1 /*
2 * Copyright (c) 2004 Apple Computer, Inc.
3 * Copyright (c) 2005 SPARTA, Inc.
4 * All rights reserved.
5 *
6 * This code was developed in part by Robert N. M. Watson, Senior Principal
7 * Scientist, SPARTA, Inc.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
18 * its contributors may be used to endorse or promote products derived
19 * from this software without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
25 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
29 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
30 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
31 * POSSIBILITY OF SUCH DAMAGE.
32 *
33 * $P4: //depot/projects/trustedbsd/audit3/sys/security/audit/audit_bsm_token.c#23 $
34 * $FreeBSD: releng/6.2/sys/security/audit/audit_bsm_token.c 164286 2006-11-14 20:42:41Z cvs2svn $
35 */
36
37 #include <sys/types.h>
38 #include <sys/endian.h>
39 #include <sys/queue.h>
40 #include <sys/socket.h>
41 #include <sys/time.h>
42
43 #include <sys/ipc.h>
44 #include <sys/libkern.h>
45 #include <sys/malloc.h>
46 #include <sys/un.h>
47
48 #include <netinet/in.h>
49 #include <netinet/in_systm.h>
50 #include <netinet/ip.h>
51
52 #include <sys/socketvar.h>
53
54 #include <bsm/audit.h>
55 #include <bsm/audit_internal.h>
56 #include <bsm/audit_record.h>
57 #include <security/audit/audit.h>
58 #include <security/audit/audit_private.h>
59
60 #define GET_TOKEN_AREA(t, dptr, length) do { \
61 t = malloc(sizeof(token_t), M_AUDITBSM, M_WAITOK); \
62 t->t_data = malloc(length, M_AUDITBSM, M_WAITOK | M_ZERO); \
63 t->len = length; \
64 dptr = t->t_data; \
65 } while (0)
66
67 /*
68 * token ID 1 byte
69 * argument # 1 byte
70 * argument value 4 bytes/8 bytes (32-bit/64-bit value)
71 * text length 2 bytes
72 * text N bytes + 1 terminating NULL byte
73 */
74 token_t *
75 au_to_arg32(char n, char *text, u_int32_t v)
76 {
77 token_t *t;
78 u_char *dptr = NULL;
79 u_int16_t textlen;
80
81 textlen = strlen(text);
82 textlen += 1;
83
84 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int32_t) +
85 sizeof(u_int16_t) + textlen);
86
87 ADD_U_CHAR(dptr, AUT_ARG32);
88 ADD_U_CHAR(dptr, n);
89 ADD_U_INT32(dptr, v);
90 ADD_U_INT16(dptr, textlen);
91 ADD_STRING(dptr, text, textlen);
92
93 return (t);
94
95 }
96
97 token_t *
98 au_to_arg64(char n, char *text, u_int64_t v)
99 {
100 token_t *t;
101 u_char *dptr = NULL;
102 u_int16_t textlen;
103
104 textlen = strlen(text);
105 textlen += 1;
106
107 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int64_t) +
108 sizeof(u_int16_t) + textlen);
109
110 ADD_U_CHAR(dptr, AUT_ARG64);
111 ADD_U_CHAR(dptr, n);
112 ADD_U_INT64(dptr, v);
113 ADD_U_INT16(dptr, textlen);
114 ADD_STRING(dptr, text, textlen);
115
116 return (t);
117
118 }
119
120 token_t *
121 au_to_arg(char n, char *text, u_int32_t v)
122 {
123
124 return (au_to_arg32(n, text, v));
125 }
126
127 #if defined(_KERNEL) || defined(KERNEL)
128 /*
129 * token ID 1 byte
130 * file access mode 4 bytes
131 * owner user ID 4 bytes
132 * owner group ID 4 bytes
133 * file system ID 4 bytes
134 * node ID 8 bytes
135 * device 4 bytes/8 bytes (32-bit/64-bit)
136 */
137 token_t *
138 au_to_attr32(struct vnode_au_info *vni)
139 {
140 token_t *t;
141 u_char *dptr = NULL;
142 u_int16_t pad0_16 = 0;
143 u_int16_t pad0_32 = 0;
144
145 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) +
146 3 * sizeof(u_int32_t) + sizeof(u_int64_t) + sizeof(u_int32_t));
147
148 ADD_U_CHAR(dptr, AUT_ATTR32);
149
150 /*
151 * Darwin defines the size for the file mode
152 * as 2 bytes; BSM defines 4 so pad with 0
153 */
154 ADD_U_INT16(dptr, pad0_16);
155 ADD_U_INT16(dptr, vni->vn_mode);
156
157 ADD_U_INT32(dptr, vni->vn_uid);
158 ADD_U_INT32(dptr, vni->vn_gid);
159 ADD_U_INT32(dptr, vni->vn_fsid);
160
161 /*
162 * Some systems use 32-bit file ID's, other's use 64-bit file IDs.
