]> git.saurik.com Git - apple/xnu.git/blob - bsd/kern/kern_bsm_token.c
xnu-517.11.1.tar.gz
[apple/xnu.git] / bsd / kern / kern_bsm_token.c
1 /*
2 * Copyright (c) 2004 Apple Computer, Inc. All rights reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * The contents of this file constitute Original Code as defined in and
7 * are subject to the Apple Public Source License Version 1.1 (the
8 * "License"). You may not use this file except in compliance with the
9 * License. Please obtain a copy of the License at
10 * http://www.apple.com/publicsource and read it before using this file.
11 *
12 * This Original Code and all software distributed under the License are
13 * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
14 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
15 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
16 * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. Please see the
17 * License for the specific language governing rights and limitations
18 * under the License.
19 *
20 * @APPLE_LICENSE_HEADER_END@
21 */
22
23 #include <sys/types.h>
24 #include <sys/un.h>
25 #include <sys/event.h>
26
27 #include <bsm/audit.h>
28 #include <bsm/audit_record.h>
29 #include <bsm/audit_klib.h>
30 #include <bsm/audit_kernel.h>
31
32 #include <kern/clock.h>
33
34 #define GET_TOKEN_AREA(tok, dptr, length) \
35 do {\
36 tok = (token_t *)kalloc(sizeof(*tok) + length); \
37 if(tok != NULL)\
38 {\
39 tok->len = length;\
40 dptr = tok->t_data = (u_char *)&tok[1];\
41 memset(dptr, 0, length);\
42 }\
43 }while(0)
44
45
46
47 /*
48 * token ID 1 byte
49 * argument # 1 byte
50 * argument value 4 bytes/8 bytes (32-bit/64-bit value)
51 * text length 2 bytes
52 * text N bytes + 1 terminating NULL byte
53 */
54 token_t *au_to_arg32(char n, char *text, u_int32_t v)
55 {
56 token_t *t;
57 u_char *dptr;
58 u_int16_t textlen;
59
60 if(text == NULL) {
61 return NULL;
62 }
63
64 /* Make sure that text is null terminated */
65 textlen = strlen(text);
66 if(text[textlen] != '\0') {
67 return NULL;
68 }
69
70 GET_TOKEN_AREA(t, dptr, 9 + textlen);
71 if(t == NULL) {
72 return NULL;
73 }
74
75 textlen += 1;
76
77 ADD_U_CHAR(dptr, AU_ARG32_TOKEN);
78 ADD_U_CHAR(dptr, n);
79 ADD_U_INT32(dptr, v);
80 ADD_U_INT16(dptr, textlen);
81 ADD_STRING(dptr, text, textlen);
82
83 return t;
84
85 }
86
87 token_t *au_to_arg64(char n, char *text, u_int64_t v)
88 {
89 token_t *t;
90 u_char *dptr;
91 u_int16_t textlen;
92
93 if(text == NULL) {
94 return NULL;
95 }
96
97 /* Make sure that text is null terminated */
98 textlen = strlen(text);
99 if(text[textlen] != '\0') {
100 return NULL;
101 }
102
103 GET_TOKEN_AREA(t, dptr, 13 + textlen);
104 if(t == NULL) {
105 return NULL;
106 }
107
108 textlen += 1;
109
110 ADD_U_CHAR(dptr, AU_ARG64_TOKEN);
111 ADD_U_CHAR(dptr, n);
112 ADD_U_INT64(dptr, v);
113 ADD_U_INT16(dptr, textlen);
114 ADD_STRING(dptr, text, textlen);
115
116 return t;
117
118 }
119
120 token_t *au_to_arg(char n, char *text, u_int32_t v)
121 {
122 return au_to_arg32(n, text, v);
123 }
124
125 /*
126 * token ID 1 byte
127 * file access mode 4 bytes
128 * owner user ID 4 bytes
129 * owner group ID 4 bytes
130 * file system ID 4 bytes
131 * node ID 8 bytes
132 * device 4 bytes/8 bytes (32-bit/64-bit)
133 */
134 token_t *au_to_attr32(struct vattr *attr)
135 {
136 return NULL;
137 }
138
139 /* Kernel-specific version of the above function */
140 token_t *kau_to_attr32(struct vnode_au_info *vni)
141 {
142 token_t *t;
143 u_char *dptr;
144 u_int64_t fileid;
145 u_int16_t pad0_16 = 0;
146 u_int32_t pad0_32 = 0;
147
148 if(vni == NULL) {
149 return NULL;
150 }
151
152 GET_TOKEN_AREA(t, dptr, 29);
153 if(t == NULL) {
154 return NULL;
155 }
156
157 ADD_U_CHAR(dptr, AU_ATTR32_TOKEN);
158
159 /*
160 * Darwin defines the size for the file mode as 2 bytes;
161 * BSM defines 4. So we copy in a 0 first.
