2 * Copyright (c) 2004 Apple Inc.
3 * Copyright (c) 2005 SPARTA, Inc.
6 * This code was developed in part by Robert N. M. Watson, Senior Principal
7 * Scientist, SPARTA, Inc.
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of Apple Inc. ("Apple") nor the names of
18 * its contributors may be used to endorse or promote products derived
19 * from this software without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
25 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
29 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
30 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
31 * POSSIBILITY OF SUCH DAMAGE.
34 #include <sys/cdefs.h>
35 __FBSDID("$FreeBSD$");
37 #include <sys/types.h>
38 #include <sys/endian.h>
39 #include <sys/queue.h>
40 #include <sys/socket.h>
44 #include <sys/libkern.h>
45 #include <sys/malloc.h>
48 #include <netinet/in.h>
49 #include <netinet/in_systm.h>
50 #include <netinet/ip.h>
53 #include <bsm/audit.h>
54 #include <bsm/audit_internal.h>
55 #include <bsm/audit_record.h>
56 #include <security/audit/audit.h>
57 #include <security/audit/audit_private.h>
59 #define GET_TOKEN_AREA(t, dptr, length) do { \
60 t = malloc(sizeof(token_t), M_AUDITBSM, M_WAITOK); \
61 t->t_data = malloc(length, M_AUDITBSM, M_WAITOK | M_ZERO); \
69 * argument value 4 bytes/8 bytes (32-bit/64-bit value)
71 * text N bytes + 1 terminating NULL byte
74 au_to_arg32(char n, char *text, u_int32_t v)
80 textlen = strlen(text);
83 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int32_t) +
84 sizeof(u_int16_t) + textlen);
86 ADD_U_CHAR(dptr, AUT_ARG32);
89 ADD_U_INT16(dptr, textlen);
90 ADD_STRING(dptr, text, textlen);
97 au_to_arg64(char n, char *text, u_int64_t v)
103 textlen = strlen(text);
106 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int64_t) +
107 sizeof(u_int16_t) + textlen);
109 ADD_U_CHAR(dptr, AUT_ARG64);
111 ADD_U_INT64(dptr, v);
112 ADD_U_INT16(dptr, textlen);
113 ADD_STRING(dptr, text, textlen);
120 au_to_arg(char n, char *text, u_int32_t v)
123 return (au_to_arg32(n, text, v));
126 #if defined(_KERNEL) || defined(KERNEL)
129 * file access mode 4 bytes
130 * owner user ID 4 bytes
131 * owner group ID 4 bytes
132 * file system ID 4 bytes
134 * device 4 bytes/8 bytes (32-bit/64-bit)
137 au_to_attr32(struct vnode_au_info *vni)
141 u_int16_t pad0_16 = 0;
142 u_int16_t pad0_32 = 0;
144 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) +
145 3 * sizeof(u_int32_t) + sizeof(u_int64_t) + sizeof(u_int32_t));
147 ADD_U_CHAR(dptr, AUT_ATTR32);
150 * Darwin defines the size for the file mode
151 * as 2 bytes; BSM defines 4 so pad with 0
153 ADD_U_INT16(dptr, pad0_16);
154 ADD_U_INT16(dptr, vni->vn_mode);
156 ADD_U_INT32(dptr, vni->vn_uid);
157 ADD_U_INT32(dptr, vni->vn_gid);
158 ADD_U_INT32(dptr, vni->vn_fsid);
161 * Some systems use 32-bit file ID's, others use 64-bit file IDs.
162 * Attempt to handle both, and let the compiler sort it out. If we
163 * could pick this out at compile-time, it would be better, so as to
164 * avoid the else case below.
