1 /*- 2 * Copyright (c) 2004-2009 Apple Inc. 3 * Copyright (c) 2005 SPARTA, Inc. 4 * All rights reserved. 5 * 6 * This code was developed in part by Robert N. M. Watson, Senior Principal 7 * Scientist, SPARTA, Inc. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. Neither the name of Apple Inc. ("Apple") nor the names of 18 * its contributors may be used to endorse or promote products derived 19 * from this software without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR 25 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 29 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 30 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 31 * POSSIBILITY OF SUCH DAMAGE. 32 * 33 * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_token.c#93 $ 34 */ 35 36 #include <sys/types.h> 37 38 #include <config/config.h> 39 #if defined(HAVE_SYS_ENDIAN_H) && defined(HAVE_BE32ENC) 40 #include <sys/endian.h> 41 #else /* !HAVE_SYS_ENDIAN_H || !HAVE_BE32ENC */ 42 #ifdef HAVE_MACHINE_ENDIAN_H 43 #include <machine/endian.h> 44 #else /* !HAVE_MACHINE_ENDIAN_H */ 45 #ifdef HAVE_ENDIAN_H 46 #include <endian.h> 47 #else /* !HAVE_ENDIAN_H */ 48 #error "No supported endian.h" 49 #endif /* !HAVE_ENDIAN_H */ 50 #endif /* !HAVE_MACHINE_ENDIAN_H */ 51 #include <compat/endian.h> 52 #endif /* !HAVE_SYS_ENDIAN_H || !HAVE_BE32ENC */ 53 #ifdef HAVE_FULL_QUEUE_H 54 #include <sys/queue.h> 55 #else /* !HAVE_FULL_QUEUE_H */ 56 #include <compat/queue.h> 57 #endif /* !HAVE_FULL_QUEUE_H */ 58 59 #include <sys/socket.h> 60 #include <sys/time.h> 61 #include <sys/un.h> 62 63 #include <sys/ipc.h> 64 65 #include <netinet/in.h> 66 #include <netinet/in_systm.h> 67 #include <netinet/ip.h> 68 69 #include <assert.h> 70 #include <errno.h> 71 #include <string.h> 72 #include <stdlib.h> 73 #include <unistd.h> 74 75 #include <bsm/audit_internal.h> 76 #include <bsm/libbsm.h> 77 78 #define GET_TOKEN_AREA(t, dptr, length) do { \ 79 (t) = malloc(sizeof(token_t)); \ 80 if ((t) != NULL) { \ 81 (t)->len = (length); \ 82 (dptr) = (t->t_data) = malloc((length) * sizeof(u_char)); \ 83 if ((dptr) == NULL) { \ 84 free(t); \ 85 (t) = NULL; \ 86 } else \ 87 memset((dptr), 0, (length)); \ 88 } else \ 89 (dptr) = NULL; \ 90 assert((t) == NULL || (dptr) != NULL); \ 91 } while (0) 92 93 /* 94 * token ID 1 byte 95 * argument # 1 byte 96 * argument value 4 bytes/8 bytes (32-bit/64-bit value) 97 * text length 2 bytes 98 * text N bytes + 1 terminating NULL byte 99 */ 100 token_t * 101 au_to_arg32(char n, const char *text, u_int32_t v) 102 { 103 token_t *t; 104 u_char *dptr = NULL; 105 u_int16_t textlen; 106 107 textlen = strlen(text); 108 textlen += 1; 109 110 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int32_t) + 111 sizeof(u_int16_t) + textlen); 112 if (t == NULL) 113 return (NULL); 114 115 ADD_U_CHAR(dptr, AUT_ARG32); 116 ADD_U_CHAR(dptr, n); 117 ADD_U_INT32(dptr, v); 118 ADD_U_INT16(dptr, textlen); 119 ADD_STRING(dptr, text, textlen); 120 121 return (t); 122 } 123 124 token_t * 125 au_to_arg64(char n, const char *text, u_int64_t v) 126 { 127 token_t *t; 128 u_char *dptr = NULL; 129 u_int16_t textlen; 130 131 textlen = strlen(text); 132 textlen += 1; 133 134 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int64_t) + 135 sizeof(u_int16_t) + textlen); 136 if (t == NULL) 137 return (NULL); 138 139 ADD_U_CHAR(dptr, AUT_ARG64); 140 ADD_U_CHAR(dptr, n); 141 ADD_U_INT64(dptr, v); 142 ADD_U_INT16(dptr, textlen); 143 ADD_STRING(dptr, text, textlen); 144 145 return (t); 146 } 147 148 token_t * 149 au_to_arg(char n, const char *text, u_int32_t v) 150 { 151 152 return (au_to_arg32(n, text, v)); 153 } 154 155 #if defined(_KERNEL) || defined(KERNEL) 156 /* 157 * token ID 1 byte 158 * file access mode 4 bytes 159 * owner user ID 4 bytes 160 * owner group ID 4 bytes 161 * file system ID 4 bytes 162 * node ID 8 bytes 163 * device 4 bytes/8 bytes (32-bit/64-bit) 164 */ 165 token_t * 166 au_to_attr32(struct vnode_au_info *vni) 167 { 168 token_t *t; 169 u_char *dptr = NULL; 170 u_int16_t pad0_16 = 0; 171 u_int32_t pad0_32 = 0; 172 173 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) + 174 3 * sizeof(u_int32_t) + sizeof(u_int64_t) + sizeof(u_int32_t)); 175 if (t == NULL) 176 return (NULL); 177 178 ADD_U_CHAR(dptr, AUT_ATTR32); 179 180 /* 181 * BSD defines the size for the file mode as 2 bytes; BSM defines 4 182 * so pad with 0. 183 * 184 * XXXRW: Possibly should be conditionally compiled. 185 * 186 * XXXRW: Should any conversions take place on the mode? 187 */ 188 ADD_U_INT16(dptr, pad0_16); 189 ADD_U_INT16(dptr, vni->vn_mode); 190 191 ADD_U_INT32(dptr, vni->vn_uid); 192 ADD_U_INT32(dptr, vni->vn_gid); 193 ADD_U_INT32(dptr, vni->vn_fsid); 194 195 /* 196 * Some systems use 32-bit file ID's, others use 64-bit file IDs. 197 * Attempt to handle both, and let the compiler sort it out. If we 198 * could pick this out at compile-time, it would be better, so as to 199 * avoid the else case below. 