2 * Copyright (c) 2004-2008 Apple Inc.
3 * Copyright (c) 2005 SPARTA, Inc.
6 * This code was developed in part by Robert N. M. Watson, Senior Principal
7 * Scientist, SPARTA, Inc.
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of Apple Inc. ("Apple") nor the names of
18 * its contributors may be used to endorse or promote products derived
19 * from this software without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
25 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
29 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
30 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
31 * POSSIBILITY OF SUCH DAMAGE.
33 * P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_token.c#72
36 #include <sys/cdefs.h>
37 __FBSDID("$FreeBSD$");
39 #include <sys/types.h>
40 #include <sys/endian.h>
41 #include <sys/queue.h>
42 #include <sys/socket.h>
46 #include <sys/libkern.h>
47 #include <sys/malloc.h>
50 #include <netinet/in.h>
51 #include <netinet/in_systm.h>
52 #include <netinet/ip.h>
55 #include <bsm/audit.h>
56 #include <bsm/audit_internal.h>
57 #include <bsm/audit_record.h>
58 #include <security/audit/audit.h>
59 #include <security/audit/audit_private.h>
61 #define GET_TOKEN_AREA(t, dptr, length) do { \
62 t = malloc(sizeof(token_t), M_AUDITBSM, M_WAITOK); \
63 t->t_data = malloc(length, M_AUDITBSM, M_WAITOK | M_ZERO); \
71 * argument value 4 bytes/8 bytes (32-bit/64-bit value)
73 * text N bytes + 1 terminating NULL byte
76 au_to_arg32(char n, const char *text, u_int32_t v)
82 textlen = strlen(text);
85 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int32_t) +
86 sizeof(u_int16_t) + textlen);
88 ADD_U_CHAR(dptr, AUT_ARG32);
91 ADD_U_INT16(dptr, textlen);
92 ADD_STRING(dptr, text, textlen);
98 au_to_arg64(char n, const char *text, u_int64_t v)
104 textlen = strlen(text);
107 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int64_t) +
108 sizeof(u_int16_t) + textlen);
110 ADD_U_CHAR(dptr, AUT_ARG64);
112 ADD_U_INT64(dptr, v);
113 ADD_U_INT16(dptr, textlen);
114 ADD_STRING(dptr, text, textlen);
120 au_to_arg(char n, const char *text, u_int32_t v)
123 return (au_to_arg32(n, text, v));
126 #if defined(_KERNEL) || defined(KERNEL)
129 * file access mode 4 bytes
130 * owner user ID 4 bytes
131 * owner group ID 4 bytes
132 * file system ID 4 bytes
134 * device 4 bytes/8 bytes (32-bit/64-bit)
137 au_to_attr32(struct vnode_au_info *vni)
141 u_int16_t pad0_16 = 0;
142 u_int16_t pad0_32 = 0;
144 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) +
145 3 * sizeof(u_int32_t) + sizeof(u_int64_t) + sizeof(u_int32_t));
147 ADD_U_CHAR(dptr, AUT_ATTR32);
150 * BSD defines the size for the file mode as 2 bytes; BSM defines 4
153 * XXXRW: Possibly should be conditionally compiled.
155 * XXXRW: Should any conversions take place on the mode?
157 ADD_U_INT16(dptr, pad0_16);
158 ADD_U_INT16(dptr, vni->vn_mode);
160 ADD_U_INT32(dptr, vni->vn_uid);
161 ADD_U_INT32(dptr, vni->vn_gid);
162 ADD_U_INT32(dptr, vni->vn_fsid);
165 * Some systems use 32-bit file ID's, others use 64-bit file IDs.
166 * Attempt to handle both, and let the compiler sort it out. If we
167 * could pick this out at compile-time, it would be better, so as to
168 * avoid the else case below.
170 if (sizeof(vni->vn_fileid) == sizeof(uint32_t)) {
171 ADD_U_INT32(dptr, pad0_32);
172 ADD_U_INT32(dptr, vni->vn_fileid);
173 } else if (sizeof(vni->vn_fileid) == sizeof(uint64_t))
174 ADD_U_INT64(dptr, vni->vn_fileid);
176 ADD_U_INT64(dptr, 0LL);
178 ADD_U_INT32(dptr, vni->vn_dev);
184 au_to_attr64(struct vnode_au_info *vni)
188 u_int16_t pad0_16 = 0;
189 u_int16_t pad0_32 = 0;
191 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) +
192 3 * sizeof(u_int32_t) + sizeof(u_int64_t) * 2);
194 ADD_U_CHAR(dptr, AUT_ATTR64);
197 * BSD defines the size for the file mode as 2 bytes; BSM defines 4
200 * XXXRW: Possibly should be conditionally compiled.
202 * XXXRW: Should any conversions take place on the mode?
