1 /*-
2 * SPDX-License-Identifier: BSD-3-Clause
3 *
4 * Copyright (c) 2004-2009 Apple Inc.
5 * Copyright (c) 2005 SPARTA, Inc.
6 * All rights reserved.
7 *
8 * This code was developed in part by Robert N. M. Watson, Senior Principal
9 * Scientist, SPARTA, Inc.
10 *
11 * Redistribution and use in source and binary forms, with or without
12 * modification, are permitted provided that the following conditions
13 * are met:
14 * 1. Redistributions of source code must retain the above copyright
15 * notice, this list of conditions and the following disclaimer.
16 * 2. Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in the
18 * documentation and/or other materials provided with the distribution.
19 * 3. Neither the name of Apple Inc. ("Apple") nor the names of
20 * its contributors may be used to endorse or promote products derived
21 * from this software without specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
27 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
31 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
32 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
33 * POSSIBILITY OF SUCH DAMAGE.
34 */
35
36 #include <sys/cdefs.h>
37 #include <sys/param.h>
38 #include <sys/types.h>
39 #include <sys/endian.h>
40 #include <sys/queue.h>
41 #include <sys/socket.h>
42 #include <sys/time.h>
43
44 #include <sys/ipc.h>
45 #include <sys/libkern.h>
46 #include <sys/malloc.h>
47 #include <sys/un.h>
48
49 #include <netinet/in.h>
50 #include <netinet/in_systm.h>
51 #include <netinet/ip.h>
52
53 #include <bsm/audit.h>
54 #include <bsm/audit_internal.h>
55 #include <bsm/audit_record.h>
56 #include <security/audit/audit.h>
57 #include <security/audit/audit_private.h>
58
59 #define GET_TOKEN_AREA(t, dptr, length) do { \
60 t = malloc(sizeof(token_t), M_AUDITBSM, M_WAITOK); \
61 t->t_data = malloc(length, M_AUDITBSM, M_WAITOK | M_ZERO); \
62 t->len = length; \
63 dptr = t->t_data; \
64 } while (0)
65
66 /*
67 * token ID 1 byte
68 * success/failure 1 byte
69 * privstrlen 2 bytes
70 * privstr N bytes + 1 (\0 byte)
71 */
72 token_t *
au_to_upriv(char sorf,char * priv)73 au_to_upriv(char sorf, char *priv)
74 {
75 u_int16_t textlen;
76 u_char *dptr;
77 token_t *t;
78
79 textlen = strlen(priv) + 1;
80 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_char) +
81 sizeof(u_int16_t) + textlen);
82
83 ADD_U_CHAR(dptr, AUT_UPRIV);
84 ADD_U_CHAR(dptr, sorf);
85 ADD_U_INT16(dptr, textlen);
86 ADD_STRING(dptr, priv, textlen);
87 return (t);
88 }
89
90 /*
91 * token ID 1 byte
92 * privtstrlen 2 bytes
93 * privtstr N bytes + 1
94 * privstrlen 2 bytes
95 * privstr N bytes + 1
96 */
97 token_t *
au_to_privset(char * privtypestr,char * privstr)98 au_to_privset(char *privtypestr, char *privstr)
99 {
100 u_int16_t type_len, priv_len;
101 u_char *dptr;
102 token_t *t;
103
104 type_len = strlen(privtypestr) + 1;
105 priv_len = strlen(privstr) + 1;
106 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) +
107 sizeof(u_int16_t) + type_len + priv_len);
108
109 ADD_U_CHAR(dptr, AUT_PRIV);
110 ADD_U_INT16(dptr, type_len);
111 ADD_STRING(dptr, privtypestr, type_len);
112 ADD_U_INT16(dptr, priv_len);
113 ADD_STRING(dptr, privstr, priv_len);
114 return (t);
115 }
116
117 /*
118 * token ID 1 byte
119 * argument # 1 byte
120 * argument value 4 bytes/8 bytes (32-bit/64-bit value)
121 * text length 2 bytes
122 * text N bytes + 1 terminating NULL byte
123 */
124 token_t *
au_to_arg32(char n,const char * text,u_int32_t v)125 au_to_arg32(char n, const char *text, u_int32_t v)
126 {
127 token_t *t;
128 u_char *dptr = NULL;
129 u_int16_t textlen;
130
131 textlen = strlen(text);
132 textlen += 1;
133
134 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int32_t) +
135 sizeof(u_int16_t) + textlen);
136
137 ADD_U_CHAR(dptr, AUT_ARG32);
138 ADD_U_CHAR(dptr, n);
139 ADD_U_INT32(dptr, v);
140 ADD_U_INT16(dptr, textlen);
141 ADD_STRING(dptr, text, textlen);
142
143 return (t);
144 }
145
146 token_t *
au_to_arg64(char n,const char * text,u_int64_t v)147 au_to_arg64(char n, const char *text, u_int64_t v)
148 {
149 token_t *t;
150 u_char *dptr = NULL;
151 u_int16_t textlen;
152
153 textlen = strlen(text);
154 textlen += 1;
155
156 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int64_t) +
157 sizeof(u_int16_t) + textlen);
158
159 ADD_U_CHAR(dptr, AUT_ARG64);
160 ADD_U_CHAR(dptr, n);
161 ADD_U_INT64(dptr, v);
162 ADD_U_INT16(dptr, textlen);
163 ADD_STRING(dptr, text, textlen);
164
165 return (t);
166 }
167
168 token_t *
au_to_arg(char n,const char * text,u_int32_t v)169 au_to_arg(char n, const char *text, u_int32_t v)
170 {
171
172 return (au_to_arg32(n, text, v));
173 }
174
175 #if defined(_KERNEL) || defined(KERNEL)
176 /*
177 * token ID 1 byte
178 * file access mode 4 bytes
179 * owner user ID 4 bytes
180 * owner group ID 4 bytes
181 * file system ID 4 bytes
182 * node ID 8 bytes
183 * device 4 bytes/8 bytes (32-bit/64-bit)
184 */
185 token_t *
au_to_attr32(struct vnode_au_info * vni)186 au_to_attr32(struct vnode_au_info *vni)
187 {
188 token_t *t;
189 u_char *dptr = NULL;
190 u_int16_t pad0_16 = 0;
191 u_int32_t pad0_32 = 0;
192
193 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) +
194 3 * sizeof(u_int32_t) + sizeof(u_int64_t) + sizeof(u_int32_t));
195
196 ADD_U_CHAR(dptr, AUT_ATTR32);
197
198 /*
199 * BSD defines the size for the file mode as 2 bytes; BSM defines 4
200 * so pad with 0.
201 *
202 * XXXRW: Possibly should be conditionally compiled.
203 *
204 * XXXRW: Should any conversions take place on the mode?
205 */
206 ADD_U_INT16(dptr, pad0_16);
207 ADD_U_INT16(dptr, vni->vn_mode);
208
209 ADD_U_INT32(dptr, vni->vn_uid);
210 ADD_U_INT32(dptr, vni->vn_gid);
211 ADD_U_INT32(dptr, vni->vn_fsid);
212
213 /*
214 * Some systems use 32-bit file ID's, others use 64-bit file IDs.
215 * Attempt to handle both, and let the compiler sort it out. If we
216 * could pick this out at compile-time, it would be better, so as to
217 * avoid the else case below.
