xref: /freebsd/sys/security/audit/bsm_token.c (revision 3f0efe05432b1633991114ca4ca330102a561959)
1 /*-
2  * SPDX-License-Identifier: BSD-3-Clause
3  *
4  * Copyright (c) 2004-2009 Apple Inc.
5  * Copyright (c) 2005 SPARTA, Inc.
6  * All rights reserved.
7  *
8  * This code was developed in part by Robert N. M. Watson, Senior Principal
9  * Scientist, SPARTA, Inc.
10  *
11  * Redistribution and use in source and binary forms, with or without
12  * modification, are permitted provided that the following conditions
13  * are met:
14  * 1.  Redistributions of source code must retain the above copyright
15  *     notice, this list of conditions and the following disclaimer.
16  * 2.  Redistributions in binary form must reproduce the above copyright
17  *     notice, this list of conditions and the following disclaimer in the
18  *     documentation and/or other materials provided with the distribution.
19  * 3.  Neither the name of Apple Inc. ("Apple") nor the names of
20  *     its contributors may be used to endorse or promote products derived
21  *     from this software without specific prior written permission.
22  *
23  * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
24  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26  * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
27  * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
31  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
32  * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
33  * POSSIBILITY OF SUCH DAMAGE.
34  */
35 
36 #include <sys/param.h>
37 #include <sys/types.h>
38 #include <sys/endian.h>
39 #include <sys/queue.h>
40 #include <sys/socket.h>
41 #include <sys/time.h>
42 
43 #include <sys/ipc.h>
44 #include <sys/libkern.h>
45 #include <sys/malloc.h>
46 #include <sys/un.h>
47 
48 #include <netinet/in.h>
49 #include <netinet/in_systm.h>
50 #include <netinet/ip.h>
51 
52 #include <bsm/audit.h>
53 #include <bsm/audit_internal.h>
54 #include <bsm/audit_record.h>
55 #include <security/audit/audit.h>
56 #include <security/audit/audit_private.h>
57 
58 #define	GET_TOKEN_AREA(t, dptr, length) do {				\
59 	t = malloc(sizeof(token_t), M_AUDITBSM, M_WAITOK);		\
60 	t->t_data = malloc(length, M_AUDITBSM, M_WAITOK | M_ZERO);	\
61 	t->len = length;						\
62 	dptr = t->t_data;						\
63 } while (0)
64 
65 /*
66  * token ID                1 byte
67  * success/failure         1 byte
68  * privstrlen              2 bytes
69  * privstr                 N bytes + 1 (\0 byte)
70  */
71 token_t *
72 au_to_upriv(char sorf, char *priv)
73 {
74 	u_int16_t textlen;
75 	u_char *dptr;
76 	token_t *t;
77 
78 	textlen = strlen(priv) + 1;
79 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_char) +
80 	    sizeof(u_int16_t) + textlen);
81 
82 	ADD_U_CHAR(dptr, AUT_UPRIV);
83 	ADD_U_CHAR(dptr, sorf);
84 	ADD_U_INT16(dptr, textlen);
85 	ADD_STRING(dptr, priv, textlen);
86 	return (t);
87 }
88 
89 /*
90  * token ID		1 byte
91  * privtstrlen		2 bytes
92  * privtstr		N bytes + 1
93  * privstrlen		2 bytes
94  * privstr		N bytes + 1
95  */
96 token_t *
97 au_to_privset(char *privtypestr, char *privstr)
98 {
99 	u_int16_t	 type_len, priv_len;
100 	u_char		*dptr;
101 	token_t		*t;
102 
103 	type_len = strlen(privtypestr) + 1;
104 	priv_len = strlen(privstr) + 1;
105 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) +
106 	    sizeof(u_int16_t) + type_len + priv_len);
107 
108 	ADD_U_CHAR(dptr, AUT_PRIV);
109 	ADD_U_INT16(dptr, type_len);
110 	ADD_STRING(dptr, privtypestr, type_len);
111 	ADD_U_INT16(dptr, priv_len);
112 	ADD_STRING(dptr, privstr, priv_len);
113 	return (t);
114 }
115 
116 /*
117  * token ID                1 byte
118  * argument #              1 byte
119  * argument value          4 bytes/8 bytes (32-bit/64-bit value)
120  * text length             2 bytes
121  * text                    N bytes + 1 terminating NULL byte
122  */
123 token_t *
124 au_to_arg32(char n, const char *text, u_int32_t v)
125 {
126 	token_t *t;
127 	u_char *dptr = NULL;
128 	u_int16_t textlen;
129 
130 	textlen = strlen(text);
131 	textlen += 1;
132 
133 	GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int32_t) +
134 	    sizeof(u_int16_t) + textlen);
135 
136 	ADD_U_CHAR(dptr, AUT_ARG32);
137 	ADD_U_CHAR(dptr, n);
138 	ADD_U_INT32(dptr, v);
139 	ADD_U_INT16(dptr, textlen);
140 	ADD_STRING(dptr, text, textlen);
141 
142 	return (t);
143 }
144 
145 token_t *
146 au_to_arg64(char n, const char *text, u_int64_t v)
147 {
148 	token_t *t;
149 	u_char *dptr = NULL;
150 	u_int16_t textlen;
151 
152 	textlen = strlen(text);
153 	textlen += 1;
154 
155 	GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int64_t) +
156 	    sizeof(u_int16_t) + textlen);
157 
158 	ADD_U_CHAR(dptr, AUT_ARG64);
159 	ADD_U_CHAR(dptr, n);
160 	ADD_U_INT64(dptr, v);
161 	ADD_U_INT16(dptr, textlen);
162 	ADD_STRING(dptr, text, textlen);
163 
164 	return (t);
165 }
166 
167 token_t *
168 au_to_arg(char n, const char *text, u_int32_t v)
169 {
170 
171 	return (au_to_arg32(n, text, v));
172 }
173 
174 #if defined(_KERNEL) || defined(KERNEL)
175 /*
176  * token ID                1 byte
177  * file access mode        4 bytes
178  * owner user ID           4 bytes
179  * owner group ID          4 bytes
180  * file system ID          4 bytes
181  * node ID                 8 bytes
182  * device                  4 bytes/8 bytes (32-bit/64-bit)
183  */
184 token_t *
185 au_to_attr32(struct vnode_au_info *vni)
186 {
187 	token_t *t;
188 	u_char *dptr = NULL;
189 	u_int16_t pad0_16 = 0;
190 	u_int32_t pad0_32 = 0;
191 
192 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) +
193 	    3 * sizeof(u_int32_t) + sizeof(u_int64_t) + sizeof(u_int32_t));
194 
195 	ADD_U_CHAR(dptr, AUT_ATTR32);
196 
197 	/*
198 	 * BSD defines the size for the file mode as 2 bytes; BSM defines 4
199 	 * so pad with 0.
200 	 *
201 	 * XXXRW: Possibly should be conditionally compiled.
202 	 *
203 	 * XXXRW: Should any conversions take place on the mode?
