]> git.saurik.com Git - apple/xnu.git/blob - bsd/kern/kern_bsm_token.c
projects / apple / xnu.git / blob
? search:


201e9c72682c4c385777b525f942dae12a3f2444
[apple/xnu.git] / bsd / kern / kern_bsm_token.c
1 /*
2 * Copyright (c) 2003-2004 Apple Computer, Inc. All rights reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24 #include <sys/types.h>
25 #include <sys/un.h>
26 #include <sys/event.h>
27 #include <sys/ucred.h>
28
29 #include <sys/ipc.h>
30 #include <bsm/audit.h>
31 #include <bsm/audit_record.h>
32 #include <bsm/audit_klib.h>
33 #include <bsm/audit_kernel.h>
34
35 #include <kern/clock.h>
36 #include <kern/kalloc.h>
37
38 #include <string.h>
39
40 #define GET_TOKEN_AREA(tok, dptr, length) \
41 do {\
42 tok = (token_t *)kalloc(sizeof(*tok) + length); \
43 if(tok != NULL)\
44 {\
45 tok->len = length;\
46 dptr = tok->t_data = (u_char *)&tok[1];\
47 memset(dptr, 0, length);\
48 }\
49 }while(0)
50
51
52
53 /*
54 * token ID 1 byte
55 * argument # 1 byte
56 * argument value 4 bytes/8 bytes (32-bit/64-bit value)
57 * text length 2 bytes
58 * text N bytes + 1 terminating NULL byte
59 */
60 token_t *au_to_arg32(char n, char *text, u_int32_t v)
61 {
62 token_t *t;
63 u_char *dptr;
64 u_int16_t textlen;
65
66 if(text == NULL) {
67 return NULL;
68 }
69
70 /* Make sure that text is null terminated */
71 textlen = strlen(text);
72 if(text[textlen] != '\0') {
73 return NULL;
74 }
75
76 GET_TOKEN_AREA(t, dptr, 9 + textlen);
77 if(t == NULL) {
78 return NULL;
79 }
80
81 textlen += 1;
82
83 ADD_U_CHAR(dptr, AU_ARG32_TOKEN);
84 ADD_U_CHAR(dptr, n);
85 ADD_U_INT32(dptr, v);
86 ADD_U_INT16(dptr, textlen);
87 ADD_STRING(dptr, text, textlen);
88
89 return t;
90
91 }
92
93 token_t *au_to_arg64(char n, char *text, u_int64_t v)
94 {
95 token_t *t;
96 u_char *dptr;
97 u_int16_t textlen;
98
99 if(text == NULL) {
100 return NULL;
101 }
102
103 /* Make sure that text is null terminated */
104 textlen = strlen(text);
105 if(text[textlen] != '\0') {
106 return NULL;
107 }
108
109 GET_TOKEN_AREA(t, dptr, 13 + textlen);
110 if(t == NULL) {
111 return NULL;
112 }
113
114 textlen += 1;
115
116 ADD_U_CHAR(dptr, AU_ARG64_TOKEN);
117 ADD_U_CHAR(dptr, n);
118 ADD_U_INT64(dptr, v);
119 ADD_U_INT16(dptr, textlen);
120 ADD_STRING(dptr, text, textlen);
121
122 return t;
123
124 }
125
126 token_t *au_to_arg(char n, char *text, u_int32_t v)
127 {
128 return au_to_arg32(n, text, v);
129 }
130
131 /*
132 * token ID 1 byte
133 * file access mode 4 bytes
134 * owner user ID 4 bytes
135 * owner group ID 4 bytes
136 * file system ID 4 bytes
137 * node ID 8 bytes
138 * device 4 bytes/8 bytes (32-bit/64-bit)
139 */
140 token_t *au_to_attr32(__unused struct vnode_attr *attr)
141 {
142 return NULL;
143 }
144
145 /* Kernel-specific version of the above function */
146 token_t *kau_to_attr32(struct vnode_au_info *vni)
147 {
148 token_t *t;
149 u_char *dptr;
150 u_int64_t fileid;
151 u_int16_t pad0_16 = 0;
152 u_int32_t pad0_32 = 0;
153
154 if(vni == NULL) {
155 return NULL;
156 }
157
158 GET_TOKEN_AREA(t, dptr, 29);
159 if(t == NULL) {
160 return NULL;
161 }
162
163 ADD_U_CHAR(dptr, AU_ATTR32_TOKEN);
164
165 /*
166 * Darwin defines the size for the file mode as 2 bytes;
167 * BSM defines 4. So we copy in a 0 first.
168 */
169 ADD_U_INT16(dptr, pad0_16);
170 ADD_U_INT16(dptr, vni->vn_mode);
171
172 ADD_U_INT32(dptr, vni->vn_uid);
173 ADD_U_INT32(dptr, vni->vn_gid);
174 ADD_U_INT32(dptr, vni->vn_fsid);
175
176 /*
177 * Darwin defines the size for fileid as 4 bytes;
178 * BSM defines 8. So we copy in a 0 first.
