36 */
37
38#include <sys/types.h>
39
40#include <config/config.h>
41#ifdef HAVE_SYS_ENDIAN_H
42#include <sys/endian.h>
43#else /* !HAVE_SYS_ENDIAN_H */
44#ifdef HAVE_MACHINE_ENDIAN_H
45#include <machine/endian.h>
46#else /* !HAVE_MACHINE_ENDIAN_H */
47#ifdef HAVE_ENDIAN_H
48#include <endian.h>
49#else /* !HAVE_ENDIAN_H */
50#error "No supported endian.h"
51#endif /* !HAVE_ENDIAN_H */
52#endif /* !HAVE_MACHINE_ENDIAN_H */
53#include <compat/endian.h>
54#endif /* !HAVE_SYS_ENDIAN_H */
55#ifdef HAVE_FULL_QUEUE_H
56#include <sys/queue.h>
57#else /* !HAVE_FULL_QUEUE_H */
58#include <compat/queue.h>
59#endif /* !HAVE_FULL_QUEUE_H */
60
61#include <sys/stat.h>
62#include <sys/socket.h>
63
64#include <bsm/libbsm.h>
65
66#include <unistd.h>
67#include <netinet/in.h>
68#include <arpa/inet.h>
69#include <errno.h>
70#include <time.h>
71#include <stdlib.h>
72#include <stdio.h>
73#include <string.h>
74#include <pwd.h>
75#include <grp.h>
76
77#include <bsm/audit_internal.h>
78
79#define READ_TOKEN_BYTES(buf, len, dest, size, bytesread, err) do { \
80 if (bytesread + size > len) { \
81 err = 1; \
82 } else { \
83 memcpy(dest, buf + bytesread, size); \
84 bytesread += size; \
85 } \
86} while (0)
87
88#define READ_TOKEN_U_CHAR(buf, len, dest, bytesread, err) do { \
89 if (bytesread + sizeof(u_char) <= len) { \
90 dest = buf[bytesread]; \
91 bytesread += sizeof(u_char); \
92 } else \
93 err = 1; \
94} while (0)
95
96#define READ_TOKEN_U_INT16(buf, len, dest, bytesread, err) do { \
97 if (bytesread + sizeof(u_int16_t) <= len) { \
98 dest = be16dec(buf + bytesread); \
99 bytesread += sizeof(u_int16_t); \
100 } else \
101 err = 1; \
102} while (0)
103
104#define READ_TOKEN_U_INT32(buf, len, dest, bytesread, err) do { \
105 if (bytesread + sizeof(u_int32_t) <= len) { \
106 dest = be32dec(buf + bytesread); \
107 bytesread += sizeof(u_int32_t); \
108 } else \
109 err = 1; \
110} while (0)
111
112#define READ_TOKEN_U_INT64(buf, len, dest, bytesread, err) do { \
113 if (bytesread + sizeof(u_int64_t) <= len) { \
114 dest = be64dec(buf + bytesread); \
115 bytesread += sizeof(u_int64_t); \
116 } else \
117 err = 1; \
118} while (0)
119
120#define SET_PTR(buf, len, ptr, size, bytesread, err) do { \
121 if ((bytesread) + (size) > (len)) \
122 (err) = 1; \
123 else { \
124 (ptr) = (buf) + (bytesread); \
125 (bytesread) += (size); \
126 } \
127} while (0)
128
129/*
130 * XML option.
131 */
132#define AU_PLAIN 0
133#define AU_XML 1
134
135/*
136 * Prints the delimiter string.
137 */
138static void
139print_delim(FILE *fp, const char *del)
140{
141
142 fprintf(fp, "%s", del);
143}
144
145/*
146 * Prints a single byte in the given format.
147 */
148static void
149print_1_byte(FILE *fp, u_char val, const char *format)
150{
151
152 fprintf(fp, format, val);
153}
154
155/*
156 * Print 2 bytes in the given format.
157 */
158static void
159print_2_bytes(FILE *fp, u_int16_t val, const char *format)
160{
161
162 fprintf(fp, format, val);
163}
164
165/*
166 * Prints 4 bytes in the given format.
167 */
168static void
169print_4_bytes(FILE *fp, u_int32_t val, const char *format)
170{
171
172 fprintf(fp, format, val);
173}
174
175/*
176 * Prints 8 bytes in the given format.
177 */
178static void
179print_8_bytes(FILE *fp, u_int64_t val, const char *format)
180{
181
182 fprintf(fp, format, val);
183}
184
185/*
186 * Prints the given size of data bytes in hex.
187 */
188static void
189print_mem(FILE *fp, u_char *data, size_t len)
190{
191 int i;
192
193 if (len > 0) {
194 fprintf(fp, "0x");
195 for (i = 0; i < len; i++)
196 fprintf(fp, "%x", data[i]);
197 }
198}
199
200/*
201 * Prints the given data bytes as a string.
202 */
203static void
204print_string(FILE *fp, const char *str, size_t len)
205{
206 int i;
207
208 if (len > 0) {
209 for (i = 0; i < len; i++) {
210 if (str[i] != '\0')
211 fprintf(fp, "%c", str[i]);
212 }
213 }
214}
215
216/*
217 * Prints the beggining of attribute.
218 */
219static void
220open_attr(FILE *fp, const char *str)
221{
222
223 fprintf(fp,"%s=\"", str);
224}
225
226/*
227 * Prints the end of attribute.
228 */
229static void
230close_attr(FILE *fp)
231{
232
233 fprintf(fp,"\" ");
234}
235
236/*
237 * Prints the end of tag.
238 */
239static void
240close_tag(FILE *fp, u_char type)
241{
242
243 switch(type) {
244 case AUT_HEADER32:
245 fprintf(fp, ">");
246 break;
247
248 case AUT_HEADER32_EX:
249 fprintf(fp, ">");
250 break;
251
252 case AUT_HEADER64:
253 fprintf(fp, ">");
254 break;
255
256 case AUT_HEADER64_EX:
257 fprintf(fp, ">");
258 break;
259
260 case AUT_ARG32:
261 fprintf(fp, "/>");
262 break;
263
264 case AUT_ARG64:
265 fprintf(fp, "/>");
266 break;
267
268 case AUT_ATTR32:
269 fprintf(fp, "/>");
270 break;
271
272 case AUT_ATTR64:
273 fprintf(fp, "/>");
274 break;
275
276 case AUT_EXIT:
277 fprintf(fp, "/>");
278 break;
279
280 case AUT_EXEC_ARGS:
281 fprintf(fp, "</exec_args>");
282 break;
283
284 case AUT_EXEC_ENV:
285 fprintf(fp, "</exec_env>");
286 break;
287
288 case AUT_OTHER_FILE32:
289 fprintf(fp, "</file>");
290 break;
291
292 case AUT_NEWGROUPS:
293 fprintf(fp, "</group>");
294 break;
295
296 case AUT_IN_ADDR:
297 fprintf(fp, "</ip_address>");
298 break;
299
300 case AUT_IN_ADDR_EX:
301 fprintf(fp, "</ip_address>");
302 break;
303
304 case AUT_IP:
305 fprintf(fp, "/>");
306 break;
307
308 case AUT_IPC:
309 fprintf(fp, "/>");
310 break;
311
312 case AUT_IPC_PERM:
313 fprintf(fp, "/>");
314 break;
315
316 case AUT_IPORT:
317 fprintf(fp, "</ip_port>");
318 break;
319
320 case AUT_OPAQUE:
321 fprintf(fp, "</opaque>");
322 break;
323
324 case AUT_PATH:
325 fprintf(fp, "</path>");
326 break;
327
328 case AUT_PROCESS32:
329 fprintf(fp, "/>");
330 break;
331
332 case AUT_PROCESS32_EX:
333 fprintf(fp, "/>");
334 break;
335
336 case AUT_PROCESS64:
337 fprintf(fp, "/>");
338 break;
339
340 case AUT_PROCESS64_EX:
341 fprintf(fp, "/>");
342 break;
343
344 case AUT_RETURN32:
345 fprintf(fp, "/>");
346 break;
347
348 case AUT_RETURN64:
349 fprintf(fp, "/>");
350 break;
351
352 case AUT_SEQ:
353 fprintf(fp, "/>");
354 break;
355
356 case AUT_SOCKET:
357 fprintf(fp, "/>");
358 break;
359
360 case AUT_SOCKINET32:
361 fprintf(fp, "/>");
362 break;
363
364 case AUT_SOCKUNIX:
365 fprintf(fp, "/>");
366 break;
367
368 case AUT_SUBJECT32:
369 fprintf(fp, "/>");
370 break;
371
372 case AUT_SUBJECT64:
373 fprintf(fp, "/>");
374 break;
375
376 case AUT_SUBJECT32_EX:
377 fprintf(fp, "/>");
378 break;
379
380 case AUT_SUBJECT64_EX:
381 fprintf(fp, "/>");
382 break;
383
384 case AUT_TEXT:
385 fprintf(fp, "</text>");
386 break;
387
388 case AUT_SOCKET_EX:
389 fprintf(fp, "/>");
390 break;
391
392 case AUT_DATA:
393 fprintf(fp, "</arbitrary>");
394 break;
395
396 case AUT_ZONENAME:
397 fprintf(fp, "/>");
398 break;
399 }
400}
401
402/*
403 * Prints the token type in either the raw or the default form.
404 */
405static void
406print_tok_type(FILE *fp, u_char type, const char *tokname, char raw, int xml)
407{
408
409 if (xml) {
410 switch(type) {
411 case AUT_HEADER32:
412 fprintf(fp, "<record ");
413 break;
414
415 case AUT_HEADER32_EX:
416 fprintf(fp, "<record ");
417 break;
418
419 case AUT_HEADER64:
420 fprintf(fp, "<record ");
421 break;
422
423 case AUT_HEADER64_EX:
424 fprintf(fp, "<record ");
425 break;
426
427 case AUT_TRAILER:
428 fprintf(fp, "</record>");
429 break;
430
431 case AUT_ARG32:
432 fprintf(fp, "<argument ");
433 break;
434
435 case AUT_ARG64:
436 fprintf(fp, "<argument ");
437 break;
438
439 case AUT_ATTR32:
440 fprintf(fp, "<attribute ");
441 break;
442
443 case AUT_ATTR64:
444 fprintf(fp, "<attribute ");
445 break;
446
447 case AUT_EXIT:
448 fprintf(fp, "<exit ");
449 break;
450
451 case AUT_EXEC_ARGS:
452 fprintf(fp, "<exec_args>");
453 break;
454
455 case AUT_EXEC_ENV:
456 fprintf(fp, "<exec_env>");
457 break;
458
459 case AUT_OTHER_FILE32:
460 fprintf(fp, "<file ");
461 break;
462
463 case AUT_NEWGROUPS:
464 fprintf(fp, "<group>");
465 break;
466
467 case AUT_IN_ADDR:
468 fprintf(fp, "<ip_address>");
469 break;
470
471 case AUT_IN_ADDR_EX:
472 fprintf(fp, "<ip_address>");
473 break;
474
475 case AUT_IP:
476 fprintf(fp, "<ip ");
477 break;
478
479 case AUT_IPC:
480 fprintf(fp, "<IPC");
481 break;
482
483 case AUT_IPC_PERM:
484 fprintf(fp, "<IPC_perm ");
485 break;
486
487 case AUT_IPORT:
488 fprintf(fp, "<ip_port>");
489 break;
490
491 case AUT_OPAQUE:
492 fprintf(fp, "<opaque>");
493 break;
494
495 case AUT_PATH:
496 fprintf(fp, "<path>");
497 break;
498
499 case AUT_PROCESS32:
500 fprintf(fp, "<process ");
501 break;
502
503 case AUT_PROCESS32_EX:
504 fprintf(fp, "<process ");
505 break;
506
507 case AUT_PROCESS64:
508 fprintf(fp, "<process ");
509 break;
510
511 case AUT_PROCESS64_EX:
512 fprintf(fp, "<process ");
513 break;
514
515 case AUT_RETURN32:
516 fprintf(fp, "<return ");
517 break;
518
519 case AUT_RETURN64:
520 fprintf(fp, "<return ");
521 break;
522
523 case AUT_SEQ:
524 fprintf(fp, "<sequence ");
525 break;
526
527 case AUT_SOCKET:
528 fprintf(fp, "<socket ");
529 break;
530
531 case AUT_SOCKINET32:
532 fprintf(fp, "<old_socket");
533 break;
534
535 case AUT_SOCKUNIX:
536 fprintf(fp, "<old_socket");
537 break;
538
539 case AUT_SUBJECT32:
540 fprintf(fp, "<subject ");
541 break;
542
543 case AUT_SUBJECT64:
544 fprintf(fp, "<subject ");
545 break;
546
547 case AUT_SUBJECT32_EX:
548 fprintf(fp, "<subject ");
549 break;
550
551 case AUT_SUBJECT64_EX:
552 fprintf(fp, "<subject ");
553 break;
554
555 case AUT_TEXT:
556 fprintf(fp, "<text>");
557 break;
558
559 case AUT_SOCKET_EX:
560 fprintf(fp, "<socket ");
561 break;
562
563 case AUT_DATA:
564 fprintf(fp, "<arbitrary ");
565 break;
566
567 case AUT_ZONENAME:
568 fprintf(fp, "<zone ");
569 break;
570 }
571 } else {
572 if (raw)
573 fprintf(fp, "%u", type);
574 else
575 fprintf(fp, "%s", tokname);
576 }
577}
578
579/*
580 * Prints a user value.
581 */
582static void
583print_user(FILE *fp, u_int32_t usr, char raw)
584{
585 struct passwd *pwent;
586
587 if (raw)
588 fprintf(fp, "%d", usr);
589 else {
590 pwent = getpwuid(usr);
591 if (pwent != NULL)
592 fprintf(fp, "%s", pwent->pw_name);
593 else
594 fprintf(fp, "%d", usr);
595 }
596}
597
598/*
599 * Prints a group value.
600 */
601static void
602print_group(FILE *fp, u_int32_t grp, char raw)
603{
604 struct group *grpent;
605
606 if (raw)
607 fprintf(fp, "%d", grp);
608 else {
609 grpent = getgrgid(grp);
610 if (grpent != NULL)
611 fprintf(fp, "%s", grpent->gr_name);
612 else
613 fprintf(fp, "%d", grp);
614 }
615}
616
617/*
618 * Prints the event from the header token in either the short, default or raw
619 * form.
620 */
621static void
622print_event(FILE *fp, u_int16_t ev, char raw, char sfrm)
623{
624 char event_ent_name[AU_EVENT_NAME_MAX];
625 char event_ent_desc[AU_EVENT_DESC_MAX];
626 struct au_event_ent e, *ep;
627
628 bzero(&e, sizeof(e));
629 bzero(event_ent_name, sizeof(event_ent_name));
630 bzero(event_ent_desc, sizeof(event_ent_desc));
631 e.ae_name = event_ent_name;
632 e.ae_desc = event_ent_desc;
633
634 ep = getauevnum_r(&e, ev);
635 if (ep == NULL) {
636 fprintf(fp, "%u", ev);
637 return;
638 }
639
640 if (raw)
641 fprintf(fp, "%u", ev);
642 else if (sfrm)
643 fprintf(fp, "%s", e.ae_name);
644 else
645 fprintf(fp, "%s", e.ae_desc);
646}
647
648
649/*
650 * Prints the event modifier from the header token in either the default or
651 * raw form.
652 */
653static void
654print_evmod(FILE *fp, u_int16_t evmod, char raw)
655{
656 if (raw)
657 fprintf(fp, "%u", evmod);
658 else
659 fprintf(fp, "%u", evmod);
660}
661
662/*
663 * Prints seconds in the ctime format.
664 */
665static void
666print_sec32(FILE *fp, u_int32_t sec, char raw)
667{
668 time_t timestamp;
669 char timestr[26];
670
671 if (raw)
672 fprintf(fp, "%u", sec);
673 else {
674 timestamp = (time_t)sec;
675 ctime_r(×tamp, timestr);
676 timestr[24] = '\0'; /* No new line */
677 fprintf(fp, "%s", timestr);
678 }
679}
680
681/*
682 * XXXRW: 64-bit token streams make use of 64-bit time stamps; since we
683 * assume a 32-bit time_t, we simply truncate for now.
684 */
685static void
686print_sec64(FILE *fp, u_int64_t sec, char raw)
687{
688 time_t timestamp;
689 char timestr[26];
690
691 if (raw)
692 fprintf(fp, "%u", (u_int32_t)sec);
693 else {
694 timestamp = (time_t)sec;
695 ctime_r(×tamp, timestr);
696 timestr[24] = '\0'; /* No new line */
697 fprintf(fp, "%s", timestr);
698 }
699}
700
701/*
702 * Prints the excess milliseconds.
703 */
704static void
705print_msec32(FILE *fp, u_int32_t msec, char raw)
706{
707 if (raw)
708 fprintf(fp, "%u", msec);
709 else
710 fprintf(fp, " + %u msec", msec);
711}
712
713/*
714 * XXXRW: 64-bit token streams make use of 64-bit time stamps; since we assume
715 * a 32-bit msec, we simply truncate for now.
716 */
717static void
718print_msec64(FILE *fp, u_int64_t msec, char raw)
719{
720
721 msec &= 0xffffffff;
722 if (raw)
723 fprintf(fp, "%u", (u_int32_t)msec);
724 else
725 fprintf(fp, " + %u msec", (u_int32_t)msec);
726}
727
728/*
729 * Prints a dotted form for the IP address.
730 */
731static void
732print_ip_address(FILE *fp, u_int32_t ip)
733{
734 struct in_addr ipaddr;
735
736 ipaddr.s_addr = ip;
737 fprintf(fp, "%s", inet_ntoa(ipaddr));
738}
739
740/*
741 * Prints a string value for the given ip address.
742 */
743static void
744print_ip_ex_address(FILE *fp, u_int32_t type, u_int32_t *ipaddr)
745{
746 struct in_addr ipv4;
747 struct in6_addr ipv6;
748 char dst[INET6_ADDRSTRLEN];
749
750 switch (type) {
751 case AU_IPv4:
752 ipv4.s_addr = (in_addr_t)(ipaddr[0]);
753 fprintf(fp, "%s", inet_ntop(AF_INET, &ipv4, dst,
754 INET6_ADDRSTRLEN));
755 break;
756
757 case AU_IPv6:
758 bcopy(ipaddr, &ipv6, sizeof(ipv6));
759 fprintf(fp, "%s", inet_ntop(AF_INET6, &ipv6, dst,
760 INET6_ADDRSTRLEN));
761 break;
762
763 default:
764 fprintf(fp, "invalid");
765 }
766}
767
768/*
769 * Prints return value as success or failure.
770 */
771static void
772print_retval(FILE *fp, u_char status, char raw)
773{
774 if (raw)
775 fprintf(fp, "%u", status);
776 else {
777 if (status == 0)
778 fprintf(fp, "success");
779 else
780 fprintf(fp, "failure : %s", strerror(status));
781 }
782}
783
784/*
785 * Prints the exit value.
786 */
787static void
788print_errval(FILE *fp, u_int32_t val)
789{
790
791 fprintf(fp, "Error %u", val);
792}
793
794/*
795 * Prints IPC type.
796 */
797static void
798print_ipctype(FILE *fp, u_char type, char raw)
799{
800 if (raw)
801 fprintf(fp, "%u", type);
802 else {
803 if (type == AT_IPC_MSG)
804 fprintf(fp, "Message IPC");
805 else if (type == AT_IPC_SEM)
806 fprintf(fp, "Semaphore IPC");
807 else if (type == AT_IPC_SHM)
808 fprintf(fp, "Shared Memory IPC");
809 else
810 fprintf(fp, "%u", type);
811 }
812}
813
814/*
815 * Print XML header.
816 */
817void
818au_print_xml_header(FILE *outfp)
819{
820
821 fprintf(outfp, "<?xml version='1.0' ?>\n");
822 fprintf(outfp, "<audit>\n");
823}
824
825/*
826 * Print XML footer.
827 */
828void
829au_print_xml_footer(FILE *outfp)
830{
831
832 fprintf(outfp, "</audit>\n");
833}
834
835/*
836 * record byte count 4 bytes
837 * version # 1 byte [2]
838 * event type 2 bytes
839 * event modifier 2 bytes
840 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value)
841 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value)
842 */
843static int
844fetch_header32_tok(tokenstr_t *tok, u_char *buf, int len)
845{
846 int err = 0;
847
848 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.size, tok->len, err);
849 if (err)
850 return (-1);
851
852 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr32.version, tok->len, err);
853 if (err)
854 return (-1);
855
856 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32.e_type, tok->len, err);
857 if (err)
858 return (-1);
859
860 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32.e_mod, tok->len, err);
861 if (err)
862 return (-1);
863
864 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.s, tok->len, err);
865 if (err)
866 return (-1);
867
868 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.ms, tok->len, err);
869 if (err)
870 return (-1);
871
872 return (0);
873}
874
875static void
876print_header32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm,
877 int xml)
878{
879
880 print_tok_type(fp, tok->id, "header", raw, xml);
881 if (xml) {
882 open_attr(fp, "version");
883 print_1_byte(fp, tok->tt.hdr32.version, "%u");
884 close_attr(fp);
885 open_attr(fp, "event");
886 print_event(fp, tok->tt.hdr32.e_type, raw, sfrm);
887 close_attr(fp);
888 open_attr(fp, "modifier");
889 print_evmod(fp, tok->tt.hdr32.e_mod, raw);
890 close_attr(fp);
891 open_attr(fp, "time");
892 print_sec32(fp, tok->tt.hdr32.s, raw);
893 close_attr(fp);
894 open_attr(fp, "msec");
895 print_msec32(fp, tok->tt.hdr32.ms, 1);
896 close_attr(fp);
897 close_tag(fp, tok->id);
898 } else {
899 print_delim(fp, del);
900 print_4_bytes(fp, tok->tt.hdr32.size, "%u");
901 print_delim(fp, del);
902 print_1_byte(fp, tok->tt.hdr32.version, "%u");
903 print_delim(fp, del);
904 print_event(fp, tok->tt.hdr32.e_type, raw, sfrm);
905 print_delim(fp, del);
906 print_evmod(fp, tok->tt.hdr32.e_mod, raw);
907 print_delim(fp, del);
908 print_sec32(fp, tok->tt.hdr32.s, raw);
909 print_delim(fp, del);
910 print_msec32(fp, tok->tt.hdr32.ms, raw);
911 }
912}
913
914/*
915 * The Solaris specifications for AUE_HEADER32_EX seem to differ a bit
916 * depending on the bit of the specifications found. The OpenSolaris source
917 * code uses a 4-byte address length, followed by some number of bytes of
918 * address data. This contrasts with the Solaris audit.log.5 man page, which
919 * specifies a 1-byte length field. We use the Solaris 10 definition so that
920 * we can parse audit trails from that system.
921 *
922 * record byte count 4 bytes
923 * version # 1 byte [2]
924 * event type 2 bytes
925 * event modifier 2 bytes
926 * address type/length 4 bytes
927 * [ Solaris man page: address type/length 1 byte]
928 * machine address 4 bytes/16 bytes (IPv4/IPv6 address)
929 * seconds of time 4 bytes/8 bytes (32/64-bits)
930 * nanoseconds of time 4 bytes/8 bytes (32/64-bits)
931 */
932static int
933fetch_header32_ex_tok(tokenstr_t *tok, u_char *buf, int len)
934{
935 int err = 0;
936
937 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.size, tok->len, err);
938 if (err)
939 return (-1);
940
941 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr32_ex.version, tok->len, err);
942 if (err)
943 return (-1);
944
945 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32_ex.e_type, tok->len, err);
946 if (err)
947 return (-1);
948
949 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32_ex.e_mod, tok->len, err);
950 if (err)
951 return (-1);
952
953 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.ad_type, tok->len, err);
954 if (err)
955 return (-1);
956
957 bzero(tok->tt.hdr32_ex.addr, sizeof(tok->tt.hdr32_ex.addr));
958 switch (tok->tt.hdr32_ex.ad_type) {
959 case AU_IPv4:
960 READ_TOKEN_BYTES(buf, len, &tok->tt.hdr32_ex.addr[0],
961 sizeof(tok->tt.hdr32_ex.addr[0]), tok->len, err);
962 if (err)
963 return (-1);
964 break;
965
966 case AU_IPv6:
967 READ_TOKEN_BYTES(buf, len, tok->tt.hdr32_ex.addr,
968 sizeof(tok->tt.hdr32_ex.addr), tok->len, err);
969 break;
970 }
971
972 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.s, tok->len, err);
973 if (err)
974 return (-1);
975
976 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.ms, tok->len, err);
977 if (err)
978 return (-1);
979
980 return (0);
981}
982
983static void
984print_header32_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
985 char sfrm, int xml)
986{
987
988 print_tok_type(fp, tok->id, "header_ex", raw, xml);
989 if (xml) {
990 open_attr(fp, "version");
991 print_1_byte(fp, tok->tt.hdr32_ex.version, "%u");
992 close_attr(fp);
993 open_attr(fp, "event");
994 print_event(fp, tok->tt.hdr32_ex.e_type, raw, sfrm);
995 close_attr(fp);
996 open_attr(fp, "modifier");
997 print_evmod(fp, tok->tt.hdr32_ex.e_mod, raw);
998 close_attr(fp);
999 /*
1000 * No attribute for additional types.
1001 *
1002 print_ip_ex_address(fp, tok->tt.hdr32_ex.ad_type,
1003 tok->tt.hdr32_ex.addr);
1004 */
1005 open_attr(fp, "time");
1006 print_sec32(fp, tok->tt.hdr32_ex.s, raw);
1007 close_attr(fp);
1008 open_attr(fp, "msec");
1009 print_msec32(fp, tok->tt.hdr32_ex.ms, raw);
1010 close_attr(fp);
1011 close_tag(fp, tok->id);
1012 } else {
1013 print_delim(fp, del);
1014 print_4_bytes(fp, tok->tt.hdr32_ex.size, "%u");
1015 print_delim(fp, del);
1016 print_1_byte(fp, tok->tt.hdr32_ex.version, "%u");
1017 print_delim(fp, del);
1018 print_event(fp, tok->tt.hdr32_ex.e_type, raw, sfrm);
1019 print_delim(fp, del);
1020 print_evmod(fp, tok->tt.hdr32_ex.e_mod, raw);
1021 print_delim(fp, del);
1022 print_ip_ex_address(fp, tok->tt.hdr32_ex.ad_type,
1023 tok->tt.hdr32_ex.addr);
1024 print_delim(fp, del);
1025 print_sec32(fp, tok->tt.hdr32_ex.s, raw);
1026 print_delim(fp, del);
1027 print_msec32(fp, tok->tt.hdr32_ex.ms, raw);
1028 }
1029}
1030
1031/*
1032 * record byte count 4 bytes
1033 * event type 2 bytes
1034 * event modifier 2 bytes
1035 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value)
1036 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value)
1037 * version #
1038 */
1039static int
1040fetch_header64_tok(tokenstr_t *tok, u_char *buf, int len)
1041{
1042 int err = 0;
1043
1044 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64.size, tok->len, err);
1045 if (err)
1046 return (-1);
1047
1048 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr64.version, tok->len, err);
1049 if (err)
1050 return (-1);
1051
1052 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64.e_type, tok->len, err);
1053 if (err)
1054 return (-1);
1055
1056 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64.e_mod, tok->len, err);
1057 if (err)
1058 return (-1);
1059
1060 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64.s, tok->len, err);
1061 if (err)
1062 return (-1);
1063
1064 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64.ms, tok->len, err);
1065 if (err)
1066 return (-1);
1067
1068 return (0);
1069}
1070
1071static void
1072print_header64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm,
1073 int xml)
1074{
1075
1076 print_tok_type(fp, tok->id, "header", raw, xml);
1077 if (xml) {
1078 open_attr(fp, "version");
1079 print_1_byte(fp, tok->tt.hdr64.version, "%u");
1080 close_attr(fp);
1081 open_attr(fp, "event");
1082 print_event(fp, tok->tt.hdr64.e_type, raw, sfrm);
1083 close_attr(fp);
1084 open_attr(fp, "modifier");
1085 print_evmod(fp, tok->tt.hdr64.e_mod, raw);
1086 close_attr(fp);
1087 open_attr(fp, "time");
1088 print_sec64(fp, tok->tt.hdr64.s, raw);
1089 close_attr(fp);
1090 open_attr(fp, "msec");
1091 print_msec64(fp, tok->tt.hdr64.ms, raw);
1092 close_attr(fp);
1093 close_tag(fp, tok->id);
1094 } else {
1095 print_delim(fp, del);
1096 print_4_bytes(fp, tok->tt.hdr64.size, "%u");
1097 print_delim(fp, del);
1098 print_1_byte(fp, tok->tt.hdr64.version, "%u");
1099 print_delim(fp, del);
1100 print_event(fp, tok->tt.hdr64.e_type, raw, sfrm);
1101 print_delim(fp, del);
1102 print_evmod(fp, tok->tt.hdr64.e_mod, raw);
1103 print_delim(fp, del);
1104 print_sec64(fp, tok->tt.hdr64.s, raw);
1105 print_delim(fp, del);
1106 print_msec64(fp, tok->tt.hdr64.ms, raw);
1107 }
1108}
1109
1110/*
1111 * record byte count 4 bytes
1112 * version # 1 byte [2]
1113 * event type 2 bytes
1114 * event modifier 2 bytes
1115 * address type/length 4 bytes
1116 * [ Solaris man page: address type/length 1 byte]
1117 * machine address 4 bytes/16 bytes (IPv4/IPv6 address)
1118 * seconds of time 4 bytes/8 bytes (32/64-bits)
1119 * nanoseconds of time 4 bytes/8 bytes (32/64-bits)
1120 *
1121 * XXXAUDIT: See comment by fetch_header32_ex_tok() for details on the
1122 * accuracy of the BSM spec.
1123 */
1124static int
1125fetch_header64_ex_tok(tokenstr_t *tok, u_char *buf, int len)
1126{
1127 int err = 0;
1128
1129 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64_ex.size, tok->len, err);
1130 if (err)
1131 return (-1);
1132
1133 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr64_ex.version, tok->len, err);
1134 if (err)
1135 return (-1);
1136
1137 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64_ex.e_type, tok->len, err);
1138 if (err)
1139 return (-1);
1140
1141 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64_ex.e_mod, tok->len, err);
1142 if (err)
1143 return (-1);
1144
1145 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64_ex.ad_type, tok->len, err);
1146 if (err)
1147 return (-1);
1148
1149 bzero(tok->tt.hdr64_ex.addr, sizeof(tok->tt.hdr64_ex.addr));
1150 switch (tok->tt.hdr64_ex.ad_type) {
1151 case AU_IPv4:
1152 READ_TOKEN_BYTES(buf, len, &tok->tt.hdr64_ex.addr[0],
1153 sizeof(tok->tt.hdr64_ex.addr[0]), tok->len, err);
1154 if (err)
1155 return (-1);
1156 break;
1157
1158 case AU_IPv6:
1159 READ_TOKEN_BYTES(buf, len, tok->tt.hdr64_ex.addr,
1160 sizeof(tok->tt.hdr64_ex.addr), tok->len, err);
1161 break;
1162 }
1163
1164 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64_ex.s, tok->len, err);
1165 if (err)
1166 return (-1);
1167
1168 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64_ex.ms, tok->len, err);
1169 if (err)
1170 return (-1);
1171
1172 return (0);
1173}
1174
1175static void
1176print_header64_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1177 char sfrm, int xml)
1178{
1179
1180 print_tok_type(fp, tok->id, "header_ex", raw, xml);
1181 if (xml) {
1182 open_attr(fp, "version");
1183 print_1_byte(fp, tok->tt.hdr64_ex.version, "%u");
1184 close_attr(fp);
1185 open_attr(fp, "event");
1186 print_event(fp, tok->tt.hdr64_ex.e_type, raw, sfrm);
1187 close_attr(fp);
1188 open_attr(fp, "modifier");
1189 print_evmod(fp, tok->tt.hdr64_ex.e_mod, raw);
1190 close_attr(fp);
1191 /*
1192 * No attribute for additional types.
