1 /*- 2 * SPDX-License-Identifier: BSD-3-Clause 3 * 4 * Copyright (c) 2004-2009 Apple Inc. 5 * Copyright (c) 2005 SPARTA, Inc. 6 * All rights reserved. 7 * 8 * This code was developed in part by Robert N. M. Watson, Senior Principal 9 * Scientist, SPARTA, Inc. 10 * 11 * Redistribution and use in source and binary forms, with or without 12 * modification, are permitted provided that the following conditions 13 * are met: 14 * 1. Redistributions of source code must retain the above copyright 15 * notice, this list of conditions and the following disclaimer. 16 * 2. Redistributions in binary form must reproduce the above copyright 17 * notice, this list of conditions and the following disclaimer in the 18 * documentation and/or other materials provided with the distribution. 19 * 3. Neither the name of Apple Inc. ("Apple") nor the names of 20 * its contributors may be used to endorse or promote products derived 21 * from this software without specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND 24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 26 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR 27 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 31 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 32 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 33 * POSSIBILITY OF SUCH DAMAGE. 34 */ 35 36 #include <sys/cdefs.h> 37 __FBSDID("$FreeBSD$"); 38 39 #include <sys/param.h> 40 #include <sys/types.h> 41 #include <sys/endian.h> 42 #include <sys/queue.h> 43 #include <sys/socket.h> 44 #include <sys/time.h> 45 46 #include <sys/ipc.h> 47 #include <sys/libkern.h> 48 #include <sys/malloc.h> 49 #include <sys/un.h> 50 51 #include <netinet/in.h> 52 #include <netinet/in_systm.h> 53 #include <netinet/ip.h> 54 55 56 #include <bsm/audit.h> 57 #include <bsm/audit_internal.h> 58 #include <bsm/audit_record.h> 59 #include <security/audit/audit.h> 60 #include <security/audit/audit_private.h> 61 62 #define GET_TOKEN_AREA(t, dptr, length) do { \ 63 t = malloc(sizeof(token_t), M_AUDITBSM, M_WAITOK); \ 64 t->t_data = malloc(length, M_AUDITBSM, M_WAITOK | M_ZERO); \ 65 t->len = length; \ 66 dptr = t->t_data; \ 67 } while (0) 68 69 /* 70 * token ID 1 byte 71 * success/failure 1 byte 72 * privstrlen 2 bytes 73 * privstr N bytes + 1 (\0 byte) 74 */ 75 token_t * 76 au_to_upriv(char sorf, char *priv) 77 { 78 u_int16_t textlen; 79 u_char *dptr; 80 token_t *t; 81 82 textlen = strlen(priv) + 1; 83 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_char) + 84 sizeof(u_int16_t) + textlen); 85 86 ADD_U_CHAR(dptr, AUT_UPRIV); 87 ADD_U_CHAR(dptr, sorf); 88 ADD_U_INT16(dptr, textlen); 89 ADD_STRING(dptr, priv, textlen); 90 return (t); 91 } 92 93 /* 94 * token ID 1 byte 95 * privtstrlen 2 bytes 96 * privtstr N bytes + 1 97 * privstrlen 2 bytes 98 * privstr N bytes + 1 99 */ 100 token_t * 101 au_to_privset(char *privtypestr, char *privstr) 102 { 103 u_int16_t type_len, priv_len; 104 u_char *dptr; 105 token_t *t; 106 107 type_len = strlen(privtypestr) + 1; 108 priv_len = strlen(privstr) + 1; 109 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + 110 sizeof(u_int16_t) + type_len + priv_len); 111 112 ADD_U_CHAR(dptr, AUT_PRIV); 113 ADD_U_INT16(dptr, type_len); 114 ADD_STRING(dptr, privtypestr, type_len); 115 ADD_U_INT16(dptr, priv_len); 116 ADD_STRING(dptr, privstr, priv_len); 117 return (t); 118 } 119 120 /* 121 * token ID 1 byte 122 * argument # 1 byte 123 * argument value 4 bytes/8 bytes (32-bit/64-bit value) 124 * text length 2 bytes 125 * text N bytes + 1 terminating NULL byte 126 */ 127 token_t * 128 au_to_arg32(char n, const char *text, u_int32_t v) 129 { 130 token_t *t; 131 u_char *dptr = NULL; 132 u_int16_t textlen; 133 134 textlen = strlen(text); 135 textlen += 1; 136 137 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int32_t) + 138 sizeof(u_int16_t) + textlen); 139 140 ADD_U_CHAR(dptr, AUT_ARG32); 141 ADD_U_CHAR(dptr, n); 142 ADD_U_INT32(dptr, v); 143 ADD_U_INT16(dptr, textlen); 144 ADD_STRING(dptr, text, textlen); 145 146 return (t); 147 } 148 149 token_t * 150 au_to_arg64(char n, const char *text, u_int64_t v) 151 { 152 token_t *t; 153 u_char *dptr = NULL; 154 u_int16_t textlen; 155 156 textlen = strlen(text); 157 textlen += 1; 158 159 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int64_t) + 160 sizeof(u_int16_t) + textlen); 161 162 ADD_U_CHAR(dptr, AUT_ARG64); 163 ADD_U_CHAR(dptr, n); 164 ADD_U_INT64(dptr, v); 165 ADD_U_INT16(dptr, textlen); 166 ADD_STRING(dptr, text, textlen); 167 168 return (t); 169 } 170 171 token_t * 172 au_to_arg(char n, const char *text, u_int32_t v) 173 { 174 175 return (au_to_arg32(n, text, v)); 176 } 177 178 #if defined(_KERNEL) || defined(KERNEL) 179 /* 180 * token ID 1 byte 181 * file access mode 4 bytes 182 * owner user ID 4 bytes 183 * owner group ID 4 bytes 184 * file system ID 4 bytes 185 * node ID 8 bytes 186 * device 4 bytes/8 bytes (32-bit/64-bit) 187 */ 188 token_t * 189 au_to_attr32(struct vnode_au_info *vni) 190 { 191 token_t *t; 192 u_char *dptr = NULL; 193 u_int16_t pad0_16 = 0; 194 u_int32_t pad0_32 = 0; 195 196 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) + 197 3 * sizeof(u_int32_t) + sizeof(u_int64_t) + sizeof(u_int32_t)); 198 199 ADD_U_CHAR(dptr, AUT_ATTR32); 200 201 /* 202 * BSD defines the size for the file mode as 2 bytes; BSM defines 4 203 * so pad with 0. 