2 * Copyright (c) 2004 Apple Computer, Inc.
3 * Copyright (c) 2005 SPARTA, Inc.
6 * This code was developed in part by Robert N. M. Watson, Senior Principal
7 * Scientist, SPARTA, Inc.
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
18 * its contributors may be used to endorse or promote products derived
19 * from this software without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
25 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
29 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
30 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
31 * POSSIBILITY OF SUCH DAMAGE.
36 #include <sys/types.h>
37 #include <sys/endian.h>
38 #include <sys/queue.h>
39 #include <sys/socket.h>
43 #include <sys/libkern.h>
44 #include <sys/malloc.h>
47 #include <netinet/in.h>
48 #include <netinet/in_systm.h>
49 #include <netinet/ip.h>
52 #include <bsm/audit.h>
53 #include <bsm/audit_internal.h>
54 #include <bsm/audit_record.h>
55 #include <security/audit/audit.h>
56 #include <security/audit/audit_private.h>
58 #define GET_TOKEN_AREA(t, dptr, length) do { \
59 t = malloc(sizeof(token_t), M_AUDITBSM, M_WAITOK); \
60 t->t_data = malloc(length, M_AUDITBSM, M_WAITOK | M_ZERO); \
68 * argument value 4 bytes/8 bytes (32-bit/64-bit value)
70 * text N bytes + 1 terminating NULL byte
73 au_to_arg32(char n, char *text, u_int32_t v)
79 textlen = strlen(text);
82 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int32_t) +
83 sizeof(u_int16_t) + textlen);
85 ADD_U_CHAR(dptr, AUT_ARG32);
88 ADD_U_INT16(dptr, textlen);
89 ADD_STRING(dptr, text, textlen);
96 au_to_arg64(char n, char *text, u_int64_t v)
102 textlen = strlen(text);
105 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int64_t) +
106 sizeof(u_int16_t) + textlen);
108 ADD_U_CHAR(dptr, AUT_ARG64);
110 ADD_U_INT64(dptr, v);
111 ADD_U_INT16(dptr, textlen);
112 ADD_STRING(dptr, text, textlen);
119 au_to_arg(char n, char *text, u_int32_t v)
122 return (au_to_arg32(n, text, v));
125 #if defined(_KERNEL) || defined(KERNEL)
128 * file access mode 4 bytes
129 * owner user ID 4 bytes
130 * owner group ID 4 bytes
131 * file system ID 4 bytes
133 * device 4 bytes/8 bytes (32-bit/64-bit)
136 au_to_attr32(struct vnode_au_info *vni)
140 u_int16_t pad0_16 = 0;
141 u_int16_t pad0_32 = 0;
143 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) +
144 3 * sizeof(u_int32_t) + sizeof(u_int64_t) + sizeof(u_int32_t));
146 ADD_U_CHAR(dptr, AUT_ATTR32);
149 * Darwin defines the size for the file mode
150 * as 2 bytes; BSM defines 4 so pad with 0
152 ADD_U_INT16(dptr, pad0_16);
153 ADD_U_INT16(dptr, vni->vn_mode);
155 ADD_U_INT32(dptr, vni->vn_uid);
156 ADD_U_INT32(dptr, vni->vn_gid);
157 ADD_U_INT32(dptr, vni->vn_fsid);
160 * Some systems use 32-bit file ID's, other's use 64-bit file IDs.
161 * Attempt to handle both, and let the compiler sort it out. If we
162 * could pick this out at compile-time, it would be better, so as to
163 * avoid the else case below.