1193 *
1194 print_ip_ex_address(fp, tok->tt.hdr64_ex.ad_type,
1195 tok->tt.hdr64_ex.addr);
1196 */
1197 open_attr(fp, "time");
1198 print_sec64(fp, tok->tt.hdr64_ex.s, raw);
1199 close_attr(fp);
1200 open_attr(fp, "msec");
1201 print_msec64(fp, tok->tt.hdr64_ex.ms, raw);
1202 close_attr(fp);
1203 close_tag(fp, tok->id);
1204 } else {
1205 print_delim(fp, del);
1206 print_4_bytes(fp, tok->tt.hdr64_ex.size, "%u");
1207 print_delim(fp, del);
1208 print_1_byte(fp, tok->tt.hdr64_ex.version, "%u");
1209 print_delim(fp, del);
1210 print_event(fp, tok->tt.hdr64_ex.e_type, raw, sfrm);
1211 print_delim(fp, del);
1212 print_evmod(fp, tok->tt.hdr64_ex.e_mod, raw);
1213 print_delim(fp, del);
1214 print_ip_ex_address(fp, tok->tt.hdr64_ex.ad_type,
1215 tok->tt.hdr64_ex.addr);
1216 print_delim(fp, del);
1217 print_sec64(fp, tok->tt.hdr64_ex.s, raw);
1218 print_delim(fp, del);
1219 print_msec64(fp, tok->tt.hdr64_ex.ms, raw);
1220 }
1221}
1222
1223/*
1224 * trailer magic 2 bytes
1225 * record size 4 bytes
1226 */
1227static int
1228fetch_trailer_tok(tokenstr_t *tok, u_char *buf, int len)
1229{
1230 int err = 0;
1231
1232 READ_TOKEN_U_INT16(buf, len, tok->tt.trail.magic, tok->len, err);
1233 if (err)
1234 return (-1);
1235
1236 READ_TOKEN_U_INT32(buf, len, tok->tt.trail.count, tok->len, err);
1237 if (err)
1238 return (-1);
1239
1240 return (0);
1241}
1242
1243static void
1244print_trailer_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1245 __unused char sfrm, int xml)
1246{
1247
1248 print_tok_type(fp, tok->id, "trailer", raw, xml);
1249 if (!xml) {
1250 print_delim(fp, del);
1251 print_4_bytes(fp, tok->tt.trail.count, "%u");
1252 }
1253}
1254
1255/*
1256 * argument # 1 byte
1257 * argument value 4 bytes/8 bytes (32-bit/64-bit value)
1258 * text length 2 bytes
1259 * text N bytes + 1 terminating NULL byte
1260 */
1261static int
1262fetch_arg32_tok(tokenstr_t *tok, u_char *buf, int len)
1263{
1264 int err = 0;
1265
1266 READ_TOKEN_U_CHAR(buf, len, tok->tt.arg32.no, tok->len, err);
1267 if (err)
1268 return (-1);
1269
1270 READ_TOKEN_U_INT32(buf, len, tok->tt.arg32.val, tok->len, err);
1271 if (err)
1272 return (-1);
1273
1274 READ_TOKEN_U_INT16(buf, len, tok->tt.arg32.len, tok->len, err);
1275 if (err)
1276 return (-1);
1277
1278 SET_PTR((char*)buf, len, tok->tt.arg32.text, tok->tt.arg32.len,
1279 tok->len, err);
1280 if (err)
1281 return (-1);
1282
1283 return (0);
1284}
1285
1286static void
1287print_arg32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1288 __unused char sfrm, int xml)
1289{
1290
1291 print_tok_type(fp, tok->id, "argument", raw, xml);
1292 if (xml) {
1293 open_attr(fp, "arg-num");
1294 print_1_byte(fp, tok->tt.arg32.no, "%u");
1295 close_attr(fp);
1296 open_attr(fp, "value");
1297 print_4_bytes(fp, tok->tt.arg32.val, "0x%x");
1298 close_attr(fp);
1299 open_attr(fp, "desc");
1300 print_string(fp, tok->tt.arg32.text, tok->tt.arg32.len);
1301 close_attr(fp);
1302 close_tag(fp, tok->id);
1303 } else {
1304 print_delim(fp, del);
1305 print_1_byte(fp, tok->tt.arg32.no, "%u");
1306 print_delim(fp, del);
1307 print_4_bytes(fp, tok->tt.arg32.val, "0x%x");
1308 print_delim(fp, del);
| 36 */
37
38#include <sys/types.h>
39
40#include <config/config.h>
41#ifdef HAVE_SYS_ENDIAN_H
42#include <sys/endian.h>
43#else /* !HAVE_SYS_ENDIAN_H */
44#ifdef HAVE_MACHINE_ENDIAN_H
45#include <machine/endian.h>
46#else /* !HAVE_MACHINE_ENDIAN_H */
47#ifdef HAVE_ENDIAN_H
48#include <endian.h>
49#else /* !HAVE_ENDIAN_H */
50#error "No supported endian.h"
51#endif /* !HAVE_ENDIAN_H */
52#endif /* !HAVE_MACHINE_ENDIAN_H */
53#include <compat/endian.h>
54#endif /* !HAVE_SYS_ENDIAN_H */
55#ifdef HAVE_FULL_QUEUE_H
56#include <sys/queue.h>
57#else /* !HAVE_FULL_QUEUE_H */
58#include <compat/queue.h>
59#endif /* !HAVE_FULL_QUEUE_H */
60
61#include <sys/stat.h>
62#include <sys/socket.h>
63
64#include <bsm/libbsm.h>
65
66#include <unistd.h>
67#include <netinet/in.h>
68#include <arpa/inet.h>
69#include <errno.h>
70#include <time.h>
71#include <stdlib.h>
72#include <stdio.h>
73#include <string.h>
74#include <pwd.h>
75#include <grp.h>
76
77#include <bsm/audit_internal.h>
78
79#define READ_TOKEN_BYTES(buf, len, dest, size, bytesread, err) do { \
80 if (bytesread + size > len) { \
81 err = 1; \
82 } else { \
83 memcpy(dest, buf + bytesread, size); \
84 bytesread += size; \
85 } \
86} while (0)
87
88#define READ_TOKEN_U_CHAR(buf, len, dest, bytesread, err) do { \
89 if (bytesread + sizeof(u_char) <= len) { \
90 dest = buf[bytesread]; \
91 bytesread += sizeof(u_char); \
92 } else \
93 err = 1; \
94} while (0)
95
96#define READ_TOKEN_U_INT16(buf, len, dest, bytesread, err) do { \
97 if (bytesread + sizeof(u_int16_t) <= len) { \
98 dest = be16dec(buf + bytesread); \
99 bytesread += sizeof(u_int16_t); \
100 } else \
101 err = 1; \
102} while (0)
103
104#define READ_TOKEN_U_INT32(buf, len, dest, bytesread, err) do { \
105 if (bytesread + sizeof(u_int32_t) <= len) { \
106 dest = be32dec(buf + bytesread); \
107 bytesread += sizeof(u_int32_t); \
108 } else \
109 err = 1; \
110} while (0)
111
112#define READ_TOKEN_U_INT64(buf, len, dest, bytesread, err) do { \
113 if (bytesread + sizeof(u_int64_t) <= len) { \
114 dest = be64dec(buf + bytesread); \
115 bytesread += sizeof(u_int64_t); \
116 } else \
117 err = 1; \
118} while (0)
119
120#define SET_PTR(buf, len, ptr, size, bytesread, err) do { \
121 if ((bytesread) + (size) > (len)) \
122 (err) = 1; \
123 else { \
124 (ptr) = (buf) + (bytesread); \
125 (bytesread) += (size); \
126 } \
127} while (0)
128
129/*
130 * XML option.
131 */
132#define AU_PLAIN 0
133#define AU_XML 1
134
135/*
136 * Prints the delimiter string.
137 */
138static void
139print_delim(FILE *fp, const char *del)
140{
141
142 fprintf(fp, "%s", del);
143}
144
145/*
146 * Prints a single byte in the given format.
147 */
148static void
149print_1_byte(FILE *fp, u_char val, const char *format)
150{
151
152 fprintf(fp, format, val);
153}
154
155/*
156 * Print 2 bytes in the given format.
157 */
158static void
159print_2_bytes(FILE *fp, u_int16_t val, const char *format)
160{
161
162 fprintf(fp, format, val);
163}
164
165/*
166 * Prints 4 bytes in the given format.
167 */
168static void
169print_4_bytes(FILE *fp, u_int32_t val, const char *format)
170{
171
172 fprintf(fp, format, val);
173}
174
175/*
176 * Prints 8 bytes in the given format.
177 */
178static void
179print_8_bytes(FILE *fp, u_int64_t val, const char *format)
180{
181
182 fprintf(fp, format, val);
183}
184
185/*
186 * Prints the given size of data bytes in hex.
187 */
188static void
189print_mem(FILE *fp, u_char *data, size_t len)
190{
191 int i;
192
193 if (len > 0) {
194 fprintf(fp, "0x");
195 for (i = 0; i < len; i++)
196 fprintf(fp, "%x", data[i]);
197 }
198}
199
200/*
201 * Prints the given data bytes as a string.
202 */
203static void
204print_string(FILE *fp, const char *str, size_t len)
205{
206 int i;
207
208 if (len > 0) {
209 for (i = 0; i < len; i++) {
210 if (str[i] != '\0')
211 fprintf(fp, "%c", str[i]);
212 }
213 }
214}
215
216/*
217 * Prints the beggining of attribute.
218 */
219static void
220open_attr(FILE *fp, const char *str)
221{
222
223 fprintf(fp,"%s=\"", str);
224}
225
226/*
227 * Prints the end of attribute.
228 */
229static void
230close_attr(FILE *fp)
231{
232
233 fprintf(fp,"\" ");
234}
235
236/*
237 * Prints the end of tag.
238 */
239static void
240close_tag(FILE *fp, u_char type)
241{
242
243 switch(type) {
244 case AUT_HEADER32:
245 fprintf(fp, ">");
246 break;
247
248 case AUT_HEADER32_EX:
249 fprintf(fp, ">");
250 break;
251
252 case AUT_HEADER64:
253 fprintf(fp, ">");
254 break;
255
256 case AUT_HEADER64_EX:
257 fprintf(fp, ">");
258 break;
259
260 case AUT_ARG32:
261 fprintf(fp, "/>");
262 break;
263
264 case AUT_ARG64:
265 fprintf(fp, "/>");
266 break;
267
268 case AUT_ATTR32:
269 fprintf(fp, "/>");
270 break;
271
272 case AUT_ATTR64:
273 fprintf(fp, "/>");
274 break;
275
276 case AUT_EXIT:
277 fprintf(fp, "/>");
278 break;
279
280 case AUT_EXEC_ARGS:
281 fprintf(fp, "</exec_args>");
282 break;
283
284 case AUT_EXEC_ENV:
285 fprintf(fp, "</exec_env>");
286 break;
287
288 case AUT_OTHER_FILE32:
289 fprintf(fp, "</file>");
290 break;
291
292 case AUT_NEWGROUPS:
293 fprintf(fp, "</group>");
294 break;
295
296 case AUT_IN_ADDR:
297 fprintf(fp, "</ip_address>");
298 break;
299
300 case AUT_IN_ADDR_EX:
301 fprintf(fp, "</ip_address>");
302 break;
303
304 case AUT_IP:
305 fprintf(fp, "/>");
306 break;
307
308 case AUT_IPC:
309 fprintf(fp, "/>");
310 break;
311
312 case AUT_IPC_PERM:
313 fprintf(fp, "/>");
314 break;
315
316 case AUT_IPORT:
317 fprintf(fp, "</ip_port>");
318 break;
319
320 case AUT_OPAQUE:
321 fprintf(fp, "</opaque>");
322 break;
323
324 case AUT_PATH:
325 fprintf(fp, "</path>");
326 break;
327
328 case AUT_PROCESS32:
329 fprintf(fp, "/>");
330 break;
331
332 case AUT_PROCESS32_EX:
333 fprintf(fp, "/>");
334 break;
335
336 case AUT_PROCESS64:
337 fprintf(fp, "/>");
338 break;
339
340 case AUT_PROCESS64_EX:
341 fprintf(fp, "/>");
342 break;
343
344 case AUT_RETURN32:
345 fprintf(fp, "/>");
346 break;
347
348 case AUT_RETURN64:
349 fprintf(fp, "/>");
350 break;
351
352 case AUT_SEQ:
353 fprintf(fp, "/>");
354 break;
355
356 case AUT_SOCKET:
357 fprintf(fp, "/>");
358 break;
359
360 case AUT_SOCKINET32:
361 fprintf(fp, "/>");
362 break;
363
364 case AUT_SOCKUNIX:
365 fprintf(fp, "/>");
366 break;
367
368 case AUT_SUBJECT32:
369 fprintf(fp, "/>");
370 break;
371
372 case AUT_SUBJECT64:
373 fprintf(fp, "/>");
374 break;
375
376 case AUT_SUBJECT32_EX:
377 fprintf(fp, "/>");
378 break;
379
380 case AUT_SUBJECT64_EX:
381 fprintf(fp, "/>");
382 break;
383
384 case AUT_TEXT:
385 fprintf(fp, "</text>");
386 break;
387
388 case AUT_SOCKET_EX:
389 fprintf(fp, "/>");
390 break;
391
392 case AUT_DATA:
393 fprintf(fp, "</arbitrary>");
394 break;
395
396 case AUT_ZONENAME:
397 fprintf(fp, "/>");
398 break;
399 }
400}
401
402/*
403 * Prints the token type in either the raw or the default form.
404 */
405static void
406print_tok_type(FILE *fp, u_char type, const char *tokname, char raw, int xml)
407{
408
409 if (xml) {
410 switch(type) {
411 case AUT_HEADER32:
412 fprintf(fp, "<record ");
413 break;
414
415 case AUT_HEADER32_EX:
416 fprintf(fp, "<record ");
417 break;
418
419 case AUT_HEADER64:
420 fprintf(fp, "<record ");
421 break;
422
423 case AUT_HEADER64_EX:
424 fprintf(fp, "<record ");
425 break;
426
427 case AUT_TRAILER:
428 fprintf(fp, "</record>");
429 break;
430
431 case AUT_ARG32:
432 fprintf(fp, "<argument ");
433 break;
434
435 case AUT_ARG64:
436 fprintf(fp, "<argument ");
437 break;
438
439 case AUT_ATTR32:
440 fprintf(fp, "<attribute ");
441 break;
442
443 case AUT_ATTR64:
444 fprintf(fp, "<attribute ");
445 break;
446
447 case AUT_EXIT:
448 fprintf(fp, "<exit ");
449 break;
450
451 case AUT_EXEC_ARGS:
452 fprintf(fp, "<exec_args>");
453 break;
454
455 case AUT_EXEC_ENV:
456 fprintf(fp, "<exec_env>");
457 break;
458
459 case AUT_OTHER_FILE32:
460 fprintf(fp, "<file ");
461 break;
462
463 case AUT_NEWGROUPS:
464 fprintf(fp, "<group>");
465 break;
466
467 case AUT_IN_ADDR:
468 fprintf(fp, "<ip_address>");
469 break;
470
471 case AUT_IN_ADDR_EX:
472 fprintf(fp, "<ip_address>");
473 break;
474
475 case AUT_IP:
476 fprintf(fp, "<ip ");
477 break;
478
479 case AUT_IPC:
480 fprintf(fp, "<IPC");
481 break;
482
483 case AUT_IPC_PERM:
484 fprintf(fp, "<IPC_perm ");
485 break;
486
487 case AUT_IPORT:
488 fprintf(fp, "<ip_port>");
489 break;
490
491 case AUT_OPAQUE:
492 fprintf(fp, "<opaque>");
493 break;
494
495 case AUT_PATH:
496 fprintf(fp, "<path>");
497 break;
498
499 case AUT_PROCESS32:
500 fprintf(fp, "<process ");
501 break;
502
503 case AUT_PROCESS32_EX:
504 fprintf(fp, "<process ");
505 break;
506
507 case AUT_PROCESS64:
508 fprintf(fp, "<process ");
509 break;
510
511 case AUT_PROCESS64_EX:
512 fprintf(fp, "<process ");
513 break;
514
515 case AUT_RETURN32:
516 fprintf(fp, "<return ");
517 break;
518
519 case AUT_RETURN64:
520 fprintf(fp, "<return ");
521 break;
522
523 case AUT_SEQ:
524 fprintf(fp, "<sequence ");
525 break;
526
527 case AUT_SOCKET:
528 fprintf(fp, "<socket ");
529 break;
530
531 case AUT_SOCKINET32:
532 fprintf(fp, "<old_socket");
533 break;
534
535 case AUT_SOCKUNIX:
536 fprintf(fp, "<old_socket");
537 break;
538
539 case AUT_SUBJECT32:
540 fprintf(fp, "<subject ");
541 break;
542
543 case AUT_SUBJECT64:
544 fprintf(fp, "<subject ");
545 break;
546
547 case AUT_SUBJECT32_EX:
548 fprintf(fp, "<subject ");
549 break;
550
551 case AUT_SUBJECT64_EX:
552 fprintf(fp, "<subject ");
553 break;
554
555 case AUT_TEXT:
556 fprintf(fp, "<text>");
557 break;
558
559 case AUT_SOCKET_EX:
560 fprintf(fp, "<socket ");
561 break;
562
563 case AUT_DATA:
564 fprintf(fp, "<arbitrary ");
565 break;
566
567 case AUT_ZONENAME:
568 fprintf(fp, "<zone ");
569 break;
570 }
571 } else {
572 if (raw)
573 fprintf(fp, "%u", type);
574 else
575 fprintf(fp, "%s", tokname);
576 }
577}
578
579/*
580 * Prints a user value.
581 */
582static void
583print_user(FILE *fp, u_int32_t usr, char raw)
584{
585 struct passwd *pwent;
586
587 if (raw)
588 fprintf(fp, "%d", usr);
589 else {
590 pwent = getpwuid(usr);
591 if (pwent != NULL)
592 fprintf(fp, "%s", pwent->pw_name);
593 else
594 fprintf(fp, "%d", usr);
595 }
596}
597
598/*
599 * Prints a group value.
600 */
601static void
602print_group(FILE *fp, u_int32_t grp, char raw)
603{
604 struct group *grpent;
605
606 if (raw)
607 fprintf(fp, "%d", grp);
608 else {
609 grpent = getgrgid(grp);
610 if (grpent != NULL)
611 fprintf(fp, "%s", grpent->gr_name);
612 else
613 fprintf(fp, "%d", grp);
614 }
615}
616
617/*
618 * Prints the event from the header token in either the short, default or raw
619 * form.
620 */
621static void
622print_event(FILE *fp, u_int16_t ev, char raw, char sfrm)
623{
624 char event_ent_name[AU_EVENT_NAME_MAX];
625 char event_ent_desc[AU_EVENT_DESC_MAX];
626 struct au_event_ent e, *ep;
627
628 bzero(&e, sizeof(e));
629 bzero(event_ent_name, sizeof(event_ent_name));
630 bzero(event_ent_desc, sizeof(event_ent_desc));
631 e.ae_name = event_ent_name;
632 e.ae_desc = event_ent_desc;
633
634 ep = getauevnum_r(&e, ev);
635 if (ep == NULL) {
636 fprintf(fp, "%u", ev);
637 return;
638 }
639
640 if (raw)
641 fprintf(fp, "%u", ev);
642 else if (sfrm)
643 fprintf(fp, "%s", e.ae_name);
644 else
645 fprintf(fp, "%s", e.ae_desc);
646}
647
648
649/*
650 * Prints the event modifier from the header token in either the default or
651 * raw form.
652 */
653static void
654print_evmod(FILE *fp, u_int16_t evmod, char raw)
655{
656 if (raw)
657 fprintf(fp, "%u", evmod);
658 else
659 fprintf(fp, "%u", evmod);
660}
661
662/*
663 * Prints seconds in the ctime format.
664 */
665static void
666print_sec32(FILE *fp, u_int32_t sec, char raw)
667{
668 time_t timestamp;
669 char timestr[26];
670
671 if (raw)
672 fprintf(fp, "%u", sec);
673 else {
674 timestamp = (time_t)sec;
675 ctime_r(×tamp, timestr);
676 timestr[24] = '\0'; /* No new line */
677 fprintf(fp, "%s", timestr);
678 }
679}
680
681/*
682 * XXXRW: 64-bit token streams make use of 64-bit time stamps; since we
683 * assume a 32-bit time_t, we simply truncate for now.
684 */
685static void
686print_sec64(FILE *fp, u_int64_t sec, char raw)
687{
688 time_t timestamp;
689 char timestr[26];
690
691 if (raw)
692 fprintf(fp, "%u", (u_int32_t)sec);
693 else {
694 timestamp = (time_t)sec;
695 ctime_r(×tamp, timestr);
696 timestr[24] = '\0'; /* No new line */
697 fprintf(fp, "%s", timestr);
698 }
699}
700
701/*
702 * Prints the excess milliseconds.
703 */
704static void
705print_msec32(FILE *fp, u_int32_t msec, char raw)
706{
707 if (raw)
708 fprintf(fp, "%u", msec);
709 else
710 fprintf(fp, " + %u msec", msec);
711}
712
713/*
714 * XXXRW: 64-bit token streams make use of 64-bit time stamps; since we assume
715 * a 32-bit msec, we simply truncate for now.
716 */
717static void
718print_msec64(FILE *fp, u_int64_t msec, char raw)
719{
720
721 msec &= 0xffffffff;
722 if (raw)
723 fprintf(fp, "%u", (u_int32_t)msec);
724 else
725 fprintf(fp, " + %u msec", (u_int32_t)msec);
726}
727
728/*
729 * Prints a dotted form for the IP address.
730 */
731static void
732print_ip_address(FILE *fp, u_int32_t ip)
733{
734 struct in_addr ipaddr;
735
736 ipaddr.s_addr = ip;
737 fprintf(fp, "%s", inet_ntoa(ipaddr));
738}
739
740/*
741 * Prints a string value for the given ip address.
742 */
743static void
744print_ip_ex_address(FILE *fp, u_int32_t type, u_int32_t *ipaddr)
745{
746 struct in_addr ipv4;
747 struct in6_addr ipv6;
748 char dst[INET6_ADDRSTRLEN];
749
750 switch (type) {
751 case AU_IPv4:
752 ipv4.s_addr = (in_addr_t)(ipaddr[0]);
753 fprintf(fp, "%s", inet_ntop(AF_INET, &ipv4, dst,
754 INET6_ADDRSTRLEN));
755 break;
756
757 case AU_IPv6:
758 bcopy(ipaddr, &ipv6, sizeof(ipv6));
759 fprintf(fp, "%s", inet_ntop(AF_INET6, &ipv6, dst,
760 INET6_ADDRSTRLEN));
761 break;
762
763 default:
764 fprintf(fp, "invalid");
765 }
766}
767
768/*
769 * Prints return value as success or failure.
770 */
771static void
772print_retval(FILE *fp, u_char status, char raw)
773{
774 if (raw)
775 fprintf(fp, "%u", status);
776 else {
777 if (status == 0)
778 fprintf(fp, "success");
779 else
780 fprintf(fp, "failure : %s", strerror(status));
781 }
782}
783
784/*
785 * Prints the exit value.
786 */
787static void
788print_errval(FILE *fp, u_int32_t val)
789{
790
791 fprintf(fp, "Error %u", val);
792}
793
794/*
795 * Prints IPC type.
796 */
797static void
798print_ipctype(FILE *fp, u_char type, char raw)
799{
800 if (raw)
801 fprintf(fp, "%u", type);
802 else {
803 if (type == AT_IPC_MSG)
804 fprintf(fp, "Message IPC");
805 else if (type == AT_IPC_SEM)
806 fprintf(fp, "Semaphore IPC");
807 else if (type == AT_IPC_SHM)
808 fprintf(fp, "Shared Memory IPC");
809 else
810 fprintf(fp, "%u", type);
811 }
812}
813
814/*
815 * Print XML header.
816 */
817void
818au_print_xml_header(FILE *outfp)
819{
820
821 fprintf(outfp, "<?xml version='1.0' ?>\n");
822 fprintf(outfp, "<audit>\n");
823}
824
825/*
826 * Print XML footer.
827 */
828void
829au_print_xml_footer(FILE *outfp)
830{
831
832 fprintf(outfp, "</audit>\n");
833}
834
835/*
836 * record byte count 4 bytes
837 * version # 1 byte [2]
838 * event type 2 bytes
839 * event modifier 2 bytes
840 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value)
841 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value)
842 */
843static int
844fetch_header32_tok(tokenstr_t *tok, u_char *buf, int len)
845{
846 int err = 0;
847
848 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.size, tok->len, err);
849 if (err)
850 return (-1);
851
852 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr32.version, tok->len, err);
853 if (err)
854 return (-1);
855
856 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32.e_type, tok->len, err);
857 if (err)
858 return (-1);
859
860 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32.e_mod, tok->len, err);
861 if (err)
862 return (-1);
863
864 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.s, tok->len, err);
865 if (err)
866 return (-1);
867
868 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.ms, tok->len, err);
869 if (err)
870 return (-1);
871
872 return (0);
873}
874
875static void
876print_header32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm,
877 int xml)
878{
879
880 print_tok_type(fp, tok->id, "header", raw, xml);
881 if (xml) {
882 open_attr(fp, "version");
883 print_1_byte(fp, tok->tt.hdr32.version, "%u");
884 close_attr(fp);
885 open_attr(fp, "event");
886 print_event(fp, tok->tt.hdr32.e_type, raw, sfrm);
887 close_attr(fp);
888 open_attr(fp, "modifier");
889 print_evmod(fp, tok->tt.hdr32.e_mod, raw);
890 close_attr(fp);
891 open_attr(fp, "time");
892 print_sec32(fp, tok->tt.hdr32.s, raw);
893 close_attr(fp);
894 open_attr(fp, "msec");
895 print_msec32(fp, tok->tt.hdr32.ms, 1);
896 close_attr(fp);
897 close_tag(fp, tok->id);
898 } else {
899 print_delim(fp, del);
900 print_4_bytes(fp, tok->tt.hdr32.size, "%u");
901 print_delim(fp, del);
902 print_1_byte(fp, tok->tt.hdr32.version, "%u");
903 print_delim(fp, del);
904 print_event(fp, tok->tt.hdr32.e_type, raw, sfrm);
905 print_delim(fp, del);
906 print_evmod(fp, tok->tt.hdr32.e_mod, raw);
907 print_delim(fp, del);
908 print_sec32(fp, tok->tt.hdr32.s, raw);
909 print_delim(fp, del);
910 print_msec32(fp, tok->tt.hdr32.ms, raw);
911 }
912}
913
914/*
915 * The Solaris specifications for AUE_HEADER32_EX seem to differ a bit
916 * depending on the bit of the specifications found. The OpenSolaris source
917 * code uses a 4-byte address length, followed by some number of bytes of
918 * address data. This contrasts with the Solaris audit.log.5 man page, which
919 * specifies a 1-byte length field. We use the Solaris 10 definition so that
920 * we can parse audit trails from that system.
921 *
922 * record byte count 4 bytes
923 * version # 1 byte [2]
924 * event type 2 bytes
925 * event modifier 2 bytes
926 * address type/length 4 bytes
927 * [ Solaris man page: address type/length 1 byte]
928 * machine address 4 bytes/16 bytes (IPv4/IPv6 address)
929 * seconds of time 4 bytes/8 bytes (32/64-bits)
930 * nanoseconds of time 4 bytes/8 bytes (32/64-bits)
931 */
932static int
933fetch_header32_ex_tok(tokenstr_t *tok, u_char *buf, int len)
934{
935 int err = 0;
936
937 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.size, tok->len, err);
938 if (err)
939 return (-1);
940
941 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr32_ex.version, tok->len, err);
942 if (err)
943 return (-1);
944
945 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32_ex.e_type, tok->len, err);
946 if (err)
947 return (-1);
948
949 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32_ex.e_mod, tok->len, err);
950 if (err)
951 return (-1);
952
953 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.ad_type, tok->len, err);
954 if (err)
955 return (-1);
956
957 bzero(tok->tt.hdr32_ex.addr, sizeof(tok->tt.hdr32_ex.addr));
958 switch (tok->tt.hdr32_ex.ad_type) {
959 case AU_IPv4:
960 READ_TOKEN_BYTES(buf, len, &tok->tt.hdr32_ex.addr[0],
961 sizeof(tok->tt.hdr32_ex.addr[0]), tok->len, err);
962 if (err)
963 return (-1);
964 break;
965
966 case AU_IPv6:
967 READ_TOKEN_BYTES(buf, len, tok->tt.hdr32_ex.addr,
968 sizeof(tok->tt.hdr32_ex.addr), tok->len, err);
969 break;
970 }
971
972 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.s, tok->len, err);
973 if (err)
974 return (-1);
975
976 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.ms, tok->len, err);
977 if (err)
978 return (-1);
979
980 return (0);
981}
982
983static void
984print_header32_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
985 char sfrm, int xml)
986{
987
988 print_tok_type(fp, tok->id, "header_ex", raw, xml);
989 if (xml) {
990 open_attr(fp, "version");
991 print_1_byte(fp, tok->tt.hdr32_ex.version, "%u");
992 close_attr(fp);
993 open_attr(fp, "event");
994 print_event(fp, tok->tt.hdr32_ex.e_type, raw, sfrm);
995 close_attr(fp);
996 open_attr(fp, "modifier");
997 print_evmod(fp, tok->tt.hdr32_ex.e_mod, raw);
998 close_attr(fp);
999 /*
1000 * No attribute for additional types.
1001 *
1002 print_ip_ex_address(fp, tok->tt.hdr32_ex.ad_type,
1003 tok->tt.hdr32_ex.addr);
1004 */
1005 open_attr(fp, "time");
1006 print_sec32(fp, tok->tt.hdr32_ex.s, raw);
1007 close_attr(fp);
1008 open_attr(fp, "msec");
1009 print_msec32(fp, tok->tt.hdr32_ex.ms, raw);
1010 close_attr(fp);
1011 close_tag(fp, tok->id);
1012 } else {
1013 print_delim(fp, del);
1014 print_4_bytes(fp, tok->tt.hdr32_ex.size, "%u");
1015 print_delim(fp, del);
1016 print_1_byte(fp, tok->tt.hdr32_ex.version, "%u");
1017 print_delim(fp, del);
1018 print_event(fp, tok->tt.hdr32_ex.e_type, raw, sfrm);
1019 print_delim(fp, del);
1020 print_evmod(fp, tok->tt.hdr32_ex.e_mod, raw);
1021 print_delim(fp, del);
1022 print_ip_ex_address(fp, tok->tt.hdr32_ex.ad_type,
1023 tok->tt.hdr32_ex.addr);
1024 print_delim(fp, del);
1025 print_sec32(fp, tok->tt.hdr32_ex.s, raw);
1026 print_delim(fp, del);
1027 print_msec32(fp, tok->tt.hdr32_ex.ms, raw);
1028 }
1029}
1030
1031/*
1032 * record byte count 4 bytes
1033 * event type 2 bytes
1034 * event modifier 2 bytes
1035 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value)
1036 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value)
1037 * version #
1038 */
1039static int
1040fetch_header64_tok(tokenstr_t *tok, u_char *buf, int len)
1041{
1042 int err = 0;
1043
1044 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64.size, tok->len, err);
1045 if (err)
1046 return (-1);
1047
1048 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr64.version, tok->len, err);
1049 if (err)
1050 return (-1);
1051
1052 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64.e_type, tok->len, err);
1053 if (err)
1054 return (-1);
1055
1056 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64.e_mod, tok->len, err);
1057 if (err)
1058 return (-1);
1059
1060 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64.s, tok->len, err);
1061 if (err)
1062 return (-1);
1063
1064 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64.ms, tok->len, err);
1065 if (err)
1066 return (-1);
1067
1068 return (0);
1069}
1070
1071static void
1072print_header64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm,
1073 int xml)
1074{
1075
1076 print_tok_type(fp, tok->id, "header", raw, xml);
1077 if (xml) {
1078 open_attr(fp, "version");
1079 print_1_byte(fp, tok->tt.hdr64.version, "%u");
1080 close_attr(fp);
1081 open_attr(fp, "event");
1082 print_event(fp, tok->tt.hdr64.e_type, raw, sfrm);
1083 close_attr(fp);
1084 open_attr(fp, "modifier");
1085 print_evmod(fp, tok->tt.hdr64.e_mod, raw);
1086 close_attr(fp);
1087 open_attr(fp, "time");
1088 print_sec64(fp, tok->tt.hdr64.s, raw);
1089 close_attr(fp);
1090 open_attr(fp, "msec");
1091 print_msec64(fp, tok->tt.hdr64.ms, raw);
1092 close_attr(fp);
1093 close_tag(fp, tok->id);
1094 } else {
1095 print_delim(fp, del);
1096 print_4_bytes(fp, tok->tt.hdr64.size, "%u");
1097 print_delim(fp, del);
1098 print_1_byte(fp, tok->tt.hdr64.version, "%u");
1099 print_delim(fp, del);
1100 print_event(fp, tok->tt.hdr64.e_type, raw, sfrm);
1101 print_delim(fp, del);
1102 print_evmod(fp, tok->tt.hdr64.e_mod, raw);
1103 print_delim(fp, del);
1104 print_sec64(fp, tok->tt.hdr64.s, raw);
1105 print_delim(fp, del);
1106 print_msec64(fp, tok->tt.hdr64.ms, raw);
1107 }
1108}
1109
1110/*
1111 * record byte count 4 bytes
1112 * version # 1 byte [2]
1113 * event type 2 bytes
1114 * event modifier 2 bytes
1115 * address type/length 4 bytes
1116 * [ Solaris man page: address type/length 1 byte]
1117 * machine address 4 bytes/16 bytes (IPv4/IPv6 address)
1118 * seconds of time 4 bytes/8 bytes (32/64-bits)
1119 * nanoseconds of time 4 bytes/8 bytes (32/64-bits)
1120 *
1121 * XXXAUDIT: See comment by fetch_header32_ex_tok() for details on the
1122 * accuracy of the BSM spec.
1123 */
1124static int
1125fetch_header64_ex_tok(tokenstr_t *tok, u_char *buf, int len)
1126{
1127 int err = 0;
1128
1129 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64_ex.size, tok->len, err);
1130 if (err)
1131 return (-1);
1132
1133 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr64_ex.version, tok->len, err);
1134 if (err)
1135 return (-1);
1136
1137 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64_ex.e_type, tok->len, err);
1138 if (err)
1139 return (-1);
1140
1141 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64_ex.e_mod, tok->len, err);
1142 if (err)
1143 return (-1);
1144
1145 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64_ex.ad_type, tok->len, err);
1146 if (err)
1147 return (-1);
1148
1149 bzero(tok->tt.hdr64_ex.addr, sizeof(tok->tt.hdr64_ex.addr));
1150 switch (tok->tt.hdr64_ex.ad_type) {
1151 case AU_IPv4:
1152 READ_TOKEN_BYTES(buf, len, &tok->tt.hdr64_ex.addr[0],
1153 sizeof(tok->tt.hdr64_ex.addr[0]), tok->len, err);
1154 if (err)
1155 return (-1);
1156 break;
1157
1158 case AU_IPv6:
1159 READ_TOKEN_BYTES(buf, len, tok->tt.hdr64_ex.addr,
1160 sizeof(tok->tt.hdr64_ex.addr), tok->len, err);
1161 break;
1162 }
1163
1164 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64_ex.s, tok->len, err);
1165 if (err)
1166 return (-1);
1167
1168 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64_ex.ms, tok->len, err);
1169 if (err)
1170 return (-1);
1171
1172 return (0);
1173}
1174
1175static void
1176print_header64_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1177 char sfrm, int xml)
1178{
1179
1180 print_tok_type(fp, tok->id, "header_ex", raw, xml);
1181 if (xml) {
1182 open_attr(fp, "version");
1183 print_1_byte(fp, tok->tt.hdr64_ex.version, "%u");
1184 close_attr(fp);
1185 open_attr(fp, "event");
1186 print_event(fp, tok->tt.hdr64_ex.e_type, raw, sfrm);
1187 close_attr(fp);
1188 open_attr(fp, "modifier");
1189 print_evmod(fp, tok->tt.hdr64_ex.e_mod, raw);
1190 close_attr(fp);
1191 /*
1192 * No attribute for additional types.
