1 /*- 2 * Copyright (c) 2004-2009 Apple Inc. 3 * Copyright (c) 2005 SPARTA, Inc. 4 * All rights reserved. 5 * 6 * This code was developed in part by Robert N. M. Watson, Senior Principal 7 * Scientist, SPARTA, Inc. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. Neither the name of Apple Inc. ("Apple") nor the names of 18 * its contributors may be used to endorse or promote products derived 19 * from this software without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR 25 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 29 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 30 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 31 * POSSIBILITY OF SUCH DAMAGE. 32 * 33 * P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_token.c#99 34 */ 35 36 #include <sys/cdefs.h> 37 __FBSDID("$FreeBSD$"); 38 39 #include <sys/param.h> 40 #include <sys/types.h> 41 #include <sys/endian.h> 42 #include <sys/queue.h> 43 #include <sys/socket.h> 44 #include <sys/time.h> 45 46 #include <sys/ipc.h> 47 #include <sys/libkern.h> 48 #include <sys/malloc.h> 49 #include <sys/un.h> 50 51 #include <netinet/in.h> 52 #include <netinet/in_systm.h> 53 #include <netinet/ip.h> 54 55 56 #include <bsm/audit.h> 57 #include <bsm/audit_internal.h> 58 #include <bsm/audit_record.h> 59 #include <security/audit/audit.h> 60 #include <security/audit/audit_private.h> 61 62 #define GET_TOKEN_AREA(t, dptr, length) do { \ 63 t = malloc(sizeof(token_t), M_AUDITBSM, M_WAITOK); \ 64 t->t_data = malloc(length, M_AUDITBSM, M_WAITOK | M_ZERO); \ 65 t->len = length; \ 66 dptr = t->t_data; \ 67 } while (0) 68 69 /* 70 * token ID 1 byte 71 * success/failure 1 byte 72 * privstrlen 2 bytes 73 * privstr N bytes + 1 (\0 byte) 74 */ 75 token_t * 76 au_to_upriv(char sorf, char *priv) 77 { 78 u_int16_t textlen; 79 u_char *dptr; 80 token_t *t; 81 82 textlen = strlen(priv) + 1; 83 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_char) + 84 sizeof(u_int16_t) + textlen); 85 86 ADD_U_CHAR(dptr, AUT_UPRIV); 87 ADD_U_CHAR(dptr, sorf); 88 ADD_U_INT16(dptr, textlen); 89 ADD_STRING(dptr, priv, textlen); 90 return (t); 91 } 92 93 /* 94 * token ID 1 byte 95 * privtstrlen 2 bytes 96 * privtstr N bytes + 1 97 * privstrlen 2 bytes 98 * privstr N bytes + 1 99 */ 100 token_t * 101 au_to_privset(char *privtypestr, char *privstr) 102 { 103 u_int16_t type_len, priv_len; 104 u_char *dptr; 105 token_t *t; 106 107 type_len = strlen(privtypestr) + 1; 108 priv_len = strlen(privstr) + 1; 109 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + 110 sizeof(u_int16_t) + type_len + priv_len); 111 112 ADD_U_CHAR(dptr, AUT_PRIV); 113 ADD_U_INT16(dptr, type_len); 114 ADD_STRING(dptr, privtypestr, type_len); 115 ADD_U_INT16(dptr, priv_len); 116 ADD_STRING(dptr, privstr, priv_len); 117 return (t); 118 } 119 120 /* 121 * token ID 1 byte 122 * argument # 1 byte 123 * argument value 4 bytes/8 bytes (32-bit/64-bit value) 124 * text length 2 bytes 125 * text N bytes + 1 terminating NULL byte 126 */ 127 token_t * 128 au_to_arg32(char n, const char *text, u_int32_t v) 129 { 130 token_t *t; 131 u_char *dptr = NULL; 132 u_int16_t textlen; 133 134 textlen = strlen(text); 135 textlen += 1; 136 137 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int32_t) + 138 sizeof(u_int16_t) + textlen); 139 140 ADD_U_CHAR(dptr, AUT_ARG32); 141 ADD_U_CHAR(dptr, n); 142 ADD_U_INT32(dptr, v); 143 ADD_U_INT16(dptr, textlen); 144 ADD_STRING(dptr, text, textlen); 145 146 return (t); 147 } 148 149 token_t * 150 au_to_arg64(char n, const char *text, u_int64_t v) 151 { 152 token_t *t; 153 u_char *dptr = NULL; 154 u_int16_t textlen; 155 156 textlen = strlen(text); 157 textlen += 1; 158 159 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int64_t) + 160 sizeof(u_int16_t) + textlen); 161 162 ADD_U_CHAR(dptr, AUT_ARG64); 163 ADD_U_CHAR(dptr, n); 164 ADD_U_INT64(dptr, v); 165 ADD_U_INT16(dptr, textlen); 166 ADD_STRING(dptr, text, textlen); 167 168 return (t); 169 } 170 171 token_t * 172 au_to_arg(char n, const char *text, u_int32_t v) 173 { 174 175 return (au_to_arg32(n, text, v)); 176 } 177 178 #if defined(_KERNEL) || defined(KERNEL) 179 /* 180 * token ID 1 byte 181 * file access mode 4 bytes 182 * owner user ID 4 bytes 183 * owner group ID 4 bytes 184 * file system ID 4 bytes 185 * node ID 8 bytes 186 * device 4 bytes/8 bytes (32-bit/64-bit) 187 */ 188 token_t * 189 au_to_attr32(struct vnode_au_info *vni) 190 { 191 token_t *t; 192 u_char *dptr = NULL; 193 u_int16_t pad0_16 = 0; 194 u_int32_t pad0_32 = 0; 195 196 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) + 197 3 * sizeof(u_int32_t) + sizeof(u_int64_t) + sizeof(u_int32_t)); 198 199 ADD_U_CHAR(dptr, AUT_ATTR32); 200 201 /* 202 * BSD defines the size for the file mode as 2 bytes; BSM defines 4 203 * so pad with 0. 204 * 205 * XXXRW: Possibly should be conditionally compiled. 206 * 207 * XXXRW: Should any conversions take place on the mode? 208 */ 209 ADD_U_INT16(dptr, pad0_16); 210 ADD_U_INT16(dptr, vni->vn_mode); 211 212 ADD_U_INT32(dptr, vni->vn_uid); 213 ADD_U_INT32(dptr, vni->vn_gid); 214 ADD_U_INT32(dptr, vni->vn_fsid); 215 216 /* 217 * Some systems use 32-bit file ID's, others use 64-bit file IDs. 218 * Attempt to handle both, and let the compiler sort it out. If we 219 * could pick this out at compile-time, it would be better, so as to 220 * avoid the else case below. 