1/*- 2 * Copyright (c) 2004-2009 Apple Inc. 3 * Copyright (c) 2005 SPARTA, Inc. 4 * All rights reserved. 5 * 6 * This code was developed in part by Robert N. M. Watson, Senior Principal 7 * Scientist, SPARTA, Inc. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. Neither the name of Apple Inc. ("Apple") nor the names of 18 * its contributors may be used to endorse or promote products derived 19 * from this software without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR 25 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 29 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 30 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 31 * POSSIBILITY OF SUCH DAMAGE. 32 */ 33 34#include <sys/types.h> 35 36#include <config/config.h> 37 38#ifdef USE_ENDIAN_H 39#include <endian.h> 40#endif 41#ifdef USE_SYS_ENDIAN_H 42#include <sys/endian.h> 43#endif 44#ifdef USE_MACHINE_ENDIAN_H 45#include <machine/endian.h> 46#endif 47#ifdef USE_COMPAT_ENDIAN_H 48#include <compat/endian.h> 49#endif 50#ifdef USE_COMPAT_ENDIAN_ENC_H 51#include <compat/endian_enc.h> 52#endif 53 54#ifdef HAVE_FULL_QUEUE_H 55#include <sys/queue.h> 56#else /* !HAVE_FULL_QUEUE_H */ 57#include <compat/queue.h> 58#endif /* !HAVE_FULL_QUEUE_H */ 59 60#include <sys/socket.h> 61#include <sys/time.h> 62#include <sys/un.h> 63 64#include <sys/ipc.h> 65 66#include <netinet/in.h> 67#include <netinet/in_systm.h> 68#include <netinet/ip.h> 69 70#include <assert.h> 71#include <errno.h> 72#include <string.h> 73#include <stdlib.h> 74#include <unistd.h> 75 76#include <bsm/audit_internal.h> 77#include <bsm/libbsm.h> 78 79#define GET_TOKEN_AREA(t, dptr, length) do { \ 80 (t) = malloc(sizeof(token_t)); \ 81 if ((t) != NULL) { \ 82 (t)->len = (length); \ 83 (dptr) = (t->t_data) = calloc((length), sizeof(u_char)); \ 84 if ((dptr) == NULL) { \ 85 free(t); \ 86 (t) = NULL; \ 87 } \ 88 } else \ 89 (dptr) = NULL; \ 90 assert((t) == NULL || (dptr) != NULL); \ 91} while (0) 92 93/* 94 * token ID 1 byte 95 * success/failure 1 byte 96 * privstrlen 2 bytes 97 * privstr N bytes + 1 (\0 byte) 98 */ 99token_t * 100au_to_upriv(char sorf, char *priv) 101{ 102 u_int16_t textlen; 103 u_char *dptr; 104 token_t *t; 105 106 textlen = strlen(priv) + 1; 107 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_char) + 108 sizeof(u_int16_t) + textlen); 109 if (t == NULL) 110 return (NULL); 111 ADD_U_CHAR(dptr, AUT_UPRIV); 112 ADD_U_CHAR(dptr, sorf); 113 ADD_U_INT16(dptr, textlen); 114 ADD_STRING(dptr, priv, textlen); 115 return (t); 116} 117 118/* 119 * token ID 1 byte 120 * privtstrlen 2 bytes 121 * privtstr N bytes + 1 122 * privstrlen 2 bytes 123 * privstr N bytes + 1 124 */ 125token_t * 126au_to_privset(char *privtypestr, char *privstr) 127{ 128 u_int16_t type_len, priv_len; 129 u_char *dptr; 130 token_t *t; 131 132 type_len = strlen(privtypestr) + 1; 133 priv_len = strlen(privstr) + 1; 134 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + 135 sizeof(u_int16_t) + type_len + priv_len); 136 if (t == NULL) 137 return (NULL); 138 ADD_U_CHAR(dptr, AUT_PRIV); 139 ADD_U_INT16(dptr, type_len); 140 ADD_STRING(dptr, privtypestr, type_len); 141 ADD_U_INT16(dptr, priv_len); 142 ADD_STRING(dptr, privstr, priv_len); 143 return (t); 144} 145 146/* 147 * token ID 1 byte 148 * argument # 1 byte 149 * argument value 4 bytes/8 bytes (32-bit/64-bit value) 150 * text length 2 bytes 151 * text N bytes + 1 terminating NULL byte 152 */ 153token_t * 154au_to_arg32(char n, const char *text, u_int32_t v) 155{ 156 token_t *t; 157 u_char *dptr = NULL; 158 u_int16_t textlen; 159 160 textlen = strlen(text); 161 textlen += 1; 162 163 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int32_t) + 164 sizeof(u_int16_t) + textlen); 165 if (t == NULL) 166 return (NULL); 167 168 ADD_U_CHAR(dptr, AUT_ARG32); 169 ADD_U_CHAR(dptr, n); 170 ADD_U_INT32(dptr, v); 171 ADD_U_INT16(dptr, textlen); 172 ADD_STRING(dptr, text, textlen); 173 174 return (t); 175} 176 177token_t * 178au_to_arg64(char n, const char *text, u_int64_t v) 179{ 180 token_t *t; 181 u_char *dptr = NULL; 182 u_int16_t textlen; 183 184 textlen = strlen(text); 185 textlen += 1; 186 187 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int64_t) + 188 sizeof(u_int16_t) + textlen); 189 if (t == NULL) 190 return (NULL); 191 192 ADD_U_CHAR(dptr, AUT_ARG64); 193 ADD_U_CHAR(dptr, n); 194 ADD_U_INT64(dptr, v); 195 ADD_U_INT16(dptr, textlen); 196 ADD_STRING(dptr, text, textlen); 197 198 return (t); 199} 200 201token_t * 202au_to_arg(char n, const char *text, u_int32_t v) 203{ 204 205 return (au_to_arg32(n, text, v)); 206} 207 208#if defined(_KERNEL) || defined(KERNEL) 209/* 210 * token ID 1 byte 211 * file access mode 4 bytes 212 * owner user ID 4 bytes 213 * owner group ID 4 bytes 214 * file system ID 4 bytes 215 * node ID 8 bytes 216 * device 4 bytes/8 bytes (32-bit/64-bit) 217 */ 218token_t * 219au_to_attr32(struct vnode_au_info *vni) 220{ 221 token_t *t; 222 u_char *dptr = NULL; 223 u_int16_t pad0_16 = 0; 224 u_int32_t pad0_32 = 0; 225 226 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) + 227 3 * sizeof(u_int32_t) + sizeof(u_int64_t) + sizeof(u_int32_t)); 228 if (t == NULL) 229 return (NULL); 230 231 ADD_U_CHAR(dptr, AUT_ATTR32); 232 233 /* 234 * BSD defines the size for the file mode as 2 bytes; BSM defines 4 235 * so pad with 0. 