2 * Copyright (c) 2004 Apple Computer, Inc.
3 * Copyright (c) 2005 SPARTA, Inc.
6 * This code was developed in part by Robert N. M. Watson, Senior Principal
7 * Scientist, SPARTA, Inc.
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
18 * its contributors may be used to endorse or promote products derived
19 * from this software without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
25 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
29 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
30 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
31 * POSSIBILITY OF SUCH DAMAGE.
33 * $P4: //depot/projects/trustedbsd/audit3/sys/security/audit/audit_bsm_token.c#23 $
37 #include <sys/types.h>
38 #include <sys/endian.h>
39 #include <sys/queue.h>
40 #include <sys/socket.h>
44 #include <sys/libkern.h>
45 #include <sys/malloc.h>
48 #include <netinet/in.h>
49 #include <netinet/in_systm.h>
50 #include <netinet/ip.h>
52 #include <sys/socketvar.h>
54 #include <bsm/audit.h>
55 #include <bsm/audit_internal.h>
56 #include <bsm/audit_record.h>
57 #include <security/audit/audit.h>
58 #include <security/audit/audit_private.h>
/*
 * GET_TOKEN_AREA(t, dptr, length): allocate a token_t plus a zero-filled
 * data buffer of `length` bytes, both from M_AUDITBSM.  The remaining lines
 * of the macro are not shown in this listing; presumably they record the
 * length and point dptr at t->t_data -- confirm against the full source.
 *
 * `length` is the only bound on what the ADD_* calls that follow may write:
 * nothing visible checks dptr against it, so each caller's size expression
 * must equal the number of bytes it goes on to add.  M_ZERO means bytes that
 * are allocated but never filled read back as zero, not stale heap contents.
 * With M_WAITOK, malloc(9) sleeps instead of returning NULL, which is why
 * neither result is checked; callers must therefore be able to sleep.
 */
60 #define GET_TOKEN_AREA(t, dptr, length) do { \
61 t = malloc(sizeof(token_t), M_AUDITBSM, M_WAITOK); \
62 t->t_data = malloc(length, M_AUDITBSM, M_WAITOK | M_ZERO); \
70 * argument value 4 bytes/8 bytes (32-bit/64-bit value)
72 * text N bytes + 1 terminating NULL byte
/*
 * Build an AUT_ARG32 token: token ID, argument number, 32-bit value, 16-bit
 * text length, then the text.  Parts of the body are missing from this
 * listing: the size expression reserves room for n and v, but their writes
 * and the local declarations are not shown.
 *
 * NOTE(review): the length field is 16 bits and textlen's declaration is not
 * visible.  If textlen is wider than 16 bits, text longer than 65535 bytes
 * gets a wrapped length field next to a full-size copy; if it is 16 bits,
 * size and copy wrap together and the record silently loses text.  Either
 * way the caller should bound the string.  text must be non-NULL and
 * NUL-terminated, because strlen() is applied to it unchecked.
 */
75 au_to_arg32(char n, char *text, u_int32_t v)
81 textlen = strlen(text);
84 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int32_t) +
85 sizeof(u_int16_t) + textlen);
87 ADD_U_CHAR(dptr, AUT_ARG32);
90 ADD_U_INT16(dptr, textlen);
91 ADD_STRING(dptr, text, textlen);
/*
 * Build an AUT_ARG64 token: the 64-bit counterpart of au_to_arg32, with the
 * value written as 8 bytes.  The write of the argument number n and the
 * local declarations are not shown in this listing.
 *
 * NOTE(review): the text length is stored in 16 bits; a string longer than
 * 65535 bytes is either truncated or recorded with a wrapped length,
 * depending on textlen's (unseen) type -- bound the string at the caller.
 * text must be non-NULL and NUL-terminated.
 */
98 au_to_arg64(char n, char *text, u_int64_t v)
104 textlen = strlen(text);
107 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int64_t) +
108 sizeof(u_int16_t) + textlen);
110 ADD_U_CHAR(dptr, AUT_ARG64);
112 ADD_U_INT64(dptr, v);
113 ADD_U_INT16(dptr, textlen);
114 ADD_STRING(dptr, text, textlen);
/* Default argument token: forwards unchanged to the 32-bit variant. */
121 au_to_arg(char n, char *text, u_int32_t v)
124 return (au_to_arg32(n, text, v));
127 #if defined(_KERNEL) || defined(KERNEL)
130 * file access mode 4 bytes
131 * owner user ID 4 bytes
132 * owner group ID 4 bytes
133 * file system ID 4 bytes
135 * device 4 bytes/8 bytes (32-bit/64-bit)
/*
 * Build an AUT_ATTR32 token from a vnode_au_info: token ID, file mode
 * (16-bit value behind a 16-bit zero pad), owner uid, owner gid, file system
 * ID, a 64-bit file ID and a 32-bit device number.  vni is dereferenced
 * without a NULL check.
 */
138 au_to_attr32(struct vnode_au_info *vni)
142 u_int16_t pad0_16 = 0;
/* NOTE(review): declared 16-bit but written with ADD_U_INT32 below; harmless while the value is 0. */
143 u_int16_t pad0_32 = 0;
/*
 * Size: 1 (ID) + 4 (padded mode) + 12 (uid, gid, fsid) + 8 (file ID) +
 * 4 (device) = 29 bytes, which matches the visible writes if each ADD_*
 * macro writes the width its name states.
