freebsd-dev/sys/security/audit/bsm_token.c
Robert Watson 6f1cbda73d Four .c files from OpenBSM are used, in modified form, by the kernel to
implement the BSM audit trail format.  Rename the kernel versions of the
files to match the userspace filenames so that it's easier to work out
what they correspond to, and therefore ensure they are kept in-sync.

Obtained from:	TrustedBSD Project
2012-12-15 15:21:09 +00:00

1598 lines
38 KiB
C

/*-
* Copyright (c) 2004-2009 Apple Inc.
* Copyright (c) 2005 SPARTA, Inc.
* All rights reserved.
*
* This code was developed in part by Robert N. M. Watson, Senior Principal
* Scientist, SPARTA, Inc.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of Apple Inc. ("Apple") nor the names of
* its contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
* ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
* P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_token.c#99
*/
#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");
#include <sys/param.h>
#include <sys/types.h>
#include <sys/endian.h>
#include <sys/queue.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <sys/ipc.h>
#include <sys/libkern.h>
#include <sys/malloc.h>
#include <sys/un.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <bsm/audit.h>
#include <bsm/audit_internal.h>
#include <bsm/audit_record.h>
#include <security/audit/audit.h>
#include <security/audit/audit_private.h>
#define GET_TOKEN_AREA(t, dptr, length) do { \
t = malloc(sizeof(token_t), M_AUDITBSM, M_WAITOK); \
t->t_data = malloc(length, M_AUDITBSM, M_WAITOK | M_ZERO); \
t->len = length; \
dptr = t->t_data; \
} while (0)
/*
* token ID 1 byte
* success/failure 1 byte
* privstrlen 2 bytes
* privstr N bytes + 1 (\0 byte)
*/
token_t *
au_to_upriv(char sorf, char *priv)
{
u_int16_t textlen;
u_char *dptr;
token_t *t;
textlen = strlen(priv) + 1;
GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_char) +
sizeof(u_int16_t) + textlen);
ADD_U_CHAR(dptr, AUT_UPRIV);
ADD_U_CHAR(dptr, sorf);
ADD_U_INT16(dptr, textlen);
ADD_STRING(dptr, priv, textlen);
return (t);
}
/*
* token ID 1 byte
* privtstrlen 2 bytes
* privtstr N bytes + 1
* privstrlen 2 bytes
* privstr N bytes + 1
*/
token_t *
au_to_privset(char *privtypestr, char *privstr)
{
u_int16_t type_len, priv_len;
u_char *dptr;
token_t *t;
type_len = strlen(privtypestr) + 1;
priv_len = strlen(privstr) + 1;
GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) +
sizeof(u_int16_t) + type_len + priv_len);
ADD_U_CHAR(dptr, AUT_PRIV);
ADD_U_INT16(dptr, type_len);
ADD_STRING(dptr, privtypestr, type_len);
ADD_U_INT16(dptr, priv_len);
ADD_STRING(dptr, privstr, priv_len);
return (t);
}
/*
* token ID 1 byte
* argument # 1 byte
* argument value 4 bytes/8 bytes (32-bit/64-bit value)
* text length 2 bytes
* text N bytes + 1 terminating NULL byte
*/
token_t *
au_to_arg32(char n, const char *text, u_int32_t v)
{
token_t *t;
u_char *dptr = NULL;
u_int16_t textlen;
textlen = strlen(text);
textlen += 1;
GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int32_t) +
sizeof(u_int16_t) + textlen);
ADD_U_CHAR(dptr, AUT_ARG32);
ADD_U_CHAR(dptr, n);
ADD_U_INT32(dptr, v);
ADD_U_INT16(dptr, textlen);
ADD_STRING(dptr, text, textlen);
return (t);
}
token_t *
au_to_arg64(char n, const char *text, u_int64_t v)
{
token_t *t;
u_char *dptr = NULL;
u_int16_t textlen;
textlen = strlen(text);
textlen += 1;
GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int64_t) +
sizeof(u_int16_t) + textlen);
ADD_U_CHAR(dptr, AUT_ARG64);
ADD_U_CHAR(dptr, n);
ADD_U_INT64(dptr, v);
ADD_U_INT16(dptr, textlen);
ADD_STRING(dptr, text, textlen);
return (t);
}
token_t *
au_to_arg(char n, const char *text, u_int32_t v)
{
return (au_to_arg32(n, text, v));
}
#if defined(_KERNEL) || defined(KERNEL)
/*
* token ID 1 byte
* file access mode 4 bytes
* owner user ID 4 bytes
* owner group ID 4 bytes
* file system ID 4 bytes
* node ID 8 bytes
* device 4 bytes/8 bytes (32-bit/64-bit)
*/
token_t *
au_to_attr32(struct vnode_au_info *vni)
{
token_t *t;
u_char *dptr = NULL;
u_int16_t pad0_16 = 0;
u_int32_t pad0_32 = 0;
GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) +
3 * sizeof(u_int32_t) + sizeof(u_int64_t) + sizeof(u_int32_t));
ADD_U_CHAR(dptr, AUT_ATTR32);
/*
* BSD defines the size for the file mode as 2 bytes; BSM defines 4
* so pad with 0.
*
* XXXRW: Possibly should be conditionally compiled.
*
* XXXRW: Should any conversions take place on the mode?
*/
ADD_U_INT16(dptr, pad0_16);
ADD_U_INT16(dptr, vni->vn_mode);
ADD_U_INT32(dptr, vni->vn_uid);
ADD_U_INT32(dptr, vni->vn_gid);
ADD_U_INT32(dptr, vni->vn_fsid);
/*
* Some systems use 32-bit file ID's, others use 64-bit file IDs.
