1 /*- 2 * Copyright (c) 2004-2009 Apple Inc. 3 * Copyright (c) 2005 SPARTA, Inc. 4 * All rights reserved. 5 * 6 * This code was developed in part by Robert N. M. Watson, Senior Principal 7 * Scientist, SPARTA, Inc. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. Neither the name of Apple Inc. ("Apple") nor the names of 18 * its contributors may be used to endorse or promote products derived 19 * from this software without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR 25 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 29 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 30 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 31 * POSSIBILITY OF SUCH DAMAGE. 32 * 33 * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_token.c#99 $ 34 */ 35 36 #include <sys/types.h> 37 38 #include <config/config.h> 39 40 #ifdef USE_ENDIAN_H 41 #include <endian.h> 42 #endif 43 #ifdef USE_SYS_ENDIAN_H 44 #include <sys/endian.h> 45 #endif 46 #ifdef USE_MACHINE_ENDIAN_H 47 #include <machine/endian.h> 48 #endif 49 #ifdef USE_COMPAT_ENDIAN_H 50 #include <compat/endian.h> 51 #endif 52 #ifdef USE_COMPAT_ENDIAN_ENC_H 53 #include <compat/endian_enc.h> 54 #endif 55 56 #ifdef HAVE_FULL_QUEUE_H 57 #include <sys/queue.h> 58 #else /* !HAVE_FULL_QUEUE_H */ 59 #include <compat/queue.h> 60 #endif /* !HAVE_FULL_QUEUE_H */ 61 62 #include <sys/socket.h> 63 #include <sys/time.h> 64 #include <sys/un.h> 65 66 #include <sys/ipc.h> 67 68 #include <netinet/in.h> 69 #include <netinet/in_systm.h> 70 #include <netinet/ip.h> 71 72 #include <assert.h> 73 #include <errno.h> 74 #include <string.h> 75 #include <stdlib.h> 76 #include <unistd.h> 77 78 #include <bsm/audit_internal.h> 79 #include <bsm/libbsm.h> 80 81 #define GET_TOKEN_AREA(t, dptr, length) do { \ 82 (t) = malloc(sizeof(token_t)); \ 83 if ((t) != NULL) { \ 84 (t)->len = (length); \ 85 (dptr) = (t->t_data) = calloc((length), sizeof(u_char)); \ 86 if ((dptr) == NULL) { \ 87 free(t); \ 88 (t) = NULL; \ 89 } \ 90 } else \ 91 (dptr) = NULL; \ 92 assert((t) == NULL || (dptr) != NULL); \ 93 } while (0) 94 95 /* 96 * token ID 1 byte 97 * success/failure 1 byte 98 * privstrlen 2 bytes 99 * privstr N bytes + 1 (\0 byte) 100 */ 101 token_t * 102 au_to_upriv(char sorf, char *priv) 103 { 104 u_int16_t textlen; 105 u_char *dptr; 106 token_t *t; 107 108 textlen = strlen(priv) + 1; 109 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_char) + 110 sizeof(u_int16_t) + textlen); 111 if (t == NULL) 112 return (NULL); 113 ADD_U_CHAR(dptr, AUT_UPRIV); 114 ADD_U_CHAR(dptr, sorf); 115 ADD_U_INT16(dptr, textlen); 116 ADD_STRING(dptr, priv, textlen); 117 return (t); 118 } 119 120 /* 121 * token ID 1 byte 122 * privtstrlen 2 bytes 123 * privtstr N bytes + 1 124 * privstrlen 2 bytes 125 * privstr N bytes + 1 126 */ 127 token_t * 128 au_to_privset(char *privtypestr, char *privstr) 129 { 130 u_int16_t type_len, priv_len; 131 u_char *dptr; 132 token_t *t; 133 134 type_len = strlen(privtypestr) + 1; 135 priv_len = strlen(privstr) + 1; 136 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + 137 sizeof(u_int16_t) + type_len + priv_len); 138 if (t == NULL) 139 return (NULL); 140 ADD_U_CHAR(dptr, AUT_PRIV); 141 ADD_U_INT16(dptr, type_len); 142 ADD_STRING(dptr, privtypestr, type_len); 143 ADD_U_INT16(dptr, priv_len); 144 ADD_STRING(dptr, privstr, priv_len); 145 return (t); 146 } 147 148 /* 149 * token ID 1 byte 150 * argument # 1 byte 151 * argument value 4 bytes/8 bytes (32-bit/64-bit value) 152 * text length 2 bytes 153 * text N bytes + 1 terminating NULL byte 154 */ 155 token_t * 156 au_to_arg32(char n, const char *text, u_int32_t v) 157 { 158 token_t *t; 159 u_char *dptr = NULL; 160 u_int16_t textlen; 161 162 textlen = strlen(text); 163 textlen += 1; 164 165 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int32_t) + 166 sizeof(u_int16_t) + textlen); 167 if (t == NULL) 168 return (NULL); 169 170 ADD_U_CHAR(dptr, AUT_ARG32); 171 ADD_U_CHAR(dptr, n); 172 ADD_U_INT32(dptr, v); 173 ADD_U_INT16(dptr, textlen); 174 ADD_STRING(dptr, text, textlen); 175 176 return (t); 177 } 178 179 token_t * 180 au_to_arg64(char n, const char *text, u_int64_t v) 181 { 182 token_t *t; 183 u_char *dptr = NULL; 184 u_int16_t textlen; 185 186 textlen = strlen(text); 187 textlen += 1; 188 189 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int64_t) + 190 sizeof(u_int16_t) + textlen); 191 if (t == NULL) 192 return (NULL); 193 194 ADD_U_CHAR(dptr, AUT_ARG64); 195 ADD_U_CHAR(dptr, n); 196 ADD_U_INT64(dptr, v); 197 ADD_U_INT16(dptr, textlen); 198 ADD_STRING(dptr, text, textlen); 199 200 return (t); 201 } 202 203 token_t * 204 au_to_arg(char n, const char *text, u_int32_t v) 205 { 206 207 return (au_to_arg32(n, text, v)); 208 } 209 210 #if defined(_KERNEL) || defined(KERNEL) 211 /* 212 * token ID 1 byte 213 * file access mode 4 bytes 214 * owner user ID 4 bytes 215 * owner group ID 4 bytes 216 * file system ID 4 bytes 217 * node ID 8 bytes 218 * device 4 bytes/8 bytes (32-bit/64-bit) 219 */ 220 token_t * 221 au_to_attr32(struct vnode_au_info *vni) 222 { 223 token_t *t; 224 u_char *dptr = NULL; 225 u_int16_t pad0_16 = 0; 226 u_int32_t pad0_32 = 0; 227 228 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) + 229 3 * sizeof(u_int32_t) + sizeof(u_int64_t) + sizeof(u_int32_t)); 230 if (t == NULL) 231 return (NULL); 232 233 ADD_U_CHAR(dptr, AUT_ATTR32); 234 235 /* 236 * BSD defines the size for the file mode as 2 bytes; BSM defines 4 237 * so pad with 0. 