Date: Tue, 14 Nov 2006 22:21:10 -0200 From: "Diego Giagio" <dgiagio@gmail.com> To: "Martin Voros" <martin_voros@yahoo.com> Cc: trustedbsd-audit@freebsd.org Subject: Re: Additional 64-bit token types to libbsm Message-ID: <1b0798830611141621s49b30399l68a2241be3e91dc3@mail.gmail.com> In-Reply-To: <1b0798830611131133q2c65d167if18fdd291bdfb391@mail.gmail.com> References: <1b0798830611121359r877d4ces5182f1ec1eb2b646@mail.gmail.com> <20061113151341.26309.qmail@web55504.mail.re4.yahoo.com> <1b0798830611131133q2c65d167if18fdd291bdfb391@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
[-- Attachment #1 --]
On 11/13/06, Diego Giagio <dgiagio@gmail.com> wrote:
> On 11/13/06, Martin Voros <martin_voros@yahoo.com> wrote:
> > Hi,
> >
> > I think that you should also define output functions (bsm_io.c) in your patch, because now it's not possible to display new tokens by praudit.
> >
>
> Thanks for pointing that out. I'll add those functions and re-submit the patch.
>
The new patch is attached. All needed output functions were implemented.
DG
[-- Attachment #2 --]
diff -u -r openbsm/bsm/audit_record.h openbsm-dgiagio/bsm/audit_record.h
--- openbsm/bsm/audit_record.h 2006-09-24 17:20:03.000000000 -0300
+++ openbsm-dgiagio/bsm/audit_record.h 2006-11-12 19:31:21.000000000 -0200
@@ -246,6 +246,8 @@
token_t *au_to_header32_tm(int rec_size, au_event_t e_type, au_emod_t e_mod,
struct timeval tm);
+token_t *au_to_header64_tm(int rec_size, au_event_t e_type, au_emod_t e_mod,
+ struct timeval tm);
#if !defined(KERNEL) && !defined(_KERNEL)
token_t *au_to_header(int rec_size, au_event_t e_type, au_emod_t e_mod);
token_t *au_to_header32(int rec_size, au_event_t e_type, au_emod_t e_mod);
diff -u -r openbsm/bsm/libbsm.h openbsm-dgiagio/bsm/libbsm.h
--- openbsm/bsm/libbsm.h 2006-09-24 17:20:03.000000000 -0300
+++ openbsm-dgiagio/bsm/libbsm.h 2006-11-14 22:10:26.000000000 -0200
@@ -164,6 +164,12 @@
u_int32_t addr[4];
} au_tidaddr32_t;
+typedef struct au_tidaddr64 {
+ u_int64_t port;
+ u_int32_t type;
+ u_int32_t addr[4];
+} au_tidaddr64_t;
+
/*
* argument # 1 byte
* argument value 4 bytes/8 bytes (32-bit/64-bit value)
@@ -483,6 +489,17 @@
au_tidaddr32_t tid;
} au_proc32ex_t;
+typedef struct {
+ u_int32_t auid;
+ u_int32_t euid;
+ u_int32_t egid;
+ u_int32_t ruid;
+ u_int32_t rgid;
+ u_int32_t pid;
+ u_int32_t sid;
+ au_tidaddr64_t tid;
+} au_proc64ex_t;
+
/*
* error status 1 byte
* return value 4 bytes/8 bytes (32-bit/64-bit value)
@@ -616,6 +633,17 @@
au_tidaddr32_t tid;
} au_subject32ex_t;
+typedef struct {
+ u_int32_t auid;
+ u_int32_t euid;
+ u_int32_t egid;
+ u_int32_t ruid;
+ u_int32_t rgid;
+ u_int32_t pid;
+ u_int32_t sid;
+ au_tidaddr64_t tid;
+} au_subject64ex_t;
+
/*
* text length 2 bytes
* text N bytes + 1 terminating NULL byte
@@ -675,8 +703,9 @@
au_opaque_t opaque;
au_path_t path;
au_proc32_t proc32;
- au_proc64_t proc64;
au_proc32ex_t proc32_ex;
+ au_proc64_t proc64;
+ au_proc64ex_t proc64_ex;
au_ret32_t ret32;
au_ret64_t ret64;
au_seq_t seq;
@@ -685,8 +714,9 @@
au_socketinet32_t sockinet32;
au_socketunix_t sockunix;
au_subject32_t subj32;
- au_subject64_t subj64;
au_subject32ex_t subj32_ex;
+ au_subject64_t subj64;
+ au_subject64ex_t subj64_ex;
