bsd/kern/kern_bsm_token.c

   1 /*
   2  * Copyright (c) 2003-2004 Apple Computer, Inc. All rights reserved.
   3  *
   4  * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
   5  *
   6  * This file contains Original Code and/or Modifications of Original Code
   7  * as defined in and that are subject to the Apple Public Source License
   8  * Version 2.0 (the 'License'). You may not use this file except in
   9  * compliance with the License. The rights granted to you under the License
  10  * may not be used to create, or enable the creation or redistribution of,
  11  * unlawful or unlicensed copies of an Apple operating system, or to
  12  * circumvent, violate, or enable the circumvention or violation of, any
  13  * terms of an Apple operating system software license agreement.
  14  *
  15  * Please obtain a copy of the License at
  16  * http://www.opensource.apple.com/apsl/ and read it before using this file.
  17  *
  18  * The Original Code and all software distributed under the License are
  19  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
  20  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
  21  * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
  22  * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
  23  * Please see the License for the specific language governing rights and
  24  * limitations under the License.
  25  *
  26  * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
  27  */
  28
  29 #include <sys/types.h>
  30 #include <sys/un.h>
  31 #include <sys/event.h>
  32 #include <sys/ucred.h>
  33
  34 #include <sys/ipc.h>
  35 #include <bsm/audit.h>
  36 #include <bsm/audit_record.h>
  37 #include <bsm/audit_klib.h>
  38 #include <bsm/audit_kernel.h>
  39
  40 #include <kern/clock.h>
  41 #include <kern/kalloc.h>
  42
  43 #include <string.h>
  44
  45 #define GET_TOKEN_AREA(tok, dptr, length) \
  46         do {\
  47                 tok = (token_t *)kalloc(sizeof(*tok) + length); \
  48                 if(tok != NULL)\
  49                 {\
  50                         tok->len = length;\
  51                         dptr = tok->t_data = (u_char *)&tok[1];\
  52                                 memset(dptr, 0, length);\
  53                         }\
  54         }while(0)
  55
  56
  57
  58 /*
  59  * token ID                1 byte
  60  * argument #              1 byte
  61  * argument value          4 bytes/8 bytes (32-bit/64-bit value)
  62  * text length             2 bytes
  63  * text                    N bytes + 1 terminating NULL byte
  64  */
  65 token_t *
  66 au_to_arg32(char n, const char *text, u_int32_t v)
  67 {
  68         token_t *t;
  69         u_char *dptr;
  70         u_int16_t textlen;
  71
  72         if(text == NULL) {
  73                 return NULL;
  74         }
  75
  76         textlen = strlen(text);
  77
  78         GET_TOKEN_AREA(t, dptr, 9 + textlen);
  79         if(t == NULL) {
  80                 return NULL;
  81         }
  82
  83         textlen += 1;
  84
  85         ADD_U_CHAR(dptr, AU_ARG32_TOKEN);
  86         ADD_U_CHAR(dptr, n);
  87         ADD_U_INT32(dptr, v);
  88         ADD_U_INT16(dptr, textlen);
  89         ADD_STRING(dptr, text, textlen);
  90
  91         return t;
  92
  93 }
  94
  95 token_t *
  96 au_to_arg64(char n, const char *text, u_int64_t v)
  97 {
  98         token_t *t;
  99         u_char *dptr;
 100         u_int16_t textlen;
 101
 102         if(text == NULL) {
 103                 return NULL;
 104         }
 105
 106         textlen = strlen(text);
 107
 108         GET_TOKEN_AREA(t, dptr, 13 + textlen);
 109         if(t == NULL) {
 110                 return NULL;
 111         }
 112
 113         textlen += 1;
 114
 115         ADD_U_CHAR(dptr, AU_ARG64_TOKEN);
 116         ADD_U_CHAR(dptr, n);
 117         ADD_U_INT64(dptr, v);
 118         ADD_U_INT16(dptr, textlen);
 119         ADD_STRING(dptr, text, textlen);
 120
 121         return t;
 122
 123 }
 124
 125 token_t *
 126 au_to_arg(char n, char *text, u_int32_t v)
 127 {
 128         return au_to_arg32(n, text, v);
 129 }
 130
 131 /*
 132  * token ID                1 byte
 133  * file access mode        4 bytes
 134  * owner user ID           4 bytes
 135  * owner group ID          4 bytes
 136  * file system ID          4 bytes
 137  * node ID                 8 bytes
 138  * device                  4 bytes/8 bytes (32-bit/64-bit)
 139  */
 140 token_t *au_to_attr32(__unused struct vnode_attr *attr)
 141 {
 142         return NULL;
 143 }
 144
 145 /* Kernel-specific version of the above function */
 146 token_t *kau_to_attr32(struct vnode_au_info *vni)
 147 {
 148         token_t *t;
 149         u_char *dptr;
 150         u_int64_t fileid;
 151         u_int16_t pad0_16 = 0;
 152         u_int32_t pad0_32 = 0;
 153
 154         if(vni == NULL) {
 155                 return NULL;
 156         }
 157
 158         GET_TOKEN_AREA(t, dptr, 29);
 159         if(t == NULL) {
 160                 return NULL;
 161         }
 162
 163         ADD_U_CHAR(dptr, AU_ATTR32_TOKEN);
 164
 165         /*
 166          * Darwin defines the size for the file mode as 2 bytes;
 167          * BSM defines 4. So we copy in a 0 first.
