xref: /freebsd/sys/security/audit/bsm_token.c (revision faf25f48d601ae39f5752602f3020e2e92605625)
1 /*-
2  * SPDX-License-Identifier: BSD-3-Clause
3  *
4  * Copyright (c) 2004-2009 Apple Inc.
5  * Copyright (c) 2005 SPARTA, Inc.
6  * All rights reserved.
7  *
8  * This code was developed in part by Robert N. M. Watson, Senior Principal
9  * Scientist, SPARTA, Inc.
10  *
11  * Redistribution and use in source and binary forms, with or without
12  * modification, are permitted provided that the following conditions
13  * are met:
14  * 1.  Redistributions of source code must retain the above copyright
15  *     notice, this list of conditions and the following disclaimer.
16  * 2.  Redistributions in binary form must reproduce the above copyright
17  *     notice, this list of conditions and the following disclaimer in the
18  *     documentation and/or other materials provided with the distribution.
19  * 3.  Neither the name of Apple Inc. ("Apple") nor the names of
20  *     its contributors may be used to endorse or promote products derived
21  *     from this software without specific prior written permission.
22  *
23  * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
24  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26  * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
27  * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
31  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
32  * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
33  * POSSIBILITY OF SUCH DAMAGE.
34  */
35 
36 #include <sys/cdefs.h>
37 __FBSDID("$FreeBSD$");
38 
39 #include <sys/param.h>
40 #include <sys/types.h>
41 #include <sys/endian.h>
42 #include <sys/queue.h>
43 #include <sys/socket.h>
44 #include <sys/time.h>
45 
46 #include <sys/ipc.h>
47 #include <sys/libkern.h>
48 #include <sys/malloc.h>
49 #include <sys/un.h>
50 
51 #include <netinet/in.h>
52 #include <netinet/in_systm.h>
53 #include <netinet/ip.h>
54 
55 #include <bsm/audit.h>
56 #include <bsm/audit_internal.h>
57 #include <bsm/audit_record.h>
58 #include <security/audit/audit.h>
59 #include <security/audit/audit_private.h>
60 
61 #define	GET_TOKEN_AREA(t, dptr, length) do {				\
62 	t = malloc(sizeof(token_t), M_AUDITBSM, M_WAITOK);		\
63 	t->t_data = malloc(length, M_AUDITBSM, M_WAITOK | M_ZERO);	\
64 	t->len = length;						\
65 	dptr = t->t_data;						\
66 } while (0)
67 
68 /*
69  * token ID                1 byte
70  * success/failure         1 byte
71  * privstrlen              2 bytes
72  * privstr                 N bytes + 1 (\0 byte)
73  */
74 token_t *
75 au_to_upriv(char sorf, char *priv)
76 {
77 	u_int16_t textlen;
78 	u_char *dptr;
79 	token_t *t;
80 
81 	textlen = strlen(priv) + 1;
82 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_char) +
83 	    sizeof(u_int16_t) + textlen);
84 
85 	ADD_U_CHAR(dptr, AUT_UPRIV);
86 	ADD_U_CHAR(dptr, sorf);
87 	ADD_U_INT16(dptr, textlen);
88 	ADD_STRING(dptr, priv, textlen);
89 	return (t);
90 }
91 
92 /*
93  * token ID		1 byte
94  * privtstrlen		2 bytes
95  * privtstr		N bytes + 1
96  * privstrlen		2 bytes
97  * privstr		N bytes + 1
98  */
99 token_t *
100 au_to_privset(char *privtypestr, char *privstr)
101 {
102 	u_int16_t	 type_len, priv_len;
103 	u_char		*dptr;
104 	token_t		*t;
105 
106 	type_len = strlen(privtypestr) + 1;
107 	priv_len = strlen(privstr) + 1;
108 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) +
109 	    sizeof(u_int16_t) + type_len + priv_len);
110 
111 	ADD_U_CHAR(dptr, AUT_PRIV);
112 	ADD_U_INT16(dptr, type_len);
113 	ADD_STRING(dptr, privtypestr, type_len);
114 	ADD_U_INT16(dptr, priv_len);
115 	ADD_STRING(dptr, privstr, priv_len);
116 	return (t);
117 }
118 
119 /*
120  * token ID                1 byte
121  * argument #              1 byte
122  * argument value          4 bytes/8 bytes (32-bit/64-bit value)
123  * text length             2 bytes
124  * text                    N bytes + 1 terminating NULL byte
125  */
126 token_t *
127 au_to_arg32(char n, const char *text, u_int32_t v)
128 {
129 	token_t *t;
130 	u_char *dptr = NULL;
131 	u_int16_t textlen;
132 
133 	textlen = strlen(text);
134 	textlen += 1;
135 
136 	GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int32_t) +
137 	    sizeof(u_int16_t) + textlen);
138 
139 	ADD_U_CHAR(dptr, AUT_ARG32);
140 	ADD_U_CHAR(dptr, n);
141 	ADD_U_INT32(dptr, v);
142 	ADD_U_INT16(dptr, textlen);
143 	ADD_STRING(dptr, text, textlen);
144 
145 	return (t);
146 }
147 
148 token_t *
149 au_to_arg64(char n, const char *text, u_int64_t v)
150 {
151 	token_t *t;
152 	u_char *dptr = NULL;
153 	u_int16_t textlen;
154 
155 	textlen = strlen(text);
156 	textlen += 1;
157 
158 	GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int64_t) +
159 	    sizeof(u_int16_t) + textlen);
160 
161 	ADD_U_CHAR(dptr, AUT_ARG64);
162 	ADD_U_CHAR(dptr, n);
163 	ADD_U_INT64(dptr, v);
164 	ADD_U_INT16(dptr, textlen);
165 	ADD_STRING(dptr, text, textlen);
166 
167 	return (t);
168 }
169 
170 token_t *
171 au_to_arg(char n, const char *text, u_int32_t v)
172 {
173 
174 	return (au_to_arg32(n, text, v));
175 }
176 
177 #if defined(_KERNEL) || defined(KERNEL)
178 /*
179  * token ID                1 byte
180  * file access mode        4 bytes
181  * owner user ID           4 bytes
182  * owner group ID          4 bytes
183  * file system ID          4 bytes
184  * node ID                 8 bytes
185  * device                  4 bytes/8 bytes (32-bit/64-bit)
186  */
187 token_t *
188 au_to_attr32(struct vnode_au_info *vni)
189 {
190 	token_t *t;
191 	u_char *dptr = NULL;
192 	u_int16_t pad0_16 = 0;
193 	u_int32_t pad0_32 = 0;
194 
195 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) +
196 	    3 * sizeof(u_int32_t) + sizeof(u_int64_t) + sizeof(u_int32_t));
197 
198 	ADD_U_CHAR(dptr, AUT_ATTR32);
199 
200 	/*
201 	 * BSD defines the size for the file mode as 2 bytes; BSM defines 4
202 	 * so pad with 0.
203 	 *
204 	 * XXXRW: Possibly should be conditionally compiled.
205 	 *
206 	 * XXXRW: Should any conversions take place on the mode?
