]> git.saurik.com Git - apple/xnu.git/blob - bsd/kern/kern_bsm_token.c
projects / apple / xnu.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
xnu-792.6.70.tar.gz
[apple/xnu.git] / bsd / kern / kern_bsm_token.c
1 /*
2 * Copyright (c) 2003-2004 Apple Computer, Inc. All rights reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * The contents of this file constitute Original Code as defined in and
7 * are subject to the Apple Public Source License Version 1.1 (the
8 * "License"). You may not use this file except in compliance with the
9 * License. Please obtain a copy of the License at
10 * http://www.apple.com/publicsource and read it before using this file.
11 *
12 * This Original Code and all software distributed under the License are
13 * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
14 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
15 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
16 * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. Please see the
17 * License for the specific language governing rights and limitations
18 * under the License.
19 *
20 * @APPLE_LICENSE_HEADER_END@
21 */
22
23 #include <sys/types.h>
24 #include <sys/un.h>
25 #include <sys/event.h>
26 #include <sys/ucred.h>
27
28 #include <sys/ipc.h>
29 #include <bsm/audit.h>
30 #include <bsm/audit_record.h>
31 #include <bsm/audit_klib.h>
32 #include <bsm/audit_kernel.h>
33
34 #include <kern/clock.h>
35 #include <kern/kalloc.h>
36
37 #include <string.h>
38
39 #define GET_TOKEN_AREA(tok, dptr, length) \
40 do {\
41 tok = (token_t *)kalloc(sizeof(*tok) + length); \
42 if(tok != NULL)\
43 {\
44 tok->len = length;\
45 dptr = tok->t_data = (u_char *)&tok[1];\
46 memset(dptr, 0, length);\
47 }\
48 }while(0)
49
50
51
52 /*
53 * token ID 1 byte
54 * argument # 1 byte
55 * argument value 4 bytes/8 bytes (32-bit/64-bit value)
56 * text length 2 bytes
57 * text N bytes + 1 terminating NULL byte
58 */
59 token_t *au_to_arg32(char n, char *text, u_int32_t v)
60 {
61 token_t *t;
62 u_char *dptr;
63 u_int16_t textlen;
64
65 if(text == NULL) {
66 return NULL;
67 }
68
69 /* Make sure that text is null terminated */
70 textlen = strlen(text);
71 if(text[textlen] != '\0') {
72 return NULL;
73 }
74
75 GET_TOKEN_AREA(t, dptr, 9 + textlen);
76 if(t == NULL) {
77 return NULL;
78 }
79
80 textlen += 1;
81
82 ADD_U_CHAR(dptr, AU_ARG32_TOKEN);
83 ADD_U_CHAR(dptr, n);
84 ADD_U_INT32(dptr, v);
85 ADD_U_INT16(dptr, textlen);
86 ADD_STRING(dptr, text, textlen);
87
88 return t;
89
90 }
91
92 token_t *au_to_arg64(char n, char *text, u_int64_t v)
93 {
94 token_t *t;
95 u_char *dptr;
96 u_int16_t textlen;
97
98 if(text == NULL) {
99 return NULL;
100 }
101
102 /* Make sure that text is null terminated */
103 textlen = strlen(text);
104 if(text[textlen] != '\0') {
105 return NULL;
106 }
107
108 GET_TOKEN_AREA(t, dptr, 13 + textlen);
109 if(t == NULL) {
110 return NULL;
111 }
112
113 textlen += 1;
114
115 ADD_U_CHAR(dptr, AU_ARG64_TOKEN);
116 ADD_U_CHAR(dptr, n);
117 ADD_U_INT64(dptr, v);
118 ADD_U_INT16(dptr, textlen);
119 ADD_STRING(dptr, text, textlen);
120
121 return t;
122
123 }
124
125 token_t *au_to_arg(char n, char *text, u_int32_t v)
126 {
127 return au_to_arg32(n, text, v);
128 }
129
130 /*
131 * token ID 1 byte
132 * file access mode 4 bytes
133 * owner user ID 4 bytes
134 * owner group ID 4 bytes
135 * file system ID 4 bytes
136 * node ID 8 bytes
137 * device 4 bytes/8 bytes (32-bit/64-bit)
138 */
139 token_t *au_to_attr32(__unused struct vnode_attr *attr)
140 {
141 return NULL;
142 }
143
144 /* Kernel-specific version of the above function */
145 token_t *kau_to_attr32(struct vnode_au_info *vni)
146 {
147 token_t *t;
148 u_char *dptr;
149 u_int64_t fileid;
150 u_int16_t pad0_16 = 0;
151 u_int32_t pad0_32 = 0;
152
153 if(vni == NULL) {
154 return NULL;
155 }
156
157 GET_TOKEN_AREA(t, dptr, 29);
158 if(t == NULL) {
159 return NULL;
160 }
161
162 ADD_U_CHAR(dptr, AU_ATTR32_TOKEN);
163
164 /*
165 * Darwin defines the size for the file mode as 2 bytes;
166 * BSM defines 4. So we copy in a 0 first.