221 */ 222 if (sizeof(vni->vn_fileid) == sizeof(uint32_t)) { 223 ADD_U_INT32(dptr, pad0_32); 224 ADD_U_INT32(dptr, vni->vn_fileid); 225 } else if (sizeof(vni->vn_fileid) == sizeof(uint64_t)) 226 ADD_U_INT64(dptr, vni->vn_fileid); 227 else 228 ADD_U_INT64(dptr, 0LL); 229 230 ADD_U_INT32(dptr, vni->vn_dev); 231 232 return (t); 233 } 234 235 token_t * 236 au_to_attr64(struct vnode_au_info *vni) 237 { 238 token_t *t; 239 u_char *dptr = NULL; 240 u_int16_t pad0_16 = 0; 241 u_int32_t pad0_32 = 0; 242 243 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) + 244 3 * sizeof(u_int32_t) + sizeof(u_int64_t) * 2); 245 246 ADD_U_CHAR(dptr, AUT_ATTR64); 247 248 /* 249 * BSD defines the size for the file mode as 2 bytes; BSM defines 4 250 * so pad with 0. 251 * 252 * XXXRW: Possibly should be conditionally compiled. 253 * 254 * XXXRW: Should any conversions take place on the mode? 255 */ 256 ADD_U_INT16(dptr, pad0_16); 257 ADD_U_INT16(dptr, vni->vn_mode); 258 259 ADD_U_INT32(dptr, vni->vn_uid); 260 ADD_U_INT32(dptr, vni->vn_gid); 261 ADD_U_INT32(dptr, vni->vn_fsid); 262 263 /* 264 * Some systems use 32-bit file ID's, other's use 64-bit file IDs. 265 * Attempt to handle both, and let the compiler sort it out. If we 266 * could pick this out at compile-time, it would be better, so as to 267 * avoid the else case below. 268 */ 269 if (sizeof(vni->vn_fileid) == sizeof(uint32_t)) { 270 ADD_U_INT32(dptr, pad0_32); 271 ADD_U_INT32(dptr, vni->vn_fileid); 272 } else if (sizeof(vni->vn_fileid) == sizeof(uint64_t)) 273 ADD_U_INT64(dptr, vni->vn_fileid); 274 else 275 ADD_U_INT64(dptr, 0LL); 276 277 ADD_U_INT64(dptr, vni->vn_dev); 278 279 return (t); 280 } 281 282 token_t * 283 au_to_attr(struct vnode_au_info *vni) 284 { 285 286 return (au_to_attr32(vni)); 287 } 288 #endif /* !(defined(_KERNEL) || defined(KERNEL) */ 289 290 /* 291 * token ID 1 byte 292 * how to print 1 byte 293 * basic unit 1 byte 294 * unit count 1 byte 295 * data items (depends on basic unit) 296 */ 297 token_t * 298 au_to_data(char unit_print, char unit_type, char unit_count, const char *p) 299 { 300 token_t *t; 301 u_char *dptr = NULL; 302 size_t datasize, totdata; 303 304 /* Determine the size of the basic unit. */ 305 switch (unit_type) { 306 case AUR_BYTE: 307 /* case AUR_CHAR: */ 308 datasize = AUR_BYTE_SIZE; 309 break; 310 311 case AUR_SHORT: 312 datasize = AUR_SHORT_SIZE; 313 break; 314 315 case AUR_INT32: 316 /* case AUR_INT: */ 317 datasize = AUR_INT32_SIZE; 318 break; 319 320 case AUR_INT64: 321 datasize = AUR_INT64_SIZE; 322 break; 323 324 default: 325 return (NULL); 326 } 327 328 totdata = datasize * unit_count; 329 330 GET_TOKEN_AREA(t, dptr, 4 * sizeof(u_char) + totdata); 331 332 /* 333 * XXXRW: We should be byte-swapping each data item for multi-byte 334 * types. 335 */ 336 ADD_U_CHAR(dptr, AUT_DATA); 337 ADD_U_CHAR(dptr, unit_print); 338 ADD_U_CHAR(dptr, unit_type); 339 ADD_U_CHAR(dptr, unit_count); 340 ADD_MEM(dptr, p, totdata); 341 342 return (t); 343 } 344 345 346 /* 347 * token ID 1 byte 348 * status 4 bytes 349 * return value 4 bytes 350 */ 351 token_t * 352 au_to_exit(int retval, int err) 353 { 354 token_t *t; 355 u_char *dptr = NULL; 356 357 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int32_t)); 358 359 ADD_U_CHAR(dptr, AUT_EXIT); 360 ADD_U_INT32(dptr, err); 361 ADD_U_INT32(dptr, retval); 362 363 return (t); 364 } 365 366 /* 367 */ 368 token_t * 369 au_to_groups(int *groups) 370 { 371 372 return (au_to_newgroups(AUDIT_MAX_GROUPS, (gid_t *)groups)); 373 } 374 375 /* 376 * token ID 1 byte 377 * number groups 2 bytes 378 * group list count * 4 bytes 379 */ 380 token_t * 381 au_to_newgroups(u_int16_t n, gid_t *groups) 382 { 383 token_t *t; 384 u_char *dptr = NULL; 385 int i; 386 387 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + 388 n * sizeof(u_int32_t)); 389 390 ADD_U_CHAR(dptr, AUT_NEWGROUPS); 391 ADD_U_INT16(dptr, n); 392 for (i = 0; i < n; i++) 393 ADD_U_INT32(dptr, groups[i]); 394 395 return (t); 396 } 397 398 /* 399 * token ID 1 byte 400 * internet address 4 bytes 401 */ 402 token_t * 403 au_to_in_addr(struct in_addr *internet_addr) 404 { 405 token_t *t; 406 u_char *dptr = NULL; 407 408 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(uint32_t)); 409 410 ADD_U_CHAR(dptr, AUT_IN_ADDR); 411 ADD_MEM(dptr, &internet_addr->s_addr, sizeof(uint32_t)); 412 413 return (t); 414 } 415 416 /* 417 * token ID 1 byte 418 * address type/length 4 bytes 419 * address 16 bytes 420 */ 421 token_t * 422 au_to_in_addr_ex(struct in6_addr *internet_addr) 423 { 424 token_t *t; 425 u_char *dptr = NULL; 426 u_int32_t type = AU_IPv6; 427 428 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 5 * sizeof(uint32_t)); 429 430 ADD_U_CHAR(dptr, AUT_IN_ADDR_EX); 431 ADD_U_INT32(dptr, type); 432 ADD_MEM(dptr, internet_addr, 4 * sizeof(uint32_t)); 433 434 return (t); 435 } 436 437 /* 438 * token ID 1 byte 439 * ip header 20 bytes 440 * 441 * The IP header should be submitted in network byte order. 