207 	 */
208 	ADD_U_INT16(dptr, pad0_16);
209 	ADD_U_INT16(dptr, vni->vn_mode);
210 
211 	ADD_U_INT32(dptr, vni->vn_uid);
212 	ADD_U_INT32(dptr, vni->vn_gid);
213 	ADD_U_INT32(dptr, vni->vn_fsid);
214 
215 	/*
216 	 * Some systems use 32-bit file ID's, others use 64-bit file IDs.
217 	 * Attempt to handle both, and let the compiler sort it out.  If we
218 	 * could pick this out at compile-time, it would be better, so as to
219 	 * avoid the else case below.
220 	 */
221 	if (sizeof(vni->vn_fileid) == sizeof(uint32_t)) {
222 		ADD_U_INT32(dptr, pad0_32);
223 		ADD_U_INT32(dptr, vni->vn_fileid);
224 	} else if (sizeof(vni->vn_fileid) == sizeof(uint64_t))
225 		ADD_U_INT64(dptr, vni->vn_fileid);
226 	else
227 		ADD_U_INT64(dptr, 0LL);
228 
229 	ADD_U_INT32(dptr, vni->vn_dev);
230 
231 	return (t);
232 }
233 
234 token_t *
235 au_to_attr64(struct vnode_au_info *vni)
236 {
237 	token_t *t;
238 	u_char *dptr = NULL;
239 	u_int16_t pad0_16 = 0;
240 	u_int32_t pad0_32 = 0;
241 
242 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) +
243 	    3 * sizeof(u_int32_t) + sizeof(u_int64_t) * 2);
244 
245 	ADD_U_CHAR(dptr, AUT_ATTR64);
246 
247 	/*
248 	 * BSD defines the size for the file mode as 2 bytes; BSM defines 4
249 	 * so pad with 0.
250 	 *
251 	 * XXXRW: Possibly should be conditionally compiled.
252 	 *
253 	 * XXXRW: Should any conversions take place on the mode?
254 	 */
255 	ADD_U_INT16(dptr, pad0_16);
256 	ADD_U_INT16(dptr, vni->vn_mode);
257 
258 	ADD_U_INT32(dptr, vni->vn_uid);
259 	ADD_U_INT32(dptr, vni->vn_gid);
260 	ADD_U_INT32(dptr, vni->vn_fsid);
261 
262 	/*
263 	 * Some systems use 32-bit file ID's, other's use 64-bit file IDs.
264 	 * Attempt to handle both, and let the compiler sort it out.  If we
265 	 * could pick this out at compile-time, it would be better, so as to
266 	 * avoid the else case below.
267 	 */
268 	if (sizeof(vni->vn_fileid) == sizeof(uint32_t)) {
269 		ADD_U_INT32(dptr, pad0_32);
270 		ADD_U_INT32(dptr, vni->vn_fileid);
271 	} else if (sizeof(vni->vn_fileid) == sizeof(uint64_t))
272 		ADD_U_INT64(dptr, vni->vn_fileid);
273 	else
274 		ADD_U_INT64(dptr, 0LL);
275 
276 	ADD_U_INT64(dptr, vni->vn_dev);
277 
278 	return (t);
279 }
280 
281 token_t *
282 au_to_attr(struct vnode_au_info *vni)
283 {
284 
285 	return (au_to_attr32(vni));
286 }
287 #endif /* !(defined(_KERNEL) || defined(KERNEL) */
288 
289 /*
290  * token ID                1 byte
291  * how to print            1 byte
292  * basic unit              1 byte
293  * unit count              1 byte
294  * data items              (depends on basic unit)
295  */
296 token_t *
297 au_to_data(char unit_print, char unit_type, char unit_count, const char *p)
298 {
299 	token_t *t;
300 	u_char *dptr = NULL;
301 	size_t datasize, totdata;
302 
303 	/* Determine the size of the basic unit. */
304 	switch (unit_type) {
305 	case AUR_BYTE:
306 	/* case AUR_CHAR: */
307 		datasize = AUR_BYTE_SIZE;
308 		break;
309 
310 	case AUR_SHORT:
311 		datasize = AUR_SHORT_SIZE;
312 		break;
313 
314 	case AUR_INT32:
315 	/* case AUR_INT: */
316 		datasize = AUR_INT32_SIZE;
317 		break;
318 
319 	case AUR_INT64:
320 		datasize = AUR_INT64_SIZE;
321 		break;
322 
323 	default:
324 		return (NULL);
325 	}
326 
327 	totdata = datasize * unit_count;
328 
329 	GET_TOKEN_AREA(t, dptr, 4 * sizeof(u_char) + totdata);
330 
331 	/*
332 	 * XXXRW: We should be byte-swapping each data item for multi-byte
333 	 * types.
334 	 */
335 	ADD_U_CHAR(dptr, AUT_DATA);
336 	ADD_U_CHAR(dptr, unit_print);
337 	ADD_U_CHAR(dptr, unit_type);
338 	ADD_U_CHAR(dptr, unit_count);
339 	ADD_MEM(dptr, p, totdata);
340 
341 	return (t);
342 }
343 
344 /*
345  * token ID                1 byte
346  * status		   4 bytes
347  * return value            4 bytes
348  */
349 token_t *
350 au_to_exit(int retval, int err)
351 {
352 	token_t *t;
353 	u_char *dptr = NULL;
354 
355 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int32_t));
356 
357 	ADD_U_CHAR(dptr, AUT_EXIT);
358 	ADD_U_INT32(dptr, err);
359 	ADD_U_INT32(dptr, retval);
360 
361 	return (t);
362 }
363 
364 /*
365  */
366 token_t *
367 au_to_groups(int *groups)
368 {
369 
370 	return (au_to_newgroups(AUDIT_MAX_GROUPS, (gid_t *)groups));
371 }
372 
373 /*
374  * token ID                1 byte
375  * number groups           2 bytes
376  * group list              count * 4 bytes
377  */
378 token_t *
379 au_to_newgroups(u_int16_t n, gid_t *groups)
380 {
381 	token_t *t;
382 	u_char *dptr = NULL;
383 	int i;
384 
385 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) +
386 	    n * sizeof(u_int32_t));
387 
388 	ADD_U_CHAR(dptr, AUT_NEWGROUPS);
389 	ADD_U_INT16(dptr, n);
390 	for (i = 0; i < n; i++)
391 		ADD_U_INT32(dptr, groups[i]);
392 
393 	return (t);
394 }
395 
396 /*
397  * token ID                1 byte
398  * internet address        4 bytes
399  */
400 token_t *
401 au_to_in_addr(struct in_addr *internet_addr)
402 {
403 	token_t *t;
404 	u_char *dptr = NULL;
405 
406 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(uint32_t));
407 
408 	ADD_U_CHAR(dptr, AUT_IN_ADDR);
409 	ADD_MEM(dptr, &internet_addr->s_addr, sizeof(uint32_t));
410 
411 	return (t);
412 }
413 
414 /*
415  * token ID                1 byte
416  * address type/length     4 bytes
417  * address                16 bytes
418  */
419 token_t *
420 au_to_in_addr_ex(struct in6_addr *internet_addr)
421 {
422 	token_t *t;
423 	u_char *dptr = NULL;
424 	u_int32_t type = AU_IPv6;
425 
426 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 5 * sizeof(uint32_t));
427 
428 	ADD_U_CHAR(dptr, AUT_IN_ADDR_EX);
429 	ADD_U_INT32(dptr, type);
430 	ADD_MEM(dptr, internet_addr, 4 * sizeof(uint32_t));
431 
432 	return (t);
433 }
434 
435 /*
436  * token ID                1 byte
437  * ip header		   20 bytes
438  *
439  * The IP header should be submitted in network byte order.