238 * 239 * XXXRW: Possibly should be conditionally compiled. 240 * 241 * XXXRW: Should any conversions take place on the mode? 242 */ 243 ADD_U_INT16(dptr, pad0_16); 244 ADD_U_INT16(dptr, vni->vn_mode); 245 246 ADD_U_INT32(dptr, vni->vn_uid); 247 ADD_U_INT32(dptr, vni->vn_gid); 248 ADD_U_INT32(dptr, vni->vn_fsid); 249 250 /* 251 * Some systems use 32-bit file ID's, others use 64-bit file IDs. 252 * Attempt to handle both, and let the compiler sort it out. If we 253 * could pick this out at compile-time, it would be better, so as to 254 * avoid the else case below. 255 */ 256 if (sizeof(vni->vn_fileid) == sizeof(uint32_t)) { 257 ADD_U_INT32(dptr, pad0_32); 258 ADD_U_INT32(dptr, vni->vn_fileid); 259 } else if (sizeof(vni->vn_fileid) == sizeof(uint64_t)) 260 ADD_U_INT64(dptr, vni->vn_fileid); 261 else 262 ADD_U_INT64(dptr, 0LL); 263 264 ADD_U_INT32(dptr, vni->vn_dev); 265 266 return (t); 267 } 268 269 token_t * 270 au_to_attr64(struct vnode_au_info *vni) 271 { 272 token_t *t; 273 u_char *dptr = NULL; 274 u_int16_t pad0_16 = 0; 275 u_int32_t pad0_32 = 0; 276 277 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) + 278 3 * sizeof(u_int32_t) + sizeof(u_int64_t) * 2); 279 if (t == NULL) 280 return (NULL); 281 282 ADD_U_CHAR(dptr, AUT_ATTR64); 283 284 /* 285 * BSD defines the size for the file mode as 2 bytes; BSM defines 4 286 * so pad with 0. 287 * 288 * XXXRW: Possibly should be conditionally compiled. 289 * 290 * XXXRW: Should any conversions take place on the mode? 291 */ 292 ADD_U_INT16(dptr, pad0_16); 293 ADD_U_INT16(dptr, vni->vn_mode); 294 295 ADD_U_INT32(dptr, vni->vn_uid); 296 ADD_U_INT32(dptr, vni->vn_gid); 297 ADD_U_INT32(dptr, vni->vn_fsid); 298 299 /* 300 * Some systems use 32-bit file ID's, other's use 64-bit file IDs. 301 * Attempt to handle both, and let the compiler sort it out. If we 302 * could pick this out at compile-time, it would be better, so as to 303 * avoid the else case below. 304 */ 305 if (sizeof(vni->vn_fileid) == sizeof(uint32_t)) { 306 ADD_U_INT32(dptr, pad0_32); 307 ADD_U_INT32(dptr, vni->vn_fileid); 308 } else if (sizeof(vni->vn_fileid) == sizeof(uint64_t)) 309 ADD_U_INT64(dptr, vni->vn_fileid); 310 else 311 ADD_U_INT64(dptr, 0LL); 312 313 ADD_U_INT64(dptr, vni->vn_dev); 314 315 return (t); 316 } 317 318 token_t * 319 au_to_attr(struct vnode_au_info *vni) 320 { 321 322 return (au_to_attr32(vni)); 323 } 324 #endif /* !(defined(_KERNEL) || defined(KERNEL) */ 325 326 /* 327 * token ID 1 byte 328 * how to print 1 byte 329 * basic unit 1 byte 330 * unit count 1 byte 331 * data items (depends on basic unit) 332 */ 333 token_t * 334 au_to_data(char unit_print, char unit_type, char unit_count, const char *p) 335 { 336 token_t *t; 337 u_char *dptr = NULL; 338 size_t datasize, totdata; 339 340 /* Determine the size of the basic unit. */ 341 switch (unit_type) { 342 case AUR_BYTE: 343 /* case AUR_CHAR: */ 344 datasize = AUR_BYTE_SIZE; 345 break; 346 347 case AUR_SHORT: 348 datasize = AUR_SHORT_SIZE; 349 break; 350 351 case AUR_INT32: 352 /* case AUR_INT: */ 353 datasize = AUR_INT32_SIZE; 354 break; 355 356 case AUR_INT64: 357 datasize = AUR_INT64_SIZE; 358 break; 359 360 default: 361 errno = EINVAL; 362 return (NULL); 363 } 364 365 totdata = datasize * unit_count; 366 367 GET_TOKEN_AREA(t, dptr, 4 * sizeof(u_char) + totdata); 368 if (t == NULL) 369 return (NULL); 370 371 /* 372 * XXXRW: We should be byte-swapping each data item for multi-byte 373 * types. 374 */ 375 ADD_U_CHAR(dptr, AUT_DATA); 376 ADD_U_CHAR(dptr, unit_print); 377 ADD_U_CHAR(dptr, unit_type); 378 ADD_U_CHAR(dptr, unit_count); 379 ADD_MEM(dptr, p, totdata); 380 381 return (t); 382 } 383 384 385 /* 386 * token ID 1 byte 387 * status 4 bytes 388 * return value 4 bytes 389 */ 390 token_t * 391 au_to_exit(int retval, int err) 392 { 393 token_t *t; 394 u_char *dptr = NULL; 395 396 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int32_t)); 397 if (t == NULL) 398 return (NULL); 399 400 ADD_U_CHAR(dptr, AUT_EXIT); 401 ADD_U_INT32(dptr, err); 402 ADD_U_INT32(dptr, retval); 403 404 return (t); 405 } 406 407 /* 408 */ 409 token_t * 410 au_to_groups(int *groups) 411 { 412 413 return (au_to_newgroups(AUDIT_MAX_GROUPS, (gid_t *)groups)); 414 } 415 416 /* 417 * token ID 1 byte 418 * number groups 2 bytes 419 * group list count * 4 bytes 420 */ 421 token_t * 422 au_to_newgroups(u_int16_t n, gid_t *groups) 423 { 424 token_t *t; 425 u_char *dptr = NULL; 426 int i; 427 428 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + 429 n * sizeof(u_int32_t)); 430 if (t == NULL) 431 return (NULL); 432 433 ADD_U_CHAR(dptr, AUT_NEWGROUPS); 434 ADD_U_INT16(dptr, n); 435 for (i = 0; i < n; i++) 436 ADD_U_INT32(dptr, groups[i]); 437 438 return (t); 439 } 440 441 /* 442 * token ID 1 byte 443 * internet address 4 bytes 444 */ 445 token_t * 446 au_to_in_addr(struct in_addr *internet_addr) 447 { 448 token_t *t; 449 u_char *dptr = NULL; 450 451 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(uint32_t)); 452 