218 */
219 if (sizeof(vni->vn_fileid) == sizeof(uint32_t)) {
220 ADD_U_INT32(dptr, pad0_32);
221 ADD_U_INT32(dptr, vni->vn_fileid);
222 } else if (sizeof(vni->vn_fileid) == sizeof(uint64_t))
223 ADD_U_INT64(dptr, vni->vn_fileid);
224 else
225 ADD_U_INT64(dptr, 0LL);
226
227 ADD_U_INT32(dptr, vni->vn_dev);
228
229 return (t);
230 }
231
232 token_t *
au_to_attr64(struct vnode_au_info * vni)233 au_to_attr64(struct vnode_au_info *vni)
234 {
235 token_t *t;
236 u_char *dptr = NULL;
237 u_int16_t pad0_16 = 0;
238 u_int32_t pad0_32 = 0;
239
240 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) +
241 3 * sizeof(u_int32_t) + sizeof(u_int64_t) * 2);
242
243 ADD_U_CHAR(dptr, AUT_ATTR64);
244
245 /*
246 * BSD defines the size for the file mode as 2 bytes; BSM defines 4
247 * so pad with 0.
248 *
249 * XXXRW: Possibly should be conditionally compiled.
250 *
251 * XXXRW: Should any conversions take place on the mode?
252 */
253 ADD_U_INT16(dptr, pad0_16);
254 ADD_U_INT16(dptr, vni->vn_mode);
255
256 ADD_U_INT32(dptr, vni->vn_uid);
257 ADD_U_INT32(dptr, vni->vn_gid);
258 ADD_U_INT32(dptr, vni->vn_fsid);
259
260 /*
261 * Some systems use 32-bit file ID's, other's use 64-bit file IDs.
262 * Attempt to handle both, and let the compiler sort it out. If we
263 * could pick this out at compile-time, it would be better, so as to
264 * avoid the else case below.
265 */
266 if (sizeof(vni->vn_fileid) == sizeof(uint32_t)) {
267 ADD_U_INT32(dptr, pad0_32);
268 ADD_U_INT32(dptr, vni->vn_fileid);
269 } else if (sizeof(vni->vn_fileid) == sizeof(uint64_t))
270 ADD_U_INT64(dptr, vni->vn_fileid);
271 else
272 ADD_U_INT64(dptr, 0LL);
273
274 ADD_U_INT64(dptr, vni->vn_dev);
275
276 return (t);
277 }
278
279 token_t *
au_to_attr(struct vnode_au_info * vni)280 au_to_attr(struct vnode_au_info *vni)
281 {
282
283 return (au_to_attr32(vni));
284 }
285 #endif /* !(defined(_KERNEL) || defined(KERNEL) */
286
287 /*
288 * token ID 1 byte
289 * how to print 1 byte
290 * basic unit 1 byte
291 * unit count 1 byte
292 * data items (depends on basic unit)
293 */
294 token_t *
au_to_data(char unit_print,char unit_type,char unit_count,const char * p)295 au_to_data(char unit_print, char unit_type, char unit_count, const char *p)
296 {
297 token_t *t;
298 u_char *dptr = NULL;
299 size_t datasize, totdata;
300
301 /* Determine the size of the basic unit. */
302 switch (unit_type) {
303 case AUR_BYTE:
304 /* case AUR_CHAR: */
305 datasize = AUR_BYTE_SIZE;
306 break;
307
308 case AUR_SHORT:
309 datasize = AUR_SHORT_SIZE;
310 break;
311
312 case AUR_INT32:
313 /* case AUR_INT: */
314 datasize = AUR_INT32_SIZE;
315 break;
316
317 case AUR_INT64:
318 datasize = AUR_INT64_SIZE;
319 break;
320
321 default:
322 return (NULL);
323 }
324
325 totdata = datasize * unit_count;
326
327 GET_TOKEN_AREA(t, dptr, 4 * sizeof(u_char) + totdata);
328
329 /*
330 * XXXRW: We should be byte-swapping each data item for multi-byte
331 * types.
332 */
333 ADD_U_CHAR(dptr, AUT_DATA);
334 ADD_U_CHAR(dptr, unit_print);
335 ADD_U_CHAR(dptr, unit_type);
336 ADD_U_CHAR(dptr, unit_count);
337 ADD_MEM(dptr, p, totdata);
338
339 return (t);
340 }
341
342 /*
343 * token ID 1 byte
344 * status 4 bytes
345 * return value 4 bytes
346 */
347 token_t *
au_to_exit(int retval,int err)348 au_to_exit(int retval, int err)
349 {
350 token_t *t;
351 u_char *dptr = NULL;
352
353 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int32_t));
354
355 ADD_U_CHAR(dptr, AUT_EXIT);
356 ADD_U_INT32(dptr, err);
357 ADD_U_INT32(dptr, retval);
358
359 return (t);
360 }
361
362 /*
363 */
364 token_t *
au_to_groups(int * groups)365 au_to_groups(int *groups)
366 {
367
368 return (au_to_newgroups(AUDIT_MAX_GROUPS, (gid_t *)groups));
369 }
370
371 /*
372 * token ID 1 byte
373 * number groups 2 bytes
374 * group list count * 4 bytes
375 */
376 token_t *
au_to_newgroups(u_int16_t n,gid_t * groups)377 au_to_newgroups(u_int16_t n, gid_t *groups)
378 {
379 token_t *t;
380 u_char *dptr = NULL;
381 int i;
382
383 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) +
384 n * sizeof(u_int32_t));
385
386 ADD_U_CHAR(dptr, AUT_NEWGROUPS);
387 ADD_U_INT16(dptr, n);
388 for (i = 0; i < n; i++)
389 ADD_U_INT32(dptr, groups[i]);
390
391 return (t);
392 }
393
394 /*
395 * token ID 1 byte
396 * internet address 4 bytes
397 */
398 token_t *
au_to_in_addr(struct in_addr * internet_addr)399 au_to_in_addr(struct in_addr *internet_addr)
400 {
401 token_t *t;
402 u_char *dptr = NULL;
403
404 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(uint32_t));
405
406 ADD_U_CHAR(dptr, AUT_IN_ADDR);
407 ADD_MEM(dptr, &internet_addr->s_addr, sizeof(uint32_t));
408
409 return (t);
410 }
411
412 /*
413 * token ID 1 byte
414 * address type/length 4 bytes
415 * address 16 bytes
416 */
417 token_t *
au_to_in_addr_ex(struct in6_addr * internet_addr)418 au_to_in_addr_ex(struct in6_addr *internet_addr)
419 {
420 token_t *t;
421 u_char *dptr = NULL;
422 u_int32_t type = AU_IPv6;
423
424 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 5 * sizeof(uint32_t));
425
426 ADD_U_CHAR(dptr, AUT_IN_ADDR_EX);
427 ADD_U_INT32(dptr, type);
428 ADD_MEM(dptr, internet_addr, 4 * sizeof(uint32_t));
429
430 return (t);
431 }
432
433 /*
434 * token ID 1 byte
435 * ip header 20 bytes
436 *
437 * The IP header should be submitted in network byte order.