442 */ 443 token_t * 444 au_to_ip(struct ip *ip) 445 { 446 token_t *t; 447 u_char *dptr = NULL; 448 449 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(struct ip)); 450 451 ADD_U_CHAR(dptr, AUT_IP); 452 ADD_MEM(dptr, ip, sizeof(struct ip)); 453 454 return (t); 455 } 456 457 /* 458 * token ID 1 byte 459 * object ID type 1 byte 460 * object ID 4 bytes 461 */ 462 token_t * 463 au_to_ipc(char type, int id) 464 { 465 token_t *t; 466 u_char *dptr = NULL; 467 468 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int32_t)); 469 470 ADD_U_CHAR(dptr, AUT_IPC); 471 ADD_U_CHAR(dptr, type); 472 ADD_U_INT32(dptr, id); 473 474 return (t); 475 } 476 477 /* 478 * token ID 1 byte 479 * owner user ID 4 bytes 480 * owner group ID 4 bytes 481 * creator user ID 4 bytes 482 * creator group ID 4 bytes 483 * access mode 4 bytes 484 * slot sequence # 4 bytes 485 * key 4 bytes 486 */ 487 token_t * 488 au_to_ipc_perm(struct ipc_perm *perm) 489 { 490 token_t *t; 491 u_char *dptr = NULL; 492 u_int16_t pad0 = 0; 493 494 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 12 * sizeof(u_int16_t) + 495 sizeof(u_int32_t)); 496 497 ADD_U_CHAR(dptr, AUT_IPC_PERM); 498 499 /* 500 * Systems vary significantly in what types they use in struct 501 * ipc_perm; at least a few still use 16-bit uid's and gid's, so 502 * allow for that, as BSM define 32-bit values here. 503 * Some systems define the sizes for ipc_perm members as 2 bytes; 504 * BSM defines 4 so pad with 0. 505 * 506 * XXXRW: Possibly shoulid be conditionally compiled, and more cases 507 * need to be handled. 508 */ 509 if (sizeof(perm->uid) != sizeof(u_int32_t)) { 510 ADD_U_INT16(dptr, pad0); 511 ADD_U_INT16(dptr, perm->uid); 512 ADD_U_INT16(dptr, pad0); 513 ADD_U_INT16(dptr, perm->gid); 514 ADD_U_INT16(dptr, pad0); 515 ADD_U_INT16(dptr, perm->cuid); 516 ADD_U_INT16(dptr, pad0); 517 ADD_U_INT16(dptr, perm->cgid); 518 } else { 519 ADD_U_INT32(dptr, perm->uid); 520 ADD_U_INT32(dptr, perm->gid); 521 ADD_U_INT32(dptr, perm->cuid); 522 ADD_U_INT32(dptr, perm->cgid); 523 } 524 525 ADD_U_INT16(dptr, pad0); 526 ADD_U_INT16(dptr, perm->mode); 527 528 ADD_U_INT16(dptr, pad0); 529 530 ADD_U_INT16(dptr, perm->seq); 531 532 ADD_U_INT32(dptr, perm->key); 533 534 return (t); 535 } 536 537 /* 538 * token ID 1 byte 539 * port IP address 2 bytes 540 */ 541 token_t * 542 au_to_iport(u_int16_t iport) 543 { 544 token_t *t; 545 u_char *dptr = NULL; 546 547 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t)); 548 549 ADD_U_CHAR(dptr, AUT_IPORT); 550 ADD_U_INT16(dptr, iport); 551 552 return (t); 553 } 554 555 /* 556 * token ID 1 byte 557 * size 2 bytes 558 * data size bytes 559 */ 560 token_t * 561 au_to_opaque(const char *data, u_int16_t bytes) 562 { 563 token_t *t; 564 u_char *dptr = NULL; 565 566 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + bytes); 567 568 ADD_U_CHAR(dptr, AUT_OPAQUE); 569 ADD_U_INT16(dptr, bytes); 570 ADD_MEM(dptr, data, bytes); 571 572 return (t); 573 } 574 575 /* 576 * token ID 1 byte 577 * seconds of time 4 bytes 578 * milliseconds of time 4 bytes 579 * file name len 2 bytes 580 * file pathname N bytes + 1 terminating NULL byte 581 */ 582 token_t * 583 au_to_file(const char *file, struct timeval tm) 584 { 585 token_t *t; 586 u_char *dptr = NULL; 587 u_int16_t filelen; 588 u_int32_t timems; 589 590 filelen = strlen(file); 591 filelen += 1; 592 593 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int32_t) + 594 sizeof(u_int16_t) + filelen); 595 596 timems = tm.tv_usec/1000; 597 598 ADD_U_CHAR(dptr, AUT_OTHER_FILE32); 599 ADD_U_INT32(dptr, tm.tv_sec); 600 ADD_U_INT32(dptr, timems); /* We need time in ms. */ 601 ADD_U_INT16(dptr, filelen); 602 ADD_STRING(dptr, file, filelen); 603 604 return (t); 605 } 606 607 /* 608 * token ID 1 byte 609 * text length 2 bytes 610 * text N bytes + 1 terminating NULL byte 611 */ 612 token_t * 613 au_to_text(const char *text) 614 { 615 token_t *t; 616 u_char *dptr = NULL; 617 u_int16_t textlen; 618 619 textlen = strlen(text); 620 textlen += 1; 621 622 /* XXXRW: Should validate length against token size limit. */ 623 624 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + textlen); 625 626 ADD_U_CHAR(dptr, AUT_TEXT); 627 ADD_U_INT16(dptr, textlen); 628 ADD_STRING(dptr, text, textlen); 629 630 return (t); 631 } 632 633 /* 634 * token ID 1 byte 635 * path length 2 bytes 636 * path N bytes + 1 terminating NULL byte 637 */ 638 token_t * 639 au_to_path(const char *text) 640 { 641 token_t *t; 642 u_char *dptr = NULL; 643 u_int16_t textlen; 644 645 textlen = strlen(text); 646 textlen += 1; 647 648 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + textlen); 649 650 ADD_U_CHAR(dptr, AUT_PATH); 651 ADD_U_INT16(dptr, textlen); 652 ADD_STRING(dptr, text, textlen); 653 654 return (t); 655 } 656 657 /* 658 * token ID 1 byte 659 * audit ID 4 bytes 660 * effective user ID 4 bytes 661 * effective group ID 4 bytes 662 * real user ID 4 bytes 663 * real group ID 4 bytes 664 * process ID 4 bytes 665 * session ID 4 bytes 666 * terminal ID 667 * port ID 4 bytes/8 bytes (32-bit/64-bit value) 668 * machine