166 if (sizeof(vni->vn_fileid) == sizeof(uint32_t)) {
167 ADD_U_INT32(dptr, pad0_32);
168 ADD_U_INT32(dptr, vni->vn_fileid);
169 } else if (sizeof(vni->vn_fileid) == sizeof(uint64_t))
170 ADD_U_INT64(dptr, vni->vn_fileid);
172 ADD_U_INT64(dptr, 0LL);
174 ADD_U_INT32(dptr, vni->vn_dev);
180 au_to_attr64(struct vnode_au_info *vni)
184 u_int16_t pad0_16 = 0;
185 u_int16_t pad0_32 = 0;
187 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) +
188 3 * sizeof(u_int32_t) + sizeof(u_int64_t) * 2);
190 ADD_U_CHAR(dptr, AUT_ATTR64);
193 * Darwin defines the size for the file mode
194 * as 2 bytes; BSM defines 4 so pad with 0
196 ADD_U_INT16(dptr, pad0_16);
197 ADD_U_INT16(dptr, vni->vn_mode);
199 ADD_U_INT32(dptr, vni->vn_uid);
200 ADD_U_INT32(dptr, vni->vn_gid);
201 ADD_U_INT32(dptr, vni->vn_fsid);
204 * Some systems use 32-bit file ID's, other's use 64-bit file IDs.
205 * Attempt to handle both, and let the compiler sort it out. If we
206 * could pick this out at compile-time, it would be better, so as to
207 * avoid the else case below.
209 if (sizeof(vni->vn_fileid) == sizeof(uint32_t)) {
210 ADD_U_INT32(dptr, pad0_32);
211 ADD_U_INT32(dptr, vni->vn_fileid);
212 } else if (sizeof(vni->vn_fileid) == sizeof(uint64_t))
213 ADD_U_INT64(dptr, vni->vn_fileid);
215 ADD_U_INT64(dptr, 0LL);
217 ADD_U_INT64(dptr, vni->vn_dev);
223 au_to_attr(struct vnode_au_info *vni)
226 return (au_to_attr32(vni));
228 #endif /* !(defined(_KERNEL) || defined(KERNEL) */
232 * how to print 1 byte
235 * data items (depends on basic unit)
238 au_to_data(char unit_print, char unit_type, char unit_count, char *p)
242 size_t datasize, totdata;
244 /* Determine the size of the basic unit. */
248 datasize = AUR_BYTE_SIZE;
252 datasize = AUR_SHORT_SIZE;
257 datasize = AUR_INT32_SIZE;
261 datasize = AUR_INT64_SIZE;
268 totdata = datasize * unit_count;
270 GET_TOKEN_AREA(t, dptr, 4 * sizeof(u_char) + totdata);
272 ADD_U_CHAR(dptr, AUT_DATA);
273 ADD_U_CHAR(dptr, unit_print);
274 ADD_U_CHAR(dptr, unit_type);
275 ADD_U_CHAR(dptr, unit_count);
276 ADD_MEM(dptr, p, totdata);
285 * return value 4 bytes
288 au_to_exit(int retval, int err)
293 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int32_t));
295 ADD_U_CHAR(dptr, AUT_EXIT);
296 ADD_U_INT32(dptr, err);
297 ADD_U_INT32(dptr, retval);
305 au_to_groups(int *groups)
308 return (au_to_newgroups(AUDIT_MAX_GROUPS, (gid_t*)groups));
313 * number groups 2 bytes
314 * group list count * 4 bytes
317 au_to_newgroups(u_int16_t n, gid_t *groups)
323 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) +
324 n * sizeof(u_int32_t));
326 ADD_U_CHAR(dptr, AUT_NEWGROUPS);
327 ADD_U_INT16(dptr, n);
328 for (i = 0; i < n; i++)
329 ADD_U_INT32(dptr, groups[i]);
336 * internet address 4 bytes
339 au_to_in_addr(struct in_addr *internet_addr)
344 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(uint32_t));
346 ADD_U_CHAR(dptr, AUT_IN_ADDR);
347 ADD_MEM(dptr, &internet_addr->s_addr, sizeof(uint32_t));
354 * address type/length 4 bytes
358 au_to_in_addr_ex(struct in6_addr *internet_addr)
362 u_int32_t type = AU_IPv6;
364 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 5 * sizeof(uint32_t));
366 ADD_U_CHAR(dptr, AUT_IN_ADDR_EX);
367 ADD_U_INT32(dptr, type);
368 ADD_MEM(dptr, internet_addr, 4 * sizeof(uint32_t));
377 * The IP header should be submitted in network byte order.