204 * 205 * XXXRW: Possibly should be conditionally compiled. 206 * 207 * XXXRW: Should any conversions take place on the mode? 208 */ 209 ADD_U_INT16(dptr, pad0_16); 210 ADD_U_INT16(dptr, vni->vn_mode); 211 212 ADD_U_INT32(dptr, vni->vn_uid); 213 ADD_U_INT32(dptr, vni->vn_gid); 214 ADD_U_INT32(dptr, vni->vn_fsid); 215 216 /* 217 * Some systems use 32-bit file ID's, others use 64-bit file IDs. 218 * Attempt to handle both, and let the compiler sort it out. If we 219 * could pick this out at compile-time, it would be better, so as to 220 * avoid the else case below. 221 */ 222 if (sizeof(vni->vn_fileid) == sizeof(uint32_t)) { 223 ADD_U_INT32(dptr, pad0_32); 224 ADD_U_INT32(dptr, vni->vn_fileid); 225 } else if (sizeof(vni->vn_fileid) == sizeof(uint64_t)) 226 ADD_U_INT64(dptr, vni->vn_fileid); 227 else 228 ADD_U_INT64(dptr, 0LL); 229 230 ADD_U_INT32(dptr, vni->vn_dev); 231 232 return (t); 233 } 234 235 token_t * 236 au_to_attr64(struct vnode_au_info *vni) 237 { 238 token_t *t; 239 u_char *dptr = NULL; 240 u_int16_t pad0_16 = 0; 241 u_int32_t pad0_32 = 0; 242 243 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) + 244 3 * sizeof(u_int32_t) + sizeof(u_int64_t) * 2); 245 246 ADD_U_CHAR(dptr, AUT_ATTR64); 247 248 /* 249 * BSD defines the size for the file mode as 2 bytes; BSM defines 4 250 * so pad with 0. 251 * 252 * XXXRW: Possibly should be conditionally compiled. 253 * 254 * XXXRW: Should any conversions take place on the mode? 255 */ 256 ADD_U_INT16(dptr, pad0_16); 257 ADD_U_INT16(dptr, vni->vn_mode); 258 259 ADD_U_INT32(dptr, vni->vn_uid); 260 ADD_U_INT32(dptr, vni->vn_gid); 261 ADD_U_INT32(dptr, vni->vn_fsid); 262 263 /* 264 * Some systems use 32-bit file ID's, other's use 64-bit file IDs. 265 * Attempt to handle both, and let the compiler sort it out. If we 266 * could pick this out at compile-time, it would be better, so as to 267 * avoid the else case below. 268 */ 269 if (sizeof(vni->vn_fileid) == sizeof(uint32_t)) { 270 ADD_U_INT32(dptr, pad0_32); 271 ADD_U_INT32(dptr, vni->vn_fileid); 272 } else if (sizeof(vni->vn_fileid) == sizeof(uint64_t)) 273 ADD_U_INT64(dptr, vni->vn_fileid); 274 else 275 ADD_U_INT64(dptr, 0LL); 276 277 ADD_U_INT64(dptr, vni->vn_dev); 278 279 return (t); 280 } 281 282 token_t * 283 au_to_attr(struct vnode_au_info *vni) 284 { 285 286 return (au_to_attr32(vni)); 287 } 288 #endif /* !(defined(_KERNEL) || defined(KERNEL) */ 289 290 /* 291 * token ID 1 byte 292 * how to print 1 byte 293 * basic unit 1 byte 294 * unit count 1 byte 295 * data items (depends on basic unit) 296 */ 297 token_t * 298 au_to_data(char unit_print, char unit_type, char unit_count, const char *p) 299 { 300 token_t *t; 301 u_char *dptr = NULL; 302 size_t datasize, totdata; 303 304 /* Determine the size of the basic unit. */ 305 switch (unit_type) { 306 case AUR_BYTE: 307 /* case AUR_CHAR: */ 308 datasize = AUR_BYTE_SIZE; 309 break; 310 311 case AUR_SHORT: 312 datasize = AUR_SHORT_SIZE; 313 break; 314 315 case AUR_INT32: 316 /* case AUR_INT: */ 317 datasize = AUR_INT32_SIZE; 318 break; 319 320 case AUR_INT64: 321 datasize = AUR_INT64_SIZE; 322 break; 323 324 default: 325 return (NULL); 326 } 327 328 totdata = datasize * unit_count; 329 330 GET_TOKEN_AREA(t, dptr, 4 * sizeof(u_char) + totdata); 331 332 /* 333 * XXXRW: We should be byte-swapping each data item for multi-byte 334 * types. 335 */ 336 ADD_U_CHAR(dptr, AUT_DATA); 337 ADD_U_CHAR(dptr, unit_print); 338 ADD_U_CHAR(dptr, unit_type); 339 ADD_U_CHAR(dptr, unit_count); 340 ADD_MEM(dptr, p, totdata); 341 342 return (t); 343 } 344 345 346 /* 347 * token ID 1 byte 348 * status 4 bytes 349 * return value 4 bytes 350 */ 351 token_t * 352 au_to_exit(int retval, int err) 353 { 354 token_t *t; 355 u_char *dptr = NULL; 356 357 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int32_t)); 358 359 ADD_U_CHAR(dptr, AUT_EXIT); 360 ADD_U_INT32(dptr, err); 361 ADD_U_INT32(dptr, retval); 362 363 return (t); 364 } 365 366 /* 367 */ 368 token_t * 369 au_to_groups(int *groups) 370 { 371 372 return (au_to_newgroups(AUDIT_MAX_GROUPS, (gid_t *)groups)); 373 } 374 375 /* 376 * token ID 1 byte 377 * number groups 2 bytes 378 * group list count * 4 bytes 379 */ 380 token_t * 381 au_to_newgroups(u_int16_t n, gid_t *groups) 382 { 383 token_t *t; 384 u_char *dptr = NULL; 385 int i; 386 387 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + 388 n * sizeof(u_int32_t)); 389 390 ADD_U_CHAR(dptr, AUT_NEWGROUPS); 391 ADD_U_INT16(dptr, n); 392 for (i = 0; i < n; i++) 393 ADD_U_INT32(dptr, groups[i]); 394 395 return (t); 396 } 397 398 /* 399 * token ID 1 byte 400 * internet address 4 bytes 401 */ 402 token_t * 403 au_to_in_addr(struct in_addr *internet_addr) 404 { 405 token_t *t; 406 u_char *dptr = NULL; 407 408 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(uint32_t)); 409 410 ADD_U_CHAR(dptr, AUT_IN_ADDR); 411 ADD_MEM(dptr, &internet_addr->s_addr, sizeof(uint32_t)); 412 413 return (t); 414 } 415 416 /* 417 * token ID 1 byte 418 * address type/length 4 bytes 419 * address 16 bytes 420 */ 421 token_t * 422 au_to_in_addr_ex(struct in6_addr *internet_addr) 423 { 424 token_t *t; 425 u_char *dptr = NULL; 426 u_int32_t type = AU_IPv6; 427 428 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 5 * sizeof(uint32_t)); 429 430 ADD_U_CHAR(dptr, AUT_IN_ADDR_EX); 431 ADD_U_INT32(dptr, type); 432 ADD_MEM(dptr, internet_addr, 4 * sizeof(uint32_t)); 433 434 return (t); 435 } 436 437 /* 438 * token ID 1 byte 439 * ip header 20 bytes 440 * 441 * The IP header should be submitted in network byte order. 