 */
145 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) +
146 3 * sizeof(u_int32_t) + sizeof(u_int64_t) + sizeof(u_int32_t));
148 ADD_U_CHAR(dptr, AUT_ATTR32);
151 * Darwin defines the size for the file mode
152 * as 2 bytes; BSM defines 4 so pad with 0
154 ADD_U_INT16(dptr, pad0_16);
155 ADD_U_INT16(dptr, vni->vn_mode);
157 ADD_U_INT32(dptr, vni->vn_uid);
158 ADD_U_INT32(dptr, vni->vn_gid);
159 ADD_U_INT32(dptr, vni->vn_fsid);
162 * Some systems use 32-bit file ID's, other's use 64-bit file IDs.
163 * Attempt to handle both, and let the compiler sort it out. If we
164 * could pick this out at compile-time, it would be better, so as to
165 * avoid the else case below.
/*
 * Both conditions are sizeof comparisons, so only one path is ever taken for
 * a given build; every visible path adds exactly 8 bytes, which keeps the
 * total equal to the allocation.
 */
167 if (sizeof(vni->vn_fileid) == sizeof(uint32_t)) {
168 ADD_U_INT32(dptr, pad0_32);
169 ADD_U_INT32(dptr, vni->vn_fileid);
170 } else if (sizeof(vni->vn_fileid) == sizeof(uint64_t))
171 ADD_U_INT64(dptr, vni->vn_fileid);
/* Fallback for any other file ID width: the ID is recorded as 0. */
173 ADD_U_INT64(dptr, 0LL);
175 ADD_U_INT32(dptr, vni->vn_dev);
181 au_to_attr64(struct vnode_au_info *vni)
/* Default attribute token: forwards to the 32-bit variant. */
188 au_to_attr(struct vnode_au_info *vni)
191 return (au_to_attr32(vni));
193 #endif /* !(defined(_KERNEL) || defined(KERNEL) */
197 * how to print 1 byte
200 * data items (depends on basic unit)
/*
 * Build an AUT_DATA token: token ID, print format, unit type, unit count,
 * then unit_count items of the unit size copied from p.  The code that maps
 * unit_type to datasize is only partly shown in this listing.
 *
 * NOTE(review): unit_count is a plain char.  Where char is signed, a count
 * above 127 arrives negative, and `datasize * unit_count` converts it to a
 * very large size_t that is then used both as the allocation size and as the
 * ADD_MEM copy length.  No range check is visible here; taking the count as
 * unsigned, e.g. `totdata = datasize * (u_char)unit_count;`, keeps it within
 * 0..255 and consistent with the single byte written to the token.
 * p must reference at least totdata readable bytes.
 */
203 au_to_data(char unit_print, char unit_type, char unit_count, char *p)
207 size_t datasize, totdata;
209 /* Determine the size of the basic unit. */
213 datasize = AUR_BYTE_SIZE;
217 datasize = AUR_SHORT_SIZE;
222 datasize = AUR_INT32_SIZE;
226 datasize = AUR_INT64_SIZE;
233 totdata = datasize * unit_count;
235 GET_TOKEN_AREA(t, dptr, 4 * sizeof(u_char) + totdata);
237 ADD_U_CHAR(dptr, AUT_DATA);
238 ADD_U_CHAR(dptr, unit_print);
239 ADD_U_CHAR(dptr, unit_type);
240 ADD_U_CHAR(dptr, unit_count);
241 ADD_MEM(dptr, p, totdata);
250 * return value 4 bytes
/*
 * Build an AUT_EXIT token: token ID followed by two 32-bit fields.  Note the
 * write order: err goes first, retval second, the reverse of the parameter
 * order.
 */
253 au_to_exit(int retval, int err)
258 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int32_t));
260 ADD_U_CHAR(dptr, AUT_EXIT);
261 ADD_U_INT32(dptr, err);
262 ADD_U_INT32(dptr, retval);
/*
 * Group-list token with a fixed count: forwards to au_to_newgroups with
 * AUDIT_MAX_GROUPS entries.
 *
 * NOTE(review): no length accompanies groups, yet au_to_newgroups reads
 * AUDIT_MAX_GROUPS elements from it.  A caller holding a shorter array has
 * the memory after it read and copied into the audit record.  The pointer is
 * also declared int * here and gid_t * in au_to_newgroups; callers with a
 * real count should call au_to_newgroups directly.
 */
270 au_to_groups(int *groups)
273 return (au_to_newgroups(AUDIT_MAX_GROUPS, groups));
278 * number groups 2 bytes
279 * group list count * 4 bytes
/*
 * Build an AUT_NEWGROUPS token: token ID, 16-bit group count, then n group
 * IDs of 32 bits each.  The size expression matches those writes, and n is
 * 16 bits wide, so the multiplication cannot overflow a size_t.
 * groups must reference at least n readable entries; nothing here can check
 * that.
 */
282 au_to_newgroups(u_int16_t n, gid_t *groups)
288 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) +
289 n * sizeof(u_int32_t));
291 ADD_U_CHAR(dptr, AUT_NEWGROUPS);
292 ADD_U_INT16(dptr, n);
293 for (i = 0; i < n; i++)
294 ADD_U_INT32(dptr, groups[i]);
301 * internet address 4 bytes
/*
 * Build an AUT_IN_ADDR token: token ID followed by the 4 address bytes.
