search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
turns printfs back on
[freebsd-src/fkvm-freebsd.git] / contrib / openbsm / libbsm / bsm_io.c
blob29fdc879c548d3f7868616107cd6870f51a62806
1 /*
2 * Copyright (c) 2004 Apple Computer, Inc.
3 * Copyright (c) 2005 SPARTA, Inc.
4 * Copyright (c) 2006 Robert N. M. Watson
5 * Copyright (c) 2006 Martin Voros
6 * All rights reserved.
7 *
8 * This code was developed in part by Robert N. M. Watson, Senior Principal
9 * Scientist, SPARTA, Inc.
10 *
11 * Redistribution and use in source and binary forms, with or without
12 * modification, are permitted provided that the following conditions
13 * are met:
14 * 1. Redistributions of source code must retain the above copyright
15 * notice, this list of conditions and the following disclaimer.
16 * 2. Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in the
18 * documentation and/or other materials provided with the distribution.
19 * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
20 * its contributors may be used to endorse or promote products derived
21 * from this software without specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
27 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
31 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
32 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
33 * POSSIBILITY OF SUCH DAMAGE.
34 *
35 * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_io.c#50 $
36 */
37
38 #include <sys/types.h>
39
40 #include <config/config.h>
41 #ifdef HAVE_SYS_ENDIAN_H
42 #include <sys/endian.h>
43 #else /* !HAVE_SYS_ENDIAN_H */
44 #ifdef HAVE_MACHINE_ENDIAN_H
45 #include <machine/endian.h>
46 #else /* !HAVE_MACHINE_ENDIAN_H */
47 #ifdef HAVE_ENDIAN_H
48 #include <endian.h>
49 #else /* !HAVE_ENDIAN_H */
50 #error "No supported endian.h"
51 #endif /* !HAVE_ENDIAN_H */
52 #endif /* !HAVE_MACHINE_ENDIAN_H */
53 #include <compat/endian.h>
54 #endif /* !HAVE_SYS_ENDIAN_H */
55 #ifdef HAVE_FULL_QUEUE_H
56 #include <sys/queue.h>
57 #else /* !HAVE_FULL_QUEUE_H */
58 #include <compat/queue.h>
59 #endif /* !HAVE_FULL_QUEUE_H */
60
61 #include <sys/stat.h>
62 #include <sys/socket.h>
63
64 #include <bsm/libbsm.h>
65
66 #include <unistd.h>
67 #include <netinet/in.h>
68 #include <arpa/inet.h>
69 #include <errno.h>
70 #include <time.h>
71 #include <stdlib.h>
72 #include <stdio.h>
73 #include <string.h>
74 #include <pwd.h>
75 #include <grp.h>
76
77 #include <bsm/audit_internal.h>
78
79 #define READ_TOKEN_BYTES(buf, len, dest, size, bytesread, err) do { \
80 if (bytesread + size > len) { \
81 err = 1; \
82 } else { \
83 memcpy(dest, buf + bytesread, size); \
84 bytesread += size; \
85 } \
86 } while (0)
87
88 #define READ_TOKEN_U_CHAR(buf, len, dest, bytesread, err) do { \
89 if (bytesread + sizeof(u_char) <= len) { \
90 dest = buf[bytesread]; \
91 bytesread += sizeof(u_char); \
92 } else \
93 err = 1; \
94 } while (0)
95
96 #define READ_TOKEN_U_INT16(buf, len, dest, bytesread, err) do { \
97 if (bytesread + sizeof(u_int16_t) <= len) { \
98 dest = be16dec(buf + bytesread); \
99 bytesread += sizeof(u_int16_t); \
100 } else \
101 err = 1; \
102 } while (0)
103
104 #define READ_TOKEN_U_INT32(buf, len, dest, bytesread, err) do { \
105 if (bytesread + sizeof(u_int32_t) <= len) { \
106 dest = be32dec(buf + bytesread); \
107 bytesread += sizeof(u_int32_t); \
108 } else \
109 err = 1; \
110 } while (0)
111
112 #define READ_TOKEN_U_INT64(buf, len, dest, bytesread, err) do { \
113 if (bytesread + sizeof(u_int64_t) <= len) { \
114 dest = be64dec(buf + bytesread); \
115 bytesread += sizeof(u_int64_t); \
116 } else \
117 err = 1; \
118 } while (0)
119
120 #define SET_PTR(buf, len, ptr, size, bytesread, err) do { \
121 if ((bytesread) + (size) > (len)) \
122 (err) = 1; \
123 else { \
124 (ptr) = (buf) + (bytesread); \
125 (bytesread) += (size); \
126 } \
127 } while (0)
128
129 /*
130 * XML option.
131 */
132 #define AU_PLAIN 0
133 #define AU_XML 1
134
135 /*
136 * Prints the delimiter string.
137 */
138 static void
139 print_delim(FILE *fp, const char *del)
140 {
141
142 fprintf(fp, "%s", del);
143 }
144
145 /*
146 * Prints a single byte in the given format.
147 */
148 static void
149 print_1_byte(FILE *fp, u_char val, const char *format)
150 {
151
152 fprintf(fp, format, val);
153 }
154
155 /*
156 * Print 2 bytes in the given format.
157 */
158 static void
159 print_2_bytes(FILE *fp, u_int16_t val, const char *format)
160 {
161
162 fprintf(fp, format, val);
163 }
164
165 /*
166 * Prints 4 bytes in the given format.
167 */
168 static void
169 print_4_bytes(FILE *fp, u_int32_t val, const char *format)
170 {
171
172 fprintf(fp, format, val);
173 }
174
175 /*
176 * Prints 8 bytes in the given format.
177 */
178 static void
179 print_8_bytes(FILE *fp, u_int64_t val, const char *format)
180 {
181
182 fprintf(fp, format, val);
183 }
184
185 /*
186 * Prints the given size of data bytes in hex.
187 */
188 static void
189 print_mem(FILE *fp, u_char *data, size_t len)
190 {
191 int i;
192
193 if (len > 0) {
194 fprintf(fp, "0x");
195 for (i = 0; i < len; i++)
196 fprintf(fp, "%x", data[i]);
197 }
198 }
199
200 /*
201 * Prints the given data bytes as a string.
202 */
203 static void
204 print_string(FILE *fp, const char *str, size_t len)
205 {
206 int i;
207
208 if (len > 0) {
209 for (i = 0; i < len; i++) {
210 if (str[i] != '\0')
211 fprintf(fp, "%c", str[i]);
212 }
213 }
214 }
215
216 /*
217 * Prints the beggining of attribute.
218 */
219 static void
220 open_attr(FILE *fp, const char *str)
221 {
222
223 fprintf(fp,"%s=\"", str);
224 }
225
226 /*
227 * Prints the end of attribute.
228 */
229 static void
230 close_attr(FILE *fp)
231 {
232
233 fprintf(fp,"\" ");
234 }
235
236 /*
237 * Prints the end of tag.
238 */
239 static void
240 close_tag(FILE *fp, u_char type)
241 {
242
243 switch(type) {
244 case AUT_HEADER32:
245 fprintf(fp, ">");
246 break;
247
248 case AUT_HEADER32_EX:
249 fprintf(fp, ">");
250 break;
251
252 case AUT_HEADER64:
253 fprintf(fp, ">");
254 break;
255
256 case AUT_HEADER64_EX:
257 fprintf(fp, ">");
258 break;
259
260 case AUT_ARG32:
261 fprintf(fp, "/>");
262 break;
263
264 case AUT_ARG64:
265 fprintf(fp, "/>");
266 break;
267
268 case AUT_ATTR32:
269 fprintf(fp, "/>");
270 break;
271
272 case AUT_ATTR64:
273 fprintf(fp, "/>");
274 break;
275
276 case AUT_EXIT:
277 fprintf(fp, "/>");
278 break;
279
280 case AUT_EXEC_ARGS:
281 fprintf(fp, "</exec_args>");
282 break;
283
284 case AUT_EXEC_ENV:
285 fprintf(fp, "</exec_env>");
286 break;
287
288 case AUT_OTHER_FILE32:
289 fprintf(fp, "</file>");
290 break;
291
292 case AUT_NEWGROUPS:
293 fprintf(fp, "</group>");
294 break;
295
296 case AUT_IN_ADDR:
297 fprintf(fp, "</ip_address>");
298 break;
299
300 case AUT_IN_ADDR_EX:
301 fprintf(fp, "</ip_address>");
302 break;
303
304 case AUT_IP:
305 fprintf(fp, "/>");
306 break;
307
308 case AUT_IPC:
309 fprintf(fp, "/>");
310 break;
311
312 case AUT_IPC_PERM:
313 fprintf(fp, "/>");
314 break;
315
316 case AUT_IPORT:
317 fprintf(fp, "</ip_port>");
318 break;
319
320 case AUT_OPAQUE:
321 fprintf(fp, "</opaque>");
322 break;
323
324 case AUT_PATH:
325 fprintf(fp, "</path>");
326 break;
327
328 case AUT_PROCESS32:
329 fprintf(fp, "/>");
330 break;
331
332 case AUT_PROCESS32_EX:
333 fprintf(fp, "/>");
334 break;
335
336 case AUT_PROCESS64:
337 fprintf(fp, "/>");
338 break;
339
340 case AUT_PROCESS64_EX:
341 fprintf(fp, "/>");
342 break;
343
344 case AUT_RETURN32:
345 fprintf(fp, "/>");
346 break;
347
348 case AUT_RETURN64:
349 fprintf(fp, "/>");
350 break;
351
352 case AUT_SEQ:
353 fprintf(fp, "/>");
354 break;
355
356 case AUT_SOCKET:
357 fprintf(fp, "/>");
358 break;
359
360 case AUT_SOCKINET32:
361 fprintf(fp, "/>");
362 break;
363
364 case AUT_SOCKUNIX:
365 fprintf(fp, "/>");
366 break;
367
368 case AUT_SUBJECT32:
369 fprintf(fp, "/>");
370 break;
371
372 case AUT_SUBJECT64:
373 fprintf(fp, "/>");
374 break;
375
376 case AUT_SUBJECT32_EX:
377 fprintf(fp, "/>");
378 break;
379
380 case AUT_SUBJECT64_EX:
381 fprintf(fp, "/>");
382 break;
383
384 case AUT_TEXT:
385 fprintf(fp, "</text>");
386 break;
387
388 case AUT_SOCKET_EX:
389 fprintf(fp, "/>");
390 break;
391
392 case AUT_DATA:
393 fprintf(fp, "</arbitrary>");
394 break;
395
396 case AUT_ZONENAME:
397 fprintf(fp, "/>");
398 break;
399 }
400 }
401
402 /*
403 * Prints the token type in either the raw or the default form.
404 */
405 static void
406 print_tok_type(FILE *fp, u_char type, const char *tokname, char raw, int xml)
407 {
408
409 if (xml) {
410 switch(type) {
411 case AUT_HEADER32:
412 fprintf(fp, "<record ");
413 break;
414
415 case AUT_HEADER32_EX:
416 fprintf(fp, "<record ");
417 break;
418
419 case AUT_HEADER64:
420 fprintf(fp, "<record ");
421 break;
422
423 case AUT_HEADER64_EX:
424 fprintf(fp, "<record ");
425 break;
426
427 case AUT_TRAILER:
428 fprintf(fp, "</record>");
429 break;
430
431 case AUT_ARG32:
432 fprintf(fp, "<argument ");
433 break;
434
435 case AUT_ARG64:
436 fprintf(fp, "<argument ");
437 break;
438
439 case AUT_ATTR32:
440 fprintf(fp, "<attribute ");
441 break;
442
443 case AUT_ATTR64:
444 fprintf(fp, "<attribute ");
445 break;
446
447 case AUT_EXIT:
448 fprintf(fp, "<exit ");
449 break;
450
451 case AUT_EXEC_ARGS:
452 fprintf(fp, "<exec_args>");
453 break;
454
455 case AUT_EXEC_ENV:
456 fprintf(fp, "<exec_env>");
457 break;
458
459 case AUT_OTHER_FILE32:
460 fprintf(fp, "<file ");
461 break;
462
463 case AUT_NEWGROUPS:
464 fprintf(fp, "<group>");
465 break;
466
467 case AUT_IN_ADDR:
468 fprintf(fp, "<ip_address>");
469 break;
470
471 case AUT_IN_ADDR_EX:
472 fprintf(fp, "<ip_address>");
473 break;
474
475 case AUT_IP:
476 fprintf(fp, "<ip ");
477 break;
478
479 case AUT_IPC:
480 fprintf(fp, "<IPC");
481 break;
482
483 case AUT_IPC_PERM:
484 fprintf(fp, "<IPC_perm ");
485 break;
486
487 case AUT_IPORT:
488 fprintf(fp, "<ip_port>");
489 break;
490
491 case AUT_OPAQUE:
492 fprintf(fp, "<opaque>");
493 break;
494
495 case AUT_PATH:
496 fprintf(fp, "<path>");
497 break;
498
499 case AUT_PROCESS32:
500 fprintf(fp, "<process ");
501 break;
502
503 case AUT_PROCESS32_EX:
504 fprintf(fp, "<process ");
505 break;
506
507 case AUT_PROCESS64:
508 fprintf(fp, "<process ");
509 break;
510
511 case AUT_PROCESS64_EX:
512 fprintf(fp, "<process ");
513 break;
514
515 case AUT_RETURN32:
516 fprintf(fp, "<return ");
517 break;
518
519 case AUT_RETURN64:
520 fprintf(fp, "<return ");
521 break;
522
523 case AUT_SEQ:
524 fprintf(fp, "<sequence ");
525 break;
526
527 case AUT_SOCKET:
528 fprintf(fp, "<socket ");
529 break;
530
531 case AUT_SOCKINET32:
532 fprintf(fp, "<old_socket");
533 break;
534
535 case AUT_SOCKUNIX:
536 fprintf(fp, "<old_socket");
537 break;
538
539 case AUT_SUBJECT32:
540 fprintf(fp, "<subject ");
541 break;
542
543 case AUT_SUBJECT64:
544 fprintf(fp, "<subject ");
545 break;
546
547 case AUT_SUBJECT32_EX:
548 fprintf(fp, "<subject ");
549 break;
550
551 case AUT_SUBJECT64_EX:
552 fprintf(fp, "<subject ");
553 break;
554
555 case AUT_TEXT:
556 fprintf(fp, "<text>");
557 break;
558
559 case AUT_SOCKET_EX:
560 fprintf(fp, "<socket ");
561 break;
562
563 case AUT_DATA:
564 fprintf(fp, "<arbitrary ");
565 break;
566
567 case AUT_ZONENAME:
568 fprintf(fp, "<zone ");
569 break;
570 }
571 } else {
572 if (raw)
573 fprintf(fp, "%u", type);
574 else
575 fprintf(fp, "%s", tokname);
576 }
577 }
578
579 /*
580 * Prints a user value.