442 */ 443 token_t * 444 au_to_ip(struct ip *ip) 445 { 446 token_t *t; 447 u_char *dptr = NULL; 448 449 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(struct ip)); 450 451 ADD_U_CHAR(dptr, AUT_IP); 452 ADD_MEM(dptr, ip, sizeof(struct ip)); 453 454 return (t); 455 } 456 457 /* 458 * token ID 1 byte 459 * object ID type 1 byte 460 * object ID 4 bytes 461 */ 462 token_t * 463 au_to_ipc(char type, int id) 464 { 465 token_t *t; 466 u_char *dptr = NULL; 467 468 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int32_t)); 469 470 ADD_U_CHAR(dptr, AUT_IPC); 471 ADD_U_CHAR(dptr, type); 472 ADD_U_INT32(dptr, id); 473 474 return (t); 475 } 476 477 /* 478 * token ID 1 byte 479 * owner user ID 4 bytes 480 * owner group ID 4 bytes 481 * creator user ID 4 bytes 482 * creator group ID 4 bytes 483 * access mode 4 bytes 484 * slot sequence # 4 bytes 485 * key 4 bytes 486 */ 487 token_t * 488 au_to_ipc_perm(struct ipc_perm *perm) 489 { 490 token_t *t; 491 u_char *dptr = NULL; 492 u_int16_t pad0 = 0; 493 494 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 12 * sizeof(u_int16_t) + 495 sizeof(u_int32_t)); 496 497 ADD_U_CHAR(dptr, AUT_IPC_PERM); 498 499 /* 500 * Systems vary significantly in what types they use in struct 501 * ipc_perm; at least a few still use 16-bit uid's and gid's, so 502 * allow for that, as BSM define 32-bit values here. 503 * Some systems define the sizes for ipc_perm members as 2 bytes; 504 * BSM defines 4 so pad with 0. 505 * 506 * XXXRW: Possibly shoulid be conditionally compiled, and more cases 507 * need to be handled. 508 */ 509 if (sizeof(perm->uid) != sizeof(u_int32_t)) { 510 ADD_U_INT16(dptr, pad0); 511 ADD_U_INT16(dptr, perm->uid); 512 ADD_U_INT16(dptr, pad0); 513 ADD_U_INT16(dptr, perm->gid); 514 ADD_U_INT16(dptr, pad0); 515 ADD_U_INT16(dptr, perm->cuid); 516 ADD_U_INT16(dptr, pad0); 517 ADD_U_INT16(dptr, perm->cgid); 518 } else { 519 ADD_U_INT32(dptr, perm->uid); 520 ADD_U_INT32(dptr, perm->gid); 521 ADD_U_INT32(dptr, perm->cuid); 522 ADD_U_INT32(dptr, perm->cgid); 523 } 524 525 ADD_U_INT16(dptr, pad0); 526 ADD_U_INT16(dptr, perm->mode); 527 528 ADD_U_INT16(dptr, pad0); 529 530 ADD_U_INT16(dptr, perm->seq); 531 532 ADD_U_INT32(dptr, perm->key); 533 534 return (t); 535 } 536 537 /* 538 * token ID 1 byte 539 * port IP address 2 bytes 540 */ 541 token_t * 542 au_to_iport(u_int16_t iport) 543 { 544 token_t *t; 545 u_char *dptr = NULL; 546 547 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t)); 548 549 ADD_U_CHAR(dptr, AUT_IPORT); 550 ADD_U_INT16(dptr, iport); 551 552 return (t); 553 } 554 555 /* 556 * token ID 1 byte 557 * size 2 bytes 558 * data size bytes 559 */ 560 token_t * 561 au_to_opaque(const char *data, u_int16_t bytes) 562 { 563 token_t *t; 564 u_char *dptr = NULL; 565 566 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + bytes); 567 568 ADD_U_CHAR(dptr, AUT_OPAQUE); 569 ADD_U_INT16(dptr, bytes); 570 ADD_MEM(dptr, data, bytes); 571 572 return (t); 573 } 574 575 /* 576 * token ID 1 byte 577 * seconds of time 4 bytes 578 * milliseconds of time 4 bytes 579 * file name len 2 bytes 580 * file pathname N bytes + 1 terminating NULL byte 581 */ 582 token_t * 583 au_to_file(const char *file, struct timeval tm) 584 { 585 token_t *t; 586 u_char *dptr = NULL; 587 u_int16_t filelen; 588 u_int32_t timems; 589 590 filelen = strlen(file); 591 filelen += 1; 592 593 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int32_t) + 594 sizeof(u_int16_t) + filelen); 595 596 timems = tm.tv_usec/1000; 597 598 ADD_U_CHAR(dptr, AUT_OTHER_FILE32); 599 ADD_U_INT32(dptr, tm.tv_sec); 600 ADD_U_INT32(dptr, timems); /* We need time in ms. */ 601 ADD_U_INT16(dptr, filelen); 602 ADD_STRING(dptr, file, filelen); 603 604 return (t); 605 } 606 607 /* 608 * token ID 1 byte 609 * text length 2 bytes 610 * text N bytes + 1 terminating NULL byte 611 */ 612 token_t * 613 au_to_text(const char *text) 614 { 615 token_t *t; 616 u_char *dptr = NULL; 617 u_int16_t textlen; 618 619 textlen = strlen(text); 620 textlen += 1; 621 622 /* XXXRW: Should validate length against token size limit. */ 623 624 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + textlen); 625 626 ADD_U_CHAR(dptr, AUT_TEXT); 627 ADD_U_INT16(dptr, textlen); 628 ADD_STRING(dptr, text, textlen); 629 630 return (t); 631 } 632 633 /* 634 * token ID 1 byte 635 * path length 2 bytes 636 * path N bytes + 1 terminating NULL byte 637 */ 638 token_t * 639 au_to_path(const char *text) 640 { 641 token_t *t; 642 u_char *dptr = NULL; 643 u_int16_t textlen; 644 645 textlen = strlen(text); 646 textlen += 1; 647 648 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + textlen); 649 650 ADD_U_CHAR(dptr, AUT_PATH); 651 ADD_U_INT16(dptr, textlen); 652 ADD_STRING(dptr, text, textlen); 653 654 return (t); 655 } 656 657 /* 658 * token ID 1 byte 659 * audit ID 4 bytes 660 * effective user ID 4 bytes 661 * effective group ID 4 bytes 662 * real user ID 4 bytes 663 * real group ID 4 bytes 664 * process ID 4 bytes 665 * session ID 4 bytes 666 * terminal ID 667 * port ID 4 bytes/8 bytes (32-bit/64-bit value) 668 * machine address 4 bytes 669 */ 670 token_t * 671 au_to_process32(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, 672 pid_t pid, au_asid_t sid, au_tid_t *tid) 673 { 674 token_t *t; 675 u_char *dptr = NULL; 676 677 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 9 * sizeof(u_int32_t)); 678 679 ADD_U_CHAR(dptr, AUT_PROCESS32); 680 ADD_U_INT32(dptr, auid); 681 ADD_U_INT32(dptr, euid); 682 ADD_U_INT32(dptr, egid); 683 ADD_U_INT32(dptr, ruid); 684 ADD_U_INT32(dptr, rgid); 685 ADD_U_INT32(dptr, pid); 686 ADD_U_INT32(dptr, sid); 687 ADD_U_INT32(dptr, tid->port); 688 689 /* 690 * Note: Solaris will write out IPv6 addresses here as a 32-bit 691 * address type and 16 bytes of address, but for IPv4 addresses it 692 * simply writes the 4-byte address directly. We support only IPv4 693 * addresses for process32 tokens. 694 */ 695 ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t)); 696 697 return (t); 698 } 699 700 token_t * 701 au_to_process64(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, 702 pid_t pid, au_asid_t sid, au_tid_t *tid) 703 { 704 token_t *t; 705 u_char *dptr = NULL; 706 707 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 8 * sizeof(u_int32_t) + 708 sizeof(u_int64_t)); 709 710 ADD_U_CHAR(dptr, AUT_PROCESS64); 711 ADD_U_INT32(dptr, auid); 712 ADD_U_INT32(dptr, euid); 713 ADD_U_INT32(dptr, egid); 714 ADD_U_INT32(dptr, ruid); 715 ADD_U_INT32(dptr, rgid); 716 ADD_U_INT32(dptr, pid); 717 ADD_U_INT32(dptr, sid); 718 ADD_U_INT64(dptr, tid->port); 719 720 /* 721 * Note: Solaris will write out IPv6 addresses here as a 32-bit 722 * address type and 16 bytes of address, but for IPv4 addresses it 723 * simply writes the 4-byte address directly. We support only IPv4 724 * addresses for process64 tokens. 725 */ 726 ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t)); 727 728 return (t); 729 } 730 731 token_t * 732 au_to_process(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, 733 pid_t pid, au_asid_t sid, au_tid_t *tid) 734 { 735 736 return (au_to_process32(auid, euid, egid, ruid, rgid, pid, sid, 737 tid)); 738 } 739 740 /* 741 * token ID 1 byte 742 * audit ID 4 bytes 743 * effective user ID 4 bytes 744 * effective group ID 4 bytes 745 * real user ID 4 bytes 746 * real group ID 4 bytes 747 * process ID 4 bytes 748 * session ID 4 bytes 749 * terminal ID 750 * port ID 4 bytes/8 bytes (32-bit/64-bit value) 751 * address type-len 4 bytes 752 * machine address 16 bytes 753 */ 754 token_t * 755 au_to_process32_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, 756 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid) 757 { 758 token_t *t; 759 u_char *dptr = NULL; 760 761 KASSERT((tid->at_type == AU_IPv4) || (tid->at_type == AU_IPv6), 762 ("au_to_process32_ex: type %u", (unsigned int)tid->at_type)); 763 if (tid->at_type == AU_IPv4) 764 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 765 10 * sizeof(u_int32_t)); 766 else 767 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 768 13 * sizeof(u_int32_t)); 769 770 ADD_U_CHAR(dptr, AUT_PROCESS32_EX); 771 ADD_U_INT32(dptr, auid); 772 ADD_U_INT32(dptr, euid); 773 ADD_U_INT32(dptr, egid); 774 ADD_U_INT32(dptr, ruid); 775 ADD_U_INT32(dptr, rgid); 776 ADD_U_INT32(dptr, pid); 777 ADD_U_INT32(dptr, sid); 778 ADD_U_INT32(dptr, tid->at_port); 779 ADD_U_INT32(dptr, tid->at_type); 780 ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t)); 781 if (tid->at_type == AU_IPv6) { 782 ADD_MEM(dptr, &tid->at_addr[1], sizeof(u_int32_t)); 783 ADD_MEM(dptr, &tid->at_addr[2], sizeof(u_int32_t)); 784 ADD_MEM(dptr, &tid->at_addr[3], sizeof(u_int32_t)); 785 } 786 787 return (t); 788 } 789 790 token_t * 791 au_to_process64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, 792 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid) 793 { 794 token_t *t; 795 u_char *dptr = NULL; 796 797 if (tid->at_type == AU_IPv4) 798 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 799 7 * sizeof(u_int32_t) + sizeof(u_int64_t) + 800 2 * sizeof(u_int32_t)); 801 else if (tid->at_type == AU_IPv6) 802 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 803 7 * sizeof(u_int32_t) + sizeof(u_int64_t) + 804 5 * sizeof(u_int32_t)); 805 else 806 panic("au_to_process64_ex: invalidate at_type (%d)", 807 tid->at_type); 808 809 ADD_U_CHAR(dptr, AUT_PROCESS64_EX); 810 ADD_U_INT32(dptr, auid); 811 ADD_U_INT32(dptr, euid); 812 ADD_U_INT32(dptr, egid); 813 ADD_U_INT32(dptr, ruid); 814 ADD_U_INT32(dptr, rgid); 815 ADD_U_INT32(dptr, pid); 816 ADD_U_INT32(dptr, sid); 817 ADD_U_INT64(dptr, tid->at_port); 818 ADD_U_INT32(dptr, tid->at_type); 819 ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t)); 820 if (tid->at_type == AU_IPv6) { 821 ADD_MEM(dptr, &tid->at_addr[1], sizeof(u_int32_t)); 822 ADD_MEM(dptr, &tid->at_addr[2], sizeof(u_int32_t)); 823 ADD_MEM(dptr, &tid->at_addr[3], sizeof(u_int32_t)); 824 } 825 826 return (t); 827 } 828 829 token_t * 830 au_to_process_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, 831 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid) 832 { 833 834 