au_text_t text;
au_kevent_t kevent;
au_invalid_t invalid;
diff -u -r openbsm/libbsm/bsm_io.c openbsm-dgiagio/libbsm/bsm_io.c
--- openbsm/libbsm/bsm_io.c 2006-09-24 17:20:10.000000000 -0300
+++ openbsm-dgiagio/libbsm/bsm_io.c 2006-11-14 22:01:12.000000000 -0200
@@ -1778,6 +1778,105 @@
print_ip_address(fp, tok->tt.proc32.tid.addr);
}
+/*
+ * token ID 1 byte
+ * audit ID 4 bytes
+ * euid 4 bytes
+ * egid 4 bytes
+ * ruid 4 bytes
+ * rgid 4 bytes
+ * pid 4 bytes
+ * sessid 4 bytes
+ * terminal ID
+ * portid 8 bytes
+ * machine id 4 bytes
+ */
+static int
+fetch_process64_tok(tokenstr_t *tok, char *buf, int len)
+{
+ int err = 0;
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.auid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.euid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.egid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.ruid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.rgid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.pid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.sid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT64(buf, len, tok->tt.proc64.tid.port, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_BYTES(buf, len, &tok->tt.proc64.tid.addr,
+ sizeof(tok->tt.proc64.tid.addr), tok->len, err);
+ if (err)
+ return (-1);
+
+ return (0);
+}
+
+static void
+print_process64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+ __unused char sfrm)
+{
+
+ print_tok_type(fp, tok->id, "process", raw);
+ print_delim(fp, del);
+ print_user(fp, tok->tt.proc64.auid, raw);
+ print_delim(fp, del);
+ print_user(fp, tok->tt.proc64.euid, raw);
+ print_delim(fp, del);
+ print_group(fp, tok->tt.proc64.egid, raw);
+ print_delim(fp, del);
+ print_user(fp, tok->tt.proc64.ruid, raw);
+ print_delim(fp, del);
+ print_group(fp, tok->tt.proc64.rgid, raw);
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.proc64.pid, "%u");
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.proc64.sid, "%u");
+ print_delim(fp, del);
+ print_8_bytes(fp, tok->tt.proc64.tid.port, "%llu");
+ print_delim(fp, del);
+ print_ip_address(fp, tok->tt.proc64.tid.addr);
+}
+
+
+/*
+ * token ID 1 byte
+ * audit ID 4 bytes
+ * effective user ID 4 bytes
+ * effective group ID 4 bytes
+ * real user ID 4 bytes
+ * real group ID 4 bytes
+ * process ID 4 bytes
+ * session ID 4 bytes
+ * terminal ID
+ * port ID 4 bytes
+ * address type-len 4 bytes
+ * machine address 16 bytes
+ */
static int
fetch_process32ex_tok(tokenstr_t *tok, char *buf, int len)
{
@@ -1864,6 +1963,106 @@
tok->tt.proc32_ex.tid.addr);
}
+/*
+ * token ID 1 byte
+ * audit ID 4 bytes
+ * effective user ID 4 bytes
+ * effective group ID 4 bytes
+ * real user ID 4 bytes
+ * real group ID 4 bytes
+ * process ID 4 bytes
+ * session ID 4 bytes
+ * terminal ID
+ * port ID 8 bytes
+ * address type-len 4 bytes
+ * machine address 16 bytes
+ */
+static int
+fetch_process64ex_tok(tokenstr_t *tok, char *buf, int len)
+{
+ int err = 0;