380 au_to_ip(struct ip *ip)
385 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(struct ip));
387 ADD_U_CHAR(dptr, AUT_IP);
388 ADD_MEM(dptr, ip, sizeof(struct ip));
395 * object ID type 1 byte
399 au_to_ipc(char type, int id)
404 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int32_t));
406 ADD_U_CHAR(dptr, AUT_IPC);
407 ADD_U_CHAR(dptr, type);
408 ADD_U_INT32(dptr, id);
415 * owner user ID 4 bytes
416 * owner group ID 4 bytes
417 * creator user ID 4 bytes
418 * creator group ID 4 bytes
419 * access mode 4 bytes
420 * slot sequence # 4 bytes
424 au_to_ipc_perm(struct ipc_perm *perm)
430 GET_TOKEN_AREA(t, dptr, 12 * sizeof(u_int16_t) + sizeof(u_int32_t));
432 ADD_U_CHAR(dptr, AUT_IPC_PERM);
435 * Darwin defines the sizes for ipc_perm members
436 * as 2 bytes; BSM defines 4 so pad with 0
438 ADD_U_INT16(dptr, pad0);
439 ADD_U_INT16(dptr, perm->uid);
441 ADD_U_INT16(dptr, pad0);
442 ADD_U_INT16(dptr, perm->gid);
444 ADD_U_INT16(dptr, pad0);
445 ADD_U_INT16(dptr, perm->cuid);
447 ADD_U_INT16(dptr, pad0);
448 ADD_U_INT16(dptr, perm->cgid);
450 ADD_U_INT16(dptr, pad0);
451 ADD_U_INT16(dptr, perm->mode);
453 ADD_U_INT16(dptr, pad0);
454 ADD_U_INT16(dptr, perm->seq);
456 ADD_U_INT32(dptr, perm->key);
463 * port IP address 2 bytes
466 au_to_iport(u_int16_t iport)
471 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t));
473 ADD_U_CHAR(dptr, AUT_IPORT);
474 ADD_U_INT16(dptr, iport);
485 au_to_opaque(char *data, u_int16_t bytes)
490 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + bytes);
492 ADD_U_CHAR(dptr, AUT_OPAQUE);
493 ADD_U_INT16(dptr, bytes);
494 ADD_MEM(dptr, data, bytes);
501 * seconds of time 4 bytes
502 * milliseconds of time 4 bytes
503 * file name len 2 bytes
504 * file pathname N bytes + 1 terminating NULL byte
507 au_to_file(char *file, struct timeval tm)
514 filelen = strlen(file);
517 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int32_t) +
518 sizeof(u_int16_t) + filelen);
520 timems = tm.tv_usec/1000;
522 ADD_U_CHAR(dptr, AUT_OTHER_FILE32);
523 ADD_U_INT32(dptr, tm.tv_sec);
524 ADD_U_INT32(dptr, timems); /* We need time in ms. */
525 ADD_U_INT16(dptr, filelen);
526 ADD_STRING(dptr, file, filelen);
533 * text length 2 bytes
534 * text N bytes + 1 terminating NULL byte
537 au_to_text(char *text)
543 textlen = strlen(text);
546 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + textlen);
548 ADD_U_CHAR(dptr, AUT_TEXT);
549 ADD_U_INT16(dptr, textlen);
550 ADD_STRING(dptr, text, textlen);
557 * path length 2 bytes
558 * path N bytes + 1 terminating NULL byte
561 au_to_path(char *text)
567 textlen = strlen(text);
570 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + textlen);
572 ADD_U_CHAR(dptr, AUT_PATH);
573 ADD_U_INT16(dptr, textlen);
574 ADD_STRING(dptr, text, textlen);
582 * effective user ID 4 bytes
583 * effective group ID 4 bytes
584 * real user ID 4 bytes
585 * real group ID 4 bytes
589 * port ID 4 bytes/8 bytes (32-bit/64-bit value)
590 * machine address 4 bytes
593 au_to_process32(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
594 pid_t pid, au_asid_t sid, au_tid_t *tid)
599 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 9 * sizeof(u_int32_t));
