bsm_token.c revision 168783
140682Snsouch/* 240682Snsouch * Copyright (c) 2004 Apple Computer, Inc. 340682Snsouch * Copyright (c) 2005 SPARTA, Inc. 440682Snsouch * All rights reserved. 540682Snsouch * 640682Snsouch * This code was developed in part by Robert N. M. Watson, Senior Principal 740682Snsouch * Scientist, SPARTA, Inc. 840682Snsouch * 940682Snsouch * Redistribution and use in source and binary forms, with or without 1040682Snsouch * modification, are permitted provided that the following conditions 1140682Snsouch * are met: 1240682Snsouch * 1. Redistributions of source code must retain the above copyright 1340682Snsouch * notice, this list of conditions and the following disclaimer. 1440682Snsouch * 2. Redistributions in binary form must reproduce the above copyright 1540682Snsouch * notice, this list of conditions and the following disclaimer in the 1640682Snsouch * documentation and/or other materials provided with the distribution. 1740682Snsouch * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of 1840682Snsouch * its contributors may be used to endorse or promote products derived 1940682Snsouch * from this software without specific prior written permission. 2040682Snsouch * 2140682Snsouch * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND 2240682Snsouch * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 2340682Snsouch * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 2440682Snsouch * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR 2550476Speter * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 2640682Snsouch * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27270243Sloos * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 2840682Snsouch * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 2979538Sru * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 3040682Snsouch * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 3140682Snsouch * POSSIBILITY OF SUCH DAMAGE. 3275670Sru * 3340682Snsouch * $P4: //depot/projects/trustedbsd/audit3/sys/security/audit/audit_bsm_token.c#23 $ 3456460Sasmodai * $FreeBSD: head/sys/security/audit/audit_bsm_token.c 168783 2007-04-16 16:20:45Z rwatson $ 3556460Sasmodai */ 3640682Snsouch 3756460Sasmodai#include <sys/types.h> 3856460Sasmodai#include <sys/endian.h> 3956460Sasmodai#include <sys/queue.h> 4040682Snsouch#include <sys/socket.h> 4140682Snsouch#include <sys/time.h> 4240682Snsouch 4340682Snsouch#include <sys/ipc.h> 4440682Snsouch#include <sys/libkern.h> 4540682Snsouch#include <sys/malloc.h> 4640682Snsouch#include <sys/un.h> 4757676Ssheldonh 4857676Ssheldonh#include <netinet/in.h> 4957676Ssheldonh#include <netinet/in_systm.h> 50141851Sru#include <netinet/ip.h> 5140682Snsouch 5240682Snsouch 5340682Snsouch#include <bsm/audit.h> 5457676Ssheldonh#include <bsm/audit_internal.h> 5557676Ssheldonh#include <bsm/audit_record.h> 5640682Snsouch#include <security/audit/audit.h> 5770466Sru#include <security/audit/audit_private.h> 5840682Snsouch 5957676Ssheldonh#define GET_TOKEN_AREA(t, dptr, length) do { \ 6057676Ssheldonh t = malloc(sizeof(token_t), M_AUDITBSM, M_WAITOK); \ 6168881Sben t->t_data = malloc(length, M_AUDITBSM, M_WAITOK | M_ZERO); \ 6240682Snsouch t->len = length; \ 6357676Ssheldonh dptr = t->t_data; \ 6457676Ssheldonh} while (0) 6568881Sben 6670466Sru/* 6757676Ssheldonh * token ID 1 byte 6857676Ssheldonh * argument # 1 byte 6940682Snsouch * argument value 4 bytes/8 bytes (32-bit/64-bit value) 7057676Ssheldonh * text length 2 bytes 7157676Ssheldonh * text N bytes + 1 terminating NULL byte 7257676Ssheldonh */ 7357676Ssheldonhtoken_t * 7440682Snsouchau_to_arg32(char n, char *text, u_int32_t v) 7540682Snsouch{ 7640682Snsouch token_t *t; 7740682Snsouch u_char *dptr = NULL; 7840682Snsouch u_int16_t textlen; 7940682Snsouch 8040682Snsouch textlen = strlen(text); 8140682Snsouch textlen += 1; 8240682Snsouch 8340682Snsouch GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int32_t) + 8440682Snsouch sizeof(u_int16_t) + textlen); 8540682Snsouch 8657676Ssheldonh ADD_U_CHAR(dptr, AUT_ARG32); 8757676Ssheldonh ADD_U_CHAR(dptr, n); 8840682Snsouch ADD_U_INT32(dptr, v); 8957676Ssheldonh ADD_U_INT16(dptr, textlen); 9057676Ssheldonh ADD_STRING(dptr, text, textlen); 9140682Snsouch 9270466Sru return (t); 9340682Snsouch 9468881Sben} 9540682Snsouch 9670466Srutoken_t * 9740682Snsouchau_to_arg64(char n, char *text, u_int64_t v) 9840682Snsouch{ 9940682Snsouch token_t *t; 