if (t == NULL) 453 return (NULL); 454 455 ADD_U_CHAR(dptr, AUT_IN_ADDR); 456 ADD_MEM(dptr, &internet_addr->s_addr, sizeof(uint32_t)); 457 458 return (t); 459 } 460 461 /* 462 * token ID 1 byte 463 * address type/length 4 bytes 464 * address 16 bytes 465 */ 466 token_t * 467 au_to_in_addr_ex(struct in6_addr *internet_addr) 468 { 469 token_t *t; 470 u_char *dptr = NULL; 471 u_int32_t type = AU_IPv6; 472 473 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 5 * sizeof(uint32_t)); 474 if (t == NULL) 475 return (NULL); 476 477 ADD_U_CHAR(dptr, AUT_IN_ADDR_EX); 478 ADD_U_INT32(dptr, type); 479 ADD_MEM(dptr, internet_addr, 4 * sizeof(uint32_t)); 480 481 return (t); 482 } 483 484 /* 485 * token ID 1 byte 486 * ip header 20 bytes 487 * 488 * The IP header should be submitted in network byte order. 489 */ 490 token_t * 491 au_to_ip(struct ip *ip) 492 { 493 token_t *t; 494 u_char *dptr = NULL; 495 496 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(struct ip)); 497 if (t == NULL) 498 return (NULL); 499 500 ADD_U_CHAR(dptr, AUT_IP); 501 ADD_MEM(dptr, ip, sizeof(struct ip)); 502 503 return (t); 504 } 505 506 /* 507 * token ID 1 byte 508 * object ID type 1 byte 509 * object ID 4 bytes 510 */ 511 token_t * 512 au_to_ipc(char type, int id) 513 { 514 token_t *t; 515 u_char *dptr = NULL; 516 517 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int32_t)); 518 if (t == NULL) 519 return (NULL); 520 521 ADD_U_CHAR(dptr, AUT_IPC); 522 ADD_U_CHAR(dptr, type); 523 ADD_U_INT32(dptr, id); 524 525 return (t); 526 } 527 528 /* 529 * token ID 1 byte 530 * owner user ID 4 bytes 531 * owner group ID 4 bytes 532 * creator user ID 4 bytes 533 * creator group ID 4 bytes 534 * access mode 4 bytes 535 * slot sequence # 4 bytes 536 * key 4 bytes 537 */ 538 token_t * 539 au_to_ipc_perm(struct ipc_perm *perm) 540 { 541 token_t *t; 542 u_char *dptr = NULL; 543 u_int16_t pad0 = 0; 544 545 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 12 * sizeof(u_int16_t) + 546 sizeof(u_int32_t)); 547 if (t == NULL) 548 return (NULL); 549 550 ADD_U_CHAR(dptr, AUT_IPC_PERM); 551 552 /* 553 * Systems vary significantly in what types they use in struct 554 * ipc_perm; at least a few still use 16-bit uid's and gid's, so 555 * allow for that, as BSM define 32-bit values here. 556 * Some systems define the sizes for ipc_perm members as 2 bytes; 557 * BSM defines 4 so pad with 0. 558 * 559 * XXXRW: Possibly shoulid be conditionally compiled, and more cases 560 * need to be handled. 561 */ 562 if (sizeof(perm->uid) != sizeof(u_int32_t)) { 563 ADD_U_INT16(dptr, pad0); 564 ADD_U_INT16(dptr, perm->uid); 565 ADD_U_INT16(dptr, pad0); 566 ADD_U_INT16(dptr, perm->gid); 567 ADD_U_INT16(dptr, pad0); 568 ADD_U_INT16(dptr, perm->cuid); 569 ADD_U_INT16(dptr, pad0); 570 ADD_U_INT16(dptr, perm->cgid); 571 } else { 572 ADD_U_INT32(dptr, perm->uid); 573 ADD_U_INT32(dptr, perm->gid); 574 ADD_U_INT32(dptr, perm->cuid); 575 ADD_U_INT32(dptr, perm->cgid); 576 } 577 578 ADD_U_INT16(dptr, pad0); 579 ADD_U_INT16(dptr, perm->mode); 580 581 ADD_U_INT16(dptr, pad0); 582 583 #ifdef HAVE_IPC_PERM___SEQ 584 ADD_U_INT16(dptr, perm->__seq); 585 #else /* HAVE_IPC_PERM___SEQ */ 586 #ifdef HAVE_IPC_PERM__SEQ 587 ADD_U_INT16(dptr, perm->_seq); 588 #else /* HAVE_IPC_PERM__SEQ */ 589 ADD_U_INT16(dptr, perm->seq); 590 #endif /* HAVE_IPC_PERM__SEQ */ 591 #endif /* HAVE_IPC_PERM___SEQ */ 592 593 #ifdef HAVE_IPC_PERM___KEY 594 ADD_U_INT32(dptr, perm->__key); 595 #else /* HAVE_IPC_PERM___KEY */ 596 #ifdef HAVE_IPC_PERM__KEY 597 ADD_U_INT32(dptr, perm->_key); 598 #else /* HAVE_IPC_PERM__KEY */ 599 ADD_U_INT32(dptr, perm->key); 600 #endif /* HAVE_IPC_PERM__KEY */ 601 #endif /* HAVE_IPC_PERM___KEY */ 602 603 return (t); 604 } 605 606 /* 607 * token ID 1 byte 608 * port IP address 2 bytes 609 */ 610 token_t * 611 au_to_iport(u_int16_t iport) 612 { 613 token_t *t; 614 u_char *dptr = NULL; 615 616 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t)); 617 if (t == NULL) 618 return (NULL); 619 620 ADD_U_CHAR(dptr, AUT_IPORT); 621 ADD_U_INT16(dptr, iport); 622 623 return (t); 624 } 625 626 /* 627 * token ID 1 byte 628 * size 2 bytes 629 * data size bytes 630 */ 631 token_t * 632 au_to_opaque(const char *data, u_int16_t bytes) 633 { 634 token_t *t; 635 u_char *dptr = NULL; 636 637 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + bytes); 638 if (t == NULL) 639 return (NULL); 640 641 ADD_U_CHAR(dptr, AUT_OPAQUE); 642 ADD_U_INT16(dptr, bytes); 643 ADD_MEM(dptr, data, bytes); 644 645 return (t); 646 } 647 648 /* 649 * token ID 1 byte 650 * seconds of time 4 bytes 651 * milliseconds of time 4 bytes 652 * file name len 2 bytes 653 * file pathname N bytes + 1 terminating NULL byte 654 */ 655 token_t * 656 au_to_file(const char *file, struct timeval tm) 657 { 658 token_t *t; 659 u_char *dptr = NULL; 660 u_int16_t filelen; 661 u_int32_t timems; 662 663 filelen = strlen(file); 664 filelen += 1; 665 666 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int32_t) + 667 sizeof(u_int16_t) + filelen); 668 if (t == NULL) 669 return (NULL); 670 671 timems = tm.tv_usec/1000; 672 673 ADD_U_CHAR(dptr, AUT_OTHER_FILE32); 674 ADD_U_INT32(dptr, tm.tv_sec); 675 ADD_U_INT32(dptr, timems); /* We need time in ms. */ 