return (au_to_process32_ex(auid, euid, egid, ruid, rgid, pid, sid, 835 tid)); 836 } 837 838 token_t * 839 au_to_rights(cap_rights_t *rightsp) 840 { 841 token_t *t; 842 u_char *dptr; 843 int i; 844 845 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(*rightsp)); 846 847 ADD_U_CHAR(dptr, AUT_RIGHTS); 848 for (i = 0; i < nitems(rightsp->cr_rights); i++) 849 ADD_U_INT64(dptr, rightsp->cr_rights[i]); 850 851 return (t); 852 } 853 854 /* 855 * token ID 1 byte 856 * error status 1 byte 857 * return value 4 bytes/8 bytes (32-bit/64-bit value) 858 */ 859 token_t * 860 au_to_return32(char status, u_int32_t ret) 861 { 862 token_t *t; 863 u_char *dptr = NULL; 864 865 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int32_t)); 866 867 ADD_U_CHAR(dptr, AUT_RETURN32); 868 ADD_U_CHAR(dptr, status); 869 ADD_U_INT32(dptr, ret); 870 871 return (t); 872 } 873 874 token_t * 875 au_to_return64(char status, u_int64_t ret) 876 { 877 token_t *t; 878 u_char *dptr = NULL; 879 880 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int64_t)); 881 882 ADD_U_CHAR(dptr, AUT_RETURN64); 883 ADD_U_CHAR(dptr, status); 884 ADD_U_INT64(dptr, ret); 885 886 return (t); 887 } 888 889 token_t * 890 au_to_return(char status, u_int32_t ret) 891 { 892 893 return (au_to_return32(status, ret)); 894 } 895 896 /* 897 * token ID 1 byte 898 * sequence number 4 bytes 899 */ 900 token_t * 901 au_to_seq(long audit_count) 902 { 903 token_t *t; 904 u_char *dptr = NULL; 905 906 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t)); 907 908 ADD_U_CHAR(dptr, AUT_SEQ); 909 ADD_U_INT32(dptr, audit_count); 910 911 return (t); 912 } 913 914 /* 915 * token ID 1 byte 916 * socket domain 2 bytes 917 * socket type 2 bytes 918 * address type 2 byte 919 * local port 2 bytes 920 * local address 4 bytes/16 bytes (IPv4/IPv6 address) 921 * remote port 2 bytes 922 * remote address 4 bytes/16 bytes (IPv4/IPv6 address) 923 * 924 * Domain and type arguments to this routine are assumed to already have been 925 * converted to the BSM constant space, so we don't do that here. 926 */ 927 token_t * 928 au_to_socket_ex(u_short so_domain, u_short so_type, 929 struct sockaddr *sa_local, struct sockaddr *sa_remote) 930 { 931 token_t *t; 932 u_char *dptr = NULL; 933 struct sockaddr_in *sin; 934 struct sockaddr_in6 *sin6; 935 936 if (so_domain == AF_INET) 937 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 938 5 * sizeof(u_int16_t) + 2 * sizeof(u_int32_t)); 939 else if (so_domain == AF_INET6) 940 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 941 5 * sizeof(u_int16_t) + 8 * sizeof(u_int32_t)); 942 else 943 return (NULL); 944 945 ADD_U_CHAR(dptr, AUT_SOCKET_EX); 946 ADD_U_INT16(dptr, au_domain_to_bsm(so_domain)); 947 ADD_U_INT16(dptr, au_socket_type_to_bsm(so_type)); 948 if (so_domain == AF_INET) { 949 ADD_U_INT16(dptr, AU_IPv4); 950 sin = (struct sockaddr_in *)sa_local; 951 ADD_MEM(dptr, &sin->sin_port, sizeof(uint16_t)); 952 ADD_MEM(dptr, &sin->sin_addr.s_addr, sizeof(uint32_t)); 953 sin = (struct sockaddr_in *)sa_remote; 954 ADD_MEM(dptr, &sin->sin_port, sizeof(uint16_t)); 955 ADD_MEM(dptr, &sin->sin_addr.s_addr, sizeof(uint32_t)); 956 } else { 957 ADD_U_INT16(dptr, AU_IPv6); 958 sin6 = (struct sockaddr_in6 *)sa_local; 959 ADD_MEM(dptr, &sin6->sin6_port, sizeof(uint16_t)); 960 ADD_MEM(dptr, &sin6->sin6_addr, 4 * sizeof(uint32_t)); 961 sin6 = (struct sockaddr_in6 *)sa_remote; 962 ADD_MEM(dptr, &sin6->sin6_port, sizeof(uint16_t)); 963 ADD_MEM(dptr, &sin6->sin6_addr, 4 * sizeof(uint32_t)); 964 } 965 966 return (t); 967 } 968 969 /* 970 * Kernel-specific version of the above function. 971 * 972 * XXXRW: Should now use au_to_socket_ex() here. 973 */ 974 #ifdef _KERNEL 975 token_t * 976 kau_to_socket(struct socket_au_info *soi) 977 { 978 token_t *t; 979 u_char *dptr; 980 u_int16_t so_type; 981 982 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) + 983 sizeof(u_int32_t) + sizeof(u_int16_t) + sizeof(u_int32_t)); 984 985 ADD_U_CHAR(dptr, AUT_SOCKET); 986 /* Coerce the socket type into a short value */ 987 so_type = soi->so_type; 988 ADD_U_INT16(dptr, so_type); 989 ADD_U_INT16(dptr, soi->so_lport); 990 ADD_U_INT32(dptr, soi->so_laddr); 991 ADD_U_INT16(dptr, soi->so_rport); 992 ADD_U_INT32(dptr, soi->so_raddr); 993 994 return (t); 995 } 996 #endif 997 998 /* 999 * token ID 1 byte 1000 * socket family 2 bytes 1001 * path (up to) 104 bytes + NULL (NULL terminated string) 1002 */ 1003 token_t * 1004 au_to_sock_unix(struct sockaddr_un *so) 1005 { 1006 token_t *t; 1007 u_char *dptr; 1008 1009 GET_TOKEN_AREA(t, dptr, 3 * sizeof(u_char) + strlen(so->sun_path) + 1); 1010 1011 ADD_U_CHAR(dptr, AUT_SOCKUNIX); 1012 /* BSM token has two bytes for family */ 1013 ADD_U_CHAR(dptr, 0); 1014 ADD_U_CHAR(dptr, so->sun_family); 1015 ADD_STRING(dptr, so->sun_path, strlen(so->sun_path) + 1); 1016 1017 return (t); 1018 } 1019 1020 /* 1021 * token ID 1 byte 1022 * socket family 2 bytes 1023 * local port 2 bytes 1024 * socket address 4 bytes 1025 */ 1026 token_t * 1027 au_to_sock_inet32(struct sockaddr_in *so) 1028 { 1029 token_t *t; 1030 u_char *dptr = NULL; 1031 uint16_t family; 1032 1033 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(uint16_t) + 1034 sizeof(uint32_t)); 1035 1036 ADD_U_CHAR(dptr, AUT_SOCKINET32); 1037 /* 1038 * BSM defines the family field as 16 bits, but many operating 1039 * systems have an 8-bit sin_family field. Extend to 16 bits before 1040 * writing into the token. Assume that both the port and the address 1041 * in the sockaddr_in are already in network byte order, but family 1042 * is in local byte order. 