167 */
168 ADD_U_INT16(dptr, pad0_16);
169 ADD_U_INT16(dptr, vni->vn_mode);
170
171 ADD_U_INT32(dptr, vni->vn_uid);
172 ADD_U_INT32(dptr, vni->vn_gid);
173 ADD_U_INT32(dptr, vni->vn_fsid);
174
175 /*
176 * Darwin defines the size for fileid as 4 bytes;
177 * BSM defines 8. So we copy in a 0 first.
178 */
179 fileid = vni->vn_fileid;
180 ADD_U_INT32(dptr, pad0_32);
181 ADD_U_INT32(dptr, fileid);
182
183 ADD_U_INT32(dptr, vni->vn_dev);
184
185 return t;
186 }
187
188 token_t *au_to_attr64(__unused struct vnode_attr *attr)
189 {
190 return NULL;
191 }
192
193 token_t *kau_to_attr64(__unused struct vnode_au_info *vni)
194 {
195 return NULL;
196 }
197
198 token_t *au_to_attr(struct vnode_attr *attr)
199 {
200 return au_to_attr32(attr);
201
202 }
203
204
205 /*
206 * token ID 1 byte
207 * how to print 1 byte
208 * basic unit 1 byte
209 * unit count 1 byte
210 * data items (depends on basic unit)
211 */
212 token_t *au_to_data(char unit_print, char unit_type,
213 char unit_count, char *p)
214 {
215 token_t *t;
216 u_char *dptr;
217 size_t datasize, totdata;
218
219 if(p == NULL) {
220 return NULL;
221 }
222
223 /* Determine the size of the basic unit */
224 switch(unit_type) {
225 case AUR_BYTE: datasize = AUR_BYTE_SIZE;
226 break;
227
228 case AUR_SHORT: datasize = AUR_SHORT_SIZE;
229 break;
230
231 case AUR_LONG: datasize = AUR_LONG_SIZE;
232 break;
233
234 default: return NULL;
235 }
236
237 totdata = datasize * unit_count;
238
239 GET_TOKEN_AREA(t, dptr, totdata + 4);
240 if(t == NULL) {
241 return NULL;
242 }
243
244 ADD_U_CHAR(dptr, AU_ARB_TOKEN);
245 ADD_U_CHAR(dptr, unit_print);
246 ADD_U_CHAR(dptr, unit_type);
247 ADD_U_CHAR(dptr, unit_count);
248 ADD_MEM(dptr, p, totdata);
249
250 return t;
251 }
252
253 /*
254 * token ID 1 byte
255 * status 4 bytes
256 * return value 4 bytes
257 */
258 token_t *au_to_exit(int retval, int err)
259 {
260 token_t *t;
261 u_char *dptr;
262
263 GET_TOKEN_AREA(t, dptr, 9);
264 if(t == NULL) {
265 return NULL;
266 }
267
268 ADD_U_CHAR(dptr, AU_EXIT_TOKEN);
269 ADD_U_INT32(dptr, err);
270 ADD_U_INT32(dptr, retval);
271
272 return t;
273 }
274
275 /*
276 */
277 token_t *au_to_groups(int *groups)
278 {
279 return au_to_newgroups(MAX_GROUPS, groups);
280 }
281
282 /*
283 * token ID 1 byte
284 * number groups 2 bytes
285 * group list count * 4 bytes
286 */
287 token_t *au_to_newgroups(u_int16_t n, gid_t *groups)
288 {
289 token_t *t;
290 u_char *dptr;
291 int i;
292
293 if(groups == NULL) {
294 return NULL;
295 }
296
297 GET_TOKEN_AREA(t, dptr, n * 4 + 3);
298 if(t == NULL) {
299 return NULL;
300 }
301
302 ADD_U_CHAR(dptr, AU_NEWGROUPS_TOKEN);
303 ADD_U_INT16(dptr, n);
304 for(i = 0; i < n; i++) {
305 ADD_U_INT32(dptr, groups[i]);
306 }
307
308 return t;
309 }
310
311
312
313
314 /*
315 * token ID 1 byte
316 * internet address 4 bytes
317 */
318 token_t *au_to_in_addr(struct in_addr *internet_addr)
319 {
320 token_t *t;
321 u_char *dptr;
322
323 if(internet_addr == NULL) {
324 return NULL;
325 }
326
327 GET_TOKEN_AREA(t, dptr, 5);
328 if(t == NULL) {
329 return NULL;
330 }
331
332 ADD_U_CHAR(dptr, AU_IN_ADDR_TOKEN);
333 ADD_U_INT32(dptr, internet_addr->s_addr);
334
335 return t;
336 }
337
338 /*
339 * token ID 1 byte
340 * address type/length 4 bytes
341 * Address 16 bytes
342 */
343 token_t *au_to_in_addr_ex(struct in6_addr *internet_addr)
344 {
345 token_t *t;