162 */
163 ADD_U_INT16(dptr, pad0_16);
164 ADD_U_INT16(dptr, vni->vn_mode);
165
166 ADD_U_INT32(dptr, vni->vn_uid);
167 ADD_U_INT32(dptr, vni->vn_gid);
168 ADD_U_INT32(dptr, vni->vn_fsid);
169
170 /*
171 * Darwin defines the size for fileid as 4 bytes;
172 * BSM defines 8. So we copy in a 0 first.
173 */
174 fileid = vni->vn_fileid;
175 ADD_U_INT32(dptr, pad0_32);
176 ADD_U_INT32(dptr, fileid);
177
178 ADD_U_INT32(dptr, vni->vn_dev);
179
180 return t;
181 }
182
183 token_t *au_to_attr64(struct vattr *attr)
184 {
185 }
186
187 token_t *kau_to_attr64(struct vnode_au_info *vni)
188 {
189 return NULL;
190 }
191
192 token_t *au_to_attr(struct vattr *attr)
193 {
194 return au_to_attr32(attr);
195
196 }
197
198
199 /*
200 * token ID 1 byte
201 * how to print 1 byte
202 * basic unit 1 byte
203 * unit count 1 byte
204 * data items (depends on basic unit)
205 */
206 token_t *au_to_data(char unit_print, char unit_type,
207 char unit_count, char *p)
208 {
209 token_t *t;
210 u_char *dptr;
211 size_t datasize, totdata;
212
213 if(p == NULL) {
214 return NULL;
215 }
216
217 /* Determine the size of the basic unit */
218 switch(unit_type) {
219 case AUR_BYTE: datasize = AUR_BYTE_SIZE;
220 break;
221
222 case AUR_SHORT: datasize = AUR_SHORT_SIZE;
223 break;
224
225 case AUR_LONG: datasize = AUR_LONG_SIZE;
226 break;
227
228 default: return NULL;
229 }
230
231 totdata = datasize * unit_count;
232
233 GET_TOKEN_AREA(t, dptr, totdata + 4);
234 if(t == NULL) {
235 return NULL;
236 }
237
238 ADD_U_CHAR(dptr, AU_ARB_TOKEN);
239 ADD_U_CHAR(dptr, unit_print);
240 ADD_U_CHAR(dptr, unit_type);
241 ADD_U_CHAR(dptr, unit_count);
242 ADD_MEM(dptr, p, totdata);
243
244 return t;
245 }
246
247 /*
248 * token ID 1 byte
249 * status 4 bytes
250 * return value 4 bytes
251 */
252 token_t *au_to_exit(int retval, int err)
253 {
254 token_t *t;
255 u_char *dptr;
256
257 GET_TOKEN_AREA(t, dptr, 9);
258 if(t == NULL) {
259 return NULL;
260 }
261
262 ADD_U_CHAR(dptr, AU_EXIT_TOKEN);
263 ADD_U_INT32(dptr, err);
264 ADD_U_INT32(dptr, retval);
265
266 return t;
267 }
268
269 /*
270 */
271 token_t *au_to_groups(int *groups)
272 {
273 return au_to_newgroups(MAX_GROUPS, groups);
274 }
275
276 /*
277 * token ID 1 byte
278 * number groups 2 bytes
279 * group list count * 4 bytes
280 */
281 token_t *au_to_newgroups(u_int16_t n, gid_t *groups)
282 {
283 token_t *t;
284 u_char *dptr;
285 int i;
286
287 if(groups == NULL) {
288 return NULL;
289 }
290
291 GET_TOKEN_AREA(t, dptr, n * 4 + 3);
292 if(t == NULL) {
293 return NULL;
294 }
295
296 ADD_U_CHAR(dptr, AU_NEWGROUPS_TOKEN);
297 ADD_U_INT16(dptr, n);
298 for(i = 0; i < n; i++) {
299 ADD_U_INT32(dptr, groups[i]);
300 }
301
302 return t;
303 }
304
305
306
307
308 /*
309 * token ID 1 byte
310 * internet address 4 bytes
311 */
312 token_t *au_to_in_addr(struct in_addr *internet_addr)
313 {
314 token_t *t;
315 u_char *dptr;
316
317 if(internet_addr == NULL) {
318 return NULL;
319 }
320
321 GET_TOKEN_AREA(t, dptr, 5);
322 if(t == NULL) {
323 return NULL;
324 }
325
326 ADD_U_CHAR(dptr, AU_IN_ADDR_TOKEN);
327 ADD_U_INT32(dptr, internet_addr->s_addr);
328
329 return t;
330 }
331
332 /*
333 * token ID 1 byte
334 * address type/length 4 bytes
335 * Address 16 bytes
336 */
337 token_t *au_to_in_addr_ex(struct in6_addr *internet_addr)
338 {
339 token_t *t;
340 u_char *dptr;