165 if (sizeof(vni->vn_fileid) == sizeof(uint32_t)) {
166 ADD_U_INT32(dptr, pad0_32);
167 ADD_U_INT32(dptr, vni->vn_fileid);
168 } else if (sizeof(vni->vn_fileid) == sizeof(uint64_t))
169 ADD_U_INT64(dptr, vni->vn_fileid);
171 ADD_U_INT64(dptr, 0LL);
173 ADD_U_INT32(dptr, vni->vn_dev);
179 au_to_attr64(struct vnode_au_info *vni)
183 u_int16_t pad0_16 = 0;
184 u_int16_t pad0_32 = 0;
186 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) +
187 3 * sizeof(u_int32_t) + sizeof(u_int64_t) * 2);
189 ADD_U_CHAR(dptr, AUT_ATTR64);
192 * Darwin defines the size for the file mode
193 * as 2 bytes; BSM defines 4 so pad with 0
195 ADD_U_INT16(dptr, pad0_16);
196 ADD_U_INT16(dptr, vni->vn_mode);
198 ADD_U_INT32(dptr, vni->vn_uid);
199 ADD_U_INT32(dptr, vni->vn_gid);
200 ADD_U_INT32(dptr, vni->vn_fsid);
203 * Some systems use 32-bit file ID's, other's use 64-bit file IDs.
204 * Attempt to handle both, and let the compiler sort it out. If we
205 * could pick this out at compile-time, it would be better, so as to
206 * avoid the else case below.
208 if (sizeof(vni->vn_fileid) == sizeof(uint32_t)) {
209 ADD_U_INT32(dptr, pad0_32);
210 ADD_U_INT32(dptr, vni->vn_fileid);
211 } else if (sizeof(vni->vn_fileid) == sizeof(uint64_t))
212 ADD_U_INT64(dptr, vni->vn_fileid);
214 ADD_U_INT64(dptr, 0LL);
216 ADD_U_INT64(dptr, vni->vn_dev);
222 au_to_attr(struct vnode_au_info *vni)
225 return (au_to_attr32(vni));
227 #endif /* !(defined(_KERNEL) || defined(KERNEL) */
231 * how to print 1 byte
234 * data items (depends on basic unit)
237 au_to_data(char unit_print, char unit_type, char unit_count, char *p)
241 size_t datasize, totdata;
243 /* Determine the size of the basic unit. */
247 datasize = AUR_BYTE_SIZE;
251 datasize = AUR_SHORT_SIZE;
256 datasize = AUR_INT32_SIZE;
260 datasize = AUR_INT64_SIZE;
267 totdata = datasize * unit_count;
269 GET_TOKEN_AREA(t, dptr, 4 * sizeof(u_char) + totdata);
271 ADD_U_CHAR(dptr, AUT_DATA);
272 ADD_U_CHAR(dptr, unit_print);
273 ADD_U_CHAR(dptr, unit_type);
274 ADD_U_CHAR(dptr, unit_count);
275 ADD_MEM(dptr, p, totdata);
284 * return value 4 bytes
287 au_to_exit(int retval, int err)
292 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int32_t));
294 ADD_U_CHAR(dptr, AUT_EXIT);
295 ADD_U_INT32(dptr, err);
296 ADD_U_INT32(dptr, retval);
304 au_to_groups(int *groups)
307 return (au_to_newgroups(AUDIT_MAX_GROUPS, (gid_t*)groups));
312 * number groups 2 bytes
313 * group list count * 4 bytes
316 au_to_newgroups(u_int16_t n, gid_t *groups)
322 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) +
323 n * sizeof(u_int32_t));
325 ADD_U_CHAR(dptr, AUT_NEWGROUPS);
326 ADD_U_INT16(dptr, n);
327 for (i = 0; i < n; i++)
328 ADD_U_INT32(dptr, groups[i]);
335 * internet address 4 bytes
338 au_to_in_addr(struct in_addr *internet_addr)
343 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(uint32_t));
345 ADD_U_CHAR(dptr, AUT_IN_ADDR);
346 ADD_MEM(dptr, &internet_addr->s_addr, sizeof(uint32_t));
353 * address type/length 4 bytes
357 au_to_in_addr_ex(struct in6_addr *internet_addr)
361 u_int32_t type = AU_IPv6;
363 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 5 * sizeof(uint32_t));
365 ADD_U_CHAR(dptr, AUT_IN_ADDR_EX);
366 ADD_U_INT32(dptr, type);
367 ADD_MEM(dptr, internet_addr, 4 * sizeof(uint32_t));
376 * The IP header should be submitted in network byte order.