346 u_char *dptr;
347 u_int32_t type = AF_INET6;
348
349 if(internet_addr == NULL) {
350 return NULL;
351 }
352
353 GET_TOKEN_AREA(t, dptr, 21);
354 if(t == NULL) {
355 return NULL;
356 }
357
358 ADD_U_CHAR(dptr, AU_IN_ADDR_EX_TOKEN);
359 ADD_U_INT32(dptr, type);
360 ADD_U_INT32(dptr, internet_addr->__u6_addr.__u6_addr32[0]);
361 ADD_U_INT32(dptr, internet_addr->__u6_addr.__u6_addr32[1]);
362 ADD_U_INT32(dptr, internet_addr->__u6_addr.__u6_addr32[2]);
363 ADD_U_INT32(dptr, internet_addr->__u6_addr.__u6_addr32[3]);
364
365 return t;
366 }
367
368 /*
369 * token ID 1 byte
370 * ip header 20 bytes
371 */
372 token_t *au_to_ip(struct ip *ip)
373 {
374 token_t *t;
375 u_char *dptr;
376
377 if(ip == NULL) {
378 return NULL;
379 }
380
381 GET_TOKEN_AREA(t, dptr, 21);
382 if(t == NULL) {
383 return NULL;
384 }
385
386 ADD_U_CHAR(dptr, AU_IP_TOKEN);
387 ADD_MEM(dptr, ip, sizeof(struct ip));
388
389 return t;
390 }
391
392 /*
393 * token ID 1 byte
394 * object ID type 1 byte
395 * object ID 4 bytes
396 */
397 token_t *au_to_ipc(char type, int id)
398 {
399 token_t *t;
400 u_char *dptr;
401
402
403 GET_TOKEN_AREA(t, dptr, 6);
404 if(t == NULL) {
405 return NULL;
406 }
407
408 ADD_U_CHAR(dptr, AU_IPC_TOKEN);
409 ADD_U_CHAR(dptr, type);
410 ADD_U_INT32(dptr, id);
411
412 return t;
413 }
414
415 /*
416 * token ID 1 byte
417 * owner user ID 4 bytes
418 * owner group ID 4 bytes
419 * creator user ID 4 bytes
420 * creator group ID 4 bytes
421 * access mode 4 bytes
422 * slot sequence # 4 bytes
423 * key 4 bytes
424 */
425 token_t *au_to_ipc_perm(struct ipc_perm *perm)
426 {
427 token_t *t;
428 u_char *dptr;
429 u_int16_t pad0 = 0;
430
431 if(perm == NULL) {
432 return NULL;
433 }
434
435 GET_TOKEN_AREA(t, dptr, 29);
436 if(t == NULL) {
437 return NULL;
438 }
439
440 /*
441 * Darwin defines the sizes for ipc_perm members
442 * as 2 bytes; BSM defines 4. So we copy in a 0 first.
443 */
444 ADD_U_CHAR(dptr, AU_IPCPERM_TOKEN);
445
446 ADD_U_INT16(dptr, pad0);
447 ADD_U_INT16(dptr, perm->uid);
448
449 ADD_U_INT16(dptr, pad0);
450 ADD_U_INT16(dptr, perm->gid);
451
452 ADD_U_INT16(dptr, pad0);
453 ADD_U_INT16(dptr, perm->cuid);
454
455 ADD_U_INT16(dptr, pad0);
456 ADD_U_INT16(dptr, perm->cgid);
457
458 ADD_U_INT16(dptr, pad0);
459 ADD_U_INT16(dptr, perm->mode);
460
461 ADD_U_INT16(dptr, pad0);
462 ADD_U_INT16(dptr, perm->seq);
463
464 ADD_U_INT16(dptr, pad0);
465 ADD_U_INT16(dptr, perm->key);
466
467 return t;
468 }
469
470
471 /*
472 * token ID 1 byte
473 * port IP address 2 bytes
474 */
475 token_t *au_to_iport(u_int16_t iport)
476 {
477 token_t *t;
478 u_char *dptr;
479
480
481 GET_TOKEN_AREA(t, dptr, 3);
482 if(t == NULL) {
483 return NULL;
484 }
485
486 ADD_U_CHAR(dptr, AU_IPORT_TOKEN);
487 ADD_U_INT16(dptr, iport);
488
489 return t;
490 }
491
492
493 /*
494 * token ID 1 byte
495 * size 2 bytes
496 * data size bytes
497 */
498 token_t *au_to_opaque(char *data, u_int16_t bytes)
499 {
500 token_t *t;
501 u_char *dptr;
502
503 if((data == NULL) || (bytes <= 0)) {
504 return NULL;
505 }
506
507 GET_TOKEN_AREA(t, dptr, bytes + 3);
508 if(t == NULL) {
509 return NULL;
510 }
511
512 ADD_U_CHAR(dptr, AU_OPAQUE_TOKEN);
513 ADD_U_INT16(dptr, bytes);
514 ADD_MEM(dptr, data, bytes);
515
516 return t;
517 }
518
519 /*
520 * Kernel version of the add file token function, where the time value
521 * is passed in as an additional parameter.
