2 * Copyright (c) 2004-2009 Apple Inc.
3 * Copyright (c) 2005 SPARTA, Inc.
6 * This code was developed in part by Robert N. M. Watson, Senior Principal
7 * Scientist, SPARTA, Inc.
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of Apple Inc. ("Apple") nor the names of
18 * its contributors may be used to endorse or promote products derived
19 * from this software without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
25 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
29 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
30 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
31 * POSSIBILITY OF SUCH DAMAGE.
33 * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_token.c#93 $
36 #include <sys/types.h>
38 #include <config/config.h>
39 #if defined(HAVE_SYS_ENDIAN_H) && defined(HAVE_BE32ENC)
40 #include <sys/endian.h>
41 #else /* !HAVE_SYS_ENDIAN_H || !HAVE_BE32ENC */
42 #ifdef HAVE_MACHINE_ENDIAN_H
43 #include <machine/endian.h>
44 #else /* !HAVE_MACHINE_ENDIAN_H */
47 #else /* !HAVE_ENDIAN_H */
48 #error "No supported endian.h"
49 #endif /* !HAVE_ENDIAN_H */
50 #endif /* !HAVE_MACHINE_ENDIAN_H */
51 #include <compat/endian.h>
52 #endif /* !HAVE_SYS_ENDIAN_H || !HAVE_BE32ENC */
53 #ifdef HAVE_FULL_QUEUE_H
54 #include <sys/queue.h>
55 #else /* !HAVE_FULL_QUEUE_H */
56 #include <compat/queue.h>
57 #endif /* !HAVE_FULL_QUEUE_H */
59 #include <sys/socket.h>
65 #include <netinet/in.h>
66 #include <netinet/in_systm.h>
67 #include <netinet/ip.h>
75 #include <bsm/audit_internal.h>
76 #include <bsm/libbsm.h>
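/*
 * GET_TOKEN_AREA(t, dptr, length): allocate a token_t and a zero-filled
 * data buffer of 'length' bytes for it.
 *
 * On success (t) points at the new token, (t)->len holds the buffer size and
 * (dptr) == (t)->t_data.  If either allocation fails, (t) and (dptr) are
 * both NULL and nothing is leaked, so callers only need to test (t).
 *
 * 'length' is evaluated exactly once.  Callers pass expressions that contain
 * strlen(); evaluating the argument once guarantees that the size recorded
 * in (t)->len, the size allocated and the size cleared are the same value.
 * The (t) argument is parenthesized at every use, including the t_data
 * member access.
 */
#define	GET_TOKEN_AREA(t, dptr, length) do {				\
	size_t gta_len_ = (length);					\
									\
	(t) = malloc(sizeof(token_t));					\
	if ((t) != NULL) {						\
		(t)->len = gta_len_;					\
		(dptr) = (t)->t_data = malloc(gta_len_);		\
		if ((dptr) == NULL) {					\
			free(t);					\
			(t) = NULL;					\
		} else							\
			memset((dptr), 0, gta_len_);			\
	} else								\
		(dptr) = NULL;						\
	assert((t) == NULL || (dptr) != NULL);				\
} while (0)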
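/*
 * token ID                1 byte
 * argument #              1 byte
 * argument value          4 bytes/8 bytes (32-bit/64-bit value)
 * text length             2 bytes
 * text                    N bytes + 1 terminating NUL byte
 *
 * Build a 32-bit argument token for argument number 'n' with value 'v' and
 * descriptive string 'text'.
 *
 * Returns the new token, or NULL on failure.  errno is set to EINVAL when
 * 'text' plus its terminating NUL does not fit the 16-bit length field;
 * silently truncating the length would emit a token whose text is not
 * NUL-terminated, which readers of the audit trail do not expect.
 *
 * NOTE(review): the local declarations, the NULL check after
 * GET_TOKEN_AREA and the final return follow the form used by the file's
 * other constructors -- confirm against the upstream file.
 */
token_t *
au_to_arg32(char n, const char *text, u_int32_t v)
{
	token_t *t;
	u_char *dptr = NULL;
	size_t len;
	u_int16_t textlen;

	len = strlen(text);
	if (len >= 0xffff) {
		/* len + 1 would not fit in the 16-bit length field. */
		errno = EINVAL;
		return (NULL);
	}
	textlen = (u_int16_t)(len + 1);

	GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int32_t) +
	    sizeof(u_int16_t) + textlen);
	if (t == NULL)
		return (NULL);

	ADD_U_CHAR(dptr, AUT_ARG32);
	ADD_U_CHAR(dptr, n);
	ADD_U_INT32(dptr, v);
	ADD_U_INT16(dptr, textlen);
	ADD_STRING(dptr, text, textlen);

	return (t);
}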
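/*
 * 64-bit variant of the argument token: same layout as the 32-bit token
 * except that the argument value occupies 8 bytes.
 *
 * Returns the new token, or NULL on failure.  errno is set to EINVAL when
 * 'text' plus its terminating NUL does not fit the 16-bit length field, so
 * that a wrapped length can never be written into the audit record.
 *
 * NOTE(review): the local declarations, the NULL check after
 * GET_TOKEN_AREA and the final return follow the form used by the file's
 * other constructors -- confirm against the upstream file.
 */
token_t *
au_to_arg64(char n, const char *text, u_int64_t v)
{
	token_t *t;
	u_char *dptr = NULL;
	size_t len;
	u_int16_t textlen;

	len = strlen(text);
	if (len >= 0xffff) {
		/* len + 1 would not fit in the 16-bit length field. */
		errno = EINVAL;
		return (NULL);
	}
	textlen = (u_int16_t)(len + 1);

	GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int64_t) +
	    sizeof(u_int16_t) + textlen);
	if (t == NULL)
		return (NULL);

	ADD_U_CHAR(dptr, AUT_ARG64);
	ADD_U_CHAR(dptr, n);
	ADD_U_INT64(dptr, v);
	ADD_U_INT16(dptr, textlen);
	ADD_STRING(dptr, text, textlen);

	return (t);
}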
149 au_to_arg(char n, const char *text, u_int32_t v)
152 return (au_to_arg32(n, text, v));
155 #if defined(_KERNEL) || defined(KERNEL)
158 * file access mode 4 bytes
159 * owner user ID 4 bytes
160 * owner group ID 4 bytes
161 * file system ID 4 bytes
163 * device 4 bytes/8 bytes (32-bit/64-bit)
166 au_to_attr32(struct vnode_au_info *vni)
170 u_int16_t pad0_16 = 0;
171 u_int32_t pad0_32 = 0;
173 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) +
174 3 * sizeof(u_int32_t) + sizeof(u_int64_t) + sizeof(u_int32_t));
178 ADD_U_CHAR(dptr, AUT_ATTR32);
181 * BSD defines the size for the file mode as 2 bytes; BSM defines 4
184 * XXXRW: Possibly should be conditionally compiled.
186 * XXXRW: Should any conversions take place on the mode?
188 ADD_U_INT16(dptr, pad0_16);
189 ADD_U_INT16(dptr, vni->vn_mode);
191 ADD_U_INT32(dptr, vni->vn_uid);
192 ADD_U_INT32(dptr, vni->vn_gid);
193 ADD_U_INT32(dptr, vni->vn_fsid);
196 * Some systems use 32-bit file ID's, others use 64-bit file IDs.
197 * Attempt to handle both, and let the compiler sort it out. If we
198 * could pick this out at compile-time, it would be better, so as to
199 * avoid the else case below.
201 if (sizeof(vni->vn_fileid) == sizeof(uint32_t)) {
202 ADD_U_INT32(dptr, pad0_32);
203 ADD_U_INT32(dptr, vni->vn_fileid);
204 } else if (sizeof(vni->vn_fileid) == sizeof(uint64_t))
205 ADD_U_INT64(dptr, vni->vn_fileid);
207 ADD_U_INT64(dptr, 0LL);
209 ADD_U_INT32(dptr, vni->vn_dev);
215 au_to_attr64(struct vnode_au_info *vni)
219 u_int16_t pad0_16 = 0;
220 u_int32_t pad0_32 = 0;
222 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) +
223 3 * sizeof(u_int32_t) + sizeof(u_int64_t) * 2);
227 ADD_U_CHAR(dptr, AUT_ATTR64);
230 * BSD defines the size for the file mode as 2 bytes; BSM defines 4
233 * XXXRW: Possibly should be conditionally compiled.
235 * XXXRW: Should any conversions take place on the mode?
237 ADD_U_INT16(dptr, pad0_16);
238 ADD_U_INT16(dptr, vni->vn_mode);
240 ADD_U_INT32(dptr, vni->vn_uid);
241 ADD_U_INT32(dptr, vni->vn_gid);
242 ADD_U_INT32(dptr, vni->vn_fsid);
245 * Some systems use 32-bit file IDs, others use 64-bit file IDs.
246 * Attempt to handle both, and let the compiler sort it out. If we
247 * could pick this out at compile-time, it would be better, so as to
248 * avoid the else case below.
250 if (sizeof(vni->vn_fileid) == sizeof(uint32_t)) {
251 ADD_U_INT32(dptr, pad0_32);
252 ADD_U_INT32(dptr, vni->vn_fileid);
253 } else if (sizeof(vni->vn_fileid) == sizeof(uint64_t))
254 ADD_U_INT64(dptr, vni->vn_fileid);
256 ADD_U_INT64(dptr, 0LL);
258 ADD_U_INT64(dptr, vni->vn_dev);
264 au_to_attr(struct vnode_au_info *vni)
267 return (au_to_attr32(vni));
269 #endif /* !(defined(_KERNEL) || defined(KERNEL) */
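/*
 * token ID                1 byte
 * how to print            1 byte
 * basic unit              1 byte
 * unit count              1 byte
 * data items              (depends on basic unit)
 *
 * Build an arbitrary-data token holding 'unit_count' items of the basic
 * unit selected by 'unit_type', copied from 'p'.
 *
 * Returns the new token, or NULL on failure (errno is EINVAL for an unknown
 * unit type).
 *
 * NOTE(review): the switch labels, the default branch and the trailing
 * NULL check/return follow the form used elsewhere in the file -- confirm
 * against the upstream file.
 */
token_t *
au_to_data(char unit_print, char unit_type, char unit_count, const char *p)
{
	token_t *t;
	u_char *dptr = NULL;
	size_t datasize, totdata;

	/* Determine the size of the basic unit. */
	switch (unit_type) {
	case AUR_BYTE:
		datasize = AUR_BYTE_SIZE;
		break;

	case AUR_SHORT:
		datasize = AUR_SHORT_SIZE;
		break;

	case AUR_INT32:
		datasize = AUR_INT32_SIZE;
		break;

	case AUR_INT64:
		datasize = AUR_INT64_SIZE;
		break;

	default:
		errno = EINVAL;
		return (NULL);
	}

	/*
	 * The count field on the wire is one unsigned byte, but the parameter
	 * is a plain char, which is signed on many platforms.  Interpret it
	 * as unsigned before sizing the buffer: a negative char converted
	 * straight to size_t becomes a huge value, the "4 + totdata"
	 * allocation size can then wrap to a few bytes, and the copy below
	 * would run past the end of that allocation.  With the cast the
	 * payload is bounded by 255 units and always matches the count byte
	 * written into the token.
	 */
	totdata = datasize * (u_char)unit_count;

	GET_TOKEN_AREA(t, dptr, 4 * sizeof(u_char) + totdata);
	if (t == NULL)
		return (NULL);

	/*
	 * XXXRW: We should be byte-swapping each data item for multi-byte
	 * types.
	 */
	ADD_U_CHAR(dptr, AUT_DATA);
	ADD_U_CHAR(dptr, unit_print);
	ADD_U_CHAR(dptr, unit_type);
	ADD_U_CHAR(dptr, unit_count);
	ADD_MEM(dptr, p, totdata);

	return (t);
}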
333 * return value 4 bytes
336 au_to_exit(int retval, int err)
341 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int32_t));
345 ADD_U_CHAR(dptr, AUT_EXIT);
346 ADD_U_INT32(dptr, err);
347 ADD_U_INT32(dptr, retval);
355 au_to_groups(int *groups)
358 return (au_to_newgroups(AUDIT_MAX_GROUPS, (gid_t *)groups));
363 * number groups 2 bytes
364 * group list count * 4 bytes
367 au_to_newgroups(u_int16_t n, gid_t *groups)
373 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) +
374 n * sizeof(u_int32_t));
378 ADD_U_CHAR(dptr, AUT_NEWGROUPS);
379 ADD_U_INT16(dptr, n);
380 for (i = 0; i < n; i++)
381 ADD_U_INT32(dptr, groups[i]);
388 * internet address 4 bytes
391 au_to_in_addr(struct in_addr *internet_addr)
396 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(uint32_t));
400 ADD_U_CHAR(dptr, AUT_IN_ADDR);
401 ADD_MEM(dptr, &internet_addr->s_addr, sizeof(uint32_t));
408 * address type/length 4 bytes
412 au_to_in_addr_ex(struct in6_addr *internet_addr)
416 u_int32_t type = AU_IPv6;
418 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 5 * sizeof(uint32_t));
422 ADD_U_CHAR(dptr, AUT_IN_ADDR_EX);
423 ADD_U_INT32(dptr, type);
424 ADD_MEM(dptr, internet_addr, 4 * sizeof(uint32_t));
433 * The IP header should be submitted in network byte order.
436 au_to_ip(struct ip *ip)
441 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(struct ip));
445 ADD_U_CHAR(dptr, AUT_IP);
446 ADD_MEM(dptr, ip, sizeof(struct ip));
453 * object ID type 1 byte
457 au_to_ipc(char type, int id)
462 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int32_t));
466 ADD_U_CHAR(dptr, AUT_IPC);
467 ADD_U_CHAR(dptr, type);
468 ADD_U_INT32(dptr, id);
475 * owner user ID 4 bytes
476 * owner group ID 4 bytes
477 * creator user ID 4 bytes
478 * creator group ID 4 bytes
479 * access mode 4 bytes
480 * slot sequence # 4 bytes
484 au_to_ipc_perm(struct ipc_perm *perm)
490 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 12 * sizeof(u_int16_t) +
495 ADD_U_CHAR(dptr, AUT_IPC_PERM);
498 * Systems vary significantly in what types they use in struct
499 * ipc_perm; at least a few still use 16-bit uid's and gid's, so
500 * allow for that, as BSM defines 32-bit values here.
501 * Some systems define the sizes for ipc_perm members as 2 bytes;
502 * BSM defines 4 so pad with 0.
504 * XXXRW: Possibly should be conditionally compiled, and more cases
505 * need to be handled.
507 if (sizeof(perm->uid) != sizeof(u_int32_t)) {
508 ADD_U_INT16(dptr, pad0);
509 ADD_U_INT16(dptr, perm->uid);
510 ADD_U_INT16(dptr, pad0);
511 ADD_U_INT16(dptr, perm->gid);
512 ADD_U_INT16(dptr, pad0);
513 ADD_U_INT16(dptr, perm->cuid);
514 ADD_U_INT16(dptr, pad0);
515 ADD_U_INT16(dptr, perm->cgid);
517 ADD_U_INT32(dptr, perm->uid);
518 ADD_U_INT32(dptr, perm->gid);
519 ADD_U_INT32(dptr, perm->cuid);
520 ADD_U_INT32(dptr, perm->cgid);
523 ADD_U_INT16(dptr, pad0);
524 ADD_U_INT16(dptr, perm->mode);
526 ADD_U_INT16(dptr, pad0);
528 #ifdef HAVE_IPC_PERM___SEQ
529 ADD_U_INT16(dptr, perm->__seq);
530 #else /* HAVE_IPC_PERM___SEQ */
531 #ifdef HAVE_IPC_PERM__SEQ
532 ADD_U_INT16(dptr, perm->_seq);
533 #else /* HAVE_IPC_PERM__SEQ */
534 ADD_U_INT16(dptr, perm->seq);
535 #endif /* HAVE_IPC_PERM__SEQ */
536 #endif /* HAVE_IPC_PERM___SEQ */
538 #ifdef HAVE_IPC_PERM___KEY
539 ADD_U_INT32(dptr, perm->__key);
540 #else /* HAVE_IPC_PERM___KEY */
541 #ifdef HAVE_IPC_PERM__KEY
542 ADD_U_INT32(dptr, perm->_key);
543 #else /* HAVE_IPC_PERM__KEY */
544 ADD_U_INT32(dptr, perm->key);
545 #endif /* HAVE_IPC_PERM__KEY */
546 #endif /* HAVE_IPC_PERM___KEY */
553 * port IP address 2 bytes
556 au_to_iport(u_int16_t iport)
561 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t));
565 ADD_U_CHAR(dptr, AUT_IPORT);
566 ADD_U_INT16(dptr, iport);
577 au_to_opaque(const char *data, u_int16_t bytes)
582 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + bytes);
586 ADD_U_CHAR(dptr, AUT_OPAQUE);
587 ADD_U_INT16(dptr, bytes);
588 ADD_MEM(dptr, data, bytes);
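/*
 * token ID                1 byte
 * seconds of time         4 bytes
 * milliseconds of time    4 bytes
 * file name len           2 bytes
 * file pathname           N bytes + 1 terminating NUL byte
 *
 * Build a file token naming 'file' and stamped with 'tm'.
 *
 * Returns the new token, or NULL on failure.  errno is set to EINVAL when
 * 'file' plus its terminating NUL does not fit the 16-bit length field;
 * a wrapped length would produce a token whose pathname is cut short and
 * not NUL-terminated.
 *
 * NOTE(review): the local declarations, the NULL check after
 * GET_TOKEN_AREA and the final return follow the form used by the file's
 * other constructors -- confirm against the upstream file.
 */
token_t *
au_to_file(const char *file, struct timeval tm)
{
	token_t *t;
	u_char *dptr = NULL;
	size_t len;
	u_int16_t filelen;
	u_int32_t timems;

	len = strlen(file);
	if (len >= 0xffff) {
		/* len + 1 would not fit in the 16-bit length field. */
		errno = EINVAL;
		return (NULL);
	}
	filelen = (u_int16_t)(len + 1);

	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int32_t) +
	    sizeof(u_int16_t) + filelen);
	if (t == NULL)
		return (NULL);

	timems = tm.tv_usec/1000;

	ADD_U_CHAR(dptr, AUT_OTHER_FILE32);
	ADD_U_INT32(dptr, tm.tv_sec);
	ADD_U_INT32(dptr, timems);	/* We need time in ms. */
	ADD_U_INT16(dptr, filelen);
	ADD_STRING(dptr, file, filelen);

	return (t);
}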
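/*
 * token ID                1 byte
 * text length             2 bytes
 * text                    N bytes + 1 terminating NUL byte
 *
 * Build a text token carrying 'text'.
 *
 * Returns the new token, or NULL on failure.  The length is validated
 * against the 16-bit length field before anything is allocated: errno is
 * set to EINVAL when 'text' plus its terminating NUL does not fit.  Without
 * the check the length wraps modulo 65536 and the token carries a
 * truncated, unterminated string.
 *
 * NOTE(review): the local declarations, the NULL check after
 * GET_TOKEN_AREA and the final return follow the form used by the file's
 * other constructors -- confirm against the upstream file.
 */
token_t *
au_to_text(const char *text)
{
	token_t *t;
	u_char *dptr = NULL;
	size_t len;
	u_int16_t textlen;

	len = strlen(text);
	if (len >= 0xffff) {
		/* len + 1 would not fit in the 16-bit length field. */
		errno = EINVAL;
		return (NULL);
	}
	textlen = (u_int16_t)(len + 1);

	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + textlen);
	if (t == NULL)
		return (NULL);

	ADD_U_CHAR(dptr, AUT_TEXT);
	ADD_U_INT16(dptr, textlen);
	ADD_STRING(dptr, text, textlen);

	return (t);
}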
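/*
 * token ID                1 byte
 * path length             2 bytes
 * path                    N bytes + 1 terminating NUL byte
 *
 * Build a path token carrying 'text'.
 *
 * Returns the new token, or NULL on failure.  errno is set to EINVAL when
 * the path plus its terminating NUL does not fit the 16-bit length field,
 * so an over-long path is rejected instead of being recorded with a
 * wrapped length and no terminator.
 *
 * NOTE(review): the local declarations, the NULL check after
 * GET_TOKEN_AREA and the final return follow the form used by the file's
 * other constructors -- confirm against the upstream file.
 */
token_t *
au_to_path(const char *text)
{
	token_t *t;
	u_char *dptr = NULL;
	size_t len;
	u_int16_t textlen;

	len = strlen(text);
	if (len >= 0xffff) {
		/* len + 1 would not fit in the 16-bit length field. */
		errno = EINVAL;
		return (NULL);
	}
	textlen = (u_int16_t)(len + 1);

	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + textlen);
	if (t == NULL)
		return (NULL);

	ADD_U_CHAR(dptr, AUT_PATH);
	ADD_U_INT16(dptr, textlen);
	ADD_STRING(dptr, text, textlen);

	return (t);
}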
684 * effective user ID 4 bytes
685 * effective group ID 4 bytes
686 * real user ID 4 bytes
687 * real group ID 4 bytes
691 * port ID 4 bytes/8 bytes (32-bit/64-bit value)
692 * machine address 4 bytes
695 au_to_process32(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
696 pid_t pid, au_asid_t sid, au_tid_t *tid)
701 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 9 * sizeof(u_int32_t));
705 ADD_U_CHAR(dptr, AUT_PROCESS32);
706 ADD_U_INT32(dptr, auid);
707 ADD_U_INT32(dptr, euid);
708 ADD_U_INT32(dptr, egid);
709 ADD_U_INT32(dptr, ruid);
710 ADD_U_INT32(dptr, rgid);
711 ADD_U_INT32(dptr, pid);
712 ADD_U_INT32(dptr, sid);
713 ADD_U_INT32(dptr, tid->port);
716 * Note: Solaris will write out IPv6 addresses here as a 32-bit
717 * address type and 16 bytes of address, but for IPv4 addresses it
718 * simply writes the 4-byte address directly. We support only IPv4
719 * addresses for process32 tokens.
721 ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t));
727 au_to_process64(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
728 pid_t pid, au_asid_t sid, au_tid_t *tid)
733 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 8 * sizeof(u_int32_t) +
738 ADD_U_CHAR(dptr, AUT_PROCESS64);
739 ADD_U_INT32(dptr, auid);
740 ADD_U_INT32(dptr, euid);
741 ADD_U_INT32(dptr, egid);
742 ADD_U_INT32(dptr, ruid);
743 ADD_U_INT32(dptr, rgid);
744 ADD_U_INT32(dptr, pid);
745 ADD_U_INT32(dptr, sid);
746 ADD_U_INT64(dptr, tid->port);
749 * Note: Solaris will write out IPv6 addresses here as a 32-bit
750 * address type and 16 bytes of address, but for IPv4 addresses it
751 * simply writes the 4-byte address directly. We support only IPv4
752 * addresses for process64 tokens.
754 ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t));
760 au_to_process(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
761 pid_t pid, au_asid_t sid, au_tid_t *tid)
764 return (au_to_process32(auid, euid, egid, ruid, rgid, pid, sid,
771 * effective user ID 4 bytes
772 * effective group ID 4 bytes
773 * real user ID 4 bytes
774 * real group ID 4 bytes
778 * port ID 4 bytes/8 bytes (32-bit/64-bit value)
779 * address type-len 4 bytes
780 * machine address 16 bytes
783 au_to_process32_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
784 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
789 if (tid->at_type == AU_IPv4)
790 GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
791 10 * sizeof(u_int32_t));
792 else if (tid->at_type == AU_IPv6)
793 GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
794 13 * sizeof(u_int32_t));
802 ADD_U_CHAR(dptr, AUT_PROCESS32_EX);
803 ADD_U_INT32(dptr, auid);
804 ADD_U_INT32(dptr, euid);
805 ADD_U_INT32(dptr, egid);
806 ADD_U_INT32(dptr, ruid);
807 ADD_U_INT32(dptr, rgid);
808 ADD_U_INT32(dptr, pid);
809 ADD_U_INT32(dptr, sid);
810 ADD_U_INT32(dptr, tid->at_port);
811 ADD_U_INT32(dptr, tid->at_type);
812 ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t));
813 if (tid->at_type == AU_IPv6) {
814 ADD_MEM(dptr, &tid->at_addr[1], sizeof(u_int32_t));
815 ADD_MEM(dptr, &tid->at_addr[2], sizeof(u_int32_t));
816 ADD_MEM(dptr, &tid->at_addr[3], sizeof(u_int32_t));
823 au_to_process64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
824 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
829 if (tid->at_type == AU_IPv4)
830 GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
831 7 * sizeof(u_int32_t) + sizeof(u_int64_t) +
832 2 * sizeof(u_int32_t));
833 else if (tid->at_type == AU_IPv6)
834 GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
835 7 * sizeof(u_int32_t) + sizeof(u_int64_t) +
836 5 * sizeof(u_int32_t));
844 ADD_U_CHAR(dptr, AUT_PROCESS64_EX);
845 ADD_U_INT32(dptr, auid);
846 ADD_U_INT32(dptr, euid);
847 ADD_U_INT32(dptr, egid);
848 ADD_U_INT32(dptr, ruid);
849 ADD_U_INT32(dptr, rgid);
850 ADD_U_INT32(dptr, pid);
851 ADD_U_INT32(dptr, sid);
852 ADD_U_INT64(dptr, tid->at_port);
853 ADD_U_INT32(dptr, tid->at_type);
854 ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t));
855 if (tid->at_type == AU_IPv6) {
856 ADD_MEM(dptr, &tid->at_addr[1], sizeof(u_int32_t));
857 ADD_MEM(dptr, &tid->at_addr[2], sizeof(u_int32_t));
858 ADD_MEM(dptr, &tid->at_addr[3], sizeof(u_int32_t));
865 au_to_process_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
866 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
869 return (au_to_process32_ex(auid, euid, egid, ruid, rgid, pid, sid,
875 * error status 1 byte
876 * return value 4 bytes/8 bytes (32-bit/64-bit value)
879 au_to_return32(char status, u_int32_t ret)
884 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int32_t));
888 ADD_U_CHAR(dptr, AUT_RETURN32);
889 ADD_U_CHAR(dptr, status);
890 ADD_U_INT32(dptr, ret);
896 au_to_return64(char status, u_int64_t ret)
901 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int64_t));
905 ADD_U_CHAR(dptr, AUT_RETURN64);
906 ADD_U_CHAR(dptr, status);
907 ADD_U_INT64(dptr, ret);
913 au_to_return(char status, u_int32_t ret)
916 return (au_to_return32(status, ret));
921 * sequence number 4 bytes
924 au_to_seq(long audit_count)
929 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t));
933 ADD_U_CHAR(dptr, AUT_SEQ);
934 ADD_U_INT32(dptr, audit_count);
941 * socket domain 2 bytes
942 * socket type 2 bytes
943 * address type 2 bytes
945 * local address 4 bytes/16 bytes (IPv4/IPv6 address)
946 * remote port 2 bytes
947 * remote address 4 bytes/16 bytes (IPv4/IPv6 address)
949 * Domain and type arguments to this routine are assumed to already have been
950 * converted to the BSM constant space, so we don't do that here.
953 au_to_socket_ex(u_short so_domain, u_short so_type,
954 struct sockaddr *sa_local, struct sockaddr *sa_remote)
958 struct sockaddr_in *sin;
959 struct sockaddr_in6 *sin6;
961 if (so_domain == AF_INET)
962 GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
963 5 * sizeof(u_int16_t) + 2 * sizeof(u_int32_t));
964 else if (so_domain == AF_INET6)
965 GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
966 5 * sizeof(u_int16_t) + 8 * sizeof(u_int32_t));
972 ADD_U_CHAR(dptr, AUT_SOCKET_EX);
973 ADD_U_INT16(dptr, au_domain_to_bsm(so_domain));
974 ADD_U_INT16(dptr, au_socket_type_to_bsm(so_type));
975 if (so_domain == AF_INET) {
976 ADD_U_INT16(dptr, AU_IPv4);
977 sin = (struct sockaddr_in *)sa_local;
978 ADD_MEM(dptr, &sin->sin_port, sizeof(uint16_t));
979 ADD_MEM(dptr, &sin->sin_addr.s_addr, sizeof(uint32_t));
980 sin = (struct sockaddr_in *)sa_remote;
981 ADD_MEM(dptr, &sin->sin_port, sizeof(uint16_t));
982 ADD_MEM(dptr, &sin->sin_addr.s_addr, sizeof(uint32_t));
984 ADD_U_INT16(dptr, AU_IPv6);
985 sin6 = (struct sockaddr_in6 *)sa_local;
986 ADD_MEM(dptr, &sin6->sin6_port, sizeof(uint16_t));
987 ADD_MEM(dptr, &sin6->sin6_addr, 4 * sizeof(uint32_t));
988 sin6 = (struct sockaddr_in6 *)sa_remote;
989 ADD_MEM(dptr, &sin6->sin6_port, sizeof(uint16_t));
990 ADD_MEM(dptr, &sin6->sin6_addr, 4 * sizeof(uint32_t));
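/*
 * token ID                1 byte
 * socket family           2 bytes
 * path                    (up to) 104 bytes + NUL (NUL-terminated string)
 *
 * Build a UNIX-domain socket token from 'so'.
 *
 * The path length is found with a scan bounded by sizeof(so->sun_path)
 * rather than strlen(): a sockaddr_un whose sun_path is completely filled
 * has no terminating NUL inside the array, and an unbounded scan would read
 * past the structure and copy adjacent memory into the audit record.  The
 * terminator is written explicitly, so the token is NUL-terminated either
 * way.
 *
 * Returns the new token, or NULL if allocation fails.
 *
 * NOTE(review): the local declarations, the NULL check after
 * GET_TOKEN_AREA and the final return follow the form used by the file's
 * other constructors -- confirm against the upstream file.
 */
token_t *
au_to_sock_unix(struct sockaddr_un *so)
{
	token_t *t;
	u_char *dptr = NULL;
	const char *nul;
	size_t pathlen;

	nul = memchr(so->sun_path, '\0', sizeof(so->sun_path));
	if (nul != NULL)
		pathlen = (size_t)(nul - so->sun_path);
	else
		pathlen = sizeof(so->sun_path);

	GET_TOKEN_AREA(t, dptr, 3 * sizeof(u_char) + pathlen + 1);
	if (t == NULL)
		return (NULL);

	ADD_U_CHAR(dptr, AUT_SOCKUNIX);
	/* BSM token has two bytes for family */
	ADD_U_CHAR(dptr, 0);
	ADD_U_CHAR(dptr, so->sun_family);
	ADD_STRING(dptr, so->sun_path, pathlen);
	ADD_U_CHAR(dptr, '\0');

	return (t);
}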
1022 * socket family 2 bytes
1023 * local port 2 bytes
1024 * socket address 4 bytes
1027 au_to_sock_inet32(struct sockaddr_in *so)
1030 u_char *dptr = NULL;
1033 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(uint16_t) +
1038 ADD_U_CHAR(dptr, AUT_SOCKINET32);
1040 * BSM defines the family field as 16 bits, but many operating
1041 * systems have an 8-bit sin_family field. Extend to 16 bits before
1042 * writing into the token. Assume that both the port and the address
1043 * in the sockaddr_in are already in network byte order, but family
1044 * is in local byte order.
1046 * XXXRW: Should a name space conversion be taking place on the value
1049 family = so->sin_family;
1050 ADD_U_INT16(dptr, family);
1051 ADD_MEM(dptr, &so->sin_port, sizeof(uint16_t));
1052 ADD_MEM(dptr, &so->sin_addr.s_addr, sizeof(uint32_t));
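/*
 * token ID                1 byte
 * socket family           2 bytes
 * local port              2 bytes
 * socket address          16 bytes
 *
 * Build an IPv6 socket token from 'so'.
 *
 * Returns the new token, or NULL if allocation fails.
 *
 * NOTE(review): the NULL check after GET_TOKEN_AREA and the final return
 * follow the form used by the file's other constructors -- confirm against
 * the upstream file.
 */
token_t *
au_to_sock_inet128(struct sockaddr_in6 *so)
{
	token_t *t;
	u_char *dptr = NULL;

	GET_TOKEN_AREA(t, dptr, 3 * sizeof(u_char) + sizeof(u_int16_t) +
	    4 * sizeof(u_int32_t));
	if (t == NULL)
		return (NULL);

	ADD_U_CHAR(dptr, AUT_SOCKINET128);
	/*
	 * In BSD, sin6_family is one octet, but BSM defines the token to
	 * store two.  So we copy in a 0 first.  XXXRW: Possibly should be
	 * conditionally compiled.
	 */
	ADD_U_CHAR(dptr, 0);
	ADD_U_CHAR(dptr, so->sin6_family);

	/*
	 * sin6_port is already in network byte order, so copy it verbatim,
	 * as au_to_sock_inet32() and au_to_socket_ex() do for their ports.
	 * Passing it through ADD_U_INT16 would apply a second host-to-network
	 * conversion and record a byte-swapped port on little-endian hosts.
	 * NOTE(review): assumes ADD_U_INT16 encodes big-endian and that the
	 * token reader takes the port as raw bytes -- confirm in
	 * audit_internal.h and the record parser.
	 */
	ADD_MEM(dptr, &so->sin6_port, sizeof(uint16_t));
	ADD_MEM(dptr, &so->sin6_addr, 4 * sizeof(uint32_t));

	return (t);
}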
1084 au_to_sock_inet(struct sockaddr_in *so)
1087 return (au_to_sock_inet32(so));
1093 * effective user ID 4 bytes
1094 * effective group ID 4 bytes
1095 * real user ID 4 bytes
1096 * real group ID 4 bytes
1097 * process ID 4 bytes
1098 * session ID 4 bytes
1100 * port ID 4 bytes/8 bytes (32-bit/64-bit value)
1101 * machine address 4 bytes
1104 au_to_subject32(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
1105 pid_t pid, au_asid_t sid, au_tid_t *tid)
1108 u_char *dptr = NULL;
1110 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 9 * sizeof(u_int32_t));
1114 ADD_U_CHAR(dptr, AUT_SUBJECT32);
1115 ADD_U_INT32(dptr, auid);
1116 ADD_U_INT32(dptr, euid);
1117 ADD_U_INT32(dptr, egid);
1118 ADD_U_INT32(dptr, ruid);
1119 ADD_U_INT32(dptr, rgid);
1120 ADD_U_INT32(dptr, pid);
1121 ADD_U_INT32(dptr, sid);
1122 ADD_U_INT32(dptr, tid->port);
1123 ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t));
1129 au_to_subject64(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
1130 pid_t pid, au_asid_t sid, au_tid_t *tid)
1133 u_char *dptr = NULL;
1135 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 7 * sizeof(u_int32_t) +
1136 sizeof(u_int64_t) + sizeof(u_int32_t));
1140 ADD_U_CHAR(dptr, AUT_SUBJECT64);
1141 ADD_U_INT32(dptr, auid);
1142 ADD_U_INT32(dptr, euid);
1143 ADD_U_INT32(dptr, egid);
1144 ADD_U_INT32(dptr, ruid);
1145 ADD_U_INT32(dptr, rgid);
1146 ADD_U_INT32(dptr, pid);
1147 ADD_U_INT32(dptr, sid);
1148 ADD_U_INT64(dptr, tid->port);
1149 ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t));
1155 au_to_subject(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
1156 pid_t pid, au_asid_t sid, au_tid_t *tid)
1159 return (au_to_subject32(auid, euid, egid, ruid, rgid, pid, sid,
1166 * effective user ID 4 bytes
1167 * effective group ID 4 bytes
1168 * real user ID 4 bytes
1169 * real group ID 4 bytes
1170 * process ID 4 bytes
1171 * session ID 4 bytes
1173 * port ID 4 bytes/8 bytes (32-bit/64-bit value)
1174 * address type/length 4 bytes
1175 * machine address 16 bytes
1178 au_to_subject32_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
1179 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
1182 u_char *dptr = NULL;
1184 if (tid->at_type == AU_IPv4)
1185 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 10 *
1187 else if (tid->at_type == AU_IPv6)
1188 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 13 *
1197 ADD_U_CHAR(dptr, AUT_SUBJECT32_EX);
1198 ADD_U_INT32(dptr, auid);
1199 ADD_U_INT32(dptr, euid);
1200 ADD_U_INT32(dptr, egid);
1201 ADD_U_INT32(dptr, ruid);
1202 ADD_U_INT32(dptr, rgid);
1203 ADD_U_INT32(dptr, pid);
1204 ADD_U_INT32(dptr, sid);
1205 ADD_U_INT32(dptr, tid->at_port);
1206 ADD_U_INT32(dptr, tid->at_type);
1207 if (tid->at_type == AU_IPv6)
1208 ADD_MEM(dptr, &tid->at_addr[0], 4 * sizeof(u_int32_t));
1210 ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t));
1216 au_to_subject64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
1217 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
1220 u_char *dptr = NULL;
1222 if (tid->at_type == AU_IPv4)
1223 GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
1224 7 * sizeof(u_int32_t) + sizeof(u_int64_t) +
1225 2 * sizeof(u_int32_t));
1226 else if (tid->at_type == AU_IPv6)
1227 GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
1228 7 * sizeof(u_int32_t) + sizeof(u_int64_t) +
1229 5 * sizeof(u_int32_t));
1237 ADD_U_CHAR(dptr, AUT_SUBJECT64_EX);
1238 ADD_U_INT32(dptr, auid);
1239 ADD_U_INT32(dptr, euid);
1240 ADD_U_INT32(dptr, egid);
1241 ADD_U_INT32(dptr, ruid);
1242 ADD_U_INT32(dptr, rgid);
1243 ADD_U_INT32(dptr, pid);
1244 ADD_U_INT32(dptr, sid);
1245 ADD_U_INT64(dptr, tid->at_port);
1246 ADD_U_INT32(dptr, tid->at_type);
1247 if (tid->at_type == AU_IPv6)
1248 ADD_MEM(dptr, &tid->at_addr[0], 4 * sizeof(u_int32_t));
1250 ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t));
1256 au_to_subject_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
1257 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
1260 return (au_to_subject32_ex(auid, euid, egid, ruid, rgid, pid, sid,
1264 #if !defined(_KERNEL) && !defined(KERNEL) && defined(HAVE_AUDIT_SYSCALLS)
1266 * Collects audit information for the current process and creates a subject
1273 auditinfo_addr_t aia;
1276 * Try to use getaudit_addr(2) first. If this kernel does not support
1277 * it, then fall back on to getaudit(2).
1279 if (getaudit_addr(&aia, sizeof(aia)) != 0) {
1280 if (errno == ENOSYS) {
1281 if (getaudit(&auinfo) != 0)
1283 return (au_to_subject32(auinfo.ai_auid, geteuid(),
1284 getegid(), getuid(), getgid(), getpid(),
1285 auinfo.ai_asid, &auinfo.ai_termid));
1287 /* getaudit_addr(2) failed for some other reason. */
1292 return (au_to_subject32_ex(aia.ai_auid, geteuid(), getegid(), getuid(),
1293 getgid(), getpid(), aia.ai_asid, &aia.ai_termid));
1300 * text count null-terminated strings
1303 au_to_exec_args(char **argv)
1306 u_char *dptr = NULL;
1307 const char *nextarg;
1313 while (nextarg != NULL) {
1316 nextlen = strlen(nextarg);
1317 totlen += nextlen + 1;
1319 nextarg = *(argv + count);
1322 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + totlen);
1326 ADD_U_CHAR(dptr, AUT_EXEC_ARGS);
1327 ADD_U_INT32(dptr, count);
1329 for (i = 0; i < count; i++) {
1330 nextarg = *(argv + i);
1331 ADD_MEM(dptr, nextarg, strlen(nextarg) + 1);
1340 * text count null-terminated strings
1343 au_to_exec_env(char **envp)
1346 u_char *dptr = NULL;
1349 const char *nextenv;
1353 while (nextenv != NULL) {
1356 nextlen = strlen(nextenv);
1357 totlen += nextlen + 1;
1359 nextenv = *(envp + count);
1362 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + totlen);
1366 ADD_U_CHAR(dptr, AUT_EXEC_ENV);
1367 ADD_U_INT32(dptr, count);
1369 for (i = 0; i < count; i++) {
1370 nextenv = *(envp + i);
1371 ADD_MEM(dptr, nextenv, strlen(nextenv) + 1);
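/*
 * token ID                1 byte
 * zonename length         2 bytes
 * zonename                N bytes + 1 terminating NUL byte
 *
 * Build a zonename token carrying 'zonename'.
 *
 * Returns the new token, or NULL on failure.  errno is set to EINVAL when
 * the name plus its terminating NUL does not fit the 16-bit length field,
 * so the length written to the record can never be a wrapped value.
 *
 * NOTE(review): the local declarations, the NULL check after
 * GET_TOKEN_AREA and the final return follow the form used by the file's
 * other constructors -- confirm against the upstream file.
 */
token_t *
au_to_zonename(const char *zonename)
{
	u_char *dptr = NULL;
	size_t len;
	u_int16_t textlen;
	token_t *t;

	len = strlen(zonename);
	if (len >= 0xffff) {
		/* len + 1 would not fit in the 16-bit length field. */
		errno = EINVAL;
		return (NULL);
	}
	textlen = (u_int16_t)(len + 1);

	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + textlen);
	if (t == NULL)
		return (NULL);

	ADD_U_CHAR(dptr, AUT_ZONENAME);
	ADD_U_INT16(dptr, textlen);
	ADD_STRING(dptr, zonename, textlen);

	return (t);
}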
1402 * record byte count 4 bytes
1403 * version # 1 byte [2]
1404 * event type 2 bytes
1405 * event modifier 2 bytes
1406 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value)
1407 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value)
1410 au_to_header32_tm(int rec_size, au_event_t e_type, au_emod_t e_mod,
1414 u_char *dptr = NULL;
1417 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) +
1418 sizeof(u_char) + 2 * sizeof(u_int16_t) + 2 * sizeof(u_int32_t));
1422 ADD_U_CHAR(dptr, AUT_HEADER32);
1423 ADD_U_INT32(dptr, rec_size);
1424 ADD_U_CHAR(dptr, AUDIT_HEADER_VERSION_OPENBSM);
1425 ADD_U_INT16(dptr, e_type);
1426 ADD_U_INT16(dptr, e_mod);
1428 timems = tm.tv_usec/1000;
1429 /* Add the timestamp */
1430 ADD_U_INT32(dptr, tm.tv_sec);
1431 ADD_U_INT32(dptr, timems); /* We need time in ms. */
1438 * record byte count 4 bytes
1439 * version # 1 byte [2]
1440 * event type 2 bytes
1441 * event modifier 2 bytes
1442 * address type/length 4 bytes
1443 * machine address 4 bytes/16 bytes (IPv4/IPv6 address)
1444 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value)
1445 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value)
1448 au_to_header32_ex_tm(int rec_size, au_event_t e_type, au_emod_t e_mod,
1449 struct timeval tm, struct auditinfo_addr *aia)
1452 u_char *dptr = NULL;
1456 tid = &aia->ai_termid;
1457 if (tid->at_type != AU_IPv4 && tid->at_type != AU_IPv6)
1459 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) +
1460 sizeof(u_char) + 2 * sizeof(u_int16_t) + 3 *
1461 sizeof(u_int32_t) + tid->at_type);
1465 ADD_U_CHAR(dptr, AUT_HEADER32_EX);
1466 ADD_U_INT32(dptr, rec_size);
1467 ADD_U_CHAR(dptr, AUDIT_HEADER_VERSION_OPENBSM);
1468 ADD_U_INT16(dptr, e_type);
1469 ADD_U_INT16(dptr, e_mod);
1471 ADD_U_INT32(dptr, tid->at_type);
1472 if (tid->at_type == AU_IPv6)
1473 ADD_MEM(dptr, &tid->at_addr[0], 4 * sizeof(u_int32_t));
1475 ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t));
1476 timems = tm.tv_usec/1000;
1477 /* Add the timestamp */
1478 ADD_U_INT32(dptr, tm.tv_sec);
1479 ADD_U_INT32(dptr, timems); /* We need time in ms. */
1485 au_to_header64_tm(int rec_size, au_event_t e_type, au_emod_t e_mod,
1489 u_char *dptr = NULL;
1492 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) +
1493 sizeof(u_char) + 2 * sizeof(u_int16_t) + 2 * sizeof(u_int64_t));
1497 ADD_U_CHAR(dptr, AUT_HEADER64);
1498 ADD_U_INT32(dptr, rec_size);
1499 ADD_U_CHAR(dptr, AUDIT_HEADER_VERSION_OPENBSM);
1500 ADD_U_INT16(dptr, e_type);
1501 ADD_U_INT16(dptr, e_mod);
1503 timems = tm.tv_usec/1000;
1504 /* Add the timestamp */
1505 ADD_U_INT64(dptr, tm.tv_sec);
1506 ADD_U_INT64(dptr, timems); /* We need time in ms. */
1511 #if !defined(KERNEL) && !defined(_KERNEL)
1512 #ifdef HAVE_AUDIT_SYSCALLS
1514 au_to_header32_ex(int rec_size, au_event_t e_type, au_emod_t e_mod)
1517 struct auditinfo_addr aia;
1519 if (gettimeofday(&tm, NULL) == -1)
1521 if (audit_get_kaudit(&aia, sizeof(aia)) != 0) {
1522 if (errno != ENOSYS)
1524 return (au_to_header32_tm(rec_size, e_type, e_mod, tm));
1526 return (au_to_header32_ex_tm(rec_size, e_type, e_mod, tm, &aia));
1528 #endif /* HAVE_AUDIT_SYSCALLS */
1531 au_to_header32(int rec_size, au_event_t e_type, au_emod_t e_mod)
1535 if (gettimeofday(&tm, NULL) == -1)
1537 return (au_to_header32_tm(rec_size, e_type, e_mod, tm));
1541 au_to_header64(__unused int rec_size, __unused au_event_t e_type,
1542 __unused au_emod_t e_mod)
1546 if (gettimeofday(&tm, NULL) == -1)
1548 return (au_to_header64_tm(rec_size, e_type, e_mod, tm));
1552 au_to_header(int rec_size, au_event_t e_type, au_emod_t e_mod)
1555 return (au_to_header32(rec_size, e_type, e_mod));
1558 #ifdef HAVE_AUDIT_SYSCALLS
1560 au_to_header_ex(int rec_size, au_event_t e_type, au_emod_t e_mod)
1563 return (au_to_header32_ex(rec_size, e_type, e_mod));
1565 #endif /* HAVE_AUDIT_SYSCALLS */
1566 #endif /* !defined(KERNEL) && !defined(_KERNEL) */
1570 * trailer magic number 2 bytes
1571 * record byte count 4 bytes
1574 au_to_trailer(int rec_size)
1577 u_char *dptr = NULL;
1578 u_int16_t magic = AUT_TRAILER_MAGIC;
1580 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) +
1585 ADD_U_CHAR(dptr, AUT_TRAILER);
1586 ADD_U_INT16(dptr, magic);
1587 ADD_U_INT32(dptr, rec_size);