1 /*- 2 * SPDX-License-Identifier: BSD-3-Clause 3 * 4 * Copyright (c) 2004-2009 Apple Inc. 5 * Copyright (c) 2005 SPARTA, Inc. 6 * All rights reserved. 7 * 8 * This code was developed in part by Robert N. M. Watson, Senior Principal 9 * Scientist, SPARTA, Inc. 10 * 11 * Redistribution and use in source and binary forms, with or without 12 * modification, are permitted provided that the following conditions 13 * are met: 14 * 1. Redistributions of source code must retain the above copyright 15 * notice, this list of conditions and the following disclaimer. 16 * 2. Redistributions in binary form must reproduce the above copyright 17 * notice, this list of conditions and the following disclaimer in the 18 * documentation and/or other materials provided with the distribution. 19 * 3. Neither the name of Apple Inc. ("Apple") nor the names of 20 * its contributors may be used to endorse or promote products derived 21 * from this software without specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND 24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 26 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR 27 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 31 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 32 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 33 * POSSIBILITY OF SUCH DAMAGE. 34 */ 35 36 #include <sys/cdefs.h> 37 __FBSDID("$FreeBSD$"); 38 39 #include <sys/param.h> 40 #include <sys/types.h> 41 #include <sys/endian.h> 42 #include <sys/queue.h> 43 #include <sys/socket.h> 44 #include <sys/time.h> 45 46 #include <sys/ipc.h> 47 #include <sys/libkern.h> 48 #include <sys/malloc.h> 49 #include <sys/un.h> 50 51 #include <netinet/in.h> 52 #include <netinet/in_systm.h> 53 #include <netinet/ip.h> 54 55 #include <bsm/audit.h> 56 #include <bsm/audit_internal.h> 57 #include <bsm/audit_record.h> 58 #include <security/audit/audit.h> 59 #include <security/audit/audit_private.h> 60 61 #define GET_TOKEN_AREA(t, dptr, length) do { \ 62 t = malloc(sizeof(token_t), M_AUDITBSM, M_WAITOK); \ 63 t->t_data = malloc(length, M_AUDITBSM, M_WAITOK | M_ZERO); \ 64 t->len = length; \ 65 dptr = t->t_data; \ 66 } while (0) 67 68 /* 69 * token ID 1 byte 70 * success/failure 1 byte 71 * privstrlen 2 bytes 72 * privstr N bytes + 1 (\0 byte) 73 */ 74 token_t * 75 au_to_upriv(char sorf, char *priv) 76 { 77 u_int16_t textlen; 78 u_char *dptr; 79 token_t *t; 80 81 textlen = strlen(priv) + 1; 82 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_char) + 83 sizeof(u_int16_t) + textlen); 84 85 ADD_U_CHAR(dptr, AUT_UPRIV); 86 ADD_U_CHAR(dptr, sorf); 87 ADD_U_INT16(dptr, textlen); 88 ADD_STRING(dptr, priv, textlen); 89 return (t); 90 } 91 92 /* 93 * token ID 1 byte 94 * privtstrlen 2 bytes 95 * privtstr N bytes + 1 96 * privstrlen 2 bytes 97 * privstr N bytes + 1 98 */ 99 token_t * 100 au_to_privset(char *privtypestr, char *privstr) 101 { 102 u_int16_t type_len, priv_len; 103 u_char *dptr; 104 token_t *t; 105 106 type_len = strlen(privtypestr) + 1; 107 priv_len = strlen(privstr) + 1; 108 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + 109 sizeof(u_int16_t) + type_len + priv_len); 110 111 ADD_U_CHAR(dptr, AUT_PRIV); 112 ADD_U_INT16(dptr, type_len); 113 ADD_STRING(dptr, privtypestr, type_len); 114 ADD_U_INT16(dptr, priv_len); 115 ADD_STRING(dptr, privstr, priv_len); 116 return (t); 117 } 118 119 /* 120 * token ID 1 byte 121 * argument # 1 byte 122 * argument value 4 bytes/8 bytes (32-bit/64-bit value) 123 * text length 2 bytes 124 * text N bytes + 1 terminating NULL byte 125 */ 126 token_t * 127 au_to_arg32(char n, const char *text, u_int32_t v) 128 { 129 token_t *t; 130 u_char *dptr = NULL; 131 u_int16_t textlen; 132 133 textlen = strlen(text); 134 textlen += 1; 135 136 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int32_t) + 137 sizeof(u_int16_t) + textlen); 138 139 ADD_U_CHAR(dptr, AUT_ARG32); 140 ADD_U_CHAR(dptr, n); 141 ADD_U_INT32(dptr, v); 142 ADD_U_INT16(dptr, textlen); 143 ADD_STRING(dptr, text, textlen); 144 145 return (t); 146 } 147 148 token_t * 149 au_to_arg64(char n, const char *text, u_int64_t v) 150 { 151 token_t *t; 152 u_char *dptr = NULL; 153 u_int16_t textlen; 154 155 textlen = strlen(text); 156 textlen += 1; 157 158 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int64_t) + 159 sizeof(u_int16_t) + textlen); 160 161 ADD_U_CHAR(dptr, AUT_ARG64); 162 ADD_U_CHAR(dptr, n); 163 ADD_U_INT64(dptr, v); 164 ADD_U_INT16(dptr, textlen); 165 ADD_STRING(dptr, text, textlen); 166 167 return (t); 168 } 169 170 token_t * 171 au_to_arg(char n, const char *text, u_int32_t v) 172 { 173 174 return (au_to_arg32(n, text, v)); 175 } 176 177 #if defined(_KERNEL) || defined(KERNEL) 178 /* 179 * token ID 1 byte 180 * file access mode 4 bytes 181 * owner user ID 4 bytes 182 * owner group ID 4 bytes 183 * file system ID 4 bytes 184 * node ID 8 bytes 185 * device 4 bytes/8 bytes (32-bit/64-bit) 186 */ 187 token_t * 188 au_to_attr32(struct vnode_au_info *vni) 189 { 190 token_t *t; 191 u_char *dptr = NULL; 192 u_int16_t pad0_16 = 0; 193 u_int32_t pad0_32 = 0; 194 195 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) + 196 3 * sizeof(u_int32_t) + sizeof(u_int64_t) + sizeof(u_int32_t)); 197 198 ADD_U_CHAR(dptr, AUT_ATTR32); 199 200 /* 201 * BSD defines the size for the file mode as 2 bytes; BSM defines 4 202 * so pad with 0. 