204 	 */
205 	ADD_U_INT16(dptr, pad0_16);
206 	ADD_U_INT16(dptr, vni->vn_mode);
207 
208 	ADD_U_INT32(dptr, vni->vn_uid);
209 	ADD_U_INT32(dptr, vni->vn_gid);
210 	ADD_U_INT32(dptr, vni->vn_fsid);
211 
212 	/*
213 	 * Some systems use 32-bit file ID's, others use 64-bit file IDs.
214 	 * Attempt to handle both, and let the compiler sort it out.  If we
215 	 * could pick this out at compile-time, it would be better, so as to
216 	 * avoid the else case below.
217 	 */
218 	if (sizeof(vni->vn_fileid) == sizeof(uint32_t)) {
219 		ADD_U_INT32(dptr, pad0_32);
220 		ADD_U_INT32(dptr, vni->vn_fileid);
221 	} else if (sizeof(vni->vn_fileid) == sizeof(uint64_t))
222 		ADD_U_INT64(dptr, vni->vn_fileid);
223 	else
224 		ADD_U_INT64(dptr, 0LL);
225 
226 	ADD_U_INT32(dptr, vni->vn_dev);
227 
228 	return (t);
229 }
230 
231 token_t *
232 au_to_attr64(struct vnode_au_info *vni)
233 {
234 	token_t *t;
235 	u_char *dptr = NULL;
236 	u_int16_t pad0_16 = 0;
237 	u_int32_t pad0_32 = 0;
238 
239 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) +
240 	    3 * sizeof(u_int32_t) + sizeof(u_int64_t) * 2);
241 
242 	ADD_U_CHAR(dptr, AUT_ATTR64);
243 
244 	/*
245 	 * BSD defines the size for the file mode as 2 bytes; BSM defines 4
246 	 * so pad with 0.
247 	 *
248 	 * XXXRW: Possibly should be conditionally compiled.
249 	 *
250 	 * XXXRW: Should any conversions take place on the mode?
251 	 */
252 	ADD_U_INT16(dptr, pad0_16);
253 	ADD_U_INT16(dptr, vni->vn_mode);
254 
255 	ADD_U_INT32(dptr, vni->vn_uid);
256 	ADD_U_INT32(dptr, vni->vn_gid);
257 	ADD_U_INT32(dptr, vni->vn_fsid);
258 
259 	/*
260 	 * Some systems use 32-bit file ID's, other's use 64-bit file IDs.
261 	 * Attempt to handle both, and let the compiler sort it out.  If we
262 	 * could pick this out at compile-time, it would be better, so as to
263 	 * avoid the else case below.
264 	 */
265 	if (sizeof(vni->vn_fileid) == sizeof(uint32_t)) {
266 		ADD_U_INT32(dptr, pad0_32);
267 		ADD_U_INT32(dptr, vni->vn_fileid);
268 	} else if (sizeof(vni->vn_fileid) == sizeof(uint64_t))
269 		ADD_U_INT64(dptr, vni->vn_fileid);
270 	else
271 		ADD_U_INT64(dptr, 0LL);
272 
273 	ADD_U_INT64(dptr, vni->vn_dev);
274 
275 	return (t);
276 }
277 
278 token_t *
279 au_to_attr(struct vnode_au_info *vni)
280 {
281 
282 	return (au_to_attr32(vni));
283 }
284 #endif /* !(defined(_KERNEL) || defined(KERNEL) */
285 
286 /*
287  * token ID                1 byte
288  * how to print            1 byte
289  * basic unit              1 byte
290  * unit count              1 byte
291  * data items              (depends on basic unit)
292  */
293 token_t *
294 au_to_data(char unit_print, char unit_type, char unit_count, const char *p)
295 {
296 	token_t *t;
297 	u_char *dptr = NULL;
298 	size_t datasize, totdata;
299 
300 	/* Determine the size of the basic unit. */
301 	switch (unit_type) {
302 	case AUR_BYTE:
303 	/* case AUR_CHAR: */
304 		datasize = AUR_BYTE_SIZE;
305 		break;
306 
307 	case AUR_SHORT:
308 		datasize = AUR_SHORT_SIZE;
309 		break;
310 
311 	case AUR_INT32:
312 	/* case AUR_INT: */
313 		datasize = AUR_INT32_SIZE;
314 		break;
315 
316 	case AUR_INT64:
317 		datasize = AUR_INT64_SIZE;
318 		break;
319 
320 	default:
321 		return (NULL);
322 	}
323 
324 	totdata = datasize * unit_count;
325 
326 	GET_TOKEN_AREA(t, dptr, 4 * sizeof(u_char) + totdata);
327 
328 	/*
329 	 * XXXRW: We should be byte-swapping each data item for multi-byte
330 	 * types.
331 	 */
332 	ADD_U_CHAR(dptr, AUT_DATA);
333 	ADD_U_CHAR(dptr, unit_print);
334 	ADD_U_CHAR(dptr, unit_type);
335 	ADD_U_CHAR(dptr, unit_count);
336 	ADD_MEM(dptr, p, totdata);
337 
338 	return (t);
339 }
340 
341 /*
342  * token ID                1 byte
343  * status		   4 bytes
344  * return value            4 bytes
345  */
346 token_t *
347 au_to_exit(int retval, int err)
348 {
349 	token_t *t;
350 	u_char *dptr = NULL;
351 
352 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int32_t));
353 
354 	ADD_U_CHAR(dptr, AUT_EXIT);
355 	ADD_U_INT32(dptr, err);
356 	ADD_U_INT32(dptr, retval);
357 
358 	return (t);
359 }
360 
361 /*
362  */
363 token_t *
364 au_to_groups(int *groups)
365 {
366 
367 	return (au_to_newgroups(AUDIT_MAX_GROUPS, (gid_t *)groups));
368 }
369 
370 /*
371  * token ID                1 byte
372  * number groups           2 bytes
373  * group list              count * 4 bytes
374  */
375 token_t *
376 au_to_newgroups(u_int16_t n, gid_t *groups)
377 {
378 	token_t *t;
379 	u_char *dptr = NULL;
380 	int i;
381 
382 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) +
383 	    n * sizeof(u_int32_t));
384 
385 	ADD_U_CHAR(dptr, AUT_NEWGROUPS);
386 	ADD_U_INT16(dptr, n);
387 	for (i = 0; i < n; i++)
388 		ADD_U_INT32(dptr, groups[i]);
389 
390 	return (t);
391 }
392 
393 /*
394  * token ID                1 byte
395  * internet address        4 bytes
396  */
397 token_t *
398 au_to_in_addr(struct in_addr *internet_addr)
399 {
400 	token_t *t;
401 	u_char *dptr = NULL;
402 
403 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(uint32_t));
404 
405 	ADD_U_CHAR(dptr, AUT_IN_ADDR);
406 	ADD_MEM(dptr, &internet_addr->s_addr, sizeof(uint32_t));
407 
408 	return (t);
409 }
410 
411 /*
412  * token ID                1 byte
413  * address type/length     4 bytes
414  * address                16 bytes
415  */
416 token_t *
417 au_to_in_addr_ex(struct in6_addr *internet_addr)
418 {
419 	token_t *t;
420 	u_char *dptr = NULL;
421 	u_int32_t type = AU_IPv6;
422 
423 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 5 * sizeof(uint32_t));
424 
425 	ADD_U_CHAR(dptr, AUT_IN_ADDR_EX);
426 	ADD_U_INT32(dptr, type);
427 	ADD_MEM(dptr, internet_addr, 4 * sizeof(uint32_t));
428 
429 	return (t);
430 }
431 
432 /*
433  * token ID                1 byte
434  * ip header		   20 bytes
435  *
436  * The IP header should be submitted in network byte order.
