1 /*-
2 * Copyright (c) 2004-2009 Apple Inc.
3 * Copyright (c) 2005 SPARTA, Inc.
4 * Copyright (c) 2006 Robert N. M. Watson
5 * Copyright (c) 2006 Martin Voros
6 * All rights reserved.
7 *
8 * This code was developed in part by Robert N. M. Watson, Senior Principal
9 * Scientist, SPARTA, Inc.
10 *
11 * Redistribution and use in source and binary forms, with or without
12 * modification, are permitted provided that the following conditions
13 * are met:
14 * 1. Redistributions of source code must retain the above copyright
15 * notice, this list of conditions and the following disclaimer.
16 * 2. Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in the
18 * documentation and/or other materials provided with the distribution.
19 * 3. Neither the name of Apple Inc. ("Apple") nor the names of
20 * its contributors may be used to endorse or promote products derived
21 * from this software without specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
27 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
31 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
32 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
33 * POSSIBILITY OF SUCH DAMAGE.
34 */
35
36 #include <sys/types.h>
37
38 #include <config/config.h>
39
40 #ifdef USE_ENDIAN_H
41 #include <endian.h>
42 #endif
43 #ifdef USE_SYS_ENDIAN_H
44 #include <sys/endian.h>
45 #endif
46 #ifdef USE_MACHINE_ENDIAN_H
47 #include <machine/endian.h>
48 #endif
49 #ifdef USE_COMPAT_ENDIAN_H
50 #include <compat/endian.h>
51 #endif
52 #ifdef USE_COMPAT_ENDIAN_ENC_H
53 #include <compat/endian_enc.h>
54 #endif
55
56 #ifdef HAVE_FULL_QUEUE_H
57 #include <sys/queue.h>
58 #else /* !HAVE_FULL_QUEUE_H */
59 #include <compat/queue.h>
60 #endif /* !HAVE_FULL_QUEUE_H */
61
62 #include <sys/stat.h>
63 #include <sys/socket.h>
64
65 #include <bsm/libbsm.h>
66
67 #include <unistd.h>
68 #include <netinet/in.h>
69 #include <arpa/inet.h>
70 #include <errno.h>
71 #include <time.h>
72 #include <stdlib.h>
73 #include <stdio.h>
74 #include <string.h>
75 #include <pwd.h>
76 #include <grp.h>
77
78 #ifdef HAVE_VIS
79 #include <vis.h>
80 #else
81 #include <compat/vis.h>
82 #endif
83
84 #include <bsm/audit_internal.h>
85
86 #define READ_TOKEN_BYTES(buf, len, dest, size, bytesread, err) do { \
87 if ((bytesread) + (size) > (u_int32_t)(len)) { \
88 (err) = 1; \
89 } else { \
90 memcpy((dest), (buf) + (bytesread), (size)); \
91 bytesread += size; \
92 } \
93 } while (0)
94
95 #define READ_TOKEN_U_CHAR(buf, len, dest, bytesread, err) do { \
96 if ((bytesread) + sizeof(u_char) <= (u_int32_t)(len)) { \
97 (dest) = buf[(bytesread)]; \
98 (bytesread) += sizeof(u_char); \
99 } else \
100 (err) = 1; \
101 } while (0)
102
103 #define READ_TOKEN_U_INT16(buf, len, dest, bytesread, err) do { \
104 if ((bytesread) + sizeof(u_int16_t) <= (u_int32_t)(len)) { \
105 (dest) = be16dec((buf) + (bytesread)); \
106 (bytesread) += sizeof(u_int16_t); \
107 } else \
108 (err) = 1; \
109 } while (0)
110
111 #define READ_TOKEN_U_INT32(buf, len, dest, bytesread, err) do { \
112 if ((bytesread) + sizeof(u_int32_t) <= (u_int32_t)(len)) { \
113 (dest) = be32dec((buf) + (bytesread)); \
114 (bytesread) += sizeof(u_int32_t); \
115 } else \
116 (err) = 1; \
117 } while (0)
118
119 #define READ_TOKEN_U_INT64(buf, len, dest, bytesread, err) do { \
120 if ((bytesread) + sizeof(u_int64_t) <= (u_int32_t)(len)) { \
121 dest = be64dec((buf) + (bytesread)); \
122 (bytesread) += sizeof(u_int64_t); \
123 } else \
124 (err) = 1; \
125 } while (0)
126
127 #define SET_PTR(buf, len, ptr, size, bytesread, err) do { \
128 if ((bytesread) + (size) > (u_int32_t)(len)) \
129 (err) = 1; \
130 else { \
131 (ptr) = (buf) + (bytesread); \
132 (bytesread) += (size); \
133 } \
134 } while (0)
135
136 /*
137 * XML option.
138 */
139 #define AU_PLAIN 0
140 #define AU_XML 1
141
142 /*
143 * Prints the delimiter string.
144 */
145 static void
print_delim(FILE * fp,const char * del)146 print_delim(FILE *fp, const char *del)
147 {
148
149 fprintf(fp, "%s", del);
150 }
151
152 /*
153 * Prints a single byte in the given format.
154 */
155 static void
print_1_byte(FILE * fp,u_char val,const char * format)156 print_1_byte(FILE *fp, u_char val, const char *format)
157 {
158
159 fprintf(fp, format, val);
160 }
161
162 /*
163 * Print 2 bytes in the given format.
164 */
165 static void
print_2_bytes(FILE * fp,u_int16_t val,const char * format)166 print_2_bytes(FILE *fp, u_int16_t val, const char *format)
167 {
168
169 fprintf(fp, format, val);
170 }
171
172 /*
173 * Prints 4 bytes in the given format.
174 */
175 static void
print_4_bytes(FILE * fp,u_int32_t val,const char * format)176 print_4_bytes(FILE *fp, u_int32_t val, const char *format)
177 {
178
179 fprintf(fp, format, val);
180 }
181
182 /*
183 * Prints 8 bytes in the given format.
184 */
185 static void
print_8_bytes(FILE * fp,u_int64_t val,const char * format)186 print_8_bytes(FILE *fp, u_int64_t val, const char *format)
187 {
188
189 fprintf(fp, format, val);
190 }
191
192 /*
193 * Prints the given size of data bytes in hex.
194 */
195 static void
print_mem(FILE * fp,u_char * data,size_t len)196 print_mem(FILE *fp, u_char *data, size_t len)
197 {
198 u_int32_t i;
199
200 if (len > 0) {
201 fprintf(fp, "0x");
202 for (i = 0; i < len; i++)
203 fprintf(fp, "%02x", data[i]);
204 }
205 }
206
207 /*
208 * Prints the given data bytes as a string.
209 */
210 static void
print_string(FILE * fp,const char * str,size_t len)211 print_string(FILE *fp, const char *str, size_t len)
212 {
213 u_int32_t i;
214
215 if (len > 0) {
216 for (i = 0; i < len; i++) {
217 if (str[i] != '\0')
218 fprintf(fp, "%c", str[i]);
219 }
220 }
221 }
222
223 /*
224 * Prints the given data bytes as an XML-sanitized string.
225 */
226 static void
print_xml_string(FILE * fp,const char * str,size_t len)227 print_xml_string(FILE *fp, const char *str, size_t len)
228 {
229 u_int32_t i;
230 char visbuf[5];
231
232 if (len == 0)
233 return;
234
235 for (i = 0; i < len; i++) {
236 switch (str[i]) {
237 case '\0':
238 return;
239
240 case '&':
241 (void) fprintf(fp, "&");
242 break;
243
244 case '<':
245 (void) fprintf(fp, "<");
246 break;
247
248 case '>':
249 (void) fprintf(fp, ">");
250 break;
251
252 case '\"':
253 (void) fprintf(fp, """);
254 break;
255
256 case '\'':
257 (void) fprintf(fp, "'");
258 break;
259
260 default:
261 (void) vis(visbuf, str[i], VIS_CSTYLE, 0);
262 (void) fprintf(fp, "%s", visbuf);
263 break;
264 }
265 }
266 }
267
268 /*
269 * Prints the beginning of an attribute.
270 */
271 static void
open_attr(FILE * fp,const char * str)272 open_attr(FILE *fp, const char *str)
273 {
274
275 fprintf(fp,"%s=\"", str);
276 }
277
278 /*
279 * Prints the end of an attribute.
280 */
281 static void
close_attr(FILE * fp)282 close_attr(FILE *fp)
283 {
284
285 fprintf(fp,"\" ");
286 }
287
288 /*
289 * Prints the end of a tag.
290 */
291 static void
close_tag(FILE * fp,u_char type)292 close_tag(FILE *fp, u_char type)
293 {
294
295 switch(type) {
296 case AUT_HEADER32:
297 fprintf(fp, ">");
298 break;
299
300 case AUT_HEADER32_EX:
301 fprintf(fp, ">");
302 break;
303
304 case AUT_HEADER64:
305 fprintf(fp, ">");
306 break;
307
308 case AUT_HEADER64_EX:
309 fprintf(fp, ">");
310 break;
311
312 case AUT_ARG32:
313 fprintf(fp, "/>");
314 break;
315
316 case AUT_ARG64:
317 fprintf(fp, "/>");
318 break;
319
320 case AUT_ATTR32:
321 fprintf(fp, "/>");
322 break;
323
324 case AUT_ATTR64:
325 fprintf(fp, "/>");
326 break;
327
328 case AUT_EXIT:
329 fprintf(fp, "/>");
330 break;
331
332 case AUT_EXEC_ARGS:
333 fprintf(fp, "</exec_args>");
334 break;
335
336 case AUT_EXEC_ENV:
337 fprintf(fp, "</exec_env>");
338 break;
339
340 case AUT_OTHER_FILE32:
341 fprintf(fp, "</file>");
342 break;
343
344 case AUT_NEWGROUPS:
345 fprintf(fp, "</group>");
346 break;
347
348 case AUT_IN_ADDR:
349 fprintf(fp, "</ip_address>");
350 break;
351
352 case AUT_IN_ADDR_EX:
353 fprintf(fp, "</ip_address>");
354 break;
355
356 case AUT_IP:
357 fprintf(fp, "/>");
358 break;
359
360 case AUT_IPC:
361 fprintf(fp, "/>");
362 break;
363
364 case AUT_IPC_PERM:
365 fprintf(fp, "/>");
366 break;
367
368 case AUT_IPORT:
369 fprintf(fp, "</ip_port>");
370 break;
371
372 case AUT_OPAQUE:
373 fprintf(fp, "</opaque>");
374 break;
375
376 case AUT_PATH:
377 fprintf(fp, "</path>");
378 break;
379
380 case AUT_PROCESS32:
381 fprintf(fp, "/>");
382 break;
383
384 case AUT_PROCESS32_EX:
385 fprintf(fp, "/>");
386 break;
387
388 case AUT_PROCESS64:
389 fprintf(fp, "/>");
390 break;
391
392 case AUT_PROCESS64_EX:
393 fprintf(fp, "/>");
394 break;
395
396 case AUT_RETURN32:
397 fprintf(fp, "/>");
398 break;
399
400 case AUT_RETURN64:
401 fprintf(fp, "/>");
402 break;
403
404 case AUT_SEQ:
405 fprintf(fp, "/>");
406 break;
407
408 case AUT_SOCKET:
409 fprintf(fp, "/>");
410 break;
411
412 case AUT_SOCKINET32:
413 fprintf(fp, "/>");
414 break;
415
416 case AUT_SOCKUNIX:
417 fprintf(fp, "/>");
418 break;
419
420 case AUT_SOCKINET128:
421 fprintf(fp, "/>");
422 break;
423
424 case AUT_SUBJECT32:
425 fprintf(fp, "/>");
426 break;
427
428 case AUT_SUBJECT64:
429 fprintf(fp, "/>");
430 break;
431
432 case AUT_SUBJECT32_EX:
433 fprintf(fp, "/>");
434 break;
435
436 case AUT_SUBJECT64_EX:
437 fprintf(fp, "/>");
438 break;
439
440 case AUT_TEXT:
441 fprintf(fp, "</text>");
442 break;
443
444 case AUT_SOCKET_EX:
445 fprintf(fp, "/>");
446 break;
447
448 case AUT_DATA:
449 fprintf(fp, "</arbitrary>");
450 break;
451
452 case AUT_ZONENAME:
453 fprintf(fp, "/>");
454 break;
455 }
456 }
457
458 /*
459 * Prints the token type in either the raw or the default form.
460 */
461 static void
print_tok_type(FILE * fp,u_char type,const char * tokname,int oflags)462 print_tok_type(FILE *fp, u_char type, const char *tokname, int oflags)
463 {
464
465 if (oflags & AU_OFLAG_XML) {
466 switch(type) {
467 case AUT_HEADER32:
468 fprintf(fp, "<record ");
469 break;
470
471 case AUT_HEADER32_EX:
472 fprintf(fp, "<record ");
473 break;
474
475 case AUT_HEADER64:
476 fprintf(fp, "<record ");
477 break;
478
479 case AUT_HEADER64_EX:
480 fprintf(fp, "<record ");
481 break;
482
483 case AUT_TRAILER:
484 fprintf(fp, "</record>");
485 break;
486
487 case AUT_ARG32:
488 fprintf(fp, "<argument ");
489 break;
490
491 case AUT_ARG64:
492 fprintf(fp, "<argument ");
493 break;
494
495 case AUT_ATTR32:
496 fprintf(fp, "<attribute ");
497 break;
498
499 case AUT_ATTR64:
500 fprintf(fp, "<attribute ");
501 break;
502
503 case AUT_EXIT:
504 fprintf(fp, "<exit ");
505 break;
506
507 case AUT_EXEC_ARGS:
508 fprintf(fp, "<exec_args>");
509 break;
510
511 case AUT_EXEC_ENV:
512 fprintf(fp, "<exec_env>");
513 break;
514
515 case AUT_OTHER_FILE32:
516 fprintf(fp, "<file ");
517 break;
518
519 case AUT_NEWGROUPS:
520 fprintf(fp, "<group>");
521 break;
522
523 case AUT_IN_ADDR:
524 fprintf(fp, "<ip_address>");
525 break;
526
527 case AUT_IN_ADDR_EX:
528 fprintf(fp, "<ip_address>");
529 break;
530
531 case AUT_IP:
532 fprintf(fp, "<ip ");
533 break;
534
535 case AUT_IPC:
536 fprintf(fp, "<IPC");
537 break;
538
539 case AUT_IPC_PERM:
540 fprintf(fp, "<IPC_perm ");
541 break;
542
543 case AUT_IPORT:
544 fprintf(fp, "<ip_port>");
545 break;
546
547 case AUT_OPAQUE:
548 fprintf(fp, "<opaque>");
549 break;
550
551 case AUT_PATH:
552 fprintf(fp, "<path>");
553 break;
554
555 case AUT_PROCESS32:
556 fprintf(fp, "<process ");
557 break;
558
559 case AUT_PROCESS32_EX:
560 fprintf(fp, "<process ");
561 break;
562
563 case AUT_PROCESS64:
564 fprintf(fp, "<process ");
565 break;
566
567 case AUT_PROCESS64_EX:
568 fprintf(fp, "<process ");
569 break;
570
571 case AUT_RETURN32:
572 fprintf(fp, "<return ");
573 break;
574
575 case AUT_RETURN64:
576 fprintf(fp, "<return ");
577 break;
578
579 case AUT_SEQ:
580 fprintf(fp, "<sequence ");
581 break;
582
583 case AUT_SOCKET:
584 fprintf(fp, "<socket ");
585 break;
586
587 case AUT_SOCKINET32:
588 fprintf(fp, "<socket-inet ");
589 break;
590
591 case AUT_SOCKUNIX:
592 fprintf(fp, "<socket-unix ");
593 break;
594
595 case AUT_SOCKINET128:
596 fprintf(fp, "<socket-inet6 ");
597 break;
598
599 case AUT_SUBJECT32:
600 fprintf(fp, "<subject ");
601 break;
602
603 case AUT_SUBJECT64:
604 fprintf(fp, "<subject ");
605 break;
606
607 case AUT_SUBJECT32_EX:
608 fprintf(fp, "<subject ");
609 break;
610
611 case AUT_SUBJECT64_EX:
612 fprintf(fp, "<subject ");
613 break;
614
615 case AUT_TEXT:
616 fprintf(fp, "<text>");
617 break;
618
619 case AUT_SOCKET_EX:
620 fprintf(fp, "<socket ");
621 break;
622
623 case AUT_DATA:
624 fprintf(fp, "<arbitrary ");
625 break;
626
627 case AUT_ZONENAME:
628 fprintf(fp, "<zone ");
629 break;
630 }
631 } else {
632 if (oflags & AU_OFLAG_RAW)
633 fprintf(fp, "%u", type);
634 else
635 fprintf(fp, "%s", tokname);
636 }
637 }
638
639 /*
640 * Prints a user value.
641 */
642 static void
print_user(FILE * fp,u_int32_t usr,int oflags)643 print_user(FILE *fp, u_int32_t usr, int oflags)
644 {
645 struct passwd *pwent;
646
647 if (oflags & (AU_OFLAG_RAW | AU_OFLAG_NORESOLVE))
648 fprintf(fp, "%d", usr);
649 else {
650 pwent = getpwuid(usr);
651 if (pwent != NULL)
652 fprintf(fp, "%s", pwent->pw_name);
653 else
654 fprintf(fp, "%d", usr);
655 }
656 }
657
658 /*
659 * Prints a group value.
660 */
661 static void
print_group(FILE * fp,u_int32_t grp,int oflags)662 print_group(FILE *fp, u_int32_t grp, int oflags)
663 {
664 struct group *grpent;
665
666 if (oflags & (AU_OFLAG_RAW | AU_OFLAG_NORESOLVE))
667 fprintf(fp, "%d", grp);
668 else {
669 grpent = getgrgid(grp);
670 if (grpent != NULL)
671 fprintf(fp, "%s", grpent->gr_name);
672 else
673 fprintf(fp, "%d", grp);
674 }
675 }
676
677 /*
678 * Prints the event from the header token in either the short, default or raw
679 * form.
680 */
681 static void
print_event(FILE * fp,u_int16_t ev,int oflags)682 print_event(FILE *fp, u_int16_t ev, int oflags)
683 {
684 char event_ent_name[AU_EVENT_NAME_MAX];
685 char event_ent_desc[AU_EVENT_DESC_MAX];
686 struct au_event_ent e, *ep;
687
688 bzero(&e, sizeof(e));
689 bzero(event_ent_name, sizeof(event_ent_name));
690 bzero(event_ent_desc, sizeof(event_ent_desc));
691 e.ae_name = event_ent_name;
692 e.ae_desc = event_ent_desc;
693
694 ep = getauevnum_r(&e, ev);
695 if (ep == NULL) {
696 fprintf(fp, "%u", ev);
697 return;
698 }
699
700 if (oflags & AU_OFLAG_RAW)
701 fprintf(fp, "%u", ev);
702 else if (oflags & AU_OFLAG_SHORT)
703 fprintf(fp, "%s", e.ae_name);
704 else
705 fprintf(fp, "%s", e.ae_desc);
706 }
707
708
709 /*
710 * Prints the event modifier from the header token in either the default or
711 * raw form.
712 */
713 static void
print_evmod(FILE * fp,u_int16_t evmod,int oflags)714 print_evmod(FILE *fp, u_int16_t evmod, int oflags)
715 {
716 if (oflags & AU_OFLAG_RAW)
717 fprintf(fp, "%u", evmod);
718 else
719 fprintf(fp, "%u", evmod);
720 }
721
722 /*
723 * Prints seconds in the ctime format.
724 */
725 static void
print_sec32(FILE * fp,u_int32_t sec,int oflags)726 print_sec32(FILE *fp, u_int32_t sec, int oflags)
727 {
728 time_t timestamp;
729 char timestr[26];
730
731 if (oflags & AU_OFLAG_RAW)
732 fprintf(fp, "%u", sec);
733 else {
734 timestamp = (time_t)sec;
735 ctime_r(×tamp, timestr);
736 timestr[24] = '\0'; /* No new line */
737 fprintf(fp, "%s", timestr);
738 }
739 }
740
741 /*
742 * XXXRW: 64-bit token streams make use of 64-bit time stamps; since we
743 * assume a 32-bit time_t, we simply truncate for now.