200 */ 201 if (sizeof(vni->vn_fileid) == sizeof(uint32_t)) { 202 ADD_U_INT32(dptr, pad0_32); 203 ADD_U_INT32(dptr, vni->vn_fileid); 204 } else if (sizeof(vni->vn_fileid) == sizeof(uint64_t)) 205 ADD_U_INT64(dptr, vni->vn_fileid); 206 else 207 ADD_U_INT64(dptr, 0LL); 208 209 ADD_U_INT32(dptr, vni->vn_dev); 210 211 return (t); 212 } 213 214 token_t * 215 au_to_attr64(struct vnode_au_info *vni) 216 { 217 token_t *t; 218 u_char *dptr = NULL; 219 u_int16_t pad0_16 = 0; 220 u_int32_t pad0_32 = 0; 221 222 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) + 223 3 * sizeof(u_int32_t) + sizeof(u_int64_t) * 2); 224 if (t == NULL) 225 return (NULL); 226 227 ADD_U_CHAR(dptr, AUT_ATTR64); 228 229 /* 230 * BSD defines the size for the file mode as 2 bytes; BSM defines 4 231 * so pad with 0. 232 * 233 * XXXRW: Possibly should be conditionally compiled. 234 * 235 * XXXRW: Should any conversions take place on the mode? 236 */ 237 ADD_U_INT16(dptr, pad0_16); 238 ADD_U_INT16(dptr, vni->vn_mode); 239 240 ADD_U_INT32(dptr, vni->vn_uid); 241 ADD_U_INT32(dptr, vni->vn_gid); 242 ADD_U_INT32(dptr, vni->vn_fsid); 243 244 /* 245 * Some systems use 32-bit file ID's, other's use 64-bit file IDs. 246 * Attempt to handle both, and let the compiler sort it out. If we 247 * could pick this out at compile-time, it would be better, so as to 248 * avoid the else case below. 249 */ 250 if (sizeof(vni->vn_fileid) == sizeof(uint32_t)) { 251 ADD_U_INT32(dptr, pad0_32); 252 ADD_U_INT32(dptr, vni->vn_fileid); 253 } else if (sizeof(vni->vn_fileid) == sizeof(uint64_t)) 254 ADD_U_INT64(dptr, vni->vn_fileid); 255 else 256 ADD_U_INT64(dptr, 0LL); 257 258 ADD_U_INT64(dptr, vni->vn_dev); 259 260 return (t); 261 } 262 263 token_t * 264 au_to_attr(struct vnode_au_info *vni) 265 { 266 267 return (au_to_attr32(vni)); 268 } 269 #endif /* !(defined(_KERNEL) || defined(KERNEL) */ 270 271 /* 272 * token ID 1 byte 273 * how to print 1 byte 274 * basic unit 1 byte 275 * unit count 1 byte 276 * data items (depends on basic unit) 277 */ 278 token_t * 279 au_to_data(char unit_print, char unit_type, char unit_count, const char *p) 280 { 281 token_t *t; 282 u_char *dptr = NULL; 283 size_t datasize, totdata; 284 285 /* Determine the size of the basic unit. */ 286 switch (unit_type) { 287 case AUR_BYTE: 288 /* case AUR_CHAR: */ 289 datasize = AUR_BYTE_SIZE; 290 break; 291 292 case AUR_SHORT: 293 datasize = AUR_SHORT_SIZE; 294 break; 295 296 case AUR_INT32: 297 /* case AUR_INT: */ 298 datasize = AUR_INT32_SIZE; 299 break; 300 301 case AUR_INT64: 302 datasize = AUR_INT64_SIZE; 303 break; 304 305 default: 306 errno = EINVAL; 307 return (NULL); 308 } 309 310 totdata = datasize * unit_count; 311 312 GET_TOKEN_AREA(t, dptr, 4 * sizeof(u_char) + totdata); 313 if (t == NULL) 314 return (NULL); 315 316 /* 317 * XXXRW: We should be byte-swapping each data item for multi-byte 318 * types. 319 */ 320 ADD_U_CHAR(dptr, AUT_DATA); 321 ADD_U_CHAR(dptr, unit_print); 322 ADD_U_CHAR(dptr, unit_type); 323 ADD_U_CHAR(dptr, unit_count); 324 ADD_MEM(dptr, p, totdata); 325 326 return (t); 327 } 328 329 330 /* 331 * token ID 1 byte 332 * status 4 bytes 333 * return value 4 bytes 334 */ 335 token_t * 336 au_to_exit(int retval, int err) 337 { 338 token_t *t; 339 u_char *dptr = NULL; 340 341 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int32_t)); 342 if (t == NULL) 343 return (NULL); 344 345 ADD_U_CHAR(dptr, AUT_EXIT); 346 ADD_U_INT32(dptr, err); 347 ADD_U_INT32(dptr, retval); 348 349 return (t); 350 } 351 352 /* 353 */ 354 token_t * 355 au_to_groups(int *groups) 356 { 357 358 return (au_to_newgroups(AUDIT_MAX_GROUPS, (gid_t *)groups)); 359 } 360 361 /* 362 * token ID 1 byte 363 * number groups 2 bytes 364 * group list count * 4 bytes 365 */ 366 token_t * 367 au_to_newgroups(u_int16_t n, gid_t *groups) 368 { 369 token_t *t; 370 u_char *dptr = NULL; 371 int i; 372 373 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + 374 n * sizeof(u_int32_t)); 375 if (t == NULL) 376 return (NULL); 377 378 ADD_U_CHAR(dptr, AUT_NEWGROUPS); 379 ADD_U_INT16(dptr, n); 380 for (i = 0; i < n; i++) 381 ADD_U_INT32(dptr, groups[i]); 382 383 return (t); 384 } 385 386 /* 387 * token ID 1 byte 388 * internet address 4 bytes 389 */ 390 token_t * 391 au_to_in_addr(struct in_addr *internet_addr) 392 { 393 token_t *t; 394 u_char *dptr = NULL; 395 396 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(uint32_t)); 397 if (t == NULL) 398 return (NULL); 399 400 ADD_U_CHAR(dptr, AUT_IN_ADDR); 401 ADD_MEM(dptr, &internet_addr->s_addr, sizeof(uint32_t)); 402 403 return (t); 404 } 405 406 /* 407 * token ID 1 byte 408 * address type/length 4 bytes 409 * address 16 bytes 410 */ 411 token_t * 412 au_to_in_addr_ex(struct in6_addr *internet_addr) 413 { 414 token_t *t; 415 u_char *dptr = NULL; 416 u_int32_t type = AU_IPv6; 417 418 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 5 * sizeof(uint32_t)); 419 if (t == NULL) 420 return (NULL); 421 422 ADD_U_CHAR(dptr, AUT_IN_ADDR_EX); 423 ADD_U_INT32(dptr, type); 424 ADD_MEM(dptr, internet_addr, 4 * sizeof(uint32_t)); 425 426 return (t); 427 } 428 429 /* 430 * token ID 1 byte 431 * ip header 20 bytes 432 * 433 * The IP header should be submitted in network byte order. 