2 * Copyright (c) 2004-2009 Apple Inc.
3 * Copyright (c) 2005 SPARTA, Inc.
6 * This code was developed in part by Robert N. M. Watson, Senior Principal
7 * Scientist, SPARTA, Inc.
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of Apple Inc. ("Apple") nor the names of
18 * its contributors may be used to endorse or promote products derived
19 * from this software without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
25 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
29 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
30 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
31 * POSSIBILITY OF SUCH DAMAGE.
33 * P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_token.c#99
36 #include <sys/cdefs.h>
37 __FBSDID("$FreeBSD$");
39 #include <sys/param.h>
40 #include <sys/types.h>
41 #include <sys/endian.h>
42 #include <sys/queue.h>
43 #include <sys/socket.h>
47 #include <sys/libkern.h>
48 #include <sys/malloc.h>
51 #include <netinet/in.h>
52 #include <netinet/in_systm.h>
53 #include <netinet/ip.h>
56 #include <bsm/audit.h>
57 #include <bsm/audit_internal.h>
58 #include <bsm/audit_record.h>
59 #include <security/audit/audit.h>
60 #include <security/audit/audit_private.h>
62 #define GET_TOKEN_AREA(t, dptr, length) do { \
63 t = malloc(sizeof(token_t), M_AUDITBSM, M_WAITOK); \
64 t->t_data = malloc(length, M_AUDITBSM, M_WAITOK | M_ZERO); \
71 * success/failure 1 byte
73 * privstr N bytes + 1 (\0 byte)
76 au_to_upriv(char sorf, char *priv)
82 textlen = strlen(priv) + 1;
83 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_char) +
84 sizeof(u_int16_t) + textlen);
86 ADD_U_CHAR(dptr, AUT_UPRIV);
87 ADD_U_CHAR(dptr, sorf);
88 ADD_U_INT16(dptr, textlen);
89 ADD_STRING(dptr, priv, textlen);
96 * privtstr N bytes + 1
101 au_to_privset(char *privtypestr, char *privstr)
103 u_int16_t type_len, priv_len;
107 type_len = strlen(privtypestr) + 1;
108 priv_len = strlen(privstr) + 1;
109 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) +
110 sizeof(u_int16_t) + type_len + priv_len);
112 ADD_U_CHAR(dptr, AUT_PRIV);
113 ADD_U_INT16(dptr, type_len);
114 ADD_STRING(dptr, privtypestr, type_len);
115 ADD_U_INT16(dptr, priv_len);
116 ADD_STRING(dptr, privstr, priv_len);
123 * argument value 4 bytes/8 bytes (32-bit/64-bit value)
124 * text length 2 bytes
125 * text N bytes + 1 terminating NULL byte
128 au_to_arg32(char n, const char *text, u_int32_t v)
134 textlen = strlen(text);
137 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int32_t) +
138 sizeof(u_int16_t) + textlen);
140 ADD_U_CHAR(dptr, AUT_ARG32);
142 ADD_U_INT32(dptr, v);
143 ADD_U_INT16(dptr, textlen);
144 ADD_STRING(dptr, text, textlen);
150 au_to_arg64(char n, const char *text, u_int64_t v)
156 textlen = strlen(text);
159 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int64_t) +
160 sizeof(u_int16_t) + textlen);
162 ADD_U_CHAR(dptr, AUT_ARG64);
164 ADD_U_INT64(dptr, v);
165 ADD_U_INT16(dptr, textlen);
166 ADD_STRING(dptr, text, textlen);
172 au_to_arg(char n, const char *text, u_int32_t v)
175 return (au_to_arg32(n, text, v));
178 #if defined(_KERNEL) || defined(KERNEL)
181 * file access mode 4 bytes
182 * owner user ID 4 bytes
183 * owner group ID 4 bytes
184 * file system ID 4 bytes
186 * device 4 bytes/8 bytes (32-bit/64-bit)
189 au_to_attr32(struct vnode_au_info *vni)
193 u_int16_t pad0_16 = 0;
194 u_int32_t pad0_32 = 0;
196 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) +
197 3 * sizeof(u_int32_t) + sizeof(u_int64_t) + sizeof(u_int32_t));
199 ADD_U_CHAR(dptr, AUT_ATTR32);
202 * BSD defines the size for the file mode as 2 bytes; BSM defines 4
205 * XXXRW: Possibly should be conditionally compiled.
207 * XXXRW: Should any conversions take place on the mode?
209 ADD_U_INT16(dptr, pad0_16);
210 ADD_U_INT16(dptr, vni->vn_mode);
212 ADD_U_INT32(dptr, vni->vn_uid);
213 ADD_U_INT32(dptr, vni->vn_gid);
214 ADD_U_INT32(dptr, vni->vn_fsid);
217 * Some systems use 32-bit file ID's, others use 64-bit file IDs.
218 * Attempt to handle both, and let the compiler sort it out. If we
219 * could pick this out at compile-time, it would be better, so as to
220 * avoid the else case below.