581 */
582 static void
583 print_user(FILE *fp, u_int32_t usr, char raw)
584 {
585 struct passwd *pwent;
586
587 if (raw)
588 fprintf(fp, "%d", usr);
589 else {
590 pwent = getpwuid(usr);
591 if (pwent != NULL)
592 fprintf(fp, "%s", pwent->pw_name);
593 else
594 fprintf(fp, "%d", usr);
595 }
596 }
597
598 /*
599 * Prints a group value.
600 */
601 static void
602 print_group(FILE *fp, u_int32_t grp, char raw)
603 {
604 struct group *grpent;
605
606 if (raw)
607 fprintf(fp, "%d", grp);
608 else {
609 grpent = getgrgid(grp);
610 if (grpent != NULL)
611 fprintf(fp, "%s", grpent->gr_name);
612 else
613 fprintf(fp, "%d", grp);
614 }
615 }
616
617 /*
618 * Prints the event from the header token in either the short, default or raw
619 * form.
620 */
621 static void
622 print_event(FILE *fp, u_int16_t ev, char raw, char sfrm)
623 {
624 char event_ent_name[AU_EVENT_NAME_MAX];
625 char event_ent_desc[AU_EVENT_DESC_MAX];
626 struct au_event_ent e, *ep;
627
628 bzero(&e, sizeof(e));
629 bzero(event_ent_name, sizeof(event_ent_name));
630 bzero(event_ent_desc, sizeof(event_ent_desc));
631 e.ae_name = event_ent_name;
632 e.ae_desc = event_ent_desc;
633
634 ep = getauevnum_r(&e, ev);
635 if (ep == NULL) {
636 fprintf(fp, "%u", ev);
637 return;
638 }
639
640 if (raw)
641 fprintf(fp, "%u", ev);
642 else if (sfrm)
643 fprintf(fp, "%s", e.ae_name);
644 else
645 fprintf(fp, "%s", e.ae_desc);
646 }
647
648
649 /*
650 * Prints the event modifier from the header token in either the default or
651 * raw form.
652 */
653 static void
654 print_evmod(FILE *fp, u_int16_t evmod, char raw)
655 {
656 if (raw)
657 fprintf(fp, "%u", evmod);
658 else
659 fprintf(fp, "%u", evmod);
660 }
661
662 /*
663 * Prints seconds in the ctime format.
664 */
665 static void
666 print_sec32(FILE *fp, u_int32_t sec, char raw)
667 {
668 time_t timestamp;
669 char timestr[26];
670
671 if (raw)
672 fprintf(fp, "%u", sec);
673 else {
674 timestamp = (time_t)sec;
675 ctime_r(&timestamp, timestr);
676 timestr[24] = '\0'; /* No new line */
677 fprintf(fp, "%s", timestr);
678 }
679 }
680
681 /*
682 * XXXRW: 64-bit token streams make use of 64-bit time stamps; since we
683 * assume a 32-bit time_t, we simply truncate for now.
684 */
685 static void
686 print_sec64(FILE *fp, u_int64_t sec, char raw)
687 {
688 time_t timestamp;
689 char timestr[26];
690
691 if (raw)
692 fprintf(fp, "%u", (u_int32_t)sec);
693 else {
694 timestamp = (time_t)sec;
695 ctime_r(&timestamp, timestr);
696 timestr[24] = '\0'; /* No new line */
697 fprintf(fp, "%s", timestr);
698 }
699 }
700
701 /*
702 * Prints the excess milliseconds.
703 */
704 static void
705 print_msec32(FILE *fp, u_int32_t msec, char raw)
706 {
707 if (raw)
708 fprintf(fp, "%u", msec);
709 else
710 fprintf(fp, " + %u msec", msec);
711 }
712
713 /*
714 * XXXRW: 64-bit token streams make use of 64-bit time stamps; since we assume
715 * a 32-bit msec, we simply truncate for now.
716 */
717 static void
718 print_msec64(FILE *fp, u_int64_t msec, char raw)
719 {
720
721 msec &= 0xffffffff;
722 if (raw)
723 fprintf(fp, "%u", (u_int32_t)msec);
724 else
725 fprintf(fp, " + %u msec", (u_int32_t)msec);
726 }
727
728 /*
729 * Prints a dotted form for the IP address.
730 */
731 static void
732 print_ip_address(FILE *fp, u_int32_t ip)
733 {
734 struct in_addr ipaddr;
735
736 ipaddr.s_addr = ip;
737 fprintf(fp, "%s", inet_ntoa(ipaddr));
738 }
739
740 /*
741 * Prints a string value for the given ip address.
742 */
743 static void
744 print_ip_ex_address(FILE *fp, u_int32_t type, u_int32_t *ipaddr)
745 {
746 struct in_addr ipv4;
747 struct in6_addr ipv6;
748 char dst[INET6_ADDRSTRLEN];
749
750 switch (type) {
751 case AU_IPv4:
752 ipv4.s_addr = (in_addr_t)(ipaddr[0]);
753 fprintf(fp, "%s", inet_ntop(AF_INET, &ipv4, dst,
754 INET6_ADDRSTRLEN));
755 break;
756
757 case AU_IPv6:
758 bcopy(ipaddr, &ipv6, sizeof(ipv6));
759 fprintf(fp, "%s", inet_ntop(AF_INET6, &ipv6, dst,
760 INET6_ADDRSTRLEN));
761 break;
762
763 default:
764 fprintf(fp, "invalid");
765 }
766 }
767
768 /*
769 * Prints return value as success or failure.
770 */
771 static void
772 print_retval(FILE *fp, u_char status, char raw)
773 {
774 if (raw)
775 fprintf(fp, "%u", status);
776 else {
777 if (status == 0)
778 fprintf(fp, "success");
779 else
780 fprintf(fp, "failure : %s", strerror(status));
781 }
782 }
783
784 /*
785 * Prints the exit value.
786 */
787 static void
788 print_errval(FILE *fp, u_int32_t val)
789 {
790
791 fprintf(fp, "Error %u", val);
792 }
793
794 /*
795 * Prints IPC type.
796 */
797 static void
798 print_ipctype(FILE *fp, u_char type, char raw)
799 {
800 if (raw)
801 fprintf(fp, "%u", type);
802 else {
803 if (type == AT_IPC_MSG)
804 fprintf(fp, "Message IPC");
805 else if (type == AT_IPC_SEM)
806 fprintf(fp, "Semaphore IPC");
807 else if (type == AT_IPC_SHM)
808 fprintf(fp, "Shared Memory IPC");
809 else
810 fprintf(fp, "%u", type);
811 }
812 }
813
814 /*
815 * Print XML header.
816 */
817 void
818 au_print_xml_header(FILE *outfp)
819 {
820
821 fprintf(outfp, "<?xml version='1.0' ?>\n");
822 fprintf(outfp, "<audit>\n");
823 }
824
825 /*
826 * Print XML footer.
827 */
828 void
829 au_print_xml_footer(FILE *outfp)
830 {
831
832 fprintf(outfp, "</audit>\n");
833 }
834
835 /*
836 * record byte count 4 bytes
837 * version # 1 byte [2]
838 * event type 2 bytes
839 * event modifier 2 bytes
840 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value)
841 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value)
842 */
843 static int
844 fetch_header32_tok(tokenstr_t *tok, u_char *buf, int len)
845 {
846 int err = 0;
847
848 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.size, tok->len, err);
849 if (err)
850 return (-1);
851
852 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr32.version, tok->len, err);
853 if (err)
854 return (-1);
855
856 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32.e_type, tok->len, err);
857 if (err)
858 return (-1);
859
860 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32.e_mod, tok->len, err);
861 if (err)
862 return (-1);
863
864 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.s, tok->len, err);
865 if (err)
866 return (-1);
867
868 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.ms, tok->len, err);
869 if (err)
870 return (-1);
871
872 return (0);
873 }
874
875 static void
876 print_header32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm,
877 int xml)
878 {
879
880 print_tok_type(fp, tok->id, "header", raw, xml);
881 if (xml) {
882 open_attr(fp, "version");
883 print_1_byte(fp, tok->tt.hdr32.version, "%u");
884 close_attr(fp);
885 open_attr(fp, "event");
886 print_event(fp, tok->tt.hdr32.e_type, raw, sfrm);
887 close_attr(fp);
888 open_attr(fp, "modifier");
889 print_evmod(fp, tok->tt.hdr32.e_mod, raw);
890 close_attr(fp);
891 open_attr(fp, "time");
892 print_sec32(fp, tok->tt.hdr32.s, raw);
893 close_attr(fp);
894 open_attr(fp, "msec");
895 print_msec32(fp, tok->tt.hdr32.ms, 1);
896 close_attr(fp);
897 close_tag(fp, tok->id);
898 } else {
899 print_delim(fp, del);
900 print_4_bytes(fp, tok->tt.hdr32.size, "%u");
901 print_delim(fp, del);
902 print_1_byte(fp, tok->tt.hdr32.version, "%u");
903 print_delim(fp, del);
904 print_event(fp, tok->tt.hdr32.e_type, raw, sfrm);
905 print_delim(fp, del);
906 print_evmod(fp, tok->tt.hdr32.e_mod, raw);
907 print_delim(fp, del);
908 print_sec32(fp, tok->tt.hdr32.s, raw);
909 print_delim(fp, del);
910 print_msec32(fp, tok->tt.hdr32.ms, raw);
911 }
912 }
913
914 /*
915 * The Solaris specifications for AUE_HEADER32_EX seem to differ a bit
916 * depending on the bit of the specifications found. The OpenSolaris source
917 * code uses a 4-byte address length, followed by some number of bytes of
918 * address data. This contrasts with the Solaris audit.log.5 man page, which
919 * specifies a 1-byte length field. We use the Solaris 10 definition so that
920 * we can parse audit trails from that system.
921 *
922 * record byte count 4 bytes
923 * version # 1 byte [2]
924 * event type 2 bytes
925 * event modifier 2 bytes
926 * address type/length 4 bytes
927 * [ Solaris man page: address type/length 1 byte]
928 * machine address 4 bytes/16 bytes (IPv4/IPv6 address)
929 * seconds of time 4 bytes/8 bytes (32/64-bits)
930 * nanoseconds of time 4 bytes/8 bytes (32/64-bits)
931 */
932 static int
933 fetch_header32_ex_tok(tokenstr_t *tok, u_char *buf, int len)
934 {
935 int err = 0;
936
937 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.size, tok->len, err);
938 if (err)
939 return (-1);
940
941 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr32_ex.version, tok->len, err);
942 if (err)
943 return (-1);
944
945 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32_ex.e_type, tok->len, err);
946 if (err)
947 return (-1);
948
949 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32_ex.e_mod, tok->len, err);
950 if (err)
951 return (-1);
952
953 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.ad_type, tok->len, err);
954 if (err)
955 return (-1);
956
957 bzero(tok->tt.hdr32_ex.addr, sizeof(tok->tt.hdr32_ex.addr));
958 switch (tok->tt.hdr32_ex.ad_type) {
959 case AU_IPv4:
960 READ_TOKEN_BYTES(buf, len, &tok->tt.hdr32_ex.addr[0],
961 sizeof(tok->tt.hdr32_ex.addr[0]), tok->len, err);
962 if (err)
963 return (-1);
964 break;
965
966 case AU_IPv6:
967 READ_TOKEN_BYTES(buf, len, tok->tt.hdr32_ex.addr,
968 sizeof(tok->tt.hdr32_ex.addr), tok->len, err);
969 break;
970 }
971
972 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.s, tok->len, err);
973 if (err)
974 return (-1);
975
976 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.ms, tok->len, err);
977 if (err)
978 return (-1);
979
980 return (0);
981 }
982
983 static void
984 print_header32_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
985 char sfrm, int xml)
986 {
987
988 print_tok_type(fp, tok->id, "header_ex", raw, xml);
989 if (xml) {
990 open_attr(fp, "version");
991 print_1_byte(fp, tok->tt.hdr32_ex.version, "%u");
992 close_attr(fp);
993 open_attr(fp, "event");
994 print_event(fp, tok->tt.hdr32_ex.e_type, raw, sfrm);
995 close_attr(fp);
996 open_attr(fp, "modifier");
997 print_evmod(fp, tok->tt.hdr32_ex.e_mod, raw);
998 close_attr(fp);
999 /*
1000 * No attribute for additional types.