434 */ 435 token_t * 436 au_to_ip(struct ip *ip) 437 { 438 token_t *t; 439 u_char *dptr = NULL; 440 441 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(struct ip)); 442 if (t == NULL) 443 return (NULL); 444 445 ADD_U_CHAR(dptr, AUT_IP); 446 ADD_MEM(dptr, ip, sizeof(struct ip)); 447 448 return (t); 449 } 450 451 /* 452 * token ID 1 byte 453 * object ID type 1 byte 454 * object ID 4 bytes 455 */ 456 token_t * 457 au_to_ipc(char type, int id) 458 { 459 token_t *t; 460 u_char *dptr = NULL; 461 462 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int32_t)); 463 if (t == NULL) 464 return (NULL); 465 466 ADD_U_CHAR(dptr, AUT_IPC); 467 ADD_U_CHAR(dptr, type); 468 ADD_U_INT32(dptr, id); 469 470 return (t); 471 } 472 473 /* 474 * token ID 1 byte 475 * owner user ID 4 bytes 476 * owner group ID 4 bytes 477 * creator user ID 4 bytes 478 * creator group ID 4 bytes 479 * access mode 4 bytes 480 * slot sequence # 4 bytes 481 * key 4 bytes 482 */ 483 token_t * 484 au_to_ipc_perm(struct ipc_perm *perm) 485 { 486 token_t *t; 487 u_char *dptr = NULL; 488 u_int16_t pad0 = 0; 489 490 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 12 * sizeof(u_int16_t) + 491 sizeof(u_int32_t)); 492 if (t == NULL) 493 return (NULL); 494 495 ADD_U_CHAR(dptr, AUT_IPC_PERM); 496 497 /* 498 * Systems vary significantly in what types they use in struct 499 * ipc_perm; at least a few still use 16-bit uid's and gid's, so 500 * allow for that, as BSM define 32-bit values here. 501 * Some systems define the sizes for ipc_perm members as 2 bytes; 502 * BSM defines 4 so pad with 0. 503 * 504 * XXXRW: Possibly shoulid be conditionally compiled, and more cases 505 * need to be handled. 506 */ 507 if (sizeof(perm->uid) != sizeof(u_int32_t)) { 508 ADD_U_INT16(dptr, pad0); 509 ADD_U_INT16(dptr, perm->uid); 510 ADD_U_INT16(dptr, pad0); 511 ADD_U_INT16(dptr, perm->gid); 512 ADD_U_INT16(dptr, pad0); 513 ADD_U_INT16(dptr, perm->cuid); 514 ADD_U_INT16(dptr, pad0); 515 ADD_U_INT16(dptr, perm->cgid); 516 } else { 517 ADD_U_INT32(dptr, perm->uid); 518 ADD_U_INT32(dptr, perm->gid); 519 ADD_U_INT32(dptr, perm->cuid); 520 ADD_U_INT32(dptr, perm->cgid); 521 } 522 523 ADD_U_INT16(dptr, pad0); 524 ADD_U_INT16(dptr, perm->mode); 525 526 ADD_U_INT16(dptr, pad0); 527 528 #ifdef HAVE_IPC_PERM___SEQ 529 ADD_U_INT16(dptr, perm->__seq); 530 #else /* HAVE_IPC_PERM___SEQ */ 531 #ifdef HAVE_IPC_PERM__SEQ 532 ADD_U_INT16(dptr, perm->_seq); 533 #else /* HAVE_IPC_PERM__SEQ */ 534 ADD_U_INT16(dptr, perm->seq); 535 #endif /* HAVE_IPC_PERM__SEQ */ 536 #endif /* HAVE_IPC_PERM___SEQ */ 537 538 #ifdef HAVE_IPC_PERM___KEY 539 ADD_U_INT32(dptr, perm->__key); 540 #else /* HAVE_IPC_PERM___KEY */ 541 #ifdef HAVE_IPC_PERM__KEY 542 ADD_U_INT32(dptr, perm->_key); 543 #else /* HAVE_IPC_PERM__KEY */ 544 ADD_U_INT32(dptr, perm->key); 545 #endif /* HAVE_IPC_PERM__KEY */ 546 #endif /* HAVE_IPC_PERM___KEY */ 547 548 return (t); 549 } 550 551 /* 552 * token ID 1 byte 553 * port IP address 2 bytes 554 */ 555 token_t * 556 au_to_iport(u_int16_t iport) 557 { 558 token_t *t; 559 u_char *dptr = NULL; 560 561 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t)); 562 if (t == NULL) 563 return (NULL); 564 565 ADD_U_CHAR(dptr, AUT_IPORT); 566 ADD_U_INT16(dptr, iport); 567 568 return (t); 569 } 570 571 /* 572 * token ID 1 byte 573 * size 2 bytes 574 * data size bytes 575 */ 576 token_t * 577 au_to_opaque(const char *data, u_int16_t bytes) 578 { 579 token_t *t; 580 u_char *dptr = NULL; 581 582 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + bytes); 583 if (t == NULL) 584 return (NULL); 585 586 ADD_U_CHAR(dptr, AUT_OPAQUE); 587 ADD_U_INT16(dptr, bytes); 588 ADD_MEM(dptr, data, bytes); 589 590 return (t); 591 } 592 593 /* 594 * token ID 1 byte 595 * seconds of time 4 bytes 596 * milliseconds of time 4 bytes 597 * file name len 2 bytes 598 * file pathname N bytes + 1 terminating NULL byte 599 */ 600 token_t * 601 au_to_file(const char *file, struct timeval tm) 602 { 603 token_t *t; 604 u_char *dptr = NULL; 605 u_int16_t filelen; 606 u_int32_t timems; 607 608 filelen = strlen(file); 609 filelen += 1; 610 611 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int32_t) + 612 sizeof(u_int16_t) + filelen); 613 if (t == NULL) 614 return (NULL); 615 616 timems = tm.tv_usec/1000; 617 618 ADD_U_CHAR(dptr, AUT_OTHER_FILE32); 619 ADD_U_INT32(dptr, tm.tv_sec); 620 ADD_U_INT32(dptr, timems); /* We need time in ms. */ 621 ADD_U_INT16(dptr, filelen); 622 ADD_STRING(dptr, file, filelen); 623 624 return (t); 625 } 626 627 /* 628 * token ID 1 byte 629 * text length 2 bytes 630 * text N bytes + 1 terminating NULL byte 631 */ 632 token_t * 633 au_to_text(const char *text) 634 { 635 token_t *t; 636 u_char *dptr = NULL; 637 u_int16_t textlen; 638 639 textlen = strlen(text); 640 textlen += 1; 641 642 /* XXXRW: Should validate length against token size limit. */ 643 644 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + textlen); 645 if (t == NULL) 646 return (NULL); 647 648 ADD_U_CHAR(dptr, AUT_TEXT); 649 ADD_U_INT16(dptr, textlen); 650 ADD_STRING(dptr, text, textlen); 