437  */
438 token_t *
439 au_to_ip(struct ip *ip)
440 {
441 	token_t *t;
442 	u_char *dptr = NULL;
443 
444 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(struct ip));
445 
446 	ADD_U_CHAR(dptr, AUT_IP);
447 	ADD_MEM(dptr, ip, sizeof(struct ip));
448 
449 	return (t);
450 }
451 
452 /*
453  * token ID                1 byte
454  * object ID type          1 byte
455  * object ID               4 bytes
456  */
457 token_t *
458 au_to_ipc(char type, int id)
459 {
460 	token_t *t;
461 	u_char *dptr = NULL;
462 
463 	GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int32_t));
464 
465 	ADD_U_CHAR(dptr, AUT_IPC);
466 	ADD_U_CHAR(dptr, type);
467 	ADD_U_INT32(dptr, id);
468 
469 	return (t);
470 }
471 
472 /*
473  * token ID                1 byte
474  * owner user ID           4 bytes
475  * owner group ID          4 bytes
476  * creator user ID         4 bytes
477  * creator group ID        4 bytes
478  * access mode             4 bytes
479  * slot sequence #         4 bytes
480  * key                     4 bytes
481  */
482 token_t *
483 au_to_ipc_perm(struct ipc_perm *perm)
484 {
485 	token_t *t;
486 	u_char *dptr = NULL;
487 	u_int16_t pad0 = 0;
488 
489 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 12 * sizeof(u_int16_t) +
490 	    sizeof(u_int32_t));
491 
492 	ADD_U_CHAR(dptr, AUT_IPC_PERM);
493 
494 	/*
495 	 * Systems vary significantly in what types they use in struct
496 	 * ipc_perm; at least a few still use 16-bit uid's and gid's, so
497 	 * allow for that, as BSM define 32-bit values here.
498 	 * Some systems define the sizes for ipc_perm members as 2 bytes;
499 	 * BSM defines 4 so pad with 0.
500 	 *
501 	 * XXXRW: Possibly shoulid be conditionally compiled, and more cases
502 	 * need to be handled.
503 	 */
504 	if (sizeof(perm->uid) != sizeof(u_int32_t)) {
505 		ADD_U_INT16(dptr, pad0);
506 		ADD_U_INT16(dptr, perm->uid);
507 		ADD_U_INT16(dptr, pad0);
508 		ADD_U_INT16(dptr, perm->gid);
509 		ADD_U_INT16(dptr, pad0);
510 		ADD_U_INT16(dptr, perm->cuid);
511 		ADD_U_INT16(dptr, pad0);
512 		ADD_U_INT16(dptr, perm->cgid);
513 	} else {
514 		ADD_U_INT32(dptr, perm->uid);
515 		ADD_U_INT32(dptr, perm->gid);
516 		ADD_U_INT32(dptr, perm->cuid);
517 		ADD_U_INT32(dptr, perm->cgid);
518 	}
519 
520 	ADD_U_INT16(dptr, pad0);
521 	ADD_U_INT16(dptr, perm->mode);
522 
523 	ADD_U_INT16(dptr, pad0);
524 
525 	ADD_U_INT16(dptr, perm->seq);
526 
527 	ADD_U_INT32(dptr, perm->key);
528 
529 	return (t);
530 }
531 
532 /*
533  * token ID                1 byte
534  * port IP address         2 bytes
535  */
536 token_t *
537 au_to_iport(u_int16_t iport)
538 {
539 	token_t *t;
540 	u_char *dptr = NULL;
541 
542 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t));
543 
544 	ADD_U_CHAR(dptr, AUT_IPORT);
545 	ADD_U_INT16(dptr, iport);
546 
547 	return (t);
548 }
549 
550 /*
551  * token ID                1 byte
552  * size                    2 bytes
553  * data                    size bytes
554  */
555 token_t *
556 au_to_opaque(const char *data, u_int16_t bytes)
557 {
558 	token_t *t;
559 	u_char *dptr = NULL;
560 
561 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + bytes);
562 
563 	ADD_U_CHAR(dptr, AUT_OPAQUE);
564 	ADD_U_INT16(dptr, bytes);
565 	ADD_MEM(dptr, data, bytes);
566 
567 	return (t);
568 }
569 
570 /*
571  * token ID                1 byte
572  * seconds of time         4 bytes
573  * milliseconds of time    4 bytes
574  * file name len           2 bytes
575  * file pathname           N bytes + 1 terminating NULL byte
576  */
577 token_t *
578 au_to_file(const char *file, struct timeval tm)
579 {
580 	token_t *t;
581 	u_char *dptr = NULL;
582 	u_int16_t filelen;
583 	u_int32_t timems;
584 
585 	filelen = strlen(file);
586 	filelen += 1;
587 
588 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int32_t) +
589 	    sizeof(u_int16_t) + filelen);
590 
591 	timems = tm.tv_usec/1000;
592 
593 	ADD_U_CHAR(dptr, AUT_OTHER_FILE32);
594 	ADD_U_INT32(dptr, tm.tv_sec);
595 	ADD_U_INT32(dptr, timems);	/* We need time in ms. */
596 	ADD_U_INT16(dptr, filelen);
597 	ADD_STRING(dptr, file, filelen);
598 
599 	return (t);
600 }
601 
602 /*
603  * token ID                1 byte
604  * text length             2 bytes
605  * text                    N bytes + 1 terminating NULL byte
606  */
607 token_t *
608 au_to_text(const char *text)
609 {
610 	token_t *t;
611 	u_char *dptr = NULL;
612 	u_int16_t textlen;
613 
614 	textlen = strlen(text);
615 	textlen += 1;
616 
617 	/* XXXRW: Should validate length against token size limit. */
618 
619 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + textlen);
620 
621 	ADD_U_CHAR(dptr, AUT_TEXT);
622 	ADD_U_INT16(dptr, textlen);
623 	ADD_STRING(dptr, text, textlen);
624 
625 	return (t);
626 }
627 
628 /*
629  * token ID                1 byte
630  * path length             2 bytes
631  * path                    N bytes + 1 terminating NULL byte
632  */
633 token_t *
634 au_to_path(const char *text)
635 {
636 	token_t *t;
637 	u_char *dptr = NULL;
638 	u_int16_t textlen;
639 
640 	textlen = strlen(text);
641 	textlen += 1;
642 
643 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + textlen);
644 
645 	ADD_U_CHAR(dptr, AUT_PATH);
646 	ADD_U_INT16(dptr, textlen);
647 	ADD_STRING(dptr, text, textlen);
648 
649 	return (t);
650 }
651 
652 /*
653  * token ID                1 byte
654  * audit ID                4 bytes
655  * effective user ID       4 bytes
656  * effective group ID      4 bytes
657  * real user ID            4 bytes
658  * real group ID           4 bytes
659  * process ID              4 bytes
660  * session ID              4 bytes
661  * terminal ID
662  *   port ID               4 bytes/8 bytes (32-bit/64-bit value)
663  *   machine address       4 bytes
664  */
665 token_t *
666 au_to_process32(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
667     pid_t pid, au_asid_t sid, au_tid_t *tid)
668 {
669 	token_t *t;
670 	u_char *dptr = NULL;
671 
672 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 9 * sizeof(u_int32_t));
673 
674 	ADD_U_CHAR(dptr, AUT_PROCESS32);
675 	ADD_U_INT32(dptr, auid);
676 	ADD_U_INT32(dptr, euid);
677 	ADD_U_INT32(dptr, egid);
678 	ADD_U_INT32(dptr, ruid);
679 	ADD_U_INT32(dptr, rgid);
680 	ADD_U_INT32(dptr, pid);
681 	ADD_U_INT32(dptr, sid);
682 	ADD_U_INT32(dptr, tid->port);
683 
684 	/*
685 	 * Note: Solaris will write out IPv6 addresses here as a 32-bit
686 	 * address type and 16 bytes of address, but for IPv4 addresses it
687 	 * simply writes the 4-byte address directly.  We support only IPv4
688 	 * addresses for process32 tokens.
