1 /*- 2 * SPDX-License-Identifier: BSD-3-Clause 3 * 4 * Copyright (c) 2004-2009 Apple Inc. 5 * Copyright (c) 2005 SPARTA, Inc. 6 * All rights reserved. 7 * 8 * This code was developed in part by Robert N. M. Watson, Senior Principal 9 * Scientist, SPARTA, Inc. 10 * 11 * Redistribution and use in source and binary forms, with or without 12 * modification, are permitted provided that the following conditions 13 * are met: 14 * 1. Redistributions of source code must retain the above copyright 15 * notice, this list of conditions and the following disclaimer. 16 * 2. Redistributions in binary form must reproduce the above copyright 17 * notice, this list of conditions and the following disclaimer in the 18 * documentation and/or other materials provided with the distribution. 19 * 3. Neither the name of Apple Inc. ("Apple") nor the names of 20 * its contributors may be used to endorse or promote products derived 21 * from this software without specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND 24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 26 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR 27 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 31 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 32 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 33 * POSSIBILITY OF SUCH DAMAGE. 34 */ 35 36 #include <sys/cdefs.h> 37 #include <sys/param.h> 38 #include <sys/types.h> 39 #include <sys/endian.h> 40 #include <sys/queue.h> 41 #include <sys/socket.h> 42 #include <sys/time.h> 43 44 #include <sys/ipc.h> 45 #include <sys/libkern.h> 46 #include <sys/malloc.h> 47 #include <sys/un.h> 48 49 #include <netinet/in.h> 50 #include <netinet/in_systm.h> 51 #include <netinet/ip.h> 52 53 #include <bsm/audit.h> 54 #include <bsm/audit_internal.h> 55 #include <bsm/audit_record.h> 56 #include <security/audit/audit.h> 57 #include <security/audit/audit_private.h> 58 59 #define GET_TOKEN_AREA(t, dptr, length) do { \ 60 t = malloc(sizeof(token_t), M_AUDITBSM, M_WAITOK); \ 61 t->t_data = malloc(length, M_AUDITBSM, M_WAITOK | M_ZERO); \ 62 t->len = length; \ 63 dptr = t->t_data; \ 64 } while (0) 65 66 /* 67 * token ID 1 byte 68 * success/failure 1 byte 69 * privstrlen 2 bytes 70 * privstr N bytes + 1 (\0 byte) 71 */ 72 token_t * 73 au_to_upriv(char sorf, char *priv) 74 { 75 u_int16_t textlen; 76 u_char *dptr; 77 token_t *t; 78 79 textlen = strlen(priv) + 1; 80 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_char) + 81 sizeof(u_int16_t) + textlen); 82 83 ADD_U_CHAR(dptr, AUT_UPRIV); 84 ADD_U_CHAR(dptr, sorf); 85 ADD_U_INT16(dptr, textlen); 86 ADD_STRING(dptr, priv, textlen); 87 return (t); 88 } 89 90 /* 91 * token ID 1 byte 92 * privtstrlen 2 bytes 93 * privtstr N bytes + 1 94 * privstrlen 2 bytes 95 * privstr N bytes + 1 96 */ 97 token_t * 98 au_to_privset(char *privtypestr, char *privstr) 99 { 100 u_int16_t type_len, priv_len; 101 u_char *dptr; 102 token_t *t; 103 104 type_len = strlen(privtypestr) + 1; 105 priv_len = strlen(privstr) + 1; 106 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + 107 sizeof(u_int16_t) + type_len + priv_len); 108 109 ADD_U_CHAR(dptr, AUT_PRIV); 110 ADD_U_INT16(dptr, type_len); 111 ADD_STRING(dptr, privtypestr, type_len); 112 ADD_U_INT16(dptr, priv_len); 113 ADD_STRING(dptr, privstr, priv_len); 114 return (t); 115 } 116 117 /* 118 * token ID 1 byte 119 * argument # 1 byte 120 * argument value 4 bytes/8 bytes (32-bit/64-bit value) 121 * text length 2 bytes 122 * text N bytes + 1 terminating NULL byte 123 */ 124 token_t * 125 au_to_arg32(char n, const char *text, u_int32_t v) 126 { 127 token_t *t; 128 u_char *dptr = NULL; 129 u_int16_t textlen; 130 131 textlen = strlen(text); 132 textlen += 1; 133 134 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int32_t) + 135 sizeof(u_int16_t) + textlen); 136 137 ADD_U_CHAR(dptr, AUT_ARG32); 138 ADD_U_CHAR(dptr, n); 139 ADD_U_INT32(dptr, v); 140 ADD_U_INT16(dptr, textlen); 141 ADD_STRING(dptr, text, textlen); 142 143 return (t); 144 } 145 146 token_t * 147 au_to_arg64(char n, const char *text, u_int64_t v) 148 { 149 token_t *t; 150 u_char *dptr = NULL; 151 u_int16_t textlen; 152 153 textlen = strlen(text); 154 textlen += 1; 155 156 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int64_t) + 157 sizeof(u_int16_t) + textlen); 158 159 ADD_U_CHAR(dptr, AUT_ARG64); 160 ADD_U_CHAR(dptr, n); 161 ADD_U_INT64(dptr, v); 162 ADD_U_INT16(dptr, textlen); 163 ADD_STRING(dptr, text, textlen); 164 165 return (t); 166 } 167 168 token_t * 169 au_to_arg(char n, const char *text, u_int32_t v) 170 { 171 172 return (au_to_arg32(n, text, v)); 173 } 174 175 #if defined(_KERNEL) || defined(KERNEL) 176 /* 177 * token ID 1 byte 178 * file access mode 4 bytes 179 * owner user ID 4 bytes 180 * owner group ID 4 bytes 181 * file system ID 4 bytes 182 * node ID 8 bytes 183 * device 4 bytes/8 bytes (32-bit/64-bit) 184 */ 185 token_t * 186 au_to_attr32(struct vnode_au_info *vni) 187 { 188 token_t *t; 189 u_char *dptr = NULL; 190 u_int16_t pad0_16 = 0; 191 u_int32_t pad0_32 = 0; 192 193 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) + 194 3 * sizeof(u_int32_t) + sizeof(u_int64_t) + sizeof(u_int32_t)); 195 196 ADD_U_CHAR(dptr, AUT_ATTR32); 197 198 /* 199 * BSD defines the size for the file mode as 2 bytes; BSM defines 4 200 * so pad with 0. 