1/*
2 * Copyright (c) 2004 Apple Computer, Inc.
3 * Copyright (c) 2005 SPARTA, Inc.
4 * All rights reserved.
5 *
6 * This code was developed in part by Robert N. M. Watson, Senior Principal
7 * Scientist, SPARTA, Inc.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
18 * its contributors may be used to endorse or promote products derived
19 * from this software without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
25 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
29 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
30 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
31 * POSSIBILITY OF SUCH DAMAGE.
32 *
|
33 * $P4: //depot/projects/trustedbsd/audit3/sys/security/audit/audit_bsm_token.c#7 $
34 * $FreeBSD: head/sys/security/audit/audit_bsm_token.c 155192 2006-02-01 20:01:18Z rwatson $
|
33 * $P4: //depot/projects/trustedbsd/audit3/sys/security/audit/audit_bsm_token.c#9 $
34 * $FreeBSD: head/sys/security/audit/audit_bsm_token.c 156291 2006-03-04 17:00:55Z rwatson $ |
35 */
36
37#include <sys/types.h>
|
38#ifdef __APPLE__
39#include <compat/endian.h>
40#else /* !__APPLE__ */
|
38#include <sys/endian.h>
|
42#endif /* __APPLE__*/
|
39#include <sys/socket.h>
40#include <sys/time.h>
41
42#include <sys/ipc.h>
43#include <sys/libkern.h>
44#include <sys/malloc.h>
45#include <sys/un.h>
46
47#include <netinet/in.h>
48#include <netinet/in_systm.h>
49#include <netinet/ip.h>
50
51#include <sys/socketvar.h>
52
53#include <bsm/audit.h>
54#include <bsm/audit_internal.h>
55#include <bsm/audit_record.h>
56#include <security/audit/audit.h>
57#include <security/audit/audit_private.h>
58
59#define GET_TOKEN_AREA(t, dptr, length) do { \
60 t = malloc(sizeof(token_t), M_AUDITBSM, M_WAITOK); \
61 t->t_data = malloc(length, M_AUDITBSM, M_WAITOK | M_ZERO); \
62 t->len = length; \
63 dptr = t->t_data; \
64} while (0)
65
66/*
67 * token ID 1 byte
68 * argument # 1 byte
69 * argument value 4 bytes/8 bytes (32-bit/64-bit value)
70 * text length 2 bytes
71 * text N bytes + 1 terminating NULL byte
72 */
73token_t *
74au_to_arg32(char n, char *text, u_int32_t v)
75{
76 token_t *t;
77 u_char *dptr = NULL;
78 u_int16_t textlen;
79
80 textlen = strlen(text);
81 textlen += 1;
82
83 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int32_t) +
84 sizeof(u_int16_t) + textlen);
85
86 ADD_U_CHAR(dptr, AUT_ARG32);
87 ADD_U_CHAR(dptr, n);
88 ADD_U_INT32(dptr, v);
89 ADD_U_INT16(dptr, textlen);
90 ADD_STRING(dptr, text, textlen);
91
92 return (t);
93
94}
95
96token_t *
97au_to_arg64(char n, char *text, u_int64_t v)
98{
99 token_t *t;
100 u_char *dptr = NULL;
101 u_int16_t textlen;
102
103 textlen = strlen(text);
104 textlen += 1;
105
106 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int64_t) +
107 sizeof(u_int16_t) + textlen);
108
109 ADD_U_CHAR(dptr, AUT_ARG64);
110 ADD_U_CHAR(dptr, n);
111 ADD_U_INT64(dptr, v);
112 ADD_U_INT16(dptr, textlen);
113 ADD_STRING(dptr, text, textlen);
114
115 return (t);
116
117}
118
119token_t *
120au_to_arg(char n, char *text, u_int32_t v)
121{
122
123 return (au_to_arg32(n, text, v));
124}
125
126#if defined(_KERNEL) || defined(KERNEL)
127/*
128 * token ID 1 byte
129 * file access mode 4 bytes
130 * owner user ID 4 bytes
131 * owner group ID 4 bytes
132 * file system ID 4 bytes
133 * node ID 8 bytes
134 * device 4 bytes/8 bytes (32-bit/64-bit)
135 */
136token_t *
137au_to_attr32(struct vnode_au_info *vni)
138{
139 token_t *t;
140 u_char *dptr = NULL;
141 u_int16_t pad0_16 = 0;
142 u_int16_t pad0_32 = 0;
143
144 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) +
145 3 * sizeof(u_int32_t) + sizeof(u_int64_t) + sizeof(u_int32_t));
146
147 ADD_U_CHAR(dptr, AUT_ATTR32);
148
149 /*
150 * Darwin defines the size for the file mode
151 * as 2 bytes; BSM defines 4 so pad with 0
152 */
153 ADD_U_INT16(dptr, pad0_16);
154 ADD_U_INT16(dptr, vni->vn_mode);
155
156 ADD_U_INT32(dptr, vni->vn_uid);
157 ADD_U_INT32(dptr, vni->vn_gid);
158 ADD_U_INT32(dptr, vni->vn_fsid);
159
160 /*
161 * Some systems use 32-bit file ID's, other's use 64-bit file IDs.