203 * 204 * XXXRW: Possibly should be conditionally compiled. 205 * 206 * XXXRW: Should any conversions take place on the mode? 207 */ 208 ADD_U_INT16(dptr, pad0_16); 209 ADD_U_INT16(dptr, vni->vn_mode); 210 211 ADD_U_INT32(dptr, vni->vn_uid); 212 ADD_U_INT32(dptr, vni->vn_gid); 213 ADD_U_INT32(dptr, vni->vn_fsid); 214 215 /* 216 * Some systems use 32-bit file ID's, others use 64-bit file IDs. 217 * Attempt to handle both, and let the compiler sort it out. If we 218 * could pick this out at compile-time, it would be better, so as to 219 * avoid the else case below. 220 */ 221 if (sizeof(vni->vn_fileid) == sizeof(uint32_t)) { 222 ADD_U_INT32(dptr, pad0_32); 223 ADD_U_INT32(dptr, vni->vn_fileid); 224 } else if (sizeof(vni->vn_fileid) == sizeof(uint64_t)) 225 ADD_U_INT64(dptr, vni->vn_fileid); 226 else 227 ADD_U_INT64(dptr, 0LL); 228 229 ADD_U_INT32(dptr, vni->vn_dev); 230 231 return (t); 232 } 233 234 token_t * 235 au_to_attr64(struct vnode_au_info *vni) 236 { 237 token_t *t; 238 u_char *dptr = NULL; 239 u_int16_t pad0_16 = 0; 240 u_int32_t pad0_32 = 0; 241 242 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) + 243 3 * sizeof(u_int32_t) + sizeof(u_int64_t) * 2); 244 245 ADD_U_CHAR(dptr, AUT_ATTR64); 246 247 /* 248 * BSD defines the size for the file mode as 2 bytes; BSM defines 4 249 * so pad with 0. 250 * 251 * XXXRW: Possibly should be conditionally compiled. 252 * 253 * XXXRW: Should any conversions take place on the mode? 254 */ 255 ADD_U_INT16(dptr, pad0_16); 256 ADD_U_INT16(dptr, vni->vn_mode); 257 258 ADD_U_INT32(dptr, vni->vn_uid); 259 ADD_U_INT32(dptr, vni->vn_gid); 260 ADD_U_INT32(dptr, vni->vn_fsid); 261 262 /* 263 * Some systems use 32-bit file ID's, other's use 64-bit file IDs. 264 * Attempt to handle both, and let the compiler sort it out. If we 265 * could pick this out at compile-time, it would be better, so as to 266 * avoid the else case below. 267 */ 268 if (sizeof(vni->vn_fileid) == sizeof(uint32_t)) { 269 ADD_U_INT32(dptr, pad0_32); 270 ADD_U_INT32(dptr, vni->vn_fileid); 271 } else if (sizeof(vni->vn_fileid) == sizeof(uint64_t)) 272 ADD_U_INT64(dptr, vni->vn_fileid); 273 else 274 ADD_U_INT64(dptr, 0LL); 275 276 ADD_U_INT64(dptr, vni->vn_dev); 277 278 return (t); 279 } 280 281 token_t * 282 au_to_attr(struct vnode_au_info *vni) 283 { 284 285 return (au_to_attr32(vni)); 286 } 287 #endif /* !(defined(_KERNEL) || defined(KERNEL) */ 288 289 /* 290 * token ID 1 byte 291 * how to print 1 byte 292 * basic unit 1 byte 293 * unit count 1 byte 294 * data items (depends on basic unit) 295 */ 296 token_t * 297 au_to_data(char unit_print, char unit_type, char unit_count, const char *p) 298 { 299 token_t *t; 300 u_char *dptr = NULL; 301 size_t datasize, totdata; 302 303 /* Determine the size of the basic unit. */ 304 switch (unit_type) { 305 case AUR_BYTE: 306 /* case AUR_CHAR: */ 307 datasize = AUR_BYTE_SIZE; 308 break; 309 310 case AUR_SHORT: 311 datasize = AUR_SHORT_SIZE; 312 break; 313 314 case AUR_INT32: 315 /* case AUR_INT: */ 316 datasize = AUR_INT32_SIZE; 317 break; 318 319 case AUR_INT64: 320 datasize = AUR_INT64_SIZE; 321 break; 322 323 default: 324 return (NULL); 325 } 326 327 totdata = datasize * unit_count; 328 329 GET_TOKEN_AREA(t, dptr, 4 * sizeof(u_char) + totdata); 330 331 /* 332 * XXXRW: We should be byte-swapping each data item for multi-byte 333 * types. 334 */ 335 ADD_U_CHAR(dptr, AUT_DATA); 336 ADD_U_CHAR(dptr, unit_print); 337 ADD_U_CHAR(dptr, unit_type); 338 ADD_U_CHAR(dptr, unit_count); 339 ADD_MEM(dptr, p, totdata); 340 341 return (t); 342 } 343 344 /* 345 * token ID 1 byte 346 * status 4 bytes 347 * return value 4 bytes 348 */ 349 token_t * 350 au_to_exit(int retval, int err) 351 { 352 token_t *t; 353 u_char *dptr = NULL; 354 355 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int32_t)); 356 357 ADD_U_CHAR(dptr, AUT_EXIT); 358 ADD_U_INT32(dptr, err); 359 ADD_U_INT32(dptr, retval); 360 361 return (t); 362 } 363 364 /* 365 */ 366 token_t * 367 au_to_groups(int *groups) 368 { 369 370 return (au_to_newgroups(AUDIT_MAX_GROUPS, (gid_t *)groups)); 371 } 372 373 /* 374 * token ID 1 byte 375 * number groups 2 bytes 376 * group list count * 4 bytes 377 */ 378 token_t * 379 au_to_newgroups(u_int16_t n, gid_t *groups) 380 { 381 token_t *t; 382 u_char *dptr = NULL; 383 int i; 384 385 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + 386 n * sizeof(u_int32_t)); 387 388 ADD_U_CHAR(dptr, AUT_NEWGROUPS); 389 ADD_U_INT16(dptr, n); 390 for (i = 0; i < n; i++) 391 ADD_U_INT32(dptr, groups[i]); 392 393 return (t); 394 } 395 396 /* 397 * token ID 1 byte 398 * internet address 4 bytes 399 */ 400 token_t * 401 au_to_in_addr(struct in_addr *internet_addr) 402 { 403 token_t *t; 404 u_char *dptr = NULL; 405 406 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(uint32_t)); 407 408 ADD_U_CHAR(dptr, AUT_IN_ADDR); 409 ADD_MEM(dptr, &internet_addr->s_addr, sizeof(uint32_t)); 410 411 return (t); 412 } 413 414 /* 415 * token ID 1 byte 416 * address type/length 4 bytes 417 * address 16 bytes 418 */ 419 token_t * 420 au_to_in_addr_ex(struct in6_addr *internet_addr) 421 { 422 token_t *t; 423 u_char *dptr = NULL; 424 u_int32_t type = AU_IPv6; 425 426 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 5 * sizeof(uint32_t)); 427 428 ADD_U_CHAR(dptr, AUT_IN_ADDR_EX); 429 ADD_U_INT32(dptr, type); 430 ADD_MEM(dptr, internet_addr, 4 * sizeof(uint32_t)); 431 432 return (t); 433 } 434 435 /* 436 * token ID 1 byte 437 * ip header 20 bytes 438 * 439 * The IP header should be submitted in network byte order. 