676 ADD_U_INT16(dptr, filelen); 677 ADD_STRING(dptr, file, filelen); 678 679 return (t); 680 } 681 682 /* 683 * token ID 1 byte 684 * text length 2 bytes 685 * text N bytes + 1 terminating NULL byte 686 */ 687 token_t * 688 au_to_text(const char *text) 689 { 690 token_t *t; 691 u_char *dptr = NULL; 692 u_int16_t textlen; 693 694 textlen = strlen(text); 695 textlen += 1; 696 697 /* XXXRW: Should validate length against token size limit. */ 698 699 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + textlen); 700 if (t == NULL) 701 return (NULL); 702 703 ADD_U_CHAR(dptr, AUT_TEXT); 704 ADD_U_INT16(dptr, textlen); 705 ADD_STRING(dptr, text, textlen); 706 707 return (t); 708 } 709 710 /* 711 * token ID 1 byte 712 * path length 2 bytes 713 * path N bytes + 1 terminating NULL byte 714 */ 715 token_t * 716 au_to_path(const char *text) 717 { 718 token_t *t; 719 u_char *dptr = NULL; 720 u_int16_t textlen; 721 722 textlen = strlen(text); 723 textlen += 1; 724 725 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + textlen); 726 if (t == NULL) 727 return (NULL); 728 729 ADD_U_CHAR(dptr, AUT_PATH); 730 ADD_U_INT16(dptr, textlen); 731 ADD_STRING(dptr, text, textlen); 732 733 return (t); 734 } 735 736 /* 737 * token ID 1 byte 738 * audit ID 4 bytes 739 * effective user ID 4 bytes 740 * effective group ID 4 bytes 741 * real user ID 4 bytes 742 * real group ID 4 bytes 743 * process ID 4 bytes 744 * session ID 4 bytes 745 * terminal ID 746 * port ID 4 bytes/8 bytes (32-bit/64-bit value) 747 * machine address 4 bytes 748 */ 749 token_t * 750 au_to_process32(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, 751 pid_t pid, au_asid_t sid, au_tid_t *tid) 752 { 753 token_t *t; 754 u_char *dptr = NULL; 755 756 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 9 * sizeof(u_int32_t)); 757 if (t == NULL) 758 return (NULL); 759 760 ADD_U_CHAR(dptr, AUT_PROCESS32); 761 ADD_U_INT32(dptr, auid); 762 ADD_U_INT32(dptr, euid); 763 ADD_U_INT32(dptr, egid); 764 ADD_U_INT32(dptr, ruid); 765 ADD_U_INT32(dptr, rgid); 766 ADD_U_INT32(dptr, pid); 767 ADD_U_INT32(dptr, sid); 768 ADD_U_INT32(dptr, tid->port); 769 770 /* 771 * Note: Solaris will write out IPv6 addresses here as a 32-bit 772 * address type and 16 bytes of address, but for IPv4 addresses it 773 * simply writes the 4-byte address directly. We support only IPv4 774 * addresses for process32 tokens. 775 */ 776 ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t)); 777 778 return (t); 779 } 780 781 token_t * 782 au_to_process64(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, 783 pid_t pid, au_asid_t sid, au_tid_t *tid) 784 { 785 token_t *t; 786 u_char *dptr = NULL; 787 788 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 8 * sizeof(u_int32_t) + 789 sizeof(u_int64_t)); 790 if (t == NULL) 791 return (NULL); 792 793 ADD_U_CHAR(dptr, AUT_PROCESS64); 794 ADD_U_INT32(dptr, auid); 795 ADD_U_INT32(dptr, euid); 796 ADD_U_INT32(dptr, egid); 797 ADD_U_INT32(dptr, ruid); 798 ADD_U_INT32(dptr, rgid); 799 ADD_U_INT32(dptr, pid); 800 ADD_U_INT32(dptr, sid); 801 ADD_U_INT64(dptr, tid->port); 802 803 /* 804 * Note: Solaris will write out IPv6 addresses here as a 32-bit 805 * address type and 16 bytes of address, but for IPv4 addresses it 806 * simply writes the 4-byte address directly. We support only IPv4 807 * addresses for process64 tokens. 808 */ 809 ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t)); 810 811 return (t); 812 } 813 814 token_t * 815 au_to_process(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, 816 pid_t pid, au_asid_t sid, au_tid_t *tid) 817 { 818 819 return (au_to_process32(auid, euid, egid, ruid, rgid, pid, sid, 820 tid)); 821 } 822 823 /* 824 * token ID 1 byte 825 * audit ID 4 bytes 826 * effective user ID 4 bytes 827 * effective group ID 4 bytes 828 * real user ID 4 bytes 829 * real group ID 4 bytes 830 * process ID 4 bytes 831 * session ID 4 bytes 832 * terminal ID 833 * port ID 4 bytes/8 bytes (32-bit/64-bit value) 834 * address type-len 4 bytes 835 * machine address 16 bytes 836 */ 837 token_t * 838 au_to_process32_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, 839 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid) 840 { 841 token_t *t; 842 u_char *dptr = NULL; 843 844 if (tid->at_type == AU_IPv4) 845 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 846 10 * sizeof(u_int32_t)); 847 else if (tid->at_type == AU_IPv6) 848 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 849 13 * sizeof(u_int32_t)); 850 else { 851 errno = EINVAL; 852 return (NULL); 853 } 854 if (t == NULL) 855 return (NULL); 856 857 ADD_U_CHAR(dptr, AUT_PROCESS32_EX); 858 ADD_U_INT32(dptr, auid); 859 ADD_U_INT32(dptr, euid); 860 ADD_U_INT32(dptr, egid); 861 ADD_U_INT32(dptr, ruid); 862 ADD_U_INT32(dptr, rgid); 863 ADD_U_INT32(dptr, pid); 864 ADD_U_INT32(dptr, sid); 865 ADD_U_INT32(dptr, tid->at_port); 866 ADD_U_INT32(dptr, tid->at_type); 867 ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t)); 868 if (tid->at_type == AU_IPv6) { 869 ADD_MEM(dptr, &tid->at_addr[1], sizeof(u_int32_t)); 870 ADD_MEM(dptr, &tid->at_addr[2], sizeof(u_int32_t)); 871 ADD_MEM(dptr, &tid->at_addr[3], sizeof(u_int32_t)); 872 } 873 874 return (t); 875 } 876 877 token_t * 