163 * Attempt to handle both, and let the compiler sort it out. If we
164 * could pick this out at compile-time, it would be better, so as to
165 * avoid the else case below.
166 */
167 if (sizeof(vni->vn_fileid) == sizeof(uint32_t)) {
168 ADD_U_INT32(dptr, pad0_32);
169 ADD_U_INT32(dptr, vni->vn_fileid);
170 } else if (sizeof(vni->vn_fileid) == sizeof(uint64_t))
171 ADD_U_INT64(dptr, vni->vn_fileid);
172 else
173 ADD_U_INT64(dptr, 0LL);
174
175 ADD_U_INT32(dptr, vni->vn_dev);
176
177 return (t);
178 }
179
180 token_t *
181 au_to_attr64(struct vnode_au_info *vni)
182 {
183
184 return (NULL);
185 }
186
187 token_t *
188 au_to_attr(struct vnode_au_info *vni)
189 {
190
191 return (au_to_attr32(vni));
192 }
193 #endif /* !(defined(_KERNEL) || defined(KERNEL) */
194
195 /*
196 * token ID 1 byte
197 * how to print 1 byte
198 * basic unit 1 byte
199 * unit count 1 byte
200 * data items (depends on basic unit)
201 */
202 token_t *
203 au_to_data(char unit_print, char unit_type, char unit_count, char *p)
204 {
205 token_t *t;
206 u_char *dptr = NULL;
207 size_t datasize, totdata;
208
209 /* Determine the size of the basic unit. */
210 switch (unit_type) {
211 case AUR_BYTE:
212 /* case AUR_CHAR: */
213 datasize = AUR_BYTE_SIZE;
214 break;
215
216 case AUR_SHORT:
217 datasize = AUR_SHORT_SIZE;
218 break;
219
220 case AUR_INT32:
221 /* case AUR_INT: */
222 datasize = AUR_INT32_SIZE;
223 break;
224
225 case AUR_INT64:
226 datasize = AUR_INT64_SIZE;
227 break;
228
229 default:
230 return (NULL);
231 }
232
233 totdata = datasize * unit_count;
234
235 GET_TOKEN_AREA(t, dptr, 4 * sizeof(u_char) + totdata);
236
237 ADD_U_CHAR(dptr, AUT_DATA);
238 ADD_U_CHAR(dptr, unit_print);
239 ADD_U_CHAR(dptr, unit_type);
240 ADD_U_CHAR(dptr, unit_count);
241 ADD_MEM(dptr, p, totdata);
242
243 return (t);
244 }
245
246
247 /*
248 * token ID 1 byte
249 * status 4 bytes
250 * return value 4 bytes
251 */
252 token_t *
253 au_to_exit(int retval, int err)
254 {
255 token_t *t;
256 u_char *dptr = NULL;
257
258 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int32_t));
259
260 ADD_U_CHAR(dptr, AUT_EXIT);
261 ADD_U_INT32(dptr, err);
262 ADD_U_INT32(dptr, retval);
263
264 return (t);
265 }
266
267 /*
268 */
269 token_t *
270 au_to_groups(int *groups)
271 {
272
273 return (au_to_newgroups(AUDIT_MAX_GROUPS, groups));
274 }
275
276 /*
277 * token ID 1 byte
278 * number groups 2 bytes
279 * group list count * 4 bytes
280 */
281 token_t *
282 au_to_newgroups(u_int16_t n, gid_t *groups)
283 {
284 token_t *t;
285 u_char *dptr = NULL;
286 int i;
287
288 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) +
289 n * sizeof(u_int32_t));
290
291 ADD_U_CHAR(dptr, AUT_NEWGROUPS);
292 ADD_U_INT16(dptr, n);
293 for (i = 0; i < n; i++)
294 ADD_U_INT32(dptr, groups[i]);
295
296 return (t);
297 }
298
299 /*
300 * token ID 1 byte
301 * internet address 4 bytes
302 */
303 token_t *
304 au_to_in_addr(struct in_addr *internet_addr)
305 {
306 token_t *t;
307 u_char *dptr = NULL;
308
309 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(uint32_t));
310
311 ADD_U_CHAR(dptr, AUT_IN_ADDR);
312 ADD_MEM(dptr, &internet_addr->s_addr, sizeof(uint32_t));
313
314 return (t);
315 }
316
317 /*
318 * token ID 1 byte
319 * address type/length 4 bytes
320 * Address 16 bytes
321 */
322 token_t *
323 au_to_in_addr_ex(struct in6_addr *internet_addr)
324 {
325 token_t *t;
326 u_char *dptr = NULL;
327 u_int32_t type = AF_INET6;
328
329 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 5 * sizeof(uint32_t));
330
331 ADD_U_CHAR(dptr, AUT_IN_ADDR_EX);
332 ADD_U_INT32(dptr, type);
333 ADD_MEM(dptr, internet_addr, 5 * sizeof(uint32_t));
334
335 return (t);
336 }
337
338 /*
339 * token ID 1 byte
340 * ip header 20 bytes
341 */
342 token_t *
343 au_to_ip(struct ip *ip)
344 {
345 token_t *t;
346 u_char *dptr = NULL;
347
348 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(struct ip));
349
350 ADD_U_CHAR(dptr, AUT_IP);
351 /*
352 * XXXRW: Any byte order work needed on the IP header before writing?