440 */ 441 token_t * 442 au_to_ip(struct ip *ip) 443 { 444 token_t *t; 445 u_char *dptr = NULL; 446 447 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(struct ip)); 448 449 ADD_U_CHAR(dptr, AUT_IP); 450 ADD_MEM(dptr, ip, sizeof(struct ip)); 451 452 return (t); 453 } 454 455 /* 456 * token ID 1 byte 457 * object ID type 1 byte 458 * object ID 4 bytes 459 */ 460 token_t * 461 au_to_ipc(char type, int id) 462 { 463 token_t *t; 464 u_char *dptr = NULL; 465 466 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int32_t)); 467 468 ADD_U_CHAR(dptr, AUT_IPC); 469 ADD_U_CHAR(dptr, type); 470 ADD_U_INT32(dptr, id); 471 472 return (t); 473 } 474 475 /* 476 * token ID 1 byte 477 * owner user ID 4 bytes 478 * owner group ID 4 bytes 479 * creator user ID 4 bytes 480 * creator group ID 4 bytes 481 * access mode 4 bytes 482 * slot sequence # 4 bytes 483 * key 4 bytes 484 */ 485 token_t * 486 au_to_ipc_perm(struct ipc_perm *perm) 487 { 488 token_t *t; 489 u_char *dptr = NULL; 490 u_int16_t pad0 = 0; 491 492 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 12 * sizeof(u_int16_t) + 493 sizeof(u_int32_t)); 494 495 ADD_U_CHAR(dptr, AUT_IPC_PERM); 496 497 /* 498 * Systems vary significantly in what types they use in struct 499 * ipc_perm; at least a few still use 16-bit uid's and gid's, so 500 * allow for that, as BSM define 32-bit values here. 501 * Some systems define the sizes for ipc_perm members as 2 bytes; 502 * BSM defines 4 so pad with 0. 503 * 504 * XXXRW: Possibly shoulid be conditionally compiled, and more cases 505 * need to be handled. 506 */ 507 if (sizeof(perm->uid) != sizeof(u_int32_t)) { 508 ADD_U_INT16(dptr, pad0); 509 ADD_U_INT16(dptr, perm->uid); 510 ADD_U_INT16(dptr, pad0); 511 ADD_U_INT16(dptr, perm->gid); 512 ADD_U_INT16(dptr, pad0); 513 ADD_U_INT16(dptr, perm->cuid); 514 ADD_U_INT16(dptr, pad0); 515 ADD_U_INT16(dptr, perm->cgid); 516 } else { 517 ADD_U_INT32(dptr, perm->uid); 518 ADD_U_INT32(dptr, perm->gid); 519 ADD_U_INT32(dptr, perm->cuid); 520 ADD_U_INT32(dptr, perm->cgid); 521 } 522 523 ADD_U_INT16(dptr, pad0); 524 ADD_U_INT16(dptr, perm->mode); 525 526 ADD_U_INT16(dptr, pad0); 527 528 ADD_U_INT16(dptr, perm->seq); 529 530 ADD_U_INT32(dptr, perm->key); 531 532 return (t); 533 } 534 535 /* 536 * token ID 1 byte 537 * port IP address 2 bytes 538 */ 539 token_t * 540 au_to_iport(u_int16_t iport) 541 { 542 token_t *t; 543 u_char *dptr = NULL; 544 545 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t)); 546 547 ADD_U_CHAR(dptr, AUT_IPORT); 548 ADD_U_INT16(dptr, iport); 549 550 return (t); 551 } 552 553 /* 554 * token ID 1 byte 555 * size 2 bytes 556 * data size bytes 557 */ 558 token_t * 559 au_to_opaque(const char *data, u_int16_t bytes) 560 { 561 token_t *t; 562 u_char *dptr = NULL; 563 564 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + bytes); 565 566 ADD_U_CHAR(dptr, AUT_OPAQUE); 567 ADD_U_INT16(dptr, bytes); 568 ADD_MEM(dptr, data, bytes); 569 570 return (t); 571 } 572 573 /* 574 * token ID 1 byte 575 * seconds of time 4 bytes 576 * milliseconds of time 4 bytes 577 * file name len 2 bytes 578 * file pathname N bytes + 1 terminating NULL byte 579 */ 580 token_t * 581 au_to_file(const char *file, struct timeval tm) 582 { 583 token_t *t; 584 u_char *dptr = NULL; 585 u_int16_t filelen; 586 u_int32_t timems; 587 588 filelen = strlen(file); 589 filelen += 1; 590 591 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int32_t) + 592 sizeof(u_int16_t) + filelen); 593 594 timems = tm.tv_usec/1000; 595 596 ADD_U_CHAR(dptr, AUT_OTHER_FILE32); 597 ADD_U_INT32(dptr, tm.tv_sec); 598 ADD_U_INT32(dptr, timems); /* We need time in ms. */ 599 ADD_U_INT16(dptr, filelen); 600 ADD_STRING(dptr, file, filelen); 601 602 return (t); 603 } 604 605 /* 606 * token ID 1 byte 607 * text length 2 bytes 608 * text N bytes + 1 terminating NULL byte 609 */ 610 token_t * 611 au_to_text(const char *text) 612 { 613 token_t *t; 614 u_char *dptr = NULL; 615 u_int16_t textlen; 616 617 textlen = strlen(text); 618 textlen += 1; 619 620 /* XXXRW: Should validate length against token size limit. */ 621 622 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + textlen); 623 624 ADD_U_CHAR(dptr, AUT_TEXT); 625 ADD_U_INT16(dptr, textlen); 626 ADD_STRING(dptr, text, textlen); 627 628 return (t); 629 } 630 631 /* 632 * token ID 1 byte 633 * path length 2 bytes 634 * path N bytes + 1 terminating NULL byte 635 */ 636 token_t * 637 au_to_path(const char *text) 638 { 639 token_t *t; 640 u_char *dptr = NULL; 641 u_int16_t textlen; 642 643 textlen = strlen(text); 644 textlen += 1; 645 646 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + textlen); 647 648 ADD_U_CHAR(dptr, AUT_PATH); 649 ADD_U_INT16(dptr, textlen); 650 ADD_STRING(dptr, text, textlen); 651 652 return (t); 653 } 654 655 /* 656 * token ID 1 byte 657 * audit ID 4 bytes 658 * effective user ID 4 bytes 659 * effective group ID 4 bytes 660 * real user ID 4 bytes 661 * real group ID 4 bytes 662 * process ID 4 bytes 663 * session ID 4 bytes 664 * terminal ID 665 * port ID 4 bytes/8 bytes (32-bit/64-bit value) 666 * machine address 4 bytes 667 */ 668 token_t * 669 au_to_process32(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, 670 pid_t pid, au_asid_t sid, au_tid_t *tid) 671 { 672 token_t *t; 673 u_char *dptr = NULL; 674 675 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 9 * sizeof(u_int32_t)); 676 677 ADD_U_CHAR(dptr, AUT_PROCESS32); 678 ADD_U_INT32(dptr, auid); 679 ADD_U_INT32(dptr, euid); 680 ADD_U_INT32(dptr, egid); 681 ADD_U_INT32(dptr, ruid); 682 ADD_U_INT32(dptr, rgid); 683 ADD_U_INT32(dptr, pid); 684 ADD_U_INT32(dptr, sid); 685 ADD_U_INT32(dptr, tid->port); 686 687 /* 688 * Note: Solaris will write out IPv6 addresses here as a 32-bit 689 * address type and 16 bytes of address, but for IPv4 addresses it 690 * simply writes the 4-byte address directly. We support only IPv4 691 * addresses for process32 tokens. 692 */ 693 ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t)); 694 695 return (t); 696 } 697 698 token_t * 699 au_to_process64(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, 700 pid_t pid, au_asid_t sid, au_tid_t *tid) 701 { 702 token_t *t; 703 u_char *dptr = NULL; 704 705 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 8 * sizeof(u_int32_t) + 706 sizeof(u_int64_t)); 707 708 ADD_U_CHAR(dptr, AUT_PROCESS64); 709 ADD_U_INT32(dptr, auid); 710 ADD_U_INT32(dptr, euid); 711 ADD_U_INT32(dptr, egid); 712 ADD_U_INT32(dptr, ruid); 713 ADD_U_INT32(dptr, rgid); 714 ADD_U_INT32(dptr, pid); 715 ADD_U_INT32(dptr, sid); 716 ADD_U_INT64(dptr, tid->port); 717 718 /* 719 * Note: Solaris will write out IPv6 addresses here as a 32-bit 720 * address type and 16 bytes of address, but for IPv4 addresses it 721 * simply writes the 4-byte address directly. We support only IPv4 722 * addresses for process64 tokens. 723 */ 724 ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t)); 725 726 return (t); 727 } 728 729 token_t * 730 au_to_process(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, 731 pid_t pid, au_asid_t sid, au_tid_t *tid) 732 { 733 734 return (au_to_process32(auid, euid, egid, ruid, rgid, pid, sid, 735 tid)); 736 } 737 738 /* 739 * token ID 1 byte 740 * audit ID 4 bytes 741 * effective user ID 4 bytes 742 * effective group ID 4 bytes 743 * real user ID 4 bytes 744 * real group ID 4 bytes 745 * process ID 4 bytes 746 * session ID 4 bytes 747 * terminal ID 748 * port ID 4 bytes/8 bytes (32-bit/64-bit value) 749 * address type-len 4 bytes 750 * machine address 16 bytes 751 */ 752 token_t * 753 au_to_process32_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, 754 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid) 755 { 756 token_t *t; 757 u_char *dptr = NULL; 758 759 KASSERT((tid->at_type == AU_IPv4) || (tid->at_type == AU_IPv6), 760 ("au_to_process32_ex: type %u", (unsigned int)tid->at_type)); 761 if (tid->at_type == AU_IPv4) 762 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 763 10 * sizeof(u_int32_t)); 764 else 765 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 766 13 * sizeof(u_int32_t)); 767 768 ADD_U_CHAR(dptr, AUT_PROCESS32_EX); 769 ADD_U_INT32(dptr, auid); 770 ADD_U_INT32(dptr, euid); 771 ADD_U_INT32(dptr, egid); 772 ADD_U_INT32(dptr, ruid); 773 ADD_U_INT32(dptr, rgid); 774 ADD_U_INT32(dptr, pid); 775 ADD_U_INT32(dptr, sid); 776 ADD_U_INT32(dptr, tid->at_port); 777 ADD_U_INT32(dptr, tid->at_type); 778 ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t)); 779 if (tid->at_type == AU_IPv6) { 780 ADD_MEM(dptr, &tid->at_addr[1], sizeof(u_int32_t)); 781 ADD_MEM(dptr, &tid->at_addr[2], sizeof(u_int32_t)); 782 ADD_MEM(dptr, &tid->at_addr[3], sizeof(u_int32_t)); 783 } 784 785 return (t); 786 } 787 788 token_t * 789 au_to_process64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, 790 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid) 791 { 792 token_t *t; 793 u_char *dptr = NULL; 794 795 if (tid->at_type == AU_IPv4) 796 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 797 7 * sizeof(u_int32_t) + sizeof(u_int64_t) + 798 2 * sizeof(u_int32_t)); 799 else if (tid->at_type == AU_IPv6) 800 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 801 7 * sizeof(u_int32_t) + sizeof(u_int64_t) + 802 5 * sizeof(u_int32_t)); 803 else 804 panic("au_to_process64_ex: invalidate at_type (%d)", 805 tid->at_type); 806 807 ADD_U_CHAR(dptr, AUT_PROCESS64_EX); 808 ADD_U_INT32(dptr, auid); 809 ADD_U_INT32(dptr, euid); 810 ADD_U_INT32(dptr, egid); 811 ADD_U_INT32(dptr, ruid); 812 ADD_U_INT32(dptr, rgid); 813 ADD_U_INT32(dptr, pid); 814 ADD_U_INT32(dptr, sid); 815 ADD_U_INT64(dptr, tid->at_port); 816 ADD_U_INT32(dptr, tid->at_type); 817 ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t)); 818 if (tid->at_type == AU_IPv6) { 819 ADD_MEM(dptr, &tid->at_addr[1], sizeof(u_int32_t)); 820 ADD_MEM(dptr, &tid->at_addr[2], sizeof(u_int32_t)); 821 ADD_MEM(dptr, &tid->at_addr[3], sizeof(u_int32_t)); 822 } 823 824 return (t); 825 } 826 827 token_t * 828 au_to_process_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, 829 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid) 830 { 831 832 