440  */
441 token_t *
442 au_to_ip(struct ip *ip)
443 {
444 	token_t *t;
445 	u_char *dptr = NULL;
446 
447 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(struct ip));
448 
449 	ADD_U_CHAR(dptr, AUT_IP);
450 	ADD_MEM(dptr, ip, sizeof(struct ip));
451 
452 	return (t);
453 }
454 
455 /*
456  * token ID                1 byte
457  * object ID type          1 byte
458  * object ID               4 bytes
459  */
460 token_t *
461 au_to_ipc(char type, int id)
462 {
463 	token_t *t;
464 	u_char *dptr = NULL;
465 
466 	GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int32_t));
467 
468 	ADD_U_CHAR(dptr, AUT_IPC);
469 	ADD_U_CHAR(dptr, type);
470 	ADD_U_INT32(dptr, id);
471 
472 	return (t);
473 }
474 
475 /*
476  * token ID                1 byte
477  * owner user ID           4 bytes
478  * owner group ID          4 bytes
479  * creator user ID         4 bytes
480  * creator group ID        4 bytes
481  * access mode             4 bytes
482  * slot sequence #         4 bytes
483  * key                     4 bytes
484  */
485 token_t *
486 au_to_ipc_perm(struct ipc_perm *perm)
487 {
488 	token_t *t;
489 	u_char *dptr = NULL;
490 	u_int16_t pad0 = 0;
491 
492 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 12 * sizeof(u_int16_t) +
493 	    sizeof(u_int32_t));
494 
495 	ADD_U_CHAR(dptr, AUT_IPC_PERM);
496 
497 	/*
498 	 * Systems vary significantly in what types they use in struct
499 	 * ipc_perm; at least a few still use 16-bit uid's and gid's, so
500 	 * allow for that, as BSM define 32-bit values here.
501 	 * Some systems define the sizes for ipc_perm members as 2 bytes;
502 	 * BSM defines 4 so pad with 0.
503 	 *
504 	 * XXXRW: Possibly shoulid be conditionally compiled, and more cases
505 	 * need to be handled.
506 	 */
507 	if (sizeof(perm->uid) != sizeof(u_int32_t)) {
508 		ADD_U_INT16(dptr, pad0);
509 		ADD_U_INT16(dptr, perm->uid);
510 		ADD_U_INT16(dptr, pad0);
511 		ADD_U_INT16(dptr, perm->gid);
512 		ADD_U_INT16(dptr, pad0);
513 		ADD_U_INT16(dptr, perm->cuid);
514 		ADD_U_INT16(dptr, pad0);
515 		ADD_U_INT16(dptr, perm->cgid);
516 	} else {
517 		ADD_U_INT32(dptr, perm->uid);
518 		ADD_U_INT32(dptr, perm->gid);
519 		ADD_U_INT32(dptr, perm->cuid);
520 		ADD_U_INT32(dptr, perm->cgid);
521 	}
522 
523 	ADD_U_INT16(dptr, pad0);
524 	ADD_U_INT16(dptr, perm->mode);
525 
526 	ADD_U_INT16(dptr, pad0);
527 
528 	ADD_U_INT16(dptr, perm->seq);
529 
530 	ADD_U_INT32(dptr, perm->key);
531 
532 	return (t);
533 }
534 
535 /*
536  * token ID                1 byte
537  * port IP address         2 bytes
538  */
539 token_t *
540 au_to_iport(u_int16_t iport)
541 {
542 	token_t *t;
543 	u_char *dptr = NULL;
544 
545 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t));
546 
547 	ADD_U_CHAR(dptr, AUT_IPORT);
548 	ADD_U_INT16(dptr, iport);
549 
550 	return (t);
551 }
552 
553 /*
554  * token ID                1 byte
555  * size                    2 bytes
556  * data                    size bytes
557  */
558 token_t *
559 au_to_opaque(const char *data, u_int16_t bytes)
560 {
561 	token_t *t;
562 	u_char *dptr = NULL;
563 
564 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + bytes);
565 
566 	ADD_U_CHAR(dptr, AUT_OPAQUE);
567 	ADD_U_INT16(dptr, bytes);
568 	ADD_MEM(dptr, data, bytes);
569 
570 	return (t);
571 }
572 
573 /*
574  * token ID                1 byte
575  * seconds of time         4 bytes
576  * milliseconds of time    4 bytes
577  * file name len           2 bytes
578  * file pathname           N bytes + 1 terminating NULL byte
579  */
580 token_t *
581 au_to_file(const char *file, struct timeval tm)
582 {
583 	token_t *t;
584 	u_char *dptr = NULL;
585 	u_int16_t filelen;
586 	u_int32_t timems;
587 
588 	filelen = strlen(file);
589 	filelen += 1;
590 
591 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int32_t) +
592 	    sizeof(u_int16_t) + filelen);
593 
594 	timems = tm.tv_usec/1000;
595 
596 	ADD_U_CHAR(dptr, AUT_OTHER_FILE32);
597 	ADD_U_INT32(dptr, tm.tv_sec);
598 	ADD_U_INT32(dptr, timems);	/* We need time in ms. */
599 	ADD_U_INT16(dptr, filelen);
600 	ADD_STRING(dptr, file, filelen);
601 
602 	return (t);
603 }
604 
605 /*
606  * token ID                1 byte
607  * text length             2 bytes
608  * text                    N bytes + 1 terminating NULL byte
609  */
610 token_t *
611 au_to_text(const char *text)
612 {
613 	token_t *t;
614 	u_char *dptr = NULL;
615 	u_int16_t textlen;
616 
617 	textlen = strlen(text);
618 	textlen += 1;
619 
620 	/* XXXRW: Should validate length against token size limit. */
621 
622 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + textlen);
623 
624 	ADD_U_CHAR(dptr, AUT_TEXT);
625 	ADD_U_INT16(dptr, textlen);
626 	ADD_STRING(dptr, text, textlen);
627 
628 	return (t);
629 }
630 
631 /*
632  * token ID                1 byte
633  * path length             2 bytes
634  * path                    N bytes + 1 terminating NULL byte
635  */
636 token_t *
637 au_to_path(const char *text)
638 {
639 	token_t *t;
640 	u_char *dptr = NULL;
641 	u_int16_t textlen;
642 
643 	textlen = strlen(text);
644 	textlen += 1;
645 
646 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + textlen);
647 
648 	ADD_U_CHAR(dptr, AUT_PATH);
649 	ADD_U_INT16(dptr, textlen);
650 	ADD_STRING(dptr, text, textlen);
651 
652 	return (t);
653 }
654 
655 /*
656  * token ID                1 byte
657  * audit ID                4 bytes
658  * effective user ID       4 bytes
659  * effective group ID      4 bytes
660  * real user ID            4 bytes
661  * real group ID           4 bytes
662  * process ID              4 bytes
663  * session ID              4 bytes
664  * terminal ID
665  *   port ID               4 bytes/8 bytes (32-bit/64-bit value)
666  *   machine address       4 bytes
667  */
668 token_t *
669 au_to_process32(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
670     pid_t pid, au_asid_t sid, au_tid_t *tid)
671 {
672 	token_t *t;
673 	u_char *dptr = NULL;
674 
675 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 9 * sizeof(u_int32_t));
676 
677 	ADD_U_CHAR(dptr, AUT_PROCESS32);
678 	ADD_U_INT32(dptr, auid);
679 	ADD_U_INT32(dptr, euid);
680 	ADD_U_INT32(dptr, egid);
681 	ADD_U_INT32(dptr, ruid);
682 	ADD_U_INT32(dptr, rgid);
683 	ADD_U_INT32(dptr, pid);
684 	ADD_U_INT32(dptr, sid);
685 	ADD_U_INT32(dptr, tid->port);
686 
687 	/*
688 	 * Note: Solaris will write out IPv6 addresses here as a 32-bit
689 	 * address type and 16 bytes of address, but for IPv4 addresses it
690 	 * simply writes the 4-byte address directly.  We support only IPv4
691 	 * addresses for process32 tokens.