379 au_to_ip(struct ip *ip)
384 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(struct ip));
386 ADD_U_CHAR(dptr, AUT_IP);
387 ADD_MEM(dptr, ip, sizeof(struct ip));
394 * object ID type 1 byte
398 au_to_ipc(char type, int id)
403 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int32_t));
405 ADD_U_CHAR(dptr, AUT_IPC);
406 ADD_U_CHAR(dptr, type);
407 ADD_U_INT32(dptr, id);
414 * owner user ID 4 bytes
415 * owner group ID 4 bytes
416 * creator user ID 4 bytes
417 * creator group ID 4 bytes
418 * access mode 4 bytes
419 * slot sequence # 4 bytes
423 au_to_ipc_perm(struct ipc_perm *perm)
429 GET_TOKEN_AREA(t, dptr, 12 * sizeof(u_int16_t) + sizeof(u_int32_t));
431 ADD_U_CHAR(dptr, AUT_IPC_PERM);
434 * Darwin defines the sizes for ipc_perm members
435 * as 2 bytes; BSM defines 4 so pad with 0
437 ADD_U_INT16(dptr, pad0);
438 ADD_U_INT16(dptr, perm->uid);
440 ADD_U_INT16(dptr, pad0);
441 ADD_U_INT16(dptr, perm->gid);
443 ADD_U_INT16(dptr, pad0);
444 ADD_U_INT16(dptr, perm->cuid);
446 ADD_U_INT16(dptr, pad0);
447 ADD_U_INT16(dptr, perm->cgid);
449 ADD_U_INT16(dptr, pad0);
450 ADD_U_INT16(dptr, perm->mode);
452 ADD_U_INT16(dptr, pad0);
453 ADD_U_INT16(dptr, perm->seq);
455 ADD_U_INT32(dptr, perm->key);
462 * port IP address 2 bytes
465 au_to_iport(u_int16_t iport)
470 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t));
472 ADD_U_CHAR(dptr, AUT_IPORT);
473 ADD_U_INT16(dptr, iport);
484 au_to_opaque(char *data, u_int16_t bytes)
489 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + bytes);
491 ADD_U_CHAR(dptr, AUT_OPAQUE);
492 ADD_U_INT16(dptr, bytes);
493 ADD_MEM(dptr, data, bytes);
500 * seconds of time 4 bytes
501 * milliseconds of time 4 bytes
502 * file name len 2 bytes
503 * file pathname N bytes + 1 terminating NULL byte
506 au_to_file(char *file, struct timeval tm)
513 filelen = strlen(file);
516 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int32_t) +
517 sizeof(u_int16_t) + filelen);
519 timems = tm.tv_usec/1000;
521 ADD_U_CHAR(dptr, AUT_OTHER_FILE32);
522 ADD_U_INT32(dptr, tm.tv_sec);
523 ADD_U_INT32(dptr, timems); /* We need time in ms. */
524 ADD_U_INT16(dptr, filelen);
525 ADD_STRING(dptr, file, filelen);
532 * text length 2 bytes
533 * text N bytes + 1 terminating NULL byte
536 au_to_text(char *text)
542 textlen = strlen(text);
545 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + textlen);
547 ADD_U_CHAR(dptr, AUT_TEXT);
548 ADD_U_INT16(dptr, textlen);
549 ADD_STRING(dptr, text, textlen);
556 * path length 2 bytes
557 * path N bytes + 1 terminating NULL byte
560 au_to_path(char *text)
566 textlen = strlen(text);
569 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + textlen);
571 ADD_U_CHAR(dptr, AUT_PATH);
572 ADD_U_INT16(dptr, textlen);
573 ADD_STRING(dptr, text, textlen);
581 * effective user ID 4 bytes
582 * effective group ID 4 bytes
583 * real user ID 4 bytes
584 * real group ID 4 bytes
588 * port ID 4 bytes/8 bytes (32-bit/64-bit value)
589 * machine address 4 bytes
592 au_to_process32(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
593 pid_t pid, au_asid_t sid, au_tid_t *tid)
598 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 9 * sizeof(u_int32_t));