162 * Attempt to handle both, and let the compiler sort it out. If we
163 * could pick this out at compile-time, it would be better, so as to
164 * avoid the else case below.
165 */
166 if (sizeof(vni->vn_fileid) == sizeof(uint32_t)) {
167 ADD_U_INT32(dptr, pad0_32);
168 ADD_U_INT32(dptr, vni->vn_fileid);
169 } else if (sizeof(vni->vn_fileid) == sizeof(uint64_t))
170 ADD_U_INT64(dptr, vni->vn_fileid);
171 else
172 ADD_U_INT64(dptr, 0LL);
173
174 ADD_U_INT32(dptr, vni->vn_dev);
175
176 return (t);
177}
178
179token_t *
180au_to_attr64(struct vnode_au_info *vni)
181{
182
183 return (NULL);
184}
185
186token_t *
187au_to_attr(struct vnode_au_info *vni)
188{
189
190 return (au_to_attr32(vni));
191}
192#endif /* !(defined(_KERNEL) || defined(KERNEL) */
193
194/*
195 * token ID 1 byte
196 * how to print 1 byte
197 * basic unit 1 byte
198 * unit count 1 byte
199 * data items (depends on basic unit)
200 */
201token_t *
202au_to_data(char unit_print, char unit_type, char unit_count, char *p)
203{
204 token_t *t;
205 u_char *dptr = NULL;
206 size_t datasize, totdata;
207
208 /* Determine the size of the basic unit. */
209 switch (unit_type) {
210 case AUR_BYTE:
211 datasize = AUR_BYTE_SIZE;
212 break;
213
214 case AUR_SHORT:
215 datasize = AUR_SHORT_SIZE;
216 break;
217
218 case AUR_LONG:
219 datasize = AUR_LONG_SIZE;
220 break;
221
222 default:
223 return (NULL);
224 }
225
226 totdata = datasize * unit_count;
227
228 GET_TOKEN_AREA(t, dptr, totdata + 4 * sizeof(u_char));
229
230 ADD_U_CHAR(dptr, AUT_DATA);
231 ADD_U_CHAR(dptr, unit_print);
232 ADD_U_CHAR(dptr, unit_type);
233 ADD_U_CHAR(dptr, unit_count);
234 ADD_MEM(dptr, p, totdata);
235
236 return (t);
237}
238
239
240/*
241 * token ID 1 byte
242 * status 4 bytes
243 * return value 4 bytes
244 */
245token_t *
246au_to_exit(int retval, int err)
247{
248 token_t *t;
249 u_char *dptr = NULL;
250
251 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int32_t));
252
253 ADD_U_CHAR(dptr, AUT_EXIT);
254 ADD_U_INT32(dptr, err);
255 ADD_U_INT32(dptr, retval);
256
257 return (t);
258}
259
260/*
261 */
262token_t *
263au_to_groups(int *groups)
264{
265
266 return (au_to_newgroups(BSM_MAX_GROUPS, groups));
267}
268
269/*
270 * token ID 1 byte
271 * number groups 2 bytes
272 * group list count * 4 bytes
273 */
274token_t *
275au_to_newgroups(u_int16_t n, gid_t *groups)
276{
277 token_t *t;
278 u_char *dptr = NULL;
279 int i;
280
281 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) +
282 n * sizeof(u_int32_t));
283
284 ADD_U_CHAR(dptr, AUT_NEWGROUPS);
285 ADD_U_INT16(dptr, n);
286 for (i = 0; i < n; i++)
287 ADD_U_INT32(dptr, groups[i]);
288
289 return (t);
290}
291
292/*
293 * token ID 1 byte
294 * internet address 4 bytes
295 */
296token_t *
297au_to_in_addr(struct in_addr *internet_addr)
298{
299 token_t *t;
300 u_char *dptr = NULL;
301
302 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t));
303
304 ADD_U_CHAR(dptr, AUT_IN_ADDR);
305 ADD_U_INT32(dptr, internet_addr->s_addr);
306
307 return (t);
308}
309
310/*
311 * token ID 1 byte
312 * address type/length 4 bytes
313 * Address 16 bytes
314 */
315token_t *
316au_to_in_addr_ex(struct in6_addr *internet_addr)
317{
318 token_t *t;
319 u_char *dptr = NULL;