 * s_addr is copied with ADD_MEM, i.e. byte for byte as stored in the
 * structure (presumably network byte order -- verify against callers).
 */
304 au_to_in_addr(struct in_addr *internet_addr)
309 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(uint32_t));
311 ADD_U_CHAR(dptr, AUT_IN_ADDR);
312 ADD_MEM(dptr, &internet_addr->s_addr, sizeof(uint32_t));
319 * address type/length 4 bytes
/*
 * Build an AUT_IN_ADDR_EX token: token ID, 32-bit address type, then the
 * IPv6 address bytes.
 *
 * NOTE(review): heap overflow.  The buffer is 1 + 5 * 4 = 21 bytes, but the
 * writes below total 1 + 4 + 20 = 25 (assuming each ADD_* macro writes the
 * width its name states).  struct in6_addr holds 16 bytes, so the 20-byte
 * ADD_MEM also reads 4 bytes past *internet_addr and places whatever follows
 * it in the audit record.  Copying the address as
 * `ADD_MEM(dptr, internet_addr, 4 * sizeof(uint32_t));` makes the writes
 * match the 21 bytes allocated.
 *
 * NOTE(review): the _ex process and subject tokens in this file test their
 * type field against AU_IPv6, while this token stores AF_INET6 -- confirm
 * which value readers of the record expect.
 */
323 au_to_in_addr_ex(struct in6_addr *internet_addr)
327 u_int32_t type = AF_INET6;
329 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 5 * sizeof(uint32_t));
331 ADD_U_CHAR(dptr, AUT_IN_ADDR_EX);
332 ADD_U_INT32(dptr, type);
333 ADD_MEM(dptr, internet_addr, 5 * sizeof(uint32_t));
/*
 * Build an AUT_IP token: token ID followed by a raw copy of struct ip.
 * Only sizeof(struct ip) bytes are copied, so any IP options that follow the
 * fixed header are not recorded.  ip must point to at least that many
 * contiguous readable bytes.  The original XXXRW remark below leaves the
 * byte order of the copied header fields an open question.
 */
343 au_to_ip(struct ip *ip)
348 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(struct ip));
350 ADD_U_CHAR(dptr, AUT_IP);
352 * XXXRW: Any byte order work needed on the IP header before writing?
354 ADD_MEM(dptr, ip, sizeof(struct ip));
361 * object ID type 1 byte
/*
 * Build an AUT_IPC token: token ID, one-byte object type, 32-bit object ID.
 * The size expression (2 bytes + 4 bytes) matches the three writes.
 */
365 au_to_ipc(char type, int id)
370 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int32_t));
372 ADD_U_CHAR(dptr, AUT_IPC);
373 ADD_U_CHAR(dptr, type);
374 ADD_U_INT32(dptr, id);
381 * owner user ID 4 bytes
382 * owner group ID 4 bytes
383 * creator user ID 4 bytes
384 * creator group ID 4 bytes
385 * access mode 4 bytes
386 * slot sequence # 4 bytes
/*
 * Build an AUT_IPC_PERM token: token ID, six ipc_perm fields each written as
 * a 16-bit zero pad plus a 16-bit value, then the 32-bit key.  The
 * declaration of pad0 is not shown in this listing.
 *
 * NOTE(review): off-by-one heap overflow.  The size expression covers the
 * twelve 16-bit writes and the 32-bit key (28 bytes) but not the token ID
 * byte written first, so the final write ends one byte past the buffer
 * (assuming each ADD_* macro writes the width its name states).  The size
 * should be
 * `sizeof(u_char) + 12 * sizeof(u_int16_t) + sizeof(u_int32_t)`.
 *
 * NOTE(review): every ID is written through ADD_U_INT16.  If the ipc_perm
 * fields are wider than 16 bits on the target system, the recorded uid/gid
 * values are truncated -- verify against the structure definition.
 */
390 au_to_ipc_perm(struct ipc_perm *perm)
396 GET_TOKEN_AREA(t, dptr, 12 * sizeof(u_int16_t) + sizeof(u_int32_t));
398 ADD_U_CHAR(dptr, AUT_IPC_PERM);
401 * Darwin defines the sizes for ipc_perm members
402 * as 2 bytes; BSM defines 4 so pad with 0
404 ADD_U_INT16(dptr, pad0);
405 ADD_U_INT16(dptr, perm->uid);
407 ADD_U_INT16(dptr, pad0);
408 ADD_U_INT16(dptr, perm->gid);
410 ADD_U_INT16(dptr, pad0);
411 ADD_U_INT16(dptr, perm->cuid);
413 ADD_U_INT16(dptr, pad0);
414 ADD_U_INT16(dptr, perm->cgid);
416 ADD_U_INT16(dptr, pad0);
417 ADD_U_INT16(dptr, perm->mode);
419 ADD_U_INT16(dptr, pad0);
420 ADD_U_INT16(dptr, perm->seq);
422 ADD_U_INT32(dptr, perm->key);
429 * port IP address 2 bytes
/*
 * Build an AUT_IPORT token: token ID followed by a 16-bit port.
 * NOTE(review): the port goes through ADD_U_INT16, whereas au_to_sock_inet32
 * copies its port with ADD_MEM on the stated assumption that it is already
 * in network byte order.  Confirm which byte order callers pass here.