 168          */
 169         ADD_U_INT16(dptr, pad0_16);
 170         ADD_U_INT16(dptr, vni->vn_mode);
 171
 172         ADD_U_INT32(dptr, vni->vn_uid);
 173         ADD_U_INT32(dptr, vni->vn_gid);
 174         ADD_U_INT32(dptr, vni->vn_fsid);
 175
 176         /*
 177          * Darwin defines the size for fileid as 4 bytes;
 178          * BSM defines 8. So we copy in a 0 first.
 179          */
 180         fileid = vni->vn_fileid;
 181         ADD_U_INT32(dptr, pad0_32);
 182         ADD_U_INT32(dptr, fileid);
 183
 184         ADD_U_INT32(dptr, vni->vn_dev);
 185
 186         return t;
 187 }
 188
 189 token_t *au_to_attr64(__unused struct vnode_attr *attr)
 190 {
 191         return NULL;
 192 }
 193
 194 token_t *kau_to_attr64(__unused struct vnode_au_info *vni)
 195 {
 196         return NULL;
 197 }
 198
 199 token_t *au_to_attr(struct vnode_attr *attr)
 200 {
 201         return au_to_attr32(attr);
 202
 203 }
 204
 205
 206 /*
 207  * token ID                1 byte
 208  * how to print            1 byte
 209  * basic unit              1 byte
 210  * unit count              1 byte
 211  * data items              (depends on basic unit)
 212  */
 213 token_t *au_to_data(char unit_print, char unit_type,
 214                     char unit_count, unsigned char *p)
 215 {
 216         token_t *t;
 217         u_char *dptr;
 218         size_t datasize, totdata;
 219
 220         if(p == NULL) {
 221                 return NULL;
 222         }
 223
 224         /* Determine the size of the basic unit */
 225         switch(unit_type) {
 226                 case AUR_BYTE:  datasize = AUR_BYTE_SIZE;
 227                                                 break;
 228
 229                 case AUR_SHORT: datasize = AUR_SHORT_SIZE;
 230                                                 break;
 231
 232                 case AUR_LONG:  datasize = AUR_LONG_SIZE;
 233                                                 break;
 234
 235                 default: return NULL;
 236         }
 237
 238         totdata = datasize * unit_count;
 239
 240         GET_TOKEN_AREA(t, dptr, totdata + 4);
 241         if(t == NULL) {
 242                 return NULL;
 243         }
 244
 245         ADD_U_CHAR(dptr, AU_ARB_TOKEN);
 246         ADD_U_CHAR(dptr, unit_print);
 247         ADD_U_CHAR(dptr, unit_type);
 248         ADD_U_CHAR(dptr, unit_count);
 249         ADD_MEM(dptr, p, totdata);
 250
 251         return t;
 252 }
 253
 254 /*
 255  * token ID                1 byte
 256  * status                  4 bytes
 257  * return value            4 bytes
 258  */
 259 token_t *au_to_exit(int retval, int err)
 260 {
 261         token_t *t;
 262         u_char *dptr;
 263
 264         GET_TOKEN_AREA(t, dptr, 9);
 265         if(t == NULL) {
 266                 return NULL;
 267         }
 268
 269         ADD_U_CHAR(dptr, AU_EXIT_TOKEN);
 270         ADD_U_INT32(dptr, err);
 271         ADD_U_INT32(dptr, retval);
 272
 273         return t;
 274 }
 275
 276 /*
 277  */
 278 token_t *
 279 au_to_groups(gid_t *groups)
 280 {
 281         return au_to_newgroups(MAX_GROUPS, groups);
 282 }
 283
 284 /*
 285  * token ID                1 byte
 286  * number groups           2 bytes
 287  * group list              count * 4 bytes
 288  */
 289 token_t *au_to_newgroups(u_int16_t n, gid_t *groups)
 290 {
 291         token_t *t;
 292         u_char *dptr;
 293         int i;
 294
 295         if(groups == NULL) {
 296                 return NULL;
 297         }
 298
 299         GET_TOKEN_AREA(t, dptr, n * 4 + 3);
 300         if(t == NULL) {
 301                 return NULL;
 302         }
 303
 304         ADD_U_CHAR(dptr, AU_NEWGROUPS_TOKEN);
 305         ADD_U_INT16(dptr, n);
 306         for(i = 0; i < n; i++) {
 307             ADD_U_INT32(dptr, groups[i]);
 308         }
 309
 310         return t;
 311 }
 312
 313
 314
 315
 316 /*
 317  * token ID                1 byte
 318  * internet address        4 bytes
 319  */
 320 token_t *au_to_in_addr(struct in_addr *internet_addr)
 321 {
 322         token_t *t;
 323         u_char *dptr;
 324
 325         if(internet_addr == NULL) {
 326                 return NULL;
 327         }
 328
 329         GET_TOKEN_AREA(t, dptr, 5);
 330         if(t == NULL) {
 331                 return NULL;
 332         }
 333
 334         ADD_U_CHAR(dptr, AU_IN_ADDR_TOKEN);
 335         ADD_U_INT32(dptr, internet_addr->s_addr);
 336
 337         return t;
 338 }
 339
 340 /*
 341  * token ID                1 byte
 342  * address type/length     4 bytes
 343  * Address                16 bytes