204 ADD_U_INT16(dptr, pad0_16);
205 ADD_U_INT16(dptr, vni->vn_mode);
207 ADD_U_INT32(dptr, vni->vn_uid);
208 ADD_U_INT32(dptr, vni->vn_gid);
209 ADD_U_INT32(dptr, vni->vn_fsid);
212 * Some systems use 32-bit file ID's, other's use 64-bit file IDs.
213 * Attempt to handle both, and let the compiler sort it out. If we
214 * could pick this out at compile-time, it would be better, so as to
215 * avoid the else case below.
217 if (sizeof(vni->vn_fileid) == sizeof(uint32_t)) {
218 ADD_U_INT32(dptr, pad0_32);
219 ADD_U_INT32(dptr, vni->vn_fileid);
220 } else if (sizeof(vni->vn_fileid) == sizeof(uint64_t))
221 ADD_U_INT64(dptr, vni->vn_fileid);
223 ADD_U_INT64(dptr, 0LL);
225 ADD_U_INT64(dptr, vni->vn_dev);
231 au_to_attr(struct vnode_au_info *vni)
234 return (au_to_attr32(vni));
236 #endif /* !(defined(_KERNEL) || defined(KERNEL) */
240 * how to print 1 byte
243 * data items (depends on basic unit)
246 au_to_data(char unit_print, char unit_type, char unit_count, const char *p)
250 size_t datasize, totdata;
252 /* Determine the size of the basic unit. */
256 datasize = AUR_BYTE_SIZE;
260 datasize = AUR_SHORT_SIZE;
265 datasize = AUR_INT32_SIZE;
269 datasize = AUR_INT64_SIZE;
276 totdata = datasize * unit_count;
278 GET_TOKEN_AREA(t, dptr, 4 * sizeof(u_char) + totdata);
281 * XXXRW: We should be byte-swapping each data item for multi-byte
284 ADD_U_CHAR(dptr, AUT_DATA);
285 ADD_U_CHAR(dptr, unit_print);
286 ADD_U_CHAR(dptr, unit_type);
287 ADD_U_CHAR(dptr, unit_count);
288 ADD_MEM(dptr, p, totdata);
297 * return value 4 bytes
300 au_to_exit(int retval, int err)
305 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int32_t));
307 ADD_U_CHAR(dptr, AUT_EXIT);
308 ADD_U_INT32(dptr, err);
309 ADD_U_INT32(dptr, retval);
317 au_to_groups(int *groups)
320 return (au_to_newgroups(AUDIT_MAX_GROUPS, (gid_t *)groups));
325 * number groups 2 bytes
326 * group list count * 4 bytes
329 au_to_newgroups(u_int16_t n, gid_t *groups)
335 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) +
336 n * sizeof(u_int32_t));
338 ADD_U_CHAR(dptr, AUT_NEWGROUPS);
339 ADD_U_INT16(dptr, n);
340 for (i = 0; i < n; i++)
341 ADD_U_INT32(dptr, groups[i]);
348 * internet address 4 bytes
351 au_to_in_addr(struct in_addr *internet_addr)
356 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(uint32_t));
358 ADD_U_CHAR(dptr, AUT_IN_ADDR);
359 ADD_MEM(dptr, &internet_addr->s_addr, sizeof(uint32_t));
366 * address type/length 4 bytes
370 au_to_in_addr_ex(struct in6_addr *internet_addr)
374 u_int32_t type = AU_IPv6;
376 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 5 * sizeof(uint32_t));
378 ADD_U_CHAR(dptr, AUT_IN_ADDR_EX);
379 ADD_U_INT32(dptr, type);
380 ADD_MEM(dptr, internet_addr, 4 * sizeof(uint32_t));
389 * The IP header should be submitted in network byte order.
392 au_to_ip(struct ip *ip)
397 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(struct ip));
399 ADD_U_CHAR(dptr, AUT_IP);
400 ADD_MEM(dptr, ip, sizeof(struct ip));
407 * object ID type 1 byte
411 au_to_ipc(char type, int id)
416 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int32_t));
418 ADD_U_CHAR(dptr, AUT_IPC);
419 ADD_U_CHAR(dptr, type);
420 ADD_U_INT32(dptr, id);
427 * owner user ID 4 bytes
428 * owner group ID 4 bytes
429 * creator user ID 4 bytes
430 * creator group ID 4 bytes
431 * access mode 4 bytes
432 * slot sequence # 4 bytes
436 au_to_ipc_perm(struct ipc_perm *perm)
442 GET_TOKEN_AREA(t, dptr, 12 * sizeof(u_int16_t) + sizeof(u_int32_t));
444 ADD_U_CHAR(dptr, AUT_IPC_PERM);
447 * Systems vary significantly in what types they use in struct
448 * ipc_perm; at least a few still use 16-bit uid's and gid's, so
449 * allow for that, as BSM define 32-bit values here.