689 	 */
690 	ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t));
691 
692 	return (t);
693 }
694 
695 token_t *
696 au_to_process64(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
697     pid_t pid, au_asid_t sid, au_tid_t *tid)
698 {
699 	token_t *t;
700 	u_char *dptr = NULL;
701 
702 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 8 * sizeof(u_int32_t) +
703 	    sizeof(u_int64_t));
704 
705 	ADD_U_CHAR(dptr, AUT_PROCESS64);
706 	ADD_U_INT32(dptr, auid);
707 	ADD_U_INT32(dptr, euid);
708 	ADD_U_INT32(dptr, egid);
709 	ADD_U_INT32(dptr, ruid);
710 	ADD_U_INT32(dptr, rgid);
711 	ADD_U_INT32(dptr, pid);
712 	ADD_U_INT32(dptr, sid);
713 	ADD_U_INT64(dptr, tid->port);
714 
715 	/*
716 	 * Note: Solaris will write out IPv6 addresses here as a 32-bit
717 	 * address type and 16 bytes of address, but for IPv4 addresses it
718 	 * simply writes the 4-byte address directly.  We support only IPv4
719 	 * addresses for process64 tokens.
720 	 */
721 	ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t));
722 
723 	return (t);
724 }
725 
726 token_t *
727 au_to_process(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
728     pid_t pid, au_asid_t sid, au_tid_t *tid)
729 {
730 
731 	return (au_to_process32(auid, euid, egid, ruid, rgid, pid, sid,
732 	    tid));
733 }
734 
735 /*
736  * token ID                1 byte
737  * audit ID                4 bytes
738  * effective user ID       4 bytes
739  * effective group ID      4 bytes
740  * real user ID            4 bytes
741  * real group ID           4 bytes
742  * process ID              4 bytes
743  * session ID              4 bytes
744  * terminal ID
745  *   port ID               4 bytes/8 bytes (32-bit/64-bit value)
746  *   address type-len      4 bytes
747  *   machine address      16 bytes
748  */
749 token_t *
750 au_to_process32_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
751     gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
752 {
753 	token_t *t;
754 	u_char *dptr = NULL;
755 
756 	KASSERT((tid->at_type == AU_IPv4) || (tid->at_type == AU_IPv6),
757 	    ("au_to_process32_ex: type %u", (unsigned int)tid->at_type));
758 	if (tid->at_type == AU_IPv4)
759 		GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
760 		    10 * sizeof(u_int32_t));
761 	else
762 		GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
763 		    13 * sizeof(u_int32_t));
764 
765 	ADD_U_CHAR(dptr, AUT_PROCESS32_EX);
766 	ADD_U_INT32(dptr, auid);
767 	ADD_U_INT32(dptr, euid);
768 	ADD_U_INT32(dptr, egid);
769 	ADD_U_INT32(dptr, ruid);
770 	ADD_U_INT32(dptr, rgid);
771 	ADD_U_INT32(dptr, pid);
772 	ADD_U_INT32(dptr, sid);
773 	ADD_U_INT32(dptr, tid->at_port);
774 	ADD_U_INT32(dptr, tid->at_type);
775 	ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t));
776 	if (tid->at_type == AU_IPv6) {
777 		ADD_MEM(dptr, &tid->at_addr[1], sizeof(u_int32_t));
778 		ADD_MEM(dptr, &tid->at_addr[2], sizeof(u_int32_t));
779 		ADD_MEM(dptr, &tid->at_addr[3], sizeof(u_int32_t));
780 	}
781 
782 	return (t);
783 }
784 
785 token_t *
786 au_to_process64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
787     gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
788 {
789 	token_t *t;
790 	u_char *dptr = NULL;
791 
792 	if (tid->at_type == AU_IPv4)
793 		GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
794 		    7 * sizeof(u_int32_t) + sizeof(u_int64_t) +
795 		    2 * sizeof(u_int32_t));
796 	else if (tid->at_type == AU_IPv6)
797 		GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
798 		    7 * sizeof(u_int32_t) + sizeof(u_int64_t) +
799 		    5 * sizeof(u_int32_t));
800 	else
801 		panic("au_to_process64_ex: invalidate at_type (%d)",
802 		    tid->at_type);
803 
804 	ADD_U_CHAR(dptr, AUT_PROCESS64_EX);
805 	ADD_U_INT32(dptr, auid);
806 	ADD_U_INT32(dptr, euid);
807 	ADD_U_INT32(dptr, egid);
808 	ADD_U_INT32(dptr, ruid);
809 	ADD_U_INT32(dptr, rgid);
810 	ADD_U_INT32(dptr, pid);
811 	ADD_U_INT32(dptr, sid);
812 	ADD_U_INT64(dptr, tid->at_port);
813 	ADD_U_INT32(dptr, tid->at_type);
814 	ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t));
815 	if (tid->at_type == AU_IPv6) {
816 		ADD_MEM(dptr, &tid->at_addr[1], sizeof(u_int32_t));
817 		ADD_MEM(dptr, &tid->at_addr[2], sizeof(u_int32_t));
818 		ADD_MEM(dptr, &tid->at_addr[3], sizeof(u_int32_t));
819 	}
820 
821 	return (t);
822 }
823 
824 token_t *
825 au_to_process_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
826     gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
827 {
828 
829 	return (au_to_process32_ex(auid, euid, egid, ruid, rgid, pid, sid,
830 	    tid));
831 }
832 
833 token_t *
834 au_to_rights(cap_rights_t *rightsp)
835 {
836 	token_t *t;
837 	u_char *dptr;
838 	int i;
839 
840 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(*rightsp));
841 
842 	ADD_U_CHAR(dptr, AUT_RIGHTS);
843 	for (i = 0; i < nitems(rightsp->cr_rights); i++)
844 		ADD_U_INT64(dptr, rightsp->cr_rights[i]);
845 
846 	return (t);
847 }
848 
849 /*
850  * token ID                1 byte
851  * error status            1 byte
852  * return value            4 bytes/8 bytes (32-bit/64-bit value)
853  */
854 token_t *
855 au_to_return32(char status, u_int32_t ret)
856 {
857 	token_t *t;
858 	u_char *dptr = NULL;
859 
860 	GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int32_t));
861 
862 	ADD_U_CHAR(dptr, AUT_RETURN32);
863 	ADD_U_CHAR(dptr, status);
864 	ADD_U_INT32(dptr, ret);
865 
866 	return (t);
867 }
868 
869 token_t *
870 au_to_return64(char status, u_int64_t ret)
871 {
872 	token_t *t;
873 	u_char *dptr = NULL;
874 
875 	GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int64_t));
876 
877 	ADD_U_CHAR(dptr, AUT_RETURN64);
878 	ADD_U_CHAR(dptr, status);
879 	ADD_U_INT64(dptr, ret);
880 
881 	return (t);
882 }
883 
884 token_t *
885 au_to_return(char status, u_int32_t ret)
886 {
887 
888 	return (au_to_return32(status, ret));
889 }
890 
891 /*
892  * token ID                1 byte
893  * sequence number         4 bytes
894  */
895 token_t *
896 au_to_seq(long audit_count)
897 {
898 	token_t *t;
899 	u_char *dptr = NULL;
900 
901 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t));
902 
903 	ADD_U_CHAR(dptr, AUT_SEQ);
904 	ADD_U_INT32(dptr, audit_count);
905 
906 	return (t);
907 }
908 
909 /*
910  * token ID                1 byte
911  * socket domain           2 bytes
912  * socket type             2 bytes
913  * address type            2 byte
914  * local port              2 bytes
915  * local address           4 bytes/16 bytes (IPv4/IPv6 address)
916  * remote port             2 bytes
917  * remote address          4 bytes/16 bytes (IPv4/IPv6 address)
918  *
919  * Domain and type arguments to this routine are assumed to already have been
920  * converted to the BSM constant space, so we don't do that here.
