1 /*-
2 * Copyright (c) 2004-2009 Apple Inc.
3 * Copyright (c) 2005 SPARTA, Inc.
4 * All rights reserved.
5 *
6 * This code was developed in part by Robert N. M. Watson, Senior Principal
7 * Scientist, SPARTA, Inc.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of Apple Inc. ("Apple") nor the names of
18 * its contributors may be used to endorse or promote products derived
19 * from this software without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
25 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
29 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
30 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
31 * POSSIBILITY OF SUCH DAMAGE.
32 */
33
34 #include <sys/types.h>
35
36 #include <config/config.h>
37
38 #ifdef USE_ENDIAN_H
39 #include <endian.h>
40 #endif
41 #ifdef USE_SYS_ENDIAN_H
42 #include <sys/endian.h>
43 #endif
44 #ifdef USE_MACHINE_ENDIAN_H
45 #include <machine/endian.h>
46 #endif
47 #ifdef USE_COMPAT_ENDIAN_H
48 #include <compat/endian.h>
49 #endif
50 #ifdef USE_COMPAT_ENDIAN_ENC_H
51 #include <compat/endian_enc.h>
52 #endif
53
54 #ifdef HAVE_FULL_QUEUE_H
55 #include <sys/queue.h>
56 #else /* !HAVE_FULL_QUEUE_H */
57 #include <compat/queue.h>
58 #endif /* !HAVE_FULL_QUEUE_H */
59
60 #include <sys/socket.h>
61 #include <sys/time.h>
62 #include <sys/un.h>
63
64 #include <sys/ipc.h>
65
66 #include <netinet/in.h>
67 #include <netinet/in_systm.h>
68 #include <netinet/ip.h>
69
70 #include <assert.h>
71 #include <errno.h>
72 #include <string.h>
73 #include <stdlib.h>
74 #include <unistd.h>
75
76 #include <bsm/audit_internal.h>
77 #include <bsm/libbsm.h>
78
79 #define GET_TOKEN_AREA(t, dptr, length) do { \
80 (t) = malloc(sizeof(token_t)); \
81 if ((t) != NULL) { \
82 (t)->len = (length); \
83 (dptr) = (t->t_data) = calloc((length), sizeof(u_char)); \
84 if ((dptr) == NULL) { \
85 free(t); \
86 (t) = NULL; \
87 } \
88 } else \
89 (dptr) = NULL; \
90 assert((t) == NULL || (dptr) != NULL); \
91 } while (0)
92
93 /*
94 * token ID 1 byte
95 * success/failure 1 byte
96 * privstrlen 2 bytes
97 * privstr N bytes + 1 (\0 byte)
98 */
99 token_t *
au_to_upriv(char sorf,char * priv)100 au_to_upriv(char sorf, char *priv)
101 {
102 u_int16_t textlen;
103 u_char *dptr;
104 token_t *t;
105
106 textlen = strlen(priv) + 1;
107 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_char) +
108 sizeof(u_int16_t) + textlen);
109 if (t == NULL)
110 return (NULL);
111 ADD_U_CHAR(dptr, AUT_UPRIV);
112 ADD_U_CHAR(dptr, sorf);
113 ADD_U_INT16(dptr, textlen);
114 ADD_STRING(dptr, priv, textlen);
115 return (t);
116 }
117
118 /*
119 * token ID 1 byte
120 * privtstrlen 2 bytes
121 * privtstr N bytes + 1
122 * privstrlen 2 bytes
123 * privstr N bytes + 1
124 */
125 token_t *
au_to_privset(char * privtypestr,char * privstr)126 au_to_privset(char *privtypestr, char *privstr)
127 {
128 u_int16_t type_len, priv_len;
129 u_char *dptr;
130 token_t *t;
131
132 type_len = strlen(privtypestr) + 1;
133 priv_len = strlen(privstr) + 1;
134 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) +
135 sizeof(u_int16_t) + type_len + priv_len);
136 if (t == NULL)
137 return (NULL);
138 ADD_U_CHAR(dptr, AUT_PRIV);
139 ADD_U_INT16(dptr, type_len);
140 ADD_STRING(dptr, privtypestr, type_len);
141 ADD_U_INT16(dptr, priv_len);
142 ADD_STRING(dptr, privstr, priv_len);
143 return (t);
144 }
145
146 /*
147 * token ID 1 byte
148 * argument # 1 byte
149 * argument value 4 bytes/8 bytes (32-bit/64-bit value)
150 * text length 2 bytes
151 * text N bytes + 1 terminating NULL byte
152 */
153 token_t *
au_to_arg32(char n,const char * text,u_int32_t v)154 au_to_arg32(char n, const char *text, u_int32_t v)
155 {
156 token_t *t;
157 u_char *dptr = NULL;
158 u_int16_t textlen;
159
160 textlen = strlen(text);
161 textlen += 1;
162
163 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int32_t) +
164 sizeof(u_int16_t) + textlen);
165 if (t == NULL)
166 return (NULL);
167
168 ADD_U_CHAR(dptr, AUT_ARG32);
169 ADD_U_CHAR(dptr, n);
170 ADD_U_INT32(dptr, v);
171 ADD_U_INT16(dptr, textlen);
172 ADD_STRING(dptr, text, textlen);
173
174 return (t);
175 }
176
177 token_t *
au_to_arg64(char n,const char * text,u_int64_t v)178 au_to_arg64(char n, const char *text, u_int64_t v)
179 {
180 token_t *t;
181 u_char *dptr = NULL;
182 u_int16_t textlen;
183
184 textlen = strlen(text);
185 textlen += 1;
186
187 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int64_t) +
188 sizeof(u_int16_t) + textlen);
189 if (t == NULL)
190 return (NULL);
191
192 ADD_U_CHAR(dptr, AUT_ARG64);
193 ADD_U_CHAR(dptr, n);
194 ADD_U_INT64(dptr, v);
195 ADD_U_INT16(dptr, textlen);
196 ADD_STRING(dptr, text, textlen);
197
198 return (t);
199 }
200
201 token_t *
au_to_arg(char n,const char * text,u_int32_t v)202 au_to_arg(char n, const char *text, u_int32_t v)
203 {
204
205 return (au_to_arg32(n, text, v));
206 }
207
208 #if defined(_KERNEL) || defined(KERNEL)
209 /*
210 * token ID 1 byte
211 * file access mode 4 bytes
212 * owner user ID 4 bytes
213 * owner group ID 4 bytes
214 * file system ID 4 bytes
215 * node ID 8 bytes
216 * device 4 bytes/8 bytes (32-bit/64-bit)
217 */
218 token_t *
au_to_attr32(struct vnode_au_info * vni)219 au_to_attr32(struct vnode_au_info *vni)
220 {
221 token_t *t;
222 u_char *dptr = NULL;
223 u_int16_t pad0_16 = 0;
224 u_int32_t pad0_32 = 0;
225
226 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) +
227 3 * sizeof(u_int32_t) + sizeof(u_int64_t) + sizeof(u_int32_t));
228 if (t == NULL)
229 return (NULL);
230
231 ADD_U_CHAR(dptr, AUT_ATTR32);
232
233 /*
234 * BSD defines the size for the file mode as 2 bytes; BSM defines 4
235 * so pad with 0.
236 *
237 * XXXRW: Possibly should be conditionally compiled.
238 *
239 * XXXRW: Should any conversions take place on the mode?