* Attempt to handle both, and let the compiler sort it out. If we
* could pick this out at compile-time, it would be better, so as to
* avoid the else case below.
*/
if (sizeof(vni->vn_fileid) == sizeof(uint32_t)) {
ADD_U_INT32(dptr, pad0_32);
ADD_U_INT32(dptr, vni->vn_fileid);
} else if (sizeof(vni->vn_fileid) == sizeof(uint64_t))
ADD_U_INT64(dptr, vni->vn_fileid);
else
ADD_U_INT64(dptr, 0LL);
ADD_U_INT32(dptr, vni->vn_dev);
return (t);
}
token_t *
au_to_attr64(struct vnode_au_info *vni)
{
token_t *t;
u_char *dptr = NULL;
u_int16_t pad0_16 = 0;
u_int32_t pad0_32 = 0;
GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) +
3 * sizeof(u_int32_t) + sizeof(u_int64_t) * 2);
ADD_U_CHAR(dptr, AUT_ATTR64);
/*
* BSD defines the size for the file mode as 2 bytes; BSM defines 4
* so pad with 0.
*
* XXXRW: Possibly should be conditionally compiled.
*
* XXXRW: Should any conversions take place on the mode?
*/
ADD_U_INT16(dptr, pad0_16);
ADD_U_INT16(dptr, vni->vn_mode);
ADD_U_INT32(dptr, vni->vn_uid);
ADD_U_INT32(dptr, vni->vn_gid);
ADD_U_INT32(dptr, vni->vn_fsid);
/*
* Some systems use 32-bit file ID's, other's use 64-bit file IDs.
* Attempt to handle both, and let the compiler sort it out. If we
* could pick this out at compile-time, it would be better, so as to
* avoid the else case below.
*/
if (sizeof(vni->vn_fileid) == sizeof(uint32_t)) {
ADD_U_INT32(dptr, pad0_32);
ADD_U_INT32(dptr, vni->vn_fileid);
} else if (sizeof(vni->vn_fileid) == sizeof(uint64_t))
ADD_U_INT64(dptr, vni->vn_fileid);
else
ADD_U_INT64(dptr, 0LL);
ADD_U_INT64(dptr, vni->vn_dev);
return (t);
}
token_t *
au_to_attr(struct vnode_au_info *vni)
{
return (au_to_attr32(vni));
}
#endif /* !(defined(_KERNEL) || defined(KERNEL) */
/*
* token ID 1 byte
* how to print 1 byte
* basic unit 1 byte
* unit count 1 byte
* data items (depends on basic unit)
*/
token_t *
au_to_data(char unit_print, char unit_type, char unit_count, const char *p)
{
token_t *t;
u_char *dptr = NULL;
size_t datasize, totdata;
/* Determine the size of the basic unit. */
switch (unit_type) {
case AUR_BYTE:
/* case AUR_CHAR: */
datasize = AUR_BYTE_SIZE;
break;
case AUR_SHORT:
datasize = AUR_SHORT_SIZE;
break;
case AUR_INT32:
/* case AUR_INT: */
datasize = AUR_INT32_SIZE;
break;
case AUR_INT64:
datasize = AUR_INT64_SIZE;
break;
default:
return (NULL);
}
totdata = datasize * unit_count;
GET_TOKEN_AREA(t, dptr, 4 * sizeof(u_char) + totdata);
/*
* XXXRW: We should be byte-swapping each data item for multi-byte
* types.
*/
ADD_U_CHAR(dptr, AUT_DATA);
ADD_U_CHAR(dptr, unit_print);
ADD_U_CHAR(dptr, unit_type);
ADD_U_CHAR(dptr, unit_count);
ADD_MEM(dptr, p, totdata);
return (t);
}
/*
* token ID 1 byte
* status 4 bytes
* return value 4 bytes
*/
token_t *
au_to_exit(int retval, int err)
{
token_t *t;
u_char *dptr = NULL;
GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int32_t));
ADD_U_CHAR(dptr, AUT_EXIT);
ADD_U_INT32(dptr, err);
ADD_U_INT32(dptr, retval);
return (t);
}
/*
*/
token_t *
au_to_groups(int *groups)
{
return (au_to_newgroups(AUDIT_MAX_GROUPS, (gid_t *)groups));
}
/*
* token ID 1 byte
* number groups 2 bytes
* group list count * 4 bytes
*/
token_t *
au_to_newgroups(u_int16_t n, gid_t *groups)
{
token_t *t;
u_char *dptr = NULL;
int i;
GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) +
n * sizeof(u_int32_t));
ADD_U_CHAR(dptr, AUT_NEWGROUPS);
ADD_U_INT16(dptr, n);
for (i = 0; i < n; i++)
ADD_U_INT32(dptr, groups[i]);
return (t);
}
/*
* token ID 1 byte
* internet address 4 bytes
*/
token_t *
au_to_in_addr(struct in_addr *internet_addr)
{
token_t *t;
u_char *dptr = NULL;
GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(uint32_t));
ADD_U_CHAR(dptr, AUT_IN_ADDR);
ADD_MEM(dptr, &internet_addr->s_addr, sizeof(uint32_t));
return (t);
}
/*
* token ID 1 byte
* address type/length 4 bytes
* address 16 bytes
*/
token_t *
au_to_in_addr_ex(struct in6_addr *internet_addr)
{
token_t *t;
u_char *dptr = NULL;
u_int32_t type = AU_IPv6;
GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 5 * sizeof(uint32_t));
ADD_U_CHAR(dptr, AUT_IN_ADDR_EX);
ADD_U_INT32(dptr, type);
ADD_MEM(dptr, internet_addr, 4 * sizeof(uint32_t));
return (t);
}
/*
* token ID 1 byte
* ip header 20 bytes
*
* The IP header should be submitted in network byte order.
