1/*- 2 * Copyright (c) 2004-2009 Apple Inc. 3 * Copyright (c) 2005 SPARTA, Inc. 4 * All rights reserved. 5 * 6 * This code was developed in part by Robert N. M. Watson, Senior Principal 7 * Scientist, SPARTA, Inc. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. Neither the name of Apple Inc. ("Apple") nor the names of 18 * its contributors may be used to endorse or promote products derived 19 * from this software without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR 25 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 29 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 30 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 31 * POSSIBILITY OF SUCH DAMAGE. 32 * 33 * P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_token.c#99 34 */ 35 36#include <sys/cdefs.h> 37__FBSDID("$FreeBSD$"); 38 39#include <sys/param.h> 40#include <sys/types.h> 41#include <sys/endian.h> 42#include <sys/queue.h> 43#include <sys/socket.h> 44#include <sys/time.h> 45 46#include <sys/ipc.h> 47#include <sys/libkern.h> 48#include <sys/malloc.h> 49#include <sys/un.h> 50 51#include <netinet/in.h> 52#include <netinet/in_systm.h> 53#include <netinet/ip.h> 54 55 56#include <bsm/audit.h> 57#include <bsm/audit_internal.h> 58#include <bsm/audit_record.h> 59#include <security/audit/audit.h> 60#include <security/audit/audit_private.h> 61 62#define GET_TOKEN_AREA(t, dptr, length) do { \ 63 t = malloc(sizeof(token_t), M_AUDITBSM, M_WAITOK); \ 64 t->t_data = malloc(length, M_AUDITBSM, M_WAITOK | M_ZERO); \ 65 t->len = length; \ 66 dptr = t->t_data; \ 67} while (0) 68 69/* 70 * token ID 1 byte 71 * success/failure 1 byte 72 * privstrlen 2 bytes 73 * privstr N bytes + 1 (\0 byte) 74 */ 75token_t * 76au_to_upriv(char sorf, char *priv) 77{ 78 u_int16_t textlen; 79 u_char *dptr; 80 token_t *t; 81 82 textlen = strlen(priv) + 1; 83 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_char) + 84 sizeof(u_int16_t) + textlen); 85 86 ADD_U_CHAR(dptr, AUT_UPRIV); 87 ADD_U_CHAR(dptr, sorf); 88 ADD_U_INT16(dptr, textlen); 89 ADD_STRING(dptr, priv, textlen); 90 return (t); 91} 92 93/* 94 * token ID 1 byte 95 * privtstrlen 2 bytes 96 * privtstr N bytes + 1 97 * privstrlen 2 bytes 98 * privstr N bytes + 1 99 */ 100token_t * 101au_to_privset(char *privtypestr, char *privstr) 102{ 103 u_int16_t type_len, priv_len; 104 u_char *dptr; 105 token_t *t; 106 107 type_len = strlen(privtypestr) + 1; 108 priv_len = strlen(privstr) + 1; 109 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + 110 sizeof(u_int16_t) + type_len + priv_len); 111 112 ADD_U_CHAR(dptr, AUT_PRIV); 113 ADD_U_INT16(dptr, type_len); 114 ADD_STRING(dptr, privtypestr, type_len); 115 ADD_U_INT16(dptr, priv_len); 116 ADD_STRING(dptr, privstr, priv_len); 117 return (t); 118} 119 120/* 121 * token ID 1 byte 122 * argument # 1 byte 123 * argument value 4 bytes/8 bytes (32-bit/64-bit value) 124 * text length 2 bytes 125 * text N bytes + 1 terminating NULL byte 126 */ 127token_t * 128au_to_arg32(char n, const char *text, u_int32_t v) 129{ 130 token_t *t; 131 u_char *dptr = NULL; 132 u_int16_t textlen; 133 134 textlen = strlen(text); 135 textlen += 1; 136 137 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int32_t) + 138 sizeof(u_int16_t) + textlen); 139 140 ADD_U_CHAR(dptr, AUT_ARG32); 141 ADD_U_CHAR(dptr, n); 142 ADD_U_INT32(dptr, v); 143 ADD_U_INT16(dptr, textlen); 144 ADD_STRING(dptr, text, textlen); 145 146 return (t); 147} 148 149token_t * 150au_to_arg64(char n, const char *text, u_int64_t v) 151{ 152 token_t *t; 153 u_char *dptr = NULL; 154 u_int16_t textlen; 155 156 textlen = strlen(text); 157 textlen += 1; 158 159 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int64_t) + 160 sizeof(u_int16_t) + textlen); 161 162 ADD_U_CHAR(dptr, AUT_ARG64); 163 ADD_U_CHAR(dptr, n); 164 ADD_U_INT64(dptr, v); 165 ADD_U_INT16(dptr, textlen); 166 ADD_STRING(dptr, text, textlen); 167 168 return (t); 169} 170 171token_t * 172au_to_arg(char n, const char *text, u_int32_t v) 173{ 174 175 return (au_to_arg32(n, text, v)); 176} 177 178#if defined(_KERNEL) || defined(KERNEL) 179/* 180 * token ID 1 byte 181 * file access mode 4 bytes 182 * owner user ID 4 bytes 183 * owner group ID 4 bytes 184 * file system ID 4 bytes 185 * node ID 8 bytes 186 * device 4 bytes/8 bytes (32-bit/64-bit) 187 */ 188token_t * 189au_to_attr32(struct vnode_au_info *vni) 190{ 191 token_t *t; 192 u_char *dptr = NULL; 193 u_int16_t pad0_16 = 0; 194 u_int32_t pad0_32 = 0; 195 196 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) + 197 3 * sizeof(u_int32_t) + sizeof(u_int64_t) + sizeof(u_int32_t)); 198 199 ADD_U_CHAR(dptr, AUT_ATTR32); 200 201 /* 202 * BSD defines the size for the file mode as 2 bytes; BSM defines 4 203 * so pad with 0. 204 * 205 * XXXRW: Possibly should be conditionally compiled. 206 * 207 * XXXRW: Should any conversions take place on the mode? 208 */ 209 ADD_U_INT16(dptr, pad0_16); 210 ADD_U_INT16(dptr, vni->vn_mode); 211 212 ADD_U_INT32(dptr, vni->vn_uid); 213 ADD_U_INT32(dptr, vni->vn_gid); 214 ADD_U_INT32(dptr, vni->vn_fsid); 215 216 /* 217 * Some systems use 32-bit file ID's, others use 64-bit file IDs. 218 * Attempt to handle both, and let the compiler sort it out. If we 219 * could pick this out at compile-time, it would be better, so as to 220 * avoid the else case below. 