1 | /*- |
2 | * Copyright (c) 2004-2009 Apple Inc. |
3 | * Copyright (c) 2005 SPARTA, Inc. |
4 | * All rights reserved. |
5 | * |
6 | * This code was developed in part by Robert N. M. Watson, Senior Principal |
7 | * Scientist, SPARTA, Inc. |
8 | * |
9 | * Redistribution and use in source and binary forms, with or without |
10 | * modification, are permitted provided that the following conditions |
11 | * are met: |
12 | * 1. Redistributions of source code must retain the above copyright |
13 | * notice, this list of conditions and the following disclaimer. |
14 | * 2. Redistributions in binary form must reproduce the above copyright |
15 | * notice, this list of conditions and the following disclaimer in the |
16 | * documentation and/or other materials provided with the distribution. |
17 | * 3. Neither the name of Apple Inc. ("Apple") nor the names of |
18 | * its contributors may be used to endorse or promote products derived |
19 | * from this software without specific prior written permission. |
20 | * |
21 | * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND |
22 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
23 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
24 | * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR |
25 | * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
26 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
27 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
28 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, |
29 | * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING |
30 | * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE |
31 | * POSSIBILITY OF SUCH DAMAGE. |
32 | */ |
33 | |
34 | #include <sys/types.h> |
35 | #include <sys/un.h> |
36 | #include <sys/event.h> |
37 | #include <sys/ucred.h> |
38 | #include <sys/systm.h> |
39 | |
40 | #include <sys/ipc.h> |
41 | |
42 | #include <netinet/in.h> |
43 | #include <netinet/in_systm.h> |
44 | #include <netinet/ip.h> |
45 | |
46 | #include <bsm/audit.h> |
47 | #include <bsm/audit_internal.h> |
48 | #include <bsm/audit_record.h> |
49 | #include <security/audit/audit.h> |
50 | #include <security/audit/audit_bsd.h> |
51 | #include <security/audit/audit_private.h> |
52 | |
53 | #include <kern/host.h> |
54 | #include <kern/clock.h> |
55 | |
56 | #include <string.h> |
57 | |
58 | #if CONFIG_AUDIT |
59 | #define GET_TOKEN_AREA(t, dptr, length) do { \ |
60 | t = kalloc_type(token_t, Z_WAITOK | Z_NOFAIL); \ |
61 | t->t_data = kalloc_data(length, Z_WAITOK | Z_ZERO | Z_NOFAIL); \ |
62 | t->len = length; \ |
63 | dptr = t->t_data; \ |
64 | } while (0) |
65 | |
66 | /* |
67 | * token ID 1 byte |
68 | * argument # 1 byte |
69 | * argument value 4 bytes/8 bytes (32-bit/64-bit value) |
70 | * text length 2 bytes |
71 | * text N bytes + 1 terminating NULL byte |
72 | */ |
73 | token_t * |
74 | au_to_arg32(char n, const char *text, u_int32_t v) |
75 | { |
76 | token_t *t; |
77 | u_char *dptr = NULL; |
78 | u_int16_t textlen; |
79 | size_t tokenlen; |
80 | |
81 | textlen = strlen(s: text); |
82 | textlen += 1; |
83 | |
84 | tokenlen = 2 * sizeof(u_char) + sizeof(u_int32_t) + sizeof(u_int16_t) + textlen; |
85 | KASSERT(tokenlen <= KALLOC_SAFE_ALLOC_SIZE, |
86 | ("au_to_arg32: token length (%zu) exceeds maximum allowed size" , tokenlen)); |
87 | |
88 | GET_TOKEN_AREA(t, dptr, tokenlen); |
89 | |
90 | ADD_U_CHAR(dptr, AUT_ARG32); |
91 | ADD_U_CHAR(dptr, n); |
92 | ADD_U_INT32(dptr, v); |
93 | ADD_U_INT16(dptr, textlen); |
94 | ADD_STRING(dptr, text, textlen); |
95 | |
96 | return t; |
97 | } |
98 | |
99 | token_t * |
100 | au_to_arg64(char n, const char *text, u_int64_t v) |
101 | { |
102 | token_t *t; |
103 | u_char *dptr = NULL; |
104 | u_int16_t textlen; |
105 | size_t tokenlen; |
106 | |
107 | textlen = strlen(s: text); |
108 | textlen += 1; |
109 | |
110 | tokenlen = 2 * sizeof(u_char) + sizeof(u_int64_t) + sizeof(u_int16_t) + textlen; |
111 | KASSERT(tokenlen <= KALLOC_SAFE_ALLOC_SIZE, |
112 | ("au_to_arg64: token length (%zu) exceeds maximum allowed size" , tokenlen)); |
113 | |
114 | GET_TOKEN_AREA(t, dptr, tokenlen); |
115 | |
116 | ADD_U_CHAR(dptr, AUT_ARG64); |
117 | ADD_U_CHAR(dptr, n); |
118 | ADD_U_INT64(dptr, v); |
119 | ADD_U_INT16(dptr, textlen); |
120 | ADD_STRING(dptr, text, textlen); |
121 | |
122 | return t; |
123 | } |
124 | |
125 | token_t * |
126 | au_to_arg(char n, const char *text, u_int32_t v) |
127 | { |
128 | return au_to_arg32(n, text, v); |
129 | } |
130 | |
131 | #if defined(_KERNEL) || defined(KERNEL) |
132 | /* |
133 | * token ID 1 byte |
134 | * file access mode 4 bytes |
135 | * owner user ID 4 bytes |
136 | * owner group ID 4 bytes |
137 | * file system ID 4 bytes |
138 | * node ID 8 bytes |
139 | * device 4 bytes/8 bytes (32-bit/64-bit) |
140 | */ |
141 | token_t * |
142 | au_to_attr32(struct vnode_au_info *vni) |
143 | { |
144 | token_t *t; |
145 | u_char *dptr = NULL; |
146 | u_int16_t pad0_16 = 0; |
147 | u_int32_t pad0_32 = 0; |
148 | |
149 | GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) + |
150 | 3 * sizeof(u_int32_t) + sizeof(u_int64_t) + sizeof(u_int32_t)); |
151 | |
152 | ADD_U_CHAR(dptr, AUT_ATTR32); |
153 | |
154 | /* |
155 | * Darwin defines the size for the file mode |
156 | * as 2 bytes; BSM defines 4 so pad with 0 |
157 | */ |
158 | ADD_U_INT16(dptr, pad0_16); |
159 | ADD_U_INT16(dptr, vni->vn_mode); |
160 | |
161 | ADD_U_INT32(dptr, vni->vn_uid); |
162 | ADD_U_INT32(dptr, vni->vn_gid); |
163 | ADD_U_INT32(dptr, vni->vn_fsid); |
164 | |
165 | /* |
166 | * Some systems use 32-bit file ID's, others use 64-bit file IDs. |
167 | * Attempt to handle both, and let the compiler sort it out. If we |
168 | * could pick this out at compile-time, it would be better, so as to |
169 | * avoid the else case below. |
170 | */ |
171 | if (sizeof(vni->vn_fileid) == sizeof(uint32_t)) { |
172 | ADD_U_INT32(dptr, pad0_32); |
173 | ADD_U_INT32(dptr, vni->vn_fileid); |
174 | } else if (sizeof(vni->vn_fileid) == sizeof(uint64_t)) { |
175 | ADD_U_INT64(dptr, vni->vn_fileid); |
176 | } else { |