320 u_int32_t type = AF_INET6;
321
322 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 5 * sizeof(u_int32_t));
323
324 ADD_U_CHAR(dptr, AUT_IN_ADDR_EX);
325 ADD_U_INT32(dptr, type);
|
330 ADD_U_INT32(dptr, internet_addr->__u6_addr.__u6_addr32[0]);
331 ADD_U_INT32(dptr, internet_addr->__u6_addr.__u6_addr32[1]);
332 ADD_U_INT32(dptr, internet_addr->__u6_addr.__u6_addr32[2]);
333 ADD_U_INT32(dptr, internet_addr->__u6_addr.__u6_addr32[3]);
|
| 326 ADD_MEM(dptr, internet_addr, sizeof(*internet_addr)); |
327
328 return (t);
329}
330
331/*
332 * token ID 1 byte
333 * ip header 20 bytes
334 */
335token_t *
336au_to_ip(struct ip *ip)
337{
338 token_t *t;
339 u_char *dptr = NULL;
340
341 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(struct ip));
342
343 ADD_U_CHAR(dptr, AUT_IP);
344 /*
345 * XXXRW: Any byte order work needed on the IP header before writing?
346 */
347 ADD_MEM(dptr, ip, sizeof(struct ip));
348
349 return (t);
350}
351
352/*
353 * token ID 1 byte
354 * object ID type 1 byte
355 * object ID 4 bytes
356 */
357token_t *
358au_to_ipc(char type, int id)
359{
360 token_t *t;
361 u_char *dptr = NULL;
362
363 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int32_t));
364
365 ADD_U_CHAR(dptr, AUT_IPC);
366 ADD_U_CHAR(dptr, type);
367 ADD_U_INT32(dptr, id);
368
369 return (t);
370}
371
372/*
373 * token ID 1 byte
374 * owner user ID 4 bytes
375 * owner group ID 4 bytes
376 * creator user ID 4 bytes
377 * creator group ID 4 bytes
378 * access mode 4 bytes
379 * slot sequence # 4 bytes
380 * key 4 bytes
381 */
382token_t *
383au_to_ipc_perm(struct ipc_perm *perm)
384{
385 token_t *t;
386 u_char *dptr = NULL;
387 u_int16_t pad0 = 0;
388
389 GET_TOKEN_AREA(t, dptr, 12 * sizeof(u_int16_t) + sizeof(u_int32_t));
390
391 ADD_U_CHAR(dptr, AUT_IPC_PERM);
392
393 /*
394 * Darwin defines the sizes for ipc_perm members
395 * as 2 bytes; BSM defines 4 so pad with 0
396 */
397 ADD_U_INT16(dptr, pad0);
398 ADD_U_INT16(dptr, perm->uid);
399
400 ADD_U_INT16(dptr, pad0);
401 ADD_U_INT16(dptr, perm->gid);
402
403 ADD_U_INT16(dptr, pad0);
404 ADD_U_INT16(dptr, perm->cuid);
405
406 ADD_U_INT16(dptr, pad0);
407 ADD_U_INT16(dptr, perm->cgid);
408
409 ADD_U_INT16(dptr, pad0);
410 ADD_U_INT16(dptr, perm->mode);
411
412 ADD_U_INT16(dptr, pad0);
413 ADD_U_INT16(dptr, perm->seq);
414
415 ADD_U_INT32(dptr, perm->key);
416
417 return (t);
418}
419
420/*
421 * token ID 1 byte
422 * port IP address 2 bytes
423 */
424token_t *
425au_to_iport(u_int16_t iport)
426{
427 token_t *t;
428 u_char *dptr = NULL;
429
430 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t));
431
432 ADD_U_CHAR(dptr, AUT_IPORT);
433 ADD_U_INT16(dptr, iport);
434
435 return (t);
436}
437
438/*
439 * token ID 1 byte
440 * size 2 bytes
441 * data size bytes
442 */
443token_t *
444au_to_opaque(char *data, u_int16_t bytes)
445{
446 token_t *t;
447 u_char *dptr = NULL;
448
449 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + bytes);
450
451 ADD_U_CHAR(dptr, AUT_OPAQUE);
452 ADD_U_INT16(dptr, bytes);
453 ADD_MEM(dptr, data, bytes);
454
455 return (t);
456}
457
458/*
459 * token ID 1 byte
460 * seconds of time 4 bytes
461 * milliseconds of time 4 bytes
462 * file name len 2 bytes