522 * token ID 1 byte
523 * seconds of time 4 bytes
524 * milliseconds of time 4 bytes
525 * file name len 2 bytes
526 * file pathname N bytes + 1 terminating NULL byte
527 */
528 token_t *kau_to_file(const char *file, const struct timeval *tv)
529 {
530 token_t *t;
531 u_char *dptr;
532 u_int16_t filelen;
533 u_int32_t timems = tv->tv_usec/1000; /* We need time in ms */
534
535 if(file == NULL) {
536 return NULL;
537 }
538 /* Make sure that text is null terminated */
539 filelen = strlen(file);
540 if(file[filelen] != '\0') {
541 return NULL;
542 }
543
544 GET_TOKEN_AREA(t, dptr, filelen + 12);
545 if(t == NULL) {
546 return NULL;
547 }
548
549 filelen += 1;
550
551 ADD_U_CHAR(dptr, AU_FILE_TOKEN);
552
553 /* Add the timestamp */
554 ADD_U_INT32(dptr, tv->tv_sec);
555 ADD_U_INT32(dptr, timems);
556
557 ADD_U_INT16(dptr, filelen);
558 ADD_STRING(dptr, file, filelen);
559
560 return t;
561
562 }
563
564 /*
565 * token ID 1 byte
566 * text length 2 bytes
567 * text N bytes + 1 terminating NULL byte
568 */
569 token_t *au_to_text(char *text)
570 {
571 token_t *t;
572 u_char *dptr;
573 u_int16_t textlen;
574
575 if(text == NULL) {
576 return NULL;
577 }
578 /* Make sure that text is null terminated */
579 textlen = strlen(text);
580 if(text[textlen] != '\0') {
581 return NULL;
582 }
583
584 GET_TOKEN_AREA(t, dptr, textlen + 4);
585 if(t == NULL) {
586 return NULL;
587 }
588
589 textlen += 1;
590
591 ADD_U_CHAR(dptr, AU_TEXT_TOKEN);
592 ADD_U_INT16(dptr, textlen);
593 ADD_STRING(dptr, text, textlen);
594
595 return t;
596 }
597
598 /*
599 * token ID 1 byte
600 * path length 2 bytes
601 * path N bytes + 1 terminating NULL byte
602 */
603 token_t *au_to_path(char *text)
604 {
605 token_t *t;
606 u_char *dptr;
607 u_int16_t textlen;
608
609 if(text == NULL) {
610 return NULL;
611 }
612 /* Make sure that text is null terminated */
613 textlen = strlen(text);
614 if(text[textlen] != '\0') {
615 return NULL;
616 }
617
618 GET_TOKEN_AREA(t, dptr, textlen + 4);
619 if(t == NULL) {
620 return NULL;
621 }
622
623 textlen += 1;
624
625 ADD_U_CHAR(dptr, AU_PATH_TOKEN);
626 ADD_U_INT16(dptr, textlen);
627 ADD_STRING(dptr, text, textlen);
628
629 return t;
630 }
631
632 /*
633 * token ID 1 byte
634 * audit ID 4 bytes
635 * effective user ID 4 bytes
636 * effective group ID 4 bytes
637 * real user ID 4 bytes
638 * real group ID 4 bytes
639 * process ID 4 bytes
640 * session ID 4 bytes
641 * terminal ID
642 * port ID 4 bytes/8 bytes (32-bit/64-bit value)
643 * machine address 4 bytes
644 */
645 token_t *au_to_process32(au_id_t auid, uid_t euid, gid_t egid,
646 uid_t ruid, gid_t rgid, pid_t pid,
647 au_asid_t sid, au_tid_t *tid)
648 {
649 token_t *t;
650 u_char *dptr;
651
652 if(tid == NULL) {
653 return NULL;
654 }
655
656 GET_TOKEN_AREA(t, dptr, 37);
657 if(t == NULL) {
658 return NULL;
659 }
660
661 ADD_U_CHAR(dptr, AU_PROCESS_32_TOKEN);
662 ADD_U_INT32(dptr, auid);
663 ADD_U_INT32(dptr, euid);
664 ADD_U_INT32(dptr, egid);
665 ADD_U_INT32(dptr, ruid);
666 ADD_U_INT32(dptr, rgid);
667 ADD_U_INT32(dptr, pid);
668 ADD_U_INT32(dptr, sid);
669 ADD_U_INT32(dptr, tid->port);
670 ADD_U_INT32(dptr, tid->machine);
671
672 return t;
673 }
674
675 token_t *au_to_process64(__unused au_id_t auid,
676 __unused uid_t euid,
677 __unused gid_t egid,
678 __unused uid_t ruid,
679 __unused gid_t rgid,
680 __unused pid_t pid,
681 __unused au_asid_t sid,
682 __unused au_tid_t *tid)
683 {
684 return NULL;
685 }
686