 344  */
 345 token_t *au_to_in_addr_ex(struct in6_addr *internet_addr)
 346 {
 347         token_t *t;
 348         u_char *dptr;
 349         u_int32_t type = AF_INET6;
 350
 351         if(internet_addr == NULL) {
 352                 return NULL;
 353         }
 354
 355         GET_TOKEN_AREA(t, dptr, 21);
 356         if(t == NULL) {
 357                 return NULL;
 358         }
 359
 360         ADD_U_CHAR(dptr, AU_IN_ADDR_EX_TOKEN);
 361         ADD_U_INT32(dptr, type);
 362         ADD_U_INT32(dptr, internet_addr->__u6_addr.__u6_addr32[0]);
 363         ADD_U_INT32(dptr, internet_addr->__u6_addr.__u6_addr32[1]);
 364         ADD_U_INT32(dptr, internet_addr->__u6_addr.__u6_addr32[2]);
 365         ADD_U_INT32(dptr, internet_addr->__u6_addr.__u6_addr32[3]);
 366
 367         return t;
 368 }
 369
 370 /*
 371  * token ID                1 byte
 372  * ip header               20 bytes
 373  */
 374 token_t *au_to_ip(struct ip *ip)
 375 {
 376         token_t *t;
 377         u_char *dptr;
 378
 379         if(ip == NULL) {
 380                 return NULL;
 381         }
 382
 383         GET_TOKEN_AREA(t, dptr, 21);
 384         if(t == NULL) {
 385                 return NULL;
 386         }
 387
 388         ADD_U_CHAR(dptr, AU_IP_TOKEN);
 389         ADD_MEM(dptr, ip, sizeof(struct ip));
 390
 391         return t;
 392 }
 393
 394 /*
 395  * token ID                1 byte
 396  * object ID type          1 byte
 397  * object ID               4 bytes
 398  */
 399 token_t *au_to_ipc(char type, int id)
 400 {
 401         token_t *t;
 402         u_char *dptr;
 403
 404
 405         GET_TOKEN_AREA(t, dptr, 6);
 406         if(t == NULL) {
 407                 return NULL;
 408         }
 409
 410         ADD_U_CHAR(dptr, AU_IPC_TOKEN);
 411         ADD_U_CHAR(dptr, type);
 412         ADD_U_INT32(dptr, id);
 413
 414         return t;
 415 }
 416
 417 /*
 418  * token ID                1 byte
 419  * owner user ID           4 bytes
 420  * owner group ID          4 bytes
 421  * creator user ID         4 bytes
 422  * creator group ID        4 bytes
 423  * access mode             4 bytes
 424  * slot sequence #         4 bytes
 425  * key                     4 bytes
 426  */
 427 token_t *au_to_ipc_perm(struct ipc_perm *perm)
 428 {
 429         token_t *t;
 430         u_char *dptr;
 431         u_int16_t pad0 = 0;
 432
 433         if(perm == NULL) {
 434                 return NULL;
 435         }
 436
 437         GET_TOKEN_AREA(t, dptr, 29);
 438         if(t == NULL) {
 439                 return NULL;
 440         }
 441
 442         /*
 443          * Darwin defines the sizes for ipc_perm members
 444          * as 2 bytes; BSM defines 4. So we copy in a 0 first.
 445          */
 446         ADD_U_CHAR(dptr, AU_IPCPERM_TOKEN);
 447
 448         ADD_U_INT32(dptr, perm->uid);
 449         ADD_U_INT32(dptr, perm->gid);
 450         ADD_U_INT32(dptr, perm->cuid);
 451         ADD_U_INT32(dptr, perm->cgid);
 452
 453         ADD_U_INT16(dptr, pad0);
 454         ADD_U_INT16(dptr, perm->mode);
 455
 456         ADD_U_INT16(dptr, pad0);
 457         ADD_U_INT16(dptr, perm->_seq);
 458
 459         ADD_U_INT16(dptr, pad0);
 460         ADD_U_INT16(dptr, perm->_key);
 461
 462         return t;
 463 }
 464
 465
 466 /*
 467  * token ID                1 byte
 468  * port IP address         2 bytes
 469  */
 470 token_t *au_to_iport(u_int16_t iport)
 471 {
 472         token_t *t;
 473         u_char *dptr;
 474
 475
 476         GET_TOKEN_AREA(t, dptr, 3);
 477         if(t == NULL) {
 478                 return NULL;
 479         }
 480
 481         ADD_U_CHAR(dptr, AU_IPORT_TOKEN);
 482         ADD_U_INT16(dptr, iport);
 483
 484         return t;
 485 }
 486
 487
 488 /*
 489  * token ID                1 byte
 490  * size                                    2 bytes
 491  * data                    size bytes
 492  */
 493 token_t *au_to_opaque(char *data, u_int16_t bytes)
 494 {
 495         token_t *t;
 496         u_char *dptr;
 497
 498         if((data == NULL) || (bytes <= 0)) {
 499                 return NULL;
 500         }
 501
 502         GET_TOKEN_AREA(t, dptr, bytes + 3);
 503         if(t == NULL) {
 504                 return NULL;
 505         }
 506
 507         ADD_U_CHAR(dptr, AU_OPAQUE_TOKEN);
 508         ADD_U_INT16(dptr, bytes);
 509         ADD_MEM(dptr, data, bytes);
 510
 511         return t;
 512 }
 513
 514 /*
 515  * Kernel version of the add file token function, where the time value
 516  * is passed in as an additional parameter.
