bsm_io.c revision 155131
1/* 2 * Copyright (c) 2004 Apple Computer, Inc. 3 * Copyright (c) 2005 SPARTA, Inc. 4 * Copyright (c) 2006 Robert N. M. Watson 5 * All rights reserved. 6 * 7 * This code was developed in part by Robert N. M. Watson, Senior Principal 8 * Scientist, SPARTA, Inc. 9 * 10 * Redistribution and use in source and binary forms, with or without 11 * modification, are permitted provided that the following conditions 12 * are met: 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of 19 * its contributors may be used to endorse or promote products derived 20 * from this software without specific prior written permission. 21 * 22 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND 23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 25 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR 26 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 30 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 31 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 32 * POSSIBILITY OF SUCH DAMAGE. 33 * 34 * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_io.c#29 $ 35 */ 36 37#include <sys/types.h> 38#ifdef __APPLE__ 39#include <compat/endian.h> 40#else /* !__APPLE__ */ 41#include <sys/endian.h> 42#endif /* __APPLE__*/ 43#include <sys/stat.h> 44#include <sys/socket.h> 45 46#include <bsm/libbsm.h> 47 48#include <unistd.h> 49#include <netinet/in.h> 50#include <arpa/inet.h> 51#include <errno.h> 52#include <time.h> 53#include <stdlib.h> 54#include <stdio.h> 55#include <string.h> 56#include <pwd.h> 57#include <grp.h> 58 59#include <bsm/audit_internal.h> 60 61#define READ_TOKEN_BYTES(buf, len, dest, size, bytesread, err) do { \ 62 if (bytesread + size > len) { \ 63 err = 1; \ 64 } else { \ 65 memcpy(dest, buf + bytesread, size); \ 66 bytesread += size; \ 67 } \ 68} while (0) 69 70#define READ_TOKEN_U_CHAR(buf, len, dest, bytesread, err) do { \ 71 if (bytesread + sizeof(u_char) <= len) { \ 72 dest = buf[bytesread]; \ 73 bytesread += sizeof(u_char); \ 74 } else \ 75 err = 1; \ 76} while (0) 77 78#define READ_TOKEN_U_INT16(buf, len, dest, bytesread, err) do { \ 79 if (bytesread + sizeof(u_int16_t) <= len) { \ 80 dest = be16dec(buf + bytesread); \ 81 bytesread += sizeof(u_int16_t); \ 82 } else \ 83 err = 1; \ 84} while (0) 85 86#define READ_TOKEN_U_INT32(buf, len, dest, bytesread, err) do { \ 87 if (bytesread + sizeof(u_int32_t) <= len) { \ 88 dest = be32dec(buf + bytesread); \ 89 bytesread += sizeof(u_int32_t); \ 90 } else \ 91 err = 1; \ 92} while (0) 93 94#define READ_TOKEN_U_INT64(buf, len, dest, bytesread, err) do { \ 95 if (bytesread + sizeof(u_int64_t) <= len) { \ 96 dest = be64dec(buf + bytesread); \ 97 bytesread += sizeof(u_int64_t); \ 98 } else \ 99 err = 1; \ 100} while (0) 101 102#define SET_PTR(buf, len, ptr, size, bytesread, err) do { \ 103 if ((bytesread) + (size) > (len)) \ 104 (err) = 1; \ 105 else { \ 106 (ptr) = (buf) + (bytesread); \ 107 (bytesread) += (size); \ 108 } \ 109} while (0) 110 111/* 112 * Prints the delimiter string. 113 */ 114static void 115print_delim(FILE *fp, const char *del) 116{ 117 118 fprintf(fp, "%s", del); 119} 120 121/* 122 * Prints a single byte in the given format. 123 */ 124static void 125print_1_byte(FILE *fp, u_char val, const char *format) 126{ 127 128 fprintf(fp, format, val); 129} 130 131/* 132 * Print 2 bytes in the given format. 133 */ 134static void 135print_2_bytes(FILE *fp, u_int16_t val, const char *format) 136{ 137 138 fprintf(fp, format, val); 139} 140 141/* 142 * Prints 4 bytes in the given format. 143 */ 144static void 145print_4_bytes(FILE *fp, u_int32_t val, const char *format) 146{ 147 148 fprintf(fp, format, val); 149} 150 151/* 152 * Prints 8 bytes in the given format. 153 */ 154static void 155print_8_bytes(FILE *fp, u_int64_t val, const char *format) 156{ 157 158 fprintf(fp, format, val); 159} 160 161/* 162 * Prints the given size of data bytes in hex. 163 */ 164static void 165print_mem(FILE *fp, u_char *data, size_t len) 166{ 167 int i; 168 169 if (len > 0) { 170 fprintf(fp, "0x"); 171 for (i = 0; i < len; i++) 172 fprintf(fp, "%x", data[i]); 173 } 174} 175 176/* 177 * Prints the given data bytes as a string. 178 */ 179static void 180print_string(FILE *fp, u_char *str, size_t len) 181{ 182 int i; 183 184 if (len > 0) { 185 for (i = 0; i < len; i++) { 186 if (str[i] != '\0') 187 fprintf(fp, "%c", str[i]); 188 } 189 } 190} 191 192/* 193 * Prints the token type in either the raw or the default form. 194 */ 195static void 196print_tok_type(FILE *fp, u_char type, const char *tokname, char raw) 197{ 198 199 if (raw) 200 fprintf(fp, "%u", type); 201 else 202 fprintf(fp, "%s", tokname); 203} 204 205/* 206 * Prints a user value. 207 */ 208static void 209print_user(FILE *fp, u_int32_t usr, char raw) 210{ 211 struct passwd *pwent; 212 213 if (raw) 214 fprintf(fp, "%d", usr); 215 else { 216 pwent = getpwuid(usr); 217 if (pwent != NULL) 218 fprintf(fp, "%s", pwent->pw_name); 219 else 220 fprintf(fp, "%d", usr); 221 } 222} 223 224/* 225 * Prints a group value. 226 */ 227static void 228print_group(FILE *fp, u_int32_t grp, char raw) 229{ 230 struct group *grpent; 231 232 if (raw) 233 fprintf(fp, "%d", grp); 234 else { 235 grpent = getgrgid(grp); 236 if (grpent != NULL) 237 fprintf(fp, "%s", grpent->gr_name); 238 else 239 fprintf(fp, "%d", grp); 240 } 241} 242 243/* 244 * Prints the event from the header token in either the short, default or raw 245 * form. 246 */ 247static void 248print_event(FILE *fp, u_int16_t ev, char raw, char sfrm) 249{ 250 char event_ent_name[AU_EVENT_NAME_MAX]; 251 char event_ent_desc[AU_EVENT_DESC_MAX]; 252 struct au_event_ent e, *ep; 253 254 bzero(&e, sizeof(e)); 255 bzero(event_ent_name, sizeof(event_ent_name)); 256 bzero(event_ent_desc, sizeof(event_ent_desc)); 257 e.ae_name = event_ent_name; 258 e.ae_desc = event_ent_desc; 259 260 ep = getauevnum_r(&e, ev); 261 if (ep == NULL) { 262 fprintf(fp, "%u", ev); 263 return; 264 } 265 266 if (raw) 267 fprintf(fp, "%u", ev); 268 else if (sfrm) 269 fprintf(fp, "%s", e.ae_name); 270 else 271 fprintf(fp, "%s", e.ae_desc); 272} 273 274 275/* 276 * Prints the event modifier from the header token in either the default or 277 * raw form. 278 */ 279static void 280print_evmod(FILE *fp, u_int16_t evmod, char raw) 281{ 282 if (raw) 283 fprintf(fp, "%u", evmod); 284 else 285 fprintf(fp, "%u", evmod); 286} 287 288/* 289 * Prints seconds in the ctime format. 290 */ 291static void 292print_sec32(FILE *fp, u_int32_t sec, char raw) 293{ 294 time_t timestamp; 295 char timestr[26]; 296 297 if (raw) 298 fprintf(fp, "%u", sec); 299 else { 300 timestamp = (time_t)sec; 301 ctime_r(×tamp, timestr); 302 timestr[24] = '\0'; /* No new line */ 303 fprintf(fp, "%s", timestr); 304 } 305} 306 307/* 308 * XXXRW: 64-bit token streams make use of 64-bit time stamps; since we 309 * assume a 32-bit time_t, we simply truncate for now. 310 */ 311static void 312print_sec64(FILE *fp, u_int64_t sec, char raw) 313{ 314 time_t timestamp; 315 char timestr[26]; 316 317 if (raw) 318 fprintf(fp, "%u", (u_int32_t)sec); 319 else { 320 timestamp = (time_t)sec; 321 ctime_r(×tamp, timestr); 322 timestr[24] = '\0'; /* No new line */ 323 fprintf(fp, "%s", timestr); 324 } 325} 326 327/* 328 * Prints the excess milliseconds. 329 */ 330static void 331print_msec32(FILE *fp, u_int32_t msec, char raw) 332{ 333 if (raw) 334 fprintf(fp, "%u", msec); 335 else 336 fprintf(fp, " + %u msec", msec); 337} 338 339/* 340 * XXXRW: 64-bit token streams make use of 64-bit time stamps; since we assume 341 * a 32-bit msec, we simply truncate for now. 342 */ 343static void 344print_msec64(FILE *fp, u_int64_t msec, char raw) 345{ 346 347 msec &= 0xffffffff; 348 if (raw) 349 fprintf(fp, "%u", (u_int32_t)msec); 350 else 351 fprintf(fp, " + %u msec", (u_int32_t)msec); 352} 353 354/* 355 * Prints a dotted form for the IP address. 356 */ 357static void 358print_ip_address(FILE *fp, u_int32_t ip) 359{ 360 struct in_addr ipaddr; 361 362 ipaddr.s_addr = ip; 363 fprintf(fp, "%s", inet_ntoa(ipaddr)); 364} 365 366/* 367 * Prints a string value for the given ip address. 368 */ 369static void 370print_ip_ex_address(FILE *fp, u_int32_t type, u_int32_t *ipaddr) 371{ 372 struct in_addr ipv4; 373 struct in6_addr ipv6; 374 char dst[INET6_ADDRSTRLEN]; 375 376 switch (type) { 377 case AU_IPv4: 378 ipv4.s_addr = (in_addr_t)(ipaddr[0]); 379 fprintf(fp, "%s", inet_ntop(AF_INET, &ipv4, dst, 380 INET6_ADDRSTRLEN)); 381 break; 382 383 case AU_IPv6: 384 ipv6.__u6_addr.__u6_addr32[0] = ipaddr[0]; 385 ipv6.__u6_addr.__u6_addr32[1] = ipaddr[1]; 386 ipv6.__u6_addr.__u6_addr32[2] = ipaddr[2]; 387 ipv6.__u6_addr.__u6_addr32[3] = ipaddr[3]; 388 fprintf(fp, "%s", inet_ntop(AF_INET6, &ipv6, dst, 389 INET6_ADDRSTRLEN)); 390 break; 391 392 default: 393 fprintf(fp, "invalid"); 394 } 395} 396 397/* 398 * Prints return value as success or failure. 399 */ 400static void 401print_retval(FILE *fp, u_char status, char raw) 402{ 403 if (raw) 404 fprintf(fp, "%u", status); 405 else { 406 if (status == 0) 407 fprintf(fp, "success"); 408 else 409 fprintf(fp, "failure : %s", strerror(status)); 410 } 411} 412 413/* 414 * Prints the exit value. 