222 if (sizeof(vni->vn_fileid) == sizeof(uint32_t)) {
223 ADD_U_INT32(dptr, pad0_32);
224 ADD_U_INT32(dptr, vni->vn_fileid);
225 } else if (sizeof(vni->vn_fileid) == sizeof(uint64_t))
226 ADD_U_INT64(dptr, vni->vn_fileid);
228 ADD_U_INT64(dptr, 0LL);
230 ADD_U_INT32(dptr, vni->vn_dev);
236 au_to_attr64(struct vnode_au_info *vni)
240 u_int16_t pad0_16 = 0;
241 u_int32_t pad0_32 = 0;
243 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) +
244 3 * sizeof(u_int32_t) + sizeof(u_int64_t) * 2);
246 ADD_U_CHAR(dptr, AUT_ATTR64);
249 * BSD defines the size for the file mode as 2 bytes; BSM defines 4
252 * XXXRW: Possibly should be conditionally compiled.
254 * XXXRW: Should any conversions take place on the mode?
256 ADD_U_INT16(dptr, pad0_16);
257 ADD_U_INT16(dptr, vni->vn_mode);
259 ADD_U_INT32(dptr, vni->vn_uid);
260 ADD_U_INT32(dptr, vni->vn_gid);
261 ADD_U_INT32(dptr, vni->vn_fsid);
264 * Some systems use 32-bit file ID's, other's use 64-bit file IDs.
265 * Attempt to handle both, and let the compiler sort it out. If we
266 * could pick this out at compile-time, it would be better, so as to
267 * avoid the else case below.
269 if (sizeof(vni->vn_fileid) == sizeof(uint32_t)) {
270 ADD_U_INT32(dptr, pad0_32);
271 ADD_U_INT32(dptr, vni->vn_fileid);
272 } else if (sizeof(vni->vn_fileid) == sizeof(uint64_t))
273 ADD_U_INT64(dptr, vni->vn_fileid);
275 ADD_U_INT64(dptr, 0LL);
277 ADD_U_INT64(dptr, vni->vn_dev);
283 au_to_attr(struct vnode_au_info *vni)
286 return (au_to_attr32(vni));
288 #endif /* !(defined(_KERNEL) || defined(KERNEL) */
292 * how to print 1 byte
295 * data items (depends on basic unit)
298 au_to_data(char unit_print, char unit_type, char unit_count, const char *p)
302 size_t datasize, totdata;
304 /* Determine the size of the basic unit. */
308 datasize = AUR_BYTE_SIZE;
312 datasize = AUR_SHORT_SIZE;
317 datasize = AUR_INT32_SIZE;
321 datasize = AUR_INT64_SIZE;
328 totdata = datasize * unit_count;
330 GET_TOKEN_AREA(t, dptr, 4 * sizeof(u_char) + totdata);
333 * XXXRW: We should be byte-swapping each data item for multi-byte
336 ADD_U_CHAR(dptr, AUT_DATA);
337 ADD_U_CHAR(dptr, unit_print);
338 ADD_U_CHAR(dptr, unit_type);
339 ADD_U_CHAR(dptr, unit_count);
340 ADD_MEM(dptr, p, totdata);
349 * return value 4 bytes
352 au_to_exit(int retval, int err)
357 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int32_t));
359 ADD_U_CHAR(dptr, AUT_EXIT);
360 ADD_U_INT32(dptr, err);
361 ADD_U_INT32(dptr, retval);
369 au_to_groups(int *groups)
372 return (au_to_newgroups(AUDIT_MAX_GROUPS, (gid_t *)groups));
377 * number groups 2 bytes
378 * group list count * 4 bytes
381 au_to_newgroups(u_int16_t n, gid_t *groups)
387 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) +
388 n * sizeof(u_int32_t));
390 ADD_U_CHAR(dptr, AUT_NEWGROUPS);
391 ADD_U_INT16(dptr, n);
392 for (i = 0; i < n; i++)
393 ADD_U_INT32(dptr, groups[i]);
400 * internet address 4 bytes
403 au_to_in_addr(struct in_addr *internet_addr)
408 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(uint32_t));
410 ADD_U_CHAR(dptr, AUT_IN_ADDR);
411 ADD_MEM(dptr, &internet_addr->s_addr, sizeof(uint32_t));
418 * address type/length 4 bytes
422 au_to_in_addr_ex(struct in6_addr *internet_addr)
426 u_int32_t type = AU_IPv6;
428 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 5 * sizeof(uint32_t));
430 ADD_U_CHAR(dptr, AUT_IN_ADDR_EX);
431 ADD_U_INT32(dptr, type);
432 ADD_MEM(dptr, internet_addr, 4 * sizeof(uint32_t));
441 * The IP header should be submitted in network byte order.