438 */
439 token_t *
au_to_ip(struct ip * ip)440 au_to_ip(struct ip *ip)
441 {
442 token_t *t;
443 u_char *dptr = NULL;
444
445 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(struct ip));
446
447 ADD_U_CHAR(dptr, AUT_IP);
448 ADD_MEM(dptr, ip, sizeof(struct ip));
449
450 return (t);
451 }
452
453 /*
454 * token ID 1 byte
455 * object ID type 1 byte
456 * object ID 4 bytes
457 */
458 token_t *
au_to_ipc(char type,int id)459 au_to_ipc(char type, int id)
460 {
461 token_t *t;
462 u_char *dptr = NULL;
463
464 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int32_t));
465
466 ADD_U_CHAR(dptr, AUT_IPC);
467 ADD_U_CHAR(dptr, type);
468 ADD_U_INT32(dptr, id);
469
470 return (t);
471 }
472
473 /*
474 * token ID 1 byte
475 * owner user ID 4 bytes
476 * owner group ID 4 bytes
477 * creator user ID 4 bytes
478 * creator group ID 4 bytes
479 * access mode 4 bytes
480 * slot sequence # 4 bytes
481 * key 4 bytes
482 */
483 token_t *
au_to_ipc_perm(struct ipc_perm * perm)484 au_to_ipc_perm(struct ipc_perm *perm)
485 {
486 token_t *t;
487 u_char *dptr = NULL;
488 u_int16_t pad0 = 0;
489
490 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 12 * sizeof(u_int16_t) +
491 sizeof(u_int32_t));
492
493 ADD_U_CHAR(dptr, AUT_IPC_PERM);
494
495 /*
496 * Systems vary significantly in what types they use in struct
497 * ipc_perm; at least a few still use 16-bit uid's and gid's, so
498 * allow for that, as BSM define 32-bit values here.
499 * Some systems define the sizes for ipc_perm members as 2 bytes;
500 * BSM defines 4 so pad with 0.
501 *
502 * XXXRW: Possibly shoulid be conditionally compiled, and more cases
503 * need to be handled.
504 */
505 if (sizeof(perm->uid) != sizeof(u_int32_t)) {
506 ADD_U_INT16(dptr, pad0);
507 ADD_U_INT16(dptr, perm->uid);
508 ADD_U_INT16(dptr, pad0);
509 ADD_U_INT16(dptr, perm->gid);
510 ADD_U_INT16(dptr, pad0);
511 ADD_U_INT16(dptr, perm->cuid);
512 ADD_U_INT16(dptr, pad0);
513 ADD_U_INT16(dptr, perm->cgid);
514 } else {
515 ADD_U_INT32(dptr, perm->uid);
516 ADD_U_INT32(dptr, perm->gid);
517 ADD_U_INT32(dptr, perm->cuid);
518 ADD_U_INT32(dptr, perm->cgid);
519 }
520
521 ADD_U_INT16(dptr, pad0);
522 ADD_U_INT16(dptr, perm->mode);
523
524 ADD_U_INT16(dptr, pad0);
525
526 ADD_U_INT16(dptr, perm->seq);
527
528 ADD_U_INT32(dptr, perm->key);
529
530 return (t);
531 }
532
533 /*
534 * token ID 1 byte
535 * port IP address 2 bytes
536 */
537 token_t *
au_to_iport(u_int16_t iport)538 au_to_iport(u_int16_t iport)
539 {
540 token_t *t;
541 u_char *dptr = NULL;
542
543 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t));
544
545 ADD_U_CHAR(dptr, AUT_IPORT);
546 ADD_U_INT16(dptr, iport);
547
548 return (t);
549 }
550
551 /*
552 * token ID 1 byte
553 * size 2 bytes
554 * data size bytes
555 */
556 token_t *
au_to_opaque(const char * data,u_int16_t bytes)557 au_to_opaque(const char *data, u_int16_t bytes)
558 {
559 token_t *t;
560 u_char *dptr = NULL;
561
562 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + bytes);
563
564 ADD_U_CHAR(dptr, AUT_OPAQUE);
565 ADD_U_INT16(dptr, bytes);
566 ADD_MEM(dptr, data, bytes);
567
568 return (t);
569 }
570
571 /*
572 * token ID 1 byte
573 * seconds of time 4 bytes
574 * milliseconds of time 4 bytes
575 * file name len 2 bytes
576 * file pathname N bytes + 1 terminating NULL byte
577 */
578 token_t *
au_to_file(const char * file,struct timeval tm)579 au_to_file(const char *file, struct timeval tm)
580 {
581 token_t *t;
582 u_char *dptr = NULL;
583 u_int16_t filelen;
584 u_int32_t timems;
585
586 filelen = strlen(file);
587 filelen += 1;
588
589 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int32_t) +
590 sizeof(u_int16_t) + filelen);
591
592 timems = tm.tv_usec/1000;
593
594 ADD_U_CHAR(dptr, AUT_OTHER_FILE32);
595 ADD_U_INT32(dptr, tm.tv_sec);
596 ADD_U_INT32(dptr, timems); /* We need time in ms. */
597 ADD_U_INT16(dptr, filelen);
598 ADD_STRING(dptr, file, filelen);
599
600 return (t);
601 }
602
603 /*
604 * token ID 1 byte
605 * text length 2 bytes
606 * text N bytes + 1 terminating NULL byte
607 */
608 token_t *
au_to_text(const char * text)609 au_to_text(const char *text)
610 {
611 token_t *t;
612 u_char *dptr = NULL;
613 u_int16_t textlen;
614
615 textlen = strlen(text);
616 textlen += 1;
617
618 /* XXXRW: Should validate length against token size limit. */
619
620 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + textlen);
621
622 ADD_U_CHAR(dptr, AUT_TEXT);
623 ADD_U_INT16(dptr, textlen);
624 ADD_STRING(dptr, text, textlen);
625
626 return (t);
627 }
628
629 /*
630 * token ID 1 byte
631 * path length 2 bytes
632 * path N bytes + 1 terminating NULL byte
633 */
634 token_t *
au_to_path(const char * text)635 au_to_path(const char *text)
636 {
637 token_t *t;
638 u_char *dptr = NULL;
639 u_int16_t textlen;
640
641 textlen = strlen(text);
642 textlen += 1;
643
644 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + textlen);
645
646 ADD_U_CHAR(dptr, AUT_PATH);
647 ADD_U_INT16(dptr, textlen);
648 ADD_STRING(dptr, text, textlen);
649
650 return (t);
651 }
652
653 /*
654 * token ID 1 byte
655 * audit ID 4 bytes
656 * effective user ID 4 bytes
657 * effective group ID 4 bytes
658 * real user ID 4 bytes
659 * real group ID 4 bytes
660 * process ID 4 bytes
661 * session ID 4 bytes
662 * terminal ID
663 * port ID 4 bytes/8 bytes (32-bit/64-bit value)
664 * machine address 4 bytes
665 */
666 token_t *
au_to_process32(au_id_t auid,uid_t euid,gid_t egid,uid_t ruid,gid_t rgid,pid_t pid,au_asid_t sid,au_tid_t * tid)667 au_to_process32(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
668 pid_t pid, au_asid_t sid, au_tid_t *tid)
669 {
670 token_t *t;
671 u_char *dptr = NULL;
672
673 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 9 * sizeof(u_int32_t));
674
675 ADD_U_CHAR(dptr, AUT_PROCESS32);
676 ADD_U_INT32(dptr, auid);
677 ADD_U_INT32(dptr, euid);
678 ADD_U_INT32(dptr, egid);
679 ADD_U_INT32(dptr, ruid);
680 ADD_U_INT32(dptr, rgid);
681 ADD_U_INT32(dptr, pid);
682 ADD_U_INT32(dptr, sid);
683 ADD_U_INT32(dptr, tid->port);
684
685 /*
686 * Note: Solaris will write out IPv6 addresses here as a 32-bit
687 * address type and 16 bytes of address, but for IPv4 addresses it
688 * simply writes the 4-byte address directly. We support only IPv4
689 * addresses for process32 tokens.