1001 *
1002 print_ip_ex_address(fp, tok->tt.hdr32_ex.ad_type,
1003 tok->tt.hdr32_ex.addr);
1004 */
1005 open_attr(fp, "time");
1006 print_sec32(fp, tok->tt.hdr32_ex.s, raw);
1007 close_attr(fp);
1008 open_attr(fp, "msec");
1009 print_msec32(fp, tok->tt.hdr32_ex.ms, raw);
1010 close_attr(fp);
1011 close_tag(fp, tok->id);
1012 } else {
1013 print_delim(fp, del);
1014 print_4_bytes(fp, tok->tt.hdr32_ex.size, "%u");
1015 print_delim(fp, del);
1016 print_1_byte(fp, tok->tt.hdr32_ex.version, "%u");
1017 print_delim(fp, del);
1018 print_event(fp, tok->tt.hdr32_ex.e_type, raw, sfrm);
1019 print_delim(fp, del);
1020 print_evmod(fp, tok->tt.hdr32_ex.e_mod, raw);
1021 print_delim(fp, del);
1022 print_ip_ex_address(fp, tok->tt.hdr32_ex.ad_type,
1023 tok->tt.hdr32_ex.addr);
1024 print_delim(fp, del);
1025 print_sec32(fp, tok->tt.hdr32_ex.s, raw);
1026 print_delim(fp, del);
1027 print_msec32(fp, tok->tt.hdr32_ex.ms, raw);
1028 }
1029 }
1030
1031 /*
1032 * record byte count 4 bytes
1033 * event type 2 bytes
1034 * event modifier 2 bytes
1035 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value)
1036 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value)
1037 * version #
1038 */
1039 static int
1040 fetch_header64_tok(tokenstr_t *tok, u_char *buf, int len)
1041 {
1042 int err = 0;
1043
1044 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64.size, tok->len, err);
1045 if (err)
1046 return (-1);
1047
1048 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr64.version, tok->len, err);
1049 if (err)
1050 return (-1);
1051
1052 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64.e_type, tok->len, err);
1053 if (err)
1054 return (-1);
1055
1056 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64.e_mod, tok->len, err);
1057 if (err)
1058 return (-1);
1059
1060 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64.s, tok->len, err);
1061 if (err)
1062 return (-1);
1063
1064 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64.ms, tok->len, err);
1065 if (err)
1066 return (-1);
1067
1068 return (0);
1069 }
1070
1071 static void
1072 print_header64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm,
1073 int xml)
1074 {
1075
1076 print_tok_type(fp, tok->id, "header", raw, xml);
1077 if (xml) {
1078 open_attr(fp, "version");
1079 print_1_byte(fp, tok->tt.hdr64.version, "%u");
1080 close_attr(fp);
1081 open_attr(fp, "event");
1082 print_event(fp, tok->tt.hdr64.e_type, raw, sfrm);
1083 close_attr(fp);
1084 open_attr(fp, "modifier");
1085 print_evmod(fp, tok->tt.hdr64.e_mod, raw);
1086 close_attr(fp);
1087 open_attr(fp, "time");
1088 print_sec64(fp, tok->tt.hdr64.s, raw);
1089 close_attr(fp);
1090 open_attr(fp, "msec");
1091 print_msec64(fp, tok->tt.hdr64.ms, raw);
1092 close_attr(fp);
1093 close_tag(fp, tok->id);
1094 } else {
1095 print_delim(fp, del);
1096 print_4_bytes(fp, tok->tt.hdr64.size, "%u");
1097 print_delim(fp, del);
1098 print_1_byte(fp, tok->tt.hdr64.version, "%u");
1099 print_delim(fp, del);
1100 print_event(fp, tok->tt.hdr64.e_type, raw, sfrm);
1101 print_delim(fp, del);
1102 print_evmod(fp, tok->tt.hdr64.e_mod, raw);
1103 print_delim(fp, del);
1104 print_sec64(fp, tok->tt.hdr64.s, raw);
1105 print_delim(fp, del);
1106 print_msec64(fp, tok->tt.hdr64.ms, raw);
1107 }
1108 }
1109
1110 /*
1111 * record byte count 4 bytes
1112 * version # 1 byte [2]
1113 * event type 2 bytes
1114 * event modifier 2 bytes
1115 * address type/length 4 bytes
1116 * [ Solaris man page: address type/length 1 byte]
1117 * machine address 4 bytes/16 bytes (IPv4/IPv6 address)
1118 * seconds of time 4 bytes/8 bytes (32/64-bits)
1119 * nanoseconds of time 4 bytes/8 bytes (32/64-bits)
1120 *
1121 * XXXAUDIT: See comment by fetch_header32_ex_tok() for details on the
1122 * accuracy of the BSM spec.
1123 */
1124 static int
1125 fetch_header64_ex_tok(tokenstr_t *tok, u_char *buf, int len)
1126 {
1127 int err = 0;
1128
1129 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64_ex.size, tok->len, err);
1130 if (err)
1131 return (-1);
1132
1133 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr64_ex.version, tok->len, err);
1134 if (err)
1135 return (-1);
1136
1137 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64_ex.e_type, tok->len, err);
1138 if (err)
1139 return (-1);
1140
1141 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64_ex.e_mod, tok->len, err);
1142 if (err)
1143 return (-1);
1144
1145 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64_ex.ad_type, tok->len, err);
1146 if (err)
1147 return (-1);
1148
1149 bzero(tok->tt.hdr64_ex.addr, sizeof(tok->tt.hdr64_ex.addr));
1150 switch (tok->tt.hdr64_ex.ad_type) {
1151 case AU_IPv4:
1152 READ_TOKEN_BYTES(buf, len, &tok->tt.hdr64_ex.addr[0],
1153 sizeof(tok->tt.hdr64_ex.addr[0]), tok->len, err);
1154 if (err)
1155 return (-1);
1156 break;
1157
1158 case AU_IPv6:
1159 READ_TOKEN_BYTES(buf, len, tok->tt.hdr64_ex.addr,
1160 sizeof(tok->tt.hdr64_ex.addr), tok->len, err);
1161 break;
1162 }
1163
1164 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64_ex.s, tok->len, err);
1165 if (err)
1166 return (-1);
1167
1168 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64_ex.ms, tok->len, err);
1169 if (err)
1170 return (-1);
1171
1172 return (0);
1173 }
1174
1175 static void
1176 print_header64_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1177 char sfrm, int xml)
1178 {
1179
1180 print_tok_type(fp, tok->id, "header_ex", raw, xml);
1181 if (xml) {
1182 open_attr(fp, "version");
1183 print_1_byte(fp, tok->tt.hdr64_ex.version, "%u");
1184 close_attr(fp);
1185 open_attr(fp, "event");
1186 print_event(fp, tok->tt.hdr64_ex.e_type, raw, sfrm);
1187 close_attr(fp);
1188 open_attr(fp, "modifier");
1189 print_evmod(fp, tok->tt.hdr64_ex.e_mod, raw);
1190 close_attr(fp);
1191 /*
1192 * No attribute for additional types.
1193 *
1194 print_ip_ex_address(fp, tok->tt.hdr64_ex.ad_type,
1195 tok->tt.hdr64_ex.addr);
1196 */
1197 open_attr(fp, "time");
1198 print_sec64(fp, tok->tt.hdr64_ex.s, raw);
1199 close_attr(fp);
1200 open_attr(fp, "msec");
1201 print_msec64(fp, tok->tt.hdr64_ex.ms, raw);
1202 close_attr(fp);
1203 close_tag(fp, tok->id);
1204 } else {
1205 print_delim(fp, del);
1206 print_4_bytes(fp, tok->tt.hdr64_ex.size, "%u");
1207 print_delim(fp, del);
1208 print_1_byte(fp, tok->tt.hdr64_ex.version, "%u");
1209 print_delim(fp, del);
1210 print_event(fp, tok->tt.hdr64_ex.e_type, raw, sfrm);
1211 print_delim(fp, del);
1212 print_evmod(fp, tok->tt.hdr64_ex.e_mod, raw);
1213 print_delim(fp, del);
1214 print_ip_ex_address(fp, tok->tt.hdr64_ex.ad_type,
1215 tok->tt.hdr64_ex.addr);
1216 print_delim(fp, del);
1217 print_sec64(fp, tok->tt.hdr64_ex.s, raw);
1218 print_delim(fp, del);
1219 print_msec64(fp, tok->tt.hdr64_ex.ms, raw);
1220 }
1221 }
1222
1223 /*
1224 * trailer magic 2 bytes
1225 * record size 4 bytes
1226 */
1227 static int
1228 fetch_trailer_tok(tokenstr_t *tok, u_char *buf, int len)
1229 {
1230 int err = 0;
1231
1232 READ_TOKEN_U_INT16(buf, len, tok->tt.trail.magic, tok->len, err);
1233 if (err)
1234 return (-1);
1235
1236 READ_TOKEN_U_INT32(buf, len, tok->tt.trail.count, tok->len, err);
1237 if (err)
1238 return (-1);
1239
1240 return (0);
1241 }
1242
1243 static void
1244 print_trailer_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1245 __unused char sfrm, int xml)
1246 {
1247
1248 print_tok_type(fp, tok->id, "trailer", raw, xml);
1249 if (!xml) {
1250 print_delim(fp, del);
1251 print_4_bytes(fp, tok->tt.trail.count, "%u");
1252 }
1253 }
1254
1255 /*
1256 * argument # 1 byte
1257 * argument value 4 bytes/8 bytes (32-bit/64-bit value)
1258 * text length 2 bytes
1259 * text N bytes + 1 terminating NULL byte
1260 */
1261 static int
1262 fetch_arg32_tok(tokenstr_t *tok, u_char *buf, int len)
1263 {
1264 int err = 0;
1265
1266 READ_TOKEN_U_CHAR(buf, len, tok->tt.arg32.no, tok->len, err);
1267 if (err)
1268 return (-1);
1269
1270 READ_TOKEN_U_INT32(buf, len, tok->tt.arg32.val, tok->len, err);
1271 if (err)
1272 return (-1);
1273
1274 READ_TOKEN_U_INT16(buf, len, tok->tt.arg32.len, tok->len, err);
1275 if (err)
1276 return (-1);
1277
1278 SET_PTR((char*)buf, len, tok->tt.arg32.text, tok->tt.arg32.len,
1279 tok->len, err);
1280 if (err)
1281 return (-1);
1282
1283 return (0);
1284 }
1285
1286 static void
1287 print_arg32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1288 __unused char sfrm, int xml)
1289 {
1290
1291 print_tok_type(fp, tok->id, "argument", raw, xml);
1292 if (xml) {
1293 open_attr(fp, "arg-num");
1294 print_1_byte(fp, tok->tt.arg32.no, "%u");
1295 close_attr(fp);
1296 open_attr(fp, "value");
1297 print_4_bytes(fp, tok->tt.arg32.val, "0x%x");
1298 close_attr(fp);
1299 open_attr(fp, "desc");
1300 print_string(fp, tok->tt.arg32.text, tok->tt.arg32.len);
1301 close_attr(fp);
1302 close_tag(fp, tok->id);
1303 } else {
1304 print_delim(fp, del);
1305 print_1_byte(fp, tok->tt.arg32.no, "%u");
1306 print_delim(fp, del);
1307 print_4_bytes(fp, tok->tt.arg32.val, "0x%x");
1308 print_delim(fp, del);
1309 print_string(fp, tok->tt.arg32.text, tok->tt.arg32.len);
1310 }
1311 }
1312
1313 static int
1314 fetch_arg64_tok(tokenstr_t *tok, u_char *buf, int len)
1315 {
1316 int err = 0;
1317
1318 READ_TOKEN_U_CHAR(buf, len, tok->tt.arg64.no, tok->len, err);
1319 if (err)
1320 return (-1);
1321
1322 READ_TOKEN_U_INT64(buf, len, tok->tt.arg64.val, tok->len, err);
1323 if (err)
1324 return (-1);
1325
1326 READ_TOKEN_U_INT16(buf, len, tok->tt.arg64.len, tok->len, err);
1327 if (err)
1328 return (-1);
1329
1330 SET_PTR((char*)buf, len, tok->tt.arg64.text, tok->tt.arg64.len,
1331 tok->len, err);
1332 if (err)
1333 return (-1);
1334
1335 return (0);
1336 }
1337
1338 static void
1339 print_arg64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1340 __unused char sfrm, int xml)
1341 {
1342
1343 print_tok_type(fp, tok->id, "argument", raw, xml);
1344 if (xml) {
1345 open_attr(fp, "arg-num");
1346 print_1_byte(fp, tok->tt.arg64.no, "%u");
1347 close_attr(fp);
1348 open_attr(fp, "value");
1349 print_8_bytes(fp, tok->tt.arg64.val, "0x%llx");
1350 close_attr(fp);
1351 open_attr(fp, "desc");
1352 print_string(fp, tok->tt.arg64.text, tok->tt.arg64.len);
1353 close_attr(fp);
1354 close_tag(fp, tok->id);
1355 } else {
1356 print_delim(fp, del);
1357 print_1_byte(fp, tok->tt.arg64.no, "%u");
1358 print_delim(fp, del);
1359 print_8_bytes(fp, tok->tt.arg64.val, "0x%llx");
1360 print_delim(fp, del);
1361 print_string(fp, tok->tt.arg64.text, tok->tt.arg64.len);
1362 }
1363 }
1364
1365 /*
1366 * how to print 1 byte
1367 * basic unit 1 byte
1368 * unit count 1 byte
1369 * data items (depends on basic unit)
1370 */
1371 static int
1372 fetch_arb_tok(tokenstr_t *tok, u_char *buf, int len)
1373 {
1374 int err = 0;
1375 int datasize;
1376
1377 READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.howtopr, tok->len, err);
1378 if (err)
1379 return (-1);
1380
1381 READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.bu, tok->len, err);
1382 if (err)
1383 return (-1);
1384
1385 READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.uc, tok->len, err);
1386 if (err)
1387 return (-1);
1388
1389 /*
1390 * Determine the size of the basic unit.