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.auid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.euid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.egid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.ruid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.rgid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.pid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.sid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT64(buf, len, tok->tt.proc64_ex.tid.port, tok->len,
+ err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.tid.type, tok->len,
+ err);
+ if (err)
+ return (-1);
+
+ if (tok->tt.proc64_ex.tid.type == AU_IPv4) {
+ READ_TOKEN_BYTES(buf, len, &tok->tt.proc64_ex.tid.addr[0],
+ sizeof(tok->tt.proc64_ex.tid.addr[0]), tok->len, err);
+ if (err)
+ return (-1);
+ } else if (tok->tt.proc64_ex.tid.type == AU_IPv6) {
+ READ_TOKEN_BYTES(buf, len, tok->tt.proc64_ex.tid.addr,
+ sizeof(tok->tt.proc64_ex.tid.addr), tok->len, err);
+ if (err)
+ return (-1);
+ } else
+ return (-1);
+
+ return (0);
+}
+
+static void
+print_process64ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+ __unused char sfrm)
+{
+
+ print_tok_type(fp, tok->id, "process_ex", raw);
+ print_delim(fp, del);
+ print_user(fp, tok->tt.proc64_ex.auid, raw);
+ print_delim(fp, del);
+ print_user(fp, tok->tt.proc64_ex.euid, raw);
+ print_delim(fp, del);
+ print_group(fp, tok->tt.proc64_ex.egid, raw);
+ print_delim(fp, del);
+ print_user(fp, tok->tt.proc64_ex.ruid, raw);
+ print_delim(fp, del);
+ print_group(fp, tok->tt.proc64_ex.rgid, raw);
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.proc64_ex.pid, "%u");
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.proc64_ex.sid, "%u");
+ print_delim(fp, del);
+ print_8_bytes(fp, tok->tt.proc64_ex.tid.port, "%llu");
+ print_delim(fp, del);
+ print_ip_ex_address(fp, tok->tt.proc64_ex.tid.type,
+ tok->tt.proc64_ex.tid.addr);
+}
+
/*
* errno 1 byte
* return value 4 bytes
@@ -2348,6 +2547,105 @@
}
/*
+ * audit ID 4 bytes
+ * euid 4 bytes
+ * egid 4 bytes
+ * ruid 4 bytes
+ * rgid 4 bytes
+ * pid 4 bytes
+ * sessid 4 bytes
+ * terminal ID
+ * portid 8 bytes
+ * type 4 bytes
+ * machine id 16 bytes
+ */
+static int
+fetch_subject64ex_tok(tokenstr_t *tok, char *buf, int len)
+{
+ int err = 0;
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.auid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.euid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.egid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.ruid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.rgid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.pid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.sid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT64(buf, len, tok->tt.subj64_ex.tid.port, tok->len,
+ err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.tid.type, tok->len,
+ err);
+ if (err)
+ return (-1);
+
+ if (tok->tt.subj64_ex.tid.type == AU_IPv4) {
+ READ_TOKEN_BYTES(buf, len, &tok->tt.subj64_ex.tid.addr[0],
+ sizeof(tok->tt.subj64_ex.tid.addr[0]), tok->len, err);
+ if (err)
+ return (-1);
+ } else if (tok->tt.subj64_ex.tid.type == AU_IPv6) {
+ READ_TOKEN_BYTES(buf, len, tok->tt.subj64_ex.tid.addr,
+ sizeof(tok->tt.subj64_ex.tid.addr), tok->len, err);
+ if (err)
+ return (-1);
+ } else
+ return (-1);
+
+ return (0);
+}
+
+static void
+print_subject64ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+ __unused char sfrm)
+{
+