 */
432 au_to_iport(u_int16_t iport)
437 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t));
439 ADD_U_CHAR(dptr, AUT_IPORT);
440 ADD_U_INT16(dptr, iport);
/*
 * Build an AUT_OPAQUE token: token ID, 16-bit byte count, then `bytes` bytes
 * copied from data.  The count is 16 bits wide, so the payload is capped at
 * 65535 bytes and the size expression cannot overflow.  data must reference
 * at least `bytes` readable bytes; the contents are recorded uninterpreted.
 */
451 au_to_opaque(char *data, u_int16_t bytes)
456 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + bytes);
458 ADD_U_CHAR(dptr, AUT_OPAQUE);
459 ADD_U_INT16(dptr, bytes);
460 ADD_MEM(dptr, data, bytes);
467 * seconds of time 4 bytes
468 * milliseconds of time 4 bytes
469 * file name len 2 bytes
470 * file pathname N bytes + 1 terminating NULL byte
/*
 * Build an AUT_OTHER_FILE32 token: token ID, seconds, milliseconds, 16-bit
 * name length, then the file name.  Local declarations and part of the
 * length computation are not shown in this listing.
 *
 * NOTE(review): tm.tv_sec is written as 32 bits; where time_t is wider the
 * timestamp is truncated.  The name length is stored in 16 bits, so a path
 * longer than 65535 bytes is truncated or recorded with a wrapped length,
 * depending on filelen's (unseen) type.  file must be non-NULL and
 * NUL-terminated.
 */
473 au_to_file(char *file, struct timeval tm)
480 filelen = strlen(file);
483 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int32_t) +
484 sizeof(u_int16_t) + filelen);
/* tv_usec is microseconds; the token carries milliseconds. */
486 timems = tm.tv_usec/1000;
488 ADD_U_CHAR(dptr, AUT_OTHER_FILE32);
489 ADD_U_INT32(dptr, tm.tv_sec);
490 ADD_U_INT32(dptr, timems); /* We need time in ms. */
491 ADD_U_INT16(dptr, filelen);
492 ADD_STRING(dptr, file, filelen);
499 * text length 2 bytes
500 * text N bytes + 1 terminating NULL byte
/*
 * Build an AUT_TEXT token: token ID, 16-bit text length, then the text.
 * Local declarations and part of the length computation are not shown.
 *
 * NOTE(review): the length field is 16 bits; text longer than 65535 bytes is
 * truncated or recorded with a wrapped length, depending on textlen's
 * (unseen) type.  text must be non-NULL and NUL-terminated.
 */
503 au_to_text(char *text)
509 textlen = strlen(text);
512 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + textlen);
514 ADD_U_CHAR(dptr, AUT_TEXT);
515 ADD_U_INT16(dptr, textlen);
516 ADD_STRING(dptr, text, textlen);
523 * path length 2 bytes
524 * path N bytes + 1 terminating NULL byte
/*
 * Build an AUT_PATH token: token ID, 16-bit path length, then the path.
 * Local declarations and part of the length computation are not shown.
 *
 * NOTE(review): the length field is 16 bits; a path longer than 65535 bytes
 * is truncated or recorded with a wrapped length, depending on textlen's
 * (unseen) type.  The path is recorded exactly as passed in; text must be
 * non-NULL and NUL-terminated.
 */
527 au_to_path(char *text)
533 textlen = strlen(text);
536 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + textlen);
538 ADD_U_CHAR(dptr, AUT_PATH);
539 ADD_U_INT16(dptr, textlen);
540 ADD_STRING(dptr, text, textlen);
548 * effective user ID 4 bytes
549 * effective group ID 4 bytes
550 * real user ID 4 bytes
551 * real group ID 4 bytes
555 * port ID 4 bytes/8 bytes (32-bit/64-bit value)
556 * machine address 4 bytes
/*
 * Build an AUT_PROCESS32 token: token ID, then audit ID, effective uid/gid,
 * real uid/gid, pid, session ID and terminal port as 32-bit fields, followed
 * by the 4-byte terminal machine address.  Nine 32-bit slots are allocated
 * and nine are written.  tid is dereferenced without a NULL check.
 */
559 au_to_process32(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
560 pid_t pid, au_asid_t sid, au_tid_t *tid)
565 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 9 * sizeof(u_int32_t));
567 ADD_U_CHAR(dptr, AUT_PROCESS32);
568 ADD_U_INT32(dptr, auid);
569 ADD_U_INT32(dptr, euid);
570 ADD_U_INT32(dptr, egid);
571 ADD_U_INT32(dptr, ruid);
572 ADD_U_INT32(dptr, rgid);
573 ADD_U_INT32(dptr, pid);
574 ADD_U_INT32(dptr, sid);
575 ADD_U_INT32(dptr, tid->port);
/* The machine address is copied byte for byte, unlike the fields above. */
576 ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t));
582 au_to_process64(__unused au_id_t auid, __unused uid_t euid,
583 __unused gid_t egid, __unused uid_t ruid, __unused gid_t rgid,
584 __unused pid_t pid, __unused au_asid_t sid, __unused au_tid_t *tid)
/*
 * Default process token: forwards to the 32-bit variant.
 * NOTE(review): every parameter is marked __unused although all of them are
 * passed on in the visible call; the annotation is misleading here.