444 au_to_ip(struct ip *ip)
449 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(struct ip));
451 ADD_U_CHAR(dptr, AUT_IP);
452 ADD_MEM(dptr, ip, sizeof(struct ip));
459 * object ID type 1 byte
463 au_to_ipc(char type, int id)
468 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int32_t));
470 ADD_U_CHAR(dptr, AUT_IPC);
471 ADD_U_CHAR(dptr, type);
472 ADD_U_INT32(dptr, id);
479 * owner user ID 4 bytes
480 * owner group ID 4 bytes
481 * creator user ID 4 bytes
482 * creator group ID 4 bytes
483 * access mode 4 bytes
484 * slot sequence # 4 bytes
488 au_to_ipc_perm(struct ipc_perm *perm)
494 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 12 * sizeof(u_int16_t) +
497 ADD_U_CHAR(dptr, AUT_IPC_PERM);
500 * Systems vary significantly in what types they use in struct
501 * ipc_perm; at least a few still use 16-bit uid's and gid's, so
502 * allow for that, as BSM define 32-bit values here.
503 * Some systems define the sizes for ipc_perm members as 2 bytes;
504 * BSM defines 4 so pad with 0.
506 * XXXRW: Possibly shoulid be conditionally compiled, and more cases
507 * need to be handled.
509 if (sizeof(perm->uid) != sizeof(u_int32_t)) {
510 ADD_U_INT16(dptr, pad0);
511 ADD_U_INT16(dptr, perm->uid);
512 ADD_U_INT16(dptr, pad0);
513 ADD_U_INT16(dptr, perm->gid);
514 ADD_U_INT16(dptr, pad0);
515 ADD_U_INT16(dptr, perm->cuid);
516 ADD_U_INT16(dptr, pad0);
517 ADD_U_INT16(dptr, perm->cgid);
519 ADD_U_INT32(dptr, perm->uid);
520 ADD_U_INT32(dptr, perm->gid);
521 ADD_U_INT32(dptr, perm->cuid);
522 ADD_U_INT32(dptr, perm->cgid);
525 ADD_U_INT16(dptr, pad0);
526 ADD_U_INT16(dptr, perm->mode);
528 ADD_U_INT16(dptr, pad0);
530 ADD_U_INT16(dptr, perm->seq);
532 ADD_U_INT32(dptr, perm->key);
539 * port IP address 2 bytes
542 au_to_iport(u_int16_t iport)
547 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t));
549 ADD_U_CHAR(dptr, AUT_IPORT);
550 ADD_U_INT16(dptr, iport);
561 au_to_opaque(const char *data, u_int16_t bytes)
566 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + bytes);
568 ADD_U_CHAR(dptr, AUT_OPAQUE);
569 ADD_U_INT16(dptr, bytes);
570 ADD_MEM(dptr, data, bytes);
577 * seconds of time 4 bytes
578 * milliseconds of time 4 bytes
579 * file name len 2 bytes
580 * file pathname N bytes + 1 terminating NULL byte
583 au_to_file(const char *file, struct timeval tm)
590 filelen = strlen(file);
593 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int32_t) +
594 sizeof(u_int16_t) + filelen);
596 timems = tm.tv_usec/1000;
598 ADD_U_CHAR(dptr, AUT_OTHER_FILE32);
599 ADD_U_INT32(dptr, tm.tv_sec);
600 ADD_U_INT32(dptr, timems); /* We need time in ms. */
601 ADD_U_INT16(dptr, filelen);
602 ADD_STRING(dptr, file, filelen);
609 * text length 2 bytes
610 * text N bytes + 1 terminating NULL byte
613 au_to_text(const char *text)
619 textlen = strlen(text);
622 /* XXXRW: Should validate length against token size limit. */
624 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + textlen);
626 ADD_U_CHAR(dptr, AUT_TEXT);
627 ADD_U_INT16(dptr, textlen);
628 ADD_STRING(dptr, text, textlen);
635 * path length 2 bytes
636 * path N bytes + 1 terminating NULL byte
639 au_to_path(const char *text)
645 textlen = strlen(text);
648 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + textlen);
650 ADD_U_CHAR(dptr, AUT_PATH);
651 ADD_U_INT16(dptr, textlen);
652 ADD_STRING(dptr, text, textlen);
660 * effective user ID 4 bytes
661 * effective group ID 4 bytes
662 * real user ID 4 bytes
663 * real group ID 4 bytes
667 * port ID 4 bytes/8 bytes (32-bit/64-bit value)
668 * machine address 4 bytes
671 au_to_process32(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
672 pid_t pid, au_asid_t sid, au_tid_t *tid)
677 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 9 * sizeof(u_int32_t));
679 ADD_U_CHAR(dptr, AUT_PROCESS32);
680 ADD_U_INT32(dptr, auid);
681 ADD_U_INT32(dptr, euid);
682 ADD_U_INT32(dptr, egid);
683 ADD_U_INT32(dptr, ruid);
684 ADD_U_INT32(dptr, rgid);
685 ADD_U_INT32(dptr, pid);
686 ADD_U_INT32(dptr, sid);
687 ADD_U_INT32(dptr, tid->port);
690 * Note: Solaris will write out IPv6 addresses here as a 32-bit
691 * address type and 16 bytes of address, but for IPv4 addresses it
692 * simply writes the 4-byte address directly. We support only IPv4
693 * addresses for process32 tokens.