601 ADD_U_CHAR(dptr, AUT_PROCESS32);
602 ADD_U_INT32(dptr, auid);
603 ADD_U_INT32(dptr, euid);
604 ADD_U_INT32(dptr, egid);
605 ADD_U_INT32(dptr, ruid);
606 ADD_U_INT32(dptr, rgid);
607 ADD_U_INT32(dptr, pid);
608 ADD_U_INT32(dptr, sid);
609 ADD_U_INT32(dptr, tid->port);
610 ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t));
616 au_to_process64(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
617 pid_t pid, au_asid_t sid, au_tid_t *tid)
622 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 8 * sizeof(u_int32_t) +
625 ADD_U_CHAR(dptr, AUT_PROCESS64);
626 ADD_U_INT32(dptr, auid);
627 ADD_U_INT32(dptr, euid);
628 ADD_U_INT32(dptr, egid);
629 ADD_U_INT32(dptr, ruid);
630 ADD_U_INT32(dptr, rgid);
631 ADD_U_INT32(dptr, pid);
632 ADD_U_INT32(dptr, sid);
633 ADD_U_INT64(dptr, tid->port);
634 ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t));
640 au_to_process(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
641 pid_t pid, au_asid_t sid, au_tid_t *tid)
644 return (au_to_process32(auid, euid, egid, ruid, rgid, pid, sid,
651 * effective user ID 4 bytes
652 * effective group ID 4 bytes
653 * real user ID 4 bytes
654 * real group ID 4 bytes
658 * port ID 4 bytes/8 bytes (32-bit/64-bit value)
659 * address type-len 4 bytes
660 * machine address 4/16 bytes
663 au_to_process32_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
664 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
669 KASSERT((tid->at_type == AU_IPv4) || (tid->at_type == AU_IPv6),
670 ("au_to_process32_ex: type %u", (unsigned int)tid->at_type));
671 if (tid->at_type == AU_IPv6)
672 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 13 *
675 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 10 *
678 ADD_U_CHAR(dptr, AUT_PROCESS32_EX);
679 ADD_U_INT32(dptr, auid);
680 ADD_U_INT32(dptr, euid);
681 ADD_U_INT32(dptr, egid);
682 ADD_U_INT32(dptr, ruid);
683 ADD_U_INT32(dptr, rgid);
684 ADD_U_INT32(dptr, pid);
685 ADD_U_INT32(dptr, sid);
686 ADD_U_INT32(dptr, tid->at_port);
687 ADD_U_INT32(dptr, tid->at_type);
688 if (tid->at_type == AU_IPv6)
689 ADD_MEM(dptr, &tid->at_addr[0], 4 * sizeof(u_int32_t));
691 ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t));
697 au_to_process64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
698 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
703 if (tid->at_type == AU_IPv4)
704 GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
705 7 * sizeof(u_int32_t) + sizeof(u_int64_t) +
706 2 * sizeof(u_int32_t));
707 else if (tid->at_type == AU_IPv6)
708 GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
709 7 * sizeof(u_int32_t) + sizeof(u_int64_t) +
710 5 * sizeof(u_int32_t));
712 panic("au_to_process64_ex: invalidate at_type (%d)",
715 ADD_U_CHAR(dptr, AUT_PROCESS64_EX);
716 ADD_U_INT32(dptr, auid);
717 ADD_U_INT32(dptr, euid);
718 ADD_U_INT32(dptr, egid);
719 ADD_U_INT32(dptr, ruid);
720 ADD_U_INT32(dptr, rgid);
721 ADD_U_INT32(dptr, pid);
722 ADD_U_INT32(dptr, sid);
723 ADD_U_INT64(dptr, tid->at_port);
724 ADD_U_INT32(dptr, tid->at_type);
725 ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t));