*/
token_t *
au_to_ip(struct ip *ip)
{
token_t *t;
u_char *dptr = NULL;
GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(struct ip));
ADD_U_CHAR(dptr, AUT_IP);
ADD_MEM(dptr, ip, sizeof(struct ip));
return (t);
}
/*
* token ID 1 byte
* object ID type 1 byte
* object ID 4 bytes
*/
token_t *
au_to_ipc(char type, int id)
{
token_t *t;
u_char *dptr = NULL;
GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int32_t));
ADD_U_CHAR(dptr, AUT_IPC);
ADD_U_CHAR(dptr, type);
ADD_U_INT32(dptr, id);
return (t);
}
/*
* token ID 1 byte
* owner user ID 4 bytes
* owner group ID 4 bytes
* creator user ID 4 bytes
* creator group ID 4 bytes
* access mode 4 bytes
* slot sequence # 4 bytes
* key 4 bytes
*/
token_t *
au_to_ipc_perm(struct ipc_perm *perm)
{
token_t *t;
u_char *dptr = NULL;
u_int16_t pad0 = 0;
GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 12 * sizeof(u_int16_t) +
sizeof(u_int32_t));
ADD_U_CHAR(dptr, AUT_IPC_PERM);
/*
* Systems vary significantly in what types they use in struct
* ipc_perm; at least a few still use 16-bit uid's and gid's, so
* allow for that, as BSM define 32-bit values here.
* Some systems define the sizes for ipc_perm members as 2 bytes;
* BSM defines 4 so pad with 0.
*
* XXXRW: Possibly shoulid be conditionally compiled, and more cases
* need to be handled.
*/
if (sizeof(perm->uid) != sizeof(u_int32_t)) {
ADD_U_INT16(dptr, pad0);
ADD_U_INT16(dptr, perm->uid);
ADD_U_INT16(dptr, pad0);
ADD_U_INT16(dptr, perm->gid);
ADD_U_INT16(dptr, pad0);
ADD_U_INT16(dptr, perm->cuid);
ADD_U_INT16(dptr, pad0);
ADD_U_INT16(dptr, perm->cgid);
} else {
ADD_U_INT32(dptr, perm->uid);
ADD_U_INT32(dptr, perm->gid);
ADD_U_INT32(dptr, perm->cuid);
ADD_U_INT32(dptr, perm->cgid);
}
ADD_U_INT16(dptr, pad0);
ADD_U_INT16(dptr, perm->mode);
ADD_U_INT16(dptr, pad0);
ADD_U_INT16(dptr, perm->seq);
ADD_U_INT32(dptr, perm->key);
return (t);
}
/*
* token ID 1 byte
* port IP address 2 bytes
*/
token_t *
au_to_iport(u_int16_t iport)
{
token_t *t;
u_char *dptr = NULL;
GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t));
ADD_U_CHAR(dptr, AUT_IPORT);
ADD_U_INT16(dptr, iport);
return (t);
}
/*
* token ID 1 byte
* size 2 bytes
* data size bytes
*/
token_t *
au_to_opaque(const char *data, u_int16_t bytes)
{
token_t *t;
u_char *dptr = NULL;
GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + bytes);
ADD_U_CHAR(dptr, AUT_OPAQUE);
ADD_U_INT16(dptr, bytes);
ADD_MEM(dptr, data, bytes);
return (t);
}
/*
* token ID 1 byte
* seconds of time 4 bytes
* milliseconds of time 4 bytes
* file name len 2 bytes
* file pathname N bytes + 1 terminating NULL byte
*/
token_t *
au_to_file(const char *file, struct timeval tm)
{
token_t *t;
u_char *dptr = NULL;
u_int16_t filelen;
u_int32_t timems;
filelen = strlen(file);
filelen += 1;
GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int32_t) +
sizeof(u_int16_t) + filelen);
timems = tm.tv_usec/1000;
ADD_U_CHAR(dptr, AUT_OTHER_FILE32);
ADD_U_INT32(dptr, tm.tv_sec);
ADD_U_INT32(dptr, timems); /* We need time in ms. */
ADD_U_INT16(dptr, filelen);
ADD_STRING(dptr, file, filelen);
return (t);
}
/*
* token ID 1 byte
* text length 2 bytes
* text N bytes + 1 terminating NULL byte
*/
token_t *
au_to_text(const char *text)
{
token_t *t;
u_char *dptr = NULL;
u_int16_t textlen;
textlen = strlen(text);
textlen += 1;
/* XXXRW: Should validate length against token size limit. */
GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + textlen);
ADD_U_CHAR(dptr, AUT_TEXT);
ADD_U_INT16(dptr, textlen);
ADD_STRING(dptr, text, textlen);
return (t);
}
/*
* token ID 1 byte
* path length 2 bytes
* path N bytes + 1 terminating NULL byte
*/
token_t *
au_to_path(const char *text)
{
token_t *t;
u_char *dptr = NULL;
u_int16_t textlen;
textlen = strlen(text);
textlen += 1;
GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + textlen);
ADD_U_CHAR(dptr, AUT_PATH);
ADD_U_INT16(dptr, textlen);
ADD_STRING(dptr, text, textlen);
return (t);
}
/*
* token ID 1 byte
* audit ID 4 bytes
* effective user ID 4 bytes
* effective group ID 4 bytes
* real user ID 4 bytes
* real group ID 4 bytes
* process ID 4 bytes
* session ID 4 bytes
* terminal ID
* port ID 4 bytes/8 bytes (32-bit/64-bit value)
* machine address 4 bytes
*/
token_t *
au_to_process32(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
pid_t pid, au_asid_t sid, au_tid_t *tid)
{
token_t *t;
u_char *dptr = NULL;
GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 9 * sizeof(u_int32_t));
ADD_U_CHAR(dptr, AUT_PROCESS32);
ADD_U_INT32(dptr, auid);
ADD_U_INT32(dptr, euid);
ADD_U_INT32(dptr, egid);
ADD_U_INT32(dptr, ruid);
ADD_U_INT32(dptr, rgid);
ADD_U_INT32(dptr, pid);
ADD_U_INT32(dptr, sid);
ADD_U_INT32(dptr, tid->port);
/*
* Note: Solaris will write out IPv6 addresses here as a 32-bit
* address type and 16 bytes of address, but for IPv4 addresses it
* simply writes the 4-byte address directly. We support only IPv4
* addresses for process32 tokens.