10040682Snsouch u_char *dptr = NULL; 10140682Snsouch u_int16_t textlen; 10240682Snsouch 10340682Snsouch textlen = strlen(text); 10440682Snsouch textlen += 1; 10540682Snsouch 10640682Snsouch GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int64_t) + 107270243Sloos sizeof(u_int16_t) + textlen); 10840682Snsouch 10949831Smpp ADD_U_CHAR(dptr, AUT_ARG64); 11049831Smpp ADD_U_CHAR(dptr, n); 11140682Snsouch ADD_U_INT64(dptr, v); 11240682Snsouch ADD_U_INT16(dptr, textlen); 11340682Snsouch ADD_STRING(dptr, text, textlen); 11440682Snsouch 11540682Snsouch return (t); 11649831Smpp 11740682Snsouch} 11840682Snsouch 11940682Snsouchtoken_t * 120au_to_arg(char n, char *text, u_int32_t v) 121{ 122 123 return (au_to_arg32(n, text, v)); 124} 125 126#if defined(_KERNEL) || defined(KERNEL) 127/* 128 * token ID 1 byte 129 * file access mode 4 bytes 130 * owner user ID 4 bytes 131 * owner group ID 4 bytes 132 * file system ID 4 bytes 133 * node ID 8 bytes 134 * device 4 bytes/8 bytes (32-bit/64-bit) 135 */ 136token_t * 137au_to_attr32(struct vnode_au_info *vni) 138{ 139 token_t *t; 140 u_char *dptr = NULL; 141 u_int16_t pad0_16 = 0; 142 u_int16_t pad0_32 = 0; 143 144 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) + 145 3 * sizeof(u_int32_t) + sizeof(u_int64_t) + sizeof(u_int32_t)); 146 147 ADD_U_CHAR(dptr, AUT_ATTR32); 148 149 /* 150 * Darwin defines the size for the file mode 151 * as 2 bytes; BSM defines 4 so pad with 0 152 */ 153 ADD_U_INT16(dptr, pad0_16); 154 ADD_U_INT16(dptr, vni->vn_mode); 155 156 ADD_U_INT32(dptr, vni->vn_uid); 157 ADD_U_INT32(dptr, vni->vn_gid); 158 ADD_U_INT32(dptr, vni->vn_fsid); 159 160 /* 161 * Some systems use 32-bit file ID's, other's use 64-bit file IDs. 162 * Attempt to handle both, and let the compiler sort it out. If we 163 * could pick this out at compile-time, it would be better, so as to 164 * avoid the else case below. 165 */ 166 if (sizeof(vni->vn_fileid) == sizeof(uint32_t)) { 167 ADD_U_INT32(dptr, pad0_32); 168 ADD_U_INT32(dptr, vni->vn_fileid); 169 } else if (sizeof(vni->vn_fileid) == sizeof(uint64_t)) 170 ADD_U_INT64(dptr, vni->vn_fileid); 171 else 172 ADD_U_INT64(dptr, 0LL); 173 174 ADD_U_INT32(dptr, vni->vn_dev); 175 176 return (t); 177} 178 179token_t * 180au_to_attr64(struct vnode_au_info *vni) 181{ 182 token_t *t; 183 u_char *dptr = NULL; 184 u_int16_t pad0_16 = 0; 185 u_int16_t pad0_32 = 0; 186 187 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) + 188 3 * sizeof(u_int32_t) + sizeof(u_int64_t) * 2); 189 190 ADD_U_CHAR(dptr, AUT_ATTR64); 191 192 /* 193 * Darwin defines the size for the file mode 194 * as 2 bytes; BSM defines 4 so pad with 0 195 */ 196 ADD_U_INT16(dptr, pad0_16); 197 ADD_U_INT16(dptr, vni->vn_mode); 198 199 ADD_U_INT32(dptr, vni->vn_uid); 200 ADD_U_INT32(dptr, vni->vn_gid); 201 ADD_U_INT32(dptr, vni->vn_fsid); 202 203 /* 204 * Some systems use 32-bit file ID's, other's use 64-bit file IDs. 205 * Attempt to handle both, and let the compiler sort it out. If we 206 * could pick this out at compile-time, it would be better, so as to 207 * avoid the else case below. 208 */ 209 if (sizeof(vni->vn_fileid) == sizeof(uint32_t)) { 210 ADD_U_INT32(dptr, pad0_32); 211 ADD_U_INT32(dptr, vni->vn_fileid); 212 } else if (sizeof(vni->vn_fileid) == sizeof(uint64_t)) 213 ADD_U_INT64(dptr, vni->vn_fileid); 214 else 215 ADD_U_INT64(dptr, 0LL); 216 217 ADD_U_INT64(dptr, vni->vn_dev); 218 219 return (t); 220} 221 222token_t * 223au_to_attr(struct vnode_au_info *vni) 224{ 225 226 return (au_to_attr32(vni)); 227} 228#endif /* !(defined(_KERNEL) || defined(KERNEL) */ 229 230/* 231 * token ID 1 byte 232 * how to print 1 byte 233 * basic unit 1 byte 234 * unit count 1 byte 235 * data items (depends on basic unit) 236 */ 237token_t * 238au_to_data(char unit_print, char unit_type, char unit_count, char *p) 239{ 240 token_t *t; 241 u_char *dptr = NULL; 242 size_t datasize, totdata; 243 244 /* Determine the size of the basic unit. */ 245 switch (unit_type) { 246 case AUR_BYTE: 247 /* case AUR_CHAR: */ 248 datasize = AUR_BYTE_SIZE; 249 break; 250 251 case AUR_SHORT: 252 datasize = AUR_SHORT_SIZE; 253 break; 254 255 case AUR_INT32: 256 /* case AUR_INT: */ 257 datasize = AUR_INT32_SIZE; 258 break; 259 260 case AUR_INT64: 261 datasize = AUR_INT64_SIZE; 262 break; 263 264 default: 265 return (NULL); 266 } 267 268 totdata = datasize * unit_count; 269 270 GET_TOKEN_AREA(t, dptr, 4 * sizeof(u_char) + totdata); 271 272 