179 */
180 fileid = vni->vn_fileid;
181 ADD_U_INT32(dptr, pad0_32);
182 ADD_U_INT32(dptr, fileid);
183
184 ADD_U_INT32(dptr, vni->vn_dev);
185
186 return t;
187 }
188
189 token_t *au_to_attr64(__unused struct vnode_attr *attr)
190 {
191 return NULL;
192 }
193
194 token_t *kau_to_attr64(__unused struct vnode_au_info *vni)
195 {
196 return NULL;
197 }
198
199 token_t *au_to_attr(struct vnode_attr *attr)
200 {
201 return au_to_attr32(attr);
202
203 }
204
205
206 /*
207 * token ID 1 byte
208 * how to print 1 byte
209 * basic unit 1 byte
210 * unit count 1 byte
211 * data items (depends on basic unit)
212 */
213 token_t *au_to_data(char unit_print, char unit_type,
214 char unit_count, char *p)
215 {
216 token_t *t;
217 u_char *dptr;
218 size_t datasize, totdata;
219
220 if(p == NULL) {
221 return NULL;
222 }
223
224 /* Determine the size of the basic unit */
225 switch(unit_type) {
226 case AUR_BYTE: datasize = AUR_BYTE_SIZE;
227 break;
228
229 case AUR_SHORT: datasize = AUR_SHORT_SIZE;
230 break;
231
232 case AUR_LONG: datasize = AUR_LONG_SIZE;
233 break;
234
235 default: return NULL;
236 }
237
238 totdata = datasize * unit_count;
239
240 GET_TOKEN_AREA(t, dptr, totdata + 4);
241 if(t == NULL) {
242 return NULL;
243 }
244
245 ADD_U_CHAR(dptr, AU_ARB_TOKEN);
246 ADD_U_CHAR(dptr, unit_print);
247 ADD_U_CHAR(dptr, unit_type);
248 ADD_U_CHAR(dptr, unit_count);
249 ADD_MEM(dptr, p, totdata);
250
251 return t;
252 }
253
254 /*
255 * token ID 1 byte
256 * status 4 bytes
257 * return value 4 bytes
258 */
259 token_t *au_to_exit(int retval, int err)
260 {
261 token_t *t;
262 u_char *dptr;
263
264 GET_TOKEN_AREA(t, dptr, 9);
265 if(t == NULL) {
266 return NULL;
267 }
268
269 ADD_U_CHAR(dptr, AU_EXIT_TOKEN);
270 ADD_U_INT32(dptr, err);
271 ADD_U_INT32(dptr, retval);
272
273 return t;
274 }
275
276 /*
277 */
278 token_t *au_to_groups(int *groups)
279 {
280 return au_to_newgroups(MAX_GROUPS, groups);
281 }
282
283 /*
284 * token ID 1 byte
285 * number groups 2 bytes
286 * group list count * 4 bytes
287 */
288 token_t *au_to_newgroups(u_int16_t n, gid_t *groups)
289 {
290 token_t *t;
291 u_char *dptr;
292 int i;
293
294 if(groups == NULL) {
295 return NULL;
296 }
297
298 GET_TOKEN_AREA(t, dptr, n * 4 + 3);
299 if(t == NULL) {
300 return NULL;
301 }
302
303 ADD_U_CHAR(dptr, AU_NEWGROUPS_TOKEN);
304 ADD_U_INT16(dptr, n);
305 for(i = 0; i < n; i++) {
306 ADD_U_INT32(dptr, groups[i]);
307 }
308
309 return t;
310 }
311
312
313
314
315 /*
316 * token ID 1 byte
317 * internet address 4 bytes
318 */
319 token_t *au_to_in_addr(struct in_addr *internet_addr)
320 {
321 token_t *t;
322 u_char *dptr;
323
324 if(internet_addr == NULL) {
325 return NULL;
326 }
327
328 GET_TOKEN_AREA(t, dptr, 5);
329 if(t == NULL) {
330 return NULL;
331 }
332
333 ADD_U_CHAR(dptr, AU_IN_ADDR_TOKEN);
334 ADD_U_INT32(dptr, internet_addr->s_addr);
335
336 return t;
337 }
338
339 /*
340 * token ID 1 byte
341 * address type/length 4 bytes
342 * Address 16 bytes
343 */
344 token_t *au_to_in_addr_ex(struct in6_addr *internet_addr)
345 {
346 token_t *t;
347 u_char *dptr;
348 u_int32_t type = AF_INET6;
349
350 if(internet_addr == NULL) {
351 return NULL;
352 }
353
354 GET_TOKEN_AREA(t, dptr, 21);
355 if(t == NULL) {