201 * 202 * XXXRW: Possibly should be conditionally compiled. 203 * 204 * XXXRW: Should any conversions take place on the mode? 205 */ 206 ADD_U_INT16(dptr, pad0_16); 207 ADD_U_INT16(dptr, vni->vn_mode); 208 209 ADD_U_INT32(dptr, vni->vn_uid); 210 ADD_U_INT32(dptr, vni->vn_gid); 211 ADD_U_INT32(dptr, vni->vn_fsid); 212 213 /* 214 * Some systems use 32-bit file ID's, others use 64-bit file IDs. 215 * Attempt to handle both, and let the compiler sort it out. If we 216 * could pick this out at compile-time, it would be better, so as to 217 * avoid the else case below. 218 */ 219 if (sizeof(vni->vn_fileid) == sizeof(uint32_t)) { 220 ADD_U_INT32(dptr, pad0_32); 221 ADD_U_INT32(dptr, vni->vn_fileid); 222 } else if (sizeof(vni->vn_fileid) == sizeof(uint64_t)) 223 ADD_U_INT64(dptr, vni->vn_fileid); 224 else 225 ADD_U_INT64(dptr, 0LL); 226 227 ADD_U_INT32(dptr, vni->vn_dev); 228 229 return (t); 230 } 231 232 token_t * 233 au_to_attr64(struct vnode_au_info *vni) 234 { 235 token_t *t; 236 u_char *dptr = NULL; 237 u_int16_t pad0_16 = 0; 238 u_int32_t pad0_32 = 0; 239 240 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) + 241 3 * sizeof(u_int32_t) + sizeof(u_int64_t) * 2); 242 243 ADD_U_CHAR(dptr, AUT_ATTR64); 244 245 /* 246 * BSD defines the size for the file mode as 2 bytes; BSM defines 4 247 * so pad with 0. 248 * 249 * XXXRW: Possibly should be conditionally compiled. 250 * 251 * XXXRW: Should any conversions take place on the mode? 252 */ 253 ADD_U_INT16(dptr, pad0_16); 254 ADD_U_INT16(dptr, vni->vn_mode); 255 256 ADD_U_INT32(dptr, vni->vn_uid); 257 ADD_U_INT32(dptr, vni->vn_gid); 258 ADD_U_INT32(dptr, vni->vn_fsid); 259 260 /* 261 * Some systems use 32-bit file ID's, other's use 64-bit file IDs. 262 * Attempt to handle both, and let the compiler sort it out. If we 263 * could pick this out at compile-time, it would be better, so as to 264 * avoid the else case below. 265 */ 266 if (sizeof(vni->vn_fileid) == sizeof(uint32_t)) { 267 ADD_U_INT32(dptr, pad0_32); 268 ADD_U_INT32(dptr, vni->vn_fileid); 269 } else if (sizeof(vni->vn_fileid) == sizeof(uint64_t)) 270 ADD_U_INT64(dptr, vni->vn_fileid); 271 else 272 ADD_U_INT64(dptr, 0LL); 273 274 ADD_U_INT64(dptr, vni->vn_dev); 275 276 return (t); 277 } 278 279 token_t * 280 au_to_attr(struct vnode_au_info *vni) 281 { 282 283 return (au_to_attr32(vni)); 284 } 285 #endif /* !(defined(_KERNEL) || defined(KERNEL) */ 286 287 /* 288 * token ID 1 byte 289 * how to print 1 byte 290 * basic unit 1 byte 291 * unit count 1 byte 292 * data items (depends on basic unit) 293 */ 294 token_t * 295 au_to_data(char unit_print, char unit_type, char unit_count, const char *p) 296 { 297 token_t *t; 298 u_char *dptr = NULL; 299 size_t datasize, totdata; 300 301 /* Determine the size of the basic unit. */ 302 switch (unit_type) { 303 case AUR_BYTE: 304 /* case AUR_CHAR: */ 305 datasize = AUR_BYTE_SIZE; 306 break; 307 308 case AUR_SHORT: 309 datasize = AUR_SHORT_SIZE; 310 break; 311 312 case AUR_INT32: 313 /* case AUR_INT: */ 314 datasize = AUR_INT32_SIZE; 315 break; 316 317 case AUR_INT64: 318 datasize = AUR_INT64_SIZE; 319 break; 320 321 default: 322 return (NULL); 323 } 324 325 totdata = datasize * unit_count; 326 327 GET_TOKEN_AREA(t, dptr, 4 * sizeof(u_char) + totdata); 328 329 /* 330 * XXXRW: We should be byte-swapping each data item for multi-byte 331 * types. 332 */ 333 ADD_U_CHAR(dptr, AUT_DATA); 334 ADD_U_CHAR(dptr, unit_print); 335 ADD_U_CHAR(dptr, unit_type); 336 ADD_U_CHAR(dptr, unit_count); 337 ADD_MEM(dptr, p, totdata); 338 339 return (t); 340 } 341 342 /* 343 * token ID 1 byte 344 * status 4 bytes 345 * return value 4 bytes 346 */ 347 token_t * 348 au_to_exit(int retval, int err) 349 { 350 token_t *t; 351 u_char *dptr = NULL; 352 353 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int32_t)); 354 355 ADD_U_CHAR(dptr, AUT_EXIT); 356 ADD_U_INT32(dptr, err); 357 ADD_U_INT32(dptr, retval); 358 359 return (t); 360 } 361 362 /* 363 */ 364 token_t * 365 au_to_groups(int *groups) 366 { 367 368 return (au_to_newgroups(AUDIT_MAX_GROUPS, (gid_t *)groups)); 369 } 370 371 /* 372 * token ID 1 byte 373 * number groups 2 bytes 374 * group list count * 4 bytes 375 */ 376 token_t * 377 au_to_newgroups(u_int16_t n, gid_t *groups) 378 { 379 token_t *t; 380 u_char *dptr = NULL; 381 int i; 382 383 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + 384 n * sizeof(u_int32_t)); 385 386 ADD_U_CHAR(dptr, AUT_NEWGROUPS); 387 ADD_U_INT16(dptr, n); 388 for (i = 0; i < n; i++) 389 ADD_U_INT32(dptr, groups[i]); 390 391 return (t); 392 } 393 394 /* 395 * token ID 1 byte 396 * internet address 4 bytes 397 */ 398 token_t * 399 au_to_in_addr(struct in_addr *internet_addr) 400 { 401 token_t *t; 402 u_char *dptr = NULL; 403 404 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(uint32_t)); 405 406 ADD_U_CHAR(dptr, AUT_IN_ADDR); 407 ADD_MEM(dptr, &internet_addr->s_addr, sizeof(uint32_t)); 408 409 return (t); 410 } 411 412 /* 413 * token ID 1 byte 414 * address type/length 4 bytes 415 * address 16 bytes 416 */ 417 token_t * 418 au_to_in_addr_ex(struct in6_addr *internet_addr) 419 { 420 token_t *t; 421 u_char *dptr = NULL; 422 u_int32_t type = AU_IPv6; 423 424 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 5 * sizeof(uint32_t)); 425 426 ADD_U_CHAR(dptr, AUT_IN_ADDR_EX); 427 ADD_U_INT32(dptr, type); 428 ADD_MEM(dptr, internet_addr, 4 * sizeof(uint32_t)); 429 430 return (t); 431 } 432 433 /* 434 * token ID 1 byte 435 * ip header 20 bytes 436 * 437 * The IP header should be submitted in network byte order. 