ADD_U_CHAR(dptr, AUT_DATA); 273 ADD_U_CHAR(dptr, unit_print); 274 ADD_U_CHAR(dptr, unit_type); 275 ADD_U_CHAR(dptr, unit_count); 276 ADD_MEM(dptr, p, totdata); 277 278 return (t); 279} 280 281 282/* 283 * token ID 1 byte 284 * status 4 bytes 285 * return value 4 bytes 286 */ 287token_t * 288au_to_exit(int retval, int err) 289{ 290 token_t *t; 291 u_char *dptr = NULL; 292 293 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int32_t)); 294 295 ADD_U_CHAR(dptr, AUT_EXIT); 296 ADD_U_INT32(dptr, err); 297 ADD_U_INT32(dptr, retval); 298 299 return (t); 300} 301 302/* 303 */ 304token_t * 305au_to_groups(int *groups) 306{ 307 308 return (au_to_newgroups(AUDIT_MAX_GROUPS, (gid_t*)groups)); 309} 310 311/* 312 * token ID 1 byte 313 * number groups 2 bytes 314 * group list count * 4 bytes 315 */ 316token_t * 317au_to_newgroups(u_int16_t n, gid_t *groups) 318{ 319 token_t *t; 320 u_char *dptr = NULL; 321 int i; 322 323 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + 324 n * sizeof(u_int32_t)); 325 326 ADD_U_CHAR(dptr, AUT_NEWGROUPS); 327 ADD_U_INT16(dptr, n); 328 for (i = 0; i < n; i++) 329 ADD_U_INT32(dptr, groups[i]); 330 331 return (t); 332} 333 334/* 335 * token ID 1 byte 336 * internet address 4 bytes 337 */ 338token_t * 339au_to_in_addr(struct in_addr *internet_addr) 340{ 341 token_t *t; 342 u_char *dptr = NULL; 343 344 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(uint32_t)); 345 346 ADD_U_CHAR(dptr, AUT_IN_ADDR); 347 ADD_MEM(dptr, &internet_addr->s_addr, sizeof(uint32_t)); 348 349 return (t); 350} 351 352/* 353 * token ID 1 byte 354 * address type/length 4 bytes 355 * Address 16 bytes 356 */ 357token_t * 358au_to_in_addr_ex(struct in6_addr *internet_addr) 359{ 360 token_t *t; 361 u_char *dptr = NULL; 362 u_int32_t type = AF_INET6; 363 364 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 5 * sizeof(uint32_t)); 365 366 ADD_U_CHAR(dptr, AUT_IN_ADDR_EX); 367 ADD_U_INT32(dptr, type); 368 ADD_MEM(dptr, internet_addr, 5 * sizeof(uint32_t)); 369 370 return (t); 371} 372 373/* 374 * token ID 1 byte 375 * ip header 20 bytes 376 * 377 * The IP header should be submitted in network byte order. 378 */ 379token_t * 380au_to_ip(struct ip *ip) 381{ 382 token_t *t; 383 u_char *dptr = NULL; 384 385 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(struct ip)); 386 387 ADD_U_CHAR(dptr, AUT_IP); 388 ADD_MEM(dptr, ip, sizeof(struct ip)); 389 390 return (t); 391} 392 393/* 394 * token ID 1 byte 395 * object ID type 1 byte 396 * object ID 4 bytes 397 */ 398token_t * 399au_to_ipc(char type, int id) 400{ 401 token_t *t; 402 u_char *dptr = NULL; 403 404 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int32_t)); 405 406 ADD_U_CHAR(dptr, AUT_IPC); 407 ADD_U_CHAR(dptr, type); 408 ADD_U_INT32(dptr, id); 409 410 return (t); 411} 412 413/* 414 * token ID 1 byte 415 * owner user ID 4 bytes 416 * owner group ID 4 bytes 417 * creator user ID 4 bytes 418 * creator group ID 4 bytes 419 * access mode 4 bytes 420 * slot sequence # 4 bytes 421 * key 4 bytes 422 */ 423token_t * 424au_to_ipc_perm(struct ipc_perm *perm) 425{ 426 token_t *t; 427 u_char *dptr = NULL; 428 u_int16_t pad0 = 0; 429 430 GET_TOKEN_AREA(t, dptr, 12 * sizeof(u_int16_t) + sizeof(u_int32_t)); 431 432 ADD_U_CHAR(dptr, AUT_IPC_PERM); 433 434 /* 435 * Darwin defines the sizes for ipc_perm members 436 * as 2 bytes; BSM defines 4 so pad with 0 437 */ 438 ADD_U_INT16(dptr, pad0); 439 ADD_U_INT16(dptr, perm->uid); 440 441 ADD_U_INT16(dptr, pad0); 442 ADD_U_INT16(dptr, perm->gid); 443 444 ADD_U_INT16(dptr, pad0); 445 ADD_U_INT16(dptr, perm->cuid); 446 447 ADD_U_INT16(dptr, pad0); 448 ADD_U_INT16(dptr, perm->cgid); 449 450 ADD_U_INT16(dptr, pad0); 451 ADD_U_INT16(dptr, perm->mode); 452 453 ADD_U_INT16(dptr, pad0); 454 ADD_U_INT16(dptr, perm->seq); 455 456 ADD_U_INT32(dptr, perm->key); 457 458 return (t); 459} 460 461/* 462 * token ID 1 byte 463 * port IP address 2 bytes 464 */ 465token_t * 466au_to_iport(u_int16_t iport) 467{ 468 token_t *t; 469 u_char *dptr = NULL; 470 471 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t)); 472 473 ADD_U_CHAR(dptr, AUT_IPORT); 474 ADD_U_INT16(dptr, iport); 475 476 return (t); 477} 478 479/* 480 * token ID 1 byte 481 * size 2 bytes 482 * data size bytes 483 */ 484token_t * 485au_to_opaque(char *data, u_int16_t bytes) 486{ 487 token_t *t; 488 u_char *dptr = NULL; 489 490 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + bytes); 491 492 ADD_U_CHAR(dptr, AUT_OPAQUE); 