744 */
745 static void
print_sec64(FILE * fp,u_int64_t sec,int oflags)746 print_sec64(FILE *fp, u_int64_t sec, int oflags)
747 {
748 time_t timestamp;
749 char timestr[26];
750
751 if (oflags & AU_OFLAG_RAW)
752 fprintf(fp, "%u", (u_int32_t)sec);
753 else {
754 timestamp = (time_t)sec;
755 ctime_r(×tamp, timestr);
756 timestr[24] = '\0'; /* No new line */
757 fprintf(fp, "%s", timestr);
758 }
759 }
760
761 /*
762 * Prints the excess milliseconds.
763 */
764 static void
print_msec32(FILE * fp,u_int32_t msec,int oflags)765 print_msec32(FILE *fp, u_int32_t msec, int oflags)
766 {
767 if (oflags & AU_OFLAG_RAW)
768 fprintf(fp, "%u", msec);
769 else
770 fprintf(fp, " + %u msec", msec);
771 }
772
773 /*
774 * XXXRW: 64-bit token streams make use of 64-bit time stamps; since we assume
775 * a 32-bit msec, we simply truncate for now.
776 */
777 static void
print_msec64(FILE * fp,u_int64_t msec,int oflags)778 print_msec64(FILE *fp, u_int64_t msec, int oflags)
779 {
780
781 msec &= 0xffffffff;
782 if (oflags & AU_OFLAG_RAW)
783 fprintf(fp, "%u", (u_int32_t)msec);
784 else
785 fprintf(fp, " + %u msec", (u_int32_t)msec);
786 }
787
788 /*
789 * Prints a dotted form for the IP address.
790 */
791 static void
print_ip_address(FILE * fp,u_int32_t ip)792 print_ip_address(FILE *fp, u_int32_t ip)
793 {
794 struct in_addr ipaddr;
795
796 ipaddr.s_addr = ip;
797 fprintf(fp, "%s", inet_ntoa(ipaddr));
798 }
799
800 /*
801 * Prints a string value for the given ip address.
802 */
803 static void
print_ip_ex_address(FILE * fp,u_int32_t type,u_int32_t * ipaddr)804 print_ip_ex_address(FILE *fp, u_int32_t type, u_int32_t *ipaddr)
805 {
806 struct in_addr ipv4;
807 struct in6_addr ipv6;
808 char dst[INET6_ADDRSTRLEN];
809
810 switch (type) {
811 case AU_IPv4:
812 ipv4.s_addr = (in_addr_t)(ipaddr[0]);
813 fprintf(fp, "%s", inet_ntop(AF_INET, &ipv4, dst,
814 INET6_ADDRSTRLEN));
815 break;
816
817 case AU_IPv6:
818 bcopy(ipaddr, &ipv6, sizeof(ipv6));
819 fprintf(fp, "%s", inet_ntop(AF_INET6, &ipv6, dst,
820 INET6_ADDRSTRLEN));
821 break;
822
823 default:
824 fprintf(fp, "invalid");
825 }
826 }
827
828 /*
829 * Prints return value as success or failure.
830 */
831 static void
print_retval(FILE * fp,u_char status,int oflags)832 print_retval(FILE *fp, u_char status, int oflags)
833 {
834 int error;
835
836 if (oflags & AU_OFLAG_RAW)
837 fprintf(fp, "%u", status);
838 else {
839 /*
840 * Convert to a local error number and print the OS's version
841 * of the error string if possible. We may want to provide
842 * an au_strerror(3) in the future so that we can print
843 * strings for non-local errors.
844 */
845 if (au_bsm_to_errno(status, &error) == 0) {
846 if (error == 0)
847 fprintf(fp, "success");
848 else
849 fprintf(fp, "failure : %s", strerror(error));
850 } else
851 fprintf(fp, "failure: Unknown error: %d", status);
852 }
853 }
854
855 /*
856 * Prints the exit value.
857 */
858 static void
print_errval(FILE * fp,u_int32_t val)859 print_errval(FILE *fp, u_int32_t val)
860 {
861
862 fprintf(fp, "Error %u", val);
863 }
864
865 /*
866 * Prints IPC type.
867 */
868 static void
print_ipctype(FILE * fp,u_char type,int oflags)869 print_ipctype(FILE *fp, u_char type, int oflags)
870 {
871 if (oflags & AU_OFLAG_RAW)
872 fprintf(fp, "%u", type);
873 else {
874 if (type == AT_IPC_MSG)
875 fprintf(fp, "Message IPC");
876 else if (type == AT_IPC_SEM)
877 fprintf(fp, "Semaphore IPC");
878 else if (type == AT_IPC_SHM)
879 fprintf(fp, "Shared Memory IPC");
880 else
881 fprintf(fp, "%u", type);
882 }
883 }
884
885 /*
886 * Print XML header.
887 */
888 void
au_print_xml_header(FILE * outfp)889 au_print_xml_header(FILE *outfp)
890 {
891
892 fprintf(outfp, "<?xml version='1.0' ?>\n");
893 fprintf(outfp, "<audit>\n");
894 }
895
896 /*
897 * Print XML footer.
898 */
899 void
au_print_xml_footer(FILE * outfp)900 au_print_xml_footer(FILE *outfp)
901 {
902
903 fprintf(outfp, "</audit>\n");
904 }
905
906 /*
907 * record byte count 4 bytes
908 * version # 1 byte [2]
909 * event type 2 bytes
910 * event modifier 2 bytes
911 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value)
912 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value)
913 */
914 static int
fetch_header32_tok(tokenstr_t * tok,u_char * buf,int len)915 fetch_header32_tok(tokenstr_t *tok, u_char *buf, int len)
916 {
917 int err = 0;
918
919 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.size, tok->len, err);
920 if (err)
921 return (-1);
922
923 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr32.version, tok->len, err);
924 if (err)
925 return (-1);
926
927 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32.e_type, tok->len, err);
928 if (err)
929 return (-1);
930
931 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32.e_mod, tok->len, err);
932 if (err)
933 return (-1);
934
935 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.s, tok->len, err);
936 if (err)
937 return (-1);
938
939 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.ms, tok->len, err);
940 if (err)
941 return (-1);
942
943 return (0);
944 }
945
946 static void
print_header32_tok(FILE * fp,tokenstr_t * tok,char * del,int oflags)947 print_header32_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
948 {
949
950 print_tok_type(fp, tok->id, "header", oflags);
951 if (oflags & AU_OFLAG_XML) {
952 open_attr(fp, "version");
953 print_1_byte(fp, tok->tt.hdr32.version, "%u");
954 close_attr(fp);
955 open_attr(fp, "event");
956 print_event(fp, tok->tt.hdr32.e_type, oflags);
957 close_attr(fp);
958 open_attr(fp, "modifier");
959 print_evmod(fp, tok->tt.hdr32.e_mod, oflags);
960 close_attr(fp);
961 open_attr(fp, "time");
962 print_sec32(fp, tok->tt.hdr32.s, oflags);
963 close_attr(fp);
964 open_attr(fp, "msec");
965 print_msec32(fp, tok->tt.hdr32.ms, oflags);
966 close_attr(fp);
967 close_tag(fp, tok->id);
968 } else {
969 print_delim(fp, del);
970 print_4_bytes(fp, tok->tt.hdr32.size, "%u");
971 print_delim(fp, del);
972 print_1_byte(fp, tok->tt.hdr32.version, "%u");
973 print_delim(fp, del);
974 print_event(fp, tok->tt.hdr32.e_type, oflags);
975 print_delim(fp, del);
976 print_evmod(fp, tok->tt.hdr32.e_mod, oflags);
977 print_delim(fp, del);
978 print_sec32(fp, tok->tt.hdr32.s, oflags);
979 print_delim(fp, del);
980 print_msec32(fp, tok->tt.hdr32.ms, oflags);
981 }
982 }
983
984 /*
985 * The Solaris specifications for AUE_HEADER32_EX seem to differ a bit
986 * depending on the bit of the specifications found. The OpenSolaris source
987 * code uses a 4-byte address length, followed by some number of bytes of
988 * address data. This contrasts with the Solaris audit.log.5 man page, which
989 * specifies a 1-byte length field. We use the Solaris 10 definition so that
990 * we can parse audit trails from that system.
991 *
992 * record byte count 4 bytes
993 * version # 1 byte [2]
994 * event type 2 bytes
995 * event modifier 2 bytes
996 * address type/length 4 bytes
997 * [ Solaris man page: address type/length 1 byte]
998 * machine address 4 bytes/16 bytes (IPv4/IPv6 address)
999 * seconds of time 4 bytes/8 bytes (32/64-bits)
1000 * nanoseconds of time 4 bytes/8 bytes (32/64-bits)
1001 */
1002 static int
fetch_header32_ex_tok(tokenstr_t * tok,u_char * buf,int len)1003 fetch_header32_ex_tok(tokenstr_t *tok, u_char *buf, int len)
1004 {
1005 int err = 0;
1006
1007 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.size, tok->len, err);
1008 if (err)
1009 return (-1);
1010
1011 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr32_ex.version, tok->len, err);
1012 if (err)
1013 return (-1);
1014
1015 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32_ex.e_type, tok->len, err);
1016 if (err)
1017 return (-1);
1018
1019 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32_ex.e_mod, tok->len, err);
1020 if (err)
1021 return (-1);
1022
1023 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.ad_type, tok->len, err);
1024 if (err)
1025 return (-1);
1026
1027 bzero(tok->tt.hdr32_ex.addr, sizeof(tok->tt.hdr32_ex.addr));
1028 switch (tok->tt.hdr32_ex.ad_type) {
1029 case AU_IPv4:
1030 READ_TOKEN_BYTES(buf, len, &tok->tt.hdr32_ex.addr[0],
1031 sizeof(tok->tt.hdr32_ex.addr[0]), tok->len, err);
1032 if (err)
1033 return (-1);
1034 break;
1035
1036 case AU_IPv6:
1037 READ_TOKEN_BYTES(buf, len, tok->tt.hdr32_ex.addr,
1038 sizeof(tok->tt.hdr32_ex.addr), tok->len, err);
1039 break;
1040 }
1041
1042 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.s, tok->len, err);
1043 if (err)
1044 return (-1);
1045
1046 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.ms, tok->len, err);
1047 if (err)
1048 return (-1);
1049
1050 return (0);
1051 }
1052
1053 static void
print_header32_ex_tok(FILE * fp,tokenstr_t * tok,char * del,int oflags)1054 print_header32_ex_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
1055 {
1056
1057 print_tok_type(fp, tok->id, "header_ex", oflags);
1058 if (oflags & AU_OFLAG_RAW) {
1059 open_attr(fp, "version");
1060 print_1_byte(fp, tok->tt.hdr32_ex.version, "%u");
1061 close_attr(fp);
1062 open_attr(fp, "event");
1063 print_event(fp, tok->tt.hdr32_ex.e_type, oflags);
1064 close_attr(fp);
1065 open_attr(fp, "modifier");
1066 print_evmod(fp, tok->tt.hdr32_ex.e_mod, oflags);
1067 close_attr(fp);
1068 open_attr(fp, "host");
1069 print_ip_ex_address(fp, tok->tt.hdr32_ex.ad_type,
1070 tok->tt.hdr32_ex.addr);
1071 close_attr(fp);
1072 open_attr(fp, "time");
1073 print_sec32(fp, tok->tt.hdr32_ex.s, oflags);
1074 close_attr(fp);
1075 open_attr(fp, "msec");
1076 print_msec32(fp, tok->tt.hdr32_ex.ms, oflags);
1077 close_attr(fp);
1078 close_tag(fp, tok->id);
1079 } else {
1080 print_delim(fp, del);
1081 print_4_bytes(fp, tok->tt.hdr32_ex.size, "%u");
1082 print_delim(fp, del);
1083 print_1_byte(fp, tok->tt.hdr32_ex.version, "%u");
1084 print_delim(fp, del);
1085 print_event(fp, tok->tt.hdr32_ex.e_type, oflags);
1086 print_delim(fp, del);
1087 print_evmod(fp, tok->tt.hdr32_ex.e_mod, oflags);
1088 print_delim(fp, del);
1089 print_ip_ex_address(fp, tok->tt.hdr32_ex.ad_type,
1090 tok->tt.hdr32_ex.addr);
1091 print_delim(fp, del);
1092 print_sec32(fp, tok->tt.hdr32_ex.s, oflags);
1093 print_delim(fp, del);
1094 print_msec32(fp, tok->tt.hdr32_ex.ms, oflags);
1095 }
1096 }
1097
1098 /*
1099 * record byte count 4 bytes
1100 * event type 2 bytes
1101 * event modifier 2 bytes
1102 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value)
1103 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value)
1104 * version #
1105 */
1106 static int
fetch_header64_tok(tokenstr_t * tok,u_char * buf,int len)1107 fetch_header64_tok(tokenstr_t *tok, u_char *buf, int len)
1108 {
1109 int err = 0;
1110
1111 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64.size, tok->len, err);
1112 if (err)
1113 return (-1);
1114
1115 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr64.version, tok->len, err);
1116 if (err)
1117 return (-1);
1118
1119 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64.e_type, tok->len, err);
1120 if (err)
1121 return (-1);
1122
1123 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64.e_mod, tok->len, err);
1124 if (err)
1125 return (-1);
1126
1127 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64.s, tok->len, err);
1128 if (err)
1129 return (-1);
1130
1131 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64.ms, tok->len, err);
1132 if (err)
1133 return (-1);
1134
1135 return (0);
1136 }
1137
1138 static void
print_header64_tok(FILE * fp,tokenstr_t * tok,char * del,int oflags)1139 print_header64_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
1140 {
1141
1142 print_tok_type(fp, tok->id, "header", oflags);
1143 if (oflags & AU_OFLAG_XML) {
1144 open_attr(fp, "version");
1145 print_1_byte(fp, tok->tt.hdr64.version, "%u");
1146 close_attr(fp);
1147 open_attr(fp, "event");
1148 print_event(fp, tok->tt.hdr64.e_type, oflags);
1149 close_attr(fp);
1150 open_attr(fp, "modifier");
1151 print_evmod(fp, tok->tt.hdr64.e_mod, oflags);
1152 close_attr(fp);
1153 open_attr(fp, "time");
1154 print_sec64(fp, tok->tt.hdr64.s, oflags);
1155 close_attr(fp);
1156 open_attr(fp, "msec");
1157 print_msec64(fp, tok->tt.hdr64.ms, oflags);
1158 close_attr(fp);
1159 close_tag(fp, tok->id);
1160 } else {
1161 print_delim(fp, del);
1162 print_4_bytes(fp, tok->tt.hdr64.size, "%u");
1163 print_delim(fp, del);
1164 print_1_byte(fp, tok->tt.hdr64.version, "%u");
1165 print_delim(fp, del);
1166 print_event(fp, tok->tt.hdr64.e_type, oflags);
1167 print_delim(fp, del);
1168 print_evmod(fp, tok->tt.hdr64.e_mod, oflags);
1169 print_delim(fp, del);
1170 print_sec64(fp, tok->tt.hdr64.s, oflags);
1171 print_delim(fp, del);
1172 print_msec64(fp, tok->tt.hdr64.ms, oflags);
1173 }
1174 }
1175
1176 /*
1177 * record byte count 4 bytes
1178 * version # 1 byte [2]
1179 * event type 2 bytes
1180 * event modifier 2 bytes
1181 * address type/length 4 bytes
1182 * [ Solaris man page: address type/length 1 byte]
1183 * machine address 4 bytes/16 bytes (IPv4/IPv6 address)
1184 * seconds of time 4 bytes/8 bytes (32/64-bits)
1185 * nanoseconds of time 4 bytes/8 bytes (32/64-bits)
1186 *
1187 * XXXAUDIT: See comment by fetch_header32_ex_tok() for details on the
1188 * accuracy of the BSM spec.