1391 */
1392 switch(tok->tt.arb.bu) {
1393 case AUR_BYTE:
1394 /* case AUR_CHAR: */
1395 datasize = AUR_BYTE_SIZE;
1396 break;
1397
1398 case AUR_SHORT:
1399 datasize = AUR_SHORT_SIZE;
1400 break;
1401
1402 case AUR_INT32:
1403 /* case AUR_INT: */
1404 datasize = AUR_INT32_SIZE;
1405 break;
1406
1407 case AUR_INT64:
1408 datasize = AUR_INT64_SIZE;
1409 break;
1410
1411 default:
1412 return (-1);
1413 }
1414
1415 SET_PTR(buf, len, tok->tt.arb.data, datasize * tok->tt.arb.uc,
1416 tok->len, err);
1417 if (err)
1418 return (-1);
1419
1420 return (0);
1421 }
1422
1423 static void
1424 print_arb_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1425 __unused char sfrm, int xml)
1426 {
1427 char *str;
1428 char *format;
1429 size_t size;
1430 int i;
1431
1432 print_tok_type(fp, tok->id, "arbitrary", raw, xml);
1433 if (!xml)
1434 print_delim(fp, del);
1435
1436 switch(tok->tt.arb.howtopr) {
1437 case AUP_BINARY:
1438 str = "binary";
1439 format = " %c";
1440 break;
1441
1442 case AUP_OCTAL:
1443 str = "octal";
1444 format = " %o";
1445 break;
1446
1447 case AUP_DECIMAL:
1448 str = "decimal";
1449 format = " %d";
1450 break;
1451
1452 case AUP_HEX:
1453 str = "hex";
1454 format = " %x";
1455 break;
1456
1457 case AUP_STRING:
1458 str = "string";
1459 format = "%c";
1460 break;
1461
1462 default:
1463 return;
1464 }
1465
1466 if (xml) {
1467 open_attr(fp, "print");
1468 fprintf(fp, "%s",str);
1469 close_attr(fp);
1470 } else {
1471 print_string(fp, str, strlen(str));
1472 print_delim(fp, del);
1473 }
1474 switch(tok->tt.arb.bu) {
1475 case AUR_BYTE:
1476 /* case AUR_CHAR: */
1477 str = "byte";
1478 size = AUR_BYTE_SIZE;
1479 if (xml) {
1480 open_attr(fp, "type");
1481 fprintf(fp, "%u", size);
1482 close_attr(fp);
1483 open_attr(fp, "count");
1484 print_1_byte(fp, tok->tt.arb.uc, "%u");
1485 close_attr(fp);
1486 fprintf(fp, ">");
1487 for (i = 0; i<tok->tt.arb.uc; i++)
1488 fprintf(fp, format, *(tok->tt.arb.data +
1489 (size * i)));
1490 close_tag(fp, tok->id);
1491 } else {
1492 print_string(fp, str, strlen(str));
1493 print_delim(fp, del);
1494 print_1_byte(fp, tok->tt.arb.uc, "%u");
1495 print_delim(fp, del);
1496 for (i = 0; i<tok->tt.arb.uc; i++)
1497 fprintf(fp, format, *(tok->tt.arb.data +
1498 (size * i)));
1499 }
1500 break;
1501
1502 case AUR_SHORT:
1503 str = "short";
1504 size = AUR_SHORT_SIZE;
1505 if (xml) {
1506 open_attr(fp, "type");
1507 fprintf(fp, "%u", size);
1508 close_attr(fp);
1509 open_attr(fp, "count");
1510 print_1_byte(fp, tok->tt.arb.uc, "%u");
1511 close_attr(fp);
1512 fprintf(fp, ">");
1513 for (i = 0; i < tok->tt.arb.uc; i++)
1514 fprintf(fp, format,
1515 *((u_int16_t *)(tok->tt.arb.data +
1516 (size * i))));
1517 close_tag(fp, tok->id);
1518 } else {
1519 print_string(fp, str, strlen(str));
1520 print_delim(fp, del);
1521 print_1_byte(fp, tok->tt.arb.uc, "%u");
1522 print_delim(fp, del);
1523 for (i = 0; i < tok->tt.arb.uc; i++)
1524 fprintf(fp, format,
1525 *((u_int16_t *)(tok->tt.arb.data +
1526 (size * i))));
1527 }
1528 break;
1529
1530 case AUR_INT32:
1531 /* case AUR_INT: */
1532 str = "int";
1533 size = AUR_INT32_SIZE;
1534 if (xml) {
1535 open_attr(fp, "type");
1536 fprintf(fp, "%u", size);
1537 close_attr(fp);
1538 open_attr(fp, "count");
1539 print_1_byte(fp, tok->tt.arb.uc, "%u");
1540 close_attr(fp);
1541 fprintf(fp, ">");
1542 for (i = 0; i < tok->tt.arb.uc; i++)
1543 fprintf(fp, format,
1544 *((u_int32_t *)(tok->tt.arb.data +
1545 (size * i))));
1546 close_tag(fp, tok->id);
1547 } else {
1548 print_string(fp, str, strlen(str));
1549 print_delim(fp, del);
1550 print_1_byte(fp, tok->tt.arb.uc, "%u");
1551 print_delim(fp, del);
1552 for (i = 0; i < tok->tt.arb.uc; i++)
1553 fprintf(fp, format,
1554 *((u_int32_t *)(tok->tt.arb.data +
1555 (size * i))));
1556 }
1557 break;
1558
1559 case AUR_INT64:
1560 str = "int64";
1561 size = AUR_INT64_SIZE;
1562 if (xml) {
1563 open_attr(fp, "type");
1564 fprintf(fp, "%u", size);
1565 close_attr(fp);
1566 open_attr(fp, "count");
1567 print_1_byte(fp, tok->tt.arb.uc, "%u");
1568 close_attr(fp);
1569 fprintf(fp, ">");
1570 for (i = 0; i < tok->tt.arb.uc; i++)
1571 fprintf(fp, format,
1572 *((u_int64_t *)(tok->tt.arb.data +
1573 (size * i))));
1574 close_tag(fp, tok->id);
1575 } else {
1576 print_string(fp, str, strlen(str));
1577 print_delim(fp, del);
1578 print_1_byte(fp, tok->tt.arb.uc, "%u");
1579 print_delim(fp, del);
1580 for (i = 0; i < tok->tt.arb.uc; i++)
1581 fprintf(fp, format,
1582 *((u_int64_t *)(tok->tt.arb.data +
1583 (size * i))));
1584 }
1585 break;
1586
1587 default:
1588 return;
1589 }
1590 }
1591
1592 /*
1593 * file access mode 4 bytes
1594 * owner user ID 4 bytes
1595 * owner group ID 4 bytes
1596 * file system ID 4 bytes
1597 * node ID 8 bytes
1598 * device 4 bytes/8 bytes (32-bit/64-bit)
1599 */
1600 static int
1601 fetch_attr32_tok(tokenstr_t *tok, u_char *buf, int len)
1602 {
1603 int err = 0;
1604
1605 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.mode, tok->len, err);
1606 if (err)
1607 return (-1);
1608
1609 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.uid, tok->len, err);
1610 if (err)
1611 return (-1);
1612
1613 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.gid, tok->len, err);
1614 if (err)
1615 return (-1);
1616
1617 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.fsid, tok->len, err);
1618 if (err)
1619 return (-1);
1620
1621 READ_TOKEN_U_INT64(buf, len, tok->tt.attr32.nid, tok->len, err);
1622 if (err)
1623 return (-1);
1624
1625 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.dev, tok->len, err);
1626 if (err)
1627 return (-1);
1628
1629 return (0);
1630 }
1631
1632 static void
1633 print_attr32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1634 __unused char sfrm, int xml)
1635 {
1636
1637 print_tok_type(fp, tok->id, "attribute", raw, xml);
1638 if (xml) {
1639 open_attr(fp, "mode");
1640 print_4_bytes(fp, tok->tt.attr32.mode, "%o");
1641 close_attr(fp);
1642 open_attr(fp, "uid");
1643 print_user(fp, tok->tt.attr32.uid, raw);
1644 close_attr(fp);
1645 open_attr(fp, "gid");
1646 print_group(fp, tok->tt.attr32.gid, raw);
1647 close_attr(fp);
1648 open_attr(fp, "fsid");
1649 print_4_bytes(fp, tok->tt.attr32.fsid, "%u");
1650 close_attr(fp);
1651 open_attr(fp, "nodeid");
1652 print_8_bytes(fp, tok->tt.attr32.nid, "%lld");
1653 close_attr(fp);
1654 open_attr(fp, "device");
1655 print_4_bytes(fp, tok->tt.attr32.dev, "%u");
1656 close_attr(fp);
1657 close_tag(fp, tok->id);
1658 } else {
1659 print_delim(fp, del);
1660 print_4_bytes(fp, tok->tt.attr32.mode, "%o");
1661 print_delim(fp, del);
1662 print_user(fp, tok->tt.attr32.uid, raw);
1663 print_delim(fp, del);
1664 print_group(fp, tok->tt.attr32.gid, raw);
1665 print_delim(fp, del);
1666 print_4_bytes(fp, tok->tt.attr32.fsid, "%u");
1667 print_delim(fp, del);
1668 print_8_bytes(fp, tok->tt.attr32.nid, "%lld");
1669 print_delim(fp, del);
1670 print_4_bytes(fp, tok->tt.attr32.dev, "%u");
1671 }
1672 }
1673
1674 /*
1675 * file access mode 4 bytes
1676 * owner user ID 4 bytes
1677 * owner group ID 4 bytes
1678 * file system ID 4 bytes
1679 * node ID 8 bytes
1680 * device 4 bytes/8 bytes (32-bit/64-bit)
1681 */
1682 static int
1683 fetch_attr64_tok(tokenstr_t *tok, u_char *buf, int len)
1684 {
1685 int err = 0;
1686
1687 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.mode, tok->len, err);
1688 if (err)
1689 return (-1);
1690
1691 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.uid, tok->len, err);
1692 if (err)
1693 return (-1);
1694
1695 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.gid, tok->len, err);
1696 if (err)
1697 return (-1);
1698
1699 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.fsid, tok->len, err);
1700 if (err)
1701 return (-1);
1702
1703 READ_TOKEN_U_INT64(buf, len, tok->tt.attr64.nid, tok->len, err);
1704 if (err)
1705 return (-1);
1706
1707 READ_TOKEN_U_INT64(buf, len, tok->tt.attr64.dev, tok->len, err);
1708 if (err)
1709 return (-1);
1710
1711 return (0);
1712 }
1713
1714 static void
1715 print_attr64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1716 __unused char sfrm, int xml)
1717 {
1718
1719 print_tok_type(fp, tok->id, "attribute", raw, xml);
1720 if (xml) {
1721 open_attr(fp, "mode");
1722 print_4_bytes(fp, tok->tt.attr64.mode, "%o");
1723 close_attr(fp);
1724 open_attr(fp, "uid");
1725 print_user(fp, tok->tt.attr64.uid, raw);
1726 close_attr(fp);
1727 open_attr(fp, "gid");
1728 print_group(fp, tok->tt.attr64.gid, raw);
1729 close_attr(fp);
1730 open_attr(fp, "fsid");
1731 print_4_bytes(fp, tok->tt.attr64.fsid, "%u");
1732 close_attr(fp);
1733 open_attr(fp, "nodeid");
1734 print_8_bytes(fp, tok->tt.attr64.nid, "%lld");
1735 close_attr(fp);
1736 open_attr(fp, "device");
1737 print_8_bytes(fp, tok->tt.attr64.dev, "%llu");
1738 close_attr(fp);
1739 close_tag(fp, tok->id);
1740 } else {
1741 print_delim(fp, del);
1742 print_4_bytes(fp, tok->tt.attr64.mode, "%o");
1743 print_delim(fp, del);
1744 print_user(fp, tok->tt.attr64.uid, raw);
1745 print_delim(fp, del);
1746 print_group(fp, tok->tt.attr64.gid, raw);
1747 print_delim(fp, del);
1748 print_4_bytes(fp, tok->tt.attr64.fsid, "%u");
1749 print_delim(fp, del);
1750 print_8_bytes(fp, tok->tt.attr64.nid, "%lld");
1751 print_delim(fp, del);
1752 print_8_bytes(fp, tok->tt.attr64.dev, "%llu");
1753 }
1754 }
1755
1756 /*
1757 * status 4 bytes
1758 * return value 4 bytes
1759 */
1760 static int
1761 fetch_exit_tok(tokenstr_t *tok, u_char *buf, int len)
1762 {
1763 int err = 0;
1764
1765 READ_TOKEN_U_INT32(buf, len, tok->tt.exit.status, tok->len, err);
1766 if (err)
1767 return (-1);
1768
1769 READ_TOKEN_U_INT32(buf, len, tok->tt.exit.ret, tok->len, err);
1770 if (err)
1771 return (-1);
1772
1773 return (0);
1774 }
1775
1776 static void
1777 print_exit_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1778 __unused char sfrm, int xml)
1779 {
1780
1781 print_tok_type(fp, tok->id, "exit", raw, xml);
1782 if (xml) {
1783 open_attr(fp, "errval");
1784 print_errval(fp, tok->tt.exit.status);
1785 close_attr(fp);
1786 open_attr(fp, "retval");
1787 print_4_bytes(fp, tok->tt.exit.ret, "%u");
1788 close_attr(fp);
1789 close_tag(fp, tok->id);
1790 } else {
1791 print_delim(fp, del);
1792 print_errval(fp, tok->tt.exit.status);
1793 print_delim(fp, del);
1794 print_4_bytes(fp, tok->tt.exit.ret, "%u");