353 */
354 ADD_MEM(dptr, ip, sizeof(struct ip));
355
356 return (t);
357 }
358
359 /*
360 * token ID 1 byte
361 * object ID type 1 byte
362 * object ID 4 bytes
363 */
364 token_t *
365 au_to_ipc(char type, int id)
366 {
367 token_t *t;
368 u_char *dptr = NULL;
369
370 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int32_t));
371
372 ADD_U_CHAR(dptr, AUT_IPC);
373 ADD_U_CHAR(dptr, type);
374 ADD_U_INT32(dptr, id);
375
376 return (t);
377 }
378
379 /*
380 * token ID 1 byte
381 * owner user ID 4 bytes
382 * owner group ID 4 bytes
383 * creator user ID 4 bytes
384 * creator group ID 4 bytes
385 * access mode 4 bytes
386 * slot sequence # 4 bytes
387 * key 4 bytes
388 */
389 token_t *
390 au_to_ipc_perm(struct ipc_perm *perm)
391 {
392 token_t *t;
393 u_char *dptr = NULL;
394 u_int16_t pad0 = 0;
395
396 GET_TOKEN_AREA(t, dptr, 12 * sizeof(u_int16_t) + sizeof(u_int32_t));
397
398 ADD_U_CHAR(dptr, AUT_IPC_PERM);
399
400 /*
401 * Darwin defines the sizes for ipc_perm members
402 * as 2 bytes; BSM defines 4 so pad with 0
403 */
404 ADD_U_INT16(dptr, pad0);
405 ADD_U_INT16(dptr, perm->uid);
406
407 ADD_U_INT16(dptr, pad0);
408 ADD_U_INT16(dptr, perm->gid);
409
410 ADD_U_INT16(dptr, pad0);
411 ADD_U_INT16(dptr, perm->cuid);
412
413 ADD_U_INT16(dptr, pad0);
414 ADD_U_INT16(dptr, perm->cgid);
415
416 ADD_U_INT16(dptr, pad0);
417 ADD_U_INT16(dptr, perm->mode);
418
419 ADD_U_INT16(dptr, pad0);
420 ADD_U_INT16(dptr, perm->seq);
421
422 ADD_U_INT32(dptr, perm->key);
423
424 return (t);
425 }
426
427 /*
428 * token ID 1 byte
429 * port IP address 2 bytes
430 */
431 token_t *
432 au_to_iport(u_int16_t iport)
433 {
434 token_t *t;
435 u_char *dptr = NULL;
436
437 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t));
438
439 ADD_U_CHAR(dptr, AUT_IPORT);
440 ADD_U_INT16(dptr, iport);
441
442 return (t);
443 }
444
445 /*
446 * token ID 1 byte
447 * size 2 bytes
448 * data size bytes
449 */
450 token_t *
451 au_to_opaque(char *data, u_int16_t bytes)
452 {
453 token_t *t;
454 u_char *dptr = NULL;
455
456 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + bytes);
457
458 ADD_U_CHAR(dptr, AUT_OPAQUE);
459 ADD_U_INT16(dptr, bytes);
460 ADD_MEM(dptr, data, bytes);
461
462 return (t);
463 }
464
465 /*
466 * token ID 1 byte
467 * seconds of time 4 bytes
468 * milliseconds of time 4 bytes
469 * file name len 2 bytes
470 * file pathname N bytes + 1 terminating NULL byte
471 */
472 token_t *
473 au_to_file(char *file, struct timeval tm)
474 {
475 token_t *t;
476 u_char *dptr = NULL;
477 u_int16_t filelen;
478 u_int32_t timems;
479
480 filelen = strlen(file);
481 filelen += 1;
482
483 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int32_t) +
484 sizeof(u_int16_t) + filelen);
485
486 timems = tm.tv_usec/1000;
487
488 ADD_U_CHAR(dptr, AUT_OTHER_FILE32);
489 ADD_U_INT32(dptr, tm.tv_sec);
490 ADD_U_INT32(dptr, timems); /* We need time in ms. */
491 ADD_U_INT16(dptr, filelen);