1043 * 1044 * XXXRW: Should a name space conversion be taking place on the value 1045 * of sin_family? 1046 */ 1047 family = so->sin_family; 1048 ADD_U_INT16(dptr, family); 1049 ADD_MEM(dptr, &so->sin_port, sizeof(uint16_t)); 1050 ADD_MEM(dptr, &so->sin_addr.s_addr, sizeof(uint32_t)); 1051 1052 return (t); 1053 } 1054 1055 token_t * 1056 au_to_sock_inet128(struct sockaddr_in6 *so) 1057 { 1058 token_t *t; 1059 u_char *dptr = NULL; 1060 1061 GET_TOKEN_AREA(t, dptr, 3 * sizeof(u_char) + sizeof(u_int16_t) + 1062 4 * sizeof(u_int32_t)); 1063 1064 ADD_U_CHAR(dptr, AUT_SOCKINET128); 1065 /* 1066 * In BSD, sin6_family is one octet, but BSM defines the token to 1067 * store two. So we copy in a 0 first. XXXRW: Possibly should be 1068 * conditionally compiled. 1069 */ 1070 ADD_U_CHAR(dptr, 0); 1071 ADD_U_CHAR(dptr, so->sin6_family); 1072 1073 ADD_U_INT16(dptr, so->sin6_port); 1074 ADD_MEM(dptr, &so->sin6_addr, 4 * sizeof(uint32_t)); 1075 1076 return (t); 1077 } 1078 1079 token_t * 1080 au_to_sock_inet(struct sockaddr_in *so) 1081 { 1082 1083 return (au_to_sock_inet32(so)); 1084 } 1085 1086 /* 1087 * token ID 1 byte 1088 * audit ID 4 bytes 1089 * effective user ID 4 bytes 1090 * effective group ID 4 bytes 1091 * real user ID 4 bytes 1092 * real group ID 4 bytes 1093 * process ID 4 bytes 1094 * session ID 4 bytes 1095 * terminal ID 1096 * port ID 4 bytes/8 bytes (32-bit/64-bit value) 1097 * machine address 4 bytes 1098 */ 1099 token_t * 1100 au_to_subject32(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, 1101 pid_t pid, au_asid_t sid, au_tid_t *tid) 1102 { 1103 token_t *t; 1104 u_char *dptr = NULL; 1105 1106 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 9 * sizeof(u_int32_t)); 1107 1108 ADD_U_CHAR(dptr, AUT_SUBJECT32); 1109 ADD_U_INT32(dptr, auid); 1110 ADD_U_INT32(dptr, euid); 1111 ADD_U_INT32(dptr, egid); 1112 ADD_U_INT32(dptr, ruid); 1113 ADD_U_INT32(dptr, rgid); 1114 ADD_U_INT32(dptr, pid); 1115 ADD_U_INT32(dptr, sid); 1116 ADD_U_INT32(dptr, tid->port); 1117 ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t)); 1118 1119 return (t); 1120 } 1121 1122 token_t * 1123 au_to_subject64(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, 1124 pid_t pid, au_asid_t sid, au_tid_t *tid) 1125 { 1126 token_t *t; 1127 u_char *dptr = NULL; 1128 1129 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 7 * sizeof(u_int32_t) + 1130 sizeof(u_int64_t) + sizeof(u_int32_t)); 1131 1132 ADD_U_CHAR(dptr, AUT_SUBJECT64); 1133 ADD_U_INT32(dptr, auid); 1134 ADD_U_INT32(dptr, euid); 1135 ADD_U_INT32(dptr, egid); 1136 ADD_U_INT32(dptr, ruid); 1137 ADD_U_INT32(dptr, rgid); 1138 ADD_U_INT32(dptr, pid); 1139 ADD_U_INT32(dptr, sid); 1140 ADD_U_INT64(dptr, tid->port); 1141 ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t)); 1142 1143 return (t); 1144 } 1145 1146 token_t * 1147 au_to_subject(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, 1148 pid_t pid, au_asid_t sid, au_tid_t *tid) 1149 { 1150 1151 return (au_to_subject32(auid, euid, egid, ruid, rgid, pid, sid, 1152 tid)); 1153 } 1154 1155 /* 1156 * token ID 1 byte 1157 * audit ID 4 bytes 1158 * effective user ID 4 bytes 1159 * effective group ID 4 bytes 1160 * real user ID 4 bytes 1161 * real group ID 4 bytes 1162 * process ID 4 bytes 1163 * session ID 4 bytes 1164 * terminal ID 1165 * port ID 4 bytes/8 bytes (32-bit/64-bit value) 1166 * address type/length 4 bytes 1167 * machine address 16 bytes 1168 */ 1169 token_t * 1170 au_to_subject32_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, 1171 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid) 1172 { 1173 token_t *t; 1174 u_char *dptr = NULL; 1175 1176 KASSERT((tid->at_type == AU_IPv4) || (tid->at_type == AU_IPv6), 1177 ("au_to_subject32_ex: type %u", (unsigned int)tid->at_type)); 1178 1179 if (tid->at_type == AU_IPv4) 1180 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 10 * 1181 sizeof(u_int32_t)); 1182 else 1183 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 13 * 1184 sizeof(u_int32_t)); 1185 1186 ADD_U_CHAR(dptr, AUT_SUBJECT32_EX); 1187 ADD_U_INT32(dptr, auid); 1188 ADD_U_INT32(dptr, euid); 1189 ADD_U_INT32(dptr, egid); 1190 ADD_U_INT32(dptr, ruid); 1191 ADD_U_INT32(dptr, rgid); 1192 ADD_U_INT32(dptr, pid); 1193 ADD_U_INT32(dptr, sid); 1194 ADD_U_INT32(dptr, tid->at_port); 1195 ADD_U_INT32(dptr, tid->at_type); 1196 if (tid->at_type == AU_IPv6) 1197 ADD_MEM(dptr, &tid->at_addr[0], 4 * sizeof(u_int32_t)); 1198 else 1199 ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t)); 1200 1201 return (t); 1202 } 1203 1204 token_t * 1205 au_to_subject64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, 1206 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid) 1207 { 1208 token_t *t; 1209 u_char *dptr = NULL; 1210 1211 KASSERT((tid->at_type == AU_IPv4) || (tid->at_type == AU_IPv6), 1212 ("au_to_subject64_ex: type %u", (unsigned int)tid->at_type)); 1213 1214 if (tid->at_type == AU_IPv4) 1215 