address 4 bytes 669 */ 670 token_t * 671 au_to_process32(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, 672 pid_t pid, au_asid_t sid, au_tid_t *tid) 673 { 674 token_t *t; 675 u_char *dptr = NULL; 676 677 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 9 * sizeof(u_int32_t)); 678 679 ADD_U_CHAR(dptr, AUT_PROCESS32); 680 ADD_U_INT32(dptr, auid); 681 ADD_U_INT32(dptr, euid); 682 ADD_U_INT32(dptr, egid); 683 ADD_U_INT32(dptr, ruid); 684 ADD_U_INT32(dptr, rgid); 685 ADD_U_INT32(dptr, pid); 686 ADD_U_INT32(dptr, sid); 687 ADD_U_INT32(dptr, tid->port); 688 689 /* 690 * Note: Solaris will write out IPv6 addresses here as a 32-bit 691 * address type and 16 bytes of address, but for IPv4 addresses it 692 * simply writes the 4-byte address directly. We support only IPv4 693 * addresses for process32 tokens. 694 */ 695 ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t)); 696 697 return (t); 698 } 699 700 token_t * 701 au_to_process64(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, 702 pid_t pid, au_asid_t sid, au_tid_t *tid) 703 { 704 token_t *t; 705 u_char *dptr = NULL; 706 707 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 8 * sizeof(u_int32_t) + 708 sizeof(u_int64_t)); 709 710 ADD_U_CHAR(dptr, AUT_PROCESS64); 711 ADD_U_INT32(dptr, auid); 712 ADD_U_INT32(dptr, euid); 713 ADD_U_INT32(dptr, egid); 714 ADD_U_INT32(dptr, ruid); 715 ADD_U_INT32(dptr, rgid); 716 ADD_U_INT32(dptr, pid); 717 ADD_U_INT32(dptr, sid); 718 ADD_U_INT64(dptr, tid->port); 719 720 /* 721 * Note: Solaris will write out IPv6 addresses here as a 32-bit 722 * address type and 16 bytes of address, but for IPv4 addresses it 723 * simply writes the 4-byte address directly. We support only IPv4 724 * addresses for process64 tokens. 725 */ 726 ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t)); 727 728 return (t); 729 } 730 731 token_t * 732 au_to_process(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, 733 pid_t pid, au_asid_t sid, au_tid_t *tid) 734 { 735 736 return (au_to_process32(auid, euid, egid, ruid, rgid, pid, sid, 737 tid)); 738 } 739 740 /* 741 * token ID 1 byte 742 * audit ID 4 bytes 743 * effective user ID 4 bytes 744 * effective group ID 4 bytes 745 * real user ID 4 bytes 746 * real group ID 4 bytes 747 * process ID 4 bytes 748 * session ID 4 bytes 749 * terminal ID 750 * port ID 4 bytes/8 bytes (32-bit/64-bit value) 751 * address type-len 4 bytes 752 * machine address 16 bytes 753 */ 754 token_t * 755 au_to_process32_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, 756 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid) 757 { 758 token_t *t; 759 u_char *dptr = NULL; 760 761 KASSERT((tid->at_type == AU_IPv4) || (tid->at_type == AU_IPv6), 762 ("au_to_process32_ex: type %u", (unsigned int)tid->at_type)); 763 if (tid->at_type == AU_IPv4) 764 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 765 10 * sizeof(u_int32_t)); 766 else 767 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 768 13 * sizeof(u_int32_t)); 769 770 ADD_U_CHAR(dptr, AUT_PROCESS32_EX); 771 ADD_U_INT32(dptr, auid); 772 ADD_U_INT32(dptr, euid); 773 ADD_U_INT32(dptr, egid); 774 ADD_U_INT32(dptr, ruid); 775 ADD_U_INT32(dptr, rgid); 776 ADD_U_INT32(dptr, pid); 777 ADD_U_INT32(dptr, sid); 778 ADD_U_INT32(dptr, tid->at_port); 779 ADD_U_INT32(dptr, tid->at_type); 780 ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t)); 781 if (tid->at_type == AU_IPv6) { 782 ADD_MEM(dptr, &tid->at_addr[1], sizeof(u_int32_t)); 783 ADD_MEM(dptr, &tid->at_addr[2], sizeof(u_int32_t)); 784 ADD_MEM(dptr, &tid->at_addr[3], sizeof(u_int32_t)); 785 } 786 787 return (t); 788 } 789 790 token_t * 791 au_to_process64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, 792 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid) 793 { 794 token_t *t; 795 u_char *dptr = NULL; 796 797 if (tid->at_type == AU_IPv4) 798 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 799 7 * sizeof(u_int32_t) + sizeof(u_int64_t) + 800 2 * sizeof(u_int32_t)); 801 else if (tid->at_type == AU_IPv6) 802 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 803 7 * sizeof(u_int32_t) + sizeof(u_int64_t) + 804 5 * sizeof(u_int32_t)); 805 else 806 panic("au_to_process64_ex: invalidate at_type (%d)", 807 tid->at_type); 808 809 ADD_U_CHAR(dptr, AUT_PROCESS64_EX); 810 ADD_U_INT32(dptr, auid); 811 ADD_U_INT32(dptr, euid); 812 ADD_U_INT32(dptr, egid); 813 ADD_U_INT32(dptr, ruid); 814 ADD_U_INT32(dptr, rgid); 815 ADD_U_INT32(dptr, pid); 816 ADD_U_INT32(dptr, sid); 817 ADD_U_INT64(dptr, tid->at_port); 818 ADD_U_INT32(dptr, tid->at_type); 819 ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t)); 820 if (tid->at_type == AU_IPv6) { 821 ADD_MEM(dptr, &tid->at_addr[1], sizeof(u_int32_t)); 822 ADD_MEM(dptr, &tid->at_addr[2], sizeof(u_int32_t)); 823 ADD_MEM(dptr, &tid->at_addr[3], sizeof(u_int32_t)); 824 } 825 826 return (t); 827 } 828 829 token_t * 830 au_to_process_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, 831 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid) 832 { 833 834 return (au_to_process32_ex(auid, euid, egid, ruid, rgid, pid, sid, 835 tid)); 836 } 837 838 /* 839 * token ID 1 byte 840 * error status 1 byte 841 * return value 4 bytes/8 bytes (32-bit/64-bit value) 842 */ 843 token_t * 844 au_to_return32(char status, u_int32_t ret) 845 { 846 token_t *t; 847 u_char *dptr = NULL; 848 849 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int32_t)); 850 851 ADD_U_CHAR(dptr, AUT_RETURN32); 852 ADD_U_CHAR(dptr, status); 853 ADD_U_INT32(dptr, ret); 854 855 return (t); 856 } 857 858 token_t * 859 au_to_return64(char status, u_int64_t ret) 860 { 861 token_t *t; 862 u_char *dptr = NULL; 863 864 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int64_t)); 865 866 ADD_U_CHAR(dptr, AUT_RETURN64); 867 ADD_U_CHAR(dptr, status); 868 ADD_U_INT64(dptr, ret); 869 870 return (t); 871 } 872 873 token_t * 874 au_to_return(char status, u_int32_t ret) 875 { 876 877 return (au_to_return32(status, ret)); 878 } 879 880 /* 881 * token ID 1 byte 882 * sequence number 4 bytes 883 */ 884 token_t * 885 au_to_seq(long audit_count) 886 { 887 token_t *t; 888 u_char *dptr = NULL; 889 890 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t)); 891 892 ADD_U_CHAR(dptr, AUT_SEQ); 893 ADD_U_INT32(dptr, audit_count); 894 895 return (t); 896 } 897 898 /* 899 * token ID 1 byte 900 * socket domain 2 bytes 901 * socket type 2 bytes 902 * address type 2 byte 903 * local port 2 bytes 904 * local address 4 bytes/16 bytes (IPv4/IPv6 address) 905 * remote port 2 bytes 906 * remote address 4 bytes/16 bytes (IPv4/IPv6 address) 907 * 908 * Domain and type arguments to this routine are assumed to already have been 909 * converted to the BSM constant space, so we don't do that here. 910 */ 911 token_t * 912 au_to_socket_ex(u_short so_domain, u_short so_type, 913 struct sockaddr *sa_local, struct sockaddr *sa_remote) 914 { 915 token_t *t; 916 u_char *dptr = NULL; 917 struct sockaddr_in *sin; 918 struct sockaddr_in6 *sin6; 919 920 if (so_domain == AF_INET) 921 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 922 5 * sizeof(u_int16_t) + 2 * sizeof(u_int32_t)); 923 else if (so_domain == AF_INET6) 924 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 925 5 * sizeof(u_int16_t) + 8 * sizeof(u_int32_t)); 926 else 927 return (NULL); 928 929 ADD_U_CHAR(dptr, AUT_SOCKET_EX); 930 ADD_U_INT16(dptr, au_domain_to_bsm(so_domain)); 931 ADD_U_INT16(dptr, au_socket_type_to_bsm(so_type)); 932 if (so_domain == AF_INET) { 933 ADD_U_INT16(dptr, AU_IPv4); 934 sin = (struct sockaddr_in *)sa_local; 935 ADD_MEM(dptr, &sin->sin_port, sizeof(uint16_t)); 936 ADD_MEM(dptr, &sin->sin_addr.s_addr, sizeof(uint32_t)); 937 sin = (struct sockaddr_in *)sa_remote; 938 ADD_MEM(dptr, &sin->sin_port, sizeof(uint16_t)); 939 ADD_MEM(dptr, &sin->sin_addr.s_addr, sizeof(uint32_t)); 940 } else { 941 ADD_U_INT16(dptr, AU_IPv6); 942 sin6 = (struct sockaddr_in6 *)sa_local; 943 ADD_MEM(dptr, &sin6->sin6_port, sizeof(uint16_t)); 944 ADD_MEM(dptr, &sin6->sin6_addr, 4 * sizeof(uint32_t)); 945 sin6 = (struct sockaddr_in6 *)sa_remote; 946 ADD_MEM(dptr, &sin6->sin6_port, sizeof(uint16_t)); 947 ADD_MEM(dptr, &sin6->sin6_addr, 4 * sizeof(uint32_t)); 948 } 949 950 return (t); 951 } 952 953 /* 954 * Kernel-specific version of the above function. 955 * 956 * XXXRW: Should now use au_to_socket_ex() here. 957 */ 958 #ifdef _KERNEL 959 token_t * 960 kau_to_socket(struct socket_au_info *soi) 961 { 962 token_t *t; 963 u_char *dptr; 964 u_int16_t so_type; 965 966 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) + 967 sizeof(u_int32_t) + sizeof(u_int16_t) + sizeof(u_int32_t)); 968 969 ADD_U_CHAR(dptr, AUT_SOCKET); 970 /* Coerce the socket type into a short value */ 971 so_type = soi->so_type; 972 ADD_U_INT16(dptr, so_type); 973 ADD_U_INT16(dptr, soi->so_lport); 974 ADD_U_INT32(dptr, soi->so_laddr); 975 ADD_U_INT16(dptr, soi->so_rport); 976 ADD_U_INT32(dptr, soi->so_raddr); 977 978 return (t); 979 } 980 #endif 981 982 /* 983 * token ID 1 byte 984 * socket family 2 bytes 985 * path (up to) 104 bytes + NULL (NULL terminated string) 986 */ 987 token_t * 988 au_to_sock_unix(struct sockaddr_un *so) 989 { 990 token_t *t; 991 u_char *dptr; 992 993 GET_TOKEN_AREA(t, dptr, 3 * sizeof(u_char) + strlen(so->sun_path) + 1); 994 995 ADD_U_CHAR(dptr, AUT_SOCKUNIX); 996 /* BSM token has two bytes for family */ 997 ADD_U_CHAR(dptr, 0); 998 ADD_U_CHAR(dptr, so->sun_family); 999 ADD_STRING(dptr, so->sun_path, strlen(so->sun_path) + 1); 1000 1001 return (t); 1002 } 1003 1004 /* 1005 * token ID 1 byte 1006 * socket family 2 bytes 1007 * local port 2 bytes 1008 * socket address 4 bytes 1009 */ 1010 token_t * 1011 au_to_sock_inet32(struct sockaddr_in *so) 1012 { 1013 token_t *t; 1014 u_char *dptr = NULL; 1015 uint16_t family; 1016 1017 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(uint16_t) + 1018 sizeof(uint32_t)); 1019 1020 ADD_U_CHAR(dptr, AUT_SOCKINET32); 1021 /* 1022 * BSM defines the family field as 16 bits, but many operating 1023 * systems have an 8-bit sin_family field. Extend to 16 bits before 1024 * writing into the token. Assume that both the port and the address 1025 * in the sockaddr_in are already in network byte order, but family 1026 * is in local byte order. 