493 ADD_U_INT16(dptr, bytes); 494 ADD_MEM(dptr, data, bytes); 495 496 return (t); 497} 498 499/* 500 * token ID 1 byte 501 * seconds of time 4 bytes 502 * milliseconds of time 4 bytes 503 * file name len 2 bytes 504 * file pathname N bytes + 1 terminating NULL byte 505 */ 506token_t * 507au_to_file(char *file, struct timeval tm) 508{ 509 token_t *t; 510 u_char *dptr = NULL; 511 u_int16_t filelen; 512 u_int32_t timems; 513 514 filelen = strlen(file); 515 filelen += 1; 516 517 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int32_t) + 518 sizeof(u_int16_t) + filelen); 519 520 timems = tm.tv_usec/1000; 521 522 ADD_U_CHAR(dptr, AUT_OTHER_FILE32); 523 ADD_U_INT32(dptr, tm.tv_sec); 524 ADD_U_INT32(dptr, timems); /* We need time in ms. */ 525 ADD_U_INT16(dptr, filelen); 526 ADD_STRING(dptr, file, filelen); 527 528 return (t); 529} 530 531/* 532 * token ID 1 byte 533 * text length 2 bytes 534 * text N bytes + 1 terminating NULL byte 535 */ 536token_t * 537au_to_text(char *text) 538{ 539 token_t *t; 540 u_char *dptr = NULL; 541 u_int16_t textlen; 542 543 textlen = strlen(text); 544 textlen += 1; 545 546 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + textlen); 547 548 ADD_U_CHAR(dptr, AUT_TEXT); 549 ADD_U_INT16(dptr, textlen); 550 ADD_STRING(dptr, text, textlen); 551 552 return (t); 553} 554 555/* 556 * token ID 1 byte 557 * path length 2 bytes 558 * path N bytes + 1 terminating NULL byte 559 */ 560token_t * 561au_to_path(char *text) 562{ 563 token_t *t; 564 u_char *dptr = NULL; 565 u_int16_t textlen; 566 567 textlen = strlen(text); 568 textlen += 1; 569 570 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + textlen); 571 572 ADD_U_CHAR(dptr, AUT_PATH); 573 ADD_U_INT16(dptr, textlen); 574 ADD_STRING(dptr, text, textlen); 575 576 return (t); 577} 578 579/* 580 * token ID 1 byte 581 * audit ID 4 bytes 582 * effective user ID 4 bytes 583 * effective group ID 4 bytes 584 * real user ID 4 bytes 585 * real group ID 4 bytes 586 * process ID 4 bytes 587 * session ID 4 bytes 588 * terminal ID 589 * port ID 4 bytes/8 bytes (32-bit/64-bit value) 590 * machine address 4 bytes 591 */ 592token_t * 593au_to_process32(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, 594 pid_t pid, au_asid_t sid, au_tid_t *tid) 595{ 596 token_t *t; 597 u_char *dptr = NULL; 598 599 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 9 * sizeof(u_int32_t)); 600 601 ADD_U_CHAR(dptr, AUT_PROCESS32); 602 ADD_U_INT32(dptr, auid); 603 ADD_U_INT32(dptr, euid); 604 ADD_U_INT32(dptr, egid); 605 ADD_U_INT32(dptr, ruid); 606 ADD_U_INT32(dptr, rgid); 607 ADD_U_INT32(dptr, pid); 608 ADD_U_INT32(dptr, sid); 609 ADD_U_INT32(dptr, tid->port); 610 ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t)); 611 612 return (t); 613} 614 615token_t * 616au_to_process64(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, 617 pid_t pid, au_asid_t sid, au_tid_t *tid) 618{ 619 token_t *t; 620 u_char *dptr = NULL; 621 622 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 8 * sizeof(u_int32_t) + 623 sizeof(u_int64_t)); 624 625 ADD_U_CHAR(dptr, AUT_PROCESS64); 626 ADD_U_INT32(dptr, auid); 627 ADD_U_INT32(dptr, euid); 628 ADD_U_INT32(dptr, egid); 629 ADD_U_INT32(dptr, ruid); 630 ADD_U_INT32(dptr, rgid); 631 ADD_U_INT32(dptr, pid); 632 ADD_U_INT32(dptr, sid); 633 ADD_U_INT64(dptr, tid->port); 634 ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t)); 635 636 return (t); 637} 638 639token_t * 640au_to_process(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, 641 pid_t pid, au_asid_t sid, au_tid_t *tid) 642{ 643 644 return (au_to_process32(auid, euid, egid, ruid, rgid, pid, sid, 645 tid)); 646} 647 648/* 649 * token ID 1 byte 650 * audit ID 4 bytes 651 * effective user ID 4 bytes 652 * effective group ID 4 bytes 653 * real user ID 4 bytes 654 * real group ID 4 bytes 655 * process ID 4 bytes 656 * session ID 4 bytes 657 * terminal ID 658 * port ID 4 bytes/8 bytes (32-bit/64-bit value) 659 * address type-len 4 bytes 660 * machine address 4/16 bytes 661 */ 662token_t * 663au_to_process32_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, 664 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid) 665{ 666 token_t *t; 667 u_char *dptr = NULL; 668 669 KASSERT((tid->at_type == AU_IPv4) || (tid->at_type == AU_IPv6), 670 ("au_to_process32_ex: type %u", (unsigned int)tid->at_type)); 671 if (tid->at_type == AU_IPv6) 672 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 