/*
 * Render the syscall of the current event as text.
 *
 * In the plain report formats (report_format <= RPT_DEFAULT) only the raw
 * number is written to buf. Otherwise the number is resolved through the
 * event's arch (l->s.arch), and for the multiplexed socketcall/ipc entry
 * points the first argument of the SYSCALL record selects the real
 * sub-function, giving "socketcall(xxx)" / "ipc(xxx)".
 *
 * Returns buf, a table string owned by libaudit, or Q when the arch value
 * cannot be mapped to a machine type. Sets the file-scope `machine`.
 */
const char *aulookup_syscall(llist *l, char *buf, size_t size)
{
	const char *name;
	const char *sub = NULL;

	/* Plain formats never interpret: just emit the number. */
	if (report_format <= RPT_DEFAULT)
		goto numeric;

	machine = audit_elf_to_machine(l->s.arch);
	if (machine < 0)
		return Q;

	name = audit_syscall_to_name(l->s.syscall, machine);
	if (name == NULL)
		goto numeric;

	/* socketcall/ipc multiplex many calls; a0 of the SYSCALL record
	 * picks the real one (list_find_item positions l->cur on it). */
	if (strcmp(name, "socketcall") == 0 && list_find_item(l, AUDIT_SYSCALL))
		sub = aulookup_socketcall((long)l->cur->a0);
	else if (strcmp(name, "ipc") == 0 && list_find_item(l, AUDIT_SYSCALL))
		sub = aulookup_ipccall((long)l->cur->a0);

	if (sub == NULL)
		return name;
	snprintf(buf, size, "%s(%s)", name, sub);
	return buf;

numeric:
	snprintf(buf, size, "%d", l->s.syscall);
	return buf;
}
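/*
 * Interpret the syscall number of the event node r.
 *
 * val is the raw field text and is returned verbatim (copied) when no
 * machine type can be determined. The number is looked up for r->machine,
 * falling back to the running host's machine type, and the socketcall/ipc
 * multiplexers are expanded with their a0 sub-function when a0 fits in an
 * int (the sub-function tables are indexed by int).
 *
 * Returns a heap string the caller frees, or NULL on allocation failure.
 * A failed asprintf() leaves its output pointer undefined, so the result
 * of asprintf() must be checked rather than returning `out` blindly.
 */
static const char *print_syscall(const char *val, const rnode *r)
{
	const char *sys;
	const char *func = NULL;
	char *out = NULL;
	int machine = r->machine, syscall = r->syscall;
	unsigned long long a0 = r->a0;

	if (machine < 0)
		machine = audit_detect_machine();
	if (machine < 0)
		return strdup(val);

	sys = audit_syscall_to_name(syscall, machine);
	if (sys == NULL) {
		if (asprintf(&out, "unknown syscall(%d)", syscall) < 0)
			return NULL;
		return out;
	}

	/* socketcall/ipc multiplex many calls; a0 selects the real one. */
	if (strcmp(sys, "socketcall") == 0) {
		if ((int)a0 == a0)
			func = sock_i2s(a0);
	} else if (strcmp(sys, "ipc") == 0) {
		if ((int)a0 == a0)
			func = ipc_i2s(a0);
	}

	if (func == NULL)
		return strdup(sys);
	if (asprintf(&out, "%s(%s)", sys, func) < 0)
		return NULL;
	return out;
}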
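/*
 * Print the interpreted syscall name for the raw decimal field text val.
 *
 * Uses the file-scope `machine` (detected on first use) and `a0` (the
 * syscall's first argument, set by the caller) so that the socketcall/ipc
 * multiplexers can be expanded into "socketcall(xxx)" / "ipc(xxx)".
 *
 * Output always ends with a single space. When the machine type is
 * unknown the raw text is printed; when val is not a number a
 * "conversion error" marker is printed instead of silently looking up
 * syscall 0 (strtoul() with a NULL end pointer only reports range errors
 * via errno, so "" or "abc" used to be interpreted as syscall 0).
 */
static void print_syscall(const char *val)
{
	const char *sys;
	char *end;
	int ival;

	if (machine < 0)
		machine = audit_detect_machine();
	if (machine < 0) {
		printf("%s ", val);
		return;
	}

	errno = 0;
	ival = strtoul(val, &end, 10);
	/* end == val means no digits were consumed at all */
	if (errno || end == val) {
		printf("conversion error(%s) ", val);
		return;
	}

	sys = audit_syscall_to_name(ival, machine);
	if (sys == NULL) {
		printf("unknown syscall(%s) ", val);
		return;
	}

	/* socketcall/ipc multiplex many calls; a0 selects the real one. */
	const char *func = NULL;
	if (strcmp(sys, "socketcall") == 0)
		func = aulookup_socketcall((long)a0);
	else if (strcmp(sys, "ipc") == 0)
		func = aulookup_ipccall((long)a0);

	if (func)
		printf("%s(%s) ", sys, func);
	else
		printf("%s ", sys);
}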
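/*
 * Interpret the third syscall argument (a2) of event node r.
 *
 * val is the raw hex field text. The syscall name selects the decoder;
 * for fcntl/fcntl64 the meaning of a2 additionally depends on the command
 * held in r->a1 (F_SETOWN takes a uid, F_SETFD a descriptor flag, the
 * remaining listed commands are left raw).
 *
 * Returns a heap string the caller frees (the raw text copied when no
 * decoder applies), or NULL on allocation failure. A failed asprintf()
 * leaves its output pointer undefined, so its result must be checked.
 */
static const char *print_a2(const char *val, const rnode *r)
{
	int machine = r->machine, syscall = r->syscall;
	char *out;
	const char *sys = audit_syscall_to_name(syscall, machine);

	if (sys == NULL)
		return strdup(val);

	/* fcntl and fcntl64: a2's type depends on the command in a1 */
	if (strncmp(sys, "fcntl", 5) == 0) {
		int ival;

		errno = 0;
		ival = strtoul(val, NULL, 16);
		if (errno) {
			if (asprintf(&out, "conversion error(%s)", val) < 0)
				return NULL;
			return out;
		}
		switch (r->a1) {
		case F_SETOWN:
			return print_uid(val, 16);
		case F_SETFD:
			if (ival == FD_CLOEXEC)
				return strdup("FD_CLOEXEC");
			/* Fall thru okay: any other flag value is printed raw. */
		case F_SETFL:
		case F_SETLEASE:
		case F_GETLEASE:
		case F_NOTIFY:
		default:
			break;
		}
		return strdup(val);
	}

	if (strcmp(sys, "openat") == 0)
		return print_open_flags(val);
	if (strcmp(sys, "fchmodat") == 0 || strcmp(sys, "mkdirat") == 0)
		return print_mode_short(val);
	/* every *chown* variant passes the gid in a2 */
	if (strstr(sys, "chown") || strcmp(sys, "setresgid") == 0)
		return print_gid(val, 16);
	if (strcmp(sys, "setresuid") == 0)
		return print_uid(val, 16);
	if (strcmp(sys, "tgkill") == 0)
		return print_signals(val, 16);
	if (strcmp(sys, "mmap") == 0)
		return print_prot(val, 1);
	if (strcmp(sys, "mprotect") == 0)
		return print_prot(val, 0);
	if (strcmp(sys, "socket") == 0)
		return print_socket_proto(val);
	if (strcmp(sys, "clone") == 0)
		return print_clone_flags(val);
	if (strcmp(sys, "recvmsg") == 0)
		return print_recv(val);

	return strdup(val);
}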
/*
 * Print the "-S ..." part of an audit rule from its syscall bitmask.
 *
 * Rules on the user, task and exclude filters carry no syscall and print
 * nothing. A mask whose words (the last one excepted) are all ones is
 * printed as "-S all"; otherwise every set bit is printed by name, or by
 * number when the name cannot be resolved. The arch recorded by the caller
 * in the file-scope _audit_elf, when non-zero, selects the syscall table.
 *
 * *sc receives the last syscall number printed. Returns the number of
 * syscalls printed (0 when nothing was printed); for "-S all" it returns
 * the non-zero loop bound used to detect the all-ones mask.
 */
static int print_syscall(const struct audit_rule_data *r, unsigned int *sc)
{
	int machine = audit_detect_machine();
	unsigned int flt = r->flags & AUDIT_FILTER_MASK;
	unsigned int i;
	int count = 0;

	/* These filters never take a syscall */
	if (flt == AUDIT_FILTER_USER || flt == AUDIT_FILTER_TASK ||
	    flt == AUDIT_FILTER_EXCLUDE)
		return 0;

	/* Look for a word that is not all ones; none means "all" */
	for (i = 0; i < (AUDIT_BITMASK_SIZE-1); i++)
		if (r->mask[i] != (uint32_t)~0)
			break;

	if (i == (AUDIT_BITMASK_SIZE-1)) {
		printf(" -S all");
		return i;
	}

	for (i = 0; i < AUDIT_BITMASK_SIZE * 32; i++) {
		const char *name = NULL;

		if (!(r->mask[AUDIT_WORD(i)] & AUDIT_BIT(i)))
			continue;

		if (_audit_elf)
			machine = audit_elf_to_machine(_audit_elf);
		if (machine >= 0)
			name = audit_syscall_to_name(i, machine);

		/* first entry opens the option, later ones are comma separated */
		printf("%s", count ? "," : " -S ");
		if (name)
			printf("%s", name);
		else
			printf("%d", i);
		count++;
		*sc = i;
	}
	return count;
}
/*
 * Interpret the fourth syscall argument (a3) of event node r.
 *
 * val is the raw field text. mmap and mount get their own decoders; the
 * recv family shares print_recv(). Anything else is copied unchanged.
 *
 * Returns a heap string the caller frees (NULL on allocation failure).
 */
static const char *print_a3(const char *val, const rnode *r)
{
	static const char *const recv_calls[] = {
		"recv", "recvfrom", "recvmmsg"
	};
	const char *sys = audit_syscall_to_name(r->syscall, r->machine);
	size_t k;

	if (sys == NULL)
		return strdup(val);

	if (strcmp(sys, "mmap") == 0)
		return print_mmap(val);
	if (strcmp(sys, "mount") == 0)
		return print_mount(val);
	for (k = 0; k < sizeof(recv_calls) / sizeof(recv_calls[0]); k++)
		if (strcmp(sys, recv_calls[k]) == 0)
			return print_recv(val);

	return strdup(val);
}
/*
 * Interpret the second syscall argument (a1) of event node r.
 *
 * val is the raw hex field text; the syscall name selects the decoder
 * (mode, uid/gid, signal, open flags, epoll op, fcntl command, socket
 * type). Decoders are grouped by the argument type they handle; the
 * syscall names are distinct so the grouping order does not matter.
 *
 * Returns a heap string the caller frees (the raw text copied when no
 * decoder applies), or NULL on allocation failure.
 */
static const char *print_a1(const char *val, const rnode *r)
{
	const char *sys = audit_syscall_to_name(r->syscall, r->machine);

	if (sys == NULL)
		return strdup(val);

	/* mode_t arguments */
	if (!strcmp(sys, "chmod") || !strcmp(sys, "fchmod") ||
	    !strcmp(sys, "mkdir") || !strcmp(sys, "creat"))
		return print_mode_short(val);
	if (!strcmp(sys, "mknod"))
		return print_mode(val, 16);

	/* uid/gid arguments; every *chown* variant passes the uid in a1 */
	if (strstr(sys, "chown") || !strcmp(sys, "setreuid") ||
	    !strcmp(sys, "setresuid"))
		return print_uid(val, 16);
	if (!strcmp(sys, "setregid") || !strcmp(sys, "setresgid"))
		return print_gid(val, 16);

	/* signal numbers */
	if (!strcmp(sys, "kill") || !strcmp(sys, "tkill"))
		return print_signals(val, 16);

	/* flags and commands */
	if (!strcmp(sys, "open"))
		return print_open_flags(val);
	if (!strcmp(sys, "epoll_ctl"))
		return print_epoll_ctl(val);
	if (!strncmp(sys, "fcntl", 5))
		return print_fcntl_cmd(val);
	if (!strcmp(sys, "socket"))
		return print_socket_type(val);

	return strdup(val);
}
/*
 * Interpret the first syscall argument (a0) of event node r.
 *
 * val is the raw hex field text; the syscall name selects the decoder
 * (uid/gid for the set*uid/set*gid family, signal for rt_sigaction,
 * clock id, personality, ptrace request, rlimit resource for the
 * *etrlimit calls, socket domain). Anything else is copied unchanged.
 *
 * Returns a heap string the caller frees, or NULL on allocation failure.
 */
static const char *print_a0(const char *val, const rnode *r)
{
	const char *sys = audit_syscall_to_name(r->syscall, r->machine);

	if (sys == NULL)
		return strdup(val);

	if (!strcmp(sys, "setuid") || !strcmp(sys, "setreuid") ||
	    !strcmp(sys, "setresuid") || !strcmp(sys, "setfsuid"))
		return print_uid(val, 16);
	if (!strcmp(sys, "setgid") || !strcmp(sys, "setregid") ||
	    !strcmp(sys, "setresgid") || !strcmp(sys, "setfsgid"))
		return print_gid(val, 16);
	if (!strcmp(sys, "rt_sigaction"))
		return print_signals(val, 16);
	if (!strcmp(sys, "clock_settime"))
		return print_clock_id(val);
	if (!strcmp(sys, "personality"))
		return print_personality(val);
	if (!strcmp(sys, "ptrace"))
		return print_ptrace(val);
	/* matches both getrlimit and setrlimit */
	if (strstr(sys, "etrlimit"))
		return print_rlimit(val);
	if (!strcmp(sys, "socket"))
		return print_socket_domain(val);

	return strdup(val);
}
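/*
 * Write the host's syscall number -> name table to /etc/safed-xlate.conf,
 * one "number:name" line per known syscall in the range 0..2047.
 *
 * Returns 0 on success, 1 when the machine type cannot be detected or the
 * file cannot be created or fully written. Detection happens before the
 * file is opened so a failure does not leave an empty table behind, and
 * fclose() is checked because it performs the final flush.
 */
int main()
{
	FILE *fp;
	int machine;
	int i;

	machine = audit_detect_machine();
	if (machine < 0) {
		fputs("Cannot detect machine type\n", stderr);
		return 1;
	}

	fp = fopen("/etc/safed-xlate.conf", "w");
	if (!fp) {
		perror("Cannot write to safed-xlate.conf");
		return 1;
	}

	for (i = 0; i < 2048; i++) {
		const char *rsyscall = audit_syscall_to_name(i, machine);
		if (rsyscall)
			fprintf(fp, "%i:%s\n", i, rsyscall);
	}

	/* a failed flush on close means a truncated table on disk */
	if (fclose(fp) != 0) {
		perror("Cannot write to safed-xlate.conf");
		return 1;
	}
	return 0;
}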
/*
 * Look up the name of syscall `id` in the table's architecture.
 *
 * Delegates to libaudit using tbl->audit_machine. Returns the name, or
 * NULL when the id is not known for that machine type.
 */
const char *syscalltbl__name(const struct syscalltbl *tbl, int id)
{
	int machine = tbl->audit_machine;

	return audit_syscall_to_name(id, machine);
}
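/*
 * This function interprets the reply and prints it to stdout. It returns
 * 0 if no more should be read and 1 to indicate that more messages of this
 * type may need to be read.
 *
 * Only AUDIT_LIST_RULES replies are decoded in depth: each rule field is
 * printed by name with its operator; string-valued fields (SELinux
 * subject/object labels, watch, dir, key) are pulled from ruledata->buf
 * at a running offset whose lengths are the field values; finally the
 * syscall bitmask is expanded into names, using the rule's own arch field
 * (remembered in _audit_elf) when it has one.
 *
 * The string lengths in values[] and the running buf offset come straight
 * from the kernel reply and are not checked against ruledata->buflen here;
 * the kernel is treated as the trusted producer of this message.
 *
 * The key field is duplicated with asprintf() before strtok() splits it;
 * a failed asprintf() leaves its output pointer undefined, so the result
 * is checked and the key is skipped (offset still advanced) on failure.
 */
static int audit_print_reply(struct audit_reply *rep)
{
	unsigned int i;
	int first;
	int sparse;
	int machine = audit_detect_machine();
	size_t boffset;
	int show_syscall;

	_audit_elf = 0;
	switch (rep->type) {
		case NLMSG_NOOP:
			return 1;
		case NLMSG_DONE:
			if (printed == 0)
				printf("No rules\n");
			return 0;
		case NLMSG_ERROR:
		        printf("NLMSG_ERROR %d (%s)\n",
				-rep->error->error,
				strerror(-rep->error->error));
			printed = 1;
			return 0;
		case AUDIT_GET:
			printf("AUDIT_STATUS: enabled=%d flag=%d pid=%d"
			" rate_limit=%d backlog_limit=%d lost=%d backlog=%u\n",
			rep->status->enabled, rep->status->failure,
			rep->status->pid, rep->status->rate_limit,
			rep->status->backlog_limit, rep->status->lost,
			rep->status->backlog);
			printed = 1;
			return 0;
		case AUDIT_LIST_RULES:
			list_requested = 0;
			boffset = 0;
			show_syscall = 1;
			/* key filtering: rules whose key does not match are skipped */
			if (key_match(rep) == 0)
				return 1;
			printed = 1;
			printf("%s: %s,%s", audit_msg_type_to_name(rep->type),
				audit_flag_to_name((int)rep->ruledata->flags),
				audit_action_to_name(rep->ruledata->action));

			for (i = 0; i < rep->ruledata->field_count; i++) {
				const char *name;
				int op = rep->ruledata->fieldflags[i] &
						AUDIT_OPERATORS;
				int field = rep->ruledata->fields[i] &
						~AUDIT_OPERATORS;

				name = audit_field_to_name(field);
				if (name) {
					if (strcmp(name, "arch") == 0) {
						/* remember the arch so the syscall
						 * names below use its table */
						_audit_elf =
						    rep->ruledata->values[i];
						printf(" %s%s%u", name,
						  audit_operator_to_symbol(op),
					    (unsigned)rep->ruledata->values[i]);
					}
					else if (strcmp(name, "msgtype") == 0) {
						if (!audit_msg_type_to_name(
						      rep->ruledata->values[i]))
							printf(" %s%s%d", name,
								audit_operator_to_symbol(op),
								rep->ruledata->values[i]);
						else {
							printf(" %s%s%s", name,
								audit_operator_to_symbol(op),
								audit_msg_type_to_name(rep->ruledata->values[i]));
						}
					} else if ((field >= AUDIT_SUBJ_USER &&
						  field <= AUDIT_OBJ_LEV_HIGH)
						&& field != AUDIT_PPID &&
					       rep->type == AUDIT_LIST_RULES) {
						/* string field: value is its length in buf */
						printf(" %s%s%.*s", name,
						  audit_operator_to_symbol(op),
						  rep->ruledata->values[i],
						  &rep->ruledata->buf[boffset]);
						boffset +=
						    rep->ruledata->values[i];
					} else if (field == AUDIT_WATCH) {
						printf(" watch=%.*s",
						  rep->ruledata->values[i],
						  &rep->ruledata->buf[boffset]);
						boffset +=
						    rep->ruledata->values[i];
					} else if (field == AUDIT_DIR) {
						printf(" dir=%.*s",
						  rep->ruledata->values[i],
						  &rep->ruledata->buf[boffset]);
						boffset +=
						    rep->ruledata->values[i];
					} else if (field == AUDIT_FILTERKEY) {
						char *rkey, *ptr;
						/* copy: strtok() writes into its argument */
						if (asprintf(&rkey, "%.*s",
						rep->ruledata->values[i],
						&rep->ruledata->buf[boffset]) < 0)
							rkey = NULL;
						boffset +=
						    rep->ruledata->values[i];
						ptr = rkey ? strtok(rkey, key_sep)
							   : NULL;
						while (ptr) {
							printf(" key=%s", ptr);
							ptr = strtok(NULL,
								key_sep);
						}
						free(rkey);
					} else if (field == AUDIT_PERM) {
						/* at most "rwxa" plus NUL */
						char perms[5];
						int val=rep->ruledata->values[i];
						perms[0] = 0;
						if (val & AUDIT_PERM_READ)
							strcat(perms, "r");
						if (val & AUDIT_PERM_WRITE)
							strcat(perms, "w");
						if (val & AUDIT_PERM_EXEC)
							strcat(perms, "x");
						if (val & AUDIT_PERM_ATTR)
							strcat(perms, "a");
						printf(" perm=%s", perms);
						/* perm rules do not list syscalls */
						show_syscall = 0;
					} else if (field == AUDIT_INODE) {
						// Unsigned items
						printf(" %s%s%u", name,
							audit_operator_to_symbol(op),
							rep->ruledata->values[i]);
					} else if (field == AUDIT_FIELD_COMPARE) {
						switch (rep->ruledata->values[i])
						{
						case AUDIT_COMPARE_UID_TO_OBJ_UID:
							printf(" uid%sobj_uid",audit_operator_to_symbol(op));
							break;
						case AUDIT_COMPARE_GID_TO_OBJ_GID:
							printf(" gid%sobj_gid",audit_operator_to_symbol(op));
							break;
						case AUDIT_COMPARE_EUID_TO_OBJ_UID:
							printf(" euid%sobj_uid",audit_operator_to_symbol(op));
							break;
						case AUDIT_COMPARE_EGID_TO_OBJ_GID:
							printf(" egid%sobj_gid",audit_operator_to_symbol(op));
							break;
						case AUDIT_COMPARE_AUID_TO_OBJ_UID:
							printf(" auid%sobj_uid",audit_operator_to_symbol(op));
							break;
						case AUDIT_COMPARE_SUID_TO_OBJ_UID:
							printf(" suid%sobj_uid",audit_operator_to_symbol(op));
							break;
						case AUDIT_COMPARE_SGID_TO_OBJ_GID:
							printf(" sgid%sobj_gid",audit_operator_to_symbol(op));
							break;
						case AUDIT_COMPARE_FSUID_TO_OBJ_UID:
							printf(" fsuid%sobj_uid",audit_operator_to_symbol(op));
							break;
						case AUDIT_COMPARE_FSGID_TO_OBJ_GID:
							printf(" fsgid%sobj_gid",audit_operator_to_symbol(op));
							break;
						case AUDIT_COMPARE_UID_TO_AUID:
							printf(" uid%sauid",audit_operator_to_symbol(op));
							break;
						case AUDIT_COMPARE_UID_TO_EUID:
							printf(" uid%seuid",audit_operator_to_symbol(op));
							break;
						case AUDIT_COMPARE_UID_TO_FSUID:
							printf(" uid%sfsuid",audit_operator_to_symbol(op));
							break;
						case AUDIT_COMPARE_UID_TO_SUID:
							printf(" uid%ssuid",audit_operator_to_symbol(op));
							break;
						case AUDIT_COMPARE_AUID_TO_FSUID:
							printf(" auid%sfsuid",audit_operator_to_symbol(op));
							break;
						case AUDIT_COMPARE_AUID_TO_SUID:
							printf(" auid%ssuid",audit_operator_to_symbol(op));
							break;
						case AUDIT_COMPARE_AUID_TO_EUID:
							printf(" auid%seuid",audit_operator_to_symbol(op));
							break;
						case AUDIT_COMPARE_EUID_TO_SUID:
							printf(" euid%ssuid",audit_operator_to_symbol(op));
							break;
						case AUDIT_COMPARE_EUID_TO_FSUID:
							printf(" euid%sfsuid",audit_operator_to_symbol(op));
							break;
						case AUDIT_COMPARE_SUID_TO_FSUID:
							printf(" suid%sfsuid",audit_operator_to_symbol(op));
							break;
						case AUDIT_COMPARE_GID_TO_EGID:
							printf(" gid%segid",audit_operator_to_symbol(op));
							break;
						case AUDIT_COMPARE_GID_TO_FSGID:
							printf(" gid%sfsgid",audit_operator_to_symbol(op));
							break;
						case AUDIT_COMPARE_GID_TO_SGID:
							printf(" gid%ssgid",audit_operator_to_symbol(op));
							break;
						case AUDIT_COMPARE_EGID_TO_FSGID:
							printf(" egid%sfsgid",audit_operator_to_symbol(op));
							break;
						case AUDIT_COMPARE_EGID_TO_SGID:
							printf(" egid%ssgid",audit_operator_to_symbol(op));
							break;
						case AUDIT_COMPARE_SGID_TO_FSGID:
							printf(" sgid%sfsgid",audit_operator_to_symbol(op));
							break;
						default:
							/* unknown comparison: nothing printed */
							break;
						}
					} else {
						// Signed items
						printf(" %s%s%d", name,
							audit_operator_to_symbol(op),
							rep->ruledata->values[i]);
					}
				} else {
					/* field number unknown to this libaudit */
					printf(" f%d%s%d", rep->ruledata->fields[i],
						audit_operator_to_symbol(op),
						rep->ruledata->values[i]);
				}
				/* Avoid printing value if the field type is
				 * known to return a string. */
				if (rep->ruledata->values[i] &&
						(field < AUDIT_SUBJ_USER ||
						 field > AUDIT_SUBJ_CLR) &&
						field != AUDIT_WATCH &&
						field != AUDIT_FILTERKEY &&
						field != AUDIT_PERM &&
						field != AUDIT_FIELD_COMPARE)
					printf(" (0x%x)", rep->ruledata->values[i]);
			}
			/* user/task/exclude filter rules carry no syscall mask */
			if (show_syscall &&
				((rep->ruledata->flags & AUDIT_FILTER_MASK) !=
						AUDIT_FILTER_USER) &&
				((rep->ruledata->flags & AUDIT_FILTER_MASK) !=
						AUDIT_FILTER_TASK) &&
				((rep->ruledata->flags & AUDIT_FILTER_MASK) !=
						AUDIT_FILTER_EXCLUDE)) {
				printf(" syscall=");
				/* all-ones mask (last word excepted) means "all" */
				for (sparse = 0, i = 0;
					i < (AUDIT_BITMASK_SIZE-1); i++) {
					if (rep->ruledata->mask[i] != (uint32_t)~0)
						sparse = 1;
				}
				if (!sparse) {
					printf("all");
				} else for (first = 1, i = 0;
					i < AUDIT_BITMASK_SIZE * 32; i++) {
					int word = AUDIT_WORD(i);
					int bit  = AUDIT_BIT(i);
					if (rep->ruledata->mask[word] & bit) {
						const char *ptr;
						if (_audit_elf)
							machine =
							audit_elf_to_machine(
								_audit_elf);
						if (machine < 0)
							ptr = NULL;
						else
							ptr =
							audit_syscall_to_name(i,
							machine);
						if (ptr)
							printf("%s%s",
							first ? "" : ",", ptr);
						else
							printf("%s%d",
							first ? "" : ",", i);
						first = 0;
					}
				}
			}
			printf("\n");
			return 1; /* get more messages until NLMSG_DONE */
		default:
			printf("Unknown: type=%d, len=%d\n", rep->type,
				rep->nlh->nlmsg_len);
			printed = 1;
			return 0;
	}
}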
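/*
 * ausyscall entry point: translate between syscall names and numbers.
 *
 * Arguments (at most three, any order): a syscall number, a syscall name
 * or name fragment, a machine/arch name, and the flags --dump (print the
 * whole table) and --exact (require a full name match instead of a
 * case-insensitive substring search). When no arch is given the running
 * host's is used.
 *
 * Returns 0 on success, 1 on unknown syscall, unknown machine type or
 * bad usage (usage() is expected not to return). A numeric argument is
 * now parsed with an end pointer so that trailing garbage such as "12x"
 * is rejected instead of silently becoming 12, and isdigit() is fed an
 * unsigned char value since a plain char may be negative for non-ASCII
 * bytes.
 */
int main(int argc, char *argv[])
{
	int i, rc;
	int machine=-1, syscall_num=-1, dump=0, exact=0;
	const char *name = NULL;

	if (argc > 4) {
		fputs("Too many arguments\n", stderr);
		usage();
	} else if (argc < 2)
		usage();

	for (i=1; i<argc; i++) {
		if (isdigit((unsigned char)argv[i][0])) {
			char *end;
			long num;

			if (syscall_num != -1) {
				fputs("Two syscall numbers not allowed\n",
					stderr);
				usage();
			}
			num = strtol(argv[i], &end, 10);
			/* whole argument must be digits and fit an int;
			 * out-of-range values that still fit a long are
			 * caught by the int round-trip check */
			if (*end != '\0' || num < 0 || (long)(int)num != num) {
				fprintf(stderr, "Invalid syscall number %s\n",
					argv[i]);
				usage();
			}
			syscall_num = (int)num;
		} else if ((rc = audit_name_to_machine(argv[i])) != -1) {
			if (machine != -1) {
				fputs("Two machine types not allowed\n",stderr);
				usage();
			}
			machine = rc;
		} else if (strcmp("--dump", argv[i]) == 0) {
			dump=1;
		} else if (strcmp("--exact", argv[i]) == 0) {
			exact=1;
#ifndef WITH_ALPHA
		} else if (strcmp("alpha", argv[i]) == 0) {
			fputs("Alpha processor support is not enabled\n",
					stderr);
			exit(1);
#endif
#ifndef WITH_ARMEB
		} else if (strcmp("armeb", argv[i]) == 0) {
			fputs("Arm eabi processor support is not enabled\n",
					stderr);
			exit(1);
#endif
		} else {
			if (name != NULL) {
				fputs("Two syscall names not allowed\n",stderr);
				usage();
			}
			name = argv[i];
		}
	}
	if (machine == -1)
		machine = audit_detect_machine();
	if (machine == -1) {
		fprintf(stderr, "Unable to detect machine type\n");
		return 1;
	}

	if (dump) {
		printf("Using %s syscall table:\n",
			audit_machine_to_name(machine));
		for (i=0; i<8192; i++) {
			name = audit_syscall_to_name(i, machine);
			if (name)
				printf("%d\t%s\n", i, name);
		}
		return 0;
	}

	if (name) {
		if (exact) {
			rc = audit_name_to_syscall(name, machine);
			if (rc < 0) {
				fprintf(stderr,
					"Unknown syscall %s using %s lookup table\n",
					name, audit_machine_to_name(machine));
				return 1;
			} else
				printf("%d\n", rc);
		} else {
			/* substring search: may print several matches */
			int found = 0;
			for (i=0; i< LAST_SYSCALL; i++) {
				const char *n = audit_syscall_to_name(i, machine);
				if (n && strcasestr(n, name)) {
					found = 1;
					printf("%-18s %d\n", n, i);
				}
			}
			if (!found) {
				fprintf(stderr,
					"Unknown syscall %s using %s lookup table\n",
					name, audit_machine_to_name(machine));
				return 1;
			}
		}
	} else if (syscall_num != -1) {
		name = audit_syscall_to_name(syscall_num, machine);
		if (name == NULL) {
			fprintf(stderr,
				"Unknown syscall %d using %s lookup table\n",
				syscall_num, audit_machine_to_name(machine));
			return 1;
		} else
			printf("%s\n", name);
	} else {
		fputs("Error - either a syscall name or number must "
			"be given with an optional arch\n", stderr);
		return 1;
	}

	return 0;
}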