687 token_t *au_to_process(au_id_t auid, uid_t euid, gid_t egid,
688 uid_t ruid, gid_t rgid, pid_t pid,
689 au_asid_t sid, au_tid_t *tid)
690 {
691 return au_to_process32(auid, euid, egid, ruid, rgid, pid,
692 sid, tid);
693 }
694
695
696 /*
697 * token ID 1 byte
698 * audit ID 4 bytes
699 * effective user ID 4 bytes
700 * effective group ID 4 bytes
701 * real user ID 4 bytes
702 * real group ID 4 bytes
703 * process ID 4 bytes
704 * session ID 4 bytes
705 * terminal ID
706 * port ID 4 bytes/8 bytes (32-bit/64-bit value)
707 * address type-len 4 bytes
708 * machine address 16 bytes
709 */
710 token_t *au_to_process32_ex(au_id_t auid, uid_t euid, gid_t egid,
711 uid_t ruid, gid_t rgid, pid_t pid,
712 au_asid_t sid, au_tid_addr_t *tid)
713 {
714 token_t *t;
715 u_char *dptr;
716
717 if(tid == NULL) {
718 return NULL;
719 }
720
721 GET_TOKEN_AREA(t, dptr, 53);
722 if(t == NULL) {
723 return NULL;
724 }
725
726 ADD_U_CHAR(dptr, AU_PROCESS_32_EX_TOKEN);
727 ADD_U_INT32(dptr, auid);
728 ADD_U_INT32(dptr, euid);
729 ADD_U_INT32(dptr, egid);
730 ADD_U_INT32(dptr, ruid);
731 ADD_U_INT32(dptr, rgid);
732 ADD_U_INT32(dptr, pid);
733 ADD_U_INT32(dptr, sid);
734 ADD_U_INT32(dptr, tid->at_port);
735 ADD_U_INT32(dptr, tid->at_type);
736 ADD_U_INT32(dptr, tid->at_addr[0]);
737 ADD_U_INT32(dptr, tid->at_addr[1]);
738 ADD_U_INT32(dptr, tid->at_addr[2]);
739 ADD_U_INT32(dptr, tid->at_addr[3]);
740
741 return t;
742 }
743
744 token_t *au_to_process64_ex(
745 __unused au_id_t auid,
746 __unused uid_t euid,
747 __unused gid_t egid,
748 __unused uid_t ruid,
749 __unused gid_t rgid,
750 __unused pid_t pid,
751 __unused au_asid_t sid,
752 __unused au_tid_addr_t *tid)
753 {
754 return NULL;
755 }
756
757 token_t *au_to_process_ex(au_id_t auid, uid_t euid, gid_t egid,
758 uid_t ruid, gid_t rgid, pid_t pid,
759 au_asid_t sid, au_tid_addr_t *tid)
760 {
761 return au_to_process32_ex(auid, euid, egid, ruid, rgid,
762 pid, sid, tid);
763 }
764
765 /*
766 * token ID 1 byte
767 * error status 1 byte
768 * return value 4 bytes/8 bytes (32-bit/64-bit value)
769 */
770 token_t *au_to_return32(char status, u_int32_t ret)
771 {
772 token_t *t;
773 u_char *dptr;
774
775
776 GET_TOKEN_AREA(t, dptr, 6);
777 if(t == NULL) {
778 return NULL;
779 }
780
781 ADD_U_CHAR(dptr, AU_RETURN_32_TOKEN);
782 ADD_U_CHAR(dptr, status);
783 ADD_U_INT32(dptr, ret);
784
785 return t;
786 }
787
788 token_t *au_to_return64(char status, u_int64_t ret)
789 {
790 token_t *t;
791 u_char *dptr;
792
793
794 GET_TOKEN_AREA(t, dptr, 10);
795 if(t == NULL) {
796 return NULL;
797 }
798
799 ADD_U_CHAR(dptr, AU_RETURN_64_TOKEN);
800 ADD_U_CHAR(dptr, status);
801 ADD_U_INT64(dptr, ret);
802
803 return t;
804 }
805
806 token_t *au_to_return(char status, u_int32_t ret)
807 {
808 return au_to_return32(status, ret);
809 }
810
811 /*
812 * token ID 1 byte
813 * sequence number 4 bytes
814 */
815 token_t *au_to_seq(long audit_count)
816 {
817 token_t *t;
818 u_char *dptr;
819
820
821 GET_TOKEN_AREA(t, dptr, 5);
822 if(t == NULL) {
823 return NULL;
824 }
825
826 ADD_U_CHAR(dptr, AU_SEQ_TOKEN);
827 ADD_U_INT32(dptr, audit_count);
828
829 return t;
830 }
831
832 /*
833 * token ID 1 byte
834 * socket type 2 bytes
835 * local port 2 bytes
836 * local Internet address 4 bytes
837 * remote port 2 bytes
838 * remote Internet address 4 bytes
839 */
840 token_t *au_to_socket(__unused struct socket *so)
841 {
842 return NULL;
843 }
844
845 /*
846 * Kernel-specific version of the above function.
