2 * Copyright (c) 2004 Apple Computer, Inc.
3 * Copyright (c) 2005 SPARTA, Inc.
6 * This code was developed in part by Robert N. M. Watson, Senior Principal
7 * Scientist, SPARTA, Inc.
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
18 * its contributors may be used to endorse or promote products derived
19 * from this software without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
25 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
29 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
30 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
31 * POSSIBILITY OF SUCH DAMAGE.
36 #include <sys/types.h>
37 #include <sys/endian.h>
38 #include <sys/queue.h>
39 #include <sys/socket.h>
43 #include <sys/libkern.h>
44 #include <sys/malloc.h>
47 #include <netinet/in.h>
48 #include <netinet/in_systm.h>
49 #include <netinet/ip.h>
52 #include <bsm/audit.h>
53 #include <bsm/audit_internal.h>
54 #include <bsm/audit_record.h>
55 #include <security/audit/audit.h>
56 #include <security/audit/audit_private.h>
58 #define GET_TOKEN_AREA(t, dptr, length) do { \
59 t = malloc(sizeof(token_t), M_AUDITBSM, M_WAITOK); \
60 t->t_data = malloc(length, M_AUDITBSM, M_WAITOK | M_ZERO); \
68 * argument value 4 bytes/8 bytes (32-bit/64-bit value)
70 * text N bytes + 1 terminating NULL byte
73 au_to_arg32(char n, char *text, u_int32_t v)
79 textlen = strlen(text);
82 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int32_t) +
83 sizeof(u_int16_t) + textlen);
85 ADD_U_CHAR(dptr, AUT_ARG32);
88 ADD_U_INT16(dptr, textlen);
89 ADD_STRING(dptr, text, textlen);
96 au_to_arg64(char n, char *text, u_int64_t v)
102 textlen = strlen(text);
105 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int64_t) +
106 sizeof(u_int16_t) + textlen);
108 ADD_U_CHAR(dptr, AUT_ARG64);
110 ADD_U_INT64(dptr, v);
111 ADD_U_INT16(dptr, textlen);
112 ADD_STRING(dptr, text, textlen);
119 au_to_arg(char n, char *text, u_int32_t v)
122 return (au_to_arg32(n, text, v));
125 #if defined(_KERNEL) || defined(KERNEL)
128 * file access mode 4 bytes
129 * owner user ID 4 bytes
130 * owner group ID 4 bytes
131 * file system ID 4 bytes
133 * device 4 bytes/8 bytes (32-bit/64-bit)
136 au_to_attr32(struct vnode_au_info *vni)
140 u_int16_t pad0_16 = 0;
141 u_int16_t pad0_32 = 0;
143 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) +
144 3 * sizeof(u_int32_t) + sizeof(u_int64_t) + sizeof(u_int32_t));
146 ADD_U_CHAR(dptr, AUT_ATTR32);
149 * Darwin defines the size for the file mode
150 * as 2 bytes; BSM defines 4 so pad with 0
152 ADD_U_INT16(dptr, pad0_16);
153 ADD_U_INT16(dptr, vni->vn_mode);
155 ADD_U_INT32(dptr, vni->vn_uid);
156 ADD_U_INT32(dptr, vni->vn_gid);
157 ADD_U_INT32(dptr, vni->vn_fsid);
160 * Some systems use 32-bit file ID's, other's use 64-bit file IDs.
161 * Attempt to handle both, and let the compiler sort it out. If we
162 * could pick this out at compile-time, it would be better, so as to
163 * avoid the else case below.