177 | ADD_U_INT64(dptr, 0LL); |
178 | } |
179 | |
180 | ADD_U_INT32(dptr, vni->vn_dev); |
181 | |
182 | return t; |
183 | } |
184 | |
185 | token_t * |
186 | au_to_attr64(struct vnode_au_info *vni) |
187 | { |
188 | token_t *t; |
189 | u_char *dptr = NULL; |
190 | u_int16_t pad0_16 = 0; |
191 | u_int16_t pad0_32 = 0; |
192 | |
193 | GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) + |
194 | 3 * sizeof(u_int32_t) + sizeof(u_int64_t) * 2); |
195 | |
196 | ADD_U_CHAR(dptr, AUT_ATTR64); |
197 | |
198 | /* |
199 | * Darwin defines the size for the file mode |
200 | * as 2 bytes; BSM defines 4 so pad with 0 |
201 | */ |
202 | ADD_U_INT16(dptr, pad0_16); |
203 | ADD_U_INT16(dptr, vni->vn_mode); |
204 | |
205 | ADD_U_INT32(dptr, vni->vn_uid); |
206 | ADD_U_INT32(dptr, vni->vn_gid); |
207 | ADD_U_INT32(dptr, vni->vn_fsid); |
208 | |
209 | /* |
210 | * Some systems use 32-bit file ID's, other's use 64-bit file IDs. |
211 | * Attempt to handle both, and let the compiler sort it out. If we |
212 | * could pick this out at compile-time, it would be better, so as to |
213 | * avoid the else case below. |
214 | */ |
215 | if (sizeof(vni->vn_fileid) == sizeof(uint32_t)) { |
216 | ADD_U_INT32(dptr, pad0_32); |
217 | ADD_U_INT32(dptr, vni->vn_fileid); |
218 | } else if (sizeof(vni->vn_fileid) == sizeof(uint64_t)) { |
219 | ADD_U_INT64(dptr, vni->vn_fileid); |
220 | } else { |
221 | ADD_U_INT64(dptr, 0LL); |
222 | } |
223 | |
224 | ADD_U_INT64(dptr, vni->vn_dev); |
225 | |
226 | return t; |
227 | } |
228 | |
229 | token_t * |
230 | au_to_attr(struct vnode_au_info *vni) |
231 | { |
232 | return au_to_attr32(vni); |
233 | } |
234 | #endif /* defined(_KERNEL) || defined(KERNEL) */ |
235 | |
236 | /* |
237 | * token ID 1 byte |
238 | * how to print 1 byte |
239 | * basic unit 1 byte |
240 | * unit count 1 byte |
241 | * data items (depends on basic unit) |
242 | */ |
243 | token_t * |
244 | au_to_data(char unit_print, char unit_type, char unit_count, const char *p) |
245 | { |
246 | token_t *t; |
247 | u_char *dptr = NULL; |
248 | size_t datasize, totdata, tokenlen; |
249 | |
250 | /* Determine the size of the basic unit. */ |
251 | switch (unit_type) { |
252 | case AUR_BYTE: |
253 | /* case AUR_CHAR: */ |
254 | datasize = AUR_BYTE_SIZE; |
255 | break; |
256 | |
257 | case AUR_SHORT: |
258 | datasize = AUR_SHORT_SIZE; |
259 | break; |
260 | |
261 | case AUR_INT32: |
262 | /* case AUR_INT: */ |
263 | datasize = AUR_INT32_SIZE; |
264 | break; |
265 | |
266 | case AUR_INT64: |
267 | datasize = AUR_INT64_SIZE; |
268 | break; |
269 | |
270 | default: |
271 | /* For unknown assume byte. */ |
272 | datasize = AUR_BYTE_SIZE; |
273 | break; |
274 | } |
275 | |
276 | totdata = datasize * (size_t)unit_count; |
277 | |
278 | tokenlen = 4 * sizeof(u_char) + totdata; |
279 | KASSERT(tokenlen <= KALLOC_SAFE_ALLOC_SIZE, |
280 | ("au_to_data: token length (%zu) exceeds maximum allowed size" , tokenlen)); |
281 | |
282 | GET_TOKEN_AREA(t, dptr, tokenlen); |
283 | |
284 | ADD_U_CHAR(dptr, AUT_DATA); |
285 | ADD_U_CHAR(dptr, unit_print); |
286 | ADD_U_CHAR(dptr, unit_type); |
287 | ADD_U_CHAR(dptr, unit_count); |
288 | ADD_MEM(dptr, p, totdata); |
289 | |
290 | return t; |
291 | } |
292 | |
293 | /* |
294 | * token ID 1 byte |
295 | * status 4 bytes |
296 | * return value 4 bytes |
297 | */ |
298 | token_t * |
299 | au_to_exit(int retval, int err) |
300 | { |
301 | token_t *t; |
302 | u_char *dptr = NULL; |
303 | |
304 | GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int32_t)); |
305 | |
306 | ADD_U_CHAR(dptr, AUT_EXIT); |
307 | ADD_U_INT32(dptr, err); |
308 | ADD_U_INT32(dptr, retval); |
309 | |
310 | return t; |
311 | } |
312 | |
313 | /* |
314 | */ |
315 | token_t * |
316 | au_to_groups(int *groups) |
317 | { |
318 | return au_to_newgroups(AUDIT_MAX_GROUPS, groups: (gid_t *)groups); |
319 | } |
320 | |
321 | /* |
322 | * token ID 1 byte |
323 | * number groups 2 bytes |
324 | * group list count * 4 bytes |
325 | */ |
326 | token_t * |
327 | au_to_newgroups(u_int16_t n, gid_t *groups) |
328 | { |
329 | token_t *t; |
330 | u_char *dptr = NULL; |
331 | int i; |
332 | size_t tokenlen; |
333 | |
334 | KASSERT(n <= AUDIT_MAX_GROUPS, "au_to_newgroups: groups exceed maximum number of those allowed" ); |
335 | |
336 | tokenlen = sizeof(u_char) + sizeof(u_int16_t) + n * sizeof(u_int32_t); |
337 | KASSERT(tokenlen <= KALLOC_SAFE_ALLOC_SIZE, |
338 | ("au_to_newgroups: token length (%zu) exceeds maximum allowed size" , tokenlen)); |
339 | |
340 | GET_TOKEN_AREA(t, dptr, tokenlen); |
341 | |
342 | ADD_U_CHAR(dptr, AUT_NEWGROUPS); |
343 | ADD_U_INT16(dptr, n); |
344 | for (i = 0; i < n; i++) { |
345 | ADD_U_INT32(dptr, groups[i]); |
346 | } |
347 | |
348 | return t; |
349 | } |
350 | |
351 | /* |
352 | * token ID 1 byte |
353 | * internet address 4 bytes |
354 | */ |
355 | token_t * |
356 | au_to_in_addr(struct in_addr *internet_addr) |
357 | { |
358 | token_t *t; |
359 | u_char *dptr = NULL; |
360 | |
361 | GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(uint32_t)); |
362 | |
363 | ADD_U_CHAR(dptr, AUT_IN_ADDR); |
364 | ADD_MEM(dptr, &internet_addr->s_addr, sizeof(uint32_t)); |
365 | |
366 | return t; |
367 | } |
368 | |
369 | /* |
370 | * token ID 1 byte |
371 | * address type/length 4 bytes |
372 | * address 16 bytes |
373 | */ |
374 | token_t * |
375 | au_to_in_addr_ex(struct in6_addr *internet_addr) |
376 | { |
377 | token_t *t; |
378 | u_char *dptr = NULL; |
379 | u_int32_t type = AU_IPv6; |
380 | |
381 | GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 5 * sizeof(uint32_t)); |
382 | |
383 | ADD_U_CHAR(dptr, AUT_IN_ADDR_EX); |
384 | ADD_U_INT32(dptr, type); |
385 | ADD_MEM(dptr, internet_addr, 4 * sizeof(uint32_t)); |
386 | |
387 | return t; |
388 | } |
389 | |
390 | /* |
391 | * token ID 1 byte |
392 | * ip header 20 bytes |
393 | * |
394 | * The IP header should be submitted in network byte order. |
395 | */ |
396 | token_t * |
397 | au_to_ip(struct ip *ip) |
398 | { |
399 | token_t *t; |
400 | u_char *dptr = NULL; |
401 | |