438 */ 439 token_t * 440 au_to_ip(struct ip *ip) 441 { 442 token_t *t; 443 u_char *dptr = NULL; 444 445 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(struct ip)); 446 447 ADD_U_CHAR(dptr, AUT_IP); 448 ADD_MEM(dptr, ip, sizeof(struct ip)); 449 450 return (t); 451 } 452 453 /* 454 * token ID 1 byte 455 * object ID type 1 byte 456 * object ID 4 bytes 457 */ 458 token_t * 459 au_to_ipc(char type, int id) 460 { 461 token_t *t; 462 u_char *dptr = NULL; 463 464 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int32_t)); 465 466 ADD_U_CHAR(dptr, AUT_IPC); 467 ADD_U_CHAR(dptr, type); 468 ADD_U_INT32(dptr, id); 469 470 return (t); 471 } 472 473 /* 474 * token ID 1 byte 475 * owner user ID 4 bytes 476 * owner group ID 4 bytes 477 * creator user ID 4 bytes 478 * creator group ID 4 bytes 479 * access mode 4 bytes 480 * slot sequence # 4 bytes 481 * key 4 bytes 482 */ 483 token_t * 484 au_to_ipc_perm(struct ipc_perm *perm) 485 { 486 token_t *t; 487 u_char *dptr = NULL; 488 u_int16_t pad0 = 0; 489 490 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 12 * sizeof(u_int16_t) + 491 sizeof(u_int32_t)); 492 493 ADD_U_CHAR(dptr, AUT_IPC_PERM); 494 495 /* 496 * Systems vary significantly in what types they use in struct 497 * ipc_perm; at least a few still use 16-bit uid's and gid's, so 498 * allow for that, as BSM define 32-bit values here. 499 * Some systems define the sizes for ipc_perm members as 2 bytes; 500 * BSM defines 4 so pad with 0. 501 * 502 * XXXRW: Possibly shoulid be conditionally compiled, and more cases 503 * need to be handled. 504 */ 505 if (sizeof(perm->uid) != sizeof(u_int32_t)) { 506 ADD_U_INT16(dptr, pad0); 507 ADD_U_INT16(dptr, perm->uid); 508 ADD_U_INT16(dptr, pad0); 509 ADD_U_INT16(dptr, perm->gid); 510 ADD_U_INT16(dptr, pad0); 511 ADD_U_INT16(dptr, perm->cuid); 512 ADD_U_INT16(dptr, pad0); 513 ADD_U_INT16(dptr, perm->cgid); 514 } else { 515 ADD_U_INT32(dptr, perm->uid); 516 ADD_U_INT32(dptr, perm->gid); 517 ADD_U_INT32(dptr, perm->cuid); 518 ADD_U_INT32(dptr, perm->cgid); 519 } 520 521 ADD_U_INT16(dptr, pad0); 522 ADD_U_INT16(dptr, perm->mode); 523 524 ADD_U_INT16(dptr, pad0); 525 526 ADD_U_INT16(dptr, perm->seq); 527 528 ADD_U_INT32(dptr, perm->key); 529 530 return (t); 531 } 532 533 /* 534 * token ID 1 byte 535 * port IP address 2 bytes 536 */ 537 token_t * 538 au_to_iport(u_int16_t iport) 539 { 540 token_t *t; 541 u_char *dptr = NULL; 542 543 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t)); 544 545 ADD_U_CHAR(dptr, AUT_IPORT); 546 ADD_U_INT16(dptr, iport); 547 548 return (t); 549 } 550 551 /* 552 * token ID 1 byte 553 * size 2 bytes 554 * data size bytes 555 */ 556 token_t * 557 au_to_opaque(const char *data, u_int16_t bytes) 558 { 559 token_t *t; 560 u_char *dptr = NULL; 561 562 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + bytes); 563 564 ADD_U_CHAR(dptr, AUT_OPAQUE); 565 ADD_U_INT16(dptr, bytes); 566 ADD_MEM(dptr, data, bytes); 567 568 return (t); 569 } 570 571 /* 572 * token ID 1 byte 573 * seconds of time 4 bytes 574 * milliseconds of time 4 bytes 575 * file name len 2 bytes 576 * file pathname N bytes + 1 terminating NULL byte 577 */ 578 token_t * 579 au_to_file(const char *file, struct timeval tm) 580 { 581 token_t *t; 582 u_char *dptr = NULL; 583 u_int16_t filelen; 584 u_int32_t timems; 585 586 filelen = strlen(file); 587 filelen += 1; 588 589 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int32_t) + 590 sizeof(u_int16_t) + filelen); 591 592 timems = tm.tv_usec/1000; 593 594 ADD_U_CHAR(dptr, AUT_OTHER_FILE32); 595 ADD_U_INT32(dptr, tm.tv_sec); 596 ADD_U_INT32(dptr, timems); /* We need time in ms. */ 597 ADD_U_INT16(dptr, filelen); 598 ADD_STRING(dptr, file, filelen); 599 600 return (t); 601 } 602 603 /* 604 * token ID 1 byte 605 * text length 2 bytes 606 * text N bytes + 1 terminating NULL byte 607 */ 608 token_t * 609 au_to_text(const char *text) 610 { 611 token_t *t; 612 u_char *dptr = NULL; 613 u_int16_t textlen; 614 615 textlen = strlen(text); 616 textlen += 1; 617 618 /* XXXRW: Should validate length against token size limit. */ 619 620 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + textlen); 621 622 ADD_U_CHAR(dptr, AUT_TEXT); 623 ADD_U_INT16(dptr, textlen); 624 ADD_STRING(dptr, text, textlen); 625 626 return (t); 627 } 628 629 /* 630 * token ID 1 byte 631 * path length 2 bytes 632 * path N bytes + 1 terminating NULL byte 633 */ 634 token_t * 635 au_to_path(const char *text) 636 { 637 token_t *t; 638 u_char *dptr = NULL; 639 u_int16_t textlen; 640 641 textlen = strlen(text); 642 textlen += 1; 643 644 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + textlen); 645 646 ADD_U_CHAR(dptr, AUT_PATH); 647 ADD_U_INT16(dptr, textlen); 648 ADD_STRING(dptr, text, textlen); 649 650 return (t); 651 } 652 653 /* 654 * token ID 1 byte 655 * audit ID 4 bytes 656 * effective user ID 4 bytes 657 * effective group ID 4 