165 if (sizeof(vni->vn_fileid) == sizeof(uint32_t)) {
166 ADD_U_INT32(dptr, pad0_32);
167 ADD_U_INT32(dptr, vni->vn_fileid);
168 } else if (sizeof(vni->vn_fileid) == sizeof(uint64_t))
169 ADD_U_INT64(dptr, vni->vn_fileid);
171 ADD_U_INT64(dptr, 0LL);
173 ADD_U_INT32(dptr, vni->vn_dev);
179 au_to_attr64(struct vnode_au_info *vni)
183 u_int16_t pad0_16 = 0;
184 u_int16_t pad0_32 = 0;
186 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) +
187 3 * sizeof(u_int32_t) + sizeof(u_int64_t) * 2);
189 ADD_U_CHAR(dptr, AUT_ATTR64);
192 * Darwin defines the size for the file mode
193 * as 2 bytes; BSM defines 4 so pad with 0
195 ADD_U_INT16(dptr, pad0_16);
196 ADD_U_INT16(dptr, vni->vn_mode);
198 ADD_U_INT32(dptr, vni->vn_uid);
199 ADD_U_INT32(dptr, vni->vn_gid);
200 ADD_U_INT32(dptr, vni->vn_fsid);
203 * Some systems use 32-bit file ID's, other's use 64-bit file IDs.
204 * Attempt to handle both, and let the compiler sort it out. If we
205 * could pick this out at compile-time, it would be better, so as to
206 * avoid the else case below.
208 if (sizeof(vni->vn_fileid) == sizeof(uint32_t)) {
209 ADD_U_INT32(dptr, pad0_32);
210 ADD_U_INT32(dptr, vni->vn_fileid);
211 } else if (sizeof(vni->vn_fileid) == sizeof(uint64_t))
212 ADD_U_INT64(dptr, vni->vn_fileid);
214 ADD_U_INT64(dptr, 0LL);
216 ADD_U_INT64(dptr, vni->vn_dev);
222 au_to_attr(struct vnode_au_info *vni)
225 return (au_to_attr32(vni));
227 #endif /* !(defined(_KERNEL) || defined(KERNEL) */
231 * how to print 1 byte
234 * data items (depends on basic unit)
237 au_to_data(char unit_print, char unit_type, char unit_count, char *p)
241 size_t datasize, totdata;
243 /* Determine the size of the basic unit. */
247 datasize = AUR_BYTE_SIZE;
251 datasize = AUR_SHORT_SIZE;
256 datasize = AUR_INT32_SIZE;
260 datasize = AUR_INT64_SIZE;
267 totdata = datasize * unit_count;
269 GET_TOKEN_AREA(t, dptr, 4 * sizeof(u_char) + totdata);
271 ADD_U_CHAR(dptr, AUT_DATA);
272 ADD_U_CHAR(dptr, unit_print);
273 ADD_U_CHAR(dptr, unit_type);
274 ADD_U_CHAR(dptr, unit_count);
275 ADD_MEM(dptr, p, totdata);
284 * return value 4 bytes
287 au_to_exit(int retval, int err)
292 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int32_t));
294 ADD_U_CHAR(dptr, AUT_EXIT);
295 ADD_U_INT32(dptr, err);
296 ADD_U_INT32(dptr, retval);
304 au_to_groups(int *groups)
307 return (au_to_newgroups(AUDIT_MAX_GROUPS, (gid_t*)groups));
312 * number groups 2 bytes
313 * group list count * 4 bytes
316 au_to_newgroups(u_int16_t n, gid_t *groups)
322 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) +
323 n * sizeof(u_int32_t));
325 ADD_U_CHAR(dptr, AUT_NEWGROUPS);
326 ADD_U_INT16(dptr, n);
327 for (i = 0; i < n; i++)
328 ADD_U_INT32(dptr, groups[i]);
335 * internet address 4 bytes
338 au_to_in_addr(struct in_addr *internet_addr)
343 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(uint32_t));
345 ADD_U_CHAR(dptr, AUT_IN_ADDR);
346 ADD_MEM(dptr, &internet_addr->s_addr, sizeof(uint32_t));
353 * address type/length 4 bytes
357 au_to_in_addr_ex(struct in6_addr *internet_addr)
361 u_int32_t type = AF_INET6;
363 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 5 * sizeof(uint32_t));
365 ADD_U_CHAR(dptr, AUT_IN_ADDR_EX);
366 ADD_U_INT32(dptr, type);
367 ADD_MEM(dptr, internet_addr, 5 * sizeof(uint32_t));
376 * The IP header should be submitted in network byte order.