402 | GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(struct ip)); |
403 | |
404 | ADD_U_CHAR(dptr, AUT_IP); |
405 | ADD_MEM(dptr, ip, sizeof(struct ip)); |
406 | |
407 | return t; |
408 | } |
409 | |
410 | /* |
411 | * token ID 1 byte |
412 | * object ID type 1 byte |
413 | * object ID 4 bytes |
414 | */ |
415 | token_t * |
416 | au_to_ipc(char type, int id) |
417 | { |
418 | token_t *t; |
419 | u_char *dptr = NULL; |
420 | |
421 | GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int32_t)); |
422 | |
423 | ADD_U_CHAR(dptr, AUT_IPC); |
424 | ADD_U_CHAR(dptr, type); |
425 | ADD_U_INT32(dptr, id); |
426 | |
427 | return t; |
428 | } |
429 | |
430 | /* |
431 | * token ID 1 byte |
432 | * owner user ID 4 bytes |
433 | * owner group ID 4 bytes |
434 | * creator user ID 4 bytes |
435 | * creator group ID 4 bytes |
436 | * access mode 4 bytes |
437 | * slot sequence # 4 bytes |
438 | * key 4 bytes |
439 | */ |
440 | token_t * |
441 | au_to_ipc_perm(struct ipc_perm *perm) |
442 | { |
443 | token_t *t; |
444 | u_char *dptr = NULL; |
445 | u_int16_t pad0 = 0; |
446 | |
447 | if (perm == NULL) { |
448 | return NULL; |
449 | } |
450 | |
451 | GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 12 * sizeof(u_int16_t) + |
452 | sizeof(u_int32_t)); |
453 | |
454 | ADD_U_CHAR(dptr, AUT_IPC_PERM); |
455 | |
456 | /* |
457 | * Darwin defines the size for the file mode |
458 | * as 2 bytes; BSM defines 4 so pad with 0 |
459 | */ |
460 | ADD_U_INT32(dptr, perm->uid); |
461 | ADD_U_INT32(dptr, perm->gid); |
462 | ADD_U_INT32(dptr, perm->cuid); |
463 | ADD_U_INT32(dptr, perm->cgid); |
464 | |
465 | ADD_U_INT16(dptr, pad0); |
466 | ADD_U_INT16(dptr, perm->mode); |
467 | |
468 | ADD_U_INT16(dptr, pad0); |
469 | ADD_U_INT16(dptr, perm->_seq); |
470 | |
471 | ADD_U_INT16(dptr, pad0); |
472 | ADD_U_INT16(dptr, perm->_key); |
473 | |
474 | return t; |
475 | } |
476 | |
477 | /* |
478 | * token ID 1 byte |
479 | * port IP address 2 bytes |
480 | */ |
481 | token_t * |
482 | au_to_iport(u_int16_t iport) |
483 | { |
484 | token_t *t; |
485 | u_char *dptr = NULL; |
486 | |
487 | GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t)); |
488 | |
489 | ADD_U_CHAR(dptr, AUT_IPORT); |
490 | ADD_U_INT16(dptr, iport); |
491 | |
492 | return t; |
493 | } |
494 | |
495 | /* |
496 | * token ID 1 byte |
497 | * size 2 bytes |
498 | * data size bytes |
499 | */ |
500 | token_t * |
501 | au_to_opaque(const char *data, uint16_t bytes) |
502 | { |
503 | token_t *t; |
504 | u_char *dptr = NULL; |
505 | size_t tokenlen; |
506 | |
507 | tokenlen = sizeof(u_char) + sizeof(u_int16_t) + bytes; |
508 | KASSERT(tokenlen <= KALLOC_SAFE_ALLOC_SIZE, |
509 | ("au_to_opaque: token length (%zu) exceeds maximum allowed size" , tokenlen)); |
510 | |
511 | GET_TOKEN_AREA(t, dptr, tokenlen); |
512 | |
513 | ADD_U_CHAR(dptr, AUT_OPAQUE); |
514 | ADD_U_INT16(dptr, bytes); |
515 | ADD_MEM(dptr, data, bytes); |
516 | |
517 | return t; |
518 | } |
519 | |
520 | /* |
521 | * token ID 1 byte |
522 | * seconds of time 4 bytes |
523 | * milliseconds of time 4 bytes |
524 | * file name len 2 bytes |
525 | * file pathname N bytes + 1 terminating NULL byte |
526 | */ |
527 | token_t * |
528 | au_to_file(const char *file, struct timeval tm) |
529 | { |
530 | token_t *t; |
531 | u_char *dptr = NULL; |
532 | u_int16_t filelen; |
533 | u_int32_t timems; |
534 | size_t tokenlen; |
535 | |
536 | filelen = strlen(s: file); |
537 | filelen += 1; |
538 | |
539 | tokenlen = sizeof(u_char) + 2 * sizeof(u_int32_t) + sizeof(u_int16_t) + filelen; |
540 | KASSERT(tokenlen <= KALLOC_SAFE_ALLOC_SIZE, |
541 | ("au_to_file: token length (%zu) exceeds maximum allowed size" , tokenlen)); |
542 | |
543 | GET_TOKEN_AREA(t, dptr, tokenlen); |
544 | |
545 | timems = tm.tv_usec / 1000; |
546 | |
547 | ADD_U_CHAR(dptr, AUT_OTHER_FILE32); |
548 | ADD_U_INT32(dptr, tm.tv_sec); |
549 | ADD_U_INT32(dptr, timems); /* We need time in ms. */ |
550 | ADD_U_INT16(dptr, filelen); |
551 | ADD_STRING(dptr, file, filelen); |
552 | |
553 | return t; |
554 | } |
555 | |
556 | /* |
557 | * token ID 1 byte |
558 | * text length 2 bytes |
559 | * text N bytes + 1 terminating NULL byte |
560 | */ |
561 | token_t * |
562 | au_to_text(const char *text) |
563 | { |
564 | token_t *t; |
565 | u_char *dptr = NULL; |
566 | u_int16_t textlen; |
567 | size_t tokenlen; |
568 | |
569 | textlen = strlen(s: text); |
570 | textlen += 1; |
571 | |
572 | tokenlen = sizeof(u_char) + sizeof(u_int16_t) + textlen; |
573 | KASSERT(tokenlen <= KALLOC_SAFE_ALLOC_SIZE, |
574 | ("au_to_text: token length (%zu) exceeds maximum allowed size" , tokenlen)); |
575 | |
576 | GET_TOKEN_AREA(t, dptr, tokenlen); |
577 | |
578 | ADD_U_CHAR(dptr, AUT_TEXT); |
579 | ADD_U_INT16(dptr, textlen); |
580 | ADD_STRING(dptr, text, textlen); |
581 | |
582 | return t; |
583 | } |
584 | |
585 | /* |
586 | * token ID 1 byte |
587 | * path length 2 bytes |
588 | * path N bytes + 1 terminating NULL byte |
589 | */ |
590 | token_t * |
591 | au_to_path(const char *text) |
592 | { |
593 | token_t *t; |
594 | u_char *dptr = NULL; |
595 | u_int16_t textlen; |
596 | size_t tokenlen; |
597 | |
598 | textlen = strlen(s: text); |
599 | textlen += 1; |
600 | |
601 | tokenlen = sizeof(u_char) + sizeof(u_int16_t) + textlen; |
602 | KASSERT(tokenlen <= KALLOC_SAFE_ALLOC_SIZE, |
603 | ("au_to_path: token length (%zu) exceeds maximum allowed size" , tokenlen)); |
604 | |
605 | GET_TOKEN_AREA(t, dptr, tokenlen); |
606 | |
607 | ADD_U_CHAR(dptr, AUT_PATH); |
608 | ADD_U_INT16(dptr, textlen); |
609 | ADD_STRING(dptr, text, textlen); |
610 | |
611 | return t; |
612 | } |
613 | |
614 | /* |
615 | * token ID 1 byte |
616 | * audit ID 4 bytes |
617 | * effective user ID 4 bytes |
618 | * effective group ID 4 bytes |
619 | * real user ID 4 bytes |
620 | * real group ID 4 bytes |
621 | * process ID 4 bytes |
622 | * session ID 4 bytes |
623 | * terminal ID |
624 | * port ID 4 bytes/8 bytes (32-bit/64-bit value) |
625 | * machine address 4 bytes |
626 | */ |
627 | token_t * |
628 | au_to_process32(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, |