bytes 658 * real user ID 4 bytes 659 * real group ID 4 bytes 660 * process ID 4 bytes 661 * session ID 4 bytes 662 * terminal ID 663 * port ID 4 bytes/8 bytes (32-bit/64-bit value) 664 * machine address 4 bytes 665 */ 666 token_t * 667 au_to_process32(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, 668 pid_t pid, au_asid_t sid, au_tid_t *tid) 669 { 670 token_t *t; 671 u_char *dptr = NULL; 672 673 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 9 * sizeof(u_int32_t)); 674 675 ADD_U_CHAR(dptr, AUT_PROCESS32); 676 ADD_U_INT32(dptr, auid); 677 ADD_U_INT32(dptr, euid); 678 ADD_U_INT32(dptr, egid); 679 ADD_U_INT32(dptr, ruid); 680 ADD_U_INT32(dptr, rgid); 681 ADD_U_INT32(dptr, pid); 682 ADD_U_INT32(dptr, sid); 683 ADD_U_INT32(dptr, tid->port); 684 685 /* 686 * Note: Solaris will write out IPv6 addresses here as a 32-bit 687 * address type and 16 bytes of address, but for IPv4 addresses it 688 * simply writes the 4-byte address directly. We support only IPv4 689 * addresses for process32 tokens. 690 */ 691 ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t)); 692 693 return (t); 694 } 695 696 token_t * 697 au_to_process64(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, 698 pid_t pid, au_asid_t sid, au_tid_t *tid) 699 { 700 token_t *t; 701 u_char *dptr = NULL; 702 703 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 8 * sizeof(u_int32_t) + 704 sizeof(u_int64_t)); 705 706 ADD_U_CHAR(dptr, AUT_PROCESS64); 707 ADD_U_INT32(dptr, auid); 708 ADD_U_INT32(dptr, euid); 709 ADD_U_INT32(dptr, egid); 710 ADD_U_INT32(dptr, ruid); 711 ADD_U_INT32(dptr, rgid); 712 ADD_U_INT32(dptr, pid); 713 ADD_U_INT32(dptr, sid); 714 ADD_U_INT64(dptr, tid->port); 715 716 /* 717 * Note: Solaris will write out IPv6 addresses here as a 32-bit 718 * address type and 16 bytes of address, but for IPv4 addresses it 719 * simply writes the 4-byte address directly. We support only IPv4 720 * addresses for process64 tokens. 721 */ 722 ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t)); 723 724 return (t); 725 } 726 727 token_t * 728 au_to_process(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, 729 pid_t pid, au_asid_t sid, au_tid_t *tid) 730 { 731 732 return (au_to_process32(auid, euid, egid, ruid, rgid, pid, sid, 733 tid)); 734 } 735 736 /* 737 * token ID 1 byte 738 * audit ID 4 bytes 739 * effective user ID 4 bytes 740 * effective group ID 4 bytes 741 * real user ID 4 bytes 742 * real group ID 4 bytes 743 * process ID 4 bytes 744 * session ID 4 bytes 745 * terminal ID 746 * port ID 4 bytes/8 bytes (32-bit/64-bit value) 747 * address type-len 4 bytes 748 * machine address 16 bytes 749 */ 750 token_t * 751 au_to_process32_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, 752 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid) 753 { 754 token_t *t; 755 u_char *dptr = NULL; 756 757 KASSERT((tid->at_type == AU_IPv4) || (tid->at_type == AU_IPv6), 758 ("au_to_process32_ex: type %u", (unsigned int)tid->at_type)); 759 if (tid->at_type == AU_IPv4) 760 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 761 10 * sizeof(u_int32_t)); 762 else 763 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 764 13 * sizeof(u_int32_t)); 765 766 ADD_U_CHAR(dptr, AUT_PROCESS32_EX); 767 ADD_U_INT32(dptr, auid); 768 ADD_U_INT32(dptr, euid); 769 ADD_U_INT32(dptr, egid); 770 ADD_U_INT32(dptr, ruid); 771 ADD_U_INT32(dptr, rgid); 772 ADD_U_INT32(dptr, pid); 773 ADD_U_INT32(dptr, sid); 774 ADD_U_INT32(dptr, tid->at_port); 775 ADD_U_INT32(dptr, tid->at_type); 776 ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t)); 777 if (tid->at_type == AU_IPv6) { 778 ADD_MEM(dptr, &tid->at_addr[1], sizeof(u_int32_t)); 779 ADD_MEM(dptr, &tid->at_addr[2], sizeof(u_int32_t)); 780 ADD_MEM(dptr, &tid->at_addr[3], sizeof(u_int32_t)); 781 } 782 783 return (t); 784 } 785 786 token_t * 787 au_to_process64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, 788 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid) 789 { 790 token_t *t; 791 u_char *dptr = NULL; 792 793 if (tid->at_type == AU_IPv4) 794 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 795 7 * sizeof(u_int32_t) + sizeof(u_int64_t) + 796 2 * sizeof(u_int32_t)); 797 else if (tid->at_type == AU_IPv6) 798 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 799 7 * sizeof(u_int32_t) + sizeof(u_int64_t) + 800 5 * sizeof(u_int32_t)); 801 else 802 panic("au_to_process64_ex: invalidate at_type (%d)", 803 tid->at_type); 804 805 ADD_U_CHAR(dptr, AUT_PROCESS64_EX); 806 ADD_U_INT32(dptr, auid); 807 ADD_U_INT32(dptr, euid); 808 ADD_U_INT32(dptr, egid); 809 ADD_U_INT32(dptr, ruid); 810 ADD_U_INT32(dptr, rgid); 811 ADD_U_INT32(dptr, pid); 812 ADD_U_INT32(dptr, sid); 813 ADD_U_INT64(dptr, tid->at_port); 814 ADD_U_INT32(dptr, tid->at_type); 815 ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t)); 816 if (tid->at_type == AU_IPv6) { 817 ADD_MEM(dptr, &tid->at_addr[1], sizeof(u_int32_t)); 818 ADD_MEM(dptr, &tid->at_addr[2], sizeof(u_int32_t)); 819 ADD_MEM(dptr, &tid->at_addr[3], sizeof(u_int32_t)); 820 } 821 822 return (t); 823 } 824 825 token_t * 826 au_to_process_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, 827 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid) 828 { 829 830 return (au_to_process32_ex(auid, euid, egid, ruid, rgid, pid, sid, 831 tid)); 832 } 833 834 token_t * 835 au_to_rights(cap_rights_t *rightsp) 836 { 837 token_t *t; 838 u_char *dptr; 839 int i; 840 841 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(*rightsp)); 842 843 ADD_U_CHAR(dptr, AUT_RIGHTS); 844 for (i = 0; i < nitems(rightsp->cr_rights); i++) 845 ADD_U_INT64(dptr, rightsp->cr_rights[i]); 846 847 return (t); 848 } 849 850 /* 851 * token ID 1 byte 852 * error status 1 byte 853 * return value 4 bytes/8 bytes (32-bit/64-bit value) 854 */ 855 token_t * 856 au_to_return32(char status, u_int32_t ret) 857 { 858 token_t *t; 859 u_char *dptr = NULL; 860 861 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int32_t)); 862 863 ADD_U_CHAR(dptr, AUT_RETURN32); 864 ADD_U_CHAR(dptr, status); 865 ADD_U_INT32(dptr, ret); 866 867 return (t); 868 } 869 870 token_t * 871 au_to_return64(char status, u_int64_t ret) 872 { 873 token_t *t; 874 u_char *dptr = NULL; 875 876 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int64_t)); 877 878 ADD_U_CHAR(dptr, AUT_RETURN64); 879 ADD_U_CHAR(dptr, status); 880 ADD_U_INT64(dptr, ret); 881 882 return (t); 883 } 884 885 token_t * 886 au_to_return(char status, u_int32_t ret) 887 { 888 889 return (au_to_return32(status, ret)); 890 } 891 892 /* 893 * token ID 1 byte 894 * sequence number 4 bytes 895 */ 896 token_t * 897 au_to_seq(long audit_count) 898 { 899 token_t *t; 900 u_char *dptr = NULL; 901 902 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t)); 903 904 ADD_U_CHAR(dptr, AUT_SEQ); 905 ADD_U_INT32(dptr, audit_count); 906 907 return (t); 908 } 909 910 /* 911 * token ID 1 byte 912 * socket domain 2 bytes 913 * socket type 2 bytes 914 * address type 2 byte 915 * local port 2 bytes 916 * local address 4 bytes/16 bytes (IPv4/IPv6 address) 917 * remote port 2 bytes 918 * remote address 4 bytes/16 bytes (IPv4/IPv6 address) 919 * 920 * Domain and type arguments to this routine are assumed to already have been 921 * converted to the BSM constant space, so we don't do that here. 922 */ 923 token_t * 924 au_to_socket_ex(u_short so_domain, u_short so_type, 925 struct sockaddr *sa_local, struct sockaddr *sa_remote) 926 { 927 token_t *t; 928 u_char *dptr = NULL; 929 struct sockaddr_in *sin; 930 struct sockaddr_in6 *sin6; 931 932 if (so_domain == AF_INET) 933 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 934 5 * sizeof(u_int16_t) + 2 * sizeof(u_int32_t)); 935 else if (so_domain == AF_INET6) 936 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 937 5 * sizeof(u_int16_t) + 8 * sizeof(u_int32_t)); 938 else 939 return (NULL); 940 941 ADD_U_CHAR(dptr, AUT_SOCKET_EX); 942 ADD_U_INT16(dptr, au_domain_to_bsm(so_domain)); 943 ADD_U_INT16(dptr, au_socket_type_to_bsm(so_type)); 944 if (so_domain == AF_INET) { 945 ADD_U_INT16(dptr, AU_IPv4); 946 sin = (struct sockaddr_in *)sa_local; 947 ADD_MEM(dptr, &sin->sin_port, sizeof(uint16_t)); 948 ADD_MEM(dptr, &sin->sin_addr.s_addr, sizeof(uint32_t)); 949 sin = (struct sockaddr_in *)sa_remote; 950 ADD_MEM(dptr, &sin->sin_port, sizeof(uint16_t)); 951 ADD_MEM(dptr, &sin->sin_addr.s_addr, sizeof(uint32_t)); 952 } else { 953 ADD_U_INT16(dptr, AU_IPv6); 954 sin6 = (struct sockaddr_in6 *)sa_local; 955 ADD_MEM(dptr, &sin6->sin6_port, sizeof(uint16_t)); 956 ADD_MEM(dptr, &sin6->sin6_addr, 4 * sizeof(uint32_t)); 957 sin6 = (struct sockaddr_in6 *)sa_remote; 958 ADD_MEM(dptr, &sin6->sin6_port, sizeof(uint16_t)); 959 ADD_MEM(dptr, &sin6->sin6_addr, 4 * sizeof(uint32_t)); 960 } 961 962 return (t); 963 } 964 965 /* 966 * Kernel-specific version of the above function. 967 * 968 * XXXRW: Should now use au_to_socket_ex() here. 969 */ 970 #ifdef _KERNEL 971 token_t * 972 kau_to_socket(struct socket_au_info *soi) 973 { 974 token_t *t; 975 u_char *dptr; 976 u_int16_t so_type; 977 978 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) + 979 sizeof(u_int32_t) + sizeof(u_int16_t) + sizeof(u_int32_t)); 980 981 ADD_U_CHAR(dptr, AUT_SOCKET); 982 /* Coerce the socket type into a short value */ 983 so_type = soi->so_type; 984 ADD_U_INT16(dptr, so_type); 985 ADD_U_INT16(dptr, soi->so_lport); 986 ADD_U_INT32(dptr, soi->so_laddr); 987 ADD_U_INT16(dptr, soi->so_rport); 988 ADD_U_INT32(dptr, soi->so_raddr); 989 990 return (t); 991 } 992 #endif 993 994 /* 995 * token ID 1 byte 996 * socket family 2 bytes 997 * path (up to) 104 bytes + NULL (NULL terminated string) 998 */ 999 token_t * 1000 au_to_sock_unix(struct sockaddr_un *so) 1001 { 1002 token_t *t; 1003 u_char *dptr; 1004 1005 GET_TOKEN_AREA(t, dptr, 3 * sizeof(u_char) + strlen(so->sun_path) + 1); 1006 1007 ADD_U_CHAR(dptr, AUT_SOCKUNIX); 1008 /* BSM token has two bytes for family */ 1009 ADD_U_CHAR(dptr, 0); 1010 ADD_U_CHAR(dptr, so->sun_family); 1011 ADD_STRING(dptr, so->sun_path, strlen(so->sun_path) + 1); 1012 1013 return (t); 1014 } 1015 1016 /* 1017 * token ID 1 byte 1018 * socket family 2 bytes 1019 * local port 2 bytes 1020 * socket address 4 bytes 1021 */ 1022 token_t * 1023 au_to_sock_inet32(struct sockaddr_in *so) 1024 { 1025 token_t *t; 1026 u_char *dptr = NULL; 1027 uint16_t family; 1028 1029 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(uint16_t) + 1030 sizeof(uint32_t)); 1031 1032 ADD_U_CHAR(dptr, AUT_SOCKINET32); 1033 /* 1034 * BSM defines the family field as 16 bits, but many operating 1035 * systems have an 8-bit sin_family field. Extend to 16 bits before 1036 * writing into the token. Assume that both the port and the address 1037 * in the sockaddr_in are already in network byte order, but family 1038 * is in local byte order. 