13 * 673 sizeof(u_int32_t)); 674 else 675 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 10 * 676 sizeof(u_int32_t)); 677 678 ADD_U_CHAR(dptr, AUT_PROCESS32_EX); 679 ADD_U_INT32(dptr, auid); 680 ADD_U_INT32(dptr, euid); 681 ADD_U_INT32(dptr, egid); 682 ADD_U_INT32(dptr, ruid); 683 ADD_U_INT32(dptr, rgid); 684 ADD_U_INT32(dptr, pid); 685 ADD_U_INT32(dptr, sid); 686 ADD_U_INT32(dptr, tid->at_port); 687 ADD_U_INT32(dptr, tid->at_type); 688 if (tid->at_type == AU_IPv6) 689 ADD_MEM(dptr, &tid->at_addr[0], 4 * sizeof(u_int32_t)); 690 else 691 ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t)); 692 return (t); 693} 694 695token_t * 696au_to_process64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, 697 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid) 698{ 699 token_t *t; 700 u_char *dptr = NULL; 701 702 if (tid->at_type == AU_IPv4) 703 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 704 7 * sizeof(u_int32_t) + sizeof(u_int64_t) + 705 2 * sizeof(u_int32_t)); 706 else if (tid->at_type == AU_IPv6) 707 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 708 7 * sizeof(u_int32_t) + sizeof(u_int64_t) + 709 5 * sizeof(u_int32_t)); 710 else 711 panic("au_to_process64_ex: invalidate at_type (%d)", 712 tid->at_type); 713 714 ADD_U_CHAR(dptr, AUT_PROCESS64_EX); 715 ADD_U_INT32(dptr, auid); 716 ADD_U_INT32(dptr, euid); 717 ADD_U_INT32(dptr, egid); 718 ADD_U_INT32(dptr, ruid); 719 ADD_U_INT32(dptr, rgid); 720 ADD_U_INT32(dptr, pid); 721 ADD_U_INT32(dptr, sid); 722 ADD_U_INT64(dptr, tid->at_port); 723 ADD_U_INT32(dptr, tid->at_type); 724 ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t)); 725 if (tid->at_type == AU_IPv6) { 726 ADD_MEM(dptr, &tid->at_addr[1], sizeof(u_int32_t)); 727 ADD_MEM(dptr, &tid->at_addr[2], sizeof(u_int32_t)); 728 ADD_MEM(dptr, &tid->at_addr[3], sizeof(u_int32_t)); 729 } 730 731 return (t); 732} 733 734token_t * 735au_to_process_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, 736 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid) 737{ 738 739 return (au_to_process32_ex(auid, euid, egid, ruid, rgid, pid, sid, 740 tid)); 741} 742 743/* 744 * token ID 1 byte 745 * error status 1 byte 746 * return value 4 bytes/8 bytes (32-bit/64-bit value) 747 */ 748token_t * 749au_to_return32(char status, u_int32_t ret) 750{ 751 token_t *t; 752 u_char *dptr = NULL; 753 754 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int32_t)); 755 756 ADD_U_CHAR(dptr, AUT_RETURN32); 757 ADD_U_CHAR(dptr, status); 758 ADD_U_INT32(dptr, ret); 759 760 return (t); 761} 762 763token_t * 764au_to_return64(char status, u_int64_t ret) 765{ 766 token_t *t; 767 u_char *dptr = NULL; 768 769 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int64_t)); 770 771 ADD_U_CHAR(dptr, AUT_RETURN64); 772 ADD_U_CHAR(dptr, status); 773 ADD_U_INT64(dptr, ret); 774 775 return (t); 776} 777 778token_t * 779au_to_return(char status, u_int32_t ret) 780{ 781 782 return (au_to_return32(status, ret)); 783} 784 785/* 786 * token ID 1 byte 787 * sequence number 4 bytes 788 */ 789token_t * 790au_to_seq(long audit_count) 791{ 792 token_t *t; 793 u_char *dptr = NULL; 794 795 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t)); 796 797 ADD_U_CHAR(dptr, AUT_SEQ); 798 ADD_U_INT32(dptr, audit_count); 799 800 return (t); 801} 802 803/* 804 * token ID 1 byte 805 * socket type 2 bytes 806 * local port 2 bytes 807 * local Internet address 4 bytes 808 * remote port 2 bytes 809 * remote Internet address 4 bytes 810 */ 811token_t * 812au_to_socket(struct socket *so) 813{ 814 815 /* XXXRW ... */ 816 return (NULL); 817} 818 819/* 820 * Kernel-specific version of the above function. 821 */ 822#ifdef _KERNEL 823token_t * 824kau_to_socket(struct socket_au_info *soi) 825{ 826 token_t *t; 827 u_char *dptr; 828 u_int16_t so_type; 829 830 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) + 831 sizeof(u_int32_t) + sizeof(u_int16_t) + sizeof(u_int32_t)); 832 833 ADD_U_CHAR(dptr, AU_SOCK_TOKEN); 834 /* Coerce the socket type into a short value */ 835 so_type = soi->so_type; 836 ADD_U_INT16(dptr, so_type); 837 ADD_U_INT16(dptr, soi->so_lport); 838 ADD_U_INT32(dptr, soi->so_laddr); 839 ADD_U_INT16(dptr, soi->so_rport); 840 ADD_U_INT32(dptr, soi->so_raddr); 841 842 return (t); 843} 844#endif 845 846/* 847 * token ID 1 byte 848 * socket type 2 bytes 849 * local port 2 bytes 850 * address type/length 4 bytes 851 * local Internet address 4 bytes/16 bytes (IPv4/IPv6 