+ print_tok_type(fp, tok->id, "subject_ex", raw);
+ print_delim(fp, del);
+ print_user(fp, tok->tt.subj64_ex.auid, raw);
+ print_delim(fp, del);
+ print_user(fp, tok->tt.subj64_ex.euid, raw);
+ print_delim(fp, del);
+ print_group(fp, tok->tt.subj64_ex.egid, raw);
+ print_delim(fp, del);
+ print_user(fp, tok->tt.subj64_ex.ruid, raw);
+ print_delim(fp, del);
+ print_group(fp, tok->tt.subj64_ex.rgid, raw);
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.subj64_ex.pid, "%u");
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.subj64_ex.sid, "%u");
+ print_delim(fp, del);
+ print_8_bytes(fp, tok->tt.subj64_ex.tid.port, "%llu");
+ print_delim(fp, del);
+ print_ip_ex_address(fp, tok->tt.subj64_ex.tid.type,
+ tok->tt.subj64_ex.tid.addr);
+}
+
+/*
* size 2 bytes
* data size bytes
*/
@@ -2565,6 +2863,12 @@
case AUT_PROCESS32_EX:
return (fetch_process32ex_tok(tok, buf, len));
+ case AUT_PROCESS64:
+ return (fetch_process64_tok(tok, buf, len));
+
+ case AUT_PROCESS64_EX:
+ return (fetch_process64ex_tok(tok, buf, len));
+
case AUT_RETURN32:
return (fetch_return32_tok(tok, buf, len));
@@ -2586,11 +2890,14 @@
case AUT_SUBJECT32:
return (fetch_subject32_tok(tok, buf, len));
+ case AUT_SUBJECT32_EX:
+ return (fetch_subject32ex_tok(tok, buf, len));
+
case AUT_SUBJECT64:
return (fetch_subject64_tok(tok, buf, len));
- case AUT_SUBJECT32_EX:
- return (fetch_subject32ex_tok(tok, buf, len));
+ case AUT_SUBJECT64_EX:
+ return (fetch_subject64ex_tok(tok, buf, len));
case AUT_TEXT:
return (fetch_text_tok(tok, buf, len));
@@ -2714,6 +3021,14 @@
print_process32ex_tok(outfp, tok, del, raw, sfrm);
return;
+ case AUT_PROCESS64:
+ print_process64_tok(outfp, tok, del, raw, sfrm);
+ return;
+
+ case AUT_PROCESS64_EX:
+ print_process64ex_tok(outfp, tok, del, raw, sfrm);
+ return;
+
case AUT_RETURN32:
print_return32_tok(outfp, tok, del, raw, sfrm);
return;
@@ -2742,12 +3057,16 @@
print_subject32_tok(outfp, tok, del, raw, sfrm);
return;
+ case AUT_SUBJECT32_EX:
+ print_subject32ex_tok(outfp, tok, del, raw, sfrm);
+ return;
+
case AUT_SUBJECT64:
print_subject64_tok(outfp, tok, del, raw, sfrm);
return;
- case AUT_SUBJECT32_EX:
- print_subject32ex_tok(outfp, tok, del, raw, sfrm);
+ case AUT_SUBJECT64_EX:
+ print_subject64ex_tok(outfp, tok, del, raw, sfrm);
return;
case AUT_TEXT:
diff -u -r openbsm/libbsm/bsm_token.c openbsm-dgiagio/libbsm/bsm_token.c
--- openbsm/libbsm/bsm_token.c 2006-09-24 17:20:11.000000000 -0300
+++ openbsm-dgiagio/libbsm/bsm_token.c 2006-11-12 19:31:21.000000000 -0200
@@ -212,9 +212,46 @@
token_t *
au_to_attr64(struct vnode_au_info *vni)
{
+ token_t *t;
+ u_char *dptr = NULL;
+ u_int16_t pad0_16 = 0;
+ u_int16_t pad0_32 = 0;
+
+ GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) +
+ 3 * sizeof(u_int32_t) + sizeof(u_int64_t) * 2);
+ if (t == NULL)
+ return (NULL);
+
+ ADD_U_CHAR(dptr, AUT_ATTR64);
+
+ /*
+ * Darwin defines the size for the file mode
+ * as 2 bytes; BSM defines 4 so pad with 0
+ */
+ ADD_U_INT16(dptr, pad0_16);
+ ADD_U_INT16(dptr, vni->vn_mode);
+
+ ADD_U_INT32(dptr, vni->vn_uid);
+ ADD_U_INT32(dptr, vni->vn_gid);
+ ADD_U_INT32(dptr, vni->vn_fsid);
+
+ /*
+ * Some systems use 32-bit file ID's, other's use 64-bit file IDs.
