LXR darwin-xnu/bsd/kern/kern_bsm

   1/*
   2 * Copyright (c) 2004 Apple Computer, Inc. All rights reserved.
   3 *
   4 * @APPLE_LICENSE_HEADER_START@
   5 * 
   6 * The contents of this file constitute Original Code as defined in and
   7 * are subject to the Apple Public Source License Version 1.1 (the
   8 * "License").  You may not use this file except in compliance with the
   9 * License.  Please obtain a copy of the License at
  10 * http://www.apple.com/publicsource and read it before using this file.
  11 * 
  12 * This Original Code and all software distributed under the License are
  13 * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
  14 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
  15 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
  16 * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT.  Please see the
  17 * License for the specific language governing rights and limitations
  18 * under the License.
  19 * 
  20 * @APPLE_LICENSE_HEADER_END@
  21 */
  22
  23#include <sys/systm.h>
  24#include <sys/types.h>
  25#include <sys/proc_internal.h>
  26#include <sys/vnode_internal.h>
  27#include <sys/fcntl.h>
  28#include <sys/filedesc.h>
  29#include <sys/sem.h>
  30
  31#include <bsm/audit.h>
  32#include <bsm/audit_kernel.h>
  33#include <bsm/audit_kevents.h>
  34#include <bsm/audit_klib.h>
  35
  36/*
  37 * Initialize the system call to audit event mapping table. This table 
  38 * must be kept in sync with the system call table. This table is meant to
  39 * be directly accessed. 
  40 * XXX This should be improved, though, to make it independent of the syscall
  41 * table (but we don't want to traverse a large table for every system call
  42 * to find a match). Ultimately, it would be best to place the audit event
  43 * number in the system call table.
  44 */
  45au_event_t sys_au_event[] = {
  46        AUE_NULL,                       /*   0 = indir */
  47        AUE_EXIT,                       /*   1 = exit */
  48        AUE_FORK,                       /*   2 = fork */
  49        AUE_NULL,                       /*   3 = read */
  50        AUE_NULL,                       /*   4 = write */
  51        AUE_OPEN_RWTC,                  /*   5 = open */
  52        AUE_CLOSE,                      /*   6 = close */
  53        AUE_NULL,                       /*   7 = wait4 */
  54        AUE_O_CREAT,                    /*   8 = old creat */
  55        AUE_LINK,                       /*   9 = link */
  56        AUE_UNLINK,                     /*  10 = unlink */
  57        AUE_NULL,                       /*  11 was obsolete execv */
  58        AUE_CHDIR,                      /*  12 = chdir */
  59        AUE_FCHDIR,                     /*  13 = fchdir */
  60        AUE_MKNOD,                      /*  14 = mknod */
  61        AUE_CHMOD,                      /*  15 = chmod */
  62        AUE_CHOWN,                      /*  16 = chown; now 3 args */
  63        AUE_NULL,                       /*  17 = old break */
  64#if COMPAT_GETFSSTAT
  65        AUE_GETFSSTAT,                  /*  18 = getfsstat */
  66#else
  67        AUE_NULL,                       /*  18 = ogetfsstat */
  68#endif
  69        AUE_NULL,                       /*  19 = old lseek */
  70        AUE_NULL,                       /*  20 = getpid */
  71        AUE_NULL,                       /*  21 was obsolete mount */
  72        AUE_NULL,                       /*  22 was obsolete umount */
  73        AUE_SETUID,                     /*  23 = setuid */
  74        AUE_NULL,                       /*  24 = getuid */
  75        AUE_NULL,                       /*  25 = geteuid */
  76        AUE_PTRACE,                     /*  26 = ptrace */
  77        AUE_RECVMSG,                    /*  27 = recvmsg */
  78        AUE_SENDMSG,                    /*  28 = sendmsg */
  79        AUE_RECVFROM,                   /*  29 = recvfrom */
  80        AUE_ACCEPT,                     /*  30 = accept */
  81        AUE_NULL,                       /*  31 = getpeername */
  82        AUE_NULL,                       /*  32 = getsockname */
  83        AUE_ACCESS,                     /*  33 = access */
  84        AUE_CHFLAGS,                    /* 34 = chflags */
  85        AUE_FCHFLAGS,                   /* 35 = fchflags */
  86        AUE_NULL,                       /*  36 = sync */
  87        AUE_KILL,                       /*  37 = kill */
  88        AUE_O_STAT,                     /*  38 = old stat */
  89        AUE_NULL,                       /*  39 = getppid */
  90        AUE_O_LSTAT,                    /*  40 = old lstat */
  91        AUE_NULL,                       /*  41 = dup */
  92        AUE_PIPE,                       /*  42 = pipe */
  93        AUE_NULL,                       /*  43 = getegid */
  94        AUE_NULL,                       /*  44 = profil */
  95        AUE_KTRACE,                     /*  45 = ktrace */
  96        AUE_NULL,                       /*  46 = sigaction */
  97        AUE_NULL,                       /*  47 = getgid */
  98        AUE_NULL,                       /*  48 = sigprocmask */
