From owner-trustedbsd-audit@FreeBSD.ORG Wed Nov 15 21:42:12 2006 Return-Path: X-Original-To: trustedbsd-audit@freebsd.org Delivered-To: trustedbsd-audit@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9825816A512 for ; Wed, 15 Nov 2006 21:42:12 +0000 (UTC) (envelope-from dgiagio@gmail.com) Received: from nz-out-0102.google.com (nz-out-0102.google.com [64.233.162.201]) by mx1.FreeBSD.org (Postfix) with ESMTP id 08B8343D68 for ; Wed, 15 Nov 2006 21:42:11 +0000 (GMT) (envelope-from dgiagio@gmail.com) Received: by nz-out-0102.google.com with SMTP id i11so147289nzh for ; Wed, 15 Nov 2006 13:42:11 -0800 (PST) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:user-agent:mime-version:to:cc:subject:references:in-reply-to:content-type; b=oyTTzTsFz4owF4QM3pt5hhTj4u1mwcD6antf+vryKar504i0Lo5dGxDuIyVOmEp4uZ9s4tUpug9U5j60zF3UFtsK6qcKd+taeevzuko616ne3NA+yppDjwrBiK7vB+vAn75SMP2J+2xlvNzorvni3gUYfBM6CO7N/kaJ6fSFTAs= Received: by 10.65.84.5 with SMTP id m5mr4122828qbl.1163626931021; Wed, 15 Nov 2006 13:42:11 -0800 (PST) Received: from ?192.168.0.100? ( [201.37.35.25]) by mx.google.com with ESMTP id p4sm1815844qba.2006.11.15.13.42.06; Wed, 15 Nov 2006 13:42:09 -0800 (PST) Message-ID: <455B89A5.1070607@gmail.com> Date: Wed, 15 Nov 2006 19:41:57 -0200 From: Diego Giagio User-Agent: Thunderbird 1.5.0.8 (Macintosh/20061025) MIME-Version: 1.0 To: Martin Voros References: <33453.36565.qm@web55503.mail.re4.yahoo.com> In-Reply-To: <33453.36565.qm@web55503.mail.re4.yahoo.com> Content-Type: multipart/mixed; boundary="------------010907030009030504070804" Cc: trustedbsd-audit@FreeBSD.org Subject: Re: Additional 64-bit token types to libbsm X-BeenThere: trustedbsd-audit@FreeBSD.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: TrustedBSD Audit Discussion List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 15 Nov 2006 21:42:12 -0000 This is a multi-part message in MIME format. --------------010907030009030504070804 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Martin Voros wrote: > Hi, > > I'm so sorry but I forgot to tell you that you have to get fresh sources, beacause in alpha12 there is not xml output support. You can easily get fresh sources by cvsup. More here http://www.trustedbsd.org/components.html > No problem. Attached is a patch with XML printing support that applies cleanly to HEAD as of today. DG --------------010907030009030504070804 Content-Type: text/plain; x-mac-type="0"; x-mac-creator="0"; name="tokens64_3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: inline; filename="tokens64_3.patch" diff -u -r openbsm/bsm/audit_record.h openbsm-dgiagio/bsm/audit_record.h --- openbsm/bsm/audit_record.h 2006-08-23 03:15:34.000000000 -0300 +++ openbsm-dgiagio/bsm/audit_record.h 2006-11-15 14:22:53.000000000 -0200 @@ -246,6 +246,8 @@ token_t *au_to_header32_tm(int rec_size, au_event_t e_type, au_emod_t e_mod, struct timeval tm); +token_t *au_to_header64_tm(int rec_size, au_event_t e_type, au_emod_t e_mod, + struct timeval tm); #if !defined(KERNEL) && !defined(_KERNEL) token_t *au_to_header(int rec_size, au_event_t e_type, au_emod_t e_mod); token_t *au_to_header32(int rec_size, au_event_t e_type, au_emod_t e_mod); diff -u -r openbsm/bsm/libbsm.h openbsm-dgiagio/bsm/libbsm.h --- openbsm/bsm/libbsm.h 2006-11-05 21:32:00.000000000 -0200 +++ openbsm-dgiagio/bsm/libbsm.h 2006-11-15 14:22:53.000000000 -0200 @@ -164,6 +164,12 @@ u_int32_t addr[4]; } au_tidaddr32_t; +typedef struct au_tidaddr64 { + u_int64_t port; + u_int32_t type; + u_int32_t addr[4]; +} au_tidaddr64_t; + /* * argument # 1 byte * argument value 4 bytes/8 bytes (32-bit/64-bit value) @@ -483,6 +489,17 @@ au_tidaddr32_t tid; } au_proc32ex_t; +typedef struct { + u_int32_t auid; + u_int32_t euid; + u_int32_t egid; + u_int32_t ruid; + u_int32_t rgid; + u_int32_t pid; + u_int32_t sid; + au_tidaddr64_t tid; +} au_proc64ex_t; + /* * error status 1 byte * return value 4 bytes/8 bytes (32-bit/64-bit value) @@ -616,6 +633,17 @@ au_tidaddr32_t tid; } au_subject32ex_t; +typedef struct { + u_int32_t auid; + u_int32_t euid; + u_int32_t egid; + u_int32_t ruid; + u_int32_t rgid; + u_int32_t pid; + u_int32_t sid; + au_tidaddr64_t tid; +} au_subject64ex_t; + /* * text length 2 bytes * text N bytes + 1 terminating NULL byte @@ -675,8 +703,9 @@ au_opaque_t opaque; au_path_t path; au_proc32_t proc32; - au_proc64_t proc64; au_proc32ex_t proc32_ex; + au_proc64_t proc64; + au_proc64ex_t proc64_ex; au_ret32_t ret32; au_ret64_t ret64; au_seq_t seq; @@ -685,8 +714,9 @@ au_socketinet32_t sockinet32; au_socketunix_t sockunix; au_subject32_t subj32; - au_subject64_t subj64; au_subject32ex_t subj32_ex; + au_subject64_t subj64; + au_subject64ex_t subj64_ex; au_text_t text; au_kevent_t kevent; au_invalid_t invalid; diff -u -r openbsm/libbsm/bsm_io.c openbsm-dgiagio/libbsm/bsm_io.c --- openbsm/libbsm/bsm_io.c 2006-11-05 21:32:01.000000000 -0200 +++ openbsm-dgiagio/libbsm/bsm_io.c 2006-11-15 15:25:11.000000000 -0200 @@ -333,6 +333,14 @@ fprintf(fp, "/>"); break; + case AUT_PROCESS64: + fprintf(fp, "/>"); + break; + + case AUT_PROCESS64_EX: + fprintf(fp, "/>"); + break; + case AUT_RETURN32: fprintf(fp, "/>"); break; @@ -369,6 +377,10 @@ fprintf(fp, "/>"); break; + case AUT_SUBJECT64_EX: + fprintf(fp, "/>"); + break; + case AUT_TEXT: fprintf(fp, ""); break; @@ -488,6 +500,14 @@ fprintf(fp, ""); break; @@ -2530,6 +2554,132 @@ } } +/* + * token ID 1 byte + * audit ID 4 bytes + * euid 4 bytes + * egid 4 bytes + * ruid 4 bytes + * rgid 4 bytes + * pid 4 bytes + * sessid 4 bytes + * terminal ID + * portid 8 bytes + * machine id 4 bytes + */ +static int +fetch_process64_tok(tokenstr_t *tok, char *buf, int len) +{ + int err = 0; + + READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.auid, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.euid, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.egid, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.ruid, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.rgid, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.pid, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.sid, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT64(buf, len, tok->tt.proc64.tid.port, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_BYTES(buf, len, &tok->tt.proc64.tid.addr, + sizeof(tok->tt.proc64.tid.addr), tok->len, err); + if (err) + return (-1); + + return (0); +} + +static void +print_process64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, + __unused char sfrm, int xml) +{ + print_tok_type(fp, tok->id, "process", raw, xml); + if (xml) { + open_attr(fp, "audit-uid"); + print_user(fp, tok->tt.proc64.auid, raw); + close_attr(fp); + open_attr(fp, "uid"); + print_user(fp, tok->tt.proc64.euid, raw); + close_attr(fp); + open_attr(fp, "gid"); + print_group(fp, tok->tt.proc64.egid, raw); + close_attr(fp); + open_attr(fp, "ruid"); + print_user(fp, tok->tt.proc64.ruid, raw); + close_attr(fp); + open_attr(fp, "rgid"); + print_group(fp, tok->tt.proc64.rgid, raw); + close_attr(fp); + open_attr(fp, "pid"); + print_4_bytes(fp, tok->tt.proc64.pid, "%u"); + close_attr(fp); + open_attr(fp, "sid"); + print_4_bytes(fp, tok->tt.proc64.sid, "%u"); + close_attr(fp); + open_attr(fp, "tid"); + print_8_bytes(fp, tok->tt.proc64.tid.port, "%llu"); + print_ip_address(fp, tok->tt.proc64.tid.addr); + close_attr(fp); + close_tag(fp, tok->id); + } else { + print_delim(fp, del); + print_user(fp, tok->tt.proc64.auid, raw); + print_delim(fp, del); + print_user(fp, tok->tt.proc64.euid, raw); + print_delim(fp, del); + print_group(fp, tok->tt.proc64.egid, raw); + print_delim(fp, del); + print_user(fp, tok->tt.proc64.ruid, raw); + print_delim(fp, del); + print_group(fp, tok->tt.proc64.rgid, raw); + print_delim(fp, del); + print_4_bytes(fp, tok->tt.proc64.pid, "%u"); + print_delim(fp, del); + print_4_bytes(fp, tok->tt.proc64.sid, "%u"); + print_delim(fp, del); + print_8_bytes(fp, tok->tt.proc64.tid.port, "%llu"); + print_delim(fp, del); + print_ip_address(fp, tok->tt.proc64.tid.addr); + } +} + +/* + * token ID 1 byte + * audit ID 4 bytes + * effective user ID 4 bytes + * effective group ID 4 bytes + * real user ID 4 bytes + * real group ID 4 bytes + * process ID 4 bytes + * session ID 4 bytes + * terminal ID + * port ID 4 bytes + * address type-len 4 bytes + * machine address 16 bytes + */ static int fetch_process32ex_tok(tokenstr_t *tok, char *buf, int len) { @@ -2646,6 +2796,135 @@ } } +/* + * token ID 1 byte + * audit ID 4 bytes + * effective user ID 4 bytes + * effective group ID 4 bytes + * real user ID 4 bytes + * real group ID 4 bytes + * process ID 4 bytes + * session ID 4 bytes + * terminal ID + * port ID 8 bytes + * address type-len 4 bytes + * machine address 16 bytes + */ +static int +fetch_process64ex_tok(tokenstr_t *tok, char *buf, int len) +{ + int err = 0; + + READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.auid, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.euid, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.egid, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.ruid, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.rgid, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.pid, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.sid, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT64(buf, len, tok->tt.proc64_ex.tid.port, tok->len, + err); + if (err) + return (-1); + + READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.tid.type, tok->len, + err); + if (err) + return (-1); + + if (tok->tt.proc64_ex.tid.type == AU_IPv4) { + READ_TOKEN_BYTES(buf, len, &tok->tt.proc64_ex.tid.addr[0], + sizeof(tok->tt.proc64_ex.tid.addr[0]), tok->len, err); + if (err) + return (-1); + } else if (tok->tt.proc64_ex.tid.type == AU_IPv6) { + READ_TOKEN_BYTES(buf, len, tok->tt.proc64_ex.tid.addr, + sizeof(tok->tt.proc64_ex.tid.addr), tok->len, err); + if (err) + return (-1); + } else + return (-1); + + return (0); +} + +static void +print_process64ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, + __unused char sfrm, int xml) +{ + print_tok_type(fp, tok->id, "process_ex", raw, xml); + if (xml) { + open_attr(fp, "audit-uid"); + print_user(fp, tok->tt.proc64_ex.auid, raw); + close_attr(fp); + open_attr(fp, "uid"); + print_user(fp, tok->tt.proc64_ex.euid, raw); + close_attr(fp); + open_attr(fp, "gid"); + print_group(fp, tok->tt.proc64_ex.egid, raw); + close_attr(fp); + open_attr(fp, "ruid"); + print_user(fp, tok->tt.proc64_ex.ruid, raw); + close_attr(fp); + open_attr(fp, "rgid"); + print_group(fp, tok->tt.proc64_ex.rgid, raw); + close_attr(fp); + open_attr(fp, "pid"); + print_4_bytes(fp, tok->tt.proc64_ex.pid, "%u"); + close_attr(fp); + open_attr(fp, "sid"); + print_4_bytes(fp, tok->tt.proc64_ex.sid, "%u"); + close_attr(fp); + open_attr(fp, "tid"); + print_8_bytes(fp, tok->tt.proc64_ex.tid.port, "%llu"); + print_ip_ex_address(fp, tok->tt.proc64_ex.tid.type, + tok->tt.proc64_ex.tid.addr); + close_attr(fp); + close_tag(fp, tok->id); + } else { + print_delim(fp, del); + print_user(fp, tok->tt.proc64_ex.auid, raw); + print_delim(fp, del); + print_user(fp, tok->tt.proc64_ex.euid, raw); + print_delim(fp, del); + print_group(fp, tok->tt.proc64_ex.egid, raw); + print_delim(fp, del); + print_user(fp, tok->tt.proc64_ex.ruid, raw); + print_delim(fp, del); + print_group(fp, tok->tt.proc64_ex.rgid, raw); + print_delim(fp, del); + print_4_bytes(fp, tok->tt.proc64_ex.pid, "%u"); + print_delim(fp, del); + print_4_bytes(fp, tok->tt.proc64_ex.sid, "%u"); + print_delim(fp, del); + print_8_bytes(fp, tok->tt.proc64_ex.tid.port, "%llu"); + print_delim(fp, del); + print_ip_ex_address(fp, tok->tt.proc64_ex.tid.type, + tok->tt.proc64_ex.tid.addr); + } +} + /* * errno 1 byte * return value 4 bytes @@ -3290,6 +3569,134 @@ } /* + * audit ID 4 bytes + * euid 4 bytes + * egid 4 bytes + * ruid 4 bytes + * rgid 4 bytes + * pid 4 bytes + * sessid 4 bytes + * terminal ID + * portid 8 bytes + * type 4 bytes + * machine id 16 bytes + */ +static int +fetch_subject64ex_tok(tokenstr_t *tok, char *buf, int len) +{ + int err = 0; + + READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.auid, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.euid, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.egid, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.ruid, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.rgid, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.pid, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.sid, tok->len, err); + if (err) + return (-1); + + READ_TOKEN_U_INT64(buf, len, tok->tt.subj64_ex.tid.port, tok->len, + err); + if (err) + return (-1); + + READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.tid.type, tok->len, + err); + if (err) + return (-1); + + if (tok->tt.subj64_ex.tid.type == AU_IPv4) { + READ_TOKEN_BYTES(buf, len, &tok->tt.subj64_ex.tid.addr[0], + sizeof(tok->tt.subj64_ex.tid.addr[0]), tok->len, err); + if (err) + return (-1); + } else if (tok->tt.subj64_ex.tid.type == AU_IPv6) { + READ_TOKEN_BYTES(buf, len, tok->tt.subj64_ex.tid.addr, + sizeof(tok->tt.subj64_ex.tid.addr), tok->len, err); + if (err) + return (-1); + } else + return (-1); + + return (0); +} + +static void +print_subject64ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, + __unused