1189 */
1190 static int
fetch_header64_ex_tok(tokenstr_t * tok,u_char * buf,int len)1191 fetch_header64_ex_tok(tokenstr_t *tok, u_char *buf, int len)
1192 {
1193 int err = 0;
1194
1195 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64_ex.size, tok->len, err);
1196 if (err)
1197 return (-1);
1198
1199 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr64_ex.version, tok->len, err);
1200 if (err)
1201 return (-1);
1202
1203 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64_ex.e_type, tok->len, err);
1204 if (err)
1205 return (-1);
1206
1207 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64_ex.e_mod, tok->len, err);
1208 if (err)
1209 return (-1);
1210
1211 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64_ex.ad_type, tok->len, err);
1212 if (err)
1213 return (-1);
1214
1215 bzero(tok->tt.hdr64_ex.addr, sizeof(tok->tt.hdr64_ex.addr));
1216 switch (tok->tt.hdr64_ex.ad_type) {
1217 case AU_IPv4:
1218 READ_TOKEN_BYTES(buf, len, &tok->tt.hdr64_ex.addr[0],
1219 sizeof(tok->tt.hdr64_ex.addr[0]), tok->len, err);
1220 if (err)
1221 return (-1);
1222 break;
1223
1224 case AU_IPv6:
1225 READ_TOKEN_BYTES(buf, len, tok->tt.hdr64_ex.addr,
1226 sizeof(tok->tt.hdr64_ex.addr), tok->len, err);
1227 break;
1228 }
1229
1230 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64_ex.s, tok->len, err);
1231 if (err)
1232 return (-1);
1233
1234 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64_ex.ms, tok->len, err);
1235 if (err)
1236 return (-1);
1237
1238 return (0);
1239 }
1240
1241 static void
print_header64_ex_tok(FILE * fp,tokenstr_t * tok,char * del,int oflags)1242 print_header64_ex_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
1243 {
1244
1245 print_tok_type(fp, tok->id, "header_ex", oflags);
1246 if (oflags & AU_OFLAG_XML) {
1247 open_attr(fp, "version");
1248 print_1_byte(fp, tok->tt.hdr64_ex.version, "%u");
1249 close_attr(fp);
1250 open_attr(fp, "event");
1251 print_event(fp, tok->tt.hdr64_ex.e_type, oflags);
1252 close_attr(fp);
1253 open_attr(fp, "modifier");
1254 print_evmod(fp, tok->tt.hdr64_ex.e_mod, oflags);
1255 close_attr(fp);
1256 open_attr(fp, "host");
1257 print_ip_ex_address(fp, tok->tt.hdr64_ex.ad_type,
1258 tok->tt.hdr64_ex.addr);
1259 close_attr(fp);
1260 open_attr(fp, "time");
1261 print_sec64(fp, tok->tt.hdr64_ex.s, oflags);
1262 close_attr(fp);
1263 open_attr(fp, "msec");
1264 print_msec64(fp, tok->tt.hdr64_ex.ms, oflags);
1265 close_attr(fp);
1266 close_tag(fp, tok->id);
1267 } else {
1268 print_delim(fp, del);
1269 print_4_bytes(fp, tok->tt.hdr64_ex.size, "%u");
1270 print_delim(fp, del);
1271 print_1_byte(fp, tok->tt.hdr64_ex.version, "%u");
1272 print_delim(fp, del);
1273 print_event(fp, tok->tt.hdr64_ex.e_type, oflags);
1274 print_delim(fp, del);
1275 print_evmod(fp, tok->tt.hdr64_ex.e_mod, oflags);
1276 print_delim(fp, del);
1277 print_ip_ex_address(fp, tok->tt.hdr64_ex.ad_type,
1278 tok->tt.hdr64_ex.addr);
1279 print_delim(fp, del);
1280 print_sec64(fp, tok->tt.hdr64_ex.s, oflags);
1281 print_delim(fp, del);
1282 print_msec64(fp, tok->tt.hdr64_ex.ms, oflags);
1283 }
1284 }
1285
1286 /*
1287 * trailer magic 2 bytes
1288 * record size 4 bytes
1289 */
1290 static int
fetch_trailer_tok(tokenstr_t * tok,u_char * buf,int len)1291 fetch_trailer_tok(tokenstr_t *tok, u_char *buf, int len)
1292 {
1293 int err = 0;
1294
1295 READ_TOKEN_U_INT16(buf, len, tok->tt.trail.magic, tok->len, err);
1296 if (err)
1297 return (-1);
1298
1299 READ_TOKEN_U_INT32(buf, len, tok->tt.trail.count, tok->len, err);
1300 if (err)
1301 return (-1);
1302
1303 return (0);
1304 }
1305
1306 static void
print_trailer_tok(FILE * fp,tokenstr_t * tok,char * del,int oflags)1307 print_trailer_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
1308 {
1309
1310 print_tok_type(fp, tok->id, "trailer", oflags);
1311 if (!(oflags & AU_OFLAG_XML)) {
1312 print_delim(fp, del);
1313 print_4_bytes(fp, tok->tt.trail.count, "%u");
1314 }
1315 }
1316
1317 /*
1318 * argument # 1 byte
1319 * argument value 4 bytes/8 bytes (32-bit/64-bit value)
1320 * text length 2 bytes
1321 * text N bytes + 1 terminating NULL byte
1322 */
1323 static int
fetch_arg32_tok(tokenstr_t * tok,u_char * buf,int len)1324 fetch_arg32_tok(tokenstr_t *tok, u_char *buf, int len)
1325 {
1326 int err = 0;
1327
1328 READ_TOKEN_U_CHAR(buf, len, tok->tt.arg32.no, tok->len, err);
1329 if (err)
1330 return (-1);
1331
1332 READ_TOKEN_U_INT32(buf, len, tok->tt.arg32.val, tok->len, err);
1333 if (err)
1334 return (-1);
1335
1336 READ_TOKEN_U_INT16(buf, len, tok->tt.arg32.len, tok->len, err);
1337 if (err)
1338 return (-1);
1339
1340 SET_PTR((char*)buf, len, tok->tt.arg32.text, tok->tt.arg32.len,
1341 tok->len, err);
1342 if (err)
1343 return (-1);
1344
1345 return (0);
1346 }
1347
1348 static void
print_arg32_tok(FILE * fp,tokenstr_t * tok,char * del,int oflags)1349 print_arg32_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
1350 {
1351
1352 print_tok_type(fp, tok->id, "argument", oflags);
1353 if (oflags & AU_OFLAG_XML) {
1354 open_attr(fp, "arg-num");
1355 print_1_byte(fp, tok->tt.arg32.no, "%u");
1356 close_attr(fp);
1357 open_attr(fp, "value");
1358 print_4_bytes(fp, tok->tt.arg32.val, "0x%x");
1359 close_attr(fp);
1360 open_attr(fp, "desc");
1361 print_string(fp, tok->tt.arg32.text, tok->tt.arg32.len);
1362 close_attr(fp);
1363 close_tag(fp, tok->id);
1364 } else {
1365 print_delim(fp, del);
1366 print_1_byte(fp, tok->tt.arg32.no, "%u");
1367 print_delim(fp, del);
1368 print_4_bytes(fp, tok->tt.arg32.val, "0x%x");
1369 print_delim(fp, del);
1370 print_string(fp, tok->tt.arg32.text, tok->tt.arg32.len);
1371 }
1372 }
1373
1374 static int
fetch_arg64_tok(tokenstr_t * tok,u_char * buf,int len)1375 fetch_arg64_tok(tokenstr_t *tok, u_char *buf, int len)
1376 {
1377 int err = 0;
1378
1379 READ_TOKEN_U_CHAR(buf, len, tok->tt.arg64.no, tok->len, err);
1380 if (err)
1381 return (-1);
1382
1383 READ_TOKEN_U_INT64(buf, len, tok->tt.arg64.val, tok->len, err);
1384 if (err)
1385 return (-1);
1386
1387 READ_TOKEN_U_INT16(buf, len, tok->tt.arg64.len, tok->len, err);
1388 if (err)
1389 return (-1);
1390
1391 SET_PTR((char*)buf, len, tok->tt.arg64.text, tok->tt.arg64.len,
1392 tok->len, err);
1393 if (err)
1394 return (-1);
1395
1396 return (0);
1397 }
1398
1399 static void
print_arg64_tok(FILE * fp,tokenstr_t * tok,char * del,int oflags)1400 print_arg64_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
1401 {
1402
1403 print_tok_type(fp, tok->id, "argument", oflags);
1404 if (oflags & AU_OFLAG_XML) {
1405 open_attr(fp, "arg-num");
1406 print_1_byte(fp, tok->tt.arg64.no, "%u");
1407 close_attr(fp);
1408 open_attr(fp, "value");
1409 print_8_bytes(fp, tok->tt.arg64.val, "0x%llx");
1410 close_attr(fp);
1411 open_attr(fp, "desc");
1412 print_string(fp, tok->tt.arg64.text, tok->tt.arg64.len);
1413 close_attr(fp);
1414 close_tag(fp, tok->id);
1415 } else {
1416 print_delim(fp, del);
1417 print_1_byte(fp, tok->tt.arg64.no, "%u");
1418 print_delim(fp, del);
1419 print_8_bytes(fp, tok->tt.arg64.val, "0x%llx");
1420 print_delim(fp, del);
1421 print_string(fp, tok->tt.arg64.text, tok->tt.arg64.len);
1422 }
1423 }
1424
1425 /*
1426 * how to print 1 byte
1427 * basic unit 1 byte
1428 * unit count 1 byte
1429 * data items (depends on basic unit)
1430 */
1431 static int
fetch_arb_tok(tokenstr_t * tok,u_char * buf,int len)1432 fetch_arb_tok(tokenstr_t *tok, u_char *buf, int len)
1433 {
1434 int err = 0;
1435 int datasize;
1436
1437 READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.howtopr, tok->len, err);
1438 if (err)
1439 return (-1);
1440
1441 READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.bu, tok->len, err);
1442 if (err)
1443 return (-1);
1444
1445 READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.uc, tok->len, err);
1446 if (err)
1447 return (-1);
1448
1449 /*
1450 * Determine the size of the basic unit.
1451 */
1452 switch(tok->tt.arb.bu) {
1453 case AUR_BYTE:
1454 /* case AUR_CHAR: */
1455 datasize = AUR_BYTE_SIZE;
1456 break;
1457
1458 case AUR_SHORT:
1459 datasize = AUR_SHORT_SIZE;
1460 break;
1461
1462 case AUR_INT32:
1463 /* case AUR_INT: */
1464 datasize = AUR_INT32_SIZE;
1465 break;
1466
1467 case AUR_INT64:
1468 datasize = AUR_INT64_SIZE;
1469 break;
1470
1471 default:
1472 return (-1);
1473 }
1474
1475 SET_PTR(buf, len, tok->tt.arb.data, datasize * tok->tt.arb.uc,
1476 tok->len, err);
1477 if (err)
1478 return (-1);
1479
1480 return (0);
1481 }
1482
1483 static void
print_arb_tok(FILE * fp,tokenstr_t * tok,char * del,int oflags)1484 print_arb_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
1485 {
1486 char *str;
1487 char *format;
1488 size_t size;
1489 int i;
1490
1491 print_tok_type(fp, tok->id, "arbitrary", oflags);
1492 if (!(oflags & AU_OFLAG_XML))
1493 print_delim(fp, del);
1494
1495 switch(tok->tt.arb.howtopr) {
1496 case AUP_BINARY:
1497 str = "binary";
1498 format = " %c";
1499 break;
1500
1501 case AUP_OCTAL:
1502 str = "octal";
1503 format = " %o";
1504 break;
1505
1506 case AUP_DECIMAL:
1507 str = "decimal";
1508 format = " %d";
1509 break;
1510
1511 case AUP_HEX:
1512 str = "hex";
1513 format = " %x";
1514 break;
1515
1516 case AUP_STRING:
1517 str = "string";
1518 format = "%c";
1519 break;
1520
1521 default:
1522 return;
1523 }
1524
1525 if (oflags & AU_OFLAG_XML) {
1526 open_attr(fp, "print");
1527 fprintf(fp, "%s",str);
1528 close_attr(fp);
1529 } else {
1530 print_string(fp, str, strlen(str));
1531 print_delim(fp, del);
1532 }
1533 switch(tok->tt.arb.bu) {
1534 case AUR_BYTE:
1535 /* case AUR_CHAR: */
1536 str = "byte";
1537 size = AUR_BYTE_SIZE;
1538 if (oflags & AU_OFLAG_XML) {
1539 open_attr(fp, "type");
1540 fprintf(fp, "%zu", size);
1541 close_attr(fp);
1542 open_attr(fp, "count");
1543 print_1_byte(fp, tok->tt.arb.uc, "%u");
1544 close_attr(fp);
1545 fprintf(fp, ">");
1546 for (i = 0; i<tok->tt.arb.uc; i++)
1547 fprintf(fp, format, *(tok->tt.arb.data +
1548 (size * i)));
1549 close_tag(fp, tok->id);
1550 } else {
1551 print_string(fp, str, strlen(str));
1552 print_delim(fp, del);
1553 print_1_byte(fp, tok->tt.arb.uc, "%u");
1554 print_delim(fp, del);
1555 for (i = 0; i<tok->tt.arb.uc; i++)
1556 fprintf(fp, format, *(tok->tt.arb.data +
1557 (size * i)));
1558 }
1559 break;
1560
1561 case AUR_SHORT:
1562 str = "short";
1563 size = AUR_SHORT_SIZE;
1564 if (oflags & AU_OFLAG_XML) {
1565 open_attr(fp, "type");
1566 fprintf(fp, "%zu", size);
1567 close_attr(fp);
1568 open_attr(fp, "count");
1569 print_1_byte(fp, tok->tt.arb.uc, "%u");
1570 close_attr(fp);
1571 fprintf(fp, ">");
1572 for (i = 0; i < tok->tt.arb.uc; i++)
1573 fprintf(fp, format,
1574 *((u_int16_t *)(tok->tt.arb.data +
1575 (size * i))));
1576 close_tag(fp, tok->id);
1577 } else {
1578 print_string(fp, str, strlen(str));
1579 print_delim(fp, del);
1580 print_1_byte(fp, tok->tt.arb.uc, "%u");
1581 print_delim(fp, del);
1582 for (i = 0; i < tok->tt.arb.uc; i++)
1583 fprintf(fp, format,
1584 *((u_int16_t *)(tok->tt.arb.data +
1585 (size * i))));
1586 }
1587 break;
1588
1589 case AUR_INT32:
1590 /* case AUR_INT: */
1591 str = "int";
1592 size = AUR_INT32_SIZE;
1593 if (oflags & AU_OFLAG_XML) {
1594 open_attr(fp, "type");
1595 fprintf(fp, "%zu", size);
1596 close_attr(fp);
1597 open_attr(fp, "count");
1598 print_1_byte(fp, tok->tt.arb.uc, "%u");
1599 close_attr(fp);
1600 fprintf(fp, ">");
1601 for (i = 0; i < tok->tt.arb.uc; i++)
1602 fprintf(fp, format,
1603 *((u_int32_t *)(tok->tt.arb.data +
1604 (size * i))));
1605 close_tag(fp, tok->id);
1606 } else {
1607 print_string(fp, str, strlen(str));
1608 print_delim(fp, del);
1609 print_1_byte(fp, tok->tt.arb.uc, "%u");
1610 print_delim(fp, del);
1611 for (i = 0; i < tok->tt.arb.uc; i++)
1612 fprintf(fp, format,
1613 *((u_int32_t *)(tok->tt.arb.data +
1614 (size * i))));
1615 }
1616 break;
1617
1618 case AUR_INT64:
1619 str = "int64";
1620 size = AUR_INT64_SIZE;
1621 if (oflags & AU_OFLAG_XML) {
1622 open_attr(fp, "type");
1623 fprintf(fp, "%zu", size);
1624 close_attr(fp);
1625 open_attr(fp, "count");
1626 print_1_byte(fp, tok->tt.arb.uc, "%u");
1627 close_attr(fp);
1628 fprintf(fp, ">");
1629 for (i = 0; i < tok->tt.arb.uc; i++)
1630 fprintf(fp, format,
1631 *((u_int64_t *)(tok->tt.arb.data +
1632 (size * i))));
1633 close_tag(fp, tok->id);
1634 } else {
1635 print_string(fp, str, strlen(str));
1636 print_delim(fp, del);
1637 print_1_byte(fp, tok->tt.arb.uc, "%u");
1638 print_delim(fp, del);
1639 for (i = 0; i < tok->tt.arb.uc; i++)
1640 fprintf(fp, format,
1641 *((u_int64_t *)(tok->tt.arb.data +
1642 (size * i))));
1643 }
1644 break;
1645
1646 default:
1647 return;
1648 }
1649 }
1650
1651 /*
1652 * file access mode 4 bytes
1653 * owner user ID 4 bytes
1654 * owner group ID 4 bytes
1655 * file system ID 4 bytes
1656 * node ID 8 bytes
1657 * device 4 bytes/8 bytes (32-bit/64-bit)
1658 */
1659 static int
fetch_attr32_tok(tokenstr_t * tok,u_char * buf,int len)1660 fetch_attr32_tok(tokenstr_t *tok, u_char *buf, int len)
1661 {
1662 int err = 0;
1663
1664 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.mode, tok->len, err);
1665 if (err)
1666 return (-1);
1667
1668 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.uid, tok->len, err);
1669 if (err)
1670 return (-1);
1671
1672 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.gid, tok->len, err);
1673 if (err)
1674 return (-1);
1675
1676 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.fsid, tok->len, err);
1677 if (err)
1678 return (-1);
1679
1680 READ_TOKEN_U_INT64(buf, len, tok->tt.attr32.nid, tok->len, err);
1681 if (err)
1682 return (-1);
1683
1684 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.dev, tok->len, err);
1685 if (err)
1686 return (-1);
1687
1688 return (0);
1689 }
1690
1691 static void
print_attr32_tok(FILE * fp,tokenstr_t * tok,char * del,int oflags)1692 print_attr32_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
1693 {
1694
1695 print_tok_type(fp, tok->id, "attribute", oflags);
1696 if (oflags & AU_OFLAG_XML) {
1697 open_attr(fp, "mode");
1698 print_4_bytes(fp, tok->tt.attr32.mode, "%o");
1699 close_attr(fp);
1700 open_attr(fp, "uid");
1701 print_user(fp, tok->tt.attr32.uid, oflags);
1702 close_attr(fp);
1703 open_attr(fp, "gid");
1704 print_group(fp, tok->tt.attr32.gid, oflags);
1705 close_attr(fp);
1706 open_attr(fp, "fsid");
1707 print_4_bytes(fp, tok->tt.attr32.fsid, "%u");
1708 close_attr(fp);
1709 open_attr(fp, "nodeid");
1710 print_8_bytes(fp, tok->tt.attr32.nid, "%lld");
1711 close_attr(fp);
1712 open_attr(fp, "device");
1713 print_4_bytes(fp, tok->tt.attr32.dev, "%u");
1714 close_attr(fp);
1715 close_tag(fp, tok->id);
1716 } else {
1717 print_delim(fp, del);
1718 print_4_bytes(fp, tok->tt.attr32.mode, "%o");
1719 print_delim(fp, del);
1720 print_user(fp, tok->tt.attr32.uid, oflags);
1721 print_delim(fp, del);
1722 print_group(fp, tok->tt.attr32.gid, oflags);
1723 print_delim(fp, del);
1724 print_4_bytes(fp, tok->tt.attr32.fsid, "%u");
1725 print_delim(fp, del);
1726 print_8_bytes(fp, tok->tt.attr32.nid, "%lld");
1727 print_delim(fp, del);
1728 print_4_bytes(fp, tok->tt.attr32.dev, "%u");
1729 }
1730 }
1731
1732 /*
1733 * file access mode 4 bytes
1734 * owner user ID 4 bytes
1735 * owner group ID 4 bytes
1736 * file system ID 4 bytes
1737 * node ID 8 bytes
1738 * device 4 bytes/8 bytes (32-bit/64-bit)
1739 */
1740 static int
fetch_attr64_tok(tokenstr_t * tok,u_char * buf,int len)1741 fetch_attr64_tok(tokenstr_t *tok, u_char *buf, int len)
1742 {
1743 int err = 0;
1744
1745 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.mode, tok->len, err);
1746 if (err)
1747 return (-1);
1748
1749 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.uid, tok->len, err);
1750 if (err)
1751 return (-1);
1752
1753 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.gid, tok->len, err);
1754 if (err)
1755 return (-1);
1756
1757 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.fsid, tok->len, err);
1758 if (err)
1759 return (-1);
1760
1761 READ_TOKEN_U_INT64(buf, len, tok->tt.attr64.nid, tok->len, err);
1762 if (err)
1763 return (-1);
1764
1765 READ_TOKEN_U_INT64(buf, len, tok->tt.attr64.dev, tok->len, err);
1766 if (err)
1767 return (-1);
1768
1769 return (0);
1770 }
1771
1772 static void
print_attr64_tok(FILE * fp,tokenstr_t * tok,char * del,int oflags)1773 print_attr64_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
1774 {
1775
1776 print_tok_type(fp, tok->id, "attribute", oflags);
1777 if (oflags & AU_OFLAG_XML) {
1778 open_attr(fp, "mode");
1779 print_4_bytes(fp, tok->tt.attr64.mode, "%o");
1780 close_attr(fp);
1781 open_attr(fp, "uid");
1782 print_user(fp, tok->tt.attr64.uid, oflags);
1783 close_attr(fp);
1784 open_attr(fp, "gid");
1785 print_group(fp, tok->tt.attr64.gid, oflags);
1786 close_attr(fp);
1787 open_attr(fp, "fsid");
1788 print_4_bytes(fp, tok->tt.attr64.fsid, "%u");