651 652 return (t); 653 } 654 655 /* 656 * token ID 1 byte 657 * path length 2 bytes 658 * path N bytes + 1 terminating NULL byte 659 */ 660 token_t * 661 au_to_path(const char *text) 662 { 663 token_t *t; 664 u_char *dptr = NULL; 665 u_int16_t textlen; 666 667 textlen = strlen(text); 668 textlen += 1; 669 670 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + textlen); 671 if (t == NULL) 672 return (NULL); 673 674 ADD_U_CHAR(dptr, AUT_PATH); 675 ADD_U_INT16(dptr, textlen); 676 ADD_STRING(dptr, text, textlen); 677 678 return (t); 679 } 680 681 /* 682 * token ID 1 byte 683 * audit ID 4 bytes 684 * effective user ID 4 bytes 685 * effective group ID 4 bytes 686 * real user ID 4 bytes 687 * real group ID 4 bytes 688 * process ID 4 bytes 689 * session ID 4 bytes 690 * terminal ID 691 * port ID 4 bytes/8 bytes (32-bit/64-bit value) 692 * machine address 4 bytes 693 */ 694 token_t * 695 au_to_process32(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, 696 pid_t pid, au_asid_t sid, au_tid_t *tid) 697 { 698 token_t *t; 699 u_char *dptr = NULL; 700 701 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 9 * sizeof(u_int32_t)); 702 if (t == NULL) 703 return (NULL); 704 705 ADD_U_CHAR(dptr, AUT_PROCESS32); 706 ADD_U_INT32(dptr, auid); 707 ADD_U_INT32(dptr, euid); 708 ADD_U_INT32(dptr, egid); 709 ADD_U_INT32(dptr, ruid); 710 ADD_U_INT32(dptr, rgid); 711 ADD_U_INT32(dptr, pid); 712 ADD_U_INT32(dptr, sid); 713 ADD_U_INT32(dptr, tid->port); 714 715 /* 716 * Note: Solaris will write out IPv6 addresses here as a 32-bit 717 * address type and 16 bytes of address, but for IPv4 addresses it 718 * simply writes the 4-byte address directly. We support only IPv4 719 * addresses for process32 tokens. 720 */ 721 ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t)); 722 723 return (t); 724 } 725 726 token_t * 727 au_to_process64(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, 728 pid_t pid, au_asid_t sid, au_tid_t *tid) 729 { 730 token_t *t; 731 u_char *dptr = NULL; 732 733 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 8 * sizeof(u_int32_t) + 734 sizeof(u_int64_t)); 735 if (t == NULL) 736 return (NULL); 737 738 ADD_U_CHAR(dptr, AUT_PROCESS64); 739 ADD_U_INT32(dptr, auid); 740 ADD_U_INT32(dptr, euid); 741 ADD_U_INT32(dptr, egid); 742 ADD_U_INT32(dptr, ruid); 743 ADD_U_INT32(dptr, rgid); 744 ADD_U_INT32(dptr, pid); 745 ADD_U_INT32(dptr, sid); 746 ADD_U_INT64(dptr, tid->port); 747 748 /* 749 * Note: Solaris will write out IPv6 addresses here as a 32-bit 750 * address type and 16 bytes of address, but for IPv4 addresses it 751 * simply writes the 4-byte address directly. We support only IPv4 752 * addresses for process64 tokens. 753 */ 754 ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t)); 755 756 return (t); 757 } 758 759 token_t * 760 au_to_process(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, 761 pid_t pid, au_asid_t sid, au_tid_t *tid) 762 { 763 764 return (au_to_process32(auid, euid, egid, ruid, rgid, pid, sid, 765 tid)); 766 } 767 768 /* 769 * token ID 1 byte 770 * audit ID 4 bytes 771 * effective user ID 4 bytes 772 * effective group ID 4 bytes 773 * real user ID 4 bytes 774 * real group ID 4 bytes 775 * process ID 4 bytes 776 * session ID 4 bytes 777 * terminal ID 778 * port ID 4 bytes/8 bytes (32-bit/64-bit value) 779 * address type-len 4 bytes 780 * machine address 16 bytes 781 */ 782 token_t * 783 au_to_process32_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, 784 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid) 785 { 786 token_t *t; 787 u_char *dptr = NULL; 788 789 if (tid->at_type == AU_IPv4) 790 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 791 10 * sizeof(u_int32_t)); 792 else if (tid->at_type == AU_IPv6) 793 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 794 13 * sizeof(u_int32_t)); 795 else { 796 errno = EINVAL; 797 return (NULL); 798 } 799 if (t == NULL) 800 return (NULL); 801 802 ADD_U_CHAR(dptr, AUT_PROCESS32_EX); 803 ADD_U_INT32(dptr, auid); 804 ADD_U_INT32(dptr, euid); 805 ADD_U_INT32(dptr, egid); 806 ADD_U_INT32(dptr, ruid); 807 ADD_U_INT32(dptr, rgid); 808 ADD_U_INT32(dptr, pid); 809 ADD_U_INT32(dptr, sid); 810 ADD_U_INT32(dptr, tid->at_port); 811 ADD_U_INT32(dptr, tid->at_type); 812 ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t)); 813 if (tid->at_type == AU_IPv6) { 814 ADD_MEM(dptr, &tid->at_addr[1], sizeof(u_int32_t)); 815 ADD_MEM(dptr, &tid->at_addr[2], sizeof(u_int32_t)); 816 ADD_MEM(dptr, &tid->at_addr[3], sizeof(u_int32_t)); 817 } 818 819 return (t); 820 } 821 822 token_t * 823 au_to_process64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, 824 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid) 825 { 826 token_t *t; 827 u_char *dptr = NULL; 828 829 if (tid->at_type == AU_IPv4) 830 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 831 7 * sizeof(u_int32_t) + sizeof(u_int64_t) + 832 2 * sizeof(u_int32_t)); 833 else if (tid->at_type == AU_IPv6) 834 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 835 7 * sizeof(u_int32_t) + sizeof(u_int64_t) + 