690 */
691 ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t));
692
693 return (t);
694 }
695
696 token_t *
au_to_process64(au_id_t auid,uid_t euid,gid_t egid,uid_t ruid,gid_t rgid,pid_t pid,au_asid_t sid,au_tid_t * tid)697 au_to_process64(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
698 pid_t pid, au_asid_t sid, au_tid_t *tid)
699 {
700 token_t *t;
701 u_char *dptr = NULL;
702
703 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 8 * sizeof(u_int32_t) +
704 sizeof(u_int64_t));
705
706 ADD_U_CHAR(dptr, AUT_PROCESS64);
707 ADD_U_INT32(dptr, auid);
708 ADD_U_INT32(dptr, euid);
709 ADD_U_INT32(dptr, egid);
710 ADD_U_INT32(dptr, ruid);
711 ADD_U_INT32(dptr, rgid);
712 ADD_U_INT32(dptr, pid);
713 ADD_U_INT32(dptr, sid);
714 ADD_U_INT64(dptr, tid->port);
715
716 /*
717 * Note: Solaris will write out IPv6 addresses here as a 32-bit
718 * address type and 16 bytes of address, but for IPv4 addresses it
719 * simply writes the 4-byte address directly. We support only IPv4
720 * addresses for process64 tokens.
721 */
722 ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t));
723
724 return (t);
725 }
726
727 token_t *
au_to_process(au_id_t auid,uid_t euid,gid_t egid,uid_t ruid,gid_t rgid,pid_t pid,au_asid_t sid,au_tid_t * tid)728 au_to_process(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
729 pid_t pid, au_asid_t sid, au_tid_t *tid)
730 {
731
732 return (au_to_process32(auid, euid, egid, ruid, rgid, pid, sid,
733 tid));
734 }
735
736 /*
737 * token ID 1 byte
738 * audit ID 4 bytes
739 * effective user ID 4 bytes
740 * effective group ID 4 bytes
741 * real user ID 4 bytes
742 * real group ID 4 bytes
743 * process ID 4 bytes
744 * session ID 4 bytes
745 * terminal ID
746 * port ID 4 bytes/8 bytes (32-bit/64-bit value)
747 * address type-len 4 bytes
748 * machine address 16 bytes
749 */
750 token_t *
au_to_process32_ex(au_id_t auid,uid_t euid,gid_t egid,uid_t ruid,gid_t rgid,pid_t pid,au_asid_t sid,au_tid_addr_t * tid)751 au_to_process32_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
752 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
753 {
754 token_t *t;
755 u_char *dptr = NULL;
756
757 KASSERT((tid->at_type == AU_IPv4) || (tid->at_type == AU_IPv6),
758 ("au_to_process32_ex: type %u", (unsigned int)tid->at_type));
759 if (tid->at_type == AU_IPv4)
760 GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
761 10 * sizeof(u_int32_t));
762 else
763 GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
764 13 * sizeof(u_int32_t));
765
766 ADD_U_CHAR(dptr, AUT_PROCESS32_EX);
767 ADD_U_INT32(dptr, auid);
768 ADD_U_INT32(dptr, euid);
769 ADD_U_INT32(dptr, egid);
770 ADD_U_INT32(dptr, ruid);
771 ADD_U_INT32(dptr, rgid);
772 ADD_U_INT32(dptr, pid);
773 ADD_U_INT32(dptr, sid);
774 ADD_U_INT32(dptr, tid->at_port);
775 ADD_U_INT32(dptr, tid->at_type);
776 ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t));
777 if (tid->at_type == AU_IPv6) {
778 ADD_MEM(dptr, &tid->at_addr[1], sizeof(u_int32_t));
779 ADD_MEM(dptr, &tid->at_addr[2], sizeof(u_int32_t));
780 ADD_MEM(dptr, &tid->at_addr[3], sizeof(u_int32_t));
781 }
782
783 return (t);
784 }
785
786 token_t *
au_to_process64_ex(au_id_t auid,uid_t euid,gid_t egid,uid_t ruid,gid_t rgid,pid_t pid,au_asid_t sid,au_tid_addr_t * tid)787 au_to_process64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
788 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
789 {
790 token_t *t;
791 u_char *dptr = NULL;
792
793 if (tid->at_type == AU_IPv4)
794 GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
795 7 * sizeof(u_int32_t) + sizeof(u_int64_t) +
796 2 * sizeof(u_int32_t));
797 else if (tid->at_type == AU_IPv6)
798 GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
799 7 * sizeof(u_int32_t) + sizeof(u_int64_t) +
800 5 * sizeof(u_int32_t));
801 else
802 panic("au_to_process64_ex: invalidate at_type (%d)",
803 tid->at_type);
804
805 ADD_U_CHAR(dptr, AUT_PROCESS64_EX);
806 ADD_U_INT32(dptr, auid);
807 ADD_U_INT32(dptr, euid);
808 ADD_U_INT32(dptr, egid);
809 ADD_U_INT32(dptr, ruid);
810 ADD_U_INT32(dptr, rgid);
811 ADD_U_INT32(dptr, pid);
812 ADD_U_INT32(dptr, sid);
813 ADD_U_INT64(dptr, tid->at_port);
814 ADD_U_INT32(dptr, tid->at_type);
815 ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t));
816 if (tid->at_type == AU_IPv6) {
817 ADD_MEM(dptr, &tid->at_addr[1], sizeof(u_int32_t));
818 ADD_MEM(dptr, &tid->at_addr[2], sizeof(u_int32_t));
819 ADD_MEM(dptr, &tid->at_addr[3], sizeof(u_int32_t));
820 }
821
822 return (t);
823 }
824
825 token_t *
au_to_process_ex(au_id_t auid,uid_t euid,gid_t egid,uid_t ruid,gid_t rgid,pid_t pid,au_asid_t sid,au_tid_addr_t * tid)826 au_to_process_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
827 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
828 {
829
830 return (au_to_process32_ex(auid, euid, egid, ruid, rgid, pid, sid,
831 tid));
832 }
833
834 token_t *
au_to_rights(cap_rights_t * rightsp)835 au_to_rights(cap_rights_t *rightsp)
836 {
837 token_t *t;
838 u_char *dptr;
839 int i;
840
841 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(*rightsp));
842
843 ADD_U_CHAR(dptr, AUT_RIGHTS);
844 for (i = 0; i < nitems(rightsp->cr_rights); i++)
845 ADD_U_INT64(dptr, rightsp->cr_rights[i]);
846
847 return (t);
848 }
849
850 /*
851 * token ID 1 byte
852 * error status 1 byte
853 * return value 4 bytes/8 bytes (32-bit/64-bit value)
854 */
855 token_t *
au_to_return32(char status,u_int32_t ret)856 au_to_return32(char status, u_int32_t ret)
857 {
858 token_t *t;
859 u_char *dptr = NULL;
860
861 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int32_t));
862
863 ADD_U_CHAR(dptr, AUT_RETURN32);
864 ADD_U_CHAR(dptr, status);
865 ADD_U_INT32(dptr, ret);
866
867 return (t);
868 }
869
870 token_t *
au_to_return64(char status,u_int64_t ret)871 au_to_return64(char status, u_int64_t ret)
872 {
873 token_t *t;
874 u_char *dptr = NULL;
875
876 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int64_t));
877
878 ADD_U_CHAR(dptr, AUT_RETURN64);
879 ADD_U_CHAR(dptr, status);
880 ADD_U_INT64(dptr, ret);
881
882 return (t);
883 }
884
885 token_t *
au_to_return(char status,u_int32_t ret)886 au_to_return(char status, u_int32_t ret)
887 {
888
889 return (au_to_return32(status, ret));
890 }
891
892 /*
893 * token ID 1 byte
894 * sequence number 4 bytes
895 */
896 token_t *
au_to_seq(long audit_count)897 au_to_seq(long audit_count)
898 {
899 token_t *t;
900 u_char *dptr = NULL;
901
902 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t));
903
904 ADD_U_CHAR(dptr, AUT_SEQ);
905 ADD_U_INT32(dptr, audit_count);
906
907 return (t);
908 }
909
910 /*
911 * token ID 1 byte
912 * socket domain 2 bytes
913 * socket type 2 bytes
914 * address type 2 byte
915 * local port 2 bytes
916 * local address 4 bytes/16 bytes (IPv4/IPv6 address)
917 * remote port 2 bytes
918 * remote address 4 bytes/16 bytes (IPv4/IPv6 address)
919 *
920 * Domain and type arguments to this routine are assumed to already have been
921 * converted to the BSM constant space, so we don't do that here.
