bsm_io.c revision 156283
1/* 2 * Copyright (c) 2004 Apple Computer, Inc. 3 * Copyright (c) 2005 SPARTA, Inc. 4 * Copyright (c) 2006 Robert N. M. Watson 5 * All rights reserved. 6 * 7 * This code was developed in part by Robert N. M. Watson, Senior Principal 8 * Scientist, SPARTA, Inc. 9 * 10 * Redistribution and use in source and binary forms, with or without 11 * modification, are permitted provided that the following conditions 12 * are met: 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of 19 * its contributors may be used to endorse or promote products derived 20 * from this software without specific prior written permission. 21 * 22 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND 23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 25 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR 26 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 30 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 31 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 32 * POSSIBILITY OF SUCH DAMAGE. 33 * 34 * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_io.c#34 $ 35 */ 36 37#include <sys/types.h> 38 39#include <config/config.h> 40#ifdef HAVE_SYS_ENDIAN_H 41#include <sys/endian.h> 42#else /* !HAVE_SYS_ENDIAN_H */ 43#ifdef HAVE_MACHINE_ENDIAN_H 44#include <machine/endian.h> 45#else /* !HAVE_MACHINE_ENDIAN_H */ 46#ifdef HAVE_ENDIAN_H 47#include <endian.h> 48#else /* !HAVE_ENDIAN_H */ 49#error "No supported endian.h" 50#endif /* !HAVE_ENDIAN_H */ 51#endif /* !HAVE_MACHINE_ENDIAN_H */ 52#include <compat/endian.h> 53#endif /* !HAVE_SYS_ENDIAN_H */ 54#ifdef HAVE_FULL_QUEUE_H 55#include <sys/queue.h> 56#else /* !HAVE_FULL_QUEUE_H */ 57#include <compat/queue.h> 58#endif /* !HAVE_FULL_QUEUE_H */ 59 60#include <sys/stat.h> 61#include <sys/socket.h> 62 63#include <bsm/libbsm.h> 64 65#include <unistd.h> 66#include <netinet/in.h> 67#include <arpa/inet.h> 68#include <errno.h> 69#include <time.h> 70#include <stdlib.h> 71#include <stdio.h> 72#include <string.h> 73#include <pwd.h> 74#include <grp.h> 75 76#include <bsm/audit_internal.h> 77 78#define READ_TOKEN_BYTES(buf, len, dest, size, bytesread, err) do { \ 79 if (bytesread + size > len) { \ 80 err = 1; \ 81 } else { \ 82 memcpy(dest, buf + bytesread, size); \ 83 bytesread += size; \ 84 } \ 85} while (0) 86 87#define READ_TOKEN_U_CHAR(buf, len, dest, bytesread, err) do { \ 88 if (bytesread + sizeof(u_char) <= len) { \ 89 dest = buf[bytesread]; \ 90 bytesread += sizeof(u_char); \ 91 } else \ 92 err = 1; \ 93} while (0) 94 95#define READ_TOKEN_U_INT16(buf, len, dest, bytesread, err) do { \ 96 if (bytesread + sizeof(u_int16_t) <= len) { \ 97 dest = be16dec(buf + bytesread); \ 98 bytesread += sizeof(u_int16_t); \ 99 } else \ 100 err = 1; \ 101} while (0) 102 103#define READ_TOKEN_U_INT32(buf, len, dest, bytesread, err) do { \ 104 if (bytesread + sizeof(u_int32_t) <= len) { \ 105 dest = be32dec(buf + bytesread); \ 106 bytesread += sizeof(u_int32_t); \ 107 } else \ 108 err = 1; \ 109} while (0) 110 111#define READ_TOKEN_U_INT64(buf, len, dest, bytesread, err) do { \ 112 if (bytesread + sizeof(u_int64_t) <= len) { \ 113 dest = be64dec(buf + bytesread); \ 114 bytesread += sizeof(u_int64_t); \ 115 } else \ 116 err = 1; \ 117} while (0) 118 119#define SET_PTR(buf, len, ptr, size, bytesread, err) do { \ 120 if ((bytesread) + (size) > (len)) \ 121 (err) = 1; \ 122 else { \ 123 (ptr) = (buf) + (bytesread); \ 124 (bytesread) += (size); \ 125 } \ 126} while (0) 127 128/* 129 * Prints the delimiter string. 130 */ 131static void 132print_delim(FILE *fp, const char *del) 133{ 134 135 fprintf(fp, "%s", del); 136} 137 138/* 139 * Prints a single byte in the given format. 140 */ 141static void 142print_1_byte(FILE *fp, u_char val, const char *format) 143{ 144 145 fprintf(fp, format, val); 146} 147 148/* 149 * Print 2 bytes in the given format. 150 */ 151static void 152print_2_bytes(FILE *fp, u_int16_t val, const char *format) 153{ 154 155 fprintf(fp, format, val); 156} 157 158/* 159 * Prints 4 bytes in the given format. 160 */ 161static void 162print_4_bytes(FILE *fp, u_int32_t val, const char *format) 163{ 164 165 fprintf(fp, format, val); 166} 167 168/* 169 * Prints 8 bytes in the given format. 170 */ 171static void 172print_8_bytes(FILE *fp, u_int64_t val, const char *format) 173{ 174 175 fprintf(fp, format, val); 176} 177 178/* 179 * Prints the given size of data bytes in hex. 180 */ 181static void 182print_mem(FILE *fp, u_char *data, size_t len) 183{ 184 int i; 185 186 if (len > 0) { 187 fprintf(fp, "0x"); 188 for (i = 0; i < len; i++) 189 fprintf(fp, "%x", data[i]); 190 } 191} 192 193/* 194 * Prints the given data bytes as a string. 195 */ 196static void 197print_string(FILE *fp, u_char *str, size_t len) 198{ 199 int i; 200 201 if (len > 0) { 202 for (i = 0; i < len; i++) { 203 if (str[i] != '\0') 204 fprintf(fp, "%c", str[i]); 205 } 206 } 207} 208 209/* 210 * Prints the token type in either the raw or the default form. 211 */ 212static void 213print_tok_type(FILE *fp, u_char type, const char *tokname, char raw) 214{ 215 216 if (raw) 217 fprintf(fp, "%u", type); 218 else 219 fprintf(fp, "%s", tokname); 220} 221 222/* 223 * Prints a user value. 224 */ 225static void 226print_user(FILE *fp, u_int32_t usr, char raw) 227{ 228 struct passwd *pwent; 229 230 if (raw) 231 fprintf(fp, "%d", usr); 232 else { 233 pwent = getpwuid(usr); 234 if (pwent != NULL) 235 fprintf(fp, "%s", pwent->pw_name); 236 else 237 fprintf(fp, "%d", usr); 238 } 239} 240 241/* 242 * Prints a group value. 243 */ 244static void 245print_group(FILE *fp, u_int32_t grp, char raw) 246{ 247 struct group *grpent; 248 249 if (raw) 250 fprintf(fp, "%d", grp); 251 else { 252 grpent = getgrgid(grp); 253 if (grpent != NULL) 254 fprintf(fp, "%s", grpent->gr_name); 255 else 256 fprintf(fp, "%d", grp); 257 } 258} 259 260/* 261 * Prints the event from the header token in either the short, default or raw 262 * form. 263 */ 264static void 265print_event(FILE *fp, u_int16_t ev, char raw, char sfrm) 266{ 267 char event_ent_name[AU_EVENT_NAME_MAX]; 268 char event_ent_desc[AU_EVENT_DESC_MAX]; 269 struct au_event_ent e, *ep; 270 271 bzero(&e, sizeof(e)); 272 bzero(event_ent_name, sizeof(event_ent_name)); 273 bzero(event_ent_desc, sizeof(event_ent_desc)); 274 e.ae_name = event_ent_name; 275 e.ae_desc = event_ent_desc; 276 277 ep = getauevnum_r(&e, ev); 278 if (ep == NULL) { 279 fprintf(fp, "%u", ev); 280 return; 281 } 282 283 if (raw) 284 fprintf(fp, "%u", ev); 285 else if (sfrm) 286 fprintf(fp, "%s", e.ae_name); 287 else 288 fprintf(fp, "%s", e.ae_desc); 289} 290 291 292/* 293 * Prints the event modifier from the header token in either the default or 294 * raw form. 295 */ 296static void 297print_evmod(FILE *fp, u_int16_t evmod, char raw) 298{ 299 if (raw) 300 fprintf(fp, "%u", evmod); 301 else 302 fprintf(fp, "%u", evmod); 303} 304 305/* 306 * Prints seconds in the ctime format. 307 */ 308static void 309print_sec32(FILE *fp, u_int32_t sec, char raw) 310{ 311 time_t timestamp; 312 char timestr[26]; 313 314 if (raw) 315 fprintf(fp, "%u", sec); 316 else { 317 timestamp = (time_t)sec; 318 ctime_r(×tamp, timestr); 319 timestr[24] = '\0'; /* No new line */ 320 fprintf(fp, "%s", timestr); 321 } 322} 323 324/* 325 * XXXRW: 64-bit token streams make use of 64-bit time stamps; since we 326 * assume a 32-bit time_t, we simply truncate for now. 327 */ 328static void 329print_sec64(FILE *fp, u_int64_t sec, char raw) 330{ 331 time_t timestamp; 332 char timestr[26]; 333 334 if (raw) 335 fprintf(fp, "%u", (u_int32_t)sec); 336 else { 337 timestamp = (time_t)sec; 338 ctime_r(×tamp, timestr); 339 timestr[24] = '\0'; /* No new line */ 340 fprintf(fp, "%s", timestr); 341 } 342} 343 344/* 345 * Prints the excess milliseconds. 346 */ 347static void 348print_msec32(FILE *fp, u_int32_t msec, char raw) 349{ 350 if (raw) 351 fprintf(fp, "%u", msec); 352 else 353 fprintf(fp, " + %u msec", msec); 354} 355 356/* 357 * XXXRW: 64-bit token streams make use of 64-bit time stamps; since we assume 358 * a 32-bit msec, we simply truncate for now. 359 */ 360static void 361print_msec64(FILE *fp, u_int64_t msec, char raw) 362{ 363 364 msec &= 0xffffffff; 365 if (raw) 366 fprintf(fp, "%u", (u_int32_t)msec); 367 else 368 fprintf(fp, " + %u msec", (u_int32_t)msec); 369} 370 371/* 372 * Prints a dotted form for the IP address. 373 */ 374static void 375print_ip_address(FILE *fp, u_int32_t ip) 376{ 377 struct in_addr ipaddr; 378 379 ipaddr.s_addr = ip; 380 fprintf(fp, "%s", inet_ntoa(ipaddr)); 381} 382 383/* 384 * Prints a string value for the given ip address. 385 */ 386static void 387print_ip_ex_address(FILE *fp, u_int32_t type, u_int32_t *ipaddr) 388{ 389 struct in_addr ipv4; 390 struct in6_addr ipv6; 391 char dst[INET6_ADDRSTRLEN]; 392 393 switch (type) { 394 case AU_IPv4: 395 ipv4.s_addr = (in_addr_t)(ipaddr[0]); 396 fprintf(fp, "%s", inet_ntop(AF_INET, &ipv4, dst, 397 INET6_ADDRSTRLEN)); 398 break; 399 400 case AU_IPv6: 401 bcopy(ipaddr, &ipv6, sizeof(ipv6)); 402 fprintf(fp, "%s", inet_ntop(AF_INET6, &ipv6, dst, 403 INET6_ADDRSTRLEN)); 404 break; 405 406 default: 407 fprintf(fp, "invalid"); 408 } 409} 410 411/* 412 * Prints return value as success or failure. 