bsm_token.c revision 243751
1/*- 2 * Copyright (c) 2004-2009 Apple Inc. 3 * Copyright (c) 2005 SPARTA, Inc. 4 * All rights reserved. 5 * 6 * This code was developed in part by Robert N. M. Watson, Senior Principal 7 * Scientist, SPARTA, Inc. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. Neither the name of Apple Inc. ("Apple") nor the names of 18 * its contributors may be used to endorse or promote products derived 19 * from this software without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR 25 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 29 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 30 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 31 * POSSIBILITY OF SUCH DAMAGE. 32 * 33 * P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_token.c#99 34 */ 35 36#include <sys/cdefs.h> 37__FBSDID("$FreeBSD: head/sys/security/audit/audit_bsm_token.c 243751 2012-12-01 13:46:37Z rwatson $"); 38 39#include <sys/param.h> 40#include <sys/types.h> 41#include <sys/endian.h> 42#include <sys/queue.h> 43#include <sys/socket.h> 44#include <sys/time.h> 45 46#include <sys/ipc.h> 47#include <sys/libkern.h> 48#include <sys/malloc.h> 49#include <sys/un.h> 50 51#include <netinet/in.h> 52#include <netinet/in_systm.h> 53#include <netinet/ip.h> 54 55 56#include <bsm/audit.h> 57#include <bsm/audit_internal.h> 58#include <bsm/audit_record.h> 59#include <security/audit/audit.h> 60#include <security/audit/audit_private.h> 61 62#define GET_TOKEN_AREA(t, dptr, length) do { \ 63 t = malloc(sizeof(token_t), M_AUDITBSM, M_WAITOK); \ 64 t->t_data = malloc(length, M_AUDITBSM, M_WAITOK | M_ZERO); \ 65 t->len = length; \ 66 dptr = t->t_data; \ 67} while (0) 68 69/* 70 * token ID 1 byte 71 * success/failure 1 byte 72 * privstrlen 2 bytes 73 * privstr N bytes + 1 (\0 byte) 74 */ 75token_t * 76au_to_upriv(char sorf, char *priv) 77{ 78 u_int16_t textlen; 79 u_char *dptr; 80 token_t *t; 81 82 textlen = strlen(priv) + 1; 83 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_char) + 84 sizeof(u_int16_t) + textlen); 85 86 ADD_U_CHAR(dptr, AUT_UPRIV); 87 ADD_U_CHAR(dptr, sorf); 88 ADD_U_INT16(dptr, textlen); 89 ADD_STRING(dptr, priv, textlen); 90 return (t); 91} 92 93/* 94 * token ID 1 byte 95 * privtstrlen 2 bytes 96 * privtstr N bytes + 1 97 * privstrlen 2 bytes 98 * privstr N bytes + 1 99 */ 100token_t * 101au_to_privset(char *privtypestr, char *privstr) 102{ 103 u_int16_t type_len, priv_len; 104 u_char *dptr; 105 token_t *t; 106 107 type_len = strlen(privtypestr) + 1; 108 priv_len = strlen(privstr) + 1; 109 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + 110 sizeof(u_int16_t) + type_len + priv_len); 111 112 ADD_U_CHAR(dptr, AUT_PRIV); 113 ADD_U_INT16(dptr, type_len); 114 ADD_STRING(dptr, privtypestr, type_len); 115 ADD_U_INT16(dptr, priv_len); 116 ADD_STRING(dptr, privstr, priv_len); 117 return (t); 118} 119 120/* 121 * token ID 1 byte 122 * argument # 1 byte 123 * argument value 4 bytes/8 bytes (32-bit/64-bit value) 124 * text length 2 bytes 125 * text N bytes + 1 terminating NULL byte 126 */ 127token_t * 128au_to_arg32(char n, const char *text, u_int32_t v) 129{ 130 token_t *t; 131 u_char *dptr = NULL; 132 u_int16_t textlen; 133 134 textlen = strlen(text); 135 textlen += 1; 136 137 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int32_t) + 138 sizeof(u_int16_t) + textlen); 139 140 ADD_U_CHAR(dptr, AUT_ARG32); 141 ADD_U_CHAR(dptr, n); 142 ADD_U_INT32(dptr, v); 143 ADD_U_INT16(dptr, textlen); 144 ADD_STRING(dptr, text, textlen); 145 146 return (t); 147} 148 149token_t * 150au_to_arg64(char n, const char *text, u_int64_t v) 151{ 152 token_t *t; 153 u_char *dptr = NULL; 154 u_int16_t textlen; 155 156 textlen = strlen(text); 157 textlen += 1; 158 159 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int64_t) + 160 sizeof(u_int16_t) + textlen); 161 162 ADD_U_CHAR(dptr, AUT_ARG64); 163 ADD_U_CHAR(dptr, n); 164 ADD_U_INT64(dptr, v); 165 ADD_U_INT16(dptr, textlen); 166 ADD_STRING(dptr, text, textlen); 167 168 return (t); 169} 170 171token_t * 172au_to_arg(char n, const char *text, u_int32_t v) 173{ 174 175 return (au_to_arg32(n, text, v)); 176} 177 178#if defined(_KERNEL) || defined(KERNEL) 179/* 180 * token ID 1 byte 181 * file access mode 4 bytes 182 * owner user ID 4 bytes 183 * owner group ID 4 bytes 184 * file system ID 4 bytes 185 * node ID 8 bytes 186 * device 4 bytes/8 bytes (32-bit/64-bit) 187 */ 188token_t * 189au_to_attr32(struct vnode_au_info *vni) 190{ 191 token_t *t; 192 u_char *dptr = NULL; 193 u_int16_t pad0_16 = 0; 194 u_int32_t pad0_32 = 0; 195 196 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) + 197 3 * sizeof(u_int32_t) + sizeof(u_int64_t) + sizeof(u_int32_t)); 198 199 ADD_U_CHAR(dptr, AUT_ATTR32); 200 201 /* 202 * BSD defines the size for the file mode as 2 bytes; BSM defines 4 203 * so pad with 0. 204 * 205 * XXXRW: Possibly should be conditionally compiled. 