922 */
923 token_t *
au_to_socket_ex(u_short so_domain,u_short so_type,struct sockaddr * sa_local,struct sockaddr * sa_remote)924 au_to_socket_ex(u_short so_domain, u_short so_type,
925 struct sockaddr *sa_local, struct sockaddr *sa_remote)
926 {
927 token_t *t;
928 u_char *dptr = NULL;
929 struct sockaddr_in *sin;
930 struct sockaddr_in6 *sin6;
931
932 if (so_domain == AF_INET)
933 GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
934 5 * sizeof(u_int16_t) + 2 * sizeof(u_int32_t));
935 else if (so_domain == AF_INET6)
936 GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
937 5 * sizeof(u_int16_t) + 8 * sizeof(u_int32_t));
938 else
939 return (NULL);
940
941 ADD_U_CHAR(dptr, AUT_SOCKET_EX);
942 ADD_U_INT16(dptr, au_domain_to_bsm(so_domain));
943 ADD_U_INT16(dptr, au_socket_type_to_bsm(so_type));
944 if (so_domain == AF_INET) {
945 ADD_U_INT16(dptr, AU_IPv4);
946 sin = (struct sockaddr_in *)sa_local;
947 ADD_MEM(dptr, &sin->sin_port, sizeof(uint16_t));
948 ADD_MEM(dptr, &sin->sin_addr.s_addr, sizeof(uint32_t));
949 sin = (struct sockaddr_in *)sa_remote;
950 ADD_MEM(dptr, &sin->sin_port, sizeof(uint16_t));
951 ADD_MEM(dptr, &sin->sin_addr.s_addr, sizeof(uint32_t));
952 } else {
953 ADD_U_INT16(dptr, AU_IPv6);
954 sin6 = (struct sockaddr_in6 *)sa_local;
955 ADD_MEM(dptr, &sin6->sin6_port, sizeof(uint16_t));
956 ADD_MEM(dptr, &sin6->sin6_addr, 4 * sizeof(uint32_t));
957 sin6 = (struct sockaddr_in6 *)sa_remote;
958 ADD_MEM(dptr, &sin6->sin6_port, sizeof(uint16_t));
959 ADD_MEM(dptr, &sin6->sin6_addr, 4 * sizeof(uint32_t));
960 }
961
962 return (t);
963 }
964
965 /*
966 * Kernel-specific version of the above function.
967 *
968 * XXXRW: Should now use au_to_socket_ex() here.
969 */
970 #ifdef _KERNEL
971 token_t *
kau_to_socket(struct socket_au_info * soi)972 kau_to_socket(struct socket_au_info *soi)
973 {
974 token_t *t;
975 u_char *dptr;
976 u_int16_t so_type;
977
978 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) +
979 sizeof(u_int32_t) + sizeof(u_int16_t) + sizeof(u_int32_t));
980
981 ADD_U_CHAR(dptr, AUT_SOCKET);
982 /* Coerce the socket type into a short value */
983 so_type = soi->so_type;
984 ADD_U_INT16(dptr, so_type);
985 ADD_U_INT16(dptr, soi->so_lport);
986 ADD_U_INT32(dptr, soi->so_laddr);
987 ADD_U_INT16(dptr, soi->so_rport);
988 ADD_U_INT32(dptr, soi->so_raddr);
989
990 return (t);
991 }
992 #endif
993
994 /*
995 * token ID 1 byte
996 * socket family 2 bytes
997 * path (up to) 104 bytes + NULL (NULL terminated string)
998 */
999 token_t *
au_to_sock_unix(struct sockaddr_un * so)1000 au_to_sock_unix(struct sockaddr_un *so)
1001 {
1002 token_t *t;
1003 u_char *dptr;
1004
1005 GET_TOKEN_AREA(t, dptr, 3 * sizeof(u_char) + strlen(so->sun_path) + 1);
1006
1007 ADD_U_CHAR(dptr, AUT_SOCKUNIX);
1008 /* BSM token has two bytes for family */
1009 ADD_U_CHAR(dptr, 0);
1010 ADD_U_CHAR(dptr, so->sun_family);
1011 ADD_STRING(dptr, so->sun_path, strlen(so->sun_path) + 1);
1012
1013 return (t);
1014 }
1015
1016 /*
1017 * token ID 1 byte
1018 * socket family 2 bytes
1019 * local port 2 bytes
1020 * socket address 4 bytes
1021 */
1022 token_t *
au_to_sock_inet32(struct sockaddr_in * so)1023 au_to_sock_inet32(struct sockaddr_in *so)
1024 {
1025 token_t *t;
1026 u_char *dptr = NULL;
1027 uint16_t family;
1028
1029 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(uint16_t) +
1030 sizeof(uint32_t));
1031
1032 ADD_U_CHAR(dptr, AUT_SOCKINET32);
1033 /*
1034 * BSM defines the family field as 16 bits, but many operating
1035 * systems have an 8-bit sin_family field. Extend to 16 bits before
1036 * writing into the token. Assume that both the port and the address
1037 * in the sockaddr_in are already in network byte order, but family
1038 * is in local byte order.
1039 *
1040 * XXXRW: Should a name space conversion be taking place on the value
1041 * of sin_family?
1042 */
1043 family = so->sin_family;
1044 ADD_U_INT16(dptr, family);
1045 ADD_MEM(dptr, &so->sin_port, sizeof(uint16_t));
1046 ADD_MEM(dptr, &so->sin_addr.s_addr, sizeof(uint32_t));
1047
1048 return (t);
1049 }
1050
1051 token_t *
au_to_sock_inet128(struct sockaddr_in6 * so)1052 au_to_sock_inet128(struct sockaddr_in6 *so)
1053 {
1054 token_t *t;
1055 u_char *dptr = NULL;
1056
1057 GET_TOKEN_AREA(t, dptr, 3 * sizeof(u_char) + sizeof(u_int16_t) +
1058 4 * sizeof(u_int32_t));
1059
1060 ADD_U_CHAR(dptr, AUT_SOCKINET128);
1061 /*
1062 * In BSD, sin6_family is one octet, but BSM defines the token to
1063 * store two. So we copy in a 0 first. XXXRW: Possibly should be
1064 * conditionally compiled.