413 */ 414static void 415print_retval(FILE *fp, u_char status, char raw) 416{ 417 if (raw) 418 fprintf(fp, "%u", status); 419 else { 420 if (status == 0) 421 fprintf(fp, "success"); 422 else 423 fprintf(fp, "failure : %s", strerror(status)); 424 } 425} 426 427/* 428 * Prints the exit value. 429 */ 430static void 431print_errval(FILE *fp, u_int32_t val) 432{ 433 434 fprintf(fp, "Error %u", val); 435} 436 437/* 438 * Prints IPC type. 439 */ 440static void 441print_ipctype(FILE *fp, u_char type, char raw) 442{ 443 if (raw) 444 fprintf(fp, "%u", type); 445 else { 446 if (type == AT_IPC_MSG) 447 fprintf(fp, "Message IPC"); 448 else if (type == AT_IPC_SEM) 449 fprintf(fp, "Semaphore IPC"); 450 else if (type == AT_IPC_SHM) 451 fprintf(fp, "Shared Memory IPC"); 452 else 453 fprintf(fp, "%u", type); 454 } 455} 456 457/* 458 * record byte count 4 bytes 459 * version # 1 byte [2] 460 * event type 2 bytes 461 * event modifier 2 bytes 462 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value) 463 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value) 464 */ 465static int 466fetch_header32_tok(tokenstr_t *tok, char *buf, int len) 467{ 468 int err = 0; 469 470 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.size, tok->len, err); 471 if (err) 472 return (-1); 473 474 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr32.version, tok->len, err); 475 if (err) 476 return (-1); 477 478 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32.e_type, tok->len, err); 479 if (err) 480 return (-1); 481 482 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32.e_mod, tok->len, err); 483 if (err) 484 return (-1); 485 486 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.s, tok->len, err); 487 if (err) 488 return (-1); 489 490 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.ms, tok->len, err); 491 if (err) 492 return (-1); 493 494 return (0); 495} 496 497static void 498print_header32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm) 499{ 500 501 print_tok_type(fp, tok->id, "header", raw); 502 print_delim(fp, del); 503 print_4_bytes(fp, tok->tt.hdr32.size, "%u"); 504 print_delim(fp, del); 505 print_1_byte(fp, tok->tt.hdr32.version, "%u"); 506 print_delim(fp, del); 507 print_event(fp, tok->tt.hdr32.e_type, raw, sfrm); 508 print_delim(fp, del); 509 print_evmod(fp, tok->tt.hdr32.e_mod, raw); 510 print_delim(fp, del); 511 print_sec32(fp, tok->tt.hdr32.s, raw); 512 print_delim(fp, del); 513 print_msec32(fp, tok->tt.hdr32.ms, raw); 514} 515 516/* 517 * The Solaris specifications for AUE_HEADER32_EX seem to differ a bit 518 * depending on the bit of the specifications found. The OpenSolaris source 519 * code uses a 4-byte address length, followed by some number of bytes of 520 * address data. This contrasts with the Solaris audit.log.5 man page, which 521 * specifies a 1-byte length field. We use the Solaris 10 definition so that 522 * we can parse audit trails from that system. 523 * 524 * record byte count 4 bytes 525 * version # 1 byte [2] 526 * event type 2 bytes 527 * event modifier 2 bytes 528 * address type/length 4 bytes 529 * [ Solaris man page: address type/length 1 byte] 530 * machine address 4 bytes/16 bytes (IPv4/IPv6 address) 531 * seconds of time 4 bytes/8 bytes (32/64-bits) 532 * nanoseconds of time 4 bytes/8 bytes (32/64-bits) 533 */ 534static int 535fetch_header32_ex_tok(tokenstr_t *tok, char *buf, int len) 536{ 537 int err = 0; 538 539 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.size, tok->len, err); 540 if (err) 541 return (-1); 542 543 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr32_ex.version, tok->len, err); 544 if (err) 545 return (-1); 546 547 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32_ex.e_type, tok->len, err); 548 if (err) 549 return (-1); 550 551 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32_ex.e_mod, tok->len, err); 552 if (err) 553 return (-1); 554 555 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.ad_type, tok->len, err); 556 if (err) 557 return (-1); 558 559 bzero(tok->tt.hdr32_ex.addr, sizeof(tok->tt.hdr32_ex.addr)); 560 switch (tok->tt.hdr32_ex.ad_type) { 561 case AU_IPv4: 562 READ_TOKEN_BYTES(buf, len, &tok->tt.hdr32_ex.addr[0], 563 sizeof(tok->tt.hdr32_ex.addr[0]), tok->len, err); 564 if (err) 565 return (-1); 566 break; 567 568 case AU_IPv6: 569 READ_TOKEN_BYTES(buf, len, tok->tt.hdr32_ex.addr, 570 sizeof(tok->tt.hdr32_ex.addr), tok->len, err); 571 break; 572 } 573 574 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.s, tok->len, err); 575 if (err) 576 return (-1); 577 578 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.ms, tok->len, err); 579 if (err) 580 return (-1); 581 582 return (0); 583} 584 585static void 586print_header32_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 587 char sfrm) 588{ 589 590 print_tok_type(fp, tok->id, "header_ex", raw); 591 print_delim(fp, del); 592 print_4_bytes(fp, tok->tt.hdr32_ex.size, "%u"); 593 print_delim(fp, del); 594 print_1_byte(fp, tok->tt.hdr32_ex.version, "%u"); 595 print_delim(fp, del); 596 print_event(fp, tok->tt.hdr32_ex.e_type, raw, sfrm); 597 print_delim(fp, del); 598 print_evmod(fp, tok->tt.hdr32_ex.e_mod, raw); 599 print_delim(fp, del); 600 print_ip_ex_address(fp, tok->tt.hdr32_ex.ad_type, 601 tok->tt.hdr32_ex.addr); 602 print_delim(fp, del); 603 print_sec32(fp, tok->tt.hdr32_ex.s, raw); 604 print_delim(fp, del); 605 print_msec32(fp, tok->tt.hdr32_ex.ms, raw); 606} 607 608/* 609 * record byte count 4 bytes 610 * event type 2 bytes 611 * event modifier 2 bytes 612 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value) 613 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value) 614 * version # 615 */ 616static int 617fetch_header64_tok(tokenstr_t *tok, char *buf, int len) 618{ 619 int err = 0; 620 621 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64.size, tok->len, err); 622 if (err) 623 return (-1); 624 625 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr64.version, tok->len, err); 626 if (err) 627 return (-1); 628 629 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64.e_type, tok->len, err); 630 if (err) 631 return (-1); 632 633 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64.e_mod, tok->len, err); 634 if (err) 635 return (-1); 636 637 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64.s, tok->len, err); 638 if (err) 639 return (-1); 640 641 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64.ms, tok->len, err); 642 if (err) 643 return (-1); 644 645 return (0); 646} 647 648static void 649print_header64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm) 650{ 651 652 print_tok_type(fp, tok->id, "header", raw); 653 print_delim(fp, del); 654 print_4_bytes(fp, tok->tt.hdr64.size, "%u"); 655 print_delim(fp, del); 656 print_1_byte(fp, tok->tt.hdr64.version, "%u"); 657 print_delim(fp, del); 658 print_event(fp, tok->tt.hdr64.e_type, raw, sfrm); 659 print_delim(fp, del); 660 print_evmod(fp, tok->tt.hdr64.e_mod, raw); 661 print_delim(fp, del); 662 print_sec64(fp, tok->tt.hdr64.s, raw); 663 print_delim(fp, del); 664 print_msec64(fp, tok->tt.hdr64.ms, raw); 665} 666/* 667 * record byte count 4 bytes 668 * version # 1 byte [2] 669 * event type 2 bytes 670 * event modifier 2 bytes 671 * address type/length 4 bytes 672 * [ Solaris man page: address type/length 1 byte] 673 * machine address 4 bytes/16 bytes (IPv4/IPv6 address) 674 * seconds of time 4 bytes/8 bytes (32/64-bits) 675 * nanoseconds of time 4 bytes/8 bytes (32/64-bits) 676 * 677 * XXXAUDIT: See comment by fetch_header32_ex_tok() for details on the 678 * accuracy of the BSM spec. 679 */ 680static int 681fetch_header64_ex_tok(tokenstr_t *tok, char *buf, int len) 682{ 683 int err = 0; 684 685 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64_ex.size, tok->len, err); 686 if (err) 687 return (-1); 688 689 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr64_ex.version, tok->len, err); 690 if (err) 691 return (-1); 692 693 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64_ex.e_type, tok->len, err); 694 if (err) 695 return (-1); 696 697 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64_ex.e_mod, tok->len, err); 698 if (err) 699 return (-1); 700 701 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64_ex.ad_type, tok->len, err); 702 if (err) 703 return (-1); 704 705 bzero(tok->tt.hdr64_ex.addr, sizeof(tok->tt.hdr64_ex.addr)); 706 switch (tok->tt.hdr64_ex.ad_type) { 707 case AU_IPv4: 708 READ_TOKEN_BYTES(buf, len, &tok->tt.hdr64_ex.addr[0], 709 sizeof(tok->tt.hdr64_ex.addr[0]), tok->len, err); 710 if (err) 711 return (-1); 712 break; 713 714 case AU_IPv6: 715 READ_TOKEN_BYTES(buf, len, tok->tt.hdr64_ex.addr, 716 sizeof(tok->tt.hdr64_ex.addr), tok->len, err); 717 break; 718 } 719 720 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64_ex.s, tok->len, err); 721 if (err) 722 return (-1); 723 724 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64_ex.ms, tok->len, err); 