921  */
922 token_t *
923 au_to_socket_ex(u_short so_domain, u_short so_type,
924     struct sockaddr *sa_local, struct sockaddr *sa_remote)
925 {
926 	token_t *t;
927 	u_char *dptr = NULL;
928 	struct sockaddr_in *sin;
929 	struct sockaddr_in6 *sin6;
930 
931 	if (so_domain == AF_INET)
932 		GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
933 		    5 * sizeof(u_int16_t) + 2 * sizeof(u_int32_t));
934 	else if (so_domain == AF_INET6)
935 		GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
936 		    5 * sizeof(u_int16_t) + 8 * sizeof(u_int32_t));
937 	else
938 		return (NULL);
939 
940 	ADD_U_CHAR(dptr, AUT_SOCKET_EX);
941 	ADD_U_INT16(dptr, au_domain_to_bsm(so_domain));
942 	ADD_U_INT16(dptr, au_socket_type_to_bsm(so_type));
943 	if (so_domain == AF_INET) {
944 		ADD_U_INT16(dptr, AU_IPv4);
945 		sin = (struct sockaddr_in *)sa_local;
946 		ADD_MEM(dptr, &sin->sin_port, sizeof(uint16_t));
947 		ADD_MEM(dptr, &sin->sin_addr.s_addr, sizeof(uint32_t));
948 		sin = (struct sockaddr_in *)sa_remote;
949 		ADD_MEM(dptr, &sin->sin_port, sizeof(uint16_t));
950 		ADD_MEM(dptr, &sin->sin_addr.s_addr, sizeof(uint32_t));
951 	} else {
952 		ADD_U_INT16(dptr, AU_IPv6);
953 		sin6 = (struct sockaddr_in6 *)sa_local;
954 		ADD_MEM(dptr, &sin6->sin6_port, sizeof(uint16_t));
955 		ADD_MEM(dptr, &sin6->sin6_addr, 4 * sizeof(uint32_t));
956 		sin6 = (struct sockaddr_in6 *)sa_remote;
957 		ADD_MEM(dptr, &sin6->sin6_port, sizeof(uint16_t));
958 		ADD_MEM(dptr, &sin6->sin6_addr, 4 * sizeof(uint32_t));
959 	}
960 
961 	return (t);
962 }
963 
964 /*
965  * Kernel-specific version of the above function.
966  *
967  * XXXRW: Should now use au_to_socket_ex() here.
968  */
969 #ifdef _KERNEL
970 token_t *
971 kau_to_socket(struct socket_au_info *soi)
972 {
973 	token_t *t;
974 	u_char *dptr;
975 	u_int16_t so_type;
976 
977 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) +
978 	    sizeof(u_int32_t) + sizeof(u_int16_t) + sizeof(u_int32_t));
979 
980 	ADD_U_CHAR(dptr, AUT_SOCKET);
981 	/* Coerce the socket type into a short value */
982 	so_type = soi->so_type;
983 	ADD_U_INT16(dptr, so_type);
984 	ADD_U_INT16(dptr, soi->so_lport);
985 	ADD_U_INT32(dptr, soi->so_laddr);
986 	ADD_U_INT16(dptr, soi->so_rport);
987 	ADD_U_INT32(dptr, soi->so_raddr);
988 
989 	return (t);
990 }
991 #endif
992 
993 /*
994  * token ID                1 byte
995  * socket family           2 bytes
996  * path                    (up to) 104 bytes + NULL  (NULL terminated string)
997  */
998 token_t *
999 au_to_sock_unix(struct sockaddr_un *so)
1000 {
1001 	token_t *t;
1002 	u_char *dptr;
1003 
1004 	GET_TOKEN_AREA(t, dptr, 3 * sizeof(u_char) + strlen(so->sun_path) + 1);
1005 
1006 	ADD_U_CHAR(dptr, AUT_SOCKUNIX);
1007 	/* BSM token has two bytes for family */
1008 	ADD_U_CHAR(dptr, 0);
1009 	ADD_U_CHAR(dptr, so->sun_family);
1010 	ADD_STRING(dptr, so->sun_path, strlen(so->sun_path) + 1);
1011 
1012 	return (t);
1013 }
1014 
1015 /*
1016  * token ID                1 byte
1017  * socket family           2 bytes
1018  * local port              2 bytes
1019  * socket address          4 bytes
1020  */
1021 token_t *
1022 au_to_sock_inet32(struct sockaddr_in *so)
1023 {
1024 	token_t *t;
1025 	u_char *dptr = NULL;
1026 	uint16_t family;
1027 
1028 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(uint16_t) +
1029 	    sizeof(uint32_t));
1030 
1031 	ADD_U_CHAR(dptr, AUT_SOCKINET32);
1032 	/*
1033 	 * BSM defines the family field as 16 bits, but many operating
1034 	 * systems have an 8-bit sin_family field.  Extend to 16 bits before
1035 	 * writing into the token.  Assume that both the port and the address
1036 	 * in the sockaddr_in are already in network byte order, but family
1037 	 * is in local byte order.
1038 	 *
1039 	 * XXXRW: Should a name space conversion be taking place on the value
1040 	 * of sin_family?