 517  * token ID                     1 byte
 518  * seconds of time              4 bytes
 519  * milliseconds of time         4 bytes
 520  * file name len                2 bytes
 521  * file pathname                N bytes + 1 terminating NULL byte
 522  */
 523 token_t *kau_to_file(const char *file, const struct timeval *tv)
 524 {
 525         token_t *t;
 526         u_char *dptr;
 527         u_int16_t filelen;
 528         u_int32_t timems = tv->tv_usec/1000; /* We need time in ms */
 529
 530         if(file == NULL) {
 531                 return NULL;
 532         }
 533         filelen = strlen(file);
 534
 535         GET_TOKEN_AREA(t, dptr, filelen + 12);
 536         if(t == NULL) {
 537                 return NULL;
 538         }
 539
 540         filelen += 1;
 541
 542         ADD_U_CHAR(dptr, AU_FILE_TOKEN);
 543
 544         /* Add the timestamp */
 545         ADD_U_INT32(dptr, tv->tv_sec);
 546         ADD_U_INT32(dptr, timems);
 547
 548         ADD_U_INT16(dptr, filelen);
 549         ADD_STRING(dptr, file, filelen);
 550
 551         return t;
 552
 553 }
 554
 555 /*
 556  * token ID                1 byte
 557  * text length             2 bytes
 558  * text                    N bytes + 1 terminating NULL byte
 559  */
 560 token_t *au_to_text(const char *text)
 561 {
 562         token_t *t;
 563         u_char *dptr;
 564         u_int16_t textlen;
 565
 566         if(text == NULL) {
 567                 return NULL;
 568         }
 569         textlen = strlen(text);
 570
 571         GET_TOKEN_AREA(t, dptr, textlen + 4);
 572         if(t == NULL) {
 573                 return NULL;
 574         }
 575
 576         textlen += 1;
 577
 578         ADD_U_CHAR(dptr, AU_TEXT_TOKEN);
 579         ADD_U_INT16(dptr, textlen);
 580         ADD_STRING(dptr, text, textlen);
 581
 582         return t;
 583 }
 584
 585 /*
 586  * token ID                1 byte
 587  * path length             2 bytes
 588  * path                    N bytes + 1 terminating NULL byte
 589  */
 590 token_t *au_to_path(char *text)
 591 {
 592         token_t *t;
 593         u_char *dptr;
 594         u_int16_t textlen;
 595
 596         if(text == NULL) {
 597                 return NULL;
 598         }
 599         textlen = strlen(text);
 600
 601         GET_TOKEN_AREA(t, dptr, textlen + 4);
 602         if(t == NULL) {
 603                 return NULL;
 604         }
 605
 606         textlen += 1;
 607
 608         ADD_U_CHAR(dptr, AU_PATH_TOKEN);
 609         ADD_U_INT16(dptr, textlen);
 610         ADD_STRING(dptr, text, textlen);
 611
 612         return t;
 613 }
 614
 615 /*
 616  * token ID                1 byte
 617  * audit ID                4 bytes
 618  * effective user ID       4 bytes
 619  * effective group ID      4 bytes
 620  * real user ID            4 bytes
 621  * real group ID           4 bytes
 622  * process ID              4 bytes
 623  * session ID              4 bytes
 624  * terminal ID
 625  *   port ID               4 bytes/8 bytes (32-bit/64-bit value)
 626  *   machine address       4 bytes
 627  */
 628 token_t *au_to_process32(au_id_t auid, uid_t euid, gid_t egid,
 629                                uid_t ruid, gid_t rgid, pid_t pid,
 630                                au_asid_t sid, au_tid_t *tid)
 631 {
 632         token_t *t;
 633         u_char *dptr;
 634
 635         if(tid == NULL) {
 636                 return NULL;
 637         }
 638
 639         GET_TOKEN_AREA(t, dptr, 37);
 640         if(t == NULL) {
 641                 return NULL;
 642         }
 643
 644         ADD_U_CHAR(dptr, AU_PROCESS_32_TOKEN);
 645         ADD_U_INT32(dptr, auid);
 646         ADD_U_INT32(dptr, euid);
 647         ADD_U_INT32(dptr, egid);
 648         ADD_U_INT32(dptr, ruid);
 649         ADD_U_INT32(dptr, rgid);
 650         ADD_U_INT32(dptr, pid);
 651         ADD_U_INT32(dptr, sid);
 652         ADD_U_INT32(dptr, tid->port);
 653         ADD_U_INT32(dptr, tid->machine);
 654
 655         return t;
 656 }
 657
 658 token_t *au_to_process64(__unused au_id_t auid,
 659                          __unused uid_t euid,
 660                          __unused gid_t egid,
 661                          __unused uid_t ruid,
 662                          __unused gid_t rgid,
 663                          __unused pid_t pid,
 664                          __unused au_asid_t sid,
 665                          __unused au_tid_t *tid)
 666 {
 667                 return NULL;
 668         }
 669
 670 token_t *au_to_process(au_id_t auid, uid_t euid, gid_t egid,
 671                                uid_t ruid, gid_t rgid, pid_t pid,