600 ADD_U_CHAR(dptr, AUT_PROCESS32);
601 ADD_U_INT32(dptr, auid);
602 ADD_U_INT32(dptr, euid);
603 ADD_U_INT32(dptr, egid);
604 ADD_U_INT32(dptr, ruid);
605 ADD_U_INT32(dptr, rgid);
606 ADD_U_INT32(dptr, pid);
607 ADD_U_INT32(dptr, sid);
608 ADD_U_INT32(dptr, tid->port);
609 ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t));
615 au_to_process64(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
616 pid_t pid, au_asid_t sid, au_tid_t *tid)
621 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 8 * sizeof(u_int32_t) +
624 ADD_U_CHAR(dptr, AUT_PROCESS64);
625 ADD_U_INT32(dptr, auid);
626 ADD_U_INT32(dptr, euid);
627 ADD_U_INT32(dptr, egid);
628 ADD_U_INT32(dptr, ruid);
629 ADD_U_INT32(dptr, rgid);
630 ADD_U_INT32(dptr, pid);
631 ADD_U_INT32(dptr, sid);
632 ADD_U_INT64(dptr, tid->port);
633 ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t));
639 au_to_process(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
640 pid_t pid, au_asid_t sid, au_tid_t *tid)
643 return (au_to_process32(auid, euid, egid, ruid, rgid, pid, sid,
650 * effective user ID 4 bytes
651 * effective group ID 4 bytes
652 * real user ID 4 bytes
653 * real group ID 4 bytes
657 * port ID 4 bytes/8 bytes (32-bit/64-bit value)
658 * address type-len 4 bytes
659 * machine address 4/16 bytes
662 au_to_process32_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
663 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
668 KASSERT((tid->at_type == AU_IPv4) || (tid->at_type == AU_IPv6),
669 ("au_to_process32_ex: type %u", (unsigned int)tid->at_type));
670 if (tid->at_type == AU_IPv6)
671 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 13 *
674 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 10 *
677 ADD_U_CHAR(dptr, AUT_PROCESS32_EX);
678 ADD_U_INT32(dptr, auid);
679 ADD_U_INT32(dptr, euid);
680 ADD_U_INT32(dptr, egid);
681 ADD_U_INT32(dptr, ruid);
682 ADD_U_INT32(dptr, rgid);
683 ADD_U_INT32(dptr, pid);
684 ADD_U_INT32(dptr, sid);
685 ADD_U_INT32(dptr, tid->at_port);
686 ADD_U_INT32(dptr, tid->at_type);
687 if (tid->at_type == AU_IPv6)
688 ADD_MEM(dptr, &tid->at_addr[0], 4 * sizeof(u_int32_t));
690 ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t));
696 au_to_process64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
697 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
702 if (tid->at_type == AU_IPv4)
703 GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
704 7 * sizeof(u_int32_t) + sizeof(u_int64_t) +
705 2 * sizeof(u_int32_t));
706 else if (tid->at_type == AU_IPv6)
707 GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
708 7 * sizeof(u_int32_t) + sizeof(u_int64_t) +
709 5 * sizeof(u_int32_t));
711 panic("au_to_process64_ex: invalidate at_type (%d)",
714 ADD_U_CHAR(dptr, AUT_PROCESS64_EX);
715 ADD_U_INT32(dptr, auid);
716 ADD_U_INT32(dptr, euid);
717 ADD_U_INT32(dptr, egid);
718 ADD_U_INT32(dptr, ruid);
719 ADD_U_INT32(dptr, rgid);
720 ADD_U_INT32(dptr, pid);
721 ADD_U_INT32(dptr, sid);
722 ADD_U_INT64(dptr, tid->at_port);
723 ADD_U_INT32(dptr, tid->at_type);
724 ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t));