206 * 207 * XXXRW: Should any conversions take place on the mode? 208 */ 209 ADD_U_INT16(dptr, pad0_16); 210 ADD_U_INT16(dptr, vni->vn_mode); 211 212 ADD_U_INT32(dptr, vni->vn_uid); 213 ADD_U_INT32(dptr, vni->vn_gid); 214 ADD_U_INT32(dptr, vni->vn_fsid); 215 216 /* 217 * Some systems use 32-bit file ID's, others use 64-bit file IDs. 218 * Attempt to handle both, and let the compiler sort it out. If we 219 * could pick this out at compile-time, it would be better, so as to 220 * avoid the else case below. 221 */ 222 if (sizeof(vni->vn_fileid) == sizeof(uint32_t)) { 223 ADD_U_INT32(dptr, pad0_32); 224 ADD_U_INT32(dptr, vni->vn_fileid); 225 } else if (sizeof(vni->vn_fileid) == sizeof(uint64_t)) 226 ADD_U_INT64(dptr, vni->vn_fileid); 227 else 228 ADD_U_INT64(dptr, 0LL); 229 230 ADD_U_INT32(dptr, vni->vn_dev); 231 232 return (t); 233} 234 235token_t * 236au_to_attr64(struct vnode_au_info *vni) 237{ 238 token_t *t; 239 u_char *dptr = NULL; 240 u_int16_t pad0_16 = 0; 241 u_int32_t pad0_32 = 0; 242 243 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) + 244 3 * sizeof(u_int32_t) + sizeof(u_int64_t) * 2); 245 246 ADD_U_CHAR(dptr, AUT_ATTR64); 247 248 /* 249 * BSD defines the size for the file mode as 2 bytes; BSM defines 4 250 * so pad with 0. 251 * 252 * XXXRW: Possibly should be conditionally compiled. 253 * 254 * XXXRW: Should any conversions take place on the mode? 255 */ 256 ADD_U_INT16(dptr, pad0_16); 257 ADD_U_INT16(dptr, vni->vn_mode); 258 259 ADD_U_INT32(dptr, vni->vn_uid); 260 ADD_U_INT32(dptr, vni->vn_gid); 261 ADD_U_INT32(dptr, vni->vn_fsid); 262 263 /* 264 * Some systems use 32-bit file ID's, other's use 64-bit file IDs. 265 * Attempt to handle both, and let the compiler sort it out. If we 266 * could pick this out at compile-time, it would be better, so as to 267 * avoid the else case below. 268 */ 269 if (sizeof(vni->vn_fileid) == sizeof(uint32_t)) { 270 ADD_U_INT32(dptr, pad0_32); 271 ADD_U_INT32(dptr, vni->vn_fileid); 272 } else if (sizeof(vni->vn_fileid) == sizeof(uint64_t)) 273 ADD_U_INT64(dptr, vni->vn_fileid); 274 else 275 ADD_U_INT64(dptr, 0LL); 276 277 ADD_U_INT64(dptr, vni->vn_dev); 278 279 return (t); 280} 281 282token_t * 283au_to_attr(struct vnode_au_info *vni) 284{ 285 286 return (au_to_attr32(vni)); 287} 288#endif /* !(defined(_KERNEL) || defined(KERNEL) */ 289 290/* 291 * token ID 1 byte 292 * how to print 1 byte 293 * basic unit 1 byte 294 * unit count 1 byte 295 * data items (depends on basic unit) 296 */ 297token_t * 298au_to_data(char unit_print, char unit_type, char unit_count, const char *p) 299{ 300 token_t *t; 301 u_char *dptr = NULL; 302 size_t datasize, totdata; 303 304 /* Determine the size of the basic unit. */ 305 switch (unit_type) { 306 case AUR_BYTE: 307 /* case AUR_CHAR: */ 308 datasize = AUR_BYTE_SIZE; 309 break; 310 311 case AUR_SHORT: 312 datasize = AUR_SHORT_SIZE; 313 break; 314 315 case AUR_INT32: 316 /* case AUR_INT: */ 317 datasize = AUR_INT32_SIZE; 318 break; 319 320 case AUR_INT64: 321 datasize = AUR_INT64_SIZE; 322 break; 323 324 default: 325 return (NULL); 326 } 327 328 totdata = datasize * unit_count; 329 330 GET_TOKEN_AREA(t, dptr, 4 * sizeof(u_char) + totdata); 331 332 /* 333 * XXXRW: We should be byte-swapping each data item for multi-byte 334 * types. 335 */ 336 ADD_U_CHAR(dptr, AUT_DATA); 337 ADD_U_CHAR(dptr, unit_print); 338 ADD_U_CHAR(dptr, unit_type); 339 ADD_U_CHAR(dptr, unit_count); 340 ADD_MEM(dptr, p, totdata); 341 342 return (t); 343} 344 345 346/* 347 * token ID 1 byte 348 * status 4 bytes 349 * return value 4 bytes 350 */ 351token_t * 352au_to_exit(int retval, int err) 353{ 354 token_t *t; 355 u_char *dptr = NULL; 356 357 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int32_t)); 358 359 ADD_U_CHAR(dptr, AUT_EXIT); 360 ADD_U_INT32(dptr, err); 361 ADD_U_INT32(dptr, retval); 362 363 return (t); 364} 365 366/* 367 */ 368token_t * 369au_to_groups(int *groups) 370{ 371 372 return (au_to_newgroups(AUDIT_MAX_GROUPS, (gid_t *)groups)); 373} 374 375/* 376 * token ID 1 byte 377 * number groups 2 bytes 378 * group list count * 4 bytes 379 */ 380token_t * 381au_to_newgroups(u_int16_t n, gid_t *groups) 382{ 383 token_t *t; 384 u_char *dptr = NULL; 385 int i; 386 387 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + 388 n * sizeof(u_int32_t)); 389 390 ADD_U_CHAR(dptr, AUT_NEWGROUPS); 391 ADD_U_INT16(dptr, n); 392 for (i = 0; i < n; i++) 393 ADD_U_INT32(dptr, groups[i]); 394 395 return (t); 396} 397 398/* 399 * token ID 1 byte 400 * internet address 4 bytes 401 */ 402token_t * 403au_to_in_addr(struct in_addr *internet_addr) 404{ 405 token_t *t; 406 u_char *dptr = NULL; 407 408 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(uint32_t)); 409 410 ADD_U_CHAR(dptr, AUT_IN_ADDR); 411 ADD_MEM(dptr, &internet_addr->s_addr, sizeof(uint32_t)); 412 413 return (t); 414} 415 416/* 417 * token ID 1 byte 418 * address type/length 4 bytes 419 * address 16 bytes 420 */ 421token_t * 422au_to_in_addr_ex(struct in6_addr *internet_addr) 423{ 424 token_t *t; 425 u_char *dptr = NULL; 426 u_int32_t type = AU_IPv6; 427 428 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 5 * sizeof(uint32_t)); 429 430 ADD_U_CHAR(dptr, AUT_IN_ADDR_EX); 431 ADD_U_INT32(dptr, type); 432 ADD_MEM(dptr, internet_addr, 4 * sizeof(uint32_t)); 433 434 return (t); 435} 436 437/* 438 * token ID 1 byte 439 * ip header 20 bytes 440 * 441 * The IP header should be submitted in network byte order. 