692 	 */
693 	ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t));
694 
695 	return (t);
696 }
697 
698 token_t *
699 au_to_process64(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
700     pid_t pid, au_asid_t sid, au_tid_t *tid)
701 {
702 	token_t *t;
703 	u_char *dptr = NULL;
704 
705 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 8 * sizeof(u_int32_t) +
706 	    sizeof(u_int64_t));
707 
708 	ADD_U_CHAR(dptr, AUT_PROCESS64);
709 	ADD_U_INT32(dptr, auid);
710 	ADD_U_INT32(dptr, euid);
711 	ADD_U_INT32(dptr, egid);
712 	ADD_U_INT32(dptr, ruid);
713 	ADD_U_INT32(dptr, rgid);
714 	ADD_U_INT32(dptr, pid);
715 	ADD_U_INT32(dptr, sid);
716 	ADD_U_INT64(dptr, tid->port);
717 
718 	/*
719 	 * Note: Solaris will write out IPv6 addresses here as a 32-bit
720 	 * address type and 16 bytes of address, but for IPv4 addresses it
721 	 * simply writes the 4-byte address directly.  We support only IPv4
722 	 * addresses for process64 tokens.
723 	 */
724 	ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t));
725 
726 	return (t);
727 }
728 
729 token_t *
730 au_to_process(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
731     pid_t pid, au_asid_t sid, au_tid_t *tid)
732 {
733 
734 	return (au_to_process32(auid, euid, egid, ruid, rgid, pid, sid,
735 	    tid));
736 }
737 
738 /*
739  * token ID                1 byte
740  * audit ID                4 bytes
741  * effective user ID       4 bytes
742  * effective group ID      4 bytes
743  * real user ID            4 bytes
744  * real group ID           4 bytes
745  * process ID              4 bytes
746  * session ID              4 bytes
747  * terminal ID
748  *   port ID               4 bytes/8 bytes (32-bit/64-bit value)
749  *   address type-len      4 bytes
750  *   machine address      16 bytes
751  */
752 token_t *
753 au_to_process32_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
754     gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
755 {
756 	token_t *t;
757 	u_char *dptr = NULL;
758 
759 	KASSERT((tid->at_type == AU_IPv4) || (tid->at_type == AU_IPv6),
760 	    ("au_to_process32_ex: type %u", (unsigned int)tid->at_type));
761 	if (tid->at_type == AU_IPv4)
762 		GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
763 		    10 * sizeof(u_int32_t));
764 	else
765 		GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
766 		    13 * sizeof(u_int32_t));
767 
768 	ADD_U_CHAR(dptr, AUT_PROCESS32_EX);
769 	ADD_U_INT32(dptr, auid);
770 	ADD_U_INT32(dptr, euid);
771 	ADD_U_INT32(dptr, egid);
772 	ADD_U_INT32(dptr, ruid);
773 	ADD_U_INT32(dptr, rgid);
774 	ADD_U_INT32(dptr, pid);
775 	ADD_U_INT32(dptr, sid);
776 	ADD_U_INT32(dptr, tid->at_port);
777 	ADD_U_INT32(dptr, tid->at_type);
778 	ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t));
779 	if (tid->at_type == AU_IPv6) {
780 		ADD_MEM(dptr, &tid->at_addr[1], sizeof(u_int32_t));
781 		ADD_MEM(dptr, &tid->at_addr[2], sizeof(u_int32_t));
782 		ADD_MEM(dptr, &tid->at_addr[3], sizeof(u_int32_t));
783 	}
784 
785 	return (t);
786 }
787 
788 token_t *
789 au_to_process64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
790     gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
791 {
792 	token_t *t;
793 	u_char *dptr = NULL;
794 
795 	if (tid->at_type == AU_IPv4)
796 		GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
797 		    7 * sizeof(u_int32_t) + sizeof(u_int64_t) +
798 		    2 * sizeof(u_int32_t));
799 	else if (tid->at_type == AU_IPv6)
800 		GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
801 		    7 * sizeof(u_int32_t) + sizeof(u_int64_t) +
802 		    5 * sizeof(u_int32_t));
803 	else
804 		panic("au_to_process64_ex: invalidate at_type (%d)",
805 		    tid->at_type);
806 
807 	ADD_U_CHAR(dptr, AUT_PROCESS64_EX);
808 	ADD_U_INT32(dptr, auid);
809 	ADD_U_INT32(dptr, euid);
810 	ADD_U_INT32(dptr, egid);
811 	ADD_U_INT32(dptr, ruid);
812 	ADD_U_INT32(dptr, rgid);
813 	ADD_U_INT32(dptr, pid);
814 	ADD_U_INT32(dptr, sid);
815 	ADD_U_INT64(dptr, tid->at_port);
816 	ADD_U_INT32(dptr, tid->at_type);
817 	ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t));
818 	if (tid->at_type == AU_IPv6) {
819 		ADD_MEM(dptr, &tid->at_addr[1], sizeof(u_int32_t));
820 		ADD_MEM(dptr, &tid->at_addr[2], sizeof(u_int32_t));
821 		ADD_MEM(dptr, &tid->at_addr[3], sizeof(u_int32_t));
822 	}
823 
824 	return (t);
825 }
826 
827 token_t *
828 au_to_process_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
829     gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
830 {
831 
832 	return (au_to_process32_ex(auid, euid, egid, ruid, rgid, pid, sid,
833 	    tid));
834 }
835 
836 token_t *
837 au_to_rights(cap_rights_t *rightsp)
838 {
839 	token_t *t;
840 	u_char *dptr;
841 	int i;
842 
843 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(*rightsp));
844 
845 	ADD_U_CHAR(dptr, AUT_RIGHTS);
846 	for (i = 0; i < nitems(rightsp->cr_rights); i++)
847 		ADD_U_INT64(dptr, rightsp->cr_rights[i]);
848 
849 	return (t);
850 }
851 
852 /*
853  * token ID                1 byte
854  * error status            1 byte
855  * return value            4 bytes/8 bytes (32-bit/64-bit value)
856  */
857 token_t *
858 au_to_return32(char status, u_int32_t ret)
859 {
860 	token_t *t;
861 	u_char *dptr = NULL;
862 
863 	GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int32_t));
864 
865 	ADD_U_CHAR(dptr, AUT_RETURN32);
866 	ADD_U_CHAR(dptr, status);
867 	ADD_U_INT32(dptr, ret);
868 
869 	return (t);
870 }
871 
872 token_t *
873 au_to_return64(char status, u_int64_t ret)
874 {
875 	token_t *t;
876 	u_char *dptr = NULL;
877 
878 	GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int64_t));
879 
880 	ADD_U_CHAR(dptr, AUT_RETURN64);
881 	ADD_U_CHAR(dptr, status);
882 	ADD_U_INT64(dptr, ret);
883 
884 	return (t);
885 }
886 
887 token_t *
888 au_to_return(char status, u_int32_t ret)
889 {
890 
891 	return (au_to_return32(status, ret));
892 }
893 
894 /*
895  * token ID                1 byte
896  * sequence number         4 bytes
897  */
898 token_t *
899 au_to_seq(long audit_count)
900 {
901 	token_t *t;
902 	u_char *dptr = NULL;
903 
904 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t));
905 
906 	ADD_U_CHAR(dptr, AUT_SEQ);
907 	ADD_U_INT32(dptr, audit_count);
908 
909 	return (t);
910 }
911 
912 /*
913  * token ID                1 byte
914  * socket domain           2 bytes
915  * socket type             2 bytes
916  * address type            2 byte
917  * local port              2 bytes
918  * local address           4 bytes/16 bytes (IPv4/IPv6 address)
919  * remote port             2 bytes
920  * remote address          4 bytes/16 bytes (IPv4/IPv6 address)
921  *
922  * Domain and type arguments to this routine are assumed to already have been
923  * converted to the BSM constant space, so we don't do that here.