725 if (tid->at_type == AU_IPv6) {
726 ADD_MEM(dptr, &tid->at_addr[1], sizeof(u_int32_t));
727 ADD_MEM(dptr, &tid->at_addr[2], sizeof(u_int32_t));
728 ADD_MEM(dptr, &tid->at_addr[3], sizeof(u_int32_t));
735 au_to_process_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
736 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
739 return (au_to_process32_ex(auid, euid, egid, ruid, rgid, pid, sid,
745 * error status 1 byte
746 * return value 4 bytes/8 bytes (32-bit/64-bit value)
749 au_to_return32(char status, u_int32_t ret)
754 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int32_t));
756 ADD_U_CHAR(dptr, AUT_RETURN32);
757 ADD_U_CHAR(dptr, status);
758 ADD_U_INT32(dptr, ret);
764 au_to_return64(char status, u_int64_t ret)
769 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int64_t));
771 ADD_U_CHAR(dptr, AUT_RETURN64);
772 ADD_U_CHAR(dptr, status);
773 ADD_U_INT64(dptr, ret);
779 au_to_return(char status, u_int32_t ret)
782 return (au_to_return32(status, ret));
787 * sequence number 4 bytes
790 au_to_seq(long audit_count)
795 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t));
797 ADD_U_CHAR(dptr, AUT_SEQ);
798 ADD_U_INT32(dptr, audit_count);
805 * socket type 2 bytes
807 * local Internet address 4 bytes
808 * remote port 2 bytes
809 * remote Internet address 4 bytes
812 au_to_socket(struct socket *so)
820 * Kernel-specific version of the above function.
824 kau_to_socket(struct socket_au_info *soi)
830 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) +
831 sizeof(u_int32_t) + sizeof(u_int16_t) + sizeof(u_int32_t));
833 ADD_U_CHAR(dptr, AU_SOCK_TOKEN);
834 /* Coerce the socket type into a short value */
835 so_type = soi->so_type;
836 ADD_U_INT16(dptr, so_type);
837 ADD_U_INT16(dptr, soi->so_lport);
838 ADD_U_INT32(dptr, soi->so_laddr);
839 ADD_U_INT16(dptr, soi->so_rport);
840 ADD_U_INT32(dptr, soi->so_raddr);
848 * socket type 2 bytes
850 * address type/length 4 bytes
851 * local Internet address 4 bytes/16 bytes (IPv4/IPv6 address)
852 * remote port 4 bytes
853 * address type/length 4 bytes
854 * remote Internet address 4 bytes/16 bytes (IPv4/IPv6 address)
857 au_to_socket_ex_32(u_int16_t lp, u_int16_t rp, struct sockaddr *la,
865 au_to_socket_ex_128(u_int16_t lp, u_int16_t rp, struct sockaddr *la,
874 * socket family 2 bytes
878 au_to_sock_unix(struct sockaddr_un *so)
883 GET_TOKEN_AREA(t, dptr, 3 * sizeof(u_char) + strlen(so->sun_path) + 1);
885 ADD_U_CHAR(dptr, AU_SOCK_UNIX_TOKEN);
886 /* BSM token has two bytes for family */
888 ADD_U_CHAR(dptr, so->sun_family);
889 ADD_STRING(dptr, so->sun_path, strlen(so->sun_path) + 1);
896 * socket family 2 bytes
898 * socket address 4 bytes
901 au_to_sock_inet32(struct sockaddr_in *so)
907 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(uint16_t) +
910 ADD_U_CHAR(dptr, AUT_SOCKINET32);
912 * BSM defines the family field as 16 bits, but many operating
913 * systems have an 8-bit sin_family field. Extend to 16 bits before
914 * writing into the token. Assume that both the port and the address
915 * in the sockaddr_in are already in network byte order, but family
916 * is in local byte order.