379 au_to_ip(struct ip *ip)
384 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(struct ip));
386 ADD_U_CHAR(dptr, AUT_IP);
387 ADD_MEM(dptr, ip, sizeof(struct ip));
394 * object ID type 1 byte
398 au_to_ipc(char type, int id)
403 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int32_t));
405 ADD_U_CHAR(dptr, AUT_IPC);
406 ADD_U_CHAR(dptr, type);
407 ADD_U_INT32(dptr, id);
414 * owner user ID 4 bytes
415 * owner group ID 4 bytes
416 * creator user ID 4 bytes
417 * creator group ID 4 bytes
418 * access mode 4 bytes
419 * slot sequence # 4 bytes
423 au_to_ipc_perm(struct ipc_perm *perm)
429 GET_TOKEN_AREA(t, dptr, 12 * sizeof(u_int16_t) + sizeof(u_int32_t));
431 ADD_U_CHAR(dptr, AUT_IPC_PERM);
434 * Darwin defines the sizes for ipc_perm members
435 * as 2 bytes; BSM defines 4 so pad with 0
437 ADD_U_INT16(dptr, pad0);
438 ADD_U_INT16(dptr, perm->uid);
440 ADD_U_INT16(dptr, pad0);
441 ADD_U_INT16(dptr, perm->gid);
443 ADD_U_INT16(dptr, pad0);
444 ADD_U_INT16(dptr, perm->cuid);
446 ADD_U_INT16(dptr, pad0);
447 ADD_U_INT16(dptr, perm->cgid);
449 ADD_U_INT16(dptr, pad0);
450 ADD_U_INT16(dptr, perm->mode);
452 ADD_U_INT16(dptr, pad0);
453 ADD_U_INT16(dptr, perm->seq);
455 ADD_U_INT32(dptr, perm->key);
462 * port IP address 2 bytes
465 au_to_iport(u_int16_t iport)
470 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t));
472 ADD_U_CHAR(dptr, AUT_IPORT);
473 ADD_U_INT16(dptr, iport);
484 au_to_opaque(char *data, u_int16_t bytes)
489 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + bytes);
491 ADD_U_CHAR(dptr, AUT_OPAQUE);
492 ADD_U_INT16(dptr, bytes);
493 ADD_MEM(dptr, data, bytes);
500 * seconds of time 4 bytes
501 * milliseconds of time 4 bytes
502 * file name len 2 bytes
503 * file pathname N bytes + 1 terminating NULL byte
506 au_to_file(char *file, struct timeval tm)
513 filelen = strlen(file);
516 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int32_t) +
517 sizeof(u_int16_t) + filelen);
519 timems = tm.tv_usec/1000;
521 ADD_U_CHAR(dptr, AUT_OTHER_FILE32);
522 ADD_U_INT32(dptr, tm.tv_sec);
523 ADD_U_INT32(dptr, timems); /* We need time in ms. */
524 ADD_U_INT16(dptr, filelen);
525 ADD_STRING(dptr, file, filelen);
532 * text length 2 bytes
533 * text N bytes + 1 terminating NULL byte
536 au_to_text(char *text)
542 textlen = strlen(text);
545 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + textlen);
547 ADD_U_CHAR(dptr, AUT_TEXT);
548 ADD_U_INT16(dptr, textlen);
549 ADD_STRING(dptr, text, textlen);
556 * path length 2 bytes
557 * path N bytes + 1 terminating NULL byte
560 au_to_path(char *text)
566 textlen = strlen(text);
569 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + textlen);
571 ADD_U_CHAR(dptr, AUT_PATH);
572 ADD_U_INT16(dptr, textlen);
573 ADD_STRING(dptr, text, textlen);
581 * effective user ID 4 bytes
582 * effective group ID 4 bytes
583 * real user ID 4 bytes
584 * real group ID 4 bytes
588 * port ID 4 bytes/8 bytes (32-bit/64-bit value)
589 * machine address 4 bytes
592 au_to_process32(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
593 pid_t pid, au_asid_t sid, au_tid_t *tid)
598 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 9 * sizeof(u_int32_t));