725 if (err) 726 return (-1); 727 728 return (0); 729} 730 731static void 732print_header64_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm) 733{ 734 735 print_tok_type(fp, tok->id, "header_ex", raw); 736 print_delim(fp, del); 737 print_4_bytes(fp, tok->tt.hdr64_ex.size, "%u"); 738 print_delim(fp, del); 739 print_1_byte(fp, tok->tt.hdr64_ex.version, "%u"); 740 print_delim(fp, del); 741 print_event(fp, tok->tt.hdr64_ex.e_type, raw, sfrm); 742 print_delim(fp, del); 743 print_evmod(fp, tok->tt.hdr64_ex.e_mod, raw); 744 print_delim(fp, del); 745 print_ip_ex_address(fp, tok->tt.hdr64_ex.ad_type, 746 tok->tt.hdr64_ex.addr); 747 print_delim(fp, del); 748 print_sec64(fp, tok->tt.hdr64_ex.s, raw); 749 print_delim(fp, del); 750 print_msec64(fp, tok->tt.hdr64_ex.ms, raw); 751} 752 753/* 754 * trailer magic 2 bytes 755 * record size 4 bytes 756 */ 757static int 758fetch_trailer_tok(tokenstr_t *tok, char *buf, int len) 759{ 760 int err = 0; 761 762 READ_TOKEN_U_INT16(buf, len, tok->tt.trail.magic, tok->len, err); 763 if (err) 764 return (-1); 765 766 READ_TOKEN_U_INT32(buf, len, tok->tt.trail.count, tok->len, err); 767 if (err) 768 return (-1); 769 770 return (0); 771} 772 773static void 774print_trailer_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 775 __unused char sfrm) 776{ 777 778 print_tok_type(fp, tok->id, "trailer", raw); 779 print_delim(fp, del); 780 print_4_bytes(fp, tok->tt.trail.count, "%u"); 781} 782 783/* 784 * argument # 1 byte 785 * argument value 4 bytes/8 bytes (32-bit/64-bit value) 786 * text length 2 bytes 787 * text N bytes + 1 terminating NULL byte 788 */ 789static int 790fetch_arg32_tok(tokenstr_t *tok, char *buf, int len) 791{ 792 int err = 0; 793 794 READ_TOKEN_U_CHAR(buf, len, tok->tt.arg32.no, tok->len, err); 795 if (err) 796 return (-1); 797 798 READ_TOKEN_U_INT32(buf, len, tok->tt.arg32.val, tok->len, err); 799 if (err) 800 return (-1); 801 802 READ_TOKEN_U_INT16(buf, len, tok->tt.arg32.len, tok->len, err); 803 if (err) 804 return (-1); 805 806 SET_PTR(buf, len, tok->tt.arg32.text, tok->tt.arg32.len, tok->len, 807 err); 808 if (err) 809 return (-1); 810 811 return (0); 812} 813 814static void 815print_arg32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 816 __unused char sfrm) 817{ 818 819 print_tok_type(fp, tok->id, "argument", raw); 820 print_delim(fp, del); 821 print_1_byte(fp, tok->tt.arg32.no, "%u"); 822 print_delim(fp, del); 823 print_4_bytes(fp, tok->tt.arg32.val, "%#x"); 824 print_delim(fp, del); 825 print_string(fp, tok->tt.arg32.text, tok->tt.arg32.len); 826} 827 828static int 829fetch_arg64_tok(tokenstr_t *tok, char *buf, int len) 830{ 831 int err = 0; 832 833 READ_TOKEN_U_CHAR(buf, len, tok->tt.arg64.no, tok->len, err); 834 if (err) 835 return (-1); 836 837 READ_TOKEN_U_INT64(buf, len, tok->tt.arg64.val, tok->len, err); 838 if (err) 839 return (-1); 840 841 READ_TOKEN_U_INT16(buf, len, tok->tt.arg64.len, tok->len, err); 842 if (err) 843 return (-1); 844 845 SET_PTR(buf, len, tok->tt.arg64.text, tok->tt.arg64.len, tok->len, 846 err); 847 if (err) 848 return (-1); 849 850 return (0); 851} 852 853static void 854print_arg64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 855 __unused char sfrm) 856{ 857 858 print_tok_type(fp, tok->id, "argument", raw); 859 print_delim(fp, del); 860 print_1_byte(fp, tok->tt.arg64.no, "%u"); 861 print_delim(fp, del); 862 print_8_bytes(fp, tok->tt.arg64.val, "%#llx"); 863 print_delim(fp, del); 864 print_string(fp, tok->tt.arg64.text, tok->tt.arg64.len); 865} 866 867/* 868 * how to print 1 byte 869 * basic unit 1 byte 870 * unit count 1 byte 871 * data items (depends on basic unit) 872 */ 873static int 874fetch_arb_tok(tokenstr_t *tok, char *buf, int len) 875{ 876 int err = 0; 877 int datasize; 878 879 READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.howtopr, tok->len, err); 880 if (err) 881 return (-1); 882 883 READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.bu, tok->len, err); 884 if (err) 885 return (-1); 886 887 READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.uc, tok->len, err); 888 if (err) 889 return (-1); 890 891 /* 892 * Determine the size of the basic unit. 893 */ 894 switch(tok->tt.arb.bu) { 895 case AUR_BYTE: 896 datasize = AUR_BYTE_SIZE; 897 break; 898 899 case AUR_SHORT: 900 datasize = AUR_SHORT_SIZE; 901 break; 902 903 case AUR_LONG: 904 datasize = AUR_LONG_SIZE; 905 break; 906 907 default: 908 return (-1); 909 } 910 911 SET_PTR(buf, len, tok->tt.arb.data, datasize * tok->tt.arb.uc, 912 tok->len, err); 913 if (err) 914 return (-1); 915 916 return (0); 917} 918 919static void 920print_arb_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 921 __unused char sfrm) 922{ 923 char *str; 924 char *format; 925 size_t size; 926 int i; 927 928 print_tok_type(fp, tok->id, "arbitrary", raw); 929 print_delim(fp, del); 930 931 switch(tok->tt.arb.howtopr) { 932 case AUP_BINARY: 933 str = "binary"; 934 format = " %c"; 935 break; 936 937 case AUP_OCTAL: 938 str = "octal"; 939 format = " %o"; 940 break; 941 942 case AUP_DECIMAL: 943 str = "decimal"; 944 format = " %d"; 945 break; 946 947 case AUP_HEX: 948 str = "hex"; 949 format = " %x"; 950 break; 951 952 case AUP_STRING: 953 str = "string"; 954 format = "%c"; 955 break; 956 957 default: 958 return; 959 } 960 961 print_string(fp, str, strlen(str)); 962 print_delim(fp, del); 963 switch(tok->tt.arb.bu) { 964 case AUR_BYTE: 965 str = "byte"; 966 size = AUR_BYTE_SIZE; 967 print_string(fp, str, strlen(str)); 968 print_delim(fp, del); 969 print_1_byte(fp, tok->tt.arb.uc, "%u"); 970 print_delim(fp, del); 971 for (i = 0; i<tok->tt.arb.uc; i++) 972 fprintf(fp, format, *(tok->tt.arb.data + (size * i))); 973 break; 974 975 case AUR_SHORT: 976 str = "short"; 977 size = AUR_SHORT_SIZE; 978 print_string(fp, str, strlen(str)); 979 print_delim(fp, del); 980 print_1_byte(fp, tok->tt.arb.uc, "%u"); 981 print_delim(fp, del); 982 for (i = 0; i<tok->tt.arb.uc; i++) 983 fprintf(fp, format, *((u_int16_t *)(tok->tt.arb.data + 984 (size * i)))); 985 break; 986 987 case AUR_LONG: 988 str = "int"; 989 size = AUR_LONG_SIZE; 990 print_string(fp, str, strlen(str)); 991 print_delim(fp, del); 992 print_1_byte(fp, tok->tt.arb.uc, "%u"); 993 print_delim(fp, del); 994 for (i = 0; i<tok->tt.arb.uc; i++) 995 fprintf(fp, format, *((u_int32_t *)(tok->tt.arb.data + 996 (size * i)))); 997 break; 998 999 default: 1000 return; 1001 } 1002} 1003 1004/* 1005 * file access mode 4 bytes 1006 * owner user ID 4 bytes 1007 * owner group ID 4 bytes 1008 * file system ID 4 bytes 1009 * node ID 8 bytes 1010 * device 4 bytes/8 bytes (32-bit/64-bit) 1011 */ 1012static int 1013fetch_attr32_tok(tokenstr_t *tok, char *buf, int len) 1014{ 1015 int err = 0; 1016 1017 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.mode, tok->len, err); 1018 if (err) 1019 return (-1); 1020 1021 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.uid, tok->len, err); 1022 if (err) 1023 return (-1); 1024 1025 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.gid, tok->len, err); 1026 if (err) 1027 return (-1); 1028 1029 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.fsid, tok->len, err); 1030 if (err) 1031 return (-1); 1032 1033 READ_TOKEN_U_INT64(buf, len, tok->tt.attr32.nid, tok->len, err); 1034 if (err) 1035 return (-1); 1036 1037 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.dev, tok->len, err); 1038 if (err) 1039 return (-1); 1040 1041 return (0); 1042} 1043 1044static void 1045print_attr32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1046 __unused char sfrm) 1047{ 1048 1049 print_tok_type(fp, tok->id, "attribute", raw); 1050 print_delim(fp, del); 1051 print_4_bytes(fp, tok->tt.attr32.mode, "%o"); 1052 print_delim(fp, del); 1053 print_user(fp, tok->tt.attr32.uid, raw); 1054 print_delim(fp, del); 1055 print_group(fp, tok->tt.attr32.gid, raw); 1056 print_delim(fp, del); 1057 print_4_bytes(fp, tok->tt.attr32.fsid, "%u"); 1058 print_delim(fp, del); 1059 print_8_bytes(fp, tok->tt.attr32.nid, "%lld"); 1060 print_delim(fp, del); 1061 print_4_bytes(fp, tok->tt.attr32.dev, "%u"); 1062} 1063 1064/* 1065 * file access mode 4 bytes 1066 * owner user ID 4 bytes 1067 * owner group ID 4 bytes 1068 * file system ID 4 bytes 1069 * node ID 8 bytes 1070 * device 4 bytes/8 bytes (32-bit/64-bit) 1071 */ 1072static int 1073fetch_attr64_tok(tokenstr_t *tok, char *buf, int len) 1074{ 1075 int err = 0; 1076 1077 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.mode, tok->len, err); 1078 if (err) 1079 return (-1); 1080 1081 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.uid, tok->len, err); 1082 if (err) 1083 return (-1); 1084 1085 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.gid, tok->len, err); 1086 if (err) 1087 return (-1); 1088 1089 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.fsid, tok->len, err); 1090 if (err) 1091 return (-1); 1092 1093 READ_TOKEN_U_INT64(buf, len, tok->tt.attr64.nid, tok->len, err); 1094 if (err) 1095 return (-1); 1096 1097 READ_TOKEN_U_INT64(buf, len, tok->tt.attr64.dev, tok->len, err); 