463 * file pathname N bytes + 1 terminating NULL byte
464 */
465token_t *
466#if defined(KERNEL) || defined(_KERNEL)
467au_to_file(char *file, struct timeval tm)
468#else
469au_to_file(char *file)
470#endif
471{
472 token_t *t;
473 u_char *dptr = NULL;
474 u_int16_t filelen;
475 u_int32_t timems;
476#if !defined(KERNEL) && !defined(_KERNEL)
477 struct timeval tm;
478 struct timezone tzp;
479
480 if (gettimeofday(&tm, &tzp) == -1)
481 return (NULL);
482#endif
483 /* XXXRW: else ...? */
484
485 filelen = strlen(file);
486 filelen += 1;
487
488 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int32_t) +
489 sizeof(u_int16_t) + filelen);
490
491 timems = tm.tv_usec/1000;
492
493 ADD_U_CHAR(dptr, AUT_OTHER_FILE32);
494 ADD_U_INT32(dptr, tm.tv_sec);
495 ADD_U_INT32(dptr, timems); /* We need time in ms. */
496 ADD_U_INT16(dptr, filelen);
497 ADD_STRING(dptr, file, filelen);
498
499 return (t);
500}
501
502/*
503 * token ID 1 byte
504 * text length 2 bytes
505 * text N bytes + 1 terminating NULL byte
506 */
507token_t *
508au_to_text(char *text)
509{
510 token_t *t;
511 u_char *dptr = NULL;
512 u_int16_t textlen;
513
514 textlen = strlen(text);
515 textlen += 1;
516
517 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + textlen);
518
519 ADD_U_CHAR(dptr, AUT_TEXT);
520 ADD_U_INT16(dptr, textlen);
521 ADD_STRING(dptr, text, textlen);
522
523 return (t);
524}
525
526/*
527 * token ID 1 byte
528 * path length 2 bytes
529 * path N bytes + 1 terminating NULL byte
530 */
531token_t *
532au_to_path(char *text)
533{
534 token_t *t;
535 u_char *dptr = NULL;
536 u_int16_t textlen;
537
538 textlen = strlen(text);
539 textlen += 1;
540
541 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + textlen);
542
543 ADD_U_CHAR(dptr, AUT_PATH);
544 ADD_U_INT16(dptr, textlen);
545 ADD_STRING(dptr, text, textlen);
546
547 return (t);
548}
549
550/*
551 * token ID 1 byte
552 * audit ID 4 bytes
553 * effective user ID 4 bytes
554 * effective group ID 4 bytes
555 * real user ID 4 bytes
556 * real group ID 4 bytes
557 * process ID 4 bytes
558 * session ID 4 bytes
559 * terminal ID
560 * port ID 4 bytes/8 bytes (32-bit/64-bit value)
561 * machine address 4 bytes
562 */
563token_t *
564au_to_process32(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
565 pid_t pid, au_asid_t sid, au_tid_t *tid)
566{
567 token_t *t;
568 u_char *dptr = NULL;
569
570 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 9 * sizeof(u_int32_t));
571
572 ADD_U_CHAR(dptr, AUT_PROCESS32);
573 ADD_U_INT32(dptr, auid);
574 ADD_U_INT32(dptr, euid);
575 ADD_U_INT32(dptr, egid);
576 ADD_U_INT32(dptr, ruid);
577 ADD_U_INT32(dptr, rgid);
578 ADD_U_INT32(dptr, pid);
579 ADD_U_INT32(dptr, sid);
580 ADD_U_INT32(dptr, tid->port);
581 ADD_U_INT32(dptr, tid->machine);
582
583 return (t);
584}
585
586token_t *
587au_to_process64(__unused au_id_t auid, __unused uid_t euid,
588 __unused gid_t egid, __unused uid_t ruid, __unused gid_t rgid,
589 __unused pid_t pid, __unused au_asid_t sid, __unused au_tid_t *tid)
590{
591
592 return (NULL);
593}
594
595token_t *
596au_to_process(__unused au_id_t auid, __unused uid_t euid,
597 __unused gid_t egid, __unused uid_t ruid, __unused gid_t rgid,
598 __unused pid_t pid, __unused au_asid_t sid, __unused au_tid_t *tid)