726 if (tid->at_type == AU_IPv6) {
727 ADD_MEM(dptr, &tid->at_addr[1], sizeof(u_int32_t));
728 ADD_MEM(dptr, &tid->at_addr[2], sizeof(u_int32_t));
729 ADD_MEM(dptr, &tid->at_addr[3], sizeof(u_int32_t));
736 au_to_process_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
737 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
740 return (au_to_process32_ex(auid, euid, egid, ruid, rgid, pid, sid,
746 * error status 1 byte
747 * return value 4 bytes/8 bytes (32-bit/64-bit value)
750 au_to_return32(char status, u_int32_t ret)
755 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int32_t));
757 ADD_U_CHAR(dptr, AUT_RETURN32);
758 ADD_U_CHAR(dptr, status);
759 ADD_U_INT32(dptr, ret);
765 au_to_return64(char status, u_int64_t ret)
770 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int64_t));
772 ADD_U_CHAR(dptr, AUT_RETURN64);
773 ADD_U_CHAR(dptr, status);
774 ADD_U_INT64(dptr, ret);
780 au_to_return(char status, u_int32_t ret)
783 return (au_to_return32(status, ret));
788 * sequence number 4 bytes
791 au_to_seq(long audit_count)
796 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t));
798 ADD_U_CHAR(dptr, AUT_SEQ);
799 ADD_U_INT32(dptr, audit_count);
806 * socket type 2 bytes
808 * local Internet address 4 bytes
809 * remote port 2 bytes
810 * remote Internet address 4 bytes
813 au_to_socket(struct socket *so)
821 * Kernel-specific version of the above function.
825 kau_to_socket(struct socket_au_info *soi)
831 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) +
832 sizeof(u_int32_t) + sizeof(u_int16_t) + sizeof(u_int32_t));
834 ADD_U_CHAR(dptr, AU_SOCK_TOKEN);
835 /* Coerce the socket type into a short value */
836 so_type = soi->so_type;
837 ADD_U_INT16(dptr, so_type);
838 ADD_U_INT16(dptr, soi->so_lport);
839 ADD_U_INT32(dptr, soi->so_laddr);
840 ADD_U_INT16(dptr, soi->so_rport);
841 ADD_U_INT32(dptr, soi->so_raddr);
849 * socket type 2 bytes
851 * address type/length 4 bytes
852 * local Internet address 4 bytes/16 bytes (IPv4/IPv6 address)
853 * remote port 4 bytes
854 * address type/length 4 bytes
855 * remote Internet address 4 bytes/16 bytes (IPv4/IPv6 address)
858 au_to_socket_ex_32(u_int16_t lp, u_int16_t rp, struct sockaddr *la,
866 au_to_socket_ex_128(u_int16_t lp, u_int16_t rp, struct sockaddr *la,
875 * socket family 2 bytes
879 au_to_sock_unix(struct sockaddr_un *so)
884 GET_TOKEN_AREA(t, dptr, 3 * sizeof(u_char) + strlen(so->sun_path) + 1);
886 ADD_U_CHAR(dptr, AU_SOCK_UNIX_TOKEN);
887 /* BSM token has two bytes for family */
889 ADD_U_CHAR(dptr, so->sun_family);
890 ADD_STRING(dptr, so->sun_path, strlen(so->sun_path) + 1);
897 * socket family 2 bytes
899 * socket address 4 bytes
902 au_to_sock_inet32(struct sockaddr_in *so)
908 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(uint16_t) +
911 ADD_U_CHAR(dptr, AUT_SOCKINET32);
913 * BSM defines the family field as 16 bits, but many operating
914 * systems have an 8-bit sin_family field. Extend to 16 bits before
915 * writing into the token. Assume that both the port and the address
916 * in the sockaddr_in are already in network byte order, but family
917 * is in local byte order.