1193 *
1194 print_ip_ex_address(fp, tok->tt.hdr64_ex.ad_type,
1195 tok->tt.hdr64_ex.addr);
1196 */
1197 open_attr(fp, "time");
1198 print_sec64(fp, tok->tt.hdr64_ex.s, raw);
1199 close_attr(fp);
1200 open_attr(fp, "msec");
1201 print_msec64(fp, tok->tt.hdr64_ex.ms, raw);
1202 close_attr(fp);
1203 close_tag(fp, tok->id);
1204 } else {
1205 print_delim(fp, del);
1206 print_4_bytes(fp, tok->tt.hdr64_ex.size, "%u");
1207 print_delim(fp, del);
1208 print_1_byte(fp, tok->tt.hdr64_ex.version, "%u");
1209 print_delim(fp, del);
1210 print_event(fp, tok->tt.hdr64_ex.e_type, raw, sfrm);
1211 print_delim(fp, del);
1212 print_evmod(fp, tok->tt.hdr64_ex.e_mod, raw);
1213 print_delim(fp, del);
1214 print_ip_ex_address(fp, tok->tt.hdr64_ex.ad_type,
1215 tok->tt.hdr64_ex.addr);
1216 print_delim(fp, del);
1217 print_sec64(fp, tok->tt.hdr64_ex.s, raw);
1218 print_delim(fp, del);
1219 print_msec64(fp, tok->tt.hdr64_ex.ms, raw);
1220 }
1221}
1222
1223/*
1224 * trailer magic 2 bytes
1225 * record size 4 bytes
1226 */
1227static int
1228fetch_trailer_tok(tokenstr_t *tok, u_char *buf, int len)
1229{
1230 int err = 0;
1231
1232 READ_TOKEN_U_INT16(buf, len, tok->tt.trail.magic, tok->len, err);
1233 if (err)
1234 return (-1);
1235
1236 READ_TOKEN_U_INT32(buf, len, tok->tt.trail.count, tok->len, err);
1237 if (err)
1238 return (-1);
1239
1240 return (0);
1241}
1242
1243static void
1244print_trailer_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1245 __unused char sfrm, int xml)
1246{
1247
1248 print_tok_type(fp, tok->id, "trailer", raw, xml);
1249 if (!xml) {
1250 print_delim(fp, del);
1251 print_4_bytes(fp, tok->tt.trail.count, "%u");
1252 }
1253}
1254
1255/*
1256 * argument # 1 byte
1257 * argument value 4 bytes/8 bytes (32-bit/64-bit value)
1258 * text length 2 bytes
1259 * text N bytes + 1 terminating NULL byte
1260 */
1261static int
1262fetch_arg32_tok(tokenstr_t *tok, u_char *buf, int len)
1263{
1264 int err = 0;
1265
1266 READ_TOKEN_U_CHAR(buf, len, tok->tt.arg32.no, tok->len, err);
1267 if (err)
1268 return (-1);
1269
1270 READ_TOKEN_U_INT32(buf, len, tok->tt.arg32.val, tok->len, err);
1271 if (err)
1272 return (-1);
1273
1274 READ_TOKEN_U_INT16(buf, len, tok->tt.arg32.len, tok->len, err);
1275 if (err)
1276 return (-1);
1277
1278 SET_PTR((char*)buf, len, tok->tt.arg32.text, tok->tt.arg32.len,
1279 tok->len, err);
1280 if (err)
1281 return (-1);
1282
1283 return (0);
1284}
1285
1286static void
1287print_arg32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1288 __unused char sfrm, int xml)
1289{
1290
1291 print_tok_type(fp, tok->id, "argument", raw, xml);
1292 if (xml) {
1293 open_attr(fp, "arg-num");
1294 print_1_byte(fp, tok->tt.arg32.no, "%u");
1295 close_attr(fp);
1296 open_attr(fp, "value");
1297 print_4_bytes(fp, tok->tt.arg32.val, "0x%x");
1298 close_attr(fp);
1299 open_attr(fp, "desc");
1300 print_string(fp, tok->tt.arg32.text, tok->tt.arg32.len);
1301 close_attr(fp);
1302 close_tag(fp, tok->id);
1303 } else {
1304 print_delim(fp, del);
1305 print_1_byte(fp, tok->tt.arg32.no, "%u");
1306 print_delim(fp, del);
1307 print_4_bytes(fp, tok->tt.arg32.val, "0x%x");
1308 print_delim(fp, del);
|
1309 }
1310}
1311
1312static int
1313fetch_arg64_tok(tokenstr_t *tok, u_char *buf, int len)
1314{
1315 int err = 0;
1316
1317 READ_TOKEN_U_CHAR(buf, len, tok->tt.arg64.no, tok->len, err);
1318 if (err)
1319 return (-1);
1320
1321 READ_TOKEN_U_INT64(buf, len, tok->tt.arg64.val, tok->len, err);
1322 if (err)
1323 return (-1);
1324
1325 READ_TOKEN_U_INT16(buf, len, tok->tt.arg64.len, tok->len, err);
1326 if (err)
1327 return (-1);
1328
1329 SET_PTR((char*)buf, len, tok->tt.arg64.text, tok->tt.arg64.len,
1330 tok->len, err);
1331 if (err)
1332 return (-1);
1333
1334 return (0);
1335}
1336
1337static void
1338print_arg64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1339 __unused char sfrm, int xml)
1340{
1341
1342 print_tok_type(fp, tok->id, "argument", raw, xml);
1343 if (xml) {
1344 open_attr(fp, "arg-num");
1345 print_1_byte(fp, tok->tt.arg64.no, "%u");
1346 close_attr(fp);
1347 open_attr(fp, "value");
1348 print_8_bytes(fp, tok->tt.arg64.val, "0x%llx");
1349 close_attr(fp);
1350 open_attr(fp, "desc");
1351 print_string(fp, tok->tt.arg64.text, tok->tt.arg64.len);
1352 close_attr(fp);
1353 close_tag(fp, tok->id);
1354 } else {
1355 print_delim(fp, del);
1356 print_1_byte(fp, tok->tt.arg64.no, "%u");
1357 print_delim(fp, del);
1358 print_8_bytes(fp, tok->tt.arg64.val, "0x%llx");
1359 print_delim(fp, del);
1360 print_string(fp, tok->tt.arg64.text, tok->tt.arg64.len);
1361 }
1362}
1363
1364/*
1365 * how to print 1 byte
1366 * basic unit 1 byte
1367 * unit count 1 byte
1368 * data items (depends on basic unit)
1369 */
1370static int
1371fetch_arb_tok(tokenstr_t *tok, u_char *buf, int len)
1372{
1373 int err = 0;
1374 int datasize;
1375
1376 READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.howtopr, tok->len, err);
1377 if (err)
1378 return (-1);
1379
1380 READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.bu, tok->len, err);
1381 if (err)
1382 return (-1);
1383
1384 READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.uc, tok->len, err);
1385 if (err)
1386 return (-1);
1387
1388 /*
1389 * Determine the size of the basic unit.
1390 */
1391 switch(tok->tt.arb.bu) {
1392 case AUR_BYTE:
1393 /* case AUR_CHAR: */
1394 datasize = AUR_BYTE_SIZE;
1395 break;
1396
1397 case AUR_SHORT:
1398 datasize = AUR_SHORT_SIZE;
1399 break;
1400
1401 case AUR_INT32:
1402 /* case AUR_INT: */
1403 datasize = AUR_INT32_SIZE;
1404 break;
1405
1406 case AUR_INT64:
1407 datasize = AUR_INT64_SIZE;
1408 break;
1409
1410 default:
1411 return (-1);
1412 }
1413
1414 SET_PTR(buf, len, tok->tt.arb.data, datasize * tok->tt.arb.uc,
1415 tok->len, err);
1416 if (err)
1417 return (-1);
1418
1419 return (0);
1420}
1421
1422static void
1423print_arb_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1424 __unused char sfrm, int xml)
1425{
1426 char *str;
1427 char *format;
1428 size_t size;
1429 int i;
1430
1431 print_tok_type(fp, tok->id, "arbitrary", raw, xml);
1432 if (!xml)
1433 print_delim(fp, del);
1434
1435 switch(tok->tt.arb.howtopr) {
1436 case AUP_BINARY:
1437 str = "binary";
1438 format = " %c";
1439 break;
1440
1441 case AUP_OCTAL:
1442 str = "octal";
1443 format = " %o";
1444 break;
1445
1446 case AUP_DECIMAL:
1447 str = "decimal";
1448 format = " %d";
1449 break;
1450
1451 case AUP_HEX:
1452 str = "hex";
1453 format = " %x";
1454 break;
1455
1456 case AUP_STRING:
1457 str = "string";
1458 format = "%c";
1459 break;
1460
1461 default:
1462 return;
1463 }
1464
1465 if (xml) {
1466 open_attr(fp, "print");
1467 fprintf(fp, "%s",str);
1468 close_attr(fp);
1469 } else {
1470 print_string(fp, str, strlen(str));
1471 print_delim(fp, del);
1472 }
1473 switch(tok->tt.arb.bu) {
1474 case AUR_BYTE:
1475 /* case AUR_CHAR: */
1476 str = "byte";
1477 size = AUR_BYTE_SIZE;
1478 if (xml) {
1479 open_attr(fp, "type");
1480 fprintf(fp, "%u", size);
1481 close_attr(fp);
1482 open_attr(fp, "count");
1483 print_1_byte(fp, tok->tt.arb.uc, "%u");
1484 close_attr(fp);
1485 fprintf(fp, ">");
1486 for (i = 0; i<tok->tt.arb.uc; i++)
1487 fprintf(fp, format, *(tok->tt.arb.data +
1488 (size * i)));
1489 close_tag(fp, tok->id);
1490 } else {
1491 print_string(fp, str, strlen(str));
1492 print_delim(fp, del);
1493 print_1_byte(fp, tok->tt.arb.uc, "%u");
1494 print_delim(fp, del);
1495 for (i = 0; i<tok->tt.arb.uc; i++)
1496 fprintf(fp, format, *(tok->tt.arb.data +
1497 (size * i)));
1498 }
1499 break;
1500
1501 case AUR_SHORT:
1502 str = "short";
1503 size = AUR_SHORT_SIZE;
1504 if (xml) {
1505 open_attr(fp, "type");
1506 fprintf(fp, "%u", size);
1507 close_attr(fp);
1508 open_attr(fp, "count");
1509 print_1_byte(fp, tok->tt.arb.uc, "%u");
1510 close_attr(fp);
1511 fprintf(fp, ">");
1512 for (i = 0; i < tok->tt.arb.uc; i++)
1513 fprintf(fp, format,
1514 *((u_int16_t *)(tok->tt.arb.data +
1515 (size * i))));
1516 close_tag(fp, tok->id);
1517 } else {
1518 print_string(fp, str, strlen(str));
1519 print_delim(fp, del);
1520 print_1_byte(fp, tok->tt.arb.uc, "%u");
1521 print_delim(fp, del);
1522 for (i = 0; i < tok->tt.arb.uc; i++)
1523 fprintf(fp, format,
1524 *((u_int16_t *)(tok->tt.arb.data +
1525 (size * i))));
1526 }
1527 break;
1528
1529 case AUR_INT32:
1530 /* case AUR_INT: */
1531 str = "int";
1532 size = AUR_INT32_SIZE;
1533 if (xml) {
1534 open_attr(fp, "type");
1535 fprintf(fp, "%u", size);
1536 close_attr(fp);
1537 open_attr(fp, "count");
1538 print_1_byte(fp, tok->tt.arb.uc, "%u");
1539 close_attr(fp);
1540 fprintf(fp, ">");
1541 for (i = 0; i < tok->tt.arb.uc; i++)
1542 fprintf(fp, format,
1543 *((u_int32_t *)(tok->tt.arb.data +
1544 (size * i))));
1545 close_tag(fp, tok->id);
1546 } else {
1547 print_string(fp, str, strlen(str));
1548 print_delim(fp, del);
1549 print_1_byte(fp, tok->tt.arb.uc, "%u");
1550 print_delim(fp, del);
1551 for (i = 0; i < tok->tt.arb.uc; i++)
1552 fprintf(fp, format,
1553 *((u_int32_t *)(tok->tt.arb.data +
1554 (size * i))));
1555 }
1556 break;
1557
1558 case AUR_INT64:
1559 str = "int64";
1560 size = AUR_INT64_SIZE;
1561 if (xml) {
1562 open_attr(fp, "type");
1563 fprintf(fp, "%u", size);
1564 close_attr(fp);
1565 open_attr(fp, "count");
1566 print_1_byte(fp, tok->tt.arb.uc, "%u");
1567 close_attr(fp);
1568 fprintf(fp, ">");
1569 for (i = 0; i < tok->tt.arb.uc; i++)
1570 fprintf(fp, format,
1571 *((u_int64_t *)(tok->tt.arb.data +
1572 (size * i))));
1573 close_tag(fp, tok->id);
1574 } else {
1575 print_string(fp, str, strlen(str));
1576 print_delim(fp, del);
1577 print_1_byte(fp, tok->tt.arb.uc, "%u");
1578 print_delim(fp, del);
1579 for (i = 0; i < tok->tt.arb.uc; i++)
1580 fprintf(fp, format,
1581 *((u_int64_t *)(tok->tt.arb.data +
1582 (size * i))));
1583 }
1584 break;
1585
1586 default:
1587 return;
1588 }
1589}
1590
1591/*
1592 * file access mode 4 bytes
1593 * owner user ID 4 bytes
1594 * owner group ID 4 bytes
1595 * file system ID 4 bytes
1596 * node ID 8 bytes
1597 * device 4 bytes/8 bytes (32-bit/64-bit)
1598 */
1599static int
1600fetch_attr32_tok(tokenstr_t *tok, u_char *buf, int len)
1601{
1602 int err = 0;
1603
1604 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.mode, tok->len, err);
1605 if (err)
1606 return (-1);
1607
1608 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.uid, tok->len, err);
1609 if (err)
1610 return (-1);
1611
1612 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.gid, tok->len, err);
1613 if (err)
1614 return (-1);
1615
1616 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.fsid, tok->len, err);
1617 if (err)
1618 return (-1);
1619
1620 READ_TOKEN_U_INT64(buf, len, tok->tt.attr32.nid, tok->len, err);
1621 if (err)
1622 return (-1);
1623
1624 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.dev, tok->len, err);
1625 if (err)
1626 return (-1);
1627
1628 return (0);
1629}
1630
1631static void
1632print_attr32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1633 __unused char sfrm, int xml)
1634{
1635
1636 print_tok_type(fp, tok->id, "attribute", raw, xml);
1637 if (xml) {
1638 open_attr(fp, "mode");
1639 print_4_bytes(fp, tok->tt.attr32.mode, "%o");
1640 close_attr(fp);
1641 open_attr(fp, "uid");
1642 print_user(fp, tok->tt.attr32.uid, raw);
1643 close_attr(fp);
1644 open_attr(fp, "gid");
1645 print_group(fp, tok->tt.attr32.gid, raw);
1646 close_attr(fp);
1647 open_attr(fp, "fsid");
1648 print_4_bytes(fp, tok->tt.attr32.fsid, "%u");
1649 close_attr(fp);
1650 open_attr(fp, "nodeid");
1651 print_8_bytes(fp, tok->tt.attr32.nid, "%lld");
1652 close_attr(fp);
1653 open_attr(fp, "device");
1654 print_4_bytes(fp, tok->tt.attr32.dev, "%u");
1655 close_attr(fp);
1656 close_tag(fp, tok->id);
1657 } else {
1658 print_delim(fp, del);
1659 print_4_bytes(fp, tok->tt.attr32.mode, "%o");
1660 print_delim(fp, del);
1661 print_user(fp, tok->tt.attr32.uid, raw);
1662 print_delim(fp, del);
1663 print_group(fp, tok->tt.attr32.gid, raw);
1664 print_delim(fp, del);
1665 print_4_bytes(fp, tok->tt.attr32.fsid, "%u");
1666 print_delim(fp, del);
1667 print_8_bytes(fp, tok->tt.attr32.nid, "%lld");
1668 print_delim(fp, del);
1669 print_4_bytes(fp, tok->tt.attr32.dev, "%u");
1670 }
1671}
1672
1673/*
1674 * file access mode 4 bytes
1675 * owner user ID 4 bytes
1676 * owner group ID 4 bytes
1677 * file system ID 4 bytes
1678 * node ID 8 bytes
1679 * device 4 bytes/8 bytes (32-bit/64-bit)
1680 */
1681static int
1682fetch_attr64_tok(tokenstr_t *tok, u_char *buf, int len)
1683{
1684 int err = 0;
1685
1686 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.mode, tok->len, err);
1687 if (err)
1688 return (-1);
1689
1690 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.uid, tok->len, err);
1691 if (err)
1692 return (-1);
1693
1694 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.gid, tok->len, err);
1695 if (err)
1696 return (-1);
1697
1698 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.fsid, tok->len, err);
1699 if (err)
1700 return (-1);
1701
1702 READ_TOKEN_U_INT64(buf, len, tok->tt.attr64.nid, tok->len, err);
1703 if (err)
1704 return (-1);
1705
1706 READ_TOKEN_U_INT64(buf, len, tok->tt.attr64.dev, tok->len, err);
1707 if (err)
1708 return (-1);
1709
1710 return (0);
1711}
1712
1713static void
1714print_attr64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1715 __unused char sfrm, int xml)
1716{
1717
1718 print_tok_type(fp, tok->id, "attribute", raw, xml);
1719 if (xml) {
1720 open_attr(fp, "mode");
1721 print_4_bytes(fp, tok->tt.attr64.mode, "%o");
1722 close_attr(fp);
1723 open_attr(fp, "uid");
1724 print_user(fp, tok->tt.attr64.uid, raw);
1725 close_attr(fp);
1726 open_attr(fp, "gid");
1727 print_group(fp, tok->tt.attr64.gid, raw);
1728 close_attr(fp);
1729 open_attr(fp, "fsid");
1730 print_4_bytes(fp, tok->tt.attr64.fsid, "%u");
1731 close_attr(fp);
1732 open_attr(fp, "nodeid");
1733 print_8_bytes(fp, tok->tt.attr64.nid, "%lld");
1734 close_attr(fp);
1735 open_attr(fp, "device");
1736 print_8_bytes(fp, tok->tt.attr64.dev, "%llu");
1737 close_attr(fp);
1738 close_tag(fp, tok->id);
1739 } else {
1740 print_delim(fp, del);
1741 print_4_bytes(fp, tok->tt.attr64.mode, "%o");
1742 print_delim(fp, del);
1743 print_user(fp, tok->tt.attr64.uid, raw);
1744 print_delim(fp, del);
1745 print_group(fp, tok->tt.attr64.gid, raw);
1746 print_delim(fp, del);
1747 print_4_bytes(fp, tok->tt.attr64.fsid, "%u");
1748 print_delim(fp, del);
1749 print_8_bytes(fp, tok->tt.attr64.nid, "%lld");
1750 print_delim(fp, del);
1751 print_8_bytes(fp, tok->tt.attr64.dev, "%llu");
1752 }
1753}
1754
1755/*
1756 * status 4 bytes
1757 * return value 4 bytes
1758 */
1759static int
1760fetch_exit_tok(tokenstr_t *tok, u_char *buf, int len)
1761{
1762 int err = 0;
1763
1764 READ_TOKEN_U_INT32(buf, len, tok->tt.exit.status, tok->len, err);
1765 if (err)
1766 return (-1);
1767
1768 READ_TOKEN_U_INT32(buf, len, tok->tt.exit.ret, tok->len, err);
1769 if (err)
1770 return (-1);
1771
1772 return (0);
1773}
1774
1775static void
1776print_exit_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1777 __unused char sfrm, int xml)
1778{
1779
1780 print_tok_type(fp, tok->id, "exit", raw, xml);
1781 if (xml) {
1782 open_attr(fp, "errval");
1783 print_errval(fp, tok->tt.exit.status);
1784 close_attr(fp);
1785 open_attr(fp, "retval");
1786 print_4_bytes(fp, tok->tt.exit.ret, "%u");
1787 close_attr(fp);
1788 close_tag(fp, tok->id);
1789 } else {
1790 print_delim(fp, del);
1791 print_errval(fp, tok->tt.exit.status);
1792 print_delim(fp, del);
1793 print_4_bytes(fp, tok->tt.exit.ret, "%u");
1794 }
1795}
1796
1797/*
1798 * count 4 bytes
1799 * text count null-terminated string(s)
1800 */
1801static int
1802fetch_execarg_tok(tokenstr_t *tok, u_char *buf, int len)
1803{
1804 int err = 0;
1805 int i;
1806 u_char *bptr;
1807
1808 READ_TOKEN_U_INT32(buf, len, tok->tt.execarg.count, tok->len, err);
1809 if (err)
1810 return (-1);
1811
1812 for (i = 0; i < tok->tt.execarg.count; i++) {
1813 bptr = buf + tok->len;
1814 if (i < AUDIT_MAX_ARGS)
1815 tok->tt.execarg.text[i] = (char*)bptr;
1816
1817 /* Look for a null terminated string. */
1818 while (bptr && (*bptr != '\0')) {
1819 if (++tok->len >=len)
1820 return (-1);
1821 bptr = buf + tok->len;
1822 }
1823 if (!bptr)
1824 return (-1);
1825 tok->len++; /* \0 character */
1826 }
1827 if (tok->tt.execarg.count > AUDIT_MAX_ARGS)
1828 tok->tt.execarg.count = AUDIT_MAX_ARGS;
1829
1830 return (0);
1831}
1832
1833static void
1834print_execarg_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1835 __unused char sfrm, int xml)
1836{
1837 int i;
1838
1839 print_tok_type(fp, tok->id, "exec arg", raw, xml);
1840 for (i = 0; i < tok->tt.execarg.count; i++) {
1841 if (xml) {
1842 fprintf(fp, "<arg>");
1843 print_string(fp, tok->tt.execarg.text[i],
1844 strlen(tok->tt.execarg.text[i]));
1845 fprintf(fp, "</arg>");
1846 } else {
1847 print_delim(fp, del);
1848 print_string(fp, tok->tt.execarg.text[i],
1849 strlen(tok->tt.execarg.text[i]));
1850 }
1851 }
1852 if (xml)
1853 close_tag(fp, tok->id);
1854}
1855
1856/*
1857 * count 4 bytes
1858 * text count null-terminated string(s)
1859 */
1860static int
1861fetch_execenv_tok(tokenstr_t *tok, u_char *buf, int len)
1862{
1863 int err = 0;
1864 int i;
1865 u_char *bptr;
1866
1867 READ_TOKEN_U_INT32(buf, len, tok->tt.execenv.count, tok->len, err);
1868 if (err)
1869 return (-1);
1870
1871 for (i = 0; i < tok->tt.execenv.count; i++) {
1872 bptr = buf + tok->len;
1873 if (i < AUDIT_MAX_ENV)
1874 tok->tt.execenv.text[i] = (char*)bptr;
1875
1876 /* Look for a null terminated string. */
1877 while (bptr && (*bptr != '\0')) {
1878 if (++tok->len >=len)
1879 return (-1);
1880 bptr = buf + tok->len;
1881 }
1882 if (!bptr)
1883 return (-1);
1884 tok->len++; /* \0 character */
1885 }
1886 if (tok->tt.execenv.count > AUDIT_MAX_ENV)
1887 tok->tt.execenv.count = AUDIT_MAX_ENV;
1888
1889 return (0);
1890}
1891
1892static void
1893print_execenv_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1894 __unused char sfrm, int xml)
1895{
1896 int i;
1897
1898 print_tok_type(fp, tok->id, "exec env", raw, xml);
1899 for (i = 0; i< tok->tt.execenv.count; i++) {
1900 if (xml) {
1901 fprintf(fp, "<env>");
1902 print_string(fp, tok->tt.execenv.text[i],
1903 strlen(tok->tt.execenv.text[i]));
1904 fprintf(fp, "</env>");
1905 } else {
1906 print_delim(fp, del);
1907 print_string(fp, tok->tt.execenv.text[i],
1908 strlen(tok->tt.execenv.text[i]));
1909 }
1910 }
1911 if (xml)
1912 close_tag(fp, tok->id);
1913}
1914
1915/*
1916 * seconds of time 4 bytes
1917 * milliseconds of time 4 bytes
1918 * file name len 2 bytes
1919 * file pathname N bytes + 1 terminating NULL byte
1920 */
1921static int
1922fetch_file_tok(tokenstr_t *tok, u_char *buf, int len)
1923{
1924 int err = 0;
1925
1926 READ_TOKEN_U_INT32(buf, len, tok->tt.file.s, tok->len, err);
1927 if (err)
1928 return (-1);
1929
1930 READ_TOKEN_U_INT32(buf, len, tok->tt.file.ms, tok->len, err);
1931 if (err)
1932 return (-1);
1933
1934 READ_TOKEN_U_INT16(buf, len, tok->tt.file.len, tok->len, err);
1935 if (err)
1936 return (-1);
1937
1938 SET_PTR((char*)buf, len, tok->tt.file.name, tok->tt.file.len, tok->len,
1939 err);
1940 if (err)
1941 return (-1);
1942
1943 return (0);
1944}
1945
1946static void
1947print_file_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1948 __unused char sfrm, int xml)
1949{
1950
1951 print_tok_type(fp, tok->id, "file", raw, xml);
1952 if (xml) {
1953 open_attr(fp, "time");
1954 print_sec32(fp, tok->tt.file.s, raw);
1955 close_attr(fp);
1956 open_attr(fp, "msec");
1957 print_msec32(fp, tok->tt.file.ms, raw);
1958 close_attr(fp);
1959 fprintf(fp, ">");
1960 print_string(fp, tok->tt.file.name, tok->tt.file.len);
1961 close_tag(fp, tok->id);
1962 } else {
1963 print_delim(fp, del);
1964 print_sec32(fp, tok->tt.file.s, raw);
1965 print_delim(fp, del);
1966 print_msec32(fp, tok->tt.file.ms, raw);
1967 print_delim(fp, del);
1968 print_string(fp, tok->tt.file.name, tok->tt.file.len);
1969 }
1970}
1971
1972/*
1973 * number groups 2 bytes
1974 * group list count * 4 bytes
1975 */
1976static int
1977fetch_newgroups_tok(tokenstr_t *tok, u_char *buf, int len)
1978{
1979 int i;
1980 int err = 0;
1981
1982 READ_TOKEN_U_INT16(buf, len, tok->tt.grps.no, tok->len, err);
1983 if (err)
1984 return (-1);
1985
1986 for (i = 0; i<tok->tt.grps.no; i++) {
1987 READ_TOKEN_U_INT32(buf, len, tok->tt.grps.list[i], tok->len,
1988 err);
1989 if (err)
1990 return (-1);
1991 }
1992
1993 return (0);
1994}
1995
1996static void
1997print_newgroups_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1998 __unused char sfrm, int xml)
1999{
2000 int i;
2001
2002 print_tok_type(fp, tok->id, "group", raw, xml);
2003 for (i = 0; i < tok->tt.grps.no; i++) {
2004 if (xml) {
2005 fprintf(fp, "<gid>");
2006 print_group(fp, tok->tt.grps.list[i], raw);
2007 fprintf(fp, "</gid>");
2008 close_tag(fp, tok->id);
2009 } else {
2010 print_delim(fp, del);
2011 print_group(fp, tok->tt.grps.list[i], raw);
2012 }
2013 }
2014}
2015
2016/*
2017 * Internet addr 4 bytes
2018 */
2019static int
2020fetch_inaddr_tok(tokenstr_t *tok, u_char *buf, int len)
2021{
2022 int err = 0;
2023
2024 READ_TOKEN_BYTES(buf, len, &tok->tt.inaddr.addr, sizeof(uint32_t),
2025 tok->len, err);
2026 if (err)
2027 return (-1);
2028
2029 return (0);
2030
2031}
2032
2033static void
2034print_inaddr_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2035 __unused char sfrm, int xml)
2036{
2037
2038 print_tok_type(fp, tok->id, "ip addr", raw, xml);
2039 if (xml) {
2040 print_ip_address(fp, tok->tt.inaddr.addr);
2041 close_tag(fp, tok->id);
2042 } else {
2043 print_delim(fp, del);
2044 print_ip_address(fp, tok->tt.inaddr.addr);
2045 }
2046}
2047
2048/*
2049 * type 4 bytes
2050 * address 16 bytes
2051 */
2052static int
2053fetch_inaddr_ex_tok(tokenstr_t *tok, u_char *buf, int len)
2054{
2055 int err = 0;
2056
2057 READ_TOKEN_U_INT32(buf, len, tok->tt.inaddr_ex.type, tok->len, err);
2058 if (err)
2059 return (-1);
2060
2061 if (tok->tt.inaddr_ex.type == AU_IPv4) {
2062 READ_TOKEN_BYTES(buf, len, &tok->tt.inaddr_ex.addr[0],
2063 sizeof(tok->tt.inaddr_ex.addr[0]), tok->len, err);
2064 if (err)
2065 return (-1);
2066 } else if (tok->tt.inaddr_ex.type == AU_IPv6) {
2067 READ_TOKEN_BYTES(buf, len, tok->tt.inaddr_ex.addr,
2068 sizeof(tok->tt.inaddr_ex.addr), tok->len, err);
2069 if (err)
2070 return (-1);
2071 } else
2072 return (-1);
2073
2074 return (0);
2075}
2076
2077static void
2078print_inaddr_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2079 __unused char sfrm, int xml)
2080{
2081
2082 print_tok_type(fp, tok->id, "ip addr ex", raw, xml);
2083 if (xml) {
2084 print_ip_ex_address(fp, tok->tt.inaddr_ex.type,
2085 tok->tt.inaddr_ex.addr);
2086 close_tag(fp, tok->id);
2087 } else {
2088 print_delim(fp, del);
2089 print_ip_ex_address(fp, tok->tt.inaddr_ex.type,
2090 tok->tt.inaddr_ex.addr);
2091 }
2092}
2093
2094/*
2095 * ip header 20 bytes
2096 */
2097static int
2098fetch_ip_tok(tokenstr_t *tok, u_char *buf, int len)
2099{
2100 int err = 0;
2101
2102 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.version, tok->len, err);
2103 if (err)
2104 return (-1);
2105
2106 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.tos, tok->len, err);
2107 if (err)
2108 return (-1);
2109
2110 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.len, sizeof(uint16_t),
2111 tok->len, err);
2112 if (err)
2113 return (-1);
2114
2115 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.id, sizeof(uint16_t),
2116 tok->len, err);
2117 if (err)
2118 return (-1);
2119
2120 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.offset, sizeof(uint16_t),
2121 tok->len, err);
2122 if (err)
2123 return (-1);
2124
2125 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.ttl, tok->len, err);
2126 if (err)
2127 return (-1);
2128
2129 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.prot, tok->len, err);
2130 if (err)
2131 return (-1);
2132
2133 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.chksm, sizeof(uint16_t),
2134 tok->len, err);
2135 if (err)
2136 return (-1);
2137
2138 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.src, sizeof(tok->tt.ip.src),
2139 tok->len, err);
2140 if (err)
2141 return (-1);
2142
2143 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.dest, sizeof(tok->tt.ip.dest),
2144 tok->len, err);
2145 if (err)
2146 return (-1);
2147
2148 return (0);
2149}
2150
2151static void
2152print_ip_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2153 __unused char sfrm, int xml)
2154{
2155
2156 print_tok_type(fp, tok->id, "ip", raw, xml);
2157 if (xml) {
2158 open_attr(fp, "version");
2159 print_mem(fp, (u_char *)(&tok->tt.ip.version),
2160 sizeof(u_char));
2161 close_attr(fp);
2162 open_attr(fp, "service_type");
2163 print_mem(fp, (u_char *)(&tok->tt.ip.tos), sizeof(u_char));
2164 close_attr(fp);
2165 open_attr(fp, "len");
2166 print_2_bytes(fp, ntohs(tok->tt.ip.len), "%u");
2167 close_attr(fp);
2168 open_attr(fp, "id");
2169 print_2_bytes(fp, ntohs(tok->tt.ip.id), "%u");
2170 close_attr(fp);
2171 open_attr(fp, "offset");
2172 print_2_bytes(fp, ntohs(tok->tt.ip.offset), "%u");
2173 close_attr(fp);
2174 open_attr(fp, "time_to_live");
2175 print_mem(fp, (u_char *)(&tok->tt.ip.ttl), sizeof(u_char));
2176 close_attr(fp);
2177 open_attr(fp, "protocol");
2178 print_mem(fp, (u_char *)(&tok->tt.ip.prot), sizeof(u_char));
2179 close_attr(fp);
2180 open_attr(fp, "cksum");
2181 print_2_bytes(fp, ntohs(tok->tt.ip.chksm), "%u");
2182 close_attr(fp);
2183 open_attr(fp, "src_addr");
2184 print_ip_address(fp, tok->tt.ip.src);
2185 close_attr(fp);
2186 open_attr(fp, "dest_addr");
2187 print_ip_address(fp, tok->tt.ip.dest);
2188 close_attr(fp);
2189 close_tag(fp, tok->id);
2190 } else {
2191 print_delim(fp, del);
2192 print_mem(fp, (u_char *)(&tok->tt.ip.version),
2193 sizeof(u_char));
2194 print_delim(fp, del);
2195 print_mem(fp, (u_char *)(&tok->tt.ip.tos), sizeof(u_char));
2196 print_delim(fp, del);
2197 print_2_bytes(fp, ntohs(tok->tt.ip.len), "%u");
2198 print_delim(fp, del);
2199 print_2_bytes(fp, ntohs(tok->tt.ip.id), "%u");
2200 print_delim(fp, del);
2201 print_2_bytes(fp, ntohs(tok->tt.ip.offset), "%u");
2202 print_delim(fp, del);
2203 print_mem(fp, (u_char *)(&tok->tt.ip.ttl), sizeof(u_char));
2204 print_delim(fp, del);
2205 print_mem(fp, (u_char *)(&tok->tt.ip.prot), sizeof(u_char));
2206 print_delim(fp, del);
2207 print_2_bytes(fp, ntohs(tok->tt.ip.chksm), "%u");
2208 print_delim(fp, del);
2209 print_ip_address(fp, tok->tt.ip.src);
2210 print_delim(fp, del);
2211 print_ip_address(fp, tok->tt.ip.dest);
2212 }
2213}
2214
2215/*
2216 * object ID type 1 byte
2217 * Object ID 4 bytes
2218 */
2219static int
2220fetch_ipc_tok(tokenstr_t *tok, u_char *buf, int len)
2221{
2222 int err = 0;
2223
2224 READ_TOKEN_U_CHAR(buf, len, tok->tt.ipc.type, tok->len, err);
2225 if (err)
2226 return (-1);
2227
2228 READ_TOKEN_U_INT32(buf, len, tok->tt.ipc.id, tok->len, err);
2229 if (err)
2230 return (-1);
2231
2232 return (0);
2233}
2234
2235static void
2236print_ipc_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2237 __unused char sfrm, int xml)
2238{
2239
2240 print_tok_type(fp, tok->id, "IPC", raw, xml);
2241 if (xml) {
2242 open_attr(fp, "ipc-type");
2243 print_ipctype(fp, tok->tt.ipc.type, raw);
2244 close_attr(fp);
2245 open_attr(fp, "ipc-id");
2246 print_4_bytes(fp, tok->tt.ipc.id, "%u");
2247 close_attr(fp);
2248 close_tag(fp, tok->id);
2249 } else {
2250 print_delim(fp, del);
2251 print_ipctype(fp, tok->tt.ipc.type, raw);
2252 print_delim(fp, del);
2253 print_4_bytes(fp, tok->tt.ipc.id, "%u");
2254 }
2255}
2256
2257/*
2258 * owner user id 4 bytes
2259 * owner group id 4 bytes
2260 * creator user id 4 bytes
2261 * creator group id 4 bytes
2262 * access mode 4 bytes
2263 * slot seq 4 bytes
2264 * key 4 bytes
2265 */
2266static int
2267fetch_ipcperm_tok(tokenstr_t *tok, u_char *buf, int len)
2268{
2269 int err = 0;
2270
2271 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.uid, tok->len, err);
2272 if (err)
2273 return (-1);
2274
2275 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.gid, tok->len, err);
2276 if (err)
2277 return (-1);
2278
2279 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.puid, tok->len, err);
2280 if (err)
2281 return (-1);
2282
2283 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.pgid, tok->len, err);
2284 if (err)
2285 return (-1);
2286
2287 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.mode, tok->len, err);
2288 if (err)
2289 return (-1);
2290
2291 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.seq, tok->len, err);
2292 if (err)
2293 return (-1);
2294
2295 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.key, tok->len, err);
2296 if (err)
2297 return (-1);
2298
2299 return (0);
2300}
2301
2302static void
2303print_ipcperm_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2304 __unused char sfrm, int xml)
2305{
2306
2307 print_tok_type(fp, tok->id, "IPC perm", raw, xml);
2308 if (xml) {
2309 open_attr(fp, "uid");
2310 print_user(fp, tok->tt.ipcperm.uid, raw);
2311 close_attr(fp);
2312 open_attr(fp, "gid");
2313 print_group(fp, tok->tt.ipcperm.gid, raw);
2314 close_attr(fp);
2315 open_attr(fp, "creator-uid");
2316 print_user(fp, tok->tt.ipcperm.puid, raw);
2317 close_attr(fp);
2318 open_attr(fp, "creator-gid");
2319 print_group(fp, tok->tt.ipcperm.pgid, raw);
2320 close_attr(fp);
2321 open_attr(fp, "mode");
2322 print_4_bytes(fp, tok->tt.ipcperm.mode, "%o");
2323 close_attr(fp);
2324 open_attr(fp, "seq");
2325 print_4_bytes(fp, tok->tt.ipcperm.seq, "%u");
2326 close_attr(fp);
2327 open_attr(fp, "key");
2328 print_4_bytes(fp, tok->tt.ipcperm.key, "%u");
2329 close_attr(fp);
2330 close_tag(fp, tok->id);