415 */ 416static void 417print_errval(FILE *fp, u_int32_t val) 418{ 419 420 fprintf(fp, "Error %u", val); 421} 422 423/* 424 * Prints IPC type. 425 */ 426static void 427print_ipctype(FILE *fp, u_char type, char raw) 428{ 429 if (raw) 430 fprintf(fp, "%u", type); 431 else { 432 if (type == AT_IPC_MSG) 433 fprintf(fp, "Message IPC"); 434 else if (type == AT_IPC_SEM) 435 fprintf(fp, "Semaphore IPC"); 436 else if (type == AT_IPC_SHM) 437 fprintf(fp, "Shared Memory IPC"); 438 else 439 fprintf(fp, "%u", type); 440 } 441} 442 443/* 444 * record byte count 4 bytes 445 * version # 1 byte [2] 446 * event type 2 bytes 447 * event modifier 2 bytes 448 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value) 449 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value) 450 */ 451static int 452fetch_header32_tok(tokenstr_t *tok, char *buf, int len) 453{ 454 int err = 0; 455 456 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.size, tok->len, err); 457 if (err) 458 return (-1); 459 460 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr32.version, tok->len, err); 461 if (err) 462 return (-1); 463 464 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32.e_type, tok->len, err); 465 if (err) 466 return (-1); 467 468 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32.e_mod, tok->len, err); 469 if (err) 470 return (-1); 471 472 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.s, tok->len, err); 473 if (err) 474 return (-1); 475 476 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.ms, tok->len, err); 477 if (err) 478 return (-1); 479 480 return (0); 481} 482 483static void 484print_header32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm) 485{ 486 487 print_tok_type(fp, tok->id, "header", raw); 488 print_delim(fp, del); 489 print_4_bytes(fp, tok->tt.hdr32.size, "%u"); 490 print_delim(fp, del); 491 print_1_byte(fp, tok->tt.hdr32.version, "%u"); 492 print_delim(fp, del); 493 print_event(fp, tok->tt.hdr32.e_type, raw, sfrm); 494 print_delim(fp, del); 495 print_evmod(fp, tok->tt.hdr32.e_mod, raw); 496 print_delim(fp, del); 497 print_sec32(fp, tok->tt.hdr32.s, raw); 498 print_delim(fp, del); 499 print_msec32(fp, tok->tt.hdr32.ms, raw); 500} 501 502/* 503 * The Solaris specifications for AUE_HEADER32_EX seem to differ a bit 504 * depending on the bit of the specifications found. The OpenSolaris source 505 * code uses a 4-byte address length, followed by some number of bytes of 506 * address data. This contrasts with the Solaris audit.log.5 man page, which 507 * specifies a 1-byte length field. We use the Solaris 10 definition so that 508 * we can parse audit trails from that system. 509 * 510 * record byte count 4 bytes 511 * version # 1 byte [2] 512 * event type 2 bytes 513 * event modifier 2 bytes 514 * address type/length 4 bytes 515 * [ Solaris man page: address type/length 1 byte] 516 * machine address 4 bytes/16 bytes (IPv4/IPv6 address) 517 * seconds of time 4 bytes/8 bytes (32/64-bits) 518 * nanoseconds of time 4 bytes/8 bytes (32/64-bits) 519 */ 520static int 521fetch_header32_ex_tok(tokenstr_t *tok, char *buf, int len) 522{ 523 int err = 0; 524 525 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.size, tok->len, err); 526 if (err) 527 return (-1); 528 529 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr32_ex.version, tok->len, err); 530 if (err) 531 return (-1); 532 533 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32_ex.e_type, tok->len, err); 534 if (err) 535 return (-1); 536 537 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32_ex.e_mod, tok->len, err); 538 if (err) 539 return (-1); 540 541 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.ad_type, tok->len, err); 542 if (err) 543 return (-1); 544 545 bzero(tok->tt.hdr32_ex.addr, sizeof(tok->tt.hdr32_ex.addr)); 546 switch (tok->tt.hdr32_ex.ad_type) { 547 case AU_IPv4: 548 READ_TOKEN_BYTES(buf, len, &tok->tt.hdr32_ex.addr[0], 549 sizeof(tok->tt.hdr32_ex.addr[0]), tok->len, err); 550 if (err) 551 return (-1); 552 break; 553 554 case AU_IPv6: 555 READ_TOKEN_BYTES(buf, len, tok->tt.hdr32_ex.addr, 556 sizeof(tok->tt.hdr32_ex.addr), tok->len, err); 557 break; 558 } 559 560 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.s, tok->len, err); 561 if (err) 562 return (-1); 563 564 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.ms, tok->len, err); 565 if (err) 566 return (-1); 567 568 return (0); 569} 570 571static void 572print_header32_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 573 char sfrm) 574{ 575 576 print_tok_type(fp, tok->id, "header_ex", raw); 577 print_delim(fp, del); 578 print_4_bytes(fp, tok->tt.hdr32_ex.size, "%u"); 579 print_delim(fp, del); 580 print_1_byte(fp, tok->tt.hdr32_ex.version, "%u"); 581 print_delim(fp, del); 582 print_event(fp, tok->tt.hdr32_ex.e_type, raw, sfrm); 583 print_delim(fp, del); 584 print_evmod(fp, tok->tt.hdr32_ex.e_mod, raw); 585 print_delim(fp, del); 586 print_ip_ex_address(fp, tok->tt.hdr32_ex.ad_type, 587 tok->tt.hdr32_ex.addr); 588 print_delim(fp, del); 589 print_sec32(fp, tok->tt.hdr32_ex.s, raw); 590 print_delim(fp, del); 591 print_msec32(fp, tok->tt.hdr32_ex.ms, raw); 592} 593 594/* 595 * record byte count 4 bytes 596 * event type 2 bytes 597 * event modifier 2 bytes 598 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value) 599 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value) 600 * version # 601 */ 602static int 603fetch_header64_tok(tokenstr_t *tok, char *buf, int len) 604{ 605 int err = 0; 606 607 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64.size, tok->len, err); 608 if (err) 609 return (-1); 610 611 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr64.version, tok->len, err); 612 if (err) 613 return (-1); 614 615 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64.e_type, tok->len, err); 616 if (err) 617 return (-1); 618 619 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64.e_mod, tok->len, err); 620 if (err) 621 return (-1); 622 623 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64.s, tok->len, err); 624 if (err) 625 return (-1); 626 627 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64.ms, tok->len, err); 628 if (err) 629 return (-1); 630 631 return (0); 632} 633 634static void 635print_header64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm) 636{ 637 638 print_tok_type(fp, tok->id, "header", raw); 639 print_delim(fp, del); 640 print_4_bytes(fp, tok->tt.hdr64.size, "%u"); 641 print_delim(fp, del); 642 print_1_byte(fp, tok->tt.hdr64.version, "%u"); 643 print_delim(fp, del); 644 print_event(fp, tok->tt.hdr64.e_type, raw, sfrm); 645 print_delim(fp, del); 646 print_evmod(fp, tok->tt.hdr64.e_mod, raw); 647 print_delim(fp, del); 648 print_sec64(fp, tok->tt.hdr64.s, raw); 649 print_delim(fp, del); 650 print_msec64(fp, tok->tt.hdr64.ms, raw); 651} 652/* 653 * record byte count 4 bytes 654 * version # 1 byte [2] 655 * event type 2 bytes 656 * event modifier 2 bytes 657 * address type/length 4 bytes 658 * [ Solaris man page: address type/length 1 byte] 659 * machine address 4 bytes/16 bytes (IPv4/IPv6 address) 660 * seconds of time 4 bytes/8 bytes (32/64-bits) 661 * nanoseconds of time 4 bytes/8 bytes (32/64-bits) 662 * 663 * XXXAUDIT: See comment by fetch_header32_ex_tok() for details on the 664 * accuracy of the BSM spec. 665 */ 666static int 667fetch_header64_ex_tok(tokenstr_t *tok, char *buf, int len) 668{ 669 int err = 0; 670 671 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64_ex.size, tok->len, err); 672 if (err) 673 return (-1); 674 675 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr64_ex.version, tok->len, err); 676 if (err) 677 return (-1); 678 679 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64_ex.e_type, tok->len, err); 680 if (err) 681 return (-1); 682 683 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64_ex.e_mod, tok->len, err); 684 if (err) 685 return (-1); 686 687 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64_ex.ad_type, tok->len, err); 688 if (err) 689 return (-1); 690 691 bzero(tok->tt.hdr64_ex.addr, sizeof(tok->tt.hdr64_ex.addr)); 692 switch (tok->tt.hdr64_ex.ad_type) { 693 case AU_IPv4: 694 READ_TOKEN_BYTES(buf, len, &tok->tt.hdr64_ex.addr[0], 695 sizeof(tok->tt.hdr64_ex.addr[0]), tok->len, err); 696 if (err) 697 return (-1); 698 break; 699 700 case AU_IPv6: 701 READ_TOKEN_BYTES(buf, len, tok->tt.hdr64_ex.addr, 702 sizeof(tok->tt.hdr64_ex.addr), tok->len, err); 703 break; 704 } 705 706 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64_ex.s, tok->len, err); 707 if (err) 708 return (-1); 709 710 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64_ex.ms, tok->len, err); 711 if (err) 712 return (-1); 713 714 return (0); 715} 716 717static void 718print_header64_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm) 719{ 720 721 print_tok_type(fp, tok->id, "header_ex", raw); 722 print_delim(fp, del); 