450 * Some systems define the sizes for ipc_perm members as 2 bytes;
451 * BSM defines 4 so pad with 0.
453 * XXXRW: Possibly shoulid be conditionally compiled, and more cases
454 * need to be handled.
456 if (sizeof(perm->uid) != sizeof(u_int32_t)) {
457 ADD_U_INT16(dptr, pad0);
458 ADD_U_INT16(dptr, perm->uid);
459 ADD_U_INT16(dptr, pad0);
460 ADD_U_INT16(dptr, perm->gid);
461 ADD_U_INT16(dptr, pad0);
462 ADD_U_INT16(dptr, perm->cuid);
463 ADD_U_INT16(dptr, pad0);
464 ADD_U_INT16(dptr, perm->cgid);
466 ADD_U_INT32(dptr, perm->uid);
467 ADD_U_INT32(dptr, perm->gid);
468 ADD_U_INT32(dptr, perm->cuid);
469 ADD_U_INT32(dptr, perm->cgid);
472 ADD_U_INT16(dptr, pad0);
473 ADD_U_INT16(dptr, perm->mode);
475 ADD_U_INT16(dptr, pad0);
477 ADD_U_INT16(dptr, perm->seq);
479 ADD_U_INT32(dptr, perm->key);
486 * port IP address 2 bytes
489 au_to_iport(u_int16_t iport)
494 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t));
496 ADD_U_CHAR(dptr, AUT_IPORT);
497 ADD_U_INT16(dptr, iport);
508 au_to_opaque(const char *data, u_int16_t bytes)
513 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + bytes);
515 ADD_U_CHAR(dptr, AUT_OPAQUE);
516 ADD_U_INT16(dptr, bytes);
517 ADD_MEM(dptr, data, bytes);
524 * seconds of time 4 bytes
525 * milliseconds of time 4 bytes
526 * file name len 2 bytes
527 * file pathname N bytes + 1 terminating NULL byte
530 au_to_file(const char *file, struct timeval tm)
537 filelen = strlen(file);
540 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int32_t) +
541 sizeof(u_int16_t) + filelen);
543 timems = tm.tv_usec/1000;
545 ADD_U_CHAR(dptr, AUT_OTHER_FILE32);
546 ADD_U_INT32(dptr, tm.tv_sec);
547 ADD_U_INT32(dptr, timems); /* We need time in ms. */
548 ADD_U_INT16(dptr, filelen);
549 ADD_STRING(dptr, file, filelen);
556 * text length 2 bytes
557 * text N bytes + 1 terminating NULL byte
560 au_to_text(const char *text)
566 textlen = strlen(text);
569 /* XXXRW: Should validate length against token size limit. */
571 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + textlen);
573 ADD_U_CHAR(dptr, AUT_TEXT);
574 ADD_U_INT16(dptr, textlen);
575 ADD_STRING(dptr, text, textlen);
582 * path length 2 bytes
583 * path N bytes + 1 terminating NULL byte
586 au_to_path(const char *text)
592 textlen = strlen(text);
595 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + textlen);
597 ADD_U_CHAR(dptr, AUT_PATH);
598 ADD_U_INT16(dptr, textlen);
599 ADD_STRING(dptr, text, textlen);
607 * effective user ID 4 bytes
608 * effective group ID 4 bytes
609 * real user ID 4 bytes
610 * real group ID 4 bytes
614 * port ID 4 bytes/8 bytes (32-bit/64-bit value)
615 * machine address 4 bytes
618 au_to_process32(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
619 pid_t pid, au_asid_t sid, au_tid_t *tid)
624 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 9 * sizeof(u_int32_t));
626 ADD_U_CHAR(dptr, AUT_PROCESS32);
627 ADD_U_INT32(dptr, auid);
628 ADD_U_INT32(dptr, euid);
629 ADD_U_INT32(dptr, egid);
630 ADD_U_INT32(dptr, ruid);
631 ADD_U_INT32(dptr, rgid);
632 ADD_U_INT32(dptr, pid);
633 ADD_U_INT32(dptr, sid);
634 ADD_U_INT32(dptr, tid->port);
637 * Note: Solaris will write out IPv6 addresses here as a 32-bit
638 * address type and 16 bytes of address, but for IPv4 addresses it
639 * simply writes the 4-byte address directly. We support only IPv4
640 * addresses for process32 tokens.