 */
591 au_to_process(__unused au_id_t auid, __unused uid_t euid,
592 __unused gid_t egid, __unused uid_t ruid, __unused gid_t rgid,
593 __unused pid_t pid, __unused au_asid_t sid, __unused au_tid_t *tid)
596 return (au_to_process32(auid, euid, egid, ruid, rgid, pid, sid,
603 * effective user ID 4 bytes
604 * effective group ID 4 bytes
605 * real user ID 4 bytes
606 * real group ID 4 bytes
610 * port ID 4 bytes/8 bytes (32-bit/64-bit value)
611 * address type-len 4 bytes
612 * machine address 4/16 bytes
/*
 * Build an AUT_PROCESS32_EX token: the process fields of au_to_process32
 * plus an address type and a 4- or 16-byte terminal address.
 *
 * The buffer is sized for 13 32-bit words when at_type is AU_IPv6 and for 10
 * otherwise, and the writes follow the same test: ten words always, three
 * more address words for AU_IPv6.  Any at_type other than AU_IPv6 is
 * therefore recorded with a 4-byte address.  tid is dereferenced without a
 * NULL check.
 */
615 au_to_process32_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
616 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
621 if (tid->at_type == AU_IPv6)
622 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 13 *
625 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 10 *
628 ADD_U_CHAR(dptr, AUT_PROCESS32_EX);
629 ADD_U_INT32(dptr, auid);
630 ADD_U_INT32(dptr, euid);
631 ADD_U_INT32(dptr, egid);
632 ADD_U_INT32(dptr, ruid);
633 ADD_U_INT32(dptr, rgid);
634 ADD_U_INT32(dptr, pid);
635 ADD_U_INT32(dptr, sid);
636 ADD_U_INT32(dptr, tid->at_port);
637 ADD_U_INT32(dptr, tid->at_type);
638 ADD_U_INT32(dptr, tid->at_addr[0]);
/* Must stay the same test as the one that chose the allocation size. */
639 if (tid->at_type == AU_IPv6) {
640 ADD_U_INT32(dptr, tid->at_addr[1]);
641 ADD_U_INT32(dptr, tid->at_addr[2]);
642 ADD_U_INT32(dptr, tid->at_addr[3]);
648 au_to_process64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
649 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
/* Default extended process token: forwards to the 32-bit variant. */
656 au_to_process_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
657 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
660 return (au_to_process32_ex(auid, euid, egid, ruid, rgid, pid, sid,
666 * error status 1 byte
667 * return value 4 bytes/8 bytes (32-bit/64-bit value)
/*
 * Build an AUT_RETURN32 token: token ID, one-byte error status, 32-bit
 * return value.  The size expression matches the three writes.
 */
670 au_to_return32(char status, u_int32_t ret)
675 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int32_t));
677 ADD_U_CHAR(dptr, AUT_RETURN32);
678 ADD_U_CHAR(dptr, status);
679 ADD_U_INT32(dptr, ret);
/*
 * Build an AUT_RETURN64 token: token ID, one-byte error status, 64-bit
 * return value.  The size expression matches the three writes.
 */
685 au_to_return64(char status, u_int64_t ret)
690 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int64_t));
692 ADD_U_CHAR(dptr, AUT_RETURN64);
693 ADD_U_CHAR(dptr, status);
694 ADD_U_INT64(dptr, ret);
/* Default return token: forwards to the 32-bit variant. */
700 au_to_return(char status, u_int32_t ret)
703 return (au_to_return32(status, ret));
708 * sequence number 4 bytes
/*
 * Build an AUT_SEQ token: token ID followed by a 32-bit sequence number.
 * NOTE(review): audit_count is a long but is written as 32 bits; where long
 * is 64 bits the upper half is dropped and the recorded sequence wraps.
 */
711 au_to_seq(long audit_count)
716 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t));
718 ADD_U_CHAR(dptr, AUT_SEQ);
719 ADD_U_INT32(dptr, audit_count);
726 * socket type 2 bytes
728 * local Internet address 4 bytes
729 * remote port 2 bytes
730 * remote Internet address 4 bytes
733 au_to_socket(struct socket *so)
741 * Kernel-specific version of the above function.
/*
 * Build a socket token from a socket_au_info: token ID, socket type, local
 * port, local address, remote port, remote address.  The size expression
 * (1 + 2 * 2 + 4 + 2 + 4 = 15 bytes) matches the visible writes if each
 * ADD_* macro writes the width its name states.  soi is dereferenced without
 * a NULL check.
 * NOTE(review): ports and addresses go through ADD_U_INT16/ADD_U_INT32
 * rather than ADD_MEM; confirm the byte order in which socket_au_info holds
 * them.
