|
|
|
break;
|
|
|
|
|
2006-03-19 17:34:00 +00:00
|
|
|
case A_SETCOND:
|
2006-02-01 20:01:18 +00:00
|
|
|
if (sizeof(ar->ar_arg_auditon.au_cond) > 4)
|
2006-03-19 17:34:00 +00:00
|
|
|
tok = au_to_arg64(3, "setcond",
|
|
|
|
ar->ar_arg_auditon.au_cond);
|
2006-02-01 20:01:18 +00:00
|
|
|
else
|
2006-03-19 17:34:00 +00:00
|
|
|
tok = au_to_arg32(3, "setcond",
|
|
|
|
ar->ar_arg_auditon.au_cond);
|
2006-02-01 20:01:18 +00:00
|
|
|
kau_write(rec, tok);
|
|
|
|
break;
|
|
|
|
|
2006-03-19 17:34:00 +00:00
|
|
|
case A_SETCLASS:
|
2006-02-01 20:01:18 +00:00
|
|
|
tok = au_to_arg32(2, "setclass:ec_event",
|
2006-03-19 17:34:00 +00:00
|
|
|
ar->ar_arg_auditon.au_evclass.ec_number);
|
2006-02-01 20:01:18 +00:00
|
|
|
kau_write(rec, tok);
|
|
|
|
tok = au_to_arg32(3, "setclass:ec_class",
|
2006-03-19 17:34:00 +00:00
|
|
|
ar->ar_arg_auditon.au_evclass.ec_class);
|
2006-02-01 20:01:18 +00:00
|
|
|
kau_write(rec, tok);
|
|
|
|
break;
|
|
|
|
|
2006-03-19 17:34:00 +00:00
|
|
|
case A_SETPMASK:
|
|
|
|
tok = au_to_arg32(2, "setpmask:as_success",
|
|
|
|
ar->ar_arg_auditon.au_aupinfo.ap_mask.am_success);
|
2006-02-01 20:01:18 +00:00
|
|
|
kau_write(rec, tok);
|
2006-03-19 17:34:00 +00:00
|
|
|
tok = au_to_arg32(2, "setpmask:as_failure",
|
|
|
|
ar->ar_arg_auditon.au_aupinfo.ap_mask.am_failure);
|
2006-02-01 20:01:18 +00:00
|
|
|
kau_write(rec, tok);
|
|
|
|
break;
|
|
|
|
|
2006-03-19 17:34:00 +00:00
|
|
|
case A_SETFSIZE:
|
|
|
|
tok = au_to_arg32(2, "setfsize:filesize",
|
|
|
|
ar->ar_arg_auditon.au_fstat.af_filesz);
|
2006-02-01 20:01:18 +00:00
|
|
|
kau_write(rec, tok);
|
|
|
|
break;
|
|
|
|
|
|
|
|
default:
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
2006-03-19 17:34:00 +00:00
|
|
|
* Convert an internal kernel audit record to a BSM record and return a
|
|
|
|
* success/failure indicator. The BSM record is passed as an out parameter to
|
|
|
|
* this function.
|
|
|
|
*
|
2006-02-01 20:01:18 +00:00
|
|
|
* Return conditions:
|
|
|
|
* BSM_SUCCESS: The BSM record is valid
|
|
|
|
* BSM_FAILURE: Failure; the BSM record is NULL.
|
2006-03-19 17:34:00 +00:00
|
|
|
* BSM_NOAUDIT: The event is not auditable for BSM; the BSM record is NULL.
|
2006-02-01 20:01:18 +00:00
|
|
|
*/
|
|
|
|
int
|
|
|
|
kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau)
|
|
|
|
{
|
|
|
|
struct au_token *tok, *subj_tok;
|
|
|
|
struct au_record *rec;
|
|
|
|
au_tid_t tid;
|
|
|
|
struct audit_record *ar;
|
|
|
|
int ctr;
|
|
|
|
|
|
|
|
KASSERT(kar != NULL, ("kaudit_to_bsm: kar == NULL"));
|
|
|
|
|
|
|
|
*pau = NULL;
|
|
|
|
ar = &kar->k_ar;
|
|
|
|
rec = kau_open();
|
|
|
|
|
2008-07-22 17:49:30 +00:00
|
|
|
/*
|
|
|
|
* Create the subject token.
|
|
|
|
*/
|
2007-04-13 14:55:19 +00:00
|
|
|
switch (ar->ar_subj_term_addr.at_type) {
|
|
|
|
case AU_IPv4:
|
|
|
|
tid.port = ar->ar_subj_term_addr.at_port;
|
|
|
|
tid.machine = ar->ar_subj_term_addr.at_addr[0];
|
|
|
|
subj_tok = au_to_subject32(ar->ar_subj_auid, /* audit ID */
|
|
|
|
ar->ar_subj_cred.cr_uid, /* eff uid */
|
|
|
|
ar->ar_subj_egid, /* eff group id */
|
2008-07-22 16:44:48 +00:00
|
|
|
ar->ar_subj_ruid, /* real uid */
|
|
|
|
ar->ar_subj_rgid, /* real group id */
|
2007-04-13 14:55:19 +00:00
|
|
|
ar->ar_subj_pid, /* process id */
|
|
|
|
ar->ar_subj_asid, /* session ID */
|
|
|
|
&tid);
|
|
|
|
break;
|
|
|
|
case AU_IPv6:
|
|
|
|
subj_tok = au_to_subject32_ex(ar->ar_subj_auid,
|
|
|
|
ar->ar_subj_cred.cr_uid,
|
|
|
|
ar->ar_subj_egid,
|
|
|
|
ar->ar_subj_ruid,
|
|
|
|
ar->ar_subj_rgid,
|
|
|
|
ar->ar_subj_pid,
|
|
|
|
ar->ar_subj_asid,
|
|
|
|
&ar->ar_subj_term_addr);
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
bzero(&tid, sizeof(tid));
|
|
|
|
subj_tok = au_to_subject32(ar->ar_subj_auid,
|
|
|
|
ar->ar_subj_cred.cr_uid,
|
|
|
|
ar->ar_subj_egid,
|
|
|
|
ar->ar_subj_ruid,
|
|
|
|
ar->ar_subj_rgid,
|
|
|
|
ar->ar_subj_pid,
|
|
|
|
ar->ar_subj_asid,
|
|
|
|
&tid);
|
|
|
|
}
|
2006-02-01 20:01:18 +00:00
|
|
|
|
2006-03-19 17:34:00 +00:00
|
|
|
/*
|
|
|
|
* The logic inside each case fills in the tokens required for the
|
|
|
|
* event, except for the header, trailer, and return tokens. The
|
2006-02-01 20:01:18 +00:00
|
|
|
* header and trailer tokens are added by the kau_close() function.
|
|
|
|
* The return token is added outside of the switch statement.
|
|
|
|
*/
|
2006-03-19 17:34:00 +00:00
|
|
|
switch(ar->ar_event) {
|
2006-02-01 20:01:18 +00:00
|
|
|
case AUE_ACCEPT:
|
|
|
|
case AUE_BIND:
|
2008-01-18 19:50:34 +00:00
|
|
|
case AUE_LISTEN:
|
2006-02-01 20:01:18 +00:00
|
|
|
case AUE_CONNECT:
|
2006-10-03 20:43:48 +00:00
|
|
|
case AUE_RECV:
|
2006-02-01 20:01:18 +00:00
|
|
|
case AUE_RECVFROM:
|
2006-03-19 17:34:00 +00:00
|
|
|
case AUE_RECVMSG:
|
2006-10-03 20:43:48 +00:00
|
|
|
case AUE_SEND:
|
|
|
|
case AUE_SENDFILE:
|
2006-02-01 20:01:18 +00:00
|
|
|
case AUE_SENDMSG:
|
|
|
|
case AUE_SENDTO:
|
2006-03-19 17:34:00 +00:00
|
|
|
/*
|
|
|
|
* Socket-related events.