341 u_int32_t type = AF_INET6;
342
343 if(internet_addr == NULL) {
344 return NULL;
345 }
346
347 GET_TOKEN_AREA(t, dptr, 21);
348 if(t == NULL) {
349 return NULL;
350 }
351
352 ADD_U_CHAR(dptr, AU_IN_ADDR_EX_TOKEN);
353 ADD_U_INT32(dptr, type);
354 ADD_U_INT32(dptr, internet_addr->__u6_addr.__u6_addr32[0]);
355 ADD_U_INT32(dptr, internet_addr->__u6_addr.__u6_addr32[1]);
356 ADD_U_INT32(dptr, internet_addr->__u6_addr.__u6_addr32[2]);
357 ADD_U_INT32(dptr, internet_addr->__u6_addr.__u6_addr32[3]);
358
359 return t;
360 }
361
362 /*
363 * token ID 1 byte
364 * ip header 20 bytes
365 */
366 token_t *au_to_ip(struct ip *ip)
367 {
368 token_t *t;
369 u_char *dptr;
370
371 if(ip == NULL) {
372 return NULL;
373 }
374
375 GET_TOKEN_AREA(t, dptr, 21);
376 if(t == NULL) {
377 return NULL;
378 }
379
380 ADD_U_CHAR(dptr, AU_IP_TOKEN);
381 ADD_MEM(dptr, ip, sizeof(struct ip));
382
383 return t;
384 }
385
386 /*
387 * token ID 1 byte
388 * object ID type 1 byte
389 * object ID 4 bytes
390 */
391 token_t *au_to_ipc(char type, int id)
392 {
393 token_t *t;
394 u_char *dptr;
395
396
397 GET_TOKEN_AREA(t, dptr, 6);
398 if(t == NULL) {
399 return NULL;
400 }
401
402 ADD_U_CHAR(dptr, AU_IPC_TOKEN);
403 ADD_U_CHAR(dptr, type);
404 ADD_U_INT32(dptr, id);
405
406 return t;
407 }
408
409 /*
410 * token ID 1 byte
411 * owner user ID 4 bytes
412 * owner group ID 4 bytes
413 * creator user ID 4 bytes
414 * creator group ID 4 bytes
415 * access mode 4 bytes
416 * slot sequence # 4 bytes
417 * key 4 bytes
418 */
419 token_t *au_to_ipc_perm(struct ipc_perm *perm)
420 {
421 token_t *t;
422 u_char *dptr;
423 u_int16_t pad0 = 0;
424
425 if(perm == NULL) {
426 return NULL;
427 }
428
429 GET_TOKEN_AREA(t, dptr, 29);
430 if(t == NULL) {
431 return NULL;
432 }
433
434 /*
435 * Darwin defines the sizes for ipc_perm members
436 * as 2 bytes; BSM defines 4. So we copy in a 0 first.
437 */
438 ADD_U_CHAR(dptr, AU_IPCPERM_TOKEN);
439
440 ADD_U_INT16(dptr, pad0);
441 ADD_U_INT16(dptr, perm->uid);
442
443 ADD_U_INT16(dptr, pad0);
444 ADD_U_INT16(dptr, perm->gid);
445
446 ADD_U_INT16(dptr, pad0);
447 ADD_U_INT16(dptr, perm->cuid);
448
449 ADD_U_INT16(dptr, pad0);
450 ADD_U_INT16(dptr, perm->cgid);
451
452 ADD_U_INT16(dptr, pad0);
453 ADD_U_INT16(dptr, perm->mode);
454
455 ADD_U_INT16(dptr, pad0);
456 ADD_U_INT16(dptr, perm->seq);
457
458 ADD_U_INT16(dptr, pad0);
459 ADD_U_INT16(dptr, perm->key);
460
461 return t;
462 }
463
464
465 /*
466 * token ID 1 byte
467 * port IP address 2 bytes
468 */
469 token_t *au_to_iport(u_int16_t iport)
470 {
471 token_t *t;
472 u_char *dptr;
473
474
475 GET_TOKEN_AREA(t, dptr, 3);
476 if(t == NULL) {
477 return NULL;
478 }
479
480 ADD_U_CHAR(dptr, AU_IPORT_TOKEN);
481 ADD_U_INT16(dptr, iport);
482
483 return t;
484 }
485
486
487 /*
488 * token ID 1 byte
489 * size 2 bytes
490 * data size bytes
491 */
492 token_t *au_to_opaque(char *data, u_int16_t bytes)
493 {
494 token_t *t;
495 u_char *dptr;
496
497 if((data == NULL) || (bytes <= 0)) {
498 return NULL;
499 }
500
501 GET_TOKEN_AREA(t, dptr, bytes + 3);
502 if(t == NULL) {
503 return NULL;
504 }
505
506 ADD_U_CHAR(dptr, AU_OPAQUE_TOKEN);
507 ADD_U_INT16(dptr, bytes);
508 ADD_MEM(dptr, data, bytes);
509
510 return t;
511 }
512
513 /*
514 * Kernel version of the add file token function, where the time value
515 * is passed in as an additional parameter.