1041 	 */
1042 	family = so->sin_family;
1043 	ADD_U_INT16(dptr, family);
1044 	ADD_MEM(dptr, &so->sin_port, sizeof(uint16_t));
1045 	ADD_MEM(dptr, &so->sin_addr.s_addr, sizeof(uint32_t));
1046 
1047 	return (t);
1048 }
1049 
1050 token_t *
1051 au_to_sock_inet128(struct sockaddr_in6 *so)
1052 {
1053 	token_t *t;
1054 	u_char *dptr = NULL;
1055 
1056 	GET_TOKEN_AREA(t, dptr, 3 * sizeof(u_char) + sizeof(u_int16_t) +
1057 	    4 * sizeof(u_int32_t));
1058 
1059 	ADD_U_CHAR(dptr, AUT_SOCKINET128);
1060 	/*
1061 	 * In BSD, sin6_family is one octet, but BSM defines the token to
1062 	 * store two. So we copy in a 0 first.  XXXRW: Possibly should be
1063 	 * conditionally compiled.
1064 	 */
1065 	ADD_U_CHAR(dptr, 0);
1066 	ADD_U_CHAR(dptr, so->sin6_family);
1067 
1068 	ADD_U_INT16(dptr, so->sin6_port);
1069 	ADD_MEM(dptr, &so->sin6_addr, 4 * sizeof(uint32_t));
1070 
1071 	return (t);
1072 }
1073 
1074 token_t *
1075 au_to_sock_inet(struct sockaddr_in *so)
1076 {
1077 
1078 	return (au_to_sock_inet32(so));
1079 }
1080 
1081 /*
1082  * token ID                1 byte
1083  * audit ID                4 bytes
1084  * effective user ID       4 bytes
1085  * effective group ID      4 bytes
1086  * real user ID            4 bytes
1087  * real group ID           4 bytes
1088  * process ID              4 bytes
1089  * session ID              4 bytes
1090  * terminal ID
1091  *   port ID               4 bytes/8 bytes (32-bit/64-bit value)
1092  *   machine address       4 bytes
1093  */
1094 token_t *
1095 au_to_subject32(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
1096     pid_t pid, au_asid_t sid, au_tid_t *tid)
1097 {
1098 	token_t *t;
1099 	u_char *dptr = NULL;
1100 
1101 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 9 * sizeof(u_int32_t));
1102 
1103 	ADD_U_CHAR(dptr, AUT_SUBJECT32);
1104 	ADD_U_INT32(dptr, auid);
1105 	ADD_U_INT32(dptr, euid);
1106 	ADD_U_INT32(dptr, egid);
1107 	ADD_U_INT32(dptr, ruid);
1108 	ADD_U_INT32(dptr, rgid);
1109 	ADD_U_INT32(dptr, pid);
1110 	ADD_U_INT32(dptr, sid);
1111 	ADD_U_INT32(dptr, tid->port);
1112 	ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t));
1113 
1114 	return (t);
1115 }
1116 
1117 token_t *
1118 au_to_subject64(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
1119     pid_t pid, au_asid_t sid, au_tid_t *tid)
1120 {
1121 	token_t *t;
1122 	u_char *dptr = NULL;
1123 
1124 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 7 * sizeof(u_int32_t) +
1125 	    sizeof(u_int64_t) + sizeof(u_int32_t));
1126 
1127 	ADD_U_CHAR(dptr, AUT_SUBJECT64);
1128 	ADD_U_INT32(dptr, auid);
1129 	ADD_U_INT32(dptr, euid);
1130 	ADD_U_INT32(dptr, egid);
1131 	ADD_U_INT32(dptr, ruid);
1132 	ADD_U_INT32(dptr, rgid);
1133 	ADD_U_INT32(dptr, pid);
1134 	ADD_U_INT32(dptr, sid);
1135 	ADD_U_INT64(dptr, tid->port);
1136 	ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t));
1137 
1138 	return (t);
1139 }
1140 
1141 token_t *
1142 au_to_subject(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
1143     pid_t pid, au_asid_t sid, au_tid_t *tid)
1144 {
1145 
1146 	return (au_to_subject32(auid, euid, egid, ruid, rgid, pid, sid,
1147 	    tid));
1148 }
1149 
1150 /*
1151  * token ID                1 byte
1152  * audit ID                4 bytes
1153  * effective user ID       4 bytes
1154  * effective group ID      4 bytes
1155  * real user ID            4 bytes
1156  * real group ID           4 bytes
1157  * process ID              4 bytes
1158  * session ID              4 bytes
1159  * terminal ID
1160  *   port ID               4 bytes/8 bytes (32-bit/64-bit value)
1161  *   address type/length   4 bytes
1162  *   machine address      16 bytes
1163  */
1164 token_t *
1165 au_to_subject32_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
1166     gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
1167 {
1168 	token_t *t;
1169 	u_char *dptr = NULL;
1170 
1171 	KASSERT((tid->at_type == AU_IPv4) || (tid->at_type == AU_IPv6),
1172 	    ("au_to_subject32_ex: type %u", (unsigned int)tid->at_type));
1173 
1174 	if (tid->at_type == AU_IPv4)
1175 		GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 10 *
1176 		    sizeof(u_int32_t));
1177 	else
1178 		GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 13 *
1179 		    sizeof(u_int32_t));
1180 
1181 	ADD_U_CHAR(dptr, AUT_SUBJECT32_EX);
1182 	ADD_U_INT32(dptr, auid);
1183 	ADD_U_INT32(dptr, euid);
1184 	ADD_U_INT32(dptr, egid);
1185 	ADD_U_INT32(dptr, ruid);
1186 	ADD_U_INT32(dptr, rgid);
1187 	ADD_U_INT32(dptr, pid);
1188 	ADD_U_INT32(dptr, sid);
1189 	ADD_U_INT32(dptr, tid->at_port);
1190 	ADD_U_INT32(dptr, tid->at_type);
1191 	if (tid->at_type == AU_IPv6)
1192 		ADD_MEM(dptr, &tid->at_addr[0], 4 * sizeof(u_int32_t));
1193 	else
1194 		ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t));
1195 
1196 	return (t);
1197 }
1198 
1199 token_t *
1200 au_to_subject64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
1201     gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
1202 {
1203 	token_t *t;
1204 	u_char *dptr = NULL;
1205 
1206 	KASSERT((tid->at_type == AU_IPv4) || (tid->at_type == AU_IPv6),
1207 	    ("au_to_subject64_ex: type %u", (unsigned int)tid->at_type));
1208 
1209 	if (tid->at_type == AU_IPv4)
1210 		GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
1211 		    7 * sizeof(u_int32_t) + sizeof(u_int64_t) +
1212 		    2 * sizeof(u_int32_t));
1213 	else
1214 		GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
1215 		    7 * sizeof(u_int32_t) + sizeof(u_int64_t) +
1216 		    5 * sizeof(u_int32_t));
1217 
1218 	ADD_U_CHAR(dptr, AUT_SUBJECT64_EX);
1219 	ADD_U_INT32(dptr, auid);
1220 	ADD_U_INT32(dptr, euid);
1221 	ADD_U_INT32(dptr, egid);
1222 	ADD_U_INT32(dptr, ruid);
1223 	ADD_U_INT32(dptr, rgid);
1224 	ADD_U_INT32(dptr, pid);
1225 	ADD_U_INT32(dptr, sid);
1226 	ADD_U_INT64(dptr, tid->at_port);
1227 	ADD_U_INT32(dptr, tid->at_type);
1228 	if (tid->at_type == AU_IPv6)
1229 		ADD_MEM(dptr, &tid->at_addr[0], 4 * sizeof(u_int32_t));
1230 	else
1231 		ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t));
1232 
1233 	return (t);
1234 }
1235 
1236 token_t *
1237 au_to_subject_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
1238     gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
1239 {
1240 
1241 	return (au_to_subject32_ex(auid, euid, egid, ruid, rgid, pid, sid,
1242 	    tid));
1243 }
1244 
1245 #if !defined(_KERNEL) && !defined(KERNEL) && defined(HAVE_AUDIT_SYSCALLS)
1246 /*
1247  * Collects audit information for the current process and creates a subject
1248  * token from it.