878 au_to_process64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, 879 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid) 880 { 881 token_t *t; 882 u_char *dptr = NULL; 883 884 if (tid->at_type == AU_IPv4) 885 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 886 7 * sizeof(u_int32_t) + sizeof(u_int64_t) + 887 2 * sizeof(u_int32_t)); 888 else if (tid->at_type == AU_IPv6) 889 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 890 7 * sizeof(u_int32_t) + sizeof(u_int64_t) + 891 5 * sizeof(u_int32_t)); 892 else { 893 errno = EINVAL; 894 return (NULL); 895 } 896 if (t == NULL) 897 return (NULL); 898 899 ADD_U_CHAR(dptr, AUT_PROCESS64_EX); 900 ADD_U_INT32(dptr, auid); 901 ADD_U_INT32(dptr, euid); 902 ADD_U_INT32(dptr, egid); 903 ADD_U_INT32(dptr, ruid); 904 ADD_U_INT32(dptr, rgid); 905 ADD_U_INT32(dptr, pid); 906 ADD_U_INT32(dptr, sid); 907 ADD_U_INT64(dptr, tid->at_port); 908 ADD_U_INT32(dptr, tid->at_type); 909 ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t)); 910 if (tid->at_type == AU_IPv6) { 911 ADD_MEM(dptr, &tid->at_addr[1], sizeof(u_int32_t)); 912 ADD_MEM(dptr, &tid->at_addr[2], sizeof(u_int32_t)); 913 ADD_MEM(dptr, &tid->at_addr[3], sizeof(u_int32_t)); 914 } 915 916 return (t); 917 } 918 919 token_t * 920 au_to_process_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, 921 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid) 922 { 923 924 return (au_to_process32_ex(auid, euid, egid, ruid, rgid, pid, sid, 925 tid)); 926 } 927 928 /* 929 * token ID 1 byte 930 * error status 1 byte 931 * return value 4 bytes/8 bytes (32-bit/64-bit value) 932 */ 933 token_t * 934 au_to_return32(char status, u_int32_t ret) 935 { 936 token_t *t; 937 u_char *dptr = NULL; 938 939 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int32_t)); 940 if (t == NULL) 941 return (NULL); 942 943 ADD_U_CHAR(dptr, AUT_RETURN32); 944 ADD_U_CHAR(dptr, status); 945 ADD_U_INT32(dptr, ret); 946 947 return (t); 948 } 949 950 token_t * 951 au_to_return64(char status, u_int64_t ret) 952 { 953 token_t *t; 954 u_char *dptr = NULL; 955 956 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int64_t)); 957 if (t == NULL) 958 return (NULL); 959 960 ADD_U_CHAR(dptr, AUT_RETURN64); 961 ADD_U_CHAR(dptr, status); 962 ADD_U_INT64(dptr, ret); 963 964 return (t); 965 } 966 967 token_t * 968 au_to_return(char status, u_int32_t ret) 969 { 970 971 return (au_to_return32(status, ret)); 972 } 973 974 /* 975 * token ID 1 byte 976 * sequence number 4 bytes 977 */ 978 token_t * 979 au_to_seq(long audit_count) 980 { 981 token_t *t; 982 u_char *dptr = NULL; 983 984 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t)); 985 if (t == NULL) 986 return (NULL); 987 988 ADD_U_CHAR(dptr, AUT_SEQ); 989 ADD_U_INT32(dptr, audit_count); 990 991 return (t); 992 } 993 994 /* 995 * token ID 1 byte 996 * socket domain 2 bytes 997 * socket type 2 bytes 998 * address type 2 byte 999 * local port 2 bytes 1000 * local address 4 bytes/16 bytes (IPv4/IPv6 address) 1001 * remote port 2 bytes 1002 * remote address 4 bytes/16 bytes (IPv4/IPv6 address) 1003 * 1004 * Domain and type arguments to this routine are assumed to already have been 1005 * converted to the BSM constant space, so we don't do that here. 1006 */ 1007 token_t * 1008 au_to_socket_ex(u_short so_domain, u_short so_type, 1009 struct sockaddr *sa_local, struct sockaddr *sa_remote) 1010 { 1011 token_t *t; 1012 u_char *dptr = NULL; 1013 struct sockaddr_in *sin; 1014 struct sockaddr_in6 *sin6; 1015 1016 if (so_domain == AF_INET) 1017 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 1018 5 * sizeof(u_int16_t) + 2 * sizeof(u_int32_t)); 1019 else if (so_domain == AF_INET6) 1020 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 1021 5 * sizeof(u_int16_t) + 8 * sizeof(u_int32_t)); 1022 else { 1023 errno = EINVAL; 1024 return (NULL); 1025 } 1026 if (t == NULL) 1027 return (NULL); 1028 1029 ADD_U_CHAR(dptr, AUT_SOCKET_EX); 1030 ADD_U_INT16(dptr, au_domain_to_bsm(so_domain)); 1031 ADD_U_INT16(dptr, au_socket_type_to_bsm(so_type)); 1032 if (so_domain == AF_INET) { 1033 ADD_U_INT16(dptr, AU_IPv4); 1034 sin = (struct sockaddr_in *)sa_local; 1035 ADD_MEM(dptr, &sin->sin_port, sizeof(uint16_t)); 1036 ADD_MEM(dptr, &sin->sin_addr.s_addr, sizeof(uint32_t)); 1037 sin = (struct sockaddr_in *)sa_remote; 1038 ADD_MEM(dptr, &sin->sin_port, sizeof(uint16_t)); 1039 ADD_MEM(dptr, &sin->sin_addr.s_addr, sizeof(uint32_t)); 1040 } else { 1041 ADD_U_INT16(dptr, AU_IPv6); 1042 sin6 = (struct sockaddr_in6 *)sa_local; 1043 ADD_MEM(dptr, &sin6->sin6_port, sizeof(uint16_t)); 1044 ADD_MEM(dptr, &sin6->sin6_addr, 4 * sizeof(uint32_t)); 1045 sin6 = (struct sockaddr_in6 *)sa_remote; 1046 ADD_MEM(dptr, &sin6->sin6_port, sizeof(uint16_t)); 1047 ADD_MEM(dptr, &sin6->sin6_addr, 4 * sizeof(uint32_t)); 1048 } 1049 1050 return (t); 1051 } 1052 1053 /* 1054 * token ID 1 byte 1055 * socket family 2 bytes 1056 * path (up to) 104 bytes + NULL (NULL terminated string) 1057 */ 1058 token_t * 1059 au_to_sock_unix(struct sockaddr_un *so) 1060 { 1061 token_t *t; 1062 u_char *dptr; 1063 1064 GET_TOKEN_AREA(t, dptr, 3 * sizeof(u_char) + strlen(so->sun_path) + 1); 1065 if (t == NULL) 1066 return (NULL); 1067 1068 ADD_U_CHAR(dptr, AUT_SOCKUNIX); 