|
|
|
|
*/
|
2006-02-01 20:01:18 +00:00
|
|
|
if (ARG_IS_VALID(kar, ARG_FD)) {
|
|
|
|
tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
if (ARG_IS_VALID(kar, ARG_SADDRINET)) {
|
2006-03-19 17:34:00 +00:00
|
|
|
tok = au_to_sock_inet((struct sockaddr_in *)
|
|
|
|
&ar->ar_arg_sockaddr);
|
2006-02-01 20:01:18 +00:00
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
if (ARG_IS_VALID(kar, ARG_SADDRUNIX)) {
|
2006-03-19 17:34:00 +00:00
|
|
|
tok = au_to_sock_unix((struct sockaddr_un *)
|
|
|
|
&ar->ar_arg_sockaddr);
|
2006-02-01 20:01:18 +00:00
|
|
|
kau_write(rec, tok);
|
|
|
|
UPATH1_TOKENS;
|
|
|
|
}
|
|
|
|
/* XXX Need to handle ARG_SADDRINET6 */
|
|
|
|
break;
|
|
|
|
|
|
|
|
case AUE_SOCKET:
|
|
|
|
case AUE_SOCKETPAIR:
|
|
|
|
if (ARG_IS_VALID(kar, ARG_SOCKINFO)) {
|
|
|
|
tok = au_to_arg32(1,"domain",
|
|
|
|
ar->ar_arg_sockinfo.so_domain);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
tok = au_to_arg32(2,"type",
|
|
|
|
ar->ar_arg_sockinfo.so_type);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
tok = au_to_arg32(3,"protocol",
|
|
|
|
ar->ar_arg_sockinfo.so_protocol);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
|
|
|
|
case AUE_SETSOCKOPT:
|
|
|
|
case AUE_SHUTDOWN:
|
|
|
|
if (ARG_IS_VALID(kar, ARG_FD)) {
|
|
|
|
tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
|
|
|
|
case AUE_ACCT:
|
|
|
|
if (ARG_IS_VALID(kar, ARG_UPATH1)) {
|
|
|
|
UPATH1_VNODE1_TOKENS;
|
|
|
|
} else {
|
|
|
|
tok = au_to_arg32(1, "accounting off", 0);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
|
|
|
|
case AUE_SETAUID:
|
|
|
|
if (ARG_IS_VALID(kar, ARG_AUID)) {
|
|
|
|
tok = au_to_arg32(2, "setauid", ar->ar_arg_auid);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
|
|
|
|
case AUE_SETAUDIT:
|
2007-06-27 17:01:15 +00:00
|
|
|
if (ARG_IS_VALID(kar, ARG_AUID) &&
|
|
|
|
ARG_IS_VALID(kar, ARG_ASID) &&
|
|
|
|
ARG_IS_VALID(kar, ARG_AMASK) &&
|
|
|
|
ARG_IS_VALID(kar, ARG_TERMID)) {
|
2006-03-19 17:34:00 +00:00
|
|
|
tok = au_to_arg32(1, "setaudit:auid",
|
|
|
|
ar->ar_arg_auid);
|
2006-02-01 20:01:18 +00:00
|
|
|
kau_write(rec, tok);
|
2006-03-19 17:34:00 +00:00
|
|
|
tok = au_to_arg32(1, "setaudit:port",
|
|
|
|
ar->ar_arg_termid.port);
|
2006-02-01 20:01:18 +00:00
|
|
|
kau_write(rec, tok);
|
2006-03-19 17:34:00 +00:00
|
|
|
tok = au_to_arg32(1, "setaudit:machine",
|
|
|
|
ar->ar_arg_termid.machine);
|
2006-02-01 20:01:18 +00:00
|
|
|
kau_write(rec, tok);
|
2006-03-19 17:34:00 +00:00
|
|
|
tok = au_to_arg32(1, "setaudit:as_success",
|
|
|
|
ar->ar_arg_amask.am_success);
|
2006-02-01 20:01:18 +00:00
|
|
|
kau_write(rec, tok);
|
2006-03-19 17:34:00 +00:00
|
|
|
tok = au_to_arg32(1, "setaudit:as_failure",
|
|
|
|
ar->ar_arg_amask.am_failure);
|
2006-02-01 20:01:18 +00:00
|
|
|
kau_write(rec, tok);
|
2006-03-19 17:34:00 +00:00
|
|
|
tok = au_to_arg32(1, "setaudit:asid",
|
|
|
|
ar->ar_arg_asid);
|
2006-02-01 20:01:18 +00:00
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
|
|
|
|
case AUE_SETAUDIT_ADDR:
|
2007-06-27 17:01:15 +00:00
|
|
|
if (ARG_IS_VALID(kar, ARG_AUID) &&
|
|
|
|
ARG_IS_VALID(kar, ARG_ASID) &&
|
|
|
|
ARG_IS_VALID(kar, ARG_AMASK) &&
|
|
|
|
ARG_IS_VALID(kar, ARG_TERMID_ADDR)) {
|
|
|
|
tok = au_to_arg32(1, "setaudit_addr:auid",
|
|
|
|
ar->ar_arg_auid);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
tok = au_to_arg32(1, "setaudit_addr:as_success",
|
|
|
|
ar->ar_arg_amask.am_success);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
tok = au_to_arg32(1, "setaudit_addr:as_failure",
|
|
|
|
ar->ar_arg_amask.am_failure);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
tok = au_to_arg32(1, "setaudit_addr:asid",
|
|
|
|
ar->ar_arg_asid);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
tok = au_to_arg32(1, "setaudit_addr:type",
|
|
|
|
ar->ar_arg_termid_addr.at_type);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
tok = au_to_arg32(1, "setaudit_addr:port",
|
|
|
|
ar->ar_arg_termid_addr.at_port);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
if (ar->ar_arg_termid_addr.at_type == AU_IPv6)
|
|
|
|
tok = au_to_in_addr_ex((struct in6_addr *)
|
|
|
|
&ar->ar_arg_termid_addr.at_addr[0]);
|
|
|
|
if (ar->ar_arg_termid_addr.at_type == AU_IPv4)
|
|
|
|
tok = au_to_in_addr((struct in_addr *)
|
|
|
|
&ar->ar_arg_termid_addr.at_addr[0]);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
break;
|
2006-02-01 20:01:18 +00:00
|
|
|
|
|
|
|
case AUE_AUDITON:
|
2006-03-19 17:34:00 +00:00
|
|
|
/*
|
|
|
|
* For AUDITON commands without own event, audit the cmd.
