]>
git.saurik.com Git - apple/xnu.git/blob - bsd/kern/kern_bsm_token.c
2 * Copyright (c) 2004 Apple Computer, Inc. All rights reserved.
4 * @APPLE_LICENSE_HEADER_START@
6 * The contents of this file constitute Original Code as defined in and
7 * are subject to the Apple Public Source License Version 1.1 (the
8 * "License"). You may not use this file except in compliance with the
9 * License. Please obtain a copy of the License at
10 * http://www.apple.com/publicsource and read it before using this file.
12 * This Original Code and all software distributed under the License are
13 * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
14 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
15 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
16 * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. Please see the
17 * License for the specific language governing rights and limitations
20 * @APPLE_LICENSE_HEADER_END@
23 #include <sys/types.h>
25 #include <sys/event.h>
27 #include <bsm/audit.h>
28 #include <bsm/audit_record.h>
29 #include <bsm/audit_klib.h>
30 #include <bsm/audit_kernel.h>
32 #include <kern/clock.h>
34 #define GET_TOKEN_AREA(tok, dptr, length) \
36 tok = (token_t *)kalloc(sizeof(*tok) + length); \
40 dptr = tok->t_data = (u_char *)&tok[1];\
41 memset(dptr, 0, length);\
50 * argument value 4 bytes/8 bytes (32-bit/64-bit value)
52 * text N bytes + 1 terminating NULL byte
54 token_t
*au_to_arg32(char n
, char *text
, u_int32_t v
)
64 /* Make sure that text is null terminated */
65 textlen
= strlen(text
);
66 if(text
[textlen
] != '\0') {
70 GET_TOKEN_AREA(t
, dptr
, 9 + textlen
);
77 ADD_U_CHAR(dptr
, AU_ARG32_TOKEN
);
80 ADD_U_INT16(dptr
, textlen
);
81 ADD_STRING(dptr
, text
, textlen
);
87 token_t
*au_to_arg64(char n
, char *text
, u_int64_t v
)
97 /* Make sure that text is null terminated */
98 textlen
= strlen(text
);
99 if(text
[textlen
] != '\0') {
103 GET_TOKEN_AREA(t
, dptr
, 13 + textlen
);
110 ADD_U_CHAR(dptr
, AU_ARG64_TOKEN
);
112 ADD_U_INT64(dptr
, v
);
113 ADD_U_INT16(dptr
, textlen
);
114 ADD_STRING(dptr
, text
, textlen
);
120 token_t
*au_to_arg(char n
, char *text
, u_int32_t v
)
122 return au_to_arg32(n
, text
, v
);
127 * file access mode 4 bytes
128 * owner user ID 4 bytes
129 * owner group ID 4 bytes
130 * file system ID 4 bytes
132 * device 4 bytes/8 bytes (32-bit/64-bit)
134 token_t
*au_to_attr32(struct vattr
*attr
)
139 /* Kernel-specific version of the above function */
140 token_t
*kau_to_attr32(struct vnode_au_info
*vni
)
145 u_int16_t pad0_16
= 0;
146 u_int32_t pad0_32
= 0;
152 GET_TOKEN_AREA(t
, dptr
, 29);
157 ADD_U_CHAR(dptr
, AU_ATTR32_TOKEN
);
160 * Darwin defines the size for the file mode as 2 bytes;
161 * BSM defines 4. So we copy in a 0 first.
163 ADD_U_INT16(dptr
, pad0_16
);
164 ADD_U_INT16(dptr
, vni
->vn_mode
);
166 ADD_U_INT32(dptr
, vni
->vn_uid
);
167 ADD_U_INT32(dptr
, vni
->vn_gid
);
168 ADD_U_INT32(dptr
, vni
->vn_fsid
);
171 * Darwin defines the size for fileid as 4 bytes;
172 * BSM defines 8. So we copy in a 0 first.
