1 /*-
2 * Copyright (c) 2004-2009 Apple Inc.
3 * Copyright (c) 2005 SPARTA, Inc.
4 * Copyright (c) 2006 Robert N. M. Watson
5 * Copyright (c) 2006 Martin Voros
6 * All rights reserved.
7 *
8 * This code was developed in part by Robert N. M. Watson, Senior Principal
9 * Scientist, SPARTA, Inc.
10 *
11 * Redistribution and use in source and binary forms, with or without
12 * modification, are permitted provided that the following conditions
13 * are met:
14 * 1. Redistributions of source code must retain the above copyright
15 * notice, this list of conditions and the following disclaimer.
16 * 2. Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in the
18 * documentation and/or other materials provided with the distribution.
19 * 3. Neither the name of Apple Inc. ("Apple") nor the names of
20 * its contributors may be used to endorse or promote products derived
21 * from this software without specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
27 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
31 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
32 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
33 * POSSIBILITY OF SUCH DAMAGE.
34 */
35
36 #include <sys/types.h>
37
38 #include <config/config.h>
39
40 #ifdef USE_ENDIAN_H
41 #include <endian.h>
42 #endif
43 #ifdef USE_SYS_ENDIAN_H
44 #include <sys/endian.h>
45 #endif
46 #ifdef USE_MACHINE_ENDIAN_H
47 #include <machine/endian.h>
48 #endif
49 #ifdef USE_COMPAT_ENDIAN_H
50 #include <compat/endian.h>
51 #endif
52 #ifdef USE_COMPAT_ENDIAN_ENC_H
53 #include <compat/endian_enc.h>
54 #endif
55
56 #ifdef HAVE_FULL_QUEUE_H
57 #include <sys/queue.h>
58 #else /* !HAVE_FULL_QUEUE_H */
59 #include <compat/queue.h>
60 #endif /* !HAVE_FULL_QUEUE_H */
61
62 #include <sys/stat.h>
63 #include <sys/socket.h>
64
65 #include <bsm/libbsm.h>
66
67 #include <unistd.h>
68 #include <netinet/in.h>
69 #include <arpa/inet.h>
70 #include <errno.h>
71 #include <time.h>
72 #include <stdlib.h>
73 #include <stdio.h>
74 #include <string.h>
75 #include <pwd.h>
76 #include <grp.h>
77
78 #ifdef HAVE_VIS
79 #include <vis.h>
80 #else
81 #include <compat/vis.h>
82 #endif
83
84 #include <bsm/audit_internal.h>
85
86 #define READ_TOKEN_BYTES(buf, len, dest, size, bytesread, err) do { \
87 if ((bytesread) + (size) > (u_int32_t)(len)) { \
88 (err) = 1; \
89 } else { \
90 memcpy((dest), (buf) + (bytesread), (size)); \
91 bytesread += size; \
92 } \
93 } while (0)
94
95 #define READ_TOKEN_U_CHAR(buf, len, dest, bytesread, err) do { \
96 if ((bytesread) + sizeof(u_char) <= (u_int32_t)(len)) { \
97 (dest) = buf[(bytesread)]; \
98 (bytesread) += sizeof(u_char); \
99 } else \
100 (err) = 1; \
101 } while (0)
102
103 #define READ_TOKEN_U_INT16(buf, len, dest, bytesread, err) do { \
104 if ((bytesread) + sizeof(u_int16_t) <= (u_int32_t)(len)) { \
105 (dest) = be16dec((buf) + (bytesread)); \
106 (bytesread) += sizeof(u_int16_t); \
107 } else \
108 (err) = 1; \
109 } while (0)
110
111 #define READ_TOKEN_U_INT32(buf, len, dest, bytesread, err) do { \
112 if ((bytesread) + sizeof(u_int32_t) <= (u_int32_t)(len)) { \
113 (dest) = be32dec((buf) + (bytesread)); \
114 (bytesread) += sizeof(u_int32_t); \
115 } else \
116 (err) = 1; \
117 } while (0)
118
119 #define READ_TOKEN_U_INT64(buf, len, dest, bytesread, err) do { \
120 if ((bytesread) + sizeof(u_int64_t) <= (u_int32_t)(len)) { \
121 dest = be64dec((buf) + (bytesread)); \
122 (bytesread) += sizeof(u_int64_t); \
123 } else \
124 (err) = 1; \
125 } while (0)
126
127 #define SET_PTR(buf, len, ptr, size, bytesread, err) do { \
128 if ((bytesread) + (size) > (u_int32_t)(len)) \
129 (err) = 1; \
130 else { \
131 (ptr) = (buf) + (bytesread); \
132 (bytesread) += (size); \
133 } \
134 } while (0)
135
136 /*
137 * XML option.
138 */
139 #define AU_PLAIN 0
140 #define AU_XML 1
141
/*
 * Writes the field delimiter `del` to `fp` verbatim.
 */
static void
print_delim(FILE *fp, const char *del)
{

	(void) fputs(del, fp);
}
151
/*
 * Emits one byte through the caller-supplied printf-style `format`.  The
 * format must take a single unsigned int; callers in this file pass literals
 * such as "%u", so the value is widened explicitly to match.
 */
static void
print_1_byte(FILE *fp, u_char val, const char *format)
{
	unsigned int widened = val;

	(void) fprintf(fp, format, widened);
}
161
/*
 * Emits a 16-bit value through the caller-supplied printf-style `format`,
 * which must take a single unsigned int (callers pass literals like "%u").
 */
static void
print_2_bytes(FILE *fp, u_int16_t val, const char *format)
{
	unsigned int widened = val;

	(void) fprintf(fp, format, widened);
}
171
/*
 * Emits a 32-bit value through the caller-supplied printf-style `format`,
 * which must take a single unsigned int (callers pass literals such as "%u"
 * and "0x%x").
 */
static void
print_4_bytes(FILE *fp, u_int32_t val, const char *format)
{

	(void) fprintf(fp, format, (unsigned int)val);
}
181
/*
 * Emits a 64-bit value through the caller-supplied printf-style `format`,
 * which must take a single unsigned long long.  The cast makes the argument
 * match a "%llu"/"%llx" conversion on every platform, whatever u_int64_t
 * is typedef'd to locally.
 */
static void
print_8_bytes(FILE *fp, u_int64_t val, const char *format)
{

	(void) fprintf(fp, format, (unsigned long long)val);
}
191
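/*
 * Prints `len` bytes of `data` as one hex number: a "0x" prefix followed by
 * two lower-case hex digits per byte.  Nothing at all is printed for an
 * empty buffer.  The loop index is a size_t so that it can never be narrower
 * than `len` (the previous u_int32_t index would not have terminated for a
 * length above 2^32).
 */
static void
print_mem(FILE *fp, u_char *data, size_t len)
{
	size_t i;

	if (len == 0)
		return;
	(void) fputs("0x", fp);
	for (i = 0; i < len; i++)
		(void) fprintf(fp, "%02x", data[i]);
}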
206
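/*
 * Prints `len` bytes of `str` as plain text, dropping embedded NUL bytes
 * (so the terminating NUL that BSM counts in a string's length does not
 * reach the output).  No other escaping is done; print_xml_string() is the
 * variant for XML output.  The loop index is a size_t so it can never be
 * narrower than `len`.
 */
static void
print_string(FILE *fp, const char *str, size_t len)
{
	size_t i;

	for (i = 0; i < len; i++) {
		if (str[i] == '\0')
			continue;
		(void) fputc(str[i], fp);
	}
}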
222
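/*
 * Prints `len` bytes of `str` as XML character data.  The five characters
 * XML reserves are replaced by entity references (&amp; &lt; &gt; &quot;
 * &apos;), so text taken from the audit trail cannot terminate the element
 * or attribute it is printed inside; every other byte goes through vis(3)
 * in C style, which renders control characters and non-printables as
 * escape sequences.  Output stops at the first NUL.
 *
 * This is the only place that sanitizes trail data for the XML output, so
 * the entity names here must stay literal -- the code as reviewed wrote the
 * reserved characters through unchanged.
 */
static void
print_xml_string(FILE *fp, const char *str, size_t len)
{
	size_t i;
	char visbuf[5];		/* vis(3) writes at most 4 chars plus NUL */

	for (i = 0; i < len; i++) {
		const char *piece;

		switch (str[i]) {
		case '\0':
			return;

		case '&':
			piece = "&amp;";
			break;

		case '<':
			piece = "&lt;";
			break;

		case '>':
			piece = "&gt;";
			break;

		case '\"':
			piece = "&quot;";
			break;

		case '\'':
			piece = "&apos;";
			break;

		default:
			(void) vis(visbuf, str[i], VIS_CSTYLE, 0);
			piece = visbuf;
			break;
		}
		(void) fputs(piece, fp);
	}
}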
267
/*
 * Starts an XML attribute: writes `str` followed by `="`.  The value is
 * printed by the caller and terminated with close_attr().
 */
static void
open_attr(FILE *fp, const char *str)
{

	(void) fputs(str, fp);
	(void) fputs("=\"", fp);
}
277
/*
 * Ends an XML attribute started by open_attr(): writes the closing quote
 * and a space that separates it from the next attribute or tag end.
 */
static void
close_attr(FILE *fp)
{

	(void) fputs("\" ", fp);
}
287
/*
 * Prints whatever closes the XML element that print_tok_type() opened for
 * token `type`: ">" for record headers (the record's other tokens follow as
 * children and the trailer writes "</record>"), "/>" for tokens printed as a
 * bare attribute list, and a named end tag for tokens whose payload was
 * printed as element content.  Token types with no XML form print nothing.
 */
static void
close_tag(FILE *fp, u_char type)
{
	const char *closing;

	switch (type) {
	case AUT_HEADER32:
	case AUT_HEADER32_EX:
	case AUT_HEADER64:
	case AUT_HEADER64_EX:
		closing = ">";
		break;

	case AUT_ARG32:
	case AUT_ARG64:
	case AUT_ATTR32:
	case AUT_ATTR64:
	case AUT_EXIT:
	case AUT_IP:
	case AUT_IPC:
	case AUT_IPC_PERM:
	case AUT_PROCESS32:
	case AUT_PROCESS32_EX:
	case AUT_PROCESS64:
	case AUT_PROCESS64_EX:
	case AUT_RETURN32:
	case AUT_RETURN64:
	case AUT_SEQ:
	case AUT_SOCKET:
	case AUT_SOCKINET32:
	case AUT_SOCKUNIX:
	case AUT_SOCKINET128:
	case AUT_SUBJECT32:
	case AUT_SUBJECT64:
	case AUT_SUBJECT32_EX:
	case AUT_SUBJECT64_EX:
	case AUT_SOCKET_EX:
	case AUT_ZONENAME:
		closing = "/>";
		break;

	case AUT_EXEC_ARGS:
		closing = "</exec_args>";
		break;

	case AUT_EXEC_ENV:
		closing = "</exec_env>";
		break;

	case AUT_OTHER_FILE32:
		closing = "</file>";
		break;

	case AUT_NEWGROUPS:
		closing = "</group>";
		break;

	case AUT_IN_ADDR:
	case AUT_IN_ADDR_EX:
		closing = "</ip_address>";
		break;

	case AUT_IPORT:
		closing = "</ip_port>";
		break;

	case AUT_OPAQUE:
		closing = "</opaque>";
		break;

	case AUT_PATH:
		closing = "</path>";
		break;

	case AUT_TEXT:
		closing = "</text>";
		break;

	case AUT_DATA:
		closing = "</arbitrary>";
		break;

	default:
		/* No XML rendering for this token type. */
		return;
	}
	(void) fputs(closing, fp);
}
457
/*
 * Prints the start of a token.  Without AU_OFLAG_XML this is either the
 * numeric token id (AU_OFLAG_RAW) or the caller's `tokname`.  With
 * AU_OFLAG_XML it is the opening tag for the token type -- left open
 * ("<record ") when attributes follow and close_tag() finishes it, or a
 * complete tag ("<path>") when the payload is element content; the trailer
 * emits the "</record>" end tag.  Types without an XML form print nothing.
 */
static void
print_tok_type(FILE *fp, u_char type, const char *tokname, int oflags)
{
	const char *opening;

	if ((oflags & AU_OFLAG_XML) == 0) {
		if (oflags & AU_OFLAG_RAW)
			(void) fprintf(fp, "%u", type);
		else
			(void) fputs(tokname, fp);
		return;
	}

	switch (type) {
	case AUT_HEADER32:
	case AUT_HEADER32_EX:
	case AUT_HEADER64:
	case AUT_HEADER64_EX:
		opening = "<record ";
		break;

	case AUT_TRAILER:
		opening = "</record>";
		break;

	case AUT_ARG32:
	case AUT_ARG64:
		opening = "<argument ";
		break;

	case AUT_ATTR32:
	case AUT_ATTR64:
		opening = "<attribute ";
		break;

	case AUT_EXIT:
		opening = "<exit ";
		break;

	case AUT_EXEC_ARGS:
		opening = "<exec_args>";
		break;

	case AUT_EXEC_ENV:
		opening = "<exec_env>";
		break;

	case AUT_OTHER_FILE32:
		opening = "<file ";
		break;

	case AUT_NEWGROUPS:
		opening = "<group>";
		break;

	case AUT_IN_ADDR:
	case AUT_IN_ADDR_EX:
		opening = "<ip_address>";
		break;

	case AUT_IP:
		opening = "<ip ";
		break;

	case AUT_IPC:
		/*
		 * NOTE(review): unlike every other open tag this one has no
		 * trailing space; verify that the IPC token printer emits one
		 * before its first attribute.  Kept byte-identical here.
		 */
		opening = "<IPC";
		break;

	case AUT_IPC_PERM:
		opening = "<IPC_perm ";
		break;

	case AUT_IPORT:
		opening = "<ip_port>";
		break;

	case AUT_OPAQUE:
		opening = "<opaque>";
		break;

	case AUT_PATH:
		opening = "<path>";
		break;

	case AUT_PROCESS32:
	case AUT_PROCESS32_EX:
	case AUT_PROCESS64:
	case AUT_PROCESS64_EX:
		opening = "<process ";
		break;

	case AUT_RETURN32:
	case AUT_RETURN64:
		opening = "<return ";
		break;

	case AUT_SEQ:
		opening = "<sequence ";
		break;

	case AUT_SOCKET:
	case AUT_SOCKET_EX:
		opening = "<socket ";
		break;

	case AUT_SOCKINET32:
		opening = "<socket-inet ";
		break;

	case AUT_SOCKUNIX:
		opening = "<socket-unix ";
		break;

	case AUT_SOCKINET128:
		opening = "<socket-inet6 ";
		break;

	case AUT_SUBJECT32:
	case AUT_SUBJECT64:
	case AUT_SUBJECT32_EX:
	case AUT_SUBJECT64_EX:
		opening = "<subject ";
		break;

	case AUT_TEXT:
		opening = "<text>";
		break;

	case AUT_DATA:
		opening = "<arbitrary ";
		break;

	case AUT_ZONENAME:
		opening = "<zone ";
		break;

	default:
		/* No XML rendering for this token type. */
		return;
	}
	(void) fputs(opening, fp);
}
638
/*
 * Prints a user id, resolved to a login name through getpwuid(3) unless
 * AU_OFLAG_RAW or AU_OFLAG_NORESOLVE is set or the lookup fails.  The
 * numeric form goes through "%d" as it always has, so ids at or above 2^31
 * appear as negative numbers.  getpwuid(3) returns a static buffer, so this
 * is not safe to call from several threads at once.
 */
static void
print_user(FILE *fp, u_int32_t usr, int oflags)
{
	struct passwd *pwent = NULL;

	if ((oflags & (AU_OFLAG_RAW | AU_OFLAG_NORESOLVE)) == 0)
		pwent = getpwuid(usr);
	if (pwent != NULL)
		(void) fprintf(fp, "%s", pwent->pw_name);
	else
		(void) fprintf(fp, "%d", (int)usr);
}
657
/*
 * Prints a group id, resolved to a group name through getgrgid(3) unless
 * AU_OFLAG_RAW or AU_OFLAG_NORESOLVE is set or the lookup fails.  The
 * numeric form goes through "%d" as it always has, so ids at or above 2^31
 * appear as negative numbers.  getgrgid(3) returns a static buffer, so this
 * is not safe to call from several threads at once.
 */
static void
print_group(FILE *fp, u_int32_t grp, int oflags)
{
	struct group *grpent = NULL;

	if ((oflags & (AU_OFLAG_RAW | AU_OFLAG_NORESOLVE)) == 0)
		grpent = getgrgid(grp);
	if (grpent != NULL)
		(void) fprintf(fp, "%s", grpent->gr_name);
	else
		(void) fprintf(fp, "%d", (int)grp);
}
676
/*
 * Prints the event number from a header token.  The event is looked up in
 * the audit event database with getauevnum_r(3); an unknown event, or
 * AU_OFLAG_RAW, prints the bare number, AU_OFLAG_SHORT prints the event's
 * name and the default prints its description.  The lookup writes into the
 * two local buffers, sized AU_EVENT_NAME_MAX / AU_EVENT_DESC_MAX.
 */
static void
print_event(FILE *fp, u_int16_t ev, int oflags)
{
	char event_ent_name[AU_EVENT_NAME_MAX];
	char event_ent_desc[AU_EVENT_DESC_MAX];
	struct au_event_ent e;
	const char *label;

	memset(&e, 0, sizeof(e));
	memset(event_ent_name, 0, sizeof(event_ent_name));
	memset(event_ent_desc, 0, sizeof(event_ent_desc));
	e.ae_name = event_ent_name;
	e.ae_desc = event_ent_desc;

	if (getauevnum_r(&e, ev) == NULL || (oflags & AU_OFLAG_RAW)) {
		(void) fprintf(fp, "%u", ev);
		return;
	}
	label = (oflags & AU_OFLAG_SHORT) ? e.ae_name : e.ae_desc;
	(void) fprintf(fp, "%s", label);
}
707
708
/*
 * Prints the event modifier from a header token.  The raw and the default
 * rendering are the same decimal number, so `oflags` does not affect the
 * output; it is accepted for symmetry with the other print_* helpers.
 */
static void
print_evmod(FILE *fp, u_int16_t evmod, int oflags)
{

	(void) oflags;
	(void) fprintf(fp, "%u", (unsigned int)evmod);
}
721
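/*
 * Prints a 32-bit seconds-since-epoch value: the bare number with
 * AU_OFLAG_RAW, otherwise the ctime(3) form without its trailing newline.
 *
 * ctime_r(3) returns NULL without writing the buffer when it cannot
 * represent the time (for instance a year outside int range); in that
 * case the number is printed instead of the previously uninitialized
 * buffer contents.
 */
static void
print_sec32(FILE *fp, u_int32_t sec, int oflags)
{
	time_t timestamp;
	char timestr[26];	/* ctime_r(3) needs at least 26 bytes */

	if (oflags & AU_OFLAG_RAW) {
		(void) fprintf(fp, "%u", sec);
		return;
	}
	timestamp = (time_t)sec;
	if (ctime_r(&timestamp, timestr) == NULL) {
		(void) fprintf(fp, "%u", sec);
		return;
	}
	timestr[24] = '\0';	/* No new line */
	(void) fprintf(fp, "%s", timestr);
}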
740
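/*
 * Prints a 64-bit seconds-since-epoch value from a 64-bit token.
 *
 * XXXRW: 64-bit token streams make use of 64-bit time stamps; since we
 * assume a 32-bit time_t, the raw form simply truncates to 32 bits for now.
 *
 * The ctime(3) form converts the full value to time_t.  A 64-bit value from
 * the trail can easily be a date ctime_r(3) cannot represent, in which case
 * it returns NULL without touching the buffer; the number is then printed
 * (untruncated) instead of the previously uninitialized buffer contents.
 */
static void
print_sec64(FILE *fp, u_int64_t sec, int oflags)
{
	time_t timestamp;
	char timestr[26];	/* ctime_r(3) needs at least 26 bytes */

	if (oflags & AU_OFLAG_RAW) {
		(void) fprintf(fp, "%u", (u_int32_t)sec);
		return;
	}
	timestamp = (time_t)sec;
	if (ctime_r(&timestamp, timestr) == NULL) {
		(void) fprintf(fp, "%llu", (unsigned long long)sec);
		return;
	}
	timestr[24] = '\0';	/* No new line */
	(void) fprintf(fp, "%s", timestr);
}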
760
/*
 * Prints the sub-second part of a 32-bit time stamp: the bare number with
 * AU_OFLAG_RAW, otherwise " + N msec" so it reads as a suffix to the
 * ctime(3) text printed by print_sec32().
 */
static void
print_msec32(FILE *fp, u_int32_t msec, int oflags)
{
	const char *format = (oflags & AU_OFLAG_RAW) ? "%u" : " + %u msec";

	(void) fprintf(fp, format, msec);
}
772
/*
 * Prints the sub-second part of a 64-bit time stamp in the same two forms
 * as print_msec32().
 *
 * XXXRW: 64-bit token streams make use of 64-bit time stamps; since we
 * assume a 32-bit msec, only the low 32 bits are printed for now.
 */
static void
print_msec64(FILE *fp, u_int64_t msec, int oflags)
{
	u_int32_t low = (u_int32_t)msec;	/* truncation is the point */

	if (oflags & AU_OFLAG_RAW)
		(void) fprintf(fp, "%u", low);
	else
		(void) fprintf(fp, " + %u msec", low);
}
787
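/*
 * Prints an IPv4 address, given in network byte order as it sits in the
 * token, in dotted-quad form.  inet_ntop(3) is used instead of inet_ntoa(3)
 * so the text lands in a local buffer rather than inet_ntoa's single static
 * one, which made the old version unsafe when several threads print at
 * once.  inet_ntop() cannot fail for AF_INET with a correctly sized buffer,
 * but the NULL return is handled rather than passed to "%s".
 */
static void
print_ip_address(FILE *fp, u_int32_t ip)
{
	struct in_addr ipaddr;
	char dst[INET_ADDRSTRLEN];

	ipaddr.s_addr = ip;
	if (inet_ntop(AF_INET, &ipaddr, dst, sizeof(dst)) == NULL)
		(void) fputs("invalid", fp);
	else
		(void) fputs(dst, fp);
}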
799
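/*
 * Prints the address of an expanded (ad_type-tagged) token.  `type` is the
 * BSM address type; for AU_IPv4 the first word of `ipaddr` is the address,
 * for AU_IPv6 all 16 bytes are, so `ipaddr` must point at four u_int32_t
 * (the header_ex fetchers zero the whole array before filling it).  Any
 * other type, or a conversion failure, prints "invalid" -- inet_ntop(3)
 * returns NULL on failure and that must not reach "%s".
 */
static void
print_ip_ex_address(FILE *fp, u_int32_t type, u_int32_t *ipaddr)
{
	struct in_addr ipv4;
	struct in6_addr ipv6;
	char dst[INET6_ADDRSTRLEN];
	const char *text = NULL;

	switch (type) {
	case AU_IPv4:
		ipv4.s_addr = (in_addr_t)(ipaddr[0]);
		text = inet_ntop(AF_INET, &ipv4, dst, sizeof(dst));
		break;

	case AU_IPv6:
		memcpy(&ipv6, ipaddr, sizeof(ipv6));
		text = inet_ntop(AF_INET6, &ipv6, dst, sizeof(dst));
		break;

	default:
		break;
	}
	(void) fputs(text != NULL ? text : "invalid", fp);
}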
827
/*
 * Prints the status byte of a return token.  AU_OFLAG_RAW prints the BSM
 * value as a number.  Otherwise the BSM error number is mapped to the local
 * errno with au_bsm_to_errno(); 0 prints "success", a known error prints
 * "failure : <strerror text>", and a value with no local equivalent prints
 * the BSM number.  strerror(3) may use a static buffer.
 *
 * We may want to provide an au_strerror(3) in the future so that we can
 * print strings for non-local errors.
 */
static void
print_retval(FILE *fp, u_char status, int oflags)
{
	int error;

	if (oflags & AU_OFLAG_RAW) {
		(void) fprintf(fp, "%u", status);
		return;
	}
	if (au_bsm_to_errno(status, &error) != 0) {
		(void) fprintf(fp, "failure: Unknown error: %d", status);
		return;
	}
	if (error == 0)
		(void) fputs("success", fp);
	else
		(void) fprintf(fp, "failure : %s", strerror(error));
}
854
/*
 * Prints the exit-status value of an exit token as "Error N".
 */
static void
print_errval(FILE *fp, u_int32_t val)
{
	unsigned int code = val;

	(void) fprintf(fp, "Error %u", code);
}
864
/*
 * Prints the object type of an IPC token: a label for the message, semaphore
 * and shared-memory types, the bare number with AU_OFLAG_RAW or for any
 * other value.
 */
static void
print_ipctype(FILE *fp, u_char type, int oflags)
{
	const char *label = NULL;

	if ((oflags & AU_OFLAG_RAW) == 0) {
		switch (type) {
		case AT_IPC_MSG:
			label = "Message IPC";
			break;
		case AT_IPC_SEM:
			label = "Semaphore IPC";
			break;
		case AT_IPC_SHM:
			label = "Shared Memory IPC";
			break;
		default:
			break;
		}
	}
	if (label != NULL)
		(void) fputs(label, fp);
	else
		(void) fprintf(fp, "%u", type);
}
884
/*
 * Writes the XML declaration and the opening <audit> element that wraps
 * every record in XML output; paired with au_print_xml_footer().
 */
void
au_print_xml_header(FILE *outfp)
{

	(void) fputs("<?xml version='1.0' ?>\n", outfp);
	(void) fputs("<audit>\n", outfp);
}
895
/*
 * Writes the closing </audit> element matching au_print_xml_header().
 */
void
au_print_xml_footer(FILE *outfp)
{

	(void) fputs("</audit>\n", outfp);
}
905
/*
 * Parses a 32-bit header token from buf[tok->len ..] into tok->tt.hdr32,
 * advancing tok->len past each field.  Returns 0 on success and -1 when
 * the buffer ends before the token does.
 *
 * record byte count	4 bytes
 * version #		1 byte [2]
 * event type		2 bytes
 * event modifier	2 bytes
 * seconds of time	4 bytes
 * milliseconds of time	4 bytes
 */
static int
fetch_header32_tok(tokenstr_t *tok, u_char *buf, int len)
{
	int err = 0;

	/* Each read is skipped once an earlier one has run out of buffer. */
	READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.size, tok->len, err);
	if (err == 0)
		READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr32.version, tok->len,
		    err);
	if (err == 0)
		READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32.e_type, tok->len,
		    err);
	if (err == 0)
		READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32.e_mod, tok->len,
		    err);
	if (err == 0)
		READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.s, tok->len, err);
	if (err == 0)
		READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.ms, tok->len, err);

	return (err ? -1 : 0);
}
945
/*
 * Prints a 32-bit header token parsed by fetch_header32_tok().  With
 * AU_OFLAG_XML the fields become attributes of the <record> element opened
 * by print_tok_type() (the record size is not included); otherwise every
 * field, size first, is written as `del`-separated text.
 */
static void
print_header32_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
{
	const int xml = (oflags & AU_OFLAG_XML) != 0;

	print_tok_type(fp, tok->id, "header", oflags);
	if (!xml) {
		print_delim(fp, del);
		print_4_bytes(fp, tok->tt.hdr32.size, "%u");
		print_delim(fp, del);
		print_1_byte(fp, tok->tt.hdr32.version, "%u");
		print_delim(fp, del);
		print_event(fp, tok->tt.hdr32.e_type, oflags);
		print_delim(fp, del);
		print_evmod(fp, tok->tt.hdr32.e_mod, oflags);
		print_delim(fp, del);
		print_sec32(fp, tok->tt.hdr32.s, oflags);
		print_delim(fp, del);
		print_msec32(fp, tok->tt.hdr32.ms, oflags);
		return;
	}

	open_attr(fp, "version");
	print_1_byte(fp, tok->tt.hdr32.version, "%u");
	close_attr(fp);
	open_attr(fp, "event");
	print_event(fp, tok->tt.hdr32.e_type, oflags);
	close_attr(fp);
	open_attr(fp, "modifier");
	print_evmod(fp, tok->tt.hdr32.e_mod, oflags);
	close_attr(fp);
	open_attr(fp, "time");
	print_sec32(fp, tok->tt.hdr32.s, oflags);
	close_attr(fp);
	open_attr(fp, "msec");
	print_msec32(fp, tok->tt.hdr32.ms, oflags);
	close_attr(fp);
	close_tag(fp, tok->id);
}
983
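/*
 * The Solaris specifications for AUE_HEADER32_EX seem to differ a bit
 * depending on the bit of the specifications found.  The OpenSolaris source
 * code uses a 4-byte address length, followed by some number of bytes of
 * address data.  This contrasts with the Solaris audit.log.5 man page, which
 * specifies a 1-byte length field.  We use the Solaris 10 definition so that
 * we can parse audit trails from that system.
 *
 * record byte count	4 bytes
 * version #		1 byte [2]
 * event type		2 bytes
 * event modifier	2 bytes
 * address type/length	4 bytes
 * [ Solaris man page: address type/length 1 byte]
 * machine address	4 bytes/16 bytes (IPv4/IPv6 address)
 * seconds of time	4 bytes
 * nanoseconds of time	4 bytes (stored in .ms and printed as msec)
 *
 * Parses into tok->tt.hdr32_ex, advancing tok->len; returns 0 on success
 * and -1 when the buffer ends before the token does.  A short IPv6 address
 * now fails the token directly, as a short IPv4 address always did, instead
 * of letting the time fields be read first.  An address type other than
 * AU_IPv4/AU_IPv6 consumes no address bytes and leaves addr zeroed; that is
 * long-standing behaviour and is kept, though a stricter caller might
 * prefer to reject such records.
 */
static int
fetch_header32_ex_tok(tokenstr_t *tok, u_char *buf, int len)
{
	int err = 0;

	READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.size, tok->len, err);
	if (err == 0)
		READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr32_ex.version, tok->len,
		    err);
	if (err == 0)
		READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32_ex.e_type, tok->len,
		    err);
	if (err == 0)
		READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32_ex.e_mod, tok->len,
		    err);
	if (err == 0)
		READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.ad_type,
		    tok->len, err);
	if (err)
		return (-1);

	bzero(tok->tt.hdr32_ex.addr, sizeof(tok->tt.hdr32_ex.addr));
	switch (tok->tt.hdr32_ex.ad_type) {
	case AU_IPv4:
		READ_TOKEN_BYTES(buf, len, &tok->tt.hdr32_ex.addr[0],
		    sizeof(tok->tt.hdr32_ex.addr[0]), tok->len, err);
		break;

	case AU_IPv6:
		READ_TOKEN_BYTES(buf, len, tok->tt.hdr32_ex.addr,
		    sizeof(tok->tt.hdr32_ex.addr), tok->len, err);
		break;

	default:
		/* Unknown address type: no address bytes are consumed. */
		break;
	}
	if (err)
		return (-1);

	READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.s, tok->len, err);
	if (err == 0)
		READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.ms, tok->len,
		    err);

	return (err ? -1 : 0);
}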
1052
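/*
 * Prints an expanded 32-bit header token parsed by fetch_header32_ex_tok().
 * With AU_OFLAG_XML the fields become attributes of the <record> element
 * opened by print_tok_type(); otherwise every field, size first, is written
 * as `del`-separated text.  The host address is rendered by
 * print_ip_ex_address() from the parsed address type.
 *
 * The attribute form is selected by AU_OFLAG_XML, as in the other header
 * printers.  This function used to test AU_OFLAG_RAW instead, which put XML
 * attributes into raw output and delimited text into XML output for this
 * one token type.
 */
static void
print_header32_ex_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
{

	print_tok_type(fp, tok->id, "header_ex", oflags);
	if (oflags & AU_OFLAG_XML) {
		open_attr(fp, "version");
		print_1_byte(fp, tok->tt.hdr32_ex.version, "%u");
		close_attr(fp);
		open_attr(fp, "event");
		print_event(fp, tok->tt.hdr32_ex.e_type, oflags);
		close_attr(fp);
		open_attr(fp, "modifier");
		print_evmod(fp, tok->tt.hdr32_ex.e_mod, oflags);
		close_attr(fp);
		open_attr(fp, "host");
		print_ip_ex_address(fp, tok->tt.hdr32_ex.ad_type,
		    tok->tt.hdr32_ex.addr);
		close_attr(fp);
		open_attr(fp, "time");
		print_sec32(fp, tok->tt.hdr32_ex.s, oflags);
		close_attr(fp);
		open_attr(fp, "msec");
		print_msec32(fp, tok->tt.hdr32_ex.ms, oflags);
		close_attr(fp);
		close_tag(fp, tok->id);
	} else {
		print_delim(fp, del);
		print_4_bytes(fp, tok->tt.hdr32_ex.size, "%u");
		print_delim(fp, del);
		print_1_byte(fp, tok->tt.hdr32_ex.version, "%u");
		print_delim(fp, del);
		print_event(fp, tok->tt.hdr32_ex.e_type, oflags);
		print_delim(fp, del);
		print_evmod(fp, tok->tt.hdr32_ex.e_mod, oflags);
		print_delim(fp, del);
		print_ip_ex_address(fp, tok->tt.hdr32_ex.ad_type,
		    tok->tt.hdr32_ex.addr);
		print_delim(fp, del);
		print_sec32(fp, tok->tt.hdr32_ex.s, oflags);
		print_delim(fp, del);
		print_msec32(fp, tok->tt.hdr32_ex.ms, oflags);
	}
}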
1097
/*
 * Parses a 64-bit header token from buf[tok->len ..] into tok->tt.hdr64,
 * advancing tok->len past each field.  Returns 0 on success and -1 when
 * the buffer ends before the token does.  The layout is the 32-bit header
 * with 8-byte time fields:
 *
 * record byte count	4 bytes
 * version #		1 byte [2]
 * event type		2 bytes
 * event modifier	2 bytes
 * seconds of time	8 bytes
 * milliseconds of time	8 bytes
 */
static int
fetch_header64_tok(tokenstr_t *tok, u_char *buf, int len)
{
	int err = 0;

	/* Each read is skipped once an earlier one has run out of buffer. */
	READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64.size, tok->len, err);
	if (err == 0)
		READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr64.version, tok->len,
		    err);
	if (err == 0)
		READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64.e_type, tok->len,
		    err);
	if (err == 0)
		READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64.e_mod, tok->len,
		    err);
	if (err == 0)
		READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64.s, tok->len, err);
	if (err == 0)
		READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64.ms, tok->len, err);

	return (err ? -1 : 0);
}
1137
/*
 * Prints a 64-bit header token parsed by fetch_header64_tok().  With
 * AU_OFLAG_XML the fields become attributes of the <record> element opened
 * by print_tok_type() (the record size is not included); otherwise every
 * field, size first, is written as `del`-separated text.
 */
static void
print_header64_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
{
	const int xml = (oflags & AU_OFLAG_XML) != 0;

	print_tok_type(fp, tok->id, "header", oflags);
	if (!xml) {
		print_delim(fp, del);
		print_4_bytes(fp, tok->tt.hdr64.size, "%u");
		print_delim(fp, del);
		print_1_byte(fp, tok->tt.hdr64.version, "%u");
		print_delim(fp, del);
		print_event(fp, tok->tt.hdr64.e_type, oflags);
		print_delim(fp, del);
		print_evmod(fp, tok->tt.hdr64.e_mod, oflags);
		print_delim(fp, del);
		print_sec64(fp, tok->tt.hdr64.s, oflags);
		print_delim(fp, del);
		print_msec64(fp, tok->tt.hdr64.ms, oflags);
		return;
	}

	open_attr(fp, "version");
	print_1_byte(fp, tok->tt.hdr64.version, "%u");
	close_attr(fp);
	open_attr(fp, "event");
	print_event(fp, tok->tt.hdr64.e_type, oflags);
	close_attr(fp);
	open_attr(fp, "modifier");
	print_evmod(fp, tok->tt.hdr64.e_mod, oflags);
	close_attr(fp);
	open_attr(fp, "time");
	print_sec64(fp, tok->tt.hdr64.s, oflags);
	close_attr(fp);
	open_attr(fp, "msec");
	print_msec64(fp, tok->tt.hdr64.ms, oflags);
	close_attr(fp);
	close_tag(fp, tok->id);
}
1175
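/*
 * record byte count	4 bytes
 * version #		1 byte [2]
 * event type		2 bytes
 * event modifier	2 bytes
 * address type/length	4 bytes
 * [ Solaris man page: address type/length 1 byte]
 * machine address	4 bytes/16 bytes (IPv4/IPv6 address)
 * seconds of time	8 bytes
 * nanoseconds of time	8 bytes (stored in .ms and printed as msec)
 *
 * XXXAUDIT: See comment by fetch_header32_ex_tok() for details on the
 * accuracy of the BSM spec.
 *
 * Parses into tok->tt.hdr64_ex, advancing tok->len; returns 0 on success
 * and -1 when the buffer ends before the token does.  A short IPv6 address
 * now fails the token directly, as a short IPv4 address always did, instead
 * of letting the time fields be read first.  An address type other than
 * AU_IPv4/AU_IPv6 consumes no address bytes and leaves addr zeroed; that is
 * long-standing behaviour and is kept, though a stricter caller might
 * prefer to reject such records.
 */
static int
fetch_header64_ex_tok(tokenstr_t *tok, u_char *buf, int len)
{
	int err = 0;

	READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64_ex.size, tok->len, err);
	if (err == 0)
		READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr64_ex.version, tok->len,
		    err);
	if (err == 0)
		READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64_ex.e_type, tok->len,
		    err);
	if (err == 0)
		READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64_ex.e_mod, tok->len,
		    err);
	if (err == 0)
		READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64_ex.ad_type,
		    tok->len, err);
	if (err)
		return (-1);

	bzero(tok->tt.hdr64_ex.addr, sizeof(tok->tt.hdr64_ex.addr));
	switch (tok->tt.hdr64_ex.ad_type) {
	case AU_IPv4:
		READ_TOKEN_BYTES(buf, len, &tok->tt.hdr64_ex.addr[0],
		    sizeof(tok->tt.hdr64_ex.addr[0]), tok->len, err);
		break;

	case AU_IPv6:
		READ_TOKEN_BYTES(buf, len, tok->tt.hdr64_ex.addr,
		    sizeof(tok->tt.hdr64_ex.addr), tok->len, err);
		break;

	default:
		/* Unknown address type: no address bytes are consumed. */
		break;
	}
	if (err)
		return (-1);

	READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64_ex.s, tok->len, err);
	if (err == 0)
		READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64_ex.ms, tok->len,
		    err);

	return (err ? -1 : 0);
}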
1240
/*
 * Prints an expanded 64-bit header token parsed by fetch_header64_ex_tok().
 * With AU_OFLAG_XML the fields become attributes of the <record> element
 * opened by print_tok_type(); otherwise every field, size first, is written
 * as `del`-separated text.  The host address is rendered by
 * print_ip_ex_address() from the parsed address type.
 */
static void
print_header64_ex_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
{
	const int xml = (oflags & AU_OFLAG_XML) != 0;

	print_tok_type(fp, tok->id, "header_ex", oflags);
	if (!xml) {
		print_delim(fp, del);
		print_4_bytes(fp, tok->tt.hdr64_ex.size, "%u");
		print_delim(fp, del);
		print_1_byte(fp, tok->tt.hdr64_ex.version, "%u");
		print_delim(fp, del);
		print_event(fp, tok->tt.hdr64_ex.e_type, oflags);
		print_delim(fp, del);
		print_evmod(fp, tok->tt.hdr64_ex.e_mod, oflags);
		print_delim(fp, del);
		print_ip_ex_address(fp, tok->tt.hdr64_ex.ad_type,
		    tok->tt.hdr64_ex.addr);
		print_delim(fp, del);
		print_sec64(fp, tok->tt.hdr64_ex.s, oflags);
		print_delim(fp, del);
		print_msec64(fp, tok->tt.hdr64_ex.ms, oflags);
		return;
	}

	open_attr(fp, "version");
	print_1_byte(fp, tok->tt.hdr64_ex.version, "%u");
	close_attr(fp);
	open_attr(fp, "event");
	print_event(fp, tok->tt.hdr64_ex.e_type, oflags);
	close_attr(fp);
	open_attr(fp, "modifier");
	print_evmod(fp, tok->tt.hdr64_ex.e_mod, oflags);
	close_attr(fp);
	open_attr(fp, "host");
	print_ip_ex_address(fp, tok->tt.hdr64_ex.ad_type,
	    tok->tt.hdr64_ex.addr);
	close_attr(fp);
	open_attr(fp, "time");
	print_sec64(fp, tok->tt.hdr64_ex.s, oflags);
	close_attr(fp);
	open_attr(fp, "msec");
	print_msec64(fp, tok->tt.hdr64_ex.ms, oflags);
	close_attr(fp);
	close_tag(fp, tok->id);
}
1285
/*
 * Parses a trailer token into tok->tt.trail, advancing tok->len.  Returns 0
 * on success and -1 when the buffer ends before the token does.  Neither
 * the magic nor the count is validated here.
 *
 * trailer magic	2 bytes
 * record size		4 bytes
 */
static int
fetch_trailer_tok(tokenstr_t *tok, u_char *buf, int len)
{
	int err = 0;

	READ_TOKEN_U_INT16(buf, len, tok->tt.trail.magic, tok->len, err);
	if (err == 0)
		READ_TOKEN_U_INT32(buf, len, tok->tt.trail.count, tok->len,
		    err);

	return (err ? -1 : 0);
}
1305
/*
 * Print a trailer token.  XML output is only the element written by
 * print_tok_type; delimited text output appends the record byte count.
 */
static void
print_trailer_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
{

	print_tok_type(fp, tok->id, "trailer", oflags);
	if (oflags & AU_OFLAG_XML)
		return;
	print_delim(fp, del);
	print_4_bytes(fp, tok->tt.trail.count, "%u");
}
1316
1317 /*
1318 * argument # 1 byte
1319 * argument value 4 bytes/8 bytes (32-bit/64-bit value)
1320 * text length 2 bytes
1321 * text N bytes + 1 terminating NULL byte
1322 */
/*
 * Fetch a 32-bit argument token: argument number (1 byte), value
 * (4 bytes), text length (2 bytes) and the text itself.  SET_PTR
 * presumably aliases arg32.text to the bytes inside buf rather than
 * copying them, so the token stays valid only as long as buf does.
 *
 * Returns 0 on success, -1 as soon as any read flags an error.
 */
static int
fetch_arg32_tok(tokenstr_t *tok, u_char *buf, int len)
{
	int err = 0;

	READ_TOKEN_U_CHAR(buf, len, tok->tt.arg32.no, tok->len, err);
	if (err != 0)
		goto bad;
	READ_TOKEN_U_INT32(buf, len, tok->tt.arg32.val, tok->len, err);
	if (err != 0)
		goto bad;
	READ_TOKEN_U_INT16(buf, len, tok->tt.arg32.len, tok->len, err);
	if (err != 0)
		goto bad;
	/* The text length is record-supplied; SET_PTR checks it against len. */
	SET_PTR((char*)buf, len, tok->tt.arg32.text, tok->tt.arg32.len,
	    tok->len, err);
	if (err != 0)
		goto bad;

	return (0);
bad:
	return (-1);
}
1347
/*
 * Print a 32-bit argument token: argument number, hex value and the
 * descriptive text.  NOTE(review): the XML form passes the text through
 * print_string, not print_xml_string; if print_string does not escape,
 * text containing '<' or '&' yields malformed XML -- confirm.
 */
static void
print_arg32_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
{

	print_tok_type(fp, tok->id, "argument", oflags);
	if (oflags & AU_OFLAG_XML) {
		open_attr(fp, "arg-num");
		print_1_byte(fp, tok->tt.arg32.no, "%u");
		close_attr(fp);
		open_attr(fp, "value");
		print_4_bytes(fp, tok->tt.arg32.val, "0x%x");
		close_attr(fp);
		open_attr(fp, "desc");
		print_string(fp, tok->tt.arg32.text, tok->tt.arg32.len);
		close_attr(fp);
		close_tag(fp, tok->id);
		return;
	}

	print_delim(fp, del);
	print_1_byte(fp, tok->tt.arg32.no, "%u");
	print_delim(fp, del);
	print_4_bytes(fp, tok->tt.arg32.val, "0x%x");
	print_delim(fp, del);
	print_string(fp, tok->tt.arg32.text, tok->tt.arg32.len);
}
1373
/*
 * Fetch a 64-bit argument token: argument number (1 byte), value
 * (8 bytes), text length (2 bytes) and the text.  Same layout as the
 * 32-bit form apart from the value width; arg64.text is presumably a
 * pointer into buf, not a copy.
 *
 * Returns 0 on success, -1 once any read flags an error.
 */
static int
fetch_arg64_tok(tokenstr_t *tok, u_char *buf, int len)
{
	int err = 0;

	do {
		READ_TOKEN_U_CHAR(buf, len, tok->tt.arg64.no, tok->len, err);
		if (err != 0)
			break;
		READ_TOKEN_U_INT64(buf, len, tok->tt.arg64.val, tok->len,
		    err);
		if (err != 0)
			break;
		READ_TOKEN_U_INT16(buf, len, tok->tt.arg64.len, tok->len,
		    err);
		if (err != 0)
			break;
		SET_PTR((char*)buf, len, tok->tt.arg64.text,
		    tok->tt.arg64.len, tok->len, err);
	} while (0);

	return (err != 0 ? -1 : 0);
}
1398
/*
 * Print a 64-bit argument token: argument number, hex value and the
 * descriptive text.  Mirrors print_arg32_tok with an 8-byte value; the
 * same note about unescaped text in the XML form applies.
 */
static void
print_arg64_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
{

	print_tok_type(fp, tok->id, "argument", oflags);
	if (oflags & AU_OFLAG_XML) {
		open_attr(fp, "arg-num");
		print_1_byte(fp, tok->tt.arg64.no, "%u");
		close_attr(fp);
		open_attr(fp, "value");
		print_8_bytes(fp, tok->tt.arg64.val, "0x%llx");
		close_attr(fp);
		open_attr(fp, "desc");
		print_string(fp, tok->tt.arg64.text, tok->tt.arg64.len);
		close_attr(fp);
		close_tag(fp, tok->id);
		return;
	}

	print_delim(fp, del);
	print_1_byte(fp, tok->tt.arg64.no, "%u");
	print_delim(fp, del);
	print_8_bytes(fp, tok->tt.arg64.val, "0x%llx");
	print_delim(fp, del);
	print_string(fp, tok->tt.arg64.text, tok->tt.arg64.len);
}
1424
1425 /*
1426 * how to print 1 byte
1427 * basic unit 1 byte
1428 * unit count 1 byte
1429 * data items (depends on basic unit)
1430 */
/*
 * Fetch an arbitrary-data token: print style (howtopr), basic unit type
 * (bu) and unit count (uc), one byte each, followed by uc units of data.
 * The unit type decides the unit width; anything other than the four
 * AUR_* types known here is rejected.  arb.data is set by SET_PTR and so
 * presumably points into buf rather than at a copy.
 *
 * Returns 0 on success, -1 on a read error or an unknown unit type.
 */
static int
fetch_arb_tok(tokenstr_t *tok, u_char *buf, int len)
{
	int err = 0;
	int datasize;

	READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.howtopr, tok->len, err);
	if (err == 0)
		READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.bu, tok->len, err);
	if (err == 0)
		READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.uc, tok->len, err);
	if (err != 0)
		return (-1);

	/* Width of one basic unit, selected by the unit type code. */
	if (tok->tt.arb.bu == AUR_BYTE)		/* also AUR_CHAR */
		datasize = AUR_BYTE_SIZE;
	else if (tok->tt.arb.bu == AUR_SHORT)
		datasize = AUR_SHORT_SIZE;
	else if (tok->tt.arb.bu == AUR_INT32)	/* also AUR_INT */
		datasize = AUR_INT32_SIZE;
	else if (tok->tt.arb.bu == AUR_INT64)
		datasize = AUR_INT64_SIZE;
	else
		return (-1);

	/*
	 * uc is a single byte, so datasize * uc is at most 8 * 255 and
	 * cannot overflow; SET_PTR checks the product against len.
	 */
	SET_PTR(buf, len, tok->tt.arb.data, datasize * tok->tt.arb.uc,
	    tok->len, err);

	return (err != 0 ? -1 : 0);
}
1482
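/*
 * Copy one basic unit out of an arbitrary-data token.
 *
 * arb.data aliases the raw record buffer, so a unit wider than a byte is
 * in general not aligned; the previous code read it through a cast
 * u_int16_t/u_int32_t/u_int64_t pointer, which is undefined behaviour
 * (misaligned access and a strict-aliasing violation).  memcpy into a
 * local of the right width is well defined for any alignment.
 *
 * p     first byte of the unit
 * size  unit width, one of the AUR_*_SIZE values
 *
 * Returns the unit zero-extended to 64 bits.  A width that matches none
 * of the wider AUR sizes is treated as a single byte.
 */
static u_int64_t
arb_load_unit(const void *p, size_t size)
{
	u_char v8;
	u_int16_t v16;
	u_int32_t v32;
	u_int64_t v64;

	if (size == AUR_SHORT_SIZE) {
		memcpy(&v16, p, sizeof(v16));
		return (v16);
	}
	if (size == AUR_INT32_SIZE) {
		memcpy(&v32, p, sizeof(v32));
		return (v32);
	}
	if (size == AUR_INT64_SIZE) {
		memcpy(&v64, p, sizeof(v64));
		return (v64);
	}
	memcpy(&v8, p, sizeof(v8));
	return (v8);
}

/*
 * Print one unit in the style selected by the token's howtopr field.
 *
 * The argument type now matches the conversion: 64-bit units use the
 * "ll" conversions, narrower units are passed as int/unsigned.  The
 * previous code handed a u_int64_t to " %x"/" %d"/" %o"/" %c", which is
 * undefined and typically printed only the low 32 bits; 64-bit units are
 * now printed in full.  %c keeps its meaning of emitting the unit's low
 * byte, which is what the conversion did with the old int argument too.
 *
 * fp       output stream
 * howtopr  AUP_* print style
 * wide     non-zero for 64-bit units
 * v        the unit, zero-extended
 */
static void
arb_print_unit(FILE *fp, u_char howtopr, int wide, u_int64_t v)
{

	switch (howtopr) {
	case AUP_BINARY:
		fprintf(fp, " %c", (int)(v & 0xff));
		break;
	case AUP_OCTAL:
		if (wide)
			fprintf(fp, " %llo", (unsigned long long)v);
		else
			fprintf(fp, " %o", (unsigned int)v);
		break;
	case AUP_DECIMAL:
		if (wide)
			fprintf(fp, " %lld", (long long)v);
		else
			fprintf(fp, " %d", (int)v);
		break;
	case AUP_HEX:
		if (wide)
			fprintf(fp, " %llx", (unsigned long long)v);
		else
			fprintf(fp, " %x", (unsigned int)v);
		break;
	case AUP_STRING:
		fprintf(fp, "%c", (int)(v & 0xff));
		break;
	default:
		/* print_arb_tok rejects unknown styles before getting here. */
		break;
	}
}

/*
 * Print an arbitrary-data token: print style, basic unit type, unit count
 * and the units themselves.
 *
 * XML output carries the style, unit size and count as attributes and
 * the units as element content; delimited text output prints the same
 * fields separated by del.  An unknown print style or unit type ends the
 * output early, as before (for XML that leaves the element open, which is
 * pre-existing behaviour).
 *
 * NOTE(review): the unit bytes are written with fprintf and are not
 * escaped, so an AUP_STRING unit containing '<' or '&' produces malformed
 * XML.  That matches the previous behaviour and is left unchanged here.
 *
 * fp	  output stream
 * tok	  fetched token; tok->id and tok->tt.arb are read
 * del	  field delimiter for text output
 * oflags output flags; AU_OFLAG_XML selects the XML form
 */
static void
print_arb_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
{
	const int xml = (oflags & AU_OFLAG_XML) != 0;
	char *str;
	size_t size;
	int wide = 0;
	int i;

	print_tok_type(fp, tok->id, "arbitrary", oflags);
	if (!xml)
		print_delim(fp, del);

	switch (tok->tt.arb.howtopr) {
	case AUP_BINARY:
		str = "binary";
		break;
	case AUP_OCTAL:
		str = "octal";
		break;
	case AUP_DECIMAL:
		str = "decimal";
		break;
	case AUP_HEX:
		str = "hex";
		break;
	case AUP_STRING:
		str = "string";
		break;
	default:
		return;
	}

	if (xml) {
		open_attr(fp, "print");
		fprintf(fp, "%s", str);
		close_attr(fp);
	} else {
		print_string(fp, str, strlen(str));
		print_delim(fp, del);
	}

	switch (tok->tt.arb.bu) {
	case AUR_BYTE:
		/* case AUR_CHAR: */
		str = "byte";
		size = AUR_BYTE_SIZE;
		break;
	case AUR_SHORT:
		str = "short";
		size = AUR_SHORT_SIZE;
		break;
	case AUR_INT32:
		/* case AUR_INT: */
		str = "int";
		size = AUR_INT32_SIZE;
		break;
	case AUR_INT64:
		str = "int64";
		size = AUR_INT64_SIZE;
		wide = 1;
		break;
	default:
		return;
	}

	if (xml) {
		open_attr(fp, "type");
		fprintf(fp, "%zu", size);
		close_attr(fp);
		open_attr(fp, "count");
		print_1_byte(fp, tok->tt.arb.uc, "%u");
		close_attr(fp);
		fprintf(fp, ">");
	} else {
		print_string(fp, str, strlen(str));
		print_delim(fp, del);
		print_1_byte(fp, tok->tt.arb.uc, "%u");
		print_delim(fp, del);
	}

	/*
	 * fetch_arb_tok verified that size * uc bytes exist behind arb.data,
	 * so indexing by i * size stays inside the record.
	 */
	for (i = 0; i < tok->tt.arb.uc; i++)
		arb_print_unit(fp, tok->tt.arb.howtopr, wide,
		    arb_load_unit(tok->tt.arb.data + (size * i), size));

	if (xml)
		close_tag(fp, tok->id);
}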
1650
1651 /*
1652 * file access mode 4 bytes
1653 * owner user ID 4 bytes
1654 * owner group ID 4 bytes
1655 * file system ID 4 bytes
1656 * node ID 8 bytes
1657 * device 4 bytes/8 bytes (32-bit/64-bit)
1658 */
/*
 * Fetch a 32-bit file attribute token: mode, uid, gid and fsid (4 bytes
 * each), node id (8 bytes) and a 4-byte device number.
 *
 * Returns 0 on success, -1 as soon as any read flags an error; fields read
 * before the failure are left in tok.
 */
static int
fetch_attr32_tok(tokenstr_t *tok, u_char *buf, int len)
{
	int err = 0;

	READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.mode, tok->len, err);
	if (err != 0)
		goto bad;
	READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.uid, tok->len, err);
	if (err != 0)
		goto bad;
	READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.gid, tok->len, err);
	if (err != 0)
		goto bad;
	READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.fsid, tok->len, err);
	if (err != 0)
		goto bad;
	READ_TOKEN_U_INT64(buf, len, tok->tt.attr32.nid, tok->len, err);
	if (err != 0)
		goto bad;
	/* The device number is the only field that differs from attr64. */
	READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.dev, tok->len, err);
	if (err != 0)
		goto bad;

	return (0);
bad:
	return (-1);
}
1690
/*
 * Print a 32-bit file attribute token: octal mode, user, group, fsid,
 * node id and device.  XML output uses one attribute per field and
 * closes the element; text output delimits the fields with del.
 */
static void
print_attr32_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
{

	print_tok_type(fp, tok->id, "attribute", oflags);
	if (oflags & AU_OFLAG_XML) {
		open_attr(fp, "mode");
		print_4_bytes(fp, tok->tt.attr32.mode, "%o");
		close_attr(fp);
		open_attr(fp, "uid");
		print_user(fp, tok->tt.attr32.uid, oflags);
		close_attr(fp);
		open_attr(fp, "gid");
		print_group(fp, tok->tt.attr32.gid, oflags);
		close_attr(fp);
		open_attr(fp, "fsid");
		print_4_bytes(fp, tok->tt.attr32.fsid, "%u");
		close_attr(fp);
		open_attr(fp, "nodeid");
		print_8_bytes(fp, tok->tt.attr32.nid, "%lld");
		close_attr(fp);
		open_attr(fp, "device");
		print_4_bytes(fp, tok->tt.attr32.dev, "%u");
		close_attr(fp);
		close_tag(fp, tok->id);
		return;
	}

	print_delim(fp, del);
	print_4_bytes(fp, tok->tt.attr32.mode, "%o");
	print_delim(fp, del);
	print_user(fp, tok->tt.attr32.uid, oflags);
	print_delim(fp, del);
	print_group(fp, tok->tt.attr32.gid, oflags);
	print_delim(fp, del);
	print_4_bytes(fp, tok->tt.attr32.fsid, "%u");
	print_delim(fp, del);
	print_8_bytes(fp, tok->tt.attr32.nid, "%lld");
	print_delim(fp, del);
	print_4_bytes(fp, tok->tt.attr32.dev, "%u");
}
1731
1732 /*
1733 * file access mode 4 bytes
1734 * owner user ID 4 bytes
1735 * owner group ID 4 bytes
1736 * file system ID 4 bytes
1737 * node ID 8 bytes
1738 * device 4 bytes/8 bytes (32-bit/64-bit)
1739 */
/*
 * Fetch a 64-bit file attribute token: mode, uid, gid and fsid (4 bytes
 * each), node id (8 bytes) and an 8-byte device number.
 *
 * Returns 0 on success, -1 once any read flags an error.
 */
static int
fetch_attr64_tok(tokenstr_t *tok, u_char *buf, int len)
{
	int err = 0;

	do {
		READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.mode, tok->len,
		    err);
		if (err != 0)
			break;
		READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.uid, tok->len,
		    err);
		if (err != 0)
			break;
		READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.gid, tok->len,
		    err);
		if (err != 0)
			break;
		READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.fsid, tok->len,
		    err);
		if (err != 0)
			break;
		READ_TOKEN_U_INT64(buf, len, tok->tt.attr64.nid, tok->len,
		    err);
		if (err != 0)
			break;
		/* 8-byte device number: the only difference from attr32. */
		READ_TOKEN_U_INT64(buf, len, tok->tt.attr64.dev, tok->len,
		    err);
	} while (0);

	return (err != 0 ? -1 : 0);
}
1771
/*
 * Print a 64-bit file attribute token: octal mode, user, group, fsid,
 * node id and the 8-byte device number.  Same shape as print_attr32_tok.
 */
static void
print_attr64_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
{

	print_tok_type(fp, tok->id, "attribute", oflags);
	if (oflags & AU_OFLAG_XML) {
		open_attr(fp, "mode");
		print_4_bytes(fp, tok->tt.attr64.mode, "%o");
		close_attr(fp);
		open_attr(fp, "uid");
		print_user(fp, tok->tt.attr64.uid, oflags);
		close_attr(fp);
		open_attr(fp, "gid");
		print_group(fp, tok->tt.attr64.gid, oflags);
		close_attr(fp);
		open_attr(fp, "fsid");
		print_4_bytes(fp, tok->tt.attr64.fsid, "%u");
		close_attr(fp);
		open_attr(fp, "nodeid");
		print_8_bytes(fp, tok->tt.attr64.nid, "%lld");
		close_attr(fp);
		open_attr(fp, "device");
		print_8_bytes(fp, tok->tt.attr64.dev, "%llu");
		close_attr(fp);
		close_tag(fp, tok->id);
		return;
	}

	print_delim(fp, del);
	print_4_bytes(fp, tok->tt.attr64.mode, "%o");
	print_delim(fp, del);
	print_user(fp, tok->tt.attr64.uid, oflags);
	print_delim(fp, del);
	print_group(fp, tok->tt.attr64.gid, oflags);
	print_delim(fp, del);
	print_4_bytes(fp, tok->tt.attr64.fsid, "%u");
	print_delim(fp, del);
	print_8_bytes(fp, tok->tt.attr64.nid, "%lld");
	print_delim(fp, del);
	print_8_bytes(fp, tok->tt.attr64.dev, "%llu");
}
1812
1813 /*
1814 * status 4 bytes
1815 * return value 4 bytes
1816 */
/*
 * Fetch an exit token: a 4-byte status followed by a 4-byte return value.
 *
 * Returns 0 on success, -1 when either read flags an error.
 */
static int
fetch_exit_tok(tokenstr_t *tok, u_char *buf, int len)
{
	int err = 0;

	READ_TOKEN_U_INT32(buf, len, tok->tt.exit.status, tok->len, err);
	if (err == 0)
		READ_TOKEN_U_INT32(buf, len, tok->tt.exit.ret, tok->len, err);

	return (err != 0 ? -1 : 0);
}
1832
/*
 * Print an exit token: the status rendered via print_errval and the raw
 * return value.  XML output uses "errval"/"retval" attributes.
 */
static void
print_exit_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
{

	print_tok_type(fp, tok->id, "exit", oflags);
	if (oflags & AU_OFLAG_XML) {
		open_attr(fp, "errval");
		print_errval(fp, tok->tt.exit.status);
		close_attr(fp);
		open_attr(fp, "retval");
		print_4_bytes(fp, tok->tt.exit.ret, "%u");
		close_attr(fp);
		close_tag(fp, tok->id);
		return;
	}

	print_delim(fp, del);
	print_errval(fp, tok->tt.exit.status);
	print_delim(fp, del);
	print_4_bytes(fp, tok->tt.exit.ret, "%u");
}
1853
1854 /*
1855 * count 4 bytes
1856 * text count null-terminated string(s)
1857 */
/*
 * Fetch an exec-args token: a 4-byte argument count followed by that many
 * NUL-terminated strings.
 *
 * The strings are not copied: text[i] is pointed at the string's first
 * byte inside buf, so the token is valid only while buf is.  Only the
 * first AUDIT_MAX_ARGS pointers are stored (text[] presumably has that
 * many slots), but every string in the record is still walked so that
 * tok->len ends up past the whole token.  count is clamped afterwards so
 * that print_execarg_tok never indexes text[] beyond what was stored.
 *
 * The count is record-supplied and untrusted, but a huge value cannot
 * spin the loop: each iteration consumes at least the NUL byte, and the
 * bound check at the top of the loop fails once the buffer is exhausted.
 *
 * Returns 0 on success, -1 if the count cannot be read or a string has
 * no terminator before the end of buf.
 */
static int
fetch_execarg_tok(tokenstr_t *tok, u_char *buf, int len)
{
	int err = 0;
	u_int32_t i;
	u_char *bptr;

	READ_TOKEN_U_INT32(buf, len, tok->tt.execarg.count, tok->len, err);
	if (err)
		return (-1);

	for (i = 0; i < tok->tt.execarg.count; i++) {
		/*
		 * Make sure that tok->len has not reached the end of the
		 * buffer. If the previous string's nul byte was the last byte
		 * in the buffer, the nul accounting below will have set
		 * tok->len == len, leaving no room for another string.
		 */
		if (tok->len >= (u_int32_t)len) {
			return (-1);
		}
		bptr = buf + tok->len;
		if (i < AUDIT_MAX_ARGS)
			tok->tt.execarg.text[i] = (char*)bptr;

		/*
		 * Look for a null terminated string.  bptr is buf plus an
		 * offset, so the NULL tests here and after the loop are
		 * defensive only; the bound that matters is tok->len < len,
		 * re-checked on every byte so an unterminated string is
		 * rejected instead of being read past the end of buf.
		 */
		while (bptr && (*bptr != '\0')) {
			if (++tok->len >= (u_int32_t)len)
				return (-1);
			bptr = buf + tok->len;
		}
		if (!bptr)
			return (-1);
		tok->len++; /* \0 character */
	}
	/* Clamp so the printer cannot index past the stored pointers. */
	if (tok->tt.execarg.count > AUDIT_MAX_ARGS)
		tok->tt.execarg.count = AUDIT_MAX_ARGS;

	return (0);
}
1898
/*
 * Print an exec-args token: one <arg> element per argument in XML mode,
 * one delimited field per argument otherwise.  count was clamped to
 * AUDIT_MAX_ARGS by fetch_execarg_tok, so text[i] is always a stored,
 * NUL-terminated pointer.  The element is closed once, after the loop.
 */
static void
print_execarg_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
{
	const int xml = (oflags & AU_OFLAG_XML) != 0;
	u_int32_t i;

	print_tok_type(fp, tok->id, "exec arg", oflags);
	for (i = 0; i < tok->tt.execarg.count; i++) {
		size_t arglen = strlen(tok->tt.execarg.text[i]);

		if (xml) {
			fprintf(fp, "<arg>");
			print_xml_string(fp, tok->tt.execarg.text[i], arglen);
			fprintf(fp, "</arg>");
		} else {
			print_delim(fp, del);
			print_string(fp, tok->tt.execarg.text[i], arglen);
		}
	}
	if (xml)
		close_tag(fp, tok->id);
}
1920
1921 /*
1922 * count 4 bytes
1923 * text count null-terminated string(s)
1924 */
/*
 * Fetch an exec-env token: a 4-byte string count followed by that many
 * NUL-terminated strings.  Identical in structure to fetch_execarg_tok,
 * with AUDIT_MAX_ENV as the cap on stored pointers.
 *
 * text[i] points into buf (no copy), so the token is valid only while
 * buf is.  All strings in the record are walked even when more than
 * AUDIT_MAX_ENV are present, so tok->len ends past the token; count is
 * then clamped so print_execenv_tok never reads an unset text[] slot.
 * A huge record-supplied count cannot spin the loop: every iteration
 * consumes at least one byte and the top-of-loop bound check ends it.
 *
 * Returns 0 on success, -1 if the count cannot be read or a string has
 * no terminator before the end of buf.
 */
static int
fetch_execenv_tok(tokenstr_t *tok, u_char *buf, int len)
{
	int err = 0;
	u_int32_t i;
	u_char *bptr;

	READ_TOKEN_U_INT32(buf, len, tok->tt.execenv.count, tok->len, err);
	if (err)
		return (-1);

	for (i = 0; i < tok->tt.execenv.count; i++) {
		/*
		 * Make sure that tok->len has not reached the end of the
		 * buffer. If the previous string's nul byte was the last byte
		 * in the buffer, the nul accounting below will have set
		 * tok->len == len, leaving no room for another string.
		 */
		if (tok->len >= (u_int32_t)len) {
			return (-1);
		}
		bptr = buf + tok->len;
		if (i < AUDIT_MAX_ENV)
			tok->tt.execenv.text[i] = (char*)bptr;

		/*
		 * Look for a null terminated string.  bptr is buf plus an
		 * offset, so the NULL tests are defensive only; the real
		 * bound is tok->len < len, re-checked on every byte.
		 */
		while (bptr && (*bptr != '\0')) {
			if (++tok->len >= (u_int32_t)len)
				return (-1);
			bptr = buf + tok->len;
		}
		if (!bptr)
			return (-1);
		tok->len++; /* \0 character */
	}
	/* Clamp so the printer cannot index past the stored pointers. */
	if (tok->tt.execenv.count > AUDIT_MAX_ENV)
		tok->tt.execenv.count = AUDIT_MAX_ENV;

	return (0);
}
1965
/*
 * Print an exec-env token: one <env> element per string in XML mode, one
 * delimited field per string otherwise.  count was clamped to
 * AUDIT_MAX_ENV by fetch_execenv_tok.  The element is closed once after
 * the loop.
 */
static void
print_execenv_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
{
	const int xml = (oflags & AU_OFLAG_XML) != 0;
	u_int32_t i;

	print_tok_type(fp, tok->id, "exec env", oflags);
	for (i = 0; i < tok->tt.execenv.count; i++) {
		size_t envlen = strlen(tok->tt.execenv.text[i]);

		if (xml) {
			fprintf(fp, "<env>");
			print_xml_string(fp, tok->tt.execenv.text[i], envlen);
			fprintf(fp, "</env>");
		} else {
			print_delim(fp, del);
			print_string(fp, tok->tt.execenv.text[i], envlen);
		}
	}
	if (xml)
		close_tag(fp, tok->id);
}
1987
1988 /*
1989 * seconds of time 4 bytes
1990 * milliseconds of time 4 bytes
1991 * file name len 2 bytes
1992 * file pathname N bytes + 1 terminating NULL byte
1993 */
/*
 * Fetch a file token: seconds and milliseconds (4 bytes each), a 2-byte
 * name length and the pathname bytes.  file.name is set by SET_PTR and
 * so presumably points into buf rather than at a copy.
 *
 * Returns 0 on success, -1 as soon as any read flags an error.
 */
static int
fetch_file_tok(tokenstr_t *tok, u_char *buf, int len)
{
	int err = 0;

	READ_TOKEN_U_INT32(buf, len, tok->tt.file.s, tok->len, err);
	if (err != 0)
		goto bad;
	READ_TOKEN_U_INT32(buf, len, tok->tt.file.ms, tok->len, err);
	if (err != 0)
		goto bad;
	READ_TOKEN_U_INT16(buf, len, tok->tt.file.len, tok->len, err);
	if (err != 0)
		goto bad;
	/* The length is record-supplied; SET_PTR bounds it against len. */
	SET_PTR((char*)buf, len, tok->tt.file.name, tok->tt.file.len, tok->len,
	    err);
	if (err != 0)
		goto bad;

	return (0);
bad:
	return (-1);
}
2018
/*
 * Print a file token: timestamp (seconds, milliseconds) and the pathname.
 * In XML mode the time fields are attributes and the name is element
 * content after the closing '>'.  NOTE(review): the name goes through
 * print_string, not print_xml_string; if print_string does not escape,
 * a pathname containing '<' or '&' yields malformed XML -- confirm.
 */
static void
print_file_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
{

	print_tok_type(fp, tok->id, "file", oflags);
	if (oflags & AU_OFLAG_XML) {
		open_attr(fp, "time");
		print_sec32(fp, tok->tt.file.s, oflags);
		close_attr(fp);
		open_attr(fp, "msec");
		print_msec32(fp, tok->tt.file.ms, oflags);
		close_attr(fp);
		fprintf(fp, ">");
		print_string(fp, tok->tt.file.name, tok->tt.file.len);
		close_tag(fp, tok->id);
		return;
	}

	print_delim(fp, del);
	print_sec32(fp, tok->tt.file.s, oflags);
	print_delim(fp, del);
	print_msec32(fp, tok->tt.file.ms, oflags);
	print_delim(fp, del);
	print_string(fp, tok->tt.file.name, tok->tt.file.len);
}
2043
2044 /*
2045 * number groups 2 bytes
2046 * group list count * 4 bytes
2047 */
/*
 * Fetch a groups token: a 2-byte group count followed by count 4-byte
 * group IDs, copied into grps.list[].
 *
 * Returns 0 on success, -1 when the count or any group ID cannot be read.
 */
static int
fetch_newgroups_tok(tokenstr_t *tok, u_char *buf, int len)
{
	int err = 0;
	int idx;

	READ_TOKEN_U_INT16(buf, len, tok->tt.grps.no, tok->len, err);
	if (err != 0)
		return (-1);

	/*
	 * grps.list[] is statically sized to AUDIT_MAX_GROUPS.  A record
	 * that claims more is clamped rather than rejected, following the
	 * precedent set by fetch_execarg_tok and fetch_execenv_tok.  Note
	 * that silently truncating a malformed record changes what was
	 * recorded and could mask tampering; and unlike those two, the
	 * surplus group IDs are not consumed here, so tok->len stops after
	 * the clamped entries and a following fetch would start inside the
	 * unread remainder of the list.
	 */
	if (tok->tt.grps.no > AUDIT_MAX_GROUPS)
		tok->tt.grps.no = AUDIT_MAX_GROUPS;

	/* Stop at the first failed read; the caller sees -1 below. */
	for (idx = 0; idx < tok->tt.grps.no && err == 0; idx++)
		READ_TOKEN_U_INT32(buf, len, tok->tt.grps.list[idx], tok->len,
		    err);

	return (err != 0 ? -1 : 0);
}
2078
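/*
 * Print a groups token: one <gid> element per group in XML mode, one
 * delimited field per group otherwise.
 *
 * The XML element is closed once after the loop.  The previous version
 * called close_tag inside the loop, which emitted one closing tag per
 * group (malformed XML for any count other than one) and none at all for
 * an empty group list; this is also how print_execarg_tok and
 * print_execenv_tok close their elements.
 *
 * fp	  output stream
 * tok	  fetched token; tok->id and tok->tt.grps are read (grps.no was
 *	  clamped to AUDIT_MAX_GROUPS by fetch_newgroups_tok)
 * del	  field delimiter for text output
 * oflags output flags; AU_OFLAG_XML selects the XML form
 */
static void
print_newgroups_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
{
	int i;

	print_tok_type(fp, tok->id, "group", oflags);
	for (i = 0; i < tok->tt.grps.no; i++) {
		if (oflags & AU_OFLAG_XML) {
			fprintf(fp, "<gid>");
			print_group(fp, tok->tt.grps.list[i], oflags);
			fprintf(fp, "</gid>");
		} else {
			print_delim(fp, del);
			print_group(fp, tok->tt.grps.list[i], oflags);
		}
	}
	/* Close the element exactly once, even when there are no groups. */
	if (oflags & AU_OFLAG_XML)
		close_tag(fp, tok->id);
}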
2097
2098 /*
2099 * Internet addr 4 bytes
2100 */
/*
 * Fetch an Internet address token: 4 raw bytes copied into inaddr.addr
 * as-is (no byte-order conversion here).
 *
 * Returns 0 on success, -1 when the read flags an error.
 */
static int
fetch_inaddr_tok(tokenstr_t *tok, u_char *buf, int len)
{
	int err = 0;

	READ_TOKEN_BYTES(buf, len, &tok->tt.inaddr.addr, sizeof(uint32_t),
	    tok->len, err);

	return (err != 0 ? -1 : 0);
}
2114
/*
 * Print an Internet address token via print_ip_address.  XML output is
 * the address as element content followed by the closing tag.
 */
static void
print_inaddr_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
{
	const int xml = (oflags & AU_OFLAG_XML) != 0;

	print_tok_type(fp, tok->id, "ip addr", oflags);
	if (!xml)
		print_delim(fp, del);
	print_ip_address(fp, tok->tt.inaddr.addr);
	if (xml)
		close_tag(fp, tok->id);
}
2128
2129 /*
2130 * type 4 bytes
2131 * address 16 bytes
2132 */
/*
 * Fetch an extended Internet address token: a 4-byte address type and
 * then either 4 bytes (AU_IPv4, stored in addr[0]) or the full addr
 * array (AU_IPv6).  Any other type is rejected.
 *
 * Returns 0 on success, -1 on a read error or an unknown address type.
 */
static int
fetch_inaddr_ex_tok(tokenstr_t *tok, u_char *buf, int len)
{
	int err = 0;
	u_int32_t type;

	READ_TOKEN_U_INT32(buf, len, tok->tt.inaddr_ex.type, tok->len, err);
	if (err != 0)
		return (-1);

	/* Reject unknown types before touching the address bytes. */
	type = tok->tt.inaddr_ex.type;
	if (type != AU_IPv4 && type != AU_IPv6)
		return (-1);

	if (type == AU_IPv4)
		READ_TOKEN_BYTES(buf, len, &tok->tt.inaddr_ex.addr[0],
		    sizeof(tok->tt.inaddr_ex.addr[0]), tok->len, err);
	else
		READ_TOKEN_BYTES(buf, len, tok->tt.inaddr_ex.addr,
		    sizeof(tok->tt.inaddr_ex.addr), tok->len, err);

	return (err != 0 ? -1 : 0);
}
2157
/*
 * Print an extended Internet address token via print_ip_ex_address,
 * which selects the rendering from the stored address type.
 */
static void
print_inaddr_ex_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
{
	const int xml = (oflags & AU_OFLAG_XML) != 0;

	print_tok_type(fp, tok->id, "ip addr ex", oflags);
	if (!xml)
		print_delim(fp, del);
	print_ip_ex_address(fp, tok->tt.inaddr_ex.type,
	    tok->tt.inaddr_ex.addr);
	if (xml)
		close_tag(fp, tok->id);
}
2173
2174 /*
2175 * ip header 20 bytes
2176 */
/*
 * Fetch an IP header token (20 bytes): version, tos, length, id, fragment
 * offset, ttl, protocol, checksum, source and destination address.  The
 * multi-byte fields are copied raw with READ_TOKEN_BYTES, i.e. left in
 * network byte order; print_ip_tok applies ntohs when printing them.
 *
 * Returns 0 on success, -1 as soon as any read flags an error.
 */
static int
fetch_ip_tok(tokenstr_t *tok, u_char *buf, int len)
{
	int err = 0;

	READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.version, tok->len, err);
	if (err != 0)
		goto bad;
	READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.tos, tok->len, err);
	if (err != 0)
		goto bad;
	READ_TOKEN_BYTES(buf, len, &tok->tt.ip.len, sizeof(uint16_t),
	    tok->len, err);
	if (err != 0)
		goto bad;
	READ_TOKEN_BYTES(buf, len, &tok->tt.ip.id, sizeof(uint16_t),
	    tok->len, err);
	if (err != 0)
		goto bad;
	READ_TOKEN_BYTES(buf, len, &tok->tt.ip.offset, sizeof(uint16_t),
	    tok->len, err);
	if (err != 0)
		goto bad;
	READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.ttl, tok->len, err);
	if (err != 0)
		goto bad;
	READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.prot, tok->len, err);
	if (err != 0)
		goto bad;
	READ_TOKEN_BYTES(buf, len, &tok->tt.ip.chksm, sizeof(uint16_t),
	    tok->len, err);
	if (err != 0)
		goto bad;
	READ_TOKEN_BYTES(buf, len, &tok->tt.ip.src, sizeof(tok->tt.ip.src),
	    tok->len, err);
	if (err != 0)
		goto bad;
	READ_TOKEN_BYTES(buf, len, &tok->tt.ip.dest, sizeof(tok->tt.ip.dest),
	    tok->len, err);
	if (err != 0)
		goto bad;

	return (0);
bad:
	return (-1);
}
2230
/* Emit one XML attribute of the ip token; undefined after print_ip_tok. */
#define	IPTOK_XML_ATTR(name, emit) do {					\
	open_attr(fp, name);						\
	emit;								\
	close_attr(fp);							\
} while (0)
/* Emit one delimited text field of the ip token. */
#define	IPTOK_TXT_FIELD(emit) do {					\
	print_delim(fp, del);						\
	emit;								\
} while (0)

/*
 * Print an IP header token.  The single-byte fields are dumped with
 * print_mem, the 16-bit fields are converted from network byte order with
 * ntohs, and the addresses go through print_ip_address.  XML output uses
 * one attribute per field; text output delimits the fields with del.
 */
static void
print_ip_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
{

	print_tok_type(fp, tok->id, "ip", oflags);
	if (oflags & AU_OFLAG_XML) {
		IPTOK_XML_ATTR("version",
		    print_mem(fp, (u_char *)(&tok->tt.ip.version),
		    sizeof(u_char)));
		IPTOK_XML_ATTR("service_type",
		    print_mem(fp, (u_char *)(&tok->tt.ip.tos),
		    sizeof(u_char)));
		IPTOK_XML_ATTR("len",
		    print_2_bytes(fp, ntohs(tok->tt.ip.len), "%u"));
		IPTOK_XML_ATTR("id",
		    print_2_bytes(fp, ntohs(tok->tt.ip.id), "%u"));
		IPTOK_XML_ATTR("offset",
		    print_2_bytes(fp, ntohs(tok->tt.ip.offset), "%u"));
		IPTOK_XML_ATTR("time_to_live",
		    print_mem(fp, (u_char *)(&tok->tt.ip.ttl),
		    sizeof(u_char)));
		IPTOK_XML_ATTR("protocol",
		    print_mem(fp, (u_char *)(&tok->tt.ip.prot),
		    sizeof(u_char)));
		IPTOK_XML_ATTR("cksum",
		    print_2_bytes(fp, ntohs(tok->tt.ip.chksm), "%u"));
		IPTOK_XML_ATTR("src_addr",
		    print_ip_address(fp, tok->tt.ip.src));
		IPTOK_XML_ATTR("dest_addr",
		    print_ip_address(fp, tok->tt.ip.dest));
		close_tag(fp, tok->id);
		return;
	}

	IPTOK_TXT_FIELD(print_mem(fp, (u_char *)(&tok->tt.ip.version),
	    sizeof(u_char)));
	IPTOK_TXT_FIELD(print_mem(fp, (u_char *)(&tok->tt.ip.tos),
	    sizeof(u_char)));
	IPTOK_TXT_FIELD(print_2_bytes(fp, ntohs(tok->tt.ip.len), "%u"));
	IPTOK_TXT_FIELD(print_2_bytes(fp, ntohs(tok->tt.ip.id), "%u"));
	IPTOK_TXT_FIELD(print_2_bytes(fp, ntohs(tok->tt.ip.offset), "%u"));
	IPTOK_TXT_FIELD(print_mem(fp, (u_char *)(&tok->tt.ip.ttl),
	    sizeof(u_char)));
	IPTOK_TXT_FIELD(print_mem(fp, (u_char *)(&tok->tt.ip.prot),
	    sizeof(u_char)));
	IPTOK_TXT_FIELD(print_2_bytes(fp, ntohs(tok->tt.ip.chksm), "%u"));
	IPTOK_TXT_FIELD(print_ip_address(fp, tok->tt.ip.src));
	IPTOK_TXT_FIELD(print_ip_address(fp, tok->tt.ip.dest));
}
#undef IPTOK_XML_ATTR
#undef IPTOK_TXT_FIELD
2293
2294 /*
2295 * object ID type 1 byte
2296 * Object ID 4 bytes
2297 */
/*
 * Fetch an IPC object token: a 1-byte object type and a 4-byte object ID.
 *
 * Returns 0 on success, -1 when either read flags an error.
 */
static int
fetch_ipc_tok(tokenstr_t *tok, u_char *buf, int len)
{
	int err = 0;

	READ_TOKEN_U_CHAR(buf, len, tok->tt.ipc.type, tok->len, err);
	if (err == 0)
		READ_TOKEN_U_INT32(buf, len, tok->tt.ipc.id, tok->len, err);

	return (err != 0 ? -1 : 0);
}
2313
/*
 * Print an IPC object token: the type via print_ipctype and the numeric
 * object ID.  XML output uses "ipc-type"/"ipc-id" attributes.
 */
static void
print_ipc_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
{

	print_tok_type(fp, tok->id, "IPC", oflags);
	if (oflags & AU_OFLAG_XML) {
		open_attr(fp, "ipc-type");
		print_ipctype(fp, tok->tt.ipc.type, oflags);
		close_attr(fp);
		open_attr(fp, "ipc-id");
		print_4_bytes(fp, tok->tt.ipc.id, "%u");
		close_attr(fp);
		close_tag(fp, tok->id);
		return;
	}

	print_delim(fp, del);
	print_ipctype(fp, tok->tt.ipc.type, oflags);
	print_delim(fp, del);
	print_4_bytes(fp, tok->tt.ipc.id, "%u");
}
2334
2335 /*
2336 * owner user id 4 bytes
2337 * owner group id 4 bytes
2338 * creator user id 4 bytes
2339 * creator group id 4 bytes
2340 * access mode 4 bytes
2341 * slot seq 4 bytes
2342 * key 4 bytes
2343 */
/*
 * Fetch an IPC permission token: seven 4-byte fields in record order --
 * owner uid/gid, creator uid/gid, access mode, slot sequence and key.
 *
 * Returns 0 on success, -1 once any read flags an error.
 */
static int
fetch_ipcperm_tok(tokenstr_t *tok, u_char *buf, int len)
{
	int err = 0;

	do {
		READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.uid, tok->len,
		    err);
		if (err != 0)
			break;
		READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.gid, tok->len,
		    err);
		if (err != 0)
			break;
		READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.puid, tok->len,
		    err);
		if (err != 0)
			break;
		READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.pgid, tok->len,
		    err);
		if (err != 0)
			break;
		READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.mode, tok->len,
		    err);
		if (err != 0)
			break;
		READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.seq, tok->len,
		    err);
		if (err != 0)
			break;
		READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.key, tok->len,
		    err);
	} while (0);

	return (err != 0 ? -1 : 0);
}
2379
/* Emit one XML attribute of the IPC perm token; undefined after it. */
#define	IPCPERM_XML_ATTR(name, emit) do {				\
	open_attr(fp, name);						\
	emit;								\
	close_attr(fp);							\
} while (0)
/* Emit one delimited text field of the IPC perm token. */
#define	IPCPERM_TXT_FIELD(emit) do {					\
	print_delim(fp, del);						\
	emit;								\
} while (0)

/*
 * Print an IPC permission token: owner and creator user/group, octal
 * mode, sequence and key.  XML output uses one attribute per field and
 * closes the element; text output delimits the fields with del.
 */
static void
print_ipcperm_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
{

	print_tok_type(fp, tok->id, "IPC perm", oflags);
	if (oflags & AU_OFLAG_XML) {
		IPCPERM_XML_ATTR("uid",
		    print_user(fp, tok->tt.ipcperm.uid, oflags));
		IPCPERM_XML_ATTR("gid",
		    print_group(fp, tok->tt.ipcperm.gid, oflags));
		IPCPERM_XML_ATTR("creator-uid",
		    print_user(fp, tok->tt.ipcperm.puid, oflags));
		IPCPERM_XML_ATTR("creator-gid",
		    print_group(fp, tok->tt.ipcperm.pgid, oflags));
		IPCPERM_XML_ATTR("mode",
		    print_4_bytes(fp, tok->tt.ipcperm.mode, "%o"));
		IPCPERM_XML_ATTR("seq",
		    print_4_bytes(fp, tok->tt.ipcperm.seq, "%u"));
		IPCPERM_XML_ATTR("key",
		    print_4_bytes(fp, tok->tt.ipcperm.key, "%u"));
		close_tag(fp, tok->id);
		return;
	}

	IPCPERM_TXT_FIELD(print_user(fp, tok->tt.ipcperm.uid, oflags));
	IPCPERM_TXT_FIELD(print_group(fp, tok->tt.ipcperm.gid, oflags));
	IPCPERM_TXT_FIELD(print_user(fp, tok->tt.ipcperm.puid, oflags));
	IPCPERM_TXT_FIELD(print_group(fp, tok->tt.ipcperm.pgid, oflags));
	IPCPERM_TXT_FIELD(print_4_bytes(fp, tok->tt.ipcperm.mode, "%o"));
	IPCPERM_TXT_FIELD(print_4_bytes(fp, tok->tt.ipcperm.seq, "%u"));
	IPCPERM_TXT_FIELD(print_4_bytes(fp, tok->tt.ipcperm.key, "%u"));
}
#undef IPCPERM_XML_ATTR
#undef IPCPERM_TXT_FIELD
2425
2426 /*
2427 * port Ip address 2 bytes
2428 */
/*
 * Fetch an IP port token: 2 raw bytes copied into iport.port, left in
 * network byte order (print_iport_tok applies ntohs).
 *
 * Returns 0 on success, -1 when the read flags an error.
 */
static int
fetch_iport_tok(tokenstr_t *tok, u_char *buf, int len)
{
	int err = 0;

	READ_TOKEN_BYTES(buf, len, &tok->tt.iport.port, sizeof(uint16_t),
	    tok->len, err);

	return (err != 0 ? -1 : 0);
}
2441
static void
print_iport_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
{
	/* The port was stored raw, so convert from network order before printing. */
	uint16_t port = ntohs(tok->tt.iport.port);

	print_tok_type(fp, tok->id, "ip port", oflags);
	if ((oflags & AU_OFLAG_XML) == 0) {
		print_delim(fp, del);
		print_2_bytes(fp, port, "%#x");	/* hex, "0x" prefixed */
		return;
	}
	print_2_bytes(fp, port, "%#x");
	close_tag(fp, tok->id);
}
2455
2456 /*
2457 * size 2 bytes
2458 * data size bytes
2459 */
static int
fetch_opaque_tok(tokenstr_t *tok, u_char *buf, int len)
{
	int err = 0;

	/*
	 * Opaque token: a 16-bit size followed by that many bytes.  The data
	 * pointer aliases buf rather than copying, so it is only valid while
	 * buf is.  SET_PTR is expected to reject a size that runs past len;
	 * confirm in the macro definition.
	 */
	READ_TOKEN_U_INT16(buf, len, tok->tt.opaque.size, tok->len, err);
	if (!err) {
		SET_PTR((char*)buf, len, tok->tt.opaque.data,
		    tok->tt.opaque.size, tok->len, err);
	}
	return (err ? -1 : 0);
}
2476
static void
print_opaque_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
{
	/* Opaque bytes are dumped via print_mem; text mode also shows the size. */
	print_tok_type(fp, tok->id, "opaque", oflags);
	if ((oflags & AU_OFLAG_XML) == 0) {
		print_delim(fp, del);
		print_2_bytes(fp, tok->tt.opaque.size, "%u");
		print_delim(fp, del);
		print_mem(fp, (u_char*)tok->tt.opaque.data,
		    tok->tt.opaque.size);
		return;
	}
	print_mem(fp, (u_char*)tok->tt.opaque.data, tok->tt.opaque.size);
	close_tag(fp, tok->id);
}
2494
2495 /*
2496 * size 2 bytes
2497 * data size bytes
2498 */
static int
fetch_path_tok(tokenstr_t *tok, u_char *buf, int len)
{
	int err = 0;

	/*
	 * Path token: 16-bit length, then the path bytes.  path points into
	 * buf (no copy) and is not guaranteed NUL-terminated here; callers
	 * must honour tok->tt.path.len.
	 */
	READ_TOKEN_U_INT16(buf, len, tok->tt.path.len, tok->len, err);
	if (!err) {
		SET_PTR((char*)buf, len, tok->tt.path.path, tok->tt.path.len,
		    tok->len, err);
	}
	return (err ? -1 : 0);
}
2515
static void
print_path_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
{
	/*
	 * Print the path using its recorded length, never strlen(), since
	 * the bytes alias the record buffer.  NOTE(review): the path comes
	 * from the audited process; print_string is defined elsewhere, so
	 * confirm it escapes the delimiter, newlines and XML metacharacters
	 * before relying on this output for record boundaries.
	 */
	print_tok_type(fp, tok->id, "path", oflags);
	if ((oflags & AU_OFLAG_XML) == 0) {
		print_delim(fp, del);
		print_string(fp, tok->tt.path.path, tok->tt.path.len);
		return;
	}
	print_string(fp, tok->tt.path.path, tok->tt.path.len);
	close_tag(fp, tok->id);
}
2529
2530 /*
2531 * token ID 1 byte
2532 * audit ID 4 bytes
2533 * euid 4 bytes
2534 * egid 4 bytes
2535 * ruid 4 bytes
2536 * rgid 4 bytes
2537 * pid 4 bytes
2538 * sessid 4 bytes
2539 * terminal ID
2540 * portid 4 bytes
2541 * machine id 4 bytes
2542 */
static int
fetch_process32_tok(tokenstr_t *tok, u_char *buf, int len)
{
	int err = 0;

	/*
	 * 32-bit process token: seven big-endian 32-bit ids, a 32-bit port
	 * and a raw 4-byte machine address.  Every read is skipped once err
	 * is set, so the first short read ends the parse.
	 */
	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.auid, tok->len, err);
	if (!err) {
		READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.euid, tok->len, err);
	}
	if (!err) {
		READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.egid, tok->len, err);
	}
	if (!err) {
		READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.ruid, tok->len, err);
	}
	if (!err) {
		READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.rgid, tok->len, err);
	}
	if (!err) {
		READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.pid, tok->len, err);
	}
	if (!err) {
		READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.sid, tok->len, err);
	}
	if (!err) {
		READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.tid.port, tok->len,
		    err);
	}
	if (!err) {
		/* Address copied as-is; print_ip_address handles its layout. */
		READ_TOKEN_BYTES(buf, len, &tok->tt.proc32.tid.addr,
		    sizeof(tok->tt.proc32.tid.addr), tok->len, err);
	}
	return (err ? -1 : 0);
}
2587
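static void
print_process32_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
{

	/*
	 * Print a 32-bit process token.  Text output is delimiter-separated;
	 * XML output emits one attribute per id and a single "tid" attribute
	 * holding the port and machine address.
	 */
	print_tok_type(fp, tok->id, "process", oflags);
	if (oflags & AU_OFLAG_XML) {
		open_attr(fp, "audit-uid");
		print_user(fp, tok->tt.proc32.auid, oflags);
		close_attr(fp);
		open_attr(fp, "uid");
		print_user(fp, tok->tt.proc32.euid, oflags);
		close_attr(fp);
		open_attr(fp, "gid");
		print_group(fp, tok->tt.proc32.egid, oflags);
		close_attr(fp);
		open_attr(fp, "ruid");
		print_user(fp, tok->tt.proc32.ruid, oflags);
		close_attr(fp);
		open_attr(fp, "rgid");
		print_group(fp, tok->tt.proc32.rgid, oflags);
		close_attr(fp);
		open_attr(fp, "pid");
		print_4_bytes(fp, tok->tt.proc32.pid, "%u");
		close_attr(fp);
		open_attr(fp, "sid");
		print_4_bytes(fp, tok->tt.proc32.sid, "%u");
		close_attr(fp);
		open_attr(fp, "tid");
		/*
		 * Separate the port from the address with a space, as
		 * print_subject32_tok does.  A bare "%u" runs the port digits
		 * straight into the address text, producing a tid value that
		 * no consumer can split unambiguously.
		 */
		print_4_bytes(fp, tok->tt.proc32.tid.port, "%u ");
		print_ip_address(fp, tok->tt.proc32.tid.addr);
		close_attr(fp);
		close_tag(fp, tok->id);
	} else {
		print_delim(fp, del);
		print_user(fp, tok->tt.proc32.auid, oflags);
		print_delim(fp, del);
		print_user(fp, tok->tt.proc32.euid, oflags);
		print_delim(fp, del);
		print_group(fp, tok->tt.proc32.egid, oflags);
		print_delim(fp, del);
		print_user(fp, tok->tt.proc32.ruid, oflags);
		print_delim(fp, del);
		print_group(fp, tok->tt.proc32.rgid, oflags);
		print_delim(fp, del);
		print_4_bytes(fp, tok->tt.proc32.pid, "%u");
		print_delim(fp, del);
		print_4_bytes(fp, tok->tt.proc32.sid, "%u");
		print_delim(fp, del);
		print_4_bytes(fp, tok->tt.proc32.tid.port, "%u");
		print_delim(fp, del);
		print_ip_address(fp, tok->tt.proc32.tid.addr);
	}
}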
2641
2642 /*
2643 * token ID 1 byte
2644 * audit ID 4 bytes
2645 * euid 4 bytes
2646 * egid 4 bytes
2647 * ruid 4 bytes
2648 * rgid 4 bytes
2649 * pid 4 bytes
2650 * sessid 4 bytes
2651 * terminal ID
2652 * portid 8 bytes
2653 * machine id 4 bytes
2654 */
static int
fetch_process64_tok(tokenstr_t *tok, u_char *buf, int len)
{
	int err = 0;

	/*
	 * 64-bit process token: identical to the 32-bit form except that the
	 * terminal port is a 64-bit value.  Reads stop at the first failure.
	 */
	READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.auid, tok->len, err);
	if (!err) {
		READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.euid, tok->len, err);
	}
	if (!err) {
		READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.egid, tok->len, err);
	}
	if (!err) {
		READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.ruid, tok->len, err);
	}
	if (!err) {
		READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.rgid, tok->len, err);
	}
	if (!err) {
		READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.pid, tok->len, err);
	}
	if (!err) {
		READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.sid, tok->len, err);
	}
	if (!err) {
		READ_TOKEN_U_INT64(buf, len, tok->tt.proc64.tid.port, tok->len,
		    err);
	}
	if (!err) {
		READ_TOKEN_BYTES(buf, len, &tok->tt.proc64.tid.addr,
		    sizeof(tok->tt.proc64.tid.addr), tok->len, err);
	}
	return (err ? -1 : 0);
}
2699
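static void
print_process64_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
{
	/*
	 * Print a 64-bit process token (64-bit terminal port).  Layout
	 * mirrors print_process32_tok.
	 */
	print_tok_type(fp, tok->id, "process", oflags);
	if (oflags & AU_OFLAG_XML) {
		open_attr(fp, "audit-uid");
		print_user(fp, tok->tt.proc64.auid, oflags);
		close_attr(fp);
		open_attr(fp, "uid");
		print_user(fp, tok->tt.proc64.euid, oflags);
		close_attr(fp);
		open_attr(fp, "gid");
		print_group(fp, tok->tt.proc64.egid, oflags);
		close_attr(fp);
		open_attr(fp, "ruid");
		print_user(fp, tok->tt.proc64.ruid, oflags);
		close_attr(fp);
		open_attr(fp, "rgid");
		print_group(fp, tok->tt.proc64.rgid, oflags);
		close_attr(fp);
		open_attr(fp, "pid");
		print_4_bytes(fp, tok->tt.proc64.pid, "%u");
		close_attr(fp);
		open_attr(fp, "sid");
		print_4_bytes(fp, tok->tt.proc64.sid, "%u");
		close_attr(fp);
		open_attr(fp, "tid");
		/*
		 * Space after the port keeps it separable from the address
		 * that follows (same convention as print_subject32_tok);
		 * without it the two values fuse into one digit run.
		 */
		print_8_bytes(fp, tok->tt.proc64.tid.port, "%llu ");
		print_ip_address(fp, tok->tt.proc64.tid.addr);
		close_attr(fp);
		close_tag(fp, tok->id);
	} else {
		print_delim(fp, del);
		print_user(fp, tok->tt.proc64.auid, oflags);
		print_delim(fp, del);
		print_user(fp, tok->tt.proc64.euid, oflags);
		print_delim(fp, del);
		print_group(fp, tok->tt.proc64.egid, oflags);
		print_delim(fp, del);
		print_user(fp, tok->tt.proc64.ruid, oflags);
		print_delim(fp, del);
		print_group(fp, tok->tt.proc64.rgid, oflags);
		print_delim(fp, del);
		print_4_bytes(fp, tok->tt.proc64.pid, "%u");
		print_delim(fp, del);
		print_4_bytes(fp, tok->tt.proc64.sid, "%u");
		print_delim(fp, del);
		print_8_bytes(fp, tok->tt.proc64.tid.port, "%llu");
		print_delim(fp, del);
		print_ip_address(fp, tok->tt.proc64.tid.addr);
	}
}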
2752
2753 /*
2754 * token ID 1 byte
2755 * audit ID 4 bytes
2756 * effective user ID 4 bytes
2757 * effective group ID 4 bytes
2758 * real user ID 4 bytes
2759 * real group ID 4 bytes
2760 * process ID 4 bytes
2761 * session ID 4 bytes
2762 * terminal ID
2763 * port ID 4 bytes
2764 * address type-len 4 bytes
2765 * machine address 16 bytes
2766 */
static int
fetch_process32ex_tok(tokenstr_t *tok, u_char *buf, int len)
{
	int err = 0;

	/*
	 * Extended 32-bit process token: the fixed ids, a 32-bit port, then
	 * an address type selecting a 4-byte (AU_IPv4) or full-array
	 * (AU_IPv6) raw address.  Any other type is rejected.
	 */
	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.auid, tok->len, err);
	if (!err) {
		READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.euid, tok->len,
		    err);
	}
	if (!err) {
		READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.egid, tok->len,
		    err);
	}
	if (!err) {
		READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.ruid, tok->len,
		    err);
	}
	if (!err) {
		READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.rgid, tok->len,
		    err);
	}
	if (!err) {
		READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.pid, tok->len,
		    err);
	}
	if (!err) {
		READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.sid, tok->len,
		    err);
	}
	if (!err) {
		READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.tid.port,
		    tok->len, err);
	}
	if (!err) {
		READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.tid.type,
		    tok->len, err);
	}
	if (err)
		return (-1);

	switch (tok->tt.proc32_ex.tid.type) {
	case AU_IPv4:
		READ_TOKEN_BYTES(buf, len, &tok->tt.proc32_ex.tid.addr[0],
		    sizeof(tok->tt.proc32_ex.tid.addr[0]), tok->len, err);
		break;
	case AU_IPv6:
		READ_TOKEN_BYTES(buf, len, tok->tt.proc32_ex.tid.addr,
		    sizeof(tok->tt.proc32_ex.tid.addr), tok->len, err);
		break;
	default:
		/* Unknown family: refuse rather than guess an address length. */
		return (-1);
	}
	return (err ? -1 : 0);
}
2825
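static void
print_process32ex_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
{

	/*
	 * Print an extended 32-bit process token.  The terminal address is
	 * rendered according to tid.type (IPv4 or IPv6).
	 */
	print_tok_type(fp, tok->id, "process_ex", oflags);
	if (oflags & AU_OFLAG_XML) {
		open_attr(fp, "audit-uid");
		print_user(fp, tok->tt.proc32_ex.auid, oflags);
		close_attr(fp);
		open_attr(fp, "uid");
		print_user(fp, tok->tt.proc32_ex.euid, oflags);
		close_attr(fp);
		open_attr(fp, "gid");
		print_group(fp, tok->tt.proc32_ex.egid, oflags);
		close_attr(fp);
		open_attr(fp, "ruid");
		print_user(fp, tok->tt.proc32_ex.ruid, oflags);
		close_attr(fp);
		open_attr(fp, "rgid");
		print_group(fp, tok->tt.proc32_ex.rgid, oflags);
		close_attr(fp);
		open_attr(fp, "pid");
		print_4_bytes(fp, tok->tt.proc32_ex.pid, "%u");
		close_attr(fp);
		open_attr(fp, "sid");
		print_4_bytes(fp, tok->tt.proc32_ex.sid, "%u");
		close_attr(fp);
		open_attr(fp, "tid");
		/*
		 * Trailing space separates the port from the address (as in
		 * print_subject32_tok); otherwise the two fuse in the XML
		 * attribute and cannot be parsed apart.
		 */
		print_4_bytes(fp, tok->tt.proc32_ex.tid.port, "%u ");
		print_ip_ex_address(fp, tok->tt.proc32_ex.tid.type,
		    tok->tt.proc32_ex.tid.addr);
		close_attr(fp);
		close_tag(fp, tok->id);
	} else {
		print_delim(fp, del);
		print_user(fp, tok->tt.proc32_ex.auid, oflags);
		print_delim(fp, del);
		print_user(fp, tok->tt.proc32_ex.euid, oflags);
		print_delim(fp, del);
		print_group(fp, tok->tt.proc32_ex.egid, oflags);
		print_delim(fp, del);
		print_user(fp, tok->tt.proc32_ex.ruid, oflags);
		print_delim(fp, del);
		print_group(fp, tok->tt.proc32_ex.rgid, oflags);
		print_delim(fp, del);
		print_4_bytes(fp, tok->tt.proc32_ex.pid, "%u");
		print_delim(fp, del);
		print_4_bytes(fp, tok->tt.proc32_ex.sid, "%u");
		print_delim(fp, del);
		print_4_bytes(fp, tok->tt.proc32_ex.tid.port, "%u");
		print_delim(fp, del);
		print_ip_ex_address(fp, tok->tt.proc32_ex.tid.type,
		    tok->tt.proc32_ex.tid.addr);
	}
}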
2881
2882 /*
2883 * token ID 1 byte
2884 * audit ID 4 bytes
2885 * effective user ID 4 bytes
2886 * effective group ID 4 bytes
2887 * real user ID 4 bytes
2888 * real group ID 4 bytes
2889 * process ID 4 bytes
2890 * session ID 4 bytes
2891 * terminal ID
2892 * port ID 8 bytes
2893 * address type-len 4 bytes
2894 * machine address 16 bytes
2895 */
static int
fetch_process64ex_tok(tokenstr_t *tok, u_char *buf, int len)
{
	int err = 0;

	/*
	 * Extended 64-bit process token: same as the 32-bit extended form
	 * but with a 64-bit terminal port.  Address length is chosen by
	 * tid.type; unknown types fail the parse.
	 */
	READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.auid, tok->len, err);
	if (!err) {
		READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.euid, tok->len,
		    err);
	}
	if (!err) {
		READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.egid, tok->len,
		    err);
	}
	if (!err) {
		READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.ruid, tok->len,
		    err);
	}
	if (!err) {
		READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.rgid, tok->len,
		    err);
	}
	if (!err) {
		READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.pid, tok->len,
		    err);
	}
	if (!err) {
		READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.sid, tok->len,
		    err);
	}
	if (!err) {
		READ_TOKEN_U_INT64(buf, len, tok->tt.proc64_ex.tid.port,
		    tok->len, err);
	}
	if (!err) {
		READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.tid.type,
		    tok->len, err);
	}
	if (err)
		return (-1);

	switch (tok->tt.proc64_ex.tid.type) {
	case AU_IPv4:
		READ_TOKEN_BYTES(buf, len, &tok->tt.proc64_ex.tid.addr[0],
		    sizeof(tok->tt.proc64_ex.tid.addr[0]), tok->len, err);
		break;
	case AU_IPv6:
		READ_TOKEN_BYTES(buf, len, tok->tt.proc64_ex.tid.addr,
		    sizeof(tok->tt.proc64_ex.tid.addr), tok->len, err);
		break;
	default:
		/* Unknown family: refuse rather than guess an address length. */
		return (-1);
	}
	return (err ? -1 : 0);
}
2954
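static void
print_process64ex_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
{
	/*
	 * Print an extended 64-bit process token; mirrors
	 * print_process32ex_tok with a 64-bit port.
	 */
	print_tok_type(fp, tok->id, "process_ex", oflags);
	if (oflags & AU_OFLAG_XML) {
		open_attr(fp, "audit-uid");
		print_user(fp, tok->tt.proc64_ex.auid, oflags);
		close_attr(fp);
		open_attr(fp, "uid");
		print_user(fp, tok->tt.proc64_ex.euid, oflags);
		close_attr(fp);
		open_attr(fp, "gid");
		print_group(fp, tok->tt.proc64_ex.egid, oflags);
		close_attr(fp);
		open_attr(fp, "ruid");
		print_user(fp, tok->tt.proc64_ex.ruid, oflags);
		close_attr(fp);
		open_attr(fp, "rgid");
		print_group(fp, tok->tt.proc64_ex.rgid, oflags);
		close_attr(fp);
		open_attr(fp, "pid");
		print_4_bytes(fp, tok->tt.proc64_ex.pid, "%u");
		close_attr(fp);
		open_attr(fp, "sid");
		print_4_bytes(fp, tok->tt.proc64_ex.sid, "%u");
		close_attr(fp);
		open_attr(fp, "tid");
		/*
		 * Space after the port keeps it separable from the address
		 * (as print_subject32_tok does); a bare "%llu" fuses them.
		 */
		print_8_bytes(fp, tok->tt.proc64_ex.tid.port, "%llu ");
		print_ip_ex_address(fp, tok->tt.proc64_ex.tid.type,
		    tok->tt.proc64_ex.tid.addr);
		close_attr(fp);
		close_tag(fp, tok->id);
	} else {
		print_delim(fp, del);
		print_user(fp, tok->tt.proc64_ex.auid, oflags);
		print_delim(fp, del);
		print_user(fp, tok->tt.proc64_ex.euid, oflags);
		print_delim(fp, del);
		print_group(fp, tok->tt.proc64_ex.egid, oflags);
		print_delim(fp, del);
		print_user(fp, tok->tt.proc64_ex.ruid, oflags);
		print_delim(fp, del);
		print_group(fp, tok->tt.proc64_ex.rgid, oflags);
		print_delim(fp, del);
		print_4_bytes(fp, tok->tt.proc64_ex.pid, "%u");
		print_delim(fp, del);
		print_4_bytes(fp, tok->tt.proc64_ex.sid, "%u");
		print_delim(fp, del);
		print_8_bytes(fp, tok->tt.proc64_ex.tid.port, "%llu");
		print_delim(fp, del);
		print_ip_ex_address(fp, tok->tt.proc64_ex.tid.type,
		    tok->tt.proc64_ex.tid.addr);
	}
}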
3009
3010 /*
3011 * errno 1 byte
3012 * return value 4 bytes
3013 */
static int
fetch_return32_tok(tokenstr_t *tok, u_char *buf, int len)
{
	int err = 0;

	/* Return token: one status byte (errno) then a 32-bit return value. */
	READ_TOKEN_U_CHAR(buf, len, tok->tt.ret32.status, tok->len, err);
	if (!err) {
		READ_TOKEN_U_INT32(buf, len, tok->tt.ret32.ret, tok->len, err);
	}
	return (err ? -1 : 0);
}
3029
static void
print_return32_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
{
	/* Status is rendered symbolically by print_retval; the value as "%u". */
	print_tok_type(fp, tok->id, "return", oflags);
	if ((oflags & AU_OFLAG_XML) == 0) {
		print_delim(fp, del);
		print_retval(fp, tok->tt.ret32.status, oflags);
		print_delim(fp, del);
		print_4_bytes(fp, tok->tt.ret32.ret, "%u");
		return;
	}
	open_attr(fp ,"errval");
	print_retval(fp, tok->tt.ret32.status, oflags);
	close_attr(fp);
	open_attr(fp, "retval");
	print_4_bytes(fp, tok->tt.ret32.ret, "%u");
	close_attr(fp);
	close_tag(fp, tok->id);
}
3050
static int
fetch_return64_tok(tokenstr_t *tok, u_char *buf, int len)
{
	int err = 0;

	/* 64-bit return token: one errno byte followed by a 64-bit value. */
	READ_TOKEN_U_CHAR(buf, len, tok->tt.ret64.err, tok->len, err);
	if (!err) {
		READ_TOKEN_U_INT64(buf, len, tok->tt.ret64.val, tok->len, err);
	}
	return (err ? -1 : 0);
}
3066
static void
print_return64_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
{
	/*
	 * Same shape as the 32-bit printer, but the value is emitted with
	 * "%lld" (signed), unlike the "%u" used for 32-bit returns.
	 */
	print_tok_type(fp, tok->id, "return", oflags);
	if ((oflags & AU_OFLAG_XML) == 0) {
		print_delim(fp, del);
		print_retval(fp, tok->tt.ret64.err, oflags);
		print_delim(fp, del);
		print_8_bytes(fp, tok->tt.ret64.val, "%lld");
		return;
	}
	open_attr(fp, "errval");
	print_retval(fp, tok->tt.ret64.err, oflags);
	close_attr(fp);
	open_attr(fp, "retval");
	print_8_bytes(fp, tok->tt.ret64.val, "%lld");
	close_attr(fp);
	close_tag(fp, tok->id);
}
3087
3088 /*
3089 * seq 4 bytes
3090 */
static int
fetch_seq_tok(tokenstr_t *tok, u_char *buf, int len)
{
	int err = 0;

	/* Sequence token is a single big-endian 32-bit counter. */
	READ_TOKEN_U_INT32(buf, len, tok->tt.seq.seqno, tok->len, err);
	return (err ? -1 : 0);
}
3102
static void
print_seq_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
{
	/* One unsigned field; XML names it "seq-num". */
	print_tok_type(fp, tok->id, "sequence", oflags);
	if ((oflags & AU_OFLAG_XML) == 0) {
		print_delim(fp, del);
		print_4_bytes(fp, tok->tt.seq.seqno, "%u");
		return;
	}
	open_attr(fp, "seq-num");
	print_4_bytes(fp, tok->tt.seq.seqno, "%u");
	close_attr(fp);
	close_tag(fp, tok->id);
}
3118
3119 /*
3120 * socket family 2 bytes
3121 * local port 2 bytes
3122 * socket address 4 bytes
3123 */
static int
fetch_sock_inet32_tok(tokenstr_t *tok, u_char *buf, int len)
{
	int err = 0;

	/*
	 * IPv4 socket token, stored in the shared sockinet_ex32 slot: a
	 * 16-bit family (byte-swapped by the macro), then the port and the
	 * first address word copied raw (network byte order preserved).
	 */
	READ_TOKEN_U_INT16(buf, len, tok->tt.sockinet_ex32.family, tok->len,
	    err);
	if (!err) {
		READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet_ex32.port,
		    sizeof(uint16_t), tok->len, err);
	}
	if (!err) {
		READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet_ex32.addr[0],
		    sizeof(tok->tt.sockinet_ex32.addr[0]), tok->len, err);
	}
	return (err ? -1 : 0);
}
3146
static void
print_sock_inet32_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
{
	/* Port was stored raw, so swap from network order for display. */
	uint16_t port = ntohs(tok->tt.sockinet_ex32.port);

	print_tok_type(fp, tok->id, "socket-inet", oflags);
	if ((oflags & AU_OFLAG_XML) == 0) {
		print_delim(fp, del);
		print_2_bytes(fp, tok->tt.sockinet_ex32.family, "%u");
		print_delim(fp, del);
		print_2_bytes(fp, port, "%u");
		print_delim(fp, del);
		print_ip_address(fp, tok->tt.sockinet_ex32.addr[0]);
		return;
	}
	open_attr(fp, "type");
	print_2_bytes(fp, tok->tt.sockinet_ex32.family, "%u");
	close_attr(fp);
	open_attr(fp, "port");
	print_2_bytes(fp, port, "%u");
	close_attr(fp);
	open_attr(fp, "addr");
	print_ip_address(fp, tok->tt.sockinet_ex32.addr[0]);
	close_attr(fp);
	close_tag(fp, tok->id);
}
3172
3173 /*
3174 * socket family 2 bytes
3175 * local port 2 bytes
3176 * socket address 16 bytes
3177 */
static int
fetch_sock_inet128_tok(tokenstr_t *tok, u_char *buf, int len)
{
	int err = 0;

	/*
	 * IPv6 socket token.  Uses the same sockinet_ex32 storage as the
	 * IPv4 form but fills the whole addr array (all 16 bytes).
	 */
	READ_TOKEN_U_INT16(buf, len, tok->tt.sockinet_ex32.family, tok->len,
	    err);
	if (!err) {
		READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet_ex32.port,
		    sizeof(uint16_t), tok->len, err);
	}
	if (!err) {
		READ_TOKEN_BYTES(buf, len, tok->tt.sockinet_ex32.addr,
		    sizeof(tok->tt.sockinet_ex32.addr), tok->len, err);
	}
	return (err ? -1 : 0);
}
3200
static void
print_sock_inet128_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
{
	/* The address is always rendered as IPv6 for this token type. */
	uint16_t port = ntohs(tok->tt.sockinet_ex32.port);

	print_tok_type(fp, tok->id, "socket-inet6", oflags);
	if ((oflags & AU_OFLAG_XML) == 0) {
		print_delim(fp, del);
		print_2_bytes(fp, tok->tt.sockinet_ex32.family, "%u");
		print_delim(fp, del);
		print_2_bytes(fp, port, "%u");
		print_delim(fp, del);
		print_ip_ex_address(fp, AU_IPv6, tok->tt.sockinet_ex32.addr);
		return;
	}
	open_attr(fp, "type");
	print_2_bytes(fp, tok->tt.sockinet_ex32.family, "%u");
	close_attr(fp);
	open_attr(fp, "port");
	print_2_bytes(fp, port, "%u");
	close_attr(fp);
	open_attr(fp, "addr");
	print_ip_ex_address(fp, AU_IPv6, tok->tt.sockinet_ex32.addr);
	close_attr(fp);
	close_tag(fp, tok->id);
}
3226
3227 /*
3228 * socket family 2 bytes
3229 * path (up to) AU_UNIX_PATH_MAX bytes (NUL terminated)
3230 */
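static int
fetch_sock_unix_tok(tokenstr_t *tok, u_char *buf, int len)
{
	size_t remaining, search, pathmax;
	int err = 0;
	u_char *p;
	int slen;

	READ_TOKEN_U_INT16(buf, len, tok->tt.sockunix.family, tok->len, err);
	if (err)
		return (-1);
	/*
	 * Defensive: the subtraction below must never underflow.  A
	 * successful read leaves tok->len <= len, so this only trips on a
	 * corrupted tok.
	 */
	if (tok->len > (size_t)len)
		return (-1);

	/*
	 * Clamp the NUL search to the bytes remaining in the token and to
	 * the path storage size.  Using sizeof(tok->tt.sockunix.path) rather
	 * than a literal keeps the bound in sync with au_socketunix_t.
	 */
	pathmax = sizeof(tok->tt.sockunix.path);
	remaining = (size_t)len - tok->len;
	search = remaining < pathmax ? remaining : pathmax;
	p = (u_char *)memchr((const void *)(buf + tok->len), '\0', search);
	slen = (p != NULL) ? (int)(p - (buf + tok->len)) + 1 : (int)search;

	READ_TOKEN_BYTES(buf, len, tok->tt.sockunix.path, slen, tok->len, err);
	if (err)
		return (-1);

	if (p == NULL) {
		/*
		 * No NUL within the searched window, so the copy did not
		 * bring its own terminator.  Terminate immediately after the
		 * bytes actually copied (slen may be 0, or less than pathmax
		 * when the token is short): terminating only at pathmax-1
		 * would let strlen() in the printer run through whatever
		 * path[] held before this call and emit those stale bytes.
		 * When the window filled path[] completely, the last byte is
		 * sacrificed for the terminator.
		 */
		if (slen < (int)pathmax)
			tok->tt.sockunix.path[slen] = '\0';
		else
			tok->tt.sockunix.path[pathmax - 1] = '\0';
	}

	return (0);
}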
3262
static void
print_sock_unix_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
{
	/*
	 * path[] is NUL-terminated by fetch_sock_unix_tok, so strlen() is
	 * safe here.  The XML form emits an empty "port" attribute to keep
	 * the attribute set aligned with the inet socket tokens.
	 * NOTE(review): the path originates from the audited process;
	 * print_string is defined elsewhere, so confirm it escapes the
	 * delimiter, newlines and XML metacharacters.
	 */
	size_t plen = strlen(tok->tt.sockunix.path);

	print_tok_type(fp, tok->id, "socket-unix", oflags);
	if ((oflags & AU_OFLAG_XML) == 0) {
		print_delim(fp, del);
		print_2_bytes(fp, tok->tt.sockunix.family, "%u");
		print_delim(fp, del);
		print_string(fp, tok->tt.sockunix.path, plen);
		return;
	}
	open_attr(fp, "type");
	print_2_bytes(fp, tok->tt.sockunix.family, "%u");
	close_attr(fp);
	open_attr(fp, "port");
	close_attr(fp);
	open_attr(fp, "addr");
	print_string(fp, tok->tt.sockunix.path, plen);
	close_attr(fp);
	close_tag(fp, tok->id);
}
3287
3288 /*
3289 * socket type 2 bytes
3290 * local port 2 bytes
3291 * local address 4 bytes
3292 * remote port 2 bytes
3293 * remote address 4 bytes
3294 */
static int
fetch_socket_tok(tokenstr_t *tok, u_char *buf, int len)
{
	int err = 0;

	/*
	 * Legacy socket token: 16-bit type, then local port/address and
	 * remote port/address.  Ports and addresses are copied raw (network
	 * byte order); the printer converts ports with ntohs().
	 */
	READ_TOKEN_U_INT16(buf, len, tok->tt.socket.type, tok->len, err);
	if (!err) {
		READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_port,
		    sizeof(uint16_t), tok->len, err);
	}
	if (!err) {
		READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_addr,
		    sizeof(tok->tt.socket.l_addr), tok->len, err);
	}
	if (!err) {
		READ_TOKEN_BYTES(buf, len, &tok->tt.socket.r_port,
		    sizeof(uint16_t), tok->len, err);
	}
	if (!err) {
		READ_TOKEN_BYTES(buf, len, &tok->tt.socket.r_addr,
		    sizeof(tok->tt.socket.r_addr), tok->len, err);
	}
	return (err ? -1 : 0);
}
3326
static void
print_socket_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
{
	/* Both ports are stored raw; swap to host order once for display. */
	uint16_t lport = ntohs(tok->tt.socket.l_port);
	uint16_t rport = ntohs(tok->tt.socket.r_port);

	print_tok_type(fp, tok->id, "socket", oflags);
	if ((oflags & AU_OFLAG_XML) == 0) {
		print_delim(fp, del);
		print_2_bytes(fp, tok->tt.socket.type, "%u");
		print_delim(fp, del);
		print_2_bytes(fp, lport, "%u");
		print_delim(fp, del);
		print_ip_address(fp, tok->tt.socket.l_addr);
		print_delim(fp, del);
		print_2_bytes(fp, rport, "%u");
		print_delim(fp, del);
		print_ip_address(fp, tok->tt.socket.r_addr);
		return;
	}
	open_attr(fp, "sock_type");
	print_2_bytes(fp, tok->tt.socket.type, "%u");
	close_attr(fp);
	open_attr(fp, "lport");
	print_2_bytes(fp, lport, "%u");
	close_attr(fp);
	open_attr(fp, "laddr");
	print_ip_address(fp, tok->tt.socket.l_addr);
	close_attr(fp);
	open_attr(fp, "fport");
	print_2_bytes(fp, rport, "%u");
	close_attr(fp);
	open_attr(fp, "faddr");
	print_ip_address(fp, tok->tt.socket.r_addr);
	close_attr(fp);
	close_tag(fp, tok->id);
}
3362
/*
 * audit ID 4 bytes
 * euid 4 bytes
 * egid 4 bytes
 * ruid 4 bytes
 * rgid 4 bytes
 * pid 4 bytes
 * sessid 4 bytes
 * terminal ID
 * portid 4 bytes (this is the 32-bit subject form)
 * machine id 4 bytes
 */
static int
fetch_subject32_tok(tokenstr_t *tok, u_char *buf, int len)
{
	int err = 0;

	/*
	 * 32-bit subject token: same wire layout as the 32-bit process
	 * token.  Reads stop at the first failure; -1 is returned then.
	 */
	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.auid, tok->len, err);
	if (!err) {
		READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.euid, tok->len, err);
	}
	if (!err) {
		READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.egid, tok->len, err);
	}
	if (!err) {
		READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.ruid, tok->len, err);
	}
	if (!err) {
		READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.rgid, tok->len, err);
	}
	if (!err) {
		READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.pid, tok->len, err);
	}
	if (!err) {
		READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.sid, tok->len, err);
	}
	if (!err) {
		READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.tid.port, tok->len,
		    err);
	}
	if (!err) {
		READ_TOKEN_BYTES(buf, len, &tok->tt.subj32.tid.addr,
		    sizeof(tok->tt.subj32.tid.addr), tok->len, err);
	}
	return (err ? -1 : 0);
}
3419
static void
print_subject32_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
{
	int xml = (oflags & AU_OFLAG_XML) != 0;

	/*
	 * Print a 32-bit subject token.  In XML the "tid" attribute holds
	 * the port followed by a space and the machine address.
	 */
	print_tok_type(fp, tok->id, "subject", oflags);
	if (!xml) {
		print_delim(fp, del);
		print_user(fp, tok->tt.subj32.auid, oflags);
		print_delim(fp, del);
		print_user(fp, tok->tt.subj32.euid, oflags);
		print_delim(fp, del);
		print_group(fp, tok->tt.subj32.egid, oflags);
		print_delim(fp, del);
		print_user(fp, tok->tt.subj32.ruid, oflags);
		print_delim(fp, del);
		print_group(fp, tok->tt.subj32.rgid, oflags);
		print_delim(fp, del);
		print_4_bytes(fp, tok->tt.subj32.pid, "%u");
		print_delim(fp, del);
		print_4_bytes(fp, tok->tt.subj32.sid, "%u");
		print_delim(fp, del);
		print_4_bytes(fp, tok->tt.subj32.tid.port, "%u");
		print_delim(fp, del);
		print_ip_address(fp, tok->tt.subj32.tid.addr);
		return;
	}

	open_attr(fp, "audit-uid");
	print_user(fp, tok->tt.subj32.auid, oflags);
	close_attr(fp);
	open_attr(fp, "uid");
	print_user(fp, tok->tt.subj32.euid, oflags);
	close_attr(fp);
	open_attr(fp, "gid");
	print_group(fp, tok->tt.subj32.egid, oflags);
	close_attr(fp);
	open_attr(fp, "ruid");
	print_user(fp, tok->tt.subj32.ruid, oflags);
	close_attr(fp);
	open_attr(fp, "rgid");
	print_group(fp, tok->tt.subj32.rgid, oflags);
	close_attr(fp);
	open_attr(fp,"pid");
	print_4_bytes(fp, tok->tt.subj32.pid, "%u");
	close_attr(fp);
	open_attr(fp,"sid");
	print_4_bytes(fp, tok->tt.subj32.sid, "%u");
	close_attr(fp);
	open_attr(fp,"tid");
	print_4_bytes(fp, tok->tt.subj32.tid.port, "%u ");	/* space separates port from addr */
	print_ip_address(fp, tok->tt.subj32.tid.addr);
	close_attr(fp);
	close_tag(fp, tok->id);
}
3473
static void
print_upriv_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
{
	/* sorf: non-zero means the privilege was used successfully. */
	const char *status = tok->tt.priv.sorf ?
	    "successful use of priv" : "failed use of priv";

	print_tok_type(fp, tok->id, "use of privilege", oflags);
	if ((oflags & AU_OFLAG_XML) == 0) {
		print_delim(fp, del);
		(void) fprintf(fp, "%s", status);
		print_delim(fp, del);
		print_string(fp, tok->tt.priv.priv, tok->tt.priv.privstrlen);
		return;
	}
	open_attr(fp, "status");
	(void) fprintf(fp, "%s", status);
	close_attr(fp);
	open_attr(fp, "name");
	/* privstrlen bounds the name; priv aliases the record buffer. */
	print_string(fp, tok->tt.priv.priv, tok->tt.priv.privstrlen);
	close_attr(fp);
	close_tag(fp, tok->id);
}
3500
3501 /*
3502 * status 1 byte
3503 * privstrlen 2 bytes
3504 * priv N bytes + 1 (\0 byte)
3505 */
static int
fetch_priv_tok(tokenstr_t *tok, u_char *buf, int len)
{
	int err = 0;

	/*
	 * Parse AUT_UPRIV: a status byte, a 16-bit length, then the
	 * privilege name.  The READ_TOKEN_*/SET_PTR macros (defined earlier
	 * in this file) are expected to bound every access against len and
	 * advance tok->len; SET_PTR is expected to point priv into buf rather
	 * than copy, so the name lives only as long as the record buffer.
	 * Returns 0 on success, -1 on a short or malformed token.
	 */
	READ_TOKEN_U_CHAR(buf, len, tok->tt.priv.sorf, tok->len, err);
	if (err)
		goto fail;
	READ_TOKEN_U_INT16(buf, len, tok->tt.priv.privstrlen, tok->len, err);
	if (err)
		goto fail;
	/* privstrlen is attacker-controlled; SET_PTR must reject overruns. */
	SET_PTR((char *)buf, len, tok->tt.priv.priv, tok->tt.priv.privstrlen,
	    tok->len, err);
	if (err)
		goto fail;
	return (0);
fail:
	return (-1);
}
3523
3524 /*
3525 * privtstrlen 1 byte
3526 * privtstr N bytes + 1
3527 * privstrlen 1 byte
3528 * privstr N bytes + 1
3529 */
static int
fetch_privset_tok(tokenstr_t *tok, u_char *buf, int len)
{
	int err = 0;

	/*
	 * Parse AUT_PRIV: two length-prefixed strings (set type, then the
	 * privilege string).  Both lengths are read as 16-bit values here,
	 * which is what the wire parser implements even though the layout
	 * comment above this function says 1 byte.  Each SET_PTR is expected
	 * to bound the string against len, so a hostile length cannot point
	 * past the record.  Returns 0 on success, -1 on failure.
	 */
	READ_TOKEN_U_INT16(buf, len, tok->tt.privset.privtstrlen,
	    tok->len, err);
	if (err)
		goto fail;
	SET_PTR((char *)buf, len, tok->tt.privset.privtstr,
	    tok->tt.privset.privtstrlen, tok->len, err);
	if (err)
		goto fail;

	READ_TOKEN_U_INT16(buf, len, tok->tt.privset.privstrlen,
	    tok->len, err);
	if (err)
		goto fail;
	SET_PTR((char *)buf, len, tok->tt.privset.privstr,
	    tok->tt.privset.privstrlen, tok->len, err);
	if (err)
		goto fail;
	return (0);
fail:
	return (-1);
}
3553
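static void
print_privset_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
{

	/*
	 * Render a privilege-set token: the set type string followed by the
	 * privilege string, both printed with the lengths recorded by
	 * fetch_privset_tok() (not as NUL-terminated strings).
	 */
	print_tok_type(fp, tok->id, "privilege", oflags);
	if (oflags & AU_OFLAG_XML) {
		open_attr(fp, "type");
		print_string(fp, tok->tt.privset.privtstr,
		    tok->tt.privset.privtstrlen);
		close_attr(fp);
		open_attr(fp, "priv");
		print_string(fp, tok->tt.privset.privstr,
		    tok->tt.privset.privstrlen);
		close_attr(fp);
		/*
		 * Every other XML printer in this file terminates its element
		 * with close_tag(); this one did not, leaving the AUT_PRIV
		 * element open and the XML stream malformed for any consumer
		 * parsing it.
		 */
		close_tag(fp, tok->id);
	} else {
		print_delim(fp, del);
		print_string(fp, tok->tt.privset.privtstr,
		    tok->tt.privset.privtstrlen);
		print_delim(fp, del);
		print_string(fp, tok->tt.privset.privstr,
		    tok->tt.privset.privstrlen);
	}
}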
3577
3578 /*
3579 * audit ID 4 bytes
3580 * euid 4 bytes
3581 * egid 4 bytes
3582 * ruid 4 bytes
3583 * rgid 4 bytes
3584 * pid 4 bytes
3585 * sessid 4 bytes
3586 * terminal ID
3587 * portid 4 bytes/8 bytes (32-bit/64-bit value)
3588 * machine id 4 bytes
3589 */
static int
fetch_subject64_tok(tokenstr_t *tok, u_char *buf, int len)
{
	int err = 0;

	/*
	 * Parse AUT_SUBJECT64: seven 32-bit identity fields, a 64-bit
	 * terminal port and a fixed-size machine address, in wire order.
	 * Every read is expected to be bounded against len by the
	 * READ_TOKEN_* macros defined earlier in this file; the first short
	 * read aborts the whole token with -1.  Returns 0 on success.
	 */
	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.auid, tok->len, err);
	if (err)
		goto fail;
	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.euid, tok->len, err);
	if (err)
		goto fail;
	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.egid, tok->len, err);
	if (err)
		goto fail;
	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.ruid, tok->len, err);
	if (err)
		goto fail;
	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.rgid, tok->len, err);
	if (err)
		goto fail;
	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.pid, tok->len, err);
	if (err)
		goto fail;
	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.sid, tok->len, err);
	if (err)
		goto fail;

	/* Terminal ID: the port is 64 bits wide in this token variant. */
	READ_TOKEN_U_INT64(buf, len, tok->tt.subj64.tid.port, tok->len, err);
	if (err)
		goto fail;
	READ_TOKEN_BYTES(buf, len, &tok->tt.subj64.tid.addr,
	    sizeof(tok->tt.subj64.tid.addr), tok->len, err);
	if (err)
		goto fail;
	return (0);
fail:
	return (-1);
}
3634
static void
print_subject64_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
{
	/*
	 * Render a 64-bit subject token.  Identity fields go through
	 * print_user()/print_group() so oflags is applied to them; the
	 * terminal port is 64 bits wide here, hence print_8_bytes() with
	 * "%llu" rather than the 32-bit printer used by the subj32 variant.
	 */
	int xml = oflags & AU_OFLAG_XML;

	print_tok_type(fp, tok->id, "subject", oflags);
	if (!xml) {
		print_delim(fp, del); print_user(fp, tok->tt.subj64.auid, oflags);
		print_delim(fp, del); print_user(fp, tok->tt.subj64.euid, oflags);
		print_delim(fp, del); print_group(fp, tok->tt.subj64.egid, oflags);
		print_delim(fp, del); print_user(fp, tok->tt.subj64.ruid, oflags);
		print_delim(fp, del); print_group(fp, tok->tt.subj64.rgid, oflags);
		print_delim(fp, del); print_4_bytes(fp, tok->tt.subj64.pid, "%u");
		print_delim(fp, del); print_4_bytes(fp, tok->tt.subj64.sid, "%u");
		print_delim(fp, del); print_8_bytes(fp, tok->tt.subj64.tid.port, "%llu");
		print_delim(fp, del); print_ip_address(fp, tok->tt.subj64.tid.addr);
		return;
	}
	open_attr(fp, "audit-uid"); print_user(fp, tok->tt.subj64.auid, oflags); close_attr(fp);
	open_attr(fp, "uid"); print_user(fp, tok->tt.subj64.euid, oflags); close_attr(fp);
	open_attr(fp, "gid"); print_group(fp, tok->tt.subj64.egid, oflags); close_attr(fp);
	open_attr(fp, "ruid"); print_user(fp, tok->tt.subj64.ruid, oflags); close_attr(fp);
	open_attr(fp, "rgid"); print_group(fp, tok->tt.subj64.rgid, oflags); close_attr(fp);
	open_attr(fp, "pid"); print_4_bytes(fp, tok->tt.subj64.pid, "%u"); close_attr(fp);
	open_attr(fp, "sid"); print_4_bytes(fp, tok->tt.subj64.sid, "%u"); close_attr(fp);
	/* The tid attribute carries both the port and the address. */
	open_attr(fp, "tid");
	print_8_bytes(fp, tok->tt.subj64.tid.port, "%llu");
	print_ip_address(fp, tok->tt.subj64.tid.addr);
	close_attr(fp);
	close_tag(fp, tok->id);
}
3688
3689 /*
3690 * audit ID 4 bytes
3691 * euid 4 bytes
3692 * egid 4 bytes
3693 * ruid 4 bytes
3694 * rgid 4 bytes
3695 * pid 4 bytes
3696 * sessid 4 bytes
3697 * terminal ID
3698 * portid 4 bytes
3699 * type 4 bytes
3700 * machine id 16 bytes
3701 */
static int
fetch_subject32ex_tok(tokenstr_t *tok, u_char *buf, int len)
{
	int err = 0;

	/*
	 * Parse AUT_SUBJECT32_EX: seven 32-bit identity fields, a 32-bit
	 * terminal port, a 32-bit address type and an address whose width is
	 * selected by that type.  Reads are expected to be bounded against
	 * len by the READ_TOKEN_* macros defined earlier in this file.
	 * Returns 0 on success, -1 on a short token or unknown address type.
	 */
	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.auid, tok->len, err);
	if (err)
		goto fail;
	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.euid, tok->len, err);
	if (err)
		goto fail;
	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.egid, tok->len, err);
	if (err)
		goto fail;
	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.ruid, tok->len, err);
	if (err)
		goto fail;
	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.rgid, tok->len, err);
	if (err)
		goto fail;
	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.pid, tok->len, err);
	if (err)
		goto fail;
	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.sid, tok->len, err);
	if (err)
		goto fail;

	/* Terminal ID: port, then the type that fixes the address width. */
	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.tid.port, tok->len,
	    err);
	if (err)
		goto fail;
	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.tid.type, tok->len,
	    err);
	if (err)
		goto fail;

	/*
	 * Only the two known address families are accepted; an unknown type
	 * is rejected rather than guessed at, since the width of the
	 * following field would be unknown.
	 */
	switch (tok->tt.subj32_ex.tid.type) {
	case AU_IPv4:
		READ_TOKEN_BYTES(buf, len, &tok->tt.subj32_ex.tid.addr[0],
		    sizeof(tok->tt.subj32_ex.tid.addr[0]), tok->len, err);
		break;
	case AU_IPv6:
		READ_TOKEN_BYTES(buf, len, tok->tt.subj32_ex.tid.addr,
		    sizeof(tok->tt.subj32_ex.tid.addr), tok->len, err);
		break;
	default:
		goto fail;
	}
	if (err)
		goto fail;
	return (0);
fail:
	return (-1);
}
3760
static void
print_subject32ex_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
{
	/*
	 * Render an extended 32-bit subject token.  The address is printed
	 * by print_ip_ex_address(), which is handed the address type that
	 * fetch_subject32ex_tok() already validated as AU_IPv4 or AU_IPv6.
	 */
	int xml = oflags & AU_OFLAG_XML;

	print_tok_type(fp, tok->id, "subject_ex", oflags);
	if (!xml) {
		print_delim(fp, del); print_user(fp, tok->tt.subj32_ex.auid, oflags);
		print_delim(fp, del); print_user(fp, tok->tt.subj32_ex.euid, oflags);
		print_delim(fp, del); print_group(fp, tok->tt.subj32_ex.egid, oflags);
		print_delim(fp, del); print_user(fp, tok->tt.subj32_ex.ruid, oflags);
		print_delim(fp, del); print_group(fp, tok->tt.subj32_ex.rgid, oflags);
		print_delim(fp, del); print_4_bytes(fp, tok->tt.subj32_ex.pid, "%u");
		print_delim(fp, del); print_4_bytes(fp, tok->tt.subj32_ex.sid, "%u");
		print_delim(fp, del); print_4_bytes(fp, tok->tt.subj32_ex.tid.port, "%u");
		print_delim(fp, del);
		print_ip_ex_address(fp, tok->tt.subj32_ex.tid.type,
		    tok->tt.subj32_ex.tid.addr);
		return;
	}
	open_attr(fp, "audit-uid"); print_user(fp, tok->tt.subj32_ex.auid, oflags); close_attr(fp);
	open_attr(fp, "uid"); print_user(fp, tok->tt.subj32_ex.euid, oflags); close_attr(fp);
	open_attr(fp, "gid"); print_group(fp, tok->tt.subj32_ex.egid, oflags); close_attr(fp);
	open_attr(fp, "ruid"); print_user(fp, tok->tt.subj32_ex.ruid, oflags); close_attr(fp);
	open_attr(fp, "rgid"); print_group(fp, tok->tt.subj32_ex.rgid, oflags); close_attr(fp);
	open_attr(fp, "pid"); print_4_bytes(fp, tok->tt.subj32_ex.pid, "%u"); close_attr(fp);
	open_attr(fp, "sid"); print_4_bytes(fp, tok->tt.subj32_ex.sid, "%u"); close_attr(fp);
	/* The tid attribute carries both the port and the typed address. */
	open_attr(fp, "tid");
	print_4_bytes(fp, tok->tt.subj32_ex.tid.port, "%u");
	print_ip_ex_address(fp, tok->tt.subj32_ex.tid.type,
	    tok->tt.subj32_ex.tid.addr);
	close_attr(fp);
	close_tag(fp, tok->id);
}
3816
3817 /*
3818 * audit ID 4 bytes
3819 * euid 4 bytes
3820 * egid 4 bytes
3821 * ruid 4 bytes
3822 * rgid 4 bytes
3823 * pid 4 bytes
3824 * sessid 4 bytes
3825 * terminal ID
3826 * portid 8 bytes
3827 * type 4 bytes
3828 * machine id 16 bytes
3829 */
static int
fetch_subject64ex_tok(tokenstr_t *tok, u_char *buf, int len)
{
	int err = 0;

	/*
	 * Parse AUT_SUBJECT64_EX: identical to the 32-bit extended subject
	 * except that the terminal port is 64 bits wide.  Reads are expected
	 * to be bounded against len by the READ_TOKEN_* macros defined
	 * earlier in this file.  Returns 0 on success, -1 on a short token
	 * or unknown address type.
	 */
	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.auid, tok->len, err);
	if (err)
		goto fail;
	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.euid, tok->len, err);
	if (err)
		goto fail;
	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.egid, tok->len, err);
	if (err)
		goto fail;
	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.ruid, tok->len, err);
	if (err)
		goto fail;
	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.rgid, tok->len, err);
	if (err)
		goto fail;
	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.pid, tok->len, err);
	if (err)
		goto fail;
	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.sid, tok->len, err);
	if (err)
		goto fail;

	/* Terminal ID: 64-bit port, then the type that fixes the address width. */
	READ_TOKEN_U_INT64(buf, len, tok->tt.subj64_ex.tid.port, tok->len,
	    err);
	if (err)
		goto fail;
	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.tid.type, tok->len,
	    err);
	if (err)
		goto fail;

	/* Unknown address families are rejected, not guessed at. */
	switch (tok->tt.subj64_ex.tid.type) {
	case AU_IPv4:
		READ_TOKEN_BYTES(buf, len, &tok->tt.subj64_ex.tid.addr[0],
		    sizeof(tok->tt.subj64_ex.tid.addr[0]), tok->len, err);
		break;
	case AU_IPv6:
		READ_TOKEN_BYTES(buf, len, tok->tt.subj64_ex.tid.addr,
		    sizeof(tok->tt.subj64_ex.tid.addr), tok->len, err);
		break;
	default:
		goto fail;
	}
	if (err)
		goto fail;
	return (0);
fail:
	return (-1);
}
3888
static void
print_subject64ex_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
{
	/*
	 * Render an extended 64-bit subject token; the same layout as the
	 * 32-bit extended printer but with the port printed through
	 * print_8_bytes().  The address type passed to print_ip_ex_address()
	 * was validated by fetch_subject64ex_tok().
	 */
	int xml = oflags & AU_OFLAG_XML;

	print_tok_type(fp, tok->id, "subject_ex", oflags);
	if (!xml) {
		print_delim(fp, del); print_user(fp, tok->tt.subj64_ex.auid, oflags);
		print_delim(fp, del); print_user(fp, tok->tt.subj64_ex.euid, oflags);
		print_delim(fp, del); print_group(fp, tok->tt.subj64_ex.egid, oflags);
		print_delim(fp, del); print_user(fp, tok->tt.subj64_ex.ruid, oflags);
		print_delim(fp, del); print_group(fp, tok->tt.subj64_ex.rgid, oflags);
		print_delim(fp, del); print_4_bytes(fp, tok->tt.subj64_ex.pid, "%u");
		print_delim(fp, del); print_4_bytes(fp, tok->tt.subj64_ex.sid, "%u");
		print_delim(fp, del); print_8_bytes(fp, tok->tt.subj64_ex.tid.port, "%llu");
		print_delim(fp, del);
		print_ip_ex_address(fp, tok->tt.subj64_ex.tid.type,
		    tok->tt.subj64_ex.tid.addr);
		return;
	}
	open_attr(fp, "audit-uid"); print_user(fp, tok->tt.subj64_ex.auid, oflags); close_attr(fp);
	open_attr(fp, "uid"); print_user(fp, tok->tt.subj64_ex.euid, oflags); close_attr(fp);
	open_attr(fp, "gid"); print_group(fp, tok->tt.subj64_ex.egid, oflags); close_attr(fp);
	open_attr(fp, "ruid"); print_user(fp, tok->tt.subj64_ex.ruid, oflags); close_attr(fp);
	open_attr(fp, "rgid"); print_group(fp, tok->tt.subj64_ex.rgid, oflags); close_attr(fp);
	open_attr(fp, "pid"); print_4_bytes(fp, tok->tt.subj64_ex.pid, "%u"); close_attr(fp);
	open_attr(fp, "sid"); print_4_bytes(fp, tok->tt.subj64_ex.sid, "%u"); close_attr(fp);
	/* The tid attribute carries both the port and the typed address. */
	open_attr(fp, "tid");
	print_8_bytes(fp, tok->tt.subj64_ex.tid.port, "%llu");
	print_ip_ex_address(fp, tok->tt.subj64_ex.tid.type,
	    tok->tt.subj64_ex.tid.addr);
	close_attr(fp);
	close_tag(fp, tok->id);
}
3943
3944 /*
3945 * size 2 bytes
3946 * data size bytes
3947 */
static int
fetch_text_tok(tokenstr_t *tok, u_char *buf, int len)
{
	int err = 0;

	/*
	 * Parse AUT_TEXT: a 16-bit length followed by that many bytes.  The
	 * length is attacker-controlled; SET_PTR (defined earlier in this
	 * file) is expected to reject a length that would run past len and
	 * to point text into buf rather than copy it.  Returns 0 or -1.
	 */
	READ_TOKEN_U_INT16(buf, len, tok->tt.text.len, tok->len, err);
	if (!err)
		SET_PTR((char*)buf, len, tok->tt.text.text, tok->tt.text.len,
		    tok->len, err);
	return (err ? -1 : 0);
}
3964
static void
print_text_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
{
	/*
	 * Render a text token.  The payload is printed with the explicit
	 * length recorded by fetch_text_tok(); the XML form has no
	 * attributes, only the element body.
	 */
	int xml = oflags & AU_OFLAG_XML;

	print_tok_type(fp, tok->id, "text", oflags);
	if (!xml)
		print_delim(fp, del);
	print_string(fp, tok->tt.text.text, tok->tt.text.len);
	if (xml)
		close_tag(fp, tok->id);
}
3978
3979 /*
3980 * socket domain 2 bytes
3981 * socket type 2 bytes
3982 * address type 2 bytes
3983 * local port 2 bytes
3984 * local Internet address 4/16 bytes
3985 * remote port 2 bytes
3986 * remote Internet address 4/16 bytes
3987 */
static int
fetch_socketex32_tok(tokenstr_t *tok, u_char *buf, int len)
{
	int err = 0;
	size_t laddrsz, raddrsz;

	/*
	 * Parse AUT_SOCKET_EX: domain, socket type and address type (16 bits
	 * each), then local port/address and remote port/address.  Ports are
	 * copied raw (READ_TOKEN_BYTES, no byte-order conversion) and left
	 * for the printer to ntohs().  The address type is validated before
	 * any address is read so its width is known; anything other than
	 * AU_IPv4/AU_IPv6 is rejected.  Returns 0 on success, -1 otherwise.
	 */
	READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.domain, tok->len,
	    err);
	if (err)
		goto fail;
	READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.type, tok->len,
	    err);
	if (err)
		goto fail;
	READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.atype, tok->len,
	    err);
	if (err)
		goto fail;

	switch (tok->tt.socket_ex32.atype) {
	case AU_IPv4:
		laddrsz = sizeof(tok->tt.socket_ex32.l_addr[0]);
		raddrsz = sizeof(tok->tt.socket_ex32.r_addr[0]);
		break;
	case AU_IPv6:
		laddrsz = sizeof(tok->tt.socket_ex32.l_addr);
		raddrsz = sizeof(tok->tt.socket_ex32.r_addr);
		break;
	default:
		goto fail;
	}

	/* Local endpoint. */
	READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_port,
	    sizeof(uint16_t), tok->len, err);
	if (err)
		goto fail;
	READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_addr, laddrsz,
	    tok->len, err);
	if (err)
		goto fail;

	/* Remote endpoint. */
	READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_port,
	    sizeof(uint16_t), tok->len, err);
	if (err)
		goto fail;
	READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_addr, raddrsz,
	    tok->len, err);
	if (err)
		goto fail;
	return (0);
fail:
	return (-1);
}
4048
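static void
print_socketex32_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
{

	/*
	 * This print routine prints BSM constant space domains and socket
	 * types rather than converting them. If we add string printers for
	 * these constants in the future, we may want to call conversion
	 * routines.
	 *
	 * Ports were copied raw by fetch_socketex32_tok() (READ_TOKEN_BYTES,
	 * no conversion), so they are ntohs()'d here.  Addresses are rendered
	 * by print_ip_ex_address() according to atype, which the fetch
	 * routine has already restricted to AU_IPv4/AU_IPv6.  Note the two
	 * output forms order the remote port and address differently.
	 */
	print_tok_type(fp, tok->id, "socket", oflags);
	if (oflags & AU_OFLAG_XML) {
		open_attr(fp, "sock_dom");
		print_2_bytes(fp, tok->tt.socket_ex32.domain, "%#x");
		close_attr(fp);
		open_attr(fp, "sock_type");
		print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x");
		close_attr(fp);
		open_attr(fp, "lport");
		print_2_bytes(fp, ntohs(tok->tt.socket_ex32.l_port), "%#x");
		close_attr(fp);
		open_attr(fp, "laddr");
		print_ip_ex_address(fp, tok->tt.socket_ex32.atype,
		    tok->tt.socket_ex32.l_addr);
		close_attr(fp);
		open_attr(fp, "faddr");
		print_ip_ex_address(fp, tok->tt.socket_ex32.atype,
		    tok->tt.socket_ex32.r_addr);
		close_attr(fp);
		open_attr(fp, "fport");
		print_2_bytes(fp, ntohs(tok->tt.socket_ex32.r_port), "%#x");
		close_attr(fp);
		close_tag(fp, tok->id);
	} else {
		print_delim(fp, del);
		print_2_bytes(fp, tok->tt.socket_ex32.domain, "%#x");
		print_delim(fp, del);
		print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x");
		print_delim(fp, del);
		print_2_bytes(fp, ntohs(tok->tt.socket_ex32.l_port), "%#x");
		print_delim(fp, del);
		print_ip_ex_address(fp, tok->tt.socket_ex32.atype,
		    tok->tt.socket_ex32.l_addr);
		print_delim(fp, del);
		/*
		 * r_port is a 16-bit field like l_port; use the same
		 * printer for both rather than the 4-byte one.
		 */
		print_2_bytes(fp, ntohs(tok->tt.socket_ex32.r_port), "%#x");
		print_delim(fp, del);
		print_ip_ex_address(fp, tok->tt.socket_ex32.atype,
		    tok->tt.socket_ex32.r_addr);
	}
}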
4099
static int
fetch_invalid_tok(tokenstr_t *tok, u_char *buf, int len)
{
	int err = 0;
	/*
	 * Recovery path for an unrecognised token ID: everything after the
	 * ID byte (tok->len) up to the record trailer is kept as opaque
	 * data so the record can still be displayed rather than dropped.
	 * Returns -1 if nothing would be left to keep.
	 */
	int recoversize = len - (tok->len + AUDIT_TRAILER_SIZE);

	if (recoversize <= 0)
		return (-1);
	tok->tt.invalid.length = recoversize;
	SET_PTR((char*)buf, len, tok->tt.invalid.data, recoversize, tok->len,
	    err);
	return (err ? -1 : 0);
}
4119
static void
print_invalid_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
{

	/*
	 * Render an unrecognised token as a hex dump of the recovered bytes.
	 * There is deliberately no XML form: in XML mode this prints
	 * nothing at all.
	 */
	if (oflags & AU_OFLAG_XML)
		return;
	print_tok_type(fp, tok->id, "unknown", oflags);
	print_delim(fp, del);
	print_mem(fp, (u_char*)tok->tt.invalid.data, tok->tt.invalid.length);
}
4131
4132
4133 /*
4134 * size 2 bytes;
4135 * zonename size bytes;
4136 */
static int
fetch_zonename_tok(tokenstr_t *tok, u_char *buf, int len)
{
	int err = 0;

	/*
	 * Parse AUT_ZONENAME: a 16-bit length followed by the zone name.
	 * SET_PTR (defined earlier in this file) is expected to bound the
	 * attacker-controlled length against len and to point zonename into
	 * buf rather than copy.  Returns 0 on success, -1 on failure.
	 */
	READ_TOKEN_U_INT16(buf, len, tok->tt.zonename.len, tok->len, err);
	if (!err)
		SET_PTR((char *)buf, len, tok->tt.zonename.zonename,
		    tok->tt.zonename.len, tok->len, err);
	return (err ? -1 : 0);
}
4151
static void
print_zonename_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
{
	/*
	 * Render a zone name token with the explicit length recorded by
	 * fetch_zonename_tok().
	 */
	int xml = oflags & AU_OFLAG_XML;

	print_tok_type(fp, tok->id, "zone", oflags);
	if (!xml) {
		print_delim(fp, del);
		print_string(fp, tok->tt.zonename.zonename,
		    tok->tt.zonename.len);
		return;
	}
	open_attr(fp, "name");
	print_string(fp, tok->tt.zonename.zonename, tok->tt.zonename.len);
	close_attr(fp);
	close_tag(fp, tok->id);
}
4169
4170 /*
4171 * Reads the token beginning at buf into tok.
4172 */
int
au_fetch_tok(tokenstr_t *tok, u_char *buf, int len)
{
	/*
	 * Token ID -> per-token parser.  Each parser consumes its fields
	 * from buf, bounded by len, and leaves the number of bytes consumed
	 * in tok->len.  IDs not listed here go to fetch_invalid_tok(), which
	 * keeps the remaining bytes as opaque data so the record can still
	 * be printed.  Returns the parser's result: 0 on success, -1 on a
	 * malformed token or when len is not positive.
	 */
	static const struct {
		u_char id;
		int (*fetch)(tokenstr_t *, u_char *, int);
	} fetchers[] = {
		{ AUT_HEADER32,		fetch_header32_tok },
		{ AUT_HEADER32_EX,	fetch_header32_ex_tok },
		{ AUT_HEADER64,		fetch_header64_tok },
		{ AUT_HEADER64_EX,	fetch_header64_ex_tok },
		{ AUT_TRAILER,		fetch_trailer_tok },
		{ AUT_ARG32,		fetch_arg32_tok },
		{ AUT_ARG64,		fetch_arg64_tok },
		{ AUT_ATTR32,		fetch_attr32_tok },
		{ AUT_ATTR64,		fetch_attr64_tok },
		{ AUT_EXIT,		fetch_exit_tok },
		{ AUT_EXEC_ARGS,	fetch_execarg_tok },
		{ AUT_EXEC_ENV,		fetch_execenv_tok },
		{ AUT_OTHER_FILE32,	fetch_file_tok },
		{ AUT_NEWGROUPS,	fetch_newgroups_tok },
		{ AUT_IN_ADDR,		fetch_inaddr_tok },
		{ AUT_IN_ADDR_EX,	fetch_inaddr_ex_tok },
		{ AUT_IP,		fetch_ip_tok },
		{ AUT_IPC,		fetch_ipc_tok },
		{ AUT_IPC_PERM,		fetch_ipcperm_tok },
		{ AUT_IPORT,		fetch_iport_tok },
		{ AUT_OPAQUE,		fetch_opaque_tok },
		{ AUT_PATH,		fetch_path_tok },
		{ AUT_PROCESS32,	fetch_process32_tok },
		{ AUT_PROCESS32_EX,	fetch_process32ex_tok },
		{ AUT_PROCESS64,	fetch_process64_tok },
		{ AUT_PROCESS64_EX,	fetch_process64ex_tok },
		{ AUT_RETURN32,		fetch_return32_tok },
		{ AUT_RETURN64,		fetch_return64_tok },
		{ AUT_SEQ,		fetch_seq_tok },
		{ AUT_SOCKET,		fetch_socket_tok },
		{ AUT_SOCKINET32,	fetch_sock_inet32_tok },
		{ AUT_SOCKUNIX,		fetch_sock_unix_tok },
		{ AUT_SOCKINET128,	fetch_sock_inet128_tok },
		{ AUT_SUBJECT32,	fetch_subject32_tok },
		{ AUT_SUBJECT32_EX,	fetch_subject32ex_tok },
		{ AUT_SUBJECT64,	fetch_subject64_tok },
		{ AUT_SUBJECT64_EX,	fetch_subject64ex_tok },
		{ AUT_TEXT,		fetch_text_tok },
		{ AUT_SOCKET_EX,	fetch_socketex32_tok },
		{ AUT_DATA,		fetch_arb_tok },
		{ AUT_ZONENAME,		fetch_zonename_tok },
		{ AUT_UPRIV,		fetch_priv_tok },
		{ AUT_PRIV,		fetch_privset_tok },
	};
	size_t i;

	if (len <= 0)
		return (-1);

	/* The ID byte is consumed before the parser sees the remainder. */
	tok->len = 1;
	tok->data = buf;
	tok->id = *buf;

	for (i = 0; i < sizeof(fetchers) / sizeof(fetchers[0]); i++) {
		if (fetchers[i].id == tok->id)
			return (fetchers[i].fetch(tok, buf, len));
	}
	return (fetch_invalid_tok(tok, buf, len));
}
4318
void
au_print_flags_tok(FILE *outfp, tokenstr_t *tok, char *del, int oflags)
{
	/*
	 * Token ID -> per-token printer, the display counterpart of the
	 * parser table in au_fetch_tok().  oflags selects the output form
	 * (AU_OFLAG_XML, AU_OFLAG_RAW, AU_OFLAG_SHORT); del is the field
	 * delimiter for the non-XML form.  Unlisted IDs are rendered by
	 * print_invalid_tok().
	 */
	static const struct {
		u_char id;
		void (*print)(FILE *, tokenstr_t *, char *, int);
	} printers[] = {
		{ AUT_HEADER32,		print_header32_tok },
		{ AUT_HEADER32_EX,	print_header32_ex_tok },
		{ AUT_HEADER64,		print_header64_tok },
		{ AUT_HEADER64_EX,	print_header64_ex_tok },
		{ AUT_TRAILER,		print_trailer_tok },
		{ AUT_ARG32,		print_arg32_tok },
		{ AUT_ARG64,		print_arg64_tok },
		{ AUT_DATA,		print_arb_tok },
		{ AUT_ATTR32,		print_attr32_tok },
		{ AUT_ATTR64,		print_attr64_tok },
		{ AUT_EXIT,		print_exit_tok },
		{ AUT_EXEC_ARGS,	print_execarg_tok },
		{ AUT_EXEC_ENV,		print_execenv_tok },
		{ AUT_OTHER_FILE32,	print_file_tok },
		{ AUT_NEWGROUPS,	print_newgroups_tok },
		{ AUT_IN_ADDR,		print_inaddr_tok },
		{ AUT_IN_ADDR_EX,	print_inaddr_ex_tok },
		{ AUT_IP,		print_ip_tok },
		{ AUT_IPC,		print_ipc_tok },
		{ AUT_IPC_PERM,		print_ipcperm_tok },
		{ AUT_IPORT,		print_iport_tok },
		{ AUT_OPAQUE,		print_opaque_tok },
		{ AUT_PATH,		print_path_tok },
		{ AUT_PROCESS32,	print_process32_tok },
		{ AUT_PROCESS32_EX,	print_process32ex_tok },
		{ AUT_PROCESS64,	print_process64_tok },
		{ AUT_PROCESS64_EX,	print_process64ex_tok },
		{ AUT_RETURN32,		print_return32_tok },
		{ AUT_RETURN64,		print_return64_tok },
		{ AUT_SEQ,		print_seq_tok },
		{ AUT_SOCKET,		print_socket_tok },
		{ AUT_SOCKINET32,	print_sock_inet32_tok },
		{ AUT_SOCKUNIX,		print_sock_unix_tok },
		{ AUT_SOCKINET128,	print_sock_inet128_tok },
		{ AUT_SUBJECT32,	print_subject32_tok },
		{ AUT_SUBJECT64,	print_subject64_tok },
		{ AUT_SUBJECT32_EX,	print_subject32ex_tok },
		{ AUT_SUBJECT64_EX,	print_subject64ex_tok },
		{ AUT_TEXT,		print_text_tok },
		{ AUT_SOCKET_EX,	print_socketex32_tok },
		{ AUT_ZONENAME,		print_zonename_tok },
		{ AUT_UPRIV,		print_upriv_tok },
		{ AUT_PRIV,		print_privset_tok },
	};
	size_t i;

	for (i = 0; i < sizeof(printers) / sizeof(printers[0]); i++) {
		if (printers[i].id == tok->id) {
			printers[i].print(outfp, tok, del, oflags);
			return;
		}
	}
	print_invalid_tok(outfp, tok, del, oflags);
}
4500
4501 /*
4502 * 'prints' the token out to outfp.
4503 */
void
au_print_tok(FILE *outfp, tokenstr_t *tok, char *del, char raw, char sfrm)
{
	/*
	 * Legacy non-XML entry point: fold the two boolean switches into an
	 * oflags mask and hand off to au_print_flags_tok().
	 */
	int oflags = AU_OFLAG_NONE;

	oflags |= raw ? AU_OFLAG_RAW : 0;
	oflags |= sfrm ? AU_OFLAG_SHORT : 0;
	au_print_flags_tok(outfp, tok, del, oflags);
}
4516
4517 /*
4518 * 'prints' the token out to outfp in XML format.
4519 */
void
au_print_tok_xml(FILE *outfp, tokenstr_t *tok, char *del, char raw,
    char sfrm)
{
	/*
	 * Legacy XML entry point: like au_print_tok() but the mask starts
	 * with AU_OFLAG_XML set.
	 */
	int oflags = AU_OFLAG_XML;

	oflags |= raw ? AU_OFLAG_RAW : 0;
	oflags |= sfrm ? AU_OFLAG_SHORT : 0;
	au_print_flags_tok(outfp, tok, del, oflags);
}
4533
4534 /*
4535 * Read a record from the file pointer, store data in buf memory for buf is
4536 * also allocated in this function and has to be free'd outside this call.
4537 *
4538 * au_read_rec() handles two possibilities: a stand-alone file token, or a
4539 * complete audit record.
4540 *
4541 * XXXRW: Note that if we hit an error, we leave the stream in an unusable
4542 * state, because it will be partly offset into a record. We should rewind
4543 * or do something more intelligent. Particularly interesting is the case
4544 * where we perform a partial read of a record from a non-blockable file
4545 * descriptor. We should return the partial read and continue...?
4546 */
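int
au_read_rec(FILE *fp, u_char **buf)
{
	u_char *bptr;
	u_int32_t recsize;
	u_int32_t bytestoread;
	u_char type;
	int c;

	u_int32_t sec, msec;
	u_int16_t filenamelen;

	/*
	 * Read the leading token ID into an int first so that EOF (or a
	 * read error) is not silently narrowed to a 0xff byte.  The outcome
	 * for the caller is unchanged (EINVAL, -1), but the failure is now
	 * explicit rather than relying on 0xff not being a token ID.
	 */
	c = fgetc(fp);
	if (c == EOF) {
		errno = EINVAL;
		return (-1);
	}
	type = (u_char)c;

	switch (type) {
	case AUT_HEADER32:
	case AUT_HEADER32_EX:
	case AUT_HEADER64:
	case AUT_HEADER64_EX:
		/* The record size is the big-endian u_int32_t after the ID. */
		if (fread(&recsize, 1, sizeof(u_int32_t), fp) <
		    sizeof(u_int32_t)) {
			errno = EINVAL;
			return (-1);
		}
		recsize = be32toh(recsize);

		/*
		 * recsize comes from the stream and is untrusted.  It must at
		 * least cover the ID byte and size field already consumed, or
		 * bytestoread below would wrap.  No upper bound is applied
		 * here, so a hostile trail can make us allocate and read up
		 * to 4 GiB, and a value above INT_MAX would be returned as a
		 * negative number; callers that read untrusted trails should
		 * impose their own cap.
		 */
		if (recsize < (sizeof(u_int32_t) + sizeof(u_char))) {
			errno = EINVAL;
			return (-1);
		}

		*buf = calloc(recsize, sizeof(u_char));
		if (*buf == NULL)
			return (-1);
		bptr = *buf;

		/* Write back the ID and size already consumed from the stream. */
		*bptr = type;
		bptr++;
		be32enc(bptr, recsize);
		bptr += sizeof(u_int32_t);

		/* Now read the remaining record bytes. */
		bytestoread = recsize - (sizeof(u_int32_t) + sizeof(u_char));

		if (fread(bptr, 1, bytestoread, fp) < bytestoread) {
			free(*buf);
			*buf = NULL;	/* never hand back a freed pointer */
			errno = EINVAL;
			return (-1);
		}
		break;

	case AUT_OTHER_FILE32:
		/*
		 * The file token is variable-length, as it includes a
		 * pathname. As a result, we have to read incrementally
		 * until we know the total length, then allocate space and
		 * read the rest.  sec/msec/filenamelen stay in wire byte
		 * order; only the local recsize computation converts.
		 */
		if (fread(&sec, 1, sizeof(sec), fp) < sizeof(sec)) {
			errno = EINVAL;
			return (-1);
		}
		if (fread(&msec, 1, sizeof(msec), fp) < sizeof(msec)) {
			errno = EINVAL;
			return (-1);
		}
		if (fread(&filenamelen, 1, sizeof(filenamelen), fp) <
		    sizeof(filenamelen)) {
			errno = EINVAL;
			return (-1);
		}
		recsize = sizeof(type) + sizeof(sec) + sizeof(msec) +
		    sizeof(filenamelen) + ntohs(filenamelen);
		*buf = malloc(recsize);
		if (*buf == NULL)
			return (-1);
		bptr = *buf;

		/* Reassemble the fixed prefix exactly as it was on the wire. */
		bcopy(&type, bptr, sizeof(type));
		bptr += sizeof(type);
		bcopy(&sec, bptr, sizeof(sec));
		bptr += sizeof(sec);
		bcopy(&msec, bptr, sizeof(msec));
		bptr += sizeof(msec);
		bcopy(&filenamelen, bptr, sizeof(filenamelen));
		bptr += sizeof(filenamelen);

		if (fread(bptr, 1, ntohs(filenamelen), fp) <
		    ntohs(filenamelen)) {
			free(*buf);
			*buf = NULL;	/* never hand back a freed pointer */
			errno = EINVAL;
			return (-1);
		}
		break;

	default:
		errno = EINVAL;
		return (-1);
	}

	/* Caller owns *buf and must free() it. */
	return (recsize);
}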
4651