|
|
|
|
*/
|
2006-02-01 20:01:18 +00:00
|
|
|
if (ARG_IS_VALID(kar, ARG_CMD)) {
|
|
|
|
tok = au_to_arg32(1, "cmd", ar->ar_arg_cmd);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
/* fall thru */
|
|
|
|
|
|
|
|
case AUE_AUDITON_GETCAR:
|
|
|
|
case AUE_AUDITON_GETCLASS:
|
|
|
|
case AUE_AUDITON_GETCOND:
|
|
|
|
case AUE_AUDITON_GETCWD:
|
|
|
|
case AUE_AUDITON_GETKMASK:
|
|
|
|
case AUE_AUDITON_GETSTAT:
|
|
|
|
case AUE_AUDITON_GPOLICY:
|
|
|
|
case AUE_AUDITON_GQCTRL:
|
|
|
|
case AUE_AUDITON_SETCLASS:
|
|
|
|
case AUE_AUDITON_SETCOND:
|
|
|
|
case AUE_AUDITON_SETKMASK:
|
|
|
|
case AUE_AUDITON_SETSMASK:
|
|
|
|
case AUE_AUDITON_SETSTAT:
|
|
|
|
case AUE_AUDITON_SETUMASK:
|
|
|
|
case AUE_AUDITON_SPOLICY:
|
|
|
|
case AUE_AUDITON_SQCTRL:
|
2006-03-19 17:34:00 +00:00
|
|
|
if (ARG_IS_VALID(kar, ARG_AUDITON))
|
2006-02-01 20:01:18 +00:00
|
|
|
audit_sys_auditon(ar, rec);
|
|
|
|
break;
|
2006-03-19 17:34:00 +00:00
|
|
|
|
2006-02-01 20:01:18 +00:00
|
|
|
case AUE_AUDITCTL:
|
|
|
|
UPATH1_VNODE1_TOKENS;
|
|
|
|
break;
|
|
|
|
|
|
|
|
case AUE_EXIT:
|
|
|
|
if (ARG_IS_VALID(kar, ARG_EXIT)) {
|
|
|
|
tok = au_to_exit(ar->ar_arg_exitretval,
|
|
|
|
ar->ar_arg_exitstatus);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
|
|
|
|
case AUE_ADJTIME:
|
2006-10-03 20:43:48 +00:00
|
|
|
case AUE_CLOCK_SETTIME:
|
2006-02-01 20:01:18 +00:00
|
|
|
case AUE_AUDIT:
|
2006-10-03 20:43:48 +00:00
|
|
|
case AUE_DUP2:
|
2006-02-01 20:01:18 +00:00
|
|
|
case AUE_GETAUDIT:
|
|
|
|
case AUE_GETAUDIT_ADDR:
|
|
|
|
case AUE_GETAUID:
|
2006-10-03 20:43:48 +00:00
|
|
|
case AUE_GETCWD:
|
2006-02-01 20:01:18 +00:00
|
|
|
case AUE_GETFSSTAT:
|
2006-10-03 20:43:48 +00:00
|
|
|
case AUE_GETRESUID:
|
|
|
|
case AUE_GETRESGID:
|
|
|
|
case AUE_KQUEUE:
|
|
|
|
case AUE_LSEEK:
|
|
|
|
case AUE_MODLOAD:
|
|
|
|
case AUE_MODUNLOAD:
|
|
|
|
case AUE_MSGSYS:
|
|
|
|
case AUE_NFS_SVC:
|
|
|
|
case AUE_NTP_ADJTIME:
|
2006-02-01 20:01:18 +00:00
|
|
|
case AUE_PIPE:
|
2006-10-03 20:43:48 +00:00
|
|
|
case AUE_PROFILE:
|
|
|
|
case AUE_RTPRIO:
|
|
|
|
case AUE_SEMSYS:
|
|
|
|
case AUE_SHMSYS:
|
2006-02-01 20:01:18 +00:00
|
|
|
case AUE_SETPGRP:
|
|
|
|
case AUE_SETRLIMIT:
|
|
|
|
case AUE_SETSID:
|
|
|
|
case AUE_SETTIMEOFDAY:
|
2006-10-03 20:43:48 +00:00
|
|
|
case AUE_SYSARCH:
|
|
|
|
|
2006-03-19 17:34:00 +00:00
|
|
|
/*
|
|
|
|
* Header, subject, and return tokens added at end.
|
|
|
|
*/
|
2006-02-01 20:01:18 +00:00
|
|
|
break;
|
|
|
|
|
2006-06-05 16:14:49 +00:00
|
|
|
case AUE_MKFIFO:
|
|
|
|
if (ARG_IS_VALID(kar, ARG_MODE)) {
|
|
|
|
tok = au_to_arg32(2, "mode", ar->ar_arg_mode);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
/* fall through */
|
2006-02-01 20:01:18 +00:00
|
|
|
case AUE_ACCESS:
|
|
|
|
case AUE_CHDIR:
|
|
|
|
case AUE_CHROOT:
|
2006-02-11 23:55:08 +00:00
|
|
|
case AUE_EACCESS:
|
2006-02-01 20:01:18 +00:00
|
|
|
case AUE_GETATTRLIST:
|
2006-10-03 20:43:48 +00:00
|
|
|
case AUE_JAIL:
|
2006-09-18 17:55:32 +00:00
|
|
|
case AUE_LUTIMES:
|
2006-02-01 20:01:18 +00:00
|
|
|
case AUE_NFS_GETFH:
|
|
|
|
case AUE_LSTAT:
|
|
|
|
case AUE_PATHCONF:
|
|
|
|
case AUE_READLINK:
|
|
|
|
case AUE_REVOKE:
|
|
|
|
case AUE_RMDIR:
|
|
|
|
case AUE_SEARCHFS:
|
|
|
|
case AUE_SETATTRLIST:
|
|
|
|
case AUE_STAT:
|
|
|
|
case AUE_STATFS:
|
2006-10-03 20:43:48 +00:00
|
|
|
case AUE_SWAPON:
|
|
|
|
case AUE_SWAPOFF:
|
2006-02-01 20:01:18 +00:00
|
|
|
case AUE_TRUNCATE:
|
|
|
|
case AUE_UNDELETE:
|
|
|
|
case AUE_UNLINK:
|
|
|
|
case AUE_UTIMES:
|
|
|
|
UPATH1_VNODE1_TOKENS;
|
|
|
|
break;
|
|
|
|
|
2006-10-03 20:43:48 +00:00
|
|
|
case AUE_FHSTATFS:
|
|
|
|
case AUE_FHOPEN:
|
|
|
|
case AUE_FHSTAT:
|
|
|
|
/* XXXRW: Need to audit vnode argument. */
|
|
|
|
break;
|
|
|
|
|
2006-02-01 20:01:18 +00:00
|
|
|
case AUE_CHFLAGS:
|
|
|
|
case AUE_LCHFLAGS:
|
|
|
|
if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
|
|
|
|
tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
UPATH1_VNODE1_TOKENS;
|
|
|
|
break;
|
2006-03-19 17:34:00 +00:00
|
|
|
|
2006-02-01 20:01:18 +00:00
|
|
|
case AUE_CHMOD:
|
|
|
|
case AUE_LCHMOD:
|
|
|
|
if (ARG_IS_VALID(kar, ARG_MODE)) {
|
2006-03-19 17:34:00 +00:00
|
|
|
tok = au_to_arg32(2, "new file mode",
|
|
|
|
ar->ar_arg_mode);
|
2006-02-01 20:01:18 +00:00
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
UPATH1_VNODE1_TOKENS;
|
|
|
|
break;
|
2006-03-19 17:34:00 +00:00
|
|
|
|
2006-02-01 20:01:18 +00:00
|
|
|
case AUE_CHOWN:
|
|
|
|
case AUE_LCHOWN:
|
|
|
|
if (ARG_IS_VALID(kar, ARG_UID)) {
|
|
|
|
tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
if (ARG_IS_VALID(kar, ARG_GID)) {
|
|
|
|
tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
UPATH1_VNODE1_TOKENS;
|
|
|
|
break;
|
2006-03-19 17:34:00 +00:00
|
|
|
|
2006-02-01 20:01:18 +00:00
|
|
|
case AUE_EXCHANGEDATA:
|
|
|
|
UPATH1_VNODE1_TOKENS;
|
|
|
|
UPATH2_TOKENS;
|
|
|
|
break;
|
|
|
|
|
|
|
|
case AUE_CLOSE:
|
|
|
|
if (ARG_IS_VALID(kar, ARG_FD)) {
|
|
|
|
tok = au_to_arg32(2, "fd", ar->ar_arg_fd);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
UPATH1_VNODE1_TOKENS;
|
|
|
|
break;
|
|
|
|
|
Implement AUE_CORE, which adds process core dump support into the kernel.