1069 /* BSM token has two bytes for family */ 1070 ADD_U_CHAR(dptr, 0); 1071 ADD_U_CHAR(dptr, so->sun_family); 1072 ADD_STRING(dptr, so->sun_path, strlen(so->sun_path) + 1); 1073 1074 return (t); 1075 } 1076 1077 /* 1078 * token ID 1 byte 1079 * socket family 2 bytes 1080 * local port 2 bytes 1081 * socket address 4 bytes 1082 */ 1083 token_t * 1084 au_to_sock_inet32(struct sockaddr_in *so) 1085 { 1086 token_t *t; 1087 u_char *dptr = NULL; 1088 uint16_t family; 1089 1090 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(uint16_t) + 1091 sizeof(uint32_t)); 1092 if (t == NULL) 1093 return (NULL); 1094 1095 ADD_U_CHAR(dptr, AUT_SOCKINET32); 1096 /* 1097 * BSM defines the family field as 16 bits, but many operating 1098 * systems have an 8-bit sin_family field. Extend to 16 bits before 1099 * writing into the token. Assume that both the port and the address 1100 * in the sockaddr_in are already in network byte order, but family 1101 * is in local byte order. 1102 * 1103 * XXXRW: Should a name space conversion be taking place on the value 1104 * of sin_family? 1105 */ 1106 family = so->sin_family; 1107 ADD_U_INT16(dptr, family); 1108 ADD_MEM(dptr, &so->sin_port, sizeof(uint16_t)); 1109 ADD_MEM(dptr, &so->sin_addr.s_addr, sizeof(uint32_t)); 1110 1111 return (t); 1112 } 1113 1114 token_t * 1115 au_to_sock_inet128(struct sockaddr_in6 *so) 1116 { 1117 token_t *t; 1118 u_char *dptr = NULL; 1119 1120 GET_TOKEN_AREA(t, dptr, 3 * sizeof(u_char) + sizeof(u_int16_t) + 1121 4 * sizeof(u_int32_t)); 1122 if (t == NULL) 1123 return (NULL); 1124 1125 ADD_U_CHAR(dptr, AUT_SOCKINET128); 1126 /* 1127 * In BSD, sin6_family is one octet, but BSM defines the token to 1128 * store two. So we copy in a 0 first. XXXRW: Possibly should be 1129 * conditionally compiled. 1130 */ 1131 ADD_U_CHAR(dptr, 0); 1132 ADD_U_CHAR(dptr, so->sin6_family); 1133 1134 ADD_U_INT16(dptr, so->sin6_port); 1135 ADD_MEM(dptr, &so->sin6_addr, 4 * sizeof(uint32_t)); 1136 1137 return (t); 1138 } 1139 1140 token_t * 1141 au_to_sock_inet(struct sockaddr_in *so) 1142 { 1143 1144 return (au_to_sock_inet32(so)); 1145 } 1146 1147 /* 1148 * token ID 1 byte 1149 * audit ID 4 bytes 1150 * effective user ID 4 bytes 1151 * effective group ID 4 bytes 1152 * real user ID 4 bytes 1153 * real group ID 4 bytes 1154 * process ID 4 bytes 1155 * session ID 4 bytes 1156 * terminal ID 1157 * port ID 4 bytes/8 bytes (32-bit/64-bit value) 1158 * machine address 4 bytes 1159 */ 1160 token_t * 1161 au_to_subject32(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, 1162 pid_t pid, au_asid_t sid, au_tid_t *tid) 1163 { 1164 token_t *t; 1165 u_char *dptr = NULL; 1166 1167 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 9 * sizeof(u_int32_t)); 1168 if (t == NULL) 1169 return (NULL); 1170 1171 ADD_U_CHAR(dptr, AUT_SUBJECT32); 1172 ADD_U_INT32(dptr, auid); 1173 ADD_U_INT32(dptr, euid); 1174 ADD_U_INT32(dptr, egid); 1175 ADD_U_INT32(dptr, ruid); 1176 ADD_U_INT32(dptr, rgid); 1177 ADD_U_INT32(dptr, pid); 1178 ADD_U_INT32(dptr, sid); 1179 ADD_U_INT32(dptr, tid->port); 1180 ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t)); 1181 1182 return (t); 1183 } 1184 1185 token_t * 1186 au_to_subject64(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, 1187 pid_t pid, au_asid_t sid, au_tid_t *tid) 1188 { 1189 token_t *t; 1190 u_char *dptr = NULL; 1191 1192 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 7 * sizeof(u_int32_t) + 1193 sizeof(u_int64_t) + sizeof(u_int32_t)); 1194 if (t == NULL) 1195 return (NULL); 1196 1197 ADD_U_CHAR(dptr, AUT_SUBJECT64); 1198 ADD_U_INT32(dptr, auid); 1199 ADD_U_INT32(dptr, euid); 1200 ADD_U_INT32(dptr, egid); 1201 ADD_U_INT32(dptr, ruid); 1202 ADD_U_INT32(dptr, rgid); 1203 ADD_U_INT32(dptr, pid); 1204 ADD_U_INT32(dptr, sid); 1205 ADD_U_INT64(dptr, tid->port); 1206 ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t)); 1207 1208 return (t); 1209 } 1210 1211 token_t * 1212 au_to_subject(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, 1213 pid_t pid, au_asid_t sid, au_tid_t *tid) 1214 { 1215 1216 return (au_to_subject32(auid, euid, egid, ruid, rgid, pid, sid, 1217 tid)); 1218 } 1219 1220 /* 1221 * token ID 1 byte 1222 * audit ID 4 bytes 1223 * effective user ID 4 bytes 1224 * effective group ID 4 bytes 1225 * real user ID 4 bytes 1226 * real group ID 4 bytes 1227 * process ID 4 bytes 1228 * session ID 4 bytes 1229 * terminal ID 1230 * port ID 4 bytes/8 bytes (32-bit/64-bit value) 1231 * address type/length 4 bytes 1232 * machine address 16 bytes 1233 */ 1234 token_t * 1235 au_to_subject32_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, 1236 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid) 1237 { 1238 token_t *t; 1239 u_char *dptr = NULL; 1240 1241 if (tid->at_type == AU_IPv4) 1242 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 10 * 1243 sizeof(u_int32_t)); 1244 else if (tid->at_type == AU_IPv6) 1245 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 13 * 1246 sizeof(u_int32_t)); 1247 else { 1248 errno = EINVAL; 1249 return (NULL); 1250 } 1251 if (t == NULL) 1252 return (NULL); 1253 1254 ADD_U_CHAR(dptr, AUT_SUBJECT32_EX); 1255 ADD_U_INT32(dptr, auid); 1256 ADD_U_INT32(dptr, euid); 1257 ADD_U_INT32(dptr, egid); 