 */
745 kau_to_socket(struct socket_au_info *soi)
751 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) +
752 sizeof(u_int32_t) + sizeof(u_int16_t) + sizeof(u_int32_t));
754 ADD_U_CHAR(dptr, AU_SOCK_TOKEN);
755 /* Coerce the socket type into a short value */
756 so_type = soi->so_type;
757 ADD_U_INT16(dptr, so_type);
758 ADD_U_INT16(dptr, soi->so_lport);
759 ADD_U_INT32(dptr, soi->so_laddr);
760 ADD_U_INT16(dptr, soi->so_rport);
761 ADD_U_INT32(dptr, soi->so_raddr);
769 * socket type 2 bytes
771 * address type/length 4 bytes
772 * local Internet address 4 bytes/16 bytes (IPv4/IPv6 address)
773 * remote port 4 bytes
774 * address type/length 4 bytes
775 * remote Internet address 4 bytes/16 bytes (IPv4/IPv6 address)
778 au_to_socket_ex_32(u_int16_t lp, u_int16_t rp, struct sockaddr *la,
786 au_to_socket_ex_128(u_int16_t lp, u_int16_t rp, struct sockaddr *la,
795 * socket family 2 bytes
/*
 * Build a UNIX-domain socket token: token ID, socket family, then the path
 * including its terminating NUL.  Three single bytes are allocated ahead of
 * the path but only two single-byte writes appear in this listing; the third
 * is presumably the pad byte that the "two bytes for family" remark refers
 * to, on a line not shown.
 *
 * NOTE(review): strlen() is applied to so->sun_path twice with no bound.
 * A sockaddr_un whose path fills sun_path need not be NUL-terminated, in
 * which case both the size and the copy run past the structure.  Presumably
 * callers guarantee termination -- verify, or bound the scan to
 * sizeof(so->sun_path).
 */
799 au_to_sock_unix(struct sockaddr_un *so)
804 GET_TOKEN_AREA(t, dptr, 3 * sizeof(u_char) + strlen(so->sun_path) + 1);
806 ADD_U_CHAR(dptr, AU_SOCK_UNIX_TOKEN);
807 /* BSM token has two bytes for family */
809 ADD_U_CHAR(dptr, so->sun_family);
810 ADD_STRING(dptr, so->sun_path, strlen(so->sun_path) + 1);
817 * socket family 2 bytes
819 * socket address 4 bytes
/*
 * Build an AUT_SOCKINET32 token: token ID, 16-bit family, 16-bit port,
 * 32-bit address.  The size expression is cut off in this listing, so it
 * cannot be checked against the writes here.  Port and address are copied
 * with ADD_MEM, i.e. byte for byte, per the byte-order assumption stated in
 * the original remark below; only the family goes through ADD_U_INT16.
 */
822 au_to_sock_inet32(struct sockaddr_in *so)
828 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(uint16_t) +
831 ADD_U_CHAR(dptr, AUT_SOCKINET32);
833 * BSM defines the family field as 16 bits, but many operating
834 * systems have an 8-bit sin_family field. Extend to 16 bits before
835 * writing into the token. Assume that both the port and the address
836 * in the sockaddr_in are already in network byte order, but family
837 * is in local byte order.
839 * XXXRW: Should a name space conversion be taking place on the value
842 family = so->sin_family;
843 ADD_U_INT16(dptr, family);
844 ADD_MEM(dptr, &so->sin_port, sizeof(uint16_t));
845 ADD_MEM(dptr, &so->sin_addr.s_addr, sizeof(uint32_t));
/*
 * Build an AUT_SOCKINET128 token: token ID, two-byte family, 16-bit port,
 * 16-byte IPv6 address.  The buffer is 3 + 2 + 16 = 21 bytes; the visible
 * writes total 20, and the remaining byte is presumably the zero pad the
 * remark below mentions, on a line not shown in this listing.
 *
 * NOTE(review): au_to_sock_inet32 copies its port with ADD_MEM on the stated
 * assumption that it is already in network byte order, but sin6_port goes
 * through ADD_U_INT16 here.  If that macro converts from host order, the
 * port is recorded byte-swapped on little-endian hosts -- confirm and make
 * the two functions agree.
 */
852 au_to_sock_inet128(struct sockaddr_in6 *so)
857 GET_TOKEN_AREA(t, dptr, 3 * sizeof(u_char) + sizeof(u_int16_t) +
858 4 * sizeof(u_int32_t));
860 ADD_U_CHAR(dptr, AUT_SOCKINET128);
862 * In Darwin, sin6_family is one octet, but BSM defines the token
863 * to store two. So we copy in a 0 first.
866 ADD_U_CHAR(dptr, so->sin6_family);
868 ADD_U_INT16(dptr, so->sin6_port);
869 ADD_MEM(dptr, &so->sin6_addr, 4 * sizeof(uint32_t));
/* Default Internet socket token: forwards to the 32-bit (IPv4) variant. */
876 au_to_sock_inet(struct sockaddr_in *so)
879 return (au_to_sock_inet32(so));
885 * effective user ID 4 bytes
886 * effective group ID 4 bytes
887 * real user ID 4 bytes
888 * real group ID 4 bytes
892 * port ID 4 bytes/8 bytes (32-bit/64-bit value)
893 * machine address 4 bytes
/*
 * Build an AUT_SUBJECT32 token: token ID, then audit ID, effective uid/gid,
 * real uid/gid, pid, session ID and terminal port as 32-bit fields, followed
 * by the 4-byte terminal machine address.  Nine 32-bit slots are allocated
 * and nine are written.  tid is dereferenced without a NULL check.