 672                                au_asid_t sid, au_tid_t *tid)
 673 {
 674         return au_to_process32(auid, euid, egid, ruid, rgid, pid,
 675                         sid, tid);
 676 }
 677
 678
 679 /*
 680  * token ID                1 byte
 681  * audit ID                4 bytes
 682  * effective user ID       4 bytes
 683  * effective group ID      4 bytes
 684  * real user ID            4 bytes
 685  * real group ID           4 bytes
 686  * process ID              4 bytes
 687  * session ID              4 bytes
 688  * terminal ID
 689  *   port ID               4 bytes/8 bytes (32-bit/64-bit value)
 690  *   address type-len      4 bytes
 691  *   machine address      16 bytes
 692  */
 693 token_t *au_to_process32_ex(au_id_t auid, uid_t euid, gid_t egid,
 694                                    uid_t ruid, gid_t rgid, pid_t pid,
 695                                    au_asid_t sid, au_tid_addr_t *tid)
 696 {
 697         token_t *t;
 698         u_char *dptr;
 699
 700         if(tid == NULL) {
 701                 return NULL;
 702         }
 703
 704         GET_TOKEN_AREA(t, dptr, 53);
 705         if(t == NULL) {
 706                 return NULL;
 707         }
 708
 709         ADD_U_CHAR(dptr, AU_PROCESS_32_EX_TOKEN);
 710         ADD_U_INT32(dptr, auid);
 711         ADD_U_INT32(dptr, euid);
 712         ADD_U_INT32(dptr, egid);
 713         ADD_U_INT32(dptr, ruid);
 714         ADD_U_INT32(dptr, rgid);
 715         ADD_U_INT32(dptr, pid);
 716         ADD_U_INT32(dptr, sid);
 717         ADD_U_INT32(dptr, tid->at_port);
 718         ADD_U_INT32(dptr, tid->at_type);
 719         ADD_U_INT32(dptr, tid->at_addr[0]);
 720         ADD_U_INT32(dptr, tid->at_addr[1]);
 721         ADD_U_INT32(dptr, tid->at_addr[2]);
 722         ADD_U_INT32(dptr, tid->at_addr[3]);
 723
 724         return t;
 725 }
 726
 727 token_t *au_to_process64_ex(
 728         __unused au_id_t auid,
 729         __unused uid_t euid,
 730         __unused gid_t egid,
 731         __unused uid_t ruid,
 732         __unused gid_t rgid,
 733         __unused pid_t pid,
 734         __unused au_asid_t sid,
 735         __unused au_tid_addr_t *tid)
 736 {
 737         return NULL;
 738 }
 739
 740 token_t *au_to_process_ex(au_id_t auid, uid_t euid, gid_t egid,
 741                                    uid_t ruid, gid_t rgid, pid_t pid,
 742                                    au_asid_t sid, au_tid_addr_t *tid)
 743 {
 744         return au_to_process32_ex(auid, euid, egid, ruid, rgid,
 745                         pid, sid, tid);
 746 }
 747
 748 /*
 749  * token ID                1 byte
 750  * error status            1 byte
 751  * return value            4 bytes/8 bytes (32-bit/64-bit value)
 752  */
 753 token_t *au_to_return32(char status, u_int32_t ret)
 754 {
 755         token_t *t;
 756         u_char *dptr;
 757
 758
 759         GET_TOKEN_AREA(t, dptr, 6);
 760         if(t == NULL) {
 761                 return NULL;
 762         }
 763
 764         ADD_U_CHAR(dptr, AU_RETURN_32_TOKEN);
 765         ADD_U_CHAR(dptr, status);
 766         ADD_U_INT32(dptr, ret);
 767
 768         return t;
 769 }
 770
 771 token_t *au_to_return64(char status, u_int64_t ret)
 772 {
 773         token_t *t;
 774         u_char *dptr;
 775
 776
 777         GET_TOKEN_AREA(t, dptr, 10);
 778         if(t == NULL) {
 779                 return NULL;
 780         }
 781
 782         ADD_U_CHAR(dptr, AU_RETURN_64_TOKEN);
 783         ADD_U_CHAR(dptr, status);
 784         ADD_U_INT64(dptr, ret);
 785
 786         return t;
 787 }
 788
 789 token_t *au_to_return(char status, u_int32_t ret)
 790 {
 791         return au_to_return32(status, ret);
 792 }
 793
 794 /*
 795  * token ID                1 byte
 796  * sequence number         4 bytes
 797  */
 798 token_t *au_to_seq(u_int32_t audit_count)
 799 {
 800         token_t *t;
 801         u_char *dptr;
 802
 803
 804         GET_TOKEN_AREA(t, dptr, 5);
 805         if(t == NULL) {
 806                 return NULL;
 807         }
 808
 809         ADD_U_CHAR(dptr, AU_SEQ_TOKEN);
 810         ADD_U_INT32(dptr, audit_count);
 811
 812         return t;
 813 }
 814
 815 /*
 816  * token ID                1 byte
 817  * socket type             2 bytes
 818  * local port              2 bytes
 819  * local Internet address  4 bytes
 820  * remote port             2 bytes
 821  * remote Internet address 4 bytes
 822  */
 823 token_t *au_to_socket(__unused struct socket *so)
 824 {
 825         return NULL;
 826 }
 827
 828 /*
 829  * Kernel-specific version of the above function.