516 * token ID 1 byte
517 * seconds of time 4 bytes
518 * milliseconds of time 4 bytes
519 * file name len 2 bytes
520 * file pathname N bytes + 1 terminating NULL byte
521 */
522 token_t *kau_to_file(char *file, struct timeval *tv)
523 {
524 token_t *t;
525 u_char *dptr;
526 u_int16_t filelen;
527 u_int32_t timems = tv->tv_usec/1000; /* We need time in ms */
528
529 if(file == NULL) {
530 return NULL;
531 }
532 /* Make sure that text is null terminated */
533 filelen = strlen(file);
534 if(file[filelen] != '\0') {
535 return NULL;
536 }
537
538 GET_TOKEN_AREA(t, dptr, filelen + 12);
539 if(t == NULL) {
540 return NULL;
541 }
542
543 filelen += 1;
544
545 ADD_U_CHAR(dptr, AU_FILE_TOKEN);
546
547 /* Add the timestamp */
548 ADD_U_INT32(dptr, tv->tv_sec);
549 ADD_U_INT32(dptr, timems);
550
551 ADD_U_INT16(dptr, filelen);
552 ADD_STRING(dptr, file, filelen);
553
554 return t;
555
556 }
557
558 /*
559 * token ID 1 byte
560 * text length 2 bytes
561 * text N bytes + 1 terminating NULL byte
562 */
563 token_t *au_to_text(char *text)
564 {
565 token_t *t;
566 u_char *dptr;
567 u_int16_t textlen;
568
569 if(text == NULL) {
570 return NULL;
571 }
572 /* Make sure that text is null terminated */
573 textlen = strlen(text);
574 if(text[textlen] != '\0') {
575 return NULL;
576 }
577
578 GET_TOKEN_AREA(t, dptr, textlen + 4);
579 if(t == NULL) {
580 return NULL;
581 }
582
583 textlen += 1;
584
585 ADD_U_CHAR(dptr, AU_TEXT_TOKEN);
586 ADD_U_INT16(dptr, textlen);
587 ADD_STRING(dptr, text, textlen);
588
589 return t;
590 }
591
592 /*
593 * token ID 1 byte
594 * path length 2 bytes
595 * path N bytes + 1 terminating NULL byte
596 */
597 token_t *au_to_path(char *text)
598 {
599 token_t *t;
600 u_char *dptr;
601 u_int16_t textlen;
602
603 if(text == NULL) {
604 return NULL;
605 }
606 /* Make sure that text is null terminated */
607 textlen = strlen(text);
608 if(text[textlen] != '\0') {
609 return NULL;
610 }
611
612 GET_TOKEN_AREA(t, dptr, textlen + 4);
613 if(t == NULL) {
614 return NULL;
615 }
616
617 textlen += 1;
618
619 ADD_U_CHAR(dptr, AU_PATH_TOKEN);
620 ADD_U_INT16(dptr, textlen);
621 ADD_STRING(dptr, text, textlen);
622
623 return t;
624 }
625
626 /*
627 * token ID 1 byte
628 * audit ID 4 bytes
629 * effective user ID 4 bytes
630 * effective group ID 4 bytes
631 * real user ID 4 bytes
632 * real group ID 4 bytes
633 * process ID 4 bytes
634 * session ID 4 bytes
635 * terminal ID
636 * port ID 4 bytes/8 bytes (32-bit/64-bit value)
637 * machine address 4 bytes
638 */
639 token_t *au_to_process32(au_id_t auid, uid_t euid, gid_t egid,
640 uid_t ruid, gid_t rgid, pid_t pid,
641 au_asid_t sid, au_tid_t *tid)
642 {
643 token_t *t;
644 u_char *dptr;
645
646 if(tid == NULL) {
647 return NULL;
648 }
649
650 GET_TOKEN_AREA(t, dptr, 37);
651 if(t == NULL) {
652 return NULL;
653 }
654
655 ADD_U_CHAR(dptr, AU_PROCESS_32_TOKEN);
656 ADD_U_INT32(dptr, auid);
657 ADD_U_INT32(dptr, euid);
658 ADD_U_INT32(dptr, egid);
659 ADD_U_INT32(dptr, ruid);
660 ADD_U_INT32(dptr, rgid);
661 ADD_U_INT32(dptr, pid);
662 ADD_U_INT32(dptr, sid);
663 ADD_U_INT32(dptr, tid->port);
664 ADD_U_INT32(dptr, tid->machine);
665
666 return t;
667 }
668
669 token_t *au_to_process64(au_id_t auid, uid_t euid, gid_t egid,
670 uid_t ruid, gid_t rgid, pid_t pid,
671 au_asid_t sid, au_tid_t *tid)
672 {
673 return NULL;
674 }
675