723 print_4_bytes(fp, tok->tt.hdr64_ex.size, "%u"); 724 print_delim(fp, del); 725 print_1_byte(fp, tok->tt.hdr64_ex.version, "%u"); 726 print_delim(fp, del); 727 print_event(fp, tok->tt.hdr64_ex.e_type, raw, sfrm); 728 print_delim(fp, del); 729 print_evmod(fp, tok->tt.hdr64_ex.e_mod, raw); 730 print_delim(fp, del); 731 print_ip_ex_address(fp, tok->tt.hdr64_ex.ad_type, 732 tok->tt.hdr64_ex.addr); 733 print_delim(fp, del); 734 print_sec64(fp, tok->tt.hdr64_ex.s, raw); 735 print_delim(fp, del); 736 print_msec64(fp, tok->tt.hdr64_ex.ms, raw); 737} 738 739/* 740 * trailer magic 2 bytes 741 * record size 4 bytes 742 */ 743static int 744fetch_trailer_tok(tokenstr_t *tok, char *buf, int len) 745{ 746 int err = 0; 747 748 READ_TOKEN_U_INT16(buf, len, tok->tt.trail.magic, tok->len, err); 749 if (err) 750 return (-1); 751 752 READ_TOKEN_U_INT32(buf, len, tok->tt.trail.count, tok->len, err); 753 if (err) 754 return (-1); 755 756 return (0); 757} 758 759static void 760print_trailer_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 761 __unused char sfrm) 762{ 763 764 print_tok_type(fp, tok->id, "trailer", raw); 765 print_delim(fp, del); 766 print_4_bytes(fp, tok->tt.trail.count, "%u"); 767} 768 769/* 770 * argument # 1 byte 771 * argument value 4 bytes/8 bytes (32-bit/64-bit value) 772 * text length 2 bytes 773 * text N bytes + 1 terminating NULL byte 774 */ 775static int 776fetch_arg32_tok(tokenstr_t *tok, char *buf, int len) 777{ 778 int err = 0; 779 780 READ_TOKEN_U_CHAR(buf, len, tok->tt.arg32.no, tok->len, err); 781 if (err) 782 return (-1); 783 784 READ_TOKEN_U_INT32(buf, len, tok->tt.arg32.val, tok->len, err); 785 if (err) 786 return (-1); 787 788 READ_TOKEN_U_INT16(buf, len, tok->tt.arg32.len, tok->len, err); 789 if (err) 790 return (-1); 791 792 SET_PTR(buf, len, tok->tt.arg32.text, tok->tt.arg32.len, tok->len, 793 err); 794 if (err) 795 return (-1); 796 797 return (0); 798} 799 800static void 801print_arg32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 802 __unused char sfrm) 803{ 804 805 print_tok_type(fp, tok->id, "argument", raw); 806 print_delim(fp, del); 807 print_1_byte(fp, tok->tt.arg32.no, "%u"); 808 print_delim(fp, del); 809 print_4_bytes(fp, tok->tt.arg32.val, "%#x"); 810 print_delim(fp, del); 811 print_string(fp, tok->tt.arg32.text, tok->tt.arg32.len); 812} 813 814static int 815fetch_arg64_tok(tokenstr_t *tok, char *buf, int len) 816{ 817 int err = 0; 818 819 READ_TOKEN_U_CHAR(buf, len, tok->tt.arg64.no, tok->len, err); 820 if (err) 821 return (-1); 822 823 READ_TOKEN_U_INT64(buf, len, tok->tt.arg64.val, tok->len, err); 824 if (err) 825 return (-1); 826 827 READ_TOKEN_U_INT16(buf, len, tok->tt.arg64.len, tok->len, err); 828 if (err) 829 return (-1); 830 831 SET_PTR(buf, len, tok->tt.arg64.text, tok->tt.arg64.len, tok->len, 832 err); 833 if (err) 834 return (-1); 835 836 return (0); 837} 838 839static void 840print_arg64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 841 __unused char sfrm) 842{ 843 844 print_tok_type(fp, tok->id, "argument", raw); 845 print_delim(fp, del); 846 print_1_byte(fp, tok->tt.arg64.no, "%u"); 847 print_delim(fp, del); 848 print_8_bytes(fp, tok->tt.arg64.val, "%#llx"); 849 print_delim(fp, del); 850 print_string(fp, tok->tt.arg64.text, tok->tt.arg64.len); 851} 852 853/* 854 * how to print 1 byte 855 * basic unit 1 byte 856 * unit count 1 byte 857 * data items (depends on basic unit) 858 */ 859static int 860fetch_arb_tok(tokenstr_t *tok, char *buf, int len) 861{ 862 int err = 0; 863 int datasize; 864 865 READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.howtopr, tok->len, err); 866 if (err) 867 return (-1); 868 869 READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.bu, tok->len, err); 870 if (err) 871 return (-1); 872 873 READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.uc, tok->len, err); 874 if (err) 875 return (-1); 876 877 /* 878 * Determine the size of the basic unit. 879 */ 880 switch(tok->tt.arb.bu) { 881 case AUR_BYTE: 882 datasize = AUR_BYTE_SIZE; 883 break; 884 885 case AUR_SHORT: 886 datasize = AUR_SHORT_SIZE; 887 break; 888 889 case AUR_LONG: 890 datasize = AUR_LONG_SIZE; 891 break; 892 893 default: 894 return (-1); 895 } 896 897 SET_PTR(buf, len, tok->tt.arb.data, datasize * tok->tt.arb.uc, 898 tok->len, err); 899 if (err) 900 return (-1); 901 902 return (0); 903} 904 905static void 906print_arb_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 907 __unused char sfrm) 908{ 909 char *str; 910 char *format; 911 size_t size; 912 int i; 913 914 print_tok_type(fp, tok->id, "arbitrary", raw); 915 print_delim(fp, del); 916 917 switch(tok->tt.arb.howtopr) { 918 case AUP_BINARY: 919 str = "binary"; 920 format = " %c"; 921 break; 922 923 case AUP_OCTAL: 924 str = "octal"; 925 format = " %o"; 926 break; 927 928 case AUP_DECIMAL: 929 str = "decimal"; 930 format = " %d"; 931 break; 932 933 case AUP_HEX: 934 str = "hex"; 935 format = " %x"; 936 break; 937 938 case AUP_STRING: 939 str = "string"; 940 format = "%c"; 941 break; 942 943 default: 944 return; 945 } 946 947 print_string(fp, str, strlen(str)); 948 print_delim(fp, del); 949 switch(tok->tt.arb.bu) { 950 case AUR_BYTE: 951 str = "byte"; 952 size = AUR_BYTE_SIZE; 953 print_string(fp, str, strlen(str)); 954 print_delim(fp, del); 955 print_1_byte(fp, tok->tt.arb.uc, "%u"); 956 print_delim(fp, del); 957 for (i = 0; i<tok->tt.arb.uc; i++) 958 fprintf(fp, format, *(tok->tt.arb.data + (size * i))); 959 break; 960 961 case AUR_SHORT: 962 str = "short"; 963 size = AUR_SHORT_SIZE; 964 print_string(fp, str, strlen(str)); 965 print_delim(fp, del); 966 print_1_byte(fp, tok->tt.arb.uc, "%u"); 967 print_delim(fp, del); 968 for (i = 0; i<tok->tt.arb.uc; i++) 969 fprintf(fp, format, *((u_int16_t *)(tok->tt.arb.data + 970 (size * i)))); 971 break; 972 973 case AUR_LONG: 974 str = "int"; 975 size = AUR_LONG_SIZE; 976 print_string(fp, str, strlen(str)); 977 print_delim(fp, del); 978 print_1_byte(fp, tok->tt.arb.uc, "%u"); 979 print_delim(fp, del); 980 for (i = 0; i<tok->tt.arb.uc; i++) 981 fprintf(fp, format, *((u_int32_t *)(tok->tt.arb.data + 982 (size * i)))); 983 break; 984 985 default: 986 return; 987 } 988} 989 990/* 991 * file access mode 4 bytes 992 * owner user ID 4 bytes 993 * owner group ID 4 bytes 994 * file system ID 4 bytes 995 * node ID 8 bytes 996 * device 4 bytes/8 bytes (32-bit/64-bit) 997 */ 998static int 999fetch_attr32_tok(tokenstr_t *tok, char *buf, int len) 1000{ 1001 int err = 0; 1002 1003 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.mode, tok->len, err); 1004 if (err) 1005 return (-1); 1006 1007 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.uid, tok->len, err); 1008 if (err) 1009 return (-1); 1010 1011 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.gid, tok->len, err); 1012 if (err) 1013 return (-1); 1014 1015 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.fsid, tok->len, err); 1016 if (err) 1017 return (-1); 1018 1019 READ_TOKEN_U_INT64(buf, len, tok->tt.attr32.nid, tok->len, err); 1020 if (err) 1021 return (-1); 1022 1023 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.dev, tok->len, err); 1024 if (err) 1025 return (-1); 1026 1027 return (0); 1028} 1029 1030static void 1031print_attr32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1032 __unused char sfrm) 1033{ 1034 1035 print_tok_type(fp, tok->id, "attribute", raw); 1036 print_delim(fp, del); 1037 print_4_bytes(fp, tok->tt.attr32.mode, "%o"); 1038 print_delim(fp, del); 1039 print_user(fp, tok->tt.attr32.uid, raw); 1040 print_delim(fp, del); 1041 print_group(fp, tok->tt.attr32.gid, raw); 1042 print_delim(fp, del); 1043 print_4_bytes(fp, tok->tt.attr32.fsid, "%u"); 1044 print_delim(fp, del); 1045 print_8_bytes(fp, tok->tt.attr32.nid, "%lld"); 1046 print_delim(fp, del); 1047 print_4_bytes(fp, tok->tt.attr32.dev, "%u"); 1048} 1049 1050/* 1051 * file access mode 4 bytes 1052 * owner user ID 4 bytes 1053 * owner group ID 4 bytes 1054 * file system ID 4 bytes 1055 * node ID 8 bytes 1056 * device 4 bytes/8 bytes (32-bit/64-bit) 1057 */ 1058static int 1059fetch_attr64_tok(tokenstr_t *tok, char *buf, int len) 1060{ 1061 int err = 0; 1062 1063 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.mode, tok->len, err); 1064 if (err) 1065 return (-1); 1066 1067 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.uid, tok->len, err); 1068 if (err) 1069 return (-1); 1070 1071 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.gid, tok->len, err); 1072 if (err) 1073 return (-1); 1074 1075 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.fsid, tok->len, err); 1076 if (err) 1077 return (-1); 1078 1079 READ_TOKEN_U_INT64(buf, len, tok->tt.attr64.nid, tok->len, err); 1080 if (err) 1081 return (-1); 1082 1083 READ_TOKEN_U_INT64(buf, len, tok->tt.attr64.dev, tok->len, err); 1084 if (err) 1085 return (-1); 1086 1087 return (0); 1088} 1089 1090static void 1091print_attr64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1092 __unused char sfrm) 1093{ 1094 1095 print_tok_type(fp, tok->id, "attribute", raw); 