This change introduces audit_proc_coredump() which is called by coredump(9)
to create an audit record for the coredump event. When a process
dumps a core, it could be security relevant. It could be an indicator that
a stack within the process has been overflowed with an incorrectly constructed
malicious payload or a number of other events.
The record that is generated looks like this:
header,111,10,process dumped core,0,Thu Oct 25 19:36:29 2007, + 179 msec
argument,0,0xb,signal
path,/usr/home/csjp/test.core
subject,csjp,csjp,staff,csjp,staff,1101,1095,50457,10.37.129.2
return,success,1
trailer,111
- We allocate a completely new record to make sure we arent clobbering
the audit data associated with the syscall that produced the core
(assuming the core is being generated in response to SIGABRT and not
an invalid memory access).
- Shuffle around expand_name() so we can use the coredump name at the very
beginning of the coredump call. Make sure we free the storage referenced
by "name" if we need to bail out early.
- Audit both successful and failed coredump creation efforts
Obtained from: TrustedBSD Project
Reviewed by: rwatson
MFC after: 1 month
2007-10-26 01:23:07 +00:00
|
|
|
case AUE_CORE:
|
|
|
|
if (ARG_IS_VALID(kar, ARG_SIGNUM)) {
|
|
|
|
tok = au_to_arg32(0, "signal", ar->ar_arg_signum);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
UPATH1_VNODE1_TOKENS;
|
|
|
|
break;
|
|
|
|
|
2006-07-06 19:33:38 +00:00
|
|
|
case AUE_EXTATTRCTL:
|
|
|
|
UPATH1_VNODE1_TOKENS;
|
|
|
|
if (ARG_IS_VALID(kar, ARG_CMD)) {
|
|
|
|
tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
/* extattrctl(2) filename parameter is in upath2/vnode2 */
|
|
|
|
UPATH2_TOKENS;
|
|
|
|
VNODE2_TOKENS;
|
|
|
|
EXTATTR_TOKENS;
|
|
|
|
break;
|
|
|
|
|
|
|
|
case AUE_EXTATTR_GET_FILE:
|
|
|
|
case AUE_EXTATTR_SET_FILE:
|
|
|
|
case AUE_EXTATTR_LIST_FILE:
|
|
|
|
case AUE_EXTATTR_DELETE_FILE:
|
|
|
|
case AUE_EXTATTR_GET_LINK:
|
|
|
|
case AUE_EXTATTR_SET_LINK:
|
|
|
|
case AUE_EXTATTR_LIST_LINK:
|
|
|
|
case AUE_EXTATTR_DELETE_LINK:
|
|
|
|
UPATH1_VNODE1_TOKENS;
|
|
|
|
EXTATTR_TOKENS;
|
|
|
|
break;
|
|
|
|
|
|
|
|
case AUE_EXTATTR_GET_FD:
|
|
|
|
case AUE_EXTATTR_SET_FD:
|
|
|
|
case AUE_EXTATTR_LIST_FD:
|
|
|
|
case AUE_EXTATTR_DELETE_FD:
|
|
|
|
if (ARG_IS_VALID(kar, ARG_FD)) {
|
|
|
|
tok = au_to_arg32(2, "fd", ar->ar_arg_fd);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
EXTATTR_TOKENS;
|
|
|
|
break;
|
|
|
|
|
2008-08-25 13:50:01 +00:00
|
|
|
case AUE_FEXECVE:
|
|
|
|
if (ARG_IS_VALID(kar, ARG_FD)) {
|
|
|
|
tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
/* FALLTHROUGH */
|
|
|
|
|
2006-09-01 11:45:40 +00:00
|
|
|
case AUE_EXECVE:
|
|
|
|
if (ARG_IS_VALID(kar, ARG_ARGV)) {
|
|
|
|
tok = au_to_exec_args(ar->ar_arg_argv,
|
|
|
|
ar->ar_arg_argc);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
if (ARG_IS_VALID(kar, ARG_ENVV)) {
|
|
|
|
tok = au_to_exec_env(ar->ar_arg_envv,
|
|
|
|
ar->ar_arg_envc);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
UPATH1_VNODE1_TOKENS;
|
|
|
|
break;
|
|
|
|
|
2006-02-01 20:01:18 +00:00
|
|
|
case AUE_FCHMOD:
|
|
|
|
if (ARG_IS_VALID(kar, ARG_MODE)) {
|
2006-03-19 17:34:00 +00:00
|
|
|
tok = au_to_arg32(2, "new file mode",
|
|
|
|
ar->ar_arg_mode);
|
2006-02-01 20:01:18 +00:00
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
FD_VNODE1_TOKENS;
|
|
|
|
break;
|
2006-03-19 17:34:00 +00:00
|
|
|
|
2006-10-03 20:43:48 +00:00
|
|
|
/*
|
|
|
|
* XXXRW: Some of these need to handle non-vnode cases as well.