1065 */
1066 ADD_U_CHAR(dptr, 0);
1067 ADD_U_CHAR(dptr, so->sin6_family);
1068
1069 ADD_U_INT16(dptr, so->sin6_port);
1070 ADD_MEM(dptr, &so->sin6_addr, 4 * sizeof(uint32_t));
1071
1072 return (t);
1073 }
1074
1075 token_t *
au_to_sock_inet(struct sockaddr_in * so)1076 au_to_sock_inet(struct sockaddr_in *so)
1077 {
1078
1079 return (au_to_sock_inet32(so));
1080 }
1081
1082 /*
1083 * token ID 1 byte
1084 * audit ID 4 bytes
1085 * effective user ID 4 bytes
1086 * effective group ID 4 bytes
1087 * real user ID 4 bytes
1088 * real group ID 4 bytes
1089 * process ID 4 bytes
1090 * session ID 4 bytes
1091 * terminal ID
1092 * port ID 4 bytes/8 bytes (32-bit/64-bit value)
1093 * machine address 4 bytes
1094 */
1095 token_t *
au_to_subject32(au_id_t auid,uid_t euid,gid_t egid,uid_t ruid,gid_t rgid,pid_t pid,au_asid_t sid,au_tid_t * tid)1096 au_to_subject32(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
1097 pid_t pid, au_asid_t sid, au_tid_t *tid)
1098 {
1099 token_t *t;
1100 u_char *dptr = NULL;
1101
1102 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 9 * sizeof(u_int32_t));
1103
1104 ADD_U_CHAR(dptr, AUT_SUBJECT32);
1105 ADD_U_INT32(dptr, auid);
1106 ADD_U_INT32(dptr, euid);
1107 ADD_U_INT32(dptr, egid);
1108 ADD_U_INT32(dptr, ruid);
1109 ADD_U_INT32(dptr, rgid);
1110 ADD_U_INT32(dptr, pid);
1111 ADD_U_INT32(dptr, sid);
1112 ADD_U_INT32(dptr, tid->port);
1113 ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t));
1114
1115 return (t);
1116 }
1117
1118 token_t *
au_to_subject64(au_id_t auid,uid_t euid,gid_t egid,uid_t ruid,gid_t rgid,pid_t pid,au_asid_t sid,au_tid_t * tid)1119 au_to_subject64(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
1120 pid_t pid, au_asid_t sid, au_tid_t *tid)
1121 {
1122 token_t *t;
1123 u_char *dptr = NULL;
1124
1125 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 7 * sizeof(u_int32_t) +
1126 sizeof(u_int64_t) + sizeof(u_int32_t));
1127
1128 ADD_U_CHAR(dptr, AUT_SUBJECT64);
1129 ADD_U_INT32(dptr, auid);
1130 ADD_U_INT32(dptr, euid);
1131 ADD_U_INT32(dptr, egid);
1132 ADD_U_INT32(dptr, ruid);
1133 ADD_U_INT32(dptr, rgid);
1134 ADD_U_INT32(dptr, pid);
1135 ADD_U_INT32(dptr, sid);
1136 ADD_U_INT64(dptr, tid->port);
1137 ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t));
1138
1139 return (t);
1140 }
1141
1142 token_t *
au_to_subject(au_id_t auid,uid_t euid,gid_t egid,uid_t ruid,gid_t rgid,pid_t pid,au_asid_t sid,au_tid_t * tid)1143 au_to_subject(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
1144 pid_t pid, au_asid_t sid, au_tid_t *tid)
1145 {
1146
1147 return (au_to_subject32(auid, euid, egid, ruid, rgid, pid, sid,
1148 tid));
1149 }
1150
1151 /*
1152 * token ID 1 byte
1153 * audit ID 4 bytes
1154 * effective user ID 4 bytes
1155 * effective group ID 4 bytes
1156 * real user ID 4 bytes
1157 * real group ID 4 bytes
1158 * process ID 4 bytes
1159 * session ID 4 bytes
1160 * terminal ID
1161 * port ID 4 bytes/8 bytes (32-bit/64-bit value)
1162 * address type/length 4 bytes
1163 * machine address 16 bytes
1164 */
1165 token_t *
au_to_subject32_ex(au_id_t auid,uid_t euid,gid_t egid,uid_t ruid,gid_t rgid,pid_t pid,au_asid_t sid,au_tid_addr_t * tid)1166 au_to_subject32_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
1167 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
1168 {
1169 token_t *t;
1170 u_char *dptr = NULL;
1171
1172 KASSERT((tid->at_type == AU_IPv4) || (tid->at_type == AU_IPv6),
1173 ("au_to_subject32_ex: type %u", (unsigned int)tid->at_type));
1174
1175 if (tid->at_type == AU_IPv4)
1176 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 10 *
1177 sizeof(u_int32_t));
1178 else
1179 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 13 *
1180 sizeof(u_int32_t));
1181
1182 ADD_U_CHAR(dptr, AUT_SUBJECT32_EX);
1183 ADD_U_INT32(dptr, auid);
1184 ADD_U_INT32(dptr, euid);
1185 ADD_U_INT32(dptr, egid);
1186 ADD_U_INT32(dptr, ruid);
1187 ADD_U_INT32(dptr, rgid);
1188 ADD_U_INT32(dptr, pid);
1189 ADD_U_INT32(dptr, sid);
1190 ADD_U_INT32(dptr, tid->at_port);
1191 ADD_U_INT32(dptr, tid->at_type);
1192 if (tid->at_type == AU_IPv6)
1193 ADD_MEM(dptr, &tid->at_addr[0], 4 * sizeof(u_int32_t));
1194 else
1195 ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t));
1196
1197 return (t);
1198 }
1199
1200 token_t *
au_to_subject64_ex(au_id_t auid,uid_t euid,gid_t egid,uid_t ruid,gid_t rgid,pid_t pid,au_asid_t sid,au_tid_addr_t * tid)1201 au_to_subject64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
1202 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
1203 {
1204 token_t *t;
1205 u_char *dptr = NULL;
1206
1207 KASSERT((tid->at_type == AU_IPv4) || (tid->at_type == AU_IPv6),
1208 ("au_to_subject64_ex: type %u", (unsigned int)tid->at_type));
1209
1210 if (tid->at_type == AU_IPv4)
1211 GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
1212 7 * sizeof(u_int32_t) + sizeof(u_int64_t) +
1213 2 * sizeof(u_int32_t));
1214 else
1215 GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
1216 7 * sizeof(u_int32_t) + sizeof(u_int64_t) +
1217 5 * sizeof(u_int32_t));
1218
1219 ADD_U_CHAR(dptr, AUT_SUBJECT64_EX);
1220 ADD_U_INT32(dptr, auid);
1221 ADD_U_INT32(dptr, euid);
1222 ADD_U_INT32(dptr, egid);
1223 ADD_U_INT32(dptr, ruid);
1224 ADD_U_INT32(dptr, rgid);
1225 ADD_U_INT32(dptr, pid);
1226 ADD_U_INT32(dptr, sid);
1227 ADD_U_INT64(dptr, tid->at_port);
1228 ADD_U_INT32(dptr, tid->at_type);
1229 if (tid->at_type == AU_IPv6)
1230 ADD_MEM(dptr, &tid->at_addr[0], 4 * sizeof(u_int32_t));
1231 else
1232 ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t));
1233
1234 return (t);
1235 }
1236
1237 token_t *
au_to_subject_ex(au_id_t auid,uid_t euid,gid_t egid,uid_t ruid,gid_t rgid,pid_t pid,au_asid_t sid,au_tid_addr_t * tid)1238 au_to_subject_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
1239 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
1240 {
1241
1242 return (au_to_subject32_ex(auid, euid, egid, ruid, rgid, pid, sid,
1243 tid));
1244 }
1245
1246 #if !defined(_KERNEL) && !defined(KERNEL) && defined(HAVE_AUDIT_SYSCALLS)
1247 /*
1248 * Collects audit information for the current process and creates a subject
1249 * token from it.