1096 print_delim(fp, del); 1097 print_4_bytes(fp, tok->tt.attr64.mode, "%o"); 1098 print_delim(fp, del); 1099 print_user(fp, tok->tt.attr64.uid, raw); 1100 print_delim(fp, del); 1101 print_group(fp, tok->tt.attr64.gid, raw); 1102 print_delim(fp, del); 1103 print_4_bytes(fp, tok->tt.attr64.fsid, "%u"); 1104 print_delim(fp, del); 1105 print_8_bytes(fp, tok->tt.attr64.nid, "%lld"); 1106 print_delim(fp, del); 1107 print_8_bytes(fp, tok->tt.attr64.dev, "%llu"); 1108} 1109 1110/* 1111 * status 4 bytes 1112 * return value 4 bytes 1113 */ 1114static int 1115fetch_exit_tok(tokenstr_t *tok, char *buf, int len) 1116{ 1117 int err = 0; 1118 1119 READ_TOKEN_U_INT32(buf, len, tok->tt.exit.status, tok->len, err); 1120 if (err) 1121 return (-1); 1122 1123 READ_TOKEN_U_INT32(buf, len, tok->tt.exit.ret, tok->len, err); 1124 if (err) 1125 return (-1); 1126 1127 return (0); 1128} 1129 1130static void 1131print_exit_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1132 __unused char sfrm) 1133{ 1134 1135 print_tok_type(fp, tok->id, "exit", raw); 1136 print_delim(fp, del); 1137 print_errval(fp, tok->tt.exit.status); 1138 print_delim(fp, del); 1139 print_4_bytes(fp, tok->tt.exit.ret, "%u"); 1140} 1141 1142/* 1143 * count 4 bytes 1144 * text count null-terminated string(s) 1145 */ 1146static int 1147fetch_execarg_tok(tokenstr_t *tok, char *buf, int len) 1148{ 1149 int err = 0; 1150 int i; 1151 char *bptr; 1152 1153 READ_TOKEN_U_INT32(buf, len, tok->tt.execarg.count, tok->len, err); 1154 if (err) 1155 return (-1); 1156 1157 for (i = 0; i < tok->tt.execarg.count; i++) { 1158 bptr = buf + tok->len; 1159 tok->tt.execarg.text[i] = bptr; 1160 1161 /* Look for a null terminated string. */ 1162 while (bptr && (*bptr != '\0')) { 1163 if (++tok->len >=len) 1164 return (-1); 1165 bptr = buf + tok->len; 1166 } 1167 if (!bptr) 1168 return (-1); 1169 tok->len++; /* \0 character */ 1170 } 1171 1172 return (0); 1173} 1174 1175static void 1176print_execarg_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1177 __unused char sfrm) 1178{ 1179 int i; 1180 1181 print_tok_type(fp, tok->id, "exec arg", raw); 1182 for (i = 0; i < tok->tt.execarg.count; i++) { 1183 print_delim(fp, del); 1184 print_string(fp, tok->tt.execarg.text[i], 1185 strlen(tok->tt.execarg.text[i])); 1186 } 1187} 1188 1189/* 1190 * count 4 bytes 1191 * text count null-terminated string(s) 1192 */ 1193static int 1194fetch_execenv_tok(tokenstr_t *tok, char *buf, int len) 1195{ 1196 int err = 0; 1197 int i; 1198 char *bptr; 1199 1200 READ_TOKEN_U_INT32(buf, len, tok->tt.execenv.count, tok->len, err); 1201 if (err) 1202 return (-1); 1203 1204 for (i = 0; i< tok->tt.execenv.count; i++) { 1205 bptr = buf + tok->len; 1206 tok->tt.execenv.text[i] = bptr; 1207 1208 /* Look for a null terminated string. */ 1209 while (bptr && (*bptr != '\0')) { 1210 if (++tok->len >=len) 1211 return (-1); 1212 bptr = buf + tok->len; 1213 } 1214 if (!bptr) 1215 return (-1); 1216 tok->len++; /* \0 character */ 1217 } 1218 1219 return (0); 1220} 1221 1222static void 1223print_execenv_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1224 __unused char sfrm) 1225{ 1226 int i; 1227 1228 print_tok_type(fp, tok->id, "exec arg", raw); 1229 for (i = 0; i< tok->tt.execenv.count; i++) { 1230 print_delim(fp, del); 1231 print_string(fp, tok->tt.execenv.text[i], 1232 strlen(tok->tt.execenv.text[i])); 1233 } 1234} 1235 1236/* 1237 * seconds of time 4 bytes 1238 * milliseconds of time 4 bytes 1239 * file name len 2 bytes 1240 * file pathname N bytes + 1 terminating NULL byte 1241 */ 1242static int 1243fetch_file_tok(tokenstr_t *tok, char *buf, int len) 1244{ 1245 int err = 0; 1246 1247 READ_TOKEN_U_INT32(buf, len, tok->tt.file.s, tok->len, err); 1248 if (err) 1249 return (-1); 1250 1251 READ_TOKEN_U_INT32(buf, len, tok->tt.file.ms, tok->len, err); 1252 if (err) 1253 return (-1); 1254 1255 READ_TOKEN_U_INT16(buf, len, tok->tt.file.len, tok->len, err); 1256 if (err) 1257 return (-1); 1258 1259 SET_PTR(buf, len, tok->tt.file.name, tok->tt.file.len, tok->len, err); 1260 if (err) 1261 return (-1); 1262 1263 return (0); 1264} 1265 1266static void 1267print_file_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1268 __unused char sfrm) 1269{ 1270 1271 print_tok_type(fp, tok->id, "file", raw); 1272 print_delim(fp, del); 1273 print_sec32(fp, tok->tt.file.s, raw); 1274 print_delim(fp, del); 1275 print_msec32(fp, tok->tt.file.ms, raw); 1276 print_delim(fp, del); 1277 print_string(fp, tok->tt.file.name, tok->tt.file.len); 1278} 1279 1280/* 1281 * number groups 2 bytes 1282 * group list count * 4 bytes 1283 */ 1284static int 1285fetch_newgroups_tok(tokenstr_t *tok, char *buf, int len) 1286{ 1287 int i; 1288 int err = 0; 1289 1290 READ_TOKEN_U_INT16(buf, len, tok->tt.grps.no, tok->len, err); 1291 if (err) 1292 return (-1); 1293 1294 for (i = 0; i<tok->tt.grps.no; i++) { 1295 READ_TOKEN_U_INT32(buf, len, tok->tt.grps.list[i], tok->len, 1296 err); 1297 if (err) 1298 return (-1); 1299 } 1300 1301 return (0); 1302} 1303 1304static void 1305print_newgroups_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1306 __unused char sfrm) 1307{ 1308 int i; 1309 1310 print_tok_type(fp, tok->id, "group", raw); 1311 for (i = 0; i < tok->tt.grps.no; i++) { 1312 print_delim(fp, del); 1313 print_group(fp, tok->tt.grps.list[i], raw); 1314 } 1315} 1316 1317/* 1318 * Internet addr 4 bytes 1319 */ 1320static int 1321fetch_inaddr_tok(tokenstr_t *tok, char *buf, int len) 1322{ 1323 int err = 0; 1324 1325 READ_TOKEN_U_INT32(buf, len, tok->tt.inaddr.addr, tok->len, err); 1326 if (err) 1327 return (-1); 1328 1329 return (0); 1330 1331} 1332 1333static void 1334print_inaddr_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1335 __unused char sfrm) 1336{ 1337 1338 print_tok_type(fp, tok->id, "ip addr", raw); 1339 print_delim(fp, del); 1340 print_ip_address(fp, tok->tt.inaddr.addr); 1341} 1342 1343/* 1344 * type 4 bytes 1345 * address 16 bytes 1346 */ 1347static int 1348fetch_inaddr_ex_tok(tokenstr_t *tok, char *buf, int len) 1349{ 1350 int err = 0; 1351 1352 READ_TOKEN_U_INT32(buf, len, tok->tt.inaddr_ex.type, tok->len, err); 1353 if (err) 1354 return (-1); 1355 1356 if (tok->tt.inaddr_ex.type == AU_IPv4) { 1357 READ_TOKEN_BYTES(buf, len, &tok->tt.inaddr_ex.addr[0], 1358 sizeof(tok->tt.inaddr_ex.addr[0]), tok->len, err); 1359 if (err) 1360 return (-1); 1361 } else if (tok->tt.inaddr_ex.type == AU_IPv6) { 1362 READ_TOKEN_BYTES(buf, len, tok->tt.inaddr_ex.addr, 1363 sizeof(tok->tt.inaddr_ex.addr), tok->len, err); 1364 if (err) 1365 return (-1); 1366 } else 1367 return (-1); 1368 1369 return (0); 1370} 1371 1372static void 1373print_inaddr_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1374 __unused char sfrm) 1375{ 1376 1377 print_tok_type(fp, tok->id, "ip addr ex", raw); 1378 print_delim(fp, del); 1379 print_ip_ex_address(fp, tok->tt.inaddr_ex.type, 1380 tok->tt.inaddr_ex.addr); 1381} 1382 1383/* 1384 * ip header 20 bytes 1385 */ 1386static int 1387fetch_ip_tok(tokenstr_t *tok, char *buf, int len) 1388{ 1389 int err = 0; 1390 1391 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.version, tok->len, err); 1392 if (err) 1393 return (-1); 1394 1395 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.tos, tok->len, err); 1396 if (err) 1397 return (-1); 1398 1399 READ_TOKEN_U_INT16(buf, len, tok->tt.ip.len, tok->len, err); 1400 if (err) 1401 return (-1); 1402 1403 READ_TOKEN_U_INT16(buf, len, tok->tt.ip.id, tok->len, err); 1404 if (err) 1405 return (-1); 1406 1407 READ_TOKEN_U_INT16(buf, len, tok->tt.ip.offset, tok->len, err); 1408 if (err) 1409 return (-1); 1410 1411 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.ttl, tok->len, err); 1412 if (err) 1413 return (-1); 1414 1415 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.prot, tok->len, err); 1416 if (err) 1417 return (-1); 1418 1419 READ_TOKEN_U_INT16(buf, len, tok->tt.ip.chksm, tok->len, err); 1420 if (err) 1421 return (-1); 1422 1423 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.src, sizeof(tok->tt.ip.src), 1424 tok->len, err); 1425 if (err) 1426 return (-1); 1427 1428 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.dest, sizeof(tok->tt.ip.dest), 1429 tok->len, err); 1430 if (err) 1431 return (-1); 1432 1433 return (0); 1434} 1435 1436static void 1437print_ip_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1438 __unused char sfrm) 1439{ 1440 1441 print_tok_type(fp, tok->id, "ip", raw); 1442 print_delim(fp, del); 1443 print_mem(fp, (u_char *)(&tok->tt.ip.version), sizeof(u_char)); 1444 print_delim(fp, del); 1445 print_mem(fp, (u_char *)(&tok->tt.ip.tos), sizeof(u_char)); 1446 print_delim(fp, del); 1447 print_2_bytes(fp, tok->tt.ip.len, "%u"); 1448 print_delim(fp, del); 1449 print_2_bytes(fp, tok->tt.ip.id, "%u"); 1450 print_delim(fp, del); 1451 print_2_bytes(fp, tok->tt.ip.offset, "%u"); 1452 print_delim(fp, del); 1453 print_mem(fp, (u_char *)(&tok->tt.ip.ttl), sizeof(u_char)); 1454 print_delim(fp, del); 1455 print_mem(fp, (u_char *)(&tok->tt.ip.prot), sizeof(u_char)); 1456 print_delim(fp, del); 1457 print_2_bytes(fp, tok->tt.ip.chksm, "%u"); 1458 print_delim(fp, del); 1459 print_ip_address(fp, tok->tt.ip.src); 1460 print_delim(fp, del); 1461 print_ip_address(fp, tok->tt.ip.dest); 1462} 1463 1464/* 1465 * object ID type 1 byte 1466 * Object ID 4 bytes 1467 */ 1468static int 1469fetch_ipc_tok(tokenstr_t *tok, char *buf, int len) 1470{ 1471 int err = 0; 1472 1473 READ_TOKEN_U_CHAR(buf, len, tok->tt.ipc.type, tok->len, err); 1474 if (err) 1475 return (-1); 1476 1477 READ_TOKEN_U_INT32(buf, len, tok->tt.ipc.id, tok->len, err); 1478 if (err) 1479 return (-1); 1480 1481 return (0); 1482} 1483 1484static void 1485print_ipc_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1486 __unused char sfrm) 1487{ 1488 1489 print_tok_type(fp, tok->id, "IPC", raw); 1490 print_delim(fp, del); 1491 print_ipctype(fp, tok->tt.ipc.type, raw); 1492 print_delim(fp, del); 1493 print_4_bytes(fp, tok->tt.ipc.id, "%u"); 1494} 1495 1496/* 1497 * owner user id 4 bytes 1498 * owner group id 4 bytes 1499 * creator user id 4 bytes 1500 * creator group id 4 bytes 1501 * access mode 4 bytes 1502 * slot seq 4 bytes 1503 * key 4 bytes 1504 */ 1505static int 1506fetch_ipcperm_tok(tokenstr_t *tok, char *buf, int len) 1507{ 1508 int err = 0; 1509 1510 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.uid, tok->len, err); 1511 if (err) 1512 return (-1); 1513 1514 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.gid, tok->len, err); 1515 if (err) 1516 return (-1); 1517 1518 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.puid, tok->len, err); 1519 if (err) 1520 return (-1); 1521 1522 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.pgid, tok->len, err); 1523 if (err) 1524 return (-1); 1525 1526 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.mode, tok->len, err); 1527 if (err) 1528 return (-1); 1529 1530 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.seq, tok->len, err); 1531 if (err) 1532 return (-1); 1533 1534 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.key, tok->len, err); 1535 if (err) 1536 return (-1); 1537 1538 return (0); 1539} 1540 1541static void 1542print_ipcperm_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1543 __unused char sfrm) 1544{ 1545 1546 print_tok_type(fp, tok->id, "IPC perm", raw); 1547 print_delim(fp, del); 1548 print_user(fp, tok->tt.ipcperm.uid, raw); 1549 print_delim(fp, del); 1550 print_group(fp, tok->tt.ipcperm.gid, raw); 1551 print_delim(fp, del); 1552 print_user(fp, tok->tt.ipcperm.puid, raw); 1553 print_delim(fp, del); 1554 print_group(fp, tok->tt.ipcperm.pgid, raw); 1555 print_delim(fp, del); 1556 print_4_bytes(fp, tok->tt.ipcperm.mode, "%o"); 1557 print_delim(fp, del); 1558 print_4_bytes(fp, tok->tt.ipcperm.seq, "%u"); 1559 print_delim(fp, del); 1560 print_4_bytes(fp, tok->tt.ipcperm.key, "%u"); 1561} 1562 1563/* 1564 * port Ip address 2 bytes 1565 */ 1566static int 1567fetch_iport_tok(tokenstr_t *tok, char *buf, int len) 1568{ 1569 int err = 0; 1570 1571 READ_TOKEN_U_INT16(buf, len, tok->tt.iport.port, tok->len, err); 1572 if (err) 1573 return (-1); 1574 1575 return (0); 1576} 1577 1578static void 1579print_iport_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1580 __unused char sfrm) 1581{ 1582 1583 print_tok_type(fp, tok->id, "ip port", raw); 1584 print_delim(fp, del); 1585 print_2_bytes(fp, tok->tt.iport.port, "%#x"); 1586} 1587 1588/* 1589 * size 2 bytes 1590 * data size bytes 1591 */ 1592static int 1593fetch_opaque_tok(tokenstr_t *tok, char *buf, int len) 1594{ 1595 int err = 0; 1596 1597 READ_TOKEN_U_INT16(buf, len, tok->tt.opaque.size, tok->len, err); 1598 if (err) 1599 return (-1); 1600 1601 SET_PTR(buf, len, tok->tt.opaque.data, tok->tt.opaque.size, tok->len, 1602 err); 1603 if (err) 1604 return (-1); 1605 1606 return (0); 1607} 1608 1609static void 1610print_opaque_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1611 __unused char sfrm) 1612{ 1613 1614 print_tok_type(fp, tok->id, "opaque", raw); 1615 print_delim(fp, del); 1616 print_2_bytes(fp, tok->tt.opaque.size, "%u"); 1617 print_delim(fp, del); 1618 print_mem(fp, tok->tt.opaque.data, tok->tt.opaque.size); 1619} 1620 1621/* 1622 * size 2 bytes 1623 * data size bytes 1624 */ 1625static int 1626fetch_path_tok(tokenstr_t *tok, char *buf, int len) 1627{ 1628 int err = 0; 1629 1630 READ_TOKEN_U_INT16(buf, len, tok->tt.path.len, tok->len, err); 1631 if (err) 1632 return (-1); 1633 1634 SET_PTR(buf, len, tok->tt.path.path, tok->tt.path.len, tok->len, err); 1635 if (err) 1636 return (-1); 1637 1638 return (0); 1639} 1640 1641static void 1642print_path_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1643 __unused char sfrm) 1644{ 1645 1646 print_tok_type(fp, tok->id, "path", raw); 1647 print_delim(fp, del); 1648 print_string(fp, tok->tt.path.path, tok->tt.path.len); 1649} 1650 1651/* 1652 * token ID 1 byte 1653 * audit ID 4 bytes 1654 * euid 4 bytes 1655 * egid 4 bytes 1656 * ruid 4 bytes 1657 * rgid 4 bytes 1658 * pid 4 bytes 1659 * sessid 4 bytes 1660 * terminal ID 1661 * portid 4 bytes 1662 * machine id 4 bytes 1663 */ 1664static int 1665fetch_process32_tok(tokenstr_t *tok, char *buf, int len) 1666{ 1667 int err = 0; 1668 1669 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.auid, tok->len, err); 1670 if (err) 1671 return (-1); 1672 1673 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.euid, tok->len, err); 1674 if (err) 1675 return (-1); 1676 1677 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.egid, tok->len, err); 1678 if (err) 1679 return (-1); 1680 1681 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.ruid, tok->len, err); 1682 if (err) 1683 return (-1); 1684 1685 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.rgid, tok->len, err); 1686 if (err) 1687 return (-1); 1688 1689 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.pid, tok->len, err); 1690 if (err) 1691 return (-1); 1692 1693 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.sid, tok->len, err); 1694 if (err) 1695 return (-1); 1696 1697 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.tid.port, tok->len, err); 1698 if (err) 1699 return (-1); 1700 1701 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.tid.addr, tok->len, err); 1702 if (err) 1703 return (-1); 1704 1705 return (0); 1706} 1707 1708static void 1709print_process32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1710 __unused char sfrm) 1711{ 1712 1713 print_tok_type(fp, tok->id, "process", raw); 1714 print_delim(fp, del); 1715 print_user(fp, tok->tt.proc32.auid, raw); 1716 print_delim(fp, del); 1717 print_user(fp, tok->tt.proc32.euid, raw); 1718 print_delim(fp, del); 1719 print_group(fp, tok->tt.proc32.egid, raw); 1720 print_delim(fp, del); 1721 print_user(fp, tok->tt.proc32.ruid, raw); 1722 print_delim(fp, del); 1723 print_group(fp, tok->tt.proc32.rgid, raw); 1724 print_delim(fp, del); 1725 print_4_bytes(fp, tok->tt.proc32.pid, "%u"); 1726 print_delim(fp, del); 1727 print_4_bytes(fp, tok->tt.proc32.sid, "%u"); 1728 print_delim(fp, del); 1729 print_4_bytes(fp, tok->tt.proc32.tid.port, "%u"); 1730 print_delim(fp, del); 1731 print_ip_address(fp, tok->tt.proc32.tid.addr); 1732} 1733 1734static int 1735fetch_process32ex_tok(tokenstr_t *tok, char *buf, int len) 1736{ 1737 int err = 0; 1738 1739 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.auid, tok->len, err); 1740 if (err) 1741 return (-1); 1742 1743 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.euid, tok->len, err); 1744 if (err) 1745 return (-1); 1746 1747 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.egid, tok->len, err); 1748 if (err) 1749 return (-1); 1750 1751 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.ruid, tok->len, err); 1752 if (err) 1753 return (-1); 1754 1755 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.rgid, tok->len, err); 1756 if (err) 1757 return (-1); 1758 1759 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.pid, tok->len, err); 1760 if (err) 1761 return (-1); 1762 1763 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.sid, tok->len, err); 1764 if (err) 1765 return (-1); 1766 1767 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.tid.port, tok->len, 1768 err); 1769 if (err) 1770 return (-1); 1771 1772 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.tid.type, tok->len, 1773 err); 1774 if (err) 1775 return (-1); 1776 1777 if (tok->tt.proc32_ex.tid.type == AU_IPv4) { 1778 READ_TOKEN_BYTES(buf, len, &tok->tt.proc32_ex.tid.addr[0], 1779 sizeof(tok->tt.proc32_ex.tid.addr[0]), tok->len, err); 1780 if (err) 1781 return (-1); 1782 } else if (tok->tt.proc32_ex.tid.type == AU_IPv6) { 1783 READ_TOKEN_BYTES(buf, len, tok->tt.proc32_ex.tid.addr, 1784 sizeof(tok->tt.proc32_ex.tid.addr), tok->len, err); 1785 if (err) 1786 return (-1); 1787 } else 1788 return (-1); 1789 1790 return (0); 1791} 1792 1793static void 1794print_process32ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1795 __unused char sfrm) 1796{ 1797 1798 print_tok_type(fp, tok->id, "process_ex", raw); 