599{
600
601 return (au_to_process32(auid, euid, egid, ruid, rgid, pid, sid,
602 tid));
603}
604
605/*
606 * token ID 1 byte
607 * audit ID 4 bytes
608 * effective user ID 4 bytes
609 * effective group ID 4 bytes
610 * real user ID 4 bytes
611 * real group ID 4 bytes
612 * process ID 4 bytes
613 * session ID 4 bytes
614 * terminal ID
615 * port ID 4 bytes/8 bytes (32-bit/64-bit value)
616 * address type-len 4 bytes
617 * machine address 16 bytes
618 */
619token_t *
620au_to_process32_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
621 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
622{
623 token_t *t;
624 u_char *dptr = NULL;
625
626 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 13 * sizeof(u_int32_t));
627
628 ADD_U_CHAR(dptr, AUT_PROCESS32_EX);
629 ADD_U_INT32(dptr, auid);
630 ADD_U_INT32(dptr, euid);
631 ADD_U_INT32(dptr, egid);
632 ADD_U_INT32(dptr, ruid);
633 ADD_U_INT32(dptr, rgid);
634 ADD_U_INT32(dptr, pid);
635 ADD_U_INT32(dptr, sid);
636 ADD_U_INT32(dptr, tid->at_port);
637 ADD_U_INT32(dptr, tid->at_type);
638 ADD_U_INT32(dptr, tid->at_addr[0]);
639 ADD_U_INT32(dptr, tid->at_addr[1]);
640 ADD_U_INT32(dptr, tid->at_addr[2]);
641 ADD_U_INT32(dptr, tid->at_addr[3]);
642
643 return (t);
644}
645
646token_t *
647au_to_process64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
648 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
649{
650
651 return (NULL);
652}
653
654token_t *
655au_to_process_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
656 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
657{
658
659 return (au_to_process32_ex(auid, euid, egid, ruid, rgid, pid, sid,
660 tid));
661}
662
663/*
664 * token ID 1 byte
665 * error status 1 byte
666 * return value 4 bytes/8 bytes (32-bit/64-bit value)
667 */
668token_t *
669au_to_return32(char status, u_int32_t ret)
670{
671 token_t *t;
672 u_char *dptr = NULL;
673
674 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int32_t));
675
676 ADD_U_CHAR(dptr, AUT_RETURN32);
677 ADD_U_CHAR(dptr, status);
678 ADD_U_INT32(dptr, ret);
679
680 return (t);
681}
682
683token_t *
684au_to_return64(char status, u_int64_t ret)
685{
686 token_t *t;
687 u_char *dptr = NULL;
688
689 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int64_t));
690
691 ADD_U_CHAR(dptr, AUT_RETURN64);
692 ADD_U_CHAR(dptr, status);
693 ADD_U_INT64(dptr, ret);
694
695 return (t);
696}
697
698token_t *
699au_to_return(char status, u_int32_t ret)
700{
701
702 return (au_to_return32(status, ret));
703}
704
705/*
706 * token ID 1 byte
707 * sequence number 4 bytes
708 */
709token_t *
710au_to_seq(long audit_count)
711{
712 token_t *t;
713 u_char *dptr = NULL;
714
715 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t));
716
717 ADD_U_CHAR(dptr, AUT_SEQ);
718 ADD_U_INT32(dptr, audit_count);
719
720 return (t);
721}
722
723/*
724 * token ID 1 byte
725 * socket type 2 bytes
726 * local port 2 bytes
727 * local Internet address 4 bytes
728 * remote port 2 bytes
729 * remote Internet address 4 bytes
730 */
731token_t *
732au_to_socket(struct socket *so)
733{
734
735 /* XXXRW ... */
736 return (NULL);
737}
738
739/*
740 * Kernel-specific version of the above function.