1789 close_attr(fp);
1790 open_attr(fp, "nodeid");
1791 print_8_bytes(fp, tok->tt.attr64.nid, "%lld");
1792 close_attr(fp);
1793 open_attr(fp, "device");
1794 print_8_bytes(fp, tok->tt.attr64.dev, "%llu");
1795 close_attr(fp);
1796 close_tag(fp, tok->id);
1797 } else {
1798 print_delim(fp, del);
1799 print_4_bytes(fp, tok->tt.attr64.mode, "%o");
1800 print_delim(fp, del);
1801 print_user(fp, tok->tt.attr64.uid, oflags);
1802 print_delim(fp, del);
1803 print_group(fp, tok->tt.attr64.gid, oflags);
1804 print_delim(fp, del);
1805 print_4_bytes(fp, tok->tt.attr64.fsid, "%u");
1806 print_delim(fp, del);
1807 print_8_bytes(fp, tok->tt.attr64.nid, "%lld");
1808 print_delim(fp, del);
1809 print_8_bytes(fp, tok->tt.attr64.dev, "%llu");
1810 }
1811 }
1812
1813 /*
1814 * status 4 bytes
1815 * return value 4 bytes
1816 */
1817 static int
fetch_exit_tok(tokenstr_t * tok,u_char * buf,int len)1818 fetch_exit_tok(tokenstr_t *tok, u_char *buf, int len)
1819 {
1820 int err = 0;
1821
1822 READ_TOKEN_U_INT32(buf, len, tok->tt.exit.status, tok->len, err);
1823 if (err)
1824 return (-1);
1825
1826 READ_TOKEN_U_INT32(buf, len, tok->tt.exit.ret, tok->len, err);
1827 if (err)
1828 return (-1);
1829
1830 return (0);
1831 }
1832
1833 static void
print_exit_tok(FILE * fp,tokenstr_t * tok,char * del,int oflags)1834 print_exit_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
1835 {
1836
1837 print_tok_type(fp, tok->id, "exit", oflags);
1838 if (oflags & AU_OFLAG_XML) {
1839 open_attr(fp, "errval");
1840 print_errval(fp, tok->tt.exit.status);
1841 close_attr(fp);
1842 open_attr(fp, "retval");
1843 print_4_bytes(fp, tok->tt.exit.ret, "%u");
1844 close_attr(fp);
1845 close_tag(fp, tok->id);
1846 } else {
1847 print_delim(fp, del);
1848 print_errval(fp, tok->tt.exit.status);
1849 print_delim(fp, del);
1850 print_4_bytes(fp, tok->tt.exit.ret, "%u");
1851 }
1852 }
1853
1854 /*
1855 * count 4 bytes
1856 * text count null-terminated string(s)
1857 */
1858 static int
fetch_execarg_tok(tokenstr_t * tok,u_char * buf,int len)1859 fetch_execarg_tok(tokenstr_t *tok, u_char *buf, int len)
1860 {
1861 int err = 0;
1862 u_int32_t i;
1863 u_char *bptr;
1864
1865 READ_TOKEN_U_INT32(buf, len, tok->tt.execarg.count, tok->len, err);
1866 if (err)
1867 return (-1);
1868
1869 for (i = 0; i < tok->tt.execarg.count; i++) {
1870 bptr = buf + tok->len;
1871 if (i < AUDIT_MAX_ARGS)
1872 tok->tt.execarg.text[i] = (char*)bptr;
1873
1874 /* Look for a null terminated string. */
1875 while (bptr && (*bptr != '\0')) {
1876 if (++tok->len >= (u_int32_t)len)
1877 return (-1);
1878 bptr = buf + tok->len;
1879 }
1880 if (!bptr)
1881 return (-1);
1882 tok->len++; /* \0 character */
1883 }
1884 if (tok->tt.execarg.count > AUDIT_MAX_ARGS)
1885 tok->tt.execarg.count = AUDIT_MAX_ARGS;
1886
1887 return (0);
1888 }
1889
1890 static void
print_execarg_tok(FILE * fp,tokenstr_t * tok,char * del,int oflags)1891 print_execarg_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
1892 {
1893 u_int32_t i;
1894
1895 print_tok_type(fp, tok->id, "exec arg", oflags);
1896 for (i = 0; i < tok->tt.execarg.count; i++) {
1897 if (oflags & AU_OFLAG_XML) {
1898 fprintf(fp, "<arg>");
1899 print_xml_string(fp, tok->tt.execarg.text[i],
1900 strlen(tok->tt.execarg.text[i]));
1901 fprintf(fp, "</arg>");
1902 } else {
1903 print_delim(fp, del);
1904 print_string(fp, tok->tt.execarg.text[i],
1905 strlen(tok->tt.execarg.text[i]));
1906 }
1907 }
1908 if (oflags & AU_OFLAG_XML)
1909 close_tag(fp, tok->id);
1910 }
1911
1912 /*
1913 * count 4 bytes
1914 * text count null-terminated string(s)
1915 */
1916 static int
fetch_execenv_tok(tokenstr_t * tok,u_char * buf,int len)1917 fetch_execenv_tok(tokenstr_t *tok, u_char *buf, int len)
1918 {
1919 int err = 0;
1920 u_int32_t i;
1921 u_char *bptr;
1922
1923 READ_TOKEN_U_INT32(buf, len, tok->tt.execenv.count, tok->len, err);
1924 if (err)
1925 return (-1);
1926
1927 for (i = 0; i < tok->tt.execenv.count; i++) {
1928 bptr = buf + tok->len;
1929 if (i < AUDIT_MAX_ENV)
1930 tok->tt.execenv.text[i] = (char*)bptr;
1931
1932 /* Look for a null terminated string. */
1933 while (bptr && (*bptr != '\0')) {
1934 if (++tok->len >= (u_int32_t)len)
1935 return (-1);
1936 bptr = buf + tok->len;
1937 }
1938 if (!bptr)
1939 return (-1);
1940 tok->len++; /* \0 character */
1941 }
1942 if (tok->tt.execenv.count > AUDIT_MAX_ENV)
1943 tok->tt.execenv.count = AUDIT_MAX_ENV;
1944
1945 return (0);
1946 }
1947
1948 static void
print_execenv_tok(FILE * fp,tokenstr_t * tok,char * del,int oflags)1949 print_execenv_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
1950 {
1951 u_int32_t i;
1952
1953 print_tok_type(fp, tok->id, "exec env", oflags);
1954 for (i = 0; i< tok->tt.execenv.count; i++) {
1955 if (oflags & AU_OFLAG_XML) {
1956 fprintf(fp, "<env>");
1957 print_xml_string(fp, tok->tt.execenv.text[i],
1958 strlen(tok->tt.execenv.text[i]));
1959 fprintf(fp, "</env>");
1960 } else {
1961 print_delim(fp, del);
1962 print_string(fp, tok->tt.execenv.text[i],
1963 strlen(tok->tt.execenv.text[i]));
1964 }
1965 }
1966 if (oflags & AU_OFLAG_XML)
1967 close_tag(fp, tok->id);
1968 }
1969
1970 /*
1971 * seconds of time 4 bytes
1972 * milliseconds of time 4 bytes
1973 * file name len 2 bytes
1974 * file pathname N bytes + 1 terminating NULL byte
1975 */
1976 static int
fetch_file_tok(tokenstr_t * tok,u_char * buf,int len)1977 fetch_file_tok(tokenstr_t *tok, u_char *buf, int len)
1978 {
1979 int err = 0;
1980
1981 READ_TOKEN_U_INT32(buf, len, tok->tt.file.s, tok->len, err);
1982 if (err)
1983 return (-1);
1984
1985 READ_TOKEN_U_INT32(buf, len, tok->tt.file.ms, tok->len, err);
1986 if (err)
1987 return (-1);
1988
1989 READ_TOKEN_U_INT16(buf, len, tok->tt.file.len, tok->len, err);
1990 if (err)
1991 return (-1);
1992
1993 SET_PTR((char*)buf, len, tok->tt.file.name, tok->tt.file.len, tok->len,
1994 err);
1995 if (err)
1996 return (-1);
1997
1998 return (0);
1999 }
2000
2001 static void
print_file_tok(FILE * fp,tokenstr_t * tok,char * del,int oflags)2002 print_file_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
2003 {
2004
2005 print_tok_type(fp, tok->id, "file", oflags);
2006 if (oflags & AU_OFLAG_XML) {
2007 open_attr(fp, "time");
2008 print_sec32(fp, tok->tt.file.s, oflags);
2009 close_attr(fp);
2010 open_attr(fp, "msec");
2011 print_msec32(fp, tok->tt.file.ms, oflags);
2012 close_attr(fp);
2013 fprintf(fp, ">");
2014 print_string(fp, tok->tt.file.name, tok->tt.file.len);
2015 close_tag(fp, tok->id);
2016 } else {
2017 print_delim(fp, del);
2018 print_sec32(fp, tok->tt.file.s, oflags);
2019 print_delim(fp, del);
2020 print_msec32(fp, tok->tt.file.ms, oflags);
2021 print_delim(fp, del);
2022 print_string(fp, tok->tt.file.name, tok->tt.file.len);
2023 }
2024 }
2025
2026 /*
2027 * number groups 2 bytes
2028 * group list count * 4 bytes
2029 */
2030 static int
fetch_newgroups_tok(tokenstr_t * tok,u_char * buf,int len)2031 fetch_newgroups_tok(tokenstr_t *tok, u_char *buf, int len)
2032 {
2033 int i;
2034 int err = 0;
2035
2036 READ_TOKEN_U_INT16(buf, len, tok->tt.grps.no, tok->len, err);
2037 if (err)
2038 return (-1);
2039
2040 for (i = 0; i<tok->tt.grps.no; i++) {
2041 READ_TOKEN_U_INT32(buf, len, tok->tt.grps.list[i], tok->len,
2042 err);
2043 if (err)
2044 return (-1);
2045 }
2046
2047 return (0);
2048 }
2049
2050 static void
print_newgroups_tok(FILE * fp,tokenstr_t * tok,char * del,int oflags)2051 print_newgroups_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
2052 {
2053 int i;
2054
2055 print_tok_type(fp, tok->id, "group", oflags);
2056 for (i = 0; i < tok->tt.grps.no; i++) {
2057 if (oflags & AU_OFLAG_XML) {
2058 fprintf(fp, "<gid>");
2059 print_group(fp, tok->tt.grps.list[i], oflags);
2060 fprintf(fp, "</gid>");
2061 close_tag(fp, tok->id);
2062 } else {
2063 print_delim(fp, del);
2064 print_group(fp, tok->tt.grps.list[i], oflags);
2065 }
2066 }
2067 }
2068
2069 /*
2070 * Internet addr 4 bytes
2071 */
2072 static int
fetch_inaddr_tok(tokenstr_t * tok,u_char * buf,int len)2073 fetch_inaddr_tok(tokenstr_t *tok, u_char *buf, int len)
2074 {
2075 int err = 0;
2076
2077 READ_TOKEN_BYTES(buf, len, &tok->tt.inaddr.addr, sizeof(uint32_t),
2078 tok->len, err);
2079 if (err)
2080 return (-1);
2081
2082 return (0);
2083
2084 }
2085
2086 static void
print_inaddr_tok(FILE * fp,tokenstr_t * tok,char * del,int oflags)2087 print_inaddr_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
2088 {
2089
2090 print_tok_type(fp, tok->id, "ip addr", oflags);
2091 if (oflags & AU_OFLAG_XML) {
2092 print_ip_address(fp, tok->tt.inaddr.addr);
2093 close_tag(fp, tok->id);
2094 } else {
2095 print_delim(fp, del);
2096 print_ip_address(fp, tok->tt.inaddr.addr);
2097 }
2098 }
2099
2100 /*
2101 * type 4 bytes
2102 * address 16 bytes
2103 */
2104 static int
fetch_inaddr_ex_tok(tokenstr_t * tok,u_char * buf,int len)2105 fetch_inaddr_ex_tok(tokenstr_t *tok, u_char *buf, int len)
2106 {
2107 int err = 0;
2108
2109 READ_TOKEN_U_INT32(buf, len, tok->tt.inaddr_ex.type, tok->len, err);
2110 if (err)
2111 return (-1);
2112
2113 if (tok->tt.inaddr_ex.type == AU_IPv4) {
2114 READ_TOKEN_BYTES(buf, len, &tok->tt.inaddr_ex.addr[0],
2115 sizeof(tok->tt.inaddr_ex.addr[0]), tok->len, err);
2116 if (err)
2117 return (-1);
2118 } else if (tok->tt.inaddr_ex.type == AU_IPv6) {
2119 READ_TOKEN_BYTES(buf, len, tok->tt.inaddr_ex.addr,
2120 sizeof(tok->tt.inaddr_ex.addr), tok->len, err);
2121 if (err)
2122 return (-1);
2123 } else
2124 return (-1);
2125
2126 return (0);
2127 }
2128
2129 static void
print_inaddr_ex_tok(FILE * fp,tokenstr_t * tok,char * del,int oflags)2130 print_inaddr_ex_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
2131 {
2132
2133 print_tok_type(fp, tok->id, "ip addr ex", oflags);
2134 if (oflags & AU_OFLAG_XML) {
2135 print_ip_ex_address(fp, tok->tt.inaddr_ex.type,
2136 tok->tt.inaddr_ex.addr);
2137 close_tag(fp, tok->id);
2138 } else {
2139 print_delim(fp, del);
2140 print_ip_ex_address(fp, tok->tt.inaddr_ex.type,
2141 tok->tt.inaddr_ex.addr);
2142 }
2143 }
2144
2145 /*
2146 * ip header 20 bytes
2147 */
2148 static int
fetch_ip_tok(tokenstr_t * tok,u_char * buf,int len)2149 fetch_ip_tok(tokenstr_t *tok, u_char *buf, int len)
2150 {
2151 int err = 0;
2152
2153 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.version, tok->len, err);
2154 if (err)
2155 return (-1);
2156
2157 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.tos, tok->len, err);
2158 if (err)
2159 return (-1);
2160
2161 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.len, sizeof(uint16_t),
2162 tok->len, err);
2163 if (err)
2164 return (-1);
2165
2166 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.id, sizeof(uint16_t),
2167 tok->len, err);
2168 if (err)
2169 return (-1);
2170
2171 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.offset, sizeof(uint16_t),
2172 tok->len, err);
2173 if (err)
2174 return (-1);
2175
2176 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.ttl, tok->len, err);
2177 if (err)
2178 return (-1);
2179
2180 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.prot, tok->len, err);
2181 if (err)
2182 return (-1);
2183
2184 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.chksm, sizeof(uint16_t),
2185 tok->len, err);
2186 if (err)
2187 return (-1);
2188
2189 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.src, sizeof(tok->tt.ip.src),
2190 tok->len, err);
2191 if (err)
2192 return (-1);
2193
2194 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.dest, sizeof(tok->tt.ip.dest),
2195 tok->len, err);
2196 if (err)
2197 return (-1);
2198
2199 return (0);
2200 }
2201
2202 static void
print_ip_tok(FILE * fp,tokenstr_t * tok,char * del,int oflags)2203 print_ip_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
2204 {
2205
2206 print_tok_type(fp, tok->id, "ip", oflags);
2207 if (oflags & AU_OFLAG_XML) {
2208 open_attr(fp, "version");
2209 print_mem(fp, (u_char *)(&tok->tt.ip.version),
2210 sizeof(u_char));
2211 close_attr(fp);
2212 open_attr(fp, "service_type");
2213 print_mem(fp, (u_char *)(&tok->tt.ip.tos), sizeof(u_char));
2214 close_attr(fp);
2215 open_attr(fp, "len");
2216 print_2_bytes(fp, ntohs(tok->tt.ip.len), "%u");
2217 close_attr(fp);
2218 open_attr(fp, "id");
2219 print_2_bytes(fp, ntohs(tok->tt.ip.id), "%u");
2220 close_attr(fp);
2221 open_attr(fp, "offset");
2222 print_2_bytes(fp, ntohs(tok->tt.ip.offset), "%u");
2223 close_attr(fp);
2224 open_attr(fp, "time_to_live");
2225 print_mem(fp, (u_char *)(&tok->tt.ip.ttl), sizeof(u_char));
2226 close_attr(fp);
2227 open_attr(fp, "protocol");
2228 print_mem(fp, (u_char *)(&tok->tt.ip.prot), sizeof(u_char));
2229 close_attr(fp);
2230 open_attr(fp, "cksum");
2231 print_2_bytes(fp, ntohs(tok->tt.ip.chksm), "%u");
2232 close_attr(fp);
2233 open_attr(fp, "src_addr");
2234 print_ip_address(fp, tok->tt.ip.src);
2235 close_attr(fp);
2236 open_attr(fp, "dest_addr");
2237 print_ip_address(fp, tok->tt.ip.dest);
2238 close_attr(fp);
2239 close_tag(fp, tok->id);
2240 } else {
2241 print_delim(fp, del);
2242 print_mem(fp, (u_char *)(&tok->tt.ip.version),
2243 sizeof(u_char));
2244 print_delim(fp, del);
2245 print_mem(fp, (u_char *)(&tok->tt.ip.tos), sizeof(u_char));
2246 print_delim(fp, del);
2247 print_2_bytes(fp, ntohs(tok->tt.ip.len), "%u");
2248 print_delim(fp, del);
2249 print_2_bytes(fp, ntohs(tok->tt.ip.id), "%u");
2250 print_delim(fp, del);
2251 print_2_bytes(fp, ntohs(tok->tt.ip.offset), "%u");
2252 print_delim(fp, del);
2253 print_mem(fp, (u_char *)(&tok->tt.ip.ttl), sizeof(u_char));
2254 print_delim(fp, del);
2255 print_mem(fp, (u_char *)(&tok->tt.ip.prot), sizeof(u_char));
2256 print_delim(fp, del);
2257 print_2_bytes(fp, ntohs(tok->tt.ip.chksm), "%u");
2258 print_delim(fp, del);
2259 print_ip_address(fp, tok->tt.ip.src);
2260 print_delim(fp, del);
2261 print_ip_address(fp, tok->tt.ip.dest);
2262 }
2263 }
2264
2265 /*
2266 * object ID type 1 byte
2267 * Object ID 4 bytes
2268 */
2269 static int
fetch_ipc_tok(tokenstr_t * tok,u_char * buf,int len)2270 fetch_ipc_tok(tokenstr_t *tok, u_char *buf, int len)
2271 {
2272 int err = 0;
2273
2274 READ_TOKEN_U_CHAR(buf, len, tok->tt.ipc.type, tok->len, err);
2275 if (err)
2276 return (-1);
2277
2278 READ_TOKEN_U_INT32(buf, len, tok->tt.ipc.id, tok->len, err);
2279 if (err)
2280 return (-1);
2281
2282 return (0);
2283 }
2284
2285 static void
print_ipc_tok(FILE * fp,tokenstr_t * tok,char * del,int oflags)2286 print_ipc_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
2287 {
2288
2289 print_tok_type(fp, tok->id, "IPC", oflags);
2290 if (oflags & AU_OFLAG_XML) {
2291 open_attr(fp, "ipc-type");
2292 print_ipctype(fp, tok->tt.ipc.type, oflags);
2293 close_attr(fp);
2294 open_attr(fp, "ipc-id");
2295 print_4_bytes(fp, tok->tt.ipc.id, "%u");
2296 close_attr(fp);
2297 close_tag(fp, tok->id);
2298 } else {
2299 print_delim(fp, del);
2300 print_ipctype(fp, tok->tt.ipc.type, oflags);
2301 print_delim(fp, del);
2302 print_4_bytes(fp, tok->tt.ipc.id, "%u");
2303 }
2304 }
2305
2306 /*
2307 * owner user id 4 bytes
2308 * owner group id 4 bytes
2309 * creator user id 4 bytes
2310 * creator group id 4 bytes
2311 * access mode 4 bytes
2312 * slot seq 4 bytes
2313 * key 4 bytes
2314 */
2315 static int
fetch_ipcperm_tok(tokenstr_t * tok,u_char * buf,int len)2316 fetch_ipcperm_tok(tokenstr_t *tok, u_char *buf, int len)
2317 {
2318 int err = 0;
2319
2320 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.uid, tok->len, err);
2321 if (err)
2322 return (-1);
2323
2324 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.gid, tok->len, err);
2325 if (err)
2326 return (-1);
2327
2328 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.puid, tok->len, err);
2329 if (err)
2330 return (-1);
2331
2332 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.pgid, tok->len, err);
2333 if (err)
2334 return (-1);
2335
2336 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.mode, tok->len, err);
2337 if (err)
2338 return (-1);
2339
2340 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.seq, tok->len, err);
2341 if (err)
2342 return (-1);
2343
2344 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.key, tok->len, err);
2345 if (err)
2346 return (-1);
2347
2348 return (0);
2349 }
2350
2351 static void
print_ipcperm_tok(FILE * fp,tokenstr_t * tok,char * del,int oflags)2352 print_ipcperm_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
2353 {
2354
2355 print_tok_type(fp, tok->id, "IPC perm", oflags);
2356 if (oflags & AU_OFLAG_XML) {
2357 open_attr(fp, "uid");
2358 print_user(fp, tok->tt.ipcperm.uid, oflags);
2359 close_attr(fp);
2360 open_attr(fp, "gid");
2361 print_group(fp, tok->tt.ipcperm.gid, oflags);
2362 close_attr(fp);
2363 open_attr(fp, "creator-uid");
2364 print_user(fp, tok->tt.ipcperm.puid, oflags);
2365 close_attr(fp);
2366 open_attr(fp, "creator-gid");
2367 print_group(fp, tok->tt.ipcperm.pgid, oflags);
