xref: /freebsd/sys/security/audit/bsm_token.c (revision 7431dfd4580e850375fe5478d92ec770344db098)
1 /*-
2  * Copyright (c) 2004-2009 Apple Inc.
3  * Copyright (c) 2005 SPARTA, Inc.
4  * All rights reserved.
5  *
6  * This code was developed in part by Robert N. M. Watson, Senior Principal
7  * Scientist, SPARTA, Inc.
8  *
9  * Redistribution and use in source and binary forms, with or without
10  * modification, are permitted provided that the following conditions
11  * are met:
12  * 1.  Redistributions of source code must retain the above copyright
13  *     notice, this list of conditions and the following disclaimer.
14  * 2.  Redistributions in binary form must reproduce the above copyright
15  *     notice, this list of conditions and the following disclaimer in the
16  *     documentation and/or other materials provided with the distribution.
17  * 3.  Neither the name of Apple Inc. ("Apple") nor the names of
18  *     its contributors may be used to endorse or promote products derived
19  *     from this software without specific prior written permission.
20  *
21  * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24  * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
25  * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
29  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
30  * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
31  * POSSIBILITY OF SUCH DAMAGE.
32  *
33  * P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_token.c#99
34  */
35 
36 #include <sys/cdefs.h>
37 __FBSDID("$FreeBSD$");
38 
39 #include <sys/param.h>
40 #include <sys/types.h>
41 #include <sys/endian.h>
42 #include <sys/queue.h>
43 #include <sys/socket.h>
44 #include <sys/time.h>
45 
46 #include <sys/ipc.h>
47 #include <sys/libkern.h>
48 #include <sys/malloc.h>
49 #include <sys/un.h>
50 
51 #include <netinet/in.h>
52 #include <netinet/in_systm.h>
53 #include <netinet/ip.h>
54 
55 
56 #include <bsm/audit.h>
57 #include <bsm/audit_internal.h>
58 #include <bsm/audit_record.h>
59 #include <security/audit/audit.h>
60 #include <security/audit/audit_private.h>
61 
62 #define	GET_TOKEN_AREA(t, dptr, length) do {				\
63 	t = malloc(sizeof(token_t), M_AUDITBSM, M_WAITOK);		\
64 	t->t_data = malloc(length, M_AUDITBSM, M_WAITOK | M_ZERO);	\
65 	t->len = length;						\
66 	dptr = t->t_data;						\
67 } while (0)
68 
69 /*
70  * token ID                1 byte
71  * success/failure         1 byte
72  * privstrlen              2 bytes
73  * privstr                 N bytes + 1 (\0 byte)
74  */
75 token_t *
76 au_to_upriv(char sorf, char *priv)
77 {
78 	u_int16_t textlen;
79 	u_char *dptr;
80 	token_t *t;
81 
82 	textlen = strlen(priv) + 1;
83 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_char) +
84 	    sizeof(u_int16_t) + textlen);
85 
86 	ADD_U_CHAR(dptr, AUT_UPRIV);
87 	ADD_U_CHAR(dptr, sorf);
88 	ADD_U_INT16(dptr, textlen);
89 	ADD_STRING(dptr, priv, textlen);
90 	return (t);
91 }
92 
93 /*
94  * token ID		1 byte
95  * privtstrlen		2 bytes
96  * privtstr		N bytes + 1
97  * privstrlen		2 bytes
98  * privstr		N bytes + 1
99  */
100 token_t *
101 au_to_privset(char *privtypestr, char *privstr)
102 {
103 	u_int16_t	 type_len, priv_len;
104 	u_char		*dptr;
105 	token_t		*t;
106 
107 	type_len = strlen(privtypestr) + 1;
108 	priv_len = strlen(privstr) + 1;
109 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) +
110 	    sizeof(u_int16_t) + type_len + priv_len);
111 
112 	ADD_U_CHAR(dptr, AUT_PRIV);
113 	ADD_U_INT16(dptr, type_len);
114 	ADD_STRING(dptr, privtypestr, type_len);
115 	ADD_U_INT16(dptr, priv_len);
116 	ADD_STRING(dptr, privstr, priv_len);
117 	return (t);
118 }
119 
120 /*
121  * token ID                1 byte
122  * argument #              1 byte
123  * argument value          4 bytes/8 bytes (32-bit/64-bit value)
124  * text length             2 bytes
125  * text                    N bytes + 1 terminating NULL byte
126  */
127 token_t *
128 au_to_arg32(char n, const char *text, u_int32_t v)
129 {
130 	token_t *t;
131 	u_char *dptr = NULL;
132 	u_int16_t textlen;
133 
134 	textlen = strlen(text);
135 	textlen += 1;
136 
137 	GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int32_t) +
138 	    sizeof(u_int16_t) + textlen);
139 
140 	ADD_U_CHAR(dptr, AUT_ARG32);
141 	ADD_U_CHAR(dptr, n);
142 	ADD_U_INT32(dptr, v);
143 	ADD_U_INT16(dptr, textlen);
144 	ADD_STRING(dptr, text, textlen);
145 
146 	return (t);
147 }
148 
149 token_t *
150 au_to_arg64(char n, const char *text, u_int64_t v)
151 {
152 	token_t *t;
153 	u_char *dptr = NULL;
154 	u_int16_t textlen;
155 
156 	textlen = strlen(text);
157 	textlen += 1;
158 
159 	GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int64_t) +
160 	    sizeof(u_int16_t) + textlen);
161 
162 	ADD_U_CHAR(dptr, AUT_ARG64);
163 	ADD_U_CHAR(dptr, n);
164 	ADD_U_INT64(dptr, v);
165 	ADD_U_INT16(dptr, textlen);
166 	ADD_STRING(dptr, text, textlen);
167 
168 	return (t);
169 }
170 
171 token_t *
172 au_to_arg(char n, const char *text, u_int32_t v)
173 {
174 
175 	return (au_to_arg32(n, text, v));
176 }
177 
178 #if defined(_KERNEL) || defined(KERNEL)
179 /*
180  * token ID                1 byte
181  * file access mode        4 bytes
182  * owner user ID           4 bytes
183  * owner group ID          4 bytes
184  * file system ID          4 bytes
185  * node ID                 8 bytes
186  * device                  4 bytes/8 bytes (32-bit/64-bit)
187  */
188 token_t *
189 au_to_attr32(struct vnode_au_info *vni)
190 {
191 	token_t *t;
192 	u_char *dptr = NULL;
193 	u_int16_t pad0_16 = 0;
194 	u_int32_t pad0_32 = 0;
195 
196 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) +
197 	    3 * sizeof(u_int32_t) + sizeof(u_int64_t) + sizeof(u_int32_t));
198 
199 	ADD_U_CHAR(dptr, AUT_ATTR32);
200 
201 	/*
202 	 * BSD defines the size for the file mode as 2 bytes; BSM defines 4
203 	 * so pad with 0.
204 	 *
205 	 * XXXRW: Possibly should be conditionally compiled.
206 	 *
207 	 * XXXRW: Should any conversions take place on the mode?