642 ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t));
648 au_to_process64(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
649 pid_t pid, au_asid_t sid, au_tid_t *tid)
654 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 8 * sizeof(u_int32_t) +
657 ADD_U_CHAR(dptr, AUT_PROCESS64);
658 ADD_U_INT32(dptr, auid);
659 ADD_U_INT32(dptr, euid);
660 ADD_U_INT32(dptr, egid);
661 ADD_U_INT32(dptr, ruid);
662 ADD_U_INT32(dptr, rgid);
663 ADD_U_INT32(dptr, pid);
664 ADD_U_INT32(dptr, sid);
665 ADD_U_INT64(dptr, tid->port);
668 * Note: Solaris will write out IPv6 addresses here as a 32-bit
669 * address type and 16 bytes of address, but for IPv4 addresses it
670 * simply writes the 4-byte address directly. We support only IPv4
671 * addresses for process64 tokens.
673 ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t));
679 au_to_process(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
680 pid_t pid, au_asid_t sid, au_tid_t *tid)
683 return (au_to_process32(auid, euid, egid, ruid, rgid, pid, sid,
690 * effective user ID 4 bytes
691 * effective group ID 4 bytes
692 * real user ID 4 bytes
693 * real group ID 4 bytes
697 * port ID 4 bytes/8 bytes (32-bit/64-bit value)
698 * address type-len 4 bytes
699 * machine address 16 bytes
702 au_to_process32_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
703 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
708 KASSERT((tid->at_type == AU_IPv4) || (tid->at_type == AU_IPv6),
709 ("au_to_process32_ex: type %u", (unsigned int)tid->at_type));
710 if (tid->at_type == AU_IPv4)
711 GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
712 10 * sizeof(u_int32_t));
714 GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
715 13 * sizeof(u_int32_t));
717 ADD_U_CHAR(dptr, AUT_PROCESS32_EX);
718 ADD_U_INT32(dptr, auid);
719 ADD_U_INT32(dptr, euid);
720 ADD_U_INT32(dptr, egid);
721 ADD_U_INT32(dptr, ruid);
722 ADD_U_INT32(dptr, rgid);
723 ADD_U_INT32(dptr, pid);
724 ADD_U_INT32(dptr, sid);
725 ADD_U_INT32(dptr, tid->at_port);
726 ADD_U_INT32(dptr, tid->at_type);
727 ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t));
728 if (tid->at_type == AU_IPv6) {
729 ADD_MEM(dptr, &tid->at_addr[1], sizeof(u_int32_t));
730 ADD_MEM(dptr, &tid->at_addr[2], sizeof(u_int32_t));
731 ADD_MEM(dptr, &tid->at_addr[3], sizeof(u_int32_t));
738 au_to_process64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
739 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
744 if (tid->at_type == AU_IPv4)
745 GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
746 7 * sizeof(u_int32_t) + sizeof(u_int64_t) +
747 2 * sizeof(u_int32_t));
748 else if (tid->at_type == AU_IPv6)
749 GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
750 7 * sizeof(u_int32_t) + sizeof(u_int64_t) +
751 5 * sizeof(u_int32_t));
753 panic("au_to_process64_ex: invalidate at_type (%d)",
756 ADD_U_CHAR(dptr, AUT_PROCESS64_EX);
757 ADD_U_INT32(dptr, auid);
758 ADD_U_INT32(dptr, euid);
759 ADD_U_INT32(dptr, egid);
760 ADD_U_INT32(dptr, ruid);
761 ADD_U_INT32(dptr, rgid);
762 ADD_U_INT32(dptr, pid);
763 ADD_U_INT32(dptr, sid);
764 ADD_U_INT64(dptr, tid->at_port);
765 ADD_U_INT32(dptr, tid->at_type);
766 ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t));
767 if (tid->at_type == AU_IPv6) {
768 ADD_MEM(dptr, &tid->at_addr[1], sizeof(u_int32_t));
769 ADD_MEM(dptr, &tid->at_addr[2], sizeof(u_int32_t));
770 ADD_MEM(dptr, &tid->at_addr[3], sizeof(u_int32_t));
777 au_to_process_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
778 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
781 return (au_to_process32_ex(auid, euid, egid, ruid, rgid, pid, sid,
787 * error status 1 byte
788 * return value 4 bytes/8 bytes (32-bit/64-bit value)
791 au_to_return32(char status, u_int32_t ret)
796 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int32_t));
798 ADD_U_CHAR(dptr, AUT_RETURN32);
799 ADD_U_CHAR(dptr, status);
800 ADD_U_INT32(dptr, ret);
806 au_to_return64(char status, u_int64_t ret)
811 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int64_t));
813 ADD_U_CHAR(dptr, AUT_RETURN64);
814 ADD_U_CHAR(dptr, status);
815 ADD_U_INT64(dptr, ret);
821 au_to_return(char status, u_int32_t ret)
824 return (au_to_return32(status, ret));
829 * sequence number 4 bytes
832 au_to_seq(long audit_count)
837 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t));
839 ADD_U_CHAR(dptr, AUT_SEQ);
840 ADD_U_INT32(dptr, audit_count);
847 * socket domain 2 bytes
848 * socket type 2 bytes
849 * address type 2 byte
851 * local address 4 bytes/16 bytes (IPv4/IPv6 address)
852 * remote port 2 bytes
853 * remote address 4 bytes/16 bytes (IPv4/IPv6 address)
855 * Domain and type arguments to this routine are assumed to already have been
856 * converted to the BSM constant space, so we don't do that here.