2368 close_attr(fp);
2369 open_attr(fp, "mode");
2370 print_4_bytes(fp, tok->tt.ipcperm.mode, "%o");
2371 close_attr(fp);
2372 open_attr(fp, "seq");
2373 print_4_bytes(fp, tok->tt.ipcperm.seq, "%u");
2374 close_attr(fp);
2375 open_attr(fp, "key");
2376 print_4_bytes(fp, tok->tt.ipcperm.key, "%u");
2377 close_attr(fp);
2378 close_tag(fp, tok->id);
2379 } else {
2380 print_delim(fp, del);
2381 print_user(fp, tok->tt.ipcperm.uid, oflags);
2382 print_delim(fp, del);
2383 print_group(fp, tok->tt.ipcperm.gid, oflags);
2384 print_delim(fp, del);
2385 print_user(fp, tok->tt.ipcperm.puid, oflags);
2386 print_delim(fp, del);
2387 print_group(fp, tok->tt.ipcperm.pgid, oflags);
2388 print_delim(fp, del);
2389 print_4_bytes(fp, tok->tt.ipcperm.mode, "%o");
2390 print_delim(fp, del);
2391 print_4_bytes(fp, tok->tt.ipcperm.seq, "%u");
2392 print_delim(fp, del);
2393 print_4_bytes(fp, tok->tt.ipcperm.key, "%u");
2394 }
2395 }
2396
2397 /*
2398 * port Ip address 2 bytes
2399 */
2400 static int
fetch_iport_tok(tokenstr_t * tok,u_char * buf,int len)2401 fetch_iport_tok(tokenstr_t *tok, u_char *buf, int len)
2402 {
2403 int err = 0;
2404
2405 READ_TOKEN_BYTES(buf, len, &tok->tt.iport.port, sizeof(uint16_t),
2406 tok->len, err);
2407 if (err)
2408 return (-1);
2409
2410 return (0);
2411 }
2412
2413 static void
print_iport_tok(FILE * fp,tokenstr_t * tok,char * del,int oflags)2414 print_iport_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
2415 {
2416
2417 print_tok_type(fp, tok->id, "ip port", oflags);
2418 if (oflags & AU_OFLAG_XML) {
2419 print_2_bytes(fp, ntohs(tok->tt.iport.port), "%#x");
2420 close_tag(fp, tok->id);
2421 } else {
2422 print_delim(fp, del);
2423 print_2_bytes(fp, ntohs(tok->tt.iport.port), "%#x");
2424 }
2425 }
2426
2427 /*
2428 * size 2 bytes
2429 * data size bytes
2430 */
2431 static int
fetch_opaque_tok(tokenstr_t * tok,u_char * buf,int len)2432 fetch_opaque_tok(tokenstr_t *tok, u_char *buf, int len)
2433 {
2434 int err = 0;
2435
2436 READ_TOKEN_U_INT16(buf, len, tok->tt.opaque.size, tok->len, err);
2437 if (err)
2438 return (-1);
2439
2440 SET_PTR((char*)buf, len, tok->tt.opaque.data, tok->tt.opaque.size,
2441 tok->len, err);
2442 if (err)
2443 return (-1);
2444
2445 return (0);
2446 }
2447
2448 static void
print_opaque_tok(FILE * fp,tokenstr_t * tok,char * del,int oflags)2449 print_opaque_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
2450 {
2451
2452 print_tok_type(fp, tok->id, "opaque", oflags);
2453 if (oflags & AU_OFLAG_XML) {
2454 print_mem(fp, (u_char*)tok->tt.opaque.data,
2455 tok->tt.opaque.size);
2456 close_tag(fp, tok->id);
2457 } else {
2458 print_delim(fp, del);
2459 print_2_bytes(fp, tok->tt.opaque.size, "%u");
2460 print_delim(fp, del);
2461 print_mem(fp, (u_char*)tok->tt.opaque.data,
2462 tok->tt.opaque.size);
2463 }
2464 }
2465
2466 /*
2467 * size 2 bytes
2468 * data size bytes
2469 */
2470 static int
fetch_path_tok(tokenstr_t * tok,u_char * buf,int len)2471 fetch_path_tok(tokenstr_t *tok, u_char *buf, int len)
2472 {
2473 int err = 0;
2474
2475 READ_TOKEN_U_INT16(buf, len, tok->tt.path.len, tok->len, err);
2476 if (err)
2477 return (-1);
2478
2479 SET_PTR((char*)buf, len, tok->tt.path.path, tok->tt.path.len, tok->len,
2480 err);
2481 if (err)
2482 return (-1);
2483
2484 return (0);
2485 }
2486
2487 static void
print_path_tok(FILE * fp,tokenstr_t * tok,char * del,int oflags)2488 print_path_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
2489 {
2490
2491 print_tok_type(fp, tok->id, "path", oflags);
2492 if (oflags & AU_OFLAG_XML) {
2493 print_string(fp, tok->tt.path.path, tok->tt.path.len);
2494 close_tag(fp, tok->id);
2495 } else {
2496 print_delim(fp, del);
2497 print_string(fp, tok->tt.path.path, tok->tt.path.len);
2498 }
2499 }
2500
2501 /*
2502 * token ID 1 byte
2503 * audit ID 4 bytes
2504 * euid 4 bytes
2505 * egid 4 bytes
2506 * ruid 4 bytes
2507 * rgid 4 bytes
2508 * pid 4 bytes
2509 * sessid 4 bytes
2510 * terminal ID
2511 * portid 4 bytes
2512 * machine id 4 bytes
2513 */
2514 static int
fetch_process32_tok(tokenstr_t * tok,u_char * buf,int len)2515 fetch_process32_tok(tokenstr_t *tok, u_char *buf, int len)
2516 {
2517 int err = 0;
2518
2519 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.auid, tok->len, err);
2520 if (err)
2521 return (-1);
2522
2523 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.euid, tok->len, err);
2524 if (err)
2525 return (-1);
2526
2527 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.egid, tok->len, err);
2528 if (err)
2529 return (-1);
2530
2531 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.ruid, tok->len, err);
2532 if (err)
2533 return (-1);
2534
2535 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.rgid, tok->len, err);
2536 if (err)
2537 return (-1);
2538
2539 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.pid, tok->len, err);
2540 if (err)
2541 return (-1);
2542
2543 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.sid, tok->len, err);
2544 if (err)
2545 return (-1);
2546
2547 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.tid.port, tok->len, err);
2548 if (err)
2549 return (-1);
2550
2551 READ_TOKEN_BYTES(buf, len, &tok->tt.proc32.tid.addr,
2552 sizeof(tok->tt.proc32.tid.addr), tok->len, err);
2553 if (err)
2554 return (-1);
2555
2556 return (0);
2557 }
2558
2559 static void
print_process32_tok(FILE * fp,tokenstr_t * tok,char * del,int oflags)2560 print_process32_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
2561 {
2562
2563 print_tok_type(fp, tok->id, "process", oflags);
2564 if (oflags & AU_OFLAG_XML) {
2565 open_attr(fp, "audit-uid");
2566 print_user(fp, tok->tt.proc32.auid, oflags);
2567 close_attr(fp);
2568 open_attr(fp, "uid");
2569 print_user(fp, tok->tt.proc32.euid, oflags);
2570 close_attr(fp);
2571 open_attr(fp, "gid");
2572 print_group(fp, tok->tt.proc32.egid, oflags);
2573 close_attr(fp);
2574 open_attr(fp, "ruid");
2575 print_user(fp, tok->tt.proc32.ruid, oflags);
2576 close_attr(fp);
2577 open_attr(fp, "rgid");
2578 print_group(fp, tok->tt.proc32.rgid, oflags);
2579 close_attr(fp);
2580 open_attr(fp, "pid");
2581 print_4_bytes(fp, tok->tt.proc32.pid, "%u");
2582 close_attr(fp);
2583 open_attr(fp, "sid");
2584 print_4_bytes(fp, tok->tt.proc32.sid, "%u");
2585 close_attr(fp);
2586 open_attr(fp, "tid");
2587 print_4_bytes(fp, tok->tt.proc32.tid.port, "%u");
2588 print_ip_address(fp, tok->tt.proc32.tid.addr);
2589 close_attr(fp);
2590 close_tag(fp, tok->id);
2591 } else {
2592 print_delim(fp, del);
2593 print_user(fp, tok->tt.proc32.auid, oflags);
2594 print_delim(fp, del);
2595 print_user(fp, tok->tt.proc32.euid, oflags);
2596 print_delim(fp, del);
2597 print_group(fp, tok->tt.proc32.egid, oflags);
2598 print_delim(fp, del);
2599 print_user(fp, tok->tt.proc32.ruid, oflags);
2600 print_delim(fp, del);
2601 print_group(fp, tok->tt.proc32.rgid, oflags);
2602 print_delim(fp, del);
2603 print_4_bytes(fp, tok->tt.proc32.pid, "%u");
2604 print_delim(fp, del);
2605 print_4_bytes(fp, tok->tt.proc32.sid, "%u");
2606 print_delim(fp, del);
2607 print_4_bytes(fp, tok->tt.proc32.tid.port, "%u");
2608 print_delim(fp, del);
2609 print_ip_address(fp, tok->tt.proc32.tid.addr);
2610 }
2611 }
2612
2613 /*
2614 * token ID 1 byte
2615 * audit ID 4 bytes
2616 * euid 4 bytes
2617 * egid 4 bytes
2618 * ruid 4 bytes
2619 * rgid 4 bytes
2620 * pid 4 bytes
2621 * sessid 4 bytes
2622 * terminal ID
2623 * portid 8 bytes
2624 * machine id 4 bytes
2625 */
2626 static int
fetch_process64_tok(tokenstr_t * tok,u_char * buf,int len)2627 fetch_process64_tok(tokenstr_t *tok, u_char *buf, int len)
2628 {
2629 int err = 0;
2630
2631 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.auid, tok->len, err);
2632 if (err)
2633 return (-1);
2634
2635 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.euid, tok->len, err);
2636 if (err)
2637 return (-1);
2638
2639 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.egid, tok->len, err);
2640 if (err)
2641 return (-1);
2642
2643 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.ruid, tok->len, err);
2644 if (err)
2645 return (-1);
2646
2647 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.rgid, tok->len, err);
2648 if (err)
2649 return (-1);
2650
2651 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.pid, tok->len, err);
2652 if (err)
2653 return (-1);
2654
2655 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.sid, tok->len, err);
2656 if (err)
2657 return (-1);
2658
2659 READ_TOKEN_U_INT64(buf, len, tok->tt.proc64.tid.port, tok->len, err);
2660 if (err)
2661 return (-1);
2662
2663 READ_TOKEN_BYTES(buf, len, &tok->tt.proc64.tid.addr,
2664 sizeof(tok->tt.proc64.tid.addr), tok->len, err);
2665 if (err)
2666 return (-1);
2667
2668 return (0);
2669 }
2670
2671 static void
print_process64_tok(FILE * fp,tokenstr_t * tok,char * del,int oflags)2672 print_process64_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
2673 {
2674 print_tok_type(fp, tok->id, "process", oflags);
2675 if (oflags & AU_OFLAG_XML) {
2676 open_attr(fp, "audit-uid");
2677 print_user(fp, tok->tt.proc64.auid, oflags);
2678 close_attr(fp);
2679 open_attr(fp, "uid");
2680 print_user(fp, tok->tt.proc64.euid, oflags);
2681 close_attr(fp);
2682 open_attr(fp, "gid");
2683 print_group(fp, tok->tt.proc64.egid, oflags);
2684 close_attr(fp);
2685 open_attr(fp, "ruid");
2686 print_user(fp, tok->tt.proc64.ruid, oflags);
2687 close_attr(fp);
2688 open_attr(fp, "rgid");
2689 print_group(fp, tok->tt.proc64.rgid, oflags);
2690 close_attr(fp);
2691 open_attr(fp, "pid");
2692 print_4_bytes(fp, tok->tt.proc64.pid, "%u");
2693 close_attr(fp);
2694 open_attr(fp, "sid");
2695 print_4_bytes(fp, tok->tt.proc64.sid, "%u");
2696 close_attr(fp);
2697 open_attr(fp, "tid");
2698 print_8_bytes(fp, tok->tt.proc64.tid.port, "%llu");
2699 print_ip_address(fp, tok->tt.proc64.tid.addr);
2700 close_attr(fp);
2701 close_tag(fp, tok->id);
2702 } else {
2703 print_delim(fp, del);
2704 print_user(fp, tok->tt.proc64.auid, oflags);
2705 print_delim(fp, del);
2706 print_user(fp, tok->tt.proc64.euid, oflags);
2707 print_delim(fp, del);
2708 print_group(fp, tok->tt.proc64.egid, oflags);
2709 print_delim(fp, del);
2710 print_user(fp, tok->tt.proc64.ruid, oflags);
2711 print_delim(fp, del);
2712 print_group(fp, tok->tt.proc64.rgid, oflags);
2713 print_delim(fp, del);
2714 print_4_bytes(fp, tok->tt.proc64.pid, "%u");
2715 print_delim(fp, del);
2716 print_4_bytes(fp, tok->tt.proc64.sid, "%u");
2717 print_delim(fp, del);
2718 print_8_bytes(fp, tok->tt.proc64.tid.port, "%llu");
2719 print_delim(fp, del);
2720 print_ip_address(fp, tok->tt.proc64.tid.addr);
2721 }
2722 }
2723
2724 /*
2725 * token ID 1 byte
2726 * audit ID 4 bytes
2727 * effective user ID 4 bytes
2728 * effective group ID 4 bytes
2729 * real user ID 4 bytes
2730 * real group ID 4 bytes
2731 * process ID 4 bytes
2732 * session ID 4 bytes
2733 * terminal ID
2734 * port ID 4 bytes
2735 * address type-len 4 bytes
2736 * machine address 16 bytes
2737 */
2738 static int
fetch_process32ex_tok(tokenstr_t * tok,u_char * buf,int len)2739 fetch_process32ex_tok(tokenstr_t *tok, u_char *buf, int len)
2740 {
2741 int err = 0;
2742
2743 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.auid, tok->len, err);
2744 if (err)
2745 return (-1);
2746
2747 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.euid, tok->len, err);
2748 if (err)
2749 return (-1);
2750
2751 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.egid, tok->len, err);
2752 if (err)
2753 return (-1);
2754
2755 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.ruid, tok->len, err);
2756 if (err)
2757 return (-1);
2758
2759 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.rgid, tok->len, err);
2760 if (err)
2761 return (-1);
2762
2763 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.pid, tok->len, err);
2764 if (err)
2765 return (-1);
2766
2767 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.sid, tok->len, err);
2768 if (err)
2769 return (-1);
2770
2771 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.tid.port, tok->len,
2772 err);
2773 if (err)
2774 return (-1);
2775
2776 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.tid.type, tok->len,
2777 err);
2778 if (err)
2779 return (-1);
2780
2781 if (tok->tt.proc32_ex.tid.type == AU_IPv4) {
2782 READ_TOKEN_BYTES(buf, len, &tok->tt.proc32_ex.tid.addr[0],
2783 sizeof(tok->tt.proc32_ex.tid.addr[0]), tok->len, err);
2784 if (err)
2785 return (-1);
2786 } else if (tok->tt.proc32_ex.tid.type == AU_IPv6) {
2787 READ_TOKEN_BYTES(buf, len, tok->tt.proc32_ex.tid.addr,
2788 sizeof(tok->tt.proc32_ex.tid.addr), tok->len, err);
2789 if (err)
2790 return (-1);
2791 } else
2792 return (-1);
2793
2794 return (0);
2795 }
2796
2797 static void
print_process32ex_tok(FILE * fp,tokenstr_t * tok,char * del,int oflags)2798 print_process32ex_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
2799 {
2800
2801 print_tok_type(fp, tok->id, "process_ex", oflags);
2802 if (oflags & AU_OFLAG_XML) {
2803 open_attr(fp, "audit-uid");
2804 print_user(fp, tok->tt.proc32_ex.auid, oflags);
2805 close_attr(fp);
2806 open_attr(fp, "uid");
2807 print_user(fp, tok->tt.proc32_ex.euid, oflags);
2808 close_attr(fp);
2809 open_attr(fp, "gid");
2810 print_group(fp, tok->tt.proc32_ex.egid, oflags);
2811 close_attr(fp);
2812 open_attr(fp, "ruid");
2813 print_user(fp, tok->tt.proc32_ex.ruid, oflags);
2814 close_attr(fp);
2815 open_attr(fp, "rgid");
2816 print_group(fp, tok->tt.proc32_ex.rgid, oflags);
2817 close_attr(fp);
2818 open_attr(fp, "pid");
2819 print_4_bytes(fp, tok->tt.proc32_ex.pid, "%u");
2820 close_attr(fp);
2821 open_attr(fp, "sid");
2822 print_4_bytes(fp, tok->tt.proc32_ex.sid, "%u");
2823 close_attr(fp);
2824 open_attr(fp, "tid");
2825 print_4_bytes(fp, tok->tt.proc32_ex.tid.port, "%u");
2826 print_ip_ex_address(fp, tok->tt.proc32_ex.tid.type,
2827 tok->tt.proc32_ex.tid.addr);
2828 close_attr(fp);
2829 close_tag(fp, tok->id);
2830 } else {
2831 print_delim(fp, del);
2832 print_user(fp, tok->tt.proc32_ex.auid, oflags);
2833 print_delim(fp, del);
2834 print_user(fp, tok->tt.proc32_ex.euid, oflags);
2835 print_delim(fp, del);
2836 print_group(fp, tok->tt.proc32_ex.egid, oflags);
2837 print_delim(fp, del);
2838 print_user(fp, tok->tt.proc32_ex.ruid, oflags);
2839 print_delim(fp, del);
2840 print_group(fp, tok->tt.proc32_ex.rgid, oflags);
2841 print_delim(fp, del);
2842 print_4_bytes(fp, tok->tt.proc32_ex.pid, "%u");
2843 print_delim(fp, del);
2844 print_4_bytes(fp, tok->tt.proc32_ex.sid, "%u");
2845 print_delim(fp, del);
2846 print_4_bytes(fp, tok->tt.proc32_ex.tid.port, "%u");
2847 print_delim(fp, del);
2848 print_ip_ex_address(fp, tok->tt.proc32_ex.tid.type,
2849 tok->tt.proc32_ex.tid.addr);
2850 }
2851 }
2852
2853 /*
2854 * token ID 1 byte
2855 * audit ID 4 bytes
2856 * effective user ID 4 bytes
2857 * effective group ID 4 bytes
2858 * real user ID 4 bytes
2859 * real group ID 4 bytes
2860 * process ID 4 bytes
2861 * session ID 4 bytes
2862 * terminal ID
2863 * port ID 8 bytes
2864 * address type-len 4 bytes
2865 * machine address 16 bytes
2866 */
2867 static int
fetch_process64ex_tok(tokenstr_t * tok,u_char * buf,int len)2868 fetch_process64ex_tok(tokenstr_t *tok, u_char *buf, int len)
2869 {
2870 int err = 0;
2871
2872 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.auid, tok->len, err);
2873 if (err)
2874 return (-1);
2875
2876 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.euid, tok->len, err);
2877 if (err)
2878 return (-1);
2879
2880 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.egid, tok->len, err);
2881 if (err)
2882 return (-1);
2883
2884 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.ruid, tok->len, err);
2885 if (err)
2886 return (-1);
2887
2888 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.rgid, tok->len, err);
2889 if (err)
2890 return (-1);
2891
2892 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.pid, tok->len, err);
2893 if (err)
2894 return (-1);
2895
2896 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.sid, tok->len, err);
2897 if (err)
2898 return (-1);
2899
2900 READ_TOKEN_U_INT64(buf, len, tok->tt.proc64_ex.tid.port, tok->len,
2901 err);
2902 if (err)
2903 return (-1);
2904
2905 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.tid.type, tok->len,
2906 err);
2907 if (err)
2908 return (-1);
2909
2910 if (tok->tt.proc64_ex.tid.type == AU_IPv4) {
2911 READ_TOKEN_BYTES(buf, len, &tok->tt.proc64_ex.tid.addr[0],
2912 sizeof(tok->tt.proc64_ex.tid.addr[0]), tok->len, err);
2913 if (err)
2914 return (-1);
2915 } else if (tok->tt.proc64_ex.tid.type == AU_IPv6) {
2916 READ_TOKEN_BYTES(buf, len, tok->tt.proc64_ex.tid.addr,
2917 sizeof(tok->tt.proc64_ex.tid.addr), tok->len, err);
2918 if (err)
2919 return (-1);
2920 } else
2921 return (-1);
2922
2923 return (0);
2924 }
2925
2926 static void