1027 * 1028 * XXXRW: Should a name space conversion be taking place on the value 1029 * of sin_family? 1030 */ 1031 family = so->sin_family; 1032 ADD_U_INT16(dptr, family); 1033 ADD_MEM(dptr, &so->sin_port, sizeof(uint16_t)); 1034 ADD_MEM(dptr, &so->sin_addr.s_addr, sizeof(uint32_t)); 1035 1036 return (t); 1037 } 1038 1039 token_t * 1040 au_to_sock_inet128(struct sockaddr_in6 *so) 1041 { 1042 token_t *t; 1043 u_char *dptr = NULL; 1044 1045 GET_TOKEN_AREA(t, dptr, 3 * sizeof(u_char) + sizeof(u_int16_t) + 1046 4 * sizeof(u_int32_t)); 1047 1048 ADD_U_CHAR(dptr, AUT_SOCKINET128); 1049 /* 1050 * In BSD, sin6_family is one octet, but BSM defines the token to 1051 * store two. So we copy in a 0 first. XXXRW: Possibly should be 1052 * conditionally compiled. 1053 */ 1054 ADD_U_CHAR(dptr, 0); 1055 ADD_U_CHAR(dptr, so->sin6_family); 1056 1057 ADD_U_INT16(dptr, so->sin6_port); 1058 ADD_MEM(dptr, &so->sin6_addr, 4 * sizeof(uint32_t)); 1059 1060 return (t); 1061 } 1062 1063 token_t * 1064 au_to_sock_inet(struct sockaddr_in *so) 1065 { 1066 1067 return (au_to_sock_inet32(so)); 1068 } 1069 1070 /* 1071 * token ID 1 byte 1072 * audit ID 4 bytes 1073 * effective user ID 4 bytes 1074 * effective group ID 4 bytes 1075 * real user ID 4 bytes 1076 * real group ID 4 bytes 1077 * process ID 4 bytes 1078 * session ID 4 bytes 1079 * terminal ID 1080 * port ID 4 bytes/8 bytes (32-bit/64-bit value) 1081 * machine address 4 bytes 1082 */ 1083 token_t * 1084 au_to_subject32(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, 1085 pid_t pid, au_asid_t sid, au_tid_t *tid) 1086 { 1087 token_t *t; 1088 u_char *dptr = NULL; 1089 1090 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 9 * sizeof(u_int32_t)); 1091 1092 ADD_U_CHAR(dptr, AUT_SUBJECT32); 1093 ADD_U_INT32(dptr, auid); 1094 ADD_U_INT32(dptr, euid); 1095 ADD_U_INT32(dptr, egid); 1096 ADD_U_INT32(dptr, ruid); 1097 ADD_U_INT32(dptr, rgid); 1098 ADD_U_INT32(dptr, pid); 1099 ADD_U_INT32(dptr, sid); 1100 ADD_U_INT32(dptr, tid->port); 1101 ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t)); 1102 1103 return (t); 1104 } 1105 1106 token_t * 1107 au_to_subject64(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, 1108 pid_t pid, au_asid_t sid, au_tid_t *tid) 1109 { 1110 token_t *t; 1111 u_char *dptr = NULL; 1112 1113 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 7 * sizeof(u_int32_t) + 1114 sizeof(u_int64_t) + sizeof(u_int32_t)); 1115 1116 ADD_U_CHAR(dptr, AUT_SUBJECT64); 1117 ADD_U_INT32(dptr, auid); 1118 ADD_U_INT32(dptr, euid); 1119 ADD_U_INT32(dptr, egid); 1120 ADD_U_INT32(dptr, ruid); 1121 ADD_U_INT32(dptr, rgid); 1122 ADD_U_INT32(dptr, pid); 1123 ADD_U_INT32(dptr, sid); 1124 ADD_U_INT64(dptr, tid->port); 1125 ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t)); 1126 1127 return (t); 1128 } 1129 1130 token_t * 1131 au_to_subject(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, 1132 pid_t pid, au_asid_t sid, au_tid_t *tid) 1133 { 1134 1135 return (au_to_subject32(auid, euid, egid, ruid, rgid, pid, sid, 1136 tid)); 1137 } 1138 1139 /* 1140 * token ID 1 byte 1141 * audit ID 4 bytes 1142 * effective user ID 4 bytes 1143 * effective group ID 4 bytes 1144 * real user ID 4 bytes 1145 * real group ID 4 bytes 1146 * process ID 4 bytes 1147 * session ID 4 bytes 1148 * terminal ID 1149 * port ID 4 bytes/8 bytes (32-bit/64-bit value) 1150 * address type/length 4 bytes 1151 * machine address 16 bytes 1152 */ 1153 token_t * 1154 au_to_subject32_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, 1155 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid) 1156 { 1157 token_t *t; 1158 u_char *dptr = NULL; 1159 1160 KASSERT((tid->at_type == AU_IPv4) || (tid->at_type == AU_IPv6), 1161 ("au_to_subject32_ex: type %u", (unsigned int)tid->at_type)); 1162 1163 if (tid->at_type == AU_IPv4) 1164 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 10 * 1165 sizeof(u_int32_t)); 1166 else 1167 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 13 * 1168 sizeof(u_int32_t)); 1169 1170 ADD_U_CHAR(dptr, AUT_SUBJECT32_EX); 1171 ADD_U_INT32(dptr, auid); 1172 ADD_U_INT32(dptr, euid); 1173 ADD_U_INT32(dptr, egid); 1174 ADD_U_INT32(dptr, ruid); 1175 ADD_U_INT32(dptr, rgid); 1176 ADD_U_INT32(dptr, pid); 1177 ADD_U_INT32(dptr, sid); 1178 ADD_U_INT32(dptr, tid->at_port); 1179 ADD_U_INT32(dptr, tid->at_type); 1180 if (tid->at_type == AU_IPv6) 1181 ADD_MEM(dptr, &tid->at_addr[0], 4 * sizeof(u_int32_t)); 1182 else 1183 ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t)); 1184 1185 return (t); 1186 } 1187 1188 token_t * 1189 au_to_subject64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, 1190 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid) 1191 { 1192 token_t *t; 1193 u_char *dptr = NULL; 1194 1195 KASSERT((tid->at_type == AU_IPv4) || (tid->at_type == AU_IPv6), 1196 ("au_to_subject64_ex: type %u", (unsigned int)tid->at_type)); 1197 1198 if (tid->at_type == AU_IPv4) 1199 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 1200 7 * sizeof(u_int32_t) + sizeof(u_int64_t) + 1201 2 * sizeof(u_int32_t)); 1202 else 1203 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 1204 7 * sizeof(u_int32_t) + sizeof(u_int64_t) + 