  99        AUE_NULL,                       /*  49 = getlogin */
 100        AUE_SETLOGIN,                   /*  50 = setlogin */
 101        AUE_ACCT,                       /*  51 = turn acct off/on */
 102        AUE_NULL,                       /*  52 = sigpending */
 103        AUE_NULL,                       /*  53 = sigaltstack */
 104        AUE_IOCTL,                      /*  54 = ioctl */
 105        AUE_REBOOT,                     /*  55 = reboot */
 106        AUE_REVOKE,                     /*  56 = revoke */
 107        AUE_SYMLINK,                    /*  57 = symlink */
 108        AUE_READLINK,                   /*  58 = readlink */
 109        AUE_EXECVE,                     /*  59 = execve */
 110        AUE_UMASK,                      /*  60 = umask */
 111        AUE_CHROOT,                     /*  61 = chroot */
 112        AUE_O_FSTAT,                    /*  62 = old fstat */
 113        AUE_NULL,                       /*  63 = used internally, reserved */
 114        AUE_NULL,                       /*  64 = old getpagesize */
 115        AUE_NULL,                       /*  65 = msync */
 116        AUE_VFORK,                      /*  66 = vfork */
 117        AUE_NULL,                       /*  67 was obsolete vread */
 118        AUE_NULL,                       /*  68 was obsolete vwrite */
 119        AUE_NULL,                       /*  69 = sbrk */
 120        AUE_NULL,                       /*  70 = sstk */
 121        AUE_O_MMAP,                     /*  71 = old mmap */
 122        AUE_NULL,                       /*  72 = old vadvise */
 123        AUE_MUNMAP,                     /*  73 = munmap */
 124        AUE_MPROTECT,                   /*  74 = mprotect */
 125        AUE_NULL,                       /*  75 = madvise */
 126        AUE_NULL,                       /*  76 was obsolete vhangup */
 127        AUE_NULL,                       /*  77 was obsolete vlimit */
 128        AUE_NULL,                       /*  78 = mincore */
 129        AUE_NULL,                       /*  79 = getgroups */
 130        AUE_SETGROUPS,                  /*  80 = setgroups */
 131        AUE_NULL,                       /*  81 = getpgrp */
 132        AUE_SETPGRP,                    /*  82 = setpgid */
 133        AUE_NULL,                       /*  83 = setitimer */
 134        AUE_NULL,                       /*  84 = old wait */
 135        AUE_NULL,                       /*  85 = swapon */
 136        AUE_NULL,                       /*  86 = getitimer */
 137        AUE_NULL,                       /*  87 = old gethostname */
 138        AUE_O_SETHOSTNAME,              /*  88 = old sethostname */
 139        AUE_NULL,                       /* 89 getdtablesize */
 140        AUE_NULL,                       /*  90 = dup2 */
 141        AUE_NULL,                       /*  91 was obsolete getdopt */
 142        AUE_FCNTL,                      /*  92 = fcntl */
 143        AUE_NULL,                       /*  93 = select */
 144        AUE_NULL,                       /*  94 was obsolete setdopt */
 145        AUE_NULL,                       /*  95 = fsync */
 146        AUE_SETPRIORITY,                /*  96 = setpriority */
 147        AUE_SOCKET,                     /*  97 = socket */
 148        AUE_CONNECT,                    /*  98 = connect */
 149        AUE_NULL,                       /*  99 = accept */
 150        AUE_NULL,                       /* 100 = getpriority */
 151        AUE_O_SEND,                     /* 101 = old send */
 152        AUE_O_RECV,                     /* 102 = old recv */
 153        AUE_NULL,                       /* 103 = sigreturn */
 154        AUE_BIND,                       /* 104 = bind */
 155        AUE_SETSOCKOPT,                 /* 105 = setsockopt */
 156        AUE_NULL,                       /* 106 = listen */
 157        AUE_NULL,                       /* 107 was vtimes */
 158        AUE_NULL,                       /* 108 = sigvec */
 159        AUE_NULL,                       /* 109 = sigblock */
 160        AUE_NULL,                       /* 110 = sigsetmask */
 161        AUE_NULL,                       /* 111 = sigpause */
 162        AUE_NULL,                       /* 112 = sigstack */
 163        AUE_O_RECVMSG,                  /* 113 = recvmsg */
 164        AUE_O_SENDMSG,                  /* 114 = sendmsg */
 165        AUE_NULL,                       /* 115 = old vtrace */
 166        AUE_NULL,                       /* 116 = gettimeofday */
 167        AUE_NULL,                       /* 117 = getrusage */
 168        AUE_NULL,                       /* 118 = getsockopt */
 169        AUE_NULL,                       /* 119 = old resuba */
 170        AUE_NULL,                       /* 120 = readv */
 171        AUE_NULL,                       /* 121 = writev */
 172        AUE_SETTIMEOFDAY,               /* 122 = settimeofday */
 173        AUE_FCHOWN,                     /* 123 = fchown */
 174        AUE_FCHMOD,                     /* 124 = fchmod */
 175        AUE_O_RECVFROM,                 /* 125 = recvfrom */