174 fileid
= vni
->vn_fileid
;
175 ADD_U_INT32(dptr
, pad0_32
);
176 ADD_U_INT32(dptr
, fileid
);
178 ADD_U_INT32(dptr
, vni
->vn_dev
);
183 token_t
*au_to_attr64(struct vattr
*attr
)
187 token_t
*kau_to_attr64(struct vnode_au_info
*vni
)
192 token_t
*au_to_attr(struct vattr
*attr
)
194 return au_to_attr32(attr
);
201 * how to print 1 byte
204 * data items (depends on basic unit)
206 token_t
*au_to_data(char unit_print
, char unit_type
,
207 char unit_count
, char *p
)
211 size_t datasize
, totdata
;
217 /* Determine the size of the basic unit */
219 case AUR_BYTE
: datasize
= AUR_BYTE_SIZE
;
222 case AUR_SHORT
: datasize
= AUR_SHORT_SIZE
;
225 case AUR_LONG
: datasize
= AUR_LONG_SIZE
;
228 default: return NULL
;
231 totdata
= datasize
* unit_count
;
233 GET_TOKEN_AREA(t
, dptr
, totdata
+ 4);
238 ADD_U_CHAR(dptr
, AU_ARB_TOKEN
);
239 ADD_U_CHAR(dptr
, unit_print
);
240 ADD_U_CHAR(dptr
, unit_type
);
241 ADD_U_CHAR(dptr
, unit_count
);
242 ADD_MEM(dptr
, p
, totdata
);
250 * return value 4 bytes
252 token_t
*au_to_exit(int retval
, int err
)
257 GET_TOKEN_AREA(t
, dptr
, 9);
262 ADD_U_CHAR(dptr
, AU_EXIT_TOKEN
);
263 ADD_U_INT32(dptr
, err
);
264 ADD_U_INT32(dptr
, retval
);
271 token_t
*au_to_groups(int *groups
)
273 return au_to_newgroups(MAX_GROUPS
, groups
);
278 * number groups 2 bytes
279 * group list count * 4 bytes
281 token_t
*au_to_newgroups(u_int16_t n
, gid_t
*groups
)
291 GET_TOKEN_AREA(t
, dptr
, n
* 4 + 3);
296 ADD_U_CHAR(dptr
, AU_NEWGROUPS_TOKEN
);
297 ADD_U_INT16(dptr
, n
);
298 for(i
= 0; i
< n
; i
++) {
299 ADD_U_INT32(dptr
, groups
[i
]);
310 * internet address 4 bytes
312 token_t
*au_to_in_addr(struct in_addr
*internet_addr
)
317 if(internet_addr
== NULL
) {
321 GET_TOKEN_AREA(t
, dptr
, 5);
326 ADD_U_CHAR(dptr
, AU_IN_ADDR_TOKEN
);
327 ADD_U_INT32(dptr
, internet_addr
->s_addr
);
334 * address type/length 4 bytes
337 token_t
*au_to_in_addr_ex(struct in6_addr
*internet_addr
)
341 u_int32_t type
= AF_INET6
;
343 if(internet_addr
== NULL
) {
347 GET_TOKEN_AREA(t
, dptr
, 21);
352 ADD_U_CHAR(dptr
, AU_IN_ADDR_EX_TOKEN
);
353 ADD_U_INT32(dptr
, type
);
354 ADD_U_INT32(dptr
, internet_addr
->__u6_addr
.__u6_addr32
[0]);
355 ADD_U_INT32(dptr
, internet_addr
->__u6_addr
.__u6_addr32
[1]);
356 ADD_U_INT32(dptr
, internet_addr
->__u6_addr
.__u6_addr32
[2]);
357 ADD_U_INT32(dptr
, internet_addr
->__u6_addr
.__u6_addr32
[3]);
366 token_t
*au_to_ip(struct ip
*ip
)
375 GET_TOKEN_AREA(t
, dptr
, 21);
380 ADD_U_CHAR(dptr
, AU_IP_TOKEN
);
381 ADD_MEM(dptr
, ip
, sizeof(struct ip
));
388 * object ID type 1 byte
391 token_t
*au_to_ipc(char type
, int id
)
397 GET_TOKEN_AREA(t
, dptr
, 6);
402 ADD_U_CHAR(dptr
, AU_IPC_TOKEN
);
403 ADD_U_CHAR(dptr
, type
);
404 ADD_U_INT32(dptr
, id
);
411 * owner user ID 4 bytes
412 * owner group ID 4 bytes
413 * creator user ID 4 bytes
414 * creator group ID 4 bytes
415 * access mode 4 bytes
416 * slot sequence # 4 bytes
419 token_t
*au_to_ipc_perm(struct ipc_perm
*perm
)
429 GET_TOKEN_AREA(t
, dptr
, 29);
435 * Darwin defines the sizes for ipc_perm members
436 * as 2 bytes; BSM defines 4. So we copy in a 0 first.