208 	 */
209 	ADD_U_INT16(dptr, pad0_16);
210 	ADD_U_INT16(dptr, vni->vn_mode);
211 
212 	ADD_U_INT32(dptr, vni->vn_uid);
213 	ADD_U_INT32(dptr, vni->vn_gid);
214 	ADD_U_INT32(dptr, vni->vn_fsid);
215 
216 	/*
217 	 * Some systems use 32-bit file ID's, others use 64-bit file IDs.
218 	 * Attempt to handle both, and let the compiler sort it out.  If we
219 	 * could pick this out at compile-time, it would be better, so as to
220 	 * avoid the else case below.
221 	 */
222 	if (sizeof(vni->vn_fileid) == sizeof(uint32_t)) {
223 		ADD_U_INT32(dptr, pad0_32);
224 		ADD_U_INT32(dptr, vni->vn_fileid);
225 	} else if (sizeof(vni->vn_fileid) == sizeof(uint64_t))
226 		ADD_U_INT64(dptr, vni->vn_fileid);
227 	else
228 		ADD_U_INT64(dptr, 0LL);
229 
230 	ADD_U_INT32(dptr, vni->vn_dev);
231 
232 	return (t);
233 }
234 
235 token_t *
236 au_to_attr64(struct vnode_au_info *vni)
237 {
238 	token_t *t;
239 	u_char *dptr = NULL;
240 	u_int16_t pad0_16 = 0;
241 	u_int32_t pad0_32 = 0;
242 
243 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) +
244 	    3 * sizeof(u_int32_t) + sizeof(u_int64_t) * 2);
245 
246 	ADD_U_CHAR(dptr, AUT_ATTR64);
247 
248 	/*
249 	 * BSD defines the size for the file mode as 2 bytes; BSM defines 4
250 	 * so pad with 0.
251 	 *
252 	 * XXXRW: Possibly should be conditionally compiled.
253 	 *
254 	 * XXXRW: Should any conversions take place on the mode?
255 	 */
256 	ADD_U_INT16(dptr, pad0_16);
257 	ADD_U_INT16(dptr, vni->vn_mode);
258 
259 	ADD_U_INT32(dptr, vni->vn_uid);
260 	ADD_U_INT32(dptr, vni->vn_gid);
261 	ADD_U_INT32(dptr, vni->vn_fsid);
262 
263 	/*
264 	 * Some systems use 32-bit file ID's, other's use 64-bit file IDs.
265 	 * Attempt to handle both, and let the compiler sort it out.  If we
266 	 * could pick this out at compile-time, it would be better, so as to
267 	 * avoid the else case below.
268 	 */
269 	if (sizeof(vni->vn_fileid) == sizeof(uint32_t)) {
270 		ADD_U_INT32(dptr, pad0_32);
271 		ADD_U_INT32(dptr, vni->vn_fileid);
272 	} else if (sizeof(vni->vn_fileid) == sizeof(uint64_t))
273 		ADD_U_INT64(dptr, vni->vn_fileid);
274 	else
275 		ADD_U_INT64(dptr, 0LL);
276 
277 	ADD_U_INT64(dptr, vni->vn_dev);
278 
279 	return (t);
280 }
281 
282 token_t *
283 au_to_attr(struct vnode_au_info *vni)
284 {
285 
286 	return (au_to_attr32(vni));
287 }
288 #endif /* !(defined(_KERNEL) || defined(KERNEL) */
289 
290 /*
291  * token ID                1 byte
292  * how to print            1 byte
293  * basic unit              1 byte
294  * unit count              1 byte
295  * data items              (depends on basic unit)
296  */
297 token_t *
298 au_to_data(char unit_print, char unit_type, char unit_count, const char *p)
299 {
300 	token_t *t;
301 	u_char *dptr = NULL;
302 	size_t datasize, totdata;
303 
304 	/* Determine the size of the basic unit. */
305 	switch (unit_type) {
306 	case AUR_BYTE:
307 	/* case AUR_CHAR: */
308 		datasize = AUR_BYTE_SIZE;
309 		break;
310 
311 	case AUR_SHORT:
312 		datasize = AUR_SHORT_SIZE;
313 		break;
314 
315 	case AUR_INT32:
316 	/* case AUR_INT: */
317 		datasize = AUR_INT32_SIZE;
318 		break;
319 
320 	case AUR_INT64:
321 		datasize = AUR_INT64_SIZE;
322 		break;
323 
324 	default:
325 		return (NULL);
326 	}
327 
328 	totdata = datasize * unit_count;
329 
330 	GET_TOKEN_AREA(t, dptr, 4 * sizeof(u_char) + totdata);
331 
332 	/*
333 	 * XXXRW: We should be byte-swapping each data item for multi-byte
334 	 * types.
335 	 */
336 	ADD_U_CHAR(dptr, AUT_DATA);
337 	ADD_U_CHAR(dptr, unit_print);
338 	ADD_U_CHAR(dptr, unit_type);
339 	ADD_U_CHAR(dptr, unit_count);
340 	ADD_MEM(dptr, p, totdata);
341 
342 	return (t);
343 }
344 
345 
346 /*
347  * token ID                1 byte
348  * status		   4 bytes
349  * return value            4 bytes
350  */
351 token_t *
352 au_to_exit(int retval, int err)
353 {
354 	token_t *t;
355 	u_char *dptr = NULL;
356 
357 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int32_t));
358 
359 	ADD_U_CHAR(dptr, AUT_EXIT);
360 	ADD_U_INT32(dptr, err);
361 	ADD_U_INT32(dptr, retval);
362 
363 	return (t);
364 }
365 
366 /*
367  */
368 token_t *
369 au_to_groups(int *groups)
370 {
371 
372 	return (au_to_newgroups(AUDIT_MAX_GROUPS, (gid_t *)groups));
373 }
374 
375 /*
376  * token ID                1 byte
377  * number groups           2 bytes
378  * group list              count * 4 bytes
379  */
380 token_t *
381 au_to_newgroups(u_int16_t n, gid_t *groups)
382 {
383 	token_t *t;
384 	u_char *dptr = NULL;
385 	int i;
386 
387 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) +
388 	    n * sizeof(u_int32_t));
389 
390 	ADD_U_CHAR(dptr, AUT_NEWGROUPS);
391 	ADD_U_INT16(dptr, n);
392 	for (i = 0; i < n; i++)
393 		ADD_U_INT32(dptr, groups[i]);
394 
395 	return (t);
396 }
397 
398 /*
399  * token ID                1 byte
400  * internet address        4 bytes
401  */
402 token_t *
403 au_to_in_addr(struct in_addr *internet_addr)
404 {
405 	token_t *t;
406 	u_char *dptr = NULL;
407 
408 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(uint32_t));
409 
410 	ADD_U_CHAR(dptr, AUT_IN_ADDR);
411 	ADD_MEM(dptr, &internet_addr->s_addr, sizeof(uint32_t));
412 
413 	return (t);
414 }
415 
416 /*
417  * token ID                1 byte
418  * address type/length     4 bytes
419  * address                16 bytes
420  */
421 token_t *
422 au_to_in_addr_ex(struct in6_addr *internet_addr)
423 {
424 	token_t *t;
425 	u_char *dptr = NULL;
426 	u_int32_t type = AU_IPv6;
427 
428 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 5 * sizeof(uint32_t));
429 
430 	ADD_U_CHAR(dptr, AUT_IN_ADDR_EX);
431 	ADD_U_INT32(dptr, type);
432 	ADD_MEM(dptr, internet_addr, 4 * sizeof(uint32_t));
433 
434 	return (t);
435 }
436 
437 /*
438  * token ID                1 byte
439  * ip header		   20 bytes
440  *
441  * The IP header should be submitted in network byte order.