236 * 237 * XXXRW: Possibly should be conditionally compiled. 238 * 239 * XXXRW: Should any conversions take place on the mode? 240 */ 241 ADD_U_INT16(dptr, pad0_16); 242 ADD_U_INT16(dptr, vni->vn_mode); 243 244 ADD_U_INT32(dptr, vni->vn_uid); 245 ADD_U_INT32(dptr, vni->vn_gid); 246 ADD_U_INT32(dptr, vni->vn_fsid); 247 248 /* 249 * Some systems use 32-bit file ID's, others use 64-bit file IDs. 250 * Attempt to handle both, and let the compiler sort it out. If we 251 * could pick this out at compile-time, it would be better, so as to 252 * avoid the else case below. 253 */ 254 if (sizeof(vni->vn_fileid) == sizeof(uint32_t)) { 255 ADD_U_INT32(dptr, pad0_32); 256 ADD_U_INT32(dptr, vni->vn_fileid); 257 } else if (sizeof(vni->vn_fileid) == sizeof(uint64_t)) 258 ADD_U_INT64(dptr, vni->vn_fileid); 259 else 260 ADD_U_INT64(dptr, 0LL); 261 262 ADD_U_INT32(dptr, vni->vn_dev); 263 264 return (t); 265} 266 267token_t * 268au_to_attr64(struct vnode_au_info *vni) 269{ 270 token_t *t; 271 u_char *dptr = NULL; 272 u_int16_t pad0_16 = 0; 273 u_int32_t pad0_32 = 0; 274 275 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) + 276 3 * sizeof(u_int32_t) + sizeof(u_int64_t) * 2); 277 if (t == NULL) 278 return (NULL); 279 280 ADD_U_CHAR(dptr, AUT_ATTR64); 281 282 /* 283 * BSD defines the size for the file mode as 2 bytes; BSM defines 4 284 * so pad with 0. 285 * 286 * XXXRW: Possibly should be conditionally compiled. 287 * 288 * XXXRW: Should any conversions take place on the mode? 289 */ 290 ADD_U_INT16(dptr, pad0_16); 291 ADD_U_INT16(dptr, vni->vn_mode); 292 293 ADD_U_INT32(dptr, vni->vn_uid); 294 ADD_U_INT32(dptr, vni->vn_gid); 295 ADD_U_INT32(dptr, vni->vn_fsid); 296 297 /* 298 * Some systems use 32-bit file ID's, other's use 64-bit file IDs. 299 * Attempt to handle both, and let the compiler sort it out. If we 300 * could pick this out at compile-time, it would be better, so as to 301 * avoid the else case below. 302 */ 303 if (sizeof(vni->vn_fileid) == sizeof(uint32_t)) { 304 ADD_U_INT32(dptr, pad0_32); 305 ADD_U_INT32(dptr, vni->vn_fileid); 306 } else if (sizeof(vni->vn_fileid) == sizeof(uint64_t)) 307 ADD_U_INT64(dptr, vni->vn_fileid); 308 else 309 ADD_U_INT64(dptr, 0LL); 310 311 ADD_U_INT64(dptr, vni->vn_dev); 312 313 return (t); 314} 315 316token_t * 317au_to_attr(struct vnode_au_info *vni) 318{ 319 320 return (au_to_attr32(vni)); 321} 322#endif /* !(defined(_KERNEL) || defined(KERNEL) */ 323 324/* 325 * token ID 1 byte 326 * how to print 1 byte 327 * basic unit 1 byte 328 * unit count 1 byte 329 * data items (depends on basic unit) 330 */ 331token_t * 332au_to_data(char unit_print, char unit_type, char unit_count, const char *p) 333{ 334 token_t *t; 335 u_char *dptr = NULL; 336 size_t datasize, totdata; 337 338 /* Determine the size of the basic unit. */ 339 switch (unit_type) { 340 case AUR_BYTE: 341 /* case AUR_CHAR: */ 342 datasize = AUR_BYTE_SIZE; 343 break; 344 345 case AUR_SHORT: 346 datasize = AUR_SHORT_SIZE; 347 break; 348 349 case AUR_INT32: 350 /* case AUR_INT: */ 351 datasize = AUR_INT32_SIZE; 352 break; 353 354 case AUR_INT64: 355 datasize = AUR_INT64_SIZE; 356 break; 357 358 default: 359 errno = EINVAL; 360 return (NULL); 361 } 362 363 totdata = datasize * unit_count; 364 365 GET_TOKEN_AREA(t, dptr, 4 * sizeof(u_char) + totdata); 366 if (t == NULL) 367 return (NULL); 368 369 /* 370 * XXXRW: We should be byte-swapping each data item for multi-byte 371 * types. 372 */ 373 ADD_U_CHAR(dptr, AUT_DATA); 374 ADD_U_CHAR(dptr, unit_print); 375 ADD_U_CHAR(dptr, unit_type); 376 ADD_U_CHAR(dptr, unit_count); 377 ADD_MEM(dptr, p, totdata); 378 379 return (t); 380} 381 382 383/* 384 * token ID 1 byte 385 * status 4 bytes 386 * return value 4 bytes 387 */ 388token_t * 389au_to_exit(int retval, int err) 390{ 391 token_t *t; 392 u_char *dptr = NULL; 393 394 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int32_t)); 395 if (t == NULL) 396 return (NULL); 397 398 ADD_U_CHAR(dptr, AUT_EXIT); 399 ADD_U_INT32(dptr, err); 400 ADD_U_INT32(dptr, retval); 401 402 return (t); 403} 404 405/* 406 */ 407token_t * 408au_to_groups(int *groups) 409{ 410 411 return (au_to_newgroups(AUDIT_MAX_GROUPS, (gid_t *)groups)); 412} 413 414/* 415 * token ID 1 byte 416 * number groups 2 bytes 417 * group list count * 4 bytes 418 */ 419token_t * 420au_to_newgroups(u_int16_t n, gid_t *groups) 421{ 422 token_t *t; 423 u_char *dptr = NULL; 424 int i; 425 426 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + 427 n * sizeof(u_int32_t)); 428 if (t == NULL) 429 return (NULL); 430 431 ADD_U_CHAR(dptr, AUT_NEWGROUPS); 432 ADD_U_INT16(dptr, n); 433 for (i = 0; i < n; i++) 434 ADD_U_INT32(dptr, groups[i]); 435 436 return (t); 437} 438 439/* 440 * token ID 1 byte 441 * internet address 4 bytes 442 */ 443token_t * 444au_to_in_addr(struct in_addr *internet_addr) 445{ 446 token_t *t; 447 u_char *dptr = NULL; 448 449 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(uint32_t)); 450 if (t == NULL) 451 return (NULL); 452 453 ADD_U_CHAR(dptr, AUT_IN_ADDR); 454 ADD_MEM(dptr, &internet_addr->s_addr, sizeof(uint32_t)); 455 456 return (t); 457} 458 459/* 460 * token ID 1 byte 461 * address type/length 4 bytes 462 * address 16 bytes 463 */ 464token_t * 465au_to_in_addr_ex(struct in6_addr *internet_addr) 466{ 467 token_t *t; 468 u_char *dptr = NULL; 469 u_int32_t type = AU_IPv6; 470 471 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 5 * sizeof(uint32_t)); 472 if (t == NULL) 473 return (NULL); 474 475 ADD_U_CHAR(dptr, AUT_IN_ADDR_EX); 476 ADD_U_INT32(dptr, type); 477 ADD_MEM(dptr, internet_addr, 4 * sizeof(uint32_t)); 478 479 return (t); 480} 481 482/* 483 * token ID 1 byte 484 * ip header 20 bytes 485 * 486 * The IP header should be submitted in network byte order. 