847 */
848 token_t *kau_to_socket(struct socket_au_info *soi)
849 {
850 token_t *t;
851 u_char *dptr;
852 u_int16_t so_type;
853
854 if(soi == NULL) {
855 return NULL;
856 }
857
858 GET_TOKEN_AREA(t, dptr, 15);
859 if(t == NULL) {
860 return NULL;
861 }
862
863 ADD_U_CHAR(dptr, AU_SOCK_TOKEN);
864 /* Coerce the socket type into a short value */
865 so_type = soi->so_type;
866 ADD_U_INT16(dptr, so_type);
867 ADD_U_INT16(dptr, soi->so_lport);
868 ADD_U_INT32(dptr, soi->so_laddr);
869 ADD_U_INT16(dptr, soi->so_rport);
870 ADD_U_INT32(dptr, soi->so_raddr);
871
872 return t;
873 }
874
875 /*
876 * token ID 1 byte
877 * socket type 2 bytes
878 * local port 2 bytes
879 * address type/length 4 bytes
880 * local Internet address 4 bytes/16 bytes (IPv4/IPv6 address)
881 * remote port 4 bytes
882 * address type/length 4 bytes
883 * remote Internet address 4 bytes/16 bytes (IPv4/IPv6 address)
884 */
885 token_t *au_to_socket_ex_32(
886 __unused u_int16_t lp,
887 __unused u_int16_t rp,
888 __unused struct sockaddr *la,
889 __unused struct sockaddr *ra)
890 {
891 return NULL;
892 }
893
894 token_t *au_to_socket_ex_128(
895 __unused u_int16_t lp,
896 __unused u_int16_t rp,
897 __unused struct sockaddr *la,
898 __unused struct sockaddr *ra)
899 {
900 return NULL;
901 }
902
903 /*
904 * token ID 1 byte
905 * socket family 2 bytes
906 * local port 2 bytes
907 * socket address 4 bytes
908 */
909 token_t *au_to_sock_inet32(struct sockaddr_in *so)
910 {
911 token_t *t;
912 u_char *dptr;
913
914 if(so == NULL) {
915 return NULL;
916 }
917
918 GET_TOKEN_AREA(t, dptr, 9);
919 if(t == NULL) {
920 return NULL;
921 }
922
923 ADD_U_CHAR(dptr, AU_SOCK_INET_32_TOKEN);
924 /* In Darwin, sin_family is one octet, but BSM defines the token
925 * to store two. So we copy in a 0 first.
926 */
927 ADD_U_CHAR(dptr, 0);
928 ADD_U_CHAR(dptr, so->sin_family);
929 ADD_U_INT16(dptr, so->sin_port);
930 ADD_U_INT32(dptr, so->sin_addr.s_addr);
931
932 return t;
933
934 }
935
936 token_t *au_to_sock_inet128(struct sockaddr_in6 *so)
937 {
938 token_t *t;
939 u_char *dptr;
940
941 if(so == NULL) {
942 return NULL;
943 }
944
945 GET_TOKEN_AREA(t, dptr, 21);
946 if(t == NULL) {
947 return NULL;
948 }
949
950 ADD_U_CHAR(dptr, AU_SOCK_INET_128_TOKEN);
951 /* In Darwin, sin_family is one octet, but BSM defines the token
952 * to store two. So we copy in a 0 first.
953 */
954 ADD_U_CHAR(dptr, 0);
955 ADD_U_CHAR(dptr, so->sin6_family);
956 ADD_U_INT16(dptr, so->sin6_port);
957 ADD_U_INT32(dptr, so->sin6_addr.__u6_addr.__u6_addr32[0]);
958 ADD_U_INT32(dptr, so->sin6_addr.__u6_addr.__u6_addr32[1]);
959 ADD_U_INT32(dptr, so->sin6_addr.__u6_addr.__u6_addr32[2]);
960 ADD_U_INT32(dptr, so->sin6_addr.__u6_addr.__u6_addr32[3]);
961
962 return t;
963
964
965
966 }
967
968 /*
969 * token ID 1 byte
970 * socket family 2 bytes
971 * path 104 bytes
972 */
973 token_t *au_to_sock_unix(struct sockaddr_un *so)
974 {
975 token_t *t;
976 u_char *dptr;
977
978 if(so == NULL) {
979 return NULL;
980 }
981
982 GET_TOKEN_AREA(t, dptr, 107);
983 if(t == NULL) {
984 return NULL;
985 }
986
987 ADD_U_CHAR(dptr, AU_SOCK_UNIX_TOKEN);
988 /* BSM token has two bytes for family */
989 ADD_U_CHAR(dptr, 0);
990 ADD_U_CHAR(dptr, so->sun_family);
991 ADD_STRING(dptr, so->sun_path, strlen(so->sun_path));
992
993 return t;
994
995 }
996
997 token_t *au_to_sock_inet(struct sockaddr_in *so)
998 {
999 return au_to_sock_inet32(so);
1000 }
1001
1002 /*
1003 * token ID 1 byte
1004 * audit ID 4 bytes
1005 * effective user ID 4 bytes
1006 * effective group ID 4 bytes