600 ADD_U_CHAR(dptr, AUT_PROCESS32);
601 ADD_U_INT32(dptr, auid);
602 ADD_U_INT32(dptr, euid);
603 ADD_U_INT32(dptr, egid);
604 ADD_U_INT32(dptr, ruid);
605 ADD_U_INT32(dptr, rgid);
606 ADD_U_INT32(dptr, pid);
607 ADD_U_INT32(dptr, sid);
608 ADD_U_INT32(dptr, tid->port);
609 ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t));
615 au_to_process64(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
616 pid_t pid, au_asid_t sid, au_tid_t *tid)
621 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 8 * sizeof(u_int32_t) +
624 ADD_U_CHAR(dptr, AUT_PROCESS64);
625 ADD_U_INT32(dptr, auid);
626 ADD_U_INT32(dptr, euid);
627 ADD_U_INT32(dptr, egid);
628 ADD_U_INT32(dptr, ruid);
629 ADD_U_INT32(dptr, rgid);
630 ADD_U_INT32(dptr, pid);
631 ADD_U_INT32(dptr, sid);
632 ADD_U_INT64(dptr, tid->port);
633 ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t));
639 au_to_process(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
640 pid_t pid, au_asid_t sid, au_tid_t *tid)
643 return (au_to_process32(auid, euid, egid, ruid, rgid, pid, sid,
650 * effective user ID 4 bytes
651 * effective group ID 4 bytes
652 * real user ID 4 bytes
653 * real group ID 4 bytes
657 * port ID 4 bytes/8 bytes (32-bit/64-bit value)
658 * address type-len 4 bytes
659 * machine address 4/16 bytes
662 au_to_process32_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
663 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
668 KASSERT((tid->at_type == AU_IPv4) || (tid->at_type == AU_IPv6),
669 ("au_to_process32_ex: type %u", (unsigned int)tid->at_type));
670 if (tid->at_type == AU_IPv6)
671 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 13 *
674 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 10 *
677 ADD_U_CHAR(dptr, AUT_PROCESS32_EX);
678 ADD_U_INT32(dptr, auid);
679 ADD_U_INT32(dptr, euid);
680 ADD_U_INT32(dptr, egid);
681 ADD_U_INT32(dptr, ruid);
682 ADD_U_INT32(dptr, rgid);
683 ADD_U_INT32(dptr, pid);
684 ADD_U_INT32(dptr, sid);
685 ADD_U_INT32(dptr, tid->at_port);
686 ADD_U_INT32(dptr, tid->at_type);
687 if (tid->at_type == AU_IPv6)
688 ADD_MEM(dptr, &tid->at_addr[0], 4 * sizeof(u_int32_t));
690 ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t));
695 au_to_process64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
696 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
701 if (tid->at_type == AU_IPv4)
702 GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
703 7 * sizeof(u_int32_t) + sizeof(u_int64_t) +
704 2 * sizeof(u_int32_t));
705 else if (tid->at_type == AU_IPv6)
706 GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
707 7 * sizeof(u_int32_t) + sizeof(u_int64_t) +
708 5 * sizeof(u_int32_t));
710 panic("au_to_process64_ex: invalidate at_type (%d)",
713 ADD_U_CHAR(dptr, AUT_PROCESS64_EX);
714 ADD_U_INT32(dptr, auid);
715 ADD_U_INT32(dptr, euid);
716 ADD_U_INT32(dptr, egid);
717 ADD_U_INT32(dptr, ruid);
718 ADD_U_INT32(dptr, rgid);
719 ADD_U_INT32(dptr, pid);
720 ADD_U_INT32(dptr, sid);
721 ADD_U_INT64(dptr, tid->at_port);
722 ADD_U_INT32(dptr, tid->at_type);
723 ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t));