487 */ 488token_t * 489au_to_ip(struct ip *ip) 490{ 491 token_t *t; 492 u_char *dptr = NULL; 493 494 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(struct ip)); 495 if (t == NULL) 496 return (NULL); 497 498 ADD_U_CHAR(dptr, AUT_IP); 499 ADD_MEM(dptr, ip, sizeof(struct ip)); 500 501 return (t); 502} 503 504/* 505 * token ID 1 byte 506 * object ID type 1 byte 507 * object ID 4 bytes 508 */ 509token_t * 510au_to_ipc(char type, int id) 511{ 512 token_t *t; 513 u_char *dptr = NULL; 514 515 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int32_t)); 516 if (t == NULL) 517 return (NULL); 518 519 ADD_U_CHAR(dptr, AUT_IPC); 520 ADD_U_CHAR(dptr, type); 521 ADD_U_INT32(dptr, id); 522 523 return (t); 524} 525 526/* 527 * token ID 1 byte 528 * owner user ID 4 bytes 529 * owner group ID 4 bytes 530 * creator user ID 4 bytes 531 * creator group ID 4 bytes 532 * access mode 4 bytes 533 * slot sequence # 4 bytes 534 * key 4 bytes 535 */ 536token_t * 537au_to_ipc_perm(struct ipc_perm *perm) 538{ 539 token_t *t; 540 u_char *dptr = NULL; 541 u_int16_t pad0 = 0; 542 543 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 12 * sizeof(u_int16_t) + 544 sizeof(u_int32_t)); 545 if (t == NULL) 546 return (NULL); 547 548 ADD_U_CHAR(dptr, AUT_IPC_PERM); 549 550 /* 551 * Systems vary significantly in what types they use in struct 552 * ipc_perm; at least a few still use 16-bit uid's and gid's, so 553 * allow for that, as BSM define 32-bit values here. 554 * Some systems define the sizes for ipc_perm members as 2 bytes; 555 * BSM defines 4 so pad with 0. 556 * 557 * XXXRW: Possibly shoulid be conditionally compiled, and more cases 558 * need to be handled. 559 */ 560 if (sizeof(perm->uid) != sizeof(u_int32_t)) { 561 ADD_U_INT16(dptr, pad0); 562 ADD_U_INT16(dptr, perm->uid); 563 ADD_U_INT16(dptr, pad0); 564 ADD_U_INT16(dptr, perm->gid); 565 ADD_U_INT16(dptr, pad0); 566 ADD_U_INT16(dptr, perm->cuid); 567 ADD_U_INT16(dptr, pad0); 568 ADD_U_INT16(dptr, perm->cgid); 569 } else { 570 ADD_U_INT32(dptr, perm->uid); 571 ADD_U_INT32(dptr, perm->gid); 572 ADD_U_INT32(dptr, perm->cuid); 573 ADD_U_INT32(dptr, perm->cgid); 574 } 575 576 ADD_U_INT16(dptr, pad0); 577 ADD_U_INT16(dptr, perm->mode); 578 579 ADD_U_INT16(dptr, pad0); 580 581#ifdef HAVE_IPC_PERM___SEQ 582 ADD_U_INT16(dptr, perm->__seq); 583#else /* HAVE_IPC_PERM___SEQ */ 584#ifdef HAVE_IPC_PERM__SEQ 585 ADD_U_INT16(dptr, perm->_seq); 586#else /* HAVE_IPC_PERM__SEQ */ 587 ADD_U_INT16(dptr, perm->seq); 588#endif /* HAVE_IPC_PERM__SEQ */ 589#endif /* HAVE_IPC_PERM___SEQ */ 590 591#ifdef HAVE_IPC_PERM___KEY 592 ADD_U_INT32(dptr, perm->__key); 593#else /* HAVE_IPC_PERM___KEY */ 594#ifdef HAVE_IPC_PERM__KEY 595 ADD_U_INT32(dptr, perm->_key); 596#else /* HAVE_IPC_PERM__KEY */ 597 ADD_U_INT32(dptr, perm->key); 598#endif /* HAVE_IPC_PERM__KEY */ 599#endif /* HAVE_IPC_PERM___KEY */ 600 601 return (t); 602} 603 604/* 605 * token ID 1 byte 606 * port IP address 2 bytes 607 */ 608token_t * 609au_to_iport(u_int16_t iport) 610{ 611 token_t *t; 612 u_char *dptr = NULL; 613 614 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t)); 615 if (t == NULL) 616 return (NULL); 617 618 ADD_U_CHAR(dptr, AUT_IPORT); 619 ADD_U_INT16(dptr, iport); 620 621 return (t); 622} 623 624/* 625 * token ID 1 byte 626 * size 2 bytes 627 * data size bytes 628 */ 629token_t * 630au_to_opaque(const char *data, u_int16_t bytes) 631{ 632 token_t *t; 633 u_char *dptr = NULL; 634 635 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + bytes); 636 if (t == NULL) 637 return (NULL); 638 639 ADD_U_CHAR(dptr, AUT_OPAQUE); 640 ADD_U_INT16(dptr, bytes); 641 ADD_MEM(dptr, data, bytes); 642 643 return (t); 644} 645 646/* 647 * token ID 1 byte 648 * seconds of time 4 bytes 649 * milliseconds of time 4 bytes 650 * file name len 2 bytes 651 * file pathname N bytes + 1 terminating NULL byte 652 */ 653token_t * 654au_to_file(const char *file, struct timeval tm) 655{ 656 token_t *t; 657 u_char *dptr = NULL; 658 u_int16_t filelen; 659 u_int32_t timems; 660 661 filelen = strlen(file); 662 filelen += 1; 663 664 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int32_t) + 665 sizeof(u_int16_t) + filelen); 666 if (t == NULL) 667 return (NULL); 668 669 timems = tm.tv_usec/1000; 670 671 ADD_U_CHAR(dptr, AUT_OTHER_FILE32); 672 ADD_U_INT32(dptr, tm.tv_sec); 673 ADD_U_INT32(dptr, timems); /* We need time in ms. */ 674 ADD_U_INT16(dptr, filelen); 675 ADD_STRING(dptr, file, filelen); 676 