442 */ 443token_t * 444au_to_ip(struct ip *ip) 445{ 446 token_t *t; 447 u_char *dptr = NULL; 448 449 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(struct ip)); 450 451 ADD_U_CHAR(dptr, AUT_IP); 452 ADD_MEM(dptr, ip, sizeof(struct ip)); 453 454 return (t); 455} 456 457/* 458 * token ID 1 byte 459 * object ID type 1 byte 460 * object ID 4 bytes 461 */ 462token_t * 463au_to_ipc(char type, int id) 464{ 465 token_t *t; 466 u_char *dptr = NULL; 467 468 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int32_t)); 469 470 ADD_U_CHAR(dptr, AUT_IPC); 471 ADD_U_CHAR(dptr, type); 472 ADD_U_INT32(dptr, id); 473 474 return (t); 475} 476 477/* 478 * token ID 1 byte 479 * owner user ID 4 bytes 480 * owner group ID 4 bytes 481 * creator user ID 4 bytes 482 * creator group ID 4 bytes 483 * access mode 4 bytes 484 * slot sequence # 4 bytes 485 * key 4 bytes 486 */ 487token_t * 488au_to_ipc_perm(struct ipc_perm *perm) 489{ 490 token_t *t; 491 u_char *dptr = NULL; 492 u_int16_t pad0 = 0; 493 494 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 12 * sizeof(u_int16_t) + 495 sizeof(u_int32_t)); 496 497 ADD_U_CHAR(dptr, AUT_IPC_PERM); 498 499 /* 500 * Systems vary significantly in what types they use in struct 501 * ipc_perm; at least a few still use 16-bit uid's and gid's, so 502 * allow for that, as BSM define 32-bit values here. 503 * Some systems define the sizes for ipc_perm members as 2 bytes; 504 * BSM defines 4 so pad with 0. 505 * 506 * XXXRW: Possibly shoulid be conditionally compiled, and more cases 507 * need to be handled. 508 */ 509 if (sizeof(perm->uid) != sizeof(u_int32_t)) { 510 ADD_U_INT16(dptr, pad0); 511 ADD_U_INT16(dptr, perm->uid); 512 ADD_U_INT16(dptr, pad0); 513 ADD_U_INT16(dptr, perm->gid); 514 ADD_U_INT16(dptr, pad0); 515 ADD_U_INT16(dptr, perm->cuid); 516 ADD_U_INT16(dptr, pad0); 517 ADD_U_INT16(dptr, perm->cgid); 518 } else { 519 ADD_U_INT32(dptr, perm->uid); 520 ADD_U_INT32(dptr, perm->gid); 521 ADD_U_INT32(dptr, perm->cuid); 522 ADD_U_INT32(dptr, perm->cgid); 523 } 524 525 ADD_U_INT16(dptr, pad0); 526 ADD_U_INT16(dptr, perm->mode); 527 528 ADD_U_INT16(dptr, pad0); 529 530 ADD_U_INT16(dptr, perm->seq); 531 532 ADD_U_INT32(dptr, perm->key); 533 534 return (t); 535} 536 537/* 538 * token ID 1 byte 539 * port IP address 2 bytes 540 */ 541token_t * 542au_to_iport(u_int16_t iport) 543{ 544 token_t *t; 545 u_char *dptr = NULL; 546 547 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t)); 548 549 ADD_U_CHAR(dptr, AUT_IPORT); 550 ADD_U_INT16(dptr, iport); 551 552 return (t); 553} 554 555/* 556 * token ID 1 byte 557 * size 2 bytes 558 * data size bytes 559 */ 560token_t * 561au_to_opaque(const char *data, u_int16_t bytes) 562{ 563 token_t *t; 564 u_char *dptr = NULL; 565 566 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + bytes); 567 568 ADD_U_CHAR(dptr, AUT_OPAQUE); 569 ADD_U_INT16(dptr, bytes); 570 ADD_MEM(dptr, data, bytes); 571 572 return (t); 573} 574 575/* 576 * token ID 1 byte 577 * seconds of time 4 bytes 578 * milliseconds of time 4 bytes 579 * file name len 2 bytes 580 * file pathname N bytes + 1 terminating NULL byte 581 */ 582token_t * 583au_to_file(const char *file, struct timeval tm) 584{ 585 token_t *t; 586 u_char *dptr = NULL; 587 u_int16_t filelen; 588 u_int32_t timems; 589 590 filelen = strlen(file); 591 filelen += 1; 592 593 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int32_t) + 594 sizeof(u_int16_t) + filelen); 595 596 timems = tm.tv_usec/1000; 597 598 ADD_U_CHAR(dptr, AUT_OTHER_FILE32); 599 ADD_U_INT32(dptr, tm.tv_sec); 600 ADD_U_INT32(dptr, timems); /* We need time in ms. */ 601 ADD_U_INT16(dptr, filelen); 602 ADD_STRING(dptr, file, filelen); 603 604 return (t); 605} 606 607/* 608 * token ID 1 byte 609 * text length 2 bytes 610 * text N bytes + 1 terminating NULL byte 611 */ 612token_t * 613au_to_text(const char *text) 614{ 615 token_t *t; 616 u_char *dptr = NULL; 617 u_int16_t textlen; 618 619 textlen = strlen(text); 620 textlen += 1; 621 622 /* XXXRW: Should validate length against token size limit. */ 623 624 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + textlen); 625 626 ADD_U_CHAR(dptr, AUT_TEXT); 627 ADD_U_INT16(dptr, textlen); 628 ADD_STRING(dptr, text, textlen); 629 630 return (t); 631} 632 633/* 634 * token ID 1 byte 635 * path length 2 bytes 636 * path N bytes + 1 terminating NULL byte 637 */ 638token_t * 639au_to_path(const char *text) 640{ 641 token_t *t; 642 u_char *dptr = NULL; 643 u_int16_t textlen; 644 645 textlen = strlen(text); 646 textlen += 1; 647 648 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + textlen); 649 650 ADD_U_CHAR(dptr, AUT_PATH); 651 ADD_U_INT16(dptr, textlen); 652 ADD_STRING(dptr, text, textlen); 653 654 return (t); 655} 656 657/* 658 * token ID 1 byte 659 * audit ID 4 bytes 660 * effective user ID 4 bytes 661 * effective group ID 4 bytes 662 * real user ID 4 bytes 663 * real group ID 4 bytes 664 * process ID 4 bytes 665 * session ID 4 bytes 666 * terminal ID 667 * port