1799 print_delim(fp, del); 1800 print_user(fp, tok->tt.proc32_ex.auid, raw); 1801 print_delim(fp, del); 1802 print_user(fp, tok->tt.proc32_ex.euid, raw); 1803 print_delim(fp, del); 1804 print_group(fp, tok->tt.proc32_ex.egid, raw); 1805 print_delim(fp, del); 1806 print_user(fp, tok->tt.proc32_ex.ruid, raw); 1807 print_delim(fp, del); 1808 print_group(fp, tok->tt.proc32_ex.rgid, raw); 1809 print_delim(fp, del); 1810 print_4_bytes(fp, tok->tt.proc32_ex.pid, "%u"); 1811 print_delim(fp, del); 1812 print_4_bytes(fp, tok->tt.proc32_ex.sid, "%u"); 1813 print_delim(fp, del); 1814 print_4_bytes(fp, tok->tt.proc32_ex.tid.port, "%u"); 1815 print_delim(fp, del); 1816 print_ip_ex_address(fp, tok->tt.proc32_ex.tid.type, 1817 tok->tt.proc32_ex.tid.addr); 1818} 1819 1820/* 1821 * errno 1 byte 1822 * return value 4 bytes 1823 */ 1824static int 1825fetch_return32_tok(tokenstr_t *tok, char *buf, int len) 1826{ 1827 int err = 0; 1828 1829 READ_TOKEN_U_CHAR(buf, len, tok->tt.ret32.status, tok->len, err); 1830 if (err) 1831 return (-1); 1832 1833 READ_TOKEN_U_INT32(buf, len, tok->tt.ret32.ret, tok->len, err); 1834 if (err) 1835 return (-1); 1836 1837 return (0); 1838} 1839 1840static void 1841print_return32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1842 __unused char sfrm) 1843{ 1844 1845 print_tok_type(fp, tok->id, "return", raw); 1846 print_delim(fp, del); 1847 print_retval(fp, tok->tt.ret32.status, raw); 1848 print_delim(fp, del); 1849 print_4_bytes(fp, tok->tt.ret32.ret, "%u"); 1850} 1851 1852static int 1853fetch_return64_tok(tokenstr_t *tok, char *buf, int len) 1854{ 1855 int err = 0; 1856 1857 READ_TOKEN_U_CHAR(buf, len, tok->tt.ret64.err, tok->len, err); 1858 if (err) 1859 return (-1); 1860 1861 READ_TOKEN_U_INT64(buf, len, tok->tt.ret64.val, tok->len, err); 1862 if (err) 1863 return (-1); 1864 1865 return (0); 1866} 1867 1868static void 1869print_return64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1870 __unused char sfrm) 1871{ 1872 1873 print_tok_type(fp, tok->id, "return", raw); 1874 print_delim(fp, del); 1875 print_retval(fp, tok->tt.ret64.err, raw); 1876 print_delim(fp, del); 1877 print_8_bytes(fp, tok->tt.ret64.val, "%lld"); 1878} 1879 1880/* 1881 * seq 4 bytes 1882 */ 1883static int 1884fetch_seq_tok(tokenstr_t *tok, char *buf, int len) 1885{ 1886 int err = 0; 1887 1888 READ_TOKEN_U_INT32(buf, len, tok->tt.seq.seqno, tok->len, err); 1889 if (err) 1890 return (-1); 1891 1892 return (0); 1893} 1894 1895static void 1896print_seq_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1897 __unused char sfrm) 1898{ 1899 1900 print_tok_type(fp, tok->id, "sequence", raw); 1901 print_delim(fp, del); 1902 print_4_bytes(fp, tok->tt.seq.seqno, "%u"); 1903} 1904 1905/* 1906 * socket family 2 bytes 1907 * local port 2 bytes 1908 * socket address 4 bytes 1909 */ 1910static int 1911fetch_sock_inet32_tok(tokenstr_t *tok, char *buf, int len) 1912{ 1913 int err = 0; 1914 1915 READ_TOKEN_U_INT16(buf, len, tok->tt.sockinet32.family, tok->len, 1916 err); 1917 if (err) 1918 return (-1); 1919 1920 READ_TOKEN_U_INT16(buf, len, tok->tt.sockinet32.port, tok->len, err); 1921 if (err) 1922 return (-1); 1923 1924 READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet32.addr, 1925 sizeof(tok->tt.sockinet32.addr), tok->len, err); 1926 if (err) 1927 return (-1); 1928 1929 return (0); 1930} 1931 1932static void 1933print_sock_inet32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1934 __unused char sfrm) 1935{ 1936 1937 print_tok_type(fp, tok->id, "socket-inet", raw); 1938 print_delim(fp, del); 1939 print_2_bytes(fp, tok->tt.sockinet32.family, "%u"); 1940 print_delim(fp, del); 1941 print_2_bytes(fp, tok->tt.sockinet32.port, "%u"); 1942 print_delim(fp, del); 1943 print_ip_address(fp, tok->tt.sockinet32.addr); 1944} 1945 1946/* 1947 * socket family 2 bytes 1948 * path 104 bytes 1949 */ 1950static int fetch_sock_unix_tok(tokenstr_t *tok, char *buf, int len) 1951{ 1952 int err = 0; 1953 1954 READ_TOKEN_U_INT16(buf, len, tok->tt.sockunix.family, tok->len, err); 1955 if (err) 1956 return (-1); 1957 1958 READ_TOKEN_BYTES(buf, len, tok->tt.sockunix.path, 104, tok->len, 1959 err); 1960 if (err) 1961 return (-1); 1962 1963 return (0); 1964} 1965 1966static void 1967print_sock_unix_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1968 __unused char sfrm) 1969{ 1970 1971 print_tok_type(fp, tok->id, "socket-unix", raw); 1972 print_delim(fp, del); 1973 print_2_bytes(fp, tok->tt.sockunix.family, "%u"); 1974 print_delim(fp, del); 1975 print_string(fp, tok->tt.sockunix.path, 1976 strlen(tok->tt.sockunix.path)); 1977} 1978 1979/* 1980 * socket type 2 bytes 1981 * local port 2 bytes 1982 * local address 4 bytes 1983 * remote port 2 bytes 1984 * remote address 4 bytes 1985 */ 1986static int fetch_socket_tok(tokenstr_t *tok, char *buf, int len) 1987{ 1988 int err = 0; 1989 1990 READ_TOKEN_U_INT16(buf, len, tok->tt.socket.type, tok->len, err); 1991 if (err) 1992 return (-1); 1993 1994 READ_TOKEN_U_INT16(buf, len, tok->tt.socket.l_port, tok->len, err); 1995 if (err) 1996 return (-1); 1997 1998 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_addr, 1999 sizeof(tok->tt.socket.l_addr), tok->len, err); 2000 if (err) 2001 return (-1); 2002 2003 READ_TOKEN_U_INT16(buf, len, tok->tt.socket.r_port, tok->len, err); 2004 if (err) 2005 return (-1); 2006 2007 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_addr, 2008 sizeof(tok->tt.socket.r_addr), tok->len, err); 2009 if (err) 2010 return (-1); 2011 2012 return (0); 2013} 2014 2015static void 2016print_socket_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2017 __unused char sfrm) 2018{ 2019 2020 print_tok_type(fp, tok->id, "socket", raw); 2021 print_delim(fp, del); 2022 print_2_bytes(fp, tok->tt.socket.type, "%u"); 2023 print_delim(fp, del); 2024 print_2_bytes(fp, tok->tt.socket.l_port, "%u"); 2025 print_delim(fp, del); 2026 print_ip_address(fp, tok->tt.socket.l_addr); 2027 print_delim(fp, del); 2028 print_2_bytes(fp, tok->tt.socket.r_port, "%u"); 2029 print_delim(fp, del); 2030 print_ip_address(fp, tok->tt.socket.r_addr); 2031} 2032 2033/* 2034 * audit ID 4 bytes 2035 * euid 4 bytes 2036 * egid 4 bytes 2037 * ruid 4 bytes 2038 * rgid 4 bytes 2039 * pid 4 bytes 2040 * sessid 4 bytes 2041 * terminal ID 2042 * portid 4 bytes/8 bytes (32-bit/64-bit value) 2043 * machine id 4 bytes 2044 */ 2045static int 2046fetch_subject32_tok(tokenstr_t *tok, char *buf, int len) 2047{ 2048 int err = 0; 2049 2050 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.auid, tok->len, err); 2051 if (err) 2052 return (-1); 2053 2054 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.euid, tok->len, err); 2055 if (err) 2056 return (-1); 2057 2058 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.egid, tok->len, err); 2059 if (err) 2060 return (-1); 2061 2062 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.ruid, tok->len, err); 2063 if (err) 2064 return (-1); 2065 2066 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.rgid, tok->len, err); 2067 if (err) 2068 return (-1); 2069 2070 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.pid, tok->len, err); 2071 if (err) 2072 return (-1); 2073 2074 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.sid, tok->len, err); 2075 if (err) 2076 return (-1); 2077 2078 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.tid.port, tok->len, err); 2079 if (err) 2080 return (-1); 2081 2082 READ_TOKEN_BYTES(buf, len, &tok->tt.subj32.tid.addr, 2083 sizeof(tok->tt.subj32.tid.addr), tok->len, err); 2084 if (err) 2085 return (-1); 2086 2087 return (0); 2088} 2089 2090static void 2091print_subject32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2092 __unused char sfrm) 2093{ 2094 2095 print_tok_type(fp, tok->id, "subject", raw); 2096 print_delim(fp, del); 2097 print_user(fp, tok->tt.subj32.auid, raw); 2098 print_delim(fp, del); 2099 print_user(fp, tok->tt.subj32.euid, raw); 2100 print_delim(fp, del); 2101 print_group(fp, tok->tt.subj32.egid, raw); 2102 print_delim(fp, del); 2103 print_user(fp, tok->tt.subj32.ruid, raw); 2104 print_delim(fp, del); 2105 print_group(fp, tok->tt.subj32.rgid, raw); 2106 print_delim(fp, del); 2107 print_4_bytes(fp, tok->tt.subj32.pid, "%u"); 2108 print_delim(fp, del); 2109 print_4_bytes(fp, tok->tt.subj32.sid, "%u"); 2110 print_delim(fp, del); 2111 print_4_bytes(fp, tok->tt.subj32.tid.port, "%u"); 2112 print_delim(fp, del); 2113 print_ip_address(fp, tok->tt.subj32.tid.addr); 2114} 2115 2116/* 2117 * audit ID 4 bytes 2118 * euid 4 bytes 2119 * egid 4 bytes 2120 * ruid 4 bytes 2121 * rgid 4 bytes 2122 * pid 4 bytes 2123 * sessid 4 bytes 2124 * terminal ID 2125 * portid 4 bytes/8 bytes (32-bit/64-bit value) 2126 * machine id 4 bytes 2127 */ 2128static int 2129fetch_subject64_tok(tokenstr_t *tok, char *buf, int len) 2130{ 2131 int err = 0; 2132 2133 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.auid, tok->len, err); 2134 if (err) 2135 return (-1); 2136 2137 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.euid, tok->len, err); 