1007 * real user ID 4 bytes
1008 * real group ID 4 bytes
1009 * process ID 4 bytes
1010 * session ID 4 bytes
1011 * terminal ID
1012 * port ID 4 bytes/8 bytes (32-bit/64-bit value)
1013 * machine address 4 bytes
1014 */
1015 token_t *au_to_subject32(au_id_t auid, uid_t euid, gid_t egid,
1016 uid_t ruid, gid_t rgid, pid_t pid,
1017 au_asid_t sid, au_tid_t *tid)
1018 {
1019 token_t *t;
1020 u_char *dptr;
1021
1022 if(tid == NULL) {
1023 return NULL;
1024 }
1025
1026 GET_TOKEN_AREA(t, dptr, 37);
1027 if(t == NULL) {
1028 return NULL;
1029 }
1030
1031 ADD_U_CHAR(dptr, AU_SUBJECT_32_TOKEN);
1032 ADD_U_INT32(dptr, auid);
1033 ADD_U_INT32(dptr, euid);
1034 ADD_U_INT32(dptr, egid);
1035 ADD_U_INT32(dptr, ruid);
1036 ADD_U_INT32(dptr, rgid);
1037 ADD_U_INT32(dptr, pid);
1038 ADD_U_INT32(dptr, sid);
1039 ADD_U_INT32(dptr, tid->port);
1040 ADD_U_INT32(dptr, tid->machine);
1041
1042 return t;
1043 }
1044
1045 token_t *au_to_subject64(
1046 __unused au_id_t auid,
1047 __unused uid_t euid,
1048 __unused gid_t egid,
1049 __unused uid_t ruid,
1050 __unused gid_t rgid,
1051 __unused pid_t pid,
1052 __unused au_asid_t sid,
1053 __unused au_tid_t *tid)
1054 {
1055 return NULL;
1056 }
1057
1058 token_t *au_to_subject(au_id_t auid, uid_t euid, gid_t egid,
1059 uid_t ruid, gid_t rgid, pid_t pid,
1060 au_asid_t sid, au_tid_t *tid)
1061 {
1062 return au_to_subject32(auid, euid, egid, ruid, rgid,
1063 pid, sid, tid);
1064
1065 }
1066
1067 /*
1068 * token ID 1 byte
1069 * audit ID 4 bytes
1070 * effective user ID 4 bytes
1071 * effective group ID 4 bytes
1072 * real user ID 4 bytes
1073 * real group ID 4 bytes
1074 * process ID 4 bytes
1075 * session ID 4 bytes
1076 * terminal ID
1077 * port ID 4 bytes/8 bytes (32-bit/64-bit value)
1078 * address type/length 4 bytes
1079 * machine address 16 bytes
1080 */
1081 token_t *au_to_subject32_ex(au_id_t auid, uid_t euid,
1082 gid_t egid, uid_t ruid, gid_t rgid, pid_t pid,
1083 au_asid_t sid, au_tid_addr_t *tid)
1084 {
1085 token_t *t;
1086 u_char *dptr;
1087
1088 if(tid == NULL) {
1089 return NULL;
1090 }
1091
1092 GET_TOKEN_AREA(t, dptr, 53);
1093 if(t == NULL) {
1094 return NULL;
1095 }
1096
1097 ADD_U_CHAR(dptr, AU_SUBJECT_32_EX_TOKEN);
1098 ADD_U_INT32(dptr, auid);
1099 ADD_U_INT32(dptr, euid);
1100 ADD_U_INT32(dptr, egid);
1101 ADD_U_INT32(dptr, ruid);
1102 ADD_U_INT32(dptr, rgid);
1103 ADD_U_INT32(dptr, pid);
1104 ADD_U_INT32(dptr, sid);
1105 ADD_U_INT32(dptr, tid->at_port);
1106 ADD_U_INT32(dptr, tid->at_type);
1107 ADD_U_INT32(dptr, tid->at_addr[0]);
1108 ADD_U_INT32(dptr, tid->at_addr[1]);
1109 ADD_U_INT32(dptr, tid->at_addr[2]);
1110 ADD_U_INT32(dptr, tid->at_addr[3]);
1111
1112 return t;
1113 }
1114
1115 token_t *au_to_subject64_ex(
1116 __unused au_id_t auid,
1117 __unused uid_t euid,
1118 __unused gid_t egid,
1119 __unused uid_t ruid,
1120 __unused gid_t rgid,
1121 __unused pid_t pid,
1122 __unused au_asid_t sid,
1123 __unused au_tid_addr_t *tid)
1124 {
1125 return NULL;
1126 }
1127
1128 token_t *au_to_subject_ex(au_id_t auid, uid_t euid,
1129 gid_t egid, uid_t ruid, gid_t rgid, pid_t pid,
1130 au_asid_t sid, au_tid_addr_t *tid)
1131 {
1132 return au_to_subject32_ex(auid, euid, egid, ruid, rgid,
1133 pid, sid, tid);
1134
1135 }
1136
1137 /*
1138 * token ID 1 byte
1139 * count 4 bytes
1140 * text count null-terminated strings
1141 */
1142 token_t *au_to_exec_args(const char **args)
1143 {
1144 token_t *t;
1145 u_char *dptr;
1146 const char *nextarg;
1147 int i, count = 0;
1148 size_t totlen = 0;
1149
1150 if(args == NULL) {
1151 return NULL;