676 token_t *au_to_process(au_id_t auid, uid_t euid, gid_t egid,
677 uid_t ruid, gid_t rgid, pid_t pid,
678 au_asid_t sid, au_tid_t *tid)
679 {
680 return au_to_process32(auid, euid, egid, ruid, rgid, pid,
681 sid, tid);
682 }
683
684
685 /*
686 * token ID 1 byte
687 * audit ID 4 bytes
688 * effective user ID 4 bytes
689 * effective group ID 4 bytes
690 * real user ID 4 bytes
691 * real group ID 4 bytes
692 * process ID 4 bytes
693 * session ID 4 bytes
694 * terminal ID
695 * port ID 4 bytes/8 bytes (32-bit/64-bit value)
696 * address type-len 4 bytes
697 * machine address 16 bytes
698 */
699 token_t *au_to_process32_ex(au_id_t auid, uid_t euid, gid_t egid,
700 uid_t ruid, gid_t rgid, pid_t pid,
701 au_asid_t sid, au_tid_addr_t *tid)
702 {
703 token_t *t;
704 u_char *dptr;
705
706 if(tid == NULL) {
707 return NULL;
708 }
709
710 GET_TOKEN_AREA(t, dptr, 53);
711 if(t == NULL) {
712 return NULL;
713 }
714
715 ADD_U_CHAR(dptr, AU_PROCESS_32_EX_TOKEN);
716 ADD_U_INT32(dptr, auid);
717 ADD_U_INT32(dptr, euid);
718 ADD_U_INT32(dptr, egid);
719 ADD_U_INT32(dptr, ruid);
720 ADD_U_INT32(dptr, rgid);
721 ADD_U_INT32(dptr, pid);
722 ADD_U_INT32(dptr, sid);
723 ADD_U_INT32(dptr, tid->at_port);
724 ADD_U_INT32(dptr, tid->at_type);
725 ADD_U_INT32(dptr, tid->at_addr[0]);
726 ADD_U_INT32(dptr, tid->at_addr[1]);
727 ADD_U_INT32(dptr, tid->at_addr[2]);
728 ADD_U_INT32(dptr, tid->at_addr[3]);
729
730 return t;
731 }
732
733 token_t *au_to_process64_ex(au_id_t auid, uid_t euid, gid_t egid,
734 uid_t ruid, gid_t rgid, pid_t pid,
735 au_asid_t sid, au_tid_addr_t *tid)
736 {
737 return NULL;
738 }
739
740 token_t *au_to_process_ex(au_id_t auid, uid_t euid, gid_t egid,
741 uid_t ruid, gid_t rgid, pid_t pid,
742 au_asid_t sid, au_tid_addr_t *tid)
743 {
744 return au_to_process32_ex(auid, euid, egid, ruid, rgid,
745 pid, sid, tid);
746 }
747
748 /*
749 * token ID 1 byte
750 * error status 1 byte
751 * return value 4 bytes/8 bytes (32-bit/64-bit value)
752 */
753 token_t *au_to_return32(char status, u_int32_t ret)
754 {
755 token_t *t;
756 u_char *dptr;
757
758
759 GET_TOKEN_AREA(t, dptr, 6);
760 if(t == NULL) {
761 return NULL;
762 }
763
764 ADD_U_CHAR(dptr, AU_RETURN_32_TOKEN);
765 ADD_U_CHAR(dptr, status);
766 ADD_U_INT32(dptr, ret);
767
768 return t;
769 }
770
771 token_t *au_to_return64(char status, u_int64_t ret)
772 {
773 token_t *t;
774 u_char *dptr;
775
776
777 GET_TOKEN_AREA(t, dptr, 10);
778 if(t == NULL) {
779 return NULL;
780 }
781
782 ADD_U_CHAR(dptr, AU_RETURN_64_TOKEN);
783 ADD_U_CHAR(dptr, status);
784 ADD_U_INT64(dptr, ret);
785
786 return t;
787 }
788
789 token_t *au_to_return(char status, u_int32_t ret)
790 {
791 return au_to_return32(status, ret);
792 }
793
794 /*
795 * token ID 1 byte
796 * sequence number 4 bytes
797 */
798 token_t *au_to_seq(long audit_count)
799 {
800 token_t *t;
801 u_char *dptr;
802
803
804 GET_TOKEN_AREA(t, dptr, 5);
805 if(t == NULL) {
806 return NULL;
807 }
808
809 ADD_U_CHAR(dptr, AU_SEQ_TOKEN);
810 ADD_U_INT32(dptr, audit_count);
811
812 return t;
813 }
814
815 /*
816 * token ID 1 byte
817 * socket type 2 bytes
818 * local port 2 bytes
819 * local Internet address 4 bytes
820 * remote port 2 bytes
821 * remote Internet address 4 bytes
822 */
823 token_t *au_to_socket(struct socket *so)
824 {
825 return NULL;
826 }
827
828 /*
829 * Kernel-specific version of the above function.