*/
ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t));
return (t);
}
token_t *
au_to_process64(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
pid_t pid, au_asid_t sid, au_tid_t *tid)
{
token_t *t;
u_char *dptr = NULL;
GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 8 * sizeof(u_int32_t) +
sizeof(u_int64_t));
ADD_U_CHAR(dptr, AUT_PROCESS64);
ADD_U_INT32(dptr, auid);
ADD_U_INT32(dptr, euid);
ADD_U_INT32(dptr, egid);
ADD_U_INT32(dptr, ruid);
ADD_U_INT32(dptr, rgid);
ADD_U_INT32(dptr, pid);
ADD_U_INT32(dptr, sid);
ADD_U_INT64(dptr, tid->port);
/*
* Note: Solaris will write out IPv6 addresses here as a 32-bit
* address type and 16 bytes of address, but for IPv4 addresses it
* simply writes the 4-byte address directly. We support only IPv4
* addresses for process64 tokens.
*/
ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t));
return (t);
}
token_t *
au_to_process(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
pid_t pid, au_asid_t sid, au_tid_t *tid)
{
return (au_to_process32(auid, euid, egid, ruid, rgid, pid, sid,
tid));
}
/*
* token ID 1 byte
* audit ID 4 bytes
* effective user ID 4 bytes
* effective group ID 4 bytes
* real user ID 4 bytes
* real group ID 4 bytes
* process ID 4 bytes
* session ID 4 bytes
* terminal ID
* port ID 4 bytes/8 bytes (32-bit/64-bit value)
* address type-len 4 bytes
* machine address 16 bytes
*/
token_t *
au_to_process32_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
{
token_t *t;
u_char *dptr = NULL;
KASSERT((tid->at_type == AU_IPv4) || (tid->at_type == AU_IPv6),
("au_to_process32_ex: type %u", (unsigned int)tid->at_type));
if (tid->at_type == AU_IPv4)
GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
10 * sizeof(u_int32_t));
else
GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
13 * sizeof(u_int32_t));
ADD_U_CHAR(dptr, AUT_PROCESS32_EX);
ADD_U_INT32(dptr, auid);
ADD_U_INT32(dptr, euid);
ADD_U_INT32(dptr, egid);
ADD_U_INT32(dptr, ruid);
ADD_U_INT32(dptr, rgid);
ADD_U_INT32(dptr, pid);
ADD_U_INT32(dptr, sid);
ADD_U_INT32(dptr, tid->at_port);
ADD_U_INT32(dptr, tid->at_type);
ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t));
if (tid->at_type == AU_IPv6) {
ADD_MEM(dptr, &tid->at_addr[1], sizeof(u_int32_t));
ADD_MEM(dptr, &tid->at_addr[2], sizeof(u_int32_t));
ADD_MEM(dptr, &tid->at_addr[3], sizeof(u_int32_t));
}
return (t);
}
token_t *
au_to_process64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
{
token_t *t;
u_char *dptr = NULL;
if (tid->at_type == AU_IPv4)
GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
7 * sizeof(u_int32_t) + sizeof(u_int64_t) +
2 * sizeof(u_int32_t));
else if (tid->at_type == AU_IPv6)
GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
7 * sizeof(u_int32_t) + sizeof(u_int64_t) +
5 * sizeof(u_int32_t));
else
panic("au_to_process64_ex: invalidate at_type (%d)",
tid->at_type);
ADD_U_CHAR(dptr, AUT_PROCESS64_EX);
ADD_U_INT32(dptr, auid);
ADD_U_INT32(dptr, euid);
ADD_U_INT32(dptr, egid);
ADD_U_INT32(dptr, ruid);
ADD_U_INT32(dptr, rgid);
ADD_U_INT32(dptr, pid);
ADD_U_INT32(dptr, sid);
ADD_U_INT64(dptr, tid->at_port);
ADD_U_INT32(dptr, tid->at_type);
ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t));
if (tid->at_type == AU_IPv6) {
ADD_MEM(dptr, &tid->at_addr[1], sizeof(u_int32_t));
ADD_MEM(dptr, &tid->at_addr[2], sizeof(u_int32_t));
ADD_MEM(dptr, &tid->at_addr[3], sizeof(u_int32_t));
}
return (t);
}
token_t *
au_to_process_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
{
return (au_to_process32_ex(auid, euid, egid, ruid, rgid, pid, sid,
tid));
}
/*
* token ID 1 byte
* error status 1 byte
* return value 4 bytes/8 bytes (32-bit/64-bit value)
*/
token_t *
au_to_return32(char status, u_int32_t ret)
{
token_t *t;
u_char *dptr = NULL;
GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int32_t));
ADD_U_CHAR(dptr, AUT_RETURN32);
ADD_U_CHAR(dptr, status);
ADD_U_INT32(dptr, ret);
return (t);
}
token_t *
au_to_return64(char status, u_int64_t ret)