1098 if (err) 1099 return (-1); 1100 1101 return (0); 1102} 1103 1104static void 1105print_attr64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1106 __unused char sfrm) 1107{ 1108 1109 print_tok_type(fp, tok->id, "attribute", raw); 1110 print_delim(fp, del); 1111 print_4_bytes(fp, tok->tt.attr64.mode, "%o"); 1112 print_delim(fp, del); 1113 print_user(fp, tok->tt.attr64.uid, raw); 1114 print_delim(fp, del); 1115 print_group(fp, tok->tt.attr64.gid, raw); 1116 print_delim(fp, del); 1117 print_4_bytes(fp, tok->tt.attr64.fsid, "%u"); 1118 print_delim(fp, del); 1119 print_8_bytes(fp, tok->tt.attr64.nid, "%lld"); 1120 print_delim(fp, del); 1121 print_8_bytes(fp, tok->tt.attr64.dev, "%llu"); 1122} 1123 1124/* 1125 * status 4 bytes 1126 * return value 4 bytes 1127 */ 1128static int 1129fetch_exit_tok(tokenstr_t *tok, char *buf, int len) 1130{ 1131 int err = 0; 1132 1133 READ_TOKEN_U_INT32(buf, len, tok->tt.exit.status, tok->len, err); 1134 if (err) 1135 return (-1); 1136 1137 READ_TOKEN_U_INT32(buf, len, tok->tt.exit.ret, tok->len, err); 1138 if (err) 1139 return (-1); 1140 1141 return (0); 1142} 1143 1144static void 1145print_exit_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1146 __unused char sfrm) 1147{ 1148 1149 print_tok_type(fp, tok->id, "exit", raw); 1150 print_delim(fp, del); 1151 print_errval(fp, tok->tt.exit.status); 1152 print_delim(fp, del); 1153 print_4_bytes(fp, tok->tt.exit.ret, "%u"); 1154} 1155 1156/* 1157 * count 4 bytes 1158 * text count null-terminated string(s) 1159 */ 1160static int 1161fetch_execarg_tok(tokenstr_t *tok, char *buf, int len) 1162{ 1163 int err = 0; 1164 int i; 1165 char *bptr; 1166 1167 READ_TOKEN_U_INT32(buf, len, tok->tt.execarg.count, tok->len, err); 1168 if (err) 1169 return (-1); 1170 1171 for (i = 0; i < tok->tt.execarg.count; i++) { 1172 bptr = buf + tok->len; 1173 tok->tt.execarg.text[i] = bptr; 1174 1175 /* Look for a null terminated string. */ 1176 while (bptr && (*bptr != '\0')) { 1177 if (++tok->len >=len) 1178 return (-1); 1179 bptr = buf + tok->len; 1180 } 1181 if (!bptr) 1182 return (-1); 1183 tok->len++; /* \0 character */ 1184 } 1185 1186 return (0); 1187} 1188 1189static void 1190print_execarg_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1191 __unused char sfrm) 1192{ 1193 int i; 1194 1195 print_tok_type(fp, tok->id, "exec arg", raw); 1196 for (i = 0; i < tok->tt.execarg.count; i++) { 1197 print_delim(fp, del); 1198 print_string(fp, tok->tt.execarg.text[i], 1199 strlen(tok->tt.execarg.text[i])); 1200 } 1201} 1202 1203/* 1204 * count 4 bytes 1205 * text count null-terminated string(s) 1206 */ 1207static int 1208fetch_execenv_tok(tokenstr_t *tok, char *buf, int len) 1209{ 1210 int err = 0; 1211 int i; 1212 char *bptr; 1213 1214 READ_TOKEN_U_INT32(buf, len, tok->tt.execenv.count, tok->len, err); 1215 if (err) 1216 return (-1); 1217 1218 for (i = 0; i< tok->tt.execenv.count; i++) { 1219 bptr = buf + tok->len; 1220 tok->tt.execenv.text[i] = bptr; 1221 1222 /* Look for a null terminated string. */ 1223 while (bptr && (*bptr != '\0')) { 1224 if (++tok->len >=len) 1225 return (-1); 1226 bptr = buf + tok->len; 1227 } 1228 if (!bptr) 1229 return (-1); 1230 tok->len++; /* \0 character */ 1231 } 1232 1233 return (0); 1234} 1235 1236static void 1237print_execenv_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1238 __unused char sfrm) 1239{ 1240 int i; 1241 1242 print_tok_type(fp, tok->id, "exec arg", raw); 1243 for (i = 0; i< tok->tt.execenv.count; i++) { 1244 print_delim(fp, del); 1245 print_string(fp, tok->tt.execenv.text[i], 1246 strlen(tok->tt.execenv.text[i])); 1247 } 1248} 1249 1250/* 1251 * seconds of time 4 bytes 1252 * milliseconds of time 4 bytes 1253 * file name len 2 bytes 1254 * file pathname N bytes + 1 terminating NULL byte 1255 */ 1256static int 1257fetch_file_tok(tokenstr_t *tok, char *buf, int len) 1258{ 1259 int err = 0; 1260 1261 READ_TOKEN_U_INT32(buf, len, tok->tt.file.s, tok->len, err); 1262 if (err) 1263 return (-1); 1264 1265 READ_TOKEN_U_INT32(buf, len, tok->tt.file.ms, tok->len, err); 1266 if (err) 1267 return (-1); 1268 1269 READ_TOKEN_U_INT16(buf, len, tok->tt.file.len, tok->len, err); 1270 if (err) 1271 return (-1); 1272 1273 SET_PTR(buf, len, tok->tt.file.name, tok->tt.file.len, tok->len, err); 1274 if (err) 1275 return (-1); 1276 1277 return (0); 1278} 1279 1280static void 1281print_file_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1282 __unused char sfrm) 1283{ 1284 1285 print_tok_type(fp, tok->id, "file", raw); 1286 print_delim(fp, del); 1287 print_sec32(fp, tok->tt.file.s, raw); 1288 print_delim(fp, del); 1289 print_msec32(fp, tok->tt.file.ms, raw); 1290 print_delim(fp, del); 1291 print_string(fp, tok->tt.file.name, tok->tt.file.len); 1292} 1293 1294/* 1295 * number groups 2 bytes 1296 * group list count * 4 bytes 1297 */ 1298static int 1299fetch_newgroups_tok(tokenstr_t *tok, char *buf, int len) 1300{ 1301 int i; 1302 int err = 0; 1303 1304 READ_TOKEN_U_INT16(buf, len, tok->tt.grps.no, tok->len, err); 1305 if (err) 1306 return (-1); 1307 1308 for (i = 0; i<tok->tt.grps.no; i++) { 1309 READ_TOKEN_U_INT32(buf, len, tok->tt.grps.list[i], tok->len, 1310 err); 1311 if (err) 1312 return (-1); 1313 } 1314 1315 return (0); 1316} 1317 1318static void 1319print_newgroups_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1320 __unused char sfrm) 1321{ 1322 int i; 1323 1324 print_tok_type(fp, tok->id, "group", raw); 1325 for (i = 0; i < tok->tt.grps.no; i++) { 1326 print_delim(fp, del); 1327 print_group(fp, tok->tt.grps.list[i], raw); 1328 } 1329} 1330 1331/* 1332 * Internet addr 4 bytes 1333 */ 1334static int 1335fetch_inaddr_tok(tokenstr_t *tok, char *buf, int len) 1336{ 1337 int err = 0; 1338 1339 READ_TOKEN_U_INT32(buf, len, tok->tt.inaddr.addr, tok->len, err); 1340 if (err) 1341 return (-1); 1342 1343 return (0); 1344 1345} 1346 1347static void 1348print_inaddr_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1349 __unused char sfrm) 1350{ 1351 1352 print_tok_type(fp, tok->id, "ip addr", raw); 1353 print_delim(fp, del); 1354 print_ip_address(fp, tok->tt.inaddr.addr); 1355} 1356 1357/* 1358 * type 4 bytes 1359 * address 16 bytes 1360 */ 1361static int 1362fetch_inaddr_ex_tok(tokenstr_t *tok, char *buf, int len) 1363{ 1364 int err = 0; 1365 1366 READ_TOKEN_U_INT32(buf, len, tok->tt.inaddr_ex.type, tok->len, err); 1367 if (err) 1368 return (-1); 1369 1370 if (tok->tt.inaddr_ex.type == AU_IPv4) { 1371 READ_TOKEN_BYTES(buf, len, &tok->tt.inaddr_ex.addr[0], 1372 sizeof(tok->tt.inaddr_ex.addr[0]), tok->len, err); 1373 if (err) 1374 return (-1); 1375 } else if (tok->tt.inaddr_ex.type == AU_IPv6) { 1376 READ_TOKEN_BYTES(buf, len, tok->tt.inaddr_ex.addr, 1377 sizeof(tok->tt.inaddr_ex.addr), tok->len, err); 1378 if (err) 1379 return (-1); 1380 } else 1381 return (-1); 1382 1383 return (0); 1384} 1385 1386static void 1387print_inaddr_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1388 __unused char sfrm) 1389{ 1390 1391 print_tok_type(fp, tok->id, "ip addr ex", raw); 1392 print_delim(fp, del); 1393 print_ip_ex_address(fp, tok->tt.inaddr_ex.type, 1394 tok->tt.inaddr_ex.addr); 1395} 1396 1397/* 1398 * ip header 20 bytes 1399 */ 1400static int 1401fetch_ip_tok(tokenstr_t *tok, char *buf, int len) 1402{ 1403 int err = 0; 1404 1405 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.version, tok->len, err); 1406 if (err) 1407 return (-1); 1408 1409 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.tos, tok->len, err); 1410 if (err) 1411 return (-1); 1412 1413 READ_TOKEN_U_INT16(buf, len, tok->tt.ip.len, tok->len, err); 1414 if (err) 1415 return (-1); 1416 1417 READ_TOKEN_U_INT16(buf, len, tok->tt.ip.id, tok->len, err); 1418 if (err) 1419 return (-1); 1420 1421 READ_TOKEN_U_INT16(buf, len, tok->tt.ip.offset, tok->len, err); 1422 if (err) 1423 return (-1); 1424 1425 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.ttl, tok->len, err); 1426 if (err) 1427 return (-1); 1428 1429 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.prot, tok->len, err); 1430 if (err) 1431 return (-1); 1432 1433 READ_TOKEN_U_INT16(buf, len, tok->tt.ip.chksm, tok->len, err); 1434 if (err) 1435 return (-1); 1436 1437 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.src, sizeof(tok->tt.ip.src), 1438 tok->len, err); 1439 if (err) 1440 return (-1); 1441 1442 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.dest, sizeof(tok->tt.ip.dest), 1443 tok->len, err); 1444 if (err) 1445 return (-1); 1446 1447 return (0); 1448} 1449 1450static void 1451print_ip_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1452 __unused char sfrm) 1453{ 1454 1455 print_tok_type(fp, tok->id, "ip", raw); 1456 print_delim(fp, del); 1457 print_mem(fp, (u_char *)(&tok->tt.ip.version), sizeof(u_char)); 1458 print_delim(fp, del); 1459 print_mem(fp, (u_char *)(&tok->tt.ip.tos), sizeof(u_char)); 1460 print_delim(fp, del); 1461 print_2_bytes(fp, tok->tt.ip.len, "%u"); 1462 print_delim(fp, del); 1463 print_2_bytes(fp, tok->tt.ip.id, "%u"); 1464 print_delim(fp, del); 1465 print_2_bytes(fp, tok->tt.ip.offset, "%u"); 