1250 */
1251 token_t *
au_to_me(void)1252 au_to_me(void)
1253 {
1254 auditinfo_t auinfo;
1255 auditinfo_addr_t aia;
1256
1257 /*
1258 * Try to use getaudit_addr(2) first. If this kernel does not support
1259 * it, then fall back on to getaudit(2).
1260 */
1261 if (getaudit_addr(&aia, sizeof(aia)) != 0) {
1262 if (errno == ENOSYS) {
1263 if (getaudit(&auinfo) != 0)
1264 return (NULL);
1265 return (au_to_subject32(auinfo.ai_auid, geteuid(),
1266 getegid(), getuid(), getgid(), getpid(),
1267 auinfo.ai_asid, &auinfo.ai_termid));
1268 } else {
1269 /* getaudit_addr(2) failed for some other reason. */
1270 return (NULL);
1271 }
1272 }
1273
1274 return (au_to_subject32_ex(aia.ai_auid, geteuid(), getegid(), getuid(),
1275 getgid(), getpid(), aia.ai_asid, &aia.ai_termid));
1276 }
1277 #endif
1278
1279 #if defined(_KERNEL) || defined(KERNEL)
1280 static token_t *
au_to_exec_strings(char * strs,int count,u_char type)1281 au_to_exec_strings(char *strs, int count, u_char type)
1282 {
1283 token_t *t;
1284 u_char *dptr = NULL;
1285 u_int32_t totlen;
1286 int ctr;
1287 char *p;
1288
1289 totlen = 0;
1290 ctr = count;
1291 p = strs;
1292 while (ctr-- > 0) {
1293 totlen += strlen(p) + 1;
1294 p = strs + totlen;
1295 }
1296 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + totlen);
1297 ADD_U_CHAR(dptr, type);
1298 ADD_U_INT32(dptr, count);
1299 ADD_STRING(dptr, strs, totlen);
1300
1301 return (t);
1302 }
1303
1304 /*
1305 * token ID 1 byte
1306 * count 4 bytes
1307 * text count null-terminated strings
1308 */
1309 token_t *
au_to_exec_args(char * args,int argc)1310 au_to_exec_args(char *args, int argc)
1311 {
1312
1313 return (au_to_exec_strings(args, argc, AUT_EXEC_ARGS));
1314 }
1315
1316 /*
1317 * token ID 1 byte
1318 * count 4 bytes
1319 * text count null-terminated strings
1320 */
1321 token_t *
au_to_exec_env(char * envs,int envc)1322 au_to_exec_env(char *envs, int envc)
1323 {
1324
1325 return (au_to_exec_strings(envs, envc, AUT_EXEC_ENV));
1326 }
1327 #else
1328 /*
1329 * token ID 1 byte
1330 * count 4 bytes
1331 * text count null-terminated strings
1332 */
1333 token_t *
au_to_exec_args(char ** argv)1334 au_to_exec_args(char **argv)
1335 {
1336 token_t *t;
1337 u_char *dptr = NULL;
1338 const char *nextarg;
1339 int i, count = 0;
1340 size_t totlen = 0;
1341
1342 nextarg = *argv;
1343
1344 while (nextarg != NULL) {
1345 int nextlen;
1346
1347 nextlen = strlen(nextarg);
1348 totlen += nextlen + 1;
1349 count++;
1350 nextarg = *(argv + count);
1351 }
1352
1353 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + totlen);
1354
1355 ADD_U_CHAR(dptr, AUT_EXEC_ARGS);
1356 ADD_U_INT32(dptr, count);
1357
1358 for (i = 0; i < count; i++) {
1359 nextarg = *(argv + i);
1360 ADD_MEM(dptr, nextarg, strlen(nextarg) + 1);
1361 }
1362
1363 return (t);
1364 }
1365
1366 /*
1367 * token ID 1 byte
1368 * count 4 bytes
1369 * text count null-terminated strings
1370 */
1371 token_t *
au_to_exec_env(char ** envp)1372 au_to_exec_env(char **envp)
1373 {
1374 token_t *t;
1375 u_char *dptr = NULL;
1376 int i, count = 0;
1377 size_t totlen = 0;
1378 const char *nextenv;
1379
1380 nextenv = *envp;
1381
1382 while (nextenv != NULL) {
1383 int nextlen;
1384
1385 nextlen = strlen(nextenv);
1386 totlen += nextlen + 1;
1387 count++;
1388 nextenv = *(envp + count);
1389 }
1390
1391 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + totlen);
1392
1393 ADD_U_CHAR(dptr, AUT_EXEC_ENV);
1394 ADD_U_INT32(dptr, count);
1395
1396 for (i = 0; i < count; i++) {
1397 nextenv = *(envp + i);
1398 ADD_MEM(dptr, nextenv, strlen(nextenv) + 1);
1399 }
1400
1401 return (t);
1402 }
1403 #endif
1404
1405 /*
1406 * token ID 1 byte
1407 * zonename length 2 bytes
1408 * zonename N bytes + 1 terminating NULL byte
1409 */
1410 token_t *
au_to_zonename(const char * zonename)1411 au_to_zonename(const char *zonename)
1412 {
1413 u_char *dptr = NULL;
1414 u_int16_t textlen;
1415 token_t *t;
1416
1417 textlen = strlen(zonename) + 1;
1418 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + textlen);
1419
1420 ADD_U_CHAR(dptr, AUT_ZONENAME);
1421 ADD_U_INT16(dptr, textlen);
1422 ADD_STRING(dptr, zonename, textlen);
1423 return (t);
1424 }
1425
1426 /*
1427 * token ID 1 byte
1428 * record byte count 4 bytes
1429 * version # 1 byte [2]
1430 * event type 2 bytes
1431 * event modifier 2 bytes
1432 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value)
1433 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value)
1434 */
1435 token_t *
au_to_header32_tm(int rec_size,au_event_t e_type,au_emod_t e_mod,struct timeval tm)1436 au_to_header32_tm(int rec_size, au_event_t e_type, au_emod_t e_mod,
1437 struct timeval tm)
1438 {
1439 token_t *t;
1440 u_char *dptr = NULL;
1441 u_int32_t timems;
1442
1443 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) +
1444 sizeof(u_char) + 2 * sizeof(u_int16_t) + 2 * sizeof(u_int32_t));
1445
1446 ADD_U_CHAR(dptr, AUT_HEADER32);
1447 ADD_U_INT32(dptr, rec_size);
1448 ADD_U_CHAR(dptr, AUDIT_HEADER_VERSION_OPENBSM);
1449 ADD_U_INT16(dptr, e_type);
1450 ADD_U_INT16(dptr, e_mod);