2138 if (err) 2139 return (-1); 2140 2141 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.egid, tok->len, err); 2142 if (err) 2143 return (-1); 2144 2145 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.ruid, tok->len, err); 2146 if (err) 2147 return (-1); 2148 2149 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.rgid, tok->len, err); 2150 if (err) 2151 return (-1); 2152 2153 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.pid, tok->len, err); 2154 if (err) 2155 return (-1); 2156 2157 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.sid, tok->len, err); 2158 if (err) 2159 return (-1); 2160 2161 READ_TOKEN_U_INT64(buf, len, tok->tt.subj64.tid.port, tok->len, err); 2162 if (err) 2163 return (-1); 2164 2165 READ_TOKEN_BYTES(buf, len, &tok->tt.subj64.tid.addr, 2166 sizeof(tok->tt.subj64.tid.addr), tok->len, err); 2167 if (err) 2168 return (-1); 2169 2170 return (0); 2171} 2172 2173static void 2174print_subject64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2175 __unused char sfrm) 2176{ 2177 2178 print_tok_type(fp, tok->id, "subject", raw); 2179 print_delim(fp, del); 2180 print_user(fp, tok->tt.subj64.auid, raw); 2181 print_delim(fp, del); 2182 print_user(fp, tok->tt.subj64.euid, raw); 2183 print_delim(fp, del); 2184 print_group(fp, tok->tt.subj64.egid, raw); 2185 print_delim(fp, del); 2186 print_user(fp, tok->tt.subj64.ruid, raw); 2187 print_delim(fp, del); 2188 print_group(fp, tok->tt.subj64.rgid, raw); 2189 print_delim(fp, del); 2190 print_4_bytes(fp, tok->tt.subj64.pid, "%u"); 2191 print_delim(fp, del); 2192 print_4_bytes(fp, tok->tt.subj64.sid, "%u"); 2193 print_delim(fp, del); 2194 print_8_bytes(fp, tok->tt.subj64.tid.port, "%llu"); 2195 print_delim(fp, del); 2196 print_ip_address(fp, tok->tt.subj64.tid.addr); 2197} 2198 2199/* 2200 * audit ID 4 bytes 2201 * euid 4 bytes 2202 * egid 4 bytes 2203 * ruid 4 bytes 2204 * rgid 4 bytes 2205 * pid 4 bytes 2206 * sessid 4 bytes 2207 * terminal ID 2208 * portid 4 bytes 2209 * type 4 bytes 2210 * machine id 16 bytes 2211 */ 2212static int 2213fetch_subject32ex_tok(tokenstr_t *tok, char *buf, int len) 2214{ 2215 int err = 0; 2216 2217 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.auid, tok->len, err); 2218 if (err) 2219 return (-1); 2220 2221 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.euid, tok->len, err); 2222 if (err) 2223 return (-1); 2224 2225 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.egid, tok->len, err); 2226 if (err) 2227 return (-1); 2228 2229 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.ruid, tok->len, err); 2230 if (err) 2231 return (-1); 2232 2233 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.rgid, tok->len, err); 2234 if (err) 2235 return (-1); 2236 2237 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.pid, tok->len, err); 2238 if (err) 2239 return (-1); 2240 2241 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.sid, tok->len, err); 2242 if (err) 2243 return (-1); 2244 2245 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.tid.port, tok->len, 2246 err); 2247 if (err) 2248 return (-1); 2249 2250 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.tid.type, tok->len, 2251 err); 2252 if (err) 2253 return (-1); 2254 2255 if (tok->tt.subj32_ex.tid.type == AU_IPv4) { 2256 READ_TOKEN_BYTES(buf, len, &tok->tt.subj32_ex.tid.addr[0], 2257 sizeof(tok->tt.subj32_ex.tid.addr[0]), tok->len, err); 2258 if (err) 2259 return (-1); 2260 } else if (tok->tt.subj32_ex.tid.type == AU_IPv6) { 2261 READ_TOKEN_BYTES(buf, len, tok->tt.subj32_ex.tid.addr, 2262 sizeof(tok->tt.subj32_ex.tid.addr), tok->len, err); 2263 if (err) 2264 return (-1); 2265 } else 2266 return (-1); 2267 2268 return (0); 2269} 2270 2271static void 2272print_subject32ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2273 __unused char sfrm) 2274{ 2275 2276 print_tok_type(fp, tok->id, "subject_ex", raw); 2277 print_delim(fp, del); 2278 print_user(fp, tok->tt.subj32_ex.auid, raw); 2279 print_delim(fp, del); 2280 print_user(fp, tok->tt.subj32_ex.euid, raw); 2281 print_delim(fp, del); 2282 print_group(fp, tok->tt.subj32_ex.egid, raw); 2283 print_delim(fp, del); 2284 print_user(fp, tok->tt.subj32_ex.ruid, raw); 2285 print_delim(fp, del); 2286 print_group(fp, tok->tt.subj32_ex.rgid, raw); 2287 print_delim(fp, del); 2288 print_4_bytes(fp, tok->tt.subj32_ex.pid, "%u"); 2289 print_delim(fp, del); 2290 print_4_bytes(fp, tok->tt.subj32_ex.sid, "%u"); 2291 print_delim(fp, del); 2292 print_4_bytes(fp, tok->tt.subj32_ex.tid.port, "%u"); 2293 print_delim(fp, del); 2294 print_ip_ex_address(fp, tok->tt.subj32_ex.tid.type, 2295 tok->tt.subj32_ex.tid.addr); 2296} 2297 2298/* 2299 * size 2 bytes 2300 * data size bytes 2301 */ 2302static int 2303fetch_text_tok(tokenstr_t *tok, char *buf, int len) 2304{ 2305 int err = 0; 2306 2307 READ_TOKEN_U_INT16(buf, len, tok->tt.text.len, tok->len, err); 2308 if (err) 2309 return (-1); 2310 2311 SET_PTR(buf, len, tok->tt.text.text, tok->tt.text.len, tok->len, 2312 err); 2313 if (err) 2314 return (-1); 2315 2316 return (0); 2317} 2318 2319static void 2320print_text_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2321 __unused char sfrm) 2322{ 2323 2324 print_tok_type(fp, tok->id, "text", raw); 2325 print_delim(fp, del); 2326 print_string(fp, tok->tt.text.text, tok->tt.text.len); 2327} 2328 2329/* 2330 * socket type 2 bytes 2331 * local port 2 bytes 2332 * address type/length 4 bytes 2333 * local Internet address 4 bytes 2334 * remote port 4 bytes 2335 * address type/length 4 bytes 2336 * remote Internet address 4 bytes 2337 */ 2338static int 2339fetch_socketex32_tok(tokenstr_t *tok, char *buf, int len) 2340{ 2341 int err = 0; 2342 2343 READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.type, tok->len, 2344 err); 2345 if (err) 2346 return (-1); 2347 2348 READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.l_port, tok->len, 2349 err); 2350 if (err) 2351 return (-1); 2352 2353 READ_TOKEN_U_INT32(buf, len, tok->tt.socket_ex32.l_ad_type, tok->len, 2354 err); 2355 if (err) 2356 return (-1); 2357 2358 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_addr, 2359 sizeof(tok->tt.socket_ex32.l_addr), tok->len, err); 2360 if (err) 2361 return (-1); 2362 2363 READ_TOKEN_U_INT32(buf, len, tok->tt.socket_ex32.r_port, tok->len, 2364 err); 2365 if (err) 2366 return (-1); 2367 2368 READ_TOKEN_U_INT32(buf, len, tok->tt.socket_ex32.r_ad_type, tok->len, 2369 err); 2370 if (err) 2371 return (-1); 2372 2373 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_addr, 2374 sizeof(tok->tt.socket_ex32.r_addr), tok->len, err); 2375 if (err) 2376 return (-1); 2377 2378 return (0); 2379} 2380 2381static void 2382print_socketex32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2383 __unused char sfrm) 2384{ 2385 2386 print_tok_type(fp, tok->id, "socket", raw); 2387 print_delim(fp, del); 2388 print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x"); 2389 print_delim(fp, del); 2390 print_2_bytes(fp, tok->tt.socket_ex32.l_port, "%#x"); 2391 print_delim(fp, del); 2392 print_ip_address(fp, tok->tt.socket_ex32.l_addr); 2393 print_delim(fp, del); 2394 print_4_bytes(fp, tok->tt.socket_ex32.r_port, "%#x"); 2395 print_delim(fp, del); 2396 print_ip_address(fp, tok->tt.socket_ex32.r_addr); 2397} 2398 2399static int 2400fetch_invalid_tok(tokenstr_t *tok, char *buf, int len) 2401{ 2402 int err = 0; 2403 int recoversize; 2404 2405 recoversize = len - (tok->len + BSM_TRAILER_SIZE); 2406 if (recoversize <= 0) 2407 return (-1); 2408 2409 tok->tt.invalid.length = recoversize; 2410 2411 SET_PTR(buf, len, tok->tt.invalid.data, recoversize, tok->len, err); 2412 if (err) 2413 return (-1); 2414 2415 return (0); 2416} 2417 2418static void 2419print_invalid_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2420 __unused char sfrm) 2421{ 2422 2423 print_tok_type(fp, tok->id, "unknown", raw); 2424 print_delim(fp, del); 2425 print_mem(fp, tok->tt.invalid.data, tok->tt.invalid.length); 2426} 2427 2428 2429/* 2430 * Reads the token beginning at buf into tok. 2431 */ 2432int 2433au_fetch_tok(tokenstr_t *tok, u_char *buf, int len) 2434{ 2435 2436 if (len <= 0) 2437 return (-1); 2438 2439 tok->len = 1; 2440 tok->data = buf; 2441 tok->id = *buf; 2442 2443 switch(tok->id) { 2444 case AUT_HEADER32: 2445 return (fetch_header32_tok(tok, buf, len)); 2446 2447 case AUT_HEADER32_EX: 2448 return (fetch_header32_ex_tok(tok, buf, len)); 2449 2450 case AUT_HEADER64: 2451 return (fetch_header64_tok(tok, buf, len)); 2452 2453 case AUT_HEADER64_EX: 2454 return (fetch_header64_ex_tok(tok, buf, len)); 2455 2456 case AUT_TRAILER: 2457 return (fetch_trailer_tok(tok, buf, len)); 2458 2459 case AUT_ARG32: 2460 return (fetch_arg32_tok(tok, buf, len)); 2461 2462 case AUT_ARG64: 2463 return (fetch_arg64_tok(tok, buf, len)); 2464 2465 case AUT_ATTR32: 2466 return (fetch_attr32_tok(tok, buf, len)); 2467 2468 case AUT_ATTR64: 2469 return (fetch_attr64_tok(tok, buf, len)); 2470 2471 case AUT_EXIT: 2472 return (fetch_exit_tok(tok, buf, len)); 