438 ADD_U_CHAR(dptr
, AU_IPCPERM_TOKEN
);
440 ADD_U_INT16(dptr
, pad0
);
441 ADD_U_INT16(dptr
, perm
->uid
);
443 ADD_U_INT16(dptr
, pad0
);
444 ADD_U_INT16(dptr
, perm
->gid
);
446 ADD_U_INT16(dptr
, pad0
);
447 ADD_U_INT16(dptr
, perm
->cuid
);
449 ADD_U_INT16(dptr
, pad0
);
450 ADD_U_INT16(dptr
, perm
->cgid
);
452 ADD_U_INT16(dptr
, pad0
);
453 ADD_U_INT16(dptr
, perm
->mode
);
455 ADD_U_INT16(dptr
, pad0
);
456 ADD_U_INT16(dptr
, perm
->seq
);
458 ADD_U_INT16(dptr
, pad0
);
459 ADD_U_INT16(dptr
, perm
->key
);
467 * port IP address 2 bytes
469 token_t
*au_to_iport(u_int16_t iport
)
475 GET_TOKEN_AREA(t
, dptr
, 3);
480 ADD_U_CHAR(dptr
, AU_IPORT_TOKEN
);
481 ADD_U_INT16(dptr
, iport
);
492 token_t
*au_to_opaque(char *data
, u_int16_t bytes
)
497 if((data
== NULL
) || (bytes
<= 0)) {
501 GET_TOKEN_AREA(t
, dptr
, bytes
+ 3);
506 ADD_U_CHAR(dptr
, AU_OPAQUE_TOKEN
);
507 ADD_U_INT16(dptr
, bytes
);
508 ADD_MEM(dptr
, data
, bytes
);
514 * Kernel version of the add file token function, where the time value
515 * is passed in as an additional parameter.
517 * seconds of time 4 bytes
518 * milliseconds of time 4 bytes
519 * file name len 2 bytes
520 * file pathname N bytes + 1 terminating NULL byte
522 token_t
*kau_to_file(char *file
, struct timeval
*tv
)
527 u_int32_t timems
= tv
->tv_usec
/1000; /* We need time in ms */
532 /* Make sure that text is null terminated */
533 filelen
= strlen(file
);
534 if(file
[filelen
] != '\0') {
538 GET_TOKEN_AREA(t
, dptr
, filelen
+ 12);
545 ADD_U_CHAR(dptr
, AU_FILE_TOKEN
);
547 /* Add the timestamp */
548 ADD_U_INT32(dptr
, tv
->tv_sec
);
549 ADD_U_INT32(dptr
, timems
);
551 ADD_U_INT16(dptr
, filelen
);
552 ADD_STRING(dptr
, file
, filelen
);
560 * text length 2 bytes
561 * text N bytes + 1 terminating NULL byte
563 token_t
*au_to_text(char *text
)
572 /* Make sure that text is null terminated */
573 textlen
= strlen(text
);
574 if(text
[textlen
] != '\0') {
578 GET_TOKEN_AREA(t
, dptr
, textlen
+ 4);
585 ADD_U_CHAR(dptr
, AU_TEXT_TOKEN
);
586 ADD_U_INT16(dptr
, textlen
);
587 ADD_STRING(dptr
, text
, textlen
);
594 * path length 2 bytes
595 * path N bytes + 1 terminating NULL byte
597 token_t
*au_to_path(char *text
)
606 /* Make sure that text is null terminated */
607 textlen
= strlen(text
);
608 if(text
[textlen
] != '\0') {
612 GET_TOKEN_AREA(t
, dptr
, textlen
+ 4);
619 ADD_U_CHAR(dptr
, AU_PATH_TOKEN
);
620 ADD_U_INT16(dptr
, textlen
);
621 ADD_STRING(dptr
, text
, textlen
);
629 * effective user ID 4 bytes
630 * effective group ID 4 bytes
631 * real user ID 4 bytes
632 * real group ID 4 bytes
636 * port ID 4 bytes/8 bytes (32-bit/64-bit value)
637 * machine address 4 bytes
639 token_t
*au_to_process32(au_id_t auid
, uid_t euid
, gid_t egid
,
640 uid_t ruid
, gid_t rgid
, pid_t pid
,
641 au_asid_t sid
, au_tid_t
*tid
)
650 GET_TOKEN_AREA(t
, dptr
, 37);
655 ADD_U_CHAR(dptr
, AU_PROCESS_32_TOKEN
);
656 ADD_U_INT32(dptr
, auid