ID 4 bytes/8 bytes (32-bit/64-bit value) 668 * machine address 4 bytes 669 */ 670token_t * 671au_to_process32(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, 672 pid_t pid, au_asid_t sid, au_tid_t *tid) 673{ 674 token_t *t; 675 u_char *dptr = NULL; 676 677 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 9 * sizeof(u_int32_t)); 678 679 ADD_U_CHAR(dptr, AUT_PROCESS32); 680 ADD_U_INT32(dptr, auid); 681 ADD_U_INT32(dptr, euid); 682 ADD_U_INT32(dptr, egid); 683 ADD_U_INT32(dptr, ruid); 684 ADD_U_INT32(dptr, rgid); 685 ADD_U_INT32(dptr, pid); 686 ADD_U_INT32(dptr, sid); 687 ADD_U_INT32(dptr, tid->port); 688 689 /* 690 * Note: Solaris will write out IPv6 addresses here as a 32-bit 691 * address type and 16 bytes of address, but for IPv4 addresses it 692 * simply writes the 4-byte address directly. We support only IPv4 693 * addresses for process32 tokens. 694 */ 695 ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t)); 696 697 return (t); 698} 699 700token_t * 701au_to_process64(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, 702 pid_t pid, au_asid_t sid, au_tid_t *tid) 703{ 704 token_t *t; 705 u_char *dptr = NULL; 706 707 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 8 * sizeof(u_int32_t) + 708 sizeof(u_int64_t)); 709 710 ADD_U_CHAR(dptr, AUT_PROCESS64); 711 ADD_U_INT32(dptr, auid); 712 ADD_U_INT32(dptr, euid); 713 ADD_U_INT32(dptr, egid); 714 ADD_U_INT32(dptr, ruid); 715 ADD_U_INT32(dptr, rgid); 716 ADD_U_INT32(dptr, pid); 717 ADD_U_INT32(dptr, sid); 718 ADD_U_INT64(dptr, tid->port); 719 720 /* 721 * Note: Solaris will write out IPv6 addresses here as a 32-bit 722 * address type and 16 bytes of address, but for IPv4 addresses it 723 * simply writes the 4-byte address directly. We support only IPv4 724 * addresses for process64 tokens. 725 */ 726 ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t)); 727 728 return (t); 729} 730 731token_t * 732au_to_process(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, 733 pid_t pid, au_asid_t sid, au_tid_t *tid) 734{ 735 736 return (au_to_process32(auid, euid, egid, ruid, rgid, pid, sid, 737 tid)); 738} 739 740/* 741 * token ID 1 byte 742 * audit ID 4 bytes 743 * effective user ID 4 bytes 744 * effective group ID 4 bytes 745 * real user ID 4 bytes 746 * real group ID 4 bytes 747 * process ID 4 bytes 748 * session ID 4 bytes 749 * terminal ID 750 * port ID 4 bytes/8 bytes (32-bit/64-bit value) 751 * address type-len 4 bytes 752 * machine address 16 bytes 753 */ 754token_t * 755au_to_process32_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, 756 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid) 757{ 758 token_t *t; 759 u_char *dptr = NULL; 760 761 KASSERT((tid->at_type == AU_IPv4) || (tid->at_type == AU_IPv6), 762 ("au_to_process32_ex: type %u", (unsigned int)tid->at_type)); 763 if (tid->at_type == AU_IPv4) 764 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 765 10 * sizeof(u_int32_t)); 766 else 767 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 768 13 * sizeof(u_int32_t)); 769 770 ADD_U_CHAR(dptr, AUT_PROCESS32_EX); 771 ADD_U_INT32(dptr, auid); 772 ADD_U_INT32(dptr, euid); 773 ADD_U_INT32(dptr, egid); 774 ADD_U_INT32(dptr, ruid); 775 ADD_U_INT32(dptr, rgid); 776 ADD_U_INT32(dptr, pid); 777 ADD_U_INT32(dptr, sid); 778 ADD_U_INT32(dptr, tid->at_port); 779 ADD_U_INT32(dptr, tid->at_type); 780 ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t)); 781 if (tid->at_type == AU_IPv6) { 782 ADD_MEM(dptr, &tid->at_addr[1], sizeof(u_int32_t)); 783 ADD_MEM(dptr, &tid->at_addr[2], sizeof(u_int32_t)); 784 ADD_MEM(dptr, &tid->at_addr[3], sizeof(u_int32_t)); 785 } 786 787 return (t); 788} 789 790token_t * 791au_to_process64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, 792 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid) 793{ 794 token_t *t; 795 u_char *dptr = NULL; 796 797 if (tid->at_type == AU_IPv4) 798 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 799 7 * sizeof(u_int32_t) + sizeof(u_int64_t) + 800 2 * sizeof(u_int32_t)); 801 else if (tid->at_type == AU_IPv6) 802 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 803 7 * sizeof(u_int32_t) + sizeof(u_int64_t) + 804 5 * sizeof(u_int32_t)); 805 else 806 panic("au_to_process64_ex: invalidate at_type (%d)", 807 tid->at_type); 808 809 ADD_U_CHAR(dptr, AUT_PROCESS64_EX); 810 ADD_U_INT32(dptr, auid); 811 ADD_U_INT32(dptr, euid); 812 ADD_U_INT32(dptr, egid); 813 ADD_U_INT32(dptr, ruid); 814 ADD_U_INT32(dptr, rgid); 815 ADD_U_INT32(dptr, pid); 816 ADD_U_INT32(dptr, sid); 817 ADD_U_INT64(dptr, tid->at_port); 818 ADD_U_INT32(dptr, tid->at_type); 819 ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t)); 820 if (tid->at_type == AU_IPv6) { 821 ADD_MEM(dptr, &tid->at_addr[1], sizeof(u_int32_t)); 822 ADD_MEM(dptr, &tid->at_addr[2], sizeof(u_int32_t)); 823 ADD_MEM(dptr, &tid->at_addr[3], sizeof(u_int32_t)); 824 } 825 826 return (t); 827} 828 829token_t * 830au_to_process_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, 831 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid) 832{ 833 834 return (au_to_process32_ex(auid, euid, egid, ruid, rgid, pid, sid, 