|
|
|
|
*/
|
2006-02-01 20:01:18 +00:00
|
|
|
case AUE_FCHDIR:
|
|
|
|
case AUE_FPATHCONF:
|
2006-10-03 20:43:48 +00:00
|
|
|
case AUE_FSTAT:
|
2006-02-01 20:01:18 +00:00
|
|
|
case AUE_FSTATFS:
|
|
|
|
case AUE_FSYNC:
|
|
|
|
case AUE_FTRUNCATE:
|
|
|
|
case AUE_FUTIMES:
|
|
|
|
case AUE_GETDIRENTRIES:
|
|
|
|
case AUE_GETDIRENTRIESATTR:
|
2006-10-03 20:43:48 +00:00
|
|
|
case AUE_POLL:
|
|
|
|
case AUE_READ:
|
|
|
|
case AUE_READV:
|
|
|
|
case AUE_WRITE:
|
|
|
|
case AUE_WRITEV:
|
2006-02-01 20:01:18 +00:00
|
|
|
FD_VNODE1_TOKENS;
|
|
|
|
break;
|
2006-03-19 17:34:00 +00:00
|
|
|
|
2006-02-01 20:01:18 +00:00
|
|
|
case AUE_FCHOWN:
|
|
|
|
if (ARG_IS_VALID(kar, ARG_UID)) {
|
|
|
|
tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
if (ARG_IS_VALID(kar, ARG_GID)) {
|
|
|
|
tok = au_to_arg32(3, "new file gid", ar->ar_arg_gid);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
FD_VNODE1_TOKENS;
|
|
|
|
break;
|
2006-03-19 17:34:00 +00:00
|
|
|
|
2006-02-01 20:01:18 +00:00
|
|
|
case AUE_FCNTL:
|
|
|
|
if (ar->ar_arg_cmd == F_GETLK || ar->ar_arg_cmd == F_SETLK ||
|
2008-07-22 17:49:30 +00:00
|
|
|
ar->ar_arg_cmd == F_SETLKW) {
|
2006-02-01 20:01:18 +00:00
|
|
|
if (ARG_IS_VALID(kar, ARG_CMD)) {
|
|
|
|
tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
FD_VNODE1_TOKENS;
|
|
|
|
}
|
|
|
|
break;
|
2006-03-19 17:34:00 +00:00
|
|
|
|
2006-02-01 20:01:18 +00:00
|
|
|
case AUE_FCHFLAGS:
|
|
|
|
if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
|
|
|
|
tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
FD_VNODE1_TOKENS;
|
|
|
|
break;
|
2006-03-19 17:34:00 +00:00
|
|
|
|
2006-02-01 20:01:18 +00:00
|
|
|
case AUE_FLOCK:
|
|
|
|
if (ARG_IS_VALID(kar, ARG_CMD)) {
|
|
|
|
tok = au_to_arg32(2, "operation", ar->ar_arg_cmd);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
FD_VNODE1_TOKENS;
|
|
|
|
break;
|
2006-03-19 17:34:00 +00:00
|
|
|
|
2006-02-01 20:01:18 +00:00
|
|
|
case AUE_RFORK:
|
|
|
|
if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
|
|
|
|
tok = au_to_arg32(1, "flags", ar->ar_arg_fflags);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
/* fall through */
|
|
|
|
case AUE_FORK:
|
|
|
|
case AUE_VFORK:
|
|
|
|
if (ARG_IS_VALID(kar, ARG_PID)) {
|
|
|
|
tok = au_to_arg32(0, "child PID", ar->ar_arg_pid);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
break;
|
2006-03-19 17:34:00 +00:00
|
|
|
|
2006-02-01 20:01:18 +00:00
|
|
|
case AUE_IOCTL:
|
|
|
|
if (ARG_IS_VALID(kar, ARG_CMD)) {
|
|
|
|
tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
if (ARG_IS_VALID(kar, ARG_ADDR)) {
|
2006-02-04 00:14:06 +00:00
|
|
|
tok = au_to_arg32(1, "arg",
|
|
|
|
(u_int32_t)(uintptr_t)ar->ar_arg_addr);
|
2006-02-01 20:01:18 +00:00
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
2006-03-19 17:34:00 +00:00
|
|
|
if (ARG_IS_VALID(kar, ARG_VNODE1))
|
2006-02-01 20:01:18 +00:00
|
|
|
FD_VNODE1_TOKENS;
|
2006-03-19 17:34:00 +00:00
|
|
|
else {
|
2006-02-01 20:01:18 +00:00
|
|
|
if (ARG_IS_VALID(kar, ARG_SOCKINFO)) {
|
2006-03-19 17:34:00 +00:00
|
|
|
tok = kau_to_socket(&ar->ar_arg_sockinfo);
|
2006-02-01 20:01:18 +00:00
|
|
|
kau_write(rec, tok);
|
|
|
|
} else {
|
|
|
|
if (ARG_IS_VALID(kar, ARG_FD)) {
|
|
|
|
tok = au_to_arg32(1, "fd",
|
|
|
|
ar->ar_arg_fd);
|
2008-07-22 16:44:48 +00:00
|
|
|
kau_write(rec, tok);
|
2006-02-01 20:01:18 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
|
|
|
|
case AUE_KILL:
|
2006-10-03 20:43:48 +00:00
|
|
|
case AUE_KILLPG:
|
2006-02-01 20:01:18 +00:00
|
|
|
if (ARG_IS_VALID(kar, ARG_SIGNUM)) {
|
|
|
|
tok = au_to_arg32(2, "signal", ar->ar_arg_signum);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
PROCESS_PID_TOKENS(1);
|
|
|
|
break;
|
|
|
|
|
|
|
|
case AUE_KTRACE:
|
|
|
|
if (ARG_IS_VALID(kar, ARG_CMD)) {
|
|
|
|
tok = au_to_arg32(2, "ops", ar->ar_arg_cmd);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
if (ARG_IS_VALID(kar, ARG_VALUE)) {
|
|
|
|
tok = au_to_arg32(3, "trpoints", ar->ar_arg_value);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
PROCESS_PID_TOKENS(4);
|
|
|
|
UPATH1_VNODE1_TOKENS;
|
|
|
|
break;
|
|
|
|
|
|
|
|
case AUE_LINK:
|
|
|
|
case AUE_RENAME:
|
|
|
|
UPATH1_VNODE1_TOKENS;
|
|
|
|
UPATH2_TOKENS;
|
|
|
|
break;
|
|
|
|
|
|
|
|
case AUE_LOADSHFILE:
|
|
|
|
if (ARG_IS_VALID(kar, ARG_ADDR)) {
|
|
|
|
tok = au_to_arg32(4, "base addr",
|
2006-02-04 00:14:06 +00:00
|
|
|
(u_int32_t)(uintptr_t)ar->ar_arg_addr);
|
2006-02-01 20:01:18 +00:00
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
UPATH1_VNODE1_TOKENS;
|
|
|
|
break;
|
2006-03-19 17:34:00 +00:00
|
|
|
|
2006-02-01 20:01:18 +00:00
|
|
|
case AUE_MKDIR:
|
|
|
|
if (ARG_IS_VALID(kar, ARG_MODE)) {
|
|
|
|
tok = au_to_arg32(2, "mode", ar->ar_arg_mode);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
UPATH1_VNODE1_TOKENS;
|
|
|
|
break;
|
|
|
|
|
|
|
|
case AUE_MKNOD:
|
|
|
|
if (ARG_IS_VALID(kar, ARG_MODE)) {
|
|
|
|
tok = au_to_arg32(2, "mode", ar->ar_arg_mode);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
if (ARG_IS_VALID(kar, ARG_DEV)) {
|
|
|
|
tok = au_to_arg32(3, "dev", ar->ar_arg_dev);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
UPATH1_VNODE1_TOKENS;
|
|
|
|
break;
|
|
|
|
|
|
|
|
case AUE_MMAP:
|
|
|
|
case AUE_MUNMAP:
|
|
|
|
case AUE_MPROTECT:
|
|
|
|
case AUE_MLOCK:
|
|
|
|
case AUE_MUNLOCK:
|
|
|
|
case AUE_MINHERIT:
|
|
|
|
if (ARG_IS_VALID(kar, ARG_ADDR)) {
|
|
|
|
tok = au_to_arg32(1, "addr",
|
2006-02-04 00:14:06 +00:00
|
|
|
(u_int32_t)(uintptr_t)ar->ar_arg_addr);
|
2006-02-01 20:01:18 +00:00
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
if (ARG_IS_VALID(kar, ARG_LEN)) {
|
|
|
|
tok = au_to_arg32(2, "len", ar->ar_arg_len);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