919 * XXXRW: Should a name space conversion be taking place on the value
922 family = so->sin_family;
923 ADD_U_INT16(dptr, family);
924 ADD_MEM(dptr, &so->sin_port, sizeof(uint16_t));
925 ADD_MEM(dptr, &so->sin_addr.s_addr, sizeof(uint32_t));
932 au_to_sock_inet128(struct sockaddr_in6 *so)
937 GET_TOKEN_AREA(t, dptr, 3 * sizeof(u_char) + sizeof(u_int16_t) +
938 4 * sizeof(u_int32_t));
940 ADD_U_CHAR(dptr, AUT_SOCKINET128);
942 * In Darwin, sin6_family is one octet, but BSM defines the token
943 * to store two. So we copy in a 0 first.
946 ADD_U_CHAR(dptr, so->sin6_family);
948 ADD_U_INT16(dptr, so->sin6_port);
949 ADD_MEM(dptr, &so->sin6_addr, 4 * sizeof(uint32_t));
956 au_to_sock_inet(struct sockaddr_in *so)
959 return (au_to_sock_inet32(so));
965 * effective user ID 4 bytes
966 * effective group ID 4 bytes
967 * real user ID 4 bytes
968 * real group ID 4 bytes
972 * port ID 4 bytes/8 bytes (32-bit/64-bit value)
973 * machine address 4 bytes
976 au_to_subject32(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
977 pid_t pid, au_asid_t sid, au_tid_t *tid)
982 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 9 * sizeof(u_int32_t));
984 ADD_U_CHAR(dptr, AUT_SUBJECT32);
985 ADD_U_INT32(dptr, auid);
986 ADD_U_INT32(dptr, euid);
987 ADD_U_INT32(dptr, egid);
988 ADD_U_INT32(dptr, ruid);
989 ADD_U_INT32(dptr, rgid);
990 ADD_U_INT32(dptr, pid);
991 ADD_U_INT32(dptr, sid);
992 ADD_U_INT32(dptr, tid->port);
993 ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t));
999 au_to_subject64(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
1000 pid_t pid, au_asid_t sid, au_tid_t *tid)
1003 u_char *dptr = NULL;
1005 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 7 * sizeof(u_int32_t) +
1006 sizeof(u_int64_t) + sizeof(u_int32_t));
1008 ADD_U_CHAR(dptr, AUT_SUBJECT64);
1009 ADD_U_INT32(dptr, auid);
1010 ADD_U_INT32(dptr, euid);
1011 ADD_U_INT32(dptr, egid);
1012 ADD_U_INT32(dptr, ruid);
1013 ADD_U_INT32(dptr, rgid);
1014 ADD_U_INT32(dptr, pid);
1015 ADD_U_INT32(dptr, sid);
1016 ADD_U_INT64(dptr, tid->port);
1017 ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t));
1023 au_to_subject(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
1024 pid_t pid, au_asid_t sid, au_tid_t *tid)
1027 return (au_to_subject32(auid, euid, egid, ruid, rgid, pid, sid,
1034 * effective user ID 4 bytes
1035 * effective group ID 4 bytes
1036 * real user ID 4 bytes
1037 * real group ID 4 bytes
1038 * process ID 4 bytes
1039 * session ID 4 bytes
1041 * port ID 4 bytes/8 bytes (32-bit/64-bit value)
1042 * address type/length 4 bytes
1043 * machine address 4/16 bytes
1046 au_to_subject32_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
1047 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
1050 u_char *dptr = NULL;
1052 KASSERT((tid->at_type == AU_IPv4) || (tid->at_type == AU_IPv6),
1053 ("au_to_subject32_ex: type %u", (unsigned int)tid->at_type));
1054 if (tid->at_type == AU_IPv6)
1055 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 13 *