1152 }
1153
1154 nextarg = *args;
1155
1156 while(nextarg != NULL) {
1157 int nextlen;
1158
1159 nextlen = strlen(nextarg);
1160 if(nextarg[nextlen] != '\0') {
1161 return NULL;
1162 }
1163
1164 totlen += nextlen + 1;
1165 count++;
1166 nextarg = *(args + count);
1167 }
1168
1169
1170 GET_TOKEN_AREA(t, dptr, 5 + totlen);
1171 if(t == NULL) {
1172 return NULL;
1173 }
1174
1175 ADD_U_CHAR(dptr, AU_EXEC_ARG_TOKEN);
1176 ADD_U_INT32(dptr, count);
1177
1178 for(i =0; i< count; i++) {
1179 nextarg = *(args + i);
1180 ADD_MEM(dptr, nextarg, strlen(nextarg) + 1);
1181 }
1182
1183 return t;
1184 }
1185
1186
1187 /*
1188 * token ID 1 byte
1189 * count 4 bytes
1190 * text count null-terminated strings
1191 */
1192 token_t *au_to_exec_env(const char **env)
1193 {
1194 token_t *t;
1195 u_char *dptr;
1196 int i, count = 0;
1197 size_t totlen = 0;
1198 const char *nextenv;
1199
1200 if(env == NULL) {
1201 return NULL;
1202 }
1203
1204 nextenv = *env;
1205
1206 while(nextenv != NULL) {
1207 int nextlen;
1208
1209 nextlen = strlen(nextenv);
1210 if(nextenv[nextlen] != '\0') {
1211 return NULL;
1212 }
1213
1214 totlen += nextlen + 1;
1215 count++;
1216 nextenv = *(env + count);
1217 }
1218
1219
1220 GET_TOKEN_AREA(t, dptr, 5 + totlen);
1221 if(t == NULL) {
1222 return NULL;
1223 }
1224
1225 ADD_U_CHAR(dptr, AU_EXEC_ENV_TOKEN);
1226 ADD_U_INT32(dptr, count);
1227
1228 for(i =0; i< count; i++) {
1229 nextenv = *(env + i);
1230 ADD_MEM(dptr, nextenv, strlen(nextenv) + 1);
1231 }
1232
1233 return t;
1234 }
1235
1236
1237 /*
1238 * Kernel version of the BSM header token functions. These versions take
1239 * a timespec struct as an additional parameter in order to obtain the
1240 * create time value for the BSM audit record.
1241 * token ID 1 byte
1242 * record byte count 4 bytes
1243 * version # 1 byte [2]
1244 * event type 2 bytes
1245 * event modifier 2 bytes
1246 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value)
1247 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value)
1248 */
1249 token_t *kau_to_header32(const struct timespec *ctime, int rec_size,
1250 au_event_t e_type, au_emod_t e_mod)
1251 {
1252 token_t *t;
1253 u_char *dptr;
1254 u_int32_t timems = ctime->tv_nsec/1000000; /* We need time in ms */
1255
1256 GET_TOKEN_AREA(t, dptr, 18);
1257 if(t == NULL) {
1258 return NULL;
1259 }
1260
1261 ADD_U_CHAR(dptr, AU_HEADER_32_TOKEN);
1262 ADD_U_INT32(dptr, rec_size);
1263 ADD_U_CHAR(dptr, HEADER_VERSION);
1264 ADD_U_INT16(dptr, e_type);
1265 ADD_U_INT16(dptr, e_mod);
1266
1267 /* Add the timestamp */
1268 ADD_U_INT32(dptr, ctime->tv_sec);
1269 ADD_U_INT32(dptr, timems);
1270
1271 return t;
1272 }
1273
1274 token_t *kau_to_header64(
1275 __unused const struct timespec *ctime,
1276 __unused int rec_size,
1277 __unused au_event_t e_type,
1278 __unused au_emod_t e_mod)
1279 {
1280 return NULL;
1281 }
1282
1283 token_t *kau_to_header(const struct timespec *ctime, int rec_size,
1284 au_event_t e_type, au_emod_t e_mod)
1285 {
1286 return kau_to_header32(ctime, rec_size, e_type, e_mod);
1287 }
1288
1289 /*
1290 * token ID 1 byte
1291 * trailer magic number 2 bytes
1292 * record byte count 4 bytes
1293 */
1294 token_t *au_to_trailer(int rec_size)
1295 {
1296 token_t *t;
1297 u_char *dptr;
1298 u_int16_t magic = TRAILER_PAD_MAGIC;
1299
1300
1301 GET_TOKEN_AREA(t, dptr, 7);
1302 if(t == NULL) {
1303 return NULL;
1304 }
1305
1306 ADD_U_CHAR(dptr, AU_TRAILER_TOKEN);
1307 ADD_U_INT16(dptr, magic);
1308 ADD_U_INT32(dptr, rec_size);
1309
1310 return t;
1311
1312 }
1313
mirror of XNU