835 tid)); 836} 837 838/* 839 * token ID 1 byte 840 * error status 1 byte 841 * return value 4 bytes/8 bytes (32-bit/64-bit value) 842 */ 843token_t * 844au_to_return32(char status, u_int32_t ret) 845{ 846 token_t *t; 847 u_char *dptr = NULL; 848 849 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int32_t)); 850 851 ADD_U_CHAR(dptr, AUT_RETURN32); 852 ADD_U_CHAR(dptr, status); 853 ADD_U_INT32(dptr, ret); 854 855 return (t); 856} 857 858token_t * 859au_to_return64(char status, u_int64_t ret) 860{ 861 token_t *t; 862 u_char *dptr = NULL; 863 864 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int64_t)); 865 866 ADD_U_CHAR(dptr, AUT_RETURN64); 867 ADD_U_CHAR(dptr, status); 868 ADD_U_INT64(dptr, ret); 869 870 return (t); 871} 872 873token_t * 874au_to_return(char status, u_int32_t ret) 875{ 876 877 return (au_to_return32(status, ret)); 878} 879 880/* 881 * token ID 1 byte 882 * sequence number 4 bytes 883 */ 884token_t * 885au_to_seq(long audit_count) 886{ 887 token_t *t; 888 u_char *dptr = NULL; 889 890 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t)); 891 892 ADD_U_CHAR(dptr, AUT_SEQ); 893 ADD_U_INT32(dptr, audit_count); 894 895 return (t); 896} 897 898/* 899 * token ID 1 byte 900 * socket domain 2 bytes 901 * socket type 2 bytes 902 * address type 2 byte 903 * local port 2 bytes 904 * local address 4 bytes/16 bytes (IPv4/IPv6 address) 905 * remote port 2 bytes 906 * remote address 4 bytes/16 bytes (IPv4/IPv6 address) 907 * 908 * Domain and type arguments to this routine are assumed to already have been 909 * converted to the BSM constant space, so we don't do that here. 910 */ 911token_t * 912au_to_socket_ex(u_short so_domain, u_short so_type, 913 struct sockaddr *sa_local, struct sockaddr *sa_remote) 914{ 915 token_t *t; 916 u_char *dptr = NULL; 917 struct sockaddr_in *sin; 918 struct sockaddr_in6 *sin6; 919 920 if (so_domain == AF_INET) 921 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 922 5 * sizeof(u_int16_t) + 2 * sizeof(u_int32_t)); 923 else if (so_domain == AF_INET6) 924 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 925 5 * sizeof(u_int16_t) + 8 * sizeof(u_int32_t)); 926 else 927 return (NULL); 928 929 ADD_U_CHAR(dptr, AUT_SOCKET_EX); 930 ADD_U_INT16(dptr, au_domain_to_bsm(so_domain)); 931 ADD_U_INT16(dptr, au_socket_type_to_bsm(so_type)); 932 if (so_domain == AF_INET) { 933 ADD_U_INT16(dptr, AU_IPv4); 934 sin = (struct sockaddr_in *)sa_local; 935 ADD_MEM(dptr, &sin->sin_port, sizeof(uint16_t)); 936 ADD_MEM(dptr, &sin->sin_addr.s_addr, sizeof(uint32_t)); 937 sin = (struct sockaddr_in *)sa_remote; 938 ADD_MEM(dptr, &sin->sin_port, sizeof(uint16_t)); 939 ADD_MEM(dptr, &sin->sin_addr.s_addr, sizeof(uint32_t)); 940 } else { 941 ADD_U_INT16(dptr, AU_IPv6); 942 sin6 = (struct sockaddr_in6 *)sa_local; 943 ADD_MEM(dptr, &sin6->sin6_port, sizeof(uint16_t)); 944 ADD_MEM(dptr, &sin6->sin6_addr, 4 * sizeof(uint32_t)); 945 sin6 = (struct sockaddr_in6 *)sa_remote; 946 ADD_MEM(dptr, &sin6->sin6_port, sizeof(uint16_t)); 947 ADD_MEM(dptr, &sin6->sin6_addr, 4 * sizeof(uint32_t)); 948 } 949 950 return (t); 951} 952 953/* 954 * Kernel-specific version of the above function. 955 * 956 * XXXRW: Should now use au_to_socket_ex() here. 957 */ 958#ifdef _KERNEL 959token_t * 960kau_to_socket(struct socket_au_info *soi) 961{ 962 token_t *t; 963 u_char *dptr; 964 u_int16_t so_type; 965 966 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) + 967 sizeof(u_int32_t) + sizeof(u_int16_t) + sizeof(u_int32_t)); 968 969 ADD_U_CHAR(dptr, AUT_SOCKET); 970 /* Coerce the socket type into a short value */ 971 so_type = soi->so_type; 972 ADD_U_INT16(dptr, so_type); 973 ADD_U_INT16(dptr, soi->so_lport); 974 ADD_U_INT32(dptr, soi->so_laddr); 975 ADD_U_INT16(dptr, soi->so_rport); 976 ADD_U_INT32(dptr, soi->so_raddr); 977 978 return (t); 979} 980#endif 981 982/* 983 * token ID 1 byte 984 * socket family 2 bytes 985 * path (up to) 104 bytes + NULL (NULL terminated string) 986 */ 987token_t * 988au_to_sock_unix(struct sockaddr_un *so) 989{ 990 token_t *t; 991 u_char *dptr; 992 993 GET_TOKEN_AREA(t, dptr, 3 * sizeof(u_char) + strlen(so->sun_path) + 1); 994 995 ADD_U_CHAR(dptr, AUT_SOCKUNIX); 996 /* BSM token has two bytes for family */ 997 ADD_U_CHAR(dptr, 0); 998 ADD_U_CHAR(dptr, so->sun_family); 999 ADD_STRING(dptr, so->sun_path, strlen(so->sun_path) + 1); 1000 1001 return (t); 1002} 1003 1004/* 1005 * token ID 1 byte 1006 * socket family 2 bytes 1007 * local port 2 bytes 1008 * socket address 4 bytes 1009 */ 1010token_t * 1011au_to_sock_inet32(struct sockaddr_in *so) 1012{ 1013 token_t *t; 1014 u_char *dptr = NULL; 1015 uint16_t family; 1016 1017 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(uint16_t) + 1018 sizeof(uint32_t)); 1019 1020 ADD_U_CHAR(dptr, AUT_SOCKINET32); 1021 /* 1022 * BSM defines the family field as 16 bits, but many operating 1023 * systems have an 8-bit sin_family field. Extend to 16 bits before 1024 * writing into the token. Assume that both the port and the address 1025 * in the sockaddr_in are already in network byte order, but family 1026 * is in local byte order. 