724 if (tid->at_type == AU_IPv6) {
725 ADD_MEM(dptr, &tid->at_addr[1], sizeof(u_int32_t));
726 ADD_MEM(dptr, &tid->at_addr[2], sizeof(u_int32_t));
727 ADD_MEM(dptr, &tid->at_addr[3], sizeof(u_int32_t));
734 au_to_process_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
735 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
738 return (au_to_process32_ex(auid, euid, egid, ruid, rgid, pid, sid,
744 * error status 1 byte
745 * return value 4 bytes/8 bytes (32-bit/64-bit value)
748 au_to_return32(char status, u_int32_t ret)
753 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int32_t));
755 ADD_U_CHAR(dptr, AUT_RETURN32);
756 ADD_U_CHAR(dptr, status);
757 ADD_U_INT32(dptr, ret);
763 au_to_return64(char status, u_int64_t ret)
768 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int64_t));
770 ADD_U_CHAR(dptr, AUT_RETURN64);
771 ADD_U_CHAR(dptr, status);
772 ADD_U_INT64(dptr, ret);
778 au_to_return(char status, u_int32_t ret)
781 return (au_to_return32(status, ret));
786 * sequence number 4 bytes
789 au_to_seq(long audit_count)
794 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t));
796 ADD_U_CHAR(dptr, AUT_SEQ);
797 ADD_U_INT32(dptr, audit_count);
804 * socket type 2 bytes
806 * local Internet address 4 bytes
807 * remote port 2 bytes
808 * remote Internet address 4 bytes
811 au_to_socket(struct socket *so)
819 * Kernel-specific version of the above function.
823 kau_to_socket(struct socket_au_info *soi)
829 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) +
830 sizeof(u_int32_t) + sizeof(u_int16_t) + sizeof(u_int32_t));
832 ADD_U_CHAR(dptr, AU_SOCK_TOKEN);
833 /* Coerce the socket type into a short value */
834 so_type = soi->so_type;
835 ADD_U_INT16(dptr, so_type);
836 ADD_U_INT16(dptr, soi->so_lport);
837 ADD_U_INT32(dptr, soi->so_laddr);
838 ADD_U_INT16(dptr, soi->so_rport);
839 ADD_U_INT32(dptr, soi->so_raddr);
847 * socket type 2 bytes
849 * address type/length 4 bytes
850 * local Internet address 4 bytes/16 bytes (IPv4/IPv6 address)
851 * remote port 4 bytes
852 * address type/length 4 bytes
853 * remote Internet address 4 bytes/16 bytes (IPv4/IPv6 address)
856 au_to_socket_ex_32(u_int16_t lp, u_int16_t rp, struct sockaddr *la,
864 au_to_socket_ex_128(u_int16_t lp, u_int16_t rp, struct sockaddr *la,
873 * socket family 2 bytes
877 au_to_sock_unix(struct sockaddr_un *so)
882 GET_TOKEN_AREA(t, dptr, 3 * sizeof(u_char) + strlen(so->sun_path) + 1);
884 ADD_U_CHAR(dptr, AU_SOCK_UNIX_TOKEN);
885 /* BSM token has two bytes for family */
887 ADD_U_CHAR(dptr, so->sun_family);
888 ADD_STRING(dptr, so->sun_path, strlen(so->sun_path) + 1);
895 * socket family 2 bytes
897 * socket address 4 bytes
900 au_to_sock_inet32(struct sockaddr_in *so)
906 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(uint16_t) +
909 ADD_U_CHAR(dptr, AUT_SOCKINET32);
911 * BSM defines the family field as 16 bits, but many operating
912 * systems have an 8-bit sin_family field. Extend to 16 bits before
913 * writing into the token. Assume that both the port and the address
914 * in the sockaddr_in are already in network byte order, but family
915 * is in local byte order.