 176        AUE_NULL,                       /* 126 = setreuid */
 177        AUE_NULL,                       /* 127 = setregid */
 178        AUE_RENAME,                     /* 128 = rename */
 179        AUE_O_TRUNCATE,                 /* 129 = old truncate */
 180        AUE_O_FTRUNCATE,                /* 130 = old ftruncate */
 181        AUE_FLOCK,                      /* 131 = flock */
 182        AUE_MKFIFO,                     /* 132 = mkfifo */
 183        AUE_SENDTO,                     /* 133 = sendto */
 184        AUE_SHUTDOWN,                   /* 134 = shutdown */
 185        AUE_SOCKETPAIR,                 /* 135 = socketpair */
 186        AUE_MKDIR,                      /* 136 = mkdir */
 187        AUE_RMDIR,                      /* 137 = rmdir */
 188        AUE_UTIMES,                     /* 138 = utimes */
 189        AUE_FUTIMES,                    /* 139 = futimes */
 190        AUE_ADJTIME,                    /* 140 = adjtime */
 191        AUE_NULL,                       /* 141 = getpeername */
 192        AUE_NULL,                       /* 142 = old gethostid */
 193        AUE_NULL,                       /* 143 = old sethostid */
 194        AUE_NULL,                       /* 144 = old getrlimit */
 195        AUE_O_SETRLIMIT,                /* 145 = old setrlimit */
 196        AUE_O_KILLPG,                   /* 146 = old killpg */
 197        AUE_SETSID,                     /* 147 = setsid */
 198        AUE_NULL,                       /* 148 was setquota */
 199        AUE_NULL,                       /* 149 was qquota */
 200        AUE_NULL,                       /* 150 = getsockname */
 201        AUE_NULL,                       /* 151 = getpgid */
 202        AUE_SETPRIVEXEC,                /* 152 = setprivexec */
 203        AUE_NULL,                       /* 153 = pread */
 204        AUE_NULL,                       /* 154 = pwrite */
 205        AUE_NFSSVC,                     /* 155 = nfs_svc */
 206        AUE_O_GETDIRENTRIES,            /* 156 = old getdirentries */
 207        AUE_STATFS,                     /* 157 = statfs */
 208        AUE_FSTATFS,                    /* 158 = fstatfs */
 209        AUE_UNMOUNT,                    /* 159 = unmount */
 210        AUE_NULL,                       /* 160 was async_daemon */
 211        AUE_GETFH,                      /* 161 = get file handle */
 212        AUE_NULL,                       /* 162 = getdomainname */
 213        AUE_O_SETDOMAINNAME,            /* 163 = setdomainname */
 214        AUE_NULL,                       /* 164 */
 215#if     QUOTA
 216        AUE_QUOTACTL,                   /* 165 = quotactl */
 217#else   /* QUOTA */
 218        AUE_NULL,                       /* 165 = not configured */
 219#endif  /* QUOTA */
 220        AUE_NULL,                       /* 166 was exportfs */
 221        AUE_MOUNT,                      /* 167 = mount */
 222        AUE_NULL,                       /* 168 was ustat */
 223        AUE_NULL,                       /* 169 = nosys */
 224        AUE_NULL,                       /* 170 was table */
 225        AUE_NULL,                       /* 171 = old wait3 */
 226        AUE_NULL,                       /* 172 was rpause */
 227        AUE_NULL,                       /* 173 = nosys */
 228        AUE_NULL,                       /* 174 was getdents */
 229        AUE_NULL,                       /* 175 was gc_control */
 230        AUE_NULL,                       /* 176 = add_profil */
 231        AUE_NULL,                       /* 177 */
 232        AUE_NULL,                       /* 178 */
 233        AUE_NULL,                       /* 179 */
 234        AUE_NULL,                       /* 180 */
 235        AUE_SETGID,                     /* 181 */
 236        AUE_SETEGID,                    /* 182 */
 237        AUE_SETEUID,                    /* 183 */
 238        AUE_NULL,                       /* 184 = nosys */
 239        AUE_NULL,                       /* 185 = nosys */
 240        AUE_NULL,                       /* 186 = nosys */
 241        AUE_NULL,                       /* 187 = nosys */
 242        AUE_STAT,                       /* 188 = stat */
 243        AUE_FSTAT,                      /* 189 = fstat */
 244        AUE_LSTAT,                      /* 190 = lstat */
 245        AUE_PATHCONF,                   /* 191 = pathconf */
 246        AUE_FPATHCONF,                  /* 192 = fpathconf */
 247#if COMPAT_GETFSSTAT
 248        AUE_GETFSSTAT,                  /* 193 = getfsstat */
 249#else
 250        AUE_NULL,                       /* 193 is unused */ 
 251#endif
 252        AUE_NULL,                       /* 194 = getrlimit */
 253        AUE_SETRLIMIT,                  /* 195 = setrlimit */
 254        AUE_GETDIRENTRIES,              /* 196 = getdirentries */
 255        AUE_MMAP,                       /* 197 = mmap */
 256        AUE_NULL,                       /* 198 = __syscall */
 257        AUE_NULL,                       /* 199 = lseek */
 258        AUE_TRUNCATE,                   /* 200 = truncate */
 259        AUE_FTRUNCATE,                  /* 201 = ftruncate */