629 | pid_t pid, au_asid_t sid, au_tid_t *tid) |
630 | { |
631 | token_t *t; |
632 | u_char *dptr = NULL; |
633 | |
634 | GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 9 * sizeof(u_int32_t)); |
635 | |
636 | ADD_U_CHAR(dptr, AUT_PROCESS32); |
637 | ADD_U_INT32(dptr, auid); |
638 | ADD_U_INT32(dptr, euid); |
639 | ADD_U_INT32(dptr, egid); |
640 | ADD_U_INT32(dptr, ruid); |
641 | ADD_U_INT32(dptr, rgid); |
642 | ADD_U_INT32(dptr, pid); |
643 | ADD_U_INT32(dptr, sid); |
644 | ADD_U_INT32(dptr, tid->port); |
645 | ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t)); |
646 | |
647 | return t; |
648 | } |
649 | |
650 | token_t * |
651 | au_to_process64(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, |
652 | pid_t pid, au_asid_t sid, au_tid_t *tid) |
653 | { |
654 | token_t *t; |
655 | u_char *dptr = NULL; |
656 | |
657 | GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 8 * sizeof(u_int32_t) + |
658 | sizeof(u_int64_t)); |
659 | |
660 | ADD_U_CHAR(dptr, AUT_PROCESS64); |
661 | ADD_U_INT32(dptr, auid); |
662 | ADD_U_INT32(dptr, euid); |
663 | ADD_U_INT32(dptr, egid); |
664 | ADD_U_INT32(dptr, ruid); |
665 | ADD_U_INT32(dptr, rgid); |
666 | ADD_U_INT32(dptr, pid); |
667 | ADD_U_INT32(dptr, sid); |
668 | ADD_U_INT64(dptr, tid->port); |
669 | ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t)); |
670 | |
671 | return t; |
672 | } |
673 | |
674 | token_t * |
675 | au_to_process(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, |
676 | pid_t pid, au_asid_t sid, au_tid_t *tid) |
677 | { |
678 | return au_to_process32(auid, euid, egid, ruid, rgid, pid, sid, |
679 | tid); |
680 | } |
681 | |
682 | /* |
683 | * token ID 1 byte |
684 | * audit ID 4 bytes |
685 | * effective user ID 4 bytes |
686 | * effective group ID 4 bytes |
687 | * real user ID 4 bytes |
688 | * real group ID 4 bytes |
689 | * process ID 4 bytes |
690 | * session ID 4 bytes |
691 | * terminal ID |
692 | * port ID 4 bytes/8 bytes (32-bit/64-bit value) |
693 | * address type-len 4 bytes |
694 | * machine address 4/16 bytes |
695 | */ |
696 | token_t * |
697 | au_to_process32_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, |
698 | gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid) |
699 | { |
700 | token_t *t; |
701 | u_char *dptr = NULL; |
702 | |
703 | KASSERT((tid->at_type == AU_IPv4) || (tid->at_type == AU_IPv6), |
704 | ("au_to_process32_ex: type %u" , (unsigned int)tid->at_type)); |
705 | if (tid->at_type == AU_IPv6) { |
706 | GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 13 * |
707 | sizeof(u_int32_t)); |
708 | } else { |
709 | GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 10 * |
710 | sizeof(u_int32_t)); |
711 | } |
712 | |
713 | ADD_U_CHAR(dptr, AUT_PROCESS32_EX); |
714 | ADD_U_INT32(dptr, auid); |
715 | ADD_U_INT32(dptr, euid); |
716 | ADD_U_INT32(dptr, egid); |
717 | ADD_U_INT32(dptr, ruid); |
718 | ADD_U_INT32(dptr, rgid); |
719 | ADD_U_INT32(dptr, pid); |
720 | ADD_U_INT32(dptr, sid); |
721 | ADD_U_INT32(dptr, tid->at_port); |
722 | ADD_U_INT32(dptr, tid->at_type); |
723 | if (tid->at_type == AU_IPv6) { |
724 | ADD_MEM(dptr, &tid->at_addr[0], 4 * sizeof(u_int32_t)); |
725 | } else { |
726 | ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t)); |
727 | } |
728 | |
729 | return t; |
730 | } |
731 | |
732 | token_t * |
733 | au_to_process64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, |
734 | gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid) |
735 | { |
736 | token_t *t = NULL; |
737 | u_char *dptr = NULL; |
738 | |
739 | if (tid->at_type == AU_IPv4) { |
740 | GET_TOKEN_AREA(t, dptr, sizeof(u_char) + |
741 | 7 * sizeof(u_int32_t) + sizeof(u_int64_t) + |
742 | 2 * sizeof(u_int32_t)); |
743 | } else if (tid->at_type == AU_IPv6) { |
744 | GET_TOKEN_AREA(t, dptr, sizeof(u_char) + |
745 | 7 * sizeof(u_int32_t) + sizeof(u_int64_t) + |
746 | 5 * sizeof(u_int32_t)); |
747 | } else { |
748 | panic("au_to_process64_ex: invalidate at_type (%d)" , |
749 | tid->at_type); |
750 | } |
751 | |
752 | ADD_U_CHAR(dptr, AUT_PROCESS64_EX); |
753 | ADD_U_INT32(dptr, auid); |
754 | ADD_U_INT32(dptr, euid); |
755 | ADD_U_INT32(dptr, egid); |
756 | ADD_U_INT32(dptr, ruid); |
757 | ADD_U_INT32(dptr, rgid); |
758 | ADD_U_INT32(dptr, pid); |
759 | ADD_U_INT32(dptr, sid); |
760 | ADD_U_INT64(dptr, tid->at_port); |
761 | ADD_U_INT32(dptr, tid->at_type); |
762 | ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t)); |
763 | if (tid->at_type == AU_IPv6) { |
764 | ADD_MEM(dptr, &tid->at_addr[1], sizeof(u_int32_t)); |
765 | ADD_MEM(dptr, &tid->at_addr[2], sizeof(u_int32_t)); |
766 | ADD_MEM(dptr, &tid->at_addr[3], sizeof(u_int32_t)); |
767 | } |
768 | |
769 | return t; |
770 | } |
771 | |
772 | token_t * |
773 | au_to_process_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, |
774 | gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid) |
775 | { |
776 | return au_to_process32_ex(auid, euid, egid, ruid, rgid, pid, sid, |
777 | tid); |
778 | } |
779 | |
780 | /* |
781 | * token ID 1 byte |
782 | * error status 1 byte |
783 | * return value 4 bytes/8 bytes (32-bit/64-bit value) |
784 | */ |
785 | token_t * |
786 | au_to_return32(char status, u_int32_t ret) |
787 | { |
788 | token_t *t; |
789 | u_char *dptr = NULL; |
790 | |
791 | GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int32_t)); |
792 | |
793 | ADD_U_CHAR(dptr, AUT_RETURN32); |
794 | ADD_U_CHAR(dptr, status); |
795 | ADD_U_INT32(dptr, ret); |
796 | |
797 | return t; |
798 | } |
799 | |
800 | token_t * |
801 | au_to_return64(char status, u_int64_t ret) |
802 | { |
803 | token_t *t; |
804 | u_char *dptr = NULL; |
805 | |
806 | GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int64_t)); |
807 | |
808 | ADD_U_CHAR(dptr, AUT_RETURN64); |
809 | ADD_U_CHAR(dptr, status); |
810 | ADD_U_INT64(dptr, ret); |
811 | |
812 | return t; |
813 | } |
814 | |
815 | token_t * |
816 | au_to_return(char status, u_int32_t ret) |
817 | { |
818 | return au_to_return32(status, ret); |
819 | } |
820 | |
821 | /* |
822 | * token ID 1 byte |