{
token_t *t;
u_char *dptr = NULL;
GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int64_t));
ADD_U_CHAR(dptr, AUT_RETURN64);
ADD_U_CHAR(dptr, status);
ADD_U_INT64(dptr, ret);
return (t);
}
token_t *
au_to_return(char status, u_int32_t ret)
{
return (au_to_return32(status, ret));
}
/*
* token ID 1 byte
* sequence number 4 bytes
*/
token_t *
au_to_seq(long audit_count)
{
token_t *t;
u_char *dptr = NULL;
GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t));
ADD_U_CHAR(dptr, AUT_SEQ);
ADD_U_INT32(dptr, audit_count);
return (t);
}
/*
* token ID 1 byte
* socket domain 2 bytes
* socket type 2 bytes
* address type 2 byte
* local port 2 bytes
* local address 4 bytes/16 bytes (IPv4/IPv6 address)
* remote port 2 bytes
* remote address 4 bytes/16 bytes (IPv4/IPv6 address)
*
* Domain and type arguments to this routine are assumed to already have been
* converted to the BSM constant space, so we don't do that here.
*/
token_t *
au_to_socket_ex(u_short so_domain, u_short so_type,
struct sockaddr *sa_local, struct sockaddr *sa_remote)
{
token_t *t;
u_char *dptr = NULL;
struct sockaddr_in *sin;
struct sockaddr_in6 *sin6;
if (so_domain == AF_INET)
GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
5 * sizeof(u_int16_t) + 2 * sizeof(u_int32_t));
else if (so_domain == AF_INET6)
GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
5 * sizeof(u_int16_t) + 8 * sizeof(u_int32_t));
else
return (NULL);
ADD_U_CHAR(dptr, AUT_SOCKET_EX);
ADD_U_INT16(dptr, au_domain_to_bsm(so_domain));
ADD_U_INT16(dptr, au_socket_type_to_bsm(so_type));
if (so_domain == AF_INET) {
ADD_U_INT16(dptr, AU_IPv4);
sin = (struct sockaddr_in *)sa_local;
ADD_MEM(dptr, &sin->sin_port, sizeof(uint16_t));
ADD_MEM(dptr, &sin->sin_addr.s_addr, sizeof(uint32_t));
sin = (struct sockaddr_in *)sa_remote;
ADD_MEM(dptr, &sin->sin_port, sizeof(uint16_t));
ADD_MEM(dptr, &sin->sin_addr.s_addr, sizeof(uint32_t));
} else {
ADD_U_INT16(dptr, AU_IPv6);
sin6 = (struct sockaddr_in6 *)sa_local;
ADD_MEM(dptr, &sin6->sin6_port, sizeof(uint16_t));
ADD_MEM(dptr, &sin6->sin6_addr, 4 * sizeof(uint32_t));
sin6 = (struct sockaddr_in6 *)sa_remote;
ADD_MEM(dptr, &sin6->sin6_port, sizeof(uint16_t));
ADD_MEM(dptr, &sin6->sin6_addr, 4 * sizeof(uint32_t));
}
return (t);
}
/*
* Kernel-specific version of the above function.
*
* XXXRW: Should now use au_to_socket_ex() here.
*/
#ifdef _KERNEL
token_t *
kau_to_socket(struct socket_au_info *soi)
{
token_t *t;
u_char *dptr;
u_int16_t so_type;
GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) +
sizeof(u_int32_t) + sizeof(u_int16_t) + sizeof(u_int32_t));
ADD_U_CHAR(dptr, AUT_SOCKET);
/* Coerce the socket type into a short value */
so_type = soi->so_type;
ADD_U_INT16(dptr, so_type);
ADD_U_INT16(dptr, soi->so_lport);
ADD_U_INT32(dptr, soi->so_laddr);
ADD_U_INT16(dptr, soi->so_rport);
ADD_U_INT32(dptr, soi->so_raddr);
return (t);
}
#endif
/*
* token ID 1 byte
* socket family 2 bytes
* path (up to) 104 bytes + NULL (NULL terminated string)
*/
token_t *
au_to_sock_unix(struct sockaddr_un *so)
{
token_t *t;
u_char *dptr;
GET_TOKEN_AREA(t, dptr, 3 * sizeof(u_char) + strlen(so->sun_path) + 1);
ADD_U_CHAR(dptr, AUT_SOCKUNIX);
/* BSM token has two bytes for family */
ADD_U_CHAR(dptr, 0);
ADD_U_CHAR(dptr, so->sun_family);
ADD_STRING(dptr, so->sun_path, strlen(so->sun_path) + 1);
return (t);
}
/*
* token ID 1 byte
* socket family 2 bytes
* local port 2 bytes
* socket address 4 bytes
*/
token_t *
au_to_sock_inet32(struct sockaddr_in *so)
{
token_t *t;
u_char *dptr = NULL;
uint16_t family;
GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(uint16_t) +
sizeof(uint32_t));
ADD_U_CHAR(dptr, AUT_SOCKINET32);
/*
* BSM defines the family field as 16 bits, but many operating
* systems have an 8-bit sin_family field. Extend to 16 bits before
* writing into the token. Assume that both the port and the address
* in the sockaddr_in are already in network byte order, but family
* is in local byte order.