917 * XXXRW: Should a name space conversion be taking place on the value
920 family = so->sin_family;
921 ADD_U_INT16(dptr, family);
922 ADD_MEM(dptr, &so->sin_port, sizeof(uint16_t));
923 ADD_MEM(dptr, &so->sin_addr.s_addr, sizeof(uint32_t));
930 au_to_sock_inet128(struct sockaddr_in6 *so)
935 GET_TOKEN_AREA(t, dptr, 3 * sizeof(u_char) + sizeof(u_int16_t) +
936 4 * sizeof(u_int32_t));
938 ADD_U_CHAR(dptr, AUT_SOCKINET128);
940 * In Darwin, sin6_family is one octet, but BSM defines the token
941 * to store two. So we copy in a 0 first.
944 ADD_U_CHAR(dptr, so->sin6_family);
946 ADD_U_INT16(dptr, so->sin6_port);
947 ADD_MEM(dptr, &so->sin6_addr, 4 * sizeof(uint32_t));
954 au_to_sock_inet(struct sockaddr_in *so)
957 return (au_to_sock_inet32(so));
963 * effective user ID 4 bytes
964 * effective group ID 4 bytes
965 * real user ID 4 bytes
966 * real group ID 4 bytes
970 * port ID 4 bytes/8 bytes (32-bit/64-bit value)
971 * machine address 4 bytes
974 au_to_subject32(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
975 pid_t pid, au_asid_t sid, au_tid_t *tid)
980 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 9 * sizeof(u_int32_t));
982 ADD_U_CHAR(dptr, AUT_SUBJECT32);
983 ADD_U_INT32(dptr, auid);
984 ADD_U_INT32(dptr, euid);
985 ADD_U_INT32(dptr, egid);
986 ADD_U_INT32(dptr, ruid);
987 ADD_U_INT32(dptr, rgid);
988 ADD_U_INT32(dptr, pid);
989 ADD_U_INT32(dptr, sid);
990 ADD_U_INT32(dptr, tid->port);
991 ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t));
997 au_to_subject64(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
998 pid_t pid, au_asid_t sid, au_tid_t *tid)
1001 u_char *dptr = NULL;
1003 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 7 * sizeof(u_int32_t) +
1004 sizeof(u_int64_t) + sizeof(u_int32_t));
1006 ADD_U_CHAR(dptr, AUT_SUBJECT64);
1007 ADD_U_INT32(dptr, auid);
1008 ADD_U_INT32(dptr, euid);
1009 ADD_U_INT32(dptr, egid);
1010 ADD_U_INT32(dptr, ruid);
1011 ADD_U_INT32(dptr, rgid);
1012 ADD_U_INT32(dptr, pid);
1013 ADD_U_INT32(dptr, sid);
1014 ADD_U_INT64(dptr, tid->port);
1015 ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t));
1021 au_to_subject(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
1022 pid_t pid, au_asid_t sid, au_tid_t *tid)
1025 return (au_to_subject32(auid, euid, egid, ruid, rgid, pid, sid,
1032 * effective user ID 4 bytes
1033 * effective group ID 4 bytes
1034 * real user ID 4 bytes
1035 * real group ID 4 bytes
1036 * process ID 4 bytes
1037 * session ID 4 bytes
1039 * port ID 4 bytes/8 bytes (32-bit/64-bit value)
1040 * address type/length 4 bytes
1041 * machine address 4/16 bytes
1044 au_to_subject32_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
1045 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
1048 u_char *dptr = NULL;
1050 KASSERT((tid->at_type == AU_IPv4) || (tid->at_type == AU_IPv6),
1051 ("au_to_subject32_ex: type %u", (unsigned int)tid->at_type));
1052 if (tid->at_type == AU_IPv6)
1053 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 13 *