1039 * 1040 * XXXRW: Should a name space conversion be taking place on the value 1041 * of sin_family? 1042 */ 1043 family = so->sin_family; 1044 ADD_U_INT16(dptr, family); 1045 ADD_MEM(dptr, &so->sin_port, sizeof(uint16_t)); 1046 ADD_MEM(dptr, &so->sin_addr.s_addr, sizeof(uint32_t)); 1047 1048 return (t); 1049 } 1050 1051 token_t * 1052 au_to_sock_inet128(struct sockaddr_in6 *so) 1053 { 1054 token_t *t; 1055 u_char *dptr = NULL; 1056 1057 GET_TOKEN_AREA(t, dptr, 3 * sizeof(u_char) + sizeof(u_int16_t) + 1058 4 * sizeof(u_int32_t)); 1059 1060 ADD_U_CHAR(dptr, AUT_SOCKINET128); 1061 /* 1062 * In BSD, sin6_family is one octet, but BSM defines the token to 1063 * store two. So we copy in a 0 first. XXXRW: Possibly should be 1064 * conditionally compiled. 1065 */ 1066 ADD_U_CHAR(dptr, 0); 1067 ADD_U_CHAR(dptr, so->sin6_family); 1068 1069 ADD_U_INT16(dptr, so->sin6_port); 1070 ADD_MEM(dptr, &so->sin6_addr, 4 * sizeof(uint32_t)); 1071 1072 return (t); 1073 } 1074 1075 token_t * 1076 au_to_sock_inet(struct sockaddr_in *so) 1077 { 1078 1079 return (au_to_sock_inet32(so)); 1080 } 1081 1082 /* 1083 * token ID 1 byte 1084 * audit ID 4 bytes 1085 * effective user ID 4 bytes 1086 * effective group ID 4 bytes 1087 * real user ID 4 bytes 1088 * real group ID 4 bytes 1089 * process ID 4 bytes 1090 * session ID 4 bytes 1091 * terminal ID 1092 * port ID 4 bytes/8 bytes (32-bit/64-bit value) 1093 * machine address 4 bytes 1094 */ 1095 token_t * 1096 au_to_subject32(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, 1097 pid_t pid, au_asid_t sid, au_tid_t *tid) 1098 { 1099 token_t *t; 1100 u_char *dptr = NULL; 1101 1102 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 9 * sizeof(u_int32_t)); 1103 1104 ADD_U_CHAR(dptr, AUT_SUBJECT32); 1105 ADD_U_INT32(dptr, auid); 1106 ADD_U_INT32(dptr, euid); 1107 ADD_U_INT32(dptr, egid); 1108 ADD_U_INT32(dptr, ruid); 1109 ADD_U_INT32(dptr, rgid); 1110 ADD_U_INT32(dptr, pid); 1111 ADD_U_INT32(dptr, sid); 1112 ADD_U_INT32(dptr, tid->port); 1113 ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t)); 1114 1115 return (t); 1116 } 1117 1118 token_t * 1119 au_to_subject64(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, 1120 pid_t pid, au_asid_t sid, au_tid_t *tid) 1121 { 1122 token_t *t; 1123 u_char *dptr = NULL; 1124 1125 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 7 * sizeof(u_int32_t) + 1126 sizeof(u_int64_t) + sizeof(u_int32_t)); 1127 1128 ADD_U_CHAR(dptr, AUT_SUBJECT64); 1129 ADD_U_INT32(dptr, auid); 1130 ADD_U_INT32(dptr, euid); 1131 ADD_U_INT32(dptr, egid); 1132 ADD_U_INT32(dptr, ruid); 1133 ADD_U_INT32(dptr, rgid); 1134 ADD_U_INT32(dptr, pid); 1135 ADD_U_INT32(dptr, sid); 1136 ADD_U_INT64(dptr, tid->port); 1137 ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t)); 1138 1139 return (t); 1140 } 1141 1142 token_t * 1143 au_to_subject(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, 1144 pid_t pid, au_asid_t sid, au_tid_t *tid) 1145 { 1146 1147 return (au_to_subject32(auid, euid, egid, ruid, rgid, pid, sid, 1148 tid)); 1149 } 1150 1151 /* 1152 * token ID 1 byte 1153 * audit ID 4 bytes 1154 * effective user ID 4 bytes 1155 * effective group ID 4 bytes 1156 * real user ID 4 bytes 1157 * real group ID 4 bytes 1158 * process ID 4 bytes 1159 * session ID 4 bytes 1160 * terminal ID 1161 * port ID 4 bytes/8 bytes (32-bit/64-bit value) 1162 * address type/length 4 bytes 1163 * machine address 16 bytes 1164 */ 1165 token_t * 1166 au_to_subject32_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, 1167 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid) 1168 { 1169 token_t *t; 1170 u_char *dptr = NULL; 1171 1172 KASSERT((tid->at_type == AU_IPv4) || (tid->at_type == AU_IPv6), 1173 ("au_to_subject32_ex: type %u", (unsigned int)tid->at_type)); 1174 1175 if (tid->at_type == AU_IPv4) 1176 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 10 * 1177 sizeof(u_int32_t)); 1178 else 1179 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 13 * 1180 sizeof(u_int32_t)); 1181 1182 ADD_U_CHAR(dptr, AUT_SUBJECT32_EX); 1183 ADD_U_INT32(dptr, auid); 1184 ADD_U_INT32(dptr, euid); 1185 ADD_U_INT32(dptr, egid); 1186 ADD_U_INT32(dptr, ruid); 1187 ADD_U_INT32(dptr, rgid); 1188 ADD_U_INT32(dptr, pid); 1189 ADD_U_INT32(dptr, sid); 1190 ADD_U_INT32(dptr, tid->at_port); 1191 ADD_U_INT32(dptr, tid->at_type); 1192 if (tid->at_type == AU_IPv6) 1193 ADD_MEM(dptr, &tid->at_addr[0], 4 * sizeof(u_int32_t)); 1194 else 1195 ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t)); 1196 1197 return (t); 1198 } 1199 1200 token_t * 1201 au_to_subject64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, 1202 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid) 1203 { 1204 token_t *t; 1205 u_char *dptr = NULL; 1206 1207 KASSERT((tid->at_type == AU_IPv4) || (tid->at_type == AU_IPv6), 1208 ("au_to_subject64_ex: type %u", (unsigned int)tid->at_type)); 1209 1210 if (tid->at_type == AU_IPv4) 1211 