print_process64ex_tok(FILE * fp,tokenstr_t * tok,char * del,int oflags)2927 print_process64ex_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
2928 {
2929 print_tok_type(fp, tok->id, "process_ex", oflags);
2930 if (oflags & AU_OFLAG_XML) {
2931 open_attr(fp, "audit-uid");
2932 print_user(fp, tok->tt.proc64_ex.auid, oflags);
2933 close_attr(fp);
2934 open_attr(fp, "uid");
2935 print_user(fp, tok->tt.proc64_ex.euid, oflags);
2936 close_attr(fp);
2937 open_attr(fp, "gid");
2938 print_group(fp, tok->tt.proc64_ex.egid, oflags);
2939 close_attr(fp);
2940 open_attr(fp, "ruid");
2941 print_user(fp, tok->tt.proc64_ex.ruid, oflags);
2942 close_attr(fp);
2943 open_attr(fp, "rgid");
2944 print_group(fp, tok->tt.proc64_ex.rgid, oflags);
2945 close_attr(fp);
2946 open_attr(fp, "pid");
2947 print_4_bytes(fp, tok->tt.proc64_ex.pid, "%u");
2948 close_attr(fp);
2949 open_attr(fp, "sid");
2950 print_4_bytes(fp, tok->tt.proc64_ex.sid, "%u");
2951 close_attr(fp);
2952 open_attr(fp, "tid");
2953 print_8_bytes(fp, tok->tt.proc64_ex.tid.port, "%llu");
2954 print_ip_ex_address(fp, tok->tt.proc64_ex.tid.type,
2955 tok->tt.proc64_ex.tid.addr);
2956 close_attr(fp);
2957 close_tag(fp, tok->id);
2958 } else {
2959 print_delim(fp, del);
2960 print_user(fp, tok->tt.proc64_ex.auid, oflags);
2961 print_delim(fp, del);
2962 print_user(fp, tok->tt.proc64_ex.euid, oflags);
2963 print_delim(fp, del);
2964 print_group(fp, tok->tt.proc64_ex.egid, oflags);
2965 print_delim(fp, del);
2966 print_user(fp, tok->tt.proc64_ex.ruid, oflags);
2967 print_delim(fp, del);
2968 print_group(fp, tok->tt.proc64_ex.rgid, oflags);
2969 print_delim(fp, del);
2970 print_4_bytes(fp, tok->tt.proc64_ex.pid, "%u");
2971 print_delim(fp, del);
2972 print_4_bytes(fp, tok->tt.proc64_ex.sid, "%u");
2973 print_delim(fp, del);
2974 print_8_bytes(fp, tok->tt.proc64_ex.tid.port, "%llu");
2975 print_delim(fp, del);
2976 print_ip_ex_address(fp, tok->tt.proc64_ex.tid.type,
2977 tok->tt.proc64_ex.tid.addr);
2978 }
2979 }
2980
2981 /*
2982 * errno 1 byte
2983 * return value 4 bytes
2984 */
2985 static int
fetch_return32_tok(tokenstr_t * tok,u_char * buf,int len)2986 fetch_return32_tok(tokenstr_t *tok, u_char *buf, int len)
2987 {
2988 int err = 0;
2989
2990 READ_TOKEN_U_CHAR(buf, len, tok->tt.ret32.status, tok->len, err);
2991 if (err)
2992 return (-1);
2993
2994 READ_TOKEN_U_INT32(buf, len, tok->tt.ret32.ret, tok->len, err);
2995 if (err)
2996 return (-1);
2997
2998 return (0);
2999 }
3000
3001 static void
print_return32_tok(FILE * fp,tokenstr_t * tok,char * del,int oflags)3002 print_return32_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
3003 {
3004
3005 print_tok_type(fp, tok->id, "return", oflags);
3006 if (oflags & AU_OFLAG_XML) {
3007 open_attr(fp ,"errval");
3008 print_retval(fp, tok->tt.ret32.status, oflags);
3009 close_attr(fp);
3010 open_attr(fp, "retval");
3011 print_4_bytes(fp, tok->tt.ret32.ret, "%u");
3012 close_attr(fp);
3013 close_tag(fp, tok->id);
3014 } else {
3015 print_delim(fp, del);
3016 print_retval(fp, tok->tt.ret32.status, oflags);
3017 print_delim(fp, del);
3018 print_4_bytes(fp, tok->tt.ret32.ret, "%u");
3019 }
3020 }
3021
3022 static int
fetch_return64_tok(tokenstr_t * tok,u_char * buf,int len)3023 fetch_return64_tok(tokenstr_t *tok, u_char *buf, int len)
3024 {
3025 int err = 0;
3026
3027 READ_TOKEN_U_CHAR(buf, len, tok->tt.ret64.err, tok->len, err);
3028 if (err)
3029 return (-1);
3030
3031 READ_TOKEN_U_INT64(buf, len, tok->tt.ret64.val, tok->len, err);
3032 if (err)
3033 return (-1);
3034
3035 return (0);
3036 }
3037
3038 static void
print_return64_tok(FILE * fp,tokenstr_t * tok,char * del,int oflags)3039 print_return64_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
3040 {
3041
3042 print_tok_type(fp, tok->id, "return", oflags);
3043 if (oflags & AU_OFLAG_XML) {
3044 open_attr(fp, "errval");
3045 print_retval(fp, tok->tt.ret64.err, oflags);
3046 close_attr(fp);
3047 open_attr(fp, "retval");
3048 print_8_bytes(fp, tok->tt.ret64.val, "%lld");
3049 close_attr(fp);
3050 close_tag(fp, tok->id);
3051 } else {
3052 print_delim(fp, del);
3053 print_retval(fp, tok->tt.ret64.err, oflags);
3054 print_delim(fp, del);
3055 print_8_bytes(fp, tok->tt.ret64.val, "%lld");
3056 }
3057 }
3058
3059 /*
3060 * seq 4 bytes
3061 */
3062 static int
fetch_seq_tok(tokenstr_t * tok,u_char * buf,int len)3063 fetch_seq_tok(tokenstr_t *tok, u_char *buf, int len)
3064 {
3065 int err = 0;
3066
3067 READ_TOKEN_U_INT32(buf, len, tok->tt.seq.seqno, tok->len, err);
3068 if (err)
3069 return (-1);
3070
3071 return (0);
3072 }
3073
3074 static void
print_seq_tok(FILE * fp,tokenstr_t * tok,char * del,int oflags)3075 print_seq_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
3076 {
3077
3078 print_tok_type(fp, tok->id, "sequence", oflags);
3079 if (oflags & AU_OFLAG_XML) {
3080 open_attr(fp, "seq-num");
3081 print_4_bytes(fp, tok->tt.seq.seqno, "%u");
3082 close_attr(fp);
3083 close_tag(fp, tok->id);
3084 } else {
3085 print_delim(fp, del);
3086 print_4_bytes(fp, tok->tt.seq.seqno, "%u");
3087 }
3088 }
3089
3090 /*
3091 * socket family 2 bytes
3092 * local port 2 bytes
3093 * socket address 4 bytes
3094 */
3095 static int
fetch_sock_inet32_tok(tokenstr_t * tok,u_char * buf,int len)3096 fetch_sock_inet32_tok(tokenstr_t *tok, u_char *buf, int len)
3097 {
3098 int err = 0;
3099
3100 READ_TOKEN_U_INT16(buf, len, tok->tt.sockinet_ex32.family, tok->len,
3101 err);
3102 if (err)
3103 return (-1);
3104
3105 READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet_ex32.port,
3106 sizeof(uint16_t), tok->len, err);
3107 if (err)
3108 return (-1);
3109
3110 READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet_ex32.addr,
3111 sizeof(tok->tt.sockinet_ex32.addr[0]), tok->len, err);
3112 if (err)
3113 return (-1);
3114
3115 return (0);
3116 }
3117
3118 static void
print_sock_inet32_tok(FILE * fp,tokenstr_t * tok,char * del,int oflags)3119 print_sock_inet32_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
3120 {
3121
3122 print_tok_type(fp, tok->id, "socket-inet", oflags);
3123 if (oflags & AU_OFLAG_XML) {
3124 open_attr(fp, "type");
3125 print_2_bytes(fp, tok->tt.sockinet_ex32.family, "%u");
3126 close_attr(fp);
3127 open_attr(fp, "port");
3128 print_2_bytes(fp, ntohs(tok->tt.sockinet_ex32.port), "%u");
3129 close_attr(fp);
3130 open_attr(fp, "addr");
3131 print_ip_address(fp, tok->tt.sockinet_ex32.addr[0]);
3132 close_attr(fp);
3133 close_tag(fp, tok->id);
3134 } else {
3135 print_delim(fp, del);
3136 print_2_bytes(fp, tok->tt.sockinet_ex32.family, "%u");
3137 print_delim(fp, del);
3138 print_2_bytes(fp, ntohs(tok->tt.sockinet_ex32.port), "%u");
3139 print_delim(fp, del);
3140 print_ip_address(fp, tok->tt.sockinet_ex32.addr[0]);
3141 }
3142 }
3143
3144 /*
3145 * socket family 2 bytes
3146 * local port 2 bytes
3147 * socket address 16 bytes
3148 */
3149 static int
fetch_sock_inet128_tok(tokenstr_t * tok,u_char * buf,int len)3150 fetch_sock_inet128_tok(tokenstr_t *tok, u_char *buf, int len)
3151 {
3152 int err = 0;
3153
3154 READ_TOKEN_U_INT16(buf, len, tok->tt.sockinet_ex32.family, tok->len,
3155 err);
3156 if (err)
3157 return (-1);
3158
3159 READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet_ex32.port,
3160 sizeof(uint16_t), tok->len, err);
3161 if (err)
3162 return (-1);
3163
3164 READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet_ex32.addr,
3165 sizeof(tok->tt.sockinet_ex32.addr), tok->len, err);
3166 if (err)
3167 return (-1);
3168
3169 return (0);
3170 }
3171
3172 static void
print_sock_inet128_tok(FILE * fp,tokenstr_t * tok,char * del,int oflags)3173 print_sock_inet128_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
3174 {
3175
3176 print_tok_type(fp, tok->id, "socket-inet6", oflags);
3177 if (oflags & AU_OFLAG_XML) {
3178 open_attr(fp, "type");
3179 print_2_bytes(fp, tok->tt.sockinet_ex32.family, "%u");
3180 close_attr(fp);
3181 open_attr(fp, "port");
3182 print_2_bytes(fp, ntohs(tok->tt.sockinet_ex32.port), "%u");
3183 close_attr(fp);
3184 open_attr(fp, "addr");
3185 print_ip_ex_address(fp, AU_IPv6, tok->tt.sockinet_ex32.addr);
3186 close_attr(fp);
3187 close_tag(fp, tok->id);
3188 } else {
3189 print_delim(fp, del);
3190 print_2_bytes(fp, tok->tt.sockinet_ex32.family, "%u");
3191 print_delim(fp, del);
3192 print_2_bytes(fp, ntohs(tok->tt.sockinet_ex32.port), "%u");
3193 print_delim(fp, del);
3194 print_ip_ex_address(fp, AU_IPv6, tok->tt.sockinet_ex32.addr);
3195 }
3196 }
3197
3198 /*
3199 * socket family 2 bytes
3200 * path (up to) 104 bytes + NULL (NULL terminated string).
3201 */
3202 static int
fetch_sock_unix_tok(tokenstr_t * tok,u_char * buf,int len)3203 fetch_sock_unix_tok(tokenstr_t *tok, u_char *buf, int len)
3204 {
3205 int err = 0;
3206 u_char *p;
3207 int slen;
3208
3209
3210 READ_TOKEN_U_INT16(buf, len, tok->tt.sockunix.family, tok->len, err);
3211 if (err)
3212 return (-1);
3213
3214 /* slen = strnlen((buf + tok->len), 104) + 1; */
3215 p = (u_char *)memchr((const void *)(buf + tok->len), '\0', 104);
3216 slen = (p ? (int)(p - (buf + tok->len)) : 104) + 1;
3217
3218 READ_TOKEN_BYTES(buf, len, tok->tt.sockunix.path, slen, tok->len, err);
3219 if (err)
3220 return (-1);
3221
3222 return (0);
3223 }
3224
3225 static void
print_sock_unix_tok(FILE * fp,tokenstr_t * tok,char * del,int oflags)3226 print_sock_unix_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
3227 {
3228
3229 print_tok_type(fp, tok->id, "socket-unix", oflags);
3230 if (oflags & AU_OFLAG_XML) {
3231 open_attr(fp, "type");
3232 print_2_bytes(fp, tok->tt.sockunix.family, "%u");
3233 close_attr(fp);
3234 open_attr(fp, "port");
3235 close_attr(fp);
3236 open_attr(fp, "addr");
3237 print_string(fp, tok->tt.sockunix.path,
3238 strlen(tok->tt.sockunix.path));
3239 close_attr(fp);
3240 close_tag(fp, tok->id);
3241 } else {
3242 print_delim(fp, del);
3243 print_2_bytes(fp, tok->tt.sockunix.family, "%u");
3244 print_delim(fp, del);
3245 print_string(fp, tok->tt.sockunix.path,
3246 strlen(tok->tt.sockunix.path));
3247 }
3248 }
3249
3250 /*
3251 * socket type 2 bytes
3252 * local port 2 bytes
3253 * local address 4 bytes
3254 * remote port 2 bytes
3255 * remote address 4 bytes
3256 */
3257 static int
fetch_socket_tok(tokenstr_t * tok,u_char * buf,int len)3258 fetch_socket_tok(tokenstr_t *tok, u_char *buf, int len)
3259 {
3260 int err = 0;
3261
3262 READ_TOKEN_U_INT16(buf, len, tok->tt.socket.type, tok->len, err);
3263 if (err)
3264 return (-1);
3265
3266 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_port, sizeof(uint16_t),
3267 tok->len, err);
3268 if (err)
3269 return (-1);
3270
3271 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_addr,
3272 sizeof(tok->tt.socket.l_addr), tok->len, err);
3273 if (err)
3274 return (-1);
3275
3276 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.r_port, sizeof(uint16_t),
3277 tok->len, err);
3278 if (err)
3279 return (-1);
3280
3281 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_addr,
3282 sizeof(tok->tt.socket.r_addr), tok->len, err);
3283 if (err)
3284 return (-1);
3285
3286 return (0);
3287 }
3288
3289 static void
print_socket_tok(FILE * fp,tokenstr_t * tok,char * del,int oflags)3290 print_socket_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
3291 {
3292
3293 print_tok_type(fp, tok->id, "socket", oflags);
3294 if (oflags & AU_OFLAG_XML) {
3295 open_attr(fp, "sock_type");
3296 print_2_bytes(fp, tok->tt.socket.type, "%u");
3297 close_attr(fp);
3298 open_attr(fp, "lport");
3299 print_2_bytes(fp, ntohs(tok->tt.socket.l_port), "%u");
3300 close_attr(fp);
3301 open_attr(fp, "laddr");
3302 print_ip_address(fp, tok->tt.socket.l_addr);
3303 close_attr(fp);
3304 open_attr(fp, "fport");
3305 print_2_bytes(fp, ntohs(tok->tt.socket.r_port), "%u");
3306 close_attr(fp);
3307 open_attr(fp, "faddr");
3308 print_ip_address(fp, tok->tt.socket.r_addr);
3309 close_attr(fp);
3310 close_tag(fp, tok->id);
3311 } else {
3312 print_delim(fp, del);
3313 print_2_bytes(fp, tok->tt.socket.type, "%u");
3314 print_delim(fp, del);
3315 print_2_bytes(fp, ntohs(tok->tt.socket.l_port), "%u");
3316 print_delim(fp, del);
3317 print_ip_address(fp, tok->tt.socket.l_addr);
3318 print_delim(fp, del);
3319 print_2_bytes(fp, ntohs(tok->tt.socket.r_port), "%u");
3320 print_delim(fp, del);
3321 print_ip_address(fp, tok->tt.socket.r_addr);
3322 }
3323 }
3324
3325 /*
3326 * audit ID 4 bytes
3327 * euid 4 bytes
3328 * egid 4 bytes
3329 * ruid 4 bytes
3330 * rgid 4 bytes
3331 * pid 4 bytes
3332 * sessid 4 bytes
3333 * terminal ID
3334 * portid 4 bytes/8 bytes (32-bit/64-bit value)
3335 * machine id 4 bytes
3336 */
3337 static int
fetch_subject32_tok(tokenstr_t * tok,u_char * buf,int len)3338 fetch_subject32_tok(tokenstr_t *tok, u_char *buf, int len)
3339 {
3340 int err = 0;
3341
3342 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.auid, tok->len, err);
3343 if (err)
3344 return (-1);
3345
3346 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.euid, tok->len, err);
3347 if (err)
3348 return (-1);
3349
3350 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.egid, tok->len, err);
3351 if (err)
3352 return (-1);
3353
3354 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.ruid, tok->len, err);
3355 if (err)
3356 return (-1);
3357
3358 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.rgid, tok->len, err);
3359 if (err)
3360 return (-1);
3361
3362 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.pid, tok->len, err);
3363 if (err)
3364 return (-1);
3365
3366 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.sid, tok->len, err);
3367 if (err)
3368 return (-1);
3369
3370 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.tid.port, tok->len, err);
3371 if (err)
3372 return (-1);
3373
3374 READ_TOKEN_BYTES(buf, len, &tok->tt.subj32.tid.addr,
3375 sizeof(tok->tt.subj32.tid.addr), tok->len, err);
3376 if (err)
3377 return (-1);
3378
3379 return (0);
3380 }
3381
3382 static void
print_subject32_tok(FILE * fp,tokenstr_t * tok,char * del,int oflags)3383 print_subject32_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
3384 {
3385
3386 print_tok_type(fp, tok->id, "subject", oflags);
3387 if (oflags & AU_OFLAG_XML) {
3388 open_attr(fp, "audit-uid");
3389 print_user(fp, tok->tt.subj32.auid, oflags);
3390 close_attr(fp);
3391 open_attr(fp, "uid");
3392 print_user(fp, tok->tt.subj32.euid, oflags);
3393 close_attr(fp);
3394 open_attr(fp, "gid");
3395 print_group(fp, tok->tt.subj32.egid, oflags);
3396 close_attr(fp);
3397 open_attr(fp, "ruid");
3398 print_user(fp, tok->tt.subj32.ruid, oflags);
3399 close_attr(fp);
3400 open_attr(fp, "rgid");
3401 print_group(fp, tok->tt.subj32.rgid, oflags);
3402 close_attr(fp);
3403 open_attr(fp,"pid");
3404 print_4_bytes(fp, tok->tt.subj32.pid, "%u");
3405 close_attr(fp);
3406 open_attr(fp,"sid");
3407 print_4_bytes(fp, tok->tt.subj32.sid, "%u");
3408 close_attr(fp);
3409 open_attr(fp,"tid");
3410 print_4_bytes(fp, tok->tt.subj32.tid.port, "%u ");
3411 print_ip_address(fp, tok->tt.subj32.tid.addr);
3412 close_attr(fp);
3413 close_tag(fp, tok->id);
3414 } else {
3415 print_delim(fp, del);
3416 print_user(fp, tok->tt.subj32.auid, oflags);
3417 print_delim(fp, del);
3418 print_user(fp, tok->tt.subj32.euid, oflags);
3419 print_delim(fp, del);
3420 print_group(fp, tok->tt.subj32.egid, oflags);
3421 print_delim(fp, del);
3422 print_user(fp, tok->tt.subj32.ruid, oflags);
3423 print_delim(fp, del);
3424 print_group(fp, tok->tt.subj32.rgid, oflags);
3425 print_delim(fp, del);
3426 print_4_bytes(fp, tok->tt.subj32.pid, "%u");
3427 print_delim(fp, del);
3428 print_4_bytes(fp, tok->tt.subj32.sid, "%u");
3429 print_delim(fp, del);
3430 print_4_bytes(fp, tok->tt.subj32.tid.port, "%u");
3431 print_delim(fp, del);
3432 print_ip_address(fp, tok->tt.subj32.tid.addr);
3433 }
3434 }
3435
3436 static void
print_upriv_tok(FILE * fp,tokenstr_t * tok,char * del,int oflags)3437 print_upriv_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
3438 {
3439
3440 print_tok_type(fp, tok->id, "use of privilege", oflags);
3441 if (oflags & AU_OFLAG_XML) {
3442 open_attr(fp, "status");
3443 if (tok->tt.priv.sorf)
3444 (void) fprintf(fp, "successful use of priv");
3445 else
3446 (void) fprintf(fp, "failed use of priv");
3447 close_attr(fp);
3448 open_attr(fp, "name");
3449 print_string(fp, tok->tt.priv.priv, tok->tt.priv.privstrlen);
3450 close_attr(fp);
3451 close_tag(fp, tok->id);
3452 } else {
3453 print_delim(fp, del);
3454 if (tok->tt.priv.sorf)
3455 (void) fprintf(fp, "successful use of priv");
3456 else
3457 (void) fprintf(fp, "failed use of priv");
3458 print_delim(fp, del);
3459 print_string(fp, tok->tt.priv.priv, tok->tt.priv.privstrlen);
3460 }
3461 }
3462
3463 /*
3464 * status 1 byte
3465 * privstrlen 2 bytes
3466 * priv N bytes + 1 (\0 byte)
3467 */
3468 static int
fetch_priv_tok(tokenstr_t * tok,u_char * buf,int len)3469 fetch_priv_tok(tokenstr_t *tok, u_char *buf, int len)