823 | * sequence number 4 bytes |
824 | */ |
825 | token_t * |
826 | au_to_seq(long audit_count) |
827 | { |
828 | token_t *t; |
829 | u_char *dptr = NULL; |
830 | |
831 | GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t)); |
832 | |
833 | ADD_U_CHAR(dptr, AUT_SEQ); |
834 | ADD_U_INT32(dptr, (u_int32_t) audit_count); |
835 | |
836 | return t; |
837 | } |
838 | |
839 | /* |
840 | * token ID 1 byte |
841 | * socket domain 2 bytes |
842 | * socket type 2 bytes |
843 | * address type 2 bytes |
844 | * local port 2 bytes |
845 | * local address 4 bytes/16 bytes (IPv4/IPv6 address) |
846 | * remote port 2 bytes |
847 | * remote address 4 bytes/16 bytes (IPv4/IPv6 address) |
848 | */ |
849 | token_t * |
850 | au_to_socket_ex(u_short so_domain, u_short so_type, |
851 | struct sockaddr *sa_local, struct sockaddr *sa_remote) |
852 | { |
853 | token_t *t; |
854 | u_char *dptr = NULL; |
855 | struct sockaddr_in *sin; |
856 | struct sockaddr_in6 *sin6; |
857 | |
858 | if (so_domain == AF_INET) { |
859 | GET_TOKEN_AREA(t, dptr, sizeof(u_char) + |
860 | 5 * sizeof(u_int16_t) + 2 * sizeof(u_int32_t)); |
861 | } else if (so_domain == AF_INET6) { |
862 | GET_TOKEN_AREA(t, dptr, sizeof(u_char) + |
863 | 5 * sizeof(u_int16_t) + 8 * sizeof(u_int32_t)); |
864 | } else { |
865 | return NULL; |
866 | } |
867 | |
868 | ADD_U_CHAR(dptr, AUT_SOCKET_EX); |
869 | ADD_U_INT16(dptr, au_domain_to_bsm(so_domain)); |
870 | ADD_U_INT16(dptr, au_socket_type_to_bsm(so_type)); |
871 | if (so_domain == AF_INET) { |
872 | ADD_U_INT16(dptr, AU_IPv4); |
873 | sin = (struct sockaddr_in *)sa_local; |
874 | ADD_MEM(dptr, &sin->sin_port, sizeof(uint16_t)); |
875 | ADD_MEM(dptr, &sin->sin_addr.s_addr, sizeof(uint32_t)); |
876 | sin = (struct sockaddr_in *)sa_remote; |
877 | ADD_MEM(dptr, &sin->sin_port, sizeof(uint16_t)); |
878 | ADD_MEM(dptr, &sin->sin_addr.s_addr, sizeof(uint32_t)); |
879 | } else { /* if (so_domain == AF_INET6) */ |
880 | ADD_U_INT16(dptr, AU_IPv6); |
881 | sin6 = (struct sockaddr_in6 *)sa_local; |
882 | ADD_MEM(dptr, &sin6->sin6_port, sizeof(uint16_t)); |
883 | ADD_MEM(dptr, &sin6->sin6_addr, 4 * sizeof(uint32_t)); |
884 | sin6 = (struct sockaddr_in6 *)sa_remote; |
885 | ADD_MEM(dptr, &sin6->sin6_port, sizeof(uint16_t)); |
886 | ADD_MEM(dptr, &sin6->sin6_addr, 4 * sizeof(uint32_t)); |
887 | } |
888 | |
889 | return t; |
890 | } |
891 | |
892 | /* |
893 | * token ID 1 byte |
894 | * socket family 2 bytes |
895 | * path (up to) 104 bytes + NULL |
896 | */ |
897 | token_t * |
898 | au_to_sock_unix(struct sockaddr_un *so) |
899 | { |
900 | token_t *t; |
901 | u_char *dptr; |
902 | size_t slen; |
903 | |
904 | static_assert(3 * sizeof(u_char) + sizeof(so->sun_path) + 1 <= KALLOC_SAFE_ALLOC_SIZE); |
905 | |
906 | /* |
907 | * Please note that sun_len may not be correctly set and sun_path may |
908 | * not be NULL terminated. |
909 | */ |
910 | if (so->sun_len >= offsetof(struct sockaddr_un, sun_path)) { |
911 | slen = min(a: so->sun_len - offsetof(struct sockaddr_un, sun_path), |
912 | b: strnlen(s: so->sun_path, n: sizeof(so->sun_path))); |
913 | } else { |
914 | slen = strnlen(s: so->sun_path, n: sizeof(so->sun_path)); |
915 | } |
916 | |
917 | GET_TOKEN_AREA(t, dptr, 3 * sizeof(u_char) + slen + 1); |
918 | |
919 | ADD_U_CHAR(dptr, AUT_SOCKUNIX); |
920 | /* BSM token has two bytes for family */ |
921 | ADD_U_CHAR(dptr, 0); |
922 | ADD_U_CHAR(dptr, so->sun_family); |
923 | if (slen) { |
924 | ADD_MEM(dptr, so->sun_path, slen); |
925 | } |
926 | ADD_U_CHAR(dptr, '\0'); /* make the path a null-terminated string */ |
927 | |
928 | return t; |
929 | } |
930 | |
931 | /* |
932 | * token ID 1 byte |
933 | * socket family 2 bytes |
934 | * local port 2 bytes |
935 | * socket address 4 bytes |
936 | */ |
937 | token_t * |
938 | au_to_sock_inet32(struct sockaddr_in *so) |
939 | { |
940 | token_t *t; |
941 | u_char *dptr = NULL; |
942 | |
943 | GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(uint16_t) + |
944 | sizeof(uint32_t)); |
945 | |
946 | ADD_U_CHAR(dptr, AUT_SOCKINET32); |
947 | /* |
948 | * Convert sin_family to the BSM value. Assume that both the port and |
949 | * the address in the sockaddr_in are already in network byte order, |
950 | * but family is in local byte order. |
951 | */ |
952 | ADD_U_INT16(dptr, au_domain_to_bsm(so->sin_family)); |
953 | ADD_MEM(dptr, &so->sin_port, sizeof(uint16_t)); |
954 | ADD_MEM(dptr, &so->sin_addr.s_addr, sizeof(uint32_t)); |
955 | |
956 | return t; |
957 | } |
958 | |
959 | /* |
960 | * token ID 1 byte |
961 | * socket family 2 bytes |
962 | * local port 2 bytes |
963 | * socket address 16 bytes |
964 | */ |
965 | token_t * |
966 | au_to_sock_inet128(struct sockaddr_in6 *so) |
967 | { |
968 | token_t *t; |
969 | u_char *dptr = NULL; |
970 | |
971 | GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) + |
972 | 4 * sizeof(u_int32_t)); |
973 | |
974 | ADD_U_CHAR(dptr, AUT_SOCKINET128); |
975 | ADD_U_INT16(dptr, au_domain_to_bsm(so->sin6_family)); |
976 | |
977 | ADD_U_INT16(dptr, so->sin6_port); |
978 | ADD_MEM(dptr, &so->sin6_addr, 4 * sizeof(uint32_t)); |
979 | |
980 | return t; |
981 | } |
982 | |
983 | token_t * |
984 | au_to_sock_inet(struct sockaddr_in *so) |
985 | { |
986 | return au_to_sock_inet32(so); |
987 | } |
988 | |
989 | /* |
990 | * token ID 1 byte |
991 | * audit ID 4 bytes |
992 | * effective user ID 4 bytes |
993 | * effective group ID 4 bytes |
994 | * real user ID 4 bytes |
995 | * real group ID 4 bytes |
996 | * process ID 4 bytes |
997 | * session ID 4 bytes |
998 | * terminal ID |
999 | * port ID 4 bytes/8 bytes (32-bit/64-bit value) |
1000 | * machine address 4 bytes |
1001 | */ |
1002 | token_t * |
1003 | au_to_subject32(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, |
1004 | pid_t pid, au_asid_t sid, au_tid_t *tid) |
1005 | { |
1006 | token_t *t; |
1007 | u_char *dptr = NULL; |
1008 | |
1009 | GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 9 * sizeof(u_int32_t)); |
1010 | |
1011 | ADD_U_CHAR(dptr, AUT_SUBJECT32); |
1012 | ADD_U_INT32(dptr, auid); |