1205 5 * sizeof(u_int32_t)); 1206 1207 ADD_U_CHAR(dptr, AUT_SUBJECT64_EX); 1208 ADD_U_INT32(dptr, auid); 1209 ADD_U_INT32(dptr, euid); 1210 ADD_U_INT32(dptr, egid); 1211 ADD_U_INT32(dptr, ruid); 1212 ADD_U_INT32(dptr, rgid); 1213 ADD_U_INT32(dptr, pid); 1214 ADD_U_INT32(dptr, sid); 1215 ADD_U_INT64(dptr, tid->at_port); 1216 ADD_U_INT32(dptr, tid->at_type); 1217 if (tid->at_type == AU_IPv6) 1218 ADD_MEM(dptr, &tid->at_addr[0], 4 * sizeof(u_int32_t)); 1219 else 1220 ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t)); 1221 1222 return (t); 1223 } 1224 1225 token_t * 1226 au_to_subject_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, 1227 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid) 1228 { 1229 1230 return (au_to_subject32_ex(auid, euid, egid, ruid, rgid, pid, sid, 1231 tid)); 1232 } 1233 1234 #if !defined(_KERNEL) && !defined(KERNEL) && defined(HAVE_AUDIT_SYSCALLS) 1235 /* 1236 * Collects audit information for the current process and creates a subject 1237 * token from it. 1238 */ 1239 token_t * 1240 au_to_me(void) 1241 { 1242 auditinfo_t auinfo; 1243 auditinfo_addr_t aia; 1244 1245 /* 1246 * Try to use getaudit_addr(2) first. If this kernel does not support 1247 * it, then fall back on to getaudit(2). 1248 */ 1249 if (getaudit_addr(&aia, sizeof(aia)) != 0) { 1250 if (errno == ENOSYS) { 1251 if (getaudit(&auinfo) != 0) 1252 return (NULL); 1253 return (au_to_subject32(auinfo.ai_auid, geteuid(), 1254 getegid(), getuid(), getgid(), getpid(), 1255 auinfo.ai_asid, &auinfo.ai_termid)); 1256 } else { 1257 /* getaudit_addr(2) failed for some other reason. */ 1258 return (NULL); 1259 } 1260 } 1261 1262 return (au_to_subject32_ex(aia.ai_auid, geteuid(), getegid(), getuid(), 1263 getgid(), getpid(), aia.ai_asid, &aia.ai_termid)); 1264 } 1265 #endif 1266 1267 #if defined(_KERNEL) || defined(KERNEL) 1268 static token_t * 1269 au_to_exec_strings(char *strs, int count, u_char type) 1270 { 1271 token_t *t; 1272 u_char *dptr = NULL; 1273 u_int32_t totlen; 1274 int ctr; 1275 char *p; 1276 1277 totlen = 0; 1278 ctr = count; 1279 p = strs; 1280 while (ctr-- > 0) { 1281 totlen += strlen(p) + 1; 1282 p = strs + totlen; 1283 } 1284 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + totlen); 1285 ADD_U_CHAR(dptr, type); 1286 ADD_U_INT32(dptr, count); 1287 ADD_STRING(dptr, strs, totlen); 1288 1289 return (t); 1290 } 1291 1292 /* 1293 * token ID 1 byte 1294 * count 4 bytes 1295 * text count null-terminated strings 1296 */ 1297 token_t * 1298 au_to_exec_args(char *args, int argc) 1299 { 1300 1301 return (au_to_exec_strings(args, argc, AUT_EXEC_ARGS)); 1302 } 1303 1304 /* 1305 * token ID 1 byte 1306 * count 4 bytes 1307 * text count null-terminated strings 1308 */ 1309 token_t * 1310 au_to_exec_env(char *envs, int envc) 1311 { 1312 1313 return (au_to_exec_strings(envs, envc, AUT_EXEC_ENV)); 1314 } 1315 #else 1316 /* 1317 * token ID 1 byte 1318 * count 4 bytes 1319 * text count null-terminated strings 1320 */ 1321 token_t * 1322 au_to_exec_args(char **argv) 1323 { 1324 token_t *t; 1325 u_char *dptr = NULL; 1326 const char *nextarg; 1327 int i, count = 0; 1328 size_t totlen = 0; 1329 1330 nextarg = *argv; 1331 1332 while (nextarg != NULL) { 1333 int nextlen; 1334 1335 nextlen = strlen(nextarg); 1336 totlen += nextlen + 1; 1337 count++; 1338 nextarg = *(argv + count); 1339 } 1340 1341 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + totlen); 1342 1343 ADD_U_CHAR(dptr, AUT_EXEC_ARGS); 1344 ADD_U_INT32(dptr, count); 1345 1346 for (i = 0; i < count; i++) { 1347 nextarg = *(argv + i); 1348 ADD_MEM(dptr, nextarg, strlen(nextarg) + 1); 1349 } 1350 1351 return (t); 1352 } 1353 1354 /* 1355 * token ID 1 byte 1356 * count 4 bytes 1357 * text count null-terminated strings 1358 */ 1359 token_t * 1360 au_to_exec_env(char **envp) 1361 { 1362 token_t *t; 1363 u_char *dptr = NULL; 1364 int i, count = 0; 1365 size_t totlen = 0; 1366 const char *nextenv; 1367 1368 nextenv = *envp; 1369 1370 while (nextenv != NULL) { 1371 int nextlen; 1372 1373 nextlen = strlen(nextenv); 1374 totlen += nextlen + 1; 1375 count++; 1376 nextenv = *(envp + count); 1377 } 1378 1379 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + totlen); 1380 1381 ADD_U_CHAR(dptr, AUT_EXEC_ENV); 1382 ADD_U_INT32(dptr, count); 1383 1384 for (i = 0; i < count; i++) { 1385 nextenv = *(envp + i); 1386 ADD_MEM(dptr, nextenv, strlen(nextenv) + 1); 1387 } 1388 1389 return (t); 1390 } 1391 #endif 1392 1393 /* 1394 * token ID 1 byte 1395 * zonename length 2 bytes 1396 * zonename N bytes + 1 terminating NULL byte 1397 */ 1398 token_t * 1399 au_to_zonename(const char *zonename) 1400 { 1401 u_char *dptr = NULL; 1402 u_int16_t textlen; 1403 token_t *t; 1404 1405 textlen = strlen(zonename) + 1; 1406 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + textlen); 1407 1408 ADD_U_CHAR(dptr, AUT_ZONENAME); 1409 ADD_U_INT16(dptr, textlen); 1410 ADD_STRING(dptr, zonename, textlen); 1411 return (t); 1412 } 1413 1414 /* 1415 * token ID 1 byte 1416 * record byte count 4 bytes 1417 * version # 1 byte [2] 1418 * event type 2 bytes 1419 * event modifier 2 bytes 1420 