 260        AUE_SYSCTL,                     /* 202 = __sysctl */
 261        AUE_MLOCK,                      /* 203 = mlock */
 262        AUE_MUNLOCK,                    /* 204 = munlock */
 263        AUE_UNDELETE,                   /* 205 = undelete */
 264        AUE_NULL,                       /* 206 = ATsocket */
 265        AUE_NULL,                       /* 207 = ATgetmsg*/
 266        AUE_NULL,                       /* 208 = ATputmsg*/
 267        AUE_NULL,                       /* 209 = ATPsndreq*/
 268        AUE_NULL,                       /* 210 = ATPsndrsp*/
 269        AUE_NULL,                       /* 211 = ATPgetreq*/
 270        AUE_NULL,                       /* 212 = ATPgetrsp*/
 271        AUE_NULL,                       /* 213 = Reserved for AppleTalk */
 272        AUE_NULL,                       /* 214 = Reserved for AppleTalk */
 273        AUE_NULL,                       /* 215 = Reserved for AppleTalk */
 274        
 275        AUE_NULL,       /* 216 = HFS make complex file call (multipel forks */
 276        AUE_NULL,       /* 217 = HFS statv extended stat call for HFS */
 277        AUE_NULL,       /* 218 = HFS lstatv extended lstat call for HFS */      
 278        AUE_NULL,       /* 219 = HFS fstatv extended fstat call for HFS */
 279        AUE_GETATTRLIST,/* 220 = HFS getarrtlist get attribute list cal */
 280        AUE_SETATTRLIST,/* 221 = HFS setattrlist set attribute list */
 281        AUE_GETDIRENTRIESATTR,/* 222 = HFS getdirentriesattr get directory attributes */
 282        AUE_EXCHANGEDATA,/* 223 = HFS exchangedata exchange file contents */
 283        AUE_CHECKUSERACCESS,/* 224 = HFS checkuseraccess check access to file */
 284        AUE_SEARCHFS,   /* 225 = HFS searchfs to implement catalog searching */
 285        AUE_DELETE,     /* 226 = private delete (Carbon semantics) */
 286        AUE_NULL,       /* 227 = copyfile - orignally for AFP */
 287        AUE_NULL,                       /* 228 */
 288        AUE_NULL,                       /* 229 */
 289        AUE_NULL,                       /* 230 */
 290        AUE_NULL,                       /* 231 */
 291        AUE_NULL,                       /* 232 */
 292        AUE_NULL,                       /* 233 */
 293        AUE_NULL,                       /* 234 */
 294        AUE_NULL,                       /* 235 */
 295        AUE_NULL,                       /* 236 */
 296        AUE_NULL,                       /* 237 */
 297        AUE_NULL,                       /* 238 */
 298        AUE_NULL,                       /* 239 */
 299        AUE_NULL,                       /* 240 */
 300        AUE_NULL,                       /* 241 */
 301        AUE_NULL,                       /* 242 = fsctl */
 302        AUE_NULL,                       /* 243 */
 303        AUE_NULL,                       /* 244 */
 304        AUE_NULL,                       /* 245 */
 305        AUE_NULL,                       /* 246 */
 306        AUE_NULL,                       /* 247 = nfsclnt*/
 307        AUE_NULL,                       /* 248 = fhopen */
 308        AUE_NULL,                       /* 249 */
 309        AUE_MINHERIT,                   /* 250 = minherit */
 310        AUE_NULL,                       /* 251 = semsys */
 311        AUE_NULL,                       /* 252 = msgsys */
 312        AUE_NULL,                       /* 253 = shmsys */
 313        AUE_SEMCTL,                     /* 254 = semctl */
 314        AUE_SEMGET,                     /* 255 = semget */
 315        AUE_SEMOP,                      /* 256 = semop */
 316        AUE_NULL,                       /* 257 = */
 317        AUE_MSGCTL,                     /* 258 = msgctl */
 318        AUE_MSGGET,                     /* 259 = msgget */
 319        AUE_MSGSND,                     /* 260 = msgsnd */
 320        AUE_MSGRCV,                     /* 261 = msgrcv */
 321        AUE_SHMAT,                      /* 262 = shmat */
 322        AUE_SHMCTL,                     /* 263 = shmctl */
 323        AUE_SHMDT,                      /* 264 = shmdt */
 324        AUE_SHMGET,                     /* 265 = shmget */
 325        AUE_SHMOPEN,                    /* 266 = shm_open */
 326        AUE_SHMUNLINK,                  /* 267 = shm_unlink */
 327        AUE_SEMOPEN,                    /* 268 = sem_open */
 328        AUE_SEMCLOSE,                   /* 269 = sem_close */
 329        AUE_SEMUNLINK,                  /* 270 = sem_unlink */
 330        AUE_NULL,                       /* 271 = sem_wait */
 331        AUE_NULL,                       /* 272 = sem_trywait */
 332        AUE_NULL,                       /* 273 = sem_post */
 333        AUE_NULL,                       /* 274 = sem_getvalue */
 334        AUE_NULL,                       /* 275 = sem_init */
 335        AUE_NULL,                       /* 276 = sem_destroy */
 336        AUE_NULL,                       /* 277 */
 337        AUE_NULL,                       /* 278 */
 338        AUE_NULL,                       /* 279 */
 339        AUE_NULL,                       /* 280 */