741 */
742#ifdef _KERNEL
743token_t *
744kau_to_socket(struct socket_au_info *soi)
745{
746 token_t *t;
747 u_char *dptr;
748 u_int16_t so_type;
749
750 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) +
751 sizeof(u_int32_t) + sizeof(u_int16_t) + sizeof(u_int32_t));
752
753 ADD_U_CHAR(dptr, AU_SOCK_TOKEN);
754 /* Coerce the socket type into a short value */
755 so_type = soi->so_type;
756 ADD_U_INT16(dptr, so_type);
757 ADD_U_INT16(dptr, soi->so_lport);
758 ADD_U_INT32(dptr, soi->so_laddr);
759 ADD_U_INT16(dptr, soi->so_rport);
760 ADD_U_INT32(dptr, soi->so_raddr);
761
762 return (t);
763}
764#endif
765
766/*
767 * token ID 1 byte
768 * socket type 2 bytes
769 * local port 2 bytes
770 * address type/length 4 bytes
771 * local Internet address 4 bytes/16 bytes (IPv4/IPv6 address)
772 * remote port 4 bytes
773 * address type/length 4 bytes
774 * remote Internet address 4 bytes/16 bytes (IPv4/IPv6 address)
775 */
776token_t *
777au_to_socket_ex_32(u_int16_t lp, u_int16_t rp, struct sockaddr *la,
778 struct sockaddr *ra)
779{
780
781 return (NULL);
782}
783
784token_t *
785au_to_socket_ex_128(u_int16_t lp, u_int16_t rp, struct sockaddr *la,
786 struct sockaddr *ra)
787{
788
789 return (NULL);
790}
791
792/*
793 * token ID 1 byte
794 * socket family 2 bytes
795 * path 104 bytes
796 */
797token_t *
798au_to_sock_unix(struct sockaddr_un *so)
799{
800 token_t *t;
801 u_char *dptr;
802
803 GET_TOKEN_AREA(t, dptr, 3 * sizeof(u_char) + strlen(so->sun_path) + 1);
804
805 ADD_U_CHAR(dptr, AU_SOCK_UNIX_TOKEN);
806 /* BSM token has two bytes for family */
807 ADD_U_CHAR(dptr, 0);
808 ADD_U_CHAR(dptr, so->sun_family);
809 ADD_STRING(dptr, so->sun_path, strlen(so->sun_path) + 1);
810
811 return (t);
812}
813
814/*
815 * token ID 1 byte
816 * socket family 2 bytes
817 * local port 2 bytes
818 * socket address 4 bytes
819 */
820token_t *
821au_to_sock_inet32(struct sockaddr_in *so)
822{
823 token_t *t;
824 u_char *dptr = NULL;
825
826 GET_TOKEN_AREA(t, dptr, 3 * sizeof(u_char) + sizeof(u_int16_t) +
827 sizeof(u_int32_t));
828
829 ADD_U_CHAR(dptr, AUT_SOCKINET32);
830 /*
831 * In Darwin, sin_family is one octet, but BSM defines the token
832 * to store two. So we copy in a 0 first.
833 */
834 ADD_U_CHAR(dptr, 0);
835 ADD_U_CHAR(dptr, so->sin_family);
836 ADD_U_INT16(dptr, so->sin_port);
837 ADD_U_INT32(dptr, so->sin_addr.s_addr);
838
839 return (t);
840
841}
842
843token_t *
844au_to_sock_inet128(struct sockaddr_in6 *so)
845{
846 token_t *t;
847 u_char *dptr = NULL;
848
849 GET_TOKEN_AREA(t, dptr, 3 * sizeof(u_char) + sizeof(u_int16_t) +
850 4 * sizeof(u_int32_t));
851
852 ADD_U_CHAR(dptr, AUT_SOCKINET128);
853 /*
854 * In Darwin, sin6_family is one octet, but BSM defines the token
855 * to store two. So we copy in a 0 first.