3470 {
3471 int err = 0;
3472
3473 READ_TOKEN_U_CHAR(buf, len, tok->tt.priv.sorf, tok->len, err);
3474 if (err)
3475 return (-1);
3476 READ_TOKEN_U_INT16(buf, len, tok->tt.priv.privstrlen, tok->len, err);
3477 if (err)
3478 return (-1);
3479 SET_PTR((char *)buf, len, tok->tt.priv.priv, tok->tt.priv.privstrlen,
3480 tok->len, err);
3481 if (err)
3482 return (-1);
3483 return (0);
3484 }
3485
3486 /*
3487 * privtstrlen 1 byte
3488 * privtstr N bytes + 1
3489 * privstrlen 1 byte
3490 * privstr N bytes + 1
3491 */
3492 static int
fetch_privset_tok(tokenstr_t * tok,u_char * buf,int len)3493 fetch_privset_tok(tokenstr_t *tok, u_char *buf, int len)
3494 {
3495 int err = 0;
3496
3497 READ_TOKEN_U_INT16(buf, len, tok->tt.privset.privtstrlen,
3498 tok->len, err);
3499 if (err)
3500 return (-1);
3501 SET_PTR((char *)buf, len, tok->tt.privset.privtstr,
3502 tok->tt.privset.privtstrlen, tok->len, err);
3503 if (err)
3504 return (-1);
3505 READ_TOKEN_U_INT16(buf, len, tok->tt.privset.privstrlen,
3506 tok->len, err);
3507 if (err)
3508 return (-1);
3509 SET_PTR((char *)buf, len, tok->tt.privset.privstr,
3510 tok->tt.privset.privstrlen, tok->len, err);
3511 if (err)
3512 return (-1);
3513 return (0);
3514 }
3515
3516 static void
print_privset_tok(FILE * fp,tokenstr_t * tok,char * del,int oflags)3517 print_privset_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
3518 {
3519
3520 print_tok_type(fp, tok->id, "privilege", oflags);
3521 if (oflags & AU_OFLAG_XML) {
3522 open_attr(fp, "type");
3523 print_string(fp, tok->tt.privset.privtstr,
3524 tok->tt.privset.privtstrlen);
3525 close_attr(fp);
3526 open_attr(fp, "priv");
3527 print_string(fp, tok->tt.privset.privstr,
3528 tok->tt.privset.privstrlen);
3529 close_attr(fp);
3530 } else {
3531 print_delim(fp, del);
3532 print_string(fp, tok->tt.privset.privtstr,
3533 tok->tt.privset.privtstrlen);
3534 print_delim(fp, del);
3535 print_string(fp, tok->tt.privset.privstr,
3536 tok->tt.privset.privstrlen);
3537 }
3538 }
3539
3540 /*
3541 * audit ID 4 bytes
3542 * euid 4 bytes
3543 * egid 4 bytes
3544 * ruid 4 bytes
3545 * rgid 4 bytes
3546 * pid 4 bytes
3547 * sessid 4 bytes
3548 * terminal ID
3549 * portid 4 bytes/8 bytes (32-bit/64-bit value)
3550 * machine id 4 bytes
3551 */
3552 static int
fetch_subject64_tok(tokenstr_t * tok,u_char * buf,int len)3553 fetch_subject64_tok(tokenstr_t *tok, u_char *buf, int len)
3554 {
3555 int err = 0;
3556
3557 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.auid, tok->len, err);
3558 if (err)
3559 return (-1);
3560
3561 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.euid, tok->len, err);
3562 if (err)
3563 return (-1);
3564
3565 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.egid, tok->len, err);
3566 if (err)
3567 return (-1);
3568
3569 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.ruid, tok->len, err);
3570 if (err)
3571 return (-1);
3572
3573 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.rgid, tok->len, err);
3574 if (err)
3575 return (-1);
3576
3577 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.pid, tok->len, err);
3578 if (err)
3579 return (-1);
3580
3581 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.sid, tok->len, err);
3582 if (err)
3583 return (-1);
3584
3585 READ_TOKEN_U_INT64(buf, len, tok->tt.subj64.tid.port, tok->len, err);
3586 if (err)
3587 return (-1);
3588
3589 READ_TOKEN_BYTES(buf, len, &tok->tt.subj64.tid.addr,
3590 sizeof(tok->tt.subj64.tid.addr), tok->len, err);
3591 if (err)
3592 return (-1);
3593
3594 return (0);
3595 }
3596
3597 static void
print_subject64_tok(FILE * fp,tokenstr_t * tok,char * del,int oflags)3598 print_subject64_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
3599 {
3600
3601 print_tok_type(fp, tok->id, "subject", oflags);
3602 if (oflags & AU_OFLAG_XML) {
3603 open_attr(fp, "audit-uid");
3604 print_user(fp, tok->tt.subj64.auid, oflags);
3605 close_attr(fp);
3606 open_attr(fp, "uid");
3607 print_user(fp, tok->tt.subj64.euid, oflags);
3608 close_attr(fp);
3609 open_attr(fp, "gid");
3610 print_group(fp, tok->tt.subj64.egid, oflags);
3611 close_attr(fp);
3612 open_attr(fp, "ruid");
3613 print_user(fp, tok->tt.subj64.ruid, oflags);
3614 close_attr(fp);
3615 open_attr(fp, "rgid");
3616 print_group(fp, tok->tt.subj64.rgid, oflags);
3617 close_attr(fp);
3618 open_attr(fp, "pid");
3619 print_4_bytes(fp, tok->tt.subj64.pid, "%u");
3620 close_attr(fp);
3621 open_attr(fp, "sid");
3622 print_4_bytes(fp, tok->tt.subj64.sid, "%u");
3623 close_attr(fp);
3624 open_attr(fp, "tid");
3625 print_8_bytes(fp, tok->tt.subj64.tid.port, "%llu");
3626 print_ip_address(fp, tok->tt.subj64.tid.addr);
3627 close_attr(fp);
3628 close_tag(fp, tok->id);
3629 } else {
3630 print_delim(fp, del);
3631 print_user(fp, tok->tt.subj64.auid, oflags);
3632 print_delim(fp, del);
3633 print_user(fp, tok->tt.subj64.euid, oflags);
3634 print_delim(fp, del);
3635 print_group(fp, tok->tt.subj64.egid, oflags);
3636 print_delim(fp, del);
3637 print_user(fp, tok->tt.subj64.ruid, oflags);
3638 print_delim(fp, del);
3639 print_group(fp, tok->tt.subj64.rgid, oflags);
3640 print_delim(fp, del);
3641 print_4_bytes(fp, tok->tt.subj64.pid, "%u");
3642 print_delim(fp, del);
3643 print_4_bytes(fp, tok->tt.subj64.sid, "%u");
3644 print_delim(fp, del);
3645 print_8_bytes(fp, tok->tt.subj64.tid.port, "%llu");
3646 print_delim(fp, del);
3647 print_ip_address(fp, tok->tt.subj64.tid.addr);
3648 }
3649 }
3650
3651 /*
3652 * audit ID 4 bytes
3653 * euid 4 bytes
3654 * egid 4 bytes
3655 * ruid 4 bytes
3656 * rgid 4 bytes
3657 * pid 4 bytes
3658 * sessid 4 bytes
3659 * terminal ID
3660 * portid 4 bytes
3661 * type 4 bytes
3662 * machine id 16 bytes
3663 */
3664 static int
fetch_subject32ex_tok(tokenstr_t * tok,u_char * buf,int len)3665 fetch_subject32ex_tok(tokenstr_t *tok, u_char *buf, int len)
3666 {
3667 int err = 0;
3668
3669 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.auid, tok->len, err);
3670 if (err)
3671 return (-1);
3672
3673 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.euid, tok->len, err);
3674 if (err)
3675 return (-1);
3676
3677 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.egid, tok->len, err);
3678 if (err)
3679 return (-1);
3680
3681 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.ruid, tok->len, err);
3682 if (err)
3683 return (-1);
3684
3685 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.rgid, tok->len, err);
3686 if (err)
3687 return (-1);
3688
3689 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.pid, tok->len, err);
3690 if (err)
3691 return (-1);
3692
3693 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.sid, tok->len, err);
3694 if (err)
3695 return (-1);
3696
3697 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.tid.port, tok->len,
3698 err);
3699 if (err)
3700 return (-1);
3701
3702 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.tid.type, tok->len,
3703 err);
3704 if (err)
3705 return (-1);
3706
3707 if (tok->tt.subj32_ex.tid.type == AU_IPv4) {
3708 READ_TOKEN_BYTES(buf, len, &tok->tt.subj32_ex.tid.addr[0],
3709 sizeof(tok->tt.subj32_ex.tid.addr[0]), tok->len, err);
3710 if (err)
3711 return (-1);
3712 } else if (tok->tt.subj32_ex.tid.type == AU_IPv6) {
3713 READ_TOKEN_BYTES(buf, len, tok->tt.subj32_ex.tid.addr,
3714 sizeof(tok->tt.subj32_ex.tid.addr), tok->len, err);
3715 if (err)
3716 return (-1);
3717 } else
3718 return (-1);
3719
3720 return (0);
3721 }
3722
3723 static void
print_subject32ex_tok(FILE * fp,tokenstr_t * tok,char * del,int oflags)3724 print_subject32ex_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
3725 {
3726
3727 print_tok_type(fp, tok->id, "subject_ex", oflags);
3728 if (oflags & AU_OFLAG_XML) {
3729 open_attr(fp, "audit-uid");
3730 print_user(fp, tok->tt.subj32_ex.auid, oflags);
3731 close_attr(fp);
3732 open_attr(fp, "uid");
3733 print_user(fp, tok->tt.subj32_ex.euid, oflags);
3734 close_attr(fp);
3735 open_attr(fp, "gid");
3736 print_group(fp, tok->tt.subj32_ex.egid, oflags);
3737 close_attr(fp);
3738 open_attr(fp, "ruid");
3739 print_user(fp, tok->tt.subj32_ex.ruid, oflags);
3740 close_attr(fp);
3741 open_attr(fp, "rgid");
3742 print_group(fp, tok->tt.subj32_ex.rgid, oflags);
3743 close_attr(fp);
3744 open_attr(fp, "pid");
3745 print_4_bytes(fp, tok->tt.subj32_ex.pid, "%u");
3746 close_attr(fp);
3747 open_attr(fp, "sid");
3748 print_4_bytes(fp, tok->tt.subj32_ex.sid, "%u");
3749 close_attr(fp);
3750 open_attr(fp, "tid");
3751 print_4_bytes(fp, tok->tt.subj32_ex.tid.port, "%u");
3752 print_ip_ex_address(fp, tok->tt.subj32_ex.tid.type,
3753 tok->tt.subj32_ex.tid.addr);
3754 close_attr(fp);
3755 close_tag(fp, tok->id);
3756 } else {
3757 print_delim(fp, del);
3758 print_user(fp, tok->tt.subj32_ex.auid, oflags);
3759 print_delim(fp, del);
3760 print_user(fp, tok->tt.subj32_ex.euid, oflags);
3761 print_delim(fp, del);
3762 print_group(fp, tok->tt.subj32_ex.egid, oflags);
3763 print_delim(fp, del);
3764 print_user(fp, tok->tt.subj32_ex.ruid, oflags);
3765 print_delim(fp, del);
3766 print_group(fp, tok->tt.subj32_ex.rgid, oflags);
3767 print_delim(fp, del);
3768 print_4_bytes(fp, tok->tt.subj32_ex.pid, "%u");
3769 print_delim(fp, del);
3770 print_4_bytes(fp, tok->tt.subj32_ex.sid, "%u");
3771 print_delim(fp, del);
3772 print_4_bytes(fp, tok->tt.subj32_ex.tid.port, "%u");
3773 print_delim(fp, del);
3774 print_ip_ex_address(fp, tok->tt.subj32_ex.tid.type,
3775 tok->tt.subj32_ex.tid.addr);
3776 }
3777 }
3778
3779 /*
3780 * audit ID 4 bytes
3781 * euid 4 bytes
3782 * egid 4 bytes
3783 * ruid 4 bytes
3784 * rgid 4 bytes
3785 * pid 4 bytes
3786 * sessid 4 bytes
3787 * terminal ID
3788 * portid 8 bytes
3789 * type 4 bytes
3790 * machine id 16 bytes
3791 */
3792 static int
fetch_subject64ex_tok(tokenstr_t * tok,u_char * buf,int len)3793 fetch_subject64ex_tok(tokenstr_t *tok, u_char *buf, int len)
3794 {
3795 int err = 0;
3796
3797 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.auid, tok->len, err);
3798 if (err)
3799 return (-1);
3800
3801 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.euid, tok->len, err);
3802 if (err)
3803 return (-1);
3804
3805 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.egid, tok->len, err);
3806 if (err)
3807 return (-1);
3808
3809 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.ruid, tok->len, err);
3810 if (err)
3811 return (-1);
3812
3813 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.rgid, tok->len, err);
3814 if (err)
3815 return (-1);
3816
3817 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.pid, tok->len, err);
3818 if (err)
3819 return (-1);
3820
3821 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.sid, tok->len, err);
3822 if (err)
3823 return (-1);
3824
3825 READ_TOKEN_U_INT64(buf, len, tok->tt.subj64_ex.tid.port, tok->len,
3826 err);
3827 if (err)
3828 return (-1);
3829
3830 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.tid.type, tok->len,
3831 err);
3832 if (err)
3833 return (-1);
3834
3835 if (tok->tt.subj64_ex.tid.type == AU_IPv4) {
3836 READ_TOKEN_BYTES(buf, len, &tok->tt.subj64_ex.tid.addr[0],
3837 sizeof(tok->tt.subj64_ex.tid.addr[0]), tok->len, err);
3838 if (err)
3839 return (-1);
3840 } else if (tok->tt.subj64_ex.tid.type == AU_IPv6) {
3841 READ_TOKEN_BYTES(buf, len, tok->tt.subj64_ex.tid.addr,
3842 sizeof(tok->tt.subj64_ex.tid.addr), tok->len, err);
3843 if (err)
3844 return (-1);
3845 } else
3846 return (-1);
3847
3848 return (0);
3849 }
3850
3851 static void
print_subject64ex_tok(FILE * fp,tokenstr_t * tok,char * del,int oflags)3852 print_subject64ex_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
3853 {
3854 print_tok_type(fp, tok->id, "subject_ex", oflags);
3855 if (oflags & AU_OFLAG_XML) {
3856 open_attr(fp, "audit-uid");
3857 print_user(fp, tok->tt.subj64_ex.auid, oflags);
3858 close_attr(fp);
3859 open_attr(fp, "uid");
3860 print_user(fp, tok->tt.subj64_ex.euid, oflags);
3861 close_attr(fp);
3862 open_attr(fp, "gid");
3863 print_group(fp, tok->tt.subj64_ex.egid, oflags);
3864 close_attr(fp);
3865 open_attr(fp, "ruid");
3866 print_user(fp, tok->tt.subj64_ex.ruid, oflags);
3867 close_attr(fp);
3868 open_attr(fp, "rgid");
3869 print_group(fp, tok->tt.subj64_ex.rgid, oflags);
3870 close_attr(fp);
3871 open_attr(fp, "pid");
3872 print_4_bytes(fp, tok->tt.subj64_ex.pid, "%u");
3873 close_attr(fp);
3874 open_attr(fp, "sid");
3875 print_4_bytes(fp, tok->tt.subj64_ex.sid, "%u");
3876 close_attr(fp);
3877 open_attr(fp, "tid");
3878 print_8_bytes(fp, tok->tt.subj64_ex.tid.port, "%llu");
3879 print_ip_ex_address(fp, tok->tt.subj64_ex.tid.type,
3880 tok->tt.subj64_ex.tid.addr);
3881 close_attr(fp);
3882 close_tag(fp, tok->id);
3883 } else {
3884 print_delim(fp, del);
3885 print_user(fp, tok->tt.subj64_ex.auid, oflags);
3886 print_delim(fp, del);
3887 print_user(fp, tok->tt.subj64_ex.euid, oflags);
3888 print_delim(fp, del);
3889 print_group(fp, tok->tt.subj64_ex.egid, oflags);
3890 print_delim(fp, del);
3891 print_user(fp, tok->tt.subj64_ex.ruid, oflags);
3892 print_delim(fp, del);
3893 print_group(fp, tok->tt.subj64_ex.rgid, oflags);
3894 print_delim(fp, del);
3895 print_4_bytes(fp, tok->tt.subj64_ex.pid, "%u");
3896 print_delim(fp, del);
3897 print_4_bytes(fp, tok->tt.subj64_ex.sid, "%u");
3898 print_delim(fp, del);
3899 print_8_bytes(fp, tok->tt.subj64_ex.tid.port, "%llu");
3900 print_delim(fp, del);
3901 print_ip_ex_address(fp, tok->tt.subj64_ex.tid.type,
3902 tok->tt.subj64_ex.tid.addr);
3903 }
3904 }
3905
3906 /*
3907 * size 2 bytes
3908 * data size bytes
3909 */
3910 static int
fetch_text_tok(tokenstr_t * tok,u_char * buf,int len)3911 fetch_text_tok(tokenstr_t *tok, u_char *buf, int len)
3912 {
3913 int err = 0;
3914
3915 READ_TOKEN_U_INT16(buf, len, tok->tt.text.len, tok->len, err);
3916 if (err)
3917 return (-1);
3918
3919 SET_PTR((char*)buf, len, tok->tt.text.text, tok->tt.text.len, tok->len,
3920 err);
3921 if (err)
3922 return (-1);
3923
3924 return (0);
3925 }
3926
3927 static void
print_text_tok(FILE * fp,tokenstr_t * tok,char * del,int oflags)3928 print_text_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
3929 {
3930
3931 print_tok_type(fp, tok->id, "text", oflags);
3932 if (oflags & AU_OFLAG_XML) {
3933 print_string(fp, tok->tt.text.text, tok->tt.text.len);
3934 close_tag(fp, tok->id);
3935 } else {
3936 print_delim(fp, del);
3937 print_string(fp, tok->tt.text.text, tok->tt.text.len);
3938 }
3939 }
3940
3941 /*
3942 * socket domain 2 bytes
3943 * socket type 2 bytes
3944 * address type 2 bytes
3945 * local port 2 bytes
3946 * local Internet address 4/16 bytes
3947 * remote port 2 bytes
3948 * remote Internet address 4/16 bytes
3949 */
3950 static int
fetch_socketex32_tok(tokenstr_t * tok,u_char * buf,int len)3951 fetch_socketex32_tok(tokenstr_t *tok, u_char *buf, int len)
3952 {
3953 int err = 0;
3954
3955 READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.domain, tok->len,
3956 err);
3957 if (err)
3958 return (-1);
3959
3960 READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.type, tok->len,
3961 err);
3962 if (err)
3963 return (-1);
3964
3965 READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.atype, tok->len,
3966 err);
3967 if (err)
3968 return (-1);
3969
3970 if (tok->tt.socket_ex32.atype != AU_IPv4 &&
3971 tok->tt.socket_ex32.atype != AU_IPv6)
3972 return (-1);
3973
3974 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_port,
3975 sizeof(uint16_t), tok->len, err);
3976 if (err)
3977 return (-1);
3978
3979 if (tok->tt.socket_ex32.atype == AU_IPv4) {
3980 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_addr,
3981 sizeof(tok->tt.socket_ex32.l_addr[0]), tok->len, err);
3982 if (err)
3983 return (-1);
3984 } else {
3985 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_addr,
3986 sizeof(tok->tt.socket_ex32.l_addr), tok->len, err);
3987 if (err)
3988 return (-1);
3989 }
3990
3991 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_port,
3992 sizeof(uint16_t), tok->len, err);
3993 if (err)
3994 return (-1);
3995
3996 if (tok->tt.socket_ex32.atype == AU_IPv4) {
3997 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_addr,
3998 sizeof(tok->tt.socket_ex32.r_addr[0]), tok->len, err);
3999 if (err)
4000 return (-1);
4001 } else {
4002 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_addr,
4003 sizeof(tok->tt.socket_ex32.r_addr), tok->len, err);
4004 if (err)
4005 return (-1);
4006 }
4007
4008 return (0);
4009 }
4010
4011 static void
print_socketex32_tok(FILE * fp,tokenstr_t * tok,char * del,int oflags)4012 print_socketex32_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
4013 {
4014
4015 /*
4016 * This print routine prints BSM constant space domains and socket
4017 * types rather than converting them. If we add string printers for
4018 * these constants in the future, we may want to call conversion
4019 * routines.