1249  */
1250 token_t *
1251 au_to_me(void)
1252 {
1253 	auditinfo_t auinfo;
1254 	auditinfo_addr_t aia;
1255 
1256 	/*
1257 	 * Try to use getaudit_addr(2) first.  If this kernel does not support
1258 	 * it, then fall back on to getaudit(2).
1259 	 */
1260 	if (getaudit_addr(&aia, sizeof(aia)) != 0) {
1261 		if (errno == ENOSYS) {
1262 			if (getaudit(&auinfo) != 0)
1263 				return (NULL);
1264 			return (au_to_subject32(auinfo.ai_auid, geteuid(),
1265 				getegid(), getuid(), getgid(), getpid(),
1266 				auinfo.ai_asid, &auinfo.ai_termid));
1267 		} else {
1268 			/* getaudit_addr(2) failed for some other reason. */
1269 			return (NULL);
1270 		}
1271 	}
1272 
1273 	return (au_to_subject32_ex(aia.ai_auid, geteuid(), getegid(), getuid(),
1274 		getgid(), getpid(), aia.ai_asid, &aia.ai_termid));
1275 }
1276 #endif
1277 
1278 #if defined(_KERNEL) || defined(KERNEL)
1279 static token_t *
1280 au_to_exec_strings(char *strs, int count, u_char type)
1281 {
1282 	token_t *t;
1283 	u_char *dptr = NULL;
1284 	u_int32_t totlen;
1285 	int ctr;
1286 	char *p;
1287 
1288 	totlen = 0;
1289 	ctr = count;
1290 	p = strs;
1291 	while (ctr-- > 0) {
1292 		totlen += strlen(p) + 1;
1293 		p = strs + totlen;
1294 	}
1295 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + totlen);
1296 	ADD_U_CHAR(dptr, type);
1297 	ADD_U_INT32(dptr, count);
1298 	ADD_STRING(dptr, strs, totlen);
1299 
1300 	return (t);
1301 }
1302 
1303 /*
1304  * token ID				1 byte
1305  * count				4 bytes
1306  * text					count null-terminated strings
1307  */
1308 token_t *
1309 au_to_exec_args(char *args, int argc)
1310 {
1311 
1312 	return (au_to_exec_strings(args, argc, AUT_EXEC_ARGS));
1313 }
1314 
1315 /*
1316  * token ID				1 byte
1317  * count				4 bytes
1318  * text					count null-terminated strings
1319  */
1320 token_t *
1321 au_to_exec_env(char *envs, int envc)
1322 {
1323 
1324 	return (au_to_exec_strings(envs, envc, AUT_EXEC_ENV));
1325 }
1326 #else
1327 /*
1328  * token ID				1 byte
1329  * count				4 bytes
1330  * text					count null-terminated strings
1331  */
1332 token_t *
1333 au_to_exec_args(char **argv)
1334 {
1335 	token_t *t;
1336 	u_char *dptr = NULL;
1337 	const char *nextarg;
1338 	int i, count = 0;
1339 	size_t totlen = 0;
1340 
1341 	nextarg = *argv;
1342 
1343 	while (nextarg != NULL) {
1344 		int nextlen;
1345 
1346 		nextlen = strlen(nextarg);
1347 		totlen += nextlen + 1;
1348 		count++;
1349 		nextarg = *(argv + count);
1350 	}
1351 
1352 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + totlen);
1353 
1354 	ADD_U_CHAR(dptr, AUT_EXEC_ARGS);
1355 	ADD_U_INT32(dptr, count);
1356 
1357 	for (i = 0; i < count; i++) {
1358 		nextarg = *(argv + i);
1359 		ADD_MEM(dptr, nextarg, strlen(nextarg) + 1);
1360 	}
1361 
1362 	return (t);
1363 }
1364 
1365 /*
1366  * token ID				1 byte
1367  * count				4 bytes
1368  * text					count null-terminated strings
1369  */
1370 token_t *
1371 au_to_exec_env(char **envp)
1372 {
1373 	token_t *t;
1374 	u_char *dptr = NULL;
1375 	int i, count = 0;
1376 	size_t totlen = 0;
1377 	const char *nextenv;
1378 
1379 	nextenv = *envp;
1380 
1381 	while (nextenv != NULL) {
1382 		int nextlen;
1383 
1384 		nextlen = strlen(nextenv);
1385 		totlen += nextlen + 1;
1386 		count++;
1387 		nextenv = *(envp + count);
1388 	}
1389 
1390 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + totlen);
1391 
1392 	ADD_U_CHAR(dptr, AUT_EXEC_ENV);
1393 	ADD_U_INT32(dptr, count);
1394 
1395 	for (i = 0; i < count; i++) {
1396 		nextenv = *(envp + i);
1397 		ADD_MEM(dptr, nextenv, strlen(nextenv) + 1);
1398 	}
1399 
1400 	return (t);
1401 }
1402 #endif
1403 
1404 /*
1405  * token ID                1 byte
1406  * zonename length         2 bytes
1407  * zonename                N bytes + 1 terminating NULL byte
1408  */
1409 token_t *
1410 au_to_zonename(const char *zonename)
1411 {
1412 	u_char *dptr = NULL;
1413 	u_int16_t textlen;
1414 	token_t *t;
1415 
1416 	textlen = strlen(zonename) + 1;
1417 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + textlen);
1418 
1419 	ADD_U_CHAR(dptr, AUT_ZONENAME);
1420 	ADD_U_INT16(dptr, textlen);
1421 	ADD_STRING(dptr, zonename, textlen);
1422 	return (t);
1423 }
1424 
1425 /*
1426  * token ID                1 byte
1427  * record byte count       4 bytes
1428  * version #               1 byte    [2]
1429  * event type              2 bytes
1430  * event modifier          2 bytes
1431  * seconds of time         4 bytes/8 bytes (32-bit/64-bit value)
1432  * milliseconds of time    4 bytes/8 bytes (32-bit/64-bit value)
1433  */
1434 token_t *
1435 au_to_header32_tm(int rec_size, au_event_t e_type, au_emod_t e_mod,
1436     struct timeval tm)
1437 {
1438 	token_t *t;
1439 	u_char *dptr = NULL;
1440 	u_int32_t timems;
1441 
1442 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) +
1443 	    sizeof(u_char) + 2 * sizeof(u_int16_t) + 2 * sizeof(u_int32_t));
1444 
1445 	ADD_U_CHAR(dptr, AUT_HEADER32);