924  */
925 token_t *
926 au_to_socket_ex(u_short so_domain, u_short so_type,
927     struct sockaddr *sa_local, struct sockaddr *sa_remote)
928 {
929 	token_t *t;
930 	u_char *dptr = NULL;
931 	struct sockaddr_in *sin;
932 	struct sockaddr_in6 *sin6;
933 
934 	if (so_domain == AF_INET)
935 		GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
936 		    5 * sizeof(u_int16_t) + 2 * sizeof(u_int32_t));
937 	else if (so_domain == AF_INET6)
938 		GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
939 		    5 * sizeof(u_int16_t) + 8 * sizeof(u_int32_t));
940 	else
941 		return (NULL);
942 
943 	ADD_U_CHAR(dptr, AUT_SOCKET_EX);
944 	ADD_U_INT16(dptr, au_domain_to_bsm(so_domain));
945 	ADD_U_INT16(dptr, au_socket_type_to_bsm(so_type));
946 	if (so_domain == AF_INET) {
947 		ADD_U_INT16(dptr, AU_IPv4);
948 		sin = (struct sockaddr_in *)sa_local;
949 		ADD_MEM(dptr, &sin->sin_port, sizeof(uint16_t));
950 		ADD_MEM(dptr, &sin->sin_addr.s_addr, sizeof(uint32_t));
951 		sin = (struct sockaddr_in *)sa_remote;
952 		ADD_MEM(dptr, &sin->sin_port, sizeof(uint16_t));
953 		ADD_MEM(dptr, &sin->sin_addr.s_addr, sizeof(uint32_t));
954 	} else {
955 		ADD_U_INT16(dptr, AU_IPv6);
956 		sin6 = (struct sockaddr_in6 *)sa_local;
957 		ADD_MEM(dptr, &sin6->sin6_port, sizeof(uint16_t));
958 		ADD_MEM(dptr, &sin6->sin6_addr, 4 * sizeof(uint32_t));
959 		sin6 = (struct sockaddr_in6 *)sa_remote;
960 		ADD_MEM(dptr, &sin6->sin6_port, sizeof(uint16_t));
961 		ADD_MEM(dptr, &sin6->sin6_addr, 4 * sizeof(uint32_t));
962 	}
963 
964 	return (t);
965 }
966 
967 /*
968  * Kernel-specific version of the above function.
969  *
970  * XXXRW: Should now use au_to_socket_ex() here.
971  */
972 #ifdef _KERNEL
973 token_t *
974 kau_to_socket(struct socket_au_info *soi)
975 {
976 	token_t *t;
977 	u_char *dptr;
978 	u_int16_t so_type;
979 
980 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) +
981 	    sizeof(u_int32_t) + sizeof(u_int16_t) + sizeof(u_int32_t));
982 
983 	ADD_U_CHAR(dptr, AUT_SOCKET);
984 	/* Coerce the socket type into a short value */
985 	so_type = soi->so_type;
986 	ADD_U_INT16(dptr, so_type);
987 	ADD_U_INT16(dptr, soi->so_lport);
988 	ADD_U_INT32(dptr, soi->so_laddr);
989 	ADD_U_INT16(dptr, soi->so_rport);
990 	ADD_U_INT32(dptr, soi->so_raddr);
991 
992 	return (t);
993 }
994 #endif
995 
996 /*
997  * token ID                1 byte
998  * socket family           2 bytes
999  * path                    (up to) 104 bytes + NULL  (NULL terminated string)
1000  */
1001 token_t *
1002 au_to_sock_unix(struct sockaddr_un *so)
1003 {
1004 	token_t *t;
1005 	u_char *dptr;
1006 
1007 	GET_TOKEN_AREA(t, dptr, 3 * sizeof(u_char) + strlen(so->sun_path) + 1);
1008 
1009 	ADD_U_CHAR(dptr, AUT_SOCKUNIX);
1010 	/* BSM token has two bytes for family */
1011 	ADD_U_CHAR(dptr, 0);
1012 	ADD_U_CHAR(dptr, so->sun_family);
1013 	ADD_STRING(dptr, so->sun_path, strlen(so->sun_path) + 1);
1014 
1015 	return (t);
1016 }
1017 
1018 /*
1019  * token ID                1 byte
1020  * socket family           2 bytes
1021  * local port              2 bytes
1022  * socket address          4 bytes
1023  */
1024 token_t *
1025 au_to_sock_inet32(struct sockaddr_in *so)
1026 {
1027 	token_t *t;
1028 	u_char *dptr = NULL;
1029 	uint16_t family;
1030 
1031 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(uint16_t) +
1032 	    sizeof(uint32_t));
1033 
1034 	ADD_U_CHAR(dptr, AUT_SOCKINET32);
1035 	/*
1036 	 * BSM defines the family field as 16 bits, but many operating
1037 	 * systems have an 8-bit sin_family field.  Extend to 16 bits before
1038 	 * writing into the token.  Assume that both the port and the address
1039 	 * in the sockaddr_in are already in network byte order, but family
1040 	 * is in local byte order.
1041 	 *
1042 	 * XXXRW: Should a name space conversion be taking place on the value
1043 	 * of sin_family?