240 */
241 ADD_U_INT16(dptr, pad0_16);
242 ADD_U_INT16(dptr, vni->vn_mode);
243
244 ADD_U_INT32(dptr, vni->vn_uid);
245 ADD_U_INT32(dptr, vni->vn_gid);
246 ADD_U_INT32(dptr, vni->vn_fsid);
247
248 /*
249 * Some systems use 32-bit file ID's, others use 64-bit file IDs.
250 * Attempt to handle both, and let the compiler sort it out. If we
251 * could pick this out at compile-time, it would be better, so as to
252 * avoid the else case below.
253 */
254 if (sizeof(vni->vn_fileid) == sizeof(uint32_t)) {
255 ADD_U_INT32(dptr, pad0_32);
256 ADD_U_INT32(dptr, vni->vn_fileid);
257 } else if (sizeof(vni->vn_fileid) == sizeof(uint64_t))
258 ADD_U_INT64(dptr, vni->vn_fileid);
259 else
260 ADD_U_INT64(dptr, 0LL);
261
262 ADD_U_INT32(dptr, vni->vn_dev);
263
264 return (t);
265 }
266
267 token_t *
au_to_attr64(struct vnode_au_info * vni)268 au_to_attr64(struct vnode_au_info *vni)
269 {
270 token_t *t;
271 u_char *dptr = NULL;
272 u_int16_t pad0_16 = 0;
273 u_int32_t pad0_32 = 0;
274
275 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) +
276 3 * sizeof(u_int32_t) + sizeof(u_int64_t) * 2);
277 if (t == NULL)
278 return (NULL);
279
280 ADD_U_CHAR(dptr, AUT_ATTR64);
281
282 /*
283 * BSD defines the size for the file mode as 2 bytes; BSM defines 4
284 * so pad with 0.
285 *
286 * XXXRW: Possibly should be conditionally compiled.
287 *
288 * XXXRW: Should any conversions take place on the mode?
289 */
290 ADD_U_INT16(dptr, pad0_16);
291 ADD_U_INT16(dptr, vni->vn_mode);
292
293 ADD_U_INT32(dptr, vni->vn_uid);
294 ADD_U_INT32(dptr, vni->vn_gid);
295 ADD_U_INT32(dptr, vni->vn_fsid);
296
297 /*
298 * Some systems use 32-bit file ID's, other's use 64-bit file IDs.
299 * Attempt to handle both, and let the compiler sort it out. If we
300 * could pick this out at compile-time, it would be better, so as to
301 * avoid the else case below.
302 */
303 if (sizeof(vni->vn_fileid) == sizeof(uint32_t)) {
304 ADD_U_INT32(dptr, pad0_32);
305 ADD_U_INT32(dptr, vni->vn_fileid);
306 } else if (sizeof(vni->vn_fileid) == sizeof(uint64_t))
307 ADD_U_INT64(dptr, vni->vn_fileid);
308 else
309 ADD_U_INT64(dptr, 0LL);
310
311 ADD_U_INT64(dptr, vni->vn_dev);
312
313 return (t);
314 }
315
316 token_t *
au_to_attr(struct vnode_au_info * vni)317 au_to_attr(struct vnode_au_info *vni)
318 {
319
320 return (au_to_attr32(vni));
321 }
322 #endif /* !(defined(_KERNEL) || defined(KERNEL) */
323
324 /*
325 * token ID 1 byte
326 * how to print 1 byte
327 * basic unit 1 byte
328 * unit count 1 byte
329 * data items (depends on basic unit)
330 */
331 token_t *
au_to_data(char unit_print,char unit_type,char unit_count,const char * p)332 au_to_data(char unit_print, char unit_type, char unit_count, const char *p)
333 {
334 token_t *t;
335 u_char *dptr = NULL;
336 size_t datasize, totdata;
337
338 /* Determine the size of the basic unit. */
339 switch (unit_type) {
340 case AUR_BYTE:
341 /* case AUR_CHAR: */
342 datasize = AUR_BYTE_SIZE;
343 break;
344
345 case AUR_SHORT:
346 datasize = AUR_SHORT_SIZE;
347 break;
348
349 case AUR_INT32:
350 /* case AUR_INT: */
351 datasize = AUR_INT32_SIZE;
352 break;
353
354 case AUR_INT64:
355 datasize = AUR_INT64_SIZE;
356 break;
357
358 default:
359 errno = EINVAL;
360 return (NULL);
361 }
362
363 totdata = datasize * unit_count;
364
365 GET_TOKEN_AREA(t, dptr, 4 * sizeof(u_char) + totdata);
366 if (t == NULL)
367 return (NULL);
368
369 /*
370 * XXXRW: We should be byte-swapping each data item for multi-byte
371 * types.
372 */
373 ADD_U_CHAR(dptr, AUT_DATA);
374 ADD_U_CHAR(dptr, unit_print);
375 ADD_U_CHAR(dptr, unit_type);
376 ADD_U_CHAR(dptr, unit_count);
377 ADD_MEM(dptr, p, totdata);
378
379 return (t);
380 }
381
382
383 /*
384 * token ID 1 byte
385 * status 4 bytes
386 * return value 4 bytes
387 */
388 token_t *
au_to_exit(int retval,int err)389 au_to_exit(int retval, int err)
390 {
391 token_t *t;
392 u_char *dptr = NULL;
393
394 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int32_t));
395 if (t == NULL)
396 return (NULL);
397
398 ADD_U_CHAR(dptr, AUT_EXIT);
399 ADD_U_INT32(dptr, err);
400 ADD_U_INT32(dptr, retval);
401
402 return (t);
403 }
404
405 /*
406 */
407 token_t *
au_to_groups(int * groups)408 au_to_groups(int *groups)
409 {
410
411 return (au_to_newgroups(AUDIT_MAX_GROUPS, (gid_t *)groups));
412 }
413
414 /*
415 * token ID 1 byte
416 * number groups 2 bytes
417 * group list count * 4 bytes
418 */
419 token_t *
au_to_newgroups(u_int16_t n,gid_t * groups)420 au_to_newgroups(u_int16_t n, gid_t *groups)
421 {
422 token_t *t;
423 u_char *dptr = NULL;
424 int i;
425
426 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) +
427 n * sizeof(u_int32_t));
428 if (t == NULL)
429 return (NULL);
430
431 ADD_U_CHAR(dptr, AUT_NEWGROUPS);
432 ADD_U_INT16(dptr, n);
433 for (i = 0; i < n; i++)
434 ADD_U_INT32(dptr, groups[i]);
435
436 return (t);
437 }
438
439 /*
440 * token ID 1 byte
441 * internet address 4 bytes
442 */
443 token_t *
au_to_in_addr(struct in_addr * internet_addr)444 au_to_in_addr(struct in_addr *internet_addr)
445 {
446 token_t *t;
447 u_char *dptr = NULL;
448
449 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(uint32_t));
450 if (t == NULL)
451 return (NULL);
452
453 ADD_U_CHAR(dptr, AUT_IN_ADDR);
454 ADD_MEM(dptr, &internet_addr->s_addr, sizeof(uint32_t));
455
456 return (t);
457 }
458
459 /*
460 * token ID 1 byte
461 * address type/length 4 bytes
462 * address 16 bytes
463 */
464 token_t *
au_to_in_addr_ex(struct in6_addr * internet_addr)465 au_to_in_addr_ex(struct in6_addr *internet_addr)
466 {
467 token_t *t;
468 u_char *dptr = NULL;
469 u_int32_t type = AU_IPv6;
470
471 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 5 * sizeof(uint32_t));
472 if (t == NULL)
473 return (NULL);
474
475 ADD_U_CHAR(dptr, AUT_IN_ADDR_EX);
476 ADD_U_INT32(dptr, type);
477 ADD_MEM(dptr, internet_addr, 4 * sizeof(uint32_t));
478
479 return (t);
480 }
481
482 /*
483 * token ID 1 byte
484 * ip header 20 bytes
485 *
486 * The IP header should be submitted in network byte order.