char sfrm, int xml) +{ + print_tok_type(fp, tok->id, "subject_ex", raw, xml); + if (xml) { + open_attr(fp, "audit-uid"); + print_user(fp, tok->tt.subj64_ex.auid, raw); + close_attr(fp); + open_attr(fp, "uid"); + print_user(fp, tok->tt.subj64_ex.euid, raw); + close_attr(fp); + open_attr(fp, "gid"); + print_group(fp, tok->tt.subj64_ex.egid, raw); + close_attr(fp); + open_attr(fp, "ruid"); + print_user(fp, tok->tt.subj64_ex.ruid, raw); + close_attr(fp); + open_attr(fp, "rgid"); + print_group(fp, tok->tt.subj64_ex.rgid, raw); + close_attr(fp); + open_attr(fp, "pid"); + print_4_bytes(fp, tok->tt.subj64_ex.pid, "%u"); + close_attr(fp); + open_attr(fp, "sid"); + print_4_bytes(fp, tok->tt.subj64_ex.sid, "%u"); + close_attr(fp); + open_attr(fp, "tid"); + print_8_bytes(fp, tok->tt.subj64_ex.tid.port, "%llu"); + print_ip_ex_address(fp, tok->tt.subj64_ex.tid.type, + tok->tt.subj64_ex.tid.addr); + close_attr(fp); + close_tag(fp, tok->id); + } else { + print_delim(fp, del); + print_user(fp, tok->tt.subj64_ex.auid, raw); + print_delim(fp, del); + print_user(fp, tok->tt.subj64_ex.euid, raw); + print_delim(fp, del); + print_group(fp, tok->tt.subj64_ex.egid, raw); + print_delim(fp, del); + print_user(fp, tok->tt.subj64_ex.ruid, raw); + print_delim(fp, del); + print_group(fp, tok->tt.subj64_ex.rgid, raw); + print_delim(fp, del); + print_4_bytes(fp, tok->tt.subj64_ex.pid, "%u"); + print_delim(fp, del); + print_4_bytes(fp, tok->tt.subj64_ex.sid, "%u"); + print_delim(fp, del); + print_8_bytes(fp, tok->tt.subj64_ex.tid.port, "%llu"); + print_delim(fp, del); + print_ip_ex_address(fp, tok->tt.subj64_ex.tid.type, + tok->tt.subj64_ex.tid.addr); + } +} + +/* * size 2 bytes * data size bytes */ @@ -3533,6 +3940,12 @@ case AUT_PROCESS32_EX: return (fetch_process32ex_tok(tok, buf, len)); + case AUT_PROCESS64: + return (fetch_process64_tok(tok, buf, len)); + + case AUT_PROCESS64_EX: + return (fetch_process64ex_tok(tok, buf, len)); + case AUT_RETURN32: return (fetch_return32_tok(tok, buf, len)); @@ -3554,11 +3967,14 @@ case AUT_SUBJECT32: return (fetch_subject32_tok(tok, buf, len)); + case AUT_SUBJECT32_EX: + return (fetch_subject32ex_tok(tok, buf, len)); + case AUT_SUBJECT64: return (fetch_subject64_tok(tok, buf, len)); - case AUT_SUBJECT32_EX: - return (fetch_subject32ex_tok(tok, buf, len)); + case AUT_SUBJECT64_EX: + return (fetch_subject64ex_tok(tok, buf, len)); case AUT_TEXT: return (fetch_text_tok(tok, buf, len)); @@ -3682,6 +4098,14 @@ print_process32ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); return; + case AUT_PROCESS64: + print_process64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); + return; + + case AUT_PROCESS64_EX: + print_process64ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); + return; + case AUT_RETURN32: print_return32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); return; @@ -3718,6 +4142,10 @@ print_subject32ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); return; + case AUT_SUBJECT64_EX: + print_subject64ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); + return; + case AUT_TEXT: print_text_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); return; @@ -3840,6 +4268,14 @@ print_process32ex_tok(outfp, tok, del, raw, sfrm, AU_XML); return; + case AUT_PROCESS64: + print_process64_tok(outfp, tok, del, raw, sfrm, AU_XML); + return; + + case AUT_PROCESS64_EX: + print_process64ex_tok(outfp, tok, del, raw, sfrm, AU_XML); + return; + case AUT_RETURN32: print_return32_tok(outfp, tok, del, raw, sfrm, AU_XML); return; @@ -3876,6 +4312,10 @@ print_subject32ex_tok(outfp, tok, del, raw, sfrm, AU_XML); return; + case AUT_SUBJECT64_EX: + print_subject64ex_tok(outfp, tok, del, raw, sfrm, AU_XML); + return; + case AUT_TEXT: print_text_tok(outfp, tok, del, raw, sfrm, AU_XML); return; diff -u -r openbsm/libbsm/bsm_token.c openbsm-dgiagio/libbsm/bsm_token.c --- openbsm/libbsm/bsm_token.c 2006-09-20 12:08:21.000000000 -0300 +++ openbsm-dgiagio/libbsm/bsm_token.c 2006-11-15 14:22:53.000000000 -0200 @@ -212,9 +212,46 @@ token_t * au_to_attr64(struct vnode_au_info *vni) { + token_t *t; + u_char *dptr = NULL; + u_int16_t pad0_16 = 0; + u_int16_t pad0_32 = 0; + + GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) + + 3 * sizeof(u_int32_t) + sizeof(u_int64_t) * 2); + if (t == NULL) + return (NULL); + + ADD_U_CHAR(dptr, AUT_ATTR64); + + /* + * Darwin defines the size for the file mode + * as 2 bytes; BSM defines 4 so pad with 0 + */ + ADD_U_INT16(dptr, pad0_16); + ADD_U_INT16(dptr, vni->vn_mode); + + ADD_U_INT32(dptr, vni->vn_uid); + ADD_U_INT32(dptr, vni->vn_gid); + ADD_U_INT32(dptr, vni->vn_fsid); + + /* + * Some systems use 32-bit file ID's, other's use 64-bit file IDs. + * Attempt to handle both, and let the compiler sort it out. If we + * could pick this out at compile-time, it would be better, so as to + * avoid the else case below. + */ + if (sizeof(vni->vn_fileid) == sizeof(uint32_t)) { + ADD_U_INT32(dptr, pad0_32); + ADD_U_INT32(dptr, vni->vn_fileid); + } else if (sizeof(vni->vn_fileid) == sizeof(uint64_t)) + ADD_U_INT64(dptr, vni->vn_fileid); + else + ADD_U_INT64(dptr, 0LL); - errno = ENOTSUP; - return (NULL); + ADD_U_INT64(dptr, vni->vn_dev); + + return (t); } token_t * @@ -654,9 +691,26 @@ __unused gid_t egid, __unused uid_t ruid, __unused gid_t rgid, __unused pid_t pid, __unused au_asid_t sid, __unused au_tid_t *tid) { + token_t *t; + u_char *dptr = NULL; + + GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 8 * sizeof(u_int32_t) + + sizeof(u_int64_t)); + if (t == NULL) + return (NULL); + + ADD_U_CHAR(dptr, AUT_PROCESS64); + ADD_U_INT32(dptr, auid); + ADD_U_INT32(dptr, euid); + ADD_U_INT32(dptr, egid); + ADD_U_INT32(dptr, ruid); + ADD_U_INT32(dptr, rgid); + ADD_U_INT32(dptr, pid); + ADD_U_INT32(dptr, sid); + ADD_U_INT64(dptr, tid->port); + ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t)); - errno = ENOTSUP; - return (NULL); + return (t); } token_t * @@ -727,9 +781,42 @@ au_to_process64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid) { + token_t *t; + u_char *dptr = NULL; + + if (tid->at_type == AU_IPv4) + GET_TOKEN_AREA(t, dptr, sizeof(u_char) + + 7 * sizeof(u_int32_t) + sizeof(u_int64_t) + + 2 * sizeof(u_int32_t)); + else if (tid->at_type == AU_IPv6) + GET_TOKEN_AREA(t, dptr, sizeof(u_char) + + 7 * sizeof(u_int32_t) + sizeof(u_int64_t) + + 5 * sizeof(u_int32_t)); + else { + errno = EINVAL; + return (NULL); + } + if (t == NULL) + return (NULL); + + ADD_U_CHAR(dptr, AUT_PROCESS64_EX); + ADD_U_INT32(dptr, auid); + ADD_U_INT32(dptr, euid); + ADD_U_INT32(dptr, egid); + ADD_U_INT32(dptr, ruid); + ADD_U_INT32(dptr, rgid); + ADD_U_INT32(dptr, pid); + ADD_U_INT32(dptr, sid); + ADD_U_INT64(dptr, tid->at_port); + ADD_U_INT32(dptr, tid->at_type); + ADD_U_INT32(dptr, tid->at_addr[0]); + if (tid->at_type == AU_IPv6) { + ADD_U_INT32(dptr, tid->at_addr[1]); + ADD_U_INT32(dptr, tid->at_addr[2]); + ADD_U_INT32(dptr, tid->at_addr[3]); + } - errno = ENOTSUP; - return (NULL); + return (t); } token_t * @@ -944,9 +1031,26 @@ au_to_subject64(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, pid_t pid, au_asid_t sid, au_tid_t *tid) { + token_t *t; + u_char *dptr = NULL; + + GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 7 * sizeof(u_int32_t) + + sizeof(u_int64_t) + sizeof(u_int32_t)); + if (t == NULL) + return (NULL); - errno = ENOTSUP; - return (NULL); + ADD_U_CHAR(dptr, AUT_SUBJECT64); + ADD_U_INT32(dptr, auid); + ADD_U_INT32(dptr, euid); + ADD_U_INT32(dptr, egid); + ADD_U_INT32(dptr, ruid); + ADD_U_INT32(dptr, rgid); + ADD_U_INT32(dptr, pid); + ADD_U_INT32(dptr, sid); + ADD_U_INT64(dptr, tid->port); + ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t)); + + return (t); } token_t * @@ -1016,9 +1120,42 @@ au_to_subject64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid) { + token_t *t; + u_char *dptr = NULL; + + if (tid->at_type == AU_IPv4) + GET_TOKEN_AREA(t, dptr, sizeof(u_char) + + 7 * sizeof(u_int32_t) + sizeof(u_int64_t) + + 2 * sizeof(u_int32_t)); + else if (tid->at_type == AU_IPv6) + GET_TOKEN_AREA(t, dptr, sizeof(u_char) + + 7 * sizeof(u_int32_t) + sizeof(u_int64_t) + + 5 * sizeof(u_int32_t)); + else { + errno = EINVAL; + return (NULL); + } + if (t == NULL) + return (NULL); + + ADD_U_CHAR(dptr, AUT_SUBJECT64_EX); + ADD_U_INT32(dptr, auid); + ADD_U_INT32(dptr, euid); + ADD_U_INT32(dptr, egid); + ADD_U_INT32(dptr, ruid); + ADD_U_INT32(dptr, rgid); + ADD_U_INT32(dptr, pid); + ADD_U_INT32(dptr, sid); + ADD_U_INT64(dptr, tid->at_port); + ADD_U_INT32(dptr, tid->at_type); + ADD_U_INT32(dptr, tid->at_addr[0]); + if (tid->at_type == AU_IPv6) { + ADD_U_INT32(dptr, tid->at_addr[1]); + ADD_U_INT32(dptr, tid->at_addr[2]); + ADD_U_INT32(dptr, tid->at_addr[3]); + } - errno = ENOTSUP; - return (NULL); + return (t); } token_t * @@ -1166,6 +1303,33 @@ return (t); } +token_t * +au_to_header64_tm(int rec_size, au_event_t e_type, au_emod_t e_mod, + struct timeval tm) +{ + token_t *t; + u_char *dptr = NULL; + u_int32_t timems; + + GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + + sizeof(u_char) + 2 * sizeof(u_int16_t) + 2 * sizeof(u_int64_t)); + if (t == NULL) + return (NULL); + + ADD_U_CHAR(dptr, AUT_HEADER64); + ADD_U_INT32(dptr, rec_size); + ADD_U_CHAR(dptr, AUDIT_HEADER_VERSION_OPENBSM); + ADD_U_INT16(dptr, e_type); + ADD_U_INT16(dptr, e_mod); + + timems = tm.tv_usec/1000; + /* Add the timestamp */ + ADD_U_INT64(dptr, tm.tv_sec); + ADD_U_INT64(dptr, timems); /* We need time in ms. */ + + return (t); +} + #if !defined(KERNEL) && !defined(_KERNEL) token_t * au_to_header32(int rec_size, au_event_t e_type, au_emod_t e_mod) @@ -1181,9 +1345,11 @@ au_to_header64(__unused int rec_size, __unused au_event_t e_type, __unused au_emod_t e_mod) { + struct timeval tm; - errno = ENOTSUP; - return (NULL); + if (gettimeofday(&tm, NULL) == -1) + return (NULL); + return (au_to_header64_tm(rec_size, e_type, e_mod, tm)); } token_t * --------------010907030009030504070804--