836 5 * sizeof(u_int32_t)); 837 else { 838 errno = EINVAL; 839 return (NULL); 840 } 841 if (t == NULL) 842 return (NULL); 843 844 ADD_U_CHAR(dptr, AUT_PROCESS64_EX); 845 ADD_U_INT32(dptr, auid); 846 ADD_U_INT32(dptr, euid); 847 ADD_U_INT32(dptr, egid); 848 ADD_U_INT32(dptr, ruid); 849 ADD_U_INT32(dptr, rgid); 850 ADD_U_INT32(dptr, pid); 851 ADD_U_INT32(dptr, sid); 852 ADD_U_INT64(dptr, tid->at_port); 853 ADD_U_INT32(dptr, tid->at_type); 854 ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t)); 855 if (tid->at_type == AU_IPv6) { 856 ADD_MEM(dptr, &tid->at_addr[1], sizeof(u_int32_t)); 857 ADD_MEM(dptr, &tid->at_addr[2], sizeof(u_int32_t)); 858 ADD_MEM(dptr, &tid->at_addr[3], sizeof(u_int32_t)); 859 } 860 861 return (t); 862 } 863 864 token_t * 865 au_to_process_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, 866 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid) 867 { 868 869 return (au_to_process32_ex(auid, euid, egid, ruid, rgid, pid, sid, 870 tid)); 871 } 872 873 /* 874 * token ID 1 byte 875 * error status 1 byte 876 * return value 4 bytes/8 bytes (32-bit/64-bit value) 877 */ 878 token_t * 879 au_to_return32(char status, u_int32_t ret) 880 { 881 token_t *t; 882 u_char *dptr = NULL; 883 884 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int32_t)); 885 if (t == NULL) 886 return (NULL); 887 888 ADD_U_CHAR(dptr, AUT_RETURN32); 889 ADD_U_CHAR(dptr, status); 890 ADD_U_INT32(dptr, ret); 891 892 return (t); 893 } 894 895 token_t * 896 au_to_return64(char status, u_int64_t ret) 897 { 898 token_t *t; 899 u_char *dptr = NULL; 900 901 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int64_t)); 902 if (t == NULL) 903 return (NULL); 904 905 ADD_U_CHAR(dptr, AUT_RETURN64); 906 ADD_U_CHAR(dptr, status); 907 ADD_U_INT64(dptr, ret); 908 909 return (t); 910 } 911 912 token_t * 913 au_to_return(char status, u_int32_t ret) 914 { 915 916 return (au_to_return32(status, ret)); 917 } 918 919 /* 920 * token ID 1 byte 921 * sequence number 4 bytes 922 */ 923 token_t * 924 au_to_seq(long audit_count) 925 { 926 token_t *t; 927 u_char *dptr = NULL; 928 929 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t)); 930 if (t == NULL) 931 return (NULL); 932 933 ADD_U_CHAR(dptr, AUT_SEQ); 934 ADD_U_INT32(dptr, audit_count); 935 936 return (t); 937 } 938 939 /* 940 * token ID 1 byte 941 * socket domain 2 bytes 942 * socket type 2 bytes 943 * address type 2 byte 944 * local port 2 bytes 945 * local address 4 bytes/16 bytes (IPv4/IPv6 address) 946 * remote port 2 bytes 947 * remote address 4 bytes/16 bytes (IPv4/IPv6 address) 948 * 949 * Domain and type arguments to this routine are assumed to already have been 950 * converted to the BSM constant space, so we don't do that here. 951 */ 952 token_t * 953 au_to_socket_ex(u_short so_domain, u_short so_type, 954 struct sockaddr *sa_local, struct sockaddr *sa_remote) 955 { 956 token_t *t; 957 u_char *dptr = NULL; 958 struct sockaddr_in *sin; 959 struct sockaddr_in6 *sin6; 960 961 if (so_domain == AF_INET) 962 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 963 5 * sizeof(u_int16_t) + 2 * sizeof(u_int32_t)); 964 else if (so_domain == AF_INET6) 965 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 966 5 * sizeof(u_int16_t) + 8 * sizeof(u_int32_t)); 967 else { 968 errno = EINVAL; 969 return (NULL); 970 } 971 972 ADD_U_CHAR(dptr, AUT_SOCKET_EX); 973 ADD_U_INT16(dptr, au_domain_to_bsm(so_domain)); 974 ADD_U_INT16(dptr, au_socket_type_to_bsm(so_type)); 975 if (so_domain == AF_INET) { 976 ADD_U_INT16(dptr, AU_IPv4); 977 sin = (struct sockaddr_in *)sa_local; 978 ADD_MEM(dptr, &sin->sin_port, sizeof(uint16_t)); 979 ADD_MEM(dptr, &sin->sin_addr.s_addr, sizeof(uint32_t)); 980 sin = (struct sockaddr_in *)sa_remote; 981 ADD_MEM(dptr, &sin->sin_port, sizeof(uint16_t)); 982 ADD_MEM(dptr, &sin->sin_addr.s_addr, sizeof(uint32_t)); 983 } else { 984 ADD_U_INT16(dptr, AU_IPv6); 985 sin6 = (struct sockaddr_in6 *)sa_local; 986 ADD_MEM(dptr, &sin6->sin6_port, sizeof(uint16_t)); 987 ADD_MEM(dptr, &sin6->sin6_addr, 4 * sizeof(uint32_t)); 988 sin6 = (struct sockaddr_in6 *)sa_remote; 989 ADD_MEM(dptr, &sin6->sin6_port, sizeof(uint16_t)); 990 ADD_MEM(dptr, &sin6->sin6_addr, 4 * sizeof(uint32_t)); 991 } 992 993 return (t); 994 } 995 996 /* 997 * token ID 1 byte 998 * socket family 2 bytes 999 * path (up to) 104 bytes + NULL (NULL terminated string) 1000 */ 1001 token_t * 1002 au_to_sock_unix(struct sockaddr_un *so) 1003 { 1004 token_t *t; 1005 u_char *dptr; 1006 1007 GET_TOKEN_AREA(t, dptr, 3 * sizeof(u_char) + strlen(so->sun_path) + 1); 1008 if (t == NULL) 1009 return (NULL); 1010 1011 ADD_U_CHAR(dptr, AUT_SOCKUNIX); 1012 /* BSM token has two bytes for family */ 1013 ADD_U_CHAR(dptr, 0); 1014 ADD_U_CHAR(dptr, so->sun_family); 1015 ADD_STRING(dptr, so->sun_path, strlen(so->sun_path) + 1); 1016 1017 return (t); 1018 } 1019 1020 /* 1021 * token ID 1 byte 1022 * socket family 2 bytes 1023 * local port 2 bytes 1024 * socket address 4 bytes 1025 */ 1026 token_t * 1027 au_to_sock_inet32(struct sockaddr_in *so) 1028 { 1029 token_t *t; 1030 u_char *dptr = NULL; 1031 uint16_t family; 1032 1033 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(uint16_t) + 1034 sizeof(uint32_t)); 1035 if (t == NULL) 1036 return (NULL); 1037 1038 ADD_U_CHAR(dptr, AUT_SOCKINET32); 1039 /* 1040 * BSM defines the family field as 16 bits, but many operating 1041 * systems have an 8-bit sin_family field. Extend to 16 bits before 1042 * writing into the token. Assume that both the port and the address 1043 * in the sockaddr_in are already in network byte order, but family 1044 * is in local byte order. 