 340        AUE_NULL,                       /* 281 */
 341        AUE_NULL,                       /* 282 */
 342        AUE_NULL,                       /* 283 */
 343        AUE_NULL,                       /* 284 */
 344        AUE_NULL,                       /* 285 */
 345        AUE_NULL,                       /* 286 */
 346        AUE_NULL,                       /* 287 */
 347        AUE_NULL,                       /* 288 */
 348        AUE_NULL,                       /* 289 */
 349        AUE_NULL,                       /* 290 */
 350        AUE_NULL,                       /* 291 */
 351        AUE_NULL,                       /* 292 */
 352        AUE_NULL,                       /* 293 */
 353        AUE_NULL,                       /* 294 */
 354        AUE_NULL,                       /* 295 */
 355        AUE_LOADSHFILE,                 /* 296 = load_shared_file */
 356        AUE_RESETSHFILE,                /* 297 = reset_shared_file */
 357        AUE_NEWSYSTEMSHREG,             /* 298 = new_system_shared_regions */
 358        AUE_NULL,                       /* 299 */
 359        AUE_NULL,                       /* 300 */
 360        AUE_NULL,                       /* 301 */
 361        AUE_NULL,                       /* 302 */
 362        AUE_NULL,                       /* 303 */
 363        AUE_NULL,                       /* 304 */
 364        AUE_NULL,                       /* 305 */
 365        AUE_NULL,                       /* 306 */
 366        AUE_NULL,                       /* 307 */
 367        AUE_NULL,                       /* 308 */
 368        AUE_NULL,                       /* 309 */
 369        AUE_NULL,                       /* 310 = getsid */
 370        AUE_NULL,                       /* 311 */
 371        AUE_NULL,                       /* 312 */
 372        AUE_NULL,                       /* 313 */
 373        AUE_NULL,                       /* 314 */
 374        AUE_NULL,                       /* 315 */
 375        AUE_NULL,                       /* 316 */
 376        AUE_NULL,                       /* 317 */
 377        AUE_NULL,                       /* 318 */
 378        AUE_NULL,                       /* 319 */
 379        AUE_NULL,                       /* 320 */
 380        AUE_NULL,                       /* 321 */
 381        AUE_NULL,                       /* 322 */
 382        AUE_NULL,                       /* 323 */
 383        AUE_NULL,                       /* 324 = mlockall*/
 384        AUE_NULL,                       /* 325 = munlockall*/
 385        AUE_NULL,                       /* 326 */
 386        AUE_NULL,                       /* 327 = issetugid */
 387        AUE_NULL,                       /* 328 */
 388        AUE_NULL,                       /* 329 */
 389        AUE_NULL,                       /* 330 */
 390        AUE_NULL,                       /* 331 */
 391        AUE_NULL,                       /* 332 */
 392        AUE_NULL,                       /* 333 */
 393        AUE_NULL,                       /* 334 */
 394        AUE_NULL,                       /* 335 = utrace */
 395        AUE_NULL,                       /* 336 */
 396        AUE_NULL,                       /* 337 */
 397        AUE_NULL,                       /* 338 */
 398        AUE_NULL,                       /* 339 */
 399        AUE_NULL,                       /* 340 */
 400        AUE_NULL,                       /* 341 */
 401        AUE_NULL,                       /* 342 */
 402        AUE_NULL,                       /* 343 */
 403        AUE_NULL,                       /* 344 */
 404        AUE_NULL,                       /* 345 */
 405        AUE_NULL,                       /* 346 */
 406        AUE_NULL,                       /* 347 */
 407        AUE_NULL,                       /* 348 */
 408        AUE_NULL,                       /* 349 */
 409        AUE_AUDIT,                      /* 350 */
 410        AUE_AUDITON,                    /* 351 */
 411        AUE_NULL,                       /* 352 */
 412        AUE_GETAUID,                    /* 353 */
 413        AUE_SETAUID,                    /* 354 */
 414        AUE_GETAUDIT,                   /* 355 */
 415        AUE_SETAUDIT,                   /* 356 */
 416        AUE_GETAUDIT_ADDR,              /* 357 */
 417        AUE_SETAUDIT_ADDR,              /* 358 */
 418        AUE_AUDITCTL,                   /* 359 */
 419        AUE_NULL,                       /* 360 */
 420        AUE_NULL,                       /* 361 */
 421        AUE_NULL,                       /* 362 = kqueue */
 422        AUE_NULL,                       /* 363 = kevent */
 423        AUE_LCHOWN,                     /* 364 = lchown */
 424        AUE_NULL,                       /* 365 */
 425        AUE_NULL,                       /* 366 */
 426        AUE_NULL,                       /* 367 */
 427        AUE_NULL,                       /* 368 */
 428        AUE_NULL                        /* 369 */
 429};
 430int     nsys_au_event = sizeof(sys_au_event) / sizeof(sys_au_event[0]);
 431
 432/*
 433 * Hash table functions for the audit event number to event class mask mapping.