856 */
857 ADD_U_CHAR(dptr, 0);
858 ADD_U_CHAR(dptr, so->sin6_family);
859
860 ADD_U_INT16(dptr, so->sin6_port);
|
868 ADD_U_INT32(dptr, so->sin6_addr.__u6_addr.__u6_addr32[0]);
869 ADD_U_INT32(dptr, so->sin6_addr.__u6_addr.__u6_addr32[1]);
870 ADD_U_INT32(dptr, so->sin6_addr.__u6_addr.__u6_addr32[2]);
871 ADD_U_INT32(dptr, so->sin6_addr.__u6_addr.__u6_addr32[3]);
|
| 861 ADD_MEM(dptr, &so->sin6_addr, sizeof(so->sin6_addr)); |
862
863 return (t);
864
865}
866
867token_t *
868au_to_sock_inet(struct sockaddr_in *so)
869{
870
871 return (au_to_sock_inet32(so));
872}
873
874/*
875 * token ID 1 byte
876 * audit ID 4 bytes
877 * effective user ID 4 bytes
878 * effective group ID 4 bytes
879 * real user ID 4 bytes
880 * real group ID 4 bytes
881 * process ID 4 bytes
882 * session ID 4 bytes
883 * terminal ID
884 * port ID 4 bytes/8 bytes (32-bit/64-bit value)
885 * machine address 4 bytes
886 */
887token_t *
888au_to_subject32(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
889 pid_t pid, au_asid_t sid, au_tid_t *tid)
890{
891 token_t *t;
892 u_char *dptr = NULL;
893
894 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 9 * sizeof(u_int32_t));
895
896 ADD_U_CHAR(dptr, AUT_SUBJECT32);
897 ADD_U_INT32(dptr, auid);
898 ADD_U_INT32(dptr, euid);
899 ADD_U_INT32(dptr, egid);
900 ADD_U_INT32(dptr, ruid);
901 ADD_U_INT32(dptr, rgid);
902 ADD_U_INT32(dptr, pid);
903 ADD_U_INT32(dptr, sid);
904 ADD_U_INT32(dptr, tid->port);
905 ADD_U_INT32(dptr, tid->machine);
906
907 return (t);
908}
909
910token_t *
911au_to_subject64(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
912 pid_t pid, au_asid_t sid, au_tid_t *tid)
913{
914
915 return (NULL);
916}
917
918token_t *
919au_to_subject(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
920 pid_t pid, au_asid_t sid, au_tid_t *tid)
921{
922
923 return (au_to_subject32(auid, euid, egid, ruid, rgid, pid, sid,
924 tid));
925}
926
927/*
928 * token ID 1 byte
929 * audit ID 4 bytes
930 * effective user ID 4 bytes
931 * effective group ID 4 bytes
932 * real user ID 4 bytes
933 * real group ID 4 bytes
934 * process ID 4 bytes
935 * session ID 4 bytes
936 * terminal ID
937 * port ID 4 bytes/8 bytes (32-bit/64-bit value)
938 * address type/length 4 bytes
939 * machine address 16 bytes
940 */
941token_t *
942au_to_subject32_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
943 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
944{
945 token_t *t;
946 u_char *dptr = NULL;
947
948 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 13 * sizeof(u_int32_t));
949
950 ADD_U_CHAR(dptr, AUT_SUBJECT32_EX);
951 ADD_U_INT32(dptr, auid);
952 ADD_U_INT32(dptr, euid);
953 ADD_U_INT32(dptr, egid);
954 ADD_U_INT32(dptr, ruid);
955 ADD_U_INT32(dptr, rgid);
956 ADD_U_INT32(dptr, pid);
957 ADD_U_INT32(dptr, sid);
958 ADD_U_INT32(dptr, tid->at_port);
959 ADD_U_INT32(dptr, tid->at_type);
960 ADD_U_INT32(dptr, tid->at_addr[0]);
961 ADD_U_INT32(dptr, tid->at_addr[1]);
962 ADD_U_INT32(dptr, tid->at_addr[2]);
963 ADD_U_INT32(dptr, tid->at_addr[3]);
964
965 return (t);
966}
967
968token_t *
969au_to_subject64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
970 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
971{
972
973 return (NULL);
974}
975
976token_t *
977au_to_subject_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
978 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
979{
980
981 return (au_to_subject32_ex(auid, euid, egid, ruid, rgid, pid, sid,
982 tid));
983}
984
|
995#if !defined(_KERNEL) && !defined(KERNEL)
|
| 985#if !defined(_KERNEL) && !defined(KERNEL) && defined(HAVE_AUDIT_SYSCALLS) |
986/*
987 * Collects audit information for the current process
988 * and creates a subject token from it
989 */
990token_t *
991au_to_me(void)
992{
993 auditinfo_t auinfo;
994
995 if (getaudit(&auinfo) != 0)
996 return (NULL);
997
998 return (au_to_subject32(auinfo.ai_auid, geteuid(), getegid(),
999 getuid(), getgid(), getpid(), auinfo.ai_asid, &auinfo.ai_termid));
1000}
1001#endif