1027 * 1028 * XXXRW: Should a name space conversion be taking place on the value 1029 * of sin_family? 1030 */ 1031 family = so->sin_family; 1032 ADD_U_INT16(dptr, family); 1033 ADD_MEM(dptr, &so->sin_port, sizeof(uint16_t)); 1034 ADD_MEM(dptr, &so->sin_addr.s_addr, sizeof(uint32_t)); 1035 1036 return (t); 1037} 1038 1039token_t * 1040au_to_sock_inet128(struct sockaddr_in6 *so) 1041{ 1042 token_t *t; 1043 u_char *dptr = NULL; 1044 1045 GET_TOKEN_AREA(t, dptr, 3 * sizeof(u_char) + sizeof(u_int16_t) + 1046 4 * sizeof(u_int32_t)); 1047 1048 ADD_U_CHAR(dptr, AUT_SOCKINET128); 1049 /* 1050 * In BSD, sin6_family is one octet, but BSM defines the token to 1051 * store two. So we copy in a 0 first. XXXRW: Possibly should be 1052 * conditionally compiled. 1053 */ 1054 ADD_U_CHAR(dptr, 0); 1055 ADD_U_CHAR(dptr, so->sin6_family); 1056 1057 ADD_U_INT16(dptr, so->sin6_port); 1058 ADD_MEM(dptr, &so->sin6_addr, 4 * sizeof(uint32_t)); 1059 1060 return (t); 1061} 1062 1063token_t * 1064au_to_sock_inet(struct sockaddr_in *so) 1065{ 1066 1067 return (au_to_sock_inet32(so)); 1068} 1069 1070/* 1071 * token ID 1 byte 1072 * audit ID 4 bytes 1073 * effective user ID 4 bytes 1074 * effective group ID 4 bytes 1075 * real user ID 4 bytes 1076 * real group ID 4 bytes 1077 * process ID 4 bytes 1078 * session ID 4 bytes 1079 * terminal ID 1080 * port ID 4 bytes/8 bytes (32-bit/64-bit value) 1081 * machine address 4 bytes 1082 */ 1083token_t * 1084au_to_subject32(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, 1085 pid_t pid, au_asid_t sid, au_tid_t *tid) 1086{ 1087 token_t *t; 1088 u_char *dptr = NULL; 1089 1090 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 9 * sizeof(u_int32_t)); 1091 1092 ADD_U_CHAR(dptr, AUT_SUBJECT32); 1093 ADD_U_INT32(dptr, auid); 1094 ADD_U_INT32(dptr, euid); 1095 ADD_U_INT32(dptr, egid); 1096 ADD_U_INT32(dptr, ruid); 1097 ADD_U_INT32(dptr, rgid); 1098 ADD_U_INT32(dptr, pid); 1099 ADD_U_INT32(dptr, sid); 1100 ADD_U_INT32(dptr, tid->port); 1101 ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t)); 1102 1103 return (t); 1104} 1105 1106token_t * 1107au_to_subject64(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, 1108 pid_t pid, au_asid_t sid, au_tid_t *tid) 1109{ 1110 token_t *t; 1111 u_char *dptr = NULL; 1112 1113 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 7 * sizeof(u_int32_t) + 1114 sizeof(u_int64_t) + sizeof(u_int32_t)); 1115 1116 ADD_U_CHAR(dptr, AUT_SUBJECT64); 1117 ADD_U_INT32(dptr, auid); 1118 ADD_U_INT32(dptr, euid); 1119 ADD_U_INT32(dptr, egid); 1120 ADD_U_INT32(dptr, ruid); 1121 ADD_U_INT32(dptr, rgid); 1122 ADD_U_INT32(dptr, pid); 1123 ADD_U_INT32(dptr, sid); 1124 ADD_U_INT64(dptr, tid->port); 1125 ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t)); 1126 1127 return (t); 1128} 1129 1130token_t * 1131au_to_subject(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, 1132 pid_t pid, au_asid_t sid, au_tid_t *tid) 1133{ 1134 1135 return (au_to_subject32(auid, euid, egid, ruid, rgid, pid, sid, 1136 tid)); 1137} 1138 1139/* 1140 * token ID 1 byte 1141 * audit ID 4 bytes 1142 * effective user ID 4 bytes 1143 * effective group ID 4 bytes 1144 * real user ID 4 bytes 1145 * real group ID 4 bytes 1146 * process ID 4 bytes 1147 * session ID 4 bytes 1148 * terminal ID 1149 * port ID 4 bytes/8 bytes (32-bit/64-bit value) 1150 * address type/length 4 bytes 1151 * machine address 16 bytes 1152 */ 1153token_t * 1154au_to_subject32_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, 1155 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid) 1156{ 1157 token_t *t; 1158 u_char *dptr = NULL; 1159 1160 KASSERT((tid->at_type == AU_IPv4) || (tid->at_type == AU_IPv6), 1161 ("au_to_subject32_ex: type %u", (unsigned int)tid->at_type)); 1162 1163 if (tid->at_type == AU_IPv4) 1164 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 10 * 1165 sizeof(u_int32_t)); 1166 else 1167 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 13 * 1168 sizeof(u_int32_t)); 1169 1170 ADD_U_CHAR(dptr, AUT_SUBJECT32_EX); 1171 ADD_U_INT32(dptr, auid); 1172 ADD_U_INT32(dptr, euid); 1173 ADD_U_INT32(dptr, egid); 1174 ADD_U_INT32(dptr, ruid); 1175 ADD_U_INT32(dptr, rgid); 1176 ADD_U_INT32(dptr, pid); 1177 ADD_U_INT32(dptr, sid); 1178 ADD_U_INT32(dptr, tid->at_port); 1179 ADD_U_INT32(dptr, tid->at_type); 1180 if (tid->at_type == AU_IPv6) 1181 ADD_MEM(dptr, &tid->at_addr[0], 4 * sizeof(u_int32_t)); 1182 else 1183 ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t)); 1184 1185 return (t); 1186} 1187 1188token_t * 1189au_to_subject64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, 1190 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid) 1191{ 1192 token_t *t; 1193 u_char *dptr = NULL; 1194 1195 KASSERT((tid->at_type == AU_IPv4) || (tid->at_type == AU_IPv6), 1196 ("au_to_subject64_ex: type %u", (unsigned int)tid->at_type)); 1197 1198 if (tid->at_type == AU_IPv4) 1199 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 1200 7 * sizeof(u_int32_t) + sizeof(u_int64_t) + 1201 2 * sizeof(u_int32_t)); 1202 else 1203 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 