 434 */
 435
 436#define EVCLASSMAP_HASH_TABLE_SIZE 251
 437struct evclass_elem {
 438        au_event_t event;
 439        au_class_t class;
 440        LIST_ENTRY(evclass_elem) entry;
 441};
 442struct evclass_list {
 443        LIST_HEAD(, evclass_elem) head;
 444};
 445
 446struct evclass_list evclass_hash[EVCLASSMAP_HASH_TABLE_SIZE];
 447
 448au_class_t au_event_class(au_event_t event)
 449{
 450
 451        struct evclass_list *evcl;
 452        struct evclass_elem *evc;
 453
 454        evcl = &evclass_hash[event % EVCLASSMAP_HASH_TABLE_SIZE];
 455
 456        /* If an entry at our hash location matches the event, just return */
 457        LIST_FOREACH(evc, &evcl->head, entry) {
 458                if (evc->event == event)
 459                        return (evc->class);
 460        }
 461        return (AU_NULL);
 462}
 463
 464        /*
 465 * Insert a event to class mapping. If the event already exists in the
 466 * mapping, then replace the mapping with the new one.
 467 * XXX There is currently no constraints placed on the number of mappings.
 468 *     May want to either limit to a number, or in terms of memory usage.
 469                 */
 470void au_evclassmap_insert(au_event_t event, au_class_t class) 
 471{
 472        struct evclass_list *evcl;
 473        struct evclass_elem *evc;
 474
 475        evcl = &evclass_hash[event % EVCLASSMAP_HASH_TABLE_SIZE];
 476
 477        LIST_FOREACH(evc, &evcl->head, entry) {
 478                if (evc->event == event) {
 479                        evc->class = class;
 480                        return;
 481                }
 482        }
 483        kmem_alloc(kernel_map, (vm_offset_t *)&evc, sizeof(*evc));
 484        if (evc == NULL) {
 485                return;
 486        }
 487        evc->event = event;
 488        evc->class = class;
 489        LIST_INSERT_HEAD(&evcl->head, evc, entry);
 490}
 491
 492void au_evclassmap_init() 
 493{
 494        int i;
 495        for (i = 0; i < EVCLASSMAP_HASH_TABLE_SIZE; i++) {
 496                LIST_INIT(&evclass_hash[i].head);
 497        }
 498
 499        /* Set up the initial event to class mapping for system calls.  */ 
 500        for (i = 0; i < nsys_au_event; i++) {
 501                if (sys_au_event[i] != AUE_NULL) {
 502                        au_evclassmap_insert(sys_au_event[i], AU_NULL);
 503        }
 504        }
 505        /* Add the Mach system call events */
 506        au_evclassmap_insert(AUE_TASKFORPID, AU_NULL);
 507        au_evclassmap_insert(AUE_PIDFORTASK, AU_NULL);
 508        au_evclassmap_insert(AUE_SWAPON, AU_NULL);
 509        au_evclassmap_insert(AUE_SWAPOFF, AU_NULL);
 510        au_evclassmap_insert(AUE_MAPFD, AU_NULL);
 511        au_evclassmap_insert(AUE_INITPROCESS, AU_NULL);
 512
 513        /* Add the specific open events to the mapping. */
 514        au_evclassmap_insert(AUE_OPEN_R, AU_FREAD);
 515        au_evclassmap_insert(AUE_OPEN_RC, AU_FREAD|AU_FCREATE);
 516        au_evclassmap_insert(AUE_OPEN_RTC, AU_FREAD|AU_FCREATE|AU_FDELETE);
 517        au_evclassmap_insert(AUE_OPEN_RT, AU_FREAD|AU_FDELETE);
 518        au_evclassmap_insert(AUE_OPEN_RW, AU_FREAD|AU_FWRITE);
 519        au_evclassmap_insert(AUE_OPEN_RWC, AU_FREAD|AU_FWRITE|AU_FCREATE);
 520        au_evclassmap_insert(AUE_OPEN_RWTC, AU_FREAD|AU_FWRITE|AU_FCREATE|AU_FDELETE);
 521        au_evclassmap_insert(AUE_OPEN_RWT, AU_FREAD|AU_FWRITE|AU_FDELETE);
 522        au_evclassmap_insert(AUE_OPEN_W, AU_FWRITE);
 523        au_evclassmap_insert(AUE_OPEN_WC, AU_FWRITE|AU_FCREATE);
 524        au_evclassmap_insert(AUE_OPEN_WTC, AU_FWRITE|AU_FCREATE|AU_FDELETE);
 525        au_evclassmap_insert(AUE_OPEN_WT, AU_FWRITE|AU_FDELETE);
 526}
 527
 528        /* 
 529 * Check whether an event is aditable by comparing the mask of classes this
 530 * event is part of against the given mask.
 531         */
 532int au_preselect(au_event_t event, au_mask_t *mask_p, int sorf)
 533{
 534        au_class_t effmask = 0;
 535        au_class_t ae_class;
 536
 537        if(mask_p == NULL)
 538                return (-1);
 539
 540        ae_class = au_event_class(event);
 541        /*
 542         * Perform the actual check of the masks against the event.