return (au_to_process32_ex(auid, euid, egid, ruid, rgid, pid, sid, 833 tid)); 834 } 835 836 token_t * 837 au_to_rights(cap_rights_t *rightsp) 838 { 839 token_t *t; 840 u_char *dptr; 841 int i; 842 843 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(*rightsp)); 844 845 ADD_U_CHAR(dptr, AUT_RIGHTS); 846 for (i = 0; i < nitems(rightsp->cr_rights); i++) 847 ADD_U_INT64(dptr, rightsp->cr_rights[i]); 848 849 return (t); 850 } 851 852 /* 853 * token ID 1 byte 854 * error status 1 byte 855 * return value 4 bytes/8 bytes (32-bit/64-bit value) 856 */ 857 token_t * 858 au_to_return32(char status, u_int32_t ret) 859 { 860 token_t *t; 861 u_char *dptr = NULL; 862 863 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int32_t)); 864 865 ADD_U_CHAR(dptr, AUT_RETURN32); 866 ADD_U_CHAR(dptr, status); 867 ADD_U_INT32(dptr, ret); 868 869 return (t); 870 } 871 872 token_t * 873 au_to_return64(char status, u_int64_t ret) 874 { 875 token_t *t; 876 u_char *dptr = NULL; 877 878 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int64_t)); 879 880 ADD_U_CHAR(dptr, AUT_RETURN64); 881 ADD_U_CHAR(dptr, status); 882 ADD_U_INT64(dptr, ret); 883 884 return (t); 885 } 886 887 token_t * 888 au_to_return(char status, u_int32_t ret) 889 { 890 891 return (au_to_return32(status, ret)); 892 } 893 894 /* 895 * token ID 1 byte 896 * sequence number 4 bytes 897 */ 898 token_t * 899 au_to_seq(long audit_count) 900 { 901 token_t *t; 902 u_char *dptr = NULL; 903 904 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t)); 905 906 ADD_U_CHAR(dptr, AUT_SEQ); 907 ADD_U_INT32(dptr, audit_count); 908 909 return (t); 910 } 911 912 /* 913 * token ID 1 byte 914 * socket domain 2 bytes 915 * socket type 2 bytes 916 * address type 2 byte 917 * local port 2 bytes 918 * local address 4 bytes/16 bytes (IPv4/IPv6 address) 919 * remote port 2 bytes 920 * remote address 4 bytes/16 bytes (IPv4/IPv6 address) 921 * 922 * Domain and type arguments to this routine are assumed to already have been 923 * converted to the BSM constant space, so we don't do that here. 924 */ 925 token_t * 926 au_to_socket_ex(u_short so_domain, u_short so_type, 927 struct sockaddr *sa_local, struct sockaddr *sa_remote) 928 { 929 token_t *t; 930 u_char *dptr = NULL; 931 struct sockaddr_in *sin; 932 struct sockaddr_in6 *sin6; 933 934 if (so_domain == AF_INET) 935 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 936 5 * sizeof(u_int16_t) + 2 * sizeof(u_int32_t)); 937 else if (so_domain == AF_INET6) 938 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 939 5 * sizeof(u_int16_t) + 8 * sizeof(u_int32_t)); 940 else 941 return (NULL); 942 943 ADD_U_CHAR(dptr, AUT_SOCKET_EX); 944 ADD_U_INT16(dptr, au_domain_to_bsm(so_domain)); 945 ADD_U_INT16(dptr, au_socket_type_to_bsm(so_type)); 946 if (so_domain == AF_INET) { 947 ADD_U_INT16(dptr, AU_IPv4); 948 sin = (struct sockaddr_in *)sa_local; 949 ADD_MEM(dptr, &sin->sin_port, sizeof(uint16_t)); 950 ADD_MEM(dptr, &sin->sin_addr.s_addr, sizeof(uint32_t)); 951 sin = (struct sockaddr_in *)sa_remote; 952 ADD_MEM(dptr, &sin->sin_port, sizeof(uint16_t)); 953 ADD_MEM(dptr, &sin->sin_addr.s_addr, sizeof(uint32_t)); 954 } else { 955 ADD_U_INT16(dptr, AU_IPv6); 956 sin6 = (struct sockaddr_in6 *)sa_local; 957 ADD_MEM(dptr, &sin6->sin6_port, sizeof(uint16_t)); 958 ADD_MEM(dptr, &sin6->sin6_addr, 4 * sizeof(uint32_t)); 959 sin6 = (struct sockaddr_in6 *)sa_remote; 960 ADD_MEM(dptr, &sin6->sin6_port, sizeof(uint16_t)); 961 ADD_MEM(dptr, &sin6->sin6_addr, 4 * sizeof(uint32_t)); 962 } 963 964 return (t); 965 } 966 967 /* 968 * Kernel-specific version of the above function. 969 * 970 * XXXRW: Should now use au_to_socket_ex() here. 971 */ 972 #ifdef _KERNEL 973 token_t * 974 kau_to_socket(struct socket_au_info *soi) 975 { 976 token_t *t; 977 u_char *dptr; 978 u_int16_t so_type; 979 980 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) + 981 sizeof(u_int32_t) + sizeof(u_int16_t) + sizeof(u_int32_t)); 982 983 ADD_U_CHAR(dptr, AUT_SOCKET); 984 /* Coerce the socket type into a short value */ 985 so_type = soi->so_type; 986 ADD_U_INT16(dptr, so_type); 987 ADD_U_INT16(dptr, soi->so_lport); 988 ADD_U_INT32(dptr, soi->so_laddr); 989 ADD_U_INT16(dptr, soi->so_rport); 990 ADD_U_INT32(dptr, soi->so_raddr); 991 992 return (t); 993 } 994 #endif 995 996 /* 997 * token ID 1 byte 998 * socket family 2 bytes 999 * path (up to) 104 bytes + NULL (NULL terminated string) 1000 */ 1001 token_t * 1002 au_to_sock_unix(struct sockaddr_un *so) 1003 { 1004 token_t *t; 1005 u_char *dptr; 1006 1007 GET_TOKEN_AREA(t, dptr, 3 * sizeof(u_char) + strlen(so->sun_path) + 1); 1008 1009 ADD_U_CHAR(dptr, AUT_SOCKUNIX); 1010 /* BSM token has two bytes for family */ 1011 ADD_U_CHAR(dptr, 0); 1012 ADD_U_CHAR(dptr, so->sun_family); 1013 ADD_STRING(dptr, so->sun_path, strlen(so->sun_path) + 1); 1014 1015 return (t); 1016 } 1017 1018 /* 1019 * token ID 1 byte 1020 * socket family 2 bytes 1021 * local port 2 bytes 1022 * socket address 4 bytes 1023 */ 1024 token_t * 1025 au_to_sock_inet32(struct sockaddr_in *so) 1026 { 1027 token_t *t; 1028 u_char *dptr = NULL; 1029 uint16_t family; 1030 1031 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(uint16_t) + 1032 sizeof(uint32_t)); 1033 1034 ADD_U_CHAR(dptr, AUT_SOCKINET32); 1035 /* 1036 * BSM defines the family field as 16 bits, but many operating 1037 * systems have an 8-bit sin_family field. Extend to 16 bits before 1038 * writing into the token. Assume that both the port and the address 1039 * in the sockaddr_in are already in network byte order, but family 1040 * is in local byte order. 