695 ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t));
701 au_to_process64(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
702 pid_t pid, au_asid_t sid, au_tid_t *tid)
707 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 8 * sizeof(u_int32_t) +
710 ADD_U_CHAR(dptr, AUT_PROCESS64);
711 ADD_U_INT32(dptr, auid);
712 ADD_U_INT32(dptr, euid);
713 ADD_U_INT32(dptr, egid);
714 ADD_U_INT32(dptr, ruid);
715 ADD_U_INT32(dptr, rgid);
716 ADD_U_INT32(dptr, pid);
717 ADD_U_INT32(dptr, sid);
718 ADD_U_INT64(dptr, tid->port);
721 * Note: Solaris will write out IPv6 addresses here as a 32-bit
722 * address type and 16 bytes of address, but for IPv4 addresses it
723 * simply writes the 4-byte address directly. We support only IPv4
724 * addresses for process64 tokens.
726 ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t));
732 au_to_process(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
733 pid_t pid, au_asid_t sid, au_tid_t *tid)
736 return (au_to_process32(auid, euid, egid, ruid, rgid, pid, sid,
743 * effective user ID 4 bytes
744 * effective group ID 4 bytes
745 * real user ID 4 bytes
746 * real group ID 4 bytes
750 * port ID 4 bytes/8 bytes (32-bit/64-bit value)
751 * address type-len 4 bytes
752 * machine address 16 bytes
755 au_to_process32_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
756 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
761 KASSERT((tid->at_type == AU_IPv4) || (tid->at_type == AU_IPv6),
762 ("au_to_process32_ex: type %u", (unsigned int)tid->at_type));
763 if (tid->at_type == AU_IPv4)
764 GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
765 10 * sizeof(u_int32_t));
767 GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
768 13 * sizeof(u_int32_t));
770 ADD_U_CHAR(dptr, AUT_PROCESS32_EX);
771 ADD_U_INT32(dptr, auid);
772 ADD_U_INT32(dptr, euid);
773 ADD_U_INT32(dptr, egid);
774 ADD_U_INT32(dptr, ruid);
775 ADD_U_INT32(dptr, rgid);
776 ADD_U_INT32(dptr, pid);
777 ADD_U_INT32(dptr, sid);
778 ADD_U_INT32(dptr, tid->at_port);
779 ADD_U_INT32(dptr, tid->at_type);
780 ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t));
781 if (tid->at_type == AU_IPv6) {
782 ADD_MEM(dptr, &tid->at_addr[1], sizeof(u_int32_t));
783 ADD_MEM(dptr, &tid->at_addr[2], sizeof(u_int32_t));
784 ADD_MEM(dptr, &tid->at_addr[3], sizeof(u_int32_t));
791 au_to_process64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
792 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
797 if (tid->at_type == AU_IPv4)
798 GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
799 7 * sizeof(u_int32_t) + sizeof(u_int64_t) +
800 2 * sizeof(u_int32_t));
801 else if (tid->at_type == AU_IPv6)
802 GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
803 7 * sizeof(u_int32_t) + sizeof(u_int64_t) +
804 5 * sizeof(u_int32_t));
806 panic("au_to_process64_ex: invalidate at_type (%d)",
809 ADD_U_CHAR(dptr, AUT_PROCESS64_EX);
810 ADD_U_INT32(dptr, auid);
811 ADD_U_INT32(dptr, euid);
812 ADD_U_INT32(dptr, egid);
813 ADD_U_INT32(dptr, ruid);
814 ADD_U_INT32(dptr, rgid);
815 ADD_U_INT32(dptr, pid);
816 ADD_U_INT32(dptr, sid);
817 ADD_U_INT64(dptr, tid->at_port);
818 ADD_U_INT32(dptr, tid->at_type);
819 ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t));
820 if (tid->at_type == AU_IPv6) {
821 ADD_MEM(dptr, &tid->at_addr[1], sizeof(u_int32_t));
822 ADD_MEM(dptr, &tid->at_addr[2], sizeof(u_int32_t));
823 ADD_MEM(dptr, &tid->at_addr[3], sizeof(u_int32_t));
830 au_to_process_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
831 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
834 return (au_to_process32_ex(auid, euid, egid, ruid, rgid, pid, sid,
840 * error status 1 byte
841 * return value 4 bytes/8 bytes (32-bit/64-bit value)
844 au_to_return32(char status, u_int32_t ret)
849 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int32_t));
851 ADD_U_CHAR(dptr, AUT_RETURN32);
852 ADD_U_CHAR(dptr, status);
853 ADD_U_INT32(dptr, ret);
859 au_to_return64(char status, u_int64_t ret)
864 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int64_t));
866 ADD_U_CHAR(dptr, AUT_RETURN64);
867 ADD_U_CHAR(dptr, status);
868 ADD_U_INT64(dptr, ret);
874 au_to_return(char status, u_int32_t ret)
877 return (au_to_return32(status, ret));
882 * sequence number 4 bytes
885 au_to_seq(long audit_count)
890 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t));
892 ADD_U_CHAR(dptr, AUT_SEQ);
893 ADD_U_INT32(dptr, audit_count);
900 * socket domain 2 bytes
901 * socket type 2 bytes
902 * address type 2 byte
904 * local address 4 bytes/16 bytes (IPv4/IPv6 address)
905 * remote port 2 bytes
906 * remote address 4 bytes/16 bytes (IPv4/IPv6 address)
908 * Domain and type arguments to this routine are assumed to already have been
909 * converted to the BSM constant space, so we don't do that here.