487 */
488 token_t *
au_to_ip(struct ip * ip)489 au_to_ip(struct ip *ip)
490 {
491 token_t *t;
492 u_char *dptr = NULL;
493
494 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(struct ip));
495 if (t == NULL)
496 return (NULL);
497
498 ADD_U_CHAR(dptr, AUT_IP);
499 ADD_MEM(dptr, ip, sizeof(struct ip));
500
501 return (t);
502 }
503
504 /*
505 * token ID 1 byte
506 * object ID type 1 byte
507 * object ID 4 bytes
508 */
509 token_t *
au_to_ipc(char type,int id)510 au_to_ipc(char type, int id)
511 {
512 token_t *t;
513 u_char *dptr = NULL;
514
515 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int32_t));
516 if (t == NULL)
517 return (NULL);
518
519 ADD_U_CHAR(dptr, AUT_IPC);
520 ADD_U_CHAR(dptr, type);
521 ADD_U_INT32(dptr, id);
522
523 return (t);
524 }
525
526 /*
527 * token ID 1 byte
528 * owner user ID 4 bytes
529 * owner group ID 4 bytes
530 * creator user ID 4 bytes
531 * creator group ID 4 bytes
532 * access mode 4 bytes
533 * slot sequence # 4 bytes
534 * key 4 bytes
535 */
536 token_t *
au_to_ipc_perm(struct ipc_perm * perm)537 au_to_ipc_perm(struct ipc_perm *perm)
538 {
539 token_t *t;
540 u_char *dptr = NULL;
541 u_int16_t pad0 = 0;
542
543 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 12 * sizeof(u_int16_t) +
544 sizeof(u_int32_t));
545 if (t == NULL)
546 return (NULL);
547
548 ADD_U_CHAR(dptr, AUT_IPC_PERM);
549
550 /*
551 * Systems vary significantly in what types they use in struct
552 * ipc_perm; at least a few still use 16-bit uid's and gid's, so
553 * allow for that, as BSM define 32-bit values here.
554 * Some systems define the sizes for ipc_perm members as 2 bytes;
555 * BSM defines 4 so pad with 0.
556 *
557 * XXXRW: Possibly shoulid be conditionally compiled, and more cases
558 * need to be handled.
559 */
560 if (sizeof(perm->uid) != sizeof(u_int32_t)) {
561 ADD_U_INT16(dptr, pad0);
562 ADD_U_INT16(dptr, perm->uid);
563 ADD_U_INT16(dptr, pad0);
564 ADD_U_INT16(dptr, perm->gid);
565 ADD_U_INT16(dptr, pad0);
566 ADD_U_INT16(dptr, perm->cuid);
567 ADD_U_INT16(dptr, pad0);
568 ADD_U_INT16(dptr, perm->cgid);
569 } else {
570 ADD_U_INT32(dptr, perm->uid);
571 ADD_U_INT32(dptr, perm->gid);
572 ADD_U_INT32(dptr, perm->cuid);
573 ADD_U_INT32(dptr, perm->cgid);
574 }
575
576 ADD_U_INT16(dptr, pad0);
577 ADD_U_INT16(dptr, perm->mode);
578
579 ADD_U_INT16(dptr, pad0);
580
581 #ifdef HAVE_IPC_PERM___SEQ
582 ADD_U_INT16(dptr, perm->__seq);
583 #else /* HAVE_IPC_PERM___SEQ */
584 #ifdef HAVE_IPC_PERM__SEQ
585 ADD_U_INT16(dptr, perm->_seq);
586 #else /* HAVE_IPC_PERM__SEQ */
587 ADD_U_INT16(dptr, perm->seq);
588 #endif /* HAVE_IPC_PERM__SEQ */
589 #endif /* HAVE_IPC_PERM___SEQ */
590
591 #ifdef HAVE_IPC_PERM___KEY
592 ADD_U_INT32(dptr, perm->__key);
593 #else /* HAVE_IPC_PERM___KEY */
594 #ifdef HAVE_IPC_PERM__KEY
595 ADD_U_INT32(dptr, perm->_key);
596 #else /* HAVE_IPC_PERM__KEY */
597 ADD_U_INT32(dptr, perm->key);
598 #endif /* HAVE_IPC_PERM__KEY */
599 #endif /* HAVE_IPC_PERM___KEY */
600
601 return (t);
602 }
603
604 /*
605 * token ID 1 byte
606 * port IP address 2 bytes
607 */
608 token_t *
au_to_iport(u_int16_t iport)609 au_to_iport(u_int16_t iport)
610 {
611 token_t *t;
612 u_char *dptr = NULL;
613
614 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t));
615 if (t == NULL)
616 return (NULL);
617
618 ADD_U_CHAR(dptr, AUT_IPORT);
619 ADD_U_INT16(dptr, iport);
620
621 return (t);
622 }
623
624 /*
625 * token ID 1 byte
626 * size 2 bytes
627 * data size bytes
628 */
629 token_t *
au_to_opaque(const char * data,u_int16_t bytes)630 au_to_opaque(const char *data, u_int16_t bytes)
631 {
632 token_t *t;
633 u_char *dptr = NULL;
634
635 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + bytes);
636 if (t == NULL)
637 return (NULL);
638
639 ADD_U_CHAR(dptr, AUT_OPAQUE);
640 ADD_U_INT16(dptr, bytes);
641 ADD_MEM(dptr, data, bytes);
642
643 return (t);
644 }
645
646 /*
647 * token ID 1 byte
648 * seconds of time 4 bytes
649 * milliseconds of time 4 bytes
650 * file name len 2 bytes
651 * file pathname N bytes + 1 terminating NULL byte
652 */
653 token_t *
au_to_file(const char * file,struct timeval tm)654 au_to_file(const char *file, struct timeval tm)
655 {
656 token_t *t;
657 u_char *dptr = NULL;
658 u_int16_t filelen;
659 u_int32_t timems;
660
661 filelen = strlen(file);
662 filelen += 1;
663
664 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int32_t) +
665 sizeof(u_int16_t) + filelen);
666 if (t == NULL)
667 return (NULL);
668
669 timems = tm.tv_usec/1000;
670
671 ADD_U_CHAR(dptr, AUT_OTHER_FILE32);
672 ADD_U_INT32(dptr, tm.tv_sec);
673 ADD_U_INT32(dptr, timems); /* We need time in ms. */
674 ADD_U_INT16(dptr, filelen);
675 ADD_STRING(dptr, file, filelen);
676
677 return (t);
678 }
679
680 /*
681 * token ID 1 byte
682 * text length 2 bytes
683 * text N bytes + 1 terminating NULL byte
684 */
685 token_t *
au_to_text(const char * text)686 au_to_text(const char *text)
687 {
688 token_t *t;
689 u_char *dptr = NULL;
690 u_int16_t textlen;
691
692 textlen = strlen(text);
693 textlen += 1;
694
695 /* XXXRW: Should validate length against token size limit. */
696
697 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + textlen);
698 if (t == NULL)
699 return (NULL);
700
701 ADD_U_CHAR(dptr, AUT_TEXT);
702 ADD_U_INT16(dptr, textlen);
703 ADD_STRING(dptr, text, textlen);
704
705 return (t);
706 }
707
708 /*
709 * token ID 1 byte
710 * path length 2 bytes
711 * path N bytes + 1 terminating NULL byte
712 */
713 token_t *
au_to_path(const char * text)714 au_to_path(const char *text)
715 {
716 token_t *t;
717 u_char *dptr = NULL;
718 u_int16_t textlen;
719
720 textlen = strlen(text);
721 textlen += 1;
722
723 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + textlen);