1056 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 10 *
1059 ADD_U_CHAR(dptr, AUT_SUBJECT32_EX);
1060 ADD_U_INT32(dptr, auid);
1061 ADD_U_INT32(dptr, euid);
1062 ADD_U_INT32(dptr, egid);
1063 ADD_U_INT32(dptr, ruid);
1064 ADD_U_INT32(dptr, rgid);
1065 ADD_U_INT32(dptr, pid);
1066 ADD_U_INT32(dptr, sid);
1067 ADD_U_INT32(dptr, tid->at_port);
1068 ADD_U_INT32(dptr, tid->at_type);
1069 if (tid->at_type == AU_IPv6)
1070 ADD_MEM(dptr, &tid->at_addr[0], 4 * sizeof(u_int32_t));
1072 ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t));
1077 au_to_subject64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
1078 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
1081 u_char *dptr = NULL;
1083 if (tid->at_type == AU_IPv4)
1084 GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
1085 7 * sizeof(u_int32_t) + sizeof(u_int64_t) +
1086 2 * sizeof(u_int32_t));
1087 else if (tid->at_type == AU_IPv6)
1088 GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
1089 7 * sizeof(u_int32_t) + sizeof(u_int64_t) +
1090 5 * sizeof(u_int32_t));
1092 panic("au_to_subject64_ex: invalid at_type (%d)",
1095 ADD_U_CHAR(dptr, AUT_SUBJECT64_EX);
1096 ADD_U_INT32(dptr, auid);
1097 ADD_U_INT32(dptr, euid);
1098 ADD_U_INT32(dptr, egid);
1099 ADD_U_INT32(dptr, ruid);
1100 ADD_U_INT32(dptr, rgid);
1101 ADD_U_INT32(dptr, pid);
1102 ADD_U_INT32(dptr, sid);
1103 ADD_U_INT64(dptr, tid->at_port);
1104 ADD_U_INT32(dptr, tid->at_type);
1105 if (tid->at_type == AU_IPv6)
1106 ADD_MEM(dptr, &tid->at_addr[0], 4 * sizeof(u_int32_t));
1108 ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t));
1114 au_to_subject_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
1115 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
1118 return (au_to_subject32_ex(auid, euid, egid, ruid, rgid, pid, sid,
1122 #if !defined(_KERNEL) && !defined(KERNEL) && defined(HAVE_AUDIT_SYSCALLS)
1124 * Collects audit information for the current process
1125 * and creates a subject token from it
1132 if (getaudit(&auinfo) != 0)
1135 return (au_to_subject32(auinfo.ai_auid, geteuid(), getegid(),
1136 getuid(), getgid(), getpid(), auinfo.ai_asid, &auinfo.ai_termid));
1140 #if defined(_KERNEL) || defined(KERNEL)
1142 au_to_exec_strings(char *strs, int count, u_char type)
1145 u_char *dptr = NULL;
1154 totlen += strlen(p) + 1;
1157 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + totlen);
1158 ADD_U_CHAR(dptr, type);
1159 ADD_U_INT32(dptr, count);
1160 ADD_STRING(dptr, strs, totlen);
1168 * text count null-terminated strings
1171 au_to_exec_args(char *args, int argc)
1174 return (au_to_exec_strings(args, argc, AUT_EXEC_ARGS));
1180 * text count null-terminated strings
1183 au_to_exec_env(char *envs, int envc)
1186 return (au_to_exec_strings(envs, envc, AUT_EXEC_ENV));
1192 * text count null-terminated strings
1195 au_to_exec_args(char **argv)
1198 u_char *dptr = NULL;
1199 const char *nextarg;
1205 while (nextarg != NULL) {
1208 nextlen = strlen(nextarg);