1013 | ADD_U_INT32(dptr, euid); |
1014 | ADD_U_INT32(dptr, egid); |
1015 | ADD_U_INT32(dptr, ruid); |
1016 | ADD_U_INT32(dptr, rgid); |
1017 | ADD_U_INT32(dptr, pid); |
1018 | ADD_U_INT32(dptr, sid); |
1019 | ADD_U_INT32(dptr, tid->port); |
1020 | ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t)); |
1021 | |
1022 | return t; |
1023 | } |
1024 | |
1025 | token_t * |
1026 | au_to_subject64(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, |
1027 | pid_t pid, au_asid_t sid, au_tid_t *tid) |
1028 | { |
1029 | token_t *t; |
1030 | u_char *dptr = NULL; |
1031 | |
1032 | GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 7 * sizeof(u_int32_t) + |
1033 | sizeof(u_int64_t) + sizeof(u_int32_t)); |
1034 | |
1035 | ADD_U_CHAR(dptr, AUT_SUBJECT64); |
1036 | ADD_U_INT32(dptr, auid); |
1037 | ADD_U_INT32(dptr, euid); |
1038 | ADD_U_INT32(dptr, egid); |
1039 | ADD_U_INT32(dptr, ruid); |
1040 | ADD_U_INT32(dptr, rgid); |
1041 | ADD_U_INT32(dptr, pid); |
1042 | ADD_U_INT32(dptr, sid); |
1043 | ADD_U_INT64(dptr, tid->port); |
1044 | ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t)); |
1045 | |
1046 | return t; |
1047 | } |
1048 | |
1049 | token_t * |
1050 | au_to_subject(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, |
1051 | pid_t pid, au_asid_t sid, au_tid_t *tid) |
1052 | { |
1053 | return au_to_subject32(auid, euid, egid, ruid, rgid, pid, sid, |
1054 | tid); |
1055 | } |
1056 | |
1057 | /* |
1058 | * token ID 1 byte |
1059 | * audit ID 4 bytes |
1060 | * effective user ID 4 bytes |
1061 | * effective group ID 4 bytes |
1062 | * real user ID 4 bytes |
1063 | * real group ID 4 bytes |
1064 | * process ID 4 bytes |
1065 | * session ID 4 bytes |
1066 | * terminal ID |
1067 | * port ID 4 bytes/8 bytes (32-bit/64-bit value) |
1068 | * address type/length 4 bytes |
1069 | * machine address 4/16 bytes |
1070 | */ |
1071 | token_t * |
1072 | au_to_subject32_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, |
1073 | gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid) |
1074 | { |
1075 | token_t *t; |
1076 | u_char *dptr = NULL; |
1077 | |
1078 | KASSERT((tid->at_type == AU_IPv4) || (tid->at_type == AU_IPv6), |
1079 | ("au_to_subject32_ex: type %u" , (unsigned int)tid->at_type)); |
1080 | if (tid->at_type == AU_IPv6) { |
1081 | GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 13 * |
1082 | sizeof(u_int32_t)); |
1083 | } else { |
1084 | GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 10 * |
1085 | sizeof(u_int32_t)); |
1086 | } |
1087 | |
1088 | ADD_U_CHAR(dptr, AUT_SUBJECT32_EX); |
1089 | ADD_U_INT32(dptr, auid); |
1090 | ADD_U_INT32(dptr, euid); |
1091 | ADD_U_INT32(dptr, egid); |
1092 | ADD_U_INT32(dptr, ruid); |
1093 | ADD_U_INT32(dptr, rgid); |
1094 | ADD_U_INT32(dptr, pid); |
1095 | ADD_U_INT32(dptr, sid); |
1096 | ADD_U_INT32(dptr, tid->at_port); |
1097 | ADD_U_INT32(dptr, tid->at_type); |
1098 | if (tid->at_type == AU_IPv6) { |
1099 | ADD_MEM(dptr, &tid->at_addr[0], 4 * sizeof(u_int32_t)); |
1100 | } else { |
1101 | ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t)); |
1102 | } |
1103 | |
1104 | return t; |
1105 | } |
1106 | |
1107 | token_t * |
1108 | au_to_subject64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, |
1109 | gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid) |
1110 | { |
1111 | token_t *t = NULL; |
1112 | u_char *dptr = NULL; |
1113 | |
1114 | if (tid->at_type == AU_IPv4) { |
1115 | GET_TOKEN_AREA(t, dptr, sizeof(u_char) + |
1116 | 7 * sizeof(u_int32_t) + sizeof(u_int64_t) + |
1117 | 2 * sizeof(u_int32_t)); |
1118 | } else if (tid->at_type == AU_IPv6) { |
1119 | GET_TOKEN_AREA(t, dptr, sizeof(u_char) + |
1120 | 7 * sizeof(u_int32_t) + sizeof(u_int64_t) + |
1121 | 5 * sizeof(u_int32_t)); |
1122 | } else { |
1123 | panic("au_to_subject64_ex: invalid at_type (%d)" , |
1124 | tid->at_type); |
1125 | } |
1126 | |
1127 | ADD_U_CHAR(dptr, AUT_SUBJECT64_EX); |
1128 | ADD_U_INT32(dptr, auid); |
1129 | ADD_U_INT32(dptr, euid); |
1130 | ADD_U_INT32(dptr, egid); |
1131 | ADD_U_INT32(dptr, ruid); |
1132 | ADD_U_INT32(dptr, rgid); |
1133 | ADD_U_INT32(dptr, pid); |
1134 | ADD_U_INT32(dptr, sid); |
1135 | ADD_U_INT64(dptr, tid->at_port); |
1136 | ADD_U_INT32(dptr, tid->at_type); |
1137 | if (tid->at_type == AU_IPv6) { |
1138 | ADD_MEM(dptr, &tid->at_addr[0], 4 * sizeof(u_int32_t)); |
1139 | } else { |
1140 | ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t)); |
1141 | } |
1142 | |
1143 | return t; |
1144 | } |
1145 | |
1146 | token_t * |
1147 | au_to_subject_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, |
1148 | gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid) |
1149 | { |
1150 | return au_to_subject32_ex(auid, euid, egid, ruid, rgid, pid, sid, |
1151 | tid); |
1152 | } |
1153 | |
1154 | #if !defined(_KERNEL) && !defined(KERNEL) && defined(HAVE_AUDIT_SYSCALLS) |
1155 | /* |
1156 | * Collects audit information for the current process |
1157 | * and creates a subject token from it |
1158 | */ |
1159 | token_t * |
1160 | au_to_me(void) |
1161 | { |
1162 | auditinfo_t auinfo; |
1163 | |
1164 | if (getaudit(&auinfo) != 0) { |
1165 | return NULL; |
1166 | } |
1167 | |
1168 | return au_to_subject32(auinfo.ai_auid, geteuid(), getegid(), |
1169 | getuid(), getgid(), getpid(), auinfo.ai_asid, &auinfo.ai_termid); |
1170 | } |
1171 | #endif |
1172 | |
1173 | #if defined(_KERNEL) || defined(KERNEL) |
1174 | static token_t * |
1175 | au_to_exec_strings(const char *strs, int count, u_char type) |
1176 | { |
1177 | token_t *t; |
1178 | u_char *dptr = NULL; |
1179 | u_int32_t totlen; |
1180 | int ctr; |
1181 | const char *p; |
1182 | size_t nextlen; |
1183 | size_t tokenlen; |
1184 | const size_t totlen_max = KALLOC_SAFE_ALLOC_SIZE - sizeof(u_char) - sizeof(u_int32_t); |
1185 | |
1186 | totlen = 0; |
1187 | ctr = count; |
1188 | p = strs; |
1189 | while (ctr-- > 0) { |
1190 | nextlen = strlen(s: p); |
1191 | |
1192 | if (totlen + nextlen + 1 >= totlen_max) { |
1193 | break; |
1194 | } |
1195 | |
1196 | totlen += nextlen + 1; |
1197 | p = strs + totlen; |
1198 | } |
1199 | |