1258 ADD_U_INT32(dptr, ruid); 1259 ADD_U_INT32(dptr, rgid); 1260 ADD_U_INT32(dptr, pid); 1261 ADD_U_INT32(dptr, sid); 1262 ADD_U_INT32(dptr, tid->at_port); 1263 ADD_U_INT32(dptr, tid->at_type); 1264 if (tid->at_type == AU_IPv6) 1265 ADD_MEM(dptr, &tid->at_addr[0], 4 * sizeof(u_int32_t)); 1266 else 1267 ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t)); 1268 1269 return (t); 1270 } 1271 1272 token_t * 1273 au_to_subject64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, 1274 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid) 1275 { 1276 token_t *t; 1277 u_char *dptr = NULL; 1278 1279 if (tid->at_type == AU_IPv4) 1280 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 1281 7 * sizeof(u_int32_t) + sizeof(u_int64_t) + 1282 2 * sizeof(u_int32_t)); 1283 else if (tid->at_type == AU_IPv6) 1284 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 1285 7 * sizeof(u_int32_t) + sizeof(u_int64_t) + 1286 5 * sizeof(u_int32_t)); 1287 else { 1288 errno = EINVAL; 1289 return (NULL); 1290 } 1291 if (t == NULL) 1292 return (NULL); 1293 1294 ADD_U_CHAR(dptr, AUT_SUBJECT64_EX); 1295 ADD_U_INT32(dptr, auid); 1296 ADD_U_INT32(dptr, euid); 1297 ADD_U_INT32(dptr, egid); 1298 ADD_U_INT32(dptr, ruid); 1299 ADD_U_INT32(dptr, rgid); 1300 ADD_U_INT32(dptr, pid); 1301 ADD_U_INT32(dptr, sid); 1302 ADD_U_INT64(dptr, tid->at_port); 1303 ADD_U_INT32(dptr, tid->at_type); 1304 if (tid->at_type == AU_IPv6) 1305 ADD_MEM(dptr, &tid->at_addr[0], 4 * sizeof(u_int32_t)); 1306 else 1307 ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t)); 1308 1309 return (t); 1310 } 1311 1312 token_t * 1313 au_to_subject_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, 1314 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid) 1315 { 1316 1317 return (au_to_subject32_ex(auid, euid, egid, ruid, rgid, pid, sid, 1318 tid)); 1319 } 1320 1321 #if !defined(_KERNEL) && !defined(KERNEL) && defined(HAVE_AUDIT_SYSCALLS) 1322 /* 1323 * Collects audit information for the current process and creates a subject 1324 * token from it. 1325 */ 1326 token_t * 1327 au_to_me(void) 1328 { 1329 auditinfo_t auinfo; 1330 auditinfo_addr_t aia; 1331 1332 /* 1333 * Try to use getaudit_addr(2) first. If this kernel does not support 1334 * it, then fall back on to getaudit(2). 1335 */ 1336 if (getaudit_addr(&aia, sizeof(aia)) != 0) { 1337 if (errno == ENOSYS) { 1338 if (getaudit(&auinfo) != 0) 1339 return (NULL); 1340 return (au_to_subject32(auinfo.ai_auid, geteuid(), 1341 getegid(), getuid(), getgid(), getpid(), 1342 auinfo.ai_asid, &auinfo.ai_termid)); 1343 } else { 1344 /* getaudit_addr(2) failed for some other reason. */ 1345 return (NULL); 1346 } 1347 } 1348 1349 return (au_to_subject32_ex(aia.ai_auid, geteuid(), getegid(), getuid(), 1350 getgid(), getpid(), aia.ai_asid, &aia.ai_termid)); 1351 } 1352 #endif 1353 1354 /* 1355 * token ID 1 byte 1356 * count 4 bytes 1357 * text count null-terminated strings 1358 */ 1359 token_t * 1360 au_to_exec_args(char **argv) 1361 { 1362 token_t *t; 1363 u_char *dptr = NULL; 1364 const char *nextarg; 1365 int i, count = 0; 1366 size_t totlen = 0; 1367 1368 nextarg = *argv; 1369 1370 while (nextarg != NULL) { 1371 int nextlen; 1372 1373 nextlen = strlen(nextarg); 1374 totlen += nextlen + 1; 1375 count++; 1376 nextarg = *(argv + count); 1377 } 1378 1379 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + totlen); 1380 if (t == NULL) 1381 return (NULL); 1382 1383 ADD_U_CHAR(dptr, AUT_EXEC_ARGS); 1384 ADD_U_INT32(dptr, count); 1385 1386 for (i = 0; i < count; i++) { 1387 nextarg = *(argv + i); 1388 ADD_MEM(dptr, nextarg, strlen(nextarg) + 1); 1389 } 1390 1391 return (t); 1392 } 1393 1394 /* 1395 * token ID 1 byte 1396 * count 4 bytes 1397 * text count null-terminated strings 1398 */ 1399 token_t * 1400 au_to_exec_env(char **envp) 1401 { 1402 token_t *t; 1403 u_char *dptr = NULL; 1404 int i, count = 0; 1405 size_t totlen = 0; 1406 const char *nextenv; 1407 1408 nextenv = *envp; 1409 1410 while (nextenv != NULL) { 1411 int nextlen; 1412 1413 nextlen = strlen(nextenv); 1414 totlen += nextlen + 1; 1415 count++; 1416 nextenv = *(envp + count); 1417 } 1418 1419 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + totlen); 1420 if (t == NULL) 1421 return (NULL); 1422 1423 ADD_U_CHAR(dptr, AUT_EXEC_ENV); 1424 ADD_U_INT32(dptr, count); 1425 1426 for (i = 0; i < count; i++) { 1427 nextenv = *(envp + i); 1428 ADD_MEM(dptr, nextenv, strlen(nextenv) + 1); 1429 } 1430 1431 return (t); 1432 } 1433 1434 /* 1435 * token ID 1 byte 1436 * zonename length 2 bytes 1437 * zonename N bytes + 1 terminating NULL byte 1438 */ 1439 token_t * 1440 au_to_zonename(const char *zonename) 1441 { 1442 u_char *dptr = NULL; 1443 u_int16_t textlen; 1444 token_t *t; 1445 1446 textlen = strlen(zonename) + 1; 1447 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + textlen); 1448 if (t == NULL) 1449 return (NULL); 1450 1451 ADD_U_CHAR(dptr, AUT_ZONENAME); 1452 ADD_U_INT16(dptr, textlen); 1453 ADD_STRING(dptr, zonename, textlen); 1454 return (t); 1455 } 1456 1457 /* 1458 * token ID 1 byte 1459 * record byte count 4 bytes 1460 * version # 1 byte [2] 1461 * event type 2 bytes 1462 * event modifier 2 bytes 1463 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value) 