1466 print_delim(fp, del); 1467 print_mem(fp, (u_char *)(&tok->tt.ip.ttl), sizeof(u_char)); 1468 print_delim(fp, del); 1469 print_mem(fp, (u_char *)(&tok->tt.ip.prot), sizeof(u_char)); 1470 print_delim(fp, del); 1471 print_2_bytes(fp, tok->tt.ip.chksm, "%u"); 1472 print_delim(fp, del); 1473 print_ip_address(fp, tok->tt.ip.src); 1474 print_delim(fp, del); 1475 print_ip_address(fp, tok->tt.ip.dest); 1476} 1477 1478/* 1479 * object ID type 1 byte 1480 * Object ID 4 bytes 1481 */ 1482static int 1483fetch_ipc_tok(tokenstr_t *tok, char *buf, int len) 1484{ 1485 int err = 0; 1486 1487 READ_TOKEN_U_CHAR(buf, len, tok->tt.ipc.type, tok->len, err); 1488 if (err) 1489 return (-1); 1490 1491 READ_TOKEN_U_INT32(buf, len, tok->tt.ipc.id, tok->len, err); 1492 if (err) 1493 return (-1); 1494 1495 return (0); 1496} 1497 1498static void 1499print_ipc_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1500 __unused char sfrm) 1501{ 1502 1503 print_tok_type(fp, tok->id, "IPC", raw); 1504 print_delim(fp, del); 1505 print_ipctype(fp, tok->tt.ipc.type, raw); 1506 print_delim(fp, del); 1507 print_4_bytes(fp, tok->tt.ipc.id, "%u"); 1508} 1509 1510/* 1511 * owner user id 4 bytes 1512 * owner group id 4 bytes 1513 * creator user id 4 bytes 1514 * creator group id 4 bytes 1515 * access mode 4 bytes 1516 * slot seq 4 bytes 1517 * key 4 bytes 1518 */ 1519static int 1520fetch_ipcperm_tok(tokenstr_t *tok, char *buf, int len) 1521{ 1522 int err = 0; 1523 1524 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.uid, tok->len, err); 1525 if (err) 1526 return (-1); 1527 1528 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.gid, tok->len, err); 1529 if (err) 1530 return (-1); 1531 1532 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.puid, tok->len, err); 1533 if (err) 1534 return (-1); 1535 1536 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.pgid, tok->len, err); 1537 if (err) 1538 return (-1); 1539 1540 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.mode, tok->len, err); 1541 if (err) 1542 return (-1); 1543 1544 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.seq, tok->len, err); 1545 if (err) 1546 return (-1); 1547 1548 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.key, tok->len, err); 1549 if (err) 1550 return (-1); 1551 1552 return (0); 1553} 1554 1555static void 1556print_ipcperm_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1557 __unused char sfrm) 1558{ 1559 1560 print_tok_type(fp, tok->id, "IPC perm", raw); 1561 print_delim(fp, del); 1562 print_user(fp, tok->tt.ipcperm.uid, raw); 1563 print_delim(fp, del); 1564 print_group(fp, tok->tt.ipcperm.gid, raw); 1565 print_delim(fp, del); 1566 print_user(fp, tok->tt.ipcperm.puid, raw); 1567 print_delim(fp, del); 1568 print_group(fp, tok->tt.ipcperm.pgid, raw); 1569 print_delim(fp, del); 1570 print_4_bytes(fp, tok->tt.ipcperm.mode, "%o"); 1571 print_delim(fp, del); 1572 print_4_bytes(fp, tok->tt.ipcperm.seq, "%u"); 1573 print_delim(fp, del); 1574 print_4_bytes(fp, tok->tt.ipcperm.key, "%u"); 1575} 1576 1577/* 1578 * port Ip address 2 bytes 1579 */ 1580static int 1581fetch_iport_tok(tokenstr_t *tok, char *buf, int len) 1582{ 1583 int err = 0; 1584 1585 READ_TOKEN_U_INT16(buf, len, tok->tt.iport.port, tok->len, err); 1586 if (err) 1587 return (-1); 1588 1589 return (0); 1590} 1591 1592static void 1593print_iport_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1594 __unused char sfrm) 1595{ 1596 1597 print_tok_type(fp, tok->id, "ip port", raw); 1598 print_delim(fp, del); 1599 print_2_bytes(fp, tok->tt.iport.port, "%#x"); 1600} 1601 1602/* 1603 * size 2 bytes 1604 * data size bytes 1605 */ 1606static int 1607fetch_opaque_tok(tokenstr_t *tok, char *buf, int len) 1608{ 1609 int err = 0; 1610 1611 READ_TOKEN_U_INT16(buf, len, tok->tt.opaque.size, tok->len, err); 1612 if (err) 1613 return (-1); 1614 1615 SET_PTR(buf, len, tok->tt.opaque.data, tok->tt.opaque.size, tok->len, 1616 err); 1617 if (err) 1618 return (-1); 1619 1620 return (0); 1621} 1622 1623static void 1624print_opaque_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1625 __unused char sfrm) 1626{ 1627 1628 print_tok_type(fp, tok->id, "opaque", raw); 1629 print_delim(fp, del); 1630 print_2_bytes(fp, tok->tt.opaque.size, "%u"); 1631 print_delim(fp, del); 1632 print_mem(fp, tok->tt.opaque.data, tok->tt.opaque.size); 1633} 1634 1635/* 1636 * size 2 bytes 1637 * data size bytes 1638 */ 1639static int 1640fetch_path_tok(tokenstr_t *tok, char *buf, int len) 1641{ 1642 int err = 0; 1643 1644 READ_TOKEN_U_INT16(buf, len, tok->tt.path.len, tok->len, err); 1645 if (err) 1646 return (-1); 1647 1648 SET_PTR(buf, len, tok->tt.path.path, tok->tt.path.len, tok->len, err); 1649 if (err) 1650 return (-1); 1651 1652 return (0); 1653} 1654 1655static void 1656print_path_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1657 __unused char sfrm) 1658{ 1659 1660 print_tok_type(fp, tok->id, "path", raw); 1661 print_delim(fp, del); 1662 print_string(fp, tok->tt.path.path, tok->tt.path.len); 1663} 1664 1665/* 1666 * token ID 1 byte 1667 * audit ID 4 bytes 1668 * euid 4 bytes 1669 * egid 4 bytes 1670 * ruid 4 bytes 1671 * rgid 4 bytes 1672 * pid 4 bytes 1673 * sessid 4 bytes 1674 * terminal ID 1675 * portid 4 bytes 1676 * machine id 4 bytes 1677 */ 1678static int 1679fetch_process32_tok(tokenstr_t *tok, char *buf, int len) 1680{ 1681 int err = 0; 1682 1683 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.auid, tok->len, err); 1684 if (err) 1685 return (-1); 1686 1687 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.euid, tok->len, err); 1688 if (err) 1689 return (-1); 1690 1691 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.egid, tok->len, err); 1692 if (err) 1693 return (-1); 1694 1695 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.ruid, tok->len, err); 1696 if (err) 1697 return (-1); 1698 1699 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.rgid, tok->len, err); 1700 if (err) 1701 return (-1); 1702 1703 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.pid, tok->len, err); 1704 if (err) 1705 return (-1); 1706 1707 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.sid, tok->len, err); 1708 if (err) 1709 return (-1); 1710 1711 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.tid.port, tok->len, err); 1712 if (err) 1713 return (-1); 1714 1715 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.tid.addr, tok->len, err); 1716 if (err) 1717 return (-1); 1718 1719 return (0); 1720} 1721 1722static void 1723print_process32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1724 __unused char sfrm) 1725{ 1726 1727 print_tok_type(fp, tok->id, "process", raw); 1728 print_delim(fp, del); 1729 print_user(fp, tok->tt.proc32.auid, raw); 1730 print_delim(fp, del); 1731 print_user(fp, tok->tt.proc32.euid, raw); 1732 print_delim(fp, del); 1733 print_group(fp, tok->tt.proc32.egid, raw); 1734 print_delim(fp, del); 1735 print_user(fp, tok->tt.proc32.ruid, raw); 1736 print_delim(fp, del); 1737 print_group(fp, tok->tt.proc32.rgid, raw); 1738 print_delim(fp, del); 1739 print_4_bytes(fp, tok->tt.proc32.pid, "%u"); 1740 print_delim(fp, del); 1741 print_4_bytes(fp, tok->tt.proc32.sid, "%u"); 1742 print_delim(fp, del); 1743 print_4_bytes(fp, tok->tt.proc32.tid.port, "%u"); 1744 print_delim(fp, del); 1745 print_ip_address(fp, tok->tt.proc32.tid.addr); 1746} 1747 1748static int 1749fetch_process32ex_tok(tokenstr_t *tok, char *buf, int len) 1750{ 1751 int err = 0; 1752 1753 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.auid, tok->len, err); 1754 if (err) 1755 return (-1); 1756 1757 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.euid, tok->len, err); 1758 if (err) 1759 return (-1); 1760 1761 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.egid, tok->len, err); 1762 if (err) 1763 return (-1); 1764 1765 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.ruid, tok->len, err); 1766 if (err) 1767 return (-1); 1768 1769 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.rgid, tok->len, err); 1770 if (err) 1771 return (-1); 1772 1773 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.pid, tok->len, err); 1774 if (err) 1775 return (-1); 1776 1777 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.sid, tok->len, err); 1778 if (err) 1779 return (-1); 1780 1781 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.tid.port, tok->len, 1782 err); 1783 if (err) 1784 return (-1); 1785 1786 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.tid.type, tok->len, 1787 err); 1788 if (err) 1789 return (-1); 1790 1791 if (tok->tt.proc32_ex.tid.type == AU_IPv4) { 1792 READ_TOKEN_BYTES(buf, len, &tok->tt.proc32_ex.tid.addr[0], 1793 sizeof(tok->tt.proc32_ex.tid.addr[0]), tok->len, err); 1794 if (err) 1795 return (-1); 1796 } else if (tok->tt.proc32_ex.tid.type == AU_IPv6) { 1797 READ_TOKEN_BYTES(buf, len, tok->tt.proc32_ex.tid.addr, 1798 sizeof(tok->tt.proc32_ex.tid.addr), tok->len, err); 1799 if (err) 1800 return (-1); 1801 } else 1802 return (-1); 1803 1804 return (0); 1805} 1806 1807static void 