221 */ 222 if (sizeof(vni->vn_fileid) == sizeof(uint32_t)) { 223 ADD_U_INT32(dptr, pad0_32); 224 ADD_U_INT32(dptr, vni->vn_fileid); 225 } else if (sizeof(vni->vn_fileid) == sizeof(uint64_t)) 226 ADD_U_INT64(dptr, vni->vn_fileid); 227 else 228 ADD_U_INT64(dptr, 0LL); 229 230 ADD_U_INT32(dptr, vni->vn_dev); 231 232 return (t); 233} 234 235token_t * 236au_to_attr64(struct vnode_au_info *vni) 237{ 238 token_t *t; 239 u_char *dptr = NULL; 240 u_int16_t pad0_16 = 0; 241 u_int32_t pad0_32 = 0; 242 243 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) + 244 3 * sizeof(u_int32_t) + sizeof(u_int64_t) * 2); 245 246 ADD_U_CHAR(dptr, AUT_ATTR64); 247 248 /* 249 * BSD defines the size for the file mode as 2 bytes; BSM defines 4 250 * so pad with 0. 251 * 252 * XXXRW: Possibly should be conditionally compiled. 253 * 254 * XXXRW: Should any conversions take place on the mode? 255 */ 256 ADD_U_INT16(dptr, pad0_16); 257 ADD_U_INT16(dptr, vni->vn_mode); 258 259 ADD_U_INT32(dptr, vni->vn_uid); 260 ADD_U_INT32(dptr, vni->vn_gid); 261 ADD_U_INT32(dptr, vni->vn_fsid); 262 263 /* 264 * Some systems use 32-bit file ID's, other's use 64-bit file IDs. 265 * Attempt to handle both, and let the compiler sort it out. If we 266 * could pick this out at compile-time, it would be better, so as to 267 * avoid the else case below. 268 */ 269 if (sizeof(vni->vn_fileid) == sizeof(uint32_t)) { 270 ADD_U_INT32(dptr, pad0_32); 271 ADD_U_INT32(dptr, vni->vn_fileid); 272 } else if (sizeof(vni->vn_fileid) == sizeof(uint64_t)) 273 ADD_U_INT64(dptr, vni->vn_fileid); 274 else 275 ADD_U_INT64(dptr, 0LL); 276 277 ADD_U_INT64(dptr, vni->vn_dev); 278 279 return (t); 280} 281 282token_t * 283au_to_attr(struct vnode_au_info *vni) 284{ 285 286 return (au_to_attr32(vni)); 287} 288#endif /* !(defined(_KERNEL) || defined(KERNEL) */ 289 290/* 291 * token ID 1 byte 292 * how to print 1 byte 293 * basic unit 1 byte 294 * unit count 1 byte 295 * data items (depends on basic unit) 296 */ 297token_t * 298au_to_data(char unit_print, char unit_type, char unit_count, const char *p) 299{ 300 token_t *t; 301 u_char *dptr = NULL; 302 size_t datasize, totdata; 303 304 /* Determine the size of the basic unit. */ 305 switch (unit_type) { 306 case AUR_BYTE: 307 /* case AUR_CHAR: */ 308 datasize = AUR_BYTE_SIZE; 309 break; 310 311 case AUR_SHORT: 312 datasize = AUR_SHORT_SIZE; 313 break; 314 315 case AUR_INT32: 316 /* case AUR_INT: */ 317 datasize = AUR_INT32_SIZE; 318 break; 319 320 case AUR_INT64: 321 datasize = AUR_INT64_SIZE; 322 break; 323 324 default: 325 return (NULL); 326 } 327 328 totdata = datasize * unit_count; 329 330 GET_TOKEN_AREA(t, dptr, 4 * sizeof(u_char) + totdata); 331 332 /* 333 * XXXRW: We should be byte-swapping each data item for multi-byte 334 * types. 335 */ 336 ADD_U_CHAR(dptr, AUT_DATA); 337 ADD_U_CHAR(dptr, unit_print); 338 ADD_U_CHAR(dptr, unit_type); 339 ADD_U_CHAR(dptr, unit_count); 340 ADD_MEM(dptr, p, totdata); 341 342 return (t); 343} 344 345 346/* 347 * token ID 1 byte 348 * status 4 bytes 349 * return value 4 bytes 350 */ 351token_t * 352au_to_exit(int retval, int err) 353{ 354 token_t *t; 355 u_char *dptr = NULL; 356 357 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int32_t)); 358 359 ADD_U_CHAR(dptr, AUT_EXIT); 360 ADD_U_INT32(dptr, err); 361 ADD_U_INT32(dptr, retval); 362 363 return (t); 364} 365 366/* 367 */ 368token_t * 369au_to_groups(int *groups) 370{ 371 372 return (au_to_newgroups(AUDIT_MAX_GROUPS, (gid_t *)groups)); 373} 374 375/* 376 * token ID 1 byte 377 * number groups 2 bytes 378 * group list count * 4 bytes 379 */ 380token_t * 381au_to_newgroups(u_int16_t n, gid_t *groups) 382{ 383 token_t *t; 384 u_char *dptr = NULL; 385 int i; 386 387 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + 388 n * sizeof(u_int32_t)); 389 390 ADD_U_CHAR(dptr, AUT_NEWGROUPS); 391 ADD_U_INT16(dptr, n); 392 for (i = 0; i < n; i++) 393 ADD_U_INT32(dptr, groups[i]); 394 395 return (t); 396} 397 398/* 399 * token ID 1 byte 400 * internet address 4 bytes 401 */ 402token_t * 403au_to_in_addr(struct in_addr *internet_addr) 404{ 405 token_t *t; 406 u_char *dptr = NULL; 407 408 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(uint32_t)); 409 410 ADD_U_CHAR(dptr, AUT_IN_ADDR); 411 ADD_MEM(dptr, &internet_addr->s_addr, sizeof(uint32_t)); 412 413 return (t); 414} 415 416/* 417 * token ID 1 byte 418 * address type/length 4 bytes 419 * address 16 bytes 420 */ 421token_t * 422au_to_in_addr_ex(struct in6_addr *internet_addr) 423{ 424 token_t *t; 425 u_char *dptr = NULL; 426 u_int32_t type = AU_IPv6; 427 428 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 5 * sizeof(uint32_t)); 429 430 ADD_U_CHAR(dptr, AUT_IN_ADDR_EX); 431 ADD_U_INT32(dptr, type); 432 ADD_MEM(dptr, internet_addr, 4 * sizeof(uint32_t)); 433 434 return (t); 435} 436 437/* 438 * token ID 1 byte 439 * ip header 20 bytes 440 * 441 * The IP header should be submitted in network byte order. 