1044 	 */
1045 	family = so->sin_family;
1046 	ADD_U_INT16(dptr, family);
1047 	ADD_MEM(dptr, &so->sin_port, sizeof(uint16_t));
1048 	ADD_MEM(dptr, &so->sin_addr.s_addr, sizeof(uint32_t));
1049 
1050 	return (t);
1051 }
1052 
1053 token_t *
1054 au_to_sock_inet128(struct sockaddr_in6 *so)
1055 {
1056 	token_t *t;
1057 	u_char *dptr = NULL;
1058 
1059 	GET_TOKEN_AREA(t, dptr, 3 * sizeof(u_char) + sizeof(u_int16_t) +
1060 	    4 * sizeof(u_int32_t));
1061 
1062 	ADD_U_CHAR(dptr, AUT_SOCKINET128);
1063 	/*
1064 	 * In BSD, sin6_family is one octet, but BSM defines the token to
1065 	 * store two. So we copy in a 0 first.  XXXRW: Possibly should be
1066 	 * conditionally compiled.
1067 	 */
1068 	ADD_U_CHAR(dptr, 0);
1069 	ADD_U_CHAR(dptr, so->sin6_family);
1070 
1071 	ADD_U_INT16(dptr, so->sin6_port);
1072 	ADD_MEM(dptr, &so->sin6_addr, 4 * sizeof(uint32_t));
1073 
1074 	return (t);
1075 }
1076 
1077 token_t *
1078 au_to_sock_inet(struct sockaddr_in *so)
1079 {
1080 
1081 	return (au_to_sock_inet32(so));
1082 }
1083 
1084 /*
1085  * token ID                1 byte
1086  * audit ID                4 bytes
1087  * effective user ID       4 bytes
1088  * effective group ID      4 bytes
1089  * real user ID            4 bytes
1090  * real group ID           4 bytes
1091  * process ID              4 bytes
1092  * session ID              4 bytes
1093  * terminal ID
1094  *   port ID               4 bytes/8 bytes (32-bit/64-bit value)
1095  *   machine address       4 bytes
1096  */
1097 token_t *
1098 au_to_subject32(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
1099     pid_t pid, au_asid_t sid, au_tid_t *tid)
1100 {
1101 	token_t *t;
1102 	u_char *dptr = NULL;
1103 
1104 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 9 * sizeof(u_int32_t));
1105 
1106 	ADD_U_CHAR(dptr, AUT_SUBJECT32);
1107 	ADD_U_INT32(dptr, auid);
1108 	ADD_U_INT32(dptr, euid);
1109 	ADD_U_INT32(dptr, egid);
1110 	ADD_U_INT32(dptr, ruid);
1111 	ADD_U_INT32(dptr, rgid);
1112 	ADD_U_INT32(dptr, pid);
1113 	ADD_U_INT32(dptr, sid);
1114 	ADD_U_INT32(dptr, tid->port);
1115 	ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t));
1116 
1117 	return (t);
1118 }
1119 
1120 token_t *
1121 au_to_subject64(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
1122     pid_t pid, au_asid_t sid, au_tid_t *tid)
1123 {
1124 	token_t *t;
1125 	u_char *dptr = NULL;
1126 
1127 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 7 * sizeof(u_int32_t) +
1128 	    sizeof(u_int64_t) + sizeof(u_int32_t));
1129 
1130 	ADD_U_CHAR(dptr, AUT_SUBJECT64);
1131 	ADD_U_INT32(dptr, auid);
1132 	ADD_U_INT32(dptr, euid);
1133 	ADD_U_INT32(dptr, egid);
1134 	ADD_U_INT32(dptr, ruid);
1135 	ADD_U_INT32(dptr, rgid);
1136 	ADD_U_INT32(dptr, pid);
1137 	ADD_U_INT32(dptr, sid);
1138 	ADD_U_INT64(dptr, tid->port);
1139 	ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t));
1140 
1141 	return (t);
1142 }
1143 
1144 token_t *
1145 au_to_subject(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
1146     pid_t pid, au_asid_t sid, au_tid_t *tid)
1147 {
1148 
1149 	return (au_to_subject32(auid, euid, egid, ruid, rgid, pid, sid,
1150 	    tid));
1151 }
1152 
1153 /*
1154  * token ID                1 byte
1155  * audit ID                4 bytes
1156  * effective user ID       4 bytes
1157  * effective group ID      4 bytes
1158  * real user ID            4 bytes
1159  * real group ID           4 bytes
1160  * process ID              4 bytes
1161  * session ID              4 bytes
1162  * terminal ID
1163  *   port ID               4 bytes/8 bytes (32-bit/64-bit value)
1164  *   address type/length   4 bytes
1165  *   machine address      16 bytes
1166  */
1167 token_t *
1168 au_to_subject32_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
1169     gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
1170 {
1171 	token_t *t;
1172 	u_char *dptr = NULL;
1173 
1174 	KASSERT((tid->at_type == AU_IPv4) || (tid->at_type == AU_IPv6),
1175 	    ("au_to_subject32_ex: type %u", (unsigned int)tid->at_type));
1176 
1177 	if (tid->at_type == AU_IPv4)
1178 		GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 10 *
1179 		    sizeof(u_int32_t));
1180 	else
1181 		GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 13 *
1182 		    sizeof(u_int32_t));
1183 
1184 	ADD_U_CHAR(dptr, AUT_SUBJECT32_EX);
1185 	ADD_U_INT32(dptr, auid);
1186 	ADD_U_INT32(dptr, euid);
1187 	ADD_U_INT32(dptr, egid);
1188 	ADD_U_INT32(dptr, ruid);
1189 	ADD_U_INT32(dptr, rgid);
1190 	ADD_U_INT32(dptr, pid);
1191 	ADD_U_INT32(dptr, sid);
1192 	ADD_U_INT32(dptr, tid->at_port);
1193 	ADD_U_INT32(dptr, tid->at_type);
1194 	if (tid->at_type == AU_IPv6)
1195 		ADD_MEM(dptr, &tid->at_addr[0], 4 * sizeof(u_int32_t));
1196 	else
1197 		ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t));
1198 
1199 	return (t);
1200 }
1201 
1202 token_t *
1203 au_to_subject64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
1204     gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
1205 {
1206 	token_t *t;
1207 	u_char *dptr = NULL;
1208 
1209 	KASSERT((tid->at_type == AU_IPv4) || (tid->at_type == AU_IPv6),
1210 	    ("au_to_subject64_ex: type %u", (unsigned int)tid->at_type));
1211 
1212 	if (tid->at_type == AU_IPv4)
1213 		GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
1214 		    7 * sizeof(u_int32_t) + sizeof(u_int64_t) +
1215 		    2 * sizeof(u_int32_t));
1216 	else
1217 		GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
1218 		    7 * sizeof(u_int32_t) + sizeof(u_int64_t) +
1219 		    5 * sizeof(u_int32_t));
1220 
1221 	ADD_U_CHAR(dptr, AUT_SUBJECT64_EX);
1222 	ADD_U_INT32(dptr, auid);
1223 	ADD_U_INT32(dptr, euid);
1224 	ADD_U_INT32(dptr, egid);
1225 	ADD_U_INT32(dptr, ruid);
1226 	ADD_U_INT32(dptr, rgid);
1227 	ADD_U_INT32(dptr, pid);
1228 	ADD_U_INT32(dptr, sid);
1229 	ADD_U_INT64(dptr, tid->at_port);
1230 	ADD_U_INT32(dptr, tid->at_type);
1231 	if (tid->at_type == AU_IPv6)
1232 		ADD_MEM(dptr, &tid->at_addr[0], 4 * sizeof(u_int32_t));
1233 	else
1234 		ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t));
1235 
1236 	return (t);
1237 }
1238 
1239 token_t *
1240 au_to_subject_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
1241     gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
1242 {
1243 
1244 	return (au_to_subject32_ex(auid, euid, egid, ruid, rgid, pid, sid,
1245 	    tid));
1246 }
1247 
1248 #if !defined(_KERNEL) && !defined(KERNEL) && defined(HAVE_AUDIT_SYSCALLS)
1249 /*
1250  * Collects audit information for the current process and creates a subject
1251  * token from it.