442  */
443 token_t *
444 au_to_ip(struct ip *ip)
445 {
446 	token_t *t;
447 	u_char *dptr = NULL;
448 
449 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(struct ip));
450 
451 	ADD_U_CHAR(dptr, AUT_IP);
452 	ADD_MEM(dptr, ip, sizeof(struct ip));
453 
454 	return (t);
455 }
456 
457 /*
458  * token ID                1 byte
459  * object ID type          1 byte
460  * object ID               4 bytes
461  */
462 token_t *
463 au_to_ipc(char type, int id)
464 {
465 	token_t *t;
466 	u_char *dptr = NULL;
467 
468 	GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int32_t));
469 
470 	ADD_U_CHAR(dptr, AUT_IPC);
471 	ADD_U_CHAR(dptr, type);
472 	ADD_U_INT32(dptr, id);
473 
474 	return (t);
475 }
476 
477 /*
478  * token ID                1 byte
479  * owner user ID           4 bytes
480  * owner group ID          4 bytes
481  * creator user ID         4 bytes
482  * creator group ID        4 bytes
483  * access mode             4 bytes
484  * slot sequence #         4 bytes
485  * key                     4 bytes
486  */
487 token_t *
488 au_to_ipc_perm(struct ipc_perm *perm)
489 {
490 	token_t *t;
491 	u_char *dptr = NULL;
492 	u_int16_t pad0 = 0;
493 
494 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 12 * sizeof(u_int16_t) +
495 	    sizeof(u_int32_t));
496 
497 	ADD_U_CHAR(dptr, AUT_IPC_PERM);
498 
499 	/*
500 	 * Systems vary significantly in what types they use in struct
501 	 * ipc_perm; at least a few still use 16-bit uid's and gid's, so
502 	 * allow for that, as BSM define 32-bit values here.
503 	 * Some systems define the sizes for ipc_perm members as 2 bytes;
504 	 * BSM defines 4 so pad with 0.
505 	 *
506 	 * XXXRW: Possibly shoulid be conditionally compiled, and more cases
507 	 * need to be handled.
508 	 */
509 	if (sizeof(perm->uid) != sizeof(u_int32_t)) {
510 		ADD_U_INT16(dptr, pad0);
511 		ADD_U_INT16(dptr, perm->uid);
512 		ADD_U_INT16(dptr, pad0);
513 		ADD_U_INT16(dptr, perm->gid);
514 		ADD_U_INT16(dptr, pad0);
515 		ADD_U_INT16(dptr, perm->cuid);
516 		ADD_U_INT16(dptr, pad0);
517 		ADD_U_INT16(dptr, perm->cgid);
518 	} else {
519 		ADD_U_INT32(dptr, perm->uid);
520 		ADD_U_INT32(dptr, perm->gid);
521 		ADD_U_INT32(dptr, perm->cuid);
522 		ADD_U_INT32(dptr, perm->cgid);
523 	}
524 
525 	ADD_U_INT16(dptr, pad0);
526 	ADD_U_INT16(dptr, perm->mode);
527 
528 	ADD_U_INT16(dptr, pad0);
529 
530 	ADD_U_INT16(dptr, perm->seq);
531 
532 	ADD_U_INT32(dptr, perm->key);
533 
534 	return (t);
535 }
536 
537 /*
538  * token ID                1 byte
539  * port IP address         2 bytes
540  */
541 token_t *
542 au_to_iport(u_int16_t iport)
543 {
544 	token_t *t;
545 	u_char *dptr = NULL;
546 
547 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t));
548 
549 	ADD_U_CHAR(dptr, AUT_IPORT);
550 	ADD_U_INT16(dptr, iport);
551 
552 	return (t);
553 }
554 
555 /*
556  * token ID                1 byte
557  * size                    2 bytes
558  * data                    size bytes
559  */
560 token_t *
561 au_to_opaque(const char *data, u_int16_t bytes)
562 {
563 	token_t *t;
564 	u_char *dptr = NULL;
565 
566 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + bytes);
567 
568 	ADD_U_CHAR(dptr, AUT_OPAQUE);
569 	ADD_U_INT16(dptr, bytes);
570 	ADD_MEM(dptr, data, bytes);
571 
572 	return (t);
573 }
574 
575 /*
576  * token ID                1 byte
577  * seconds of time         4 bytes
578  * milliseconds of time    4 bytes
579  * file name len           2 bytes
580  * file pathname           N bytes + 1 terminating NULL byte
581  */
582 token_t *
583 au_to_file(const char *file, struct timeval tm)
584 {
585 	token_t *t;
586 	u_char *dptr = NULL;
587 	u_int16_t filelen;
588 	u_int32_t timems;
589 
590 	filelen = strlen(file);
591 	filelen += 1;
592 
593 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int32_t) +
594 	    sizeof(u_int16_t) + filelen);
595 
596 	timems = tm.tv_usec/1000;
597 
598 	ADD_U_CHAR(dptr, AUT_OTHER_FILE32);
599 	ADD_U_INT32(dptr, tm.tv_sec);
600 	ADD_U_INT32(dptr, timems);	/* We need time in ms. */
601 	ADD_U_INT16(dptr, filelen);
602 	ADD_STRING(dptr, file, filelen);
603 
604 	return (t);
605 }
606 
607 /*
608  * token ID                1 byte
609  * text length             2 bytes
610  * text                    N bytes + 1 terminating NULL byte
611  */
612 token_t *
613 au_to_text(const char *text)
614 {
615 	token_t *t;
616 	u_char *dptr = NULL;
617 	u_int16_t textlen;
618 
619 	textlen = strlen(text);
620 	textlen += 1;
621 
622 	/* XXXRW: Should validate length against token size limit. */
623 
624 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + textlen);
625 
626 	ADD_U_CHAR(dptr, AUT_TEXT);
627 	ADD_U_INT16(dptr, textlen);
628 	ADD_STRING(dptr, text, textlen);
629 
630 	return (t);
631 }
632 
633 /*
634  * token ID                1 byte
635  * path length             2 bytes
636  * path                    N bytes + 1 terminating NULL byte
637  */
638 token_t *
639 au_to_path(const char *text)
640 {
641 	token_t *t;
642 	u_char *dptr = NULL;
643 	u_int16_t textlen;
644 
645 	textlen = strlen(text);
646 	textlen += 1;
647 
648 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + textlen);
649 
650 	ADD_U_CHAR(dptr, AUT_PATH);
651 	ADD_U_INT16(dptr, textlen);
652 	ADD_STRING(dptr, text, textlen);
653 
654 	return (t);
655 }
656 
657 /*
658  * token ID                1 byte
659  * audit ID                4 bytes
660  * effective user ID       4 bytes
661  * effective group ID      4 bytes
662  * real user ID            4 bytes
663  * real group ID           4 bytes
664  * process ID              4 bytes
665  * session ID              4 bytes
666  * terminal ID
667  *   port ID               4 bytes/8 bytes (32-bit/64-bit value)
668  *   machine address       4 bytes
669  */
670 token_t *
671 au_to_process32(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
672     pid_t pid, au_asid_t sid, au_tid_t *tid)
673 {
674 	token_t *t;
675 	u_char *dptr = NULL;
676 
677 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 9 * sizeof(u_int32_t));
678 
679 	ADD_U_CHAR(dptr, AUT_PROCESS32);
680 	ADD_U_INT32(dptr, auid);
681 	ADD_U_INT32(dptr, euid);
682 	ADD_U_INT32(dptr, egid);
683 	ADD_U_INT32(dptr, ruid);
684 	ADD_U_INT32(dptr, rgid);
685 	ADD_U_INT32(dptr, pid);
686 	ADD_U_INT32(dptr, sid);
687 	ADD_U_INT32(dptr, tid->port);
688 
689 	/*
690 	 * Note: Solaris will write out IPv6 addresses here as a 32-bit
691 	 * address type and 16 bytes of address, but for IPv4 addresses it
692 	 * simply writes the 4-byte address directly.  We support only IPv4
693 	 * addresses for process32 tokens.