1045 * 1046 * XXXRW: Should a name space conversion be taking place on the value 1047 * of sin_family? 1048 */ 1049 family = so->sin_family; 1050 ADD_U_INT16(dptr, family); 1051 ADD_MEM(dptr, &so->sin_port, sizeof(uint16_t)); 1052 ADD_MEM(dptr, &so->sin_addr.s_addr, sizeof(uint32_t)); 1053 1054 return (t); 1055 } 1056 1057 token_t * 1058 au_to_sock_inet128(struct sockaddr_in6 *so) 1059 { 1060 token_t *t; 1061 u_char *dptr = NULL; 1062 1063 GET_TOKEN_AREA(t, dptr, 3 * sizeof(u_char) + sizeof(u_int16_t) + 1064 4 * sizeof(u_int32_t)); 1065 if (t == NULL) 1066 return (NULL); 1067 1068 ADD_U_CHAR(dptr, AUT_SOCKINET128); 1069 /* 1070 * In BSD, sin6_family is one octet, but BSM defines the token to 1071 * store two. So we copy in a 0 first. XXXRW: Possibly should be 1072 * conditionally compiled. 1073 */ 1074 ADD_U_CHAR(dptr, 0); 1075 ADD_U_CHAR(dptr, so->sin6_family); 1076 1077 ADD_U_INT16(dptr, so->sin6_port); 1078 ADD_MEM(dptr, &so->sin6_addr, 4 * sizeof(uint32_t)); 1079 1080 return (t); 1081 } 1082 1083 token_t * 1084 au_to_sock_inet(struct sockaddr_in *so) 1085 { 1086 1087 return (au_to_sock_inet32(so)); 1088 } 1089 1090 /* 1091 * token ID 1 byte 1092 * audit ID 4 bytes 1093 * effective user ID 4 bytes 1094 * effective group ID 4 bytes 1095 * real user ID 4 bytes 1096 * real group ID 4 bytes 1097 * process ID 4 bytes 1098 * session ID 4 bytes 1099 * terminal ID 1100 * port ID 4 bytes/8 bytes (32-bit/64-bit value) 1101 * machine address 4 bytes 1102 */ 1103 token_t * 1104 au_to_subject32(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, 1105 pid_t pid, au_asid_t sid, au_tid_t *tid) 1106 { 1107 token_t *t; 1108 u_char *dptr = NULL; 1109 1110 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 9 * sizeof(u_int32_t)); 1111 if (t == NULL) 1112 return (NULL); 1113 1114 ADD_U_CHAR(dptr, AUT_SUBJECT32); 1115 ADD_U_INT32(dptr, auid); 1116 ADD_U_INT32(dptr, euid); 1117 ADD_U_INT32(dptr, egid); 1118 ADD_U_INT32(dptr, ruid); 1119 ADD_U_INT32(dptr, rgid); 1120 ADD_U_INT32(dptr, pid); 1121 ADD_U_INT32(dptr, sid); 1122 ADD_U_INT32(dptr, tid->port); 1123 ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t)); 1124 1125 return (t); 1126 } 1127 1128 token_t * 1129 au_to_subject64(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, 1130 pid_t pid, au_asid_t sid, au_tid_t *tid) 1131 { 1132 token_t *t; 1133 u_char *dptr = NULL; 1134 1135 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 7 * sizeof(u_int32_t) + 1136 sizeof(u_int64_t) + sizeof(u_int32_t)); 1137 if (t == NULL) 1138 return (NULL); 1139 1140 ADD_U_CHAR(dptr, AUT_SUBJECT64); 1141 ADD_U_INT32(dptr, auid); 1142 ADD_U_INT32(dptr, euid); 1143 ADD_U_INT32(dptr, egid); 1144 ADD_U_INT32(dptr, ruid); 1145 ADD_U_INT32(dptr, rgid); 1146 ADD_U_INT32(dptr, pid); 1147 ADD_U_INT32(dptr, sid); 1148 ADD_U_INT64(dptr, tid->port); 1149 ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t)); 1150 1151 return (t); 1152 } 1153 1154 token_t * 1155 au_to_subject(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, 1156 pid_t pid, au_asid_t sid, au_tid_t *tid) 1157 { 1158 1159 return (au_to_subject32(auid, euid, egid, ruid, rgid, pid, sid, 1160 tid)); 1161 } 1162 1163 /* 1164 * token ID 1 byte 1165 * audit ID 4 bytes 1166 * effective user ID 4 bytes 1167 * effective group ID 4 bytes 1168 * real user ID 4 bytes 1169 * real group ID 4 bytes 1170 * process ID 4 bytes 1171 * session ID 4 bytes 1172 * terminal ID 1173 * port ID 4 bytes/8 bytes (32-bit/64-bit value) 1174 * address type/length 4 bytes 1175 * machine address 16 bytes 1176 */ 1177 token_t * 1178 au_to_subject32_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, 1179 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid) 1180 { 1181 token_t *t; 1182 u_char *dptr = NULL; 1183 1184 if (tid->at_type == AU_IPv4) 1185 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 10 * 1186 sizeof(u_int32_t)); 1187 else if (tid->at_type == AU_IPv6) 1188 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 13 * 1189 sizeof(u_int32_t)); 1190 else { 1191 errno = EINVAL; 1192 return (NULL); 1193 } 1194 if (t == NULL) 1195 return (NULL); 1196 1197 ADD_U_CHAR(dptr, AUT_SUBJECT32_EX); 1198 ADD_U_INT32(dptr, auid); 1199 ADD_U_INT32(dptr, euid); 1200 ADD_U_INT32(dptr, egid); 1201 ADD_U_INT32(dptr, ruid); 1202 ADD_U_INT32(dptr, rgid); 1203 ADD_U_INT32(dptr, pid); 1204 ADD_U_INT32(dptr, sid); 1205 ADD_U_INT32(dptr, tid->at_port); 1206 ADD_U_INT32(dptr, tid->at_type); 1207 if (tid->at_type == AU_IPv6) 1208 ADD_MEM(dptr, &tid->at_addr[0], 4 * sizeof(u_int32_t)); 