*
* XXXRW: Should a name space conversion be taking place on the value
* of sin_family?
*/
family = so->sin_family;
ADD_U_INT16(dptr, family);
ADD_MEM(dptr, &so->sin_port, sizeof(uint16_t));
ADD_MEM(dptr, &so->sin_addr.s_addr, sizeof(uint32_t));
return (t);
}
token_t *
au_to_sock_inet128(struct sockaddr_in6 *so)
{
token_t *t;
u_char *dptr = NULL;
GET_TOKEN_AREA(t, dptr, 3 * sizeof(u_char) + sizeof(u_int16_t) +
4 * sizeof(u_int32_t));
ADD_U_CHAR(dptr, AUT_SOCKINET128);
/*
* In BSD, sin6_family is one octet, but BSM defines the token to
* store two. So we copy in a 0 first. XXXRW: Possibly should be
* conditionally compiled.
*/
ADD_U_CHAR(dptr, 0);
ADD_U_CHAR(dptr, so->sin6_family);
ADD_U_INT16(dptr, so->sin6_port);
ADD_MEM(dptr, &so->sin6_addr, 4 * sizeof(uint32_t));
return (t);
}
token_t *
au_to_sock_inet(struct sockaddr_in *so)
{
return (au_to_sock_inet32(so));
}
/*
* token ID 1 byte
* audit ID 4 bytes
* effective user ID 4 bytes
* effective group ID 4 bytes
* real user ID 4 bytes
* real group ID 4 bytes
* process ID 4 bytes
* session ID 4 bytes
* terminal ID
* port ID 4 bytes/8 bytes (32-bit/64-bit value)
* machine address 4 bytes
*/
token_t *
au_to_subject32(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
pid_t pid, au_asid_t sid, au_tid_t *tid)
{
token_t *t;
u_char *dptr = NULL;
GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 9 * sizeof(u_int32_t));
ADD_U_CHAR(dptr, AUT_SUBJECT32);
ADD_U_INT32(dptr, auid);
ADD_U_INT32(dptr, euid);
ADD_U_INT32(dptr, egid);
ADD_U_INT32(dptr, ruid);
ADD_U_INT32(dptr, rgid);
ADD_U_INT32(dptr, pid);
ADD_U_INT32(dptr, sid);
ADD_U_INT32(dptr, tid->port);
ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t));
return (t);
}
token_t *
au_to_subject64(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
pid_t pid, au_asid_t sid, au_tid_t *tid)
{
token_t *t;
u_char *dptr = NULL;
GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 7 * sizeof(u_int32_t) +
sizeof(u_int64_t) + sizeof(u_int32_t));
ADD_U_CHAR(dptr, AUT_SUBJECT64);
ADD_U_INT32(dptr, auid);
ADD_U_INT32(dptr, euid);
ADD_U_INT32(dptr, egid);
ADD_U_INT32(dptr, ruid);
ADD_U_INT32(dptr, rgid);
ADD_U_INT32(dptr, pid);
ADD_U_INT32(dptr, sid);
ADD_U_INT64(dptr, tid->port);
ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t));
return (t);
}
token_t *
au_to_subject(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
pid_t pid, au_asid_t sid, au_tid_t *tid)
{
return (au_to_subject32(auid, euid, egid, ruid, rgid, pid, sid,
tid));
}
/*
* token ID 1 byte
* audit ID 4 bytes
* effective user ID 4 bytes
* effective group ID 4 bytes
* real user ID 4 bytes
* real group ID 4 bytes
* process ID 4 bytes
* session ID 4 bytes
* terminal ID
* port ID 4 bytes/8 bytes (32-bit/64-bit value)
* address type/length 4 bytes
* machine address 16 bytes
*/
token_t *
au_to_subject32_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
{
token_t *t;
u_char *dptr = NULL;
KASSERT((tid->at_type == AU_IPv4) || (tid->at_type == AU_IPv6),
("au_to_subject32_ex: type %u", (unsigned int)tid->at_type));
if (tid->at_type == AU_IPv4)
GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 10 *
sizeof(u_int32_t));
else
GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 13 *
sizeof(u_int32_t));
ADD_U_CHAR(dptr, AUT_SUBJECT32_EX);
ADD_U_INT32(dptr, auid);
ADD_U_INT32(dptr, euid);
ADD_U_INT32(dptr, egid);
ADD_U_INT32(dptr, ruid);
ADD_U_INT32(dptr, rgid);
ADD_U_INT32(dptr, pid);
ADD_U_INT32(dptr, sid);
ADD_U_INT32(dptr, tid->at_port);
ADD_U_INT32(dptr, tid->at_type);
if (tid->at_type == AU_IPv6)
ADD_MEM(dptr, &tid->at_addr[0], 4 * sizeof(u_int32_t));
else
ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t));
return (t);
}
token_t *
au_to_subject64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
{
token_t *t;
u_char *dptr = NULL;
KASSERT((tid->at_type == AU_IPv4) || (tid->at_type == AU_IPv6),
("au_to_subject64_ex: type %u", (unsigned int)tid->at_type));
if (tid->at_type == AU_IPv4)
GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
7 * sizeof(u_int32_t) + sizeof(u_int64_t) +
2 * sizeof(u_int32_t));
else
GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
7 * sizeof(u_int32_t) + sizeof(u_int64_t) +
5 * sizeof(u_int32_t));
ADD_U_CHAR(dptr, AUT_SUBJECT64_EX);
ADD_U_INT32(dptr, auid);
ADD_U_INT32(dptr, euid);
ADD_U_INT32(dptr, egid);
ADD_U_INT32(dptr, ruid);
ADD_U_INT32(dptr, rgid);
ADD_U_INT32(dptr, pid);
ADD_U_INT32(dptr, sid);
ADD_U_INT64(dptr, tid->at_port);
ADD_U_INT32(dptr, tid->at_type);
if (tid->at_type == AU_IPv6)
ADD_MEM(dptr, &tid->at_addr[0], 4 * sizeof(u_int32_t));
else
ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t));
return (t);
}
token_t *
au_to_subject_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
{
return (au_to_subject32_ex(auid, euid, egid, ruid, rgid, pid, sid,
tid));
}
#if !defined(_KERNEL) && !defined(KERNEL) && defined(HAVE_AUDIT_SYSCALLS)
/*
* Collects audit information for the current process and creates a subject
* token from it.