694 	 */
695 	ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t));
696 
697 	return (t);
698 }
699 
700 token_t *
701 au_to_process64(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
702     pid_t pid, au_asid_t sid, au_tid_t *tid)
703 {
704 	token_t *t;
705 	u_char *dptr = NULL;
706 
707 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 8 * sizeof(u_int32_t) +
708 	    sizeof(u_int64_t));
709 
710 	ADD_U_CHAR(dptr, AUT_PROCESS64);
711 	ADD_U_INT32(dptr, auid);
712 	ADD_U_INT32(dptr, euid);
713 	ADD_U_INT32(dptr, egid);
714 	ADD_U_INT32(dptr, ruid);
715 	ADD_U_INT32(dptr, rgid);
716 	ADD_U_INT32(dptr, pid);
717 	ADD_U_INT32(dptr, sid);
718 	ADD_U_INT64(dptr, tid->port);
719 
720 	/*
721 	 * Note: Solaris will write out IPv6 addresses here as a 32-bit
722 	 * address type and 16 bytes of address, but for IPv4 addresses it
723 	 * simply writes the 4-byte address directly.  We support only IPv4
724 	 * addresses for process64 tokens.
725 	 */
726 	ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t));
727 
728 	return (t);
729 }
730 
731 token_t *
732 au_to_process(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
733     pid_t pid, au_asid_t sid, au_tid_t *tid)
734 {
735 
736 	return (au_to_process32(auid, euid, egid, ruid, rgid, pid, sid,
737 	    tid));
738 }
739 
740 /*
741  * token ID                1 byte
742  * audit ID                4 bytes
743  * effective user ID       4 bytes
744  * effective group ID      4 bytes
745  * real user ID            4 bytes
746  * real group ID           4 bytes
747  * process ID              4 bytes
748  * session ID              4 bytes
749  * terminal ID
750  *   port ID               4 bytes/8 bytes (32-bit/64-bit value)
751  *   address type-len      4 bytes
752  *   machine address      16 bytes
753  */
754 token_t *
755 au_to_process32_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
756     gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
757 {
758 	token_t *t;
759 	u_char *dptr = NULL;
760 
761 	KASSERT((tid->at_type == AU_IPv4) || (tid->at_type == AU_IPv6),
762 	    ("au_to_process32_ex: type %u", (unsigned int)tid->at_type));
763 	if (tid->at_type == AU_IPv4)
764 		GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
765 		    10 * sizeof(u_int32_t));
766 	else
767 		GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
768 		    13 * sizeof(u_int32_t));
769 
770 	ADD_U_CHAR(dptr, AUT_PROCESS32_EX);
771 	ADD_U_INT32(dptr, auid);
772 	ADD_U_INT32(dptr, euid);
773 	ADD_U_INT32(dptr, egid);
774 	ADD_U_INT32(dptr, ruid);
775 	ADD_U_INT32(dptr, rgid);
776 	ADD_U_INT32(dptr, pid);
777 	ADD_U_INT32(dptr, sid);
778 	ADD_U_INT32(dptr, tid->at_port);
779 	ADD_U_INT32(dptr, tid->at_type);
780 	ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t));
781 	if (tid->at_type == AU_IPv6) {
782 		ADD_MEM(dptr, &tid->at_addr[1], sizeof(u_int32_t));
783 		ADD_MEM(dptr, &tid->at_addr[2], sizeof(u_int32_t));
784 		ADD_MEM(dptr, &tid->at_addr[3], sizeof(u_int32_t));
785 	}
786 
787 	return (t);
788 }
789 
790 token_t *
791 au_to_process64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
792     gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
793 {
794 	token_t *t;
795 	u_char *dptr = NULL;
796 
797 	if (tid->at_type == AU_IPv4)
798 		GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
799 		    7 * sizeof(u_int32_t) + sizeof(u_int64_t) +
800 		    2 * sizeof(u_int32_t));
801 	else if (tid->at_type == AU_IPv6)
802 		GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
803 		    7 * sizeof(u_int32_t) + sizeof(u_int64_t) +
804 		    5 * sizeof(u_int32_t));
805 	else
806 		panic("au_to_process64_ex: invalidate at_type (%d)",
807 		    tid->at_type);
808 
809 	ADD_U_CHAR(dptr, AUT_PROCESS64_EX);
810 	ADD_U_INT32(dptr, auid);
811 	ADD_U_INT32(dptr, euid);
812 	ADD_U_INT32(dptr, egid);
813 	ADD_U_INT32(dptr, ruid);
814 	ADD_U_INT32(dptr, rgid);
815 	ADD_U_INT32(dptr, pid);
816 	ADD_U_INT32(dptr, sid);
817 	ADD_U_INT64(dptr, tid->at_port);
818 	ADD_U_INT32(dptr, tid->at_type);
819 	ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t));
820 	if (tid->at_type == AU_IPv6) {
821 		ADD_MEM(dptr, &tid->at_addr[1], sizeof(u_int32_t));
822 		ADD_MEM(dptr, &tid->at_addr[2], sizeof(u_int32_t));
823 		ADD_MEM(dptr, &tid->at_addr[3], sizeof(u_int32_t));
824 	}
825 
826 	return (t);
827 }
828 
829 token_t *
830 au_to_process_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
831     gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
832 {
833 
834 	return (au_to_process32_ex(auid, euid, egid, ruid, rgid, pid, sid,
835 	    tid));
836 }
837 
838 token_t *
839 au_to_rights(cap_rights_t *rightsp)
840 {
841 	token_t *t;
842 	u_char *dptr;
843 	int i;
844 
845 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(*rightsp));
846 
847 	ADD_U_CHAR(dptr, AUT_RIGHTS);
848 	for (i = 0; i < nitems(rightsp->cr_rights); i++)
849 		ADD_U_INT64(dptr, rightsp->cr_rights[i]);
850 
851 	return (t);
852 }
853 
854 /*
855  * token ID                1 byte
856  * error status            1 byte
857  * return value            4 bytes/8 bytes (32-bit/64-bit value)
858  */
859 token_t *
860 au_to_return32(char status, u_int32_t ret)
861 {
862 	token_t *t;
863 	u_char *dptr = NULL;
864 
865 	GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int32_t));
866 
867 	ADD_U_CHAR(dptr, AUT_RETURN32);
868 	ADD_U_CHAR(dptr, status);
869 	ADD_U_INT32(dptr, ret);
870 
871 	return (t);
872 }
873 
874 token_t *
875 au_to_return64(char status, u_int64_t ret)
876 {
877 	token_t *t;
878 	u_char *dptr = NULL;
879 
880 	GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int64_t));
881 
882 	ADD_U_CHAR(dptr, AUT_RETURN64);
883 	ADD_U_CHAR(dptr, status);
884 	ADD_U_INT64(dptr, ret);
885 
886 	return (t);
887 }
888 
889 token_t *
890 au_to_return(char status, u_int32_t ret)
891 {
892 
893 	return (au_to_return32(status, ret));
894 }
895 
896 /*
897  * token ID                1 byte
898  * sequence number         4 bytes
899  */
900 token_t *
901 au_to_seq(long audit_count)
902 {
903 	token_t *t;
904 	u_char *dptr = NULL;
905 
906 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t));
907 
908 	ADD_U_CHAR(dptr, AUT_SEQ);
909 	ADD_U_INT32(dptr, audit_count);
910 
911 	return (t);
912 }
913 
914 /*
915  * token ID                1 byte
916  * socket domain           2 bytes
917  * socket type             2 bytes
918  * address type            2 byte
919  * local port              2 bytes
920  * local address           4 bytes/16 bytes (IPv4/IPv6 address)
921  * remote port             2 bytes
922  * remote address          4 bytes/16 bytes (IPv4/IPv6 address)
923  *
924  * Domain and type arguments to this routine are assumed to already have been
925  * converted to the BSM constant space, so we don't do that here.