if (ar->ar_event == AUE_MMAP)
|
|
|
|
FD_VNODE1_TOKENS;
|
|
|
|
if (ar->ar_event == AUE_MPROTECT) {
|
|
|
|
if (ARG_IS_VALID(kar, ARG_VALUE)) {
|
|
|
|
tok = au_to_arg32(3, "protection",
|
|
|
|
ar->ar_arg_value);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if (ar->ar_event == AUE_MINHERIT) {
|
|
|
|
if (ARG_IS_VALID(kar, ARG_VALUE)) {
|
|
|
|
tok = au_to_arg32(3, "inherit",
|
|
|
|
ar->ar_arg_value);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
|
|
|
|
case AUE_MOUNT:
|
2006-10-03 20:43:48 +00:00
|
|
|
case AUE_NMOUNT:
|
2006-02-01 20:01:18 +00:00
|
|
|
/* XXX Need to handle NFS mounts */
|
|
|
|
if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
|
|
|
|
tok = au_to_arg32(3, "flags", ar->ar_arg_fflags);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
if (ARG_IS_VALID(kar, ARG_TEXT)) {
|
|
|
|
tok = au_to_text(ar->ar_arg_text);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
/* fall through */
|
2006-03-19 17:34:00 +00:00
|
|
|
|
2006-02-01 20:01:18 +00:00
|
|
|
case AUE_UMOUNT:
|
|
|
|
UPATH1_VNODE1_TOKENS;
|
|
|
|
break;
|
|
|
|
|
|
|
|
case AUE_MSGCTL:
|
2008-02-25 20:28:00 +00:00
|
|
|
ar->ar_event = audit_msgctl_to_event(ar->ar_arg_svipc_cmd);
|
2006-02-01 20:01:18 +00:00
|
|
|
/* Fall through */
|
2006-03-19 17:34:00 +00:00
|
|
|
|
2006-02-01 20:01:18 +00:00
|
|
|
case AUE_MSGRCV:
|
|
|
|
case AUE_MSGSND:
|
|
|
|
tok = au_to_arg32(1, "msg ID", ar->ar_arg_svipc_id);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
if (ar->ar_errno != EINVAL) {
|
|
|
|
tok = au_to_ipc(AT_IPC_MSG, ar->ar_arg_svipc_id);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
|
|
|
|
case AUE_MSGGET:
|
|
|
|
if (ar->ar_errno == 0) {
|
|
|
|
if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
|
|
|
|
tok = au_to_ipc(AT_IPC_MSG,
|
|
|
|
ar->ar_arg_svipc_id);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
|
|
|
|
case AUE_RESETSHFILE:
|
|
|
|
if (ARG_IS_VALID(kar, ARG_ADDR)) {
|
|
|
|
tok = au_to_arg32(1, "base addr",
|
2006-02-04 00:14:06 +00:00
|
|
|
(u_int32_t)(uintptr_t)ar->ar_arg_addr);
|
2006-02-01 20:01:18 +00:00
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
break;
|
2006-03-19 17:34:00 +00:00
|
|
|
|
2006-02-01 20:01:18 +00:00
|
|
|
case AUE_OPEN_RC:
|
|
|
|
case AUE_OPEN_RTC:
|
|
|
|
case AUE_OPEN_RWC:
|
|
|
|
case AUE_OPEN_RWTC:
|
|
|
|
case AUE_OPEN_WC:
|
|
|
|
case AUE_OPEN_WTC:
|
2006-10-03 20:43:48 +00:00
|
|
|
case AUE_CREAT:
|
2006-02-01 20:01:18 +00:00
|
|
|
if (ARG_IS_VALID(kar, ARG_MODE)) {
|
|
|
|
tok = au_to_arg32(3, "mode", ar->ar_arg_mode);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
/* fall through */
|
|
|
|
|
|
|
|
case AUE_OPEN_R:
|
|
|
|
case AUE_OPEN_RT:
|
|
|
|
case AUE_OPEN_RW:
|
|
|
|
case AUE_OPEN_RWT:
|
|
|
|
case AUE_OPEN_W:
|
|
|
|
case AUE_OPEN_WT:
|
|
|
|
if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
|
|
|
|
tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
UPATH1_VNODE1_TOKENS;
|
|
|
|
break;
|
|
|
|
|
|
|
|
case AUE_PTRACE:
|
|
|
|
if (ARG_IS_VALID(kar, ARG_CMD)) {
|
|
|
|
tok = au_to_arg32(1, "request", ar->ar_arg_cmd);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
if (ARG_IS_VALID(kar, ARG_ADDR)) {
|
|
|
|
tok = au_to_arg32(3, "addr",
|
2006-02-04 00:14:06 +00:00
|
|
|
(u_int32_t)(uintptr_t)ar->ar_arg_addr);
|
2006-02-01 20:01:18 +00:00
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
if (ARG_IS_VALID(kar, ARG_VALUE)) {
|
|
|
|
tok = au_to_arg32(4, "data", ar->ar_arg_value);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
PROCESS_PID_TOKENS(2);
|
|
|
|
break;
|
|
|
|
|
|
|
|
case AUE_QUOTACTL:
|
|
|
|
if (ARG_IS_VALID(kar, ARG_CMD)) {
|
|
|
|
tok = au_to_arg32(2, "command", ar->ar_arg_cmd);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
if (ARG_IS_VALID(kar, ARG_UID)) {
|
|
|
|
tok = au_to_arg32(3, "uid", ar->ar_arg_uid);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
UPATH1_VNODE1_TOKENS;
|
|
|
|
break;
|
|
|
|
|
|
|
|
case AUE_REBOOT:
|
|
|
|
if (ARG_IS_VALID(kar, ARG_CMD)) {
|
|
|
|
tok = au_to_arg32(1, "howto", ar->ar_arg_cmd);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
|
|
|
|
case AUE_SEMCTL:
|
2008-02-25 20:28:00 +00:00
|
|
|
ar->ar_event = audit_semctl_to_event(ar->ar_arg_svipc_cmd);
|
2006-02-01 20:01:18 +00:00
|
|
|
/* Fall through */
|
2006-03-19 17:34:00 +00:00
|
|
|
|
2006-02-01 20:01:18 +00:00
|
|
|
case AUE_SEMOP:
|
|
|
|
if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
|
|
|
|
tok = au_to_arg32(1, "sem ID", ar->ar_arg_svipc_id);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
if (ar->ar_errno != EINVAL) {
|
|
|
|
tok = au_to_ipc(AT_IPC_SEM,
|
|
|
|
ar->ar_arg_svipc_id);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
break;
|
2006-03-19 17:34:00 +00:00
|
|
|
|
2006-02-01 20:01:18 +00:00
|
|
|
case AUE_SEMGET:
|
|
|
|
if (ar->ar_errno == 0) {
|
|
|
|
if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
|
|
|
|
tok = au_to_ipc(AT_IPC_SEM,
|
|
|
|
ar->ar_arg_svipc_id);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
break;
|
2006-03-19 17:34:00 +00:00
|
|
|
|
2006-02-01 20:01:18 +00:00
|
|
|
case AUE_SETEGID:
|
|
|
|
if (ARG_IS_VALID(kar, ARG_EGID)) {
|
|
|
|
tok = au_to_arg32(1, "gid", ar->ar_arg_egid);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
break;
|
2006-03-19 17:34:00 +00:00
|
|
|
|
2006-02-01 20:01:18 +00:00
|
|
|
case AUE_SETEUID:
|
|
|
|
if (ARG_IS_VALID(kar, ARG_EUID)) {
|
|
|
|
tok = au_to_arg32(1, "uid", ar->ar_arg_euid);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
break;
|
2006-03-19 17:34:00 +00:00
|
|
|
|
2006-02-01 20:01:18 +00:00
|
|
|
case AUE_SETREGID:
|
|
|
|
if (ARG_IS_VALID(kar, ARG_RGID)) {
|
|
|
|
tok = au_to_arg32(1, "rgid", ar->ar_arg_rgid);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