 */
896 au_to_subject32(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
897 pid_t pid, au_asid_t sid, au_tid_t *tid)
902 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 9 * sizeof(u_int32_t));
904 ADD_U_CHAR(dptr, AUT_SUBJECT32);
905 ADD_U_INT32(dptr, auid);
906 ADD_U_INT32(dptr, euid);
907 ADD_U_INT32(dptr, egid);
908 ADD_U_INT32(dptr, ruid);
909 ADD_U_INT32(dptr, rgid);
910 ADD_U_INT32(dptr, pid);
911 ADD_U_INT32(dptr, sid);
912 ADD_U_INT32(dptr, tid->port);
/* The machine address is copied byte for byte, unlike the fields above. */
913 ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t));
919 au_to_subject64(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
920 pid_t pid, au_asid_t sid, au_tid_t *tid)
/* Default subject token: forwards to the 32-bit variant. */
927 au_to_subject(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
928 pid_t pid, au_asid_t sid, au_tid_t *tid)
931 return (au_to_subject32(auid, euid, egid, ruid, rgid, pid, sid,
938 * effective user ID 4 bytes
939 * effective group ID 4 bytes
940 * real user ID 4 bytes
941 * real group ID 4 bytes
945 * port ID 4 bytes/8 bytes (32-bit/64-bit value)
946 * address type/length 4 bytes
947 * machine address 4/16 bytes
/*
 * Build an AUT_SUBJECT32_EX token: the subject fields of au_to_subject32
 * plus an address type and a 4- or 16-byte terminal address.
 *
 * The buffer is sized for 13 32-bit words when at_type is AU_IPv6 and for 10
 * otherwise, and the writes follow the same test: ten words always, three
 * more address words for AU_IPv6.  Any at_type other than AU_IPv6 is
 * therefore recorded with a 4-byte address.  tid is dereferenced without a
 * NULL check.
 */
950 au_to_subject32_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
951 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
956 if (tid->at_type == AU_IPv6)
957 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 13 *
960 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 10 *
963 ADD_U_CHAR(dptr, AUT_SUBJECT32_EX);
964 ADD_U_INT32(dptr, auid);
965 ADD_U_INT32(dptr, euid);
966 ADD_U_INT32(dptr, egid);
967 ADD_U_INT32(dptr, ruid);
968 ADD_U_INT32(dptr, rgid);
969 ADD_U_INT32(dptr, pid);
970 ADD_U_INT32(dptr, sid);
971 ADD_U_INT32(dptr, tid->at_port);
972 ADD_U_INT32(dptr, tid->at_type);
973 ADD_U_INT32(dptr, tid->at_addr[0]);
/* Must stay the same test as the one that chose the allocation size. */
974 if (tid->at_type == AU_IPv6) {
975 ADD_U_INT32(dptr, tid->at_addr[1]);
976 ADD_U_INT32(dptr, tid->at_addr[2]);
977 ADD_U_INT32(dptr, tid->at_addr[3]);
983 au_to_subject64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
984 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
/* Default extended subject token: forwards to the 32-bit variant. */
991 au_to_subject_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
992 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
995 return (au_to_subject32_ex(auid, euid, egid, ruid, rgid, pid, sid,
999 #if !defined(_KERNEL) && !defined(KERNEL) && defined(HAVE_AUDIT_SYSCALLS)
1001 * Collects audit information for the current process
1002 * and creates a subject token from it
1009 if (getaudit(&auinfo) != 0)
1012 return (au_to_subject32(auinfo.ai_auid, geteuid(), getegid(),
1013 getuid(), getgid(), getpid(), auinfo.ai_asid, &auinfo.ai_termid));
1017 #if defined(_KERNEL) || defined(KERNEL)
/*
 * Kernel-only helper: build an exec token of the given type from `count`
 * NUL-terminated strings laid end to end in strs.  The token is the type
 * byte, the 32-bit count, then totlen bytes copied from strs.  The loop that
 * accumulates totlen is only partly shown in this listing.
 *
 * NOTE(review): count comes from the caller and, as far as the visible lines
 * show, decides how many strings strlen() is applied to.  If it exceeds the
 * strings actually present in strs, the walk runs past the buffer and the
 * extra bytes are copied into the audit record.  Presumably the exec path
 * that builds strs guarantees the two agree -- verify at the call site.
 * count is an int written as 32 bits; no rejection of a negative value is
 * visible.
 */
1019 au_to_exec_strings(char *strs, int count, u_char type)
1022 u_char *dptr = NULL;
1031 totlen += strlen(p) + 1;
1034 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + totlen);
1035 ADD_U_CHAR(dptr, type);
1036 ADD_U_INT32(dptr, count);
1037 ADD_STRING(dptr, strs, totlen);
1045 * text count null-terminated strings
/*
 * Kernel variant: exec-arguments token from argc packed strings; forwards to
 * au_to_exec_strings with AUT_EXEC_ARGS.  args and argc must describe the
 * same buffer, since the helper trusts argc.
 */
1048 au_to_exec_args(char *args, int argc)
1051 return (au_to_exec_strings(args, argc, AUT_EXEC_ARGS));
1057 * text count null-terminated strings
/*
 * Kernel variant: exec-environment token from envc packed strings; forwards
 * to au_to_exec_strings with AUT_EXEC_ENV.  envs and envc must describe the
 * same buffer, since the helper trusts envc.
 */
1060 au_to_exec_env(char *envs, int envc)
1063 return (au_to_exec_strings(envs, envc, AUT_EXEC_ENV));
1069 * text count null-terminated strings
/*
 * Vector variant: build an AUT_EXEC_ARGS token from a NULL-terminated argv.
 * A first pass counts the strings and sums their lengths; a second pass
 * copies each string with its terminating NUL.  Parts of the first loop are
 * not shown in this listing.