356 return NULL;
357 }
358
359 ADD_U_CHAR(dptr, AU_IN_ADDR_EX_TOKEN);
360 ADD_U_INT32(dptr, type);
361 ADD_U_INT32(dptr, internet_addr->__u6_addr.__u6_addr32[0]);
362 ADD_U_INT32(dptr, internet_addr->__u6_addr.__u6_addr32[1]);
363 ADD_U_INT32(dptr, internet_addr->__u6_addr.__u6_addr32[2]);
364 ADD_U_INT32(dptr, internet_addr->__u6_addr.__u6_addr32[3]);
365
366 return t;
367 }
368
369 /*
370 * token ID 1 byte
371 * ip header 20 bytes
372 */
373 token_t *au_to_ip(struct ip *ip)
374 {
375 token_t *t;
376 u_char *dptr;
377
378 if(ip == NULL) {
379 return NULL;
380 }
381
382 GET_TOKEN_AREA(t, dptr, 21);
383 if(t == NULL) {
384 return NULL;
385 }
386
387 ADD_U_CHAR(dptr, AU_IP_TOKEN);
388 ADD_MEM(dptr, ip, sizeof(struct ip));
389
390 return t;
391 }
392
393 /*
394 * token ID 1 byte
395 * object ID type 1 byte
396 * object ID 4 bytes
397 */
398 token_t *au_to_ipc(char type, int id)
399 {
400 token_t *t;
401 u_char *dptr;
402
403
404 GET_TOKEN_AREA(t, dptr, 6);
405 if(t == NULL) {
406 return NULL;
407 }
408
409 ADD_U_CHAR(dptr, AU_IPC_TOKEN);
410 ADD_U_CHAR(dptr, type);
411 ADD_U_INT32(dptr, id);
412
413 return t;
414 }
415
416 /*
417 * token ID 1 byte
418 * owner user ID 4 bytes
419 * owner group ID 4 bytes
420 * creator user ID 4 bytes
421 * creator group ID 4 bytes
422 * access mode 4 bytes
423 * slot sequence # 4 bytes
424 * key 4 bytes
425 */
426 token_t *au_to_ipc_perm(struct ipc_perm *perm)
427 {
428 token_t *t;
429 u_char *dptr;
430 u_int16_t pad0 = 0;
431
432 if(perm == NULL) {
433 return NULL;
434 }
435
436 GET_TOKEN_AREA(t, dptr, 29);
437 if(t == NULL) {
438 return NULL;
439 }
440
441 /*
442 * Darwin defines the sizes for ipc_perm members
443 * as 2 bytes; BSM defines 4. So we copy in a 0 first.
444 */
445 ADD_U_CHAR(dptr, AU_IPCPERM_TOKEN);
446
447 ADD_U_INT16(dptr, pad0);
448 ADD_U_INT16(dptr, perm->uid);
449
450 ADD_U_INT16(dptr, pad0);
451 ADD_U_INT16(dptr, perm->gid);
452
453 ADD_U_INT16(dptr, pad0);
454 ADD_U_INT16(dptr, perm->cuid);
455
456 ADD_U_INT16(dptr, pad0);
457 ADD_U_INT16(dptr, perm->cgid);
458
459 ADD_U_INT16(dptr, pad0);
460 ADD_U_INT16(dptr, perm->mode);
461
462 ADD_U_INT16(dptr, pad0);
463 ADD_U_INT16(dptr, perm->seq);
464
465 ADD_U_INT16(dptr, pad0);
466 ADD_U_INT16(dptr, perm->key);
467
468 return t;
469 }
470
471
472 /*
473 * token ID 1 byte
474 * port IP address 2 bytes
475 */
476 token_t *au_to_iport(u_int16_t iport)
477 {
478 token_t *t;
479 u_char *dptr;
480
481
482 GET_TOKEN_AREA(t, dptr, 3);
483 if(t == NULL) {
484 return NULL;
485 }
486
487 ADD_U_CHAR(dptr, AU_IPORT_TOKEN);
488 ADD_U_INT16(dptr, iport);
489
490 return t;
491 }
492
493
494 /*
495 * token ID 1 byte
496 * size 2 bytes
497 * data size bytes
498 */
499 token_t *au_to_opaque(char *data, u_int16_t bytes)
500 {
501 token_t *t;
502 u_char *dptr;
503
504 if((data == NULL) || (bytes <= 0)) {
505 return NULL;
506 }
507
508 GET_TOKEN_AREA(t, dptr, bytes + 3);
509 if(t == NULL) {
510 return NULL;
511 }
512
513 ADD_U_CHAR(dptr, AU_OPAQUE_TOKEN);
514 ADD_U_INT16(dptr, bytes);
515 ADD_MEM(dptr, data, bytes);
516
517 return t;
518 }
519
520 /*
521 * Kernel version of the add file token function, where the time value
522 * is passed in as an additional parameter.