492 ADD_STRING(dptr, file, filelen);
493
494 return (t);
495 }
496
497 /*
498 * token ID 1 byte
499 * text length 2 bytes
500 * text N bytes + 1 terminating NULL byte
501 */
502 token_t *
503 au_to_text(char *text)
504 {
505 token_t *t;
506 u_char *dptr = NULL;
507 u_int16_t textlen;
508
509 textlen = strlen(text);
510 textlen += 1;
511
512 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + textlen);
513
514 ADD_U_CHAR(dptr, AUT_TEXT);
515 ADD_U_INT16(dptr, textlen);
516 ADD_STRING(dptr, text, textlen);
517
518 return (t);
519 }
520
521 /*
522 * token ID 1 byte
523 * path length 2 bytes
524 * path N bytes + 1 terminating NULL byte
525 */
526 token_t *
527 au_to_path(char *text)
528 {
529 token_t *t;
530 u_char *dptr = NULL;
531 u_int16_t textlen;
532
533 textlen = strlen(text);
534 textlen += 1;
535
536 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + textlen);
537
538 ADD_U_CHAR(dptr, AUT_PATH);
539 ADD_U_INT16(dptr, textlen);
540 ADD_STRING(dptr, text, textlen);
541
542 return (t);
543 }
544
545 /*
546 * token ID 1 byte
547 * audit ID 4 bytes
548 * effective user ID 4 bytes
549 * effective group ID 4 bytes
550 * real user ID 4 bytes
551 * real group ID 4 bytes
552 * process ID 4 bytes
553 * session ID 4 bytes
554 * terminal ID
555 * port ID 4 bytes/8 bytes (32-bit/64-bit value)
556 * machine address 4 bytes
557 */
558 token_t *
559 au_to_process32(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
560 pid_t pid, au_asid_t sid, au_tid_t *tid)
561 {
562 token_t *t;
563 u_char *dptr = NULL;
564
565 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 9 * sizeof(u_int32_t));
566
567 ADD_U_CHAR(dptr, AUT_PROCESS32);
568 ADD_U_INT32(dptr, auid);
569 ADD_U_INT32(dptr, euid);
570 ADD_U_INT32(dptr, egid);
571 ADD_U_INT32(dptr, ruid);
572 ADD_U_INT32(dptr, rgid);
573 ADD_U_INT32(dptr, pid);
574 ADD_U_INT32(dptr, sid);
575 ADD_U_INT32(dptr, tid->port);
576 ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t));
577
578 return (t);
579 }
580
581 token_t *
582 au_to_process64(__unused au_id_t auid, __unused uid_t euid,
583 __unused gid_t egid, __unused uid_t ruid, __unused gid_t rgid,
584 __unused pid_t pid, __unused au_asid_t sid, __unused au_tid_t *tid)
585 {
586
587 return (NULL);
588 }
589
590 token_t *
591 au_to_process(__unused au_id_t auid, __unused uid_t euid,
592 __unused gid_t egid, __unused uid_t ruid, __unused gid_t rgid,
593 __unused pid_t pid, __unused au_asid_t sid, __unused au_tid_t *tid)
594 {
595
596 return (au_to_process32(auid, euid, egid, ruid, rgid, pid, sid,
597 tid));
598 }
599
600 /*
601 * token ID 1 byte
602 * audit ID 4 bytes
603 * effective user ID 4 bytes
604 * effective group ID 4 bytes
605 * real user ID 4 bytes
606 * real group ID 4 bytes
607 * process ID 4 bytes
608 * session ID 4 bytes
609 * terminal ID
610 * port ID 4 bytes/8 bytes (32-bit/64-bit value)
611 * address type-len 4 bytes
612 * machine address 4/16 bytes
613 */
614 token_t *