859 au_to_socket_ex(u_short so_domain, u_short so_type,
860 struct sockaddr *sa_local, struct sockaddr *sa_remote)
864 struct sockaddr_in *sin;
865 struct sockaddr_in6 *sin6;
867 if (so_domain == AF_INET)
868 GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
869 5 * sizeof(u_int16_t) + 2 * sizeof(u_int32_t));
870 else if (so_domain == AF_INET6)
871 GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
872 5 * sizeof(u_int16_t) + 16 * sizeof(u_int32_t));
876 ADD_U_CHAR(dptr, AUT_SOCKET_EX);
877 ADD_U_INT16(dptr, so_domain); /* XXXRW: explicitly convert? */
878 ADD_U_INT16(dptr, so_type); /* XXXRW: explicitly convert? */
879 if (so_domain == AF_INET) {
880 ADD_U_INT16(dptr, AU_IPv4);
881 sin = (struct sockaddr_in *)sa_local;
882 ADD_MEM(dptr, &sin->sin_port, sizeof(uint16_t));
883 ADD_MEM(dptr, &sin->sin_addr.s_addr, sizeof(uint32_t));
884 sin = (struct sockaddr_in *)sa_remote;
885 ADD_MEM(dptr, &sin->sin_port, sizeof(uint16_t));
886 ADD_MEM(dptr, &sin->sin_addr.s_addr, sizeof(uint32_t));
888 ADD_U_INT16(dptr, AU_IPv6);
889 sin6 = (struct sockaddr_in6 *)sa_local;
890 ADD_MEM(dptr, &sin6->sin6_port, sizeof(uint16_t));
891 ADD_MEM(dptr, &sin6->sin6_addr, 4 * sizeof(uint32_t));
892 sin6 = (struct sockaddr_in6 *)sa_remote;
893 ADD_MEM(dptr, &sin6->sin6_port, sizeof(uint16_t));
894 ADD_MEM(dptr, &sin6->sin6_addr, 4 * sizeof(uint32_t));
901 * Kernel-specific version of the above function.
903 * XXXRW: Should now use au_to_socket_ex() here.
907 kau_to_socket(struct socket_au_info *soi)
913 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) +
914 sizeof(u_int32_t) + sizeof(u_int16_t) + sizeof(u_int32_t));
916 ADD_U_CHAR(dptr, AUT_SOCKET);
917 /* Coerce the socket type into a short value */
918 so_type = soi->so_type;
919 ADD_U_INT16(dptr, so_type);
920 ADD_U_INT16(dptr, soi->so_lport);
921 ADD_U_INT32(dptr, soi->so_laddr);
922 ADD_U_INT16(dptr, soi->so_rport);
923 ADD_U_INT32(dptr, soi->so_raddr);
931 * socket family 2 bytes
935 au_to_sock_unix(struct sockaddr_un *so)
940 GET_TOKEN_AREA(t, dptr, 3 * sizeof(u_char) + strlen(so->sun_path) + 1);
942 ADD_U_CHAR(dptr, AUT_SOCKUNIX);
943 /* BSM token has two bytes for family */
945 ADD_U_CHAR(dptr, so->sun_family);
946 ADD_STRING(dptr, so->sun_path, strlen(so->sun_path) + 1);
953 * socket family 2 bytes
955 * socket address 4 bytes
958 au_to_sock_inet32(struct sockaddr_in *so)
964 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(uint16_t) +
967 ADD_U_CHAR(dptr, AUT_SOCKINET32);
969 * BSM defines the family field as 16 bits, but many operating
970 * systems have an 8-bit sin_family field. Extend to 16 bits before
971 * writing into the token. Assume that both the port and the address
972 * in the sockaddr_in are already in network byte order, but family
973 * is in local byte order.
975 * XXXRW: Should a name space conversion be taking place on the value
978 family = so->sin_family;
979 ADD_U_INT16(dptr, family);
980 ADD_MEM(dptr, &so->sin_port, sizeof(uint16_t));
981 ADD_MEM(dptr, &so->sin_addr.s_addr, sizeof(uint32_t));
987 au_to_sock_inet128(struct sockaddr_in6 *so)
992 GET_TOKEN_AREA(t, dptr, 3 * sizeof(u_char) + sizeof(u_int16_t) +
993 4 * sizeof(u_int32_t));
995 ADD_U_CHAR(dptr, AUT_SOCKINET128);
997 * In BSD, sin6_family is one octet, but BSM defines the token to
998 * store two. So we copy in a 0 first. XXXRW: Possibly should be
999 * conditionally compiled.