523 * token ID 1 byte
524 * seconds of time 4 bytes
525 * milliseconds of time 4 bytes
526 * file name len 2 bytes
527 * file pathname N bytes + 1 terminating NULL byte
528 */
529 token_t *kau_to_file(const char *file, const struct timeval *tv)
530 {
531 token_t *t;
532 u_char *dptr;
533 u_int16_t filelen;
534 u_int32_t timems = tv->tv_usec/1000; /* We need time in ms */
535
536 if(file == NULL) {
537 return NULL;
538 }
539 /* Make sure that text is null terminated */
540 filelen = strlen(file);
541 if(file[filelen] != '\0') {
542 return NULL;
543 }
544
545 GET_TOKEN_AREA(t, dptr, filelen + 12);
546 if(t == NULL) {
547 return NULL;
548 }
549
550 filelen += 1;
551
552 ADD_U_CHAR(dptr, AU_FILE_TOKEN);
553
554 /* Add the timestamp */
555 ADD_U_INT32(dptr, tv->tv_sec);
556 ADD_U_INT32(dptr, timems);
557
558 ADD_U_INT16(dptr, filelen);
559 ADD_STRING(dptr, file, filelen);
560
561 return t;
562
563 }
564
565 /*
566 * token ID 1 byte
567 * text length 2 bytes
568 * text N bytes + 1 terminating NULL byte
569 */
570 token_t *au_to_text(char *text)
571 {
572 token_t *t;
573 u_char *dptr;
574 u_int16_t textlen;
575
576 if(text == NULL) {
577 return NULL;
578 }
579 /* Make sure that text is null terminated */
580 textlen = strlen(text);
581 if(text[textlen] != '\0') {
582 return NULL;
583 }
584
585 GET_TOKEN_AREA(t, dptr, textlen + 4);
586 if(t == NULL) {
587 return NULL;
588 }
589
590 textlen += 1;
591
592 ADD_U_CHAR(dptr, AU_TEXT_TOKEN);
593 ADD_U_INT16(dptr, textlen);
594 ADD_STRING(dptr, text, textlen);
595
596 return t;
597 }
598
599 /*
600 * token ID 1 byte
601 * path length 2 bytes
602 * path N bytes + 1 terminating NULL byte
603 */
604 token_t *au_to_path(char *text)
605 {
606 token_t *t;
607 u_char *dptr;
608 u_int16_t textlen;
609
610 if(text == NULL) {
611 return NULL;
612 }
613 /* Make sure that text is null terminated */
614 textlen = strlen(text);
615 if(text[textlen] != '\0') {
616 return NULL;
617 }
618
619 GET_TOKEN_AREA(t, dptr, textlen + 4);
620 if(t == NULL) {
621 return NULL;
622 }
623
624 textlen += 1;
625
626 ADD_U_CHAR(dptr, AU_PATH_TOKEN);
627 ADD_U_INT16(dptr, textlen);
628 ADD_STRING(dptr, text, textlen);
629
630 return t;
631 }
632
633 /*
634 * token ID 1 byte
635 * audit ID 4 bytes
636 * effective user ID 4 bytes
637 * effective group ID 4 bytes
638 * real user ID 4 bytes
639 * real group ID 4 bytes
640 * process ID 4 bytes
641 * session ID 4 bytes
642 * terminal ID
643 * port ID 4 bytes/8 bytes (32-bit/64-bit value)
644 * machine address 4 bytes
645 */
646 token_t *au_to_process32(au_id_t auid, uid_t euid, gid_t egid,
647 uid_t ruid, gid_t rgid, pid_t pid,
648 au_asid_t sid, au_tid_t *tid)
649 {
650 token_t *t;
651 u_char *dptr;
652
653 if(tid == NULL) {
654 return NULL;
655 }
656
657 GET_TOKEN_AREA(t, dptr, 37);
658 if(t == NULL) {
659 return NULL;
660 }
661
662 ADD_U_CHAR(dptr, AU_PROCESS_32_TOKEN);
663 ADD_U_INT32(dptr, auid);
664 ADD_U_INT32(dptr, euid);
665 ADD_U_INT32(dptr, egid);
666 ADD_U_INT32(dptr, ruid);
667 ADD_U_INT32(dptr, rgid);
668 ADD_U_INT32(dptr, pid);
669 ADD_U_INT32(dptr, sid);
670 ADD_U_INT32(dptr, tid->port);
671 ADD_U_INT32(dptr, tid->machine);
672
673 return t;
674 }
675
676 token_t *au_to_process64(__unused au_id_t auid,
677 __unused uid_t euid,
678 __unused gid_t egid,
679 __unused uid_t ruid,
680 __unused gid_t rgid,
681 __unused pid_t pid,
682 __unused au_asid_t sid,
683 __unused au_tid_t *tid)
684 {
685 return NULL;
686 }
687