1209 totlen += nextlen + 1;
1211 nextarg = *(argv + count);
1214 totlen += count * sizeof(char); /* nul terminations. */
1215 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + totlen);
1217 ADD_U_CHAR(dptr, AUT_EXEC_ARGS);
1218 ADD_U_INT32(dptr, count);
1220 for (i = 0; i < count; i++) {
1221 nextarg = *(argv + i);
1222 ADD_MEM(dptr, nextarg, strlen(nextarg) + 1);
1230 * zonename length 2 bytes
1231 * zonename N bytes + 1 terminating NULL byte
1234 au_to_zonename(char *zonename)
1236 u_char *dptr = NULL;
1240 textlen = strlen(zonename);
1242 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + textlen);
1243 ADD_U_CHAR(dptr, AUT_ZONENAME);
1244 ADD_U_INT16(dptr, textlen);
1245 ADD_STRING(dptr, zonename, textlen);
1252 * text count null-terminated strings
1255 au_to_exec_env(char **envp)
1258 u_char *dptr = NULL;
1261 const char *nextenv;
1265 while (nextenv != NULL) {
1268 nextlen = strlen(nextenv);
1269 totlen += nextlen + 1;
1271 nextenv = *(envp + count);
1274 totlen += sizeof(char) * count;
1275 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + totlen);
1277 ADD_U_CHAR(dptr, AUT_EXEC_ENV);
1278 ADD_U_INT32(dptr, count);
1280 for (i = 0; i < count; i++) {
1281 nextenv = *(envp + i);
1282 ADD_MEM(dptr, nextenv, strlen(nextenv) + 1);
1291 * record byte count 4 bytes
1292 * version # 1 byte [2]
1293 * event type 2 bytes
1294 * event modifier 2 bytes
1295 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value)
1296 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value)
1299 au_to_header32_tm(int rec_size, au_event_t e_type, au_emod_t e_mod,
1303 u_char *dptr = NULL;
1306 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) +
1307 sizeof(u_char) + 2 * sizeof(u_int16_t) + 2 * sizeof(u_int32_t));
1309 ADD_U_CHAR(dptr, AUT_HEADER32);
1310 ADD_U_INT32(dptr, rec_size);
1311 ADD_U_CHAR(dptr, AUDIT_HEADER_VERSION_OPENBSM);
1312 ADD_U_INT16(dptr, e_type);
1313 ADD_U_INT16(dptr, e_mod);
1315 timems = tm.tv_usec/1000;
1316 /* Add the timestamp */
1317 ADD_U_INT32(dptr, tm.tv_sec);
1318 ADD_U_INT32(dptr, timems); /* We need time in ms. */
1324 au_to_header64_tm(int rec_size, au_event_t e_type, au_emod_t e_mod,
1328 u_char *dptr = NULL;
1331 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) +
1332 sizeof(u_char) + 2 * sizeof(u_int16_t) + 2 * sizeof(u_int64_t));
1334 ADD_U_CHAR(dptr, AUT_HEADER64);
1335 ADD_U_INT32(dptr, rec_size);
1336 ADD_U_CHAR(dptr, AUDIT_HEADER_VERSION_OPENBSM);
1337 ADD_U_INT16(dptr, e_type);
1338 ADD_U_INT16(dptr, e_mod);
1340 timems = tm.tv_usec/1000;
1341 /* Add the timestamp */
1342 ADD_U_INT64(dptr, tm.tv_sec);
1343 ADD_U_INT64(dptr, timems); /* We need time in ms. */
1350 * trailer magic number 2 bytes
1351 * record byte count 4 bytes
1354 au_to_trailer(int rec_size)
1357 u_char *dptr = NULL;
1358 u_int16_t magic = TRAILER_PAD_MAGIC;
1360 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) +
1363 ADD_U_CHAR(dptr, AUT_TRAILER);
1364 ADD_U_INT16(dptr, magic);
1365 ADD_U_INT32(dptr, rec_size);