1209 else 1210 ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t)); 1211 1212 return (t); 1213 } 1214 1215 token_t * 1216 au_to_subject64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, 1217 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid) 1218 { 1219 token_t *t; 1220 u_char *dptr = NULL; 1221 1222 if (tid->at_type == AU_IPv4) 1223 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 1224 7 * sizeof(u_int32_t) + sizeof(u_int64_t) + 1225 2 * sizeof(u_int32_t)); 1226 else if (tid->at_type == AU_IPv6) 1227 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 1228 7 * sizeof(u_int32_t) + sizeof(u_int64_t) + 1229 5 * sizeof(u_int32_t)); 1230 else { 1231 errno = EINVAL; 1232 return (NULL); 1233 } 1234 if (t == NULL) 1235 return (NULL); 1236 1237 ADD_U_CHAR(dptr, AUT_SUBJECT64_EX); 1238 ADD_U_INT32(dptr, auid); 1239 ADD_U_INT32(dptr, euid); 1240 ADD_U_INT32(dptr, egid); 1241 ADD_U_INT32(dptr, ruid); 1242 ADD_U_INT32(dptr, rgid); 1243 ADD_U_INT32(dptr, pid); 1244 ADD_U_INT32(dptr, sid); 1245 ADD_U_INT64(dptr, tid->at_port); 1246 ADD_U_INT32(dptr, tid->at_type); 1247 if (tid->at_type == AU_IPv6) 1248 ADD_MEM(dptr, &tid->at_addr[0], 4 * sizeof(u_int32_t)); 1249 else 1250 ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t)); 1251 1252 return (t); 1253 } 1254 1255 token_t * 1256 au_to_subject_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, 1257 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid) 1258 { 1259 1260 return (au_to_subject32_ex(auid, euid, egid, ruid, rgid, pid, sid, 1261 tid)); 1262 } 1263 1264 #if !defined(_KERNEL) && !defined(KERNEL) && defined(HAVE_AUDIT_SYSCALLS) 1265 /* 1266 * Collects audit information for the current process and creates a subject 1267 * token from it. 1268 */ 1269 token_t * 1270 au_to_me(void) 1271 { 1272 auditinfo_t auinfo; 1273 auditinfo_addr_t aia; 1274 1275 /* 1276 * Try to use getaudit_addr(2) first. If this kernel does not support 1277 * it, then fall back on to getaudit(2). 1278 */ 1279 if (getaudit_addr(&aia, sizeof(aia)) != 0) { 1280 if (errno == ENOSYS) { 1281 if (getaudit(&auinfo) != 0) 1282 return (NULL); 1283 return (au_to_subject32(auinfo.ai_auid, geteuid(), 1284 getegid(), getuid(), getgid(), getpid(), 1285 auinfo.ai_asid, &auinfo.ai_termid)); 1286 } else { 1287 /* getaudit_addr(2) failed for some other reason. */ 1288 return (NULL); 1289 } 1290 } 1291 1292 return (au_to_subject32_ex(aia.ai_auid, geteuid(), getegid(), getuid(), 1293 getgid(), getpid(), aia.ai_asid, &aia.ai_termid)); 1294 } 1295 #endif 1296 1297 /* 1298 * token ID 1 byte 1299 * count 4 bytes 1300 * text count null-terminated strings 1301 */ 1302 token_t * 1303 au_to_exec_args(char **argv) 1304 { 1305 token_t *t; 1306 u_char *dptr = NULL; 1307 const char *nextarg; 1308 int i, count = 0; 1309 size_t totlen = 0; 1310 1311 nextarg = *argv; 1312 1313 while (nextarg != NULL) { 1314 int nextlen; 1315 1316 nextlen = strlen(nextarg); 1317 totlen += nextlen + 1; 1318 count++; 1319 nextarg = *(argv + count); 1320 } 1321 1322 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + totlen); 1323 if (t == NULL) 1324 return (NULL); 1325 1326 ADD_U_CHAR(dptr, AUT_EXEC_ARGS); 1327 ADD_U_INT32(dptr, count); 1328 1329 for (i = 0; i < count; i++) { 1330 nextarg = *(argv + i); 1331 ADD_MEM(dptr, nextarg, strlen(nextarg) + 1); 1332 } 1333 1334 return (t); 1335 } 1336 1337 /* 1338 * token ID 1 byte 1339 * count 4 bytes 1340 * text count null-terminated strings 1341 */ 1342 token_t * 1343 au_to_exec_env(char **envp) 1344 { 1345 token_t *t; 1346 u_char *dptr = NULL; 1347 int i, count = 0; 1348 size_t totlen = 0; 1349 const char *nextenv; 1350 1351 nextenv = *envp; 1352 1353 while (nextenv != NULL) { 1354 int nextlen; 1355 1356 nextlen = strlen(nextenv); 1357 totlen += nextlen + 1; 1358 count++; 1359 nextenv = *(envp + count); 1360 } 1361 1362 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + totlen); 1363 if (t == NULL) 1364 return (NULL); 1365 1366 ADD_U_CHAR(dptr, AUT_EXEC_ENV); 1367 ADD_U_INT32(dptr, count); 1368 1369 for (i = 0; i < count; i++) { 1370 nextenv = *(envp + i); 1371 ADD_MEM(dptr, nextenv, strlen(nextenv) + 1); 1372 } 1373 1374 return (t); 1375 } 1376 1377 /* 1378 * token ID 1 byte 1379 * zonename length 2 bytes 1380 * zonename N bytes + 1 terminating NULL byte 1381 */ 1382 token_t * 1383 au_to_zonename(const char *zonename) 1384 { 1385 u_char *dptr = NULL; 1386 u_int16_t textlen; 1387 token_t *t; 1388 1389 textlen = strlen(zonename) + 1; 1390 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + textlen); 1391 if (t == NULL) 1392 return (NULL); 1393 1394 ADD_U_CHAR(dptr, AUT_ZONENAME); 1395 ADD_U_INT16(dptr, textlen); 1396 ADD_STRING(dptr, zonename, textlen); 1397 return (t); 1398 } 1399 1400 /* 1401 * token ID 1 byte 1402 * record byte count 4 bytes 1403 * version # 1 byte [2] 1404 * event type 2 bytes 1405 * event modifier 2 bytes 1406 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value) 1407 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value) 1408 */ 1409 token_t * 1410 au_to_header32_tm(int