677 return (t); 678} 679 680/* 681 * token ID 1 byte 682 * text length 2 bytes 683 * text N bytes + 1 terminating NULL byte 684 */ 685token_t * 686au_to_text(const char *text) 687{ 688 token_t *t; 689 u_char *dptr = NULL; 690 u_int16_t textlen; 691 692 textlen = strlen(text); 693 textlen += 1; 694 695 /* XXXRW: Should validate length against token size limit. */ 696 697 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + textlen); 698 if (t == NULL) 699 return (NULL); 700 701 ADD_U_CHAR(dptr, AUT_TEXT); 702 ADD_U_INT16(dptr, textlen); 703 ADD_STRING(dptr, text, textlen); 704 705 return (t); 706} 707 708/* 709 * token ID 1 byte 710 * path length 2 bytes 711 * path N bytes + 1 terminating NULL byte 712 */ 713token_t * 714au_to_path(const char *text) 715{ 716 token_t *t; 717 u_char *dptr = NULL; 718 u_int16_t textlen; 719 720 textlen = strlen(text); 721 textlen += 1; 722 723 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + textlen); 724 if (t == NULL) 725 return (NULL); 726 727 ADD_U_CHAR(dptr, AUT_PATH); 728 ADD_U_INT16(dptr, textlen); 729 ADD_STRING(dptr, text, textlen); 730 731 return (t); 732} 733 734/* 735 * token ID 1 byte 736 * audit ID 4 bytes 737 * effective user ID 4 bytes 738 * effective group ID 4 bytes 739 * real user ID 4 bytes 740 * real group ID 4 bytes 741 * process ID 4 bytes 742 * session ID 4 bytes 743 * terminal ID 744 * port ID 4 bytes/8 bytes (32-bit/64-bit value) 745 * machine address 4 bytes 746 */ 747token_t * 748au_to_process32(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, 749 pid_t pid, au_asid_t sid, au_tid_t *tid) 750{ 751 token_t *t; 752 u_char *dptr = NULL; 753 754 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 9 * sizeof(u_int32_t)); 755 if (t == NULL) 756 return (NULL); 757 758 ADD_U_CHAR(dptr, AUT_PROCESS32); 759 ADD_U_INT32(dptr, auid); 760 ADD_U_INT32(dptr, euid); 761 ADD_U_INT32(dptr, egid); 762 ADD_U_INT32(dptr, ruid); 763 ADD_U_INT32(dptr, rgid); 764 ADD_U_INT32(dptr, pid); 765 ADD_U_INT32(dptr, sid); 766 ADD_U_INT32(dptr, tid->port); 767 768 /* 769 * Note: Solaris will write out IPv6 addresses here as a 32-bit 770 * address type and 16 bytes of address, but for IPv4 addresses it 771 * simply writes the 4-byte address directly. We support only IPv4 772 * addresses for process32 tokens. 773 */ 774 ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t)); 775 776 return (t); 777} 778 779token_t * 780au_to_process64(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, 781 pid_t pid, au_asid_t sid, au_tid_t *tid) 782{ 783 token_t *t; 784 u_char *dptr = NULL; 785 786 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 8 * sizeof(u_int32_t) + 787 sizeof(u_int64_t)); 788 if (t == NULL) 789 return (NULL); 790 791 ADD_U_CHAR(dptr, AUT_PROCESS64); 792 ADD_U_INT32(dptr, auid); 793 ADD_U_INT32(dptr, euid); 794 ADD_U_INT32(dptr, egid); 795 ADD_U_INT32(dptr, ruid); 796 ADD_U_INT32(dptr, rgid); 797 ADD_U_INT32(dptr, pid); 798 ADD_U_INT32(dptr, sid); 799 ADD_U_INT64(dptr, tid->port); 800 801 /* 802 * Note: Solaris will write out IPv6 addresses here as a 32-bit 803 * address type and 16 bytes of address, but for IPv4 addresses it 804 * simply writes the 4-byte address directly. We support only IPv4 805 * addresses for process64 tokens. 806 */ 807 ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t)); 808 809 return (t); 810} 811 812token_t * 813au_to_process(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, 814 pid_t pid, au_asid_t sid, au_tid_t *tid) 815{ 816 817 return (au_to_process32(auid, euid, egid, ruid, rgid, pid, sid, 818 tid)); 819} 820 821/* 822 * token ID 1 byte 823 * audit ID 4 bytes 824 * effective user ID 4 bytes 825 * effective group ID 4 bytes 826 * real user ID 4 bytes 827 * real group ID 4 bytes 828 * process ID 4 bytes 829 * session ID 4 bytes 830 * terminal ID 831 * port ID 4 bytes/8 bytes (32-bit/64-bit value) 832 * address type-len 4 bytes 833 * machine address 16 bytes 834 */ 835token_t * 836au_to_process32_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, 837 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid) 838{ 839 token_t *t; 840 u_char *dptr = NULL; 841 842 if (tid->at_type == AU_IPv4) 843 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 844 10 * sizeof(u_int32_t)); 845 else if (tid->at_type == AU_IPv6) 846 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 847 13 * sizeof(u_int32_t)); 848 else { 849 errno = EINVAL; 850 return (NULL); 851 } 852 if (t == NULL) 853 return (NULL); 854 855 ADD_U_CHAR(dptr, AUT_PROCESS32_EX); 856 ADD_U_INT32(dptr, auid); 857 ADD_U_INT32(dptr, euid); 858 ADD_U_INT32(dptr, egid); 859 ADD_U_INT32(dptr, ruid); 860 ADD_U_INT32(dptr, rgid); 861 ADD_U_INT32(dptr, pid); 862 ADD_U_INT32(dptr, sid); 863 ADD_U_INT32(dptr, tid->at_port); 864 ADD_U_INT32(dptr, tid->at_type); 865 ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t)); 866 if (tid->at_type == AU_IPv6) { 867 ADD_MEM(dptr, &tid->at_addr[1], sizeof(u_int32_t)); 868 ADD_MEM(dptr, &tid->at_addr[2], sizeof(u_int32_t)); 869 ADD_MEM(dptr, &tid->at_addr[3], sizeof(u_int32_t)); 870 } 871 872 return (t); 873} 874 875token_t * 876au_to_process64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, 