688 token_t *au_to_process(au_id_t auid, uid_t euid, gid_t egid,
689 uid_t ruid, gid_t rgid, pid_t pid,
690 au_asid_t sid, au_tid_t *tid)
691 {
692 return au_to_process32(auid, euid, egid, ruid, rgid, pid,
693 sid, tid);
694 }
695
696
697 /*
698 * token ID 1 byte
699 * audit ID 4 bytes
700 * effective user ID 4 bytes
701 * effective group ID 4 bytes
702 * real user ID 4 bytes
703 * real group ID 4 bytes
704 * process ID 4 bytes
705 * session ID 4 bytes
706 * terminal ID
707 * port ID 4 bytes/8 bytes (32-bit/64-bit value)
708 * address type-len 4 bytes
709 * machine address 16 bytes
710 */
711 token_t *au_to_process32_ex(au_id_t auid, uid_t euid, gid_t egid,
712 uid_t ruid, gid_t rgid, pid_t pid,
713 au_asid_t sid, au_tid_addr_t *tid)
714 {
715 token_t *t;
716 u_char *dptr;
717
718 if(tid == NULL) {
719 return NULL;
720 }
721
722 GET_TOKEN_AREA(t, dptr, 53);
723 if(t == NULL) {
724 return NULL;
725 }
726
727 ADD_U_CHAR(dptr, AU_PROCESS_32_EX_TOKEN);
728 ADD_U_INT32(dptr, auid);
729 ADD_U_INT32(dptr, euid);
730 ADD_U_INT32(dptr, egid);
731 ADD_U_INT32(dptr, ruid);
732 ADD_U_INT32(dptr, rgid);
733 ADD_U_INT32(dptr, pid);
734 ADD_U_INT32(dptr, sid);
735 ADD_U_INT32(dptr, tid->at_port);
736 ADD_U_INT32(dptr, tid->at_type);
737 ADD_U_INT32(dptr, tid->at_addr[0]);
738 ADD_U_INT32(dptr, tid->at_addr[1]);
739 ADD_U_INT32(dptr, tid->at_addr[2]);
740 ADD_U_INT32(dptr, tid->at_addr[3]);
741
742 return t;
743 }
744
745 token_t *au_to_process64_ex(
746 __unused au_id_t auid,
747 __unused uid_t euid,
748 __unused gid_t egid,
749 __unused uid_t ruid,
750 __unused gid_t rgid,
751 __unused pid_t pid,
752 __unused au_asid_t sid,
753 __unused au_tid_addr_t *tid)
754 {
755 return NULL;
756 }
757
758 token_t *au_to_process_ex(au_id_t auid, uid_t euid, gid_t egid,
759 uid_t ruid, gid_t rgid, pid_t pid,
760 au_asid_t sid, au_tid_addr_t *tid)
761 {
762 return au_to_process32_ex(auid, euid, egid, ruid, rgid,
763 pid, sid, tid);
764 }
765
766 /*
767 * token ID 1 byte
768 * error status 1 byte
769 * return value 4 bytes/8 bytes (32-bit/64-bit value)
770 */
771 token_t *au_to_return32(char status, u_int32_t ret)
772 {
773 token_t *t;
774 u_char *dptr;
775
776
777 GET_TOKEN_AREA(t, dptr, 6);
778 if(t == NULL) {
779 return NULL;
780 }
781
782 ADD_U_CHAR(dptr, AU_RETURN_32_TOKEN);
783 ADD_U_CHAR(dptr, status);
784 ADD_U_INT32(dptr, ret);
785
786 return t;
787 }
788
789 token_t *au_to_return64(char status, u_int64_t ret)
790 {
791 token_t *t;
792 u_char *dptr;
793
794
795 GET_TOKEN_AREA(t, dptr, 10);
796 if(t == NULL) {
797 return NULL;
798 }
799
800 ADD_U_CHAR(dptr, AU_RETURN_64_TOKEN);
801 ADD_U_CHAR(dptr, status);
802 ADD_U_INT64(dptr, ret);
803
804 return t;
805 }
806
807 token_t *au_to_return(char status, u_int32_t ret)
808 {
809 return au_to_return32(status, ret);
810 }
811
812 /*
813 * token ID 1 byte
814 * sequence number 4 bytes
815 */
816 token_t *au_to_seq(long audit_count)
817 {
818 token_t *t;
819 u_char *dptr;
820
821
822 GET_TOKEN_AREA(t, dptr, 5);
823 if(t == NULL) {
824 return NULL;
825 }
826
827 ADD_U_CHAR(dptr, AU_SEQ_TOKEN);
828 ADD_U_INT32(dptr, audit_count);
829
830 return t;
831 }
832
833 /*
834 * token ID 1 byte
835 * socket type 2 bytes
836 * local port 2 bytes
837 * local Internet address 4 bytes
838 * remote port 2 bytes
839 * remote Internet address 4 bytes
840 */
841 token_t *au_to_socket(__unused struct socket *so)
842 {
843 return NULL;
844 }
845
846 /*
847 * Kernel-specific version of the above function.