830 */
831 token_t *kau_to_socket(struct socket_au_info *soi)
832 {
833 token_t *t;
834 u_char *dptr;
835 u_int16_t so_type;
836
837 if(soi == NULL) {
838 return NULL;
839 }
840
841 GET_TOKEN_AREA(t, dptr, 15);
842 if(t == NULL) {
843 return NULL;
844 }
845
846 ADD_U_CHAR(dptr, AU_SOCK_TOKEN);
847 /* Coerce the socket type into a short value */
848 so_type = soi->so_type;
849 ADD_U_INT16(dptr, so_type);
850 ADD_U_INT16(dptr, soi->so_lport);
851 ADD_U_INT32(dptr, soi->so_laddr);
852 ADD_U_INT16(dptr, soi->so_rport);
853 ADD_U_INT32(dptr, soi->so_raddr);
854
855 return t;
856 }
857
858 /*
859 * token ID 1 byte
860 * socket type 2 bytes
861 * local port 2 bytes
862 * address type/length 4 bytes
863 * local Internet address 4 bytes/16 bytes (IPv4/IPv6 address)
864 * remote port 4 bytes
865 * address type/length 4 bytes
866 * remote Internet address 4 bytes/16 bytes (IPv4/IPv6 address)
867 */
868 token_t *au_to_socket_ex_32(u_int16_t lp, u_int16_t rp,
869 struct sockaddr *la, struct sockaddr *ra)
870 {
871 return NULL;
872 }
873
874 token_t *au_to_socket_ex_128(u_int16_t lp, u_int16_t rp,
875 struct sockaddr *la, struct sockaddr *ra)
876 {
877 return NULL;
878 }
879
880 /*
881 * token ID 1 byte
882 * socket family 2 bytes
883 * local port 2 bytes
884 * socket address 4 bytes
885 */
886 token_t *au_to_sock_inet32(struct sockaddr_in *so)
887 {
888 token_t *t;
889 u_char *dptr;
890
891 if(so == NULL) {
892 return NULL;
893 }
894
895 GET_TOKEN_AREA(t, dptr, 9);
896 if(t == NULL) {
897 return NULL;
898 }
899
900 ADD_U_CHAR(dptr, AU_SOCK_INET_32_TOKEN);
901 /* In Darwin, sin_family is one octet, but BSM defines the token
902 * to store two. So we copy in a 0 first.
903 */
904 ADD_U_CHAR(dptr, 0);
905 ADD_U_CHAR(dptr, so->sin_family);
906 ADD_U_INT16(dptr, so->sin_port);
907 ADD_U_INT32(dptr, so->sin_addr.s_addr);
908
909 return t;
910
911 }
912
913 token_t *au_to_sock_inet128(struct sockaddr_in6 *so)
914 {
915 token_t *t;
916 u_char *dptr;
917
918 if(so == NULL) {
919 return NULL;
920 }
921
922 GET_TOKEN_AREA(t, dptr, 21);
923 if(t == NULL) {
924 return NULL;
925 }
926
927 ADD_U_CHAR(dptr, AU_SOCK_INET_128_TOKEN);
928 /* In Darwin, sin_family is one octet, but BSM defines the token
929 * to store two. So we copy in a 0 first.
930 */
931 ADD_U_CHAR(dptr, 0);
932 ADD_U_CHAR(dptr, so->sin6_family);
933 ADD_U_INT16(dptr, so->sin6_port);
934 ADD_U_INT32(dptr, so->sin6_addr.__u6_addr.__u6_addr32[0]);
935 ADD_U_INT32(dptr, so->sin6_addr.__u6_addr.__u6_addr32[1]);
936 ADD_U_INT32(dptr, so->sin6_addr.__u6_addr.__u6_addr32[2]);
937 ADD_U_INT32(dptr, so->sin6_addr.__u6_addr.__u6_addr32[3]);
938
939 return t;
940
941
942
943 }
944
945 /*
946 * token ID 1 byte
947 * socket family 2 bytes
948 * path 104 bytes
949 */
950 token_t *au_to_sock_unix(struct sockaddr_un *so)
951 {
952 token_t *t;
953 u_char *dptr;
954
955 if(so == NULL) {
956 return NULL;
957 }
958
959 GET_TOKEN_AREA(t, dptr, 107);
960 if(t == NULL) {
961 return NULL;
962 }
963
964 ADD_U_CHAR(dptr, AU_SOCK_UNIX_TOKEN);
965 /* BSM token has two bytes for family */
966 ADD_U_CHAR(dptr, 0);
967 ADD_U_CHAR(dptr, so->sun_family);
968 ADD_STRING(dptr, so->sun_path, strlen(so->sun_path));
969
970 return t;
971
972 }
973
974 token_t *au_to_sock_inet(struct sockaddr_in *so)
975 {
976 return au_to_sock_inet32(so);
977 }
978
979 /*
980 * token ID 1 byte
981 * audit ID 4 bytes
982 * effective user ID 4 bytes