 *
 * NOTE(review): each terminator is counted twice -- once as the `+ 1` inside
 * the loop and again by `count * sizeof(char)` -- so the buffer is `count`
 * bytes larger than what the copy loop writes.  That is an over-allocation,
 * not an overflow, but if the token length is taken from the requested size
 * the record carries `count` surplus bytes after the last string; confirm
 * that the GET_TOKEN_AREA in effect zeroes them and how readers treat them.
 * argv must be NULL-terminated; the walk has no other bound.
 */
1072 au_to_exec_args(char **argv)
1075 u_char *dptr = NULL;
1076 const char *nextarg;
1082 while (nextarg != NULL) {
1085 nextlen = strlen(nextarg);
1086 totlen += nextlen + 1;
1088 nextarg = *(argv + count);
1091 totlen += count * sizeof(char); /* nul terminations. */
1092 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + totlen);
1094 ADD_U_CHAR(dptr, AUT_EXEC_ARGS);
1095 ADD_U_INT32(dptr, count);
/* Second pass: lengths are recomputed, so the strings must not change in between. */
1097 for (i = 0; i < count; i++) {
1098 nextarg = *(argv + i);
1099 ADD_MEM(dptr, nextarg, strlen(nextarg) + 1);
1108 * text count null-terminated strings
/*
 * Vector variant: build an AUT_EXEC_ENV token from a NULL-terminated envp.
 * A first pass counts the strings and sums their lengths; a second pass
 * copies each string with its terminating NUL.  Parts of the first loop are
 * not shown in this listing.
 *
 * NOTE(review): each terminator is counted twice -- once as the `+ 1` inside
 * the loop and again by `sizeof(char) * count` -- so the buffer is `count`
 * bytes larger than what the copy loop writes.  That is an over-allocation,
 * not an overflow, but if the token length is taken from the requested size
 * the record carries `count` surplus bytes after the last string; confirm
 * that the GET_TOKEN_AREA in effect zeroes them and how readers treat them.
 * envp must be NULL-terminated; the walk has no other bound.  Environment
 * strings are recorded verbatim, so any secrets held in the environment end
 * up in the audit trail.
 */
1111 au_to_exec_env(char **envp)
1114 u_char *dptr = NULL;
1117 const char *nextenv;
1121 while (nextenv != NULL) {
1124 nextlen = strlen(nextenv);
1125 totlen += nextlen + 1;
1127 nextenv = *(envp + count);
1130 totlen += sizeof(char) * count;
1131 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + totlen);
1133 ADD_U_CHAR(dptr, AUT_EXEC_ENV);
1134 ADD_U_INT32(dptr, count);
/* Second pass: lengths are recomputed, so the strings must not change in between. */
1136 for (i = 0; i < count; i++) {
1137 nextenv = *(envp + i);
1138 ADD_MEM(dptr, nextenv, strlen(nextenv) + 1);
1147 * record byte count 4 bytes
1148 * version # 1 byte [2]
1149 * event type 2 bytes
1150 * event modifier 2 bytes
1151 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value)
1152 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value)
/*
 * Build an AUT_HEADER32 token: token ID, 32-bit record size, version byte,
 * 16-bit event type, 16-bit event modifier, then seconds and milliseconds as
 * 32-bit fields.  The size expression (1 + 4 + 1 + 2 * 2 + 2 * 4 = 18
 * bytes) matches the visible writes if each ADD_* macro writes the width its
 * name states.  The end of the parameter list is cut off in this listing.
 *
 * NOTE(review): tm.tv_sec is written as 32 bits; where time_t is wider the
 * record timestamp is truncated.  rec_size is a signed int supplied by the
 * caller and is recorded as given.
 */
1155 au_to_header32_tm(int rec_size, au_event_t e_type, au_emod_t e_mod,
1159 u_char *dptr = NULL;
1162 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) +
1163 sizeof(u_char) + 2 * sizeof(u_int16_t) + 2 * sizeof(u_int32_t));
1165 ADD_U_CHAR(dptr, AUT_HEADER32);
1166 ADD_U_INT32(dptr, rec_size);
1167 ADD_U_CHAR(dptr, AUDIT_HEADER_VERSION_OPENBSM);
1168 ADD_U_INT16(dptr, e_type);
1169 ADD_U_INT16(dptr, e_mod);
/* tv_usec is microseconds; the token carries milliseconds. */
1171 timems = tm.tv_usec/1000;
1172 /* Add the timestamp */
1173 ADD_U_INT32(dptr, tm.tv_sec);
1174 ADD_U_INT32(dptr, timems); /* We need time in ms. */
1181 * trailer magic number 2 bytes
1182 * record byte count 4 bytes
/*
 * Build an AUT_TRAILER token: token ID, 16-bit TRAILER_PAD_MAGIC, 32-bit
 * record size.  The size expression is cut off in this listing, so it cannot
 * be checked against the writes here.  rec_size is supplied by the caller;
 * presumably it must equal the value placed in the record header -- verify
 * at the call site.
 */
1185 au_to_trailer(int rec_size)
1188 u_char *dptr = NULL;
1189 u_int16_t magic = TRAILER_PAD_MAGIC;
1191 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) +
1194 ADD_U_CHAR(dptr, AUT_TRAILER);
1195 ADD_U_INT16(dptr, magic);
1196 ADD_U_INT32(dptr, rec_size);