 830  */
 831 token_t *kau_to_socket(struct socket_au_info *soi)
 832 {
 833         token_t *t;
 834         u_char *dptr;
 835         u_int16_t so_type;
 836
 837         if(soi == NULL) {
 838                 return NULL;
 839         }
 840
 841         GET_TOKEN_AREA(t, dptr, 15);
 842         if(t == NULL) {
 843                 return NULL;
 844         }
 845
 846         ADD_U_CHAR(dptr, AU_SOCK_TOKEN);
 847         /* Coerce the socket type into a short value */
 848         so_type = soi->so_type;
 849         ADD_U_INT16(dptr, so_type);
 850         ADD_U_INT16(dptr, soi->so_lport);
 851         ADD_U_INT32(dptr, soi->so_laddr);
 852         ADD_U_INT16(dptr, soi->so_rport);
 853         ADD_U_INT32(dptr, soi->so_raddr);
 854
 855         return t;
 856 }
 857
 858 /*
 859  * token ID                1 byte
 860  * socket type             2 bytes
 861  * local port              2 bytes
 862  * address type/length     4 bytes
 863  * local Internet address  4 bytes/16 bytes (IPv4/IPv6 address)
 864  * remote port             4 bytes
 865  * address type/length     4 bytes
 866  * remote Internet address 4 bytes/16 bytes (IPv4/IPv6 address)
 867  */
 868 token_t *au_to_socket_ex_32(
 869         __unused u_int16_t lp,
 870         __unused u_int16_t rp,
 871         __unused struct sockaddr *la,
 872         __unused struct sockaddr *ra)
 873 {
 874         return NULL;
 875 }
 876
 877 token_t *au_to_socket_ex_128(
 878         __unused u_int16_t lp,
 879         __unused u_int16_t rp,
 880         __unused struct sockaddr *la,
 881         __unused struct sockaddr *ra)
 882 {
 883         return NULL;
 884 }
 885
 886 /*
 887  * token ID                1 byte
 888  * socket family           2 bytes
 889  * local port              2 bytes
 890  * socket address          4 bytes
 891  */
 892 token_t *au_to_sock_inet32(struct sockaddr_in *so)
 893 {
 894         token_t *t;
 895         u_char *dptr;
 896
 897         if(so == NULL) {
 898                 return NULL;
 899         }
 900
 901         GET_TOKEN_AREA(t, dptr, 9);
 902         if(t == NULL) {
 903                 return NULL;
 904         }
 905
 906         ADD_U_CHAR(dptr, AU_SOCK_INET_32_TOKEN);
 907         /* In Darwin, sin_family is one octet, but BSM defines the token
 908          * to store two. So we copy in a 0 first.
 909          */
 910         ADD_U_CHAR(dptr, 0);
 911         ADD_U_CHAR(dptr, so->sin_family);
 912         ADD_U_INT16(dptr, so->sin_port);
 913         ADD_U_INT32(dptr, so->sin_addr.s_addr);
 914
 915         return t;
 916
 917 }
 918
 919 token_t *au_to_sock_inet128(struct sockaddr_in6 *so)
 920 {
 921         token_t *t;
 922         u_char *dptr;
 923
 924         if(so == NULL) {
 925                 return NULL;
 926         }
 927
 928         GET_TOKEN_AREA(t, dptr, 21);
 929         if(t == NULL) {
 930                 return NULL;
 931         }
 932
 933         ADD_U_CHAR(dptr, AU_SOCK_INET_128_TOKEN);
 934         /* In Darwin, sin_family is one octet, but BSM defines the token
 935          * to store two. So we copy in a 0 first.
 936          */
 937         ADD_U_CHAR(dptr, 0);
 938         ADD_U_CHAR(dptr, so->sin6_family);
 939         ADD_U_INT16(dptr, so->sin6_port);
 940         ADD_U_INT32(dptr, so->sin6_addr.__u6_addr.__u6_addr32[0]);
 941         ADD_U_INT32(dptr, so->sin6_addr.__u6_addr.__u6_addr32[1]);
 942         ADD_U_INT32(dptr, so->sin6_addr.__u6_addr.__u6_addr32[2]);
 943         ADD_U_INT32(dptr, so->sin6_addr.__u6_addr.__u6_addr32[3]);
 944
 945         return t;
 946
 947
 948
 949 }
 950
 951 /*
 952  * token ID                1 byte
 953  * socket family           2 bytes
 954  * path                    104 bytes
 955  */
 956 token_t *au_to_sock_unix(struct sockaddr_un *so)
 957 {
 958         token_t *t;
 959         u_char *dptr;
 960
 961         if(so == NULL) {
 962                 return NULL;
 963         }
 964
 965         GET_TOKEN_AREA(t, dptr, 107);
 966         if(t == NULL) {
 967                 return NULL;
 968         }
 969
 970         ADD_U_CHAR(dptr, AU_SOCK_UNIX_TOKEN);
 971         /* BSM token has two bytes for family */
 972         ADD_U_CHAR(dptr, 0);
 973         ADD_U_CHAR(dptr, so->sun_family);
 974         ADD_STRING(dptr, so->sun_path, strlen(so->sun_path));
 975
 976         return t;
 977
 978 }
 979
 980 token_t *au_to_sock_inet(struct sockaddr_in *so)
 981 {
 982         return au_to_sock_inet32(so);
 983 }
 984
 985 /*
 986  * token ID                1 byte
 987  * audit ID                4 bytes
 988  * effective user ID       4 bytes
 989  * effective group ID      4 bytes