877 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid) 878{ 879 token_t *t; 880 u_char *dptr = NULL; 881 882 if (tid->at_type == AU_IPv4) 883 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 884 7 * sizeof(u_int32_t) + sizeof(u_int64_t) + 885 2 * sizeof(u_int32_t)); 886 else if (tid->at_type == AU_IPv6) 887 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 888 7 * sizeof(u_int32_t) + sizeof(u_int64_t) + 889 5 * sizeof(u_int32_t)); 890 else { 891 errno = EINVAL; 892 return (NULL); 893 } 894 if (t == NULL) 895 return (NULL); 896 897 ADD_U_CHAR(dptr, AUT_PROCESS64_EX); 898 ADD_U_INT32(dptr, auid); 899 ADD_U_INT32(dptr, euid); 900 ADD_U_INT32(dptr, egid); 901 ADD_U_INT32(dptr, ruid); 902 ADD_U_INT32(dptr, rgid); 903 ADD_U_INT32(dptr, pid); 904 ADD_U_INT32(dptr, sid); 905 ADD_U_INT64(dptr, tid->at_port); 906 ADD_U_INT32(dptr, tid->at_type); 907 ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t)); 908 if (tid->at_type == AU_IPv6) { 909 ADD_MEM(dptr, &tid->at_addr[1], sizeof(u_int32_t)); 910 ADD_MEM(dptr, &tid->at_addr[2], sizeof(u_int32_t)); 911 ADD_MEM(dptr, &tid->at_addr[3], sizeof(u_int32_t)); 912 } 913 914 return (t); 915} 916 917token_t * 918au_to_process_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, 919 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid) 920{ 921 922 return (au_to_process32_ex(auid, euid, egid, ruid, rgid, pid, sid, 923 tid)); 924} 925 926/* 927 * token ID 1 byte 928 * error status 1 byte 929 * return value 4 bytes/8 bytes (32-bit/64-bit value) 930 */ 931token_t * 932au_to_return32(char status, u_int32_t ret) 933{ 934 token_t *t; 935 u_char *dptr = NULL; 936 937 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int32_t)); 938 if (t == NULL) 939 return (NULL); 940 941 ADD_U_CHAR(dptr, AUT_RETURN32); 942 ADD_U_CHAR(dptr, status); 943 ADD_U_INT32(dptr, ret); 944 945 return (t); 946} 947 948token_t * 949au_to_return64(char status, u_int64_t ret) 950{ 951 token_t *t; 952 u_char *dptr = NULL; 953 954 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int64_t)); 955 if (t == NULL) 956 return (NULL); 957 958 ADD_U_CHAR(dptr, AUT_RETURN64); 959 ADD_U_CHAR(dptr, status); 960 ADD_U_INT64(dptr, ret); 961 962 return (t); 963} 964 965token_t * 966au_to_return(char status, u_int32_t ret) 967{ 968 969 return (au_to_return32(status, ret)); 970} 971 972/* 973 * token ID 1 byte 974 * sequence number 4 bytes 975 */ 976token_t * 977au_to_seq(long audit_count) 978{ 979 token_t *t; 980 u_char *dptr = NULL; 981 982 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t)); 983 if (t == NULL) 984 return (NULL); 985 986 ADD_U_CHAR(dptr, AUT_SEQ); 987 ADD_U_INT32(dptr, audit_count); 988 989 return (t); 990} 991 992/* 993 * token ID 1 byte 994 * socket domain 2 bytes 995 * socket type 2 bytes 996 * address type 2 byte 997 * local port 2 bytes 998 * local address 4 bytes/16 bytes (IPv4/IPv6 address) 999 * remote port 2 bytes 1000 * remote address 4 bytes/16 bytes (IPv4/IPv6 address) 1001 * 1002 * Domain and type arguments to this routine are assumed to already have been 1003 * converted to the BSM constant space, so we don't do that here. 1004 */ 1005token_t * 1006au_to_socket_ex(u_short so_domain, u_short so_type, 1007 struct sockaddr *sa_local, struct sockaddr *sa_remote) 1008{ 1009 token_t *t; 1010 u_char *dptr = NULL; 1011 struct sockaddr_in *sin; 1012 struct sockaddr_in6 *sin6; 1013 1014 if (so_domain == AF_INET) 1015 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 1016 5 * sizeof(u_int16_t) + 2 * sizeof(u_int32_t)); 1017 else if (so_domain == AF_INET6) 1018 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 1019 5 * sizeof(u_int16_t) + 8 * sizeof(u_int32_t)); 1020 else { 1021 errno = EINVAL; 1022 return (NULL); 1023 } 1024 if (t == NULL) 1025 return (NULL); 1026 1027 ADD_U_CHAR(dptr, AUT_SOCKET_EX); 1028 ADD_U_INT16(dptr, au_domain_to_bsm(so_domain)); 1029 ADD_U_INT16(dptr, au_socket_type_to_bsm(so_type)); 1030 if (so_domain == AF_INET) { 1031 ADD_U_INT16(dptr, AU_IPv4); 1032 sin = (struct sockaddr_in *)sa_local; 1033 ADD_MEM(dptr, &sin->sin_port, sizeof(uint16_t)); 1034 ADD_MEM(dptr, &sin->sin_addr.s_addr, sizeof(uint32_t)); 1035 sin = (struct sockaddr_in *)sa_remote; 1036 ADD_MEM(dptr, &sin->sin_port, sizeof(uint16_t)); 1037 ADD_MEM(dptr, &sin->sin_addr.s_addr, sizeof(uint32_t)); 1038 } else { 1039 ADD_U_INT16(dptr, AU_IPv6); 1040 sin6 = (struct sockaddr_in6 *)sa_local; 1041 ADD_MEM(dptr, &sin6->sin6_port, sizeof(uint16_t)); 1042 ADD_MEM(dptr, &sin6->sin6_addr, 4 * sizeof(uint32_t)); 1043 sin6 = (struct sockaddr_in6 *)sa_remote; 1044 ADD_MEM(dptr, &sin6->sin6_port, sizeof(uint16_t)); 1045 ADD_MEM(dptr, &sin6->sin6_addr, 4 * sizeof(uint32_t)); 1046 } 1047 1048 return (t); 1049} 1050 1051/* 1052 * token ID 1 byte 1053 * socket family 2 bytes 1054 * path (up to) 104 bytes + NULL (NULL terminated string) 1055 */ 1056token_t * 1057au_to_sock_unix(struct sockaddr_un *so) 1058{ 1059 token_t *t; 1060 u_char *dptr; 1061 1062 GET_TOKEN_AREA(t, dptr, 3 * sizeof(u_char) + strlen(so->sun_path) + 1); 1063 if (t == NULL) 1064 return (NULL); 1065 1066 ADD_U_CHAR(dptr, AUT_SOCKUNIX); 1067 /* BSM token has two bytes