912 au_to_socket_ex(u_short so_domain, u_short so_type,
913 struct sockaddr *sa_local, struct sockaddr *sa_remote)
917 struct sockaddr_in *sin;
918 struct sockaddr_in6 *sin6;
920 if (so_domain == AF_INET)
921 GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
922 5 * sizeof(u_int16_t) + 2 * sizeof(u_int32_t));
923 else if (so_domain == AF_INET6)
924 GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
925 5 * sizeof(u_int16_t) + 8 * sizeof(u_int32_t));
929 ADD_U_CHAR(dptr, AUT_SOCKET_EX);
930 ADD_U_INT16(dptr, au_domain_to_bsm(so_domain));
931 ADD_U_INT16(dptr, au_socket_type_to_bsm(so_type));
932 if (so_domain == AF_INET) {
933 ADD_U_INT16(dptr, AU_IPv4);
934 sin = (struct sockaddr_in *)sa_local;
935 ADD_MEM(dptr, &sin->sin_port, sizeof(uint16_t));
936 ADD_MEM(dptr, &sin->sin_addr.s_addr, sizeof(uint32_t));
937 sin = (struct sockaddr_in *)sa_remote;
938 ADD_MEM(dptr, &sin->sin_port, sizeof(uint16_t));
939 ADD_MEM(dptr, &sin->sin_addr.s_addr, sizeof(uint32_t));
941 ADD_U_INT16(dptr, AU_IPv6);
942 sin6 = (struct sockaddr_in6 *)sa_local;
943 ADD_MEM(dptr, &sin6->sin6_port, sizeof(uint16_t));
944 ADD_MEM(dptr, &sin6->sin6_addr, 4 * sizeof(uint32_t));
945 sin6 = (struct sockaddr_in6 *)sa_remote;
946 ADD_MEM(dptr, &sin6->sin6_port, sizeof(uint16_t));
947 ADD_MEM(dptr, &sin6->sin6_addr, 4 * sizeof(uint32_t));
954 * Kernel-specific version of the above function.
956 * XXXRW: Should now use au_to_socket_ex() here.
960 kau_to_socket(struct socket_au_info *soi)
966 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) +
967 sizeof(u_int32_t) + sizeof(u_int16_t) + sizeof(u_int32_t));
969 ADD_U_CHAR(dptr, AUT_SOCKET);
970 /* Coerce the socket type into a short value */
971 so_type = soi->so_type;
972 ADD_U_INT16(dptr, so_type);
973 ADD_U_INT16(dptr, soi->so_lport);
974 ADD_U_INT32(dptr, soi->so_laddr);
975 ADD_U_INT16(dptr, soi->so_rport);
976 ADD_U_INT32(dptr, soi->so_raddr);
984 * socket family 2 bytes
985 * path (up to) 104 bytes + NULL (NULL terminated string)
988 au_to_sock_unix(struct sockaddr_un *so)
993 GET_TOKEN_AREA(t, dptr, 3 * sizeof(u_char) + strlen(so->sun_path) + 1);
995 ADD_U_CHAR(dptr, AUT_SOCKUNIX);
996 /* BSM token has two bytes for family */
998 ADD_U_CHAR(dptr, so->sun_family);
999 ADD_STRING(dptr, so->sun_path, strlen(so->sun_path) + 1);
1006 * socket family 2 bytes
1007 * local port 2 bytes
1008 * socket address 4 bytes
1011 au_to_sock_inet32(struct sockaddr_in *so)
1014 u_char *dptr = NULL;
1017 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(uint16_t) +
1020 ADD_U_CHAR(dptr, AUT_SOCKINET32);
1022 * BSM defines the family field as 16 bits, but many operating
1023 * systems have an 8-bit sin_family field. Extend to 16 bits before
1024 * writing into the token. Assume that both the port and the address
1025 * in the sockaddr_in are already in network byte order, but family
1026 * is in local byte order.
1028 * XXXRW: Should a name space conversion be taking place on the value
1031 family = so->sin_family;
1032 ADD_U_INT16(dptr, family);
1033 ADD_MEM(dptr, &so->sin_port, sizeof(uint16_t));
1034 ADD_MEM(dptr, &so->sin_addr.s_addr, sizeof(uint32_t));
1040 au_to_sock_inet128(struct sockaddr_in6 *so)
1043 u_char *dptr = NULL;
1045 GET_TOKEN_AREA(t, dptr, 3 * sizeof(u_char) + sizeof(u_int16_t) +
1046 4 * sizeof(u_int32_t));
1048 ADD_U_CHAR(dptr, AUT_SOCKINET128);
1050 * In BSD, sin6_family is one octet, but BSM defines the token to
1051 * store two. So we copy in a 0 first. XXXRW: Possibly should be
1052 * conditionally compiled.