1252  */
1253 token_t *
1254 au_to_me(void)
1255 {
1256 	auditinfo_t auinfo;
1257 	auditinfo_addr_t aia;
1258 
1259 	/*
1260 	 * Try to use getaudit_addr(2) first.  If this kernel does not support
1261 	 * it, then fall back on to getaudit(2).
1262 	 */
1263 	if (getaudit_addr(&aia, sizeof(aia)) != 0) {
1264 		if (errno == ENOSYS) {
1265 			if (getaudit(&auinfo) != 0)
1266 				return (NULL);
1267 			return (au_to_subject32(auinfo.ai_auid, geteuid(),
1268 				getegid(), getuid(), getgid(), getpid(),
1269 				auinfo.ai_asid, &auinfo.ai_termid));
1270 		} else {
1271 			/* getaudit_addr(2) failed for some other reason. */
1272 			return (NULL);
1273 		}
1274 	}
1275 
1276 	return (au_to_subject32_ex(aia.ai_auid, geteuid(), getegid(), getuid(),
1277 		getgid(), getpid(), aia.ai_asid, &aia.ai_termid));
1278 }
1279 #endif
1280 
1281 #if defined(_KERNEL) || defined(KERNEL)
1282 static token_t *
1283 au_to_exec_strings(char *strs, int count, u_char type)
1284 {
1285 	token_t *t;
1286 	u_char *dptr = NULL;
1287 	u_int32_t totlen;
1288 	int ctr;
1289 	char *p;
1290 
1291 	totlen = 0;
1292 	ctr = count;
1293 	p = strs;
1294 	while (ctr-- > 0) {
1295 		totlen += strlen(p) + 1;
1296 		p = strs + totlen;
1297 	}
1298 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + totlen);
1299 	ADD_U_CHAR(dptr, type);
1300 	ADD_U_INT32(dptr, count);
1301 	ADD_STRING(dptr, strs, totlen);
1302 
1303 	return (t);
1304 }
1305 
1306 /*
1307  * token ID				1 byte
1308  * count				4 bytes
1309  * text					count null-terminated strings
1310  */
1311 token_t *
1312 au_to_exec_args(char *args, int argc)
1313 {
1314 
1315 	return (au_to_exec_strings(args, argc, AUT_EXEC_ARGS));
1316 }
1317 
1318 /*
1319  * token ID				1 byte
1320  * count				4 bytes
1321  * text					count null-terminated strings
1322  */
1323 token_t *
1324 au_to_exec_env(char *envs, int envc)
1325 {
1326 
1327 	return (au_to_exec_strings(envs, envc, AUT_EXEC_ENV));
1328 }
1329 #else
1330 /*
1331  * token ID				1 byte
1332  * count				4 bytes
1333  * text					count null-terminated strings
1334  */
1335 token_t *
1336 au_to_exec_args(char **argv)
1337 {
1338 	token_t *t;
1339 	u_char *dptr = NULL;
1340 	const char *nextarg;
1341 	int i, count = 0;
1342 	size_t totlen = 0;
1343 
1344 	nextarg = *argv;
1345 
1346 	while (nextarg != NULL) {
1347 		int nextlen;
1348 
1349 		nextlen = strlen(nextarg);
1350 		totlen += nextlen + 1;
1351 		count++;
1352 		nextarg = *(argv + count);
1353 	}
1354 
1355 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + totlen);
1356 
1357 	ADD_U_CHAR(dptr, AUT_EXEC_ARGS);
1358 	ADD_U_INT32(dptr, count);
1359 
1360 	for (i = 0; i < count; i++) {
1361 		nextarg = *(argv + i);
1362 		ADD_MEM(dptr, nextarg, strlen(nextarg) + 1);
1363 	}
1364 
1365 	return (t);
1366 }
1367 
1368 /*
1369  * token ID				1 byte
1370  * count				4 bytes
1371  * text					count null-terminated strings
1372  */
1373 token_t *
1374 au_to_exec_env(char **envp)
1375 {
1376 	token_t *t;
1377 	u_char *dptr = NULL;
1378 	int i, count = 0;
1379 	size_t totlen = 0;
1380 	const char *nextenv;
1381 
1382 	nextenv = *envp;
1383 
1384 	while (nextenv != NULL) {
1385 		int nextlen;
1386 
1387 		nextlen = strlen(nextenv);
1388 		totlen += nextlen + 1;
1389 		count++;
1390 		nextenv = *(envp + count);
1391 	}
1392 
1393 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + totlen);
1394 
1395 	ADD_U_CHAR(dptr, AUT_EXEC_ENV);
1396 	ADD_U_INT32(dptr, count);
1397 
1398 	for (i = 0; i < count; i++) {
1399 		nextenv = *(envp + i);
1400 		ADD_MEM(dptr, nextenv, strlen(nextenv) + 1);
1401 	}
1402 
1403 	return (t);
1404 }
1405 #endif
1406 
1407 /*
1408  * token ID                1 byte
1409  * zonename length         2 bytes
1410  * zonename                N bytes + 1 terminating NULL byte
1411  */
1412 token_t *
1413 au_to_zonename(const char *zonename)
1414 {
1415 	u_char *dptr = NULL;
1416 	u_int16_t textlen;
1417 	token_t *t;
1418 
1419 	textlen = strlen(zonename) + 1;
1420 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + textlen);
1421 
1422 	ADD_U_CHAR(dptr, AUT_ZONENAME);
1423 	ADD_U_INT16(dptr, textlen);
1424 	ADD_STRING(dptr, zonename, textlen);
1425 	return (t);
1426 }
1427 
1428 /*
1429  * token ID                1 byte
1430  * record byte count       4 bytes
1431  * version #               1 byte    [2]
1432  * event type              2 bytes
1433  * event modifier          2 bytes
1434  * seconds of time         4 bytes/8 bytes (32-bit/64-bit value)
1435  * milliseconds of time    4 bytes/8 bytes (32-bit/64-bit value)
1436  */
1437 token_t *
1438 au_to_header32_tm(int rec_size, au_event_t e_type, au_emod_t e_mod,
1439     struct timeval tm)
1440 {
1441 	token_t *t;
1442 	u_char *dptr = NULL;
1443 	u_int32_t timems;
1444 
1445 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) +
1446 	    sizeof(u_char) + 2 * sizeof(u_int16_t) + 2 * sizeof(u_int32_t));
1447 
1448 	ADD_U_CHAR(dptr, AUT_HEADER32);