442 */ 443token_t * 444au_to_ip(struct ip *ip) 445{ 446 token_t *t; 447 u_char *dptr = NULL; 448 449 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(struct ip)); 450 451 ADD_U_CHAR(dptr, AUT_IP); 452 ADD_MEM(dptr, ip, sizeof(struct ip)); 453 454 return (t); 455} 456 457/* 458 * token ID 1 byte 459 * object ID type 1 byte 460 * object ID 4 bytes 461 */ 462token_t * 463au_to_ipc(char type, int id) 464{ 465 token_t *t; 466 u_char *dptr = NULL; 467 468 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int32_t)); 469 470 ADD_U_CHAR(dptr, AUT_IPC); 471 ADD_U_CHAR(dptr, type); 472 ADD_U_INT32(dptr, id); 473 474 return (t); 475} 476 477/* 478 * token ID 1 byte 479 * owner user ID 4 bytes 480 * owner group ID 4 bytes 481 * creator user ID 4 bytes 482 * creator group ID 4 bytes 483 * access mode 4 bytes 484 * slot sequence # 4 bytes 485 * key 4 bytes 486 */ 487token_t * 488au_to_ipc_perm(struct ipc_perm *perm) 489{ 490 token_t *t; 491 u_char *dptr = NULL; 492 u_int16_t pad0 = 0; 493 494 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 12 * sizeof(u_int16_t) + 495 sizeof(u_int32_t)); 496 497 ADD_U_CHAR(dptr, AUT_IPC_PERM); 498 499 /* 500 * Systems vary significantly in what types they use in struct 501 * ipc_perm; at least a few still use 16-bit uid's and gid's, so 502 * allow for that, as BSM define 32-bit values here. 503 * Some systems define the sizes for ipc_perm members as 2 bytes; 504 * BSM defines 4 so pad with 0. 505 * 506 * XXXRW: Possibly shoulid be conditionally compiled, and more cases 507 * need to be handled. 508 */ 509 if (sizeof(perm->uid) != sizeof(u_int32_t)) { 510 ADD_U_INT16(dptr, pad0); 511 ADD_U_INT16(dptr, perm->uid); 512 ADD_U_INT16(dptr, pad0); 513 ADD_U_INT16(dptr, perm->gid); 514 ADD_U_INT16(dptr, pad0); 515 ADD_U_INT16(dptr, perm->cuid); 516 ADD_U_INT16(dptr, pad0); 517 ADD_U_INT16(dptr, perm->cgid); 518 } else { 519 ADD_U_INT32(dptr, perm->uid); 520 ADD_U_INT32(dptr, perm->gid); 521 ADD_U_INT32(dptr, perm->cuid); 522 ADD_U_INT32(dptr, perm->cgid); 523 } 524 525 ADD_U_INT16(dptr, pad0); 526 ADD_U_INT16(dptr, perm->mode); 527 528 ADD_U_INT16(dptr, pad0); 529 530 ADD_U_INT16(dptr, perm->seq); 531 532 ADD_U_INT32(dptr, perm->key); 533 534 return (t); 535} 536 537/* 538 * token ID 1 byte 539 * port IP address 2 bytes 540 */ 541token_t * 542au_to_iport(u_int16_t iport) 543{ 544 token_t *t; 545 u_char *dptr = NULL; 546 547 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t)); 548 549 ADD_U_CHAR(dptr, AUT_IPORT); 550 ADD_U_INT16(dptr, iport); 551 552 return (t); 553} 554 555/* 556 * token ID 1 byte 557 * size 2 bytes 558 * data size bytes 559 */ 560token_t * 561au_to_opaque(const char *data, u_int16_t bytes) 562{ 563 token_t *t; 564 u_char *dptr = NULL; 565 566 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + bytes); 567 568 ADD_U_CHAR(dptr, AUT_OPAQUE); 569 ADD_U_INT16(dptr, bytes); 570 ADD_MEM(dptr, data, bytes); 571 572 return (t); 573} 574 575/* 576 * token ID 1 byte 577 * seconds of time 4 bytes 578 * milliseconds of time 4 bytes 579 * file name len 2 bytes 580 * file pathname N bytes + 1 terminating NULL byte 581 */ 582token_t * 583au_to_file(const char *file, struct timeval tm) 584{ 585 token_t *t; 586 u_char *dptr = NULL; 587 u_int16_t filelen; 588 u_int32_t timems; 589 590 filelen = strlen(file); 591 filelen += 1; 592 593 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int32_t) + 594 sizeof(u_int16_t) + filelen); 595 596 timems = tm.tv_usec/1000; 597 598 ADD_U_CHAR(dptr, AUT_OTHER_FILE32); 599 ADD_U_INT32(dptr, tm.tv_sec); 600 ADD_U_INT32(dptr, timems); /* We need time in ms. */ 601 ADD_U_INT16(dptr, filelen); 602 ADD_STRING(dptr, file, filelen); 603 604 return (t); 605} 606 607/* 608 * token ID 1 byte 609 * text length 2 bytes 610 * text N bytes + 1 terminating NULL byte 611 */ 612token_t * 613au_to_text(const char *text) 614{ 615 token_t *t; 616 u_char *dptr = NULL; 617 u_int16_t textlen; 618 619 textlen = strlen(text); 620 textlen += 1; 621 622 /* XXXRW: Should validate length against token size limit. */ 623 624 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + textlen); 625 626 ADD_U_CHAR(dptr, AUT_TEXT); 627 ADD_U_INT16(dptr, textlen); 628 ADD_STRING(dptr, text, textlen); 629 630 return (t); 631} 632 633/* 634 * token ID 1 byte 635 * path length 2 bytes 636 * path N bytes + 1 terminating NULL byte 637 */ 638token_t * 639au_to_path(const char *text) 640{ 641 token_t *t; 642 u_char *dptr = NULL; 643 u_int16_t textlen; 644 645 textlen = strlen(text); 646 textlen += 1; 647 648 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + textlen); 649 650 ADD_U_CHAR(dptr, AUT_PATH); 651 ADD_U_INT16(dptr, textlen); 652 ADD_STRING(dptr, text, textlen); 653 654 return (t); 655} 656 657/* 658 * token ID 1 byte 659 * audit ID 4 bytes 660 * effective user ID 4 bytes 661 * effective group ID 4 bytes 662 * real user ID 4 bytes 663 * real group ID 4 bytes 664 * process ID 4 bytes 665 * session ID 4 bytes 666 * terminal ID 667 * port ID 4 bytes/8 bytes (32-bit/64-bit value) 668 * machine address 4 bytes 669 */ 670token_t * 671au_to_process32(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, 672 pid_t pid, au_asid_t sid, au_tid_t *tid) 673{ 674 token_t *t; 675 u_char *dptr = NULL; 676 677 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 9 * sizeof(u_int32_t)); 678 679 ADD_U_CHAR(dptr, AUT_PROCESS32); 680 ADD_U_INT32(dptr, auid); 681 ADD_U_INT32(dptr, euid); 682 ADD_U_INT32(dptr, egid); 683 ADD_U_INT32(dptr, ruid); 684 ADD_U_INT32(dptr, rgid); 685 ADD_U_INT32(dptr, pid); 686 ADD_U_INT32(dptr, sid); 687 ADD_U_INT32(dptr, tid->port); 688 689 /* 690 * Note: Solaris will write out IPv6 addresses here as a 32-bit 691 * address type and 16 bytes of address, but for IPv4 addresses it 692 * simply writes the 4-byte address directly. We support only IPv4 693 * addresses for process32 tokens. 