983 * effective group ID 4 bytes
984 * real user ID 4 bytes
985 * real group ID 4 bytes
986 * process ID 4 bytes
987 * session ID 4 bytes
988 * terminal ID
989 * port ID 4 bytes/8 bytes (32-bit/64-bit value)
990 * machine address 4 bytes
991 */
992 token_t *au_to_subject32(au_id_t auid, uid_t euid, gid_t egid,
993 uid_t ruid, gid_t rgid, pid_t pid,
994 au_asid_t sid, au_tid_t *tid)
995 {
996 token_t *t;
997 u_char *dptr;
998
999 if(tid == NULL) {
1000 return NULL;
1001 }
1002
1003 GET_TOKEN_AREA(t, dptr, 37);
1004 if(t == NULL) {
1005 return NULL;
1006 }
1007
1008 ADD_U_CHAR(dptr, AU_SUBJECT_32_TOKEN);
1009 ADD_U_INT32(dptr, auid);
1010 ADD_U_INT32(dptr, euid);
1011 ADD_U_INT32(dptr, egid);
1012 ADD_U_INT32(dptr, ruid);
1013 ADD_U_INT32(dptr, rgid);
1014 ADD_U_INT32(dptr, pid);
1015 ADD_U_INT32(dptr, sid);
1016 ADD_U_INT32(dptr, tid->port);
1017 ADD_U_INT32(dptr, tid->machine);
1018
1019 return t;
1020 }
1021
1022 token_t *au_to_subject64(au_id_t auid, uid_t euid, gid_t egid,
1023 uid_t ruid, gid_t rgid, pid_t pid,
1024 au_asid_t sid, au_tid_t *tid)
1025 {
1026 return NULL;
1027 }
1028
1029 token_t *au_to_subject(au_id_t auid, uid_t euid, gid_t egid,
1030 uid_t ruid, gid_t rgid, pid_t pid,
1031 au_asid_t sid, au_tid_t *tid)
1032 {
1033 return au_to_subject32(auid, euid, egid, ruid, rgid,
1034 pid, sid, tid);
1035
1036 }
1037
1038 /*
1039 * token ID 1 byte
1040 * audit ID 4 bytes
1041 * effective user ID 4 bytes
1042 * effective group ID 4 bytes
1043 * real user ID 4 bytes
1044 * real group ID 4 bytes
1045 * process ID 4 bytes
1046 * session ID 4 bytes
1047 * terminal ID
1048 * port ID 4 bytes/8 bytes (32-bit/64-bit value)
1049 * address type/length 4 bytes
1050 * machine address 16 bytes
1051 */
1052 token_t *au_to_subject32_ex(au_id_t auid, uid_t euid,
1053 gid_t egid, uid_t ruid, gid_t rgid, pid_t pid,
1054 au_asid_t sid, au_tid_addr_t *tid)
1055 {
1056 token_t *t;
1057 u_char *dptr;
1058
1059 if(tid == NULL) {
1060 return NULL;
1061 }
1062
1063 GET_TOKEN_AREA(t, dptr, 53);
1064 if(t == NULL) {
1065 return NULL;
1066 }
1067
1068 ADD_U_CHAR(dptr, AU_SUBJECT_32_EX_TOKEN);
1069 ADD_U_INT32(dptr, auid);
1070 ADD_U_INT32(dptr, euid);
1071 ADD_U_INT32(dptr, egid);
1072 ADD_U_INT32(dptr, ruid);
1073 ADD_U_INT32(dptr, rgid);
1074 ADD_U_INT32(dptr, pid);
1075 ADD_U_INT32(dptr, sid);
1076 ADD_U_INT32(dptr, tid->at_port);
1077 ADD_U_INT32(dptr, tid->at_type);
1078 ADD_U_INT32(dptr, tid->at_addr[0]);
1079 ADD_U_INT32(dptr, tid->at_addr[1]);
1080 ADD_U_INT32(dptr, tid->at_addr[2]);
1081 ADD_U_INT32(dptr, tid->at_addr[3]);
1082
1083 return t;
1084 }
1085
1086 token_t *au_to_subject64_ex(au_id_t auid, uid_t euid,
1087 gid_t egid, uid_t ruid, gid_t rgid, pid_t pid,
1088 au_asid_t sid, au_tid_addr_t *tid)
1089 {
1090 return NULL;
1091 }
1092
1093 token_t *au_to_subject_ex(au_id_t auid, uid_t euid,
1094 gid_t egid, uid_t ruid, gid_t rgid, pid_t pid,
1095 au_asid_t sid, au_tid_addr_t *tid)
1096 {
1097 return au_to_subject32_ex(auid, euid, egid, ruid, rgid,
1098 pid, sid, tid);
1099
1100 }
1101
1102 /*
1103 * token ID 1 byte
1104 * count 4 bytes
1105 * text count null-terminated strings
1106 */
1107 token_t *au_to_exec_args(const char **args)
1108 {
1109 token_t *t;
1110 u_char *dptr;
1111 const char *nextarg;
1112 int i, count = 0;
1113 size_t totlen = 0;
1114
1115 if(args == NULL) {
1116 return NULL;
1117 }
1118
1119 nextarg = *args;
1120
