/*
 * Render the syscall of the current event for a report.
 *
 * In the default report format the syscall is emitted as its raw number.
 * Otherwise the number is resolved through the event's ELF arch to a name,
 * and for the multiplexed socketcall/ipc entry points the a0 argument of
 * the SYSCALL record is appended in parentheses, e.g. "socketcall(connect)".
 *
 * buf/size receive any formatted text; the return value is either buf or
 * the name pointer handed back by audit_syscall_to_name(). Returns the
 * file-scope Q when the arch cannot be mapped to a machine type. Sets the
 * file-scope `machine` as a side effect.
 */
const char *aulookup_syscall(llist *l, char *buf, size_t size)
{
	const char *name;
	const char *sub = NULL;

	/* Plain numeric output: no name resolution at all. */
	if (report_format <= RPT_DEFAULT) {
		snprintf(buf, size, "%d", l->s.syscall);
		return buf;
	}

	machine = audit_elf_to_machine(l->s.arch);
	if (machine < 0)
		return Q;

	name = audit_syscall_to_name(l->s.syscall, machine);
	if (name == NULL) {
		/* Unknown for this arch: fall back to the raw number. */
		snprintf(buf, size, "%d", l->s.syscall);
		return buf;
	}

	/* Multiplexed calls: a0 of the SYSCALL record selects the real op. */
	if (strcmp(name, "socketcall") == 0 &&
	    list_find_item(l, AUDIT_SYSCALL))
		sub = aulookup_socketcall((long)l->cur->a0);
	else if (strcmp(name, "ipc") == 0 &&
		 list_find_item(l, AUDIT_SYSCALL))
		sub = aulookup_ipccall((long)l->cur->a0);

	if (sub == NULL)
		return name;

	snprintf(buf, size, "%s(%s)", name, sub);
	return buf;
}
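/*
 * Interpret a syscall field (val = raw text, r = record context).
 *
 * Resolves r->syscall to a name using r->machine, falling back to the
 * running host's machine type when the record carries none. For the
 * multiplexed socketcall/ipc entry points the sub-call selected by a0 is
 * appended in parentheses when a0 round-trips through an int.
 *
 * Returns a heap string the caller owns (free()), or NULL on allocation
 * failure. The original left `out` uninitialised when asprintf() failed
 * (glibc leaves the target undefined), so the caller could receive a
 * dangling pointer; that path now returns NULL, matching what strdup()
 * already does on failure.
 */
static const char *print_syscall(const char *val, const rnode *r)
{
	const char *sys;
	const char *func = NULL;
	char *out = NULL;
	int machine = r->machine;
	int syscall = r->syscall;
	unsigned long long a0 = r->a0;

	if (machine < 0)
		machine = audit_detect_machine();
	if (machine < 0)
		return strdup(val);	/* cannot resolve: echo raw text */

	sys = audit_syscall_to_name(syscall, machine);
	if (sys == NULL) {
		if (asprintf(&out, "unknown syscall(%d)", syscall) < 0)
			return NULL;
		return out;
	}

	/* Only decode a0 when it survives a round-trip through int. */
	if (strcmp(sys, "socketcall") == 0) {
		if ((int)a0 == a0)
			func = sock_i2s(a0);
	} else if (strcmp(sys, "ipc") == 0) {
		if ((int)a0 == a0)
			func = ipc_i2s(a0);
	}

	if (func == NULL)
		return strdup(sys);

	if (asprintf(&out, "%s(%s)", sys, func) < 0)
		return NULL;
	return out;
}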
/*
 * Print a syscall field value followed by a space.
 *
 * val is the raw decimal syscall number from the record. It is resolved to
 * a name using the file-scope `machine` (detected on first use when unset);
 * the multiplexed socketcall/ipc entry points get the sub-call selected by
 * the file-scope a0 appended, e.g. "socketcall(connect) ". Values that do
 * not parse or are unknown are echoed back with a diagnostic prefix.
 */
static void print_syscall(const char *val)
{
	const char *name;
	const char *sub = NULL;
	int num;

	if (machine < 0)
		machine = audit_detect_machine();
	if (machine < 0) {
		/* No table to look in: pass the raw text through. */
		printf("%s ", val);
		return;
	}

	errno = 0;
	num = strtoul(val, NULL, 10);
	if (errno) {
		printf("conversion error(%s) ", val);
		return;
	}

	name = audit_syscall_to_name(num, machine);
	if (name == NULL) {
		printf("unknown syscall(%s) ", val);
		return;
	}

	if (strcmp(name, "socketcall") == 0)
		sub = aulookup_socketcall((long)a0);
	else if (strcmp(name, "ipc") == 0)
		sub = aulookup_ipccall((long)a0);

	if (sub)
		printf("%s(%s) ", name, sub);
	else
		printf("%s ", name);
}
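/*
 * Interpret the a2 argument of a syscall record.
 *
 * The meaning of a2 depends on which syscall was made (r->syscall, resolved
 * with r->machine); val is its raw hexadecimal text. For the fcntl family
 * the a1 command selects the decoding. Anything not recognised is echoed
 * back unchanged.
 *
 * Returns a heap string the caller frees, or NULL on allocation failure.
 * The original returned an uninitialised pointer when asprintf() failed
 * on the "conversion error" path; that now returns NULL.
 */
static const char *print_a2(const char *val, const rnode *r)
{
	int machine = r->machine;
	int syscall = r->syscall;
	const char *sys = audit_syscall_to_name(syscall, machine);

	if (sys == NULL)
		return strdup(val);

	if (strncmp(sys, "fcntl", 5) == 0) {	/* any fcntl* variant */
		char *out = NULL;
		int ival;

		errno = 0;
		ival = strtoul(val, NULL, 16);
		if (errno) {
			if (asprintf(&out, "conversion error(%s)", val) < 0)
				return NULL;
			return out;
		}
		switch (r->a1) {
		case F_SETOWN:
			return print_uid(val, 16);
		case F_SETFD:
			if (ival == FD_CLOEXEC)
				return strdup("FD_CLOEXEC");
			break;	/* other values: raw text below */
		case F_SETFL:
		case F_SETLEASE:
		case F_GETLEASE:
		case F_NOTIFY:
		default:
			break;	/* no decoder for these commands */
		}
	} else if (strcmp(sys, "openat") == 0) {
		return print_open_flags(val);
	} else if (strcmp(sys, "fchmodat") == 0) {
		return print_mode_short(val);
	} else if (strstr(sys, "chown")) {
		return print_gid(val, 16);
	} else if (strcmp(sys, "setresuid") == 0) {
		return print_uid(val, 16);
	} else if (strcmp(sys, "setresgid") == 0) {
		return print_gid(val, 16);
	} else if (strcmp(sys, "tgkill") == 0) {
		return print_signals(val, 16);
	} else if (strcmp(sys, "mkdirat") == 0) {
		return print_mode_short(val);
	} else if (strcmp(sys, "mmap") == 0) {
		return print_prot(val, 1);
	} else if (strcmp(sys, "mprotect") == 0) {
		return print_prot(val, 0);
	} else if (strcmp(sys, "socket") == 0) {
		return print_socket_proto(val);
	} else if (strcmp(sys, "clone") == 0) {
		return print_clone_flags(val);
	} else if (strcmp(sys, "recvmsg") == 0) {
		return print_recv(val);
	}

	return strdup(val);
}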
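/*
 * Print the " -S ..." clause of a rule from its syscall bitmask.
 *
 * r is the kernel rule; *sc receives the number of the last specific
 * syscall printed (left untouched for "all" and for filters that carry no
 * syscalls). Returns the number of syscalls printed: 0 when nothing was
 * printed, the count for a specific list, and the (non-zero) final loop
 * index for "all" — presumably callers only test it against zero.
 *
 * Rules on the user, task and exclude filters have no syscall mask, so
 * they print nothing. When the rule names an arch (file-scope _audit_elf)
 * that arch's syscall table is used; otherwise the host's. The table is
 * now resolved once, not once per set bit as before.
 */
static int print_syscall(const struct audit_rule_data *r, unsigned int *sc)
{
	int count = 0;
	int all = 1;
	unsigned int i;
	int machine = audit_detect_machine();
	unsigned int filter = r->flags & AUDIT_FILTER_MASK;

	/* Rules on the following filters do not take a syscall */
	if (filter == AUDIT_FILTER_USER || filter == AUDIT_FILTER_TASK ||
	    filter == AUDIT_FILTER_EXCLUDE)
		return 0;

	/* See if its all or specific syscalls (last word is not consulted) */
	for (i = 0; i < (AUDIT_BITMASK_SIZE-1); i++) {
		if (r->mask[i] != (uint32_t)~0) {
			all = 0;
			break;
		}
	}

	if (all) {
		printf(" -S all");
		return i;	/* i == AUDIT_BITMASK_SIZE-1 here: non-zero */
	}

	/* The arch is the same for every syscall in the rule, so resolve
	 * the lookup table once rather than inside the loop. */
	if (_audit_elf)
		machine = audit_elf_to_machine(_audit_elf);

	for (i = 0; i < AUDIT_BITMASK_SIZE * 32; i++) {
		int word = AUDIT_WORD(i);
		int bit = AUDIT_BIT(i);
		const char *ptr;

		if (!(r->mask[word] & bit))
			continue;

		ptr = machine < 0 ? NULL : audit_syscall_to_name(i, machine);
		if (!count)
			printf(" -S ");
		if (ptr)
			printf("%s%s", count ? "," : "", ptr);
		else
			printf("%s%d", count ? "," : "", i);
		count++;
		*sc = i;
	}
	return count;
}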
/*
 * Interpret the a3 argument of a syscall record.
 *
 * val is the raw text of a3; r->syscall (resolved with r->machine) decides
 * the decoding: mmap flags, mount flags, or recv flags for the recv family.
 * Anything else is echoed back. Returns a heap string the caller frees.
 */
static const char *print_a3(const char *val, const rnode *r)
{
	const char *sys = audit_syscall_to_name(r->syscall, r->machine);

	if (sys == NULL)
		return strdup(val);

	if (strcmp(sys, "mmap") == 0)
		return print_mmap(val);
	if (strcmp(sys, "mount") == 0)
		return print_mount(val);
	/* The recv family shares one flag decoder. */
	if (strcmp(sys, "recv") == 0 || strcmp(sys, "recvfrom") == 0 ||
	    strcmp(sys, "recvmmsg") == 0)
		return print_recv(val);

	return strdup(val);
}
/*
 * Interpret the a1 argument of a syscall record.
 *
 * val is the raw hexadecimal text of a1; the decoder is chosen by the
 * syscall name (r->syscall resolved via r->machine). The match sets are
 * disjoint, so grouping calls that share a decoder does not change which
 * one fires. Unrecognised syscalls echo the text back. Returns a heap
 * string the caller frees.
 */
static const char *print_a1(const char *val, const rnode *r)
{
	const char *sys = audit_syscall_to_name(r->syscall, r->machine);

	if (sys == NULL)
		return strdup(val);

	if (strcmp(sys, "open") == 0)
		return print_open_flags(val);
	if (strcmp(sys, "epoll_ctl") == 0)
		return print_epoll_ctl(val);
	/* mode_t arguments */
	if (strcmp(sys, "chmod") == 0 || strcmp(sys, "fchmod") == 0 ||
	    strcmp(sys, "mkdir") == 0 || strcmp(sys, "creat") == 0)
		return print_mode_short(val);
	/* uid arguments: anything with "chown" in the name, plus the
	 * real/effective uid setters */
	if (strstr(sys, "chown") || strcmp(sys, "setreuid") == 0 ||
	    strcmp(sys, "setresuid") == 0)
		return print_uid(val, 16);
	if (strcmp(sys, "setregid") == 0 || strcmp(sys, "setresgid") == 0)
		return print_gid(val, 16);
	if (strcmp(sys, "kill") == 0 || strcmp(sys, "tkill") == 0)
		return print_signals(val, 16);
	if (strncmp(sys, "fcntl", 5) == 0)	/* any fcntl* variant */
		return print_fcntl_cmd(val);
	if (strcmp(sys, "mknod") == 0)
		return print_mode(val, 16);
	if (strcmp(sys, "socket") == 0)
		return print_socket_type(val);

	return strdup(val);
}
/*
 * Interpret the a0 argument of a syscall record.
 *
 * val is the raw hexadecimal text of a0; which decoder applies depends on
 * the syscall (r->syscall resolved via r->machine). The match sets are
 * disjoint, so grouping calls that share a decoder preserves the result.
 * Unrecognised syscalls echo the text back. Returns a heap string the
 * caller frees.
 */
static const char *print_a0(const char *val, const rnode *r)
{
	const char *sys = audit_syscall_to_name(r->syscall, r->machine);

	if (sys == NULL)
		return strdup(val);

	/* uid-taking calls */
	if (strcmp(sys, "setuid") == 0 || strcmp(sys, "setreuid") == 0 ||
	    strcmp(sys, "setresuid") == 0 || strcmp(sys, "setfsuid") == 0)
		return print_uid(val, 16);
	/* gid-taking calls */
	if (strcmp(sys, "setgid") == 0 || strcmp(sys, "setregid") == 0 ||
	    strcmp(sys, "setresgid") == 0 || strcmp(sys, "setfsgid") == 0)
		return print_gid(val, 16);
	if (strcmp(sys, "rt_sigaction") == 0)
		return print_signals(val, 16);
	if (strcmp(sys, "clock_settime") == 0)
		return print_clock_id(val);
	if (strcmp(sys, "personality") == 0)
		return print_personality(val);
	if (strcmp(sys, "ptrace") == 0)
		return print_ptrace(val);
	/* Substring match: getrlimit and setrlimit alike. */
	if (strstr(sys, "etrlimit"))
		return print_rlimit(val);
	if (strcmp(sys, "socket") == 0)
		return print_socket_domain(val);

	return strdup(val);
}
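/*
 * Dump the host's syscall number -> name table to /etc/safed-xlate.conf,
 * one "number:name" line per syscall known in 0..2047.
 *
 * Exit status is 0 on success, 1 when the machine type cannot be detected
 * or the file cannot be written. The machine type is checked before the
 * file is opened so a detection failure no longer truncates an existing
 * config to nothing. Write errors were previously unchecked: a failed
 * fprintf() or fclose() left a truncated file and still returned 0.
 */
int main(void)
{
	FILE *fp;
	int machine;
	int i;

	machine = audit_detect_machine();
	if (machine < 0) {
		fputs("Cannot detect machine type\n", stderr);
		return 1;
	}

	fp = fopen("/etc/safed-xlate.conf", "w");
	if (!fp) {
		perror("Cannot write to safed-xlate.conf");
		return 1;
	}

	for (i = 0; i < 2048; i++) {
		const char *rsyscall = audit_syscall_to_name(i, machine);

		if (rsyscall == NULL)
			continue;
		if (fprintf(fp, "%i:%s\n", i, rsyscall) < 0) {
			perror("Error writing safed-xlate.conf");
			fclose(fp);
			return 1;
		}
	}

	/* fclose() flushes the stream; a failure here is a lost write. */
	if (fclose(fp) != 0) {
		perror("Error writing safed-xlate.conf");
		return 1;
	}
	return 0;
}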
/*
 * Look up the name of syscall `id` in the arch this table describes.
 *
 * Thin wrapper over libaudit: tbl->audit_machine selects the syscall
 * table. The result is whatever audit_syscall_to_name() returns (callers
 * elsewhere treat a NULL result as "unknown").
 */
const char *syscalltbl__name(const struct syscalltbl *tbl, int id)
{
	int machine = tbl->audit_machine;

	return audit_syscall_to_name(id, machine);
}
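/*
 * Print the lhs/rhs pair of an AUDIT_FIELD_COMPARE value joined by the
 * operator symbol, e.g. " uid!=obj_uid". Unknown values print nothing,
 * as the original switch did.
 */
static void print_field_compare(unsigned int cmp, const char *opsym)
{
	static const struct {
		unsigned int cmp;
		const char *lhs;
		const char *rhs;
	} names[] = {
		{ AUDIT_COMPARE_UID_TO_OBJ_UID,   "uid",   "obj_uid" },
		{ AUDIT_COMPARE_GID_TO_OBJ_GID,   "gid",   "obj_gid" },
		{ AUDIT_COMPARE_EUID_TO_OBJ_UID,  "euid",  "obj_uid" },
		{ AUDIT_COMPARE_EGID_TO_OBJ_GID,  "egid",  "obj_gid" },
		{ AUDIT_COMPARE_AUID_TO_OBJ_UID,  "auid",  "obj_uid" },
		{ AUDIT_COMPARE_SUID_TO_OBJ_UID,  "suid",  "obj_uid" },
		{ AUDIT_COMPARE_SGID_TO_OBJ_GID,  "sgid",  "obj_gid" },
		{ AUDIT_COMPARE_FSUID_TO_OBJ_UID, "fsuid", "obj_uid" },
		{ AUDIT_COMPARE_FSGID_TO_OBJ_GID, "fsgid", "obj_gid" },
		{ AUDIT_COMPARE_UID_TO_AUID,      "uid",   "auid"    },
		{ AUDIT_COMPARE_UID_TO_EUID,      "uid",   "euid"    },
		{ AUDIT_COMPARE_UID_TO_FSUID,     "uid",   "fsuid"   },
		{ AUDIT_COMPARE_UID_TO_SUID,      "uid",   "suid"    },
		{ AUDIT_COMPARE_AUID_TO_FSUID,    "auid",  "fsuid"   },
		{ AUDIT_COMPARE_AUID_TO_SUID,     "auid",  "suid"    },
		{ AUDIT_COMPARE_AUID_TO_EUID,     "auid",  "euid"    },
		{ AUDIT_COMPARE_EUID_TO_SUID,     "euid",  "suid"    },
		{ AUDIT_COMPARE_EUID_TO_FSUID,    "euid",  "fsuid"   },
		{ AUDIT_COMPARE_SUID_TO_FSUID,    "suid",  "fsuid"   },
		{ AUDIT_COMPARE_GID_TO_EGID,      "gid",   "egid"    },
		{ AUDIT_COMPARE_GID_TO_FSGID,     "gid",   "fsgid"   },
		{ AUDIT_COMPARE_GID_TO_SGID,      "gid",   "sgid"    },
		{ AUDIT_COMPARE_EGID_TO_FSGID,    "egid",  "fsgid"   },
		{ AUDIT_COMPARE_EGID_TO_SGID,     "egid",  "sgid"    },
		{ AUDIT_COMPARE_SGID_TO_FSGID,    "sgid",  "fsgid"   },
	};
	size_t k;

	for (k = 0; k < sizeof(names) / sizeof(names[0]); k++) {
		if (names[k].cmp == cmp) {
			printf(" %s%s%s", names[k].lhs, opsym, names[k].rhs);
			return;
		}
	}
}

/*
 * This function interprets the reply and prints it to stdout. It returns
 * 0 if no more should be read and 1 to indicate that more messages of this
 * type may need to be read.
 *
 * For AUDIT_LIST_RULES the rule is rendered in auditctl syntax: the filter
 * and action, then each field with its operator and value (string-typed
 * fields are taken from ruledata->buf in order, tracked by boffset), then
 * the syscall list unless the filter type takes none or a perm= field was
 * seen. Uses the file-scope printed, list_requested, _audit_elf and
 * key_sep.
 *
 * Changes from the original: the asprintf() building the key string is
 * checked (on failure it left rkey undefined and strtok() walked garbage);
 * strtok_r() replaces strtok(); "%.*s" precisions and "%d" values are cast
 * to int to match the conversion specifiers; the arch lookup table is
 * resolved once before the syscall loop instead of per set bit.
 */
static int audit_print_reply(struct audit_reply *rep)
{
	unsigned int i;
	int first;
	int sparse;
	int machine = audit_detect_machine();
	size_t boffset;
	int show_syscall;

	_audit_elf = 0;
	switch (rep->type) {
	case NLMSG_NOOP:
		return 1;
	case NLMSG_DONE:
		if (printed == 0)
			printf("No rules\n");
		return 0;
	case NLMSG_ERROR:
		printf("NLMSG_ERROR %d (%s)\n", -rep->error->error,
			strerror(-rep->error->error));
		printed = 1;
		return 0;
	case AUDIT_GET:
		printf("AUDIT_STATUS: enabled=%d flag=%d pid=%d"
			" rate_limit=%d backlog_limit=%d lost=%d backlog=%u\n",
			rep->status->enabled, rep->status->failure,
			rep->status->pid, rep->status->rate_limit,
			rep->status->backlog_limit, rep->status->lost,
			rep->status->backlog);
		printed = 1;
		return 0;
	case AUDIT_LIST_RULES:
		list_requested = 0;
		boffset = 0;
		show_syscall = 1;
		if (key_match(rep) == 0)
			return 1;
		printed = 1;
		printf("%s: %s,%s", audit_msg_type_to_name(rep->type),
			audit_flag_to_name((int)rep->ruledata->flags),
			audit_action_to_name(rep->ruledata->action));
		for (i = 0; i < rep->ruledata->field_count; i++) {
			const char *name;
			int op = rep->ruledata->fieldflags[i] & AUDIT_OPERATORS;
			int field = rep->ruledata->fields[i] & ~AUDIT_OPERATORS;
			/* String-typed fields carry their byte length in
			 * values[i] and their text at buf[boffset]; the
			 * "%.*s" precision argument must be an int. */
			int vlen = (int)rep->ruledata->values[i];

			name = audit_field_to_name(field);
			if (name) {
				if (strcmp(name, "arch") == 0) {
					/* Remembered so the syscall list below
					 * can use this arch's table. */
					_audit_elf = rep->ruledata->values[i];
					printf(" %s%s%u", name,
						audit_operator_to_symbol(op),
						(unsigned)rep->ruledata->values[i]);
				} else if (strcmp(name, "msgtype") == 0) {
					const char *tname = audit_msg_type_to_name(
							rep->ruledata->values[i]);
					if (tname)
						printf(" %s%s%s", name,
							audit_operator_to_symbol(op),
							tname);
					else
						printf(" %s%s%d", name,
							audit_operator_to_symbol(op),
							(int)rep->ruledata->values[i]);
				} else if ((field >= AUDIT_SUBJ_USER &&
						field <= AUDIT_OBJ_LEV_HIGH) &&
						field != AUDIT_PPID &&
						rep->type == AUDIT_LIST_RULES) {
					printf(" %s%s%.*s", name,
						audit_operator_to_symbol(op), vlen,
						&rep->ruledata->buf[boffset]);
					boffset += rep->ruledata->values[i];
				} else if (field == AUDIT_WATCH) {
					printf(" watch=%.*s", vlen,
						&rep->ruledata->buf[boffset]);
					boffset += rep->ruledata->values[i];
				} else if (field == AUDIT_DIR) {
					printf(" dir=%.*s", vlen,
						&rep->ruledata->buf[boffset]);
					boffset += rep->ruledata->values[i];
				} else if (field == AUDIT_FILTERKEY) {
					char *rkey, *ptr, *save;

					/* asprintf() leaves rkey undefined on
					 * failure; treat that as "no keys". */
					if (asprintf(&rkey, "%.*s", vlen,
						     &rep->ruledata->buf[boffset]) < 0)
						rkey = NULL;
					boffset += rep->ruledata->values[i];
					/* A rule may carry several keys joined by
					 * key_sep; print each as its own key=. */
					ptr = rkey ? strtok_r(rkey, key_sep, &save)
						   : NULL;
					while (ptr) {
						printf(" key=%s", ptr);
						ptr = strtok_r(NULL, key_sep, &save);
					}
					free(rkey);
				} else if (field == AUDIT_PERM) {
					char perms[5];	/* at most "rwxa" + NUL */
					int val = rep->ruledata->values[i];

					perms[0] = 0;
					if (val & AUDIT_PERM_READ)
						strcat(perms, "r");
					if (val & AUDIT_PERM_WRITE)
						strcat(perms, "w");
					if (val & AUDIT_PERM_EXEC)
						strcat(perms, "x");
					if (val & AUDIT_PERM_ATTR)
						strcat(perms, "a");
					printf(" perm=%s", perms);
					/* perm= stands in for the syscall list */
					show_syscall = 0;
				} else if (field == AUDIT_INODE) {
					// Unsigned items
					printf(" %s%s%u", name,
						audit_operator_to_symbol(op),
						(unsigned)rep->ruledata->values[i]);
				} else if (field == AUDIT_FIELD_COMPARE) {
					print_field_compare(
						rep->ruledata->values[i],
						audit_operator_to_symbol(op));
				} else {
					// Signed items
					printf(" %s%s%d", name,
						audit_operator_to_symbol(op),
						(int)rep->ruledata->values[i]);
				}
			} else {
				/* No name for this field number: print it raw */
				printf(" f%d%s%d", (int)rep->ruledata->fields[i],
					audit_operator_to_symbol(op),
					(int)rep->ruledata->values[i]);
			}

			/* Avoid printing value if the field type is
			 * known to return a string. */
			if (rep->ruledata->values[i] &&
				(field < AUDIT_SUBJ_USER ||
				 field > AUDIT_SUBJ_CLR) &&
				field != AUDIT_WATCH &&
				field != AUDIT_FILTERKEY &&
				field != AUDIT_PERM &&
				field != AUDIT_FIELD_COMPARE)
				printf(" (0x%x)", rep->ruledata->values[i]);
		}

		if (show_syscall &&
			((rep->ruledata->flags & AUDIT_FILTER_MASK) !=
				AUDIT_FILTER_USER) &&
			((rep->ruledata->flags & AUDIT_FILTER_MASK) !=
				AUDIT_FILTER_TASK) &&
			((rep->ruledata->flags & AUDIT_FILTER_MASK) !=
				AUDIT_FILTER_EXCLUDE)) {
			printf(" syscall=");
			/* All-ones in every word but the last means "all" */
			for (sparse = 0, i = 0; i < (AUDIT_BITMASK_SIZE-1); i++) {
				if (rep->ruledata->mask[i] != (uint32_t)~0)
					sparse = 1;
			}
			if (!sparse) {
				printf("all");
			} else {
				/* The arch (if any) applies to the whole rule,
				 * so resolve its syscall table once. */
				if (_audit_elf)
					machine = audit_elf_to_machine(_audit_elf);
				for (first = 1, i = 0;
				     i < AUDIT_BITMASK_SIZE * 32; i++) {
					int word = AUDIT_WORD(i);
					int bit = AUDIT_BIT(i);

					if (rep->ruledata->mask[word] & bit) {
						const char *ptr = NULL;

						if (machine >= 0)
							ptr = audit_syscall_to_name(i,
								machine);
						if (ptr)
							printf("%s%s",
								first ? "" : ",", ptr);
						else
							printf("%s%d",
								first ? "" : ",", i);
						first = 0;
					}
				}
			}
		}
		printf("\n");
		return 1; /* get more messages until NLMSG_DONE */
	default:
		printf("Unknown: type=%d, len=%d\n", rep->type,
			(int)rep->nlh->nlmsg_len);
		printed = 1;
		return 0;
	}
}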
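/*
 * ausyscall: map syscall names <-> numbers for an arch.
 *
 * Arguments (any order, at most three): an arch name, a syscall name or a
 * syscall number, and optionally --dump (print the whole table) or --exact
 * (match the name exactly rather than as a case-insensitive substring).
 * Without an arch the host's is used. Exit status 1 on any error; usage()
 * is relied on not to return, as the original did.
 *
 * Changes from the original: a numeric argument is now validated in full
 * ("12abc" was silently taken as 12 by an unchecked strtol(), and a value
 * that does not fit in an int was truncated), and the argv byte is cast
 * to unsigned char before isdigit() as the ctype functions require.
 */
int main(int argc, char *argv[])
{
	int i, rc;
	int machine = -1, syscall_num = -1, dump = 0, exact = 0;
	const char *name = NULL;

	if (argc > 4) {
		fputs("Too many arguments\n", stderr);
		usage();
	} else if (argc < 2)
		usage();

	for (i = 1; i < argc; i++) {
		const char *arg = argv[i];

		if (isdigit((unsigned char)arg[0])) {
			char *end;
			long num;

			if (syscall_num != -1) {
				fputs("Two syscall numbers not allowed\n", stderr);
				usage();
			}
			/* Whole argument must be digits and fit in an int;
			 * the int round-trip also catches strtol overflow. */
			num = strtol(arg, &end, 10);
			if (end == arg || *end != '\0' || num != (long)(int)num) {
				fprintf(stderr, "Invalid syscall number %s\n", arg);
				usage();
			}
			syscall_num = (int)num;
		} else if ((rc = audit_name_to_machine(arg)) != -1) {
			if (machine != -1) {
				fputs("Two machine types not allowed\n", stderr);
				usage();
			}
			machine = rc;
		} else if (strcmp("--dump", arg) == 0) {
			dump = 1;
		} else if (strcmp("--exact", arg) == 0) {
			exact = 1;
#ifndef WITH_ALPHA
		} else if (strcmp("alpha", arg) == 0) {
			fputs("Alpha processor support is not enabled\n", stderr);
			exit(1);
#endif
#ifndef WITH_ARMEB
		} else if (strcmp("armeb", arg) == 0) {
			fputs("Arm eabi processor support is not enabled\n", stderr);
			exit(1);
#endif
		} else {
			if (name != NULL) {
				fputs("Two syscall names not allowed\n", stderr);
				usage();
			}
			name = arg;
		}
	}

	if (machine == -1)
		machine = audit_detect_machine();
	if (machine == -1) {
		fprintf(stderr, "Unable to detect machine type\n");
		return 1;
	}

	if (dump) {
		printf("Using %s syscall table:\n",
			audit_machine_to_name(machine));
		for (i = 0; i < 8192; i++) {
			name = audit_syscall_to_name(i, machine);
			if (name)
				printf("%d\t%s\n", i, name);
		}
		return 0;
	}

	if (name) {
		if (exact) {
			rc = audit_name_to_syscall(name, machine);
			if (rc < 0) {
				fprintf(stderr,
					"Unknown syscall %s using %s lookup table\n",
					name, audit_machine_to_name(machine));
				return 1;
			}
			printf("%d\n", rc);
		} else {
			/* Substring search: list every syscall whose name
			 * contains the argument, case-insensitively. */
			int found = 0;

			for (i = 0; i < LAST_SYSCALL; i++) {
				const char *n = audit_syscall_to_name(i, machine);

				if (n && strcasestr(n, name)) {
					found = 1;
					printf("%-18s %d\n", n, i);
				}
			}
			if (!found) {
				fprintf(stderr,
					"Unknown syscall %s using %s lookup table\n",
					name, audit_machine_to_name(machine));
				return 1;
			}
		}
	} else if (syscall_num != -1) {
		name = audit_syscall_to_name(syscall_num, machine);
		if (name == NULL) {
			fprintf(stderr,
				"Unknown syscall %d using %s lookup table\n",
				syscall_num, audit_machine_to_name(machine));
			return 1;
		}
		printf("%s\n", name);
	} else {
		fputs("Error - either a syscall name or number must "
			"be given with an optional arch\n", stderr);
		return 1;
	}
	return 0;
}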