615 au_to_process32_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
616 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
617 {
618 token_t *t;
619 u_char *dptr = NULL;
620
621 if (tid->at_type == AU_IPv6)
622 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 13 *
623 sizeof(u_int32_t));
624 else
625 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 10 *
626 sizeof(u_int32_t));
627
628 ADD_U_CHAR(dptr, AUT_PROCESS32_EX);
629 ADD_U_INT32(dptr, auid);
630 ADD_U_INT32(dptr, euid);
631 ADD_U_INT32(dptr, egid);
632 ADD_U_INT32(dptr, ruid);
633 ADD_U_INT32(dptr, rgid);
634 ADD_U_INT32(dptr, pid);
635 ADD_U_INT32(dptr, sid);
636 ADD_U_INT32(dptr, tid->at_port);
637 ADD_U_INT32(dptr, tid->at_type);
638 ADD_U_INT32(dptr, tid->at_addr[0]);
639 if (tid->at_type == AU_IPv6) {
640 ADD_U_INT32(dptr, tid->at_addr[1]);
641 ADD_U_INT32(dptr, tid->at_addr[2]);
642 ADD_U_INT32(dptr, tid->at_addr[3]);
643 }
644 return (t);
645 }
646
647 token_t *
648 au_to_process64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
649 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
650 {
651
652 return (NULL);
653 }
654
655 token_t *
656 au_to_process_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
657 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
658 {
659
660 return (au_to_process32_ex(auid, euid, egid, ruid, rgid, pid, sid,
661 tid));
662 }
663
664 /*
665 * token ID 1 byte
666 * error status 1 byte
667 * return value 4 bytes/8 bytes (32-bit/64-bit value)
668 */
669 token_t *
670 au_to_return32(char status, u_int32_t ret)
671 {
672 token_t *t;
673 u_char *dptr = NULL;
674
675 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int32_t));
676
677 ADD_U_CHAR(dptr, AUT_RETURN32);
678 ADD_U_CHAR(dptr, status);
679 ADD_U_INT32(dptr, ret);
680
681 return (t);
682 }
683
684 token_t *
685 au_to_return64(char status, u_int64_t ret)
686 {
687 token_t *t;
688 u_char *dptr = NULL;
689
690 GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int64_t));
691
692 ADD_U_CHAR(dptr, AUT_RETURN64);
693 ADD_U_CHAR(dptr, status);
694 ADD_U_INT64(dptr, ret);
695
696 return (t);
697 }
698
699 token_t *
700 au_to_return(char status, u_int32_t ret)
701 {
702
703 return (au_to_return32(status, ret));
704 }
705
706 /*
707 * token ID 1 byte
708 * sequence number 4 bytes
709 */
710 token_t *
711 au_to_seq(long audit_count)
712 {
713 token_t *t;
714 u_char *dptr = NULL;
715
716 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t));
717
718 ADD_U_CHAR(dptr, AUT_SEQ);
719 ADD_U_INT32(dptr, audit_count);
720
721 return (t);
722 }
723
724 /*
725 * token ID 1 byte
726 * socket type 2 bytes
727 * local port 2 bytes
728 * local Internet address 4 bytes
729 * remote port 2 bytes
730 * remote Internet address 4 bytes
731 */
732 token_t *
733 au_to_socket(struct socket *so)
734 {
735
736 /* XXXRW ... */
737 return (NULL);
738 }
739
740 /*
741 * Kernel-specific version of the above function.