2331 } else {
2332 print_delim(fp, del);
2333 print_user(fp, tok->tt.ipcperm.uid, raw);
2334 print_delim(fp, del);
2335 print_group(fp, tok->tt.ipcperm.gid, raw);
2336 print_delim(fp, del);
2337 print_user(fp, tok->tt.ipcperm.puid, raw);
2338 print_delim(fp, del);
2339 print_group(fp, tok->tt.ipcperm.pgid, raw);
2340 print_delim(fp, del);
2341 print_4_bytes(fp, tok->tt.ipcperm.mode, "%o");
2342 print_delim(fp, del);
2343 print_4_bytes(fp, tok->tt.ipcperm.seq, "%u");
2344 print_delim(fp, del);
2345 print_4_bytes(fp, tok->tt.ipcperm.key, "%u");
2346 }
2347}
2348
2349/*
2350 * port Ip address 2 bytes
2351 */
2352static int
2353fetch_iport_tok(tokenstr_t *tok, u_char *buf, int len)
2354{
2355 int err = 0;
2356
2357 READ_TOKEN_BYTES(buf, len, &tok->tt.iport.port, sizeof(uint16_t),
2358 tok->len, err);
2359 if (err)
2360 return (-1);
2361
2362 return (0);
2363}
2364
2365static void
2366print_iport_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2367 __unused char sfrm, int xml)
2368{
2369
2370 print_tok_type(fp, tok->id, "ip port", raw, xml);
2371 if (xml) {
2372 print_2_bytes(fp, ntohs(tok->tt.iport.port), "%#x");
2373 close_tag(fp, tok->id);
2374 } else {
2375 print_delim(fp, del);
2376 print_2_bytes(fp, ntohs(tok->tt.iport.port), "%#x");
2377 }
2378}
2379
2380/*
2381 * size 2 bytes
2382 * data size bytes
2383 */
2384static int
2385fetch_opaque_tok(tokenstr_t *tok, u_char *buf, int len)
2386{
2387 int err = 0;
2388
2389 READ_TOKEN_U_INT16(buf, len, tok->tt.opaque.size, tok->len, err);
2390 if (err)
2391 return (-1);
2392
2393 SET_PTR((char*)buf, len, tok->tt.opaque.data, tok->tt.opaque.size,
2394 tok->len, err);
2395 if (err)
2396 return (-1);
2397
2398 return (0);
2399}
2400
2401static void
2402print_opaque_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2403 __unused char sfrm, int xml)
2404{
2405
2406 print_tok_type(fp, tok->id, "opaque", raw, xml);
2407 if (xml) {
2408 print_mem(fp, (u_char*)tok->tt.opaque.data,
2409 tok->tt.opaque.size);
2410 close_tag(fp, tok->id);
2411 } else {
2412 print_delim(fp, del);
2413 print_2_bytes(fp, tok->tt.opaque.size, "%u");
2414 print_delim(fp, del);
2415 print_mem(fp, (u_char*)tok->tt.opaque.data,
2416 tok->tt.opaque.size);
2417 }
2418}
2419
2420/*
2421 * size 2 bytes
2422 * data size bytes
2423 */
2424static int
2425fetch_path_tok(tokenstr_t *tok, u_char *buf, int len)
2426{
2427 int err = 0;
2428
2429 READ_TOKEN_U_INT16(buf, len, tok->tt.path.len, tok->len, err);
2430 if (err)
2431 return (-1);
2432
2433 SET_PTR((char*)buf, len, tok->tt.path.path, tok->tt.path.len, tok->len,
2434 err);
2435 if (err)
2436 return (-1);
2437
2438 return (0);
2439}
2440
2441static void
2442print_path_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2443 __unused char sfrm, int xml)
2444{
2445
2446 print_tok_type(fp, tok->id, "path", raw, xml);
2447 if (xml) {
2448 print_string(fp, tok->tt.path.path, tok->tt.path.len);
2449 close_tag(fp, tok->id);
2450 } else {
2451 print_delim(fp, del);
2452 print_string(fp, tok->tt.path.path, tok->tt.path.len);
2453 }
2454}
2455
2456/*
2457 * token ID 1 byte
2458 * audit ID 4 bytes
2459 * euid 4 bytes
2460 * egid 4 bytes
2461 * ruid 4 bytes
2462 * rgid 4 bytes
2463 * pid 4 bytes
2464 * sessid 4 bytes
2465 * terminal ID
2466 * portid 4 bytes
2467 * machine id 4 bytes
2468 */
2469static int
2470fetch_process32_tok(tokenstr_t *tok, u_char *buf, int len)
2471{
2472 int err = 0;
2473
2474 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.auid, tok->len, err);
2475 if (err)
2476 return (-1);
2477
2478 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.euid, tok->len, err);
2479 if (err)
2480 return (-1);
2481
2482 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.egid, tok->len, err);
2483 if (err)
2484 return (-1);
2485
2486 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.ruid, tok->len, err);
2487 if (err)
2488 return (-1);
2489
2490 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.rgid, tok->len, err);
2491 if (err)
2492 return (-1);
2493
2494 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.pid, tok->len, err);
2495 if (err)
2496 return (-1);
2497
2498 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.sid, tok->len, err);
2499 if (err)
2500 return (-1);
2501
2502 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.tid.port, tok->len, err);
2503 if (err)
2504 return (-1);
2505
2506 READ_TOKEN_BYTES(buf, len, &tok->tt.proc32.tid.addr,
2507 sizeof(tok->tt.proc32.tid.addr), tok->len, err);
2508 if (err)
2509 return (-1);
2510
2511 return (0);
2512}
2513
2514static void
2515print_process32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2516 __unused char sfrm, int xml)
2517{
2518
2519 print_tok_type(fp, tok->id, "process", raw, xml);
2520 if (xml) {
2521 open_attr(fp, "audit-uid");
2522 print_user(fp, tok->tt.proc32.auid, raw);
2523 close_attr(fp);
2524 open_attr(fp, "uid");
2525 print_user(fp, tok->tt.proc32.euid, raw);
2526 close_attr(fp);
2527 open_attr(fp, "gid");
2528 print_group(fp, tok->tt.proc32.egid, raw);
2529 close_attr(fp);
2530 open_attr(fp, "ruid");
2531 print_user(fp, tok->tt.proc32.ruid, raw);
2532 close_attr(fp);
2533 open_attr(fp, "rgid");
2534 print_group(fp, tok->tt.proc32.rgid, raw);
2535 close_attr(fp);
2536 open_attr(fp, "pid");
2537 print_4_bytes(fp, tok->tt.proc32.pid, "%u");
2538 close_attr(fp);
2539 open_attr(fp, "sid");
2540 print_4_bytes(fp, tok->tt.proc32.sid, "%u");
2541 close_attr(fp);
2542 open_attr(fp, "tid");
2543 print_4_bytes(fp, tok->tt.proc32.tid.port, "%u");
2544 print_ip_address(fp, tok->tt.proc32.tid.addr);
2545 close_attr(fp);
2546 close_tag(fp, tok->id);
2547 } else {
2548 print_delim(fp, del);
2549 print_user(fp, tok->tt.proc32.auid, raw);
2550 print_delim(fp, del);
2551 print_user(fp, tok->tt.proc32.euid, raw);
2552 print_delim(fp, del);
2553 print_group(fp, tok->tt.proc32.egid, raw);
2554 print_delim(fp, del);
2555 print_user(fp, tok->tt.proc32.ruid, raw);
2556 print_delim(fp, del);
2557 print_group(fp, tok->tt.proc32.rgid, raw);
2558 print_delim(fp, del);
2559 print_4_bytes(fp, tok->tt.proc32.pid, "%u");
2560 print_delim(fp, del);
2561 print_4_bytes(fp, tok->tt.proc32.sid, "%u");
2562 print_delim(fp, del);
2563 print_4_bytes(fp, tok->tt.proc32.tid.port, "%u");
2564 print_delim(fp, del);
2565 print_ip_address(fp, tok->tt.proc32.tid.addr);
2566 }
2567}
2568
2569/*
2570 * token ID 1 byte
2571 * audit ID 4 bytes
2572 * euid 4 bytes
2573 * egid 4 bytes
2574 * ruid 4 bytes
2575 * rgid 4 bytes
2576 * pid 4 bytes
2577 * sessid 4 bytes
2578 * terminal ID
2579 * portid 8 bytes
2580 * machine id 4 bytes
2581 */
2582static int
2583fetch_process64_tok(tokenstr_t *tok, u_char *buf, int len)
2584{
2585 int err = 0;
2586
2587 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.auid, tok->len, err);
2588 if (err)
2589 return (-1);
2590
2591 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.euid, tok->len, err);
2592 if (err)
2593 return (-1);
2594
2595 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.egid, tok->len, err);
2596 if (err)
2597 return (-1);
2598
2599 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.ruid, tok->len, err);
2600 if (err)
2601 return (-1);
2602
2603 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.rgid, tok->len, err);
2604 if (err)
2605 return (-1);
2606
2607 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.pid, tok->len, err);
2608 if (err)
2609 return (-1);
2610
2611 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.sid, tok->len, err);
2612 if (err)
2613 return (-1);
2614
2615 READ_TOKEN_U_INT64(buf, len, tok->tt.proc64.tid.port, tok->len, err);
2616 if (err)
2617 return (-1);
2618
2619 READ_TOKEN_BYTES(buf, len, &tok->tt.proc64.tid.addr,
2620 sizeof(tok->tt.proc64.tid.addr), tok->len, err);
2621 if (err)
2622 return (-1);
2623
2624 return (0);
2625}
2626
2627static void
2628print_process64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2629 __unused char sfrm, int xml)
2630{
2631 print_tok_type(fp, tok->id, "process", raw, xml);
2632 if (xml) {
2633 open_attr(fp, "audit-uid");
2634 print_user(fp, tok->tt.proc64.auid, raw);
2635 close_attr(fp);
2636 open_attr(fp, "uid");
2637 print_user(fp, tok->tt.proc64.euid, raw);
2638 close_attr(fp);
2639 open_attr(fp, "gid");
2640 print_group(fp, tok->tt.proc64.egid, raw);
2641 close_attr(fp);
2642 open_attr(fp, "ruid");
2643 print_user(fp, tok->tt.proc64.ruid, raw);
2644 close_attr(fp);
2645 open_attr(fp, "rgid");
2646 print_group(fp, tok->tt.proc64.rgid, raw);
2647 close_attr(fp);
2648 open_attr(fp, "pid");
2649 print_4_bytes(fp, tok->tt.proc64.pid, "%u");
2650 close_attr(fp);
2651 open_attr(fp, "sid");
2652 print_4_bytes(fp, tok->tt.proc64.sid, "%u");
2653 close_attr(fp);
2654 open_attr(fp, "tid");
2655 print_8_bytes(fp, tok->tt.proc64.tid.port, "%llu");
2656 print_ip_address(fp, tok->tt.proc64.tid.addr);
2657 close_attr(fp);
2658 close_tag(fp, tok->id);
2659 } else {
2660 print_delim(fp, del);
2661 print_user(fp, tok->tt.proc64.auid, raw);
2662 print_delim(fp, del);
2663 print_user(fp, tok->tt.proc64.euid, raw);
2664 print_delim(fp, del);
2665 print_group(fp, tok->tt.proc64.egid, raw);
2666 print_delim(fp, del);
2667 print_user(fp, tok->tt.proc64.ruid, raw);
2668 print_delim(fp, del);
2669 print_group(fp, tok->tt.proc64.rgid, raw);
2670 print_delim(fp, del);
2671 print_4_bytes(fp, tok->tt.proc64.pid, "%u");
2672 print_delim(fp, del);
2673 print_4_bytes(fp, tok->tt.proc64.sid, "%u");
2674 print_delim(fp, del);
2675 print_8_bytes(fp, tok->tt.proc64.tid.port, "%llu");
2676 print_delim(fp, del);
2677 print_ip_address(fp, tok->tt.proc64.tid.addr);
2678 }
2679}
2680
2681/*
2682 * token ID 1 byte
2683 * audit ID 4 bytes
2684 * effective user ID 4 bytes
2685 * effective group ID 4 bytes
2686 * real user ID 4 bytes
2687 * real group ID 4 bytes
2688 * process ID 4 bytes
2689 * session ID 4 bytes
2690 * terminal ID
2691 * port ID 4 bytes
2692 * address type-len 4 bytes
2693 * machine address 16 bytes
2694 */
2695static int
2696fetch_process32ex_tok(tokenstr_t *tok, u_char *buf, int len)
2697{
2698 int err = 0;
2699
2700 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.auid, tok->len, err);
2701 if (err)
2702 return (-1);
2703
2704 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.euid, tok->len, err);
2705 if (err)
2706 return (-1);
2707
2708 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.egid, tok->len, err);
2709 if (err)
2710 return (-1);
2711
2712 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.ruid, tok->len, err);
2713 if (err)
2714 return (-1);
2715
2716 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.rgid, tok->len, err);
2717 if (err)
2718 return (-1);
2719
2720 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.pid, tok->len, err);
2721 if (err)
2722 return (-1);
2723
2724 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.sid, tok->len, err);
2725 if (err)
2726 return (-1);
2727
2728 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.tid.port, tok->len,
2729 err);
2730 if (err)
2731 return (-1);
2732
2733 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.tid.type, tok->len,
2734 err);
2735 if (err)
2736 return (-1);
2737
2738 if (tok->tt.proc32_ex.tid.type == AU_IPv4) {
2739 READ_TOKEN_BYTES(buf, len, &tok->tt.proc32_ex.tid.addr[0],
2740 sizeof(tok->tt.proc32_ex.tid.addr[0]), tok->len, err);
2741 if (err)
2742 return (-1);
2743 } else if (tok->tt.proc32_ex.tid.type == AU_IPv6) {
2744 READ_TOKEN_BYTES(buf, len, tok->tt.proc32_ex.tid.addr,
2745 sizeof(tok->tt.proc32_ex.tid.addr), tok->len, err);
2746 if (err)
2747 return (-1);
2748 } else
2749 return (-1);
2750
2751 return (0);
2752}
2753
2754static void
2755print_process32ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2756 __unused char sfrm, int xml)
2757{
2758
2759 print_tok_type(fp, tok->id, "process_ex", raw, xml);
2760 if (xml) {
2761 open_attr(fp, "audit-uid");
2762 print_user(fp, tok->tt.proc32_ex.auid, raw);
2763 close_attr(fp);
2764 open_attr(fp, "uid");
2765 print_user(fp, tok->tt.proc32_ex.euid, raw);
2766 close_attr(fp);
2767 open_attr(fp, "gid");
2768 print_group(fp, tok->tt.proc32_ex.egid, raw);
2769 close_attr(fp);
2770 open_attr(fp, "ruid");
2771 print_user(fp, tok->tt.proc32_ex.ruid, raw);
2772 close_attr(fp);
2773 open_attr(fp, "rgid");
2774 print_group(fp, tok->tt.proc32_ex.rgid, raw);
2775 close_attr(fp);
2776 open_attr(fp, "pid");
2777 print_4_bytes(fp, tok->tt.proc32_ex.pid, "%u");
2778 close_attr(fp);
2779 open_attr(fp, "sid");
2780 print_4_bytes(fp, tok->tt.proc32_ex.sid, "%u");
2781 close_attr(fp);
2782 open_attr(fp, "tid");
2783 print_4_bytes(fp, tok->tt.proc32_ex.tid.port, "%u");
2784 print_ip_ex_address(fp, tok->tt.proc32_ex.tid.type,
2785 tok->tt.proc32_ex.tid.addr);
2786 close_attr(fp);
2787 close_tag(fp, tok->id);
2788 } else {
2789 print_delim(fp, del);
2790 print_user(fp, tok->tt.proc32_ex.auid, raw);
2791 print_delim(fp, del);
2792 print_user(fp, tok->tt.proc32_ex.euid, raw);
2793 print_delim(fp, del);
2794 print_group(fp, tok->tt.proc32_ex.egid, raw);
2795 print_delim(fp, del);
2796 print_user(fp, tok->tt.proc32_ex.ruid, raw);
2797 print_delim(fp, del);
2798 print_group(fp, tok->tt.proc32_ex.rgid, raw);
2799 print_delim(fp, del);
2800 print_4_bytes(fp, tok->tt.proc32_ex.pid, "%u");
2801 print_delim(fp, del);
2802 print_4_bytes(fp, tok->tt.proc32_ex.sid, "%u");
2803 print_delim(fp, del);
2804 print_4_bytes(fp, tok->tt.proc32_ex.tid.port, "%u");
2805 print_delim(fp, del);
2806 print_ip_ex_address(fp, tok->tt.proc32_ex.tid.type,
2807 tok->tt.proc32_ex.tid.addr);
2808 }
2809}
2810
2811/*
2812 * token ID 1 byte
2813 * audit ID 4 bytes
2814 * effective user ID 4 bytes
2815 * effective group ID 4 bytes
2816 * real user ID 4 bytes
2817 * real group ID 4 bytes
2818 * process ID 4 bytes
2819 * session ID 4 bytes
2820 * terminal ID
2821 * port ID 8 bytes
2822 * address type-len 4 bytes
2823 * machine address 16 bytes
2824 */
2825static int
2826fetch_process64ex_tok(tokenstr_t *tok, u_char *buf, int len)
2827{
2828 int err = 0;
2829
2830 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.auid, tok->len, err);
2831 if (err)
2832 return (-1);
2833
2834 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.euid, tok->len, err);
2835 if (err)
2836 return (-1);
2837
2838 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.egid, tok->len, err);
2839 if (err)
2840 return (-1);
2841
2842 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.ruid, tok->len, err);
2843 if (err)
2844 return (-1);
2845
2846 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.rgid, tok->len, err);
2847 if (err)
2848 return (-1);
2849
2850 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.pid, tok->len, err);
2851 if (err)
2852 return (-1);
2853
2854 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.sid, tok->len, err);
2855 if (err)
2856 return (-1);
2857
2858 READ_TOKEN_U_INT64(buf, len, tok->tt.proc64_ex.tid.port, tok->len,
2859 err);
2860 if (err)
2861 return (-1);
2862
2863 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.tid.type, tok->len,
2864 err);
2865 if (err)
2866 return (-1);
2867
2868 if (tok->tt.proc64_ex.tid.type == AU_IPv4) {
2869 READ_TOKEN_BYTES(buf, len, &tok->tt.proc64_ex.tid.addr[0],
2870 sizeof(tok->tt.proc64_ex.tid.addr[0]), tok->len, err);
2871 if (err)
2872 return (-1);
2873 } else if (tok->tt.proc64_ex.tid.type == AU_IPv6) {
2874 READ_TOKEN_BYTES(buf, len, tok->tt.proc64_ex.tid.addr,
2875 sizeof(tok->tt.proc64_ex.tid.addr), tok->len, err);
2876 if (err)
2877 return (-1);
2878 } else
2879 return (-1);
2880
2881 return (0);
2882}
2883
2884static void
2885print_process64ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2886 __unused char sfrm, int xml)
2887{
2888 print_tok_type(fp, tok->id, "process_ex", raw, xml);
2889 if (xml) {
2890 open_attr(fp, "audit-uid");
2891 print_user(fp, tok->tt.proc64_ex.auid, raw);
2892 close_attr(fp);
2893 open_attr(fp, "uid");
2894 print_user(fp, tok->tt.proc64_ex.euid, raw);
2895 close_attr(fp);
2896 open_attr(fp, "gid");
2897 print_group(fp, tok->tt.proc64_ex.egid, raw);
2898 close_attr(fp);
2899 open_attr(fp, "ruid");
2900 print_user(fp, tok->tt.proc64_ex.ruid, raw);
2901 close_attr(fp);
2902 open_attr(fp, "rgid");
2903 print_group(fp, tok->tt.proc64_ex.rgid, raw);
2904 close_attr(fp);
2905 open_attr(fp, "pid");
2906 print_4_bytes(fp, tok->tt.proc64_ex.pid, "%u");
2907 close_attr(fp);
2908 open_attr(fp, "sid");
2909 print_4_bytes(fp, tok->tt.proc64_ex.sid, "%u");
2910 close_attr(fp);
2911 open_attr(fp, "tid");
2912 print_8_bytes(fp, tok->tt.proc64_ex.tid.port, "%llu");
2913 print_ip_ex_address(fp, tok->tt.proc64_ex.tid.type,
2914 tok->tt.proc64_ex.tid.addr);
2915 close_attr(fp);
2916 close_tag(fp, tok->id);
2917 } else {
2918 print_delim(fp, del);
2919 print_user(fp, tok->tt.proc64_ex.auid, raw);
2920 print_delim(fp, del);
2921 print_user(fp, tok->tt.proc64_ex.euid, raw);
2922 print_delim(fp, del);
2923 print_group(fp, tok->tt.proc64_ex.egid, raw);
2924 print_delim(fp, del);
2925 print_user(fp, tok->tt.proc64_ex.ruid, raw);
2926 print_delim(fp, del);
2927 print_group(fp, tok->tt.proc64_ex.rgid, raw);
2928 print_delim(fp, del);
2929 print_4_bytes(fp, tok->tt.proc64_ex.pid, "%u");
2930 print_delim(fp, del);
2931 print_4_bytes(fp, tok->tt.proc64_ex.sid, "%u");
2932 print_delim(fp, del);
2933 print_8_bytes(fp, tok->tt.proc64_ex.tid.port, "%llu");
2934 print_delim(fp, del);
2935 print_ip_ex_address(fp, tok->tt.proc64_ex.tid.type,
2936 tok->tt.proc64_ex.tid.addr);
2937 }
2938}
2939
2940/*
2941 * errno 1 byte
2942 * return value 4 bytes
2943 */
2944static int
2945fetch_return32_tok(tokenstr_t *tok, u_char *buf, int len)
2946{
2947 int err = 0;
2948
2949 READ_TOKEN_U_CHAR(buf, len, tok->tt.ret32.status, tok->len, err);
2950 if (err)
2951 return (-1);
2952
2953 READ_TOKEN_U_INT32(buf, len, tok->tt.ret32.ret, tok->len, err);
2954 if (err)
2955 return (-1);
2956
2957 return (0);
2958}
2959
2960static void
2961print_return32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2962 __unused char sfrm, int xml)
2963{
2964
2965 print_tok_type(fp, tok->id, "return", raw, xml);
2966 if (xml) {
2967 open_attr(fp ,"errval");
2968 print_retval(fp, tok->tt.ret32.status, raw);
2969 close_attr(fp);
2970 open_attr(fp, "retval");
2971 print_4_bytes(fp, tok->tt.ret32.ret, "%u");
2972 close_attr(fp);
2973 close_tag(fp, tok->id);
2974 } else {
2975 print_delim(fp, del);
2976 print_retval(fp, tok->tt.ret32.status, raw);
2977 print_delim(fp, del);
2978 print_4_bytes(fp, tok->tt.ret32.ret, "%u");
2979 }
2980}
2981
2982static int
2983fetch_return64_tok(tokenstr_t *tok, u_char *buf, int len)
2984{
2985 int err = 0;
2986
2987 READ_TOKEN_U_CHAR(buf, len, tok->tt.ret64.err, tok->len, err);
2988 if (err)
2989 return (-1);
2990
2991 READ_TOKEN_U_INT64(buf, len, tok->tt.ret64.val, tok->len, err);
2992 if (err)
2993 return (-1);
2994
2995 return (0);
2996}
2997
2998static void
2999print_return64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3000 __unused char sfrm, int xml)
3001{
3002
3003 print_tok_type(fp, tok->id, "return", raw, xml);
3004 if (xml) {
3005 open_attr(fp, "errval");
3006 print_retval(fp, tok->tt.ret64.err, raw);
3007 close_attr(fp);
3008 open_attr(fp, "retval");
3009 print_8_bytes(fp, tok->tt.ret64.val, "%lld");
3010 close_attr(fp);
3011 close_tag(fp, tok->id);
3012 } else {
3013 print_delim(fp, del);
3014 print_retval(fp, tok->tt.ret64.err, raw);
3015 print_delim(fp, del);
3016 print_8_bytes(fp, tok->tt.ret64.val, "%lld");
3017 }
3018}
3019
3020/*
3021 * seq 4 bytes
3022 */
3023static int
3024fetch_seq_tok(tokenstr_t *tok, u_char *buf, int len)
3025{
3026 int err = 0;
3027
3028 READ_TOKEN_U_INT32(buf, len, tok->tt.seq.seqno, tok->len, err);
3029 if (err)
3030 return (-1);
3031
3032 return (0);
3033}
3034
3035static void
3036print_seq_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3037 __unused char sfrm, int xml)
3038{
3039
3040 print_tok_type(fp, tok->id, "sequence", raw, xml);
3041 if (xml) {
3042 open_attr(fp, "seq-num");
3043 print_4_bytes(fp, tok->tt.seq.seqno, "%u");
3044 close_attr(fp);
3045 close_tag(fp, tok->id);
3046 } else {
3047 print_delim(fp, del);
3048 print_4_bytes(fp, tok->tt.seq.seqno, "%u");
3049 }
3050}
3051
3052/*
3053 * socket family 2 bytes
3054 * local port 2 bytes
3055 * socket address 4 bytes
3056 */
3057static int
3058fetch_sock_inet32_tok(tokenstr_t *tok, u_char *buf, int len)
3059{
3060 int err = 0;
3061
3062 READ_TOKEN_U_INT16(buf, len, tok->tt.sockinet32.family, tok->len,
3063 err);
3064 if (err)
3065 return (-1);
3066
3067 READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet32.port,
3068 sizeof(uint16_t), tok->len, err);
3069 if (err)
3070 return (-1);
3071
3072 READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet32.addr,
3073 sizeof(tok->tt.sockinet32.addr), tok->len, err);
3074 if (err)
3075 return (-1);
3076
3077 return (0);
3078}
3079
3080static void
3081print_sock_inet32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3082 __unused char sfrm, int xml)
3083{
3084
3085 print_tok_type(fp, tok->id, "socket-inet", raw, xml);
3086 if (xml) {
3087 open_attr(fp, "type");
3088 print_2_bytes(fp, tok->tt.sockinet32.family, "%u");
3089 close_attr(fp);
3090 open_attr(fp, "port");
3091 print_2_bytes(fp, ntohs(tok->tt.sockinet32.port), "%u");
3092 close_attr(fp);
3093 open_attr(fp, "addr");
3094 print_ip_address(fp, tok->tt.sockinet32.addr);
3095 close_attr(fp);
3096 close_tag(fp, tok->id);
3097 } else {
3098 print_delim(fp, del);
3099 print_2_bytes(fp, tok->tt.sockinet32.family, "%u");
3100 print_delim(fp, del);
3101 print_2_bytes(fp, ntohs(tok->tt.sockinet32.port), "%u");
3102 print_delim(fp, del);
3103 print_ip_address(fp, tok->tt.sockinet32.addr);
3104 }
3105}
3106
3107/*
3108 * socket family 2 bytes
3109 * path 104 bytes
3110 */
3111static int
3112fetch_sock_unix_tok(tokenstr_t *tok, u_char *buf, int len)
3113{
3114 int err = 0;
3115
3116 READ_TOKEN_U_INT16(buf, len, tok->tt.sockunix.family, tok->len, err);
3117 if (err)
3118 return (-1);
3119
3120 READ_TOKEN_BYTES(buf, len, tok->tt.sockunix.path, 104, tok->len,
3121 err);
3122 if (err)
3123 return (-1);
3124
3125 return (0);
3126}
3127
3128static void
3129print_sock_unix_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3130 __unused char sfrm, int xml)
3131{
3132
3133 print_tok_type(fp, tok->id, "socket-unix", raw, xml);
3134 if (xml) {
3135 open_attr(fp, "type");
3136 print_2_bytes(fp, tok->tt.sockunix.family, "%u");
3137 close_attr(fp);
3138 open_attr(fp, "port");
3139 close_attr(fp);
3140 open_attr(fp, "addr");
3141 print_string(fp, tok->tt.sockunix.path,
3142 strlen(tok->tt.sockunix.path));
3143 close_attr(fp);
3144 close_tag(fp, tok->id);
3145 } else {
3146 print_delim(fp, del);
3147 print_2_bytes(fp, tok->tt.sockunix.family, "%u");
3148 print_delim(fp, del);
3149 print_string(fp, tok->tt.sockunix.path,
3150 strlen(tok->tt.sockunix.path));
3151 }
3152}
3153
3154/*
3155 * socket type 2 bytes
3156 * local port 2 bytes
3157 * local address 4 bytes
3158 * remote port 2 bytes
3159 * remote address 4 bytes
3160 */
3161static int
3162fetch_socket_tok(tokenstr_t *tok, u_char *buf, int len)
3163{
3164 int err = 0;
3165
3166 READ_TOKEN_U_INT16(buf, len, tok->tt.socket.type, tok->len, err);
3167 if (err)
3168 return (-1);
3169
3170 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_port, sizeof(uint16_t),
3171 tok->len, err);
3172 if (err)
3173 return (-1);
3174
3175 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_addr,
3176 sizeof(tok->tt.socket.l_addr), tok->len, err);
3177 if (err)
3178 return (-1);
3179
3180 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.r_port, sizeof(uint16_t),
3181 tok->len, err);
3182 if (err)
3183 return (-1);
3184
3185 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_addr,
3186 sizeof(tok->tt.socket.r_addr), tok->len, err);
3187 if (err)
3188 return (-1);
3189
3190 return (0);
3191}
3192
3193static void
3194print_socket_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3195 __unused char sfrm, int xml)
3196{
3197
3198 print_tok_type(fp, tok->id, "socket", raw, xml);
3199 if (xml) {
3200 open_attr(fp, "sock_type");
3201 print_2_bytes(fp, tok->tt.socket.type, "%u");
3202 close_attr(fp);
3203 open_attr(fp, "lport");
3204 print_2_bytes(fp, ntohs(tok->tt.socket.l_port), "%u");
3205 close_attr(fp);
3206 open_attr(fp, "laddr");
3207 print_ip_address(fp, tok->tt.socket.l_addr);
3208 close_attr(fp);
3209 open_attr(fp, "fport");
3210 print_2_bytes(fp, ntohs(tok->tt.socket.r_port), "%u");
3211 close_attr(fp);
3212 open_attr(fp, "faddr");
3213 print_ip_address(fp, tok->tt.socket.r_addr);
3214 close_attr(fp);
3215 close_tag(fp, tok->id);
3216 } else {
3217 print_delim(fp, del);
3218 print_2_bytes(fp, tok->tt.socket.type, "%u");
3219 print_delim(fp, del);
3220 print_2_bytes(fp, ntohs(tok->tt.socket.l_port), "%u");
3221 print_delim(fp, del);
3222 print_ip_address(fp, tok->tt.socket.l_addr);
3223 print_delim(fp, del);
3224 print_2_bytes(fp, ntohs(tok->tt.socket.r_port), "%u");
3225 print_delim(fp, del);
3226 print_ip_address(fp, tok->tt.socket.r_addr);
3227 }
3228}
3229
3230/*
3231 * audit ID 4 bytes
3232 * euid 4 bytes
3233 * egid 4 bytes
3234 * ruid 4 bytes
3235 * rgid 4 bytes
3236 * pid 4 bytes
3237 * sessid 4 bytes
3238 * terminal ID
3239 * portid 4 bytes/8 bytes (32-bit/64-bit value)
3240 * machine id 4 bytes
3241 */
3242static int
3243fetch_subject32_tok(tokenstr_t *tok, u_char *buf, int len)
3244{
3245 int err = 0;
3246
3247 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.auid, tok->len, err);
3248 if (err)
3249 return (-1);
3250
3251 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.euid, tok->len, err);
3252 if (err)
3253 return (-1);
3254
3255 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.egid, tok->len, err);
3256 if (err)
3257 return (-1);
3258
3259 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.ruid, tok->len, err);
3260 if (err)
3261 return (-1);
3262
3263 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.rgid, tok->len, err);
3264 if (err)
3265 return (-1);
3266
3267 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.pid, tok->len, err);
3268 if (err)
3269 return (-1);
3270
3271 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.sid, tok->len, err);
3272 if (err)
3273 return (-1);
3274
3275 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.tid.port, tok->len, err);
3276 if (err)
3277 return (-1);
3278
3279 READ_TOKEN_BYTES(buf, len, &tok->tt.subj32.tid.addr,
3280 sizeof(tok->tt.subj32.tid.addr), tok->len, err);
3281 if (err)
3282 return (-1);
3283
3284 return (0);
3285}
3286
3287static void
3288print_subject32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3289 __unused char sfrm, int xml)
3290{
3291
3292 print_tok_type(fp, tok->id, "subject", raw, xml);
3293 if (xml) {
3294 open_attr(fp, "audit-uid");
3295 print_user(fp, tok->tt.subj32.auid, raw);
3296 close_attr(fp);
3297 open_attr(fp, "uid");
3298 print_user(fp, tok->tt.subj32.euid, raw);
3299 close_attr(fp);
3300 open_attr(fp, "gid");
3301 print_group(fp, tok->tt.subj32.egid, raw);
3302 close_attr(fp);
3303 open_attr(fp, "ruid");
3304 print_user(fp, tok->tt.subj32.ruid, raw);
3305 close_attr(fp);
3306 open_attr(fp, "rgid");
3307 print_group(fp, tok->tt.subj32.rgid, raw);
3308 close_attr(fp);
3309 open_attr(fp,"pid");
3310 print_4_bytes(fp, tok->tt.subj32.pid, "%u");
3311 close_attr(fp);
3312 open_attr(fp,"sid");
3313 print_4_bytes(fp, tok->tt.subj32.sid, "%u");
3314 close_attr(fp);
3315 open_attr(fp,"tid");
3316 print_4_bytes(fp, tok->tt.subj32.tid.port, "%u ");
3317 print_ip_address(fp, tok->tt.subj32.tid.addr);
3318 close_attr(fp);
3319 close_tag(fp, tok->id);
3320 } else {
3321 print_delim(fp, del);
3322 print_user(fp, tok->tt.subj32.auid, raw);
3323 print_delim(fp, del);
3324 print_user(fp, tok->tt.subj32.euid, raw);
3325 print_delim(fp, del);
3326 print_group(fp, tok->tt.subj32.egid, raw);
3327 print_delim(fp, del);
3328 print_user(fp, tok->tt.subj32.ruid, raw);
3329 print_delim(fp, del);
3330 print_group(fp, tok->tt.subj32.rgid, raw);
3331 print_delim(fp, del);
3332 print_4_bytes(fp, tok->tt.subj32.pid, "%u");
3333 print_delim(fp, del);
3334 print_4_bytes(fp, tok->tt.subj32.sid, "%u");
3335 print_delim(fp, del);
3336 print_4_bytes(fp, tok->tt.subj32.tid.port, "%u");
3337 print_delim(fp, del);
3338 print_ip_address(fp, tok->tt.subj32.tid.addr);
3339 }
3340}
3341
3342/*
3343 * audit ID 4 bytes
3344 * euid 4 bytes
3345 * egid 4 bytes
3346 * ruid 4 bytes
3347 * rgid 4 bytes
3348 * pid 4 bytes
3349 * sessid 4 bytes
3350 * terminal ID
3351 * portid 4 bytes/8 bytes (32-bit/64-bit value)
3352 * machine id 4 bytes
3353 */
3354static int
3355fetch_subject64_tok(tokenstr_t *tok, u_char *buf, int len)
3356{
3357 int err = 0;
3358
3359 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.auid, tok->len, err);
3360 if (err)
3361 return (-1);
3362
3363 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.euid, tok->len, err);
3364 if (err)
3365 return (-1);
3366
3367 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.egid, tok->len, err);
3368 if (err)
3369 return (-1);
3370
3371 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.ruid, tok->len, err);
3372 if (err)
3373 return (-1);
3374
3375 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.rgid, tok->len, err);
3376 if (err)
3377 return (-1);
3378
3379 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.pid, tok->len, err);
3380 if (err)
3381 return (-1);
3382
3383 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.sid, tok->len, err);
3384 if (err)
3385 return (-1);
3386
3387 READ_TOKEN_U_INT64(buf, len, tok->tt.subj64.tid.port, tok->len, err);
3388 if (err)
3389 return (-1);