if (ARG_IS_VALID(kar, ARG_EGID)) {
|
|
|
|
tok = au_to_arg32(2, "egid", ar->ar_arg_egid);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
break;
|
2006-03-19 17:34:00 +00:00
|
|
|
|
2006-02-01 20:01:18 +00:00
|
|
|
case AUE_SETREUID:
|
|
|
|
if (ARG_IS_VALID(kar, ARG_RUID)) {
|
|
|
|
tok = au_to_arg32(1, "ruid", ar->ar_arg_ruid);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
if (ARG_IS_VALID(kar, ARG_EUID)) {
|
|
|
|
tok = au_to_arg32(2, "euid", ar->ar_arg_euid);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
break;
|
2006-03-19 17:34:00 +00:00
|
|
|
|
2006-02-01 20:01:18 +00:00
|
|
|
case AUE_SETRESGID:
|
|
|
|
if (ARG_IS_VALID(kar, ARG_RGID)) {
|
|
|
|
tok = au_to_arg32(1, "rgid", ar->ar_arg_rgid);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
if (ARG_IS_VALID(kar, ARG_EGID)) {
|
|
|
|
tok = au_to_arg32(2, "egid", ar->ar_arg_egid);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
if (ARG_IS_VALID(kar, ARG_SGID)) {
|
|
|
|
tok = au_to_arg32(3, "sgid", ar->ar_arg_sgid);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
break;
|
2006-03-19 17:34:00 +00:00
|
|
|
|
2006-02-01 20:01:18 +00:00
|
|
|
case AUE_SETRESUID:
|
|
|
|
if (ARG_IS_VALID(kar, ARG_RUID)) {
|
|
|
|
tok = au_to_arg32(1, "ruid", ar->ar_arg_ruid);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
if (ARG_IS_VALID(kar, ARG_EUID)) {
|
|
|
|
tok = au_to_arg32(2, "euid", ar->ar_arg_euid);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
if (ARG_IS_VALID(kar, ARG_SUID)) {
|
|
|
|
tok = au_to_arg32(3, "suid", ar->ar_arg_suid);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
break;
|
2006-03-19 17:34:00 +00:00
|
|
|
|
2006-02-01 20:01:18 +00:00
|
|
|
case AUE_SETGID:
|
|
|
|
if (ARG_IS_VALID(kar, ARG_GID)) {
|
|
|
|
tok = au_to_arg32(1, "gid", ar->ar_arg_gid);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
break;
|
2006-03-19 17:34:00 +00:00
|
|
|
|
2006-02-01 20:01:18 +00:00
|
|
|
case AUE_SETUID:
|
|
|
|
if (ARG_IS_VALID(kar, ARG_UID)) {
|
|
|
|
tok = au_to_arg32(1, "uid", ar->ar_arg_uid);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
break;
|
2006-03-19 17:34:00 +00:00
|
|
|
|
2006-02-01 20:01:18 +00:00
|
|
|
case AUE_SETGROUPS:
|
|
|
|
if (ARG_IS_VALID(kar, ARG_GROUPSET)) {
|
|
|
|
for(ctr = 0; ctr < ar->ar_arg_groups.gidset_size; ctr++)
|
|
|
|
{
|
2008-01-18 19:57:21 +00:00
|
|
|
tok = au_to_arg32(1, "setgroups",
|
|
|
|
ar->ar_arg_groups.gidset[ctr]);
|
2006-02-01 20:01:18 +00:00
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
|
|
|
|
case AUE_SETLOGIN:
|
|
|
|
if (ARG_IS_VALID(kar, ARG_TEXT)) {
|
|
|
|
tok = au_to_text(ar->ar_arg_text);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
|
|
|
|
case AUE_SETPRIORITY:
|
|
|
|
if (ARG_IS_VALID(kar, ARG_CMD)) {
|
|
|
|
tok = au_to_arg32(1, "which", ar->ar_arg_cmd);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
if (ARG_IS_VALID(kar, ARG_UID)) {
|
|
|
|
tok = au_to_arg32(2, "who", ar->ar_arg_uid);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
if (ARG_IS_VALID(kar, ARG_VALUE)) {
|
|
|
|
tok = au_to_arg32(2, "priority", ar->ar_arg_value);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
|
|
|
|
case AUE_SETPRIVEXEC:
|
|
|
|
if (ARG_IS_VALID(kar, ARG_VALUE)) {
|
|
|
|
tok = au_to_arg32(1, "flag", ar->ar_arg_value);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
|
|
|
|
/* AUE_SHMAT, AUE_SHMCTL, AUE_SHMDT and AUE_SHMGET are SysV IPC */
|
|
|
|
case AUE_SHMAT:
|
|
|
|
if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
|
|
|
|
tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
/* XXXAUDIT: Does having the ipc token make sense? */
|
|
|
|
tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) {
|
|
|
|
tok = au_to_arg32(2, "shmaddr",
|
2006-02-04 00:14:06 +00:00
|
|
|
(int)(uintptr_t)ar->ar_arg_svipc_addr);
|
2006-02-01 20:01:18 +00:00
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) {
|
|
|
|
tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
|
|
|
|
case AUE_SHMCTL:
|
|
|
|
if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
|
|
|
|
tok = au_to_arg32(1, "shmid", ar->ar_arg_svipc_id);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
/* XXXAUDIT: Does having the ipc token make sense? */
|
|
|
|
tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
switch (ar->ar_arg_svipc_cmd) {
|
|
|
|
case IPC_STAT:
|
|
|
|
ar->ar_event = AUE_SHMCTL_STAT;
|
|
|
|
break;
|
|
|
|
case IPC_RMID:
|
|
|
|
ar->ar_event = AUE_SHMCTL_RMID;
|
|
|
|
break;
|
|
|
|
case IPC_SET:
|
|
|
|
ar->ar_event = AUE_SHMCTL_SET;
|
|
|
|
if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) {
|
|
|
|
tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
break; /* We will audit a bad command */
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
|
|
|
|
case AUE_SHMDT:
|
|
|
|
if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) {
|
|
|
|
tok = au_to_arg32(1, "shmaddr",
|
2006-02-04 00:14:06 +00:00
|
|
|
(int)(uintptr_t)ar->ar_arg_svipc_addr);
|
2006-02-01 20:01:18 +00:00
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
|
|
|
|
case AUE_SHMGET:
|
|
|
|
/* This is unusual; the return value is in an argument token */
|
|
|
|
if (ARG_IS_VALID(kar, ARG_SVIPC_ID)) {
|
|
|
|
tok = au_to_arg32(0, "shmid", ar->ar_arg_svipc_id);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
tok = au_to_ipc(AT_IPC_SHM, ar->ar_arg_svipc_id);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
if (ARG_IS_VALID(kar, ARG_SVIPC_PERM)) {
|
|
|
|
tok = au_to_ipc_perm(&ar->ar_arg_svipc_perm);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
|
2006-03-19 17:34:00 +00:00
|
|
|
/* AUE_SHMOPEN, AUE_SHMUNLINK, AUE_SEMOPEN, AUE_SEMCLOSE
|
2006-02-01 20:01:18 +00:00