742 */
743 #ifdef _KERNEL
744 token_t *
745 kau_to_socket(struct socket_au_info *soi)
746 {
747 token_t *t;
748 u_char *dptr;
749 u_int16_t so_type;
750
751 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) +
752 sizeof(u_int32_t) + sizeof(u_int16_t) + sizeof(u_int32_t));
753
754 ADD_U_CHAR(dptr, AU_SOCK_TOKEN);
755 /* Coerce the socket type into a short value */
756 so_type = soi->so_type;
757 ADD_U_INT16(dptr, so_type);
758 ADD_U_INT16(dptr, soi->so_lport);
759 ADD_U_INT32(dptr, soi->so_laddr);
760 ADD_U_INT16(dptr, soi->so_rport);
761 ADD_U_INT32(dptr, soi->so_raddr);
762
763 return (t);
764 }
765 #endif
766
767 /*
768 * token ID 1 byte
769 * socket type 2 bytes
770 * local port 2 bytes
771 * address type/length 4 bytes
772 * local Internet address 4 bytes/16 bytes (IPv4/IPv6 address)
773 * remote port 4 bytes
774 * address type/length 4 bytes
775 * remote Internet address 4 bytes/16 bytes (IPv4/IPv6 address)
776 */
777 token_t *
778 au_to_socket_ex_32(u_int16_t lp, u_int16_t rp, struct sockaddr *la,
779 struct sockaddr *ra)
780 {
781
782 return (NULL);
783 }
784
785 token_t *
786 au_to_socket_ex_128(u_int16_t lp, u_int16_t rp, struct sockaddr *la,
787 struct sockaddr *ra)
788 {
789
790 return (NULL);
791 }
792
793 /*
794 * token ID 1 byte
795 * socket family 2 bytes
796 * path 104 bytes
797 */
798 token_t *
799 au_to_sock_unix(struct sockaddr_un *so)
800 {
801 token_t *t;
802 u_char *dptr;
803
804 GET_TOKEN_AREA(t, dptr, 3 * sizeof(u_char) + strlen(so->sun_path) + 1);
805
806 ADD_U_CHAR(dptr, AU_SOCK_UNIX_TOKEN);
807 /* BSM token has two bytes for family */
808 ADD_U_CHAR(dptr, 0);
809 ADD_U_CHAR(dptr, so->sun_family);
810 ADD_STRING(dptr, so->sun_path, strlen(so->sun_path) + 1);
811
812 return (t);
813 }
814
815 /*
816 * token ID 1 byte
817 * socket family 2 bytes
818 * local port 2 bytes
819 * socket address 4 bytes
820 */
821 token_t *
822 au_to_sock_inet32(struct sockaddr_in *so)
823 {
824 token_t *t;
825 u_char *dptr = NULL;
826 uint16_t family;
827
828 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(uint16_t) +
829 sizeof(uint32_t));
830
831 ADD_U_CHAR(dptr, AUT_SOCKINET32);
832 /*
833 * BSM defines the family field as 16 bits, but many operating
834 * systems have an 8-bit sin_family field. Extend to 16 bits before
835 * writing into the token. Assume that both the port and the address
836 * in the sockaddr_in are already in network byte order, but family
837 * is in local byte order.
838 *
839 * XXXRW: Should a name space conversion be taking place on the value
840 * of sin_family?
841 */
842 family = so->sin_family;
843 ADD_U_INT16(dptr, family);
844 ADD_MEM(dptr, &so->sin_port, sizeof(uint16_t));
845 ADD_MEM(dptr, &so->sin_addr.s_addr, sizeof(uint32_t));
846
847 return (t);
848
849 }
850
851 token_t *
852 au_to_sock_inet128(struct sockaddr_in6 *so)
853 {
854 token_t *t;
855 u_char *dptr = NULL;
856
857 GET_TOKEN_AREA(t, dptr, 3 * sizeof(u_char) + sizeof(u_int16_t) +
858 4 * sizeof(u_int32_t));
859
860 ADD_U_CHAR(dptr, AUT_SOCKINET128);
861 /*
862 * In Darwin, sin6_family is one octet, but BSM defines the token
863 * to store two. So we copy in a 0 first.
864 */
865 ADD_U_CHAR(dptr, 0);
866 ADD_U_CHAR(dptr, so->sin6_family);
867
868 ADD_U_INT16(dptr, so->sin6_port);
869 ADD_MEM(dptr, &so->sin6_addr, 4 * sizeof(uint32_t));
870
871 return (t);
872
873 }
874
875 token_t *
876 au_to_sock_inet(struct sockaddr_in *so)
877 {
878
879 return (au_to_sock_inet32(so));
880 }
881
882 /*
883 * token ID 1 byte
884 * audit ID 4 bytes
885 * effective user ID 4 bytes
886 * effective group ID 4 bytes
887 * real user ID 4 bytes
888 * real group ID 4 bytes
889 * process ID 4 bytes
890 * session ID 4 bytes
891 * terminal ID
892 * port ID 4 bytes/8 bytes (32-bit/64-bit value)
893 * machine address 4 bytes