1808print_process32ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1809 __unused char sfrm) 1810{ 1811 1812 print_tok_type(fp, tok->id, "process_ex", raw); 1813 print_delim(fp, del); 1814 print_user(fp, tok->tt.proc32_ex.auid, raw); 1815 print_delim(fp, del); 1816 print_user(fp, tok->tt.proc32_ex.euid, raw); 1817 print_delim(fp, del); 1818 print_group(fp, tok->tt.proc32_ex.egid, raw); 1819 print_delim(fp, del); 1820 print_user(fp, tok->tt.proc32_ex.ruid, raw); 1821 print_delim(fp, del); 1822 print_group(fp, tok->tt.proc32_ex.rgid, raw); 1823 print_delim(fp, del); 1824 print_4_bytes(fp, tok->tt.proc32_ex.pid, "%u"); 1825 print_delim(fp, del); 1826 print_4_bytes(fp, tok->tt.proc32_ex.sid, "%u"); 1827 print_delim(fp, del); 1828 print_4_bytes(fp, tok->tt.proc32_ex.tid.port, "%u"); 1829 print_delim(fp, del); 1830 print_ip_ex_address(fp, tok->tt.proc32_ex.tid.type, 1831 tok->tt.proc32_ex.tid.addr); 1832} 1833 1834/* 1835 * errno 1 byte 1836 * return value 4 bytes 1837 */ 1838static int 1839fetch_return32_tok(tokenstr_t *tok, char *buf, int len) 1840{ 1841 int err = 0; 1842 1843 READ_TOKEN_U_CHAR(buf, len, tok->tt.ret32.status, tok->len, err); 1844 if (err) 1845 return (-1); 1846 1847 READ_TOKEN_U_INT32(buf, len, tok->tt.ret32.ret, tok->len, err); 1848 if (err) 1849 return (-1); 1850 1851 return (0); 1852} 1853 1854static void 1855print_return32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1856 __unused char sfrm) 1857{ 1858 1859 print_tok_type(fp, tok->id, "return", raw); 1860 print_delim(fp, del); 1861 print_retval(fp, tok->tt.ret32.status, raw); 1862 print_delim(fp, del); 1863 print_4_bytes(fp, tok->tt.ret32.ret, "%u"); 1864} 1865 1866static int 1867fetch_return64_tok(tokenstr_t *tok, char *buf, int len) 1868{ 1869 int err = 0; 1870 1871 READ_TOKEN_U_CHAR(buf, len, tok->tt.ret64.err, tok->len, err); 1872 if (err) 1873 return (-1); 1874 1875 READ_TOKEN_U_INT64(buf, len, tok->tt.ret64.val, tok->len, err); 1876 if (err) 1877 return (-1); 1878 1879 return (0); 1880} 1881 1882static void 1883print_return64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1884 __unused char sfrm) 1885{ 1886 1887 print_tok_type(fp, tok->id, "return", raw); 1888 print_delim(fp, del); 1889 print_retval(fp, tok->tt.ret64.err, raw); 1890 print_delim(fp, del); 1891 print_8_bytes(fp, tok->tt.ret64.val, "%lld"); 1892} 1893 1894/* 1895 * seq 4 bytes 1896 */ 1897static int 1898fetch_seq_tok(tokenstr_t *tok, char *buf, int len) 1899{ 1900 int err = 0; 1901 1902 READ_TOKEN_U_INT32(buf, len, tok->tt.seq.seqno, tok->len, err); 1903 if (err) 1904 return (-1); 1905 1906 return (0); 1907} 1908 1909static void 1910print_seq_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1911 __unused char sfrm) 1912{ 1913 1914 print_tok_type(fp, tok->id, "sequence", raw); 1915 print_delim(fp, del); 1916 print_4_bytes(fp, tok->tt.seq.seqno, "%u"); 1917} 1918 1919/* 1920 * socket family 2 bytes 1921 * local port 2 bytes 1922 * socket address 4 bytes 1923 */ 1924static int 1925fetch_sock_inet32_tok(tokenstr_t *tok, char *buf, int len) 1926{ 1927 int err = 0; 1928 1929 READ_TOKEN_U_INT16(buf, len, tok->tt.sockinet32.family, tok->len, 1930 err); 1931 if (err) 1932 return (-1); 1933 1934 READ_TOKEN_U_INT16(buf, len, tok->tt.sockinet32.port, tok->len, err); 1935 if (err) 1936 return (-1); 1937 1938 READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet32.addr, 1939 sizeof(tok->tt.sockinet32.addr), tok->len, err); 1940 if (err) 1941 return (-1); 1942 1943 return (0); 1944} 1945 1946static void 1947print_sock_inet32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1948 __unused char sfrm) 1949{ 1950 1951 print_tok_type(fp, tok->id, "socket-inet", raw); 1952 print_delim(fp, del); 1953 print_2_bytes(fp, tok->tt.sockinet32.family, "%u"); 1954 print_delim(fp, del); 1955 print_2_bytes(fp, tok->tt.sockinet32.port, "%u"); 1956 print_delim(fp, del); 1957 print_ip_address(fp, tok->tt.sockinet32.addr); 1958} 1959 1960/* 1961 * socket family 2 bytes 1962 * path 104 bytes 1963 */ 1964static int fetch_sock_unix_tok(tokenstr_t *tok, char *buf, int len) 1965{ 1966 int err = 0; 1967 1968 READ_TOKEN_U_INT16(buf, len, tok->tt.sockunix.family, tok->len, err); 1969 if (err) 1970 return (-1); 1971 1972 READ_TOKEN_BYTES(buf, len, tok->tt.sockunix.path, 104, tok->len, 1973 err); 1974 if (err) 1975 return (-1); 1976 1977 return (0); 1978} 1979 1980static void 1981print_sock_unix_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1982 __unused char sfrm) 1983{ 1984 1985 print_tok_type(fp, tok->id, "socket-unix", raw); 1986 print_delim(fp, del); 1987 print_2_bytes(fp, tok->tt.sockunix.family, "%u"); 1988 print_delim(fp, del); 1989 print_string(fp, tok->tt.sockunix.path, 1990 strlen(tok->tt.sockunix.path)); 1991} 1992 1993/* 1994 * socket type 2 bytes 1995 * local port 2 bytes 1996 * local address 4 bytes 1997 * remote port 2 bytes 1998 * remote address 4 bytes 1999 */ 2000static int fetch_socket_tok(tokenstr_t *tok, char *buf, int len) 2001{ 2002 int err = 0; 2003 2004 READ_TOKEN_U_INT16(buf, len, tok->tt.socket.type, tok->len, err); 2005 if (err) 2006 return (-1); 2007 2008 READ_TOKEN_U_INT16(buf, len, tok->tt.socket.l_port, tok->len, err); 2009 if (err) 2010 return (-1); 2011 2012 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_addr, 2013 sizeof(tok->tt.socket.l_addr), tok->len, err); 2014 if (err) 2015 return (-1); 2016 2017 READ_TOKEN_U_INT16(buf, len, tok->tt.socket.r_port, tok->len, err); 2018 if (err) 2019 return (-1); 2020 2021 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_addr, 2022 sizeof(tok->tt.socket.r_addr), tok->len, err); 2023 if (err) 2024 return (-1); 2025 2026 return (0); 2027} 2028 2029static void 2030print_socket_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2031 __unused char sfrm) 2032{ 2033 2034 print_tok_type(fp, tok->id, "socket", raw); 2035 print_delim(fp, del); 2036 print_2_bytes(fp, tok->tt.socket.type, "%u"); 2037 print_delim(fp, del); 2038 print_2_bytes(fp, tok->tt.socket.l_port, "%u"); 2039 print_delim(fp, del); 2040 print_ip_address(fp, tok->tt.socket.l_addr); 2041 print_delim(fp, del); 2042 print_2_bytes(fp, tok->tt.socket.r_port, "%u"); 2043 print_delim(fp, del); 2044 print_ip_address(fp, tok->tt.socket.r_addr); 2045} 2046 2047/* 2048 * audit ID 4 bytes 2049 * euid 4 bytes 2050 * egid 4 bytes 2051 * ruid 4 bytes 2052 * rgid 4 bytes 2053 * pid 4 bytes 2054 * sessid 4 bytes 2055 * terminal ID 2056 * portid 4 bytes/8 bytes (32-bit/64-bit value) 2057 * machine id 4 bytes 2058 */ 2059static int 2060fetch_subject32_tok(tokenstr_t *tok, char *buf, int len) 2061{ 2062 int err = 0; 2063 2064 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.auid, tok->len, err); 2065 if (err) 2066 return (-1); 2067 2068 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.euid, tok->len, err); 2069 if (err) 2070 return (-1); 2071 2072 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.egid, tok->len, err); 2073 if (err) 2074 return (-1); 2075 2076 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.ruid, tok->len, err); 2077 if (err) 2078 return (-1); 2079 2080 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.rgid, tok->len, err); 2081 if (err) 2082 return (-1); 2083 2084 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.pid, tok->len, err); 2085 if (err) 2086 return (-1); 2087 2088 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.sid, tok->len, err); 2089 if (err) 2090 return (-1); 2091 2092 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.tid.port, tok->len, err); 2093 if (err) 2094 return (-1); 2095 2096 READ_TOKEN_BYTES(buf, len, &tok->tt.subj32.tid.addr, 2097 sizeof(tok->tt.subj32.tid.addr), tok->len, err); 2098 if (err) 2099 return (-1); 2100 2101 return (0); 2102} 2103 2104static void 2105print_subject32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2106 __unused char sfrm) 2107{ 2108 2109 print_tok_type(fp, tok->id, "subject", raw); 2110 print_delim(fp, del); 2111 print_user(fp, tok->tt.subj32.auid, raw); 2112 print_delim(fp, del); 2113 print_user(fp, tok->tt.subj32.euid, raw); 2114 print_delim(fp, del); 2115 print_group(fp, tok->tt.subj32.egid, raw); 2116 print_delim(fp, del); 2117 print_user(fp, tok->tt.subj32.ruid, raw); 2118 print_delim(fp, del); 2119 print_group(fp, tok->tt.subj32.rgid, raw); 2120 print_delim(fp, del); 2121 print_4_bytes(fp, tok->tt.subj32.pid, "%u"); 2122 print_delim(fp, del); 2123 print_4_bytes(fp, tok->tt.subj32.sid, "%u"); 2124 print_delim(fp, del); 2125 print_4_bytes(fp, tok->tt.subj32.tid.port, "%u"); 2126 print_delim(fp, del); 2127 print_ip_address(fp, tok->tt.subj32.tid.addr); 2128} 2129 2130/* 2131 * audit ID 4 bytes 2132 * euid 4 bytes 2133 * egid 4 bytes 2134 * ruid 4 bytes 2135 * rgid 4 bytes 2136 * pid 4 bytes 2137 * sessid 4 bytes 2138 * terminal ID 2139 * portid 4 bytes/8 bytes (32-bit/64-bit value) 2140 * machine id 4 bytes 2141 */ 2142static int 2143fetch_subject64_tok(tokenstr_t *tok, char *buf, int len) 2144{ 2145 int err = 0; 2146 2147 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.auid, tok->len, err); 2148 if (err) 2149 return (-1); 2150 2151 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.euid, tok->len, err); 2152 if (err) 2153 return (-1); 2154 2155 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.egid, tok->len, err); 2156 if (err) 2157 return (-1); 2158 2159 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.ruid, tok->len, err); 2160 if (err) 2161 return (-1); 2162 2163 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.rgid, tok->len, err); 2164 if (err) 2165 return (-1); 2166 2167 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.pid, tok->len, err); 2168 if (err) 2169 return (-1); 2170 2171 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.sid, tok->len, err); 2172 if (err) 2173 return (-1); 2174 2175 READ_TOKEN_U_INT64(buf, len, tok->tt.subj64.tid.port, tok->len, err); 2176 if (err) 2177 return (-1); 2178 2179 READ_TOKEN_BYTES(buf, len, &tok->tt.subj64.tid.addr, 2180 sizeof(tok->tt.subj64.tid.addr), tok->len, err); 2181 if (err) 2182 return (-1); 2183 2184 return (0); 2185} 2186 2187static void 2188print_subject64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2189 __unused char sfrm) 2190{ 2191 2192 print_tok_type(fp, tok->id, "subject", raw); 2193 print_delim(fp, del); 2194 print_user(fp, tok->tt.subj64.auid, raw); 2195 print_delim(fp, del); 2196 print_user(fp, tok->tt.subj64.euid, raw); 2197 print_delim(fp, del); 2198 print_group(fp, tok->tt.subj64.egid, raw); 2199 print_delim(fp, del); 2200 print_user(fp, tok->tt.subj64.ruid, raw); 2201 print_delim(fp, del); 2202 print_group(fp, tok->tt.subj64.rgid, raw); 2203 print_delim(fp, del); 2204 print_4_bytes(fp, tok->tt.subj64.pid, "%u"); 2205 print_delim(fp, del); 2206 print_4_bytes(fp, tok->tt.subj64.sid, "%u"); 2207 print_delim(fp, del); 2208 print_8_bytes(fp, tok->tt.subj64.tid.port, "%llu"); 2209 print_delim(fp, del); 2210 print_ip_address(fp, tok->tt.subj64.tid.addr); 2211} 2212 2213/* 2214 * audit ID 4 bytes 2215 * euid 4 bytes 2216 * egid 4 bytes 2217 * ruid 4 bytes 2218 * rgid 4 bytes 2219 * pid 4 bytes 2220 * sessid 4 bytes 2221 * terminal ID 2222 * portid 4 bytes 2223 * type 4 bytes 2224 * machine id 16 bytes 2225 */ 2226static int 2227fetch_subject32ex_tok(tokenstr_t *tok, char *buf, int len) 2228{ 2229 int err = 0; 2230 2231 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.auid, tok->len, err); 2232 if (err) 2233 return (-1); 2234 2235 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.euid, tok->len, err); 2236 if (err) 2237 return (-1); 2238 2239 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.egid, tok->len, err); 2240 if (err) 2241 return (-1); 2242 2243 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.ruid, tok->len, err); 2244 if (err) 2245 return (-1); 2246 2247 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.rgid, tok->len, err); 2248 if (err) 2249 return (-1); 2250 2251 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.pid, tok->len, err); 2252 if (err) 2253 return (-1); 2254 2255 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.sid, tok->len, err); 2256 if (err) 2257 return (-1); 2258 2259 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.tid.port, tok->len, 2260 err); 2261 if (err) 2262 return (-1); 2263 2264 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.tid.type, tok->len, 2265 err); 2266 if (err) 2267 return (-1); 2268 2269 if (tok->tt.subj32_ex.tid.type == AU_IPv4) { 2270 READ_TOKEN_BYTES(buf, len, &tok->tt.subj32_ex.tid.addr[0], 2271 sizeof(tok->tt.subj32_ex.tid.addr[0]), tok->len, err); 2272 if (err) 2273 return (-1); 2274 } else if (tok->tt.subj32_ex.tid.type == AU_IPv6) { 2275 READ_TOKEN_BYTES(buf, len, tok->tt.subj32_ex.tid.addr, 2276 sizeof(tok->tt.subj32_ex.tid.addr), tok->len, err); 2277 if (err) 2278 return (-1); 2279 } else 2280 return (-1); 2281 2282 return (0); 2283} 2284 2285static void 2286print_subject32ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2287 __unused char sfrm) 2288{ 2289 2290 print_tok_type(fp, tok->id, "subject_ex", raw); 2291 print_delim(fp, del); 2292 print_user(fp, tok->tt.subj32_ex.auid, raw); 2293 print_delim(fp, del); 2294 print_user(fp, tok->tt.subj32_ex.euid, raw); 2295 print_delim(fp, del); 2296 print_group(fp, tok->tt.subj32_ex.egid, raw); 2297 print_delim(fp, del); 2298 print_user(fp, tok->tt.subj32_ex.ruid, raw); 2299 print_delim(fp, del); 2300 print_group(fp, tok->tt.subj32_ex.rgid, raw); 2301 print_delim(fp, del); 2302 print_4_bytes(fp, tok->tt.subj32_ex.pid, "%u"); 2303 print_delim(fp, del); 2304 print_4_bytes(fp, tok->tt.subj32_ex.sid, "%u"); 2305 print_delim(fp, del); 2306 print_4_bytes(fp, tok->tt.subj32_ex.tid.port, "%u"); 2307 print_delim(fp, del); 2308 print_ip_ex_address(fp, tok->tt.subj32_ex.tid.type, 2309 tok->tt.subj32_ex.tid.addr); 2310} 2311 2312/* 2313 * size 2 bytes 2314 * data size bytes 2315 */ 2316static int 2317fetch_text_tok(tokenstr_t *tok, char *buf, int len) 2318{ 2319 int err = 0; 2320 2321 READ_TOKEN_U_INT16(buf, len, tok->tt.text.len, tok->len, err); 2322 if (err) 2323 return (-1); 2324 2325 SET_PTR(buf, len, tok->tt.text.text, tok->tt.text.len, tok->len, 2326 err); 2327 if (err) 2328 return (-1); 2329 2330 return (0); 2331} 2332 2333static void 2334print_text_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2335 __unused char sfrm) 2336{ 2337 2338 print_tok_type(fp, tok->id, "text", raw); 2339 print_delim(fp, del); 2340 print_string(fp, tok->tt.text.text, tok->tt.text.len); 2341} 2342 2343/* 2344 * socket type 2 bytes 2345 * local port 2 bytes 2346 * address type/length 4 bytes 2347 * local Internet address 4 bytes 2348 * remote port 4 bytes 2349 * address type/length 4 bytes 2350 * remote Internet address 4 bytes 2351 */ 2352static int 2353fetch_socketex32_tok(tokenstr_t *tok, char *buf, int len) 2354{ 2355 int err = 0; 2356 2357 READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.type, tok->len, 2358 err); 2359 if (err) 2360 return (-1); 2361 2362 READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.l_port, tok->len, 2363 err); 2364 if (err) 2365 return (-1); 2366 2367 READ_TOKEN_U_INT32(buf, len, tok->tt.socket_ex32.l_ad_type, tok->len, 2368 err); 2369 if (err) 2370 return (-1); 2371 2372 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_addr, 2373 sizeof(tok->tt.socket_ex32.l_addr), tok->len, err); 2374 if (err) 2375 return (-1); 2376 2377 READ_TOKEN_U_INT32(buf, len, tok->tt.socket_ex32.r_port, tok->len, 2378 err); 2379 if (err) 2380 return (-1); 2381 2382 READ_TOKEN_U_INT32(buf, len, tok->tt.socket_ex32.r_ad_type, tok->len, 2383 err); 2384 if (err) 2385 return (-1); 2386 2387 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_addr, 2388 sizeof(tok->tt.socket_ex32.r_addr), tok->len, err); 2389 if (err) 2390 return (-1); 2391 2392 return (0); 2393} 2394 2395static void 2396print_socketex32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2397 __unused char sfrm) 2398{ 2399 2400 print_tok_type(fp, tok->id, "socket", raw); 2401 print_delim(fp, del); 2402 print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x"); 2403 print_delim(fp, del); 2404 print_2_bytes(fp, tok->tt.socket_ex32.l_port, "%#x"); 2405 print_delim(fp, del); 2406 print_ip_address(fp, tok->tt.socket_ex32.l_addr); 2407 print_delim(fp, del); 2408 print_4_bytes(fp, tok->tt.socket_ex32.r_port, "%#x"); 2409 print_delim(fp, del); 2410 print_ip_address(fp, tok->tt.socket_ex32.r_addr); 2411} 2412 2413static int 2414fetch_invalid_tok(tokenstr_t *tok, char *buf, int len) 2415{ 2416 int err = 0; 2417 int recoversize; 2418 2419 recoversize = len - (tok->len + BSM_TRAILER_SIZE); 2420 if (recoversize <= 0) 2421 return (-1); 2422 2423 tok->tt.invalid.length = recoversize; 2424 2425 SET_PTR(buf, len, tok->tt.invalid.data, recoversize, tok->len, err); 2426 if (err) 2427 return (-1); 2428 2429 return (0); 2430} 2431 2432static void 2433print_invalid_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2434 __unused char sfrm) 2435{ 2436 2437 print_tok_type(fp, tok->id, "unknown", raw); 2438 print_delim(fp, del); 2439 print_mem(fp, tok->tt.invalid.data, tok->tt.invalid.length); 2440} 2441 2442 2443/* 2444 * Reads the token beginning at buf into tok. 2445 */ 2446int 2447au_fetch_tok(tokenstr_t *tok, u_char *buf, int len) 2448{ 2449 2450 if (len <= 0) 2451 return (-1); 2452 2453 tok->len = 1; 2454 tok->data = buf; 2455 tok->id = *buf; 2456 2457 switch(tok->id) { 2458 case AUT_HEADER32: 2459 return (fetch_header32_tok(tok, buf, len)); 2460 2461 case AUT_HEADER32_EX: 2462 return (fetch_header32_ex_tok(tok, buf, len)); 2463 2464 case AUT_HEADER64: 2465 return (fetch_header64_tok(tok, buf, len)); 2466 2467 case AUT_HEADER64_EX: 2468 return (fetch_header64_ex_tok(tok, buf, len)); 2469 2470 case AUT_TRAILER: 2471 return (fetch_trailer_tok(tok, buf, len)); 2472 2473 case AUT_ARG32: 2474 return (fetch_arg32_tok(tok, buf, len)); 2475 2476 case AUT_ARG64: 2477 return (fetch_arg64_tok(tok, buf, len)); 2478 2479 case AUT_ATTR32: 2480 return (fetch_attr32_tok(tok, buf, len)); 2481 2482 case AUT_ATTR64: 2483 return (fetch_attr64_tok(tok, buf, len)); 2484 2485 case