1058 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 10 *
1061 ADD_U_CHAR(dptr, AUT_SUBJECT32_EX);
1062 ADD_U_INT32(dptr, auid);
1063 ADD_U_INT32(dptr, euid);
1064 ADD_U_INT32(dptr, egid);
1065 ADD_U_INT32(dptr, ruid);
1066 ADD_U_INT32(dptr, rgid);
1067 ADD_U_INT32(dptr, pid);
1068 ADD_U_INT32(dptr, sid);
1069 ADD_U_INT32(dptr, tid->at_port);
1070 ADD_U_INT32(dptr, tid->at_type);
1071 if (tid->at_type == AU_IPv6)
1072 ADD_MEM(dptr, &tid->at_addr[0], 4 * sizeof(u_int32_t));
1074 ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t));
1080 au_to_subject64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
1081 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
1084 u_char *dptr = NULL;
1086 if (tid->at_type == AU_IPv4)
1087 GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
1088 7 * sizeof(u_int32_t) + sizeof(u_int64_t) +
1089 2 * sizeof(u_int32_t));
1090 else if (tid->at_type == AU_IPv6)
1091 GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
1092 7 * sizeof(u_int32_t) + sizeof(u_int64_t) +
1093 5 * sizeof(u_int32_t));
1095 panic("au_to_subject64_ex: invalid at_type (%d)",
1098 ADD_U_CHAR(dptr, AUT_SUBJECT64_EX);
1099 ADD_U_INT32(dptr, auid);
1100 ADD_U_INT32(dptr, euid);
1101 ADD_U_INT32(dptr, egid);
1102 ADD_U_INT32(dptr, ruid);
1103 ADD_U_INT32(dptr, rgid);
1104 ADD_U_INT32(dptr, pid);
1105 ADD_U_INT32(dptr, sid);
1106 ADD_U_INT64(dptr, tid->at_port);
1107 ADD_U_INT32(dptr, tid->at_type);
1108 if (tid->at_type == AU_IPv6)
1109 ADD_MEM(dptr, &tid->at_addr[0], 4 * sizeof(u_int32_t));
1111 ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t));
1117 au_to_subject_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
1118 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
1121 return (au_to_subject32_ex(auid, euid, egid, ruid, rgid, pid, sid,
1125 #if !defined(_KERNEL) && !defined(KERNEL) && defined(HAVE_AUDIT_SYSCALLS)
1127 * Collects audit information for the current process
1128 * and creates a subject token from it
1135 if (getaudit(&auinfo) != 0)
1138 return (au_to_subject32(auinfo.ai_auid, geteuid(), getegid(),
1139 getuid(), getgid(), getpid(), auinfo.ai_asid, &auinfo.ai_termid));
1143 #if defined(_KERNEL) || defined(KERNEL)
1145 au_to_exec_strings(char *strs, int count, u_char type)
1148 u_char *dptr = NULL;
1157 totlen += strlen(p) + 1;
1160 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + totlen);
1161 ADD_U_CHAR(dptr, type);
1162 ADD_U_INT32(dptr, count);
1163 ADD_STRING(dptr, strs, totlen);
1171 * text count null-terminated strings
1174 au_to_exec_args(char *args, int argc)
1177 return (au_to_exec_strings(args, argc, AUT_EXEC_ARGS));
1183 * text count null-terminated strings
1186 au_to_exec_env(char *envs, int envc)
1189 return (au_to_exec_strings(envs, envc, AUT_EXEC_ENV));
1195 * text count null-terminated strings
1198 au_to_exec_args(char **argv)
1201 u_char *dptr = NULL;
1202 const char *nextarg;
1208 while (nextarg != NULL) {
1211 nextlen = strlen(nextarg);