3390
3391 READ_TOKEN_BYTES(buf, len, &tok->tt.subj64.tid.addr,
3392 sizeof(tok->tt.subj64.tid.addr), tok->len, err);
3393 if (err)
3394 return (-1);
3395
3396 return (0);
3397}
3398
3399static void
3400print_subject64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3401 __unused char sfrm, int xml)
3402{
3403
3404 print_tok_type(fp, tok->id, "subject", raw, xml);
3405 if (xml) {
3406 open_attr(fp, "audit-uid");
3407 print_user(fp, tok->tt.subj64.auid, raw);
3408 close_attr(fp);
3409 open_attr(fp, "uid");
3410 print_user(fp, tok->tt.subj64.euid, raw);
3411 close_attr(fp);
3412 open_attr(fp, "gid");
3413 print_group(fp, tok->tt.subj64.egid, raw);
3414 close_attr(fp);
3415 open_attr(fp, "ruid");
3416 print_user(fp, tok->tt.subj64.ruid, raw);
3417 close_attr(fp);
3418 open_attr(fp, "rgid");
3419 print_group(fp, tok->tt.subj64.rgid, raw);
3420 close_attr(fp);
3421 open_attr(fp, "pid");
3422 print_4_bytes(fp, tok->tt.subj64.pid, "%u");
3423 close_attr(fp);
3424 open_attr(fp, "sid");
3425 print_4_bytes(fp, tok->tt.subj64.sid, "%u");
3426 close_attr(fp);
3427 open_attr(fp, "tid");
3428 print_8_bytes(fp, tok->tt.subj64.tid.port, "%llu");
3429 print_ip_address(fp, tok->tt.subj64.tid.addr);
3430 close_attr(fp);
3431 close_tag(fp, tok->id);
3432 } else {
3433 print_delim(fp, del);
3434 print_user(fp, tok->tt.subj64.auid, raw);
3435 print_delim(fp, del);
3436 print_user(fp, tok->tt.subj64.euid, raw);
3437 print_delim(fp, del);
3438 print_group(fp, tok->tt.subj64.egid, raw);
3439 print_delim(fp, del);
3440 print_user(fp, tok->tt.subj64.ruid, raw);
3441 print_delim(fp, del);
3442 print_group(fp, tok->tt.subj64.rgid, raw);
3443 print_delim(fp, del);
3444 print_4_bytes(fp, tok->tt.subj64.pid, "%u");
3445 print_delim(fp, del);
3446 print_4_bytes(fp, tok->tt.subj64.sid, "%u");
3447 print_delim(fp, del);
3448 print_8_bytes(fp, tok->tt.subj64.tid.port, "%llu");
3449 print_delim(fp, del);
3450 print_ip_address(fp, tok->tt.subj64.tid.addr);
3451 }
3452}
3453
3454/*
3455 * audit ID 4 bytes
3456 * euid 4 bytes
3457 * egid 4 bytes
3458 * ruid 4 bytes
3459 * rgid 4 bytes
3460 * pid 4 bytes
3461 * sessid 4 bytes
3462 * terminal ID
3463 * portid 4 bytes
3464 * type 4 bytes
3465 * machine id 16 bytes
3466 */
3467static int
3468fetch_subject32ex_tok(tokenstr_t *tok, u_char *buf, int len)
3469{
3470 int err = 0;
3471
3472 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.auid, tok->len, err);
3473 if (err)
3474 return (-1);
3475
3476 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.euid, tok->len, err);
3477 if (err)
3478 return (-1);
3479
3480 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.egid, tok->len, err);
3481 if (err)
3482 return (-1);
3483
3484 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.ruid, tok->len, err);
3485 if (err)
3486 return (-1);
3487
3488 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.rgid, tok->len, err);
3489 if (err)
3490 return (-1);
3491
3492 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.pid, tok->len, err);
3493 if (err)
3494 return (-1);
3495
3496 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.sid, tok->len, err);
3497 if (err)
3498 return (-1);
3499
3500 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.tid.port, tok->len,
3501 err);
3502 if (err)
3503 return (-1);
3504
3505 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.tid.type, tok->len,
3506 err);
3507 if (err)
3508 return (-1);
3509
3510 if (tok->tt.subj32_ex.tid.type == AU_IPv4) {
3511 READ_TOKEN_BYTES(buf, len, &tok->tt.subj32_ex.tid.addr[0],
3512 sizeof(tok->tt.subj32_ex.tid.addr[0]), tok->len, err);
3513 if (err)
3514 return (-1);
3515 } else if (tok->tt.subj32_ex.tid.type == AU_IPv6) {
3516 READ_TOKEN_BYTES(buf, len, tok->tt.subj32_ex.tid.addr,
3517 sizeof(tok->tt.subj32_ex.tid.addr), tok->len, err);
3518 if (err)
3519 return (-1);
3520 } else
3521 return (-1);
3522
3523 return (0);
3524}
3525
3526static void
3527print_subject32ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3528 __unused char sfrm, int xml)
3529{
3530
3531 print_tok_type(fp, tok->id, "subject_ex", raw, xml);
3532 if (xml) {
3533 open_attr(fp, "audit-uid");
3534 print_user(fp, tok->tt.subj32_ex.auid, raw);
3535 close_attr(fp);
3536 open_attr(fp, "uid");
3537 print_user(fp, tok->tt.subj32_ex.euid, raw);
3538 close_attr(fp);
3539 open_attr(fp, "gid");
3540 print_group(fp, tok->tt.subj32_ex.egid, raw);
3541 close_attr(fp);
3542 open_attr(fp, "ruid");
3543 print_user(fp, tok->tt.subj32_ex.ruid, raw);
3544 close_attr(fp);
3545 open_attr(fp, "rgid");
3546 print_group(fp, tok->tt.subj32_ex.rgid, raw);
3547 close_attr(fp);
3548 open_attr(fp, "pid");
3549 print_4_bytes(fp, tok->tt.subj32_ex.pid, "%u");
3550 close_attr(fp);
3551 open_attr(fp, "sid");
3552 print_4_bytes(fp, tok->tt.subj32_ex.sid, "%u");
3553 close_attr(fp);
3554 open_attr(fp, "tid");
3555 print_4_bytes(fp, tok->tt.subj32_ex.tid.port, "%u");
3556 print_ip_ex_address(fp, tok->tt.subj32_ex.tid.type,
3557 tok->tt.subj32_ex.tid.addr);
3558 close_attr(fp);
3559 close_tag(fp, tok->id);
3560 } else {
3561 print_delim(fp, del);
3562 print_user(fp, tok->tt.subj32_ex.auid, raw);
3563 print_delim(fp, del);
3564 print_user(fp, tok->tt.subj32_ex.euid, raw);
3565 print_delim(fp, del);
3566 print_group(fp, tok->tt.subj32_ex.egid, raw);
3567 print_delim(fp, del);
3568 print_user(fp, tok->tt.subj32_ex.ruid, raw);
3569 print_delim(fp, del);
3570 print_group(fp, tok->tt.subj32_ex.rgid, raw);
3571 print_delim(fp, del);
3572 print_4_bytes(fp, tok->tt.subj32_ex.pid, "%u");
3573 print_delim(fp, del);
3574 print_4_bytes(fp, tok->tt.subj32_ex.sid, "%u");
3575 print_delim(fp, del);
3576 print_4_bytes(fp, tok->tt.subj32_ex.tid.port, "%u");
3577 print_delim(fp, del);
3578 print_ip_ex_address(fp, tok->tt.subj32_ex.tid.type,
3579 tok->tt.subj32_ex.tid.addr);
3580 }
3581}
3582
3583/*
3584 * audit ID 4 bytes
3585 * euid 4 bytes
3586 * egid 4 bytes
3587 * ruid 4 bytes
3588 * rgid 4 bytes
3589 * pid 4 bytes
3590 * sessid 4 bytes
3591 * terminal ID
3592 * portid 8 bytes
3593 * type 4 bytes
3594 * machine id 16 bytes
3595 */
3596static int
3597fetch_subject64ex_tok(tokenstr_t *tok, u_char *buf, int len)
3598{
3599 int err = 0;
3600
3601 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.auid, tok->len, err);
3602 if (err)
3603 return (-1);
3604
3605 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.euid, tok->len, err);
3606 if (err)
3607 return (-1);
3608
3609 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.egid, tok->len, err);
3610 if (err)
3611 return (-1);
3612
3613 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.ruid, tok->len, err);
3614 if (err)
3615 return (-1);
3616
3617 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.rgid, tok->len, err);
3618 if (err)
3619 return (-1);
3620
3621 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.pid, tok->len, err);
3622 if (err)
3623 return (-1);
3624
3625 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.sid, tok->len, err);
3626 if (err)
3627 return (-1);
3628
3629 READ_TOKEN_U_INT64(buf, len, tok->tt.subj64_ex.tid.port, tok->len,
3630 err);
3631 if (err)
3632 return (-1);
3633
3634 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.tid.type, tok->len,
3635 err);
3636 if (err)
3637 return (-1);
3638
3639 if (tok->tt.subj64_ex.tid.type == AU_IPv4) {
3640 READ_TOKEN_BYTES(buf, len, &tok->tt.subj64_ex.tid.addr[0],
3641 sizeof(tok->tt.subj64_ex.tid.addr[0]), tok->len, err);
3642 if (err)
3643 return (-1);
3644 } else if (tok->tt.subj64_ex.tid.type == AU_IPv6) {
3645 READ_TOKEN_BYTES(buf, len, tok->tt.subj64_ex.tid.addr,
3646 sizeof(tok->tt.subj64_ex.tid.addr), tok->len, err);
3647 if (err)
3648 return (-1);
3649 } else
3650 return (-1);
3651
3652 return (0);
3653}
3654
3655static void
3656print_subject64ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3657 __unused char sfrm, int xml)
3658{
3659 print_tok_type(fp, tok->id, "subject_ex", raw, xml);
3660 if (xml) {
3661 open_attr(fp, "audit-uid");
3662 print_user(fp, tok->tt.subj64_ex.auid, raw);
3663 close_attr(fp);
3664 open_attr(fp, "uid");
3665 print_user(fp, tok->tt.subj64_ex.euid, raw);
3666 close_attr(fp);
3667 open_attr(fp, "gid");
3668 print_group(fp, tok->tt.subj64_ex.egid, raw);
3669 close_attr(fp);
3670 open_attr(fp, "ruid");
3671 print_user(fp, tok->tt.subj64_ex.ruid, raw);
3672 close_attr(fp);
3673 open_attr(fp, "rgid");
3674 print_group(fp, tok->tt.subj64_ex.rgid, raw);
3675 close_attr(fp);
3676 open_attr(fp, "pid");
3677 print_4_bytes(fp, tok->tt.subj64_ex.pid, "%u");
3678 close_attr(fp);
3679 open_attr(fp, "sid");
3680 print_4_bytes(fp, tok->tt.subj64_ex.sid, "%u");
3681 close_attr(fp);
3682 open_attr(fp, "tid");
3683 print_8_bytes(fp, tok->tt.subj64_ex.tid.port, "%llu");
3684 print_ip_ex_address(fp, tok->tt.subj64_ex.tid.type,
3685 tok->tt.subj64_ex.tid.addr);
3686 close_attr(fp);
3687 close_tag(fp, tok->id);
3688 } else {
3689 print_delim(fp, del);
3690 print_user(fp, tok->tt.subj64_ex.auid, raw);
3691 print_delim(fp, del);
3692 print_user(fp, tok->tt.subj64_ex.euid, raw);
3693 print_delim(fp, del);
3694 print_group(fp, tok->tt.subj64_ex.egid, raw);
3695 print_delim(fp, del);
3696 print_user(fp, tok->tt.subj64_ex.ruid, raw);
3697 print_delim(fp, del);
3698 print_group(fp, tok->tt.subj64_ex.rgid, raw);
3699 print_delim(fp, del);
3700 print_4_bytes(fp, tok->tt.subj64_ex.pid, "%u");
3701 print_delim(fp, del);
3702 print_4_bytes(fp, tok->tt.subj64_ex.sid, "%u");
3703 print_delim(fp, del);
3704 print_8_bytes(fp, tok->tt.subj64_ex.tid.port, "%llu");
3705 print_delim(fp, del);
3706 print_ip_ex_address(fp, tok->tt.subj64_ex.tid.type,
3707 tok->tt.subj64_ex.tid.addr);
3708 }
3709}
3710
3711/*
3712 * size 2 bytes
3713 * data size bytes
3714 */
3715static int
3716fetch_text_tok(tokenstr_t *tok, u_char *buf, int len)
3717{
3718 int err = 0;
3719
3720 READ_TOKEN_U_INT16(buf, len, tok->tt.text.len, tok->len, err);
3721 if (err)
3722 return (-1);
3723
3724 SET_PTR((char*)buf, len, tok->tt.text.text, tok->tt.text.len, tok->len,
3725 err);
3726 if (err)
3727 return (-1);
3728
3729 return (0);
3730}
3731
3732static void
3733print_text_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3734 __unused char sfrm, int xml)
3735{
3736
3737 print_tok_type(fp, tok->id, "text", raw, xml);
3738 if (xml) {
3739 print_string(fp, tok->tt.text.text, tok->tt.text.len);
3740 close_tag(fp, tok->id);
3741 } else {
3742 print_delim(fp, del);
3743 print_string(fp, tok->tt.text.text, tok->tt.text.len);
3744 }
3745}
3746
3747/*
3748 * socket type 2 bytes
3749 * local port 2 bytes
3750 * address type/length 4 bytes
3751 * local Internet address 4 bytes
3752 * remote port 4 bytes
3753 * address type/length 4 bytes
3754 * remote Internet address 4 bytes
3755 */
3756static int
3757fetch_socketex32_tok(tokenstr_t *tok, u_char *buf, int len)
3758{
3759 int err = 0;
3760
3761 READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.type, tok->len,
3762 err);
3763 if (err)
3764 return (-1);
3765
3766 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_port,
3767 sizeof(uint16_t), tok->len, err);
3768 if (err)
3769 return (-1);
3770
3771 READ_TOKEN_U_INT32(buf, len, tok->tt.socket_ex32.l_ad_type, tok->len,
3772 err);
3773 if (err)
3774 return (-1);
3775
3776 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_addr,
3777 sizeof(tok->tt.socket_ex32.l_addr), tok->len, err);
3778 if (err)
3779 return (-1);
3780
3781 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_port,
3782 sizeof(uint16_t), tok->len, err);
3783 if (err)
3784 return (-1);
3785
3786 READ_TOKEN_U_INT32(buf, len, tok->tt.socket_ex32.r_ad_type, tok->len,
3787 err);
3788 if (err)
3789 return (-1);
3790
3791 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_addr,
3792 sizeof(tok->tt.socket_ex32.r_addr), tok->len, err);
3793 if (err)
3794 return (-1);
3795
3796 return (0);
3797}
3798
3799static void
3800print_socketex32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3801 __unused char sfrm, int xml)
3802{
3803
3804 print_tok_type(fp, tok->id, "socket", raw, xml);
3805 if (xml) {
3806 open_attr(fp, "sock_type");
3807 print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x");
3808 close_attr(fp);
3809 open_attr(fp, "lport");
3810 print_2_bytes(fp, ntohs(tok->tt.socket_ex32.l_port), "%#x");
3811 close_attr(fp);
3812 open_attr(fp, "laddr");
3813 print_ip_address(fp, tok->tt.socket_ex32.l_addr);
3814 close_attr(fp);
3815 open_attr(fp, "faddr");
3816 print_ip_address(fp, tok->tt.socket_ex32.r_addr);
3817 close_attr(fp);
3818 open_attr(fp, "fport");
3819 print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x");
3820 close_attr(fp);
3821 close_tag(fp, tok->id);
3822 } else {
3823 print_delim(fp, del);
3824 print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x");
3825 print_delim(fp, del);
3826 print_2_bytes(fp, ntohs(tok->tt.socket_ex32.l_port), "%#x");
3827 print_delim(fp, del);
3828 print_ip_address(fp, tok->tt.socket_ex32.l_addr);
3829 print_delim(fp, del);
3830 print_4_bytes(fp, ntohs(tok->tt.socket_ex32.r_port), "%#x");
3831 print_delim(fp, del);
3832 print_ip_address(fp, tok->tt.socket_ex32.r_addr);
3833 }
3834}
3835
3836static int
3837fetch_invalid_tok(tokenstr_t *tok, u_char *buf, int len)
3838{
3839 int err = 0;
3840 int recoversize;
3841
3842 recoversize = len - (tok->len + AUDIT_TRAILER_SIZE);
3843 if (recoversize <= 0)
3844 return (-1);
3845
3846 tok->tt.invalid.length = recoversize;
3847
3848 SET_PTR((char*)buf, len, tok->tt.invalid.data, recoversize, tok->len,
3849 err);
3850 if (err)
3851 return (-1);
3852
3853 return (0);
3854}
3855
3856static void
3857print_invalid_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3858 __unused char sfrm, int xml)
3859{
3860
3861 if (!xml) {
3862 print_tok_type(fp, tok->id, "unknown", raw, 0);
3863 print_delim(fp, del);
3864 print_mem(fp, (u_char*)tok->tt.invalid.data,
3865 tok->tt.invalid.length);
3866 }
3867}
3868
3869
3870/*
3871 * size 2 bytes;
3872 * zonename size bytes;
3873 */
3874static int
3875fetch_zonename_tok(tokenstr_t *tok, char *buf, int len)
3876{
3877 int err = 0;
3878
3879 READ_TOKEN_U_INT16(buf, len, tok->tt.zonename.len, tok->len, err);
3880 if (err)
3881 return (-1);
3882 SET_PTR(buf, len, tok->tt.zonename.zonename, tok->tt.zonename.len,
3883 tok->len, err);
3884 if (err)
3885 return (-1);
3886 return (0);
3887}
3888
3889static void
3890print_zonename_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3891 __unused char sfrm, int xml)
3892{
3893
3894 print_tok_type(fp, tok->id, "zone", raw, xml);
3895 if (xml) {
3896 open_attr(fp, "name");
3897 print_string(fp, tok->tt.zonename.zonename,
3898 tok->tt.zonename.len);
3899 close_attr(fp);
3900 close_tag(fp, tok->id);
3901 } else {
3902 print_delim(fp, del);
3903 print_string(fp, tok->tt.zonename.zonename,
3904 tok->tt.zonename.len);
3905 }
3906}
3907
3908/*
3909 * Reads the token beginning at buf into tok.
3910 */
3911int
3912au_fetch_tok(tokenstr_t *tok, u_char *buf, int len)
3913{
3914
3915 if (len <= 0)
3916 return (-1);
3917
3918 tok->len = 1;
3919 tok->data = buf;
3920 tok->id = *buf;
3921
3922 switch(tok->id) {
3923 case AUT_HEADER32:
3924 return (fetch_header32_tok(tok, buf, len));
3925
3926 case AUT_HEADER32_EX:
3927 return (fetch_header32_ex_tok(tok, buf, len));
3928
3929 case AUT_HEADER64:
3930 return (fetch_header64_tok(tok, buf, len));
3931
3932 case AUT_HEADER64_EX:
3933 return (fetch_header64_ex_tok(tok, buf, len));
3934
3935 case AUT_TRAILER:
3936 return (fetch_trailer_tok(tok, buf, len));
3937
3938 case AUT_ARG32:
3939 return (fetch_arg32_tok(tok, buf, len));
3940
3941 case AUT_ARG64:
3942 return (fetch_arg64_tok(tok, buf, len));
3943
3944 case AUT_ATTR32:
3945 return (fetch_attr32_tok(tok, buf, len));
3946
3947 case AUT_ATTR64:
3948 return (fetch_attr64_tok(tok, buf, len));
3949
3950 case AUT_EXIT:
3951 return (fetch_exit_tok(tok, buf, len));
3952
3953 case AUT_EXEC_ARGS:
3954 return (fetch_execarg_tok(tok, buf, len));
3955
3956 case AUT_EXEC_ENV:
3957 return (fetch_execenv_tok(tok, buf, len));
3958
3959 case AUT_OTHER_FILE32:
3960 return (fetch_file_tok(tok, buf, len));
3961
3962 case AUT_NEWGROUPS:
3963 return (fetch_newgroups_tok(tok, buf, len));
3964
3965 case AUT_IN_ADDR:
3966 return (fetch_inaddr_tok(tok, buf, len));
3967
3968 case AUT_IN_ADDR_EX:
3969 return (fetch_inaddr_ex_tok(tok, buf, len));
3970
3971 case AUT_IP:
3972 return (fetch_ip_tok(tok, buf, len));
3973
3974 case AUT_IPC:
3975 return (fetch_ipc_tok(tok, buf, len));
3976
3977 case AUT_IPC_PERM:
3978 return (fetch_ipcperm_tok(tok, buf, len));
3979
3980 case AUT_IPORT:
3981 return (fetch_iport_tok(tok, buf, len));
3982
3983 case AUT_OPAQUE:
3984 return (fetch_opaque_tok(tok, buf, len));
3985
3986 case AUT_PATH:
3987 return (fetch_path_tok(tok, buf, len));
3988
3989 case AUT_PROCESS32:
3990 return (fetch_process32_tok(tok, buf, len));
3991
3992 case AUT_PROCESS32_EX:
3993 return (fetch_process32ex_tok(tok, buf, len));
3994
3995 case AUT_PROCESS64:
3996 return (fetch_process64_tok(tok, buf, len));
3997
3998 case AUT_PROCESS64_EX:
3999 return (fetch_process64ex_tok(tok, buf, len));
4000
4001 case AUT_RETURN32:
4002 return (fetch_return32_tok(tok, buf, len));
4003
4004 case AUT_RETURN64:
4005 return (fetch_return64_tok(tok, buf, len));
4006
4007 case AUT_SEQ:
4008 return (fetch_seq_tok(tok, buf, len));
4009
4010 case AUT_SOCKET:
4011 return (fetch_socket_tok(tok, buf, len));
4012
4013 case AUT_SOCKINET32:
4014 return (fetch_sock_inet32_tok(tok, buf, len));
4015
4016 case AUT_SOCKUNIX:
4017 return (fetch_sock_unix_tok(tok, buf, len));
4018
4019 case AUT_SUBJECT32:
4020 return (fetch_subject32_tok(tok, buf, len));
4021
4022 case AUT_SUBJECT32_EX:
4023 return (fetch_subject32ex_tok(tok, buf, len));
4024
4025 case AUT_SUBJECT64:
4026 return (fetch_subject64_tok(tok, buf, len));
4027
4028 case AUT_SUBJECT64_EX:
4029 return (fetch_subject64ex_tok(tok, buf, len));
4030
4031 case AUT_TEXT:
4032 return (fetch_text_tok(tok, buf, len));
4033
4034 case AUT_SOCKET_EX:
4035 return (fetch_socketex32_tok(tok, buf, len));
4036
4037 case AUT_DATA:
4038 return (fetch_arb_tok(tok, buf, len));
4039
4040 case AUT_ZONENAME:
4041 return (fetch_zonename_tok(tok, buf, len));
4042
4043 default:
4044 return (fetch_invalid_tok(tok, buf, len));
4045 }
4046}
4047
4048/*
4049 * 'prints' the token out to outfp.
4050 */
4051void
4052au_print_tok(FILE *outfp, tokenstr_t *tok, char *del, char raw, char sfrm)
4053{
4054
4055 switch(tok->id) {
4056 case AUT_HEADER32:
4057 print_header32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4058 return;
4059
4060 case AUT_HEADER32_EX:
4061 print_header32_ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4062 return;
4063
4064 case AUT_HEADER64:
4065 print_header64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4066 return;
4067
4068 case AUT_HEADER64_EX:
4069 print_header64_ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4070 return;
4071
4072 case AUT_TRAILER:
4073 print_trailer_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4074 return;
4075
4076 case AUT_ARG32:
4077 print_arg32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4078 return;
4079
4080 case AUT_ARG64:
4081 print_arg64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4082 return;
4083
4084 case AUT_DATA:
4085 print_arb_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4086 return;
4087
4088 case AUT_ATTR32:
4089 print_attr32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4090 return;
4091
4092 case AUT_ATTR64:
4093 print_attr64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4094 return;
4095
4096 case AUT_EXIT:
4097 print_exit_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4098 return;
4099
4100 case AUT_EXEC_ARGS:
4101 print_execarg_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4102 return;
4103
4104 case AUT_EXEC_ENV:
4105 print_execenv_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4106 return;
4107
4108 case AUT_OTHER_FILE32:
4109 print_file_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4110 return;
4111
4112 case AUT_NEWGROUPS:
4113 print_newgroups_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4114 return;
4115
4116 case AUT_IN_ADDR:
4117 print_inaddr_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4118 return;
4119
4120 case AUT_IN_ADDR_EX:
4121 print_inaddr_ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4122 return;
4123
4124 case AUT_IP:
4125 print_ip_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4126 return;
4127
4128 case AUT_IPC:
4129 print_ipc_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4130 return;
4131
4132 case AUT_IPC_PERM:
4133 print_ipcperm_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4134 return;
4135
4136 case AUT_IPORT:
4137 print_iport_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4138 return;
4139
4140 case AUT_OPAQUE:
4141 print_opaque_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4142 return;
4143
4144 case AUT_PATH:
4145 print_path_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4146 return;
4147
4148 case AUT_PROCESS32:
4149 print_process32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4150 return;
4151
4152 case AUT_PROCESS32_EX:
4153 print_process32ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4154 return;
4155
4156 case AUT_PROCESS64:
4157 print_process64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4158 return;
4159
4160 case AUT_PROCESS64_EX:
4161 print_process64ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4162 return;
4163
4164 case AUT_RETURN32:
4165 print_return32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4166 return;
4167
4168 case AUT_RETURN64:
4169 print_return64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4170 return;
4171
4172 case AUT_SEQ:
4173 print_seq_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4174 return;
4175
4176 case AUT_SOCKET:
4177 print_socket_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4178 return;
4179
4180 case AUT_SOCKINET32:
4181 print_sock_inet32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4182 return;
4183
4184 case AUT_SOCKUNIX:
4185 print_sock_unix_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4186 return;
4187
4188 case AUT_SUBJECT32:
4189 print_subject32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4190 return;
4191
4192 case AUT_SUBJECT64:
4193 print_subject64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4194 return;
4195
4196 case AUT_SUBJECT32_EX:
4197 print_subject32ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4198 return;
4199
4200 case AUT_SUBJECT64_EX:
4201 print_subject64ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4202 return;
4203
4204 case AUT_TEXT:
4205 print_text_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4206 return;
4207
4208 case AUT_SOCKET_EX:
4209 print_socketex32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4210 return;
4211
4212 case AUT_ZONENAME:
4213 print_zonename_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4214 return;
4215
4216 default:
4217 print_invalid_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4218 }
4219}
4220
4221/*
4222 * 'prints' the token out to outfp in XML format.
4223 */
4224void
4225au_print_tok_xml(FILE *outfp, tokenstr_t *tok, char *del, char raw,
4226 char sfrm)
4227{
4228
4229 switch(tok->id) {
4230 case AUT_HEADER32:
4231 print_header32_tok(outfp, tok, del, raw, sfrm, AU_XML);
4232 return;
4233
4234 case AUT_HEADER32_EX:
4235 print_header32_ex_tok(outfp, tok, del, raw, sfrm, AU_XML);
4236 return;
4237
4238 case AUT_HEADER64:
4239 print_header64_tok(outfp, tok, del, raw, sfrm, AU_XML);
4240 return;
4241
4242 case AUT_HEADER64_EX:
4243 print_header64_ex_tok(outfp, tok, del, raw, sfrm, AU_XML);
4244 return;
4245
4246 case AUT_TRAILER:
4247 print_trailer_tok(outfp, tok, del, raw, sfrm, AU_XML);
4248 return;
4249
4250 case AUT_ARG32:
4251 print_arg32_tok(outfp, tok, del, raw, sfrm, AU_XML);
4252 return;
4253
4254 case AUT_ARG64:
4255 print_arg64_tok(outfp, tok, del, raw, sfrm, AU_XML);
4256 return;
4257
4258 case AUT_DATA:
4259 print_arb_tok(outfp, tok, del, raw, sfrm, AU_XML);
4260 return;
4261
4262 case AUT_ATTR32:
4263 print_attr32_tok(outfp, tok, del, raw, sfrm, AU_XML);
4264 return;
4265
4266 case AUT_ATTR64:
4267 print_attr64_tok(outfp, tok, del, raw, sfrm, AU_XML);
4268 return;
4269
4270 case AUT_EXIT:
4271 print_exit_tok(outfp, tok, del, raw, sfrm, AU_XML);
4272 return;
4273
4274 case AUT_EXEC_ARGS:
4275 print_execarg_tok(outfp, tok, del, raw, sfrm, AU_XML);
4276 return;
4277
4278 case AUT_EXEC_ENV:
4279 print_execenv_tok(outfp, tok, del, raw, sfrm, AU_XML);
4280 return;
4281
4282 case AUT_OTHER_FILE32:
4283 print_file_tok(outfp, tok, del, raw, sfrm, AU_XML);
4284 return;
4285
4286 case AUT_NEWGROUPS:
4287 print_newgroups_tok(outfp, tok, del, raw, sfrm, AU_XML);
4288 return;
4289
4290 case AUT_IN_ADDR:
4291 print_inaddr_tok(outfp, tok, del, raw, sfrm, AU_XML);
4292 return;
4293
4294 case AUT_IN_ADDR_EX:
4295 print_inaddr_ex_tok(outfp, tok, del, raw, sfrm, AU_XML);
4296 return;
4297
4298 case AUT_IP:
4299 print_ip_tok(outfp, tok, del, raw, sfrm, AU_XML);
4300 return;
4301
4302 case AUT_IPC:
4303 print_ipc_tok(outfp, tok, del, raw, sfrm, AU_XML);
4304 return;
4305
4306 case AUT_IPC_PERM:
4307 print_ipcperm_tok(outfp, tok, del, raw, sfrm, AU_XML);
4308 return;
4309
4310 case AUT_IPORT:
4311 print_iport_tok(outfp, tok, del, raw, sfrm, AU_XML);
4312 return;
4313
4314 case AUT_OPAQUE:
4315 print_opaque_tok(outfp, tok, del, raw, sfrm, AU_XML);
4316 return;
4317
4318 case AUT_PATH:
4319 print_path_tok(outfp, tok, del, raw, sfrm, AU_XML);
4320 return;
4321
4322 case AUT_PROCESS32:
4323 print_process32_tok(outfp, tok, del, raw, sfrm, AU_XML);
4324 return;
4325
4326 case AUT_PROCESS32_EX:
4327 print_process32ex_tok(outfp, tok, del, raw, sfrm, AU_XML);
4328 return;
4329
4330 case AUT_PROCESS64:
4331 print_process64_tok(outfp, tok, del, raw, sfrm, AU_XML);
4332 return;
4333
4334 case AUT_PROCESS64_EX:
4335 print_process64ex_tok(outfp, tok, del, raw, sfrm, AU_XML);
4336 return;
4337
4338 case AUT_RETURN32:
4339 print_return32_tok(outfp, tok, del, raw, sfrm, AU_XML);
4340 return;
4341
4342 case AUT_RETURN64:
4343 print_return64_tok(outfp, tok, del, raw, sfrm, AU_XML);
4344 return;
4345
4346 case AUT_SEQ:
4347 print_seq_tok(outfp, tok, del, raw, sfrm, AU_XML);
4348 return;
4349
4350 case AUT_SOCKET:
4351 print_socket_tok(outfp, tok, del, raw, sfrm, AU_XML);
4352 return;
4353
4354 case AUT_SOCKINET32:
4355 print_sock_inet32_tok(outfp, tok, del, raw, sfrm, AU_XML);
4356 return;
4357
4358 case AUT_SOCKUNIX:
4359 print_sock_unix_tok(outfp, tok, del, raw, sfrm, AU_XML);
4360 return;
4361
4362 case AUT_SUBJECT32:
4363 print_subject32_tok(outfp, tok, del, raw, sfrm, AU_XML);
4364 return;
4365
4366 case AUT_SUBJECT64:
4367 print_subject64_tok(outfp, tok, del, raw, sfrm, AU_XML);
4368 return;
4369
4370 case AUT_SUBJECT32_EX:
4371 print_subject32ex_tok(outfp, tok, del, raw, sfrm, AU_XML);
4372 return;
4373
4374 case AUT_SUBJECT64_EX:
4375 print_subject64ex_tok(outfp, tok, del, raw, sfrm, AU_XML);
4376 return;
4377
4378 case AUT_TEXT:
4379 print_text_tok(outfp, tok, del, raw, sfrm, AU_XML);
4380 return;
4381
4382 case AUT_SOCKET_EX:
4383 print_socketex32_tok(outfp, tok, del, raw, sfrm, AU_XML);
4384 return;
4385
4386 case AUT_ZONENAME:
4387 print_zonename_tok(outfp, tok, del, raw, sfrm, AU_XML);
4388 return;
4389
4390 default:
4391 print_invalid_tok(outfp, tok, del, raw, sfrm, AU_XML);
4392 }
4393}
4394
4395/*
4396 * Read a record from the file pointer, store data in buf memory for buf is
4397 * also allocated in this function and has to be free'd outside this call.
4398 *
4399 * au_read_rec() handles two possibilities: a stand-alone file token, or a
4400 * complete audit record.
4401 *
4402 * XXXRW: Note that if we hit an error, we leave the stream in an unusable
4403 * state, because it will be partly offset into a record. We should rewind
4404 * or do something more intelligent. Particularly interesting is the case
4405 * where we perform a partial read of a record from a non-blockable file
4406 * descriptor. We should return the partial read and continue...?
4407 */
4408int
4409au_read_rec(FILE *fp, u_char **buf)
4410{
4411 u_char *bptr;
4412 u_int32_t recsize;
4413 u_int32_t bytestoread;
4414 u_char type;
4415
4416 u_int32_t sec, msec;
4417 u_int16_t filenamelen;
4418
4419 type = fgetc(fp);
4420
4421 switch (type) {
4422 case AUT_HEADER32:
4423 case AUT_HEADER32_EX:
4424 case AUT_HEADER64:
4425 case AUT_HEADER64_EX:
4426 /* read the record size from the token */
4427 if (fread(&recsize, 1, sizeof(u_int32_t), fp) <
4428 sizeof(u_int32_t)) {
4429 errno = EINVAL;
4430 return (-1);
4431 }
4432 recsize = be32toh(recsize);
4433
4434 /* Check for recsize sanity */
4435 if (recsize < (sizeof(u_int32_t) + sizeof(u_char))) {
4436 errno = EINVAL;
4437 return (-1);
4438 }
4439
4440 *buf = malloc(recsize * sizeof(u_char));
4441 if (*buf == NULL)
4442 return (-1);
4443 bptr = *buf;
4444 memset(bptr, 0, recsize);
4445
4446 /* store the token contents already read, back to the buffer*/
4447 *bptr = type;
4448 bptr++;
4449 be32enc(bptr, recsize);
4450 bptr += sizeof(u_int32_t);
4451
4452 /* now read remaining record bytes */
4453 bytestoread = recsize - (sizeof(u_int32_t) + sizeof(u_char));
4454
4455 if (fread(bptr, 1, bytestoread, fp) < bytestoread) {
4456 free(*buf);
4457 errno = EINVAL;
4458 return (-1);
4459 }
4460 break;
4461
4462 case AUT_OTHER_FILE32:
4463 /*
4464 * The file token is variable-length, as it includes a
4465 * pathname. As a result, we have to read incrementally
4466 * until we know the total length, then allocate space and
4467 * read the rest.