1200 | tokenlen = sizeof(u_char) + sizeof(u_int32_t) + totlen; |
1201 | KASSERT(tokenlen <= KALLOC_SAFE_ALLOC_SIZE, |
1202 | ("au_to_exec_strings: token length (%zu) exceeds maximum allowed size" , tokenlen)); |
1203 | |
1204 | GET_TOKEN_AREA(t, dptr, tokenlen); |
1205 | ADD_U_CHAR(dptr, type); |
1206 | ADD_U_INT32(dptr, count); |
1207 | ADD_STRING(dptr, strs, totlen); |
1208 | |
1209 | return t; |
1210 | } |
1211 | |
1212 | /* |
1213 | * token ID 1 byte |
1214 | * count 4 bytes |
1215 | * text count null-terminated strings |
1216 | */ |
1217 | token_t * |
1218 | au_to_exec_args(char *args, int argc) |
1219 | { |
1220 | return au_to_exec_strings(strs: args, count: argc, AUT_EXEC_ARGS); |
1221 | } |
1222 | |
1223 | /* |
1224 | * token ID 1 byte |
1225 | * count 4 bytes |
1226 | * text count null-terminated strings |
1227 | */ |
1228 | token_t * |
1229 | au_to_exec_env(char *envs, int envc) |
1230 | { |
1231 | return au_to_exec_strings(strs: envs, count: envc, AUT_EXEC_ENV); |
1232 | } |
1233 | |
1234 | /* |
1235 | * token ID 1 byte |
1236 | * count 4 bytes |
1237 | * text count null-terminated strings |
1238 | */ |
1239 | token_t * |
1240 | au_to_certificate_hash(char *hashes, int hashc) |
1241 | { |
1242 | return au_to_exec_strings(strs: hashes, count: hashc, AUT_CERT_HASH); |
1243 | } |
1244 | |
1245 | /* |
1246 | * token ID 1 byte |
1247 | * count 4 bytes |
1248 | * text count null-terminated strings |
1249 | */ |
1250 | token_t * |
1251 | au_to_krb5_principal(char *principals, int princ) |
1252 | { |
1253 | return au_to_exec_strings(strs: principals, count: princ, AUT_KRB5_PRINCIPAL); |
1254 | } |
1255 | #else |
1256 | /* |
1257 | * token ID 1 byte |
1258 | * count 4 bytes |
1259 | * text count null-terminated strings |
1260 | */ |
1261 | token_t * |
1262 | au_to_exec_args(char **argv) |
1263 | { |
1264 | token_t *t; |
1265 | u_char *dptr = NULL; |
1266 | const char *nextarg; |
1267 | size_t nextlen; |
1268 | int i, count = 0; |
1269 | size_t totlen = 0; |
1270 | size_t tokenlen; |
1271 | const size_t totlen_max = KALLOC_SAFE_ALLOC_SIZE - sizeof(u_char) - sizeof(u_int32_t); |
1272 | |
1273 | nextarg = *argv; |
1274 | |
1275 | while (nextarg != NULL) { |
1276 | nextlen = strlen(nextarg); |
1277 | |
1278 | if (totlen + nextlen + 1 >= totlen_max) { |
1279 | break; |
1280 | } |
1281 | |
1282 | totlen += nextlen + 1; |
1283 | count++; |
1284 | nextarg = *(argv + count); |
1285 | } |
1286 | |
1287 | tokenlen = sizeof(u_char) + sizeof(u_int32_t) + totlen; |
1288 | KASSERT(tokenlen <= KALLOC_SAFE_ALLOC_SIZE, |
1289 | ("au_to_exec_args: token length (%zu) exceeds maximum allowed size" , tokenlen)); |
1290 | |
1291 | GET_TOKEN_AREA(t, dptr, tokenlen); |
1292 | |
1293 | ADD_U_CHAR(dptr, AUT_EXEC_ARGS); |
1294 | ADD_U_INT32(dptr, count); |
1295 | |
1296 | for (i = 0; i < count; i++) { |
1297 | nextarg = *(argv + i); |
1298 | ADD_MEM(dptr, nextarg, strlen(nextarg) + 1); |
1299 | } |
1300 | |
1301 | return t; |
1302 | } |
1303 | |
1304 | /* |
1305 | * token ID 1 byte |
1306 | * zonename length 2 bytes |
1307 | * zonename N bytes + 1 terminating NULL byte |
1308 | */ |
1309 | token_t * |
1310 | au_to_zonename(char *zonename) |
1311 | { |
1312 | u_char *dptr = NULL; |
1313 | u_int16_t textlen; |
1314 | size_t tokenlen; |
1315 | token_t *t; |
1316 | |
1317 | textlen = strlen(zonename); |
1318 | textlen += 1; |
1319 | |
1320 | tokenlen = sizeof(u_char) + sizeof(u_int16_t) + textlen; |
1321 | KASSERT(tokenlen <= KALLOC_SAFE_ALLOC_SIZE, |
1322 | ("au_to_zonename: token length (%zu) exceeds maximum allowed size" , tokenlen)); |
1323 | |
1324 | GET_TOKEN_AREA(t, dptr, tokenlen); |
1325 | ADD_U_CHAR(dptr, AUT_ZONENAME); |
1326 | ADD_U_INT16(dptr, textlen); |
1327 | ADD_STRING(dptr, zonename, textlen); |
1328 | return t; |
1329 | } |
1330 | |
1331 | /* |
1332 | * token ID 1 byte |
1333 | * count 4 bytes |
1334 | * text count null-terminated strings |
1335 | */ |
1336 | token_t * |
1337 | au_to_exec_env(char **envp) |
1338 | { |
1339 | token_t *t; |
1340 | u_char *dptr = NULL; |
1341 | int i, count = 0; |
1342 | size_t nextlen; |
1343 | size_t totlen = 0; |
1344 | const char *nextenv; |
1345 | size_t tokenlen; |
1346 | const size_t totlen_max = KALLOC_SAFE_ALLOC_SIZE - sizeof(u_char) - sizeof(u_int32_t); |
1347 | |
1348 | nextenv = *envp; |
1349 | |
1350 | while (nextenv != NULL) { |
1351 | nextlen = strlen(nextenv); |
1352 | |
1353 | if (totlen + nextlen + 1 >= totlen_max) { |
1354 | break; |
1355 | } |
1356 | |
1357 | totlen += nextlen + 1; |
1358 | count++; |
1359 | nextenv = *(envp + count); |
1360 | } |
1361 | |
1362 | tokenlen = sizeof(u_char) + sizeof(u_int32_t) + totlen; |
1363 | KASSERT(tokenlen <= KALLOC_SAFE_ALLOC_SIZE, |
1364 | ("au_to_exec_env: token length (%zu) exceeds maximum allowed size" , tokenlen)); |
1365 | |
1366 | GET_TOKEN_AREA(t, dptr, tokenlen); |
1367 | |
1368 | ADD_U_CHAR(dptr, AUT_EXEC_ENV); |
1369 | ADD_U_INT32(dptr, count); |
1370 | |
1371 | for (i = 0; i < count; i++) { |
1372 | nextenv = *(envp + i); |
1373 | ADD_MEM(dptr, nextenv, strlen(nextenv) + 1); |
1374 | } |
1375 | |
1376 | return t; |
1377 | } |
1378 | #endif /* !(defined(_KERNEL) || defined(KERNEL)) */ |
1379 | |
1380 | /* |
1381 | * token ID 1 byte |
1382 | * signer type 4 bytes |
1383 | * signer id length 2 bytes |
1384 | * signer id n bytes |
1385 | * signer id truncated 1 byte |
1386 | * team id length 2 bytes |
1387 | * team id n bytes |
1388 | * team id truncated 1 byte |
1389 | * cdhash length 2 bytes |
1390 | * cdhash n bytes |
1391 | */ |
1392 | token_t* |
1393 | au_to_identity(uint32_t signer_type, const char* signing_id, |
1394 | u_char signing_id_trunc, const char* team_id, u_char team_id_trunc, |
1395 | uint8_t* cdhash, uint16_t cdhash_len) |
1396 | { |
1397 | token_t *t = NULL; |
1398 | u_char *dptr = NULL; |
1399 | size_t signing_id_len = 0; |
1400 | size_t team_id_len = 0; |
1401 | size_t totlen = 0; |
1402 | |
1403 | if (signing_id) { |
1404 | signing_id_len = strlen(s: signing_id); |
1405 | } |
1406 | |
1407 | if (team_id) { |