894 */
895 token_t *
896 au_to_subject32(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
897 pid_t pid, au_asid_t sid, au_tid_t *tid)
898 {
899 token_t *t;
900 u_char *dptr = NULL;
901
902 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 9 * sizeof(u_int32_t));
903
904 ADD_U_CHAR(dptr, AUT_SUBJECT32);
905 ADD_U_INT32(dptr, auid);
906 ADD_U_INT32(dptr, euid);
907 ADD_U_INT32(dptr, egid);
908 ADD_U_INT32(dptr, ruid);
909 ADD_U_INT32(dptr, rgid);
910 ADD_U_INT32(dptr, pid);
911 ADD_U_INT32(dptr, sid);
912 ADD_U_INT32(dptr, tid->port);
913 ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t));
914
915 return (t);
916 }
917
918 token_t *
919 au_to_subject64(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
920 pid_t pid, au_asid_t sid, au_tid_t *tid)
921 {
922
923 return (NULL);
924 }
925
926 token_t *
927 au_to_subject(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
928 pid_t pid, au_asid_t sid, au_tid_t *tid)
929 {
930
931 return (au_to_subject32(auid, euid, egid, ruid, rgid, pid, sid,
932 tid));
933 }
934
935 /*
936 * token ID 1 byte
937 * audit ID 4 bytes
938 * effective user ID 4 bytes
939 * effective group ID 4 bytes
940 * real user ID 4 bytes
941 * real group ID 4 bytes
942 * process ID 4 bytes
943 * session ID 4 bytes
944 * terminal ID
945 * port ID 4 bytes/8 bytes (32-bit/64-bit value)
946 * address type/length 4 bytes
947 * machine address 4/16 bytes
948 */
949 token_t *
950 au_to_subject32_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
951 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
952 {
953 token_t *t;
954 u_char *dptr = NULL;
955
956 if (tid->at_type == AU_IPv6)
957 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 13 *
958 sizeof(u_int32_t));
959 else
960 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 10 *
961 sizeof(u_int32_t));
962
963 ADD_U_CHAR(dptr, AUT_SUBJECT32_EX);
964 ADD_U_INT32(dptr, auid);
965 ADD_U_INT32(dptr, euid);
966 ADD_U_INT32(dptr, egid);
967 ADD_U_INT32(dptr, ruid);
968 ADD_U_INT32(dptr, rgid);
969 ADD_U_INT32(dptr, pid);
970 ADD_U_INT32(dptr, sid);
971 ADD_U_INT32(dptr, tid->at_port);
972 ADD_U_INT32(dptr, tid->at_type);
973 ADD_U_INT32(dptr, tid->at_addr[0]);
974 if (tid->at_type == AU_IPv6) {
975 ADD_U_INT32(dptr, tid->at_addr[1]);
976 ADD_U_INT32(dptr, tid->at_addr[2]);
977 ADD_U_INT32(dptr, tid->at_addr[3]);
978 }
979 return (t);
980 }
981
982 token_t *
983 au_to_subject64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
984 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
985 {
986
987 return (NULL);
988 }
989
990 token_t *
991 au_to_subject_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
992 gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
993 {
994
995 return (au_to_subject32_ex(auid, euid, egid, ruid, rgid, pid, sid,
996 tid));
997 }
998
999 #if !defined(_KERNEL) && !defined(KERNEL) && defined(HAVE_AUDIT_SYSCALLS)
1000 /*
1001 * Collects audit information for the current process
1002 * and creates a subject token from it
1003 */
1004 token_t *
1005 au_to_me(void)
1006 {
1007 auditinfo_t auinfo;
1008
1009 if (getaudit(&auinfo) != 0)
1010 return (NULL);
1011
1012 return (au_to_subject32(auinfo.ai_auid, geteuid(), getegid(),
1013 getuid(), getgid(), getpid(), auinfo.ai_asid, &auinfo.ai_termid));
1014 }
1015 #endif
1016
1017 #if defined(_KERNEL) || defined(KERNEL)
1018 static token_t *
1019 au_to_exec_strings(char *strs, int count, u_char type)
1020 {
1021 token_t *t;
1022 u_char *dptr = NULL;
1023 u_int32_t totlen;
1024 int ctr;
1025 char *p;
1026
1027 totlen = 0;
1028 ctr = count;
1029 p = strs;
1030 while (ctr-- > 0) {
1031 totlen += strlen(p) + 1;
1032 p = strs + totlen;
1033 }
1034 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + totlen);
1035 ADD_U_CHAR(dptr, type);