);
657 ADD_U_INT32(dptr
, euid
);
658 ADD_U_INT32(dptr
, egid
);
659 ADD_U_INT32(dptr
, ruid
);
660 ADD_U_INT32(dptr
, rgid
);
661 ADD_U_INT32(dptr
, pid
);
662 ADD_U_INT32(dptr
, sid
);
663 ADD_U_INT32(dptr
, tid
->port
);
664 ADD_U_INT32(dptr
, tid
->machine
);
669 token_t
*au_to_process64(au_id_t auid
, uid_t euid
, gid_t egid
,
670 uid_t ruid
, gid_t rgid
, pid_t pid
,
671 au_asid_t sid
, au_tid_t
*tid
)
676 token_t
*au_to_process(au_id_t auid
, uid_t euid
, gid_t egid
,
677 uid_t ruid
, gid_t rgid
, pid_t pid
,
678 au_asid_t sid
, au_tid_t
*tid
)
680 return au_to_process32(auid
, euid
, egid
, ruid
, rgid
, pid
,
688 * effective user ID 4 bytes
689 * effective group ID 4 bytes
690 * real user ID 4 bytes
691 * real group ID 4 bytes
695 * port ID 4 bytes/8 bytes (32-bit/64-bit value)
696 * address type-len 4 bytes
697 * machine address 16 bytes
699 token_t
*au_to_process32_ex(au_id_t auid
, uid_t euid
, gid_t egid
,
700 uid_t ruid
, gid_t rgid
, pid_t pid
,
701 au_asid_t sid
, au_tid_addr_t
*tid
)
710 GET_TOKEN_AREA(t
, dptr
, 53);
715 ADD_U_CHAR(dptr
, AU_PROCESS_32_EX_TOKEN
);
716 ADD_U_INT32(dptr
, auid
);
717 ADD_U_INT32(dptr
, euid
);
718 ADD_U_INT32(dptr
, egid
);
719 ADD_U_INT32(dptr
, ruid
);
720 ADD_U_INT32(dptr
, rgid
);
721 ADD_U_INT32(dptr
, pid
);
722 ADD_U_INT32(dptr
, sid
);
723 ADD_U_INT32(dptr
, tid
->at_port
);
724 ADD_U_INT32(dptr
, tid
->at_type
);
725 ADD_U_INT32(dptr
, tid
->at_addr
[0]);
726 ADD_U_INT32(dptr
, tid
->at_addr
[1]);
727 ADD_U_INT32(dptr
, tid
->at_addr
[2]);
728 ADD_U_INT32(dptr
, tid
->at_addr
[3]);
733 token_t
*au_to_process64_ex(au_id_t auid
, uid_t euid
, gid_t egid
,
734 uid_t ruid
, gid_t rgid
, pid_t pid
,
735 au_asid_t sid
, au_tid_addr_t
*tid
)
740 token_t
*au_to_process_ex(au_id_t auid
, uid_t euid
, gid_t egid
,
741 uid_t ruid
, gid_t rgid
, pid_t pid
,
742 au_asid_t sid
, au_tid_addr_t
*tid
)
744 return au_to_process32_ex(auid
, euid
, egid
, ruid
, rgid
,
750 * error status 1 byte
751 * return value 4 bytes/8 bytes (32-bit/64-bit value)
753 token_t
*au_to_return32(char status
, u_int32_t ret
)
759 GET_TOKEN_AREA(t
, dptr
, 6);
764 ADD_U_CHAR(dptr
, AU_RETURN_32_TOKEN
);
765 ADD_U_CHAR(dptr
, status
);
766 ADD_U_INT32(dptr
, ret
);
771 token_t
*au_to_return64(char status
, u_int64_t ret
)
777 GET_TOKEN_AREA(t
, dptr
, 10);
782 ADD_U_CHAR(dptr
, AU_RETURN_64_TOKEN
);
783 ADD_U_CHAR(dptr
, status
);
784 ADD_U_INT64(dptr
, ret
);
789 token_t
*au_to_return(char status
, u_int32_t ret
)
791 return au_to_return32(status
, ret
);
796 * sequence number 4 bytes
798 token_t
*au_to_seq(long audit_count
)
804 GET_TOKEN_AREA(t
, dptr
, 5);
809 ADD_U_CHAR(dptr
, AU_SEQ_TOKEN
);
810 ADD_U_INT32(dptr
, audit_count
);
817 * socket type 2 bytes
819 * local Internet address 4 bytes
820 * remote port 2 bytes
821 * remote Internet address 4 bytes
823 token_t
*au_to_socket(struct socket
*so
)
829 * Kernel-specific version of the above function.