AUT_EXIT: 2486 return (fetch_exit_tok(tok, buf, len)); 2487 2488 case AUT_EXEC_ARGS: 2489 return (fetch_execarg_tok(tok, buf, len)); 2490 2491 case AUT_EXEC_ENV: 2492 return (fetch_execenv_tok(tok, buf, len)); 2493 2494 case AUT_OTHER_FILE32: 2495 return (fetch_file_tok(tok, buf, len)); 2496 2497 case AUT_NEWGROUPS: 2498 return (fetch_newgroups_tok(tok, buf, len)); 2499 2500 case AUT_IN_ADDR: 2501 return (fetch_inaddr_tok(tok, buf, len)); 2502 2503 case AUT_IN_ADDR_EX: 2504 return (fetch_inaddr_ex_tok(tok, buf, len)); 2505 2506 case AUT_IP: 2507 return (fetch_ip_tok(tok, buf, len)); 2508 2509 case AUT_IPC: 2510 return (fetch_ipc_tok(tok, buf, len)); 2511 2512 case AUT_IPC_PERM: 2513 return (fetch_ipcperm_tok(tok, buf, len)); 2514 2515 case AUT_IPORT: 2516 return (fetch_iport_tok(tok, buf, len)); 2517 2518 case AUT_OPAQUE: 2519 return (fetch_opaque_tok(tok, buf, len)); 2520 2521 case AUT_PATH: 2522 return (fetch_path_tok(tok, buf, len)); 2523 2524 case AUT_PROCESS32: 2525 return (fetch_process32_tok(tok, buf, len)); 2526 2527 case AUT_PROCESS32_EX: 2528 return (fetch_process32ex_tok(tok, buf, len)); 2529 2530 case AUT_RETURN32: 2531 return (fetch_return32_tok(tok, buf, len)); 2532 2533 case AUT_RETURN64: 2534 return (fetch_return64_tok(tok, buf, len)); 2535 2536 case AUT_SEQ: 2537 return (fetch_seq_tok(tok, buf, len)); 2538 2539 case AUT_SOCKET: 2540 return (fetch_socket_tok(tok, buf, len)); 2541 2542 case AUT_SOCKINET32: 2543 return (fetch_sock_inet32_tok(tok, buf, len)); 2544 2545 case AUT_SOCKUNIX: 2546 return (fetch_sock_unix_tok(tok, buf, len)); 2547 2548 case AUT_SUBJECT32: 2549 return (fetch_subject32_tok(tok, buf, len)); 2550 2551 case AUT_SUBJECT64: 2552 return (fetch_subject64_tok(tok, buf, len)); 2553 2554 case AUT_SUBJECT32_EX: 2555 return (fetch_subject32ex_tok(tok, buf, len)); 2556 2557 case AUT_TEXT: 2558 return (fetch_text_tok(tok, buf, len)); 2559 2560 case AUT_SOCKET_EX: 2561 return (fetch_socketex32_tok(tok, buf, len)); 2562 2563 case AUT_DATA: 2564 return (fetch_arb_tok(tok, buf, len)); 2565 2566 default: 2567 return (fetch_invalid_tok(tok, buf, len)); 2568 } 2569} 2570 2571/* 2572 * 'prints' the token out to outfp 2573 */ 2574void 2575au_print_tok(FILE *outfp, tokenstr_t *tok, char *del, char raw, char sfrm) 2576{ 2577 2578 switch(tok->id) { 2579 case AUT_HEADER32: 2580 print_header32_tok(outfp, tok, del, raw, sfrm); 2581 return; 2582 2583 case AUT_HEADER32_EX: 2584 print_header32_ex_tok(outfp, tok, del, raw, sfrm); 2585 return; 2586 2587 case AUT_HEADER64: 2588 print_header64_tok(outfp, tok, del, raw, sfrm); 2589 return; 2590 2591 case AUT_HEADER64_EX: 2592 print_header64_ex_tok(outfp, tok, del, raw, sfrm); 2593 return; 2594 2595 case AUT_TRAILER: 2596 print_trailer_tok(outfp, tok, del, raw, sfrm); 2597 return; 2598 2599 case AUT_ARG32: 2600 print_arg32_tok(outfp, tok, del, raw, sfrm); 2601 return; 2602 2603 case AUT_ARG64: 2604 print_arg64_tok(outfp, tok, del, raw, sfrm); 2605 return; 2606 2607 case AUT_DATA: 2608 print_arb_tok(outfp, tok, del, raw, sfrm); 2609 return; 2610 2611 case AUT_ATTR32: 2612 print_attr32_tok(outfp, tok, del, raw, sfrm); 2613 return; 2614 2615 case AUT_ATTR64: 2616 print_attr64_tok(outfp, tok, del, raw, sfrm); 2617 return; 2618 2619 case AUT_EXIT: 2620 print_exit_tok(outfp, tok, del, raw, sfrm); 2621 return; 2622 2623 case AUT_EXEC_ARGS: 2624 print_execarg_tok(outfp, tok, del, raw, sfrm); 2625 return; 2626 2627 case AUT_EXEC_ENV: 2628 print_execenv_tok(outfp, tok, del, raw, sfrm); 2629 return; 2630 2631 case AUT_OTHER_FILE32: 2632 print_file_tok(outfp, tok, del, raw, sfrm); 2633 return; 2634 2635 case AUT_NEWGROUPS: 2636 print_newgroups_tok(outfp, tok, del, raw, sfrm); 2637 return; 2638 2639 case AUT_IN_ADDR: 2640 print_inaddr_tok(outfp, tok, del, raw, sfrm); 2641 return; 2642 2643 case AUT_IN_ADDR_EX: 2644 print_inaddr_ex_tok(outfp, tok, del, raw, sfrm); 2645 return; 2646 2647 case AUT_IP: 2648 print_ip_tok(outfp, tok, del, raw, sfrm); 2649 return; 2650 2651 case AUT_IPC: 2652 print_ipc_tok(outfp, tok, del, raw, sfrm); 2653 return; 2654 2655 case AUT_IPC_PERM: 2656 print_ipcperm_tok(outfp, tok, del, raw, sfrm); 2657 return; 2658 2659 case AUT_IPORT: 2660 print_iport_tok(outfp, tok, del, raw, sfrm); 2661 return; 2662 2663 case AUT_OPAQUE: 2664 print_opaque_tok(outfp, tok, del, raw, sfrm); 2665 return; 2666 2667 case AUT_PATH: 2668 print_path_tok(outfp, tok, del, raw, sfrm); 2669 return; 2670 2671 case AUT_PROCESS32: 2672 print_process32_tok(outfp, tok, del, raw, sfrm); 2673 return; 2674 2675 case AUT_PROCESS32_EX: 2676 print_process32ex_tok(outfp, tok, del, raw, sfrm); 2677 return; 2678 2679 case AUT_RETURN32: 2680 print_return32_tok(outfp, tok, del, raw, sfrm); 2681 return; 2682 2683 case AUT_RETURN64: 2684 print_return64_tok(outfp, tok, del, raw, sfrm); 2685 return; 2686 2687 case AUT_SEQ: 2688 print_seq_tok(outfp, tok, del, raw, sfrm); 2689 return; 2690 2691 case AUT_SOCKET: 2692 print_socket_tok(outfp, tok, del, raw, sfrm); 2693 return; 2694 2695 case AUT_SOCKINET32: 2696 print_sock_inet32_tok(outfp, tok, del, raw, sfrm); 2697 return; 2698 2699 case AUT_SOCKUNIX: 2700 print_sock_unix_tok(outfp, tok, del, raw, sfrm); 2701 return; 2702 2703 case AUT_SUBJECT32: 2704 print_subject32_tok(outfp, tok, del, raw, sfrm); 2705 return; 2706 2707 case AUT_SUBJECT64: 2708 print_subject64_tok(outfp, tok, del, raw, sfrm); 2709 return; 2710 2711 case AUT_SUBJECT32_EX: 2712 print_subject32ex_tok(outfp, tok, del, raw, sfrm); 2713 return; 2714 2715 case AUT_TEXT: 2716 print_text_tok(outfp, tok, del, raw, sfrm); 2717 return; 2718 2719 case AUT_SOCKET_EX: 2720 print_socketex32_tok(outfp, tok, del, raw, sfrm); 2721 return; 2722 2723 default: 2724 print_invalid_tok(outfp, tok, del, raw, sfrm); 2725 } 2726} 2727 2728/* 2729 * Read a record from the file pointer, store data in buf memory for buf is 2730 * also allocated in this function and has to be free'd outside this call. 2731 * 2732 * au_read_rec() handles two possibilities: a stand-alone file token, or a 2733 * complete audit record. 2734 * 2735 * XXXRW: Note that if we hit an error, we leave the stream in an unusable 2736 * state, because it will be partly offset into a record. We should rewind 2737 * or do something more intelligent. Particularly interesting is the case 2738 * where we perform a partial read of a record from a non-blockable file 2739 * descriptor. We should return the partial read and continue...? 2740 */ 2741int 2742au_read_rec(FILE *fp, u_char **buf) 2743{ 2744 u_char *bptr; 2745 u_int32_t recsize; 2746 u_int32_t bytestoread; 2747 u_char type; 2748 2749 u_int32_t sec, msec; 2750 u_int16_t filenamelen; 2751 2752 type = fgetc(fp); 2753 2754 switch (type) { 2755 case AUT_HEADER32: 2756 case AUT_HEADER32_EX: 2757 case AUT_HEADER64: 2758 case AUT_HEADER64_EX: 2759 /* read the record size from the token */ 2760 if (fread(&recsize, 1, sizeof(u_int32_t), fp) < 2761 sizeof(u_int32_t)) { 2762 errno = EINVAL; 2763 return (-1); 2764 } 2765 recsize = be32toh(recsize); 2766 2767 /* Check for recsize sanity */ 2768 if (recsize < (sizeof(u_int32_t) + sizeof(u_char))) { 2769 errno = EINVAL; 2770 return (-1); 2771 } 2772 2773 *buf = malloc(recsize * sizeof(u_char)); 2774 if (*buf == NULL) 2775 return (-1); 2776 bptr = *buf; 2777 memset(bptr, 0, recsize); 2778 2779 /* store the token contents already read, back to the buffer*/ 2780 *bptr = type; 2781 bptr++; 2782 be32enc(bptr, recsize); 2783 bptr += sizeof(u_int32_t); 2784 2785 /* now read remaining record bytes */ 2786 bytestoread = recsize - (sizeof(u_int32_t) + sizeof(u_char)); 2787 2788 if (fread(bptr, 1, bytestoread, fp) < bytestoread) { 2789 free(*buf); 2790 errno = EINVAL; 2791 return (-1); 2792 } 2793 break; 2794 2795 case AUT_OTHER_FILE32: 2796 /* 2797 * The file token is variable-length, as it includes a 2798 * pathname. As a result, we have to read incrementally 2799 * until we know the total length, then allocate space and 2800 * read the rest. 2801 */ 2802 if (fread(&sec, 1, sizeof(sec), fp) < sizeof(sec)) { 2803 errno = EINVAL; 2804 return (-1); 2805 } 2806 if (fread(&msec, 1, sizeof(msec), fp) < sizeof(msec)) { 2807 errno = EINVAL; 2808 return (-1); 2809 } 2810 if (fread(&filenamelen, 1, sizeof(filenamelen), fp) < 2811 sizeof(filenamelen)) { 2812 errno = EINVAL; 2813 return (-1); 2814 } 2815 recsize = sizeof(type) + sizeof(sec) + sizeof(msec) + 2816 sizeof(filenamelen) + ntohs(filenamelen); 2817 *buf = malloc(recsize); 2818 if (*buf == NULL) 2819 return (-1); 2820 bptr = *buf; 2821 2822 bcopy(&type, bptr, sizeof(type)); 2823 bptr += sizeof(type); 2824 bcopy(&sec, bptr, sizeof(sec)); 2825 bptr += sizeof(sec); 2826 bcopy(&msec, bptr, sizeof(msec)); 2827 bptr += sizeof(msec); 2828 bcopy(&filenamelen, bptr, sizeof(filenamelen)); 2829 bptr += sizeof(filenamelen); 2830 2831 if (fread(bptr, 1, ntohs(filenamelen), fp) < 2832 ntohs(filenamelen)) { 2833 free(buf); 2834 errno = EINVAL; 2835 return (-1); 2836 } 2837 break; 2838 2839 default: 2840 errno = EINVAL; 2841 return (-1); 2842 } 2843 2844 return (recsize); 2845} 2846