 990  * real user ID            4 bytes
 991  * real group ID           4 bytes
 992  * process ID              4 bytes
 993  * session ID              4 bytes
 994  * terminal ID
 995  *   port ID               4 bytes/8 bytes (32-bit/64-bit value)
 996  *   machine address       4 bytes
 997  */
 998 token_t *au_to_subject32(au_id_t auid, uid_t euid, gid_t egid,
 999                                                 uid_t ruid, gid_t rgid, pid_t pid,
1000                                                 au_asid_t sid, au_tid_t *tid)
1001 {
1002         token_t *t;
1003         u_char *dptr;
1004
1005         if(tid == NULL) {
1006                 return NULL;
1007         }
1008
1009         GET_TOKEN_AREA(t, dptr, 37);
1010         if(t == NULL) {
1011                 return NULL;
1012         }
1013
1014         ADD_U_CHAR(dptr, AU_SUBJECT_32_TOKEN);
1015         ADD_U_INT32(dptr, auid);
1016         ADD_U_INT32(dptr, euid);
1017         ADD_U_INT32(dptr, egid);
1018         ADD_U_INT32(dptr, ruid);
1019         ADD_U_INT32(dptr, rgid);
1020         ADD_U_INT32(dptr, pid);
1021         ADD_U_INT32(dptr, sid);
1022         ADD_U_INT32(dptr, tid->port);
1023         ADD_U_INT32(dptr, tid->machine);
1024
1025         return t;
1026 }
1027
1028 token_t *au_to_subject64(
1029         __unused au_id_t auid,
1030         __unused uid_t euid,
1031         __unused gid_t egid,
1032         __unused uid_t ruid,
1033         __unused gid_t rgid,
1034         __unused pid_t pid,
1035         __unused au_asid_t sid,
1036         __unused au_tid_t *tid)
1037 {
1038                 return NULL;
1039         }
1040
1041 token_t *au_to_subject(au_id_t auid, uid_t euid, gid_t egid,
1042                                                 uid_t ruid, gid_t rgid, pid_t pid,
1043                                                 au_asid_t sid, au_tid_t *tid)
1044 {
1045         return au_to_subject32(auid, euid, egid, ruid, rgid,
1046                         pid, sid, tid);
1047
1048 }
1049
1050 /*
1051  * token ID                1 byte
1052  * audit ID                4 bytes
1053  * effective user ID       4 bytes
1054  * effective group ID      4 bytes
1055  * real user ID            4 bytes
1056  * real group ID           4 bytes
1057  * process ID              4 bytes
1058  * session ID              4 bytes
1059  * terminal ID
1060  *   port ID               4 bytes/8 bytes (32-bit/64-bit value)
1061  *   address type/length   4 bytes
1062  *   machine address      16 bytes
1063  */
1064 token_t *au_to_subject32_ex(au_id_t auid, uid_t euid,
1065                                gid_t egid, uid_t ruid, gid_t rgid, pid_t pid,
1066                                    au_asid_t sid, au_tid_addr_t *tid)
1067 {
1068         token_t *t;
1069         u_char *dptr;
1070
1071         if(tid == NULL) {
1072                 return NULL;
1073         }
1074
1075         GET_TOKEN_AREA(t, dptr, 53);
1076         if(t == NULL) {
1077                 return NULL;
1078         }
1079
1080         ADD_U_CHAR(dptr, AU_SUBJECT_32_EX_TOKEN);
1081         ADD_U_INT32(dptr, auid);
1082         ADD_U_INT32(dptr, euid);
1083         ADD_U_INT32(dptr, egid);
1084         ADD_U_INT32(dptr, ruid);
1085         ADD_U_INT32(dptr, rgid);
1086         ADD_U_INT32(dptr, pid);
1087         ADD_U_INT32(dptr, sid);
1088         ADD_U_INT32(dptr, tid->at_port);
1089         ADD_U_INT32(dptr, tid->at_type);
1090         ADD_U_INT32(dptr, tid->at_addr[0]);
1091         ADD_U_INT32(dptr, tid->at_addr[1]);
1092         ADD_U_INT32(dptr, tid->at_addr[2]);
1093         ADD_U_INT32(dptr, tid->at_addr[3]);
1094
1095         return t;
1096 }
1097
1098 token_t *au_to_subject64_ex(
1099         __unused au_id_t auid,
1100         __unused uid_t euid,
1101         __unused gid_t egid,
1102         __unused uid_t ruid,
1103         __unused gid_t rgid,
1104         __unused pid_t pid,
1105         __unused au_asid_t sid,
1106         __unused au_tid_addr_t *tid)
1107 {
1108         return NULL;
1109 }
1110
1111 token_t *au_to_subject_ex(au_id_t auid, uid_t euid,
1112                                gid_t egid, uid_t ruid, gid_t rgid, pid_t pid,
1113                                    au_asid_t sid, au_tid_addr_t *tid)
1114 {
1115         return au_to_subject32_ex(auid, euid, egid, ruid, rgid,
1116                         pid, sid, tid);
1117
1118 }
1119
1120 /*
1121  * token ID                             1 byte
1122  * count                                4 bytes
1123  * text                                 count null-terminated strings
1124  */
1125 token_t *au_to_exec_args(const char **args)
1126 {
1127         token_t *t;