1408 | team_id_len = strlen(s: team_id); |
1409 | } |
1410 | |
1411 | totlen = |
1412 | sizeof(u_char) + // token id |
1413 | sizeof(uint32_t) + // signer type |
1414 | sizeof(uint16_t) + // singing id length |
1415 | signing_id_len + // length of signing id to copy |
1416 | sizeof(u_char) + // null terminator for signing id |
1417 | sizeof(u_char) + // if signing id truncated |
1418 | sizeof(uint16_t) + // team id length |
1419 | team_id_len + // length of team id to copy |
1420 | sizeof(u_char) + // null terminator for team id |
1421 | sizeof(u_char) + // if team id truncated |
1422 | sizeof(uint16_t) + // cdhash length |
1423 | cdhash_len; // cdhash buffer |
1424 | |
1425 | KASSERT(totlen <= KALLOC_SAFE_ALLOC_SIZE, |
1426 | ("au_to_identity: token length (%zu) exceeds maximum allowed size" , tokenlen)); |
1427 | GET_TOKEN_AREA(t, dptr, totlen); |
1428 | |
1429 | ADD_U_CHAR(dptr, AUT_IDENTITY); // token id |
1430 | ADD_U_INT32(dptr, signer_type); // signer type |
1431 | ADD_U_INT16(dptr, signing_id_len + 1); // signing id length+null |
1432 | ADD_STRING(dptr, signing_id, signing_id_len); // truncated signing id |
1433 | ADD_U_CHAR(dptr, 0); // null terminator byte |
1434 | ADD_U_CHAR(dptr, signing_id_trunc); // if signing id is trunc |
1435 | ADD_U_INT16(dptr, team_id_len + 1); // team id length+null |
1436 | ADD_STRING(dptr, team_id, team_id_len); // truncated team id |
1437 | ADD_U_CHAR(dptr, 0); // null terminator byte |
1438 | ADD_U_CHAR(dptr, team_id_trunc); // if team id is trunc |
1439 | ADD_U_INT16(dptr, cdhash_len); // cdhash length |
1440 | ADD_MEM(dptr, cdhash, cdhash_len); // cdhash |
1441 | |
1442 | return t; |
1443 | } |
1444 | |
1445 | /* |
1446 | * token ID 1 byte |
1447 | * record byte count 4 bytes |
1448 | * version # 1 byte |
1449 | * event type 2 bytes |
1450 | * event modifier 2 bytes |
1451 | * address type/length 4 bytes |
1452 | * machine address 4 bytes/16 bytes (IPv4/IPv6 address) |
1453 | * seconds of time 4 bytes/8 bytes (32/64-bits) |
1454 | * milliseconds of time 4 bytes/8 bytes (32/64-bits) |
1455 | */ |
1456 | token_t * |
1457 | (int rec_size, au_event_t e_type, au_emod_t e_mod, |
1458 | struct timeval tm, struct auditinfo_addr *aia) |
1459 | { |
1460 | token_t *t; |
1461 | u_char *dptr = NULL; |
1462 | u_int32_t timems; |
1463 | struct au_tid_addr *tid; |
1464 | size_t tokenlen; |
1465 | |
1466 | tid = &aia->ai_termid; |
1467 | KASSERT(tid->at_type == AU_IPv4 || tid->at_type == AU_IPv6, |
1468 | ("au_to_header32_ex_tm: invalid address family" )); |
1469 | |
1470 | tokenlen = sizeof(u_char) + sizeof(u_int32_t) + |
1471 | sizeof(u_char) + 2 * sizeof(u_int16_t) + 3 * sizeof(u_int32_t) + |
1472 | tid->at_type; |
1473 | KASSERT(tokenlen <= KALLOC_SAFE_ALLOC_SIZE, |
1474 | ("au_to_header32_ex_tm: token length (%zu) exceeds maximum allowed size" , tokenlen)); |
1475 | |
1476 | GET_TOKEN_AREA(t, dptr, tokenlen); |
1477 | |
1478 | ADD_U_CHAR(dptr, AUT_HEADER32_EX); |
1479 | ADD_U_INT32(dptr, rec_size); |
1480 | ADD_U_CHAR(dptr, AUDIT_HEADER_VERSION_OPENBSM); |
1481 | ADD_U_INT16(dptr, e_type); |
1482 | ADD_U_INT16(dptr, e_mod); |
1483 | ADD_U_INT32(dptr, tid->at_type); |
1484 | if (tid->at_type == AU_IPv6) { |
1485 | ADD_MEM(dptr, &tid->at_addr[0], 4 * sizeof(u_int32_t)); |
1486 | } else { |
1487 | ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t)); |
1488 | } |
1489 | timems = tm.tv_usec / 1000; |
1490 | /* Add the timestamp */ |
1491 | ADD_U_INT32(dptr, tm.tv_sec); |
1492 | ADD_U_INT32(dptr, timems); /* We need time in ms. */ |
1493 | return t; |
1494 | } |
1495 | |
1496 | /* |
1497 | * token ID 1 byte |
1498 | * record byte count 4 bytes |
1499 | * version # 1 byte [2] |
1500 | * event type 2 bytes |
1501 | * event modifier 2 bytes |
1502 | * seconds of time 4 bytes/8 bytes (32-bit/64-bit value) |
1503 | * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value) |
1504 | */ |
1505 | token_t * |
1506 | (int rec_size, au_event_t e_type, au_emod_t e_mod, |
1507 | struct timeval tm) |
1508 | { |
1509 | token_t *t; |
1510 | u_char *dptr = NULL; |
1511 | u_int32_t timems; |
1512 | |
1513 | GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + |
1514 | sizeof(u_char) + 2 * sizeof(u_int16_t) + 2 * sizeof(u_int32_t)); |
1515 | |
1516 | ADD_U_CHAR(dptr, AUT_HEADER32); |
1517 | ADD_U_INT32(dptr, rec_size); |
1518 | ADD_U_CHAR(dptr, AUDIT_HEADER_VERSION_OPENBSM); |
1519 | ADD_U_INT16(dptr, e_type); |
1520 | ADD_U_INT16(dptr, e_mod); |
1521 | |
1522 | timems = tm.tv_usec / 1000; |
1523 | /* Add the timestamp */ |
1524 | ADD_U_INT32(dptr, tm.tv_sec); |
1525 | ADD_U_INT32(dptr, timems); /* We need time in ms. */ |
1526 | |
1527 | return t; |
1528 | } |
1529 | |
1530 | token_t * |
1531 | (int rec_size, au_event_t e_type, au_emod_t e_mod, |
1532 | struct timeval tm) |
1533 | { |
1534 | token_t *t; |
1535 | u_char *dptr = NULL; |
1536 | u_int32_t timems; |
1537 | |
1538 | GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + |
1539 | sizeof(u_char) + 2 * sizeof(u_int16_t) + 2 * sizeof(u_int64_t)); |
1540 | |
1541 | ADD_U_CHAR(dptr, AUT_HEADER64); |
1542 | ADD_U_INT32(dptr, rec_size); |
1543 | ADD_U_CHAR(dptr, AUDIT_HEADER_VERSION_OPENBSM); |
1544 | ADD_U_INT16(dptr, e_type); |
1545 | ADD_U_INT16(dptr, e_mod); |
1546 | |
1547 | timems = tm.tv_usec / 1000; |
1548 | /* Add the timestamp */ |
1549 | ADD_U_INT64(dptr, tm.tv_sec); |
1550 | ADD_U_INT64(dptr, timems); /* We need time in ms. */ |
1551 | |
1552 | return t; |
1553 | } |
1554 | |
1555 | /* |
1556 | * token ID 1 byte |
1557 | * trailer magic number 2 bytes |
1558 | * record byte count 4 bytes |
1559 | */ |
1560 | token_t * |
1561 | au_to_trailer(int rec_size) |
1562 | { |
1563 | token_t *t; |
1564 | u_char *dptr = NULL; |
1565 | u_int16_t magic = AUT_TRAILER_MAGIC; |
1566 | |
1567 | GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + |
1568 | sizeof(u_int32_t)); |
1569 | |
1570 | ADD_U_CHAR(dptr, AUT_TRAILER); |
1571 | ADD_U_INT16(dptr, magic); |
1572 | ADD_U_INT32(dptr, rec_size); |
1573 | |
1574 | return t; |
1575 | } |
1576 | #endif /* CONFIG_AUDIT */ |
1577 | |