for family */ 1068 ADD_U_CHAR(dptr, 0); 1069 ADD_U_CHAR(dptr, so->sun_family); 1070 ADD_STRING(dptr, so->sun_path, strlen(so->sun_path) + 1); 1071 1072 return (t); 1073} 1074 1075/* 1076 * token ID 1 byte 1077 * socket family 2 bytes 1078 * local port 2 bytes 1079 * socket address 4 bytes 1080 */ 1081token_t * 1082au_to_sock_inet32(struct sockaddr_in *so) 1083{ 1084 token_t *t; 1085 u_char *dptr = NULL; 1086 uint16_t family; 1087 1088 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(uint16_t) + 1089 sizeof(uint32_t)); 1090 if (t == NULL) 1091 return (NULL); 1092 1093 ADD_U_CHAR(dptr, AUT_SOCKINET32); 1094 /* 1095 * BSM defines the family field as 16 bits, but many operating 1096 * systems have an 8-bit sin_family field. Extend to 16 bits before 1097 * writing into the token. Assume that both the port and the address 1098 * in the sockaddr_in are already in network byte order, but family 1099 * is in local byte order. 1100 * 1101 * XXXRW: Should a name space conversion be taking place on the value 1102 * of sin_family? 1103 */ 1104 family = so->sin_family; 1105 ADD_U_INT16(dptr, family); 1106 ADD_MEM(dptr, &so->sin_port, sizeof(uint16_t)); 1107 ADD_MEM(dptr, &so->sin_addr.s_addr, sizeof(uint32_t)); 1108 1109 return (t); 1110} 1111 1112token_t * 1113au_to_sock_inet128(struct sockaddr_in6 *so) 1114{ 1115 token_t *t; 1116 u_char *dptr = NULL; 1117 1118 GET_TOKEN_AREA(t, dptr, 3 * sizeof(u_char) + sizeof(u_int16_t) + 1119 4 * sizeof(u_int32_t)); 1120 if (t == NULL) 1121 return (NULL); 1122 1123 ADD_U_CHAR(dptr, AUT_SOCKINET128); 1124 /* 1125 * In BSD, sin6_family is one octet, but BSM defines the token to 1126 * store two. So we copy in a 0 first. XXXRW: Possibly should be 1127 * conditionally compiled. 1128 */ 1129 ADD_U_CHAR(dptr, 0); 1130 ADD_U_CHAR(dptr, so->sin6_family); 1131 1132 ADD_U_INT16(dptr, so->sin6_port); 1133 ADD_MEM(dptr, &so->sin6_addr, 4 * sizeof(uint32_t)); 1134 1135 return (t); 1136} 1137 1138token_t * 1139au_to_sock_inet(struct sockaddr_in *so) 1140{ 1141 1142 return (au_to_sock_inet32(so)); 1143} 1144 1145/* 1146 * token ID 1 byte 1147 * audit ID 4 bytes 1148 * effective user ID 4 bytes 1149 * effective group ID 4 bytes 1150 * real user ID 4 bytes 1151 * real group ID 4 bytes 1152 * process ID 4 bytes 1153 * session ID 4 bytes 1154 * terminal ID 1155 * port ID 4 bytes/8 bytes (32-bit/64-bit value) 1156 * machine address 4 bytes 1157 */ 1158token_t * 1159au_to_subject32(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, 1160 pid_t pid, au_asid_t sid, au_tid_t *tid) 1161{ 1162 token_t *t; 1163 u_char *dptr = NULL; 1164 1165 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 9 * sizeof(u_int32_t)); 1166 if (t == NULL) 1167 return (NULL); 1168 1169 ADD_U_CHAR(dptr, AUT_SUBJECT32); 1170 ADD_U_INT32(dptr, auid); 1171 ADD_U_INT32(dptr, euid); 1172 ADD_U_INT32(dptr, egid); 1173 ADD_U_INT32(dptr, ruid); 1174 ADD_U_INT32(dptr, rgid); 1175 ADD_U_INT32(dptr, pid); 1176 ADD_U_INT32(dptr, sid); 1177 ADD_U_INT32(dptr, tid->port); 1178 ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t)); 1179 1180 return (t); 1181} 1182 1183token_t * 1184au_to_subject64(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, 1185 pid_t pid, au_asid_t sid, au_tid_t *tid) 1186{ 1187 token_t *t; 1188 u_char *dptr = NULL; 1189 1190 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 7 * sizeof(u_int32_t) + 1191 sizeof(u_int64_t) + sizeof(u_int32_t)); 1192 if (t == NULL) 1193 return (NULL); 1194 1195 ADD_U_CHAR(dptr, AUT_SUBJECT64); 1196 ADD_U_INT32(dptr, auid); 1197 ADD_U_INT32(dptr, euid); 1198 ADD_U_INT32(dptr, egid); 1199 ADD_U_INT32(dptr, ruid); 1200 ADD_U_INT32(dptr, rgid); 1201 ADD_U_INT32(dptr, pid); 1202 ADD_U_INT32(dptr, sid); 1203 ADD_U_INT64(dptr, tid->port); 1204 ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t)); 1205 1206 return (t); 1207} 1208 1209token_t * 1210au_to_subject(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, 1211 pid_t pid, au_asid_t sid, au_tid_t *tid) 1212{ 1213 1214 return (au_to_subject32(auid, euid, egid, ruid, rgid, pid, sid, 1215 tid)); 1216} 1217 1218/* 1219 * token ID 1 byte 1220 * audit ID 4 bytes 1221 * effective user ID 4 bytes 1222 * effective group ID 4 bytes 1223 * real user ID 4 bytes 1224 * real group ID 4 bytes 1225 * process ID 4 bytes 1226 * session ID 4 bytes 1227 * terminal ID 1228 * port ID 4 bytes/8 bytes (32-bit/64-bit value) 1229 * address type/length 4 bytes 1230 * machine address 16 bytes 1231 */ 1232token_t * 1233au_to_subject32_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, 1234 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid) 1235{ 1236 token_t *t; 1237 u_char *dptr = NULL; 1238 1239 if (tid->at_type == AU_IPv4) 1240 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 10 * 1241 sizeof(u_int32_t)); 1242 else if (tid->at_type == AU_IPv6) 1243 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 13 * 1244 sizeof(u_int32_t)); 1245 else { 1246 errno = EINVAL; 1247 return (NULL); 1248 } 1249 if (t == NULL) 1250 return (NULL); 1251 1252 ADD_U_CHAR(dptr, AUT_SUBJECT32_EX); 1253 ADD_U_INT32(dptr, auid); 1254 ADD_U_INT32(dptr, euid); 1255 ADD_U_INT32(dptr, egid); 1256 