1001 ADD_U_CHAR(dptr, 0);
1002 ADD_U_CHAR(dptr, so->sin6_family);
1004 ADD_U_INT16(dptr, so->sin6_port);
1005 ADD_MEM(dptr, &so->sin6_addr, 4 * sizeof(uint32_t));
1011 au_to_sock_inet(struct sockaddr_in *so)
1014 return (au_to_sock_inet32(so));
1020 * effective user ID 4 bytes
1021 * effective group ID 4 bytes
1022 * real user ID 4 bytes
1023 * real group ID 4 bytes
1024 * process ID 4 bytes
1025 * session ID 4 bytes
1027 * port ID 4 bytes/8 bytes (32-bit/64-bit value)
1028 * machine address 4 bytes
1031 au_to_subject32(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
1032 pid_t pid, au_asid_t sid, au_tid_t *tid)
1035 u_char *dptr = NULL;
1037 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 9 * sizeof(u_int32_t));
1039 ADD_U_CHAR(dptr, AUT_SUBJECT32);
1040 ADD_U_INT32(dptr, auid);
1041 ADD_U_INT32(dptr, euid);
1042 ADD_U_INT32(dptr, egid);
1043 ADD_U_INT32(dptr, ruid);
1044 ADD_U_INT32(dptr, rgid);
1045 ADD_U_INT32(dptr, pid);
1046 ADD_U_INT32(dptr, sid);
1047 ADD_U_INT32(dptr, tid->port);
1048 ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t));
1054 au_to_subject64(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
1055 pid_t pid, au_asid_t sid, au_tid_t *tid)
1058 u_char *dptr = NULL;
1060 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 7 * sizeof(u_int32_t) +
1061 sizeof(u_int64_t) + sizeof(u_int32_t));
1063 ADD_U_CHAR(dptr, AUT_SUBJECT64);
1064 ADD_U_INT32(dptr, auid);
1065 ADD_U_INT32(dptr, euid);
1066 ADD_U_INT32(dptr, egid);
1067 ADD_U_INT32(dptr, ruid);
1068 ADD_U_INT32(dptr, rgid);
1069 ADD_U_INT32(dptr, pid);
1070 ADD_U_INT32(dptr, sid);
1071 ADD_U_INT64(dptr, tid->port);
1072 ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t));
1078 au_to_subject(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
1079 pid_t pid, au_asid_t sid, au_tid_t *tid)
1082 return (au_to_subject32(auid, euid, egid, ruid, rgid, pid, sid,
1089 * effective user ID 4 bytes
1090 * effective group ID 4 bytes
1091 * real user ID 4 bytes
1092 * real group ID 4 bytes
1093 * process ID 4 bytes
1094 * session ID 4 bytes
1096 * port ID 4 bytes/8 bytes (32-bit/64-bit value)
1097 * address type/length 4 bytes
1098 * machine address 16 bytes
1101 au_to_subject32_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
1102 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
1105 u_char *dptr = NULL;
1107 KASSERT((tid->at_type == AU_IPv4) || (tid->at_type == AU_IPv6),
1108 ("au_to_subject32_ex: type %u", (unsigned int)tid->at_type));
1110 if (tid->at_type == AU_IPv4)
1111 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 10 *
1114 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 13 *
1117 ADD_U_CHAR(dptr, AUT_SUBJECT32_EX);
1118 ADD_U_INT32(dptr, auid);
1119 ADD_U_INT32(dptr, euid);
1120 ADD_U_INT32(dptr, egid);
1121 ADD_U_INT32(dptr, ruid);
1122 ADD_U_INT32(dptr, rgid);
1123 ADD_U_INT32(dptr, pid);
1124 ADD_U_INT32(dptr, sid);
1125 ADD_U_INT32(dptr, tid->at_port);
1126 ADD_U_INT32(dptr, tid->at_type);
1127 if (tid->at_type == AU_IPv6)
1128 ADD_MEM(dptr, &tid->at_addr[0], 4 * sizeof(u_int32_t));
1130 ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t));
1136 au_to_subject64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
1137 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
1140 u_char *dptr = NULL;
1142 KASSERT((tid->at_type == AU_IPv4) || (tid->at_type == AU_IPv6),
1143 ("au_to_subject64_ex: type %u", (unsigned int)tid->at_type));
1145 if (tid->at_type == AU_IPv4)
1146 GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
1147 7 * sizeof(u_int32_t) + sizeof(u_int64_t) +
1148 2 * sizeof(u_int32_t));
1150 GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