|
|
|
* and AUE_SEMUNLINK are Posix IPC */
|
|
|
|
case AUE_SHMOPEN:
|
|
|
|
if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) {
|
|
|
|
tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
if (ARG_IS_VALID(kar, ARG_MODE)) {
|
|
|
|
tok = au_to_arg32(3, "mode", ar->ar_arg_mode);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
case AUE_SHMUNLINK:
|
|
|
|
if (ARG_IS_VALID(kar, ARG_TEXT)) {
|
|
|
|
tok = au_to_text(ar->ar_arg_text);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
if (ARG_IS_VALID(kar, ARG_POSIX_IPC_PERM)) {
|
|
|
|
struct ipc_perm perm;
|
2008-07-22 17:49:30 +00:00
|
|
|
|
2006-02-01 20:01:18 +00:00
|
|
|
perm.uid = ar->ar_arg_pipc_perm.pipc_uid;
|
|
|
|
perm.gid = ar->ar_arg_pipc_perm.pipc_gid;
|
|
|
|
perm.cuid = ar->ar_arg_pipc_perm.pipc_uid;
|
|
|
|
perm.cgid = ar->ar_arg_pipc_perm.pipc_gid;
|
|
|
|
perm.mode = ar->ar_arg_pipc_perm.pipc_mode;
|
|
|
|
perm.seq = 0;
|
|
|
|
perm.key = 0;
|
|
|
|
tok = au_to_ipc_perm(&perm);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
|
|
|
|
case AUE_SEMOPEN:
|
|
|
|
if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
|
|
|
|
tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
if (ARG_IS_VALID(kar, ARG_MODE)) {
|
|
|
|
tok = au_to_arg32(3, "mode", ar->ar_arg_mode);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
if (ARG_IS_VALID(kar, ARG_VALUE)) {
|
|
|
|
tok = au_to_arg32(4, "value", ar->ar_arg_value);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
/* fall through */
|
2006-03-19 17:34:00 +00:00
|
|
|
|
2006-02-01 20:01:18 +00:00
|
|
|
case AUE_SEMUNLINK:
|
|
|
|
if (ARG_IS_VALID(kar, ARG_TEXT)) {
|
|
|
|
tok = au_to_text(ar->ar_arg_text);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
if (ARG_IS_VALID(kar, ARG_POSIX_IPC_PERM)) {
|
|
|
|
struct ipc_perm perm;
|
2008-07-22 17:49:30 +00:00
|
|
|
|
2006-02-01 20:01:18 +00:00
|
|
|
perm.uid = ar->ar_arg_pipc_perm.pipc_uid;
|
|
|
|
perm.gid = ar->ar_arg_pipc_perm.pipc_gid;
|
|
|
|
perm.cuid = ar->ar_arg_pipc_perm.pipc_uid;
|
|
|
|
perm.cgid = ar->ar_arg_pipc_perm.pipc_gid;
|
|
|
|
perm.mode = ar->ar_arg_pipc_perm.pipc_mode;
|
|
|
|
perm.seq = 0;
|
|
|
|
perm.key = 0;
|
|
|
|
tok = au_to_ipc_perm(&perm);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
|
|
|
|
case AUE_SEMCLOSE:
|
|
|
|
if (ARG_IS_VALID(kar, ARG_FD)) {
|
|
|
|
tok = au_to_arg32(1, "sem", ar->ar_arg_fd);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
|
|
|
|
case AUE_SYMLINK:
|
|
|
|
if (ARG_IS_VALID(kar, ARG_TEXT)) {
|
|
|
|
tok = au_to_text(ar->ar_arg_text);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
UPATH1_VNODE1_TOKENS;
|
|
|
|
break;
|
|
|
|
|
|
|
|
case AUE_SYSCTL:
|
2008-07-22 17:54:32 +00:00
|
|
|
case AUE_SYSCTL_NONADMIN:
|
2006-02-01 20:01:18 +00:00
|
|
|
if (ARG_IS_VALID(kar, ARG_CTLNAME | ARG_LEN)) {
|
|
|
|
for (ctr = 0; ctr < ar->ar_arg_len; ctr++) {
|
2006-03-19 17:34:00 +00:00
|
|
|
tok = au_to_arg32(1, "name",
|
|
|
|
ar->ar_arg_ctlname[ctr]);
|
|
|
|
kau_write(rec, tok);
|
2006-02-01 20:01:18 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
if (ARG_IS_VALID(kar, ARG_VALUE)) {
|
|
|
|
tok = au_to_arg32(5, "newval", ar->ar_arg_value);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
if (ARG_IS_VALID(kar, ARG_TEXT)) {
|
|
|
|
tok = au_to_text(ar->ar_arg_text);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
|
|
|
|
case AUE_UMASK:
|
|
|
|
if (ARG_IS_VALID(kar, ARG_MASK)) {
|
|
|
|
tok = au_to_arg32(1, "new mask", ar->ar_arg_mask);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
tok = au_to_arg32(0, "prev mask", ar->ar_retval);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
break;
|
|
|
|
|
|
|
|
case AUE_WAIT4:
|
|
|
|
if (ARG_IS_VALID(kar, ARG_PID)) {
|
|
|
|
tok = au_to_arg32(0, "pid", ar->ar_arg_pid);
|
|
|
|
kau_write(rec, tok);
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
|
2006-10-03 20:43:48 +00:00
|
|
|
case AUE_NULL:
|
2006-03-19 17:34:00 +00:00
|
|
|
default:
|
2006-02-01 20:01:18 +00:00
|
|
|
printf("BSM conversion requested for unknown event %d\n",
|
2006-03-19 17:34:00 +00:00
|
|
|
ar->ar_event);
|
2008-07-22 17:49:30 +00:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Write the subject token so it is properly freed here.
|
|
|
|
*/
|
2006-02-01 20:01:18 +00:00
|
|
|
kau_write(rec, subj_tok);
|
|
|
|
kau_free(rec);
|
|
|
|
return (BSM_NOAUDIT);
|
|
|
|
}
|
|
|
|
|
2006-03-19 17:34:00 +00:00
|
|
|
kau_write(rec, subj_tok);
|
2006-02-01 20:01:18 +00:00
|
|
|
tok = au_to_return32((char)ar->ar_errno, ar->ar_retval);
|
|
|
|
kau_write(rec, tok); /* Every record gets a return token */
|
|
|
|
|
|
|
|
kau_close(rec, &ar->ar_endtime, ar->ar_event);
|
|
|
|
|
|
|
|
*pau = rec;
|
|
|
|
return (BSM_SUCCESS);
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
2006-03-19 17:34:00 +00:00
|
|
|
* Verify that a record is a valid BSM record. This verification is simple
|
|
|
|
* now, but may be expanded on sometime in the future. Return 1 if the
|
|
|
|
* record is good, 0 otherwise.
|
2006-02-01 20:01:18 +00:00
|
|
|
*/
|
|
|
|
int
|
|
|
|
bsm_rec_verify(void *rec)
|
|
|
|
{
|
|
|
|
char c = *(char *)rec;
|
2006-03-19 17:34:00 +00:00
|
|
|
|
|
|
|
/*
|
2006-02-01 20:01:18 +00:00
|
|
|
* Check the token ID of the first token; it has to be a header
|
|
|
|
* token.
|
2006-03-19 17:34:00 +00:00
|
|
|
*
|
|
|
|
* XXXAUDIT There needs to be a token structure to map a token.
|
2006-02-01 20:01:18 +00:00
|
|
|
* XXXAUDIT 'Shouldn't be simply looking at the first char.
|
|
|
|
*/
|
2006-03-19 17:34:00 +00:00
|
|
|
if ((c != AUT_HEADER32) && (c != AUT_HEADER32_EX) &&
|
|
|
|
(c != AUT_HEADER64) && (c != AUT_HEADER64_EX))
|
2006-02-01 20:01:18 +00:00
|
|
|
return (0);
|
|
|
|
return (1);
|
|
|
|
}
|