1212 totlen += nextlen + 1;
1214 nextarg = *(argv + count);
1217 totlen += count * sizeof(char); /* nul terminations. */
1218 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + totlen);
1220 ADD_U_CHAR(dptr, AUT_EXEC_ARGS);
1221 ADD_U_INT32(dptr, count);
1223 for (i = 0; i < count; i++) {
1224 nextarg = *(argv + i);
1225 ADD_MEM(dptr, nextarg, strlen(nextarg) + 1);
1233 * zonename length 2 bytes
1234 * zonename N bytes + 1 terminating NULL byte
1237 au_to_zonename(char *zonename)
1239 u_char *dptr = NULL;
1243 textlen = strlen(zonename);
1245 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + textlen);
1246 ADD_U_CHAR(dptr, AUT_ZONENAME);
1247 ADD_U_INT16(dptr, textlen);
1248 ADD_STRING(dptr, zonename, textlen);
1255 * text count null-terminated strings
1258 au_to_exec_env(char **envp)
1261 u_char *dptr = NULL;
1264 const char *nextenv;
1268 while (nextenv != NULL) {
1271 nextlen = strlen(nextenv);
1272 totlen += nextlen + 1;
1274 nextenv = *(envp + count);
1277 totlen += sizeof(char) * count;
1278 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + totlen);
1280 ADD_U_CHAR(dptr, AUT_EXEC_ENV);
1281 ADD_U_INT32(dptr, count);
1283 for (i = 0; i < count; i++) {
1284 nextenv = *(envp + i);
1285 ADD_MEM(dptr, nextenv, strlen(nextenv) + 1);
1294 * record byte count 4 bytes
1295 * version # 1 byte [2]
1296 * event type 2 bytes
1297 * event modifier 2 bytes
1298 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value)
1299 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value)
1302 au_to_header32_tm(int rec_size, au_event_t e_type, au_emod_t e_mod,
1306 u_char *dptr = NULL;
1309 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) +
1310 sizeof(u_char) + 2 * sizeof(u_int16_t) + 2 * sizeof(u_int32_t));
1312 ADD_U_CHAR(dptr, AUT_HEADER32);
1313 ADD_U_INT32(dptr, rec_size);
1314 ADD_U_CHAR(dptr, AUDIT_HEADER_VERSION_OPENBSM);
1315 ADD_U_INT16(dptr, e_type);
1316 ADD_U_INT16(dptr, e_mod);
1318 timems = tm.tv_usec/1000;
1319 /* Add the timestamp */
1320 ADD_U_INT32(dptr, tm.tv_sec);
1321 ADD_U_INT32(dptr, timems); /* We need time in ms. */
1327 au_to_header64_tm(int rec_size, au_event_t e_type, au_emod_t e_mod,
1331 u_char *dptr = NULL;
1334 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) +
1335 sizeof(u_char) + 2 * sizeof(u_int16_t) + 2 * sizeof(u_int64_t));
1337 ADD_U_CHAR(dptr, AUT_HEADER64);
1338 ADD_U_INT32(dptr, rec_size);
1339 ADD_U_CHAR(dptr, AUDIT_HEADER_VERSION_OPENBSM);
1340 ADD_U_INT16(dptr, e_type);
1341 ADD_U_INT16(dptr, e_mod);
1343 timems = tm.tv_usec/1000;
1344 /* Add the timestamp */
1345 ADD_U_INT64(dptr, tm.tv_sec);
1346 ADD_U_INT64(dptr, timems); /* We need time in ms. */
1353 * trailer magic number 2 bytes
1354 * record byte count 4 bytes
1357 au_to_trailer(int rec_size)
1360 u_char *dptr = NULL;
1361 u_int16_t magic = TRAILER_PAD_MAGIC;
1363 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) +
1366 ADD_U_CHAR(dptr, AUT_TRAILER);
1367 ADD_U_INT16(dptr, magic);
1368 ADD_U_INT32(dptr, rec_size);