831 token_t
*kau_to_socket(struct socket_au_info
*soi
)
841 GET_TOKEN_AREA(t
, dptr
, 15);
846 ADD_U_CHAR(dptr
, AU_SOCK_TOKEN
);
847 /* Coerce the socket type into a short value */
848 so_type
= soi
->so_type
;
849 ADD_U_INT16(dptr
, so_type
);
850 ADD_U_INT16(dptr
, soi
->so_lport
);
851 ADD_U_INT32(dptr
, soi
->so_laddr
);
852 ADD_U_INT16(dptr
, soi
->so_rport
);
853 ADD_U_INT32(dptr
, soi
->so_raddr
);
860 * socket type 2 bytes
862 * address type/length 4 bytes
863 * local Internet address 4 bytes/16 bytes (IPv4/IPv6 address)
864 * remote port 4 bytes
865 * address type/length 4 bytes
866 * remote Internet address 4 bytes/16 bytes (IPv4/IPv6 address)
868 token_t
*au_to_socket_ex_32(u_int16_t lp
, u_int16_t rp
,
869 struct sockaddr
*la
, struct sockaddr
*ra
)
874 token_t
*au_to_socket_ex_128(u_int16_t lp
, u_int16_t rp
,
875 struct sockaddr
*la
, struct sockaddr
*ra
)
882 * socket family 2 bytes
884 * socket address 4 bytes
886 token_t
*au_to_sock_inet32(struct sockaddr_in
*so
)
895 GET_TOKEN_AREA(t
, dptr
, 9);
900 ADD_U_CHAR(dptr
, AU_SOCK_INET_32_TOKEN
);
901 /* In Darwin, sin_family is one octet, but BSM defines the token
902 * to store two. So we copy in a 0 first.
905 ADD_U_CHAR(dptr
, so
->sin_family
);
906 ADD_U_INT16(dptr
, so
->sin_port
);
907 ADD_U_INT32(dptr
, so
->sin_addr
.s_addr
);
913 token_t
*au_to_sock_inet128(struct sockaddr_in6
*so
)
922 GET_TOKEN_AREA(t
, dptr
, 21);
927 ADD_U_CHAR(dptr
, AU_SOCK_INET_128_TOKEN
);
928 /* In Darwin, sin_family is one octet, but BSM defines the token
929 * to store two. So we copy in a 0 first.