ADD_U_INT32(dptr, ruid); 1257 ADD_U_INT32(dptr, rgid); 1258 ADD_U_INT32(dptr, pid); 1259 ADD_U_INT32(dptr, sid); 1260 ADD_U_INT32(dptr, tid->at_port); 1261 ADD_U_INT32(dptr, tid->at_type); 1262 if (tid->at_type == AU_IPv6) 1263 ADD_MEM(dptr, &tid->at_addr[0], 4 * sizeof(u_int32_t)); 1264 else 1265 ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t)); 1266 1267 return (t); 1268} 1269 1270token_t * 1271au_to_subject64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, 1272 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid) 1273{ 1274 token_t *t; 1275 u_char *dptr = NULL; 1276 1277 if (tid->at_type == AU_IPv4) 1278 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 1279 7 * sizeof(u_int32_t) + sizeof(u_int64_t) + 1280 2 * sizeof(u_int32_t)); 1281 else if (tid->at_type == AU_IPv6) 1282 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 1283 7 * sizeof(u_int32_t) + sizeof(u_int64_t) + 1284 5 * sizeof(u_int32_t)); 1285 else { 1286 errno = EINVAL; 1287 return (NULL); 1288 } 1289 if (t == NULL) 1290 return (NULL); 1291 1292 ADD_U_CHAR(dptr, AUT_SUBJECT64_EX); 1293 ADD_U_INT32(dptr, auid); 1294 ADD_U_INT32(dptr, euid); 1295 ADD_U_INT32(dptr, egid); 1296 ADD_U_INT32(dptr, ruid); 1297 ADD_U_INT32(dptr, rgid); 1298 ADD_U_INT32(dptr, pid); 1299 ADD_U_INT32(dptr, sid); 1300 ADD_U_INT64(dptr, tid->at_port); 1301 ADD_U_INT32(dptr, tid->at_type); 1302 if (tid->at_type == AU_IPv6) 1303 ADD_MEM(dptr, &tid->at_addr[0], 4 * sizeof(u_int32_t)); 1304 else 1305 ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t)); 1306 1307 return (t); 1308} 1309 1310token_t * 1311au_to_subject_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, 1312 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid) 1313{ 1314 1315 return (au_to_subject32_ex(auid, euid, egid, ruid, rgid, pid, sid, 1316 tid)); 1317} 1318 1319#if !defined(_KERNEL) && !defined(KERNEL) && defined(HAVE_AUDIT_SYSCALLS) 1320/* 1321 * Collects audit information for the current process and creates a subject 1322 * token from it. 1323 */ 1324token_t * 1325au_to_me(void) 1326{ 1327 auditinfo_t auinfo; 1328 auditinfo_addr_t aia; 1329 1330 /* 1331 * Try to use getaudit_addr(2) first. If this kernel does not support 1332 * it, then fall back on to getaudit(2). 1333 */ 1334 if (getaudit_addr(&aia, sizeof(aia)) != 0) { 1335 if (errno == ENOSYS) { 1336 if (getaudit(&auinfo) != 0) 1337 return (NULL); 1338 return (au_to_subject32(auinfo.ai_auid, geteuid(), 1339 getegid(), getuid(), getgid(), getpid(), 1340 auinfo.ai_asid, &auinfo.ai_termid)); 1341 } else { 1342 /* getaudit_addr(2) failed for some other reason. */ 1343 return (NULL); 1344 } 1345 } 1346 1347 return (au_to_subject32_ex(aia.ai_auid, geteuid(), getegid(), getuid(), 1348 getgid(), getpid(), aia.ai_asid, &aia.ai_termid)); 1349} 1350#endif 1351 1352/* 1353 * token ID 1 byte 1354 * count 4 bytes 1355 * text count null-terminated strings 1356 */ 1357token_t * 1358au_to_exec_args(char **argv) 1359{ 1360 token_t *t; 1361 u_char *dptr = NULL; 1362 const char *nextarg; 1363 int i, count = 0; 1364 size_t totlen = 0; 1365 1366 nextarg = *argv; 1367 1368 while (nextarg != NULL) { 1369 int nextlen; 1370 1371 nextlen = strlen(nextarg); 1372 totlen += nextlen + 1; 1373 count++; 1374 nextarg = *(argv + count); 1375 } 1376 1377 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + totlen); 1378 if (t == NULL) 1379 return (NULL); 1380 1381 ADD_U_CHAR(dptr, AUT_EXEC_ARGS); 1382 ADD_U_INT32(dptr, count); 1383 1384 for (i = 0; i < count; i++) { 1385 nextarg = *(argv + i); 1386 ADD_MEM(dptr, nextarg, strlen(nextarg) + 1); 1387 } 1388 1389 return (t); 1390} 1391 1392/* 1393 * token ID 1 byte 1394 * count 4 bytes 1395 * text count null-terminated strings 1396 */ 1397token_t * 1398au_to_exec_env(char **envp) 1399{ 1400 token_t *t; 1401 u_char *dptr = NULL; 1402 int i, count = 0; 1403 size_t totlen = 0; 1404 const char *nextenv; 1405 1406 nextenv = *envp; 1407 1408 while (nextenv != NULL) { 1409 int nextlen; 1410 1411 nextlen = strlen(nextenv); 1412 totlen += nextlen + 1; 1413 count++; 1414 nextenv = *(envp + count); 1415 } 1416 1417 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + totlen); 1418 if (t == NULL) 1419 return (NULL); 1420 1421 ADD_U_CHAR(dptr, AUT_EXEC_ENV); 1422 ADD_U_INT32(dptr, count); 1423 1424 for (i = 0; i < count; i++) { 1425 nextenv = *(envp + i); 1426 ADD_MEM(dptr, nextenv, strlen(nextenv) + 1); 1427 } 1428 1429 return (t); 1430} 1431 1432/* 1433 * token ID 1 byte 1434 * zonename length 2 bytes 1435 * zonename N bytes + 1 terminating NULL byte 1436 */ 1437token_t * 1438au_to_zonename(const char *zonename) 1439{ 1440 u_char *dptr = NULL; 1441 u_int16_t textlen; 1442 token_t *t; 1443 1444 textlen = strlen(zonename) + 1; 1445 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + textlen); 1446 if (t == NULL) 1447 return (NULL); 1448 1449 ADD_U_CHAR(dptr, AUT_ZONENAME); 1450 ADD_U_INT16(dptr, textlen); 1451 ADD_STRING(dptr, zonename, textlen); 1452 return (t); 1453} 1454 1455/* 1456 * token ID 1 byte 1457 * record byte count 4 bytes 1458 * version # 1 byte [2] 1459 * event type 2 bytes 1460 * event modifier 2 bytes 1461 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value) 