694 */ 695 ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t)); 696 697 return (t); 698} 699 700token_t * 701au_to_process64(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, 702 pid_t pid, au_asid_t sid, au_tid_t *tid) 703{ 704 token_t *t; 705 u_char *dptr = NULL; 706 707 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 8 * sizeof(u_int32_t) + 708 sizeof(u_int64_t)); 709 710 ADD_U_CHAR(dptr, AUT_PROCESS64); 711 ADD_U_INT32(dptr, auid); 712 ADD_U_INT32(dptr, euid); 713 ADD_U_INT32(dptr, egid); 714 ADD_U_INT32(dptr, ruid); 715 ADD_U_INT32(dptr, rgid); 716 ADD_U_INT32(dptr, pid); 717 ADD_U_INT32(dptr, sid); 718 ADD_U_INT64(dptr, tid->port); 719 720 /* 721 * Note: Solaris will write out IPv6 addresses here as a 32-bit 722 * address type and 16 bytes of address, but for IPv4 addresses it 723 * simply writes the 4-byte address directly. We support only IPv4 724 * addresses for process64 tokens. 725 */ 726 ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t)); 727 728 return (t); 729} 730 731token_t * 732au_to_process(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, 733 pid_t pid, au_asid_t sid, au_tid_t *tid) 734{ 735 736 return (au_to_process32(auid, euid, egid, ruid, rgid, pid, sid, 737 tid)); 738} 739 740/* 741 * token ID 1 byte 742 * audit ID 4 bytes 743 * effective user ID 4 bytes 744 * effective group ID 4 bytes 745 * real user ID 4 bytes 746 * real group ID 4 bytes 747 * process ID 4 bytes 748 * session ID 4 bytes 749 * terminal ID 750 * port ID 4 bytes/8 bytes (32-bit/64-bit value) 751 * address type-len 4 bytes 752 * machine address 16 bytes 753 */ 754token_t * 755au_to_process32_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, 756 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid) 757{ 758 token_t *t; 759 u_char *dptr = NULL; 760 761 KASSERT((tid->at_type == AU_IPv4) || (tid->at_type == AU_IPv6), 762 ("au_to_process32_ex: type %u", (unsigned int)tid->at_type)); 763 if (tid->at_type == AU_IPv4) 764 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 765 10 * sizeof(u_int32_t)); 766 else 767 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 768 13 * sizeof(u_int32_t)); 769 770 ADD_U_CHAR(dptr, AUT_PROCESS32_EX); 771 ADD_U_INT32(dptr, auid); 772 ADD_U_INT32(dptr, euid); 773 ADD_U_INT32(dptr, egid); 774 ADD_U_INT32(dptr, ruid); 775 ADD_U_INT32(dptr, rgid); 776 ADD_U_INT32(dptr, pid); 777 ADD_U_INT32(dptr, sid); 778 ADD_U_INT32(dptr, tid->at_port); 779 ADD_U_INT32(dptr, tid->at_type); 780 ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t)); 781 if (tid->at_type == AU_IPv6) { 782 ADD_MEM(dptr, &tid->at_addr[1], sizeof(u_int32_t)); 783 ADD_MEM(dptr, &tid->at_addr[2], sizeof(u_int32_t)); 784 ADD_MEM(dptr, &tid->at_addr[3], sizeof(u_int32_t)); 785 } 786 787 return (t); 788} 789 790token_t * 791au_to_process64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, 792 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid) 793{ 794 token_t *t; 795 u_char *dptr = NULL; 796 797 if (tid->at_type == AU_IPv4) 798 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 799 7 * sizeof(u_int32_t) + sizeof(u_int64_t) + 800 2 * sizeof(u_int32_t)); 801 else if (tid->at_type == AU_IPv6) 802 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 803 7 * sizeof(u_int32_t) + sizeof(u_int64_t) + 804 5 * sizeof(u_int32_t)); 805 else 806 panic("au_to_process64_ex: invalidate at_type (%d)", 807 tid->at_type); 808 809 ADD_U_CHAR(dptr, AUT_PROCESS64_EX); 810 ADD_U_INT32(dptr, auid); 811 ADD_U_INT32(dptr, euid); 812 ADD_U_INT32(dptr, egid); 813 ADD_U_INT32(dptr, ruid); 814 ADD_U_INT32(dptr, rgid); 815 ADD_U_INT32(dptr, pid); 816 ADD_U_INT32(dptr, sid); 817 ADD_U_INT64(dptr, tid->at_port); 818 ADD_U_INT32(dptr, tid->at_type); 819 ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t)); 820 if (tid->at_type == AU_IPv6) { 821 ADD_MEM(dptr, &tid->at_addr[1], sizeof(u_int32_t)); 822 ADD_MEM(dptr, &tid->at_addr[2], sizeof(u_int32_t)); 823 ADD_MEM(dptr, &tid->at_addr[3], sizeof(u_int32_t)); 824 } 825 826 return (t); 827} 828 829token_t * 830au_to_process_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, 831 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid) 832{ 833 834 return (au_to_process32_ex(auid, euid, egid, ruid, rgid, pid, sid, 835 tid)); 836} 837 838token_t * 839au_to_rights(cap_rights_t *rightsp) 840{ 841 token_t *t; 842 u_char *dptr; 843 int i; 844 845 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(*rightsp)); 846 847 