848 */
849 token_t *kau_to_socket(struct socket_au_info *soi)
850 {
851 token_t *t;
852 u_char *dptr;
853 u_int16_t so_type;
854
855 if(soi == NULL) {
856 return NULL;
857 }
858
859 GET_TOKEN_AREA(t, dptr, 15);
860 if(t == NULL) {
861 return NULL;
862 }
863
864 ADD_U_CHAR(dptr, AU_SOCK_TOKEN);
865 /* Coerce the socket type into a short value */
866 so_type = soi->so_type;
867 ADD_U_INT16(dptr, so_type);
868 ADD_U_INT16(dptr, soi->so_lport);
869 ADD_U_INT32(dptr, soi->so_laddr);
870 ADD_U_INT16(dptr, soi->so_rport);
871 ADD_U_INT32(dptr, soi->so_raddr);
872
873 return t;
874 }
875
876 /*
877 * token ID 1 byte
878 * socket type 2 bytes
879 * local port 2 bytes
880 * address type/length 4 bytes
881 * local Internet address 4 bytes/16 bytes (IPv4/IPv6 address)
882 * remote port 4 bytes
883 * address type/length 4 bytes
884 * remote Internet address 4 bytes/16 bytes (IPv4/IPv6 address)
885 */
886 token_t *au_to_socket_ex_32(
887 __unused u_int16_t lp,
888 __unused u_int16_t rp,
889 __unused struct sockaddr *la,
890 __unused struct sockaddr *ra)
891 {
892 return NULL;
893 }
894
895 token_t *au_to_socket_ex_128(
896 __unused u_int16_t lp,
897 __unused u_int16_t rp,
898 __unused struct sockaddr *la,
899 __unused struct sockaddr *ra)
900 {
901 return NULL;
902 }
903
904 /*
905 * token ID 1 byte
906 * socket family 2 bytes
907 * local port 2 bytes
908 * socket address 4 bytes
909 */
910 token_t *au_to_sock_inet32(struct sockaddr_in *so)
911 {
912 token_t *t;
913 u_char *dptr;
914
915 if(so == NULL) {
916 return NULL;
917 }
918
919 GET_TOKEN_AREA(t, dptr, 9);
920 if(t == NULL) {
921 return NULL;
922 }
923
924 ADD_U_CHAR(dptr, AU_SOCK_INET_32_TOKEN);
925 /* In Darwin, sin_family is one octet, but BSM defines the token
926 * to store two. So we copy in a 0 first.
927 */
928 ADD_U_CHAR(dptr, 0);
929 ADD_U_CHAR(dptr, so->sin_family);
930 ADD_U_INT16(dptr, so->sin_port);
931 ADD_U_INT32(dptr, so->sin_addr.s_addr);
932
933 return t;
934
935 }
936
937 token_t *au_to_sock_inet128(struct sockaddr_in6 *so)
938 {
939 token_t *t;
940 u_char *dptr;
941
942 if(so == NULL) {
943 return NULL;
944 }
945
946 GET_TOKEN_AREA(t, dptr, 21);
947 if(t == NULL) {
948 return NULL;
949 }
950
951 ADD_U_CHAR(dptr, AU_SOCK_INET_128_TOKEN);
952 /* In Darwin, sin_family is one octet, but BSM defines the token
953 * to store two. So we copy in a 0 first.
954 */
955 ADD_U_CHAR(dptr, 0);
956 ADD_U_CHAR(dptr, so->sin6_family);
957 ADD_U_INT16(dptr, so->sin6_port);
958 ADD_U_INT32(dptr, so->sin6_addr.__u6_addr.__u6_addr32[0]);
959 ADD_U_INT32(dptr, so->sin6_addr.__u6_addr.__u6_addr32[1]);
960 ADD_U_INT32(dptr, so->sin6_addr.__u6_addr.__u6_addr32[2]);
961 ADD_U_INT32(dptr, so->sin6_addr.__u6_addr.__u6_addr32[3]);
962
963 return t;
964
965
966
967 }
968
969 /*
970 * token ID 1 byte
971 * socket family 2 bytes
972 * path 104 bytes
973 */
974 token_t *au_to_sock_unix(struct sockaddr_un *so)
975 {
976 token_t *t;
977 u_char *dptr;
978
979 if(so == NULL) {
980 return NULL;
981 }
982
983 GET_TOKEN_AREA(t, dptr, 107);
984 if(t == NULL) {
985 return NULL;
986 }
987
988 ADD_U_CHAR(dptr, AU_SOCK_UNIX_TOKEN);
989 /* BSM token has two bytes for family */
990 ADD_U_CHAR(dptr, 0);
991 ADD_U_CHAR(dptr, so->sun_family);
992 ADD_STRING(dptr, so->sun_path, strlen(so->sun_path));
993
994 return t;
995
996 }
997
998 token_t *au_to_sock_inet(struct sockaddr_in *so)
999 {
1000 return au_to_sock_inet32(so);
1001 }
1002
1003 /*
1004 * token ID 1 byte
1005 * audit ID 4 bytes
1006 * effective user ID 4 bytes
1007 * effective group ID 4 bytes