 543         */
 544        if(sorf & AU_PRS_SUCCESS) {
 545                effmask |= (mask_p->am_success & ae_class);
 546        }
 547                        
 548        if(sorf & AU_PRS_FAILURE) {
 549                effmask |= (mask_p->am_failure & ae_class);
 550        }
 551        
 552        if(effmask)
 553                return (1);
 554        else 
 555                return (0);
 556}
 557
 558/*
 559 * Convert sysctl names and present arguments to events
 560 */
 561au_event_t ctlname_to_sysctlevent(int name[], uint64_t valid_arg) {
 562
 563        /* can't parse it - so return the worst case */
 564        if ((valid_arg & (ARG_CTLNAME | ARG_LEN)) != 
 565                         (ARG_CTLNAME | ARG_LEN))
 566                return AUE_SYSCTL;
 567
 568        switch (name[0]) {
 569        /* non-admin "lookups" treat them special */
 570        case KERN_OSTYPE:
 571        case KERN_OSRELEASE:
 572        case KERN_OSREV:
 573        case KERN_VERSION:
 574        case KERN_ARGMAX:
 575        case KERN_CLOCKRATE:
 576        case KERN_BOOTTIME:
 577        case KERN_POSIX1:
 578        case KERN_NGROUPS:
 579        case KERN_JOB_CONTROL:
 580        case KERN_SAVED_IDS:
 581        case KERN_NETBOOT:
 582        case KERN_SYMFILE:
 583        case KERN_SHREG_PRIVATIZABLE:
 584                return AUE_SYSCTL_NONADMIN;
 585
 586        /* only treat the sets as admin */
 587        case KERN_MAXVNODES:
 588        case KERN_MAXPROC:
 589        case KERN_MAXFILES:
 590        case KERN_MAXPROCPERUID:
 591        case KERN_MAXFILESPERPROC:
 592        case KERN_HOSTID:
 593        case KERN_AIOMAX:
 594        case KERN_AIOPROCMAX:
 595        case KERN_AIOTHREADS:
 596        case KERN_COREDUMP:
 597        case KERN_SUGID_COREDUMP:
 598                return (valid_arg & ARG_VALUE) ?
 599                        AUE_SYSCTL : AUE_SYSCTL_NONADMIN;
 600
 601        default:
 602                return AUE_SYSCTL;
 603        }
 604        /* NOTREACHED */
 605}
 606
 607/*
 608 * Convert an open flags specifier into a specific type of open event for 
 609 * auditing purposes.
 610 */
 611au_event_t flags_and_error_to_openevent(int oflags, int error) {
 612        au_event_t aevent;
 613
 614        /* Need to check only those flags we care about. */
 615        oflags = oflags & (O_RDONLY | O_CREAT | O_TRUNC | O_RDWR | O_WRONLY);
 616
 617        /* These checks determine what flags are on with the condition
 618         * that ONLY that combination is on, and no other flags are on.
 619         */
 620        switch (oflags) {
 621        case O_RDONLY:
 622                aevent = AUE_OPEN_R;
 623                break;
 624        case (O_RDONLY | O_CREAT):
 625                aevent = AUE_OPEN_RC;
 626                break;
 627        case (O_RDONLY | O_CREAT | O_TRUNC):
 628                aevent = AUE_OPEN_RTC;
 629                break;
 630        case (O_RDONLY | O_TRUNC):
 631                aevent = AUE_OPEN_RT;
 632                break;
 633        case O_RDWR:
 634                aevent = AUE_OPEN_RW;
 635                break;
 636        case (O_RDWR | O_CREAT):
 637                aevent = AUE_OPEN_RWC;
 638                break;
 639        case (O_RDWR | O_CREAT | O_TRUNC):
 640                aevent = AUE_OPEN_RWTC;
 641                break;
 642        case (O_RDWR | O_TRUNC):
 643                aevent = AUE_OPEN_RWT;
 644                break;
 645        case O_WRONLY:
 646                aevent = AUE_OPEN_W;
 647                break;
 648        case (O_WRONLY | O_CREAT):
 649                aevent = AUE_OPEN_WC;
 650                break;
 651        case (O_WRONLY | O_CREAT | O_TRUNC):
 652                aevent = AUE_OPEN_WTC;
 653                break;
 654        case (O_WRONLY | O_TRUNC):
 655                aevent = AUE_OPEN_WT;
 656                break;
 657        default:
 658                aevent = AUE_OPEN;
 659                break;
 660}
 661
 662/*
 663         * Convert chatty errors to better matching events.
 664         * Failures to find a file are really just attribute
 665         * events - so recast them as such.