724 if (t == NULL)
725 return (NULL);
726
727 ADD_U_CHAR(dptr, AUT_PATH);
728 ADD_U_INT16(dptr, textlen);
729 ADD_STRING(dptr, text, textlen);
730
731 return (t);
732 }
733
734 /*
735 * token ID 1 byte
736 * audit ID 4 bytes
737 * effective user ID 4 bytes
738 * effective group ID 4 bytes
739 * real user ID 4 bytes
740 * real group ID 4 bytes
741 * process ID 4 bytes
742 * session ID 4 bytes
743 * terminal ID
744 * port ID 4 bytes/8 bytes (32-bit/64-bit value)
745 * machine address 4 bytes
746 */
747 token_t *
au_to_process32(au_id_t auid,uid_t euid,gid_t egid,uid_t ruid,gid_t rgid,pid_t pid,au_asid_t sid,au_tid_t * tid)748 au_to_process32(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
749 pid_t pid, au_asid_t sid, au_tid_t *tid)
750 {
751 token_t *t;
752 u_char *dptr = NULL;
753
754 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 9 * sizeof(u_int32_t));
755 if (t == NULL)
756 return (NULL);
757
758 ADD_U_CHAR(dptr, AUT_PROCESS32);
759 ADD_U_INT32(dptr, auid);
760 ADD_U_INT32(dptr, euid);
761 ADD_U_INT32(dptr, egid);
762 ADD_U_INT32(dptr, ruid);
763 ADD_U_INT32(dptr, rgid);
764 ADD_U_INT32(dptr, pid);
765 ADD_U_INT32(dptr, sid);
766 ADD_U_INT32(dptr, tid->port);
767
768 /*
769 * Note: Solaris will write out IPv6 addresses here as a 32-bit
770 * address type and 16 bytes of address, but for IPv4 addresses it
771 * simply writes the 4-byte address directly. We support only IPv4
772 * addresses for process32 tokens.
773 */
774 ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t));
775
776 return (t);
777 }
778
779 token_t *
au_to_process64(au_id_t auid,uid_t euid,gid_t egid,uid_t ruid,gid_t rgid,pid_t pid,au_asid_t sid,au_tid_t * tid)780 au_to_process64(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
781 pid_t pid, au_asid_t sid, au_tid_t *tid)
782 {
783 token_t *t;
784 u_char *dptr = NULL;
785
786 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 8 * sizeof(u_int32_t) +
787 sizeof(u_int64_t));
788 if (t == NULL)
789 return (NULL);
790
791 ADD_U_CHAR(dptr, AUT_PROCESS64);
792 ADD_U_INT32(dptr, auid);
793 ADD_U_INT32(dptr, euid);
794 ADD_U_INT32(dptr, egid);
795 ADD_U_INT32(dptr, ruid);
796 ADD_U_INT32(dptr, rgid);
797 ADD_U_INT32(dptr, pid);
798 ADD_U_INT32(dptr, sid);
799 ADD_U_INT64(dptr, tid->port);
800
801 /*
802 * Note: Solaris will write out IPv6 addresses here as a 32-bit
803 * address type and 16 bytes of address, but for IPv4 addresses it
804 * simply writes the 4-byte address directly. We support only IPv4
805 * addresses for process64 tokens.
806 */
807 ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t));
808
809 return (t);
810 }
811
812 token_t *
au_to_process(au_id_t auid,uid_t euid,gid_t egid,uid_t ruid,gid_t rgid,pid_t pid,au_asid_t sid,au_tid_t * tid)813 au_to_process(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
814 pid_t pid, au_asid_t sid, au_tid_t *tid)
815 {
816
817 return (au_to_process32(auid, euid, egid, ruid, rgid, pid, sid,
818 tid));
819 }
820
821 /*
822 * token ID 1 byte
823 * audit ID 4 bytes
824 * effective user ID 4 bytes
825 * effective group ID 4 bytes
826 * real user ID 4 bytes
827 * real group ID 4 bytes
828 * process ID 4 bytes
829 * session ID 4 bytes
830 * terminal ID
831 * port ID 4 bytes/8 bytes (32-bit/64-bit value)
832 * address type-len 4 bytes
833 * machine address 16 bytes
834 */
835 token_t *
au_to_process32_ex(au_id_t auid,uid_t euid,gid_t egid,uid_t ruid,gid_t rgid,pid_t pid,au_asid_t sid,au_tid_addr_t * tid)836 au_to_process32_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
837 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
838 {
839 token_t *t;
840 u_char *dptr = NULL;
841
842 if (tid->at_type == AU_IPv4)
843 GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
844 10 * sizeof(u_int32_t));
845 else if (tid->at_type == AU_IPv6)
846 GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
847 13 * sizeof(u_int32_t));
848 else {
849 errno = EINVAL;
850 return (NULL);
851 }
852 if (t == NULL)
853 return (NULL);
854
855 ADD_U_CHAR(dptr, AUT_PROCESS32_EX);
856 ADD_U_INT32(dptr, auid);
857 ADD_U_INT32(dptr, euid);
858 ADD_U_INT32(dptr, egid);
859 ADD_U_INT32(dptr, ruid);
860 ADD_U_INT32(dptr, rgid);
861 ADD_U_INT32(dptr, pid);
862 ADD_U_INT32(dptr, sid);
863 ADD_U_INT32(dptr, tid->at_port);
864 ADD_U_INT32(dptr, tid->at_type);
865 ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t));
866 if (tid->at_type == AU_IPv6) {
867 ADD_MEM(dptr, &tid->at_addr[1], sizeof(u_int32_t));
868 ADD_MEM(dptr, &tid->at_addr[2], sizeof(u_int32_t));
869 ADD_MEM(dptr, &tid->at_addr[3], sizeof(u_int32_t));
870 }
871
872 return (t);
873 }
874
875 token_t *
au_to_process64_ex(au_id_t auid,uid_t euid,gid_t egid,uid_t ruid,gid_t rgid,pid_t pid,au_asid_t sid,au_tid_addr_t * tid)876 au_to_process64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
877 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
878 {
879 token_t *t;
880 u_char *dptr = NULL;
881
882 if (tid->at_type == AU_IPv4)
883 GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
884 7 * sizeof(u_int32_t) + sizeof(u_int64_t) +
885 2 * sizeof(u_int32_t));
886 else if (tid->at_type == AU_IPv6)
887 GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
888 7 * sizeof(u_int32_t) + sizeof(u_int64_t) +
889 5 * sizeof(u_int32_t));
890 else {
891 errno = EINVAL;
892 return (NULL);
893 }
894 if (t == NULL)
895 return (NULL);
896
897 ADD_U_CHAR(dptr, AUT_PROCESS64_EX);
898 ADD_U_INT32(dptr, auid);
899 ADD_U_INT32(dptr, euid);
900 ADD_U_INT32(dptr, egid);
901 ADD_U_INT32(dptr, ruid);
902 ADD_U_INT32(dptr, rgid);
903 ADD_U_INT32(dptr, pid);
904 ADD_U_INT32(dptr, sid);
905 ADD_U_INT64(dptr, tid->at_port);
906 ADD_U_INT32(dptr, tid->at_type);