ADD_U_CHAR(dptr, AUT_RIGHTS); 848 for (i = 0; i < nitems(rightsp->cr_rights); i++) 849 ADD_U_INT64(dptr, rightsp->cr_rights[i]); 850 851 return (t); 852} 853 854/* 855 * token ID 1 byte 856 * error status 1 byte 857 * return value 4 bytes/8 bytes (32-bit/64-bit value) 858 */ 859token_t * 860au_to_return32(char status, u_int32_t ret) 861{ 862 token_t *t; 863 u_char *dptr = NULL; 864 865 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int32_t)); 866 867 ADD_U_CHAR(dptr, AUT_RETURN32); 868 ADD_U_CHAR(dptr, status); 869 ADD_U_INT32(dptr, ret); 870 871 return (t); 872} 873 874token_t * 875au_to_return64(char status, u_int64_t ret) 876{ 877 token_t *t; 878 u_char *dptr = NULL; 879 880 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int64_t)); 881 882 ADD_U_CHAR(dptr, AUT_RETURN64); 883 ADD_U_CHAR(dptr, status); 884 ADD_U_INT64(dptr, ret); 885 886 return (t); 887} 888 889token_t * 890au_to_return(char status, u_int32_t ret) 891{ 892 893 return (au_to_return32(status, ret)); 894} 895 896/* 897 * token ID 1 byte 898 * sequence number 4 bytes 899 */ 900token_t * 901au_to_seq(long audit_count) 902{ 903 token_t *t; 904 u_char *dptr = NULL; 905 906 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t)); 907 908 ADD_U_CHAR(dptr, AUT_SEQ); 909 ADD_U_INT32(dptr, audit_count); 910 911 return (t); 912} 913 914/* 915 * token ID 1 byte 916 * socket domain 2 bytes 917 * socket type 2 bytes 918 * address type 2 byte 919 * local port 2 bytes 920 * local address 4 bytes/16 bytes (IPv4/IPv6 address) 921 * remote port 2 bytes 922 * remote address 4 bytes/16 bytes (IPv4/IPv6 address) 923 * 924 * Domain and type arguments to this routine are assumed to already have been 925 * converted to the BSM constant space, so we don't do that here. 926 */ 927token_t * 928au_to_socket_ex(u_short so_domain, u_short so_type, 929 struct sockaddr *sa_local, struct sockaddr *sa_remote) 930{ 931 token_t *t; 932 u_char *dptr = NULL; 933 struct sockaddr_in *sin; 934 struct sockaddr_in6 *sin6; 935 936 if (so_domain == AF_INET) 937 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 938 5 * sizeof(u_int16_t) + 2 * sizeof(u_int32_t)); 939 else if (so_domain == AF_INET6) 940 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 941 5 * sizeof(u_int16_t) + 8 * sizeof(u_int32_t)); 942 else 943 return (NULL); 944 945 ADD_U_CHAR(dptr, AUT_SOCKET_EX); 946 ADD_U_INT16(dptr, au_domain_to_bsm(so_domain)); 947 ADD_U_INT16(dptr, au_socket_type_to_bsm(so_type)); 948 if (so_domain == AF_INET) { 949 ADD_U_INT16(dptr, AU_IPv4); 950 sin = (struct sockaddr_in *)sa_local; 951 ADD_MEM(dptr, &sin->sin_port, sizeof(uint16_t)); 952 ADD_MEM(dptr, &sin->sin_addr.s_addr, sizeof(uint32_t)); 953 sin = (struct sockaddr_in *)sa_remote; 954 ADD_MEM(dptr, &sin->sin_port, sizeof(uint16_t)); 955 ADD_MEM(dptr, &sin->sin_addr.s_addr, sizeof(uint32_t)); 956 } else { 957 ADD_U_INT16(dptr, AU_IPv6); 958 sin6 = (struct sockaddr_in6 *)sa_local; 959 ADD_MEM(dptr, &sin6->sin6_port, sizeof(uint16_t)); 960 ADD_MEM(dptr, &sin6->sin6_addr, 4 * sizeof(uint32_t)); 961 sin6 = (struct sockaddr_in6 *)sa_remote; 962 ADD_MEM(dptr, &sin6->sin6_port, sizeof(uint16_t)); 963 ADD_MEM(dptr, &sin6->sin6_addr, 4 * sizeof(uint32_t)); 964 } 965 966 return (t); 967} 968 969/* 970 * Kernel-specific version of the above function. 971 * 972 * XXXRW: Should now use au_to_socket_ex() here. 973 */ 974#ifdef _KERNEL 975token_t * 976kau_to_socket(struct socket_au_info *soi) 977{ 978 token_t *t; 979 u_char *dptr; 980 u_int16_t so_type; 981 982 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) + 983 sizeof(u_int32_t) + sizeof(u_int16_t) + sizeof(u_int32_t)); 984 985 ADD_U_CHAR(dptr, AUT_SOCKET); 986 /* Coerce the socket type into a short value */ 987 so_type = soi->so_type; 988 ADD_U_INT16(dptr, so_type); 989 ADD_U_INT16(dptr, soi->so_lport); 990 ADD_U_INT32(dptr, soi->so_laddr); 991 ADD_U_INT16(dptr, soi->so_rport); 992 ADD_U_INT32(dptr, soi->so_raddr); 993 994 return (t); 995} 996#endif 997 998/* 999 * token ID 1 byte 1000 * socket family 2 bytes 1001 * path (up to) 104 bytes + NULL (NULL terminated string) 1002 */ 1003token_t * 1004au_to_sock_unix(struct sockaddr_un *so) 1005{ 1006 token_t *t; 1007 u_char *dptr; 1008 1009 GET_TOKEN_AREA(t, dptr, 3 * sizeof(u_char) + strlen(so->sun_path) + 1); 1010 1011 ADD_U_CHAR(dptr, AUT_SOCKUNIX); 1012 /* BSM token has two bytes for family */ 1013 ADD_U_CHAR(dptr, 0); 1014 ADD_U_CHAR(dptr, so->sun_family); 1015 ADD_STRING(dptr, so->sun_path, strlen(so->sun_path) + 1); 1016 1017 return (t); 1018} 1019 1020/* 1021 * token ID 1 byte 1022 * socket family 2 bytes 1023 * local port 2 bytes 1024 * socket address 4 bytes 1025 */ 1026token_t * 1027au_to_sock_inet32(struct sockaddr_in *so) 1028{ 1029 token_t *t; 1030 u_char *dptr = NULL; 1031 uint16_t family; 1032 1033 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(uint16_t) + 1034 sizeof(uint32_t)); 1035 1036 ADD_U_CHAR(dptr, AUT_SOCKINET32); 1037 /* 1038 * BSM defines the family field as 16 bits, but many operating 1039 * systems have an 8-bit sin_family field. Extend to 16 bits before 1040 * writing into the token. Assume that both the port and the address 1041 * in the sockaddr_in are already in network byte order, but family 1042 * is in local byte order. 