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 1212 7 * sizeof(u_int32_t) + sizeof(u_int64_t) + 1213 2 * sizeof(u_int32_t)); 1214 else 1215 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 1216 7 * sizeof(u_int32_t) + sizeof(u_int64_t) + 1217 5 * sizeof(u_int32_t)); 1218 1219 ADD_U_CHAR(dptr, AUT_SUBJECT64_EX); 1220 ADD_U_INT32(dptr, auid); 1221 ADD_U_INT32(dptr, euid); 1222 ADD_U_INT32(dptr, egid); 1223 ADD_U_INT32(dptr, ruid); 1224 ADD_U_INT32(dptr, rgid); 1225 ADD_U_INT32(dptr, pid); 1226 ADD_U_INT32(dptr, sid); 1227 ADD_U_INT64(dptr, tid->at_port); 1228 ADD_U_INT32(dptr, tid->at_type); 1229 if (tid->at_type == AU_IPv6) 1230 ADD_MEM(dptr, &tid->at_addr[0], 4 * sizeof(u_int32_t)); 1231 else 1232 ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t)); 1233 1234 return (t); 1235 } 1236 1237 token_t * 1238 au_to_subject_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, 1239 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid) 1240 { 1241 1242 return (au_to_subject32_ex(auid, euid, egid, ruid, rgid, pid, sid, 1243 tid)); 1244 } 1245 1246 #if !defined(_KERNEL) && !defined(KERNEL) && defined(HAVE_AUDIT_SYSCALLS) 1247 /* 1248 * Collects audit information for the current process and creates a subject 1249 * token from it. 1250 */ 1251 token_t * 1252 au_to_me(void) 1253 { 1254 auditinfo_t auinfo; 1255 auditinfo_addr_t aia; 1256 1257 /* 1258 * Try to use getaudit_addr(2) first. If this kernel does not support 1259 * it, then fall back on to getaudit(2). 1260 */ 1261 if (getaudit_addr(&aia, sizeof(aia)) != 0) { 1262 if (errno == ENOSYS) { 1263 if (getaudit(&auinfo) != 0) 1264 return (NULL); 1265 return (au_to_subject32(auinfo.ai_auid, geteuid(), 1266 getegid(), getuid(), getgid(), getpid(), 1267 auinfo.ai_asid, &auinfo.ai_termid)); 1268 } else { 1269 /* getaudit_addr(2) failed for some other reason. */ 1270 return (NULL); 1271 } 1272 } 1273 1274 return (au_to_subject32_ex(aia.ai_auid, geteuid(), getegid(), getuid(), 1275 getgid(), getpid(), aia.ai_asid, &aia.ai_termid)); 1276 } 1277 #endif 1278 1279 #if defined(_KERNEL) || defined(KERNEL) 1280 static token_t * 1281 au_to_exec_strings(char *strs, int count, u_char type) 1282 { 1283 token_t *t; 1284 u_char *dptr = NULL; 1285 u_int32_t totlen; 1286 int ctr; 1287 char *p; 1288 1289 totlen = 0; 1290 ctr = count; 1291 p = strs; 1292 while (ctr-- > 0) { 1293 totlen += strlen(p) + 1; 1294 p = strs + totlen; 1295 } 1296 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + totlen); 1297 ADD_U_CHAR(dptr, type); 1298 ADD_U_INT32(dptr, count); 1299 ADD_STRING(dptr, strs, totlen); 1300 1301 return (t); 1302 } 1303 1304 /* 1305 * token ID 1 byte 1306 * count 4 bytes 1307 * text count null-terminated strings 1308 */ 1309 token_t * 1310 au_to_exec_args(char *args, int argc) 1311 { 1312 1313 return (au_to_exec_strings(args, argc, AUT_EXEC_ARGS)); 1314 } 1315 1316 /* 1317 * token ID 1 byte 1318 * count 4 bytes 1319 * text count null-terminated strings 1320 */ 1321 token_t * 1322 au_to_exec_env(char *envs, int envc) 1323 { 1324 1325 return (au_to_exec_strings(envs, envc, AUT_EXEC_ENV)); 1326 } 1327 #else 1328 /* 1329 * token ID 1 byte 1330 * count 4 bytes 1331 * text count null-terminated strings 1332 */ 1333 token_t * 1334 au_to_exec_args(char **argv) 1335 { 1336 token_t *t; 1337 u_char *dptr = NULL; 1338 const char *nextarg; 1339 int i, count = 0; 1340 size_t totlen = 0; 1341 1342 nextarg = *argv; 1343 1344 while (nextarg != NULL) { 1345 int nextlen; 1346 1347 nextlen = strlen(nextarg); 1348 totlen += nextlen + 1; 1349 count++; 1350 nextarg = *(argv + count); 1351 } 1352 1353 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + totlen); 1354 1355 ADD_U_CHAR(dptr, AUT_EXEC_ARGS); 1356 ADD_U_INT32(dptr, count); 1357 1358 for (i = 0; i < count; i++) { 1359 nextarg = *(argv + i); 1360 ADD_MEM(dptr, nextarg, strlen(nextarg) + 1); 1361 } 1362 1363 return (t); 1364 } 1365 1366 /* 1367 * token ID 1 byte 1368 * count 4 bytes 1369 * text count null-terminated strings 1370 */ 1371 token_t * 1372 au_to_exec_env(char **envp) 1373 { 1374 token_t *t; 1375 u_char *dptr = NULL; 1376 int i, count = 0; 1377 size_t totlen = 0; 1378 const char *nextenv; 1379 1380 nextenv = *envp; 1381 1382 while (nextenv != NULL) { 1383 int nextlen; 1384 1385 nextlen = strlen(nextenv); 1386 totlen += nextlen + 1; 1387 count++; 1388 nextenv = *(envp + count); 1389 } 1390 1391 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + totlen); 1392 1393 ADD_U_CHAR(dptr, AUT_EXEC_ENV); 1394 ADD_U_INT32(dptr, count); 1395 1396 for (i = 0; i < count; i++) { 1397 nextenv = *(envp + i); 1398 ADD_MEM(dptr, nextenv, strlen(nextenv) + 1); 1399 } 1400 1401 return (t); 1402 } 1403 #endif 1404 1405 /* 1406 * token ID 1 byte 1407 * zonename length 2 bytes 1408 * zonename N bytes + 1 terminating NULL byte 1409 */ 1410 token_t * 1411 au_to_zonename(const char *zonename) 1412 { 1413 u_char *dptr = NULL; 1414 u_int16_t textlen; 1415 token_t *t; 1416 1417 textlen = strlen(zonename) + 1; 1418 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + textlen); 1419 1420 ADD_U_CHAR(dptr, AUT_ZONENAME); 1421 ADD_U_INT16(dptr, textlen); 1422 ADD_STRING(dptr, zonename, textlen); 1423 return (t); 1424 } 1425 1426 /* 1427 * token ID 1 byte 1428 * record byte