1151 7 * sizeof(u_int32_t) + sizeof(u_int64_t) +
1152 5 * sizeof(u_int32_t));
1154 ADD_U_CHAR(dptr, AUT_SUBJECT64_EX);
1155 ADD_U_INT32(dptr, auid);
1156 ADD_U_INT32(dptr, euid);
1157 ADD_U_INT32(dptr, egid);
1158 ADD_U_INT32(dptr, ruid);
1159 ADD_U_INT32(dptr, rgid);
1160 ADD_U_INT32(dptr, pid);
1161 ADD_U_INT32(dptr, sid);
1162 ADD_U_INT64(dptr, tid->at_port);
1163 ADD_U_INT32(dptr, tid->at_type);
1164 if (tid->at_type == AU_IPv6)
1165 ADD_MEM(dptr, &tid->at_addr[0], 4 * sizeof(u_int32_t));
1167 ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t));
1173 au_to_subject_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
1174 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
1177 return (au_to_subject32_ex(auid, euid, egid, ruid, rgid, pid, sid,
1181 #if !defined(_KERNEL) && !defined(KERNEL) && defined(HAVE_AUDIT_SYSCALLS)
1183 * Collects audit information for the current process and creates a subject
1191 if (getaudit(&auinfo) != 0)
1194 return (au_to_subject32(auinfo.ai_auid, geteuid(), getegid(),
1195 getuid(), getgid(), getpid(), auinfo.ai_asid, &auinfo.ai_termid));
1199 #if defined(_KERNEL) || defined(KERNEL)
1201 au_to_exec_strings(char *strs, int count, u_char type)
1204 u_char *dptr = NULL;
1213 totlen += strlen(p) + 1;
1216 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + totlen);
1217 ADD_U_CHAR(dptr, type);
1218 ADD_U_INT32(dptr, count);
1219 ADD_STRING(dptr, strs, totlen);
1227 * text count null-terminated strings
1230 au_to_exec_args(char *args, int argc)
1233 return (au_to_exec_strings(args, argc, AUT_EXEC_ARGS));
1239 * text count null-terminated strings
1242 au_to_exec_env(char *envs, int envc)
1245 return (au_to_exec_strings(envs, envc, AUT_EXEC_ENV));
1251 * text count null-terminated strings
1254 au_to_exec_args(char **argv)
1257 u_char *dptr = NULL;
1258 const char *nextarg;
1264 while (nextarg != NULL) {
1267 nextlen = strlen(nextarg);
1268 totlen += nextlen + 1;
1270 nextarg = *(argv + count);
1273 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + totlen);
1275 ADD_U_CHAR(dptr, AUT_EXEC_ARGS);
1276 ADD_U_INT32(dptr, count);
1278 for (i = 0; i < count; i++) {
1279 nextarg = *(argv + i);
1280 ADD_MEM(dptr, nextarg, strlen(nextarg) + 1);
1289 * text count null-terminated strings
1292 au_to_exec_env(char **envp)
1295 u_char *dptr = NULL;
1298 const char *nextenv;
1302 while (nextenv != NULL) {
1305 nextlen = strlen(nextenv);
1306 totlen += nextlen + 1;
1308 nextenv = *(envp + count);
1311 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + totlen);
1313 ADD_U_CHAR(dptr, AUT_EXEC_ENV);
1314 ADD_U_INT32(dptr, count);
1316 for (i = 0; i < count; i++) {
1317 nextenv = *(envp + i);
1318 ADD_MEM(dptr, nextenv, strlen(nextenv) + 1);
1327 * zonename length 2 bytes
1328 * zonename N bytes + 1 terminating NULL byte
1331 au_to_zonename(const char *zonename)
1333 u_char *dptr = NULL;
1337 textlen = strlen(zonename) + 1;
1338 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + textlen);
1340 ADD_U_CHAR(dptr, AUT_ZONENAME);
1341 ADD_U_INT16(dptr, textlen);
1342 ADD_STRING(dptr, zonename, textlen);
1348 * record byte count 4 bytes
1349 * version # 1 byte [2]
1350 * event type 2 bytes
1351 * event modifier 2 bytes
1352 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value)
1353 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value)
1356 au_to_header32_tm(int rec_size, au_event_t e_type, au_emod_t e_mod,
1360 u_char *dptr = NULL;
1363 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) +
1364 sizeof(u_char) + 2 * sizeof(u_int16_t) + 2 * sizeof(u_int32_t));
1366 ADD_U_CHAR(dptr, AUT_HEADER32);
1367 ADD_U_INT32(dptr, rec_size);
1368 ADD_U_CHAR(dptr, AUDIT_HEADER_VERSION_OPENBSM);