907 ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t));
908 if (tid->at_type == AU_IPv6) {
909 ADD_MEM(dptr, &tid->at_addr[1], sizeof(u_int32_t));
910 ADD_MEM(dptr, &tid->at_addr[2], sizeof(u_int32_t));
911 ADD_MEM(dptr, &tid->at_addr[3], sizeof(u_int32_t));
912 }
913
914 return (t);
915 }
916
917 token_t *
au_to_process_ex(au_id_t auid,uid_t euid,gid_t egid,uid_t ruid,gid_t rgid,pid_t pid,au_asid_t sid,au_tid_addr_t * tid)918 au_to_process_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
919 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
920 {
921
922 return (au_to_process32_ex(auid, euid, egid, ruid, rgid, pid, sid,
923 tid));
924 }
925
926 /*
927 * token ID 1 byte
928 * error status 1 byte
929 * return value 4 bytes/8 bytes (32-bit/64-bit value)
930 */
931 token_t *
au_to_return32(char status,u_int32_t ret)932 au_to_return32(char status, u_int32_t ret)
933 {
934 token_t *t;
935 u_char *dptr = NULL;
936
937 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int32_t));
938 if (t == NULL)
939 return (NULL);
940
941 ADD_U_CHAR(dptr, AUT_RETURN32);
942 ADD_U_CHAR(dptr, status);
943 ADD_U_INT32(dptr, ret);
944
945 return (t);
946 }
947
948 token_t *
au_to_return64(char status,u_int64_t ret)949 au_to_return64(char status, u_int64_t ret)
950 {
951 token_t *t;
952 u_char *dptr = NULL;
953
954 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int64_t));
955 if (t == NULL)
956 return (NULL);
957
958 ADD_U_CHAR(dptr, AUT_RETURN64);
959 ADD_U_CHAR(dptr, status);
960 ADD_U_INT64(dptr, ret);
961
962 return (t);
963 }
964
965 token_t *
au_to_return(char status,u_int32_t ret)966 au_to_return(char status, u_int32_t ret)
967 {
968
969 return (au_to_return32(status, ret));
970 }
971
972 /*
973 * token ID 1 byte
974 * sequence number 4 bytes
975 */
976 token_t *
au_to_seq(long audit_count)977 au_to_seq(long audit_count)
978 {
979 token_t *t;
980 u_char *dptr = NULL;
981
982 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t));
983 if (t == NULL)
984 return (NULL);
985
986 ADD_U_CHAR(dptr, AUT_SEQ);
987 ADD_U_INT32(dptr, audit_count);
988
989 return (t);
990 }
991
992 /*
993 * token ID 1 byte
994 * socket domain 2 bytes
995 * socket type 2 bytes
996 * address type 2 byte
997 * local port 2 bytes
998 * local address 4 bytes/16 bytes (IPv4/IPv6 address)
999 * remote port 2 bytes
1000 * remote address 4 bytes/16 bytes (IPv4/IPv6 address)
1001 *
1002 * Domain and type arguments to this routine are assumed to already have been
1003 * converted to the BSM constant space, so we don't do that here.
1004 */
1005 token_t *
au_to_socket_ex(u_short so_domain,u_short so_type,struct sockaddr * sa_local,struct sockaddr * sa_remote)1006 au_to_socket_ex(u_short so_domain, u_short so_type,
1007 struct sockaddr *sa_local, struct sockaddr *sa_remote)
1008 {
1009 token_t *t;
1010 u_char *dptr = NULL;
1011 struct sockaddr_in *sin;
1012 struct sockaddr_in6 *sin6;
1013
1014 if (so_domain == AF_INET)
1015 GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
1016 5 * sizeof(u_int16_t) + 2 * sizeof(u_int32_t));
1017 else if (so_domain == AF_INET6)
1018 GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
1019 5 * sizeof(u_int16_t) + 8 * sizeof(u_int32_t));
1020 else {
1021 errno = EINVAL;
1022 return (NULL);
1023 }
1024 if (t == NULL)
1025 return (NULL);
1026
1027 ADD_U_CHAR(dptr, AUT_SOCKET_EX);
1028 ADD_U_INT16(dptr, au_domain_to_bsm(so_domain));
1029 ADD_U_INT16(dptr, au_socket_type_to_bsm(so_type));
1030 if (so_domain == AF_INET) {
1031 ADD_U_INT16(dptr, AU_IPv4);
1032 sin = (struct sockaddr_in *)sa_local;
1033 ADD_MEM(dptr, &sin->sin_port, sizeof(uint16_t));
1034 ADD_MEM(dptr, &sin->sin_addr.s_addr, sizeof(uint32_t));
1035 sin = (struct sockaddr_in *)sa_remote;
1036 ADD_MEM(dptr, &sin->sin_port, sizeof(uint16_t));
1037 ADD_MEM(dptr, &sin->sin_addr.s_addr, sizeof(uint32_t));
1038 } else {
1039 ADD_U_INT16(dptr, AU_IPv6);
1040 sin6 = (struct sockaddr_in6 *)sa_local;
1041 ADD_MEM(dptr, &sin6->sin6_port, sizeof(uint16_t));
1042 ADD_MEM(dptr, &sin6->sin6_addr, 4 * sizeof(uint32_t));
1043 sin6 = (struct sockaddr_in6 *)sa_remote;
1044 ADD_MEM(dptr, &sin6->sin6_port, sizeof(uint16_t));
1045 ADD_MEM(dptr, &sin6->sin6_addr, 4 * sizeof(uint32_t));
1046 }
1047
1048 return (t);
1049 }
1050
1051 /*
1052 * token ID 1 byte
1053 * socket family 2 bytes
1054 * path (up to) 104 bytes + NULL (NULL terminated string)
1055 */
1056 token_t *
au_to_sock_unix(struct sockaddr_un * so)1057 au_to_sock_unix(struct sockaddr_un *so)
1058 {
1059 token_t *t;
1060 u_char *dptr;
1061
1062 GET_TOKEN_AREA(t, dptr, 3 * sizeof(u_char) + strlen(so->sun_path) + 1);
1063 if (t == NULL)
1064 return (NULL);
1065
1066 ADD_U_CHAR(dptr, AUT_SOCKUNIX);
1067 /* BSM token has two bytes for family */
1068 ADD_U_CHAR(dptr, 0);
1069 ADD_U_CHAR(dptr, so->sun_family);
1070 ADD_STRING(dptr, so->sun_path, strlen(so->sun_path) + 1);
1071
1072 return (t);
1073 }
1074
1075 /*
1076 * token ID 1 byte
1077 * socket family 2 bytes
1078 * local port 2 bytes
1079 * socket address 4 bytes
1080 */
1081 token_t *
au_to_sock_inet32(struct sockaddr_in * so)1082 au_to_sock_inet32(struct sockaddr_in *so)
1083 {
1084 token_t *t;
1085 u_char *dptr = NULL;
1086 uint16_t family;
1087
1088 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(uint16_t) +
1089 sizeof(uint32_t));
1090 if (t == NULL)
1091 return (NULL);
1092
1093 ADD_U_CHAR(dptr, AUT_SOCKINET32);
1094 /*
1095 * BSM defines the family field as 16 bits, but many operating
1096 * systems have an 8-bit sin_family field. Extend to 16 bits before
1097 * writing into the token. Assume that both the port and the address
1098 * in the sockaddr_in are already in network byte order, but family
1099 * is in local byte order.