1043 * 1044 * XXXRW: Should a name space conversion be taking place on the value 1045 * of sin_family? 1046 */ 1047 family = so->sin_family; 1048 ADD_U_INT16(dptr, family); 1049 ADD_MEM(dptr, &so->sin_port, sizeof(uint16_t)); 1050 ADD_MEM(dptr, &so->sin_addr.s_addr, sizeof(uint32_t)); 1051 1052 return (t); 1053} 1054 1055token_t * 1056au_to_sock_inet128(struct sockaddr_in6 *so) 1057{ 1058 token_t *t; 1059 u_char *dptr = NULL; 1060 1061 GET_TOKEN_AREA(t, dptr, 3 * sizeof(u_char) + sizeof(u_int16_t) + 1062 4 * sizeof(u_int32_t)); 1063 1064 ADD_U_CHAR(dptr, AUT_SOCKINET128); 1065 /* 1066 * In BSD, sin6_family is one octet, but BSM defines the token to 1067 * store two. So we copy in a 0 first. XXXRW: Possibly should be 1068 * conditionally compiled. 1069 */ 1070 ADD_U_CHAR(dptr, 0); 1071 ADD_U_CHAR(dptr, so->sin6_family); 1072 1073 ADD_U_INT16(dptr, so->sin6_port); 1074 ADD_MEM(dptr, &so->sin6_addr, 4 * sizeof(uint32_t)); 1075 1076 return (t); 1077} 1078 1079token_t * 1080au_to_sock_inet(struct sockaddr_in *so) 1081{ 1082 1083 return (au_to_sock_inet32(so)); 1084} 1085 1086/* 1087 * token ID 1 byte 1088 * audit ID 4 bytes 1089 * effective user ID 4 bytes 1090 * effective group ID 4 bytes 1091 * real user ID 4 bytes 1092 * real group ID 4 bytes 1093 * process ID 4 bytes 1094 * session ID 4 bytes 1095 * terminal ID 1096 * port ID 4 bytes/8 bytes (32-bit/64-bit value) 1097 * machine address 4 bytes 1098 */ 1099token_t * 1100au_to_subject32(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, 1101 pid_t pid, au_asid_t sid, au_tid_t *tid) 1102{ 1103 token_t *t; 1104 u_char *dptr = NULL; 1105 1106 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 9 * sizeof(u_int32_t)); 1107 1108 ADD_U_CHAR(dptr, AUT_SUBJECT32); 1109 ADD_U_INT32(dptr, auid); 1110 ADD_U_INT32(dptr, euid); 1111 ADD_U_INT32(dptr, egid); 1112 ADD_U_INT32(dptr, ruid); 1113 ADD_U_INT32(dptr, rgid); 1114 ADD_U_INT32(dptr, pid); 1115 ADD_U_INT32(dptr, sid); 1116 ADD_U_INT32(dptr, tid->port); 1117 ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t)); 1118 1119 return (t); 1120} 1121 1122token_t * 1123au_to_subject64(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, 1124 pid_t pid, au_asid_t sid, au_tid_t *tid) 1125{ 1126 token_t *t; 1127 u_char *dptr = NULL; 1128 1129 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 7 * sizeof(u_int32_t) + 1130 sizeof(u_int64_t) + sizeof(u_int32_t)); 1131 1132 ADD_U_CHAR(dptr, AUT_SUBJECT64); 1133 ADD_U_INT32(dptr, auid); 1134 ADD_U_INT32(dptr, euid); 1135 ADD_U_INT32(dptr, egid); 1136 ADD_U_INT32(dptr, ruid); 1137 ADD_U_INT32(dptr, rgid); 1138 ADD_U_INT32(dptr, pid); 1139 ADD_U_INT32(dptr, sid); 1140 ADD_U_INT64(dptr, tid->port); 1141 ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t)); 1142 1143 return (t); 1144} 1145 1146token_t * 1147au_to_subject(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, 1148 pid_t pid, au_asid_t sid, au_tid_t *tid) 1149{ 1150 1151 return (au_to_subject32(auid, euid, egid, ruid, rgid, pid, sid, 1152 tid)); 1153} 1154 1155/* 1156 * token ID 1 byte 1157 * audit ID 4 bytes 1158 * effective user ID 4 bytes 1159 * effective group ID 4 bytes 1160 * real user ID 4 bytes 1161 * real group ID 4 bytes 1162 * process ID 4 bytes 1163 * session ID 4 bytes 1164 * terminal ID 1165 * port ID 4 bytes/8 bytes (32-bit/64-bit value) 1166 * address type/length 4 bytes 1167 * machine address 16 bytes 1168 */ 1169token_t * 1170au_to_subject32_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, 1171 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid) 1172{ 1173 token_t *t; 1174 u_char *dptr = NULL; 1175 1176 KASSERT((tid->at_type == AU_IPv4) || (tid->at_type == AU_IPv6), 1177 ("au_to_subject32_ex: type %u", (unsigned int)tid->at_type)); 1178 1179 if (tid->at_type == AU_IPv4) 1180 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 10 * 1181 sizeof(u_int32_t)); 1182 else 1183 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 13 * 1184 sizeof(u_int32_t)); 1185 1186 ADD_U_CHAR(dptr, AUT_SUBJECT32_EX); 1187 ADD_U_INT32(dptr, auid); 1188 ADD_U_INT32(dptr, euid); 1189 ADD_U_INT32(dptr, egid); 1190 ADD_U_INT32(dptr, ruid); 1191 ADD_U_INT32(dptr, rgid); 1192 ADD_U_INT32(dptr, pid); 1193 ADD_U_INT32(dptr, sid); 1194 ADD_U_INT32(dptr, tid->at_port); 1195 ADD_U_INT32(dptr, tid->at_type); 1196 if (tid->at_type == AU_IPv6) 1197 ADD_MEM(dptr, &tid->at_addr[0], 4 * sizeof(u_int32_t)); 1198 else 1199 ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t)); 1200 1201 return (t); 1202} 1203 1204token_t * 1205au_to_subject64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, 1206 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid) 1207{ 1208 token_t *t; 1209 u_char *dptr = NULL; 1210 1211 KASSERT((tid->at_type == AU_IPv4) || (tid->at_type == AU_IPv6), 1212 ("au_to_subject64_ex: type %u", (unsigned int)tid->at_type)); 1213 1214 if (tid->at_type == AU_IPv4) 1215 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 1216 7 * sizeof(u_int32_t) + sizeof(u_int64_t) + 1217 2 * sizeof(u_int32_t)); 