1041 * 1042 * XXXRW: Should a name space conversion be taking place on the value 1043 * of sin_family? 1044 */ 1045 family = so->sin_family; 1046 ADD_U_INT16(dptr, family); 1047 ADD_MEM(dptr, &so->sin_port, sizeof(uint16_t)); 1048 ADD_MEM(dptr, &so->sin_addr.s_addr, sizeof(uint32_t)); 1049 1050 return (t); 1051 } 1052 1053 token_t * 1054 au_to_sock_inet128(struct sockaddr_in6 *so) 1055 { 1056 token_t *t; 1057 u_char *dptr = NULL; 1058 1059 GET_TOKEN_AREA(t, dptr, 3 * sizeof(u_char) + sizeof(u_int16_t) + 1060 4 * sizeof(u_int32_t)); 1061 1062 ADD_U_CHAR(dptr, AUT_SOCKINET128); 1063 /* 1064 * In BSD, sin6_family is one octet, but BSM defines the token to 1065 * store two. So we copy in a 0 first. XXXRW: Possibly should be 1066 * conditionally compiled. 1067 */ 1068 ADD_U_CHAR(dptr, 0); 1069 ADD_U_CHAR(dptr, so->sin6_family); 1070 1071 ADD_U_INT16(dptr, so->sin6_port); 1072 ADD_MEM(dptr, &so->sin6_addr, 4 * sizeof(uint32_t)); 1073 1074 return (t); 1075 } 1076 1077 token_t * 1078 au_to_sock_inet(struct sockaddr_in *so) 1079 { 1080 1081 return (au_to_sock_inet32(so)); 1082 } 1083 1084 /* 1085 * token ID 1 byte 1086 * audit ID 4 bytes 1087 * effective user ID 4 bytes 1088 * effective group ID 4 bytes 1089 * real user ID 4 bytes 1090 * real group ID 4 bytes 1091 * process ID 4 bytes 1092 * session ID 4 bytes 1093 * terminal ID 1094 * port ID 4 bytes/8 bytes (32-bit/64-bit value) 1095 * machine address 4 bytes 1096 */ 1097 token_t * 1098 au_to_subject32(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, 1099 pid_t pid, au_asid_t sid, au_tid_t *tid) 1100 { 1101 token_t *t; 1102 u_char *dptr = NULL; 1103 1104 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 9 * sizeof(u_int32_t)); 1105 1106 ADD_U_CHAR(dptr, AUT_SUBJECT32); 1107 ADD_U_INT32(dptr, auid); 1108 ADD_U_INT32(dptr, euid); 1109 ADD_U_INT32(dptr, egid); 1110 ADD_U_INT32(dptr, ruid); 1111 ADD_U_INT32(dptr, rgid); 1112 ADD_U_INT32(dptr, pid); 1113 ADD_U_INT32(dptr, sid); 1114 ADD_U_INT32(dptr, tid->port); 1115 ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t)); 1116 1117 return (t); 1118 } 1119 1120 token_t * 1121 au_to_subject64(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, 1122 pid_t pid, au_asid_t sid, au_tid_t *tid) 1123 { 1124 token_t *t; 1125 u_char *dptr = NULL; 1126 1127 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 7 * sizeof(u_int32_t) + 1128 sizeof(u_int64_t) + sizeof(u_int32_t)); 1129 1130 ADD_U_CHAR(dptr, AUT_SUBJECT64); 1131 ADD_U_INT32(dptr, auid); 1132 ADD_U_INT32(dptr, euid); 1133 ADD_U_INT32(dptr, egid); 1134 ADD_U_INT32(dptr, ruid); 1135 ADD_U_INT32(dptr, rgid); 1136 ADD_U_INT32(dptr, pid); 1137 ADD_U_INT32(dptr, sid); 1138 ADD_U_INT64(dptr, tid->port); 1139 ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t)); 1140 1141 return (t); 1142 } 1143 1144 token_t * 1145 au_to_subject(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, 1146 pid_t pid, au_asid_t sid, au_tid_t *tid) 1147 { 1148 1149 return (au_to_subject32(auid, euid, egid, ruid, rgid, pid, sid, 1150 tid)); 1151 } 1152 1153 /* 1154 * token ID 1 byte 1155 * audit ID 4 bytes 1156 * effective user ID 4 bytes 1157 * effective group ID 4 bytes 1158 * real user ID 4 bytes 1159 * real group ID 4 bytes 1160 * process ID 4 bytes 1161 * session ID 4 bytes 1162 * terminal ID 1163 * port ID 4 bytes/8 bytes (32-bit/64-bit value) 1164 * address type/length 4 bytes 1165 * machine address 16 bytes 1166 */ 1167 token_t * 1168 au_to_subject32_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, 1169 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid) 1170 { 1171 token_t *t; 1172 u_char *dptr = NULL; 1173 1174 KASSERT((tid->at_type == AU_IPv4) || (tid->at_type == AU_IPv6), 1175 ("au_to_subject32_ex: type %u", (unsigned int)tid->at_type)); 1176 1177 if (tid->at_type == AU_IPv4) 1178 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 10 * 1179 sizeof(u_int32_t)); 1180 else 1181 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 13 * 1182 sizeof(u_int32_t)); 1183 1184 ADD_U_CHAR(dptr, AUT_SUBJECT32_EX); 1185 ADD_U_INT32(dptr, auid); 1186 ADD_U_INT32(dptr, euid); 1187 ADD_U_INT32(dptr, egid); 1188 ADD_U_INT32(dptr, ruid); 1189 ADD_U_INT32(dptr, rgid); 1190 ADD_U_INT32(dptr, pid); 1191 ADD_U_INT32(dptr, sid); 1192 ADD_U_INT32(dptr, tid->at_port); 1193 ADD_U_INT32(dptr, tid->at_type); 1194 if (tid->at_type == AU_IPv6) 1195 ADD_MEM(dptr, &tid->at_addr[0], 4 * sizeof(u_int32_t)); 1196 else 1197 ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t)); 1198 1199 return (t); 1200 } 1201 1202 token_t * 1203 au_to_subject64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, 1204 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid) 1205 { 1206 token_t *t; 1207 u_char *dptr = NULL; 1208 1209 KASSERT((tid->at_type == AU_IPv4) || (tid->at_type == AU_IPv6), 1210 ("au_to_subject64_ex: type %u", (unsigned int)tid->at_type)); 1211 1212 if (tid->at_type == AU_IPv4) 1213 