4468 */
4469 if (fread(&sec, 1, sizeof(sec), fp) < sizeof(sec)) {
4470 errno = EINVAL;
4471 return (-1);
4472 }
4473 if (fread(&msec, 1, sizeof(msec), fp) < sizeof(msec)) {
4474 errno = EINVAL;
4475 return (-1);
4476 }
4477 if (fread(&filenamelen, 1, sizeof(filenamelen), fp) <
4478 sizeof(filenamelen)) {
4479 errno = EINVAL;
4480 return (-1);
4481 }
4482 recsize = sizeof(type) + sizeof(sec) + sizeof(msec) +
4483 sizeof(filenamelen) + ntohs(filenamelen);
4484 *buf = malloc(recsize);
4485 if (*buf == NULL)
4486 return (-1);
4487 bptr = *buf;
4488
4489 bcopy(&type, bptr, sizeof(type));
4490 bptr += sizeof(type);
4491 bcopy(&sec, bptr, sizeof(sec));
4492 bptr += sizeof(sec);
4493 bcopy(&msec, bptr, sizeof(msec));
4494 bptr += sizeof(msec);
4495 bcopy(&filenamelen, bptr, sizeof(filenamelen));
4496 bptr += sizeof(filenamelen);
4497
4498 if (fread(bptr, 1, ntohs(filenamelen), fp) <
4499 ntohs(filenamelen)) {
4500 free(buf);
4501 errno = EINVAL;
4502 return (-1);
4503 }
4504 break;
4505
4506 default:
4507 errno = EINVAL;
4508 return (-1);
4509 }
4510
4511 return (recsize);
4512}
| 1310 }
1311}
1312
1313static int
1314fetch_arg64_tok(tokenstr_t *tok, u_char *buf, int len)
1315{
1316 int err = 0;
1317
1318 READ_TOKEN_U_CHAR(buf, len, tok->tt.arg64.no, tok->len, err);
1319 if (err)
1320 return (-1);
1321
1322 READ_TOKEN_U_INT64(buf, len, tok->tt.arg64.val, tok->len, err);
1323 if (err)
1324 return (-1);
1325
1326 READ_TOKEN_U_INT16(buf, len, tok->tt.arg64.len, tok->len, err);
1327 if (err)
1328 return (-1);
1329
1330 SET_PTR((char*)buf, len, tok->tt.arg64.text, tok->tt.arg64.len,
1331 tok->len, err);
1332 if (err)
1333 return (-1);
1334
1335 return (0);
1336}
1337
1338static void
1339print_arg64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1340 __unused char sfrm, int xml)
1341{
1342
1343 print_tok_type(fp, tok->id, "argument", raw, xml);
1344 if (xml) {
1345 open_attr(fp, "arg-num");
1346 print_1_byte(fp, tok->tt.arg64.no, "%u");
1347 close_attr(fp);
1348 open_attr(fp, "value");
1349 print_8_bytes(fp, tok->tt.arg64.val, "0x%llx");
1350 close_attr(fp);
1351 open_attr(fp, "desc");
1352 print_string(fp, tok->tt.arg64.text, tok->tt.arg64.len);
1353 close_attr(fp);
1354 close_tag(fp, tok->id);
1355 } else {
1356 print_delim(fp, del);
1357 print_1_byte(fp, tok->tt.arg64.no, "%u");
1358 print_delim(fp, del);
1359 print_8_bytes(fp, tok->tt.arg64.val, "0x%llx");
1360 print_delim(fp, del);
1361 print_string(fp, tok->tt.arg64.text, tok->tt.arg64.len);
1362 }
1363}
1364
1365/*
1366 * how to print 1 byte
1367 * basic unit 1 byte
1368 * unit count 1 byte
1369 * data items (depends on basic unit)
1370 */
1371static int
1372fetch_arb_tok(tokenstr_t *tok, u_char *buf, int len)
1373{
1374 int err = 0;
1375 int datasize;
1376
1377 READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.howtopr, tok->len, err);
1378 if (err)
1379 return (-1);
1380
1381 READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.bu, tok->len, err);
1382 if (err)
1383 return (-1);
1384
1385 READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.uc, tok->len, err);
1386 if (err)
1387 return (-1);
1388
1389 /*
1390 * Determine the size of the basic unit.
1391 */
1392 switch(tok->tt.arb.bu) {
1393 case AUR_BYTE:
1394 /* case AUR_CHAR: */
1395 datasize = AUR_BYTE_SIZE;
1396 break;
1397
1398 case AUR_SHORT:
1399 datasize = AUR_SHORT_SIZE;
1400 break;
1401
1402 case AUR_INT32:
1403 /* case AUR_INT: */
1404 datasize = AUR_INT32_SIZE;
1405 break;
1406
1407 case AUR_INT64:
1408 datasize = AUR_INT64_SIZE;
1409 break;
1410
1411 default:
1412 return (-1);
1413 }
1414
1415 SET_PTR(buf, len, tok->tt.arb.data, datasize * tok->tt.arb.uc,
1416 tok->len, err);
1417 if (err)
1418 return (-1);
1419
1420 return (0);
1421}
1422
1423static void
1424print_arb_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1425 __unused char sfrm, int xml)
1426{
1427 char *str;
1428 char *format;
1429 size_t size;
1430 int i;
1431
1432 print_tok_type(fp, tok->id, "arbitrary", raw, xml);
1433 if (!xml)
1434 print_delim(fp, del);
1435
1436 switch(tok->tt.arb.howtopr) {
1437 case AUP_BINARY:
1438 str = "binary";
1439 format = " %c";
1440 break;
1441
1442 case AUP_OCTAL:
1443 str = "octal";
1444 format = " %o";
1445 break;
1446
1447 case AUP_DECIMAL:
1448 str = "decimal";
1449 format = " %d";
1450 break;
1451
1452 case AUP_HEX:
1453 str = "hex";
1454 format = " %x";
1455 break;
1456
1457 case AUP_STRING:
1458 str = "string";
1459 format = "%c";
1460 break;
1461
1462 default:
1463 return;
1464 }
1465
1466 if (xml) {
1467 open_attr(fp, "print");
1468 fprintf(fp, "%s",str);
1469 close_attr(fp);
1470 } else {
1471 print_string(fp, str, strlen(str));
1472 print_delim(fp, del);
1473 }
1474 switch(tok->tt.arb.bu) {
1475 case AUR_BYTE:
1476 /* case AUR_CHAR: */
1477 str = "byte";
1478 size = AUR_BYTE_SIZE;
1479 if (xml) {
1480 open_attr(fp, "type");
1481 fprintf(fp, "%u", size);
1482 close_attr(fp);
1483 open_attr(fp, "count");
1484 print_1_byte(fp, tok->tt.arb.uc, "%u");
1485 close_attr(fp);
1486 fprintf(fp, ">");
1487 for (i = 0; i<tok->tt.arb.uc; i++)
1488 fprintf(fp, format, *(tok->tt.arb.data +
1489 (size * i)));
1490 close_tag(fp, tok->id);
1491 } else {
1492 print_string(fp, str, strlen(str));
1493 print_delim(fp, del);
1494 print_1_byte(fp, tok->tt.arb.uc, "%u");
1495 print_delim(fp, del);
1496 for (i = 0; i<tok->tt.arb.uc; i++)
1497 fprintf(fp, format, *(tok->tt.arb.data +
1498 (size * i)));
1499 }
1500 break;
1501
1502 case AUR_SHORT:
1503 str = "short";
1504 size = AUR_SHORT_SIZE;
1505 if (xml) {
1506 open_attr(fp, "type");
1507 fprintf(fp, "%u", size);
1508 close_attr(fp);
1509 open_attr(fp, "count");
1510 print_1_byte(fp, tok->tt.arb.uc, "%u");
1511 close_attr(fp);
1512 fprintf(fp, ">");
1513 for (i = 0; i < tok->tt.arb.uc; i++)
1514 fprintf(fp, format,
1515 *((u_int16_t *)(tok->tt.arb.data +
1516 (size * i))));
1517 close_tag(fp, tok->id);
1518 } else {
1519 print_string(fp, str, strlen(str));
1520 print_delim(fp, del);
1521 print_1_byte(fp, tok->tt.arb.uc, "%u");
1522 print_delim(fp, del);
1523 for (i = 0; i < tok->tt.arb.uc; i++)
1524 fprintf(fp, format,
1525 *((u_int16_t *)(tok->tt.arb.data +
1526 (size * i))));
1527 }
1528 break;
1529
1530 case AUR_INT32:
1531 /* case AUR_INT: */
1532 str = "int";
1533 size = AUR_INT32_SIZE;
1534 if (xml) {
1535 open_attr(fp, "type");
1536 fprintf(fp, "%u", size);
1537 close_attr(fp);
1538 open_attr(fp, "count");
1539 print_1_byte(fp, tok->tt.arb.uc, "%u");
1540 close_attr(fp);
1541 fprintf(fp, ">");
1542 for (i = 0; i < tok->tt.arb.uc; i++)
1543 fprintf(fp, format,
1544 *((u_int32_t *)(tok->tt.arb.data +
1545 (size * i))));
1546 close_tag(fp, tok->id);
1547 } else {
1548 print_string(fp, str, strlen(str));
1549 print_delim(fp, del);
1550 print_1_byte(fp, tok->tt.arb.uc, "%u");
1551 print_delim(fp, del);
1552 for (i = 0; i < tok->tt.arb.uc; i++)
1553 fprintf(fp, format,
1554 *((u_int32_t *)(tok->tt.arb.data +
1555 (size * i))));
1556 }
1557 break;
1558
1559 case AUR_INT64:
1560 str = "int64";
1561 size = AUR_INT64_SIZE;
1562 if (xml) {
1563 open_attr(fp, "type");
1564 fprintf(fp, "%u", size);
1565 close_attr(fp);
1566 open_attr(fp, "count");
1567 print_1_byte(fp, tok->tt.arb.uc, "%u");
1568 close_attr(fp);
1569 fprintf(fp, ">");
1570 for (i = 0; i < tok->tt.arb.uc; i++)
1571 fprintf(fp, format,
1572 *((u_int64_t *)(tok->tt.arb.data +
1573 (size * i))));
1574 close_tag(fp, tok->id);
1575 } else {
1576 print_string(fp, str, strlen(str));
1577 print_delim(fp, del);
1578 print_1_byte(fp, tok->tt.arb.uc, "%u");
1579 print_delim(fp, del);
1580 for (i = 0; i < tok->tt.arb.uc; i++)
1581 fprintf(fp, format,
1582 *((u_int64_t *)(tok->tt.arb.data +
1583 (size * i))));
1584 }
1585 break;
1586
1587 default:
1588 return;
1589 }
1590}
1591
1592/*
1593 * file access mode 4 bytes
1594 * owner user ID 4 bytes
1595 * owner group ID 4 bytes
1596 * file system ID 4 bytes
1597 * node ID 8 bytes
1598 * device 4 bytes/8 bytes (32-bit/64-bit)
1599 */
1600static int
1601fetch_attr32_tok(tokenstr_t *tok, u_char *buf, int len)
1602{
1603 int err = 0;
1604
1605 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.mode, tok->len, err);
1606 if (err)
1607 return (-1);
1608
1609 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.uid, tok->len, err);
1610 if (err)
1611 return (-1);
1612
1613 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.gid, tok->len, err);
1614 if (err)
1615 return (-1);
1616
1617 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.fsid, tok->len, err);
1618 if (err)
1619 return (-1);
1620
1621 READ_TOKEN_U_INT64(buf, len, tok->tt.attr32.nid, tok->len, err);
1622 if (err)
1623 return (-1);
1624
1625 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.dev, tok->len, err);
1626 if (err)
1627 return (-1);
1628
1629 return (0);
1630}
1631
1632static void
1633print_attr32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1634 __unused char sfrm, int xml)
1635{
1636
1637 print_tok_type(fp, tok->id, "attribute", raw, xml);
1638 if (xml) {
1639 open_attr(fp, "mode");
1640 print_4_bytes(fp, tok->tt.attr32.mode, "%o");
1641 close_attr(fp);
1642 open_attr(fp, "uid");
1643 print_user(fp, tok->tt.attr32.uid, raw);
1644 close_attr(fp);
1645 open_attr(fp, "gid");
1646 print_group(fp, tok->tt.attr32.gid, raw);
1647 close_attr(fp);
1648 open_attr(fp, "fsid");
1649 print_4_bytes(fp, tok->tt.attr32.fsid, "%u");
1650 close_attr(fp);
1651 open_attr(fp, "nodeid");
1652 print_8_bytes(fp, tok->tt.attr32.nid, "%lld");
1653 close_attr(fp);
1654 open_attr(fp, "device");
1655 print_4_bytes(fp, tok->tt.attr32.dev, "%u");
1656 close_attr(fp);
1657 close_tag(fp, tok->id);
1658 } else {
1659 print_delim(fp, del);
1660 print_4_bytes(fp, tok->tt.attr32.mode, "%o");
1661 print_delim(fp, del);
1662 print_user(fp, tok->tt.attr32.uid, raw);
1663 print_delim(fp, del);
1664 print_group(fp, tok->tt.attr32.gid, raw);
1665 print_delim(fp, del);
1666 print_4_bytes(fp, tok->tt.attr32.fsid, "%u");
1667 print_delim(fp, del);
1668 print_8_bytes(fp, tok->tt.attr32.nid, "%lld");
1669 print_delim(fp, del);
1670 print_4_bytes(fp, tok->tt.attr32.dev, "%u");
1671 }
1672}
1673
1674/*
1675 * file access mode 4 bytes
1676 * owner user ID 4 bytes
1677 * owner group ID 4 bytes
1678 * file system ID 4 bytes
1679 * node ID 8 bytes
1680 * device 4 bytes/8 bytes (32-bit/64-bit)
1681 */
1682static int
1683fetch_attr64_tok(tokenstr_t *tok, u_char *buf, int len)
1684{
1685 int err = 0;
1686
1687 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.mode, tok->len, err);
1688 if (err)
1689 return (-1);
1690
1691 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.uid, tok->len, err);
1692 if (err)
1693 return (-1);
1694
1695 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.gid, tok->len, err);
1696 if (err)
1697 return (-1);
1698
1699 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.fsid, tok->len, err);
1700 if (err)
1701 return (-1);
1702
1703 READ_TOKEN_U_INT64(buf, len, tok->tt.attr64.nid, tok->len, err);
1704 if (err)
1705 return (-1);
1706
1707 READ_TOKEN_U_INT64(buf, len, tok->tt.attr64.dev, tok->len, err);
1708 if (err)
1709 return (-1);
1710
1711 return (0);
1712}
1713
1714static void
1715print_attr64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1716 __unused char sfrm, int xml)
1717{
1718
1719 print_tok_type(fp, tok->id, "attribute", raw, xml);
1720 if (xml) {
1721 open_attr(fp, "mode");
1722 print_4_bytes(fp, tok->tt.attr64.mode, "%o");
1723 close_attr(fp);
1724 open_attr(fp, "uid");
1725 print_user(fp, tok->tt.attr64.uid, raw);
1726 close_attr(fp);
1727 open_attr(fp, "gid");
1728 print_group(fp, tok->tt.attr64.gid, raw);
1729 close_attr(fp);
1730 open_attr(fp, "fsid");
1731 print_4_bytes(fp, tok->tt.attr64.fsid, "%u");
1732 close_attr(fp);
1733 open_attr(fp, "nodeid");
1734 print_8_bytes(fp, tok->tt.attr64.nid, "%lld");
1735 close_attr(fp);
1736 open_attr(fp, "device");
1737 print_8_bytes(fp, tok->tt.attr64.dev, "%llu");
1738 close_attr(fp);
1739 close_tag(fp, tok->id);
1740 } else {
1741 print_delim(fp, del);
1742 print_4_bytes(fp, tok->tt.attr64.mode, "%o");
1743 print_delim(fp, del);
1744 print_user(fp, tok->tt.attr64.uid, raw);
1745 print_delim(fp, del);
1746 print_group(fp, tok->tt.attr64.gid, raw);
1747 print_delim(fp, del);
1748 print_4_bytes(fp, tok->tt.attr64.fsid, "%u");
1749 print_delim(fp, del);
1750 print_8_bytes(fp, tok->tt.attr64.nid, "%lld");
1751 print_delim(fp, del);
1752 print_8_bytes(fp, tok->tt.attr64.dev, "%llu");
1753 }
1754}
1755
1756/*
1757 * status 4 bytes
1758 * return value 4 bytes
1759 */
1760static int
1761fetch_exit_tok(tokenstr_t *tok, u_char *buf, int len)
1762{
1763 int err = 0;
1764
1765 READ_TOKEN_U_INT32(buf, len, tok->tt.exit.status, tok->len, err);
1766 if (err)
1767 return (-1);
1768
1769 READ_TOKEN_U_INT32(buf, len, tok->tt.exit.ret, tok->len, err);
1770 if (err)
1771 return (-1);
1772
1773 return (0);
1774}
1775
1776static void
1777print_exit_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1778 __unused char sfrm, int xml)
1779{
1780
1781 print_tok_type(fp, tok->id, "exit", raw, xml);
1782 if (xml) {
1783 open_attr(fp, "errval");
1784 print_errval(fp, tok->tt.exit.status);
1785 close_attr(fp);
1786 open_attr(fp, "retval");
1787 print_4_bytes(fp, tok->tt.exit.ret, "%u");
1788 close_attr(fp);
1789 close_tag(fp, tok->id);
1790 } else {
1791 print_delim(fp, del);
1792 print_errval(fp, tok->tt.exit.status);
1793 print_delim(fp, del);
1794 print_4_bytes(fp, tok->tt.exit.ret, "%u");
1795 }
1796}
1797
1798/*
1799 * count 4 bytes
1800 * text count null-terminated string(s)
1801 */
1802static int
1803fetch_execarg_tok(tokenstr_t *tok, u_char *buf, int len)
1804{
1805 int err = 0;
1806 int i;
1807 u_char *bptr;
1808
1809 READ_TOKEN_U_INT32(buf, len, tok->tt.execarg.count, tok->len, err);
1810 if (err)
1811 return (-1);
1812
1813 for (i = 0; i < tok->tt.execarg.count; i++) {
1814 bptr = buf + tok->len;
1815 if (i < AUDIT_MAX_ARGS)
1816 tok->tt.execarg.text[i] = (char*)bptr;
1817
1818 /* Look for a null terminated string. */
1819 while (bptr && (*bptr != '\0')) {
1820 if (++tok->len >=len)
1821 return (-1);
1822 bptr = buf + tok->len;
1823 }
1824 if (!bptr)
1825 return (-1);
1826 tok->len++; /* \0 character */
1827 }
1828 if (tok->tt.execarg.count > AUDIT_MAX_ARGS)
1829 tok->tt.execarg.count = AUDIT_MAX_ARGS;
1830
1831 return (0);
1832}
1833
1834static void
1835print_execarg_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1836 __unused char sfrm, int xml)
1837{
1838 int i;
1839
1840 print_tok_type(fp, tok->id, "exec arg", raw, xml);
1841 for (i = 0; i < tok->tt.execarg.count; i++) {
1842 if (xml) {
1843 fprintf(fp, "<arg>");
1844 print_string(fp, tok->tt.execarg.text[i],
1845 strlen(tok->tt.execarg.text[i]));
1846 fprintf(fp, "</arg>");
1847 } else {
1848 print_delim(fp, del);
1849 print_string(fp, tok->tt.execarg.text[i],
1850 strlen(tok->tt.execarg.text[i]));
1851 }
1852 }
1853 if (xml)
1854 close_tag(fp, tok->id);
1855}
1856
1857/*
1858 * count 4 bytes
1859 * text count null-terminated string(s)
1860 */
1861static int
1862fetch_execenv_tok(tokenstr_t *tok, u_char *buf, int len)
1863{
1864 int err = 0;
1865 int i;
1866 u_char *bptr;
1867
1868 READ_TOKEN_U_INT32(buf, len, tok->tt.execenv.count, tok->len, err);
1869 if (err)
1870 return (-1);
1871
1872 for (i = 0; i < tok->tt.execenv.count; i++) {
1873 bptr = buf + tok->len;
1874 if (i < AUDIT_MAX_ENV)
1875 tok->tt.execenv.text[i] = (char*)bptr;
1876
1877 /* Look for a null terminated string. */
1878 while (bptr && (*bptr != '\0')) {
1879 if (++tok->len >=len)
1880 return (-1);
1881 bptr = buf + tok->len;
1882 }
1883 if (!bptr)
1884 return (-1);
1885 tok->len++; /* \0 character */
1886 }
1887 if (tok->tt.execenv.count > AUDIT_MAX_ENV)
1888 tok->tt.execenv.count = AUDIT_MAX_ENV;
1889
1890 return (0);
1891}
1892
1893static void
1894print_execenv_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1895 __unused char sfrm, int xml)
1896{
1897 int i;
1898
1899 print_tok_type(fp, tok->id, "exec env", raw, xml);
1900 for (i = 0; i< tok->tt.execenv.count; i++) {
1901 if (xml) {
1902 fprintf(fp, "<env>");
1903 print_string(fp, tok->tt.execenv.text[i],
1904 strlen(tok->tt.execenv.text[i]));
1905 fprintf(fp, "</env>");
1906 } else {
1907 print_delim(fp, del);
1908 print_string(fp, tok->tt.execenv.text[i],
1909 strlen(tok->tt.execenv.text[i]));
1910 }
1911 }
1912 if (xml)
1913 close_tag(fp, tok->id);
1914}
1915
1916/*
1917 * seconds of time 4 bytes
1918 * milliseconds of time 4 bytes
1919 * file name len 2 bytes
1920 * file pathname N bytes + 1 terminating NULL byte
1921 */
1922static int
1923fetch_file_tok(tokenstr_t *tok, u_char *buf, int len)
1924{
1925 int err = 0;
1926
1927 READ_TOKEN_U_INT32(buf, len, tok->tt.file.s, tok->len, err);
1928 if (err)
1929 return (-1);
1930
1931 READ_TOKEN_U_INT32(buf, len, tok->tt.file.ms, tok->len, err);
1932 if (err)
1933 return (-1);
1934
1935 READ_TOKEN_U_INT16(buf, len, tok->tt.file.len, tok->len, err);
1936 if (err)
1937 return (-1);
1938
1939 SET_PTR((char*)buf, len, tok->tt.file.name, tok->tt.file.len, tok->len,
1940 err);
1941 if (err)
1942 return (-1);
1943
1944 return (0);
1945}
1946
1947static void
1948print_file_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1949 __unused char sfrm, int xml)
1950{
1951
1952 print_tok_type(fp, tok->id, "file", raw, xml);
1953 if (xml) {
1954 open_attr(fp, "time");
1955 print_sec32(fp, tok->tt.file.s, raw);
1956 close_attr(fp);
1957 open_attr(fp, "msec");
1958 print_msec32(fp, tok->tt.file.ms, raw);
1959 close_attr(fp);
1960 fprintf(fp, ">");
1961 print_string(fp, tok->tt.file.name, tok->tt.file.len);
1962 close_tag(fp, tok->id);
1963 } else {
1964 print_delim(fp, del);
1965 print_sec32(fp, tok->tt.file.s, raw);
1966 print_delim(fp, del);
1967 print_msec32(fp, tok->tt.file.ms, raw);
1968 print_delim(fp, del);
1969 print_string(fp, tok->tt.file.name, tok->tt.file.len);
1970 }
1971}
1972
1973/*
1974 * number groups 2 bytes
1975 * group list count * 4 bytes
1976 */
1977static int
1978fetch_newgroups_tok(tokenstr_t *tok, u_char *buf, int len)
1979{
1980 int i;
1981 int err = 0;
1982
1983 READ_TOKEN_U_INT16(buf, len, tok->tt.grps.no, tok->len, err);
1984 if (err)
1985 return (-1);
1986
1987 for (i = 0; i<tok->tt.grps.no; i++) {
1988 READ_TOKEN_U_INT32(buf, len, tok->tt.grps.list[i], tok->len,
1989 err);
1990 if (err)
1991 return (-1);
1992 }
1993
1994 return (0);
1995}
1996
1997static void
1998print_newgroups_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1999 __unused char sfrm, int xml)
2000{
2001 int i;
2002
2003 print_tok_type(fp, tok->id, "group", raw, xml);
2004 for (i = 0; i < tok->tt.grps.no; i++) {
2005 if (xml) {
2006 fprintf(fp, "<gid>");
2007 print_group(fp, tok->tt.grps.list[i], raw);
2008 fprintf(fp, "</gid>");
2009 close_tag(fp, tok->id);
2010 } else {
2011 print_delim(fp, del);
2012 print_group(fp, tok->tt.grps.list[i], raw);
2013 }
2014 }
2015}
2016
2017/*
2018 * Internet addr 4 bytes
2019 */
2020static int
2021fetch_inaddr_tok(tokenstr_t *tok, u_char *buf, int len)
2022{
2023 int err = 0;
2024
2025 READ_TOKEN_BYTES(buf, len, &tok->tt.inaddr.addr, sizeof(uint32_t),
2026 tok->len, err);
2027 if (err)
2028 return (-1);
2029
2030 return (0);
2031
2032}
2033
2034static void
2035print_inaddr_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2036 __unused char sfrm, int xml)
2037{
2038
2039 print_tok_type(fp, tok->id, "ip addr", raw, xml);
2040 if (xml) {
2041 print_ip_address(fp, tok->tt.inaddr.addr);
2042 close_tag(fp, tok->id);
2043 } else {
2044 print_delim(fp, del);
2045 print_ip_address(fp, tok->tt.inaddr.addr);
2046 }
2047}
2048
2049/*
2050 * type 4 bytes
2051 * address 16 bytes
2052 */
2053static int
2054fetch_inaddr_ex_tok(tokenstr_t *tok, u_char *buf, int len)
2055{
2056 int err = 0;
2057
2058 READ_TOKEN_U_INT32(buf, len, tok->tt.inaddr_ex.type, tok->len, err);
2059 if (err)
2060 return (-1);
2061
2062 if (tok->tt.inaddr_ex.type == AU_IPv4) {
2063 READ_TOKEN_BYTES(buf, len, &tok->tt.inaddr_ex.addr[0],
2064 sizeof(tok->tt.inaddr_ex.addr[0]), tok->len, err);
2065 if (err)
2066 return (-1);
2067 } else if (tok->tt.inaddr_ex.type == AU_IPv6) {
2068 READ_TOKEN_BYTES(buf, len, tok->tt.inaddr_ex.addr,
2069 sizeof(tok->tt.inaddr_ex.addr), tok->len, err);
2070 if (err)
2071 return (-1);
2072 } else
2073 return (-1);
2074
2075 return (0);
2076}
2077
2078static void
2079print_inaddr_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2080 __unused char sfrm, int xml)
2081{
2082
2083 print_tok_type(fp, tok->id, "ip addr ex", raw, xml);
2084 if (xml) {
2085 print_ip_ex_address(fp, tok->tt.inaddr_ex.type,
2086 tok->tt.inaddr_ex.addr);
2087 close_tag(fp, tok->id);
2088 } else {
2089 print_delim(fp, del);
2090 print_ip_ex_address(fp, tok->tt.inaddr_ex.type,
2091 tok->tt.inaddr_ex.addr);
2092 }
2093}
2094
2095/*
2096 * ip header 20 bytes
2097 */
2098static int
2099fetch_ip_tok(tokenstr_t *tok, u_char *buf, int len)
2100{
2101 int err = 0;
2102
2103 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.version, tok->len, err);
2104 if (err)
2105 return (-1);
2106
2107 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.tos, tok->len, err);
2108 if (err)
2109 return (-1);
2110
2111 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.len, sizeof(uint16_t),
2112 tok->len, err);
2113 if (err)
2114 return (-1);
2115
2116 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.id, sizeof(uint16_t),
2117 tok->len, err);
2118 if (err)
2119 return (-1);
2120
2121 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.offset, sizeof(uint16_t),
2122 tok->len, err);
2123 if (err)
2124 return (-1);
2125
2126 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.ttl, tok->len, err);
2127 if (err)
2128 return (-1);
2129
2130 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.prot, tok->len, err);
2131 if (err)
2132 return (-1);
2133
2134 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.chksm, sizeof(uint16_t),
2135 tok->len, err);
2136 if (err)
2137 return (-1);
2138
2139 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.src, sizeof(tok->tt.ip.src),
2140 tok->len, err);
2141 if (err)
2142 return (-1);
2143
2144 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.dest, sizeof(tok->tt.ip.dest),
2145 tok->len, err);
2146 if (err)
2147 return (-1);
2148
2149 return (0);
2150}
2151
2152static void
2153print_ip_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2154 __unused char sfrm, int xml)
2155{
2156
2157 print_tok_type(fp, tok->id, "ip", raw, xml);
2158 if (xml) {
2159 open_attr(fp, "version");
2160 print_mem(fp, (u_char *)(&tok->tt.ip.version),
2161 sizeof(u_char));
2162 close_attr(fp);
2163 open_attr(fp, "service_type");
2164 print_mem(fp, (u_char *)(&tok->tt.ip.tos), sizeof(u_char));
2165 close_attr(fp);
2166 open_attr(fp, "len");
2167 print_2_bytes(fp, ntohs(tok->tt.ip.len), "%u");
2168 close_attr(fp);
2169 open_attr(fp, "id");
2170 print_2_bytes(fp, ntohs(tok->tt.ip.id), "%u");
2171 close_attr(fp);
2172 open_attr(fp, "offset");
2173 print_2_bytes(fp, ntohs(tok->tt.ip.offset), "%u");
2174 close_attr(fp);
2175 open_attr(fp, "time_to_live");
2176 print_mem(fp, (u_char *)(&tok->tt.ip.ttl), sizeof(u_char));
2177 close_attr(fp);
2178 open_attr(fp, "protocol");
2179 print_mem(fp, (u_char *)(&tok->tt.ip.prot), sizeof(u_char));
2180 close_attr(fp);
2181 open_attr(fp, "cksum");
2182 print_2_bytes(fp, ntohs(tok->tt.ip.chksm), "%u");
2183 close_attr(fp);
2184 open_attr(fp, "src_addr");
2185 print_ip_address(fp, tok->tt.ip.src);
2186 close_attr(fp);
2187 open_attr(fp, "dest_addr");
2188 print_ip_address(fp, tok->tt.ip.dest);
2189 close_attr(fp);
2190 close_tag(fp, tok->id);
2191 } else {
2192 print_delim(fp, del);
2193 print_mem(fp, (u_char *)(&tok->tt.ip.version),
2194 sizeof(u_char));
2195 print_delim(fp, del);
2196 print_mem(fp, (u_char *)(&tok->tt.ip.tos), sizeof(u_char));
2197 print_delim(fp, del);
2198 print_2_bytes(fp, ntohs(tok->tt.ip.len), "%u");
2199 print_delim(fp, del);
2200 print_2_bytes(fp, ntohs(tok->tt.ip.id), "%u");
2201 print_delim(fp, del);
2202 print_2_bytes(fp, ntohs(tok->tt.ip.offset), "%u");
2203 print_delim(fp, del);
2204 print_mem(fp, (u_char *)(&tok->tt.ip.ttl), sizeof(u_char));
2205 print_delim(fp, del);
2206 print_mem(fp, (u_char *)(&tok->tt.ip.prot), sizeof(u_char));
2207 print_delim(fp, del);
2208 print_2_bytes(fp, ntohs(tok->tt.ip.chksm), "%u");
2209 print_delim(fp, del);
2210 print_ip_address(fp, tok->tt.ip.src);
2211 print_delim(fp, del);
2212 print_ip_address(fp, tok->tt.ip.dest);
2213 }
2214}
2215
2216/*
2217 * object ID type 1 byte
2218 * Object ID 4 bytes
2219 */
2220static int
2221fetch_ipc_tok(tokenstr_t *tok, u_char *buf, int len)
2222{
2223 int err = 0;
2224
2225 READ_TOKEN_U_CHAR(buf, len, tok->tt.ipc.type, tok->len, err);
2226 if (err)
2227 return (-1);
2228
2229 READ_TOKEN_U_INT32(buf, len, tok->tt.ipc.id, tok->len, err);
2230 if (err)
2231 return (-1);
2232
2233 return (0);
2234}
2235
2236static void
2237print_ipc_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2238 __unused char sfrm, int xml)
2239{
2240
2241 print_tok_type(fp, tok->id, "IPC", raw, xml);
2242 if (xml) {
2243 open_attr(fp, "ipc-type");
2244 print_ipctype(fp, tok->tt.ipc.type, raw);
2245 close_attr(fp);
2246 open_attr(fp, "ipc-id");
2247 print_4_bytes(fp, tok->tt.ipc.id, "%u");
2248 close_attr(fp);
2249 close_tag(fp, tok->id);
2250 } else {
2251 print_delim(fp, del);
2252 print_ipctype(fp, tok->tt.ipc.type, raw);
2253 print_delim(fp, del);
2254 print_4_bytes(fp, tok->tt.ipc.id, "%u");
2255 }
2256}
2257
2258/*
2259 * owner user id 4 bytes
2260 * owner group id 4 bytes
2261 * creator user id 4 bytes
2262 * creator group id 4 bytes
2263 * access mode 4 bytes
2264 * slot seq 4 bytes
2265 * key 4 bytes
2266 */
2267static int
2268fetch_ipcperm_tok(tokenstr_t *tok, u_char *buf, int len)
2269{
2270 int err = 0;
2271
2272 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.uid, tok->len, err);
2273 if (err)
2274 return (-1);
2275
2276 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.gid, tok->len, err);
2277 if (err)
2278 return (-1);
2279
2280 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.puid, tok->len, err);
2281 if (err)
2282 return (-1);
2283
2284 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.pgid, tok->len, err);
2285 if (err)
2286 return (-1);
2287
2288 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.mode, tok->len, err);
2289 if (err)
2290 return (-1);
2291
2292 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.seq, tok->len, err);
2293 if (err)
2294 return (-1);
2295
2296 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.key, tok->len, err);
2297 if (err)
2298 return (-1);
2299
2300 return (0);
2301}
2302
2303static void
2304print_ipcperm_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2305 __unused char sfrm, int xml)
2306{
2307
2308 print_tok_type(fp, tok->id, "IPC perm", raw, xml);
2309 if (xml) {
2310 open_attr(fp, "uid");
2311 print_user(fp, tok->tt.ipcperm.uid, raw);
2312 close_attr(fp);
2313 open_attr(fp, "gid");
2314 print_group(fp, tok->tt.ipcperm.gid, raw);
2315 close_attr(fp);
2316 open_attr(fp, "creator-uid");
2317 print_user(fp, tok->tt.ipcperm.puid, raw);
2318 close_attr(fp);
2319 open_attr(fp, "creator-gid");
2320 print_group(fp, tok->tt.ipcperm.pgid, raw);
2321 close_attr(fp);
2322 open_attr(fp, "mode");
2323 print_4_bytes(fp, tok->tt.ipcperm.mode, "%o");
2324 close_attr(fp);
2325 open_attr(fp, "seq");
2326 print_4_bytes(fp, tok->tt.ipcperm.seq, "%u");
2327 close_attr(fp);
2328 open_attr(fp, "key");
2329 print_4_bytes(fp, tok->tt.ipcperm.key, "%u");
2330 close_attr(fp);
2331 close_tag(fp, tok->id);
2332 } else {
2333 print_delim(fp, del);
2334 print_user(fp, tok->tt.ipcperm.uid, raw);
2335 print_delim(fp, del);
2336 print_group(fp, tok->tt.ipcperm.gid, raw);
2337 print_delim(fp, del);
2338 print_user(fp, tok->tt.ipcperm.puid, raw);
2339 print_delim(fp, del);
2340 print_group(fp, tok->tt.ipcperm.pgid, raw);
2341 print_delim(fp, del);
2342 print_4_bytes(fp, tok->tt.ipcperm.mode, "%o");
2343 print_delim(fp, del);
2344 print_4_bytes(fp, tok->tt.ipcperm.seq, "%u");
2345 print_delim(fp, del);
2346 print_4_bytes(fp, tok->tt.ipcperm.key, "%u");
2347 }
2348}
2349
2350/*
2351 * port Ip address 2 bytes
2352 */
2353static int
2354fetch_iport_tok(tokenstr_t *tok, u_char *buf, int len)
2355{
2356 int err = 0;
2357
2358 READ_TOKEN_BYTES(buf, len, &tok->tt.iport.port, sizeof(uint16_t),
2359 tok->len, err);
2360 if (err)
2361 return (-1);
2362
2363 return (0);
2364}
2365
2366static void
2367print_iport_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2368 __unused char sfrm, int xml)
2369{
2370
2371 print_tok_type(fp, tok->id, "ip port", raw, xml);
2372 if (xml) {
2373 print_2_bytes(fp, ntohs(tok->tt.iport.port), "%#x");
2374 close_tag(fp, tok->id);
2375 } else {
2376 print_delim(fp, del);
2377 print_2_bytes(fp, ntohs(tok->tt.iport.port), "%#x");
2378 }
2379}
2380
2381/*
2382 * size 2 bytes
2383 * data size bytes
2384 */
2385static int
2386fetch_opaque_tok(tokenstr_t *tok, u_char *buf, int len)
2387{
2388 int err = 0;
2389
2390 READ_TOKEN_U_INT16(buf, len, tok->tt.opaque.size, tok->len, err);
2391 if (err)
2392 return (-1);
2393
2394 SET_PTR((char*)buf, len, tok->tt.opaque.data, tok->tt.opaque.size,
2395 tok->len, err);
2396 if (err)
2397 return (-1);
2398
2399 return (0);
2400}
2401
2402static void