 666*/
 667        switch (aevent) {
 668        case AUE_OPEN_R:
 669        case AUE_OPEN_RT:
 670        case AUE_OPEN_RW:
 671        case AUE_OPEN_RWT:
 672        case AUE_OPEN_W:
 673        case AUE_OPEN_WT:
 674                if (error == ENOENT)
 675                        aevent = AUE_OPEN;
 676}
 677        return aevent;
 678}
 679
 680/* Convert a MSGCTL command to a specific event. */
 681au_event_t msgctl_to_event(int cmd)
 682{
 683        switch (cmd) {
 684        case IPC_RMID:
 685                return AUE_MSGCTL_RMID;
 686        case IPC_SET:
 687                return AUE_MSGCTL_SET;
 688        case IPC_STAT:
 689                return AUE_MSGCTL_STAT;
 690        default:
 691                return AUE_MSGCTL;
 692                        /* We will audit a bad command */
 693        }
 694}
 695
 696/* Convert a SEMCTL command to a specific event. */
 697au_event_t semctl_to_event(int cmd)
 698{
 699        switch (cmd) {
 700        case GETALL:
 701                return AUE_SEMCTL_GETALL;
 702        case GETNCNT:
 703                return AUE_SEMCTL_GETNCNT;
 704        case GETPID:
 705                return AUE_SEMCTL_GETPID;
 706        case GETVAL:
 707                return AUE_SEMCTL_GETVAL;
 708        case GETZCNT:
 709                return AUE_SEMCTL_GETZCNT;
 710        case IPC_RMID:
 711                return AUE_SEMCTL_RMID;
 712        case IPC_SET:
 713                return AUE_SEMCTL_SET;
 714        case SETALL:
 715                return AUE_SEMCTL_SETALL;
 716        case SETVAL:
 717                return AUE_SEMCTL_SETVAL;
 718        case IPC_STAT:
 719                return AUE_SEMCTL_STAT;
 720        default:
 721                return AUE_SEMCTL;
 722                                /* We will audit a bad command */
 723        }
 724}
 725
 726/* Convert a command for the auditon() system call to a audit event. */
 727int auditon_command_event(int cmd)
 728{
 729        switch(cmd) {
 730        case A_GETPOLICY:
 731                return AUE_AUDITON_GPOLICY;
 732                break;
 733        case A_SETPOLICY:
 734                return AUE_AUDITON_SPOLICY;
 735                break;
 736        case A_GETKMASK:
 737                return AUE_AUDITON_GETKMASK;
 738                break;
 739        case A_SETKMASK:
 740                return AUE_AUDITON_SETKMASK;
 741                break;
 742        case A_GETQCTRL:
 743                return AUE_AUDITON_GQCTRL;
 744                break;
 745        case A_SETQCTRL:
 746                return AUE_AUDITON_SQCTRL;
 747                break;
 748        case A_GETCWD:
 749                return AUE_AUDITON_GETCWD;
 750                break;
 751        case A_GETCAR:
 752                return AUE_AUDITON_GETCAR;
 753                break;
 754        case A_GETSTAT:
 755                return AUE_AUDITON_GETSTAT;
 756                break;
 757        case A_SETSTAT:
 758                return AUE_AUDITON_SETSTAT;
 759                break;
 760        case A_SETUMASK:
 761                return AUE_AUDITON_SETUMASK;
 762                break;
 763        case A_SETSMASK:
 764                return AUE_AUDITON_SETSMASK;
 765                break;
 766        case A_GETCOND:
 767                return AUE_AUDITON_GETCOND;
 768                break;
 769        case A_SETCOND:
 770                return AUE_AUDITON_SETCOND;
 771                break;
 772        case A_GETCLASS:
 773                return AUE_AUDITON_GETCLASS;
 774                break;
 775        case A_SETCLASS:
 776                return AUE_AUDITON_SETCLASS;
 777                break;
 778        case A_GETPINFO:
 779        case A_SETPMASK:
 780        case A_SETFSIZE:
 781        case A_GETFSIZE:
 782        case A_GETPINFO_ADDR:
 783        case A_GETKAUDIT:
 784        case A_SETKAUDIT:
 785        default:
 786                return AUE_AUDITON;     /* No special record */
 787                break;
 788        }
 789}
 790
 791/* 
 792 * Create a canonical path from given path by prefixing either the
 793 * root directory, or the current working directory.
 794 * If the process working directory is NULL, we could use 'rootvnode'
 795 * to obtain the root directoty, but this results in a volfs name
 796 * written to the audit log. So we will leave the filename starting
 797 * with '/' in the audit log in this case.
 798 */
 799int canon_path(struct proc *p, char *path, char *cpath)
 800{
 801        char *bufp;
 802        int len;
 803        struct vnode *vnp;
 804        struct filedesc *fdp;
 805        int ret;
 806
 807        fdp = p->p_fd;
 808        bufp = path;
 809        if (*(path) == '/') {
 810                while (*(bufp) == '/') 
 811                        bufp++;                 /* skip leading '/'s         */
 812                /* If no process root, or it is the same as the system root,
 813                 * audit the path as passed in with a single '/'.
 814                 */
 815                if ((fdp->fd_rdir == NULL) ||
 816                    (fdp->fd_rdir == rootvnode)) {      
 817                        vnp = NULL;
 818                        bufp--;                 /* restore one '/'           */
 819                } else {
 820                        vnp = fdp->fd_rdir;     /* use process root          */
 821                }
 822        } else {
 823                vnp = fdp->fd_cdir;     /* prepend the current dir  */
 824                bufp = path;
 825        }
 826        if (vnp != NULL) {
 827                len = MAXPATHLEN;
 828                ret = vn_getpath(vnp, cpath, &len);
 829                if (ret != 0) {
 830                        cpath[0] = '\0';
 831                        return (ret);
 832                }
 833                if (len < MAXPATHLEN)
 834                        cpath[len-1] = '/';     
 835                strncpy(cpath + len, bufp, MAXPATHLEN - len);
 836        } else {
 837                strncpy(cpath, bufp, MAXPATHLEN);
 838        }
 839        return (0);
 840}
 841