1128         u_char *dptr;
1129         const char *nextarg;
1130         int i, count = 0;
1131         size_t totlen = 0;
1132
1133         if(args == NULL) {
1134                 return NULL;
1135         }
1136
1137         nextarg = *args;
1138
1139         while(nextarg != NULL) {
1140                 int nextlen;
1141
1142                 nextlen = strlen(nextarg);
1143                 totlen += nextlen + 1;
1144                 count++;
1145                 nextarg = *(args + count);
1146         }
1147
1148
1149         GET_TOKEN_AREA(t, dptr, 5 + totlen);
1150         if(t == NULL) {
1151                 return NULL;
1152         }
1153
1154         ADD_U_CHAR(dptr, AU_EXEC_ARG_TOKEN);
1155         ADD_U_INT32(dptr, count);
1156
1157         for(i =0; i< count; i++) {
1158                 nextarg = *(args + i);
1159                 ADD_MEM(dptr, nextarg, strlen(nextarg) + 1);
1160         }
1161
1162         return t;
1163 }
1164
1165
1166 /*
1167  * token ID                             1 byte
1168  * count                                4 bytes
1169  * text                                 count null-terminated strings
1170  */
1171 token_t *au_to_exec_env(const char **env)
1172 {
1173         token_t *t;
1174         u_char *dptr;
1175         int i, count = 0;
1176         size_t totlen = 0;
1177         const char *nextenv;
1178
1179         if(env == NULL) {
1180                 return NULL;
1181         }
1182
1183         nextenv = *env;
1184
1185         while(nextenv != NULL) {
1186                 int nextlen;
1187
1188                 nextlen = strlen(nextenv);
1189                 totlen += nextlen + 1;
1190                 count++;
1191                 nextenv = *(env + count);
1192         }
1193
1194
1195         GET_TOKEN_AREA(t, dptr, 5 + totlen);
1196         if(t == NULL) {
1197                 return NULL;
1198         }
1199
1200         ADD_U_CHAR(dptr, AU_EXEC_ENV_TOKEN);
1201         ADD_U_INT32(dptr, count);
1202
1203         for(i =0; i< count; i++) {
1204                 nextenv = *(env + i);
1205                 ADD_MEM(dptr, nextenv, strlen(nextenv) + 1);
1206         }
1207
1208         return t;
1209 }
1210
1211
1212 /*
1213  * Kernel version of the BSM header token functions. These versions take
1214  * a timespec struct as an additional parameter in order to obtain the
1215  * create time value for the BSM audit record.
1216  * token ID                1 byte
1217  * record byte count       4 bytes
1218  * version #               1 byte    [2]
1219  * event type              2 bytes
1220  * event modifier          2 bytes
1221  * seconds of time         4 bytes/8 bytes (32-bit/64-bit value)
1222  * milliseconds of time    4 bytes/8 bytes (32-bit/64-bit value)
1223  */
1224 token_t *kau_to_header32(const struct timespec *ctime, int rec_size,
1225                           au_event_t e_type, au_emod_t e_mod)
1226 {
1227         token_t *t;
1228         u_char *dptr;
1229         u_int32_t timems = ctime->tv_nsec/1000000; /* We need time in ms */
1230
1231         GET_TOKEN_AREA(t, dptr, 18);
1232         if(t == NULL) {
1233                 return NULL;
1234         }
1235
1236         ADD_U_CHAR(dptr, AU_HEADER_32_TOKEN);
1237         ADD_U_INT32(dptr, rec_size);
1238         ADD_U_CHAR(dptr, HEADER_VERSION);
1239         ADD_U_INT16(dptr, e_type);
1240         ADD_U_INT16(dptr, e_mod);
1241
1242         /* Add the timestamp */
1243         ADD_U_INT32(dptr, ctime->tv_sec);
1244         ADD_U_INT32(dptr, timems);
1245
1246         return t;
1247 }
1248
1249 token_t *kau_to_header64(
1250         __unused const struct timespec *ctime,
1251         __unused int rec_size,
1252         __unused au_event_t e_type,
1253         __unused au_emod_t e_mod)
1254 {
1255         return NULL;
1256 }
1257
1258 token_t *kau_to_header(const struct timespec *ctime, int rec_size,
1259                           au_event_t e_type, au_emod_t e_mod)
1260 {
1261         return kau_to_header32(ctime, rec_size, e_type, e_mod);
1262 }
1263
1264 /*
1265  * token ID                1 byte
1266  * trailer magic number    2 bytes
1267  * record byte count       4 bytes
1268  */
1269 token_t *au_to_trailer(int rec_size)
1270 {
1271         token_t *t;
1272         u_char *dptr;
1273         u_int16_t magic = TRAILER_PAD_MAGIC;
1274
1275
1276         GET_TOKEN_AREA(t, dptr, 7);
1277         if(t == NULL) {
1278                 return NULL;
1279         }
1280
1281         ADD_U_CHAR(dptr, AU_TRAILER_TOKEN);
1282         ADD_U_INT16(dptr, magic);
1283         ADD_U_INT32(dptr, rec_size);
1284
1285         return t;
1286
1287 }
1288