2403print_opaque_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2404 __unused char sfrm, int xml)
2405{
2406
2407 print_tok_type(fp, tok->id, "opaque", raw, xml);
2408 if (xml) {
2409 print_mem(fp, (u_char*)tok->tt.opaque.data,
2410 tok->tt.opaque.size);
2411 close_tag(fp, tok->id);
2412 } else {
2413 print_delim(fp, del);
2414 print_2_bytes(fp, tok->tt.opaque.size, "%u");
2415 print_delim(fp, del);
2416 print_mem(fp, (u_char*)tok->tt.opaque.data,
2417 tok->tt.opaque.size);
2418 }
2419}
2420
2421/*
2422 * size 2 bytes
2423 * data size bytes
2424 */
2425static int
2426fetch_path_tok(tokenstr_t *tok, u_char *buf, int len)
2427{
2428 int err = 0;
2429
2430 READ_TOKEN_U_INT16(buf, len, tok->tt.path.len, tok->len, err);
2431 if (err)
2432 return (-1);
2433
2434 SET_PTR((char*)buf, len, tok->tt.path.path, tok->tt.path.len, tok->len,
2435 err);
2436 if (err)
2437 return (-1);
2438
2439 return (0);
2440}
2441
2442static void
2443print_path_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2444 __unused char sfrm, int xml)
2445{
2446
2447 print_tok_type(fp, tok->id, "path", raw, xml);
2448 if (xml) {
2449 print_string(fp, tok->tt.path.path, tok->tt.path.len);
2450 close_tag(fp, tok->id);
2451 } else {
2452 print_delim(fp, del);
2453 print_string(fp, tok->tt.path.path, tok->tt.path.len);
2454 }
2455}
2456
2457/*
2458 * token ID 1 byte
2459 * audit ID 4 bytes
2460 * euid 4 bytes
2461 * egid 4 bytes
2462 * ruid 4 bytes
2463 * rgid 4 bytes
2464 * pid 4 bytes
2465 * sessid 4 bytes
2466 * terminal ID
2467 * portid 4 bytes
2468 * machine id 4 bytes
2469 */
2470static int
2471fetch_process32_tok(tokenstr_t *tok, u_char *buf, int len)
2472{
2473 int err = 0;
2474
2475 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.auid, tok->len, err);
2476 if (err)
2477 return (-1);
2478
2479 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.euid, tok->len, err);
2480 if (err)
2481 return (-1);
2482
2483 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.egid, tok->len, err);
2484 if (err)
2485 return (-1);
2486
2487 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.ruid, tok->len, err);
2488 if (err)
2489 return (-1);
2490
2491 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.rgid, tok->len, err);
2492 if (err)
2493 return (-1);
2494
2495 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.pid, tok->len, err);
2496 if (err)
2497 return (-1);
2498
2499 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.sid, tok->len, err);
2500 if (err)
2501 return (-1);
2502
2503 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.tid.port, tok->len, err);
2504 if (err)
2505 return (-1);
2506
2507 READ_TOKEN_BYTES(buf, len, &tok->tt.proc32.tid.addr,
2508 sizeof(tok->tt.proc32.tid.addr), tok->len, err);
2509 if (err)
2510 return (-1);
2511
2512 return (0);
2513}
2514
2515static void
2516print_process32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2517 __unused char sfrm, int xml)
2518{
2519
2520 print_tok_type(fp, tok->id, "process", raw, xml);
2521 if (xml) {
2522 open_attr(fp, "audit-uid");
2523 print_user(fp, tok->tt.proc32.auid, raw);
2524 close_attr(fp);
2525 open_attr(fp, "uid");
2526 print_user(fp, tok->tt.proc32.euid, raw);
2527 close_attr(fp);
2528 open_attr(fp, "gid");
2529 print_group(fp, tok->tt.proc32.egid, raw);
2530 close_attr(fp);
2531 open_attr(fp, "ruid");
2532 print_user(fp, tok->tt.proc32.ruid, raw);
2533 close_attr(fp);
2534 open_attr(fp, "rgid");
2535 print_group(fp, tok->tt.proc32.rgid, raw);
2536 close_attr(fp);
2537 open_attr(fp, "pid");
2538 print_4_bytes(fp, tok->tt.proc32.pid, "%u");
2539 close_attr(fp);
2540 open_attr(fp, "sid");
2541 print_4_bytes(fp, tok->tt.proc32.sid, "%u");
2542 close_attr(fp);
2543 open_attr(fp, "tid");
2544 print_4_bytes(fp, tok->tt.proc32.tid.port, "%u");
2545 print_ip_address(fp, tok->tt.proc32.tid.addr);
2546 close_attr(fp);
2547 close_tag(fp, tok->id);
2548 } else {
2549 print_delim(fp, del);
2550 print_user(fp, tok->tt.proc32.auid, raw);
2551 print_delim(fp, del);
2552 print_user(fp, tok->tt.proc32.euid, raw);
2553 print_delim(fp, del);
2554 print_group(fp, tok->tt.proc32.egid, raw);
2555 print_delim(fp, del);
2556 print_user(fp, tok->tt.proc32.ruid, raw);
2557 print_delim(fp, del);
2558 print_group(fp, tok->tt.proc32.rgid, raw);
2559 print_delim(fp, del);
2560 print_4_bytes(fp, tok->tt.proc32.pid, "%u");
2561 print_delim(fp, del);
2562 print_4_bytes(fp, tok->tt.proc32.sid, "%u");
2563 print_delim(fp, del);
2564 print_4_bytes(fp, tok->tt.proc32.tid.port, "%u");
2565 print_delim(fp, del);
2566 print_ip_address(fp, tok->tt.proc32.tid.addr);
2567 }
2568}
2569
2570/*
2571 * token ID 1 byte
2572 * audit ID 4 bytes
2573 * euid 4 bytes
2574 * egid 4 bytes
2575 * ruid 4 bytes
2576 * rgid 4 bytes
2577 * pid 4 bytes
2578 * sessid 4 bytes
2579 * terminal ID
2580 * portid 8 bytes
2581 * machine id 4 bytes
2582 */
2583static int
2584fetch_process64_tok(tokenstr_t *tok, u_char *buf, int len)
2585{
2586 int err = 0;
2587
2588 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.auid, tok->len, err);
2589 if (err)
2590 return (-1);
2591
2592 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.euid, tok->len, err);
2593 if (err)
2594 return (-1);
2595
2596 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.egid, tok->len, err);
2597 if (err)
2598 return (-1);
2599
2600 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.ruid, tok->len, err);
2601 if (err)
2602 return (-1);
2603
2604 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.rgid, tok->len, err);
2605 if (err)
2606 return (-1);
2607
2608 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.pid, tok->len, err);
2609 if (err)
2610 return (-1);
2611
2612 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.sid, tok->len, err);
2613 if (err)
2614 return (-1);
2615
2616 READ_TOKEN_U_INT64(buf, len, tok->tt.proc64.tid.port, tok->len, err);
2617 if (err)
2618 return (-1);
2619
2620 READ_TOKEN_BYTES(buf, len, &tok->tt.proc64.tid.addr,
2621 sizeof(tok->tt.proc64.tid.addr), tok->len, err);
2622 if (err)
2623 return (-1);
2624
2625 return (0);
2626}
2627
2628static void
2629print_process64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2630 __unused char sfrm, int xml)
2631{
2632 print_tok_type(fp, tok->id, "process", raw, xml);
2633 if (xml) {
2634 open_attr(fp, "audit-uid");
2635 print_user(fp, tok->tt.proc64.auid, raw);
2636 close_attr(fp);
2637 open_attr(fp, "uid");
2638 print_user(fp, tok->tt.proc64.euid, raw);
2639 close_attr(fp);
2640 open_attr(fp, "gid");
2641 print_group(fp, tok->tt.proc64.egid, raw);
2642 close_attr(fp);
2643 open_attr(fp, "ruid");
2644 print_user(fp, tok->tt.proc64.ruid, raw);
2645 close_attr(fp);
2646 open_attr(fp, "rgid");
2647 print_group(fp, tok->tt.proc64.rgid, raw);
2648 close_attr(fp);
2649 open_attr(fp, "pid");
2650 print_4_bytes(fp, tok->tt.proc64.pid, "%u");
2651 close_attr(fp);
2652 open_attr(fp, "sid");
2653 print_4_bytes(fp, tok->tt.proc64.sid, "%u");
2654 close_attr(fp);
2655 open_attr(fp, "tid");
2656 print_8_bytes(fp, tok->tt.proc64.tid.port, "%llu");
2657 print_ip_address(fp, tok->tt.proc64.tid.addr);
2658 close_attr(fp);
2659 close_tag(fp, tok->id);
2660 } else {
2661 print_delim(fp, del);
2662 print_user(fp, tok->tt.proc64.auid, raw);
2663 print_delim(fp, del);
2664 print_user(fp, tok->tt.proc64.euid, raw);
2665 print_delim(fp, del);
2666 print_group(fp, tok->tt.proc64.egid, raw);
2667 print_delim(fp, del);
2668 print_user(fp, tok->tt.proc64.ruid, raw);
2669 print_delim(fp, del);
2670 print_group(fp, tok->tt.proc64.rgid, raw);
2671 print_delim(fp, del);
2672 print_4_bytes(fp, tok->tt.proc64.pid, "%u");
2673 print_delim(fp, del);
2674 print_4_bytes(fp, tok->tt.proc64.sid, "%u");
2675 print_delim(fp, del);
2676 print_8_bytes(fp, tok->tt.proc64.tid.port, "%llu");
2677 print_delim(fp, del);
2678 print_ip_address(fp, tok->tt.proc64.tid.addr);
2679 }
2680}
2681
2682/*
2683 * token ID 1 byte
2684 * audit ID 4 bytes
2685 * effective user ID 4 bytes
2686 * effective group ID 4 bytes
2687 * real user ID 4 bytes
2688 * real group ID 4 bytes
2689 * process ID 4 bytes
2690 * session ID 4 bytes
2691 * terminal ID
2692 * port ID 4 bytes
2693 * address type-len 4 bytes
2694 * machine address 16 bytes
2695 */
2696static int
2697fetch_process32ex_tok(tokenstr_t *tok, u_char *buf, int len)
2698{
2699 int err = 0;
2700
2701 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.auid, tok->len, err);
2702 if (err)
2703 return (-1);
2704
2705 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.euid, tok->len, err);
2706 if (err)
2707 return (-1);
2708
2709 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.egid, tok->len, err);
2710 if (err)
2711 return (-1);
2712
2713 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.ruid, tok->len, err);
2714 if (err)
2715 return (-1);
2716
2717 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.rgid, tok->len, err);
2718 if (err)
2719 return (-1);
2720
2721 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.pid, tok->len, err);
2722 if (err)
2723 return (-1);
2724
2725 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.sid, tok->len, err);
2726 if (err)
2727 return (-1);
2728
2729 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.tid.port, tok->len,
2730 err);
2731 if (err)
2732 return (-1);
2733
2734 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.tid.type, tok->len,
2735 err);
2736 if (err)
2737 return (-1);
2738
2739 if (tok->tt.proc32_ex.tid.type == AU_IPv4) {
2740 READ_TOKEN_BYTES(buf, len, &tok->tt.proc32_ex.tid.addr[0],
2741 sizeof(tok->tt.proc32_ex.tid.addr[0]), tok->len, err);
2742 if (err)
2743 return (-1);
2744 } else if (tok->tt.proc32_ex.tid.type == AU_IPv6) {
2745 READ_TOKEN_BYTES(buf, len, tok->tt.proc32_ex.tid.addr,
2746 sizeof(tok->tt.proc32_ex.tid.addr), tok->len, err);
2747 if (err)
2748 return (-1);
2749 } else
2750 return (-1);
2751
2752 return (0);
2753}
2754
2755static void
2756print_process32ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2757 __unused char sfrm, int xml)
2758{
2759
2760 print_tok_type(fp, tok->id, "process_ex", raw, xml);
2761 if (xml) {
2762 open_attr(fp, "audit-uid");
2763 print_user(fp, tok->tt.proc32_ex.auid, raw);
2764 close_attr(fp);
2765 open_attr(fp, "uid");
2766 print_user(fp, tok->tt.proc32_ex.euid, raw);
2767 close_attr(fp);
2768 open_attr(fp, "gid");
2769 print_group(fp, tok->tt.proc32_ex.egid, raw);
2770 close_attr(fp);
2771 open_attr(fp, "ruid");
2772 print_user(fp, tok->tt.proc32_ex.ruid, raw);
2773 close_attr(fp);
2774 open_attr(fp, "rgid");
2775 print_group(fp, tok->tt.proc32_ex.rgid, raw);
2776 close_attr(fp);
2777 open_attr(fp, "pid");
2778 print_4_bytes(fp, tok->tt.proc32_ex.pid, "%u");
2779 close_attr(fp);
2780 open_attr(fp, "sid");
2781 print_4_bytes(fp, tok->tt.proc32_ex.sid, "%u");
2782 close_attr(fp);
2783 open_attr(fp, "tid");
2784 print_4_bytes(fp, tok->tt.proc32_ex.tid.port, "%u");
2785 print_ip_ex_address(fp, tok->tt.proc32_ex.tid.type,
2786 tok->tt.proc32_ex.tid.addr);
2787 close_attr(fp);
2788 close_tag(fp, tok->id);
2789 } else {
2790 print_delim(fp, del);
2791 print_user(fp, tok->tt.proc32_ex.auid, raw);
2792 print_delim(fp, del);
2793 print_user(fp, tok->tt.proc32_ex.euid, raw);
2794 print_delim(fp, del);
2795 print_group(fp, tok->tt.proc32_ex.egid, raw);
2796 print_delim(fp, del);
2797 print_user(fp, tok->tt.proc32_ex.ruid, raw);
2798 print_delim(fp, del);
2799 print_group(fp, tok->tt.proc32_ex.rgid, raw);
2800 print_delim(fp, del);
2801 print_4_bytes(fp, tok->tt.proc32_ex.pid, "%u");
2802 print_delim(fp, del);
2803 print_4_bytes(fp, tok->tt.proc32_ex.sid, "%u");
2804 print_delim(fp, del);
2805 print_4_bytes(fp, tok->tt.proc32_ex.tid.port, "%u");
2806 print_delim(fp, del);
2807 print_ip_ex_address(fp, tok->tt.proc32_ex.tid.type,
2808 tok->tt.proc32_ex.tid.addr);
2809 }
2810}
2811
2812/*
2813 * token ID 1 byte
2814 * audit ID 4 bytes
2815 * effective user ID 4 bytes
2816 * effective group ID 4 bytes
2817 * real user ID 4 bytes
2818 * real group ID 4 bytes
2819 * process ID 4 bytes
2820 * session ID 4 bytes
2821 * terminal ID
2822 * port ID 8 bytes
2823 * address type-len 4 bytes
2824 * machine address 16 bytes
2825 */
2826static int
2827fetch_process64ex_tok(tokenstr_t *tok, u_char *buf, int len)
2828{
2829 int err = 0;
2830
2831 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.auid, tok->len, err);
2832 if (err)
2833 return (-1);
2834
2835 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.euid, tok->len, err);
2836 if (err)
2837 return (-1);
2838
2839 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.egid, tok->len, err);
2840 if (err)
2841 return (-1);
2842
2843 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.ruid, tok->len, err);
2844 if (err)
2845 return (-1);
2846
2847 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.rgid, tok->len, err);
2848 if (err)
2849 return (-1);
2850
2851 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.pid, tok->len, err);
2852 if (err)
2853 return (-1);
2854
2855 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.sid, tok->len, err);
2856 if (err)
2857 return (-1);
2858
2859 READ_TOKEN_U_INT64(buf, len, tok->tt.proc64_ex.tid.port, tok->len,
2860 err);
2861 if (err)
2862 return (-1);
2863
2864 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.tid.type, tok->len,
2865 err);
2866 if (err)
2867 return (-1);
2868
2869 if (tok->tt.proc64_ex.tid.type == AU_IPv4) {
2870 READ_TOKEN_BYTES(buf, len, &tok->tt.proc64_ex.tid.addr[0],
2871 sizeof(tok->tt.proc64_ex.tid.addr[0]), tok->len, err);
2872 if (err)
2873 return (-1);
2874 } else if (tok->tt.proc64_ex.tid.type == AU_IPv6) {
2875 READ_TOKEN_BYTES(buf, len, tok->tt.proc64_ex.tid.addr,
2876 sizeof(tok->tt.proc64_ex.tid.addr), tok->len, err);
2877 if (err)
2878 return (-1);
2879 } else
2880 return (-1);
2881
2882 return (0);
2883}
2884
2885static void
2886print_process64ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2887 __unused char sfrm, int xml)
2888{
2889 print_tok_type(fp, tok->id, "process_ex", raw, xml);
2890 if (xml) {
2891 open_attr(fp, "audit-uid");
2892 print_user(fp, tok->tt.proc64_ex.auid, raw);
2893 close_attr(fp);
2894 open_attr(fp, "uid");
2895 print_user(fp, tok->tt.proc64_ex.euid, raw);
2896 close_attr(fp);
2897 open_attr(fp, "gid");
2898 print_group(fp, tok->tt.proc64_ex.egid, raw);
2899 close_attr(fp);
2900 open_attr(fp, "ruid");
2901 print_user(fp, tok->tt.proc64_ex.ruid, raw);
2902 close_attr(fp);
2903 open_attr(fp, "rgid");
2904 print_group(fp, tok->tt.proc64_ex.rgid, raw);
2905 close_attr(fp);
2906 open_attr(fp, "pid");
2907 print_4_bytes(fp, tok->tt.proc64_ex.pid, "%u");
2908 close_attr(fp);
2909 open_attr(fp, "sid");
2910 print_4_bytes(fp, tok->tt.proc64_ex.sid, "%u");
2911 close_attr(fp);
2912 open_attr(fp, "tid");
2913 print_8_bytes(fp, tok->tt.proc64_ex.tid.port, "%llu");
2914 print_ip_ex_address(fp, tok->tt.proc64_ex.tid.type,
2915 tok->tt.proc64_ex.tid.addr);
2916 close_attr(fp);
2917 close_tag(fp, tok->id);
2918 } else {
2919 print_delim(fp, del);
2920 print_user(fp, tok->tt.proc64_ex.auid, raw);
2921 print_delim(fp, del);
2922 print_user(fp, tok->tt.proc64_ex.euid, raw);
2923 print_delim(fp, del);
2924 print_group(fp, tok->tt.proc64_ex.egid, raw);
2925 print_delim(fp, del);
2926 print_user(fp, tok->tt.proc64_ex.ruid, raw);
2927 print_delim(fp, del);
2928 print_group(fp, tok->tt.proc64_ex.rgid, raw);
2929 print_delim(fp, del);
2930 print_4_bytes(fp, tok->tt.proc64_ex.pid, "%u");
2931 print_delim(fp, del);
2932 print_4_bytes(fp, tok->tt.proc64_ex.sid, "%u");
2933 print_delim(fp, del);
2934 print_8_bytes(fp, tok->tt.proc64_ex.tid.port, "%llu");
2935 print_delim(fp, del);
2936 print_ip_ex_address(fp, tok->tt.proc64_ex.tid.type,
2937 tok->tt.proc64_ex.tid.addr);
2938 }
2939}
2940
2941/*
2942 * errno 1 byte
2943 * return value 4 bytes
2944 */
2945static int
2946fetch_return32_tok(tokenstr_t *tok, u_char *buf, int len)
2947{
2948 int err = 0;
2949
2950 READ_TOKEN_U_CHAR(buf, len, tok->tt.ret32.status, tok->len, err);
2951 if (err)
2952 return (-1);
2953
2954 READ_TOKEN_U_INT32(buf, len, tok->tt.ret32.ret, tok->len, err);
2955 if (err)
2956 return (-1);
2957
2958 return (0);
2959}
2960
2961static void
2962print_return32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2963 __unused char sfrm, int xml)
2964{
2965
2966 print_tok_type(fp, tok->id, "return", raw, xml);
2967 if (xml) {
2968 open_attr(fp ,"errval");
2969 print_retval(fp, tok->tt.ret32.status, raw);
2970 close_attr(fp);
2971 open_attr(fp, "retval");
2972 print_4_bytes(fp, tok->tt.ret32.ret, "%u");
2973 close_attr(fp);
2974 close_tag(fp, tok->id);
2975 } else {
2976 print_delim(fp, del);
2977 print_retval(fp, tok->tt.ret32.status, raw);
2978 print_delim(fp, del);
2979 print_4_bytes(fp, tok->tt.ret32.ret, "%u");
2980 }
2981}
2982
2983static int
2984fetch_return64_tok(tokenstr_t *tok, u_char *buf, int len)
2985{
2986 int err = 0;
2987
2988 READ_TOKEN_U_CHAR(buf, len, tok->tt.ret64.err, tok->len, err);
2989 if (err)
2990 return (-1);
2991
2992 READ_TOKEN_U_INT64(buf, len, tok->tt.ret64.val, tok->len, err);
2993 if (err)
2994 return (-1);
2995
2996 return (0);
2997}
2998
2999static void
3000print_return64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3001 __unused char sfrm, int xml)
3002{
3003
3004 print_tok_type(fp, tok->id, "return", raw, xml);
3005 if (xml) {
3006 open_attr(fp, "errval");
3007 print_retval(fp, tok->tt.ret64.err, raw);
3008 close_attr(fp);
3009 open_attr(fp, "retval");
3010 print_8_bytes(fp, tok->tt.ret64.val, "%lld");
3011 close_attr(fp);
3012 close_tag(fp, tok->id);
3013 } else {
3014 print_delim(fp, del);
3015 print_retval(fp, tok->tt.ret64.err, raw);
3016 print_delim(fp, del);
3017 print_8_bytes(fp, tok->tt.ret64.val, "%lld");
3018 }
3019}
3020
3021/*
3022 * seq 4 bytes
3023 */
3024static int
3025fetch_seq_tok(tokenstr_t *tok, u_char *buf, int len)
3026{
3027 int err = 0;
3028
3029 READ_TOKEN_U_INT32(buf, len, tok->tt.seq.seqno, tok->len, err);
3030 if (err)
3031 return (-1);
3032
3033 return (0);
3034}
3035
3036static void
3037print_seq_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3038 __unused char sfrm, int xml)
3039{
3040
3041 print_tok_type(fp, tok->id, "sequence", raw, xml);
3042 if (xml) {
3043 open_attr(fp, "seq-num");
3044 print_4_bytes(fp, tok->tt.seq.seqno, "%u");
3045 close_attr(fp);
3046 close_tag(fp, tok->id);
3047 } else {
3048 print_delim(fp, del);
3049 print_4_bytes(fp, tok->tt.seq.seqno, "%u");
3050 }
3051}
3052
3053/*
3054 * socket family 2 bytes
3055 * local port 2 bytes
3056 * socket address 4 bytes
3057 */
3058static int
3059fetch_sock_inet32_tok(tokenstr_t *tok, u_char *buf, int len)
3060{
3061 int err = 0;
3062
3063 READ_TOKEN_U_INT16(buf, len, tok->tt.sockinet32.family, tok->len,
3064 err);
3065 if (err)
3066 return (-1);
3067
3068 READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet32.port,
3069 sizeof(uint16_t), tok->len, err);
3070 if (err)
3071 return (-1);
3072
3073 READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet32.addr,
3074 sizeof(tok->tt.sockinet32.addr), tok->len, err);
3075 if (err)
3076 return (-1);
3077
3078 return (0);
3079}
3080
3081static void
3082print_sock_inet32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3083 __unused char sfrm, int xml)
3084{
3085
3086 print_tok_type(fp, tok->id, "socket-inet", raw, xml);
3087 if (xml) {
3088 open_attr(fp, "type");
3089 print_2_bytes(fp, tok->tt.sockinet32.family, "%u");
3090 close_attr(fp);
3091 open_attr(fp, "port");
3092 print_2_bytes(fp, ntohs(tok->tt.sockinet32.port), "%u");
3093 close_attr(fp);
3094 open_attr(fp, "addr");
3095 print_ip_address(fp, tok->tt.sockinet32.addr);
3096 close_attr(fp);
3097 close_tag(fp, tok->id);
3098 } else {
3099 print_delim(fp, del);
3100 print_2_bytes(fp, tok->tt.sockinet32.family, "%u");
3101 print_delim(fp, del);
3102 print_2_bytes(fp, ntohs(tok->tt.sockinet32.port), "%u");
3103 print_delim(fp, del);
3104 print_ip_address(fp, tok->tt.sockinet32.addr);
3105 }
3106}
3107
3108/*
3109 * socket family 2 bytes
3110 * path 104 bytes
3111 */
3112static int
3113fetch_sock_unix_tok(tokenstr_t *tok, u_char *buf, int len)
3114{
3115 int err = 0;
3116
3117 READ_TOKEN_U_INT16(buf, len, tok->tt.sockunix.family, tok->len, err);
3118 if (err)
3119 return (-1);
3120
3121 READ_TOKEN_BYTES(buf, len, tok->tt.sockunix.path, 104, tok->len,
3122 err);
3123 if (err)
3124 return (-1);
3125
3126 return (0);
3127}
3128
3129static void
3130print_sock_unix_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3131 __unused char sfrm, int xml)
3132{
3133
3134 print_tok_type(fp, tok->id, "socket-unix", raw, xml);
3135 if (xml) {
3136 open_attr(fp, "type");
3137 print_2_bytes(fp, tok->tt.sockunix.family, "%u");
3138 close_attr(fp);
3139 open_attr(fp, "port");
3140 close_attr(fp);
3141 open_attr(fp, "addr");
3142 print_string(fp, tok->tt.sockunix.path,
3143 strlen(tok->tt.sockunix.path));
3144 close_attr(fp);
3145 close_tag(fp, tok->id);
3146 } else {
3147 print_delim(fp, del);
3148 print_2_bytes(fp, tok->tt.sockunix.family, "%u");
3149 print_delim(fp, del);
3150 print_string(fp, tok->tt.sockunix.path,
3151 strlen(tok->tt.sockunix.path));
3152 }
3153}
3154
3155/*
3156 * socket type 2 bytes
3157 * local port 2 bytes
3158 * local address 4 bytes
3159 * remote port 2 bytes
3160 * remote address 4 bytes
3161 */
3162static int
3163fetch_socket_tok(tokenstr_t *tok, u_char *buf, int len)
3164{
3165 int err = 0;
3166
3167 READ_TOKEN_U_INT16(buf, len, tok->tt.socket.type, tok->len, err);
3168 if (err)
3169 return (-1);
3170
3171 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_port, sizeof(uint16_t),
3172 tok->len, err);
3173 if (err)
3174 return (-1);
3175
3176 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_addr,
3177 sizeof(tok->tt.socket.l_addr), tok->len, err);
3178 if (err)
3179 return (-1);
3180
3181 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.r_port, sizeof(uint16_t),
3182 tok->len, err);
3183 if (err)
3184 return (-1);
3185
3186 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_addr,
3187 sizeof(tok->tt.socket.r_addr), tok->len, err);
3188 if (err)
3189 return (-1);
3190
3191 return (0);
3192}
3193
3194static void
3195print_socket_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3196 __unused char sfrm, int xml)
3197{
3198
3199 print_tok_type(fp, tok->id, "socket", raw, xml);
3200 if (xml) {
3201 open_attr(fp, "sock_type");
3202 print_2_bytes(fp, tok->tt.socket.type, "%u");
3203 close_attr(fp);
3204 open_attr(fp, "lport");
3205 print_2_bytes(fp, ntohs(tok->tt.socket.l_port), "%u");
3206 close_attr(fp);
3207 open_attr(fp, "laddr");
3208 print_ip_address(fp, tok->tt.socket.l_addr);
3209 close_attr(fp);
3210 open_attr(fp, "fport");
3211 print_2_bytes(fp, ntohs(tok->tt.socket.r_port), "%u");
3212 close_attr(fp);
3213 open_attr(fp, "faddr");
3214 print_ip_address(fp, tok->tt.socket.r_addr);
3215 close_attr(fp);
3216 close_tag(fp, tok->id);
3217 } else {
3218 print_delim(fp, del);
3219 print_2_bytes(fp, tok->tt.socket.type, "%u");
3220 print_delim(fp, del);
3221 print_2_bytes(fp, ntohs(tok->tt.socket.l_port), "%u");
3222 print_delim(fp, del);
3223 print_ip_address(fp, tok->tt.socket.l_addr);
3224 print_delim(fp, del);
3225 print_2_bytes(fp, ntohs(tok->tt.socket.r_port), "%u");
3226 print_delim(fp, del);
3227 print_ip_address(fp, tok->tt.socket.r_addr);
3228 }
3229}
3230
3231/*
3232 * audit ID 4 bytes
3233 * euid 4 bytes
3234 * egid 4 bytes
3235 * ruid 4 bytes
3236 * rgid 4 bytes
3237 * pid 4 bytes
3238 * sessid 4 bytes
3239 * terminal ID
3240 * portid 4 bytes/8 bytes (32-bit/64-bit value)
3241 * machine id 4 bytes
3242 */
3243static int
3244fetch_subject32_tok(tokenstr_t *tok, u_char *buf, int len)
3245{
3246 int err = 0;
3247
3248 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.auid, tok->len, err);
3249 if (err)
3250 return (-1);
3251
3252 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.euid, tok->len, err);
3253 if (err)
3254 return (-1);
3255
3256 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.egid, tok->len, err);
3257 if (err)
3258 return (-1);
3259
3260 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.ruid, tok->len, err);
3261 if (err)
3262 return (-1);
3263
3264 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.rgid, tok->len, err);
3265 if (err)
3266 return (-1);
3267
3268 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.pid, tok->len, err);
3269 if (err)
3270 return (-1);
3271
3272 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.sid, tok->len, err);
3273 if (err)
3274 return (-1);
3275
3276 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.tid.port, tok->len, err);
3277 if (err)
3278 return (-1);
3279
3280 READ_TOKEN_BYTES(buf, len, &tok->tt.subj32.tid.addr,
3281 sizeof(tok->tt.subj32.tid.addr), tok->len, err);
3282 if (err)
3283 return (-1);
3284
3285 return (0);
3286}
3287
3288static void
3289print_subject32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3290 __unused char sfrm, int xml)
3291{
3292
3293 print_tok_type(fp, tok->id, "subject", raw, xml);
3294 if (xml) {
3295 open_attr(fp, "audit-uid");
3296 print_user(fp, tok->tt.subj32.auid, raw);
3297 close_attr(fp);
3298 open_attr(fp, "uid");
3299 print_user(fp, tok->tt.subj32.euid, raw);
3300 close_attr(fp);
3301 open_attr(fp, "gid");
3302 print_group(fp, tok->tt.subj32.egid, raw);
3303 close_attr(fp);
3304 open_attr(fp, "ruid");
3305 print_user(fp, tok->tt.subj32.ruid, raw);
3306 close_attr(fp);
3307 open_attr(fp, "rgid");
3308 print_group(fp, tok->tt.subj32.rgid, raw);
3309 close_attr(fp);
3310 open_attr(fp,"pid");
3311 print_4_bytes(fp, tok->tt.subj32.pid, "%u");
3312 close_attr(fp);
3313 open_attr(fp,"sid");
3314 print_4_bytes(fp, tok->tt.subj32.sid, "%u");
3315 close_attr(fp);
3316 open_attr(fp,"tid");
3317 print_4_bytes(fp, tok->tt.subj32.tid.port, "%u ");
3318 print_ip_address(fp, tok->tt.subj32.tid.addr);
3319 close_attr(fp);
3320 close_tag(fp, tok->id);
3321 } else {
3322 print_delim(fp, del);
3323 print_user(fp, tok->tt.subj32.auid, raw);
3324 print_delim(fp, del);
3325 print_user(fp, tok->tt.subj32.euid, raw);
3326 print_delim(fp, del);
3327 print_group(fp, tok->tt.subj32.egid, raw);
3328 print_delim(fp, del);
3329 print_user(fp, tok->tt.subj32.ruid, raw);
3330 print_delim(fp, del);
3331 print_group(fp, tok->tt.subj32.rgid, raw);
3332 print_delim(fp, del);
3333 print_4_bytes(fp, tok->tt.subj32.pid, "%u");
3334 print_delim(fp, del);
3335 print_4_bytes(fp, tok->tt.subj32.sid, "%u");
3336 print_delim(fp, del);
3337 print_4_bytes(fp, tok->tt.subj32.tid.port, "%u");
3338 print_delim(fp, del);
3339 print_ip_address(fp, tok->tt.subj32.tid.addr);
3340 }
3341}
3342
3343/*
3344 * audit ID 4 bytes
3345 * euid 4 bytes
3346 * egid 4 bytes
3347 * ruid 4 bytes
3348 * rgid 4 bytes
3349 * pid 4 bytes
3350 * sessid 4 bytes
3351 * terminal ID
3352 * portid 4 bytes/8 bytes (32-bit/64-bit value)
3353 * machine id 4 bytes
3354 */
3355static int
3356fetch_subject64_tok(tokenstr_t *tok, u_char *buf, int len)
3357{
3358 int err = 0;
3359
3360 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.auid, tok->len, err);
3361 if (err)
3362 return (-1);
3363
3364 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.euid, tok->len, err);
3365 if (err)
3366 return (-1);
3367
3368 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.egid, tok->len, err);
3369 if (err)
3370 return (-1);
3371
3372 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.ruid, tok->len, err);
3373 if (err)
3374 return (-1);
3375
3376 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.rgid, tok->len, err);
3377 if (err)
3378 return (-1);
3379
3380 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.pid, tok->len, err);
3381 if (err)
3382 return (-1);
3383
3384 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.sid, tok->len, err);
3385 if (err)
3386 return (-1);
3387
3388 READ_TOKEN_U_INT64(buf, len, tok->tt.subj64.tid.port, tok->len, err);
3389 if (err)
3390 return (-1);
3391
3392 READ_TOKEN_BYTES(buf, len, &tok->tt.subj64.tid.addr,
3393 sizeof(tok->tt.subj64.tid.addr), tok->len, err);
3394 if (err)
3395 return (-1);
3396
3397 return (0);
3398}
3399
3400static void
3401print_subject64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3402 __unused char sfrm, int xml)
3403{
3404
3405 print_tok_type(fp, tok->id, "subject", raw, xml);
3406 if (xml) {
3407 open_attr(fp, "audit-uid");
3408 print_user(fp, tok->tt.subj64.auid, raw);
3409 close_attr(fp);
3410 open_attr(fp, "uid");
3411 print_user(fp, tok->tt.subj64.euid, raw);
3412 close_attr(fp);
3413 open_attr(fp, "gid");
3414 print_group(fp, tok->tt.subj64.egid, raw);
3415 close_attr(fp);
3416 open_attr(fp, "ruid");
3417 print_user(fp, tok->tt.subj64.ruid, raw);
3418 close_attr(fp);
3419 open_attr(fp, "rgid");
3420 print_group(fp, tok->tt.subj64.rgid, raw);
3421 close_attr(fp);
3422 open_attr(fp, "pid");
3423 print_4_bytes(fp, tok->tt.subj64.pid, "%u");
3424 close_attr(fp);
3425 open_attr(fp, "sid");
3426 print_4_bytes(fp, tok->tt.subj64.sid, "%u");
3427 close_attr(fp);
3428 open_attr(fp, "tid");
3429 print_8_bytes(fp, tok->tt.subj64.tid.port, "%llu");
3430 print_ip_address(fp, tok->tt.subj64.tid.addr);
3431 close_attr(fp);
3432 close_tag(fp, tok->id);
3433 } else {
3434 print_delim(fp, del);
3435 print_user(fp, tok->tt.subj64.auid, raw);
3436 print_delim(fp, del);
3437 print_user(fp, tok->tt.subj64.euid, raw);