2473 2474 case AUT_EXEC_ARGS: 2475 return (fetch_execarg_tok(tok, buf, len)); 2476 2477 case AUT_EXEC_ENV: 2478 return (fetch_execenv_tok(tok, buf, len)); 2479 2480 case AUT_OTHER_FILE32: 2481 return (fetch_file_tok(tok, buf, len)); 2482 2483 case AUT_NEWGROUPS: 2484 return (fetch_newgroups_tok(tok, buf, len)); 2485 2486 case AUT_IN_ADDR: 2487 return (fetch_inaddr_tok(tok, buf, len)); 2488 2489 case AUT_IN_ADDR_EX: 2490 return (fetch_inaddr_ex_tok(tok, buf, len)); 2491 2492 case AUT_IP: 2493 return (fetch_ip_tok(tok, buf, len)); 2494 2495 case AUT_IPC: 2496 return (fetch_ipc_tok(tok, buf, len)); 2497 2498 case AUT_IPC_PERM: 2499 return (fetch_ipcperm_tok(tok, buf, len)); 2500 2501 case AUT_IPORT: 2502 return (fetch_iport_tok(tok, buf, len)); 2503 2504 case AUT_OPAQUE: 2505 return (fetch_opaque_tok(tok, buf, len)); 2506 2507 case AUT_PATH: 2508 return (fetch_path_tok(tok, buf, len)); 2509 2510 case AUT_PROCESS32: 2511 return (fetch_process32_tok(tok, buf, len)); 2512 2513 case AUT_PROCESS32_EX: 2514 return (fetch_process32ex_tok(tok, buf, len)); 2515 2516 case AUT_RETURN32: 2517 return (fetch_return32_tok(tok, buf, len)); 2518 2519 case AUT_RETURN64: 2520 return (fetch_return64_tok(tok, buf, len)); 2521 2522 case AUT_SEQ: 2523 return (fetch_seq_tok(tok, buf, len)); 2524 2525 case AUT_SOCKET: 2526 return (fetch_socket_tok(tok, buf, len)); 2527 2528 case AUT_SOCKINET32: 2529 return (fetch_sock_inet32_tok(tok, buf, len)); 2530 2531 case AUT_SOCKUNIX: 2532 return (fetch_sock_unix_tok(tok, buf, len)); 2533 2534 case AUT_SUBJECT32: 2535 return (fetch_subject32_tok(tok, buf, len)); 2536 2537 case AUT_SUBJECT64: 2538 return (fetch_subject64_tok(tok, buf, len)); 2539 2540 case AUT_SUBJECT32_EX: 2541 return (fetch_subject32ex_tok(tok, buf, len)); 2542 2543 case AUT_TEXT: 2544 return (fetch_text_tok(tok, buf, len)); 2545 2546 case AUT_SOCKET_EX: 2547 return (fetch_socketex32_tok(tok, buf, len)); 2548 2549 case AUT_DATA: 2550 return (fetch_arb_tok(tok, buf, len)); 2551 2552 default: 2553 return (fetch_invalid_tok(tok, buf, len)); 2554 } 2555} 2556 2557/* 2558 * 'prints' the token out to outfp 2559 */ 2560void 2561au_print_tok(FILE *outfp, tokenstr_t *tok, char *del, char raw, char sfrm) 2562{ 2563 2564 switch(tok->id) { 2565 case AUT_HEADER32: 2566 print_header32_tok(outfp, tok, del, raw, sfrm); 2567 return; 2568 2569 case AUT_HEADER32_EX: 2570 print_header32_ex_tok(outfp, tok, del, raw, sfrm); 2571 return; 2572 2573 case AUT_HEADER64: 2574 print_header64_tok(outfp, tok, del, raw, sfrm); 2575 return; 2576 2577 case AUT_HEADER64_EX: 2578 print_header64_ex_tok(outfp, tok, del, raw, sfrm); 2579 return; 2580 2581 case AUT_TRAILER: 2582 print_trailer_tok(outfp, tok, del, raw, sfrm); 2583 return; 2584 2585 case AUT_ARG32: 2586 print_arg32_tok(outfp, tok, del, raw, sfrm); 2587 return; 2588 2589 case AUT_ARG64: 2590 print_arg64_tok(outfp, tok, del, raw, sfrm); 2591 return; 2592 2593 case AUT_DATA: 2594 print_arb_tok(outfp, tok, del, raw, sfrm); 2595 return; 2596 2597 case AUT_ATTR32: 2598 print_attr32_tok(outfp, tok, del, raw, sfrm); 2599 return; 2600 2601 case AUT_ATTR64: 2602 print_attr64_tok(outfp, tok, del, raw, sfrm); 2603 return; 2604 2605 case AUT_EXIT: 2606 print_exit_tok(outfp, tok, del, raw, sfrm); 2607 return; 2608 2609 case AUT_EXEC_ARGS: 2610 print_execarg_tok(outfp, tok, del, raw, sfrm); 2611 return; 2612 2613 case AUT_EXEC_ENV: 2614 print_execenv_tok(outfp, tok, del, raw, sfrm); 2615 return; 2616 2617 case AUT_OTHER_FILE32: 2618 print_file_tok(outfp, tok, del, raw, sfrm); 2619 return; 2620 2621 case AUT_NEWGROUPS: 2622 print_newgroups_tok(outfp, tok, del, raw, sfrm); 2623 return; 2624 2625 case AUT_IN_ADDR: 2626 print_inaddr_tok(outfp, tok, del, raw, sfrm); 2627 return; 2628 2629 case AUT_IN_ADDR_EX: 2630 print_inaddr_ex_tok(outfp, tok, del, raw, sfrm); 2631 return; 2632 2633 case AUT_IP: 2634 print_ip_tok(outfp, tok, del, raw, sfrm); 2635 return; 2636 2637 case AUT_IPC: 2638 print_ipc_tok(outfp, tok, del, raw, sfrm); 2639 return; 2640 2641 case AUT_IPC_PERM: 2642 print_ipcperm_tok(outfp, tok, del, raw, sfrm); 2643 return; 2644 2645 case AUT_IPORT: 2646 print_iport_tok(outfp, tok, del, raw, sfrm); 2647 return; 2648 2649 case AUT_OPAQUE: 2650 print_opaque_tok(outfp, tok, del, raw, sfrm); 2651 return; 2652 2653 case AUT_PATH: 2654 print_path_tok(outfp, tok, del, raw, sfrm); 2655 return; 2656 2657 case AUT_PROCESS32: 2658 print_process32_tok(outfp, tok, del, raw, sfrm); 2659 return; 2660 2661 case AUT_PROCESS32_EX: 2662 print_process32ex_tok(outfp, tok, del, raw, sfrm); 2663 return; 2664 2665 case AUT_RETURN32: 2666 print_return32_tok(outfp, tok, del, raw, sfrm); 2667 return; 2668 2669 case AUT_RETURN64: 2670 print_return64_tok(outfp, tok, del, raw, sfrm); 2671 return; 2672 2673 case AUT_SEQ: 2674 print_seq_tok(outfp, tok, del, raw, sfrm); 2675 return; 2676 2677 case AUT_SOCKET: 2678 print_socket_tok(outfp, tok, del, raw, sfrm); 2679 return; 2680 2681 case AUT_SOCKINET32: 2682 print_sock_inet32_tok(outfp, tok, del, raw, sfrm); 2683 return; 2684 2685 case AUT_SOCKUNIX: 2686 print_sock_unix_tok(outfp, tok, del, raw, sfrm); 2687 return; 2688 2689 case AUT_SUBJECT32: 2690 print_subject32_tok(outfp, tok, del, raw, sfrm); 2691 return; 2692 2693 case AUT_SUBJECT64: 2694 print_subject64_tok(outfp, tok, del, raw, sfrm); 2695 return; 2696 2697 case AUT_SUBJECT32_EX: 2698 print_subject32ex_tok(outfp, tok, del, raw, sfrm); 2699 return; 2700 2701 case AUT_TEXT: 2702 print_text_tok(outfp, tok, del, raw, sfrm); 2703 return; 2704 2705 case AUT_SOCKET_EX: 2706 print_socketex32_tok(outfp, tok, del, raw, sfrm); 2707 return; 2708 2709 default: 2710 print_invalid_tok(outfp, tok, del, raw, sfrm); 2711 } 2712} 2713 2714/* 2715 * Read a record from the file pointer, store data in buf memory for buf is 2716 * also allocated in this function and has to be free'd outside this call. 2717 * 2718 * au_read_rec() handles two possibilities: a stand-alone file token, or a 2719 * complete audit record. 2720 * 2721 * XXXRW: Note that if we hit an error, we leave the stream in an unusable 2722 * state, because it will be partly offset into a record. We should rewind 2723 * or do something more intelligent. Particularly interesting is the case 2724 * where we perform a partial read of a record from a non-blockable file 2725 * descriptor. We should return the partial read and continue...? 2726 */ 2727int 2728au_read_rec(FILE *fp, u_char **buf) 2729{ 2730 u_char *bptr; 2731 u_int32_t recsize; 2732 u_int32_t bytestoread; 2733 u_char type; 2734 2735 u_int32_t sec, msec; 2736 u_int16_t filenamelen; 2737 2738 type = fgetc(fp); 2739 2740 switch (type) { 2741 case AUT_HEADER32: 2742 case AUT_HEADER32_EX: 2743 case AUT_HEADER64: 2744 case AUT_HEADER64_EX: 2745 /* read the record size from the token */ 2746 if (fread(&recsize, 1, sizeof(u_int32_t), fp) < 2747 sizeof(u_int32_t)) { 2748 errno = EINVAL; 2749 return (-1); 2750 } 2751 recsize = be32toh(recsize); 2752 2753 /* Check for recsize sanity */ 2754 if (recsize < (sizeof(u_int32_t) + sizeof(u_char))) { 2755 errno = EINVAL; 2756 return (-1); 2757 } 2758 2759 *buf = malloc(recsize * sizeof(u_char)); 2760 if (*buf == NULL) 2761 return (-1); 2762 bptr = *buf; 2763 memset(bptr, 0, recsize); 2764 2765 /* store the token contents already read, back to the buffer*/ 2766 *bptr = type; 2767 bptr++; 2768 be32enc(bptr, recsize); 2769 bptr += sizeof(u_int32_t); 2770 2771 /* now read remaining record bytes */ 2772 bytestoread = recsize - (sizeof(u_int32_t) + sizeof(u_char)); 2773 2774 if (fread(bptr, 1, bytestoread, fp) < bytestoread) { 2775 free(*buf); 2776 errno = EINVAL; 2777 return (-1); 2778 } 2779 break; 2780 2781 case AUT_OTHER_FILE32: 2782 /* 2783 * The file token is variable-length, as it includes a 2784 * pathname. As a result, we have to read incrementally 2785 * until we know the total length, then allocate space and 2786 * read the rest. 2787 */ 2788 if (fread(&sec, 1, sizeof(sec), fp) < sizeof(sec)) { 2789 errno = EINVAL; 2790 return (-1); 2791 } 2792 if (fread(&msec, 1, sizeof(msec), fp) < sizeof(msec)) { 2793 errno = EINVAL; 2794 return (-1); 2795 } 2796 if (fread(&filenamelen, 1, sizeof(filenamelen), fp) < 2797 sizeof(filenamelen)) { 2798 errno = EINVAL; 2799 return (-1); 2800 } 2801 recsize = sizeof(type) + sizeof(sec) + sizeof(msec) + 2802 sizeof(filenamelen) + ntohs(filenamelen); 2803 *buf = malloc(recsize); 2804 if (*buf == NULL) 2805 return (-1); 2806 bptr = *buf; 2807 2808 bcopy(&type, bptr, sizeof(type)); 2809 bptr += sizeof(type); 2810 bcopy(&sec, bptr, sizeof(sec)); 2811 bptr += sizeof(sec); 2812 bcopy(&msec, bptr, sizeof(msec)); 2813 bptr += sizeof(msec); 2814 bcopy(&filenamelen, bptr, sizeof(filenamelen)); 2815 bptr += sizeof(filenamelen); 2816 2817 if (fread(bptr, 1, ntohs(filenamelen), fp) < 2818 ntohs(filenamelen)) { 2819 free(buf); 2820 errno = EINVAL; 2821 return (-1); 2822 } 2823 break; 2824 2825 default: 2826 errno = EINVAL; 2827 return (-1); 2828 } 2829 2830 return (recsize); 2831} 2832