1464 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value) 1465 */ 1466 token_t * 1467 au_to_header32_tm(int rec_size, au_event_t e_type, au_emod_t e_mod, 1468 struct timeval tm) 1469 { 1470 token_t *t; 1471 u_char *dptr = NULL; 1472 u_int32_t timems; 1473 1474 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + 1475 sizeof(u_char) + 2 * sizeof(u_int16_t) + 2 * sizeof(u_int32_t)); 1476 if (t == NULL) 1477 return (NULL); 1478 1479 ADD_U_CHAR(dptr, AUT_HEADER32); 1480 ADD_U_INT32(dptr, rec_size); 1481 ADD_U_CHAR(dptr, AUDIT_HEADER_VERSION_OPENBSM); 1482 ADD_U_INT16(dptr, e_type); 1483 ADD_U_INT16(dptr, e_mod); 1484 1485 timems = tm.tv_usec/1000; 1486 /* Add the timestamp */ 1487 ADD_U_INT32(dptr, tm.tv_sec); 1488 ADD_U_INT32(dptr, timems); /* We need time in ms. */ 1489 1490 return (t); 1491 } 1492 1493 /* 1494 * token ID 1 byte 1495 * record byte count 4 bytes 1496 * version # 1 byte [2] 1497 * event type 2 bytes 1498 * event modifier 2 bytes 1499 * address type/length 4 bytes 1500 * machine address 4 bytes/16 bytes (IPv4/IPv6 address) 1501 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value) 1502 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value) 1503 */ 1504 token_t * 1505 au_to_header32_ex_tm(int rec_size, au_event_t e_type, au_emod_t e_mod, 1506 struct timeval tm, struct auditinfo_addr *aia) 1507 { 1508 token_t *t; 1509 u_char *dptr = NULL; 1510 u_int32_t timems; 1511 au_tid_addr_t *tid; 1512 1513 tid = &aia->ai_termid; 1514 if (tid->at_type != AU_IPv4 && tid->at_type != AU_IPv6) 1515 return (NULL); 1516 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + 1517 sizeof(u_char) + 2 * sizeof(u_int16_t) + 3 * 1518 sizeof(u_int32_t) + tid->at_type); 1519 if (t == NULL) 1520 return (NULL); 1521 1522 ADD_U_CHAR(dptr, AUT_HEADER32_EX); 1523 ADD_U_INT32(dptr, rec_size); 1524 ADD_U_CHAR(dptr, AUDIT_HEADER_VERSION_OPENBSM); 1525 ADD_U_INT16(dptr, e_type); 1526 ADD_U_INT16(dptr, e_mod); 1527 1528 ADD_U_INT32(dptr, tid->at_type); 1529 if (tid->at_type == AU_IPv6) 1530 ADD_MEM(dptr, &tid->at_addr[0], 4 * sizeof(u_int32_t)); 1531 else 1532 ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t)); 1533 timems = tm.tv_usec/1000; 1534 /* Add the timestamp */ 1535 ADD_U_INT32(dptr, tm.tv_sec); 1536 ADD_U_INT32(dptr, timems); /* We need time in ms. */ 1537 1538 return (t); 1539 } 1540 1541 token_t * 1542 au_to_header64_tm(int rec_size, au_event_t e_type, au_emod_t e_mod, 1543 struct timeval tm) 1544 { 1545 token_t *t; 1546 u_char *dptr = NULL; 1547 u_int32_t timems; 1548 1549 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + 1550 sizeof(u_char) + 2 * sizeof(u_int16_t) + 2 * sizeof(u_int64_t)); 1551 if (t == NULL) 1552 return (NULL); 1553 1554 ADD_U_CHAR(dptr, AUT_HEADER64); 1555 ADD_U_INT32(dptr, rec_size); 1556 ADD_U_CHAR(dptr, AUDIT_HEADER_VERSION_OPENBSM); 1557 ADD_U_INT16(dptr, e_type); 1558 ADD_U_INT16(dptr, e_mod); 1559 1560 timems = tm.tv_usec/1000; 1561 /* Add the timestamp */ 1562 ADD_U_INT64(dptr, tm.tv_sec); 1563 ADD_U_INT64(dptr, timems); /* We need time in ms. */ 1564 1565 return (t); 1566 } 1567 1568 #if !defined(KERNEL) && !defined(_KERNEL) 1569 #ifdef HAVE_AUDIT_SYSCALLS 1570 token_t * 1571 au_to_header32_ex(int rec_size, au_event_t e_type, au_emod_t e_mod) 1572 { 1573 struct timeval tm; 1574 struct auditinfo_addr aia; 1575 1576 if (gettimeofday(&tm, NULL) == -1) 1577 return (NULL); 1578 if (audit_get_kaudit(&aia, sizeof(aia)) != 0) { 1579 if (errno != ENOSYS) 1580 return (NULL); 1581 return (au_to_header32_tm(rec_size, e_type, e_mod, tm)); 1582 } 1583 return (au_to_header32_ex_tm(rec_size, e_type, e_mod, tm, &aia)); 1584 } 1585 #endif /* HAVE_AUDIT_SYSCALLS */ 1586 1587 token_t * 1588 au_to_header32(int rec_size, au_event_t e_type, au_emod_t e_mod) 1589 { 1590 struct timeval tm; 1591 1592 if (gettimeofday(&tm, NULL) == -1) 1593 return (NULL); 1594 return (au_to_header32_tm(rec_size, e_type, e_mod, tm)); 1595 } 1596 1597 token_t * 1598 au_to_header64(__unused int rec_size, __unused au_event_t e_type, 1599 __unused au_emod_t e_mod) 1600 { 1601 struct timeval tm; 1602 1603 if (gettimeofday(&tm, NULL) == -1) 1604 return (NULL); 1605 return (au_to_header64_tm(rec_size, e_type, e_mod, tm)); 1606 } 1607 1608 token_t * 1609 au_to_header(int rec_size, au_event_t e_type, au_emod_t e_mod) 1610 { 1611 1612 return (au_to_header32(rec_size, e_type, e_mod)); 1613 } 1614 1615 #ifdef HAVE_AUDIT_SYSCALLS 1616 token_t * 1617 au_to_header_ex(int rec_size, au_event_t e_type, au_emod_t e_mod) 1618 { 1619 1620 return (au_to_header32_ex(rec_size, e_type, e_mod)); 1621 } 1622 #endif /* HAVE_AUDIT_SYSCALLS */ 1623 #endif /* !defined(KERNEL) && !defined(_KERNEL) */ 1624 1625 /* 1626 * token ID 1 byte 1627 * trailer magic number 2 bytes 1628 * record byte count 4 bytes 1629 */ 1630 token_t * 1631 au_to_trailer(int rec_size) 1632 { 1633 token_t *t; 1634 u_char *dptr = NULL; 1635 u_int16_t magic = AUT_TRAILER_MAGIC; 1636 1637 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + 1638 sizeof(u_int32_t)); 1639 if (t == NULL) 1640 return (NULL); 1641 1642 ADD_U_CHAR(dptr, AUT_TRAILER); 1643 ADD_U_INT16(dptr, magic); 1644 ADD_U_INT32(dptr, rec_size); 1645 1646 return (t); 1647 } 1648