3438 print_delim(fp, del);
3439 print_group(fp, tok->tt.subj64.egid, raw);
3440 print_delim(fp, del);
3441 print_user(fp, tok->tt.subj64.ruid, raw);
3442 print_delim(fp, del);
3443 print_group(fp, tok->tt.subj64.rgid, raw);
3444 print_delim(fp, del);
3445 print_4_bytes(fp, tok->tt.subj64.pid, "%u");
3446 print_delim(fp, del);
3447 print_4_bytes(fp, tok->tt.subj64.sid, "%u");
3448 print_delim(fp, del);
3449 print_8_bytes(fp, tok->tt.subj64.tid.port, "%llu");
3450 print_delim(fp, del);
3451 print_ip_address(fp, tok->tt.subj64.tid.addr);
3452 }
3453}
3454
3455/*
3456 * audit ID 4 bytes
3457 * euid 4 bytes
3458 * egid 4 bytes
3459 * ruid 4 bytes
3460 * rgid 4 bytes
3461 * pid 4 bytes
3462 * sessid 4 bytes
3463 * terminal ID
3464 * portid 4 bytes
3465 * type 4 bytes
3466 * machine id 16 bytes
3467 */
3468static int
3469fetch_subject32ex_tok(tokenstr_t *tok, u_char *buf, int len)
3470{
3471 int err = 0;
3472
3473 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.auid, tok->len, err);
3474 if (err)
3475 return (-1);
3476
3477 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.euid, tok->len, err);
3478 if (err)
3479 return (-1);
3480
3481 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.egid, tok->len, err);
3482 if (err)
3483 return (-1);
3484
3485 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.ruid, tok->len, err);
3486 if (err)
3487 return (-1);
3488
3489 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.rgid, tok->len, err);
3490 if (err)
3491 return (-1);
3492
3493 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.pid, tok->len, err);
3494 if (err)
3495 return (-1);
3496
3497 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.sid, tok->len, err);
3498 if (err)
3499 return (-1);
3500
3501 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.tid.port, tok->len,
3502 err);
3503 if (err)
3504 return (-1);
3505
3506 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.tid.type, tok->len,
3507 err);
3508 if (err)
3509 return (-1);
3510
3511 if (tok->tt.subj32_ex.tid.type == AU_IPv4) {
3512 READ_TOKEN_BYTES(buf, len, &tok->tt.subj32_ex.tid.addr[0],
3513 sizeof(tok->tt.subj32_ex.tid.addr[0]), tok->len, err);
3514 if (err)
3515 return (-1);
3516 } else if (tok->tt.subj32_ex.tid.type == AU_IPv6) {
3517 READ_TOKEN_BYTES(buf, len, tok->tt.subj32_ex.tid.addr,
3518 sizeof(tok->tt.subj32_ex.tid.addr), tok->len, err);
3519 if (err)
3520 return (-1);
3521 } else
3522 return (-1);
3523
3524 return (0);
3525}
3526
3527static void
3528print_subject32ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3529 __unused char sfrm, int xml)
3530{
3531
3532 print_tok_type(fp, tok->id, "subject_ex", raw, xml);
3533 if (xml) {
3534 open_attr(fp, "audit-uid");
3535 print_user(fp, tok->tt.subj32_ex.auid, raw);
3536 close_attr(fp);
3537 open_attr(fp, "uid");
3538 print_user(fp, tok->tt.subj32_ex.euid, raw);
3539 close_attr(fp);
3540 open_attr(fp, "gid");
3541 print_group(fp, tok->tt.subj32_ex.egid, raw);
3542 close_attr(fp);
3543 open_attr(fp, "ruid");
3544 print_user(fp, tok->tt.subj32_ex.ruid, raw);
3545 close_attr(fp);
3546 open_attr(fp, "rgid");
3547 print_group(fp, tok->tt.subj32_ex.rgid, raw);
3548 close_attr(fp);
3549 open_attr(fp, "pid");
3550 print_4_bytes(fp, tok->tt.subj32_ex.pid, "%u");
3551 close_attr(fp);
3552 open_attr(fp, "sid");
3553 print_4_bytes(fp, tok->tt.subj32_ex.sid, "%u");
3554 close_attr(fp);
3555 open_attr(fp, "tid");
3556 print_4_bytes(fp, tok->tt.subj32_ex.tid.port, "%u");
3557 print_ip_ex_address(fp, tok->tt.subj32_ex.tid.type,
3558 tok->tt.subj32_ex.tid.addr);
3559 close_attr(fp);
3560 close_tag(fp, tok->id);
3561 } else {
3562 print_delim(fp, del);
3563 print_user(fp, tok->tt.subj32_ex.auid, raw);
3564 print_delim(fp, del);
3565 print_user(fp, tok->tt.subj32_ex.euid, raw);
3566 print_delim(fp, del);
3567 print_group(fp, tok->tt.subj32_ex.egid, raw);
3568 print_delim(fp, del);
3569 print_user(fp, tok->tt.subj32_ex.ruid, raw);
3570 print_delim(fp, del);
3571 print_group(fp, tok->tt.subj32_ex.rgid, raw);
3572 print_delim(fp, del);
3573 print_4_bytes(fp, tok->tt.subj32_ex.pid, "%u");
3574 print_delim(fp, del);
3575 print_4_bytes(fp, tok->tt.subj32_ex.sid, "%u");
3576 print_delim(fp, del);
3577 print_4_bytes(fp, tok->tt.subj32_ex.tid.port, "%u");
3578 print_delim(fp, del);
3579 print_ip_ex_address(fp, tok->tt.subj32_ex.tid.type,
3580 tok->tt.subj32_ex.tid.addr);
3581 }
3582}
3583
3584/*
3585 * audit ID 4 bytes
3586 * euid 4 bytes
3587 * egid 4 bytes
3588 * ruid 4 bytes
3589 * rgid 4 bytes
3590 * pid 4 bytes
3591 * sessid 4 bytes
3592 * terminal ID
3593 * portid 8 bytes
3594 * type 4 bytes
3595 * machine id 16 bytes
3596 */
3597static int
3598fetch_subject64ex_tok(tokenstr_t *tok, u_char *buf, int len)
3599{
3600 int err = 0;
3601
3602 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.auid, tok->len, err);
3603 if (err)
3604 return (-1);
3605
3606 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.euid, tok->len, err);
3607 if (err)
3608 return (-1);
3609
3610 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.egid, tok->len, err);
3611 if (err)
3612 return (-1);
3613
3614 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.ruid, tok->len, err);
3615 if (err)
3616 return (-1);
3617
3618 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.rgid, tok->len, err);
3619 if (err)
3620 return (-1);
3621
3622 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.pid, tok->len, err);
3623 if (err)
3624 return (-1);
3625
3626 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.sid, tok->len, err);
3627 if (err)
3628 return (-1);
3629
3630 READ_TOKEN_U_INT64(buf, len, tok->tt.subj64_ex.tid.port, tok->len,
3631 err);
3632 if (err)
3633 return (-1);
3634
3635 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.tid.type, tok->len,
3636 err);
3637 if (err)
3638 return (-1);
3639
3640 if (tok->tt.subj64_ex.tid.type == AU_IPv4) {
3641 READ_TOKEN_BYTES(buf, len, &tok->tt.subj64_ex.tid.addr[0],
3642 sizeof(tok->tt.subj64_ex.tid.addr[0]), tok->len, err);
3643 if (err)
3644 return (-1);
3645 } else if (tok->tt.subj64_ex.tid.type == AU_IPv6) {
3646 READ_TOKEN_BYTES(buf, len, tok->tt.subj64_ex.tid.addr,
3647 sizeof(tok->tt.subj64_ex.tid.addr), tok->len, err);
3648 if (err)
3649 return (-1);
3650 } else
3651 return (-1);
3652
3653 return (0);
3654}
3655
3656static void
3657print_subject64ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3658 __unused char sfrm, int xml)
3659{
3660 print_tok_type(fp, tok->id, "subject_ex", raw, xml);
3661 if (xml) {
3662 open_attr(fp, "audit-uid");
3663 print_user(fp, tok->tt.subj64_ex.auid, raw);
3664 close_attr(fp);
3665 open_attr(fp, "uid");
3666 print_user(fp, tok->tt.subj64_ex.euid, raw);
3667 close_attr(fp);
3668 open_attr(fp, "gid");
3669 print_group(fp, tok->tt.subj64_ex.egid, raw);
3670 close_attr(fp);
3671 open_attr(fp, "ruid");
3672 print_user(fp, tok->tt.subj64_ex.ruid, raw);
3673 close_attr(fp);
3674 open_attr(fp, "rgid");
3675 print_group(fp, tok->tt.subj64_ex.rgid, raw);
3676 close_attr(fp);
3677 open_attr(fp, "pid");
3678 print_4_bytes(fp, tok->tt.subj64_ex.pid, "%u");
3679 close_attr(fp);
3680 open_attr(fp, "sid");
3681 print_4_bytes(fp, tok->tt.subj64_ex.sid, "%u");
3682 close_attr(fp);
3683 open_attr(fp, "tid");
3684 print_8_bytes(fp, tok->tt.subj64_ex.tid.port, "%llu");
3685 print_ip_ex_address(fp, tok->tt.subj64_ex.tid.type,
3686 tok->tt.subj64_ex.tid.addr);
3687 close_attr(fp);
3688 close_tag(fp, tok->id);
3689 } else {
3690 print_delim(fp, del);
3691 print_user(fp, tok->tt.subj64_ex.auid, raw);
3692 print_delim(fp, del);
3693 print_user(fp, tok->tt.subj64_ex.euid, raw);
3694 print_delim(fp, del);
3695 print_group(fp, tok->tt.subj64_ex.egid, raw);
3696 print_delim(fp, del);
3697 print_user(fp, tok->tt.subj64_ex.ruid, raw);
3698 print_delim(fp, del);
3699 print_group(fp, tok->tt.subj64_ex.rgid, raw);
3700 print_delim(fp, del);
3701 print_4_bytes(fp, tok->tt.subj64_ex.pid, "%u");
3702 print_delim(fp, del);
3703 print_4_bytes(fp, tok->tt.subj64_ex.sid, "%u");
3704 print_delim(fp, del);
3705 print_8_bytes(fp, tok->tt.subj64_ex.tid.port, "%llu");
3706 print_delim(fp, del);
3707 print_ip_ex_address(fp, tok->tt.subj64_ex.tid.type,
3708 tok->tt.subj64_ex.tid.addr);
3709 }
3710}
3711
3712/*
3713 * size 2 bytes
3714 * data size bytes
3715 */
3716static int
3717fetch_text_tok(tokenstr_t *tok, u_char *buf, int len)
3718{
3719 int err = 0;
3720
3721 READ_TOKEN_U_INT16(buf, len, tok->tt.text.len, tok->len, err);
3722 if (err)
3723 return (-1);
3724
3725 SET_PTR((char*)buf, len, tok->tt.text.text, tok->tt.text.len, tok->len,
3726 err);
3727 if (err)
3728 return (-1);
3729
3730 return (0);
3731}
3732
3733static void
3734print_text_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3735 __unused char sfrm, int xml)
3736{
3737
3738 print_tok_type(fp, tok->id, "text", raw, xml);
3739 if (xml) {
3740 print_string(fp, tok->tt.text.text, tok->tt.text.len);
3741 close_tag(fp, tok->id);
3742 } else {
3743 print_delim(fp, del);
3744 print_string(fp, tok->tt.text.text, tok->tt.text.len);
3745 }
3746}
3747
3748/*
3749 * socket type 2 bytes
3750 * local port 2 bytes
3751 * address type/length 4 bytes
3752 * local Internet address 4 bytes
3753 * remote port 4 bytes
3754 * address type/length 4 bytes
3755 * remote Internet address 4 bytes
3756 */
3757static int
3758fetch_socketex32_tok(tokenstr_t *tok, u_char *buf, int len)
3759{
3760 int err = 0;
3761
3762 READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.type, tok->len,
3763 err);
3764 if (err)
3765 return (-1);
3766
3767 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_port,
3768 sizeof(uint16_t), tok->len, err);
3769 if (err)
3770 return (-1);
3771
3772 READ_TOKEN_U_INT32(buf, len, tok->tt.socket_ex32.l_ad_type, tok->len,
3773 err);
3774 if (err)
3775 return (-1);
3776
3777 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_addr,
3778 sizeof(tok->tt.socket_ex32.l_addr), tok->len, err);
3779 if (err)
3780 return (-1);
3781
3782 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_port,
3783 sizeof(uint16_t), tok->len, err);
3784 if (err)
3785 return (-1);
3786
3787 READ_TOKEN_U_INT32(buf, len, tok->tt.socket_ex32.r_ad_type, tok->len,
3788 err);
3789 if (err)
3790 return (-1);
3791
3792 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_addr,
3793 sizeof(tok->tt.socket_ex32.r_addr), tok->len, err);
3794 if (err)
3795 return (-1);
3796
3797 return (0);
3798}
3799
3800static void
3801print_socketex32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3802 __unused char sfrm, int xml)
3803{
3804
3805 print_tok_type(fp, tok->id, "socket", raw, xml);
3806 if (xml) {
3807 open_attr(fp, "sock_type");
3808 print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x");
3809 close_attr(fp);
3810 open_attr(fp, "lport");
3811 print_2_bytes(fp, ntohs(tok->tt.socket_ex32.l_port), "%#x");
3812 close_attr(fp);
3813 open_attr(fp, "laddr");
3814 print_ip_address(fp, tok->tt.socket_ex32.l_addr);
3815 close_attr(fp);
3816 open_attr(fp, "faddr");
3817 print_ip_address(fp, tok->tt.socket_ex32.r_addr);
3818 close_attr(fp);
3819 open_attr(fp, "fport");
3820 print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x");
3821 close_attr(fp);
3822 close_tag(fp, tok->id);
3823 } else {
3824 print_delim(fp, del);
3825 print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x");
3826 print_delim(fp, del);
3827 print_2_bytes(fp, ntohs(tok->tt.socket_ex32.l_port), "%#x");
3828 print_delim(fp, del);
3829 print_ip_address(fp, tok->tt.socket_ex32.l_addr);
3830 print_delim(fp, del);
3831 print_4_bytes(fp, ntohs(tok->tt.socket_ex32.r_port), "%#x");
3832 print_delim(fp, del);
3833 print_ip_address(fp, tok->tt.socket_ex32.r_addr);
3834 }
3835}
3836
3837static int
3838fetch_invalid_tok(tokenstr_t *tok, u_char *buf, int len)
3839{
3840 int err = 0;
3841 int recoversize;
3842
3843 recoversize = len - (tok->len + AUDIT_TRAILER_SIZE);
3844 if (recoversize <= 0)
3845 return (-1);
3846
3847 tok->tt.invalid.length = recoversize;
3848
3849 SET_PTR((char*)buf, len, tok->tt.invalid.data, recoversize, tok->len,
3850 err);
3851 if (err)
3852 return (-1);
3853
3854 return (0);
3855}
3856
3857static void
3858print_invalid_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3859 __unused char sfrm, int xml)
3860{
3861
3862 if (!xml) {
3863 print_tok_type(fp, tok->id, "unknown", raw, 0);
3864 print_delim(fp, del);
3865 print_mem(fp, (u_char*)tok->tt.invalid.data,
3866 tok->tt.invalid.length);
3867 }
3868}
3869
3870
3871/*
3872 * size 2 bytes;
3873 * zonename size bytes;
3874 */
3875static int
3876fetch_zonename_tok(tokenstr_t *tok, char *buf, int len)
3877{
3878 int err = 0;
3879
3880 READ_TOKEN_U_INT16(buf, len, tok->tt.zonename.len, tok->len, err);
3881 if (err)
3882 return (-1);
3883 SET_PTR(buf, len, tok->tt.zonename.zonename, tok->tt.zonename.len,
3884 tok->len, err);
3885 if (err)
3886 return (-1);
3887 return (0);
3888}
3889
3890static void
3891print_zonename_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3892 __unused char sfrm, int xml)
3893{
3894
3895 print_tok_type(fp, tok->id, "zone", raw, xml);
3896 if (xml) {
3897 open_attr(fp, "name");
3898 print_string(fp, tok->tt.zonename.zonename,
3899 tok->tt.zonename.len);
3900 close_attr(fp);
3901 close_tag(fp, tok->id);
3902 } else {
3903 print_delim(fp, del);
3904 print_string(fp, tok->tt.zonename.zonename,
3905 tok->tt.zonename.len);
3906 }
3907}
3908
3909/*
3910 * Reads the token beginning at buf into tok.
3911 */
3912int
3913au_fetch_tok(tokenstr_t *tok, u_char *buf, int len)
3914{
3915
3916 if (len <= 0)
3917 return (-1);
3918
3919 tok->len = 1;
3920 tok->data = buf;
3921 tok->id = *buf;
3922
3923 switch(tok->id) {
3924 case AUT_HEADER32:
3925 return (fetch_header32_tok(tok, buf, len));
3926
3927 case AUT_HEADER32_EX:
3928 return (fetch_header32_ex_tok(tok, buf, len));
3929
3930 case AUT_HEADER64:
3931 return (fetch_header64_tok(tok, buf, len));
3932
3933 case AUT_HEADER64_EX:
3934 return (fetch_header64_ex_tok(tok, buf, len));
3935
3936 case AUT_TRAILER:
3937 return (fetch_trailer_tok(tok, buf, len));
3938
3939 case AUT_ARG32:
3940 return (fetch_arg32_tok(tok, buf, len));
3941
3942 case AUT_ARG64:
3943 return (fetch_arg64_tok(tok, buf, len));
3944
3945 case AUT_ATTR32:
3946 return (fetch_attr32_tok(tok, buf, len));
3947
3948 case AUT_ATTR64:
3949 return (fetch_attr64_tok(tok, buf, len));
3950
3951 case AUT_EXIT:
3952 return (fetch_exit_tok(tok, buf, len));
3953
3954 case AUT_EXEC_ARGS:
3955 return (fetch_execarg_tok(tok, buf, len));
3956
3957 case AUT_EXEC_ENV:
3958 return (fetch_execenv_tok(tok, buf, len));
3959
3960 case AUT_OTHER_FILE32:
3961 return (fetch_file_tok(tok, buf, len));
3962
3963 case AUT_NEWGROUPS:
3964 return (fetch_newgroups_tok(tok, buf, len));
3965
3966 case AUT_IN_ADDR:
3967 return (fetch_inaddr_tok(tok, buf, len));
3968
3969 case AUT_IN_ADDR_EX:
3970 return (fetch_inaddr_ex_tok(tok, buf, len));
3971
3972 case AUT_IP:
3973 return (fetch_ip_tok(tok, buf, len));
3974
3975 case AUT_IPC:
3976 return (fetch_ipc_tok(tok, buf, len));
3977
3978 case AUT_IPC_PERM:
3979 return (fetch_ipcperm_tok(tok, buf, len));
3980
3981 case AUT_IPORT:
3982 return (fetch_iport_tok(tok, buf, len));
3983
3984 case AUT_OPAQUE:
3985 return (fetch_opaque_tok(tok, buf, len));
3986
3987 case AUT_PATH:
3988 return (fetch_path_tok(tok, buf, len));
3989
3990 case AUT_PROCESS32:
3991 return (fetch_process32_tok(tok, buf, len));
3992
3993 case AUT_PROCESS32_EX:
3994 return (fetch_process32ex_tok(tok, buf, len));
3995
3996 case AUT_PROCESS64:
3997 return (fetch_process64_tok(tok, buf, len));
3998
3999 case AUT_PROCESS64_EX:
4000 return (fetch_process64ex_tok(tok, buf, len));
4001
4002 case AUT_RETURN32:
4003 return (fetch_return32_tok(tok, buf, len));
4004
4005 case AUT_RETURN64:
4006 return (fetch_return64_tok(tok, buf, len));
4007
4008 case AUT_SEQ:
4009 return (fetch_seq_tok(tok, buf, len));
4010
4011 case AUT_SOCKET:
4012 return (fetch_socket_tok(tok, buf, len));
4013
4014 case AUT_SOCKINET32:
4015 return (fetch_sock_inet32_tok(tok, buf, len));
4016
4017 case AUT_SOCKUNIX:
4018 return (fetch_sock_unix_tok(tok, buf, len));
4019
4020 case AUT_SUBJECT32:
4021 return (fetch_subject32_tok(tok, buf, len));
4022
4023 case AUT_SUBJECT32_EX:
4024 return (fetch_subject32ex_tok(tok, buf, len));
4025
4026 case AUT_SUBJECT64:
4027 return (fetch_subject64_tok(tok, buf, len));
4028
4029 case AUT_SUBJECT64_EX:
4030 return (fetch_subject64ex_tok(tok, buf, len));
4031
4032 case AUT_TEXT:
4033 return (fetch_text_tok(tok, buf, len));
4034
4035 case AUT_SOCKET_EX:
4036 return (fetch_socketex32_tok(tok, buf, len));
4037
4038 case AUT_DATA:
4039 return (fetch_arb_tok(tok, buf, len));
4040
4041 case AUT_ZONENAME:
4042 return (fetch_zonename_tok(tok, buf, len));
4043
4044 default:
4045 return (fetch_invalid_tok(tok, buf, len));
4046 }
4047}
4048
4049/*
4050 * 'prints' the token out to outfp.
4051 */
4052void
4053au_print_tok(FILE *outfp, tokenstr_t *tok, char *del, char raw, char sfrm)
4054{
4055
4056 switch(tok->id) {
4057 case AUT_HEADER32:
4058 print_header32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4059 return;
4060
4061 case AUT_HEADER32_EX:
4062 print_header32_ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4063 return;
4064
4065 case AUT_HEADER64:
4066 print_header64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4067 return;
4068
4069 case AUT_HEADER64_EX:
4070 print_header64_ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4071 return;
4072
4073 case AUT_TRAILER:
4074 print_trailer_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4075 return;
4076
4077 case AUT_ARG32:
4078 print_arg32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4079 return;
4080
4081 case AUT_ARG64:
4082 print_arg64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4083 return;
4084
4085 case AUT_DATA:
4086 print_arb_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4087 return;
4088
4089 case AUT_ATTR32:
4090 print_attr32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4091 return;
4092
4093 case AUT_ATTR64:
4094 print_attr64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4095 return;
4096
4097 case AUT_EXIT:
4098 print_exit_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4099 return;
4100
4101 case AUT_EXEC_ARGS:
4102 print_execarg_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4103 return;
4104
4105 case AUT_EXEC_ENV:
4106 print_execenv_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4107 return;
4108
4109 case AUT_OTHER_FILE32:
4110 print_file_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4111 return;
4112
4113 case AUT_NEWGROUPS:
4114 print_newgroups_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4115 return;
4116
4117 case AUT_IN_ADDR:
4118 print_inaddr_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4119 return;
4120
4121 case AUT_IN_ADDR_EX:
4122 print_inaddr_ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4123 return;
4124
4125 case AUT_IP:
4126 print_ip_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4127 return;
4128
4129 case AUT_IPC:
4130 print_ipc_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4131 return;
4132
4133 case AUT_IPC_PERM:
4134 print_ipcperm_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4135 return;
4136
4137 case AUT_IPORT:
4138 print_iport_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4139 return;
4140
4141 case AUT_OPAQUE:
4142 print_opaque_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4143 return;
4144
4145 case AUT_PATH:
4146 print_path_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4147 return;
4148
4149 case AUT_PROCESS32:
4150 print_process32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4151 return;
4152
4153 case AUT_PROCESS32_EX:
4154 print_process32ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4155 return;
4156
4157 case AUT_PROCESS64:
4158 print_process64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4159 return;
4160
4161 case AUT_PROCESS64_EX:
4162 print_process64ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4163 return;
4164
4165 case AUT_RETURN32:
4166 print_return32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4167 return;
4168
4169 case AUT_RETURN64:
4170 print_return64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4171 return;
4172
4173 case AUT_SEQ:
4174 print_seq_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4175 return;
4176
4177 case AUT_SOCKET:
4178 print_socket_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4179 return;
4180
4181 case AUT_SOCKINET32:
4182 print_sock_inet32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4183 return;
4184
4185 case AUT_SOCKUNIX:
4186 print_sock_unix_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4187 return;
4188
4189 case AUT_SUBJECT32:
4190 print_subject32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4191 return;
4192
4193 case AUT_SUBJECT64:
4194 print_subject64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4195 return;
4196
4197 case AUT_SUBJECT32_EX:
4198 print_subject32ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4199 return;
4200
4201 case AUT_SUBJECT64_EX:
4202 print_subject64ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4203 return;
4204
4205 case AUT_TEXT:
4206 print_text_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4207 return;
4208
4209 case AUT_SOCKET_EX:
4210 print_socketex32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4211 return;
4212
4213 case AUT_ZONENAME:
4214 print_zonename_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4215 return;
4216
4217 default:
4218 print_invalid_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4219 }
4220}
4221
4222/*
4223 * 'prints' the token out to outfp in XML format.
4224 */
4225void
4226au_print_tok_xml(FILE *outfp, tokenstr_t *tok, char *del, char raw,
4227 char sfrm)
4228{
4229
4230 switch(tok->id) {
4231 case AUT_HEADER32:
4232 print_header32_tok(outfp, tok, del, raw, sfrm, AU_XML);
4233 return;
4234
4235 case AUT_HEADER32_EX:
4236 print_header32_ex_tok(outfp, tok, del, raw, sfrm, AU_XML);
4237 return;
4238
4239 case AUT_HEADER64:
4240 print_header64_tok(outfp, tok, del, raw, sfrm, AU_XML);
4241 return;
4242
4243 case AUT_HEADER64_EX:
4244 print_header64_ex_tok(outfp, tok, del, raw, sfrm, AU_XML);
4245 return;
4246
4247 case AUT_TRAILER:
4248 print_trailer_tok(outfp, tok, del, raw, sfrm, AU_XML);
4249 return;
4250
4251 case AUT_ARG32:
4252 print_arg32_tok(outfp, tok, del, raw, sfrm, AU_XML);
4253 return;
4254
4255 case AUT_ARG64:
4256 print_arg64_tok(outfp, tok, del, raw, sfrm, AU_XML);
4257 return;
4258
4259 case AUT_DATA:
4260 print_arb_tok(outfp, tok, del, raw, sfrm, AU_XML);
4261 return;
4262
4263 case AUT_ATTR32:
4264 print_attr32_tok(outfp, tok, del, raw, sfrm, AU_XML);
4265 return;
4266
4267 case AUT_ATTR64:
4268 print_attr64_tok(outfp, tok, del, raw, sfrm, AU_XML);
4269 return;
4270
4271 case AUT_EXIT:
4272 print_exit_tok(outfp, tok, del, raw, sfrm, AU_XML);
4273 return;
4274
4275 case AUT_EXEC_ARGS:
4276 print_execarg_tok(outfp, tok, del, raw, sfrm, AU_XML);
4277 return;
4278
4279 case AUT_EXEC_ENV:
4280 print_execenv_tok(outfp, tok, del, raw, sfrm, AU_XML);
4281 return;
4282
4283 case AUT_OTHER_FILE32:
4284 print_file_tok(outfp, tok, del, raw, sfrm, AU_XML);
4285 return;
4286
4287 case AUT_NEWGROUPS:
4288 print_newgroups_tok(outfp, tok, del, raw, sfrm, AU_XML);
4289 return;
4290
4291 case AUT_IN_ADDR:
4292 print_inaddr_tok(outfp, tok, del, raw, sfrm, AU_XML);
4293 return;
4294
4295 case AUT_IN_ADDR_EX:
4296 print_inaddr_ex_tok(outfp, tok, del, raw, sfrm, AU_XML);
4297 return;
4298
4299 case AUT_IP:
4300 print_ip_tok(outfp, tok, del, raw, sfrm, AU_XML);
4301 return;
4302
4303 case AUT_IPC:
4304 print_ipc_tok(outfp, tok, del, raw, sfrm, AU_XML);
4305 return;
4306
4307 case AUT_IPC_PERM:
4308 print_ipcperm_tok(outfp, tok, del, raw, sfrm, AU_XML);
4309 return;
4310
4311 case AUT_IPORT:
4312 print_iport_tok(outfp, tok, del, raw, sfrm, AU_XML);
4313 return;
4314
4315 case AUT_OPAQUE:
4316 print_opaque_tok(outfp, tok, del, raw, sfrm, AU_XML);
4317 return;
4318
4319 case AUT_PATH:
4320 print_path_tok(outfp, tok, del, raw, sfrm, AU_XML);
4321 return;
4322
4323 case AUT_PROCESS32:
4324 print_process32_tok(outfp, tok, del, raw, sfrm, AU_XML);
4325 return;
4326
4327 case AUT_PROCESS32_EX:
4328 print_process32ex_tok(outfp, tok, del, raw, sfrm, AU_XML);
4329 return;
4330
4331 case AUT_PROCESS64:
4332 print_process64_tok(outfp, tok, del, raw, sfrm, AU_XML);
4333 return;
4334
4335 case AUT_PROCESS64_EX:
4336 print_process64ex_tok(outfp, tok, del, raw, sfrm, AU_XML);
4337 return;
4338
4339 case AUT_RETURN32:
4340 print_return32_tok(outfp, tok, del, raw, sfrm, AU_XML);
4341 return;
4342
4343 case AUT_RETURN64:
4344 print_return64_tok(outfp, tok, del, raw, sfrm, AU_XML);
4345 return;
4346
4347 case AUT_SEQ:
4348 print_seq_tok(outfp, tok, del, raw, sfrm, AU_XML);
4349 return;
4350
4351 case AUT_SOCKET:
4352 print_socket_tok(outfp, tok, del, raw, sfrm, AU_XML);
4353 return;
4354
4355 case AUT_SOCKINET32:
4356 print_sock_inet32_tok(outfp, tok, del, raw, sfrm, AU_XML);
4357 return;
4358
4359 case AUT_SOCKUNIX:
4360 print_sock_unix_tok(outfp, tok, del, raw, sfrm, AU_XML);
4361 return;
4362
4363 case AUT_SUBJECT32:
4364 print_subject32_tok(outfp, tok, del, raw, sfrm, AU_XML);
4365 return;
4366
4367 case AUT_SUBJECT64:
4368 print_subject64_tok(outfp, tok, del, raw, sfrm, AU_XML);
4369 return;
4370
4371 case AUT_SUBJECT32_EX:
4372 print_subject32ex_tok(outfp, tok, del, raw, sfrm, AU_XML);
4373 return;
4374
4375 case AUT_SUBJECT64_EX:
4376 print_subject64ex_tok(outfp, tok, del, raw, sfrm, AU_XML);
4377 return;
4378
4379 case AUT_TEXT:
4380 print_text_tok(outfp, tok, del, raw, sfrm, AU_XML);
4381 return;
4382
4383 case AUT_SOCKET_EX:
4384 print_socketex32_tok(outfp, tok, del, raw, sfrm, AU_XML);
4385 return;
4386
4387 case AUT_ZONENAME:
4388 print_zonename_tok(outfp, tok, del, raw, sfrm, AU_XML);
4389 return;
4390
4391 default:
4392 print_invalid_tok(outfp, tok, del, raw, sfrm, AU_XML);
4393 }
4394}
4395
4396/*
4397 * Read a record from the file pointer, store data in buf memory for buf is
4398 * also allocated in this function and has to be free'd outside this call.
4399 *
4400 * au_read_rec() handles two possibilities: a stand-alone file token, or a
4401 * complete audit record.
4402 *
4403 * XXXRW: Note that if we hit an error, we leave the stream in an unusable
4404 * state, because it will be partly offset into a record. We should rewind
4405 * or do something more intelligent. Particularly interesting is the case
4406 * where we perform a partial read of a record from a non-blockable file
4407 * descriptor. We should return the partial read and continue...?
4408 */
4409int
4410au_read_rec(FILE *fp, u_char **buf)
4411{
4412 u_char *bptr;
4413 u_int32_t recsize;
4414 u_int32_t bytestoread;
4415 u_char type;
4416
4417 u_int32_t sec, msec;
4418 u_int16_t filenamelen;
4419
4420 type = fgetc(fp);
4421
4422 switch (type) {
4423 case AUT_HEADER32:
4424 case AUT_HEADER32_EX:
4425 case AUT_HEADER64:
4426 case AUT_HEADER64_EX:
4427 /* read the record size from the token */
4428 if (fread(&recsize, 1, sizeof(u_int32_t), fp) <
4429 sizeof(u_int32_t)) {
4430 errno = EINVAL;
4431 return (-1);
4432 }
4433 recsize = be32toh(recsize);
4434
4435 /* Check for recsize sanity */
4436 if (recsize < (sizeof(u_int32_t) + sizeof(u_char))) {
4437 errno = EINVAL;
4438 return (-1);
4439 }
4440
4441 *buf = malloc(recsize * sizeof(u_char));
4442 if (*buf == NULL)
4443 return (-1);
4444 bptr = *buf;
4445 memset(bptr, 0, recsize);
4446
4447 /* store the token contents already read, back to the buffer*/
4448 *bptr = type;
4449 bptr++;
4450 be32enc(bptr, recsize);
4451 bptr += sizeof(u_int32_t);
4452
4453 /* now read remaining record bytes */
4454 bytestoread = recsize - (sizeof(u_int32_t) + sizeof(u_char));
4455
4456 if (fread(bptr, 1, bytestoread, fp) < bytestoread) {
4457 free(*buf);
4458 errno = EINVAL;
4459 return (-1);
4460 }
4461 break;
4462
4463 case AUT_OTHER_FILE32:
4464 /*
4465 * The file token is variable-length, as it includes a
4466 * pathname. As a result, we have to read incrementally
4467 * until we know the total length, then allocate space and
4468 * read the rest.
4469 */
4470 if (fread(&sec, 1, sizeof(sec), fp) < sizeof(sec)) {
4471 errno = EINVAL;
4472 return (-1);
4473 }
4474 if (fread(&msec, 1, sizeof(msec), fp) < sizeof(msec)) {
4475 errno = EINVAL;
4476 return (-1);
4477 }
4478 if (fread(&filenamelen, 1, sizeof(filenamelen), fp) <
4479 sizeof(filenamelen)) {
4480 errno = EINVAL;
4481 return (-1);
4482 }
4483 recsize = sizeof(type) + sizeof(sec) + sizeof(msec) +
4484 sizeof(filenamelen) + ntohs(filenamelen);
4485 *buf = malloc(recsize);
4486 if (*buf == NULL)
4487 return (-1);
4488 bptr = *buf;
4489
4490 bcopy(&type, bptr, sizeof(type));
4491 bptr += sizeof(type);
4492 bcopy(&sec, bptr, sizeof(sec));
4493 bptr += sizeof(sec);
4494 bcopy(&msec, bptr, sizeof(msec));
4495 bptr += sizeof(msec);
4496 bcopy(&filenamelen, bptr, sizeof(filenamelen));
4497 bptr += sizeof(filenamelen);
4498
4499 if (fread(bptr, 1, ntohs(filenamelen), fp) <
4500 ntohs(filenamelen)) {
4501 free(buf);
4502 errno = EINVAL;
4503 return (-1);
4504 }
4505 break;
4506
4507 default:
4508 errno = EINVAL;
4509 return (-1);
4510 }
4511
4512 return (recsize);
4513}
|