1054 ADD_U_CHAR(dptr, 0);
1055 ADD_U_CHAR(dptr, so->sin6_family);
1057 ADD_U_INT16(dptr, so->sin6_port);
1058 ADD_MEM(dptr, &so->sin6_addr, 4 * sizeof(uint32_t));
1064 au_to_sock_inet(struct sockaddr_in *so)
1067 return (au_to_sock_inet32(so));
1073 * effective user ID 4 bytes
1074 * effective group ID 4 bytes
1075 * real user ID 4 bytes
1076 * real group ID 4 bytes
1077 * process ID 4 bytes
1078 * session ID 4 bytes
1080 * port ID 4 bytes/8 bytes (32-bit/64-bit value)
1081 * machine address 4 bytes
1084 au_to_subject32(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
1085 pid_t pid, au_asid_t sid, au_tid_t *tid)
1088 u_char *dptr = NULL;
1090 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 9 * sizeof(u_int32_t));
1092 ADD_U_CHAR(dptr, AUT_SUBJECT32);
1093 ADD_U_INT32(dptr, auid);
1094 ADD_U_INT32(dptr, euid);
1095 ADD_U_INT32(dptr, egid);
1096 ADD_U_INT32(dptr, ruid);
1097 ADD_U_INT32(dptr, rgid);
1098 ADD_U_INT32(dptr, pid);
1099 ADD_U_INT32(dptr, sid);
1100 ADD_U_INT32(dptr, tid->port);
1101 ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t));
1107 au_to_subject64(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
1108 pid_t pid, au_asid_t sid, au_tid_t *tid)
1111 u_char *dptr = NULL;
1113 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 7 * sizeof(u_int32_t) +
1114 sizeof(u_int64_t) + sizeof(u_int32_t));
1116 ADD_U_CHAR(dptr, AUT_SUBJECT64);
1117 ADD_U_INT32(dptr, auid);
1118 ADD_U_INT32(dptr, euid);
1119 ADD_U_INT32(dptr, egid);
1120 ADD_U_INT32(dptr, ruid);
1121 ADD_U_INT32(dptr, rgid);
1122 ADD_U_INT32(dptr, pid);
1123 ADD_U_INT32(dptr, sid);
1124 ADD_U_INT64(dptr, tid->port);
1125 ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t));
1131 au_to_subject(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
1132 pid_t pid, au_asid_t sid, au_tid_t *tid)
1135 return (au_to_subject32(auid, euid, egid, ruid, rgid, pid, sid,
1142 * effective user ID 4 bytes
1143 * effective group ID 4 bytes
1144 * real user ID 4 bytes
1145 * real group ID 4 bytes
1146 * process ID 4 bytes
1147 * session ID 4 bytes
1149 * port ID 4 bytes/8 bytes (32-bit/64-bit value)
1150 * address type/length 4 bytes
1151 * machine address 16 bytes
1154 au_to_subject32_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
1155 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
1158 u_char *dptr = NULL;
1160 KASSERT((tid->at_type == AU_IPv4) || (tid->at_type == AU_IPv6),
1161 ("au_to_subject32_ex: type %u", (unsigned int)tid->at_type));
1163 if (tid->at_type == AU_IPv4)
1164 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 10 *
1167 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 13 *
1170 ADD_U_CHAR(dptr, AUT_SUBJECT32_EX);
1171 ADD_U_INT32(dptr, auid);
1172 ADD_U_INT32(dptr, euid);
1173 ADD_U_INT32(dptr, egid);
1174 ADD_U_INT32(dptr, ruid);
1175 ADD_U_INT32(dptr, rgid);
1176 ADD_U_INT32(dptr, pid);
1177 ADD_U_INT32(dptr, sid);
1178 ADD_U_INT32(dptr, tid->at_port);
1179 ADD_U_INT32(dptr, tid->at_type);
1180 if (tid->at_type == AU_IPv6)
1181 ADD_MEM(dptr, &tid->at_addr[0], 4 * sizeof(u_int32_t));
1183 ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t));
1189 au_to_subject64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
1190 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
1193 u_char *dptr = NULL;
1195 KASSERT((tid->at_type == AU_IPv4) || (tid->at_type == AU_IPv6),
1196 ("au_to_subject64_ex: type %u", (unsigned int)tid->at_type));
1198 if (tid->at_type == AU_IPv4)
1199 GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
1200 7 * sizeof(u_int32_t) + sizeof(u_int64_t) +
1201 2 * sizeof(u_int32_t));
1203 GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
1204 7 * sizeof(u_int32_t) + sizeof(u_int64_t) +
1205 5 * sizeof(u_int32_t));
1207 ADD_U_CHAR(dptr, AUT_SUBJECT64_EX);
1208 ADD_U_INT32(dptr, auid);
1209 ADD_U_INT32(dptr, euid);
1210 ADD_U_INT32(dptr, egid);
1211 ADD_U_INT32(dptr, ruid);
1212 ADD_U_INT32(dptr, rgid);
1213 ADD_U_INT32(dptr, pid);
1214 ADD_U_INT32(dptr, sid);
1215 ADD_U_INT64(dptr, tid->at_port);
1216 ADD_U_INT32(dptr, tid->at_type);
1217 if (tid->at_type == AU_IPv6)
1218 ADD_MEM(dptr, &tid->at_addr[0], 4 * sizeof(u_int32_t));
1220 ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t));
1226 au_to_subject_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
1227 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
1230 return (au_to_subject32_ex(auid, euid, egid, ruid, rgid, pid, sid,
1234 #if !defined(_KERNEL) && !defined(KERNEL) && defined(HAVE_AUDIT_SYSCALLS)
1236 * Collects audit information for the current process and creates a subject
1243 auditinfo_addr_t aia;
1246 * Try to use getaudit_addr(2) first. If this kernel does not support
1247 * it, then fall back on to getaudit(2).