926  */
927 token_t *
928 au_to_socket_ex(u_short so_domain, u_short so_type,
929     struct sockaddr *sa_local, struct sockaddr *sa_remote)
930 {
931 	token_t *t;
932 	u_char *dptr = NULL;
933 	struct sockaddr_in *sin;
934 	struct sockaddr_in6 *sin6;
935 
936 	if (so_domain == AF_INET)
937 		GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
938 		    5 * sizeof(u_int16_t) + 2 * sizeof(u_int32_t));
939 	else if (so_domain == AF_INET6)
940 		GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
941 		    5 * sizeof(u_int16_t) + 8 * sizeof(u_int32_t));
942 	else
943 		return (NULL);
944 
945 	ADD_U_CHAR(dptr, AUT_SOCKET_EX);
946 	ADD_U_INT16(dptr, au_domain_to_bsm(so_domain));
947 	ADD_U_INT16(dptr, au_socket_type_to_bsm(so_type));
948 	if (so_domain == AF_INET) {
949 		ADD_U_INT16(dptr, AU_IPv4);
950 		sin = (struct sockaddr_in *)sa_local;
951 		ADD_MEM(dptr, &sin->sin_port, sizeof(uint16_t));
952 		ADD_MEM(dptr, &sin->sin_addr.s_addr, sizeof(uint32_t));
953 		sin = (struct sockaddr_in *)sa_remote;
954 		ADD_MEM(dptr, &sin->sin_port, sizeof(uint16_t));
955 		ADD_MEM(dptr, &sin->sin_addr.s_addr, sizeof(uint32_t));
956 	} else {
957 		ADD_U_INT16(dptr, AU_IPv6);
958 		sin6 = (struct sockaddr_in6 *)sa_local;
959 		ADD_MEM(dptr, &sin6->sin6_port, sizeof(uint16_t));
960 		ADD_MEM(dptr, &sin6->sin6_addr, 4 * sizeof(uint32_t));
961 		sin6 = (struct sockaddr_in6 *)sa_remote;
962 		ADD_MEM(dptr, &sin6->sin6_port, sizeof(uint16_t));
963 		ADD_MEM(dptr, &sin6->sin6_addr, 4 * sizeof(uint32_t));
964 	}
965 
966 	return (t);
967 }
968 
969 /*
970  * Kernel-specific version of the above function.
971  *
972  * XXXRW: Should now use au_to_socket_ex() here.
973  */
974 #ifdef _KERNEL
975 token_t *
976 kau_to_socket(struct socket_au_info *soi)
977 {
978 	token_t *t;
979 	u_char *dptr;
980 	u_int16_t so_type;
981 
982 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) +
983 	    sizeof(u_int32_t) + sizeof(u_int16_t) + sizeof(u_int32_t));
984 
985 	ADD_U_CHAR(dptr, AUT_SOCKET);
986 	/* Coerce the socket type into a short value */
987 	so_type = soi->so_type;
988 	ADD_U_INT16(dptr, so_type);
989 	ADD_U_INT16(dptr, soi->so_lport);
990 	ADD_U_INT32(dptr, soi->so_laddr);
991 	ADD_U_INT16(dptr, soi->so_rport);
992 	ADD_U_INT32(dptr, soi->so_raddr);
993 
994 	return (t);
995 }
996 #endif
997 
998 /*
999  * token ID                1 byte
1000  * socket family           2 bytes
1001  * path                    (up to) 104 bytes + NULL  (NULL terminated string)
1002  */
1003 token_t *
1004 au_to_sock_unix(struct sockaddr_un *so)
1005 {
1006 	token_t *t;
1007 	u_char *dptr;
1008 
1009 	GET_TOKEN_AREA(t, dptr, 3 * sizeof(u_char) + strlen(so->sun_path) + 1);
1010 
1011 	ADD_U_CHAR(dptr, AUT_SOCKUNIX);
1012 	/* BSM token has two bytes for family */
1013 	ADD_U_CHAR(dptr, 0);
1014 	ADD_U_CHAR(dptr, so->sun_family);
1015 	ADD_STRING(dptr, so->sun_path, strlen(so->sun_path) + 1);
1016 
1017 	return (t);
1018 }
1019 
1020 /*
1021  * token ID                1 byte
1022  * socket family           2 bytes
1023  * local port              2 bytes
1024  * socket address          4 bytes
1025  */
1026 token_t *
1027 au_to_sock_inet32(struct sockaddr_in *so)
1028 {
1029 	token_t *t;
1030 	u_char *dptr = NULL;
1031 	uint16_t family;
1032 
1033 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(uint16_t) +
1034 	    sizeof(uint32_t));
1035 
1036 	ADD_U_CHAR(dptr, AUT_SOCKINET32);
1037 	/*
1038 	 * BSM defines the family field as 16 bits, but many operating
1039 	 * systems have an 8-bit sin_family field.  Extend to 16 bits before
1040 	 * writing into the token.  Assume that both the port and the address
1041 	 * in the sockaddr_in are already in network byte order, but family
1042 	 * is in local byte order.
1043 	 *
1044 	 * XXXRW: Should a name space conversion be taking place on the value
1045 	 * of sin_family?