address) 852 * remote port 4 bytes 853 * address type/length 4 bytes 854 * remote Internet address 4 bytes/16 bytes (IPv4/IPv6 address) 855 */ 856token_t * 857au_to_socket_ex_32(u_int16_t lp, u_int16_t rp, struct sockaddr *la, 858 struct sockaddr *ra) 859{ 860 861 return (NULL); 862} 863 864token_t * 865au_to_socket_ex_128(u_int16_t lp, u_int16_t rp, struct sockaddr *la, 866 struct sockaddr *ra) 867{ 868 869 return (NULL); 870} 871 872/* 873 * token ID 1 byte 874 * socket family 2 bytes 875 * path 104 bytes 876 */ 877token_t * 878au_to_sock_unix(struct sockaddr_un *so) 879{ 880 token_t *t; 881 u_char *dptr; 882 883 GET_TOKEN_AREA(t, dptr, 3 * sizeof(u_char) + strlen(so->sun_path) + 1); 884 885 ADD_U_CHAR(dptr, AU_SOCK_UNIX_TOKEN); 886 /* BSM token has two bytes for family */ 887 ADD_U_CHAR(dptr, 0); 888 ADD_U_CHAR(dptr, so->sun_family); 889 ADD_STRING(dptr, so->sun_path, strlen(so->sun_path) + 1); 890 891 return (t); 892} 893 894/* 895 * token ID 1 byte 896 * socket family 2 bytes 897 * local port 2 bytes 898 * socket address 4 bytes 899 */ 900token_t * 901au_to_sock_inet32(struct sockaddr_in *so) 902{ 903 token_t *t; 904 u_char *dptr = NULL; 905 uint16_t family; 906 907 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(uint16_t) + 908 sizeof(uint32_t)); 909 910 ADD_U_CHAR(dptr, AUT_SOCKINET32); 911 /* 912 * BSM defines the family field as 16 bits, but many operating 913 * systems have an 8-bit sin_family field. Extend to 16 bits before 914 * writing into the token. Assume that both the port and the address 915 * in the sockaddr_in are already in network byte order, but family 916 * is in local byte order. 917 * 918 * XXXRW: Should a name space conversion be taking place on the value 919 * of sin_family? 920 */ 921 family = so->sin_family; 922 ADD_U_INT16(dptr, family); 923 ADD_MEM(dptr, &so->sin_port, sizeof(uint16_t)); 924 ADD_MEM(dptr, &so->sin_addr.s_addr, sizeof(uint32_t)); 925 926 return (t); 927 928} 929 930token_t * 931au_to_sock_inet128(struct sockaddr_in6 *so) 932{ 933 token_t *t; 934 u_char *dptr = NULL; 935 936 GET_TOKEN_AREA(t, dptr, 3 * sizeof(u_char) + sizeof(u_int16_t) + 937 4 * sizeof(u_int32_t)); 938 939 ADD_U_CHAR(dptr, AUT_SOCKINET128); 940 /* 941 * In Darwin, sin6_family is one octet, but BSM defines the token 942 * to store two. So we copy in a 0 first. 943 */ 944 ADD_U_CHAR(dptr, 0); 945 ADD_U_CHAR(dptr, so->sin6_family); 946 947 ADD_U_INT16(dptr, so->sin6_port); 948 ADD_MEM(dptr, &so->sin6_addr, 4 * sizeof(uint32_t)); 949 950 return (t); 951 952} 953 954token_t * 955au_to_sock_inet(struct sockaddr_in *so) 956{ 957 958 return (au_to_sock_inet32(so)); 959} 960 961/* 962 * token ID 1 byte 963 * audit ID 4 bytes 964 * effective user ID 4 bytes 965 * effective group ID 4 bytes 966 * real user ID 4 bytes 967 * real group ID 4 bytes 968 * process ID 4 bytes 969 * session ID 4 bytes 970 * terminal ID 971 * port ID 4 bytes/8 bytes (32-bit/64-bit value) 972 * machine address 4 bytes 973 */ 974token_t * 975au_to_subject32(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, 976 pid_t pid, au_asid_t sid, au_tid_t *tid) 977{ 978 token_t *t; 979 u_char *dptr = NULL; 980 981 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 9 * sizeof(u_int32_t)); 982 983 ADD_U_CHAR(dptr, AUT_SUBJECT32); 984 ADD_U_INT32(dptr, auid); 985 ADD_U_INT32(dptr, euid); 986 ADD_U_INT32(dptr, egid); 987 ADD_U_INT32(dptr, ruid); 988 ADD_U_INT32(dptr, rgid); 989 ADD_U_INT32(dptr, pid); 990 ADD_U_INT32(dptr, sid); 991 ADD_U_INT32(dptr, tid->port); 992 ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t)); 993 994 return (t); 995} 996 997token_t * 998au_to_subject64(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, 999 pid_t pid, au_asid_t sid, au_tid_t *tid) 1000{ 1001 token_t *t; 1002 u_char *dptr = NULL; 1003 1004 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 7 * sizeof(u_int32_t) + 1005 sizeof(u_int64_t) + sizeof(u_int32_t)); 1006 1007 ADD_U_CHAR(dptr, AUT_SUBJECT64); 1008 ADD_U_INT32(dptr, auid); 1009 ADD_U_INT32(dptr, euid); 1010 ADD_U_INT32(dptr, egid); 1011 ADD_U_INT32(dptr, ruid); 1012 ADD_U_INT32(dptr, rgid); 1013 ADD_U_INT32(dptr, pid); 1014 ADD_U_INT32(dptr, sid); 1015 ADD_U_INT64(dptr, tid->port); 1016 ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t)); 1017 1018 return (t); 1019} 1020 1021token_t * 1022au_to_subject(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, 1023 pid_t pid, au_asid_t sid, au_tid_t *tid) 