1204 7 * sizeof(u_int32_t) + sizeof(u_int64_t) + 1205 5 * sizeof(u_int32_t)); 1206 1207 ADD_U_CHAR(dptr, AUT_SUBJECT64_EX); 1208 ADD_U_INT32(dptr, auid); 1209 ADD_U_INT32(dptr, euid); 1210 ADD_U_INT32(dptr, egid); 1211 ADD_U_INT32(dptr, ruid); 1212 ADD_U_INT32(dptr, rgid); 1213 ADD_U_INT32(dptr, pid); 1214 ADD_U_INT32(dptr, sid); 1215 ADD_U_INT64(dptr, tid->at_port); 1216 ADD_U_INT32(dptr, tid->at_type); 1217 if (tid->at_type == AU_IPv6) 1218 ADD_MEM(dptr, &tid->at_addr[0], 4 * sizeof(u_int32_t)); 1219 else 1220 ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t)); 1221 1222 return (t); 1223} 1224 1225token_t * 1226au_to_subject_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, 1227 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid) 1228{ 1229 1230 return (au_to_subject32_ex(auid, euid, egid, ruid, rgid, pid, sid, 1231 tid)); 1232} 1233 1234#if !defined(_KERNEL) && !defined(KERNEL) && defined(HAVE_AUDIT_SYSCALLS) 1235/* 1236 * Collects audit information for the current process and creates a subject 1237 * token from it. 1238 */ 1239token_t * 1240au_to_me(void) 1241{ 1242 auditinfo_t auinfo; 1243 auditinfo_addr_t aia; 1244 1245 /* 1246 * Try to use getaudit_addr(2) first. If this kernel does not support 1247 * it, then fall back on to getaudit(2). 1248 */ 1249 if (getaudit_addr(&aia, sizeof(aia)) != 0) { 1250 if (errno == ENOSYS) { 1251 if (getaudit(&auinfo) != 0) 1252 return (NULL); 1253 return (au_to_subject32(auinfo.ai_auid, geteuid(), 1254 getegid(), getuid(), getgid(), getpid(), 1255 auinfo.ai_asid, &auinfo.ai_termid)); 1256 } else { 1257 /* getaudit_addr(2) failed for some other reason. */ 1258 return (NULL); 1259 } 1260 } 1261 1262 return (au_to_subject32_ex(aia.ai_auid, geteuid(), getegid(), getuid(), 1263 getgid(), getpid(), aia.ai_asid, &aia.ai_termid)); 1264} 1265#endif 1266 1267#if defined(_KERNEL) || defined(KERNEL) 1268static token_t * 1269au_to_exec_strings(char *strs, int count, u_char type) 1270{ 1271 token_t *t; 1272 u_char *dptr = NULL; 1273 u_int32_t totlen; 1274 int ctr; 1275 char *p; 1276 1277 totlen = 0; 1278 ctr = count; 1279 p = strs; 1280 while (ctr-- > 0) { 1281 totlen += strlen(p) + 1; 1282 p = strs + totlen; 1283 } 1284 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + totlen); 1285 ADD_U_CHAR(dptr, type); 1286 ADD_U_INT32(dptr, count); 1287 ADD_STRING(dptr, strs, totlen); 1288 1289 return (t); 1290} 1291 1292/* 1293 * token ID 1 byte 1294 * count 4 bytes 1295 * text count null-terminated strings 1296 */ 1297token_t * 1298au_to_exec_args(char *args, int argc) 1299{ 1300 1301 return (au_to_exec_strings(args, argc, AUT_EXEC_ARGS)); 1302} 1303 1304/* 1305 * token ID 1 byte 1306 * count 4 bytes 1307 * text count null-terminated strings 1308 */ 1309token_t * 1310au_to_exec_env(char *envs, int envc) 1311{ 1312 1313 return (au_to_exec_strings(envs, envc, AUT_EXEC_ENV)); 1314} 1315#else 1316/* 1317 * token ID 1 byte 1318 * count 4 bytes 1319 * text count null-terminated strings 1320 */ 1321token_t * 1322au_to_exec_args(char **argv) 1323{ 1324 token_t *t; 1325 u_char *dptr = NULL; 1326 const char *nextarg; 1327 int i, count = 0; 1328 size_t totlen = 0; 1329 1330 nextarg = *argv; 1331 1332 while (nextarg != NULL) { 1333 int nextlen; 1334 1335 nextlen = strlen(nextarg); 1336 totlen += nextlen + 1; 1337 count++; 1338 nextarg = *(argv + count); 1339 } 1340 1341 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + totlen); 1342 1343 ADD_U_CHAR(dptr, AUT_EXEC_ARGS); 1344 ADD_U_INT32(dptr, count); 1345 1346 for (i = 0; i < count; i++) { 1347 nextarg = *(argv + i); 1348 ADD_MEM(dptr, nextarg, strlen(nextarg) + 1); 1349 } 1350 1351 return (t); 1352} 1353 1354/* 1355 * token ID 1 byte 1356 * count 4 bytes 1357 * text count null-terminated strings 1358 */ 1359token_t * 1360au_to_exec_env(char **envp) 1361{ 1362 token_t *t; 1363 u_char *dptr = NULL; 1364 int i, count = 0; 1365 size_t totlen = 0; 1366 const char *nextenv; 1367 1368 nextenv = *envp; 1369 1370 while (nextenv != NULL) { 1371 int nextlen; 1372 1373 nextlen = strlen(nextenv); 1374 totlen += nextlen + 1; 1375 count++; 1376 nextenv = *(envp + count); 1377 } 1378 1379 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + totlen); 1380 1381 ADD_U_CHAR(dptr, AUT_EXEC_ENV); 1382 ADD_U_INT32(dptr, count); 1383 1384 for (i = 0; i < count; i++) { 1385 nextenv = *(envp + i); 1386 ADD_MEM(dptr, nextenv, strlen(nextenv) + 1); 1387 } 1388 1389 return (t); 1390} 1391#endif 1392 1393/* 1394 * token ID 1 byte 1395 * zonename length 2 bytes 1396 * zonename N bytes + 1 terminating NULL byte 1397 */ 1398token_t * 1399au_to_zonename(const char *zonename) 1400{ 1401 u_char *dptr = NULL; 1402 u_int16_t textlen; 1403 token_t *t; 1404 1405 textlen = strlen(zonename) + 1; 1406 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + textlen); 1407 1408 ADD_U_CHAR(dptr, AUT_ZONENAME); 1409 ADD_U_INT16(dptr, textlen); 1410 ADD_STRING(dptr, zonename, textlen); 1411 return (t); 1412} 1413 1414/* 1415 * token ID 1 byte 1416 * record byte count 4 bytes 1417 * version # 1 byte [2] 1418 * event type 2 bytes 1419 * event modifier 2 