1218 else 1219 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 1220 7 * sizeof(u_int32_t) + sizeof(u_int64_t) + 1221 5 * sizeof(u_int32_t)); 1222 1223 ADD_U_CHAR(dptr, AUT_SUBJECT64_EX); 1224 ADD_U_INT32(dptr, auid); 1225 ADD_U_INT32(dptr, euid); 1226 ADD_U_INT32(dptr, egid); 1227 ADD_U_INT32(dptr, ruid); 1228 ADD_U_INT32(dptr, rgid); 1229 ADD_U_INT32(dptr, pid); 1230 ADD_U_INT32(dptr, sid); 1231 ADD_U_INT64(dptr, tid->at_port); 1232 ADD_U_INT32(dptr, tid->at_type); 1233 if (tid->at_type == AU_IPv6) 1234 ADD_MEM(dptr, &tid->at_addr[0], 4 * sizeof(u_int32_t)); 1235 else 1236 ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t)); 1237 1238 return (t); 1239} 1240 1241token_t * 1242au_to_subject_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, 1243 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid) 1244{ 1245 1246 return (au_to_subject32_ex(auid, euid, egid, ruid, rgid, pid, sid, 1247 tid)); 1248} 1249 1250#if !defined(_KERNEL) && !defined(KERNEL) && defined(HAVE_AUDIT_SYSCALLS) 1251/* 1252 * Collects audit information for the current process and creates a subject 1253 * token from it. 1254 */ 1255token_t * 1256au_to_me(void) 1257{ 1258 auditinfo_t auinfo; 1259 auditinfo_addr_t aia; 1260 1261 /* 1262 * Try to use getaudit_addr(2) first. If this kernel does not support 1263 * it, then fall back on to getaudit(2). 1264 */ 1265 if (getaudit_addr(&aia, sizeof(aia)) != 0) { 1266 if (errno == ENOSYS) { 1267 if (getaudit(&auinfo) != 0) 1268 return (NULL); 1269 return (au_to_subject32(auinfo.ai_auid, geteuid(), 1270 getegid(), getuid(), getgid(), getpid(), 1271 auinfo.ai_asid, &auinfo.ai_termid)); 1272 } else { 1273 /* getaudit_addr(2) failed for some other reason. */ 1274 return (NULL); 1275 } 1276 } 1277 1278 return (au_to_subject32_ex(aia.ai_auid, geteuid(), getegid(), getuid(), 1279 getgid(), getpid(), aia.ai_asid, &aia.ai_termid)); 1280} 1281#endif 1282 1283#if defined(_KERNEL) || defined(KERNEL) 1284static token_t * 1285au_to_exec_strings(char *strs, int count, u_char type) 1286{ 1287 token_t *t; 1288 u_char *dptr = NULL; 1289 u_int32_t totlen; 1290 int ctr; 1291 char *p; 1292 1293 totlen = 0; 1294 ctr = count; 1295 p = strs; 1296 while (ctr-- > 0) { 1297 totlen += strlen(p) + 1; 1298 p = strs + totlen; 1299 } 1300 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + totlen); 1301 ADD_U_CHAR(dptr, type); 1302 ADD_U_INT32(dptr, count); 1303 ADD_STRING(dptr, strs, totlen); 1304 1305 return (t); 1306} 1307 1308/* 1309 * token ID 1 byte 1310 * count 4 bytes 1311 * text count null-terminated strings 1312 */ 1313token_t * 1314au_to_exec_args(char *args, int argc) 1315{ 1316 1317 return (au_to_exec_strings(args, argc, AUT_EXEC_ARGS)); 1318} 1319 1320/* 1321 * token ID 1 byte 1322 * count 4 bytes 1323 * text count null-terminated strings 1324 */ 1325token_t * 1326au_to_exec_env(char *envs, int envc) 1327{ 1328 1329 return (au_to_exec_strings(envs, envc, AUT_EXEC_ENV)); 1330} 1331#else 1332/* 1333 * token ID 1 byte 1334 * count 4 bytes 1335 * text count null-terminated strings 1336 */ 1337token_t * 1338au_to_exec_args(char **argv) 1339{ 1340 token_t *t; 1341 u_char *dptr = NULL; 1342 const char *nextarg; 1343 int i, count = 0; 1344 size_t totlen = 0; 1345 1346 nextarg = *argv; 1347 1348 while (nextarg != NULL) { 1349 int nextlen; 1350 1351 nextlen = strlen(nextarg); 1352 totlen += nextlen + 1; 1353 count++; 1354 nextarg = *(argv + count); 1355 } 1356 1357 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + totlen); 1358 1359 ADD_U_CHAR(dptr, AUT_EXEC_ARGS); 1360 ADD_U_INT32(dptr, count); 1361 1362 for (i = 0; i < count; i++) { 1363 nextarg = *(argv + i); 1364 ADD_MEM(dptr, nextarg, strlen(nextarg) + 1); 1365 } 1366 1367 return (t); 1368} 1369 1370/* 1371 * token ID 1 byte 1372 * count 4 bytes 1373 * text count null-terminated strings 1374 */ 1375token_t * 1376au_to_exec_env(char **envp) 1377{ 1378 token_t *t; 1379 u_char *dptr = NULL; 1380 int i, count = 0; 1381 size_t totlen = 0; 1382 const char *nextenv; 1383 1384 nextenv = *envp; 1385 1386 while (nextenv != NULL) { 1387 int nextlen; 1388 1389 nextlen = strlen(nextenv); 1390 totlen += nextlen + 1; 1391 count++; 1392 nextenv = *(envp + count); 1393 } 1394 1395 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + totlen); 1396 1397 ADD_U_CHAR(dptr, AUT_EXEC_ENV); 1398 ADD_U_INT32(dptr, count); 1399 1400 for (i = 0; i < count; i++) { 1401 nextenv = *(envp + i); 1402 ADD_MEM(dptr, nextenv, strlen(nextenv) + 1); 1403 } 1404 1405 return (t); 1406} 1407#endif 1408 1409/* 1410 * token ID 1 byte 1411 * zonename length 2 bytes 1412 * zonename N bytes + 1 terminating NULL byte 1413 */ 1414token_t * 1415au_to_zonename(const char *zonename) 1416{ 1417 u_char *dptr = NULL; 1418 u_int16_t textlen; 1419 token_t *t; 1420 1421 textlen = strlen(zonename) + 1; 1422 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + textlen); 1423 1424 ADD_U_CHAR(dptr, AUT_ZONENAME); 1425 ADD_U_INT16(dptr, textlen); 1426 ADD_STRING(dptr, zonename, textlen); 1427 return (t); 1428} 1429 1430/* 1431 * token ID 1 byte 1432 * record byte count 4 bytes 1433 * version # 1 byte [2] 1434 * event type 2 