1795 }
1796 }
1797
1798 /*
1799 * count 4 bytes
1800 * text count null-terminated string(s)
1801 */
1802 static int
1803 fetch_execarg_tok(tokenstr_t *tok, u_char *buf, int len)
1804 {
1805 int err = 0;
1806 int i;
1807 u_char *bptr;
1808
1809 READ_TOKEN_U_INT32(buf, len, tok->tt.execarg.count, tok->len, err);
1810 if (err)
1811 return (-1);
1812
1813 for (i = 0; i < tok->tt.execarg.count; i++) {
1814 bptr = buf + tok->len;
1815 if (i < AUDIT_MAX_ARGS)
1816 tok->tt.execarg.text[i] = (char*)bptr;
1817
1818 /* Look for a null terminated string. */
1819 while (bptr && (*bptr != '\0')) {
1820 if (++tok->len >=len)
1821 return (-1);
1822 bptr = buf + tok->len;
1823 }
1824 if (!bptr)
1825 return (-1);
1826 tok->len++; /* \0 character */
1827 }
1828 if (tok->tt.execarg.count > AUDIT_MAX_ARGS)
1829 tok->tt.execarg.count = AUDIT_MAX_ARGS;
1830
1831 return (0);
1832 }
1833
1834 static void
1835 print_execarg_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1836 __unused char sfrm, int xml)
1837 {
1838 int i;
1839
1840 print_tok_type(fp, tok->id, "exec arg", raw, xml);
1841 for (i = 0; i < tok->tt.execarg.count; i++) {
1842 if (xml) {
1843 fprintf(fp, "<arg>");
1844 print_string(fp, tok->tt.execarg.text[i],
1845 strlen(tok->tt.execarg.text[i]));
1846 fprintf(fp, "</arg>");
1847 } else {
1848 print_delim(fp, del);
1849 print_string(fp, tok->tt.execarg.text[i],
1850 strlen(tok->tt.execarg.text[i]));
1851 }
1852 }
1853 if (xml)
1854 close_tag(fp, tok->id);
1855 }
1856
1857 /*
1858 * count 4 bytes
1859 * text count null-terminated string(s)
1860 */
1861 static int
1862 fetch_execenv_tok(tokenstr_t *tok, u_char *buf, int len)
1863 {
1864 int err = 0;
1865 int i;
1866 u_char *bptr;
1867
1868 READ_TOKEN_U_INT32(buf, len, tok->tt.execenv.count, tok->len, err);
1869 if (err)
1870 return (-1);
1871
1872 for (i = 0; i < tok->tt.execenv.count; i++) {
1873 bptr = buf + tok->len;
1874 if (i < AUDIT_MAX_ENV)
1875 tok->tt.execenv.text[i] = (char*)bptr;
1876
1877 /* Look for a null terminated string. */
1878 while (bptr && (*bptr != '\0')) {
1879 if (++tok->len >=len)
1880 return (-1);
1881 bptr = buf + tok->len;
1882 }
1883 if (!bptr)
1884 return (-1);
1885 tok->len++; /* \0 character */
1886 }
1887 if (tok->tt.execenv.count > AUDIT_MAX_ENV)
1888 tok->tt.execenv.count = AUDIT_MAX_ENV;
1889
1890 return (0);
1891 }
1892
1893 static void
1894 print_execenv_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1895 __unused char sfrm, int xml)
1896 {
1897 int i;
1898
1899 print_tok_type(fp, tok->id, "exec env", raw, xml);
1900 for (i = 0; i< tok->tt.execenv.count; i++) {
1901 if (xml) {
1902 fprintf(fp, "<env>");
1903 print_string(fp, tok->tt.execenv.text[i],
1904 strlen(tok->tt.execenv.text[i]));
1905 fprintf(fp, "</env>");
1906 } else {
1907 print_delim(fp, del);
1908 print_string(fp, tok->tt.execenv.text[i],
1909 strlen(tok->tt.execenv.text[i]));
1910 }
1911 }
1912 if (xml)
1913 close_tag(fp, tok->id);
1914 }
1915
1916 /*
1917 * seconds of time 4 bytes
1918 * milliseconds of time 4 bytes
1919 * file name len 2 bytes
1920 * file pathname N bytes + 1 terminating NULL byte
1921 */
1922 static int
1923 fetch_file_tok(tokenstr_t *tok, u_char *buf, int len)
1924 {
1925 int err = 0;
1926
1927 READ_TOKEN_U_INT32(buf, len, tok->tt.file.s, tok->len, err);
1928 if (err)
1929 return (-1);
1930
1931 READ_TOKEN_U_INT32(buf, len, tok->tt.file.ms, tok->len, err);
1932 if (err)
1933 return (-1);
1934
1935 READ_TOKEN_U_INT16(buf, len, tok->tt.file.len, tok->len, err);
1936 if (err)
1937 return (-1);
1938
1939 SET_PTR((char*)buf, len, tok->tt.file.name, tok->tt.file.len, tok->len,
1940 err);
1941 if (err)
1942 return (-1);
1943
1944 return (0);
1945 }
1946
1947 static void
1948 print_file_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1949 __unused char sfrm, int xml)
1950 {
1951
1952 print_tok_type(fp, tok->id, "file", raw, xml);
1953 if (xml) {
1954 open_attr(fp, "time");
1955 print_sec32(fp, tok->tt.file.s, raw);
1956 close_attr(fp);
1957 open_attr(fp, "msec");
1958 print_msec32(fp, tok->tt.file.ms, raw);
1959 close_attr(fp);
1960 fprintf(fp, ">");
1961 print_string(fp, tok->tt.file.name, tok->tt.file.len);
1962 close_tag(fp, tok->id);
1963 } else {
1964 print_delim(fp, del);
1965 print_sec32(fp, tok->tt.file.s, raw);
1966 print_delim(fp, del);
1967 print_msec32(fp, tok->tt.file.ms, raw);
1968 print_delim(fp, del);
1969 print_string(fp, tok->tt.file.name, tok->tt.file.len);
1970 }
1971 }
1972
1973 /*
1974 * number groups 2 bytes
1975 * group list count * 4 bytes
1976 */
1977 static int
1978 fetch_newgroups_tok(tokenstr_t *tok, u_char *buf, int len)
1979 {
1980 int i;
1981 int err = 0;
1982
1983 READ_TOKEN_U_INT16(buf, len, tok->tt.grps.no, tok->len, err);
1984 if (err)
1985 return (-1);
1986
1987 for (i = 0; i<tok->tt.grps.no; i++) {
1988 READ_TOKEN_U_INT32(buf, len, tok->tt.grps.list[i], tok->len,
1989 err);
1990 if (err)
1991 return (-1);
1992 }
1993
1994 return (0);
1995 }
1996
1997 static void
1998 print_newgroups_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1999 __unused char sfrm, int xml)
2000 {
2001 int i;
2002
2003 print_tok_type(fp, tok->id, "group", raw, xml);
2004 for (i = 0; i < tok->tt.grps.no; i++) {
2005 if (xml) {
2006 fprintf(fp, "<gid>");
2007 print_group(fp, tok->tt.grps.list[i], raw);
2008 fprintf(fp, "</gid>");
2009 close_tag(fp, tok->id);
2010 } else {
2011 print_delim(fp, del);
2012 print_group(fp, tok->tt.grps.list[i], raw);
2013 }
2014 }
2015 }
2016
2017 /*
2018 * Internet addr 4 bytes
2019 */
2020 static int
2021 fetch_inaddr_tok(tokenstr_t *tok, u_char *buf, int len)
2022 {
2023 int err = 0;
2024
2025 READ_TOKEN_BYTES(buf, len, &tok->tt.inaddr.addr, sizeof(uint32_t),
2026 tok->len, err);
2027 if (err)
2028 return (-1);
2029
2030 return (0);
2031
2032 }
2033
2034 static void
2035 print_inaddr_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2036 __unused char sfrm, int xml)
2037 {
2038
2039 print_tok_type(fp, tok->id, "ip addr", raw, xml);
2040 if (xml) {
2041 print_ip_address(fp, tok->tt.inaddr.addr);
2042 close_tag(fp, tok->id);
2043 } else {
2044 print_delim(fp, del);
2045 print_ip_address(fp, tok->tt.inaddr.addr);
2046 }
2047 }
2048
2049 /*
2050 * type 4 bytes
2051 * address 16 bytes
2052 */
2053 static int
2054 fetch_inaddr_ex_tok(tokenstr_t *tok, u_char *buf, int len)
2055 {
2056 int err = 0;
2057
2058 READ_TOKEN_U_INT32(buf, len, tok->tt.inaddr_ex.type, tok->len, err);
2059 if (err)
2060 return (-1);
2061
2062 if (tok->tt.inaddr_ex.type == AU_IPv4) {
2063 READ_TOKEN_BYTES(buf, len, &tok->tt.inaddr_ex.addr[0],
2064 sizeof(tok->tt.inaddr_ex.addr[0]), tok->len, err);
2065 if (err)
2066 return (-1);
2067 } else if (tok->tt.inaddr_ex.type == AU_IPv6) {
2068 READ_TOKEN_BYTES(buf, len, tok->tt.inaddr_ex.addr,
2069 sizeof(tok->tt.inaddr_ex.addr), tok->len, err);
2070 if (err)
2071 return (-1);
2072 } else
2073 return (-1);
2074
2075 return (0);
2076 }
2077
2078 static void
2079 print_inaddr_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2080 __unused char sfrm, int xml)
2081 {
2082
2083 print_tok_type(fp, tok->id, "ip addr ex", raw, xml);
2084 if (xml) {
2085 print_ip_ex_address(fp, tok->tt.inaddr_ex.type,
2086 tok->tt.inaddr_ex.addr);
2087 close_tag(fp, tok->id);
2088 } else {
2089 print_delim(fp, del);
2090 print_ip_ex_address(fp, tok->tt.inaddr_ex.type,
2091 tok->tt.inaddr_ex.addr);
2092 }
2093 }
2094
2095 /*
2096 * ip header 20 bytes
2097 */
2098 static int
2099 fetch_ip_tok(tokenstr_t *tok, u_char *buf, int len)
2100 {
2101 int err = 0;
2102
2103 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.version, tok->len, err);
2104 if (err)
2105 return (-1);
2106
2107 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.tos, tok->len, err);
2108 if (err)
2109 return (-1);
2110
2111 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.len, sizeof(uint16_t),
2112 tok->len, err);
2113 if (err)
2114 return (-1);
2115
2116 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.id, sizeof(uint16_t),
2117 tok->len, err);
2118 if (err)
2119 return (-1);
2120
2121 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.offset, sizeof(uint16_t),
2122 tok->len, err);
2123 if (err)
2124 return (-1);
2125
2126 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.ttl, tok->len, err);
2127 if (err)
2128 return (-1);
2129
2130 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.prot, tok->len, err);
2131 if (err)
2132 return (-1);
2133
2134 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.chksm, sizeof(uint16_t),
2135 tok->len, err);
2136 if (err)
2137 return (-1);
2138
2139 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.src, sizeof(tok->tt.ip.src),
2140 tok->len, err);
2141 if (err)
2142 return (-1);
2143
2144 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.dest, sizeof(tok->tt.ip.dest),
2145 tok->len, err);
2146 if (err)
2147 return (-1);
2148
2149 return (0);
2150 }
2151
2152 static void
2153 print_ip_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2154 __unused char sfrm, int xml)
2155 {
2156
2157 print_tok_type(fp, tok->id, "ip", raw, xml);
2158 if (xml) {
2159 open_attr(fp, "version");
2160 print_mem(fp, (u_char *)(&tok->tt.ip.version),
2161 sizeof(u_char));
2162 close_attr(fp);
2163 open_attr(fp, "service_type");
2164 print_mem(fp, (u_char *)(&tok->tt.ip.tos), sizeof(u_char));
2165 close_attr(fp);
2166 open_attr(fp, "len");
2167 print_2_bytes(fp, ntohs(tok->tt.ip.len), "%u");
2168 close_attr(fp);
2169 open_attr(fp, "id");
2170 print_2_bytes(fp, ntohs(tok->tt.ip.id), "%u");
2171 close_attr(fp);
2172 open_attr(fp, "offset");
2173 print_2_bytes(fp, ntohs(tok->tt.ip.offset), "%u");
2174 close_attr(fp);
2175 open_attr(fp, "time_to_live");
2176 print_mem(fp, (u_char *)(&tok->tt.ip.ttl), sizeof(u_char));
2177 close_attr(fp);
2178 open_attr(fp, "protocol");
2179 print_mem(fp, (u_char *)(&tok->tt.ip.prot), sizeof(u_char));
2180 close_attr(fp);
2181 open_attr(fp, "cksum");
2182 print_2_bytes(fp, ntohs(tok->tt.ip.chksm), "%u");
2183 close_attr(fp);
2184 open_attr(fp, "src_addr");
2185 print_ip_address(fp, tok->tt.ip.src);
2186 close_attr(fp);
2187 open_attr(fp, "dest_addr");
2188 print_ip_address(fp, tok->tt.ip.dest);
2189 close_attr(fp);
2190 close_tag(fp, tok->id);
2191 } else {
2192 print_delim(fp, del);
2193 print_mem(fp, (u_char *)(&tok->tt.ip.version),