bytes 1420 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value) 1421 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value) 1422 */ 1423token_t * 1424au_to_header32_tm(int rec_size, au_event_t e_type, au_emod_t e_mod, 1425 struct timeval tm) 1426{ 1427 token_t *t; 1428 u_char *dptr = NULL; 1429 u_int32_t timems; 1430 1431 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + 1432 sizeof(u_char) + 2 * sizeof(u_int16_t) + 2 * sizeof(u_int32_t)); 1433 1434 ADD_U_CHAR(dptr, AUT_HEADER32); 1435 ADD_U_INT32(dptr, rec_size); 1436 ADD_U_CHAR(dptr, AUDIT_HEADER_VERSION_OPENBSM); 1437 ADD_U_INT16(dptr, e_type); 1438 ADD_U_INT16(dptr, e_mod); 1439 1440 timems = tm.tv_usec/1000; 1441 /* Add the timestamp */ 1442 ADD_U_INT32(dptr, tm.tv_sec); 1443 ADD_U_INT32(dptr, timems); /* We need time in ms. */ 1444 1445 return (t); 1446} 1447 1448/* 1449 * token ID 1 byte 1450 * record byte count 4 bytes 1451 * version # 1 byte [2] 1452 * event type 2 bytes 1453 * event modifier 2 bytes 1454 * address type/length 4 bytes 1455 * machine address 4 bytes/16 bytes (IPv4/IPv6 address) 1456 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value) 1457 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value) 1458 */ 1459token_t * 1460au_to_header32_ex_tm(int rec_size, au_event_t e_type, au_emod_t e_mod, 1461 struct timeval tm, struct auditinfo_addr *aia) 1462{ 1463 token_t *t; 1464 u_char *dptr = NULL; 1465 u_int32_t timems; 1466 au_tid_addr_t *tid; 1467 1468 tid = &aia->ai_termid; 1469 KASSERT(tid->at_type == AU_IPv4 || tid->at_type == AU_IPv6, 1470 ("au_to_header32_ex_tm: invalid address family")); 1471 1472 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + 1473 sizeof(u_char) + 2 * sizeof(u_int16_t) + 3 * 1474 sizeof(u_int32_t) + tid->at_type); 1475 1476 ADD_U_CHAR(dptr, AUT_HEADER32_EX); 1477 ADD_U_INT32(dptr, rec_size); 1478 ADD_U_CHAR(dptr, AUDIT_HEADER_VERSION_OPENBSM); 1479 ADD_U_INT16(dptr, e_type); 1480 ADD_U_INT16(dptr, e_mod); 1481 1482 ADD_U_INT32(dptr, tid->at_type); 1483 if (tid->at_type == AU_IPv6) 1484 ADD_MEM(dptr, &tid->at_addr[0], 4 * sizeof(u_int32_t)); 1485 else 1486 ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t)); 1487 timems = tm.tv_usec/1000; 1488 /* Add the timestamp */ 1489 ADD_U_INT32(dptr, tm.tv_sec); 1490 ADD_U_INT32(dptr, timems); /* We need time in ms. */ 1491 1492 return (t); 1493} 1494 1495token_t * 1496au_to_header64_tm(int rec_size, au_event_t e_type, au_emod_t e_mod, 1497 struct timeval tm) 1498{ 1499 token_t *t; 1500 u_char *dptr = NULL; 1501 u_int32_t timems; 1502 1503 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + 1504 sizeof(u_char) + 2 * sizeof(u_int16_t) + 2 * sizeof(u_int64_t)); 1505 1506 ADD_U_CHAR(dptr, AUT_HEADER64); 1507 ADD_U_INT32(dptr, rec_size); 1508 ADD_U_CHAR(dptr, AUDIT_HEADER_VERSION_OPENBSM); 1509 ADD_U_INT16(dptr, e_type); 1510 ADD_U_INT16(dptr, e_mod); 1511 1512 timems = tm.tv_usec/1000; 1513 /* Add the timestamp */ 1514 ADD_U_INT64(dptr, tm.tv_sec); 1515 ADD_U_INT64(dptr, timems); /* We need time in ms. */ 1516 1517 return (t); 1518} 1519 1520#if !defined(KERNEL) && !defined(_KERNEL) 1521#ifdef HAVE_AUDIT_SYSCALLS 1522token_t * 1523au_to_header32_ex(int rec_size, au_event_t e_type, au_emod_t e_mod) 1524{ 1525 struct timeval tm; 1526 struct auditinfo_addr aia; 1527 1528 if (gettimeofday(&tm, NULL) == -1) 1529 return (NULL); 1530 if (audit_get_kaudit(&aia, sizeof(aia)) != 0) { 1531 if (errno != ENOSYS) 1532 return (NULL); 1533 return (au_to_header32_tm(rec_size, e_type, e_mod, tm)); 1534 } 1535 return (au_to_header32_ex_tm(rec_size, e_type, e_mod, tm, &aia)); 1536} 1537#endif /* HAVE_AUDIT_SYSCALLS */ 1538 1539token_t * 1540au_to_header32(int rec_size, au_event_t e_type, au_emod_t e_mod) 1541{ 1542 struct timeval tm; 1543 1544 if (gettimeofday(&tm, NULL) == -1) 1545 return (NULL); 1546 return (au_to_header32_tm(rec_size, e_type, e_mod, tm)); 1547} 1548 1549token_t * 1550au_to_header64(__unused int rec_size, __unused au_event_t e_type, 1551 __unused au_emod_t e_mod) 1552{ 1553 struct timeval tm; 1554 1555 if (gettimeofday(&tm, NULL) == -1) 1556 return (NULL); 1557 return (au_to_header64_tm(rec_size, e_type, e_mod, tm)); 1558} 1559 1560token_t * 1561au_to_header(int rec_size, au_event_t e_type, au_emod_t e_mod) 1562{ 1563 1564 return (au_to_header32(rec_size, e_type, e_mod)); 1565} 1566 1567#ifdef HAVE_AUDIT_SYSCALLS 1568token_t * 1569au_to_header_ex(int rec_size, au_event_t e_type, au_emod_t e_mod) 1570{ 1571 1572 return (au_to_header32_ex(rec_size, e_type, e_mod)); 1573} 1574#endif /* HAVE_AUDIT_SYSCALLS */ 1575#endif /* !defined(KERNEL) && !defined(_KERNEL) */ 1576 1577/* 1578 * token ID 1 byte 1579 * trailer magic number 2 bytes 1580 * record byte count 4 bytes 1581 */ 1582token_t * 1583au_to_trailer(int rec_size) 1584{ 1585 token_t *t; 1586 u_char *dptr = NULL; 1587 u_int16_t magic = AUT_TRAILER_MAGIC; 1588 1589 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + 1590 sizeof(u_int32_t)); 1591 1592 ADD_U_CHAR(dptr, AUT_TRAILER); 1593 ADD_U_INT16(dptr, magic); 1594 ADD_U_INT32(dptr, rec_size); 1595 1596 return (t); 1597} 1598