1100 *
1101 * XXXRW: Should a name space conversion be taking place on the value
1102 * of sin_family?
1103 */
1104 family = so->sin_family;
1105 ADD_U_INT16(dptr, family);
1106 ADD_MEM(dptr, &so->sin_port, sizeof(uint16_t));
1107 ADD_MEM(dptr, &so->sin_addr.s_addr, sizeof(uint32_t));
1108
1109 return (t);
1110 }
1111
1112 token_t *
au_to_sock_inet128(struct sockaddr_in6 * so)1113 au_to_sock_inet128(struct sockaddr_in6 *so)
1114 {
1115 token_t *t;
1116 u_char *dptr = NULL;
1117
1118 GET_TOKEN_AREA(t, dptr, 3 * sizeof(u_char) + sizeof(u_int16_t) +
1119 4 * sizeof(u_int32_t));
1120 if (t == NULL)
1121 return (NULL);
1122
1123 ADD_U_CHAR(dptr, AUT_SOCKINET128);
1124 /*
1125 * In BSD, sin6_family is one octet, but BSM defines the token to
1126 * store two. So we copy in a 0 first. XXXRW: Possibly should be
1127 * conditionally compiled.
1128 */
1129 ADD_U_CHAR(dptr, 0);
1130 ADD_U_CHAR(dptr, so->sin6_family);
1131
1132 ADD_U_INT16(dptr, so->sin6_port);
1133 ADD_MEM(dptr, &so->sin6_addr, 4 * sizeof(uint32_t));
1134
1135 return (t);
1136 }
1137
1138 token_t *
au_to_sock_inet(struct sockaddr_in * so)1139 au_to_sock_inet(struct sockaddr_in *so)
1140 {
1141
1142 return (au_to_sock_inet32(so));
1143 }
1144
1145 /*
1146 * token ID 1 byte
1147 * audit ID 4 bytes
1148 * effective user ID 4 bytes
1149 * effective group ID 4 bytes
1150 * real user ID 4 bytes
1151 * real group ID 4 bytes
1152 * process ID 4 bytes
1153 * session ID 4 bytes
1154 * terminal ID
1155 * port ID 4 bytes/8 bytes (32-bit/64-bit value)
1156 * machine address 4 bytes
1157 */
1158 token_t *
au_to_subject32(au_id_t auid,uid_t euid,gid_t egid,uid_t ruid,gid_t rgid,pid_t pid,au_asid_t sid,au_tid_t * tid)1159 au_to_subject32(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
1160 pid_t pid, au_asid_t sid, au_tid_t *tid)
1161 {
1162 token_t *t;
1163 u_char *dptr = NULL;
1164
1165 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 9 * sizeof(u_int32_t));
1166 if (t == NULL)
1167 return (NULL);
1168
1169 ADD_U_CHAR(dptr, AUT_SUBJECT32);
1170 ADD_U_INT32(dptr, auid);
1171 ADD_U_INT32(dptr, euid);
1172 ADD_U_INT32(dptr, egid);
1173 ADD_U_INT32(dptr, ruid);
1174 ADD_U_INT32(dptr, rgid);
1175 ADD_U_INT32(dptr, pid);
1176 ADD_U_INT32(dptr, sid);
1177 ADD_U_INT32(dptr, tid->port);
1178 ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t));
1179
1180 return (t);
1181 }
1182
1183 token_t *
au_to_subject64(au_id_t auid,uid_t euid,gid_t egid,uid_t ruid,gid_t rgid,pid_t pid,au_asid_t sid,au_tid_t * tid)1184 au_to_subject64(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
1185 pid_t pid, au_asid_t sid, au_tid_t *tid)
1186 {
1187 token_t *t;
1188 u_char *dptr = NULL;
1189
1190 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 7 * sizeof(u_int32_t) +
1191 sizeof(u_int64_t) + sizeof(u_int32_t));
1192 if (t == NULL)
1193 return (NULL);
1194
1195 ADD_U_CHAR(dptr, AUT_SUBJECT64);
1196 ADD_U_INT32(dptr, auid);
1197 ADD_U_INT32(dptr, euid);
1198 ADD_U_INT32(dptr, egid);
1199 ADD_U_INT32(dptr, ruid);
1200 ADD_U_INT32(dptr, rgid);
1201 ADD_U_INT32(dptr, pid);
1202 ADD_U_INT32(dptr, sid);
1203 ADD_U_INT64(dptr, tid->port);
1204 ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t));
1205
1206 return (t);
1207 }
1208
1209 token_t *
au_to_subject(au_id_t auid,uid_t euid,gid_t egid,uid_t ruid,gid_t rgid,pid_t pid,au_asid_t sid,au_tid_t * tid)1210 au_to_subject(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
1211 pid_t pid, au_asid_t sid, au_tid_t *tid)
1212 {
1213
1214 return (au_to_subject32(auid, euid, egid, ruid, rgid, pid, sid,
1215 tid));
1216 }
1217
1218 /*
1219 * token ID 1 byte
1220 * audit ID 4 bytes
1221 * effective user ID 4 bytes
1222 * effective group ID 4 bytes
1223 * real user ID 4 bytes
1224 * real group ID 4 bytes
1225 * process ID 4 bytes
1226 * session ID 4 bytes
1227 * terminal ID
1228 * port ID 4 bytes/8 bytes (32-bit/64-bit value)
1229 * address type/length 4 bytes
1230 * machine address 16 bytes
1231 */
1232 token_t *
au_to_subject32_ex(au_id_t auid,uid_t euid,gid_t egid,uid_t ruid,gid_t rgid,pid_t pid,au_asid_t sid,au_tid_addr_t * tid)1233 au_to_subject32_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
1234 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
1235 {
1236 token_t *t;
1237 u_char *dptr = NULL;
1238
1239 if (tid->at_type == AU_IPv4)
1240 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 10 *
1241 sizeof(u_int32_t));
1242 else if (tid->at_type == AU_IPv6)
1243 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 13 *
1244 sizeof(u_int32_t));
1245 else {
1246 errno = EINVAL;
1247 return (NULL);
1248 }
1249 if (t == NULL)
1250 return (NULL);
1251
1252 ADD_U_CHAR(dptr, AUT_SUBJECT32_EX);
1253 ADD_U_INT32(dptr, auid);
1254 ADD_U_INT32(dptr, euid);
1255 ADD_U_INT32(dptr, egid);
1256 ADD_U_INT32(dptr, ruid);
1257 ADD_U_INT32(dptr, rgid);
1258 ADD_U_INT32(dptr, pid);
1259 ADD_U_INT32(dptr, sid);
1260 ADD_U_INT32(dptr, tid->at_port);
1261 ADD_U_INT32(dptr, tid->at_type);
1262 if (tid->at_type == AU_IPv6)
1263 ADD_MEM(dptr, &tid->at_addr[0], 4 * sizeof(u_int32_t));
1264 else
1265 ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t));
1266
1267 return (t);
1268 }
1269
1270 token_t *
au_to_subject64_ex(au_id_t auid,uid_t euid,gid_t egid,uid_t ruid,gid_t rgid,pid_t pid,au_asid_t sid,au_tid_addr_t * tid)1271 au_to_subject64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