1446 	ADD_U_INT32(dptr, rec_size);
1447 	ADD_U_CHAR(dptr, AUDIT_HEADER_VERSION_OPENBSM);
1448 	ADD_U_INT16(dptr, e_type);
1449 	ADD_U_INT16(dptr, e_mod);
1450 
1451 	timems = tm.tv_usec/1000;
1452 	/* Add the timestamp */
1453 	ADD_U_INT32(dptr, tm.tv_sec);
1454 	ADD_U_INT32(dptr, timems);	/* We need time in ms. */
1455 
1456 	return (t);
1457 }
1458 
1459 /*
1460  * token ID                1 byte
1461  * record byte count       4 bytes
1462  * version #               1 byte    [2]
1463  * event type              2 bytes
1464  * event modifier          2 bytes
1465  * address type/length     4 bytes
1466  * machine address         4 bytes/16 bytes (IPv4/IPv6 address)
1467  * seconds of time         4 bytes/8 bytes (32-bit/64-bit value)
1468  * milliseconds of time    4 bytes/8 bytes (32-bit/64-bit value)
1469  */
1470 token_t *
1471 au_to_header32_ex_tm(int rec_size, au_event_t e_type, au_emod_t e_mod,
1472     struct timeval tm, struct auditinfo_addr *aia)
1473 {
1474 	token_t *t;
1475 	u_char *dptr = NULL;
1476 	u_int32_t timems;
1477 	au_tid_addr_t *tid;
1478 
1479 	tid = &aia->ai_termid;
1480 	KASSERT(tid->at_type == AU_IPv4 || tid->at_type == AU_IPv6,
1481 	    ("au_to_header32_ex_tm: invalid address family"));
1482 
1483 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) +
1484 	    sizeof(u_char) + 2 * sizeof(u_int16_t) + 3 *
1485 	    sizeof(u_int32_t) + tid->at_type);
1486 
1487 	ADD_U_CHAR(dptr, AUT_HEADER32_EX);
1488 	ADD_U_INT32(dptr, rec_size);
1489 	ADD_U_CHAR(dptr, AUDIT_HEADER_VERSION_OPENBSM);
1490 	ADD_U_INT16(dptr, e_type);
1491 	ADD_U_INT16(dptr, e_mod);
1492 
1493 	ADD_U_INT32(dptr, tid->at_type);
1494 	if (tid->at_type == AU_IPv6)
1495 		ADD_MEM(dptr, &tid->at_addr[0], 4 * sizeof(u_int32_t));
1496 	else
1497 		ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t));
1498 	timems = tm.tv_usec/1000;
1499 	/* Add the timestamp */
1500 	ADD_U_INT32(dptr, tm.tv_sec);
1501 	ADD_U_INT32(dptr, timems);      /* We need time in ms. */
1502 
1503 	return (t);
1504 }
1505 
1506 token_t *
1507 au_to_header64_tm(int rec_size, au_event_t e_type, au_emod_t e_mod,
1508     struct timeval tm)
1509 {
1510 	token_t *t;
1511 	u_char *dptr = NULL;
1512 	u_int32_t timems;
1513 
1514 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) +
1515 	    sizeof(u_char) + 2 * sizeof(u_int16_t) + 2 * sizeof(u_int64_t));
1516 
1517 	ADD_U_CHAR(dptr, AUT_HEADER64);
1518 	ADD_U_INT32(dptr, rec_size);
1519 	ADD_U_CHAR(dptr, AUDIT_HEADER_VERSION_OPENBSM);
1520 	ADD_U_INT16(dptr, e_type);
1521 	ADD_U_INT16(dptr, e_mod);
1522 
1523 	timems = tm.tv_usec/1000;
1524 	/* Add the timestamp */
1525 	ADD_U_INT64(dptr, tm.tv_sec);
1526 	ADD_U_INT64(dptr, timems);	/* We need time in ms. */
1527 
1528 	return (t);
1529 }
1530 
1531 #if !defined(KERNEL) && !defined(_KERNEL)
1532 #ifdef HAVE_AUDIT_SYSCALLS
1533 token_t *
1534 au_to_header32_ex(int rec_size, au_event_t e_type, au_emod_t e_mod)
1535 {
1536 	struct timeval tm;
1537 	struct auditinfo_addr aia;
1538 
1539 	if (gettimeofday(&tm, NULL) == -1)
1540 		return (NULL);
1541 	if (audit_get_kaudit(&aia, sizeof(aia)) != 0) {
1542 		if (errno != ENOSYS)
1543 			return (NULL);
1544 		return (au_to_header32_tm(rec_size, e_type, e_mod, tm));
1545 	}
1546 	return (au_to_header32_ex_tm(rec_size, e_type, e_mod, tm, &aia));
1547 }
1548 #endif /* HAVE_AUDIT_SYSCALLS */
1549 
1550 token_t *
1551 au_to_header32(int rec_size, au_event_t e_type, au_emod_t e_mod)
1552 {
1553 	struct timeval tm;
1554 
1555 	if (gettimeofday(&tm, NULL) == -1)
1556 		return (NULL);
1557 	return (au_to_header32_tm(rec_size, e_type, e_mod, tm));
1558 }
1559 
1560 token_t *
1561 au_to_header64(__unused int rec_size, __unused au_event_t e_type,
1562     __unused au_emod_t e_mod)
1563 {
1564 	struct timeval tm;
1565 
1566 	if (gettimeofday(&tm, NULL) == -1)
1567 		return (NULL);
1568 	return (au_to_header64_tm(rec_size, e_type, e_mod, tm));
1569 }
1570 
1571 token_t *
1572 au_to_header(int rec_size, au_event_t e_type, au_emod_t e_mod)
1573 {
1574 
1575 	return (au_to_header32(rec_size, e_type, e_mod));
1576 }
1577 
1578 #ifdef HAVE_AUDIT_SYSCALLS
1579 token_t *
1580 au_to_header_ex(int rec_size, au_event_t e_type, au_emod_t e_mod)
1581 {
1582 
1583 	return (au_to_header32_ex(rec_size, e_type, e_mod));
1584 }
1585 #endif /* HAVE_AUDIT_SYSCALLS */
1586 #endif /* !defined(KERNEL) && !defined(_KERNEL) */
1587 
1588 /*
1589  * token ID                1 byte
1590  * trailer magic number    2 bytes
1591  * record byte count       4 bytes
1592  */
1593 token_t *
1594 au_to_trailer(int rec_size)
1595 {
1596 	token_t *t;
1597 	u_char *dptr = NULL;
1598 	u_int16_t magic = AUT_TRAILER_MAGIC;
1599 
1600 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) +
1601 	    sizeof(u_int32_t));
1602 
1603 	ADD_U_CHAR(dptr, AUT_TRAILER);
1604 	ADD_U_INT16(dptr, magic);
1605 	ADD_U_INT32(dptr, rec_size);
1606 
1607 	return (t);
1608 }
1609