1121 while(nextarg != NULL) {
1122 int nextlen;
1123
1124 nextlen = strlen(nextarg);
1125 if(nextarg[nextlen] != '\0') {
1126 return NULL;
1127 }
1128
1129 totlen += nextlen + 1;
1130 count++;
1131 nextarg = *(args + count);
1132 }
1133
1134
1135 GET_TOKEN_AREA(t, dptr, 5 + totlen);
1136 if(t == NULL) {
1137 return NULL;
1138 }
1139
1140 ADD_U_CHAR(dptr, AU_EXEC_ARG_TOKEN);
1141 ADD_U_INT32(dptr, count);
1142
1143 for(i =0; i< count; i++) {
1144 nextarg = *(args + i);
1145 ADD_MEM(dptr, nextarg, strlen(nextarg) + 1);
1146 }
1147
1148 return t;
1149 }
1150
1151
1152 /*
1153 * token ID 1 byte
1154 * count 4 bytes
1155 * text count null-terminated strings
1156 */
1157 token_t *au_to_exec_env(const char **env)
1158 {
1159 token_t *t;
1160 u_char *dptr;
1161 int i, count = 0;
1162 size_t totlen = 0;
1163 const char *nextenv;
1164
1165 if(env == NULL) {
1166 return NULL;
1167 }
1168
1169 nextenv = *env;
1170
1171 while(nextenv != NULL) {
1172 int nextlen;
1173
1174 nextlen = strlen(nextenv);
1175 if(nextenv[nextlen] != '\0') {
1176 return NULL;
1177 }
1178
1179 totlen += nextlen + 1;
1180 count++;
1181 nextenv = *(env + count);
1182 }
1183
1184
1185 GET_TOKEN_AREA(t, dptr, 5 + totlen);
1186 if(t == NULL) {
1187 return NULL;
1188 }
1189
1190 ADD_U_CHAR(dptr, AU_EXEC_ENV_TOKEN);
1191 ADD_U_INT32(dptr, count);
1192
1193 for(i =0; i< count; i++) {
1194 nextenv = *(env + i);
1195 ADD_MEM(dptr, nextenv, strlen(nextenv) + 1);
1196 }
1197
1198 return t;
1199 }
1200
1201
1202 /*
1203 * Kernel version of the BSM header token functions. These versions take
1204 * a timespec struct as an additional parameter in order to obtain the
1205 * create time value for the BSM audit record.
1206 * token ID 1 byte
1207 * record byte count 4 bytes
1208 * version # 1 byte [2]
1209 * event type 2 bytes
1210 * event modifier 2 bytes
1211 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value)
1212 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value)
1213 */
1214 token_t *kau_to_header32(struct timespec *ctime, int rec_size,
1215 au_event_t e_type, au_emod_t e_mod)
1216 {
1217 token_t *t;
1218 u_char *dptr;
1219 u_int32_t timems = ctime->tv_nsec/1000000; /* We need time in ms */
1220
1221 GET_TOKEN_AREA(t, dptr, 18);
1222 if(t == NULL) {
1223 return NULL;
1224 }
1225
1226 ADD_U_CHAR(dptr, AU_HEADER_32_TOKEN);
1227 ADD_U_INT32(dptr, rec_size);
1228 ADD_U_CHAR(dptr, HEADER_VERSION);
1229 ADD_U_INT16(dptr, e_type);
1230 ADD_U_INT16(dptr, e_mod);
1231
1232 /* Add the timestamp */
1233 ADD_U_INT32(dptr, ctime->tv_sec);
1234 ADD_U_INT32(dptr, timems);
1235
1236 return t;
1237 }
1238
1239 token_t *kau_to_header64(struct timespec *ctime, int rec_size,
1240 au_event_t e_type, au_emod_t e_mod)
1241 {
1242 return NULL;
1243 }
1244
1245 token_t *kau_to_header(struct timespec *ctime, int rec_size,
1246 au_event_t e_type, au_emod_t e_mod)
1247 {
1248 return kau_to_header32(ctime, rec_size, e_type, e_mod);
1249 }
1250
1251 /*
1252 * token ID 1 byte
1253 * trailer magic number 2 bytes
1254 * record byte count 4 bytes
1255 */
1256 token_t *au_to_trailer(int rec_size)
1257 {
1258 token_t *t;
1259 u_char *dptr;
1260 u_int16_t magic = TRAILER_PAD_MAGIC;
1261
1262
1263 GET_TOKEN_AREA(t, dptr, 7);
1264 if(t == NULL) {
1265 return NULL;
1266 }
1267
1268 ADD_U_CHAR(dptr, AU_TRAILER_TOKEN);
1269 ADD_U_INT16(dptr, magic);
1270 ADD_U_INT32(dptr, rec_size);
1271
1272 return t;
1273
1274 }
1275