1046 	 */
1047 	family = so->sin_family;
1048 	ADD_U_INT16(dptr, family);
1049 	ADD_MEM(dptr, &so->sin_port, sizeof(uint16_t));
1050 	ADD_MEM(dptr, &so->sin_addr.s_addr, sizeof(uint32_t));
1051 
1052 	return (t);
1053 }
1054 
1055 token_t *
1056 au_to_sock_inet128(struct sockaddr_in6 *so)
1057 {
1058 	token_t *t;
1059 	u_char *dptr = NULL;
1060 
1061 	GET_TOKEN_AREA(t, dptr, 3 * sizeof(u_char) + sizeof(u_int16_t) +
1062 	    4 * sizeof(u_int32_t));
1063 
1064 	ADD_U_CHAR(dptr, AUT_SOCKINET128);
1065 	/*
1066 	 * In BSD, sin6_family is one octet, but BSM defines the token to
1067 	 * store two. So we copy in a 0 first.  XXXRW: Possibly should be
1068 	 * conditionally compiled.
1069 	 */
1070 	ADD_U_CHAR(dptr, 0);
1071 	ADD_U_CHAR(dptr, so->sin6_family);
1072 
1073 	ADD_U_INT16(dptr, so->sin6_port);
1074 	ADD_MEM(dptr, &so->sin6_addr, 4 * sizeof(uint32_t));
1075 
1076 	return (t);
1077 }
1078 
1079 token_t *
1080 au_to_sock_inet(struct sockaddr_in *so)
1081 {
1082 
1083 	return (au_to_sock_inet32(so));
1084 }
1085 
1086 /*
1087  * token ID                1 byte
1088  * audit ID                4 bytes
1089  * effective user ID       4 bytes
1090  * effective group ID      4 bytes
1091  * real user ID            4 bytes
1092  * real group ID           4 bytes
1093  * process ID              4 bytes
1094  * session ID              4 bytes
1095  * terminal ID
1096  *   port ID               4 bytes/8 bytes (32-bit/64-bit value)
1097  *   machine address       4 bytes
1098  */
1099 token_t *
1100 au_to_subject32(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
1101     pid_t pid, au_asid_t sid, au_tid_t *tid)
1102 {
1103 	token_t *t;
1104 	u_char *dptr = NULL;
1105 
1106 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 9 * sizeof(u_int32_t));
1107 
1108 	ADD_U_CHAR(dptr, AUT_SUBJECT32);
1109 	ADD_U_INT32(dptr, auid);
1110 	ADD_U_INT32(dptr, euid);
1111 	ADD_U_INT32(dptr, egid);
1112 	ADD_U_INT32(dptr, ruid);
1113 	ADD_U_INT32(dptr, rgid);
1114 	ADD_U_INT32(dptr, pid);
1115 	ADD_U_INT32(dptr, sid);
1116 	ADD_U_INT32(dptr, tid->port);
1117 	ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t));
1118 
1119 	return (t);
1120 }
1121 
1122 token_t *
1123 au_to_subject64(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
1124     pid_t pid, au_asid_t sid, au_tid_t *tid)
1125 {
1126 	token_t *t;
1127 	u_char *dptr = NULL;
1128 
1129 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 7 * sizeof(u_int32_t) +
1130 	    sizeof(u_int64_t) + sizeof(u_int32_t));
1131 
1132 	ADD_U_CHAR(dptr, AUT_SUBJECT64);
1133 	ADD_U_INT32(dptr, auid);
1134 	ADD_U_INT32(dptr, euid);
1135 	ADD_U_INT32(dptr, egid);
1136 	ADD_U_INT32(dptr, ruid);
1137 	ADD_U_INT32(dptr, rgid);
1138 	ADD_U_INT32(dptr, pid);
1139 	ADD_U_INT32(dptr, sid);
1140 	ADD_U_INT64(dptr, tid->port);
1141 	ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t));
1142 
1143 	return (t);
1144 }
1145 
1146 token_t *
1147 au_to_subject(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
1148     pid_t pid, au_asid_t sid, au_tid_t *tid)
1149 {
1150 
1151 	return (au_to_subject32(auid, euid, egid, ruid, rgid, pid, sid,
1152 	    tid));
1153 }
1154 
1155 /*
1156  * token ID                1 byte
1157  * audit ID                4 bytes
1158  * effective user ID       4 bytes
1159  * effective group ID      4 bytes
1160  * real user ID            4 bytes
1161  * real group ID           4 bytes
1162  * process ID              4 bytes
1163  * session ID              4 bytes
1164  * terminal ID
1165  *   port ID               4 bytes/8 bytes (32-bit/64-bit value)
1166  *   address type/length   4 bytes
1167  *   machine address      16 bytes
1168  */
1169 token_t *
1170 au_to_subject32_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
1171     gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
1172 {
1173 	token_t *t;
1174 	u_char *dptr = NULL;
1175 
1176 	KASSERT((tid->at_type == AU_IPv4) || (tid->at_type == AU_IPv6),
1177 	    ("au_to_subject32_ex: type %u", (unsigned int)tid->at_type));
1178 
1179 	if (tid->at_type == AU_IPv4)
1180 		GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 10 *
1181 		    sizeof(u_int32_t));
1182 	else
1183 		GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 13 *
1184 		    sizeof(u_int32_t));
1185 
1186 	ADD_U_CHAR(dptr, AUT_SUBJECT32_EX);
1187 	ADD_U_INT32(dptr, auid);
1188 	ADD_U_INT32(dptr, euid);
1189 	ADD_U_INT32(dptr, egid);
1190 	ADD_U_INT32(dptr, ruid);
1191 	ADD_U_INT32(dptr, rgid);
1192 	ADD_U_INT32(dptr, pid);
1193 	ADD_U_INT32(dptr, sid);
1194 	ADD_U_INT32(dptr, tid->at_port);
1195 	ADD_U_INT32(dptr, tid->at_type);
1196 	if (tid->at_type == AU_IPv6)
1197 		ADD_MEM(dptr, &tid->at_addr[0], 4 * sizeof(u_int32_t));
1198 	else
1199 		ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t));
1200 
1201 	return (t);
1202 }
1203 
1204 token_t *
1205 au_to_subject64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
1206     gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
1207 {
1208 	token_t *t;
1209 	u_char *dptr = NULL;
1210 
1211 	KASSERT((tid->at_type == AU_IPv4) || (tid->at_type == AU_IPv6),
1212 	    ("au_to_subject64_ex: type %u", (unsigned int)tid->at_type));
1213 
1214 	if (tid->at_type == AU_IPv4)
1215 		GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
1216 		    7 * sizeof(u_int32_t) + sizeof(u_int64_t) +
1217 		    2 * sizeof(u_int32_t));
1218 	else
1219 		GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
1220 		    7 * sizeof(u_int32_t) + sizeof(u_int64_t) +
1221 		    5 * sizeof(u_int32_t));
1222 
1223 	ADD_U_CHAR(dptr, AUT_SUBJECT64_EX);
1224 	ADD_U_INT32(dptr, auid);
1225 	ADD_U_INT32(dptr, euid);
1226 	ADD_U_INT32(dptr, egid);
1227 	ADD_U_INT32(dptr, ruid);
1228 	ADD_U_INT32(dptr, rgid);
1229 	ADD_U_INT32(dptr, pid);
1230 	ADD_U_INT32(dptr, sid);
1231 	ADD_U_INT64(dptr, tid->at_port);
1232 	ADD_U_INT32(dptr, tid->at_type);
1233 	if (tid->at_type == AU_IPv6)
1234 		ADD_MEM(dptr, &tid->at_addr[0], 4 * sizeof(u_int32_t));
1235 	else
1236 		ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t));
1237 
1238 	return (t);
1239 }
1240 
1241 token_t *
1242 au_to_subject_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
1243     gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
1244 {
1245 
1246 	return (au_to_subject32_ex(auid, euid, egid, ruid, rgid, pid, sid,
1247 	    tid));
1248 }
1249 
1250 #if !defined(_KERNEL) && !defined(KERNEL) && defined(HAVE_AUDIT_SYSCALLS)
1251 /*
1252  * Collects audit information for the current process and creates a subject
1253  * token from it.