1369 ADD_U_INT16(dptr, e_type);
1370 ADD_U_INT16(dptr, e_mod);
1372 timems = tm.tv_usec/1000;
1373 /* Add the timestamp */
1374 ADD_U_INT32(dptr, tm.tv_sec);
1375 ADD_U_INT32(dptr, timems); /* We need time in ms. */
1382 * record byte count 4 bytes
1383 * version # 1 byte [2]
1384 * event type 2 bytes
1385 * event modifier 2 bytes
1386 * address type/length 4 bytes
1387 * machine address 4 bytes/16 bytes (IPv4/IPv6 address)
1388 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value)
1389 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value)
1392 au_to_header32_ex_tm(int rec_size, au_event_t e_type, au_emod_t e_mod,
1393 struct timeval tm, struct auditinfo_addr *aia)
1396 u_char *dptr = NULL;
1400 tid = &aia->ai_termid;
1401 KASSERT(tid->at_type == AU_IPv4 || tid->at_type == AU_IPv6,
1402 ("au_to_header32_ex_tm: invalid address family"));
1404 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) +
1405 sizeof(u_char) + 2 * sizeof(u_int16_t) + 3 *
1406 sizeof(u_int32_t) + tid->at_type);
1408 ADD_U_CHAR(dptr, AUT_HEADER32_EX);
1409 ADD_U_INT32(dptr, rec_size);
1410 ADD_U_CHAR(dptr, AUDIT_HEADER_VERSION_OPENBSM);
1411 ADD_U_INT16(dptr, e_type);
1412 ADD_U_INT16(dptr, e_mod);
1414 ADD_U_INT32(dptr, tid->at_type);
1415 if (tid->at_type == AU_IPv6)
1416 ADD_MEM(dptr, &tid->at_addr[0], 4 * sizeof(u_int32_t));
1418 ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t));
1419 timems = tm.tv_usec/1000;
1420 /* Add the timestamp */
1421 ADD_U_INT32(dptr, tm.tv_sec);
1422 ADD_U_INT32(dptr, timems); /* We need time in ms. */
1428 au_to_header64_tm(int rec_size, au_event_t e_type, au_emod_t e_mod,
1432 u_char *dptr = NULL;
1435 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) +
1436 sizeof(u_char) + 2 * sizeof(u_int16_t) + 2 * sizeof(u_int64_t));
1438 ADD_U_CHAR(dptr, AUT_HEADER64);
1439 ADD_U_INT32(dptr, rec_size);
1440 ADD_U_CHAR(dptr, AUDIT_HEADER_VERSION_OPENBSM);
1441 ADD_U_INT16(dptr, e_type);
1442 ADD_U_INT16(dptr, e_mod);
1444 timems = tm.tv_usec/1000;
1445 /* Add the timestamp */
1446 ADD_U_INT64(dptr, tm.tv_sec);
1447 ADD_U_INT64(dptr, timems); /* We need time in ms. */
1452 #if !defined(KERNEL) && !defined(_KERNEL)
1453 #ifdef HAVE_AUDIT_SYSCALLS
1455 au_to_header32_ex(int rec_size, au_event_t e_type, au_emod_t e_mod)
1458 struct auditinfo_addr aia;
1460 if (gettimeofday(&tm, NULL) == -1)
1462 if (auditon(A_GETKAUDIT, &aia, sizeof(aia)) < 0) {
1463 if (errno != ENOSYS)
1465 return (au_to_header32_tm(rec_size, e_type, e_mod, tm));
1467 return (au_to_header32_ex_tm(rec_size, e_type, e_mod, tm, &aia));
1469 #endif /* HAVE_AUDIT_SYSCALLS */
1472 au_to_header32(int rec_size, au_event_t e_type, au_emod_t e_mod)
1476 if (gettimeofday(&tm, NULL) == -1)
1478 return (au_to_header32_tm(rec_size, e_type, e_mod, tm));
1482 au_to_header64(__unused int rec_size, __unused au_event_t e_type,
1483 __unused au_emod_t e_mod)
1487 if (gettimeofday(&tm, NULL) == -1)
1489 return (au_to_header64_tm(rec_size, e_type, e_mod, tm));
1493 au_to_header(int rec_size, au_event_t e_type, au_emod_t e_mod)
1496 return (au_to_header32(rec_size, e_type, e_mod));
1499 #ifdef HAVE_AUDIT_SYSCALLS
1501 au_to_header_ex(int rec_size, au_event_t e_type, au_emod_t e_mod)
1504 return (au_to_header32_ex(rec_size, e_type, e_mod));
1506 #endif /* HAVE_AUDIT_SYSCALLS */
1507 #endif /* !defined(KERNEL) && !defined(_KERNEL) */
1511 * trailer magic number 2 bytes
1512 * record byte count 4 bytes
1515 au_to_trailer(int rec_size)
1518 u_char *dptr = NULL;
1519 u_int16_t magic = AUT_TRAILER_MAGIC;
1521 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) +
1524 ADD_U_CHAR(dptr, AUT_TRAILER);
1525 ADD_U_INT16(dptr, magic);
1526 ADD_U_INT32(dptr, rec_size);