2194 sizeof(u_char));
2195 print_delim(fp, del);
2196 print_mem(fp, (u_char *)(&tok->tt.ip.tos), sizeof(u_char));
2197 print_delim(fp, del);
2198 print_2_bytes(fp, ntohs(tok->tt.ip.len), "%u");
2199 print_delim(fp, del);
2200 print_2_bytes(fp, ntohs(tok->tt.ip.id), "%u");
2201 print_delim(fp, del);
2202 print_2_bytes(fp, ntohs(tok->tt.ip.offset), "%u");
2203 print_delim(fp, del);
2204 print_mem(fp, (u_char *)(&tok->tt.ip.ttl), sizeof(u_char));
2205 print_delim(fp, del);
2206 print_mem(fp, (u_char *)(&tok->tt.ip.prot), sizeof(u_char));
2207 print_delim(fp, del);
2208 print_2_bytes(fp, ntohs(tok->tt.ip.chksm), "%u");
2209 print_delim(fp, del);
2210 print_ip_address(fp, tok->tt.ip.src);
2211 print_delim(fp, del);
2212 print_ip_address(fp, tok->tt.ip.dest);
2213 }
2214 }
2215
2216 /*
2217 * object ID type 1 byte
2218 * Object ID 4 bytes
2219 */
2220 static int
2221 fetch_ipc_tok(tokenstr_t *tok, u_char *buf, int len)
2222 {
2223 int err = 0;
2224
2225 READ_TOKEN_U_CHAR(buf, len, tok->tt.ipc.type, tok->len, err);
2226 if (err)
2227 return (-1);
2228
2229 READ_TOKEN_U_INT32(buf, len, tok->tt.ipc.id, tok->len, err);
2230 if (err)
2231 return (-1);
2232
2233 return (0);
2234 }
2235
2236 static void
2237 print_ipc_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2238 __unused char sfrm, int xml)
2239 {
2240
2241 print_tok_type(fp, tok->id, "IPC", raw, xml);
2242 if (xml) {
2243 open_attr(fp, "ipc-type");
2244 print_ipctype(fp, tok->tt.ipc.type, raw);
2245 close_attr(fp);
2246 open_attr(fp, "ipc-id");
2247 print_4_bytes(fp, tok->tt.ipc.id, "%u");
2248 close_attr(fp);
2249 close_tag(fp, tok->id);
2250 } else {
2251 print_delim(fp, del);
2252 print_ipctype(fp, tok->tt.ipc.type, raw);
2253 print_delim(fp, del);
2254 print_4_bytes(fp, tok->tt.ipc.id, "%u");
2255 }
2256 }
2257
2258 /*
2259 * owner user id 4 bytes
2260 * owner group id 4 bytes
2261 * creator user id 4 bytes
2262 * creator group id 4 bytes
2263 * access mode 4 bytes
2264 * slot seq 4 bytes
2265 * key 4 bytes
2266 */
2267 static int
2268 fetch_ipcperm_tok(tokenstr_t *tok, u_char *buf, int len)
2269 {
2270 int err = 0;
2271
2272 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.uid, tok->len, err);
2273 if (err)
2274 return (-1);
2275
2276 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.gid, tok->len, err);
2277 if (err)
2278 return (-1);
2279
2280 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.puid, tok->len, err);
2281 if (err)
2282 return (-1);
2283
2284 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.pgid, tok->len, err);
2285 if (err)
2286 return (-1);
2287
2288 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.mode, tok->len, err);
2289 if (err)
2290 return (-1);
2291
2292 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.seq, tok->len, err);
2293 if (err)
2294 return (-1);
2295
2296 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.key, tok->len, err);
2297 if (err)
2298 return (-1);
2299
2300 return (0);
2301 }
2302
2303 static void
2304 print_ipcperm_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2305 __unused char sfrm, int xml)
2306 {
2307
2308 print_tok_type(fp, tok->id, "IPC perm", raw, xml);
2309 if (xml) {
2310 open_attr(fp, "uid");
2311 print_user(fp, tok->tt.ipcperm.uid, raw);
2312 close_attr(fp);
2313 open_attr(fp, "gid");
2314 print_group(fp, tok->tt.ipcperm.gid, raw);
2315 close_attr(fp);
2316 open_attr(fp, "creator-uid");
2317 print_user(fp, tok->tt.ipcperm.puid, raw);
2318 close_attr(fp);
2319 open_attr(fp, "creator-gid");
2320 print_group(fp, tok->tt.ipcperm.pgid, raw);
2321 close_attr(fp);
2322 open_attr(fp, "mode");
2323 print_4_bytes(fp, tok->tt.ipcperm.mode, "%o");
2324 close_attr(fp);
2325 open_attr(fp, "seq");
2326 print_4_bytes(fp, tok->tt.ipcperm.seq, "%u");
2327 close_attr(fp);
2328 open_attr(fp, "key");
2329 print_4_bytes(fp, tok->tt.ipcperm.key, "%u");
2330 close_attr(fp);
2331 close_tag(fp, tok->id);
2332 } else {
2333 print_delim(fp, del);
2334 print_user(fp, tok->tt.ipcperm.uid, raw);
2335 print_delim(fp, del);
2336 print_group(fp, tok->tt.ipcperm.gid, raw);
2337 print_delim(fp, del);
2338 print_user(fp, tok->tt.ipcperm.puid, raw);
2339 print_delim(fp, del);
2340 print_group(fp, tok->tt.ipcperm.pgid, raw);
2341 print_delim(fp, del);
2342 print_4_bytes(fp, tok->tt.ipcperm.mode, "%o");
2343 print_delim(fp, del);
2344 print_4_bytes(fp, tok->tt.ipcperm.seq, "%u");
2345 print_delim(fp, del);
2346 print_4_bytes(fp, tok->tt.ipcperm.key, "%u");
2347 }
2348 }
2349
2350 /*
2351 * port Ip address 2 bytes
2352 */
2353 static int
2354 fetch_iport_tok(tokenstr_t *tok, u_char *buf, int len)
2355 {
2356 int err = 0;
2357
2358 READ_TOKEN_BYTES(buf, len, &tok->tt.iport.port, sizeof(uint16_t),
2359 tok->len, err);
2360 if (err)
2361 return (-1);
2362
2363 return (0);
2364 }
2365
2366 static void
2367 print_iport_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2368 __unused char sfrm, int xml)
2369 {
2370
2371 print_tok_type(fp, tok->id, "ip port", raw, xml);
2372 if (xml) {
2373 print_2_bytes(fp, ntohs(tok->tt.iport.port), "%#x");
2374 close_tag(fp, tok->id);
2375 } else {
2376 print_delim(fp, del);
2377 print_2_bytes(fp, ntohs(tok->tt.iport.port), "%#x");
2378 }
2379 }
2380
2381 /*
2382 * size 2 bytes
2383 * data size bytes
2384 */
2385 static int
2386 fetch_opaque_tok(tokenstr_t *tok, u_char *buf, int len)
2387 {
2388 int err = 0;
2389
2390 READ_TOKEN_U_INT16(buf, len, tok->tt.opaque.size, tok->len, err);
2391 if (err)
2392 return (-1);
2393
2394 SET_PTR((char*)buf, len, tok->tt.opaque.data, tok->tt.opaque.size,
2395 tok->len, err);
2396 if (err)
2397 return (-1);
2398
2399 return (0);
2400 }
2401
2402 static void
2403 print_opaque_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2404 __unused char sfrm, int xml)
2405 {
2406
2407 print_tok_type(fp, tok->id, "opaque", raw, xml);
2408 if (xml) {
2409 print_mem(fp, (u_char*)tok->tt.opaque.data,
2410 tok->tt.opaque.size);
2411 close_tag(fp, tok->id);
2412 } else {
2413 print_delim(fp, del);
2414 print_2_bytes(fp, tok->tt.opaque.size, "%u");
2415 print_delim(fp, del);
2416 print_mem(fp, (u_char*)tok->tt.opaque.data,
2417 tok->tt.opaque.size);
2418 }
2419 }
2420
2421 /*
2422 * size 2 bytes
2423 * data size bytes
2424 */
2425 static int
2426 fetch_path_tok(tokenstr_t *tok, u_char *buf, int len)
2427 {
2428 int err = 0;
2429
2430 READ_TOKEN_U_INT16(buf, len, tok->tt.path.len, tok->len, err);
2431 if (err)
2432 return (-1);
2433
2434 SET_PTR((char*)buf, len, tok->tt.path.path, tok->tt.path.len, tok->len,
2435 err);
2436 if (err)
2437 return (-1);
2438
2439 return (0);
2440 }
2441
2442 static void
2443 print_path_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2444 __unused char sfrm, int xml)
2445 {
2446
2447 print_tok_type(fp, tok->id, "path", raw, xml);
2448 if (xml) {
2449 print_string(fp, tok->tt.path.path, tok->tt.path.len);
2450 close_tag(fp, tok->id);
2451 } else {
2452 print_delim(fp, del);
2453 print_string(fp, tok->tt.path.path, tok->tt.path.len);
2454 }
2455 }
2456
2457 /*
2458 * token ID 1 byte
2459 * audit ID 4 bytes
2460 * euid 4 bytes
2461 * egid 4 bytes
2462 * ruid 4 bytes
2463 * rgid 4 bytes
2464 * pid 4 bytes
2465 * sessid 4 bytes
2466 * terminal ID
2467 * portid 4 bytes
2468 * machine id 4 bytes
2469 */
2470 static int
2471 fetch_process32_tok(tokenstr_t *tok, u_char *buf, int len)
2472 {
2473 int err = 0;
2474
2475 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.auid, tok->len, err);
2476 if (err)
2477 return (-1);
2478
2479 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.euid, tok->len, err);
2480 if (err)
2481 return (-1);
2482
2483 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.egid, tok->len, err);
2484 if (err)
2485 return (-1);
2486
2487 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.ruid, tok->len, err);
2488 if (err)
2489 return (-1);
2490
2491 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.rgid, tok->len, err);
2492 if (err)
2493 return (-1);
2494
2495 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.pid, tok->len, err);
2496 if (err)
2497 return (-1);
2498
2499 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.sid, tok->len, err);
2500 if (err)
2501 return (-1);
2502
2503 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.tid.port, tok->len, err);
2504 if (err)
2505 return (-1);
2506
2507 READ_TOKEN_BYTES(buf, len, &tok->tt.proc32.tid.addr,
2508 sizeof(tok->tt.proc32.tid.addr), tok->len, err);
2509 if (err)
2510 return (-1);
2511
2512 return (0);
2513 }
2514
2515 static void
2516 print_process32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2517 __unused char sfrm, int xml)
2518 {
2519
2520 print_tok_type(fp, tok->id, "process", raw, xml);
2521 if (xml) {
2522 open_attr(fp, "audit-uid");
2523 print_user(fp, tok->tt.proc32.auid, raw);
2524 close_attr(fp);
2525 open_attr(fp, "uid");
2526 print_user(fp, tok->tt.proc32.euid, raw);
2527 close_attr(fp);
2528 open_attr(fp, "gid");
2529 print_group(fp, tok->tt.proc32.egid, raw);
2530 close_attr(fp);
2531 open_attr(fp, "ruid");
2532 print_user(fp, tok->tt.proc32.ruid, raw);
2533 close_attr(fp);
2534 open_attr(fp, "rgid");
2535 print_group(fp, tok->tt.proc32.rgid, raw);
2536 close_attr(fp);
2537 open_attr(fp, "pid");
2538 print_4_bytes(fp, tok->tt.proc32.pid, "%u");
2539 close_attr(fp);
2540 open_attr(fp, "sid");
2541 print_4_bytes(fp, tok->tt.proc32.sid, "%u");
2542 close_attr(fp);
2543 open_attr(fp, "tid");
2544 print_4_bytes(fp, tok->tt.proc32.tid.port, "%u");
2545 print_ip_address(fp, tok->tt.proc32.tid.addr);
2546 close_attr(fp);
2547 close_tag(fp, tok->id);
2548 } else {
2549 print_delim(fp, del);
2550 print_user(fp, tok->tt.proc32.auid, raw);
2551 print_delim(fp, del);
2552 print_user(fp, tok->tt.proc32.euid, raw);
2553 print_delim(fp, del);
2554 print_group(fp, tok->tt.proc32.egid, raw);
2555 print_delim(fp, del);
2556 print_user(fp, tok->tt.proc32.ruid, raw);
2557 print_delim(fp, del);
2558 print_group(fp, tok->tt.proc32.rgid, raw);
2559 print_delim(fp, del);
2560 print_4_bytes(fp, tok->tt.proc32.pid, "%u");
2561 print_delim(fp, del);
2562 print_4_bytes(fp, tok->tt.proc32.sid, "%u");
2563 print_delim(fp, del);
2564 print_4_bytes(fp, tok->tt.proc32.tid.port, "%u");
2565 print_delim(fp, del);
2566 print_ip_address(fp, tok->tt.proc32.tid.addr);
2567 }
2568 }
2569
2570 /*
2571 * token ID 1 byte