932 ADD_U_CHAR(dptr
, so
->sin6_family
);
933 ADD_U_INT16(dptr
, so
->sin6_port
);
934 ADD_U_INT32(dptr
, so
->sin6_addr
.__u6_addr
.__u6_addr32
[0]);
935 ADD_U_INT32(dptr
, so
->sin6_addr
.__u6_addr
.__u6_addr32
[1]);
936 ADD_U_INT32(dptr
, so
->sin6_addr
.__u6_addr
.__u6_addr32
[2]);
937 ADD_U_INT32(dptr
, so
->sin6_addr
.__u6_addr
.__u6_addr32
[3]);
947 * socket family 2 bytes
950 token_t
*au_to_sock_unix(struct sockaddr_un
*so
)
959 GET_TOKEN_AREA(t
, dptr
, 107);
964 ADD_U_CHAR(dptr
, AU_SOCK_UNIX_TOKEN
);
965 /* BSM token has two bytes for family */
967 ADD_U_CHAR(dptr
, so
->sun_family
);
968 ADD_STRING(dptr
, so
->sun_path
, strlen(so
->sun_path
));
974 token_t
*au_to_sock_inet(struct sockaddr_in
*so
)
976 return au_to_sock_inet32(so
);
982 * effective user ID 4 bytes
983 * effective group ID 4 bytes
984 * real user ID 4 bytes
985 * real group ID 4 bytes
989 * port ID 4 bytes/8 bytes (32-bit/64-bit value)
990 * machine address 4 bytes
992 token_t
*au_to_subject32(au_id_t auid
, uid_t euid
, gid_t egid
,
993 uid_t ruid
, gid_t rgid
, pid_t pid
,
994 au_asid_t sid
, au_tid_t
*tid
)
1003 GET_TOKEN_AREA(t
, dptr
, 37);
1008 ADD_U_CHAR(dptr
, AU_SUBJECT_32_TOKEN
);
1009 ADD_U_INT32(dptr
, auid
);
1010 ADD_U_INT32(dptr
, euid
);
1011 ADD_U_INT32(dptr
, egid
);
1012 ADD_U_INT32(dptr
, ruid
);
1013 ADD_U_INT32(dptr
, rgid
);
1014 ADD_U_INT32(dptr
, pid
);
1015 ADD_U_INT32(dptr
, sid
);
1016 ADD_U_INT32(dptr
, tid
->port
);
1017 ADD_U_INT32(dptr
, tid
->machine
);
1022 token_t
*au_to_subject64(au_id_t auid
, uid_t euid
, gid_t egid
,
1023 uid_t ruid
, gid_t rgid
, pid_t pid
,
1024 au_asid_t sid
, au_tid_t
*tid
)
1029 token_t
*au_to_subject(au_id_t auid
, uid_t euid
, gid_t egid
,
1030 uid_t ruid
, gid_t rgid
, pid_t pid
,
1031 au_asid_t sid
, au_tid_t
*tid
)
1033 return au_to_subject32(auid
, euid
, egid
, ruid
, rgid
,
1041 * effective user ID 4 bytes
1042 * effective group ID 4 bytes
1043 * real user ID 4 bytes
1044 * real group ID 4 bytes
1045 * process ID 4 bytes
1046 * session ID 4 bytes
1048 * port ID 4 bytes/8 bytes (32-bit/64-bit value)
1049 * address type/length 4 bytes
1050 * machine address 16 bytes
1052 token_t
*au_to_subject32_ex(au_id_t auid
, uid_t euid
,
1053 gid_t egid
, uid_t ruid
, gid_t rgid
, pid_t pid
,
1054 au_asid_t sid
, au_tid_addr_t
*tid
)
1063 GET_TOKEN_AREA(t
, dptr
, 53);
1068 ADD_U_CHAR(dptr
, AU_SUBJECT_32_EX_TOKEN
);
1069 ADD_U_INT32(dptr
, auid
);
1070 ADD_U_INT32(dptr
, euid
);
1071 ADD_U_INT32(dptr
, egid
);
1072 ADD_U_INT32(dptr
, ruid
);
1073 ADD_U_INT32(dptr
, rgid
);
1074 ADD_U_INT32(dptr
, pid
);
1075 ADD_U_INT32(dptr
, sid
);
1076 ADD_U_INT32(dptr
, tid
->at_port
);
1077 ADD_U_INT32(dptr
, tid
->at_type
);
1078 ADD_U_INT32(dptr
, tid
->at_addr
[0]);
1079 ADD_U_INT32(dptr
, tid
->at_addr
[1]);
1080 ADD_U_INT32(dptr
, tid
->at_addr
[2]);
1081 ADD_U_INT32(dptr
, tid
->at_addr
[3]);
1086 token_t
*au_to_subject64_ex(au_id_t auid
, uid_t euid