1008 * real user ID 4 bytes
1009 * real group ID 4 bytes
1010 * process ID 4 bytes
1011 * session ID 4 bytes
1012 * terminal ID
1013 * port ID 4 bytes/8 bytes (32-bit/64-bit value)
1014 * machine address 4 bytes
1015 */
1016 token_t *au_to_subject32(au_id_t auid, uid_t euid, gid_t egid,
1017 uid_t ruid, gid_t rgid, pid_t pid,
1018 au_asid_t sid, au_tid_t *tid)
1019 {
1020 token_t *t;
1021 u_char *dptr;
1022
1023 if(tid == NULL) {
1024 return NULL;
1025 }
1026
1027 GET_TOKEN_AREA(t, dptr, 37);
1028 if(t == NULL) {
1029 return NULL;
1030 }
1031
1032 ADD_U_CHAR(dptr, AU_SUBJECT_32_TOKEN);
1033 ADD_U_INT32(dptr, auid);
1034 ADD_U_INT32(dptr, euid);
1035 ADD_U_INT32(dptr, egid);
1036 ADD_U_INT32(dptr, ruid);
1037 ADD_U_INT32(dptr, rgid);
1038 ADD_U_INT32(dptr, pid);
1039 ADD_U_INT32(dptr, sid);
1040 ADD_U_INT32(dptr, tid->port);
1041 ADD_U_INT32(dptr, tid->machine);
1042
1043 return t;
1044 }
1045
1046 token_t *au_to_subject64(
1047 __unused au_id_t auid,
1048 __unused uid_t euid,
1049 __unused gid_t egid,
1050 __unused uid_t ruid,
1051 __unused gid_t rgid,
1052 __unused pid_t pid,
1053 __unused au_asid_t sid,
1054 __unused au_tid_t *tid)
1055 {
1056 return NULL;
1057 }
1058
1059 token_t *au_to_subject(au_id_t auid, uid_t euid, gid_t egid,
1060 uid_t ruid, gid_t rgid, pid_t pid,
1061 au_asid_t sid, au_tid_t *tid)
1062 {
1063 return au_to_subject32(auid, euid, egid, ruid, rgid,
1064 pid, sid, tid);
1065
1066 }
1067
1068 /*
1069 * token ID 1 byte
1070 * audit ID 4 bytes
1071 * effective user ID 4 bytes
1072 * effective group ID 4 bytes
1073 * real user ID 4 bytes
1074 * real group ID 4 bytes
1075 * process ID 4 bytes
1076 * session ID 4 bytes
1077 * terminal ID
1078 * port ID 4 bytes/8 bytes (32-bit/64-bit value)
1079 * address type/length 4 bytes
1080 * machine address 16 bytes
1081 */
1082 token_t *au_to_subject32_ex(au_id_t auid, uid_t euid,
1083 gid_t egid, uid_t ruid, gid_t rgid, pid_t pid,
1084 au_asid_t sid, au_tid_addr_t *tid)
1085 {
1086 token_t *t;
1087 u_char *dptr;
1088
1089 if(tid == NULL) {
1090 return NULL;
1091 }
1092
1093 GET_TOKEN_AREA(t, dptr, 53);
1094 if(t == NULL) {
1095 return NULL;
1096 }
1097
1098 ADD_U_CHAR(dptr, AU_SUBJECT_32_EX_TOKEN);
1099 ADD_U_INT32(dptr, auid);
1100 ADD_U_INT32(dptr, euid);
1101 ADD_U_INT32(dptr, egid);
1102 ADD_U_INT32(dptr, ruid);
1103 ADD_U_INT32(dptr, rgid);
1104 ADD_U_INT32(dptr, pid);
1105 ADD_U_INT32(dptr, sid);
1106 ADD_U_INT32(dptr, tid->at_port);
1107 ADD_U_INT32(dptr, tid->at_type);
1108 ADD_U_INT32(dptr, tid->at_addr[0]);
1109 ADD_U_INT32(dptr, tid->at_addr[1]);
1110 ADD_U_INT32(dptr, tid->at_addr[2]);
1111 ADD_U_INT32(dptr, tid->at_addr[3]);
1112
1113 return t;
1114 }
1115
1116 token_t *au_to_subject64_ex(
1117 __unused au_id_t auid,
1118 __unused uid_t euid,
1119 __unused gid_t egid,
1120 __unused uid_t ruid,
1121 __unused gid_t rgid,
1122 __unused pid_t pid,
1123 __unused au_asid_t sid,
1124 __unused au_tid_addr_t *tid)
1125 {
1126 return NULL;
1127 }
1128
1129 token_t *au_to_subject_ex(au_id_t auid, uid_t euid,
1130 gid_t egid, uid_t ruid, gid_t rgid, pid_t pid,
1131 au_asid_t sid, au_tid_addr_t *tid)
1132 {
1133 return au_to_subject32_ex(auid, euid, egid, ruid, rgid,
1134 pid, sid, tid);
1135
1136 }
1137
1138 /*
1139 * token ID 1 byte
1140 * count 4 bytes
1141 * text count null-terminated strings
1142 */
1143 token_t *au_to_exec_args(const char **args)
1144 {
1145 token_t *t;
1146 u_char *dptr;
1147 const char *nextarg;
1148 int i, count = 0;
1149 size_t totlen = 0;
1150
1151 if(args == NULL) {
1152 return NULL;