2572 * audit ID 4 bytes
2573 * euid 4 bytes
2574 * egid 4 bytes
2575 * ruid 4 bytes
2576 * rgid 4 bytes
2577 * pid 4 bytes
2578 * sessid 4 bytes
2579 * terminal ID
2580 * portid 8 bytes
2581 * machine id 4 bytes
2582 */
2583 static int
2584 fetch_process64_tok(tokenstr_t *tok, u_char *buf, int len)
2585 {
2586 int err = 0;
2587
2588 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.auid, tok->len, err);
2589 if (err)
2590 return (-1);
2591
2592 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.euid, tok->len, err);
2593 if (err)
2594 return (-1);
2595
2596 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.egid, tok->len, err);
2597 if (err)
2598 return (-1);
2599
2600 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.ruid, tok->len, err);
2601 if (err)
2602 return (-1);
2603
2604 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.rgid, tok->len, err);
2605 if (err)
2606 return (-1);
2607
2608 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.pid, tok->len, err);
2609 if (err)
2610 return (-1);
2611
2612 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.sid, tok->len, err);
2613 if (err)
2614 return (-1);
2615
2616 READ_TOKEN_U_INT64(buf, len, tok->tt.proc64.tid.port, tok->len, err);
2617 if (err)
2618 return (-1);
2619
2620 READ_TOKEN_BYTES(buf, len, &tok->tt.proc64.tid.addr,
2621 sizeof(tok->tt.proc64.tid.addr), tok->len, err);
2622 if (err)
2623 return (-1);
2624
2625 return (0);
2626 }
2627
2628 static void
2629 print_process64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2630 __unused char sfrm, int xml)
2631 {
2632 print_tok_type(fp, tok->id, "process", raw, xml);
2633 if (xml) {
2634 open_attr(fp, "audit-uid");
2635 print_user(fp, tok->tt.proc64.auid, raw);
2636 close_attr(fp);
2637 open_attr(fp, "uid");
2638 print_user(fp, tok->tt.proc64.euid, raw);
2639 close_attr(fp);
2640 open_attr(fp, "gid");
2641 print_group(fp, tok->tt.proc64.egid, raw);
2642 close_attr(fp);
2643 open_attr(fp, "ruid");
2644 print_user(fp, tok->tt.proc64.ruid, raw);
2645 close_attr(fp);
2646 open_attr(fp, "rgid");
2647 print_group(fp, tok->tt.proc64.rgid, raw);
2648 close_attr(fp);
2649 open_attr(fp, "pid");
2650 print_4_bytes(fp, tok->tt.proc64.pid, "%u");
2651 close_attr(fp);
2652 open_attr(fp, "sid");
2653 print_4_bytes(fp, tok->tt.proc64.sid, "%u");
2654 close_attr(fp);
2655 open_attr(fp, "tid");
2656 print_8_bytes(fp, tok->tt.proc64.tid.port, "%llu");
2657 print_ip_address(fp, tok->tt.proc64.tid.addr);
2658 close_attr(fp);
2659 close_tag(fp, tok->id);
2660 } else {
2661 print_delim(fp, del);
2662 print_user(fp, tok->tt.proc64.auid, raw);
2663 print_delim(fp, del);
2664 print_user(fp, tok->tt.proc64.euid, raw);
2665 print_delim(fp, del);
2666 print_group(fp, tok->tt.proc64.egid, raw);
2667 print_delim(fp, del);
2668 print_user(fp, tok->tt.proc64.ruid, raw);
2669 print_delim(fp, del);
2670 print_group(fp, tok->tt.proc64.rgid, raw);
2671 print_delim(fp, del);
2672 print_4_bytes(fp, tok->tt.proc64.pid, "%u");
2673 print_delim(fp, del);
2674 print_4_bytes(fp, tok->tt.proc64.sid, "%u");
2675 print_delim(fp, del);
2676 print_8_bytes(fp, tok->tt.proc64.tid.port, "%llu");
2677 print_delim(fp, del);
2678 print_ip_address(fp, tok->tt.proc64.tid.addr);
2679 }
2680 }
2681
2682 /*
2683 * token ID 1 byte
2684 * audit ID 4 bytes
2685 * effective user ID 4 bytes
2686 * effective group ID 4 bytes
2687 * real user ID 4 bytes
2688 * real group ID 4 bytes
2689 * process ID 4 bytes
2690 * session ID 4 bytes
2691 * terminal ID
2692 * port ID 4 bytes
2693 * address type-len 4 bytes
2694 * machine address 16 bytes
2695 */
2696 static int
2697 fetch_process32ex_tok(tokenstr_t *tok, u_char *buf, int len)
2698 {
2699 int err = 0;
2700
2701 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.auid, tok->len, err);
2702 if (err)
2703 return (-1);
2704
2705 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.euid, tok->len, err);
2706 if (err)
2707 return (-1);
2708
2709 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.egid, tok->len, err);
2710 if (err)
2711 return (-1);
2712
2713 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.ruid, tok->len, err);
2714 if (err)
2715 return (-1);
2716
2717 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.rgid, tok->len, err);
2718 if (err)
2719 return (-1);
2720
2721 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.pid, tok->len, err);
2722 if (err)
2723 return (-1);
2724
2725 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.sid, tok->len, err);
2726 if (err)
2727 return (-1);
2728
2729 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.tid.port, tok->len,
2730 err);
2731 if (err)
2732 return (-1);
2733
2734 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.tid.type, tok->len,
2735 err);
2736 if (err)
2737 return (-1);
2738
2739 if (tok->tt.proc32_ex.tid.type == AU_IPv4) {
2740 READ_TOKEN_BYTES(buf, len, &tok->tt.proc32_ex.tid.addr[0],
2741 sizeof(tok->tt.proc32_ex.tid.addr[0]), tok->len, err);
2742 if (err)
2743 return (-1);
2744 } else if (tok->tt.proc32_ex.tid.type == AU_IPv6) {
2745 READ_TOKEN_BYTES(buf, len, tok->tt.proc32_ex.tid.addr,
2746 sizeof(tok->tt.proc32_ex.tid.addr), tok->len, err);
2747 if (err)
2748 return (-1);
2749 } else
2750 return (-1);
2751
2752 return (0);
2753 }
2754
2755 static void
2756 print_process32ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2757 __unused char sfrm, int xml)
2758 {
2759
2760 print_tok_type(fp, tok->id, "process_ex", raw, xml);
2761 if (xml) {
2762 open_attr(fp, "audit-uid");
2763 print_user(fp, tok->tt.proc32_ex.auid, raw);
2764 close_attr(fp);
2765 open_attr(fp, "uid");
2766 print_user(fp, tok->tt.proc32_ex.euid, raw);
2767 close_attr(fp);
2768 open_attr(fp, "gid");
2769 print_group(fp, tok->tt.proc32_ex.egid, raw);
2770 close_attr(fp);
2771 open_attr(fp, "ruid");
2772 print_user(fp, tok->tt.proc32_ex.ruid, raw);
2773 close_attr(fp);
2774 open_attr(fp, "rgid");
2775 print_group(fp, tok->tt.proc32_ex.rgid, raw);
2776 close_attr(fp);
2777 open_attr(fp, "pid");
2778 print_4_bytes(fp, tok->tt.proc32_ex.pid, "%u");
2779 close_attr(fp);
2780 open_attr(fp, "sid");
2781 print_4_bytes(fp, tok->tt.proc32_ex.sid, "%u");
2782 close_attr(fp);
2783 open_attr(fp, "tid");
2784 print_4_bytes(fp, tok->tt.proc32_ex.tid.port, "%u");
2785 print_ip_ex_address(fp, tok->tt.proc32_ex.tid.type,
2786 tok->tt.proc32_ex.tid.addr);
2787 close_attr(fp);
2788 close_tag(fp, tok->id);
2789 } else {
2790 print_delim(fp, del);
2791 print_user(fp, tok->tt.proc32_ex.auid, raw);
2792 print_delim(fp, del);
2793 print_user(fp, tok->tt.proc32_ex.euid, raw);
2794 print_delim(fp, del);
2795 print_group(fp, tok->tt.proc32_ex.egid, raw);
2796 print_delim(fp, del);
2797 print_user(fp, tok->tt.proc32_ex.ruid, raw);
2798 print_delim(fp, del);
2799 print_group(fp, tok->tt.proc32_ex.rgid, raw);
2800 print_delim(fp, del);
2801 print_4_bytes(fp, tok->tt.proc32_ex.pid, "%u");
2802 print_delim(fp, del);
2803 print_4_bytes(fp, tok->tt.proc32_ex.sid, "%u");
2804 print_delim(fp, del);
2805 print_4_bytes(fp, tok->tt.proc32_ex.tid.port, "%u");
2806 print_delim(fp, del);
2807 print_ip_ex_address(fp, tok->tt.proc32_ex.tid.type,
2808 tok->tt.proc32_ex.tid.addr);
2809 }
2810 }
2811
2812 /*
2813 * token ID 1 byte
2814 * audit ID 4 bytes
2815 * effective user ID 4 bytes
2816 * effective group ID 4 bytes
2817 * real user ID 4 bytes
2818 * real group ID 4 bytes
2819 * process ID 4 bytes
2820 * session ID 4 bytes
2821 * terminal ID
2822 * port ID 8 bytes
2823 * address type-len 4 bytes
2824 * machine address 16 bytes
2825 */
2826 static int
2827 fetch_process64ex_tok(tokenstr_t *tok, u_char *buf, int len)
2828 {
2829 int err = 0;
2830
2831 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.auid, tok->len, err);
2832 if (err)
2833 return (-1);
2834
2835 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.euid, tok->len, err);
2836 if (err)
2837 return (-1);
2838
2839 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.egid, tok->len, err);
2840 if (err)
2841 return (-1);
2842
2843 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.ruid, tok->len, err);
2844 if (err)
2845 return (-1);
2846
2847 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.rgid, tok->len, err);
2848 if (err)
2849 return (-1);
2850
2851 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.pid, tok->len, err);
2852 if (err)
2853 return (-1);
2854
2855 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.sid, tok->len, err);
2856 if (err)
2857 return (-1);
2858
2859 READ_TOKEN_U_INT64(buf, len, tok->tt.proc64_ex.tid.port, tok->len,
2860 err);
2861 if (err)
2862 return (-1);
2863
2864 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.tid.type, tok->len,
2865 err);
2866 if (err)
2867 return (-1);
2868
2869 if (tok->tt.proc64_ex.tid.type == AU_IPv4) {
2870 READ_TOKEN_BYTES(buf, len, &tok->tt.proc64_ex.tid.addr[0],
2871 sizeof(tok->tt.proc64_ex.tid.addr[0]), tok->len, err);
2872 if (err)
2873 return (-1);
2874 } else if (tok->tt.proc64_ex.tid.type == AU_IPv6) {
2875 READ_TOKEN_BYTES(buf, len, tok->tt.proc64_ex.tid.addr,
2876 sizeof(tok->tt.proc64_ex.tid.addr), tok->len, err);
2877 if (err)
2878 return (-1);
2879 } else
2880 return (-1);
2881
2882 return (0);
2883 }
2884
2885 static void
2886 print_process64ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2887 __unused char sfrm, int xml)
2888 {
2889 print_tok_type(fp, tok->id, "process_ex", raw, xml);
2890 if (xml) {
2891 open_attr(fp, "audit-uid");
2892 print_user(fp, tok->tt.proc64_ex.auid, raw);
2893 close_attr(fp);
2894 open_attr(fp, "uid");
2895 print_user(fp, tok->tt.proc64_ex.euid, raw);
2896 close_attr(fp);
2897 open_attr(fp, "gid");
2898 print_group(fp, tok->tt.proc64_ex.egid, raw);
2899 close_attr(fp);
2900 open_attr(fp, "ruid");
2901 print_user(fp, tok->tt.proc64_ex.ruid, raw);
2902 close_attr(fp);
2903 open_attr(fp, "rgid");
2904 print_group(fp, tok->tt.proc64_ex.rgid, raw);
2905 close_attr(fp);
2906 open_attr(fp, "pid");
2907 print_4_bytes(fp, tok->tt.proc64_ex.pid, "%u");
2908 close_attr(fp);
2909 open_attr(fp, "sid");
2910 print_4_bytes(fp, tok->tt.proc64_ex.sid, "%u");
2911 close_attr(fp);
2912 open_attr(fp, "tid");
2913 print_8_bytes(fp, tok->tt.proc64_ex.tid.port, "%llu");
2914 print_ip_ex_address(fp, tok->tt.proc64_ex.tid.type,
2915 tok->tt.proc64_ex.tid.addr);
2916 close_attr(fp);