1272 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
1273 {
1274 token_t *t;
1275 u_char *dptr = NULL;
1276
1277 if (tid->at_type == AU_IPv4)
1278 GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
1279 7 * sizeof(u_int32_t) + sizeof(u_int64_t) +
1280 2 * sizeof(u_int32_t));
1281 else if (tid->at_type == AU_IPv6)
1282 GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
1283 7 * sizeof(u_int32_t) + sizeof(u_int64_t) +
1284 5 * sizeof(u_int32_t));
1285 else {
1286 errno = EINVAL;
1287 return (NULL);
1288 }
1289 if (t == NULL)
1290 return (NULL);
1291
1292 ADD_U_CHAR(dptr, AUT_SUBJECT64_EX);
1293 ADD_U_INT32(dptr, auid);
1294 ADD_U_INT32(dptr, euid);
1295 ADD_U_INT32(dptr, egid);
1296 ADD_U_INT32(dptr, ruid);
1297 ADD_U_INT32(dptr, rgid);
1298 ADD_U_INT32(dptr, pid);
1299 ADD_U_INT32(dptr, sid);
1300 ADD_U_INT64(dptr, tid->at_port);
1301 ADD_U_INT32(dptr, tid->at_type);
1302 if (tid->at_type == AU_IPv6)
1303 ADD_MEM(dptr, &tid->at_addr[0], 4 * sizeof(u_int32_t));
1304 else
1305 ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t));
1306
1307 return (t);
1308 }
1309
1310 token_t *
au_to_subject_ex(au_id_t auid,uid_t euid,gid_t egid,uid_t ruid,gid_t rgid,pid_t pid,au_asid_t sid,au_tid_addr_t * tid)1311 au_to_subject_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
1312 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
1313 {
1314
1315 return (au_to_subject32_ex(auid, euid, egid, ruid, rgid, pid, sid,
1316 tid));
1317 }
1318
1319 #if !defined(_KERNEL) && !defined(KERNEL) && defined(HAVE_AUDIT_SYSCALLS)
1320 /*
1321 * Collects audit information for the current process and creates a subject
1322 * token from it.
1323 */
1324 token_t *
au_to_me(void)1325 au_to_me(void)
1326 {
1327 auditinfo_t auinfo;
1328 auditinfo_addr_t aia;
1329
1330 /*
1331 * Try to use getaudit_addr(2) first. If this kernel does not support
1332 * it, then fall back on to getaudit(2).
1333 */
1334 if (getaudit_addr(&aia, sizeof(aia)) != 0) {
1335 if (errno == ENOSYS) {
1336 if (getaudit(&auinfo) != 0)
1337 return (NULL);
1338 return (au_to_subject32(auinfo.ai_auid, geteuid(),
1339 getegid(), getuid(), getgid(), getpid(),
1340 auinfo.ai_asid, &auinfo.ai_termid));
1341 } else {
1342 /* getaudit_addr(2) failed for some other reason. */
1343 return (NULL);
1344 }
1345 }
1346
1347 return (au_to_subject32_ex(aia.ai_auid, geteuid(), getegid(), getuid(),
1348 getgid(), getpid(), aia.ai_asid, &aia.ai_termid));
1349 }
1350 #endif
1351
1352 /*
1353 * token ID 1 byte
1354 * count 4 bytes
1355 * text count null-terminated strings
1356 */
1357 token_t *
au_to_exec_args(char ** argv)1358 au_to_exec_args(char **argv)
1359 {
1360 token_t *t;
1361 u_char *dptr = NULL;
1362 const char *nextarg;
1363 int i, count = 0;
1364 size_t totlen = 0;
1365
1366 nextarg = *argv;
1367
1368 while (nextarg != NULL) {
1369 int nextlen;
1370
1371 nextlen = strlen(nextarg);
1372 totlen += nextlen + 1;
1373 count++;
1374 nextarg = *(argv + count);
1375 }
1376
1377 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + totlen);
1378 if (t == NULL)
1379 return (NULL);
1380
1381 ADD_U_CHAR(dptr, AUT_EXEC_ARGS);
1382 ADD_U_INT32(dptr, count);
1383
1384 for (i = 0; i < count; i++) {
1385 nextarg = *(argv + i);
1386 ADD_MEM(dptr, nextarg, strlen(nextarg) + 1);
1387 }
1388
1389 return (t);
1390 }
1391
1392 /*
1393 * token ID 1 byte
1394 * count 4 bytes
1395 * text count null-terminated strings
1396 */
1397 token_t *
au_to_exec_env(char ** envp)1398 au_to_exec_env(char **envp)
1399 {
1400 token_t *t;
1401 u_char *dptr = NULL;
1402 int i, count = 0;
1403 size_t totlen = 0;
1404 const char *nextenv;
1405
1406 nextenv = *envp;
1407
1408 while (nextenv != NULL) {
1409 int nextlen;
1410
1411 nextlen = strlen(nextenv);
1412 totlen += nextlen + 1;
1413 count++;
1414 nextenv = *(envp + count);
1415 }
1416
1417 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + totlen);
1418 if (t == NULL)
1419 return (NULL);
1420
1421 ADD_U_CHAR(dptr, AUT_EXEC_ENV);
1422 ADD_U_INT32(dptr, count);
1423
1424 for (i = 0; i < count; i++) {
1425 nextenv = *(envp + i);
1426 ADD_MEM(dptr, nextenv, strlen(nextenv) + 1);
1427 }
1428
1429 return (t);
1430 }
1431
1432 /*
1433 * token ID 1 byte
1434 * zonename length 2 bytes
1435 * zonename N bytes + 1 terminating NULL byte
1436 */
1437 token_t *
au_to_zonename(const char * zonename)1438 au_to_zonename(const char *zonename)
1439 {
1440 u_char *dptr = NULL;
1441 u_int16_t textlen;
1442 token_t *t;
1443
1444 textlen = strlen(zonename) + 1;
1445 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + textlen);
1446 if (t == NULL)
1447 return (NULL);
1448
1449 ADD_U_CHAR(dptr, AUT_ZONENAME);
1450 ADD_U_INT16(dptr, textlen);
1451 ADD_STRING(dptr, zonename, textlen);
1452 return (t);
1453 }
1454
1455 /*
1456 * token ID 1 byte
1457 * record byte count 4 bytes
1458 * version # 1 byte [2]
1459 * event type 2 bytes
1460 * event modifier 2 bytes
1461 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value)
1462 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value)
1463 */
1464 token_t *
au_to_header32_tm(int rec_size,au_event_t e_type,au_emod_t e_mod,struct timeval tm)1465 au_to_header32_tm(int rec_size, au_event_t e_type, au_emod_t e_mod,
1466 struct timeval tm)
1467 {
1468 token_t *t;
1469 u_char *dptr = NULL;
1470 u_int32_t timems;
1471
1472 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) +
1473 sizeof(u_char) + 2 * sizeof(u_int16_t) + 2 * sizeof(u_int32_t));