1153 }
1154
1155 nextarg = *args;
1156
1157 while(nextarg != NULL) {
1158 int nextlen;
1159
1160 nextlen = strlen(nextarg);
1161 if(nextarg[nextlen] != '\0') {
1162 return NULL;
1163 }
1164
1165 totlen += nextlen + 1;
1166 count++;
1167 nextarg = *(args + count);
1168 }
1169
1170
1171 GET_TOKEN_AREA(t, dptr, 5 + totlen);
1172 if(t == NULL) {
1173 return NULL;
1174 }
1175
1176 ADD_U_CHAR(dptr, AU_EXEC_ARG_TOKEN);
1177 ADD_U_INT32(dptr, count);
1178
1179 for(i =0; i< count; i++) {
1180 nextarg = *(args + i);
1181 ADD_MEM(dptr, nextarg, strlen(nextarg) + 1);
1182 }
1183
1184 return t;
1185 }
1186
1187
1188 /*
1189 * token ID 1 byte
1190 * count 4 bytes
1191 * text count null-terminated strings
1192 */
1193 token_t *au_to_exec_env(const char **env)
1194 {
1195 token_t *t;
1196 u_char *dptr;
1197 int i, count = 0;
1198 size_t totlen = 0;
1199 const char *nextenv;
1200
1201 if(env == NULL) {
1202 return NULL;
1203 }
1204
1205 nextenv = *env;
1206
1207 while(nextenv != NULL) {
1208 int nextlen;
1209
1210 nextlen = strlen(nextenv);
1211 if(nextenv[nextlen] != '\0') {
1212 return NULL;
1213 }
1214
1215 totlen += nextlen + 1;
1216 count++;
1217 nextenv = *(env + count);
1218 }
1219
1220
1221 GET_TOKEN_AREA(t, dptr, 5 + totlen);
1222 if(t == NULL) {
1223 return NULL;
1224 }
1225
1226 ADD_U_CHAR(dptr, AU_EXEC_ENV_TOKEN);
1227 ADD_U_INT32(dptr, count);
1228
1229 for(i =0; i< count; i++) {
1230 nextenv = *(env + i);
1231 ADD_MEM(dptr, nextenv, strlen(nextenv) + 1);
1232 }
1233
1234 return t;
1235 }
1236
1237
1238 /*
1239 * Kernel version of the BSM header token functions. These versions take
1240 * a timespec struct as an additional parameter in order to obtain the
1241 * create time value for the BSM audit record.
1242 * token ID 1 byte
1243 * record byte count 4 bytes
1244 * version # 1 byte [2]
1245 * event type 2 bytes
1246 * event modifier 2 bytes
1247 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value)
1248 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value)
1249 */
1250 token_t *kau_to_header32(const struct timespec *ctime, int rec_size,
1251 au_event_t e_type, au_emod_t e_mod)
1252 {
1253 token_t *t;
1254 u_char *dptr;
1255 u_int32_t timems = ctime->tv_nsec/1000000; /* We need time in ms */
1256
1257 GET_TOKEN_AREA(t, dptr, 18);
1258 if(t == NULL) {
1259 return NULL;
1260 }
1261
1262 ADD_U_CHAR(dptr, AU_HEADER_32_TOKEN);
1263 ADD_U_INT32(dptr, rec_size);
1264 ADD_U_CHAR(dptr, HEADER_VERSION);
1265 ADD_U_INT16(dptr, e_type);
1266 ADD_U_INT16(dptr, e_mod);
1267
1268 /* Add the timestamp */
1269 ADD_U_INT32(dptr, ctime->tv_sec);
1270 ADD_U_INT32(dptr, timems);
1271
1272 return t;
1273 }
1274
1275 token_t *kau_to_header64(
1276 __unused const struct timespec *ctime,
1277 __unused int rec_size,
1278 __unused au_event_t e_type,
1279 __unused au_emod_t e_mod)
1280 {
1281 return NULL;
1282 }
1283
1284 token_t *kau_to_header(const struct timespec *ctime, int rec_size,
1285 au_event_t e_type, au_emod_t e_mod)
1286 {
1287 return kau_to_header32(ctime, rec_size, e_type, e_mod);
1288 }
1289
1290 /*
1291 * token ID 1 byte
1292 * trailer magic number 2 bytes
1293 * record byte count 4 bytes
1294 */
1295 token_t *au_to_trailer(int rec_size)
1296 {
1297 token_t *t;
1298 u_char *dptr;
1299 u_int16_t magic = TRAILER_PAD_MAGIC;
1300
1301
1302 GET_TOKEN_AREA(t, dptr, 7);
1303 if(t == NULL) {
1304 return NULL;
1305 }
1306
1307 ADD_U_CHAR(dptr, AU_TRAILER_TOKEN);
1308 ADD_U_INT16(dptr, magic);
1309 ADD_U_INT32(dptr, rec_size);
1310
1311 return t;
1312
1313 }
1314
mirror of XNU