count 4 bytes 1429 * version # 1 byte [2] 1430 * event type 2 bytes 1431 * event modifier 2 bytes 1432 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value) 1433 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value) 1434 */ 1435 token_t * 1436 au_to_header32_tm(int rec_size, au_event_t e_type, au_emod_t e_mod, 1437 struct timeval tm) 1438 { 1439 token_t *t; 1440 u_char *dptr = NULL; 1441 u_int32_t timems; 1442 1443 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + 1444 sizeof(u_char) + 2 * sizeof(u_int16_t) + 2 * sizeof(u_int32_t)); 1445 1446 ADD_U_CHAR(dptr, AUT_HEADER32); 1447 ADD_U_INT32(dptr, rec_size); 1448 ADD_U_CHAR(dptr, AUDIT_HEADER_VERSION_OPENBSM); 1449 ADD_U_INT16(dptr, e_type); 1450 ADD_U_INT16(dptr, e_mod); 1451 1452 timems = tm.tv_usec/1000; 1453 /* Add the timestamp */ 1454 ADD_U_INT32(dptr, tm.tv_sec); 1455 ADD_U_INT32(dptr, timems); /* We need time in ms. */ 1456 1457 return (t); 1458 } 1459 1460 /* 1461 * token ID 1 byte 1462 * record byte count 4 bytes 1463 * version # 1 byte [2] 1464 * event type 2 bytes 1465 * event modifier 2 bytes 1466 * address type/length 4 bytes 1467 * machine address 4 bytes/16 bytes (IPv4/IPv6 address) 1468 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value) 1469 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value) 1470 */ 1471 token_t * 1472 au_to_header32_ex_tm(int rec_size, au_event_t e_type, au_emod_t e_mod, 1473 struct timeval tm, struct auditinfo_addr *aia) 1474 { 1475 token_t *t; 1476 u_char *dptr = NULL; 1477 u_int32_t timems; 1478 au_tid_addr_t *tid; 1479 1480 tid = &aia->ai_termid; 1481 KASSERT(tid->at_type == AU_IPv4 || tid->at_type == AU_IPv6, 1482 ("au_to_header32_ex_tm: invalid address family")); 1483 1484 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + 1485 sizeof(u_char) + 2 * sizeof(u_int16_t) + 3 * 1486 sizeof(u_int32_t) + tid->at_type); 1487 1488 ADD_U_CHAR(dptr, AUT_HEADER32_EX); 1489 ADD_U_INT32(dptr, rec_size); 1490 ADD_U_CHAR(dptr, AUDIT_HEADER_VERSION_OPENBSM); 1491 ADD_U_INT16(dptr, e_type); 1492 ADD_U_INT16(dptr, e_mod); 1493 1494 ADD_U_INT32(dptr, tid->at_type); 1495 if (tid->at_type == AU_IPv6) 1496 ADD_MEM(dptr, &tid->at_addr[0], 4 * sizeof(u_int32_t)); 1497 else 1498 ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t)); 1499 timems = tm.tv_usec/1000; 1500 /* Add the timestamp */ 1501 ADD_U_INT32(dptr, tm.tv_sec); 1502 ADD_U_INT32(dptr, timems); /* We need time in ms. */ 1503 1504 return (t); 1505 } 1506 1507 token_t * 1508 au_to_header64_tm(int rec_size, au_event_t e_type, au_emod_t e_mod, 1509 struct timeval tm) 1510 { 1511 token_t *t; 1512 u_char *dptr = NULL; 1513 u_int32_t timems; 1514 1515 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + 1516 sizeof(u_char) + 2 * sizeof(u_int16_t) + 2 * sizeof(u_int64_t)); 1517 1518 ADD_U_CHAR(dptr, AUT_HEADER64); 1519 ADD_U_INT32(dptr, rec_size); 1520 ADD_U_CHAR(dptr, AUDIT_HEADER_VERSION_OPENBSM); 1521 ADD_U_INT16(dptr, e_type); 1522 ADD_U_INT16(dptr, e_mod); 1523 1524 timems = tm.tv_usec/1000; 1525 /* Add the timestamp */ 1526 ADD_U_INT64(dptr, tm.tv_sec); 1527 ADD_U_INT64(dptr, timems); /* We need time in ms. */ 1528 1529 return (t); 1530 } 1531 1532 #if !defined(KERNEL) && !defined(_KERNEL) 1533 #ifdef HAVE_AUDIT_SYSCALLS 1534 token_t * 1535 au_to_header32_ex(int rec_size, au_event_t e_type, au_emod_t e_mod) 1536 { 1537 struct timeval tm; 1538 struct auditinfo_addr aia; 1539 1540 if (gettimeofday(&tm, NULL) == -1) 1541 return (NULL); 1542 if (audit_get_kaudit(&aia, sizeof(aia)) != 0) { 1543 if (errno != ENOSYS) 1544 return (NULL); 1545 return (au_to_header32_tm(rec_size, e_type, e_mod, tm)); 1546 } 1547 return (au_to_header32_ex_tm(rec_size, e_type, e_mod, tm, &aia)); 1548 } 1549 #endif /* HAVE_AUDIT_SYSCALLS */ 1550 1551 token_t * 1552 au_to_header32(int rec_size, au_event_t e_type, au_emod_t e_mod) 1553 { 1554 struct timeval tm; 1555 1556 if (gettimeofday(&tm, NULL) == -1) 1557 return (NULL); 1558 return (au_to_header32_tm(rec_size, e_type, e_mod, tm)); 1559 } 1560 1561 token_t * 1562 au_to_header64(__unused int rec_size, __unused au_event_t e_type, 1563 __unused au_emod_t e_mod) 1564 { 1565 struct timeval tm; 1566 1567 if (gettimeofday(&tm, NULL) == -1) 1568 return (NULL); 1569 return (au_to_header64_tm(rec_size, e_type, e_mod, tm)); 1570 } 1571 1572 token_t * 1573 au_to_header(int rec_size, au_event_t e_type, au_emod_t e_mod) 1574 { 1575 1576 return (au_to_header32(rec_size, e_type, e_mod)); 1577 } 1578 1579 #ifdef HAVE_AUDIT_SYSCALLS 1580 token_t * 1581 au_to_header_ex(int rec_size, au_event_t e_type, au_emod_t e_mod) 1582 { 1583 1584 return (au_to_header32_ex(rec_size, e_type, e_mod)); 1585 } 1586 #endif /* HAVE_AUDIT_SYSCALLS */ 1587 #endif /* !defined(KERNEL) && !defined(_KERNEL) */ 1588 1589 /* 1590 * token ID 1 byte 1591 * trailer magic number 2 bytes 1592 * record byte count 4 bytes 1593 */ 1594 token_t * 1595 au_to_trailer(int rec_size) 1596 { 1597 token_t *t; 1598 u_char *dptr = NULL; 1599 u_int16_t magic = AUT_TRAILER_MAGIC; 1600 1601 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + 1602 sizeof(u_int32_t)); 1603 1604 ADD_U_CHAR(dptr, AUT_TRAILER); 1605 ADD_U_INT16(dptr, magic); 1606 ADD_U_INT32(dptr, rec_size); 1607 1608 return (t); 1609 } 1610