918 * XXXRW: Should a name space conversion be taking place on the value
921 family = so->sin_family;
922 ADD_U_INT16(dptr, family);
923 ADD_MEM(dptr, &so->sin_port, sizeof(uint16_t));
924 ADD_MEM(dptr, &so->sin_addr.s_addr, sizeof(uint32_t));
931 au_to_sock_inet128(struct sockaddr_in6 *so)
936 GET_TOKEN_AREA(t, dptr, 3 * sizeof(u_char) + sizeof(u_int16_t) +
937 4 * sizeof(u_int32_t));
939 ADD_U_CHAR(dptr, AUT_SOCKINET128);
941 * In Darwin, sin6_family is one octet, but BSM defines the token
942 * to store two. So we copy in a 0 first.
945 ADD_U_CHAR(dptr, so->sin6_family);
947 ADD_U_INT16(dptr, so->sin6_port);
948 ADD_MEM(dptr, &so->sin6_addr, 4 * sizeof(uint32_t));
955 au_to_sock_inet(struct sockaddr_in *so)
958 return (au_to_sock_inet32(so));
964 * effective user ID 4 bytes
965 * effective group ID 4 bytes
966 * real user ID 4 bytes
967 * real group ID 4 bytes
971 * port ID 4 bytes/8 bytes (32-bit/64-bit value)
972 * machine address 4 bytes
975 au_to_subject32(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
976 pid_t pid, au_asid_t sid, au_tid_t *tid)
981 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 9 * sizeof(u_int32_t));
983 ADD_U_CHAR(dptr, AUT_SUBJECT32);
984 ADD_U_INT32(dptr, auid);
985 ADD_U_INT32(dptr, euid);
986 ADD_U_INT32(dptr, egid);
987 ADD_U_INT32(dptr, ruid);
988 ADD_U_INT32(dptr, rgid);
989 ADD_U_INT32(dptr, pid);
990 ADD_U_INT32(dptr, sid);
991 ADD_U_INT32(dptr, tid->port);
992 ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t));
998 au_to_subject64(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
999 pid_t pid, au_asid_t sid, au_tid_t *tid)
1002 u_char *dptr = NULL;
1004 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 7 * sizeof(u_int32_t) +
1005 sizeof(u_int64_t) + sizeof(u_int32_t));
1007 ADD_U_CHAR(dptr, AUT_SUBJECT64);
1008 ADD_U_INT32(dptr, auid);
1009 ADD_U_INT32(dptr, euid);
1010 ADD_U_INT32(dptr, egid);
1011 ADD_U_INT32(dptr, ruid);
1012 ADD_U_INT32(dptr, rgid);
1013 ADD_U_INT32(dptr, pid);
1014 ADD_U_INT32(dptr, sid);
1015 ADD_U_INT64(dptr, tid->port);
1016 ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t));
1022 au_to_subject(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
1023 pid_t pid, au_asid_t sid, au_tid_t *tid)
1026 return (au_to_subject32(auid, euid, egid, ruid, rgid, pid, sid,
1033 * effective user ID 4 bytes
1034 * effective group ID 4 bytes
1035 * real user ID 4 bytes
1036 * real group ID 4 bytes
1037 * process ID 4 bytes
1038 * session ID 4 bytes
1040 * port ID 4 bytes/8 bytes (32-bit/64-bit value)
1041 * address type/length 4 bytes
1042 * machine address 4/16 bytes
1045 au_to_subject32_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
1046 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
1049 u_char *dptr = NULL;
1051 KASSERT((tid->at_type == AU_IPv4) || (tid->at_type == AU_IPv6),
1052 ("au_to_subject32_ex: type %u", (unsigned int)tid->at_type));
1053 if (tid->at_type == AU_IPv6)
1054 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 13 *