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 1216 7 * sizeof(u_int32_t) + sizeof(u_int64_t) + 1217 2 * sizeof(u_int32_t)); 1218 else 1219 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 1220 7 * sizeof(u_int32_t) + sizeof(u_int64_t) + 1221 5 * sizeof(u_int32_t)); 1222 1223 ADD_U_CHAR(dptr, AUT_SUBJECT64_EX); 1224 ADD_U_INT32(dptr, auid); 1225 ADD_U_INT32(dptr, euid); 1226 ADD_U_INT32(dptr, egid); 1227 ADD_U_INT32(dptr, ruid); 1228 ADD_U_INT32(dptr, rgid); 1229 ADD_U_INT32(dptr, pid); 1230 ADD_U_INT32(dptr, sid); 1231 ADD_U_INT64(dptr, tid->at_port); 1232 ADD_U_INT32(dptr, tid->at_type); 1233 if (tid->at_type == AU_IPv6) 1234 ADD_MEM(dptr, &tid->at_addr[0], 4 * sizeof(u_int32_t)); 1235 else 1236 ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t)); 1237 1238 return (t); 1239 } 1240 1241 token_t * 1242 au_to_subject_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, 1243 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid) 1244 { 1245 1246 return (au_to_subject32_ex(auid, euid, egid, ruid, rgid, pid, sid, 1247 tid)); 1248 } 1249 1250 #if !defined(_KERNEL) && !defined(KERNEL) && defined(HAVE_AUDIT_SYSCALLS) 1251 /* 1252 * Collects audit information for the current process and creates a subject 1253 * token from it. 1254 */ 1255 token_t * 1256 au_to_me(void) 1257 { 1258 auditinfo_t auinfo; 1259 auditinfo_addr_t aia; 1260 1261 /* 1262 * Try to use getaudit_addr(2) first. If this kernel does not support 1263 * it, then fall back on to getaudit(2). 1264 */ 1265 if (getaudit_addr(&aia, sizeof(aia)) != 0) { 1266 if (errno == ENOSYS) { 1267 if (getaudit(&auinfo) != 0) 1268 return (NULL); 1269 return (au_to_subject32(auinfo.ai_auid, geteuid(), 1270 getegid(), getuid(), getgid(), getpid(), 1271 auinfo.ai_asid, &auinfo.ai_termid)); 1272 } else { 1273 /* getaudit_addr(2) failed for some other reason. */ 1274 return (NULL); 1275 } 1276 } 1277 1278 return (au_to_subject32_ex(aia.ai_auid, geteuid(), getegid(), getuid(), 1279 getgid(), getpid(), aia.ai_asid, &aia.ai_termid)); 1280 } 1281 #endif 1282 1283 #if defined(_KERNEL) || defined(KERNEL) 1284 static token_t * 1285 au_to_exec_strings(char *strs, int count, u_char type) 1286 { 1287 token_t *t; 1288 u_char *dptr = NULL; 1289 u_int32_t totlen; 1290 int ctr; 1291 char *p; 1292 1293 totlen = 0; 1294 ctr = count; 1295 p = strs; 1296 while (ctr-- > 0) { 1297 totlen += strlen(p) + 1; 1298 p = strs + totlen; 1299 } 1300 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + totlen); 1301 ADD_U_CHAR(dptr, type); 1302 ADD_U_INT32(dptr, count); 1303 ADD_STRING(dptr, strs, totlen); 1304 1305 return (t); 1306 } 1307 1308 /* 1309 * token ID 1 byte 1310 * count 4 bytes 1311 * text count null-terminated strings 1312 */ 1313 token_t * 1314 au_to_exec_args(char *args, int argc) 1315 { 1316 1317 return (au_to_exec_strings(args, argc, AUT_EXEC_ARGS)); 1318 } 1319 1320 /* 1321 * token ID 1 byte 1322 * count 4 bytes 1323 * text count null-terminated strings 1324 */ 1325 token_t * 1326 au_to_exec_env(char *envs, int envc) 1327 { 1328 1329 return (au_to_exec_strings(envs, envc, AUT_EXEC_ENV)); 1330 } 1331 #else 1332 /* 1333 * token ID 1 byte 1334 * count 4 bytes 1335 * text count null-terminated strings 1336 */ 1337 token_t * 1338 au_to_exec_args(char **argv) 1339 { 1340 token_t *t; 1341 u_char *dptr = NULL; 1342 const char *nextarg; 1343 int i, count = 0; 1344 size_t totlen = 0; 1345 1346 nextarg = *argv; 1347 1348 while (nextarg != NULL) { 1349 int nextlen; 1350 1351 nextlen = strlen(nextarg); 1352 totlen += nextlen + 1; 1353 count++; 1354 nextarg = *(argv + count); 1355 } 1356 1357 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + totlen); 1358 1359 ADD_U_CHAR(dptr, AUT_EXEC_ARGS); 1360 ADD_U_INT32(dptr, count); 1361 1362 for (i = 0; i < count; i++) { 1363 nextarg = *(argv + i); 1364 ADD_MEM(dptr, nextarg, strlen(nextarg) + 1); 1365 } 1366 1367 return (t); 1368 } 1369 1370 /* 1371 * token ID 1 byte 1372 * count 4 bytes 1373 * text count null-terminated strings 1374 */ 1375 token_t * 1376 au_to_exec_env(char **envp) 1377 { 1378 token_t *t; 1379 u_char *dptr = NULL; 1380 int i, count = 0; 1381 size_t totlen = 0; 1382 const char *nextenv; 1383 1384 nextenv = *envp; 1385 1386 while (nextenv != NULL) { 1387 int nextlen; 1388 1389 nextlen = strlen(nextenv); 1390 totlen += nextlen + 1; 1391 count++; 1392 nextenv = *(envp + count); 1393 } 1394 1395 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + totlen); 1396 1397 ADD_U_CHAR(dptr, AUT_EXEC_ENV); 1398 ADD_U_INT32(dptr, count); 1399 1400 for (i = 0; i < count; i++) { 1401 nextenv = *(envp + i); 1402 ADD_MEM(dptr, nextenv, strlen(nextenv) + 1); 1403 } 1404 1405 return (t); 1406 } 1407 #endif 1408 1409 /* 1410 * token ID 1 byte 1411 * zonename length 2 bytes 1412 * zonename N bytes + 1 terminating NULL byte 1413 */ 1414 token_t * 1415 au_to_zonename(const char *zonename) 1416 { 1417 u_char *dptr = NULL; 1418 u_int16_t textlen; 1419 token_t *t; 1420 1421 textlen = strlen(zonename) + 1; 1422 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + textlen); 1423 1424 ADD_U_CHAR(dptr, AUT_ZONENAME); 1425 ADD_U_INT16(dptr, textlen); 1426 ADD_STRING(dptr, zonename, textlen); 1427 return (t); 1428 } 1429 1430 /* 1431 * token ID 1 byte 1432 * record