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 1214 7 * sizeof(u_int32_t) + sizeof(u_int64_t) + 1215 2 * sizeof(u_int32_t)); 1216 else 1217 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 1218 7 * sizeof(u_int32_t) + sizeof(u_int64_t) + 1219 5 * sizeof(u_int32_t)); 1220 1221 ADD_U_CHAR(dptr, AUT_SUBJECT64_EX); 1222 ADD_U_INT32(dptr, auid); 1223 ADD_U_INT32(dptr, euid); 1224 ADD_U_INT32(dptr, egid); 1225 ADD_U_INT32(dptr, ruid); 1226 ADD_U_INT32(dptr, rgid); 1227 ADD_U_INT32(dptr, pid); 1228 ADD_U_INT32(dptr, sid); 1229 ADD_U_INT64(dptr, tid->at_port); 1230 ADD_U_INT32(dptr, tid->at_type); 1231 if (tid->at_type == AU_IPv6) 1232 ADD_MEM(dptr, &tid->at_addr[0], 4 * sizeof(u_int32_t)); 1233 else 1234 ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t)); 1235 1236 return (t); 1237 } 1238 1239 token_t * 1240 au_to_subject_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, 1241 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid) 1242 { 1243 1244 return (au_to_subject32_ex(auid, euid, egid, ruid, rgid, pid, sid, 1245 tid)); 1246 } 1247 1248 #if !defined(_KERNEL) && !defined(KERNEL) && defined(HAVE_AUDIT_SYSCALLS) 1249 /* 1250 * Collects audit information for the current process and creates a subject 1251 * token from it. 1252 */ 1253 token_t * 1254 au_to_me(void) 1255 { 1256 auditinfo_t auinfo; 1257 auditinfo_addr_t aia; 1258 1259 /* 1260 * Try to use getaudit_addr(2) first. If this kernel does not support 1261 * it, then fall back on to getaudit(2). 1262 */ 1263 if (getaudit_addr(&aia, sizeof(aia)) != 0) { 1264 if (errno == ENOSYS) { 1265 if (getaudit(&auinfo) != 0) 1266 return (NULL); 1267 return (au_to_subject32(auinfo.ai_auid, geteuid(), 1268 getegid(), getuid(), getgid(), getpid(), 1269 auinfo.ai_asid, &auinfo.ai_termid)); 1270 } else { 1271 /* getaudit_addr(2) failed for some other reason. */ 1272 return (NULL); 1273 } 1274 } 1275 1276 return (au_to_subject32_ex(aia.ai_auid, geteuid(), getegid(), getuid(), 1277 getgid(), getpid(), aia.ai_asid, &aia.ai_termid)); 1278 } 1279 #endif 1280 1281 #if defined(_KERNEL) || defined(KERNEL) 1282 static token_t * 1283 au_to_exec_strings(char *strs, int count, u_char type) 1284 { 1285 token_t *t; 1286 u_char *dptr = NULL; 1287 u_int32_t totlen; 1288 int ctr; 1289 char *p; 1290 1291 totlen = 0; 1292 ctr = count; 1293 p = strs; 1294 while (ctr-- > 0) { 1295 totlen += strlen(p) + 1; 1296 p = strs + totlen; 1297 } 1298 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + totlen); 1299 ADD_U_CHAR(dptr, type); 1300 ADD_U_INT32(dptr, count); 1301 ADD_STRING(dptr, strs, totlen); 1302 1303 return (t); 1304 } 1305 1306 /* 1307 * token ID 1 byte 1308 * count 4 bytes 1309 * text count null-terminated strings 1310 */ 1311 token_t * 1312 au_to_exec_args(char *args, int argc) 1313 { 1314 1315 return (au_to_exec_strings(args, argc, AUT_EXEC_ARGS)); 1316 } 1317 1318 /* 1319 * token ID 1 byte 1320 * count 4 bytes 1321 * text count null-terminated strings 1322 */ 1323 token_t * 1324 au_to_exec_env(char *envs, int envc) 1325 { 1326 1327 return (au_to_exec_strings(envs, envc, AUT_EXEC_ENV)); 1328 } 1329 #else 1330 /* 1331 * token ID 1 byte 1332 * count 4 bytes 1333 * text count null-terminated strings 1334 */ 1335 token_t * 1336 au_to_exec_args(char **argv) 1337 { 1338 token_t *t; 1339 u_char *dptr = NULL; 1340 const char *nextarg; 1341 int i, count = 0; 1342 size_t totlen = 0; 1343 1344 nextarg = *argv; 1345 1346 while (nextarg != NULL) { 1347 int nextlen; 1348 1349 nextlen = strlen(nextarg); 1350 totlen += nextlen + 1; 1351 count++; 1352 nextarg = *(argv + count); 1353 } 1354 1355 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + totlen); 1356 1357 ADD_U_CHAR(dptr, AUT_EXEC_ARGS); 1358 ADD_U_INT32(dptr, count); 1359 1360 for (i = 0; i < count; i++) { 1361 nextarg = *(argv + i); 1362 ADD_MEM(dptr, nextarg, strlen(nextarg) + 1); 1363 } 1364 1365 return (t); 1366 } 1367 1368 /* 1369 * token ID 1 byte 1370 * count 4 bytes 1371 * text count null-terminated strings 1372 */ 1373 token_t * 1374 au_to_exec_env(char **envp) 1375 { 1376 token_t *t; 1377 u_char *dptr = NULL; 1378 int i, count = 0; 1379 size_t totlen = 0; 1380 const char *nextenv; 1381 1382 nextenv = *envp; 1383 1384 while (nextenv != NULL) { 1385 int nextlen; 1386 1387 nextlen = strlen(nextenv); 1388 totlen += nextlen + 1; 1389 count++; 1390 nextenv = *(envp + count); 1391 } 1392 1393 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + totlen); 1394 1395 ADD_U_CHAR(dptr, AUT_EXEC_ENV); 1396 ADD_U_INT32(dptr, count); 1397 1398 for (i = 0; i < count; i++) { 1399 nextenv = *(envp + i); 1400 ADD_MEM(dptr, nextenv, strlen(nextenv) + 1); 1401 } 1402 1403 return (t); 1404 } 1405 #endif 1406 1407 /* 1408 * token ID 1 byte 1409 * zonename length 2 bytes 1410 * zonename N bytes + 1 terminating NULL byte 1411 */ 1412 token_t * 1413 au_to_zonename(const char *zonename) 1414 { 1415 u_char *dptr = NULL; 1416 u_int16_t textlen; 1417 token_t *t; 1418 1419 textlen = strlen(zonename) + 1; 1420 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + textlen); 1421 1422 ADD_U_CHAR(dptr, AUT_ZONENAME); 1423 ADD_U_INT16(dptr, textlen); 1424 ADD_STRING(dptr, zonename, textlen); 1425 return (t); 1426 } 1427 1428 /* 1429 * token ID 1 byte 1430 * record byte