rec_size, au_event_t e_type, au_emod_t e_mod, 1411 struct timeval tm) 1412 { 1413 token_t *t; 1414 u_char *dptr = NULL; 1415 u_int32_t timems; 1416 1417 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + 1418 sizeof(u_char) + 2 * sizeof(u_int16_t) + 2 * sizeof(u_int32_t)); 1419 if (t == NULL) 1420 return (NULL); 1421 1422 ADD_U_CHAR(dptr, AUT_HEADER32); 1423 ADD_U_INT32(dptr, rec_size); 1424 ADD_U_CHAR(dptr, AUDIT_HEADER_VERSION_OPENBSM); 1425 ADD_U_INT16(dptr, e_type); 1426 ADD_U_INT16(dptr, e_mod); 1427 1428 timems = tm.tv_usec/1000; 1429 /* Add the timestamp */ 1430 ADD_U_INT32(dptr, tm.tv_sec); 1431 ADD_U_INT32(dptr, timems); /* We need time in ms. */ 1432 1433 return (t); 1434 } 1435 1436 /* 1437 * token ID 1 byte 1438 * record byte count 4 bytes 1439 * version # 1 byte [2] 1440 * event type 2 bytes 1441 * event modifier 2 bytes 1442 * address type/length 4 bytes 1443 * machine address 4 bytes/16 bytes (IPv4/IPv6 address) 1444 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value) 1445 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value) 1446 */ 1447 token_t * 1448 au_to_header32_ex_tm(int rec_size, au_event_t e_type, au_emod_t e_mod, 1449 struct timeval tm, struct auditinfo_addr *aia) 1450 { 1451 token_t *t; 1452 u_char *dptr = NULL; 1453 u_int32_t timems; 1454 au_tid_addr_t *tid; 1455 1456 tid = &aia->ai_termid; 1457 if (tid->at_type != AU_IPv4 && tid->at_type != AU_IPv6) 1458 return (NULL); 1459 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + 1460 sizeof(u_char) + 2 * sizeof(u_int16_t) + 3 * 1461 sizeof(u_int32_t) + tid->at_type); 1462 if (t == NULL) 1463 return (NULL); 1464 1465 ADD_U_CHAR(dptr, AUT_HEADER32_EX); 1466 ADD_U_INT32(dptr, rec_size); 1467 ADD_U_CHAR(dptr, AUDIT_HEADER_VERSION_OPENBSM); 1468 ADD_U_INT16(dptr, e_type); 1469 ADD_U_INT16(dptr, e_mod); 1470 1471 ADD_U_INT32(dptr, tid->at_type); 1472 if (tid->at_type == AU_IPv6) 1473 ADD_MEM(dptr, &tid->at_addr[0], 4 * sizeof(u_int32_t)); 1474 else 1475 ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t)); 1476 timems = tm.tv_usec/1000; 1477 /* Add the timestamp */ 1478 ADD_U_INT32(dptr, tm.tv_sec); 1479 ADD_U_INT32(dptr, timems); /* We need time in ms. */ 1480 1481 return (t); 1482 } 1483 1484 token_t * 1485 au_to_header64_tm(int rec_size, au_event_t e_type, au_emod_t e_mod, 1486 struct timeval tm) 1487 { 1488 token_t *t; 1489 u_char *dptr = NULL; 1490 u_int32_t timems; 1491 1492 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + 1493 sizeof(u_char) + 2 * sizeof(u_int16_t) + 2 * sizeof(u_int64_t)); 1494 if (t == NULL) 1495 return (NULL); 1496 1497 ADD_U_CHAR(dptr, AUT_HEADER64); 1498 ADD_U_INT32(dptr, rec_size); 1499 ADD_U_CHAR(dptr, AUDIT_HEADER_VERSION_OPENBSM); 1500 ADD_U_INT16(dptr, e_type); 1501 ADD_U_INT16(dptr, e_mod); 1502 1503 timems = tm.tv_usec/1000; 1504 /* Add the timestamp */ 1505 ADD_U_INT64(dptr, tm.tv_sec); 1506 ADD_U_INT64(dptr, timems); /* We need time in ms. */ 1507 1508 return (t); 1509 } 1510 1511 #if !defined(KERNEL) && !defined(_KERNEL) 1512 #ifdef HAVE_AUDIT_SYSCALLS 1513 token_t * 1514 au_to_header32_ex(int rec_size, au_event_t e_type, au_emod_t e_mod) 1515 { 1516 struct timeval tm; 1517 struct auditinfo_addr aia; 1518 1519 if (gettimeofday(&tm, NULL) == -1) 1520 return (NULL); 1521 if (audit_get_kaudit(&aia, sizeof(aia)) != 0) { 1522 if (errno != ENOSYS) 1523 return (NULL); 1524 return (au_to_header32_tm(rec_size, e_type, e_mod, tm)); 1525 } 1526 return (au_to_header32_ex_tm(rec_size, e_type, e_mod, tm, &aia)); 1527 } 1528 #endif /* HAVE_AUDIT_SYSCALLS */ 1529 1530 token_t * 1531 au_to_header32(int rec_size, au_event_t e_type, au_emod_t e_mod) 1532 { 1533 struct timeval tm; 1534 1535 if (gettimeofday(&tm, NULL) == -1) 1536 return (NULL); 1537 return (au_to_header32_tm(rec_size, e_type, e_mod, tm)); 1538 } 1539 1540 token_t * 1541 au_to_header64(__unused int rec_size, __unused au_event_t e_type, 1542 __unused au_emod_t e_mod) 1543 { 1544 struct timeval tm; 1545 1546 if (gettimeofday(&tm, NULL) == -1) 1547 return (NULL); 1548 return (au_to_header64_tm(rec_size, e_type, e_mod, tm)); 1549 } 1550 1551 token_t * 1552 au_to_header(int rec_size, au_event_t e_type, au_emod_t e_mod) 1553 { 1554 1555 return (au_to_header32(rec_size, e_type, e_mod)); 1556 } 1557 1558 #ifdef HAVE_AUDIT_SYSCALLS 1559 token_t * 1560 au_to_header_ex(int rec_size, au_event_t e_type, au_emod_t e_mod) 1561 { 1562 1563 return (au_to_header32_ex(rec_size, e_type, e_mod)); 1564 } 1565 #endif /* HAVE_AUDIT_SYSCALLS */ 1566 #endif /* !defined(KERNEL) && !defined(_KERNEL) */ 1567 1568 /* 1569 * token ID 1 byte 1570 * trailer magic number 2 bytes 1571 * record byte count 4 bytes 1572 */ 1573 token_t * 1574 au_to_trailer(int rec_size) 1575 { 1576 token_t *t; 1577 u_char *dptr = NULL; 1578 u_int16_t magic = AUT_TRAILER_MAGIC; 1579 1580 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + 1581 sizeof(u_int32_t)); 1582 if (t == NULL) 1583 return (NULL); 1584 1585 ADD_U_CHAR(dptr, AUT_TRAILER); 1586 ADD_U_INT16(dptr, magic); 1587 ADD_U_INT32(dptr, rec_size); 1588 1589 return (t); 1590 } 1591