1451
1452 timems = tm.tv_usec/1000;
1453 /* Add the timestamp */
1454 ADD_U_INT32(dptr, tm.tv_sec);
1455 ADD_U_INT32(dptr, timems); /* We need time in ms. */
1456
1457 return (t);
1458 }
1459
1460 /*
1461 * token ID 1 byte
1462 * record byte count 4 bytes
1463 * version # 1 byte [2]
1464 * event type 2 bytes
1465 * event modifier 2 bytes
1466 * address type/length 4 bytes
1467 * machine address 4 bytes/16 bytes (IPv4/IPv6 address)
1468 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value)
1469 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value)
1470 */
1471 token_t *
au_to_header32_ex_tm(int rec_size,au_event_t e_type,au_emod_t e_mod,struct timeval tm,struct auditinfo_addr * aia)1472 au_to_header32_ex_tm(int rec_size, au_event_t e_type, au_emod_t e_mod,
1473 struct timeval tm, struct auditinfo_addr *aia)
1474 {
1475 token_t *t;
1476 u_char *dptr = NULL;
1477 u_int32_t timems;
1478 au_tid_addr_t *tid;
1479
1480 tid = &aia->ai_termid;
1481 KASSERT(tid->at_type == AU_IPv4 || tid->at_type == AU_IPv6,
1482 ("au_to_header32_ex_tm: invalid address family"));
1483
1484 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) +
1485 sizeof(u_char) + 2 * sizeof(u_int16_t) + 3 *
1486 sizeof(u_int32_t) + tid->at_type);
1487
1488 ADD_U_CHAR(dptr, AUT_HEADER32_EX);
1489 ADD_U_INT32(dptr, rec_size);
1490 ADD_U_CHAR(dptr, AUDIT_HEADER_VERSION_OPENBSM);
1491 ADD_U_INT16(dptr, e_type);
1492 ADD_U_INT16(dptr, e_mod);
1493
1494 ADD_U_INT32(dptr, tid->at_type);
1495 if (tid->at_type == AU_IPv6)
1496 ADD_MEM(dptr, &tid->at_addr[0], 4 * sizeof(u_int32_t));
1497 else
1498 ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t));
1499 timems = tm.tv_usec/1000;
1500 /* Add the timestamp */
1501 ADD_U_INT32(dptr, tm.tv_sec);
1502 ADD_U_INT32(dptr, timems); /* We need time in ms. */
1503
1504 return (t);
1505 }
1506
1507 token_t *
au_to_header64_tm(int rec_size,au_event_t e_type,au_emod_t e_mod,struct timeval tm)1508 au_to_header64_tm(int rec_size, au_event_t e_type, au_emod_t e_mod,
1509 struct timeval tm)
1510 {
1511 token_t *t;
1512 u_char *dptr = NULL;
1513 u_int32_t timems;
1514
1515 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) +
1516 sizeof(u_char) + 2 * sizeof(u_int16_t) + 2 * sizeof(u_int64_t));
1517
1518 ADD_U_CHAR(dptr, AUT_HEADER64);
1519 ADD_U_INT32(dptr, rec_size);
1520 ADD_U_CHAR(dptr, AUDIT_HEADER_VERSION_OPENBSM);
1521 ADD_U_INT16(dptr, e_type);
1522 ADD_U_INT16(dptr, e_mod);
1523
1524 timems = tm.tv_usec/1000;
1525 /* Add the timestamp */
1526 ADD_U_INT64(dptr, tm.tv_sec);
1527 ADD_U_INT64(dptr, timems); /* We need time in ms. */
1528
1529 return (t);
1530 }
1531
1532 #if !defined(KERNEL) && !defined(_KERNEL)
1533 #ifdef HAVE_AUDIT_SYSCALLS
1534 token_t *
au_to_header32_ex(int rec_size,au_event_t e_type,au_emod_t e_mod)1535 au_to_header32_ex(int rec_size, au_event_t e_type, au_emod_t e_mod)
1536 {
1537 struct timeval tm;
1538 struct auditinfo_addr aia;
1539
1540 if (gettimeofday(&tm, NULL) == -1)
1541 return (NULL);
1542 if (audit_get_kaudit(&aia, sizeof(aia)) != 0) {
1543 if (errno != ENOSYS)
1544 return (NULL);
1545 return (au_to_header32_tm(rec_size, e_type, e_mod, tm));
1546 }
1547 return (au_to_header32_ex_tm(rec_size, e_type, e_mod, tm, &aia));
1548 }
1549 #endif /* HAVE_AUDIT_SYSCALLS */
1550
1551 token_t *
au_to_header32(int rec_size,au_event_t e_type,au_emod_t e_mod)1552 au_to_header32(int rec_size, au_event_t e_type, au_emod_t e_mod)
1553 {
1554 struct timeval tm;
1555
1556 if (gettimeofday(&tm, NULL) == -1)
1557 return (NULL);
1558 return (au_to_header32_tm(rec_size, e_type, e_mod, tm));
1559 }
1560
1561 token_t *
au_to_header64(__unused int rec_size,__unused au_event_t e_type,__unused au_emod_t e_mod)1562 au_to_header64(__unused int rec_size, __unused au_event_t e_type,
1563 __unused au_emod_t e_mod)
1564 {
1565 struct timeval tm;
1566
1567 if (gettimeofday(&tm, NULL) == -1)
1568 return (NULL);
1569 return (au_to_header64_tm(rec_size, e_type, e_mod, tm));
1570 }
1571
1572 token_t *
au_to_header(int rec_size,au_event_t e_type,au_emod_t e_mod)1573 au_to_header(int rec_size, au_event_t e_type, au_emod_t e_mod)
1574 {
1575
1576 return (au_to_header32(rec_size, e_type, e_mod));
1577 }
1578
1579 #ifdef HAVE_AUDIT_SYSCALLS
1580 token_t *
au_to_header_ex(int rec_size,au_event_t e_type,au_emod_t e_mod)1581 au_to_header_ex(int rec_size, au_event_t e_type, au_emod_t e_mod)
1582 {
1583
1584 return (au_to_header32_ex(rec_size, e_type, e_mod));
1585 }
1586 #endif /* HAVE_AUDIT_SYSCALLS */
1587 #endif /* !defined(KERNEL) && !defined(_KERNEL) */
1588
1589 /*
1590 * token ID 1 byte
1591 * trailer magic number 2 bytes
1592 * record byte count 4 bytes
1593 */
1594 token_t *
au_to_trailer(int rec_size)1595 au_to_trailer(int rec_size)
1596 {
1597 token_t *t;
1598 u_char *dptr = NULL;
1599 u_int16_t magic = AUT_TRAILER_MAGIC;
1600
1601 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) +
1602 sizeof(u_int32_t));
1603
1604 ADD_U_CHAR(dptr, AUT_TRAILER);
1605 ADD_U_INT16(dptr, magic);
1606 ADD_U_INT32(dptr, rec_size);
1607
1608 return (t);
1609 }
1610