count 4 bytes 1431 * version # 1 byte [2] 1432 * event type 2 bytes 1433 * event modifier 2 bytes 1434 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value) 1435 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value) 1436 */ 1437 token_t * 1438 au_to_header32_tm(int rec_size, au_event_t e_type, au_emod_t e_mod, 1439 struct timeval tm) 1440 { 1441 token_t *t; 1442 u_char *dptr = NULL; 1443 u_int32_t timems; 1444 1445 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + 1446 sizeof(u_char) + 2 * sizeof(u_int16_t) + 2 * sizeof(u_int32_t)); 1447 1448 ADD_U_CHAR(dptr, AUT_HEADER32); 1449 ADD_U_INT32(dptr, rec_size); 1450 ADD_U_CHAR(dptr, AUDIT_HEADER_VERSION_OPENBSM); 1451 ADD_U_INT16(dptr, e_type); 1452 ADD_U_INT16(dptr, e_mod); 1453 1454 timems = tm.tv_usec/1000; 1455 /* Add the timestamp */ 1456 ADD_U_INT32(dptr, tm.tv_sec); 1457 ADD_U_INT32(dptr, timems); /* We need time in ms. */ 1458 1459 return (t); 1460 } 1461 1462 /* 1463 * token ID 1 byte 1464 * record byte count 4 bytes 1465 * version # 1 byte [2] 1466 * event type 2 bytes 1467 * event modifier 2 bytes 1468 * address type/length 4 bytes 1469 * machine address 4 bytes/16 bytes (IPv4/IPv6 address) 1470 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value) 1471 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value) 1472 */ 1473 token_t * 1474 au_to_header32_ex_tm(int rec_size, au_event_t e_type, au_emod_t e_mod, 1475 struct timeval tm, struct auditinfo_addr *aia) 1476 { 1477 token_t *t; 1478 u_char *dptr = NULL; 1479 u_int32_t timems; 1480 au_tid_addr_t *tid; 1481 1482 tid = &aia->ai_termid; 1483 KASSERT(tid->at_type == AU_IPv4 || tid->at_type == AU_IPv6, 1484 ("au_to_header32_ex_tm: invalid address family")); 1485 1486 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + 1487 sizeof(u_char) + 2 * sizeof(u_int16_t) + 3 * 1488 sizeof(u_int32_t) + tid->at_type); 1489 1490 ADD_U_CHAR(dptr, AUT_HEADER32_EX); 1491 ADD_U_INT32(dptr, rec_size); 1492 ADD_U_CHAR(dptr, AUDIT_HEADER_VERSION_OPENBSM); 1493 ADD_U_INT16(dptr, e_type); 1494 ADD_U_INT16(dptr, e_mod); 1495 1496 ADD_U_INT32(dptr, tid->at_type); 1497 if (tid->at_type == AU_IPv6) 1498 ADD_MEM(dptr, &tid->at_addr[0], 4 * sizeof(u_int32_t)); 1499 else 1500 ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t)); 1501 timems = tm.tv_usec/1000; 1502 /* Add the timestamp */ 1503 ADD_U_INT32(dptr, tm.tv_sec); 1504 ADD_U_INT32(dptr, timems); /* We need time in ms. */ 1505 1506 return (t); 1507 } 1508 1509 token_t * 1510 au_to_header64_tm(int rec_size, au_event_t e_type, au_emod_t e_mod, 1511 struct timeval tm) 1512 { 1513 token_t *t; 1514 u_char *dptr = NULL; 1515 u_int32_t timems; 1516 1517 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + 1518 sizeof(u_char) + 2 * sizeof(u_int16_t) + 2 * sizeof(u_int64_t)); 1519 1520 ADD_U_CHAR(dptr, AUT_HEADER64); 1521 ADD_U_INT32(dptr, rec_size); 1522 ADD_U_CHAR(dptr, AUDIT_HEADER_VERSION_OPENBSM); 1523 ADD_U_INT16(dptr, e_type); 1524 ADD_U_INT16(dptr, e_mod); 1525 1526 timems = tm.tv_usec/1000; 1527 /* Add the timestamp */ 1528 ADD_U_INT64(dptr, tm.tv_sec); 1529 ADD_U_INT64(dptr, timems); /* We need time in ms. */ 1530 1531 return (t); 1532 } 1533 1534 #if !defined(KERNEL) && !defined(_KERNEL) 1535 #ifdef HAVE_AUDIT_SYSCALLS 1536 token_t * 1537 au_to_header32_ex(int rec_size, au_event_t e_type, au_emod_t e_mod) 1538 { 1539 struct timeval tm; 1540 struct auditinfo_addr aia; 1541 1542 if (gettimeofday(&tm, NULL) == -1) 1543 return (NULL); 1544 if (audit_get_kaudit(&aia, sizeof(aia)) != 0) { 1545 if (errno != ENOSYS) 1546 return (NULL); 1547 return (au_to_header32_tm(rec_size, e_type, e_mod, tm)); 1548 } 1549 return (au_to_header32_ex_tm(rec_size, e_type, e_mod, tm, &aia)); 1550 } 1551 #endif /* HAVE_AUDIT_SYSCALLS */ 1552 1553 token_t * 1554 au_to_header32(int rec_size, au_event_t e_type, au_emod_t e_mod) 1555 { 1556 struct timeval tm; 1557 1558 if (gettimeofday(&tm, NULL) == -1) 1559 return (NULL); 1560 return (au_to_header32_tm(rec_size, e_type, e_mod, tm)); 1561 } 1562 1563 token_t * 1564 au_to_header64(__unused int rec_size, __unused au_event_t e_type, 1565 __unused au_emod_t e_mod) 1566 { 1567 struct timeval tm; 1568 1569 if (gettimeofday(&tm, NULL) == -1) 1570 return (NULL); 1571 return (au_to_header64_tm(rec_size, e_type, e_mod, tm)); 1572 } 1573 1574 token_t * 1575 au_to_header(int rec_size, au_event_t e_type, au_emod_t e_mod) 1576 { 1577 1578 return (au_to_header32(rec_size, e_type, e_mod)); 1579 } 1580 1581 #ifdef HAVE_AUDIT_SYSCALLS 1582 token_t * 1583 au_to_header_ex(int rec_size, au_event_t e_type, au_emod_t e_mod) 1584 { 1585 1586 return (au_to_header32_ex(rec_size, e_type, e_mod)); 1587 } 1588 #endif /* HAVE_AUDIT_SYSCALLS */ 1589 #endif /* !defined(KERNEL) && !defined(_KERNEL) */ 1590 1591 /* 1592 * token ID 1 byte 1593 * trailer magic number 2 bytes 1594 * record byte count 4 bytes 1595 */ 1596 token_t * 1597 au_to_trailer(int rec_size) 1598 { 1599 token_t *t; 1600 u_char *dptr = NULL; 1601 u_int16_t magic = AUT_TRAILER_MAGIC; 1602 1603 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + 1604 sizeof(u_int32_t)); 1605 1606 ADD_U_CHAR(dptr, AUT_TRAILER); 1607 ADD_U_INT16(dptr, magic); 1608 ADD_U_INT32(dptr, rec_size); 1609 1610 return (t); 1611 } 1612