1057 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 10 *
1060 ADD_U_CHAR(dptr, AUT_SUBJECT32_EX);
1061 ADD_U_INT32(dptr, auid);
1062 ADD_U_INT32(dptr, euid);
1063 ADD_U_INT32(dptr, egid);
1064 ADD_U_INT32(dptr, ruid);
1065 ADD_U_INT32(dptr, rgid);
1066 ADD_U_INT32(dptr, pid);
1067 ADD_U_INT32(dptr, sid);
1068 ADD_U_INT32(dptr, tid->at_port);
1069 ADD_U_INT32(dptr, tid->at_type);
1070 if (tid->at_type == AU_IPv6)
1071 ADD_MEM(dptr, &tid->at_addr[0], 4 * sizeof(u_int32_t));
1073 ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t));
1079 au_to_subject64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
1080 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
1083 u_char *dptr = NULL;
1085 if (tid->at_type == AU_IPv4)
1086 GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
1087 7 * sizeof(u_int32_t) + sizeof(u_int64_t) +
1088 2 * sizeof(u_int32_t));
1089 else if (tid->at_type == AU_IPv6)
1090 GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
1091 7 * sizeof(u_int32_t) + sizeof(u_int64_t) +
1092 5 * sizeof(u_int32_t));
1094 panic("au_to_subject64_ex: invalid at_type (%d)",
1097 ADD_U_CHAR(dptr, AUT_SUBJECT64_EX);
1098 ADD_U_INT32(dptr, auid);
1099 ADD_U_INT32(dptr, euid);
1100 ADD_U_INT32(dptr, egid);
1101 ADD_U_INT32(dptr, ruid);
1102 ADD_U_INT32(dptr, rgid);
1103 ADD_U_INT32(dptr, pid);
1104 ADD_U_INT32(dptr, sid);
1105 ADD_U_INT64(dptr, tid->at_port);
1106 ADD_U_INT32(dptr, tid->at_type);
1107 if (tid->at_type == AU_IPv6)
1108 ADD_MEM(dptr, &tid->at_addr[0], 4 * sizeof(u_int32_t));
1110 ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t));
1116 au_to_subject_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
1117 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
1120 return (au_to_subject32_ex(auid, euid, egid, ruid, rgid, pid, sid,
1124 #if !defined(_KERNEL) && !defined(KERNEL) && defined(HAVE_AUDIT_SYSCALLS)
1126 * Collects audit information for the current process
1127 * and creates a subject token from it
1134 if (getaudit(&auinfo) != 0)
1137 return (au_to_subject32(auinfo.ai_auid, geteuid(), getegid(),
1138 getuid(), getgid(), getpid(), auinfo.ai_asid, &auinfo.ai_termid));
1142 #if defined(_KERNEL) || defined(KERNEL)
1144 au_to_exec_strings(char *strs, int count, u_char type)
1147 u_char *dptr = NULL;
1156 totlen += strlen(p) + 1;
1159 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + totlen);
1160 ADD_U_CHAR(dptr, type);
1161 ADD_U_INT32(dptr, count);
1162 ADD_STRING(dptr, strs, totlen);
1170 * text count null-terminated strings
1173 au_to_exec_args(char *args, int argc)
1176 return (au_to_exec_strings(args, argc, AUT_EXEC_ARGS));
1182 * text count null-terminated strings
1185 au_to_exec_env(char *envs, int envc)
1188 return (au_to_exec_strings(envs, envc, AUT_EXEC_ENV));
1194 * text count null-terminated strings
1197 au_to_exec_args(char **argv)
1200 u_char *dptr = NULL;
1201 const char *nextarg;
1207 while (nextarg != NULL) {
1210 nextlen = strlen(nextarg);