1254  */
1255 token_t *
1256 au_to_me(void)
1257 {
1258 	auditinfo_t auinfo;
1259 	auditinfo_addr_t aia;
1260 
1261 	/*
1262 	 * Try to use getaudit_addr(2) first.  If this kernel does not support
1263 	 * it, then fall back on to getaudit(2).
1264 	 */
1265 	if (getaudit_addr(&aia, sizeof(aia)) != 0) {
1266 		if (errno == ENOSYS) {
1267 			if (getaudit(&auinfo) != 0)
1268 				return (NULL);
1269 			return (au_to_subject32(auinfo.ai_auid, geteuid(),
1270 				getegid(), getuid(), getgid(), getpid(),
1271 				auinfo.ai_asid, &auinfo.ai_termid));
1272 		} else {
1273 			/* getaudit_addr(2) failed for some other reason. */
1274 			return (NULL);
1275 		}
1276 	}
1277 
1278 	return (au_to_subject32_ex(aia.ai_auid, geteuid(), getegid(), getuid(),
1279 		getgid(), getpid(), aia.ai_asid, &aia.ai_termid));
1280 }
1281 #endif
1282 
1283 #if defined(_KERNEL) || defined(KERNEL)
1284 static token_t *
1285 au_to_exec_strings(char *strs, int count, u_char type)
1286 {
1287 	token_t *t;
1288 	u_char *dptr = NULL;
1289 	u_int32_t totlen;
1290 	int ctr;
1291 	char *p;
1292 
1293 	totlen = 0;
1294 	ctr = count;
1295 	p = strs;
1296 	while (ctr-- > 0) {
1297 		totlen += strlen(p) + 1;
1298 		p = strs + totlen;
1299 	}
1300 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + totlen);
1301 	ADD_U_CHAR(dptr, type);
1302 	ADD_U_INT32(dptr, count);
1303 	ADD_STRING(dptr, strs, totlen);
1304 
1305 	return (t);
1306 }
1307 
1308 /*
1309  * token ID				1 byte
1310  * count				4 bytes
1311  * text					count null-terminated strings
1312  */
1313 token_t *
1314 au_to_exec_args(char *args, int argc)
1315 {
1316 
1317 	return (au_to_exec_strings(args, argc, AUT_EXEC_ARGS));
1318 }
1319 
1320 /*
1321  * token ID				1 byte
1322  * count				4 bytes
1323  * text					count null-terminated strings
1324  */
1325 token_t *
1326 au_to_exec_env(char *envs, int envc)
1327 {
1328 
1329 	return (au_to_exec_strings(envs, envc, AUT_EXEC_ENV));
1330 }
1331 #else
1332 /*
1333  * token ID				1 byte
1334  * count				4 bytes
1335  * text					count null-terminated strings
1336  */
1337 token_t *
1338 au_to_exec_args(char **argv)
1339 {
1340 	token_t *t;
1341 	u_char *dptr = NULL;
1342 	const char *nextarg;
1343 	int i, count = 0;
1344 	size_t totlen = 0;
1345 
1346 	nextarg = *argv;
1347 
1348 	while (nextarg != NULL) {
1349 		int nextlen;
1350 
1351 		nextlen = strlen(nextarg);
1352 		totlen += nextlen + 1;
1353 		count++;
1354 		nextarg = *(argv + count);
1355 	}
1356 
1357 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + totlen);
1358 
1359 	ADD_U_CHAR(dptr, AUT_EXEC_ARGS);
1360 	ADD_U_INT32(dptr, count);
1361 
1362 	for (i = 0; i < count; i++) {
1363 		nextarg = *(argv + i);
1364 		ADD_MEM(dptr, nextarg, strlen(nextarg) + 1);
1365 	}
1366 
1367 	return (t);
1368 }
1369 
1370 /*
1371  * token ID				1 byte
1372  * count				4 bytes
1373  * text					count null-terminated strings
1374  */
1375 token_t *
1376 au_to_exec_env(char **envp)
1377 {
1378 	token_t *t;
1379 	u_char *dptr = NULL;
1380 	int i, count = 0;
1381 	size_t totlen = 0;
1382 	const char *nextenv;
1383 
1384 	nextenv = *envp;
1385 
1386 	while (nextenv != NULL) {
1387 		int nextlen;
1388 
1389 		nextlen = strlen(nextenv);
1390 		totlen += nextlen + 1;
1391 		count++;
1392 		nextenv = *(envp + count);
1393 	}
1394 
1395 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + totlen);
1396 
1397 	ADD_U_CHAR(dptr, AUT_EXEC_ENV);
1398 	ADD_U_INT32(dptr, count);
1399 
1400 	for (i = 0; i < count; i++) {
1401 		nextenv = *(envp + i);
1402 		ADD_MEM(dptr, nextenv, strlen(nextenv) + 1);
1403 	}
1404 
1405 	return (t);
1406 }
1407 #endif
1408 
1409 /*
1410  * token ID                1 byte
1411  * zonename length         2 bytes
1412  * zonename                N bytes + 1 terminating NULL byte
1413  */
1414 token_t *
1415 au_to_zonename(const char *zonename)
1416 {
1417 	u_char *dptr = NULL;
1418 	u_int16_t textlen;
1419 	token_t *t;
1420 
1421 	textlen = strlen(zonename) + 1;
1422 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + textlen);
1423 
1424 	ADD_U_CHAR(dptr, AUT_ZONENAME);
1425 	ADD_U_INT16(dptr, textlen);
1426 	ADD_STRING(dptr, zonename, textlen);
1427 	return (t);
1428 }
1429 
1430 /*
1431  * token ID                1 byte
1432  * record byte count       4 bytes
1433  * version #               1 byte    [2]
1434  * event type              2 bytes
1435  * event modifier          2 bytes
1436  * seconds of time         4 bytes/8 bytes (32-bit/64-bit value)
1437  * milliseconds of time    4 bytes/8 bytes (32-bit/64-bit value)
1438  */
1439 token_t *
1440 au_to_header32_tm(int rec_size, au_event_t e_type, au_emod_t e_mod,
1441     struct timeval tm)
1442 {
1443 	token_t *t;
1444 	u_char *dptr = NULL;
1445 	u_int32_t timems;
1446 
1447 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) +
1448 	    sizeof(u_char) + 2 * sizeof(u_int16_t) + 2 * sizeof(u_int32_t));
1449 
1450 	ADD_U_CHAR(dptr, AUT_HEADER32);