1249 if (getaudit_addr(&aia, sizeof(aia)) != 0) {
1250 if (errno == ENOSYS) {
1251 if (getaudit(&auinfo) != 0)
1253 return (au_to_subject32(auinfo.ai_auid, geteuid(),
1254 getegid(), getuid(), getgid(), getpid(),
1255 auinfo.ai_asid, &auinfo.ai_termid));
1257 /* getaudit_addr(2) failed for some other reason. */
1262 return (au_to_subject32_ex(aia.ai_auid, geteuid(), getegid(), getuid(),
1263 getgid(), getpid(), aia.ai_asid, &aia.ai_termid));
1267 #if defined(_KERNEL) || defined(KERNEL)
1269 au_to_exec_strings(char *strs, int count, u_char type)
1272 u_char *dptr = NULL;
1281 totlen += strlen(p) + 1;
1284 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + totlen);
1285 ADD_U_CHAR(dptr, type);
1286 ADD_U_INT32(dptr, count);
1287 ADD_STRING(dptr, strs, totlen);
1295 * text count null-terminated strings
1298 au_to_exec_args(char *args, int argc)
1301 return (au_to_exec_strings(args, argc, AUT_EXEC_ARGS));
1307 * text count null-terminated strings
1310 au_to_exec_env(char *envs, int envc)
1313 return (au_to_exec_strings(envs, envc, AUT_EXEC_ENV));
1319 * text count null-terminated strings
1322 au_to_exec_args(char **argv)
1325 u_char *dptr = NULL;
1326 const char *nextarg;
1332 while (nextarg != NULL) {
1335 nextlen = strlen(nextarg);
1336 totlen += nextlen + 1;
1338 nextarg = *(argv + count);
1341 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + totlen);
1343 ADD_U_CHAR(dptr, AUT_EXEC_ARGS);
1344 ADD_U_INT32(dptr, count);
1346 for (i = 0; i < count; i++) {
1347 nextarg = *(argv + i);
1348 ADD_MEM(dptr, nextarg, strlen(nextarg) + 1);
1357 * text count null-terminated strings
1360 au_to_exec_env(char **envp)
1363 u_char *dptr = NULL;
1366 const char *nextenv;
1370 while (nextenv != NULL) {
1373 nextlen = strlen(nextenv);
1374 totlen += nextlen + 1;
1376 nextenv = *(envp + count);
1379 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + totlen);
1381 ADD_U_CHAR(dptr, AUT_EXEC_ENV);
1382 ADD_U_INT32(dptr, count);
1384 for (i = 0; i < count; i++) {
1385 nextenv = *(envp + i);
1386 ADD_MEM(dptr, nextenv, strlen(nextenv) + 1);
1395 * zonename length 2 bytes
1396 * zonename N bytes + 1 terminating NULL byte
1399 au_to_zonename(const char *zonename)
1401 u_char *dptr = NULL;
1405 textlen = strlen(zonename) + 1;
1406 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + textlen);
1408 ADD_U_CHAR(dptr, AUT_ZONENAME);
1409 ADD_U_INT16(dptr, textlen);
1410 ADD_STRING(dptr, zonename, textlen);
1416 * record byte count 4 bytes
1417 * version # 1 byte [2]
1418 * event type 2 bytes
1419 * event modifier 2 bytes
1420 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value)
1421 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value)
1424 au_to_header32_tm(int rec_size, au_event_t e_type, au_emod_t e_mod,
1428 u_char *dptr = NULL;
1431 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) +
1432 sizeof(u_char) + 2 * sizeof(u_int16_t) + 2 * sizeof(u_int32_t));
1434 ADD_U_CHAR(dptr, AUT_HEADER32);
1435 ADD_U_INT32(dptr, rec_size);
1436 ADD_U_CHAR(dptr, AUDIT_HEADER_VERSION_OPENBSM);
1437 ADD_U_INT16(dptr, e_type);
1438 ADD_U_INT16(dptr, e_mod);
1440 timems = tm.tv_usec/1000;
1441 /* Add the timestamp */
1442 ADD_U_INT32(dptr, tm.tv_sec);
1443 ADD_U_INT32(dptr, timems); /* We need time in ms. */
1450 * record byte count 4 bytes
1451 * version # 1 byte [2]
1452 * event type 2 bytes
1453 * event modifier 2 bytes