,
1087 gid_t egid
, uid_t ruid
, gid_t rgid
, pid_t pid
,
1088 au_asid_t sid
, au_tid_addr_t
*tid
)
1093 token_t
*au_to_subject_ex(au_id_t auid
, uid_t euid
,
1094 gid_t egid
, uid_t ruid
, gid_t rgid
, pid_t pid
,
1095 au_asid_t sid
, au_tid_addr_t
*tid
)
1097 return au_to_subject32_ex(auid
, euid
, egid
, ruid
, rgid
,
1105 * text count null-terminated strings
1107 token_t
*au_to_exec_args(const char **args
)
1111 const char *nextarg
;
1121 while(nextarg
!= NULL
) {
1124 nextlen
= strlen(nextarg
);
1125 if(nextarg
[nextlen
] != '\0') {
1129 totlen
+= nextlen
+ 1;
1131 nextarg
= *(args
+ count
);
1135 GET_TOKEN_AREA(t
, dptr
, 5 + totlen
);
1140 ADD_U_CHAR(dptr
, AU_EXEC_ARG_TOKEN
);
1141 ADD_U_INT32(dptr
, count
);
1143 for(i
=0; i
< count
; i
++) {
1144 nextarg
= *(args
+ i
);
1145 ADD_MEM(dptr
, nextarg
, strlen(nextarg
) + 1);
1155 * text count null-terminated strings
1157 token_t
*au_to_exec_env(const char **env
)
1163 const char *nextenv
;
1171 while(nextenv
!= NULL
) {
1174 nextlen
= strlen(nextenv
);
1175 if(nextenv
[nextlen
] != '\0') {
1179 totlen
+= nextlen
+ 1;
1181 nextenv
= *(env
+ count
);
1185 GET_TOKEN_AREA(t
, dptr
, 5 + totlen
);
1190 ADD_U_CHAR(dptr
, AU_EXEC_ENV_TOKEN
);
1191 ADD_U_INT32(dptr
, count
);
1193 for(i
=0; i
< count
; i
++) {
1194 nextenv
= *(env
+ i
);
1195 ADD_MEM(dptr
, nextenv
, strlen(nextenv
) + 1);
1203 * Kernel version of the BSM header token functions. These versions take
1204 * a timespec struct as an additional parameter in order to obtain the
1205 * create time value for the BSM audit record.
1207 * record byte count 4 bytes
1208 * version # 1 byte [2]
1209 * event type 2 bytes
1210 * event modifier 2 bytes
1211 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value)
1212 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value)
1214 token_t
*kau_to_header32(struct timespec
*ctime
, int rec_size
,
1215 au_event_t e_type
, au_emod_t e_mod
)
1219 u_int32_t timems
= ctime
->tv_nsec
/1000000; /* We need time in ms */
1221 GET_TOKEN_AREA(t
, dptr
, 18);
1226 ADD_U_CHAR(dptr
, AU_HEADER_32_TOKEN
);
1227 ADD_U_INT32(dptr
, rec_size
);
1228 ADD_U_CHAR(dptr
, HEADER_VERSION
);
1229 ADD_U_INT16(dptr
, e_type
);
1230 ADD_U_INT16(dptr
, e_mod
);
1232 /* Add the timestamp */
1233 ADD_U_INT32(dptr
, ctime
->tv_sec
);
1234 ADD_U_INT32(dptr
, timems
);
1239 token_t
*kau_to_header64(struct timespec
*ctime
, int rec_size
,
1240 au_event_t e_type
, au_emod_t e_mod
)
1245 token_t
*kau_to_header(struct timespec
*ctime
, int rec_size
,
1246 au_event_t e_type
, au_emod_t e_mod
)
1248 return kau_to_header32(ctime
, rec_size
, e_type
, e_mod
);
1253 * trailer magic number 2 bytes
1254 * record byte count 4 bytes
1256 token_t
*au_to_trailer(int rec_size
)
1260 u_int16_t magic
= TRAILER_PAD_MAGIC
;
1263 GET_TOKEN_AREA(t
, dptr
, 7);
1268 ADD_U_CHAR(dptr
, AU_TRAILER_TOKEN
);
1269 ADD_U_INT16(dptr
, magic
);
1270 ADD_U_INT32(dptr
, rec_size
);