*/
token_t *
au_to_me(void)
{
auditinfo_t auinfo;
auditinfo_addr_t aia;
/*
* Try to use getaudit_addr(2) first. If this kernel does not support
* it, then fall back on to getaudit(2).
*/
if (getaudit_addr(&aia, sizeof(aia)) != 0) {
if (errno == ENOSYS) {
if (getaudit(&auinfo) != 0)
return (NULL);
return (au_to_subject32(auinfo.ai_auid, geteuid(),
getegid(), getuid(), getgid(), getpid(),
auinfo.ai_asid, &auinfo.ai_termid));
} else {
/* getaudit_addr(2) failed for some other reason. */
return (NULL);
}
}
return (au_to_subject32_ex(aia.ai_auid, geteuid(), getegid(), getuid(),
getgid(), getpid(), aia.ai_asid, &aia.ai_termid));
}
#endif
#if defined(_KERNEL) || defined(KERNEL)
static token_t *
au_to_exec_strings(char *strs, int count, u_char type)
{
token_t *t;
u_char *dptr = NULL;
u_int32_t totlen;
int ctr;
char *p;
totlen = 0;
ctr = count;
p = strs;
while (ctr-- > 0) {
totlen += strlen(p) + 1;
p = strs + totlen;
}
GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + totlen);
ADD_U_CHAR(dptr, type);
ADD_U_INT32(dptr, count);
ADD_STRING(dptr, strs, totlen);
return (t);
}
/*
* token ID 1 byte
* count 4 bytes
* text count null-terminated strings
*/
token_t *
au_to_exec_args(char *args, int argc)
{
return (au_to_exec_strings(args, argc, AUT_EXEC_ARGS));
}
/*
* token ID 1 byte
* count 4 bytes
* text count null-terminated strings
*/
token_t *
au_to_exec_env(char *envs, int envc)
{
return (au_to_exec_strings(envs, envc, AUT_EXEC_ENV));
}
#else
/*
* token ID 1 byte
* count 4 bytes
* text count null-terminated strings
*/
token_t *
au_to_exec_args(char **argv)
{
token_t *t;
u_char *dptr = NULL;
const char *nextarg;
int i, count = 0;
size_t totlen = 0;
nextarg = *argv;
while (nextarg != NULL) {
int nextlen;
nextlen = strlen(nextarg);
totlen += nextlen + 1;
count++;
nextarg = *(argv + count);
}
GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + totlen);
ADD_U_CHAR(dptr, AUT_EXEC_ARGS);
ADD_U_INT32(dptr, count);
for (i = 0; i < count; i++) {
nextarg = *(argv + i);
ADD_MEM(dptr, nextarg, strlen(nextarg) + 1);
}
return (t);
}
/*
* token ID 1 byte
* count 4 bytes
* text count null-terminated strings
*/
token_t *
au_to_exec_env(char **envp)
{
token_t *t;
u_char *dptr = NULL;
int i, count = 0;
size_t totlen = 0;
const char *nextenv;
nextenv = *envp;
while (nextenv != NULL) {
int nextlen;
nextlen = strlen(nextenv);
totlen += nextlen + 1;
count++;
nextenv = *(envp + count);
}
GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + totlen);
ADD_U_CHAR(dptr, AUT_EXEC_ENV);
ADD_U_INT32(dptr, count);
for (i = 0; i < count; i++) {
nextenv = *(envp + i);
ADD_MEM(dptr, nextenv, strlen(nextenv) + 1);
}
return (t);
}
#endif
/*
* token ID 1 byte
* zonename length 2 bytes
* zonename N bytes + 1 terminating NULL byte
*/
token_t *
au_to_zonename(const char *zonename)
{
u_char *dptr = NULL;
u_int16_t textlen;
token_t *t;
textlen = strlen(zonename) + 1;
GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + textlen);
ADD_U_CHAR(dptr, AUT_ZONENAME);
ADD_U_INT16(dptr, textlen);
ADD_STRING(dptr, zonename, textlen);
return (t);
}
/*
* token ID 1 byte
* record byte count 4 bytes
* version # 1 byte [2]
* event type 2 bytes
* event modifier 2 bytes
* seconds of time 4 bytes/8 bytes (32-bit/64-bit value)
* milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value)
*/
token_t *
au_to_header32_tm(int rec_size, au_event_t e_type, au_emod_t e_mod,
struct timeval tm)
{
token_t *t;
u_char *dptr = NULL;
u_int32_t timems;
GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) +
sizeof(u_char) + 2 * sizeof(u_int16_t) + 2 * sizeof(u_int32_t));
ADD_U_CHAR(dptr, AUT_HEADER32);
ADD_U_INT32(dptr, rec_size);
ADD_U_CHAR(dptr, AUDIT_HEADER_VERSION_OPENBSM);
ADD_U_INT16(dptr, e_type);