1462 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value) 1463 */ 1464token_t * 1465au_to_header32_tm(int rec_size, au_event_t e_type, au_emod_t e_mod, 1466 struct timeval tm) 1467{ 1468 token_t *t; 1469 u_char *dptr = NULL; 1470 u_int32_t timems; 1471 1472 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + 1473 sizeof(u_char) + 2 * sizeof(u_int16_t) + 2 * sizeof(u_int32_t)); 1474 if (t == NULL) 1475 return (NULL); 1476 1477 ADD_U_CHAR(dptr, AUT_HEADER32); 1478 ADD_U_INT32(dptr, rec_size); 1479 ADD_U_CHAR(dptr, AUDIT_HEADER_VERSION_OPENBSM); 1480 ADD_U_INT16(dptr, e_type); 1481 ADD_U_INT16(dptr, e_mod); 1482 1483 timems = tm.tv_usec/1000; 1484 /* Add the timestamp */ 1485 ADD_U_INT32(dptr, tm.tv_sec); 1486 ADD_U_INT32(dptr, timems); /* We need time in ms. */ 1487 1488 return (t); 1489} 1490 1491/* 1492 * token ID 1 byte 1493 * record byte count 4 bytes 1494 * version # 1 byte [2] 1495 * event type 2 bytes 1496 * event modifier 2 bytes 1497 * address type/length 4 bytes 1498 * machine address 4 bytes/16 bytes (IPv4/IPv6 address) 1499 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value) 1500 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value) 1501 */ 1502token_t * 1503au_to_header32_ex_tm(int rec_size, au_event_t e_type, au_emod_t e_mod, 1504 struct timeval tm, struct auditinfo_addr *aia) 1505{ 1506 token_t *t; 1507 u_char *dptr = NULL; 1508 u_int32_t timems; 1509 au_tid_addr_t *tid; 1510 1511 tid = &aia->ai_termid; 1512 if (tid->at_type != AU_IPv4 && tid->at_type != AU_IPv6) 1513 return (NULL); 1514 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + 1515 sizeof(u_char) + 2 * sizeof(u_int16_t) + 3 * 1516 sizeof(u_int32_t) + tid->at_type); 1517 if (t == NULL) 1518 return (NULL); 1519 1520 ADD_U_CHAR(dptr, AUT_HEADER32_EX); 1521 ADD_U_INT32(dptr, rec_size); 1522 ADD_U_CHAR(dptr, AUDIT_HEADER_VERSION_OPENBSM); 1523 ADD_U_INT16(dptr, e_type); 1524 ADD_U_INT16(dptr, e_mod); 1525 1526 ADD_U_INT32(dptr, tid->at_type); 1527 if (tid->at_type == AU_IPv6) 1528 ADD_MEM(dptr, &tid->at_addr[0], 4 * sizeof(u_int32_t)); 1529 else 1530 ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t)); 1531 timems = tm.tv_usec/1000; 1532 /* Add the timestamp */ 1533 ADD_U_INT32(dptr, tm.tv_sec); 1534 ADD_U_INT32(dptr, timems); /* We need time in ms. */ 1535 1536 return (t); 1537} 1538 1539token_t * 1540au_to_header64_tm(int rec_size, au_event_t e_type, au_emod_t e_mod, 1541 struct timeval tm) 1542{ 1543 token_t *t; 1544 u_char *dptr = NULL; 1545 u_int32_t timems; 1546 1547 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + 1548 sizeof(u_char) + 2 * sizeof(u_int16_t) + 2 * sizeof(u_int64_t)); 1549 if (t == NULL) 1550 return (NULL); 1551 1552 ADD_U_CHAR(dptr, AUT_HEADER64); 1553 ADD_U_INT32(dptr, rec_size); 1554 ADD_U_CHAR(dptr, AUDIT_HEADER_VERSION_OPENBSM); 1555 ADD_U_INT16(dptr, e_type); 1556 ADD_U_INT16(dptr, e_mod); 1557 1558 timems = tm.tv_usec/1000; 1559 /* Add the timestamp */ 1560 ADD_U_INT64(dptr, tm.tv_sec); 1561 ADD_U_INT64(dptr, timems); /* We need time in ms. */ 1562 1563 return (t); 1564} 1565 1566#if !defined(KERNEL) && !defined(_KERNEL) 1567#ifdef HAVE_AUDIT_SYSCALLS 1568token_t * 1569au_to_header32_ex(int rec_size, au_event_t e_type, au_emod_t e_mod) 1570{ 1571 struct timeval tm; 1572 struct auditinfo_addr aia; 1573 1574 if (gettimeofday(&tm, NULL) == -1) 1575 return (NULL); 1576 if (audit_get_kaudit(&aia, sizeof(aia)) != 0) { 1577 if (errno != ENOSYS) 1578 return (NULL); 1579 return (au_to_header32_tm(rec_size, e_type, e_mod, tm)); 1580 } 1581 return (au_to_header32_ex_tm(rec_size, e_type, e_mod, tm, &aia)); 1582} 1583#endif /* HAVE_AUDIT_SYSCALLS */ 1584 1585token_t * 1586au_to_header32(int rec_size, au_event_t e_type, au_emod_t e_mod) 1587{ 1588 struct timeval tm; 1589 1590 if (gettimeofday(&tm, NULL) == -1) 1591 return (NULL); 1592 return (au_to_header32_tm(rec_size, e_type, e_mod, tm)); 1593} 1594 1595token_t * 1596au_to_header64(__unused int rec_size, __unused au_event_t e_type, 1597 __unused au_emod_t e_mod) 1598{ 1599 struct timeval tm; 1600 1601 if (gettimeofday(&tm, NULL) == -1) 1602 return (NULL); 1603 return (au_to_header64_tm(rec_size, e_type, e_mod, tm)); 1604} 1605 1606token_t * 1607au_to_header(int rec_size, au_event_t e_type, au_emod_t e_mod) 1608{ 1609 1610 return (au_to_header32(rec_size, e_type, e_mod)); 1611} 1612 1613#ifdef HAVE_AUDIT_SYSCALLS 1614token_t * 1615au_to_header_ex(int rec_size, au_event_t e_type, au_emod_t e_mod) 1616{ 1617 1618 return (au_to_header32_ex(rec_size, e_type, e_mod)); 1619} 1620#endif /* HAVE_AUDIT_SYSCALLS */ 1621#endif /* !defined(KERNEL) && !defined(_KERNEL) */ 1622 1623/* 1624 * token ID 1 byte 1625 * trailer magic number 2 bytes 1626 * record byte count 4 bytes 1627 */ 1628token_t * 1629au_to_trailer(int rec_size) 1630{ 1631 token_t *t; 1632 u_char *dptr = NULL; 1633 u_int16_t magic = AUT_TRAILER_MAGIC; 1634 1635 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + 1636 sizeof(u_int32_t)); 1637 if (t == NULL) 1638 return (NULL); 1639 1640 ADD_U_CHAR(dptr, AUT_TRAILER); 1641 ADD_U_INT16(dptr, magic); 1642 ADD_U_INT32(dptr, rec_size); 1643 1644 return (t); 1645} 1646