1474 if (t == NULL)
1475 return (NULL);
1476
1477 ADD_U_CHAR(dptr, AUT_HEADER32);
1478 ADD_U_INT32(dptr, rec_size);
1479 ADD_U_CHAR(dptr, AUDIT_HEADER_VERSION_OPENBSM);
1480 ADD_U_INT16(dptr, e_type);
1481 ADD_U_INT16(dptr, e_mod);
1482
1483 timems = tm.tv_usec/1000;
1484 /* Add the timestamp */
1485 ADD_U_INT32(dptr, tm.tv_sec);
1486 ADD_U_INT32(dptr, timems); /* We need time in ms. */
1487
1488 return (t);
1489 }
1490
1491 /*
1492 * token ID 1 byte
1493 * record byte count 4 bytes
1494 * version # 1 byte [2]
1495 * event type 2 bytes
1496 * event modifier 2 bytes
1497 * address type/length 4 bytes
1498 * machine address 4 bytes/16 bytes (IPv4/IPv6 address)
1499 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value)
1500 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value)
1501 */
1502 token_t *
au_to_header32_ex_tm(int rec_size,au_event_t e_type,au_emod_t e_mod,struct timeval tm,struct auditinfo_addr * aia)1503 au_to_header32_ex_tm(int rec_size, au_event_t e_type, au_emod_t e_mod,
1504 struct timeval tm, struct auditinfo_addr *aia)
1505 {
1506 token_t *t;
1507 u_char *dptr = NULL;
1508 u_int32_t timems;
1509 au_tid_addr_t *tid;
1510
1511 tid = &aia->ai_termid;
1512 if (tid->at_type != AU_IPv4 && tid->at_type != AU_IPv6)
1513 return (NULL);
1514 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) +
1515 sizeof(u_char) + 2 * sizeof(u_int16_t) + 3 *
1516 sizeof(u_int32_t) + tid->at_type);
1517 if (t == NULL)
1518 return (NULL);
1519
1520 ADD_U_CHAR(dptr, AUT_HEADER32_EX);
1521 ADD_U_INT32(dptr, rec_size);
1522 ADD_U_CHAR(dptr, AUDIT_HEADER_VERSION_OPENBSM);
1523 ADD_U_INT16(dptr, e_type);
1524 ADD_U_INT16(dptr, e_mod);
1525
1526 ADD_U_INT32(dptr, tid->at_type);
1527 if (tid->at_type == AU_IPv6)
1528 ADD_MEM(dptr, &tid->at_addr[0], 4 * sizeof(u_int32_t));
1529 else
1530 ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t));
1531 timems = tm.tv_usec/1000;
1532 /* Add the timestamp */
1533 ADD_U_INT32(dptr, tm.tv_sec);
1534 ADD_U_INT32(dptr, timems); /* We need time in ms. */
1535
1536 return (t);
1537 }
1538
1539 token_t *
au_to_header64_tm(int rec_size,au_event_t e_type,au_emod_t e_mod,struct timeval tm)1540 au_to_header64_tm(int rec_size, au_event_t e_type, au_emod_t e_mod,
1541 struct timeval tm)
1542 {
1543 token_t *t;
1544 u_char *dptr = NULL;
1545 u_int32_t timems;
1546
1547 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) +
1548 sizeof(u_char) + 2 * sizeof(u_int16_t) + 2 * sizeof(u_int64_t));
1549 if (t == NULL)
1550 return (NULL);
1551
1552 ADD_U_CHAR(dptr, AUT_HEADER64);
1553 ADD_U_INT32(dptr, rec_size);
1554 ADD_U_CHAR(dptr, AUDIT_HEADER_VERSION_OPENBSM);
1555 ADD_U_INT16(dptr, e_type);
1556 ADD_U_INT16(dptr, e_mod);
1557
1558 timems = tm.tv_usec/1000;
1559 /* Add the timestamp */
1560 ADD_U_INT64(dptr, tm.tv_sec);
1561 ADD_U_INT64(dptr, timems); /* We need time in ms. */
1562
1563 return (t);
1564 }
1565
1566 #if !defined(KERNEL) && !defined(_KERNEL)
1567 #ifdef HAVE_AUDIT_SYSCALLS
1568 token_t *
au_to_header32_ex(int rec_size,au_event_t e_type,au_emod_t e_mod)1569 au_to_header32_ex(int rec_size, au_event_t e_type, au_emod_t e_mod)
1570 {
1571 struct timeval tm;
1572 struct auditinfo_addr aia;
1573
1574 if (gettimeofday(&tm, NULL) == -1)
1575 return (NULL);
1576 if (audit_get_kaudit(&aia, sizeof(aia)) != 0) {
1577 if (errno != ENOSYS)
1578 return (NULL);
1579 return (au_to_header32_tm(rec_size, e_type, e_mod, tm));
1580 }
1581 return (au_to_header32_ex_tm(rec_size, e_type, e_mod, tm, &aia));
1582 }
1583 #endif /* HAVE_AUDIT_SYSCALLS */
1584
1585 token_t *
au_to_header32(int rec_size,au_event_t e_type,au_emod_t e_mod)1586 au_to_header32(int rec_size, au_event_t e_type, au_emod_t e_mod)
1587 {
1588 struct timeval tm;
1589
1590 if (gettimeofday(&tm, NULL) == -1)
1591 return (NULL);
1592 return (au_to_header32_tm(rec_size, e_type, e_mod, tm));
1593 }
1594
1595 token_t *
au_to_header64(__unused int rec_size,__unused au_event_t e_type,__unused au_emod_t e_mod)1596 au_to_header64(__unused int rec_size, __unused au_event_t e_type,
1597 __unused au_emod_t e_mod)
1598 {
1599 struct timeval tm;
1600
1601 if (gettimeofday(&tm, NULL) == -1)
1602 return (NULL);
1603 return (au_to_header64_tm(rec_size, e_type, e_mod, tm));
1604 }
1605
1606 token_t *
au_to_header(int rec_size,au_event_t e_type,au_emod_t e_mod)1607 au_to_header(int rec_size, au_event_t e_type, au_emod_t e_mod)
1608 {
1609
1610 return (au_to_header32(rec_size, e_type, e_mod));
1611 }
1612
1613 #ifdef HAVE_AUDIT_SYSCALLS
1614 token_t *
au_to_header_ex(int rec_size,au_event_t e_type,au_emod_t e_mod)1615 au_to_header_ex(int rec_size, au_event_t e_type, au_emod_t e_mod)
1616 {
1617
1618 return (au_to_header32_ex(rec_size, e_type, e_mod));
1619 }
1620 #endif /* HAVE_AUDIT_SYSCALLS */
1621 #endif /* !defined(KERNEL) && !defined(_KERNEL) */
1622
1623 /*
1624 * token ID 1 byte
1625 * trailer magic number 2 bytes
1626 * record byte count 4 bytes
1627 */
1628 token_t *
au_to_trailer(int rec_size)1629 au_to_trailer(int rec_size)
1630 {
1631 token_t *t;
1632 u_char *dptr = NULL;
1633 u_int16_t magic = AUT_TRAILER_MAGIC;
1634
1635 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) +
1636 sizeof(u_int32_t));
1637 if (t == NULL)
1638 return (NULL);
1639
1640 ADD_U_CHAR(dptr, AUT_TRAILER);
1641 ADD_U_INT16(dptr, magic);
1642 ADD_U_INT32(dptr, rec_size);
1643
1644 return (t);
1645 }
1646