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value) 1421 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value) 1422 */ 1423 token_t * 1424 au_to_header32_tm(int rec_size, au_event_t e_type, au_emod_t e_mod, 1425 struct timeval tm) 1426 { 1427 token_t *t; 1428 u_char *dptr = NULL; 1429 u_int32_t timems; 1430 1431 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + 1432 sizeof(u_char) + 2 * sizeof(u_int16_t) + 2 * sizeof(u_int32_t)); 1433 1434 ADD_U_CHAR(dptr, AUT_HEADER32); 1435 ADD_U_INT32(dptr, rec_size); 1436 ADD_U_CHAR(dptr, AUDIT_HEADER_VERSION_OPENBSM); 1437 ADD_U_INT16(dptr, e_type); 1438 ADD_U_INT16(dptr, e_mod); 1439 1440 timems = tm.tv_usec/1000; 1441 /* Add the timestamp */ 1442 ADD_U_INT32(dptr, tm.tv_sec); 1443 ADD_U_INT32(dptr, timems); /* We need time in ms. */ 1444 1445 return (t); 1446 } 1447 1448 /* 1449 * token ID 1 byte 1450 * record byte count 4 bytes 1451 * version # 1 byte [2] 1452 * event type 2 bytes 1453 * event modifier 2 bytes 1454 * address type/length 4 bytes 1455 * machine address 4 bytes/16 bytes (IPv4/IPv6 address) 1456 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value) 1457 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value) 1458 */ 1459 token_t * 1460 au_to_header32_ex_tm(int rec_size, au_event_t e_type, au_emod_t e_mod, 1461 struct timeval tm, struct auditinfo_addr *aia) 1462 { 1463 token_t *t; 1464 u_char *dptr = NULL; 1465 u_int32_t timems; 1466 au_tid_addr_t *tid; 1467 1468 tid = &aia->ai_termid; 1469 KASSERT(tid->at_type == AU_IPv4 || tid->at_type == AU_IPv6, 1470 ("au_to_header32_ex_tm: invalid address family")); 1471 1472 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + 1473 sizeof(u_char) + 2 * sizeof(u_int16_t) + 3 * 1474 sizeof(u_int32_t) + tid->at_type); 1475 1476 ADD_U_CHAR(dptr, AUT_HEADER32_EX); 1477 ADD_U_INT32(dptr, rec_size); 1478 ADD_U_CHAR(dptr, AUDIT_HEADER_VERSION_OPENBSM); 1479 ADD_U_INT16(dptr, e_type); 1480 ADD_U_INT16(dptr, e_mod); 1481 1482 ADD_U_INT32(dptr, tid->at_type); 1483 if (tid->at_type == AU_IPv6) 1484 ADD_MEM(dptr, &tid->at_addr[0], 4 * sizeof(u_int32_t)); 1485 else 1486 ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t)); 1487 timems = tm.tv_usec/1000; 1488 /* Add the timestamp */ 1489 ADD_U_INT32(dptr, tm.tv_sec); 1490 ADD_U_INT32(dptr, timems); /* We need time in ms. */ 1491 1492 return (t); 1493 } 1494 1495 token_t * 1496 au_to_header64_tm(int rec_size, au_event_t e_type, au_emod_t e_mod, 1497 struct timeval tm) 1498 { 1499 token_t *t; 1500 u_char *dptr = NULL; 1501 u_int32_t timems; 1502 1503 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + 1504 sizeof(u_char) + 2 * sizeof(u_int16_t) + 2 * sizeof(u_int64_t)); 1505 1506 ADD_U_CHAR(dptr, AUT_HEADER64); 1507 ADD_U_INT32(dptr, rec_size); 1508 ADD_U_CHAR(dptr, AUDIT_HEADER_VERSION_OPENBSM); 1509 ADD_U_INT16(dptr, e_type); 1510 ADD_U_INT16(dptr, e_mod); 1511 1512 timems = tm.tv_usec/1000; 1513 /* Add the timestamp */ 1514 ADD_U_INT64(dptr, tm.tv_sec); 1515 ADD_U_INT64(dptr, timems); /* We need time in ms. */ 1516 1517 return (t); 1518 } 1519 1520 #if !defined(KERNEL) && !defined(_KERNEL) 1521 #ifdef HAVE_AUDIT_SYSCALLS 1522 token_t * 1523 au_to_header32_ex(int rec_size, au_event_t e_type, au_emod_t e_mod) 1524 { 1525 struct timeval tm; 1526 struct auditinfo_addr aia; 1527 1528 if (gettimeofday(&tm, NULL) == -1) 1529 return (NULL); 1530 if (audit_get_kaudit(&aia, sizeof(aia)) != 0) { 1531 if (errno != ENOSYS) 1532 return (NULL); 1533 return (au_to_header32_tm(rec_size, e_type, e_mod, tm)); 1534 } 1535 return (au_to_header32_ex_tm(rec_size, e_type, e_mod, tm, &aia)); 1536 } 1537 #endif /* HAVE_AUDIT_SYSCALLS */ 1538 1539 token_t * 1540 au_to_header32(int rec_size, au_event_t e_type, au_emod_t e_mod) 1541 { 1542 struct timeval tm; 1543 1544 if (gettimeofday(&tm, NULL) == -1) 1545 return (NULL); 1546 return (au_to_header32_tm(rec_size, e_type, e_mod, tm)); 1547 } 1548 1549 token_t * 1550 au_to_header64(__unused int rec_size, __unused au_event_t e_type, 1551 __unused au_emod_t e_mod) 1552 { 1553 struct timeval tm; 1554 1555 if (gettimeofday(&tm, NULL) == -1) 1556 return (NULL); 1557 return (au_to_header64_tm(rec_size, e_type, e_mod, tm)); 1558 } 1559 1560 token_t * 1561 au_to_header(int rec_size, au_event_t e_type, au_emod_t e_mod) 1562 { 1563 1564 return (au_to_header32(rec_size, e_type, e_mod)); 1565 } 1566 1567 #ifdef HAVE_AUDIT_SYSCALLS 1568 token_t * 1569 au_to_header_ex(int rec_size, au_event_t e_type, au_emod_t e_mod) 1570 { 1571 1572 return (au_to_header32_ex(rec_size, e_type, e_mod)); 1573 } 1574 #endif /* HAVE_AUDIT_SYSCALLS */ 1575 #endif /* !defined(KERNEL) && !defined(_KERNEL) */ 1576 1577 /* 1578 * token ID 1 byte 1579 * trailer magic number 2 bytes 1580 * record byte count 4 bytes 1581 */ 1582 token_t * 1583 au_to_trailer(int rec_size) 1584 { 1585 token_t *t; 1586 u_char *dptr = NULL; 1587 u_int16_t magic = AUT_TRAILER_MAGIC; 1588 1589 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + 1590 sizeof(u_int32_t)); 1591 1592 ADD_U_CHAR(dptr, AUT_TRAILER); 1593 ADD_U_INT16(dptr, magic); 1594 ADD_U_INT32(dptr, rec_size); 1595 1596 return (t); 1597 } 1598