+ * Attempt to handle both, and let the compiler sort it out. If we
+ * could pick this out at compile-time, it would be better, so as to
+ * avoid the else case below.
+ */
+ if (sizeof(vni->vn_fileid) == sizeof(uint32_t)) {
+ ADD_U_INT32(dptr, pad0_32);
+ ADD_U_INT32(dptr, vni->vn_fileid);
+ } else if (sizeof(vni->vn_fileid) == sizeof(uint64_t))
+ ADD_U_INT64(dptr, vni->vn_fileid);
+ else
+ ADD_U_INT64(dptr, 0LL);
- errno = ENOTSUP;
- return (NULL);
+ ADD_U_INT64(dptr, vni->vn_dev);
+
+ return (t);
}
token_t *
@@ -654,9 +691,26 @@
__unused gid_t egid, __unused uid_t ruid, __unused gid_t rgid,
__unused pid_t pid, __unused au_asid_t sid, __unused au_tid_t *tid)
{
+ token_t *t;
+ u_char *dptr = NULL;
+
+ GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 8 * sizeof(u_int32_t) +
+ sizeof(u_int64_t));
+ if (t == NULL)
+ return (NULL);
+
+ ADD_U_CHAR(dptr, AUT_PROCESS64);
+ ADD_U_INT32(dptr, auid);
+ ADD_U_INT32(dptr, euid);
+ ADD_U_INT32(dptr, egid);
+ ADD_U_INT32(dptr, ruid);
+ ADD_U_INT32(dptr, rgid);
+ ADD_U_INT32(dptr, pid);
+ ADD_U_INT32(dptr, sid);
+ ADD_U_INT64(dptr, tid->port);
+ ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t));
- errno = ENOTSUP;
- return (NULL);
+ return (t);
}
token_t *
@@ -727,9 +781,42 @@
au_to_process64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
{
+ token_t *t;
+ u_char *dptr = NULL;
+
+ if (tid->at_type == AU_IPv4)
+ GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
+ 7 * sizeof(u_int32_t) + sizeof(u_int64_t) +
+ 2 * sizeof(u_int32_t));
+ else if (tid->at_type == AU_IPv6)
+ GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
+ 7 * sizeof(u_int32_t) + sizeof(u_int64_t) +
+ 5 * sizeof(u_int32_t));
+ else {
+ errno = EINVAL;
+ return (NULL);
+ }
+ if (t == NULL)
+ return (NULL);
+
+ ADD_U_CHAR(dptr, AUT_PROCESS64_EX);
+ ADD_U_INT32(dptr, auid);
+ ADD_U_INT32(dptr, euid);
+ ADD_U_INT32(dptr, egid);
+ ADD_U_INT32(dptr, ruid);
+ ADD_U_INT32(dptr, rgid);
+ ADD_U_INT32(dptr, pid);
+ ADD_U_INT32(dptr, sid);
+ ADD_U_INT64(dptr, tid->at_port);
+ ADD_U_INT32(dptr, tid->at_type);
+ ADD_U_INT32(dptr, tid->at_addr[0]);
+ if (tid->at_type == AU_IPv6) {
+ ADD_U_INT32(dptr, tid->at_addr[1]);
+ ADD_U_INT32(dptr, tid->at_addr[2]);
+ ADD_U_INT32(dptr, tid->at_addr[3]);
+ }
- errno = ENOTSUP;
- return (NULL);
+ return (t);
}
token_t *
@@ -944,9 +1031,26 @@
au_to_subject64(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
pid_t pid, au_asid_t sid, au_tid_t *tid)
{
+ token_t *t;
+ u_char *dptr = NULL;
+
+ GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 7 * sizeof(u_int32_t) +
+ sizeof(u_int64_t) + sizeof(u_int32_t));
+ if (t == NULL)
+ return (NULL);
- errno = ENOTSUP;