1036 ADD_U_INT32(dptr, count);
1037 ADD_STRING(dptr, strs, totlen);
1038
1039 return (t);
1040 }
1041
1042 /*
1043 * token ID 1 byte
1044 * count 4 bytes
1045 * text count null-terminated strings
1046 */
1047 token_t *
1048 au_to_exec_args(char *args, int argc)
1049 {
1050
1051 return (au_to_exec_strings(args, argc, AUT_EXEC_ARGS));
1052 }
1053
1054 /*
1055 * token ID 1 byte
1056 * count 4 bytes
1057 * text count null-terminated strings
1058 */
1059 token_t *
1060 au_to_exec_env(char *envs, int envc)
1061 {
1062
1063 return (au_to_exec_strings(envs, envc, AUT_EXEC_ENV));
1064 }
1065 #else
1066 /*
1067 * token ID 1 byte
1068 * count 4 bytes
1069 * text count null-terminated strings
1070 */
1071 token_t *
1072 au_to_exec_args(char **argv)
1073 {
1074 token_t *t;
1075 u_char *dptr = NULL;
1076 const char *nextarg;
1077 int i, count = 0;
1078 size_t totlen = 0;
1079
1080 nextarg = *argv;
1081
1082 while (nextarg != NULL) {
1083 int nextlen;
1084
1085 nextlen = strlen(nextarg);
1086 totlen += nextlen + 1;
1087 count++;
1088 nextarg = *(argv + count);
1089 }
1090
1091 totlen += count * sizeof(char); /* nul terminations. */
1092 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + totlen);
1093
1094 ADD_U_CHAR(dptr, AUT_EXEC_ARGS);
1095 ADD_U_INT32(dptr, count);
1096
1097 for (i = 0; i < count; i++) {
1098 nextarg = *(argv + i);
1099 ADD_MEM(dptr, nextarg, strlen(nextarg) + 1);
1100 }
1101
1102 return (t);
1103 }
1104
1105 /*
1106 * token ID 1 byte
1107 * count 4 bytes
1108 * text count null-terminated strings
1109 */
1110 token_t *
1111 au_to_exec_env(char **envp)
1112 {
1113 token_t *t;
1114 u_char *dptr = NULL;
1115 int i, count = 0;
1116 size_t totlen = 0;
1117 const char *nextenv;
1118
1119 nextenv = *envp;
1120
1121 while (nextenv != NULL) {
1122 int nextlen;
1123
1124 nextlen = strlen(nextenv);
1125 totlen += nextlen + 1;
1126 count++;
1127 nextenv = *(envp + count);
1128 }
1129
1130 totlen += sizeof(char) * count;
1131 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + totlen);
1132
1133 ADD_U_CHAR(dptr, AUT_EXEC_ENV);
1134 ADD_U_INT32(dptr, count);
1135
1136 for (i = 0; i < count; i++) {
1137 nextenv = *(envp + i);
1138 ADD_MEM(dptr, nextenv, strlen(nextenv) + 1);
1139 }
1140
1141 return (t);
1142 }
1143 #endif
1144
1145 /*
1146 * token ID 1 byte
1147 * record byte count 4 bytes
1148 * version # 1 byte [2]
1149 * event type 2 bytes
1150 * event modifier 2 bytes
1151 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value)
1152 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value)
1153 */
1154 token_t *
1155 au_to_header32_tm(int rec_size, au_event_t e_type, au_emod_t e_mod,
1156 struct timeval tm)
1157 {
1158 token_t *t;
1159 u_char *dptr = NULL;
1160 u_int32_t timems;
1161
1162 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) +
1163 sizeof(u_char) + 2 * sizeof(u_int16_t) + 2 * sizeof(u_int32_t));
1164
1165 ADD_U_CHAR(dptr, AUT_HEADER32);
1166 ADD_U_INT32(dptr, rec_size);
1167 ADD_U_CHAR(dptr, AUDIT_HEADER_VERSION_OPENBSM);
1168 ADD_U_INT16(dptr, e_type);
1169 ADD_U_INT16(dptr, e_mod);
1170
1171 timems = tm.tv_usec/1000;
1172 /* Add the timestamp */
1173 ADD_U_INT32(dptr, tm.tv_sec);
1174 ADD_U_INT32(dptr, timems); /* We need time in ms. */
1175
1176 return (t);
1177 }
1178
1179 /*
1180 * token ID 1 byte
1181 * trailer magic number 2 bytes
1182 * record byte count 4 bytes
1183 */
1184 token_t *
1185 au_to_trailer(int rec_size)
1186 {
1187 token_t *t;
1188 u_char *dptr = NULL;
1189 u_int16_t magic = TRAILER_PAD_MAGIC;
1190
1191 GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) +
1192 sizeof(u_int32_t));
1193
1194 ADD_U_CHAR(dptr, AUT_TRAILER);
1195 ADD_U_INT16(dptr, magic);
1196 ADD_U_INT32(dptr, rec_size);
1197
1198 return (t);
1199 }
Cache object: 1e20f19010d198954ce13afc77f6aaa5
|