1451 	ADD_U_INT32(dptr, rec_size);
1452 	ADD_U_CHAR(dptr, AUDIT_HEADER_VERSION_OPENBSM);
1453 	ADD_U_INT16(dptr, e_type);
1454 	ADD_U_INT16(dptr, e_mod);
1455 
1456 	timems = tm.tv_usec/1000;
1457 	/* Add the timestamp */
1458 	ADD_U_INT32(dptr, tm.tv_sec);
1459 	ADD_U_INT32(dptr, timems);	/* We need time in ms. */
1460 
1461 	return (t);
1462 }
1463 
1464 /*
1465  * token ID                1 byte
1466  * record byte count       4 bytes
1467  * version #               1 byte    [2]
1468  * event type              2 bytes
1469  * event modifier          2 bytes
1470  * address type/length     4 bytes
1471  * machine address         4 bytes/16 bytes (IPv4/IPv6 address)
1472  * seconds of time         4 bytes/8 bytes (32-bit/64-bit value)
1473  * milliseconds of time    4 bytes/8 bytes (32-bit/64-bit value)
1474  */
1475 token_t *
1476 au_to_header32_ex_tm(int rec_size, au_event_t e_type, au_emod_t e_mod,
1477     struct timeval tm, struct auditinfo_addr *aia)
1478 {
1479 	token_t *t;
1480 	u_char *dptr = NULL;
1481 	u_int32_t timems;
1482 	au_tid_addr_t *tid;
1483 
1484 	tid = &aia->ai_termid;
1485 	KASSERT(tid->at_type == AU_IPv4 || tid->at_type == AU_IPv6,
1486 	    ("au_to_header32_ex_tm: invalid address family"));
1487 
1488 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) +
1489 	    sizeof(u_char) + 2 * sizeof(u_int16_t) + 3 *
1490 	    sizeof(u_int32_t) + tid->at_type);
1491 
1492 	ADD_U_CHAR(dptr, AUT_HEADER32_EX);
1493 	ADD_U_INT32(dptr, rec_size);
1494 	ADD_U_CHAR(dptr, AUDIT_HEADER_VERSION_OPENBSM);
1495 	ADD_U_INT16(dptr, e_type);
1496 	ADD_U_INT16(dptr, e_mod);
1497 
1498 	ADD_U_INT32(dptr, tid->at_type);
1499 	if (tid->at_type == AU_IPv6)
1500 		ADD_MEM(dptr, &tid->at_addr[0], 4 * sizeof(u_int32_t));
1501 	else
1502 		ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t));
1503 	timems = tm.tv_usec/1000;
1504 	/* Add the timestamp */
1505 	ADD_U_INT32(dptr, tm.tv_sec);
1506 	ADD_U_INT32(dptr, timems);      /* We need time in ms. */
1507 
1508 	return (t);
1509 }
1510 
1511 token_t *
1512 au_to_header64_tm(int rec_size, au_event_t e_type, au_emod_t e_mod,
1513     struct timeval tm)
1514 {
1515 	token_t *t;
1516 	u_char *dptr = NULL;
1517 	u_int32_t timems;
1518 
1519 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) +
1520 	    sizeof(u_char) + 2 * sizeof(u_int16_t) + 2 * sizeof(u_int64_t));
1521 
1522 	ADD_U_CHAR(dptr, AUT_HEADER64);
1523 	ADD_U_INT32(dptr, rec_size);
1524 	ADD_U_CHAR(dptr, AUDIT_HEADER_VERSION_OPENBSM);
1525 	ADD_U_INT16(dptr, e_type);
1526 	ADD_U_INT16(dptr, e_mod);
1527 
1528 	timems = tm.tv_usec/1000;
1529 	/* Add the timestamp */
1530 	ADD_U_INT64(dptr, tm.tv_sec);
1531 	ADD_U_INT64(dptr, timems);	/* We need time in ms. */
1532 
1533 	return (t);
1534 }
1535 
1536 #if !defined(KERNEL) && !defined(_KERNEL)
1537 #ifdef HAVE_AUDIT_SYSCALLS
1538 token_t *
1539 au_to_header32_ex(int rec_size, au_event_t e_type, au_emod_t e_mod)
1540 {
1541 	struct timeval tm;
1542 	struct auditinfo_addr aia;
1543 
1544 	if (gettimeofday(&tm, NULL) == -1)
1545 		return (NULL);
1546 	if (audit_get_kaudit(&aia, sizeof(aia)) != 0) {
1547 		if (errno != ENOSYS)
1548 			return (NULL);
1549 		return (au_to_header32_tm(rec_size, e_type, e_mod, tm));
1550 	}
1551 	return (au_to_header32_ex_tm(rec_size, e_type, e_mod, tm, &aia));
1552 }
1553 #endif /* HAVE_AUDIT_SYSCALLS */
1554 
1555 token_t *
1556 au_to_header32(int rec_size, au_event_t e_type, au_emod_t e_mod)
1557 {
1558 	struct timeval tm;
1559 
1560 	if (gettimeofday(&tm, NULL) == -1)
1561 		return (NULL);
1562 	return (au_to_header32_tm(rec_size, e_type, e_mod, tm));
1563 }
1564 
1565 token_t *
1566 au_to_header64(__unused int rec_size, __unused au_event_t e_type,
1567     __unused au_emod_t e_mod)
1568 {
1569 	struct timeval tm;
1570 
1571 	if (gettimeofday(&tm, NULL) == -1)
1572 		return (NULL);
1573 	return (au_to_header64_tm(rec_size, e_type, e_mod, tm));
1574 }
1575 
1576 token_t *
1577 au_to_header(int rec_size, au_event_t e_type, au_emod_t e_mod)
1578 {
1579 
1580 	return (au_to_header32(rec_size, e_type, e_mod));
1581 }
1582 
1583 #ifdef HAVE_AUDIT_SYSCALLS
1584 token_t *
1585 au_to_header_ex(int rec_size, au_event_t e_type, au_emod_t e_mod)
1586 {
1587 
1588 	return (au_to_header32_ex(rec_size, e_type, e_mod));
1589 }
1590 #endif /* HAVE_AUDIT_SYSCALLS */
1591 #endif /* !defined(KERNEL) && !defined(_KERNEL) */
1592 
1593 /*
1594  * token ID                1 byte
1595  * trailer magic number    2 bytes
1596  * record byte count       4 bytes
1597  */
1598 token_t *
1599 au_to_trailer(int rec_size)
1600 {
1601 	token_t *t;
1602 	u_char *dptr = NULL;
1603 	u_int16_t magic = AUT_TRAILER_MAGIC;
1604 
1605 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) +
1606 	    sizeof(u_int32_t));
1607 
1608 	ADD_U_CHAR(dptr, AUT_TRAILER);
1609 	ADD_U_INT16(dptr, magic);
1610 	ADD_U_INT32(dptr, rec_size);
1611 
1612 	return (t);
1613 }
1614