- return (NULL);
+ ADD_U_CHAR(dptr, AUT_SUBJECT64);
+ ADD_U_INT32(dptr, auid);
+ ADD_U_INT32(dptr, euid);
+ ADD_U_INT32(dptr, egid);
+ ADD_U_INT32(dptr, ruid);
+ ADD_U_INT32(dptr, rgid);
+ ADD_U_INT32(dptr, pid);
+ ADD_U_INT32(dptr, sid);
+ ADD_U_INT64(dptr, tid->port);
+ ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t));
+
+ return (t);
}
token_t *
@@ -1016,9 +1120,42 @@
au_to_subject64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
{
+ token_t *t;
+ u_char *dptr = NULL;
+
+ if (tid->at_type == AU_IPv4)
+ GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
+ 7 * sizeof(u_int32_t) + sizeof(u_int64_t) +
+ 2 * sizeof(u_int32_t));
+ else if (tid->at_type == AU_IPv6)
+ GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
+ 7 * sizeof(u_int32_t) + sizeof(u_int64_t) +
+ 5 * sizeof(u_int32_t));
+ else {
+ errno = EINVAL;
+ return (NULL);
+ }
+ if (t == NULL)
+ return (NULL);
+
+ ADD_U_CHAR(dptr, AUT_SUBJECT64_EX);
+ ADD_U_INT32(dptr, auid);
+ ADD_U_INT32(dptr, euid);
+ ADD_U_INT32(dptr, egid);
+ ADD_U_INT32(dptr, ruid);
+ ADD_U_INT32(dptr, rgid);
+ ADD_U_INT32(dptr, pid);
+ ADD_U_INT32(dptr, sid);
+ ADD_U_INT64(dptr, tid->at_port);
+ ADD_U_INT32(dptr, tid->at_type);
+ ADD_U_INT32(dptr, tid->at_addr[0]);
+ if (tid->at_type == AU_IPv6) {
+ ADD_U_INT32(dptr, tid->at_addr[1]);
+ ADD_U_INT32(dptr, tid->at_addr[2]);
+ ADD_U_INT32(dptr, tid->at_addr[3]);
+ }
- errno = ENOTSUP;
- return (NULL);
+ return (t);
}
token_t *
@@ -1166,6 +1303,33 @@
return (t);
}
+token_t *
+au_to_header64_tm(int rec_size, au_event_t e_type, au_emod_t e_mod,
+ struct timeval tm)
+{
+ token_t *t;
+ u_char *dptr = NULL;
+ u_int32_t timems;
+
+ GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) +
+ sizeof(u_char) + 2 * sizeof(u_int16_t) + 2 * sizeof(u_int64_t));
+ if (t == NULL)
+ return (NULL);
+
+ ADD_U_CHAR(dptr, AUT_HEADER64);
+ ADD_U_INT32(dptr, rec_size);
+ ADD_U_CHAR(dptr, AUDIT_HEADER_VERSION_OPENBSM);
+ ADD_U_INT16(dptr, e_type);
+ ADD_U_INT16(dptr, e_mod);
+
+ timems = tm.tv_usec/1000;
+ /* Add the timestamp */
+ ADD_U_INT64(dptr, tm.tv_sec);
+ ADD_U_INT64(dptr, timems); /* We need time in ms. */
+
+ return (t);
+}
+
#if !defined(KERNEL) && !defined(_KERNEL)
token_t *
au_to_header32(int rec_size, au_event_t e_type, au_emod_t e_mod)
@@ -1181,9 +1345,11 @@
au_to_header64(__unused int rec_size, __unused au_event_t e_type,
__unused au_emod_t e_mod)
{
+ struct timeval tm;
- errno = ENOTSUP;
- return (NULL);
+ if (gettimeofday(&tm, NULL) == -1)
+ return (NULL);
+ return (au_to_header64_tm(rec_size, e_type, e_mod, tm));
}
token_t *
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1b0798830611141621s49b30399l68a2241be3e91dc3>