1002
1003/*
1004 * token ID 1 byte
1005 * count 4 bytes
1006 * text count null-terminated strings
1007 */
1008token_t *
1009au_to_exec_args(const char **args)
1010{
1011 token_t *t;
1012 u_char *dptr = NULL;
1013 const char *nextarg;
1014 int i, count = 0;
1015 size_t totlen = 0;
1016
1017 nextarg = *args;
1018
1019 while (nextarg != NULL) {
1020 int nextlen;
1021
1022 nextlen = strlen(nextarg);
1023 totlen += nextlen + 1;
1024 count++;
1025 nextarg = *(args + count);
1026 }
1027
1028 totlen += count * sizeof(char); /* nul terminations. */
1029 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + totlen);
1030
1031 ADD_U_CHAR(dptr, AUT_EXEC_ARGS);
1032 ADD_U_INT32(dptr, count);
1033
1034 for (i = 0; i < count; i++) {
1035 nextarg = *(args + i);
1036 ADD_MEM(dptr, nextarg, strlen(nextarg) + 1);
1037 }
1038
1039 return (t);
1040}
1041
1042/*
1043 * token ID 1 byte
1044 * count 4 bytes
1045 * text count null-terminated strings
1046 */
1047token_t *
1048au_to_exec_env(const char **env)
1049{
1050 token_t *t;
1051 u_char *dptr = NULL;
1052 int i, count = 0;
1053 size_t totlen = 0;
1054 const char *nextenv;
1055
1056 nextenv = *env;
1057
1058 while (nextenv != NULL) {
1059 int nextlen;
1060
1061 nextlen = strlen(nextenv);
1062 totlen += nextlen + 1;
1063 count++;
1064 nextenv = *(env + count);
1065 }
1066
1067 totlen += sizeof(char) * count;
1068 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + totlen);
1069
1070 ADD_U_CHAR(dptr, AUT_EXEC_ENV);
1071 ADD_U_INT32(dptr, count);
1072
1073 for (i = 0; i < count; i++) {
1074 nextenv = *(env + i);
1075 ADD_MEM(dptr, nextenv, strlen(nextenv) + 1);
1076 }
1077
1078 return (t);
1079}
1080
1081/*
1082 * token ID 1 byte
1083 * record byte count 4 bytes
1084 * version # 1 byte [2]
1085 * event type 2 bytes
1086 * event modifier 2 bytes
1087 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value)
1088 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value)
1089 */
1090token_t *
1091#if defined(KERNEL) || defined(_KERNEL)
1092au_to_header32(int rec_size, au_event_t e_type, au_emod_t e_mod,
1093 struct timeval tm)
1094#else
1095au_to_header32(int rec_size, au_event_t e_type, au_emod_t e_mod)
1096#endif
1097{
1098 token_t *t;
1099 u_char *dptr = NULL;
1100 u_int32_t timems;
1101#if !defined(KERNEL) && !defined(_KERNEL)
1102 struct timeval tm;
1103 struct timezone tzp;
1104
1105 if (gettimeofday(&tm, &tzp) == -1)
1106 return (NULL);
1107#endif
1108 /* XXXRW: else ...? */
1109
1110 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) +
1111 sizeof(u_char) + 2 * sizeof(u_int16_t) + 2 * sizeof(u_int32_t));
1112
1113 ADD_U_CHAR(dptr, AUT_HEADER32);
1114 ADD_U_INT32(dptr, rec_size);
1115 ADD_U_CHAR(dptr, HEADER_VERSION);
1116 ADD_U_INT16(dptr, e_type);
1117 ADD_U_INT16(dptr, e_mod);
1118
1119 timems = tm.tv_usec/1000;
1120 /* Add the timestamp */
1121 ADD_U_INT32(dptr, tm.tv_sec);
1122 ADD_U_INT32(dptr, timems); /* We need time in ms. */
1123
1124 return (t);
1125}
1126
1127token_t *
1128au_to_header64(__unused int rec_size, __unused au_event_t e_type,
1129 __unused au_emod_t e_mod)
1130{
1131
1132 return (NULL);
1133}
1134
1135token_t *
1136#if defined(KERNEL) || defined(_KERNEL)
1137au_to_header(int rec_size, au_event_t e_type, au_emod_t e_mod,
1138 struct timeval tm)
1139{
1140
1141 return (au_to_header32(rec_size, e_type, e_mod, tm));
1142}
1143#else
1144au_to_header(int rec_size, au_event_t e_type, au_emod_t e_mod)
1145{
1146
1147 return (au_to_header32(rec_size, e_type, e_mod));
1148}
1149#endif
1150
1151/*
1152 * token ID 1 byte
1153 * trailer magic number 2 bytes
1154 * record byte count 4 bytes
1155 */
1156token_t *
1157au_to_trailer(int rec_size)
1158{
1159 token_t *t;
1160 u_char *dptr = NULL;
1161 u_int16_t magic = TRAILER_PAD_MAGIC;
1162
1163 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) +
1164 sizeof(u_int32_t));
1165
1166 ADD_U_CHAR(dptr, AUT_TRAILER);
1167 ADD_U_INT16(dptr, magic);
1168 ADD_U_INT32(dptr, rec_size);
1169
1170 return (t);
1171}
|