1454 * address type/length 4 bytes
1455 * machine address 4 bytes/16 bytes (IPv4/IPv6 address)
1456 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value)
1457 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value)
1460 au_to_header32_ex_tm(int rec_size, au_event_t e_type, au_emod_t e_mod,
1461 struct timeval tm, struct auditinfo_addr *aia)
1464 u_char *dptr = NULL;
1468 tid = &aia->ai_termid;
1469 KASSERT(tid->at_type == AU_IPv4 || tid->at_type == AU_IPv6,
1470 ("au_to_header32_ex_tm: invalid address family"));
1472 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) +
1473 sizeof(u_char) + 2 * sizeof(u_int16_t) + 3 *
1474 sizeof(u_int32_t) + tid->at_type);
1476 ADD_U_CHAR(dptr, AUT_HEADER32_EX);
1477 ADD_U_INT32(dptr, rec_size);
1478 ADD_U_CHAR(dptr, AUDIT_HEADER_VERSION_OPENBSM);
1479 ADD_U_INT16(dptr, e_type);
1480 ADD_U_INT16(dptr, e_mod);
1482 ADD_U_INT32(dptr, tid->at_type);
1483 if (tid->at_type == AU_IPv6)
1484 ADD_MEM(dptr, &tid->at_addr[0], 4 * sizeof(u_int32_t));
1486 ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t));
1487 timems = tm.tv_usec/1000;
1488 /* Add the timestamp */
1489 ADD_U_INT32(dptr, tm.tv_sec);
1490 ADD_U_INT32(dptr, timems); /* We need time in ms. */
1496 au_to_header64_tm(int rec_size, au_event_t e_type, au_emod_t e_mod,
1500 u_char *dptr = NULL;
1503 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) +
1504 sizeof(u_char) + 2 * sizeof(u_int16_t) + 2 * sizeof(u_int64_t));
1506 ADD_U_CHAR(dptr, AUT_HEADER64);
1507 ADD_U_INT32(dptr, rec_size);
1508 ADD_U_CHAR(dptr, AUDIT_HEADER_VERSION_OPENBSM);
1509 ADD_U_INT16(dptr, e_type);
1510 ADD_U_INT16(dptr, e_mod);
1512 timems = tm.tv_usec/1000;
1513 /* Add the timestamp */
1514 ADD_U_INT64(dptr, tm.tv_sec);
1515 ADD_U_INT64(dptr, timems); /* We need time in ms. */
1520 #if !defined(KERNEL) && !defined(_KERNEL)
1521 #ifdef HAVE_AUDIT_SYSCALLS
1523 au_to_header32_ex(int rec_size, au_event_t e_type, au_emod_t e_mod)
1526 struct auditinfo_addr aia;
1528 if (gettimeofday(&tm, NULL) == -1)
1530 if (audit_get_kaudit(&aia, sizeof(aia)) != 0) {
1531 if (errno != ENOSYS)
1533 return (au_to_header32_tm(rec_size, e_type, e_mod, tm));
1535 return (au_to_header32_ex_tm(rec_size, e_type, e_mod, tm, &aia));
1537 #endif /* HAVE_AUDIT_SYSCALLS */
1540 au_to_header32(int rec_size, au_event_t e_type, au_emod_t e_mod)
1544 if (gettimeofday(&tm, NULL) == -1)
1546 return (au_to_header32_tm(rec_size, e_type, e_mod, tm));
1550 au_to_header64(__unused int rec_size, __unused au_event_t e_type,
1551 __unused au_emod_t e_mod)
1555 if (gettimeofday(&tm, NULL) == -1)
1557 return (au_to_header64_tm(rec_size, e_type, e_mod, tm));
1561 au_to_header(int rec_size, au_event_t e_type, au_emod_t e_mod)
1564 return (au_to_header32(rec_size, e_type, e_mod));
1567 #ifdef HAVE_AUDIT_SYSCALLS
1569 au_to_header_ex(int rec_size, au_event_t e_type, au_emod_t e_mod)
1572 return (au_to_header32_ex(rec_size, e_type, e_mod));
1574 #endif /* HAVE_AUDIT_SYSCALLS */
1575 #endif /* !defined(KERNEL) && !defined(_KERNEL) */
1579 * trailer magic number 2 bytes
1580 * record byte count 4 bytes
1583 au_to_trailer(int rec_size)
1586 u_char *dptr = NULL;
1587 u_int16_t magic = AUT_TRAILER_MAGIC;
1589 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) +
1592 ADD_U_CHAR(dptr, AUT_TRAILER);
1593 ADD_U_INT16(dptr, magic);
1594 ADD_U_INT32(dptr, rec_size);