4020 */
4021 print_tok_type(fp, tok->id, "socket", oflags);
4022 if (oflags & AU_OFLAG_XML) {
4023 open_attr(fp, "sock_dom");
4024 print_2_bytes(fp, tok->tt.socket_ex32.domain, "%#x");
4025 close_attr(fp);
4026 open_attr(fp, "sock_type");
4027 print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x");
4028 close_attr(fp);
4029 open_attr(fp, "lport");
4030 print_2_bytes(fp, ntohs(tok->tt.socket_ex32.l_port), "%#x");
4031 close_attr(fp);
4032 open_attr(fp, "laddr");
4033 print_ip_ex_address(fp, tok->tt.socket_ex32.atype,
4034 tok->tt.socket_ex32.l_addr);
4035 close_attr(fp);
4036 open_attr(fp, "faddr");
4037 print_ip_ex_address(fp, tok->tt.socket_ex32.atype,
4038 tok->tt.socket_ex32.r_addr);
4039 close_attr(fp);
4040 open_attr(fp, "fport");
4041 print_2_bytes(fp, ntohs(tok->tt.socket_ex32.r_port), "%#x");
4042 close_attr(fp);
4043 close_tag(fp, tok->id);
4044 } else {
4045 print_delim(fp, del);
4046 print_2_bytes(fp, tok->tt.socket_ex32.domain, "%#x");
4047 print_delim(fp, del);
4048 print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x");
4049 print_delim(fp, del);
4050 print_2_bytes(fp, ntohs(tok->tt.socket_ex32.l_port), "%#x");
4051 print_delim(fp, del);
4052 print_ip_ex_address(fp, tok->tt.socket_ex32.atype,
4053 tok->tt.socket_ex32.l_addr);
4054 print_delim(fp, del);
4055 print_4_bytes(fp, ntohs(tok->tt.socket_ex32.r_port), "%#x");
4056 print_delim(fp, del);
4057 print_ip_ex_address(fp, tok->tt.socket_ex32.atype,
4058 tok->tt.socket_ex32.r_addr);
4059 }
4060 }
4061
4062 static int
fetch_invalid_tok(tokenstr_t * tok,u_char * buf,int len)4063 fetch_invalid_tok(tokenstr_t *tok, u_char *buf, int len)
4064 {
4065 int err = 0;
4066 int recoversize;
4067
4068 recoversize = len - (tok->len + AUDIT_TRAILER_SIZE);
4069 if (recoversize <= 0)
4070 return (-1);
4071
4072 tok->tt.invalid.length = recoversize;
4073
4074 SET_PTR((char*)buf, len, tok->tt.invalid.data, recoversize, tok->len,
4075 err);
4076 if (err)
4077 return (-1);
4078
4079 return (0);
4080 }
4081
4082 static void
print_invalid_tok(FILE * fp,tokenstr_t * tok,char * del,int oflags)4083 print_invalid_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
4084 {
4085
4086 if (!(oflags & AU_OFLAG_XML)) {
4087 print_tok_type(fp, tok->id, "unknown", oflags);
4088 print_delim(fp, del);
4089 print_mem(fp, (u_char*)tok->tt.invalid.data,
4090 tok->tt.invalid.length);
4091 }
4092 }
4093
4094
4095 /*
4096 * size 2 bytes;
4097 * zonename size bytes;
4098 */
4099 static int
fetch_zonename_tok(tokenstr_t * tok,u_char * buf,int len)4100 fetch_zonename_tok(tokenstr_t *tok, u_char *buf, int len)
4101 {
4102 int err = 0;
4103
4104 READ_TOKEN_U_INT16(buf, len, tok->tt.zonename.len, tok->len, err);
4105 if (err)
4106 return (-1);
4107 SET_PTR((char *)buf, len, tok->tt.zonename.zonename, tok->tt.zonename.len,
4108 tok->len, err);
4109 if (err)
4110 return (-1);
4111 return (0);
4112 }
4113
4114 static void
print_zonename_tok(FILE * fp,tokenstr_t * tok,char * del,int oflags)4115 print_zonename_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
4116 {
4117
4118 print_tok_type(fp, tok->id, "zone", oflags);
4119 if (oflags & AU_OFLAG_XML) {
4120 open_attr(fp, "name");
4121 print_string(fp, tok->tt.zonename.zonename,
4122 tok->tt.zonename.len);
4123 close_attr(fp);
4124 close_tag(fp, tok->id);
4125 } else {
4126 print_delim(fp, del);
4127 print_string(fp, tok->tt.zonename.zonename,
4128 tok->tt.zonename.len);
4129 }
4130 }
4131
4132 /*
4133 * Reads the token beginning at buf into tok.
4134 */
4135 int
au_fetch_tok(tokenstr_t * tok,u_char * buf,int len)4136 au_fetch_tok(tokenstr_t *tok, u_char *buf, int len)
4137 {
4138
4139 if (len <= 0)
4140 return (-1);
4141
4142 tok->len = 1;
4143 tok->data = buf;
4144 tok->id = *buf;
4145
4146 switch(tok->id) {
4147 case AUT_HEADER32:
4148 return (fetch_header32_tok(tok, buf, len));
4149
4150 case AUT_HEADER32_EX:
4151 return (fetch_header32_ex_tok(tok, buf, len));
4152
4153 case AUT_HEADER64:
4154 return (fetch_header64_tok(tok, buf, len));
4155
4156 case AUT_HEADER64_EX:
4157 return (fetch_header64_ex_tok(tok, buf, len));
4158
4159 case AUT_TRAILER:
4160 return (fetch_trailer_tok(tok, buf, len));
4161
4162 case AUT_ARG32:
4163 return (fetch_arg32_tok(tok, buf, len));
4164
4165 case AUT_ARG64:
4166 return (fetch_arg64_tok(tok, buf, len));
4167
4168 case AUT_ATTR32:
4169 return (fetch_attr32_tok(tok, buf, len));
4170
4171 case AUT_ATTR64:
4172 return (fetch_attr64_tok(tok, buf, len));
4173
4174 case AUT_EXIT:
4175 return (fetch_exit_tok(tok, buf, len));
4176
4177 case AUT_EXEC_ARGS:
4178 return (fetch_execarg_tok(tok, buf, len));
4179
4180 case AUT_EXEC_ENV:
4181 return (fetch_execenv_tok(tok, buf, len));
4182
4183 case AUT_OTHER_FILE32:
4184 return (fetch_file_tok(tok, buf, len));
4185
4186 case AUT_NEWGROUPS:
4187 return (fetch_newgroups_tok(tok, buf, len));
4188
4189 case AUT_IN_ADDR:
4190 return (fetch_inaddr_tok(tok, buf, len));
4191
4192 case AUT_IN_ADDR_EX:
4193 return (fetch_inaddr_ex_tok(tok, buf, len));
4194
4195 case AUT_IP:
4196 return (fetch_ip_tok(tok, buf, len));
4197
4198 case AUT_IPC:
4199 return (fetch_ipc_tok(tok, buf, len));
4200
4201 case AUT_IPC_PERM:
4202 return (fetch_ipcperm_tok(tok, buf, len));
4203
4204 case AUT_IPORT:
4205 return (fetch_iport_tok(tok, buf, len));
4206
4207 case AUT_OPAQUE:
4208 return (fetch_opaque_tok(tok, buf, len));
4209
4210 case AUT_PATH:
4211 return (fetch_path_tok(tok, buf, len));
4212
4213 case AUT_PROCESS32:
4214 return (fetch_process32_tok(tok, buf, len));
4215
4216 case AUT_PROCESS32_EX:
4217 return (fetch_process32ex_tok(tok, buf, len));
4218
4219 case AUT_PROCESS64:
4220 return (fetch_process64_tok(tok, buf, len));
4221
4222 case AUT_PROCESS64_EX:
4223 return (fetch_process64ex_tok(tok, buf, len));
4224
4225 case AUT_RETURN32:
4226 return (fetch_return32_tok(tok, buf, len));
4227
4228 case AUT_RETURN64:
4229 return (fetch_return64_tok(tok, buf, len));
4230
4231 case AUT_SEQ:
4232 return (fetch_seq_tok(tok, buf, len));
4233
4234 case AUT_SOCKET:
4235 return (fetch_socket_tok(tok, buf, len));
4236
4237 case AUT_SOCKINET32:
4238 return (fetch_sock_inet32_tok(tok, buf, len));
4239
4240 case AUT_SOCKUNIX:
4241 return (fetch_sock_unix_tok(tok, buf, len));
4242
4243 case AUT_SOCKINET128:
4244 return (fetch_sock_inet128_tok(tok, buf, len));
4245
4246 case AUT_SUBJECT32:
4247 return (fetch_subject32_tok(tok, buf, len));
4248
4249 case AUT_SUBJECT32_EX:
4250 return (fetch_subject32ex_tok(tok, buf, len));
4251
4252 case AUT_SUBJECT64:
4253 return (fetch_subject64_tok(tok, buf, len));
4254
4255 case AUT_SUBJECT64_EX:
4256 return (fetch_subject64ex_tok(tok, buf, len));
4257
4258 case AUT_TEXT:
4259 return (fetch_text_tok(tok, buf, len));
4260
4261 case AUT_SOCKET_EX:
4262 return (fetch_socketex32_tok(tok, buf, len));
4263
4264 case AUT_DATA:
4265 return (fetch_arb_tok(tok, buf, len));
4266
4267 case AUT_ZONENAME:
4268 return (fetch_zonename_tok(tok, buf, len));
4269
4270 case AUT_UPRIV:
4271 return (fetch_priv_tok(tok, buf, len));
4272
4273 case AUT_PRIV:
4274 return (fetch_privset_tok(tok, buf, len));
4275
4276 default:
4277 return (fetch_invalid_tok(tok, buf, len));
4278 }
4279 }
4280
4281 void
au_print_flags_tok(FILE * outfp,tokenstr_t * tok,char * del,int oflags)4282 au_print_flags_tok(FILE *outfp, tokenstr_t *tok, char *del, int oflags)
4283 {
4284
4285 switch(tok->id) {
4286 case AUT_HEADER32:
4287 print_header32_tok(outfp, tok, del, oflags);
4288 return;
4289
4290 case AUT_HEADER32_EX:
4291 print_header32_ex_tok(outfp, tok, del, oflags);
4292 return;
4293
4294 case AUT_HEADER64:
4295 print_header64_tok(outfp, tok, del, oflags);
4296 return;
4297
4298 case AUT_HEADER64_EX:
4299 print_header64_ex_tok(outfp, tok, del, oflags);
4300 return;
4301
4302 case AUT_TRAILER:
4303 print_trailer_tok(outfp, tok, del, oflags);
4304 return;
4305
4306 case AUT_ARG32:
4307 print_arg32_tok(outfp, tok, del, oflags);
4308 return;
4309
4310 case AUT_ARG64:
4311 print_arg64_tok(outfp, tok, del, oflags);
4312 return;
4313
4314 case AUT_DATA:
4315 print_arb_tok(outfp, tok, del, oflags);
4316 return;
4317
4318 case AUT_ATTR32:
4319 print_attr32_tok(outfp, tok, del, oflags);
4320 return;
4321
4322 case AUT_ATTR64:
4323 print_attr64_tok(outfp, tok, del, oflags);
4324 return;
4325
4326 case AUT_EXIT:
4327 print_exit_tok(outfp, tok, del, oflags);
4328 return;
4329
4330 case AUT_EXEC_ARGS:
4331 print_execarg_tok(outfp, tok, del, oflags);
4332 return;
4333
4334 case AUT_EXEC_ENV:
4335 print_execenv_tok(outfp, tok, del, oflags);
4336 return;
4337
4338 case AUT_OTHER_FILE32:
4339 print_file_tok(outfp, tok, del, oflags);
4340 return;
4341
4342 case AUT_NEWGROUPS:
4343 print_newgroups_tok(outfp, tok, del, oflags);
4344 return;
4345
4346 case AUT_IN_ADDR:
4347 print_inaddr_tok(outfp, tok, del, oflags);
4348 return;
4349
4350 case AUT_IN_ADDR_EX:
4351 print_inaddr_ex_tok(outfp, tok, del, oflags);
4352 return;
4353
4354 case AUT_IP:
4355 print_ip_tok(outfp, tok, del, oflags);
4356 return;
4357
4358 case AUT_IPC:
4359 print_ipc_tok(outfp, tok, del, oflags);
4360 return;
4361
4362 case AUT_IPC_PERM:
4363 print_ipcperm_tok(outfp, tok, del, oflags);
4364 return;
4365
4366 case AUT_IPORT:
4367 print_iport_tok(outfp, tok, del, oflags);
4368 return;
4369
4370 case AUT_OPAQUE:
4371 print_opaque_tok(outfp, tok, del, oflags);
4372 return;
4373
4374 case AUT_PATH:
4375 print_path_tok(outfp, tok, del, oflags);
4376 return;
4377
4378 case AUT_PROCESS32:
4379 print_process32_tok(outfp, tok, del, oflags);
4380 return;
4381
4382 case AUT_PROCESS32_EX:
4383 print_process32ex_tok(outfp, tok, del, oflags);
4384 return;
4385
4386 case AUT_PROCESS64:
4387 print_process64_tok(outfp, tok, del, oflags);
4388 return;
4389
4390 case AUT_PROCESS64_EX:
4391 print_process64ex_tok(outfp, tok, del, oflags);
4392 return;
4393
4394 case AUT_RETURN32:
4395 print_return32_tok(outfp, tok, del, oflags);
4396 return;
4397
4398 case AUT_RETURN64:
4399 print_return64_tok(outfp, tok, del, oflags);
4400 return;
4401
4402 case AUT_SEQ:
4403 print_seq_tok(outfp, tok, del, oflags);
4404 return;
4405
4406 case AUT_SOCKET:
4407 print_socket_tok(outfp, tok, del, oflags);
4408 return;
4409
4410 case AUT_SOCKINET32:
4411 print_sock_inet32_tok(outfp, tok, del, oflags);
4412 return;
4413
4414 case AUT_SOCKUNIX:
4415 print_sock_unix_tok(outfp, tok, del, oflags);
4416 return;
4417
4418 case AUT_SOCKINET128:
4419 print_sock_inet128_tok(outfp, tok, del, oflags);
4420 return;
4421
4422 case AUT_SUBJECT32:
4423 print_subject32_tok(outfp, tok, del, oflags);
4424 return;
4425
4426 case AUT_SUBJECT64:
4427 print_subject64_tok(outfp, tok, del, oflags);
4428 return;
4429
4430 case AUT_SUBJECT32_EX:
4431 print_subject32ex_tok(outfp, tok, del, oflags);
4432 return;
4433
4434 case AUT_SUBJECT64_EX:
4435 print_subject64ex_tok(outfp, tok, del, oflags);
4436 return;
4437
4438 case AUT_TEXT:
4439 print_text_tok(outfp, tok, del, oflags);
4440 return;
4441
4442 case AUT_SOCKET_EX:
4443 print_socketex32_tok(outfp, tok, del, oflags);
4444 return;
4445
4446 case AUT_ZONENAME:
4447 print_zonename_tok(outfp, tok, del, oflags);
4448 return;
4449
4450 case AUT_UPRIV:
4451 print_upriv_tok(outfp, tok, del, oflags);
4452 return;
4453
4454 case AUT_PRIV:
4455 print_privset_tok(outfp, tok, del, oflags);
4456 return;
4457
4458 default:
4459 print_invalid_tok(outfp, tok, del, oflags);
4460 }
4461 }
4462
4463 /*
4464 * 'prints' the token out to outfp.
4465 */
4466 void
au_print_tok(FILE * outfp,tokenstr_t * tok,char * del,char raw,char sfrm)4467 au_print_tok(FILE *outfp, tokenstr_t *tok, char *del, char raw, char sfrm)
4468 {
4469 int oflags = AU_OFLAG_NONE;
4470
4471 if (raw)
4472 oflags |= AU_OFLAG_RAW;
4473 if (sfrm)
4474 oflags |= AU_OFLAG_SHORT;
4475
4476 au_print_flags_tok(outfp, tok, del, oflags);
4477 }
4478
4479 /*
4480 * 'prints' the token out to outfp in XML format.
4481 */
4482 void
au_print_tok_xml(FILE * outfp,tokenstr_t * tok,char * del,char raw,char sfrm)4483 au_print_tok_xml(FILE *outfp, tokenstr_t *tok, char *del, char raw,
4484 char sfrm)
4485 {
4486 int oflags = AU_OFLAG_XML;
4487
4488 if (raw)
4489 oflags |= AU_OFLAG_RAW;
4490 if (sfrm)
4491 oflags |= AU_OFLAG_SHORT;
4492
4493 au_print_flags_tok(outfp, tok, del, oflags);
4494 }
4495
4496 /*
4497 * Read a record from the file pointer, store data in buf memory for buf is
4498 * also allocated in this function and has to be free'd outside this call.
4499 *
4500 * au_read_rec() handles two possibilities: a stand-alone file token, or a
4501 * complete audit record.
4502 *
4503 * XXXRW: Note that if we hit an error, we leave the stream in an unusable
4504 * state, because it will be partly offset into a record. We should rewind
4505 * or do something more intelligent. Particularly interesting is the case
4506 * where we perform a partial read of a record from a non-blockable file
4507 * descriptor. We should return the partial read and continue...?
4508 */
4509 int
au_read_rec(FILE * fp,u_char ** buf)4510 au_read_rec(FILE *fp, u_char **buf)
4511 {
4512 u_char *bptr;
4513 u_int32_t recsize;
4514 u_int32_t bytestoread;
4515 u_char type;
4516
4517 u_int32_t sec, msec;
4518 u_int16_t filenamelen;
4519
4520 type = fgetc(fp);
4521
4522 switch (type) {
4523 case AUT_HEADER32:
4524 case AUT_HEADER32_EX:
4525 case AUT_HEADER64:
4526 case AUT_HEADER64_EX:
4527 /* read the record size from the token */
4528 if (fread(&recsize, 1, sizeof(u_int32_t), fp) <
4529 sizeof(u_int32_t)) {
4530 errno = EINVAL;
4531 return (-1);
4532 }
4533 recsize = be32toh(recsize);
4534
4535 /* Check for recsize sanity */
4536 if (recsize < (sizeof(u_int32_t) + sizeof(u_char))) {
4537 errno = EINVAL;
4538 return (-1);
4539 }
4540
4541 *buf = calloc(recsize, sizeof(u_char));
4542 if (*buf == NULL)
4543 return (-1);
4544 bptr = *buf;
4545
4546 /* store the token contents already read, back to the buffer*/
4547 *bptr = type;
4548 bptr++;
4549 be32enc(bptr, recsize);
4550 bptr += sizeof(u_int32_t);
4551
4552 /* now read remaining record bytes */
4553 bytestoread = recsize - (sizeof(u_int32_t) + sizeof(u_char));
4554
4555 if (fread(bptr, 1, bytestoread, fp) < bytestoread) {
4556 free(*buf);
4557 errno = EINVAL;
4558 return (-1);
4559 }
4560 break;
4561
4562 case AUT_OTHER_FILE32:
4563 /*
4564 * The file token is variable-length, as it includes a
4565 * pathname. As a result, we have to read incrementally
4566 * until we know the total length, then allocate space and
4567 * read the rest.
4568 */
4569 if (fread(&sec, 1, sizeof(sec), fp) < sizeof(sec)) {
4570 errno = EINVAL;
4571 return (-1);
4572 }
4573 if (fread(&msec, 1, sizeof(msec), fp) < sizeof(msec)) {
4574 errno = EINVAL;
4575 return (-1);
4576 }
4577 if (fread(&filenamelen, 1, sizeof(filenamelen), fp) <
4578 sizeof(filenamelen)) {
4579 errno = EINVAL;
4580 return (-1);
4581 }
4582 recsize = sizeof(type) + sizeof(sec) + sizeof(msec) +
4583 sizeof(filenamelen) + ntohs(filenamelen);
4584 *buf = malloc(recsize);
4585 if (*buf == NULL)
4586 return (-1);
4587 bptr = *buf;
4588
4589 bcopy(&type, bptr, sizeof(type));
4590 bptr += sizeof(type);
4591 bcopy(&sec, bptr, sizeof(sec));
4592 bptr += sizeof(sec);
4593 bcopy(&msec, bptr, sizeof(msec));
4594 bptr += sizeof(msec);
4595 bcopy(&filenamelen, bptr, sizeof(filenamelen));
4596 bptr += sizeof(filenamelen);
4597
4598 if (fread(bptr, 1, ntohs(filenamelen), fp) <
4599 ntohs(filenamelen)) {
4600 free(*buf);
4601 errno = EINVAL;
4602 return (-1);
4603 }
4604 break;
4605
4606 default:
4607 errno = EINVAL;
4608 return (-1);
4609 }
4610
4611 return (recsize);
4612 }
4613