ADD_U_INT16(dptr, e_mod);
timems = tm.tv_usec/1000;
/* Add the timestamp */
ADD_U_INT32(dptr, tm.tv_sec);
ADD_U_INT32(dptr, timems); /* We need time in ms. */
return (t);
}
/*
* token ID 1 byte
* record byte count 4 bytes
* version # 1 byte [2]
* event type 2 bytes
* event modifier 2 bytes
* address type/length 4 bytes
* machine address 4 bytes/16 bytes (IPv4/IPv6 address)
* seconds of time 4 bytes/8 bytes (32-bit/64-bit value)
* milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value)
*/
token_t *
au_to_header32_ex_tm(int rec_size, au_event_t e_type, au_emod_t e_mod,
struct timeval tm, struct auditinfo_addr *aia)
{
token_t *t;
u_char *dptr = NULL;
u_int32_t timems;
au_tid_addr_t *tid;
tid = &aia->ai_termid;
KASSERT(tid->at_type == AU_IPv4 || tid->at_type == AU_IPv6,
("au_to_header32_ex_tm: invalid address family"));
GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) +
sizeof(u_char) + 2 * sizeof(u_int16_t) + 3 *
sizeof(u_int32_t) + tid->at_type);
ADD_U_CHAR(dptr, AUT_HEADER32_EX);
ADD_U_INT32(dptr, rec_size);
ADD_U_CHAR(dptr, AUDIT_HEADER_VERSION_OPENBSM);
ADD_U_INT16(dptr, e_type);
ADD_U_INT16(dptr, e_mod);
ADD_U_INT32(dptr, tid->at_type);
if (tid->at_type == AU_IPv6)
ADD_MEM(dptr, &tid->at_addr[0], 4 * sizeof(u_int32_t));
else
ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t));
timems = tm.tv_usec/1000;
/* Add the timestamp */
ADD_U_INT32(dptr, tm.tv_sec);
ADD_U_INT32(dptr, timems); /* We need time in ms. */
return (t);
}
token_t *
au_to_header64_tm(int rec_size, au_event_t e_type, au_emod_t e_mod,
struct timeval tm)
{
token_t *t;
u_char *dptr = NULL;
u_int32_t timems;
GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) +
sizeof(u_char) + 2 * sizeof(u_int16_t) + 2 * sizeof(u_int64_t));
ADD_U_CHAR(dptr, AUT_HEADER64);
ADD_U_INT32(dptr, rec_size);
ADD_U_CHAR(dptr, AUDIT_HEADER_VERSION_OPENBSM);
ADD_U_INT16(dptr, e_type);
ADD_U_INT16(dptr, e_mod);
timems = tm.tv_usec/1000;
/* Add the timestamp */
ADD_U_INT64(dptr, tm.tv_sec);
ADD_U_INT64(dptr, timems); /* We need time in ms. */
return (t);
}
#if !defined(KERNEL) && !defined(_KERNEL)
#ifdef HAVE_AUDIT_SYSCALLS
token_t *
au_to_header32_ex(int rec_size, au_event_t e_type, au_emod_t e_mod)
{
struct timeval tm;
struct auditinfo_addr aia;
if (gettimeofday(&tm, NULL) == -1)
return (NULL);
if (audit_get_kaudit(&aia, sizeof(aia)) != 0) {
if (errno != ENOSYS)
return (NULL);
return (au_to_header32_tm(rec_size, e_type, e_mod, tm));
}
return (au_to_header32_ex_tm(rec_size, e_type, e_mod, tm, &aia));
}
#endif /* HAVE_AUDIT_SYSCALLS */
token_t *
au_to_header32(int rec_size, au_event_t e_type, au_emod_t e_mod)
{
struct timeval tm;
if (gettimeofday(&tm, NULL) == -1)
return (NULL);
return (au_to_header32_tm(rec_size, e_type, e_mod, tm));
}
token_t *
au_to_header64(__unused int rec_size, __unused au_event_t e_type,
__unused au_emod_t e_mod)
{
struct timeval tm;
if (gettimeofday(&tm, NULL) == -1)
return (NULL);
return (au_to_header64_tm(rec_size, e_type, e_mod, tm));
}
token_t *
au_to_header(int rec_size, au_event_t e_type, au_emod_t e_mod)
{
return (au_to_header32(rec_size, e_type, e_mod));
}
#ifdef HAVE_AUDIT_SYSCALLS
token_t *
au_to_header_ex(int rec_size, au_event_t e_type, au_emod_t e_mod)
{
return (au_to_header32_ex(rec_size, e_type, e_mod));
}
#endif /* HAVE_AUDIT_SYSCALLS */
#endif /* !defined(KERNEL) && !defined(_KERNEL) */
/*
* token ID 1 byte
* trailer magic number 2 bytes
* record byte count 4 bytes
*/
token_t *
au_to_trailer(int rec_size)
{
token_t *t;
u_char *dptr = NULL;
u_int16_t magic = AUT_TRAILER_MAGIC;
GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) +
sizeof(u_int32_t));
ADD_U_CHAR(dptr, AUT_TRAILER);
ADD_U_INT16(dptr, magic);
ADD_U_INT32(dptr, rec_size);
return (t);
}