bytes 1435 * event modifier 2 bytes 1436 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value) 1437 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value) 1438 */ 1439token_t * 1440au_to_header32_tm(int rec_size, au_event_t e_type, au_emod_t e_mod, 1441 struct timeval tm) 1442{ 1443 token_t *t; 1444 u_char *dptr = NULL; 1445 u_int32_t timems; 1446 1447 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + 1448 sizeof(u_char) + 2 * sizeof(u_int16_t) + 2 * sizeof(u_int32_t)); 1449 1450 ADD_U_CHAR(dptr, AUT_HEADER32); 1451 ADD_U_INT32(dptr, rec_size); 1452 ADD_U_CHAR(dptr, AUDIT_HEADER_VERSION_OPENBSM); 1453 ADD_U_INT16(dptr, e_type); 1454 ADD_U_INT16(dptr, e_mod); 1455 1456 timems = tm.tv_usec/1000; 1457 /* Add the timestamp */ 1458 ADD_U_INT32(dptr, tm.tv_sec); 1459 ADD_U_INT32(dptr, timems); /* We need time in ms. */ 1460 1461 return (t); 1462} 1463 1464/* 1465 * token ID 1 byte 1466 * record byte count 4 bytes 1467 * version # 1 byte [2] 1468 * event type 2 bytes 1469 * event modifier 2 bytes 1470 * address type/length 4 bytes 1471 * machine address 4 bytes/16 bytes (IPv4/IPv6 address) 1472 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value) 1473 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value) 1474 */ 1475token_t * 1476au_to_header32_ex_tm(int rec_size, au_event_t e_type, au_emod_t e_mod, 1477 struct timeval tm, struct auditinfo_addr *aia) 1478{ 1479 token_t *t; 1480 u_char *dptr = NULL; 1481 u_int32_t timems; 1482 au_tid_addr_t *tid; 1483 1484 tid = &aia->ai_termid; 1485 KASSERT(tid->at_type == AU_IPv4 || tid->at_type == AU_IPv6, 1486 ("au_to_header32_ex_tm: invalid address family")); 1487 1488 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + 1489 sizeof(u_char) + 2 * sizeof(u_int16_t) + 3 * 1490 sizeof(u_int32_t) + tid->at_type); 1491 1492 ADD_U_CHAR(dptr, AUT_HEADER32_EX); 1493 ADD_U_INT32(dptr, rec_size); 1494 ADD_U_CHAR(dptr, AUDIT_HEADER_VERSION_OPENBSM); 1495 ADD_U_INT16(dptr, e_type); 1496 ADD_U_INT16(dptr, e_mod); 1497 1498 ADD_U_INT32(dptr, tid->at_type); 1499 if (tid->at_type == AU_IPv6) 1500 ADD_MEM(dptr, &tid->at_addr[0], 4 * sizeof(u_int32_t)); 1501 else 1502 ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t)); 1503 timems = tm.tv_usec/1000; 1504 /* Add the timestamp */ 1505 ADD_U_INT32(dptr, tm.tv_sec); 1506 ADD_U_INT32(dptr, timems); /* We need time in ms. */ 1507 1508 return (t); 1509} 1510 1511token_t * 1512au_to_header64_tm(int rec_size, au_event_t e_type, au_emod_t e_mod, 1513 struct timeval tm) 1514{ 1515 token_t *t; 1516 u_char *dptr = NULL; 1517 u_int32_t timems; 1518 1519 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + 1520 sizeof(u_char) + 2 * sizeof(u_int16_t) + 2 * sizeof(u_int64_t)); 1521 1522 ADD_U_CHAR(dptr, AUT_HEADER64); 1523 ADD_U_INT32(dptr, rec_size); 1524 ADD_U_CHAR(dptr, AUDIT_HEADER_VERSION_OPENBSM); 1525 ADD_U_INT16(dptr, e_type); 1526 ADD_U_INT16(dptr, e_mod); 1527 1528 timems = tm.tv_usec/1000; 1529 /* Add the timestamp */ 1530 ADD_U_INT64(dptr, tm.tv_sec); 1531 ADD_U_INT64(dptr, timems); /* We need time in ms. */ 1532 1533 return (t); 1534} 1535 1536#if !defined(KERNEL) && !defined(_KERNEL) 1537#ifdef HAVE_AUDIT_SYSCALLS 1538token_t * 1539au_to_header32_ex(int rec_size, au_event_t e_type, au_emod_t e_mod) 1540{ 1541 struct timeval tm; 1542 struct auditinfo_addr aia; 1543 1544 if (gettimeofday(&tm, NULL) == -1) 1545 return (NULL); 1546 if (audit_get_kaudit(&aia, sizeof(aia)) != 0) { 1547 if (errno != ENOSYS) 1548 return (NULL); 1549 return (au_to_header32_tm(rec_size, e_type, e_mod, tm)); 1550 } 1551 return (au_to_header32_ex_tm(rec_size, e_type, e_mod, tm, &aia)); 1552} 1553#endif /* HAVE_AUDIT_SYSCALLS */ 1554 1555token_t * 1556au_to_header32(int rec_size, au_event_t e_type, au_emod_t e_mod) 1557{ 1558 struct timeval tm; 1559 1560 if (gettimeofday(&tm, NULL) == -1) 1561 return (NULL); 1562 return (au_to_header32_tm(rec_size, e_type, e_mod, tm)); 1563} 1564 1565token_t * 1566au_to_header64(__unused int rec_size, __unused au_event_t e_type, 1567 __unused au_emod_t e_mod) 1568{ 1569 struct timeval tm; 1570 1571 if (gettimeofday(&tm, NULL) == -1) 1572 return (NULL); 1573 return (au_to_header64_tm(rec_size, e_type, e_mod, tm)); 1574} 1575 1576token_t * 1577au_to_header(int rec_size, au_event_t e_type, au_emod_t e_mod) 1578{ 1579 1580 return (au_to_header32(rec_size, e_type, e_mod)); 1581} 1582 1583#ifdef HAVE_AUDIT_SYSCALLS 1584token_t * 1585au_to_header_ex(int rec_size, au_event_t e_type, au_emod_t e_mod) 1586{ 1587 1588 return (au_to_header32_ex(rec_size, e_type, e_mod)); 1589} 1590#endif /* HAVE_AUDIT_SYSCALLS */ 1591#endif /* !defined(KERNEL) && !defined(_KERNEL) */ 1592 1593/* 1594 * token ID 1 byte 1595 * trailer magic number 2 bytes 1596 * record byte count 4 bytes 1597 */ 1598token_t * 1599au_to_trailer(int rec_size) 1600{ 1601 token_t *t; 1602 u_char *dptr = NULL; 1603 u_int16_t magic = AUT_TRAILER_MAGIC; 1604 1605 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + 1606 sizeof(u_int32_t)); 1607 1608 ADD_U_CHAR(dptr, AUT_TRAILER); 1609 ADD_U_INT16(dptr, magic); 1610 ADD_U_INT32(dptr, rec_size); 1611 1612 return (t); 1613} 1614