1211 totlen += nextlen + 1;
1213 nextarg = *(argv + count);
1216 totlen += count * sizeof(char); /* nul terminations. */
1217 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + totlen);
1219 ADD_U_CHAR(dptr, AUT_EXEC_ARGS);
1220 ADD_U_INT32(dptr, count);
1222 for (i = 0; i < count; i++) {
1223 nextarg = *(argv + i);
1224 ADD_MEM(dptr, nextarg, strlen(nextarg) + 1);
1232 * zonename length 2 bytes
1233 * zonename N bytes + 1 terminating NULL byte
1236 au_to_zonename(char *zonename)
1238 u_char *dptr = NULL;
1242 textlen = strlen(zonename);
1244 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + textlen);
1245 ADD_U_CHAR(dptr, AUT_ZONENAME);
1246 ADD_U_INT16(dptr, textlen);
1247 ADD_STRING(dptr, zonename, textlen);
1254 * text count null-terminated strings
1257 au_to_exec_env(char **envp)
1260 u_char *dptr = NULL;
1263 const char *nextenv;
1267 while (nextenv != NULL) {
1270 nextlen = strlen(nextenv);
1271 totlen += nextlen + 1;
1273 nextenv = *(envp + count);
1276 totlen += sizeof(char) * count;
1277 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + totlen);
1279 ADD_U_CHAR(dptr, AUT_EXEC_ENV);
1280 ADD_U_INT32(dptr, count);
1282 for (i = 0; i < count; i++) {
1283 nextenv = *(envp + i);
1284 ADD_MEM(dptr, nextenv, strlen(nextenv) + 1);
1293 * record byte count 4 bytes
1294 * version # 1 byte [2]
1295 * event type 2 bytes
1296 * event modifier 2 bytes
1297 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value)
1298 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value)
1301 au_to_header32_tm(int rec_size, au_event_t e_type, au_emod_t e_mod,
1305 u_char *dptr = NULL;
1308 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) +
1309 sizeof(u_char) + 2 * sizeof(u_int16_t) + 2 * sizeof(u_int32_t));
1311 ADD_U_CHAR(dptr, AUT_HEADER32);
1312 ADD_U_INT32(dptr, rec_size);
1313 ADD_U_CHAR(dptr, AUDIT_HEADER_VERSION_OPENBSM);
1314 ADD_U_INT16(dptr, e_type);
1315 ADD_U_INT16(dptr, e_mod);
1317 timems = tm.tv_usec/1000;
1318 /* Add the timestamp */
1319 ADD_U_INT32(dptr, tm.tv_sec);
1320 ADD_U_INT32(dptr, timems); /* We need time in ms. */
1326 au_to_header64_tm(int rec_size, au_event_t e_type, au_emod_t e_mod,
1330 u_char *dptr = NULL;
1333 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) +
1334 sizeof(u_char) + 2 * sizeof(u_int16_t) + 2 * sizeof(u_int64_t));
1336 ADD_U_CHAR(dptr, AUT_HEADER64);
1337 ADD_U_INT32(dptr, rec_size);
1338 ADD_U_CHAR(dptr, AUDIT_HEADER_VERSION_OPENBSM);
1339 ADD_U_INT16(dptr, e_type);
1340 ADD_U_INT16(dptr, e_mod);
1342 timems = tm.tv_usec/1000;
1343 /* Add the timestamp */
1344 ADD_U_INT64(dptr, tm.tv_sec);
1345 ADD_U_INT64(dptr, timems); /* We need time in ms. */
1352 * trailer magic number 2 bytes
1353 * record byte count 4 bytes
1356 au_to_trailer(int rec_size)
1359 u_char *dptr = NULL;
1360 u_int16_t magic = TRAILER_PAD_MAGIC;
1362 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) +
1365 ADD_U_CHAR(dptr, AUT_TRAILER);
1366 ADD_U_INT16(dptr, magic);
1367 ADD_U_INT32(dptr, rec_size);