1449 	ADD_U_INT32(dptr, rec_size);
1450 	ADD_U_CHAR(dptr, AUDIT_HEADER_VERSION_OPENBSM);
1451 	ADD_U_INT16(dptr, e_type);
1452 	ADD_U_INT16(dptr, e_mod);
1453 
1454 	timems = tm.tv_usec/1000;
1455 	/* Add the timestamp */
1456 	ADD_U_INT32(dptr, tm.tv_sec);
1457 	ADD_U_INT32(dptr, timems);	/* We need time in ms. */
1458 
1459 	return (t);
1460 }
1461 
1462 /*
1463  * token ID                1 byte
1464  * record byte count       4 bytes
1465  * version #               1 byte    [2]
1466  * event type              2 bytes
1467  * event modifier          2 bytes
1468  * address type/length     4 bytes
1469  * machine address         4 bytes/16 bytes (IPv4/IPv6 address)
1470  * seconds of time         4 bytes/8 bytes (32-bit/64-bit value)
1471  * milliseconds of time    4 bytes/8 bytes (32-bit/64-bit value)
1472  */
1473 token_t *
1474 au_to_header32_ex_tm(int rec_size, au_event_t e_type, au_emod_t e_mod,
1475     struct timeval tm, struct auditinfo_addr *aia)
1476 {
1477 	token_t *t;
1478 	u_char *dptr = NULL;
1479 	u_int32_t timems;
1480 	au_tid_addr_t *tid;
1481 
1482 	tid = &aia->ai_termid;
1483 	KASSERT(tid->at_type == AU_IPv4 || tid->at_type == AU_IPv6,
1484 	    ("au_to_header32_ex_tm: invalid address family"));
1485 
1486 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) +
1487 	    sizeof(u_char) + 2 * sizeof(u_int16_t) + 3 *
1488 	    sizeof(u_int32_t) + tid->at_type);
1489 
1490 	ADD_U_CHAR(dptr, AUT_HEADER32_EX);
1491 	ADD_U_INT32(dptr, rec_size);
1492 	ADD_U_CHAR(dptr, AUDIT_HEADER_VERSION_OPENBSM);
1493 	ADD_U_INT16(dptr, e_type);
1494 	ADD_U_INT16(dptr, e_mod);
1495 
1496 	ADD_U_INT32(dptr, tid->at_type);
1497 	if (tid->at_type == AU_IPv6)
1498 		ADD_MEM(dptr, &tid->at_addr[0], 4 * sizeof(u_int32_t));
1499 	else
1500 		ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t));
1501 	timems = tm.tv_usec/1000;
1502 	/* Add the timestamp */
1503 	ADD_U_INT32(dptr, tm.tv_sec);
1504 	ADD_U_INT32(dptr, timems);      /* We need time in ms. */
1505 
1506 	return (t);
1507 }
1508 
1509 token_t *
1510 au_to_header64_tm(int rec_size, au_event_t e_type, au_emod_t e_mod,
1511     struct timeval tm)
1512 {
1513 	token_t *t;
1514 	u_char *dptr = NULL;
1515 	u_int32_t timems;
1516 
1517 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) +
1518 	    sizeof(u_char) + 2 * sizeof(u_int16_t) + 2 * sizeof(u_int64_t));
1519 
1520 	ADD_U_CHAR(dptr, AUT_HEADER64);
1521 	ADD_U_INT32(dptr, rec_size);
1522 	ADD_U_CHAR(dptr, AUDIT_HEADER_VERSION_OPENBSM);
1523 	ADD_U_INT16(dptr, e_type);
1524 	ADD_U_INT16(dptr, e_mod);
1525 
1526 	timems = tm.tv_usec/1000;
1527 	/* Add the timestamp */
1528 	ADD_U_INT64(dptr, tm.tv_sec);
1529 	ADD_U_INT64(dptr, timems);	/* We need time in ms. */
1530 
1531 	return (t);
1532 }
1533 
1534 #if !defined(KERNEL) && !defined(_KERNEL)
1535 #ifdef HAVE_AUDIT_SYSCALLS
1536 token_t *
1537 au_to_header32_ex(int rec_size, au_event_t e_type, au_emod_t e_mod)
1538 {
1539 	struct timeval tm;
1540 	struct auditinfo_addr aia;
1541 
1542 	if (gettimeofday(&tm, NULL) == -1)
1543 		return (NULL);
1544 	if (audit_get_kaudit(&aia, sizeof(aia)) != 0) {
1545 		if (errno != ENOSYS)
1546 			return (NULL);
1547 		return (au_to_header32_tm(rec_size, e_type, e_mod, tm));
1548 	}
1549 	return (au_to_header32_ex_tm(rec_size, e_type, e_mod, tm, &aia));
1550 }
1551 #endif /* HAVE_AUDIT_SYSCALLS */
1552 
1553 token_t *
1554 au_to_header32(int rec_size, au_event_t e_type, au_emod_t e_mod)
1555 {
1556 	struct timeval tm;
1557 
1558 	if (gettimeofday(&tm, NULL) == -1)
1559 		return (NULL);
1560 	return (au_to_header32_tm(rec_size, e_type, e_mod, tm));
1561 }
1562 
1563 token_t *
1564 au_to_header64(__unused int rec_size, __unused au_event_t e_type,
1565     __unused au_emod_t e_mod)
1566 {
1567 	struct timeval tm;
1568 
1569 	if (gettimeofday(&tm, NULL) == -1)
1570 		return (NULL);
1571 	return (au_to_header64_tm(rec_size, e_type, e_mod, tm));
1572 }
1573 
1574 token_t *
1575 au_to_header(int rec_size, au_event_t e_type, au_emod_t e_mod)
1576 {
1577 
1578 	return (au_to_header32(rec_size, e_type, e_mod));
1579 }
1580 
1581 #ifdef HAVE_AUDIT_SYSCALLS
1582 token_t *
1583 au_to_header_ex(int rec_size, au_event_t e_type, au_emod_t e_mod)
1584 {
1585 
1586 	return (au_to_header32_ex(rec_size, e_type, e_mod));
1587 }
1588 #endif /* HAVE_AUDIT_SYSCALLS */
1589 #endif /* !defined(KERNEL) && !defined(_KERNEL) */
1590 
1591 /*
1592  * token ID                1 byte
1593  * trailer magic number    2 bytes
1594  * record byte count       4 bytes
1595  */
1596 token_t *
1597 au_to_trailer(int rec_size)
1598 {
1599 	token_t *t;
1600 	u_char *dptr = NULL;
1601 	u_int16_t magic = AUT_TRAILER_MAGIC;
1602 
1603 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) +
1604 	    sizeof(u_int32_t));
1605 
1606 	ADD_U_CHAR(dptr, AUT_TRAILER);
1607 	ADD_U_INT16(dptr, magic);
1608 	ADD_U_INT32(dptr, rec_size);
1609 
1610 	return (t);
1611 }
1612