1024{ 1025 1026 return (au_to_subject32(auid, euid, egid, ruid, rgid, pid, sid, 1027 tid)); 1028} 1029 1030/* 1031 * token ID 1 byte 1032 * audit ID 4 bytes 1033 * effective user ID 4 bytes 1034 * effective group ID 4 bytes 1035 * real user ID 4 bytes 1036 * real group ID 4 bytes 1037 * process ID 4 bytes 1038 * session ID 4 bytes 1039 * terminal ID 1040 * port ID 4 bytes/8 bytes (32-bit/64-bit value) 1041 * address type/length 4 bytes 1042 * machine address 4/16 bytes 1043 */ 1044token_t * 1045au_to_subject32_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, 1046 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid) 1047{ 1048 token_t *t; 1049 u_char *dptr = NULL; 1050 1051 KASSERT((tid->at_type == AU_IPv4) || (tid->at_type == AU_IPv6), 1052 ("au_to_subject32_ex: type %u", (unsigned int)tid->at_type)); 1053 if (tid->at_type == AU_IPv6) 1054 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 13 * 1055 sizeof(u_int32_t)); 1056 else 1057 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 10 * 1058 sizeof(u_int32_t)); 1059 1060 ADD_U_CHAR(dptr, AUT_SUBJECT32_EX); 1061 ADD_U_INT32(dptr, auid); 1062 ADD_U_INT32(dptr, euid); 1063 ADD_U_INT32(dptr, egid); 1064 ADD_U_INT32(dptr, ruid); 1065 ADD_U_INT32(dptr, rgid); 1066 ADD_U_INT32(dptr, pid); 1067 ADD_U_INT32(dptr, sid); 1068 ADD_U_INT32(dptr, tid->at_port); 1069 ADD_U_INT32(dptr, tid->at_type); 1070 if (tid->at_type == AU_IPv6) 1071 ADD_MEM(dptr, &tid->at_addr[0], 4 * sizeof(u_int32_t)); 1072 else 1073 ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t)); 1074 return (t); 1075} 1076 1077token_t * 1078au_to_subject64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, 1079 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid) 1080{ 1081 token_t *t; 1082 u_char *dptr = NULL; 1083 1084 if (tid->at_type == AU_IPv4) 1085 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 1086 7 * sizeof(u_int32_t) + sizeof(u_int64_t) + 1087 2 * sizeof(u_int32_t)); 1088 else if (tid->at_type == AU_IPv6) 1089 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 1090 7 * sizeof(u_int32_t) + sizeof(u_int64_t) + 1091 5 * sizeof(u_int32_t)); 1092 else 1093 panic("au_to_subject64_ex: invalid at_type (%d)", 1094 tid->at_type); 1095 1096 ADD_U_CHAR(dptr, AUT_SUBJECT64_EX); 1097 ADD_U_INT32(dptr, auid); 1098 ADD_U_INT32(dptr, euid); 1099 ADD_U_INT32(dptr, egid); 1100 ADD_U_INT32(dptr, ruid); 1101 ADD_U_INT32(dptr, rgid); 1102 ADD_U_INT32(dptr, pid); 1103 ADD_U_INT32(dptr, sid); 1104 ADD_U_INT64(dptr, tid->at_port); 1105 ADD_U_INT32(dptr, tid->at_type); 1106 if (tid->at_type == AU_IPv6) 1107 ADD_MEM(dptr, &tid->at_addr[0], 4 * sizeof(u_int32_t)); 1108 else 1109 ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t)); 1110 1111 return (t); 1112} 1113 1114token_t * 1115au_to_subject_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, 1116 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid) 1117{ 1118 1119 return (au_to_subject32_ex(auid, euid, egid, ruid, rgid, pid, sid, 1120 tid)); 1121} 1122 1123#if !defined(_KERNEL) && !defined(KERNEL) && defined(HAVE_AUDIT_SYSCALLS) 1124/* 1125 * Collects audit information for the current process 1126 * and creates a subject token from it 1127 */ 1128token_t * 1129au_to_me(void) 1130{ 1131 auditinfo_t auinfo; 1132 1133 if (getaudit(&auinfo) != 0) 1134 return (NULL); 1135 1136 return (au_to_subject32(auinfo.ai_auid, geteuid(), getegid(), 1137 getuid(), getgid(), getpid(), auinfo.ai_asid, &auinfo.ai_termid)); 1138} 1139#endif 1140 1141#if defined(_KERNEL) || defined(KERNEL) 1142static token_t * 1143au_to_exec_strings(char *strs, int count, u_char type) 1144{ 1145 token_t *t; 1146 u_char *dptr = NULL; 1147 u_int32_t totlen; 1148 int ctr; 1149 char *p; 1150 1151 totlen = 0; 1152 ctr = count; 1153 p = strs; 1154 while (ctr-- > 0) { 1155 totlen += strlen(p) + 1; 1156 p = strs + totlen; 1157 } 1158 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + totlen); 1159 ADD_U_CHAR(dptr, type); 1160 ADD_U_INT32(dptr, count); 1161 ADD_STRING(dptr, strs, totlen); 1162 1163 return (t); 1164} 1165 1166/* 1167 * token ID 1 byte 1168 * count 4 bytes 1169 * text count null-terminated strings 1170 */ 1171token_t * 1172au_to_exec_args(char *args, int argc) 1173{ 1174 1175 return (au_to_exec_strings(args, argc, AUT_EXEC_ARGS)); 1176} 1177 1178/* 1179 * token ID 1 byte 1180 * count 4 bytes 1181 * text count null-terminated strings 1182 */ 1183token_t * 1184au_to_exec_env(char *envs, int envc) 1185{ 1186 1187 return (au_to_exec_strings(envs, envc, AUT_EXEC_ENV)); 1188} 1189#else 1190/* 1191 * token ID 1 byte 1192 * count 4 bytes 1193 * text count null-terminated strings 1194 */ 1195token_t * 1196au_to_exec_args(char **argv) 1197{ 1198 token_t *t; 1199 u_char *dptr = NULL; 1200 const char *nextarg; 1201 int i, count = 0; 1202 size_t totlen = 0; 1203 1204 nextarg = *argv; 1205 1206 while (nextarg != NULL) { 1207 int nextlen; 1208 1209 nextlen = strlen(nextarg); 1210 totlen += nextlen + 1; 1211 count++; 1212 nextarg = *(argv + count); 1213 } 1214 1215 totlen += count * sizeof(char); /* nul terminations. */ 1216 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + totlen); 1217 1218 ADD_U_CHAR(dptr, AUT_EXEC_ARGS); 1219 ADD_U_INT32(dptr, count); 1220 1221 for (i = 0; i < count; i++) { 1222 nextarg = *(argv + i); 1223 ADD_MEM(dptr, nextarg, strlen(nextarg) + 1); 1224 } 1225 1226 return (t); 1227} 1228 1229/* 1230 * token ID 1 byte 1231 * zonename length 2 bytes 1232 * zonename N bytes + 1 terminating NULL byte 1233 */ 1234token_t * 1235au_to_zonename(char *zonename) 1236{ 1237 u_char *dptr = NULL; 1238 u_int16_t textlen; 1239 token_t *t; 1240 1241 textlen = strlen(zonename); 1242 textlen += 1; 1243 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + textlen); 1244 ADD_U_CHAR(dptr, AUT_ZONENAME); 1245 ADD_U_INT16(dptr, textlen); 1246 ADD_STRING(dptr, zonename, textlen); 1247 return (t); 1248} 1249 1250/* 1251 * token ID 1 byte 1252 * count 4 bytes 1253 * text count null-terminated strings 1254 */ 1255token_t * 1256au_to_exec_env(char **envp) 1257{ 1258 token_t *t; 1259 u_char *dptr = NULL; 1260 int i, count = 0; 1261 size_t totlen = 0; 1262 const char *nextenv; 1263 1264 nextenv = *envp; 1265 1266 while (nextenv != NULL) { 1267 int nextlen; 1268 1269 nextlen = strlen(nextenv); 1270 totlen += nextlen + 1; 1271 count++; 1272 nextenv = *(envp + count); 1273 } 1274 1275 totlen += sizeof(char) * count; 1276 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + totlen); 1277 1278 ADD_U_CHAR(dptr, AUT_EXEC_ENV); 1279 ADD_U_INT32(dptr, count); 1280 1281 for (i = 0; i < count; i++) { 1282 nextenv = *(envp + i); 1283 ADD_MEM(dptr, nextenv, strlen(nextenv) + 1); 1284 } 1285 1286 return (t); 1287} 1288#endif 1289 1290/* 1291 * token ID 1 byte 1292 * record byte count 4 bytes 1293 * version # 1 byte [2] 1294 * event type 2 bytes 1295 * event modifier 2 bytes 1296 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value) 1297 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value) 1298 */ 1299token_t * 1300au_to_header32_tm(int rec_size, au_event_t e_type, au_emod_t e_mod, 1301 struct timeval tm) 1302{ 1303 token_t *t; 1304 u_char *dptr = NULL; 1305 u_int32_t timems; 1306 1307 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + 1308 sizeof(u_char) + 2 * sizeof(u_int16_t) + 2 * sizeof(u_int32_t)); 1309 1310 ADD_U_CHAR(dptr, AUT_HEADER32); 1311 ADD_U_INT32(dptr, rec_size); 1312 ADD_U_CHAR(dptr, AUDIT_HEADER_VERSION_OPENBSM); 1313 ADD_U_INT16(dptr, e_type); 1314 ADD_U_INT16(dptr, e_mod); 1315 1316 timems = tm.tv_usec/1000; 1317 /* Add the timestamp */ 1318 ADD_U_INT32(dptr, tm.tv_sec); 1319 ADD_U_INT32(dptr, timems); /* We need time in ms. */ 1320 1321 return (t); 1322} 1323 1324token_t * 1325au_to_header64_tm(int rec_size, au_event_t e_type, au_emod_t e_mod, 1326 struct timeval tm) 1327{ 1328 token_t *t; 1329 u_char *dptr = NULL; 1330 u_int32_t timems; 1331 1332 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + 1333 sizeof(u_char) + 2 * sizeof(u_int16_t) + 2 * sizeof(u_int64_t)); 1334 1335 ADD_U_CHAR(dptr, AUT_HEADER64); 1336 ADD_U_INT32(dptr, rec_size); 1337 ADD_U_CHAR(dptr, AUDIT_HEADER_VERSION_OPENBSM); 1338 ADD_U_INT16(dptr, e_type); 1339 ADD_U_INT16(dptr, e_mod); 1340 1341 timems = tm.tv_usec/1000; 1342 /* Add the timestamp */ 1343 ADD_U_INT64(dptr, tm.tv_sec); 1344 ADD_U_INT64(dptr, timems); /* We need time in ms. */ 1345 1346 return (t); 1347} 1348 1349/* 1350 * token ID 1 byte 1351 * trailer magic number 2 bytes 1352 * record byte count 4 bytes 1353 */ 1354token_t * 1355au_to_trailer(int rec_size) 1356{ 1357 token_t *t; 1358 u_char *dptr = NULL; 1359 u_int16_t magic = TRAILER_PAD_MAGIC; 1360 1361 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + 1362 sizeof(u_int32_t)); 1363 1364 ADD_U_CHAR(dptr, AUT_TRAILER); 1365 ADD_U_INT16(dptr, magic); 1366 ADD_U_INT32(dptr, rec_size); 1367 1368 return (t); 1369} 1370