byte count 4 bytes 1433 * version # 1 byte [2] 1434 * event type 2 bytes 1435 * event modifier 2 bytes 1436 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value) 1437 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value) 1438 */ 1439 token_t * 1440 au_to_header32_tm(int rec_size, au_event_t e_type, au_emod_t e_mod, 1441 struct timeval tm) 1442 { 1443 token_t *t; 1444 u_char *dptr = NULL; 1445 u_int32_t timems; 1446 1447 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + 1448 sizeof(u_char) + 2 * sizeof(u_int16_t) + 2 * sizeof(u_int32_t)); 1449 1450 ADD_U_CHAR(dptr, AUT_HEADER32); 1451 ADD_U_INT32(dptr, rec_size); 1452 ADD_U_CHAR(dptr, AUDIT_HEADER_VERSION_OPENBSM); 1453 ADD_U_INT16(dptr, e_type); 1454 ADD_U_INT16(dptr, e_mod); 1455 1456 timems = tm.tv_usec/1000; 1457 /* Add the timestamp */ 1458 ADD_U_INT32(dptr, tm.tv_sec); 1459 ADD_U_INT32(dptr, timems); /* We need time in ms. */ 1460 1461 return (t); 1462 } 1463 1464 /* 1465 * token ID 1 byte 1466 * record byte count 4 bytes 1467 * version # 1 byte [2] 1468 * event type 2 bytes 1469 * event modifier 2 bytes 1470 * address type/length 4 bytes 1471 * machine address 4 bytes/16 bytes (IPv4/IPv6 address) 1472 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value) 1473 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value) 1474 */ 1475 token_t * 1476 au_to_header32_ex_tm(int rec_size, au_event_t e_type, au_emod_t e_mod, 1477 struct timeval tm, struct auditinfo_addr *aia) 1478 { 1479 token_t *t; 1480 u_char *dptr = NULL; 1481 u_int32_t timems; 1482 au_tid_addr_t *tid; 1483 1484 tid = &aia->ai_termid; 1485 KASSERT(tid->at_type == AU_IPv4 || tid->at_type == AU_IPv6, 1486 ("au_to_header32_ex_tm: invalid address family")); 1487 1488 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + 1489 sizeof(u_char) + 2 * sizeof(u_int16_t) + 3 * 1490 sizeof(u_int32_t) + tid->at_type); 1491 1492 ADD_U_CHAR(dptr, AUT_HEADER32_EX); 1493 ADD_U_INT32(dptr, rec_size); 1494 ADD_U_CHAR(dptr, AUDIT_HEADER_VERSION_OPENBSM); 1495 ADD_U_INT16(dptr, e_type); 1496 ADD_U_INT16(dptr, e_mod); 1497 1498 ADD_U_INT32(dptr, tid->at_type); 1499 if (tid->at_type == AU_IPv6) 1500 ADD_MEM(dptr, &tid->at_addr[0], 4 * sizeof(u_int32_t)); 1501 else 1502 ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t)); 1503 timems = tm.tv_usec/1000; 1504 /* Add the timestamp */ 1505 ADD_U_INT32(dptr, tm.tv_sec); 1506 ADD_U_INT32(dptr, timems); /* We need time in ms. */ 1507 1508 return (t); 1509 } 1510 1511 token_t * 1512 au_to_header64_tm(int rec_size, au_event_t e_type, au_emod_t e_mod, 1513 struct timeval tm) 1514 { 1515 token_t *t; 1516 u_char *dptr = NULL; 1517 u_int32_t timems; 1518 1519 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + 1520 sizeof(u_char) + 2 * sizeof(u_int16_t) + 2 * sizeof(u_int64_t)); 1521 1522 ADD_U_CHAR(dptr, AUT_HEADER64); 1523 ADD_U_INT32(dptr, rec_size); 1524 ADD_U_CHAR(dptr, AUDIT_HEADER_VERSION_OPENBSM); 1525 ADD_U_INT16(dptr, e_type); 1526 ADD_U_INT16(dptr, e_mod); 1527 1528 timems = tm.tv_usec/1000; 1529 /* Add the timestamp */ 1530 ADD_U_INT64(dptr, tm.tv_sec); 1531 ADD_U_INT64(dptr, timems); /* We need time in ms. */ 1532 1533 return (t); 1534 } 1535 1536 #if !defined(KERNEL) && !defined(_KERNEL) 1537 #ifdef HAVE_AUDIT_SYSCALLS 1538 token_t * 1539 au_to_header32_ex(int rec_size, au_event_t e_type, au_emod_t e_mod) 1540 { 1541 struct timeval tm; 1542 struct auditinfo_addr aia; 1543 1544 if (gettimeofday(&tm, NULL) == -1) 1545 return (NULL); 1546 if (audit_get_kaudit(&aia, sizeof(aia)) != 0) { 1547 if (errno != ENOSYS) 1548 return (NULL); 1549 return (au_to_header32_tm(rec_size, e_type, e_mod, tm)); 1550 } 1551 return (au_to_header32_ex_tm(rec_size, e_type, e_mod, tm, &aia)); 1552 } 1553 #endif /* HAVE_AUDIT_SYSCALLS */ 1554 1555 token_t * 1556 au_to_header32(int rec_size, au_event_t e_type, au_emod_t e_mod) 1557 { 1558 struct timeval tm; 1559 1560 if (gettimeofday(&tm, NULL) == -1) 1561 return (NULL); 1562 return (au_to_header32_tm(rec_size, e_type, e_mod, tm)); 1563 } 1564 1565 token_t * 1566 au_to_header64(__unused int rec_size, __unused au_event_t e_type, 1567 __unused au_emod_t e_mod) 1568 { 1569 struct timeval tm; 1570 1571 if (gettimeofday(&tm, NULL) == -1) 1572 return (NULL); 1573 return (au_to_header64_tm(rec_size, e_type, e_mod, tm)); 1574 } 1575 1576 token_t * 1577 au_to_header(int rec_size, au_event_t e_type, au_emod_t e_mod) 1578 { 1579 1580 return (au_to_header32(rec_size, e_type, e_mod)); 1581 } 1582 1583 #ifdef HAVE_AUDIT_SYSCALLS 1584 token_t * 1585 au_to_header_ex(int rec_size, au_event_t e_type, au_emod_t e_mod) 1586 { 1587 1588 return (au_to_header32_ex(rec_size, e_type, e_mod)); 1589 } 1590 #endif /* HAVE_AUDIT_SYSCALLS */ 1591 #endif /* !defined(KERNEL) && !defined(_KERNEL) */ 1592 1593 /* 1594 * token ID 1 byte 1595 * trailer magic number 2 bytes 1596 * record byte count 4 bytes 1597 */ 1598 token_t * 1599 au_to_trailer(int rec_size) 1600 { 1601 token_t *t; 1602 u_char *dptr = NULL; 1603 u_int16_t magic = AUT_TRAILER_MAGIC; 1604 1605 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + 1606 sizeof(u_int32_t)); 1607 1608 ADD_U_CHAR(dptr, AUT_TRAILER); 1609 ADD_U_INT16(dptr, magic); 1610 ADD_U_INT32(dptr, rec_size); 1611 1612 return (t); 1613 } 1614