2917 close_tag(fp, tok->id);
2918 } else {
2919 print_delim(fp, del);
2920 print_user(fp, tok->tt.proc64_ex.auid, raw);
2921 print_delim(fp, del);
2922 print_user(fp, tok->tt.proc64_ex.euid, raw);
2923 print_delim(fp, del);
2924 print_group(fp, tok->tt.proc64_ex.egid, raw);
2925 print_delim(fp, del);
2926 print_user(fp, tok->tt.proc64_ex.ruid, raw);
2927 print_delim(fp, del);
2928 print_group(fp, tok->tt.proc64_ex.rgid, raw);
2929 print_delim(fp, del);
2930 print_4_bytes(fp, tok->tt.proc64_ex.pid, "%u");
2931 print_delim(fp, del);
2932 print_4_bytes(fp, tok->tt.proc64_ex.sid, "%u");
2933 print_delim(fp, del);
2934 print_8_bytes(fp, tok->tt.proc64_ex.tid.port, "%llu");
2935 print_delim(fp, del);
2936 print_ip_ex_address(fp, tok->tt.proc64_ex.tid.type,
2937 tok->tt.proc64_ex.tid.addr);
2938 }
2939 }
2940
2941 /*
2942 * errno 1 byte
2943 * return value 4 bytes
2944 */
2945 static int
2946 fetch_return32_tok(tokenstr_t *tok, u_char *buf, int len)
2947 {
2948 int err = 0;
2949
2950 READ_TOKEN_U_CHAR(buf, len, tok->tt.ret32.status, tok->len, err);
2951 if (err)
2952 return (-1);
2953
2954 READ_TOKEN_U_INT32(buf, len, tok->tt.ret32.ret, tok->len, err);
2955 if (err)
2956 return (-1);
2957
2958 return (0);
2959 }
2960
2961 static void
2962 print_return32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2963 __unused char sfrm, int xml)
2964 {
2965
2966 print_tok_type(fp, tok->id, "return", raw, xml);
2967 if (xml) {
2968 open_attr(fp ,"errval");
2969 print_retval(fp, tok->tt.ret32.status, raw);
2970 close_attr(fp);
2971 open_attr(fp, "retval");
2972 print_4_bytes(fp, tok->tt.ret32.ret, "%u");
2973 close_attr(fp);
2974 close_tag(fp, tok->id);
2975 } else {
2976 print_delim(fp, del);
2977 print_retval(fp, tok->tt.ret32.status, raw);
2978 print_delim(fp, del);
2979 print_4_bytes(fp, tok->tt.ret32.ret, "%u");
2980 }
2981 }
2982
2983 static int
2984 fetch_return64_tok(tokenstr_t *tok, u_char *buf, int len)
2985 {
2986 int err = 0;
2987
2988 READ_TOKEN_U_CHAR(buf, len, tok->tt.ret64.err, tok->len, err);
2989 if (err)
2990 return (-1);
2991
2992 READ_TOKEN_U_INT64(buf, len, tok->tt.ret64.val, tok->len, err);
2993 if (err)
2994 return (-1);
2995
2996 return (0);
2997 }
2998
2999 static void
3000 print_return64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3001 __unused char sfrm, int xml)
3002 {
3003
3004 print_tok_type(fp, tok->id, "return", raw, xml);
3005 if (xml) {
3006 open_attr(fp, "errval");
3007 print_retval(fp, tok->tt.ret64.err, raw);
3008 close_attr(fp);
3009 open_attr(fp, "retval");
3010 print_8_bytes(fp, tok->tt.ret64.val, "%lld");
3011 close_attr(fp);
3012 close_tag(fp, tok->id);
3013 } else {
3014 print_delim(fp, del);
3015 print_retval(fp, tok->tt.ret64.err, raw);
3016 print_delim(fp, del);
3017 print_8_bytes(fp, tok->tt.ret64.val, "%lld");
3018 }
3019 }
3020
3021 /*
3022 * seq 4 bytes
3023 */
3024 static int
3025 fetch_seq_tok(tokenstr_t *tok, u_char *buf, int len)
3026 {
3027 int err = 0;
3028
3029 READ_TOKEN_U_INT32(buf, len, tok->tt.seq.seqno, tok->len, err);
3030 if (err)
3031 return (-1);
3032
3033 return (0);
3034 }
3035
3036 static void
3037 print_seq_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3038 __unused char sfrm, int xml)
3039 {
3040
3041 print_tok_type(fp, tok->id, "sequence", raw, xml);
3042 if (xml) {
3043 open_attr(fp, "seq-num");
3044 print_4_bytes(fp, tok->tt.seq.seqno, "%u");
3045 close_attr(fp);
3046 close_tag(fp, tok->id);
3047 } else {
3048 print_delim(fp, del);
3049 print_4_bytes(fp, tok->tt.seq.seqno, "%u");
3050 }
3051 }
3052
3053 /*
3054 * socket family 2 bytes
3055 * local port 2 bytes
3056 * socket address 4 bytes
3057 */
3058 static int
3059 fetch_sock_inet32_tok(tokenstr_t *tok, u_char *buf, int len)
3060 {
3061 int err = 0;
3062
3063 READ_TOKEN_U_INT16(buf, len, tok->tt.sockinet32.family, tok->len,
3064 err);
3065 if (err)
3066 return (-1);
3067
3068 READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet32.port,
3069 sizeof(uint16_t), tok->len, err);
3070 if (err)
3071 return (-1);
3072
3073 READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet32.addr,
3074 sizeof(tok->tt.sockinet32.addr), tok->len, err);
3075 if (err)
3076 return (-1);
3077
3078 return (0);
3079 }
3080
3081 static void
3082 print_sock_inet32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3083 __unused char sfrm, int xml)
3084 {
3085
3086 print_tok_type(fp, tok->id, "socket-inet", raw, xml);
3087 if (xml) {
3088 open_attr(fp, "type");
3089 print_2_bytes(fp, tok->tt.sockinet32.family, "%u");
3090 close_attr(fp);
3091 open_attr(fp, "port");
3092 print_2_bytes(fp, ntohs(tok->tt.sockinet32.port), "%u");
3093 close_attr(fp);
3094 open_attr(fp, "addr");
3095 print_ip_address(fp, tok->tt.sockinet32.addr);
3096 close_attr(fp);
3097 close_tag(fp, tok->id);
3098 } else {
3099 print_delim(fp, del);
3100 print_2_bytes(fp, tok->tt.sockinet32.family, "%u");
3101 print_delim(fp, del);
3102 print_2_bytes(fp, ntohs(tok->tt.sockinet32.port), "%u");
3103 print_delim(fp, del);
3104 print_ip_address(fp, tok->tt.sockinet32.addr);
3105 }
3106 }
3107
3108 /*
3109 * socket family 2 bytes
3110 * path 104 bytes
3111 */
3112 static int
3113 fetch_sock_unix_tok(tokenstr_t *tok, u_char *buf, int len)
3114 {
3115 int err = 0;
3116
3117 READ_TOKEN_U_INT16(buf, len, tok->tt.sockunix.family, tok->len, err);
3118 if (err)
3119 return (-1);
3120
3121 READ_TOKEN_BYTES(buf, len, tok->tt.sockunix.path, 104, tok->len,
3122 err);
3123 if (err)
3124 return (-1);
3125
3126 return (0);
3127 }
3128
3129 static void
3130 print_sock_unix_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3131 __unused char sfrm, int xml)
3132 {
3133
3134 print_tok_type(fp, tok->id, "socket-unix", raw, xml);
3135 if (xml) {
3136 open_attr(fp, "type");
3137 print_2_bytes(fp, tok->tt.sockunix.family, "%u");
3138 close_attr(fp);
3139 open_attr(fp, "port");
3140 close_attr(fp);
3141 open_attr(fp, "addr");
3142 print_string(fp, tok->tt.sockunix.path,
3143 strlen(tok->tt.sockunix.path));
3144 close_attr(fp);
3145 close_tag(fp, tok->id);
3146 } else {
3147 print_delim(fp, del);
3148 print_2_bytes(fp, tok->tt.sockunix.family, "%u");
3149 print_delim(fp, del);
3150 print_string(fp, tok->tt.sockunix.path,
3151 strlen(tok->tt.sockunix.path));
3152 }
3153 }
3154
3155 /*
3156 * socket type 2 bytes
3157 * local port 2 bytes
3158 * local address 4 bytes
3159 * remote port 2 bytes
3160 * remote address 4 bytes
3161 */
3162 static int
3163 fetch_socket_tok(tokenstr_t *tok, u_char *buf, int len)
3164 {
3165 int err = 0;
3166
3167 READ_TOKEN_U_INT16(buf, len, tok->tt.socket.type, tok->len, err);
3168 if (err)
3169 return (-1);
3170
3171 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_port, sizeof(uint16_t),
3172 tok->len, err);
3173 if (err)
3174 return (-1);
3175
3176 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_addr,
3177 sizeof(tok->tt.socket.l_addr), tok->len, err);
3178 if (err)
3179 return (-1);
3180
3181 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.r_port, sizeof(uint16_t),
3182 tok->len, err);
3183 if (err)
3184 return (-1);
3185
3186 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_addr,
3187 sizeof(tok->tt.socket.r_addr), tok->len, err);
3188 if (err)
3189 return (-1);
3190
3191 return (0);
3192 }
3193
3194 static void
3195 print_socket_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3196 __unused char sfrm, int xml)
3197 {
3198
3199 print_tok_type(fp, tok->id, "socket", raw, xml);
3200 if (xml) {
3201 open_attr(fp, "sock_type");
3202 print_2_bytes(fp, tok->tt.socket.type, "%u");
3203 close_attr(fp);
3204 open_attr(fp, "lport");
3205 print_2_bytes(fp, ntohs(tok->tt.socket.l_port), "%u");
3206 close_attr(fp);
3207 open_attr(fp, "laddr");
3208 print_ip_address(fp, tok->tt.socket.l_addr);
3209 close_attr(fp);
3210 open_attr(fp, "fport");
3211 print_2_bytes(fp, ntohs(tok->tt.socket.r_port), "%u");
3212 close_attr(fp);
3213 open_attr(fp, "faddr");
3214 print_ip_address(fp, tok->tt.socket.r_addr);
3215 close_attr(fp);
3216 close_tag(fp, tok->id);
3217 } else {
3218 print_delim(fp, del);
3219 print_2_bytes(fp, tok->tt.socket.type, "%u");
3220 print_delim(fp, del);
3221 print_2_bytes(fp, ntohs(tok->tt.socket.l_port), "%u");
3222 print_delim(fp, del);
3223 print_ip_address(fp, tok->tt.socket.l_addr);
3224 print_delim(fp, del);
3225 print_2_bytes(fp, ntohs(tok->tt.socket.r_port), "%u");
3226 print_delim(fp, del);
3227 print_ip_address(fp, tok->tt.socket.r_addr);
3228 }
3229 }
3230
3231 /*
3232 * audit ID 4 bytes
3233 * euid 4 bytes
3234 * egid 4 bytes
3235 * ruid 4 bytes
3236 * rgid 4 bytes
3237 * pid 4 bytes
3238 * sessid 4 bytes
3239 * terminal ID
3240 * portid 4 bytes/8 bytes (32-bit/64-bit value)
3241 * machine id 4 bytes
3242 */
3243 static int
3244 fetch_subject32_tok(tokenstr_t *tok, u_char *buf, int len)
3245 {
3246 int err = 0;
3247
3248 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.auid, tok->len, err);
3249 if (err)
3250 return (-1);
3251
3252 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.euid, tok->len, err);
3253 if (err)
3254 return (-1);
3255
3256 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.egid, tok->len, err);
3257 if (err)
3258 return (-1);
3259
3260 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.ruid, tok->len, err);
3261 if (err)
3262 return (-1);
3263
3264 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.rgid, tok->len, err);
3265 if (err)
3266 return (-1);
3267
3268 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.pid, tok->len, err);
3269 if (err)
3270 return (-1);
3271
3272 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.sid, tok->len, err);
3273 if (err)
3274 return (-1);
3275
3276 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.tid.port, tok->len, err);
3277 if (err)
3278 return (-1);
3279
3280 READ_TOKEN_BYTES(buf, len, &tok->tt.subj32.tid.addr,
3281 sizeof(tok->tt.subj32.tid.addr), tok->len, err);
3282 if (err)
3283 return (-1);
3284
3285 return (0);
3286 }
3287
3288 static void
3289 print_subject32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3290 __unused char sfrm, int xml)
3291 {
3292
3293 print_tok_type(fp, tok->id, "subject", raw, xml);
3294 if (xml) {
3295 open_attr(fp, "audit-uid");
3296 print_user(fp, tok->tt.subj32.auid, raw);
3297 close_attr(fp);
3298 open_attr(fp, "uid");
3299 print_user(fp, tok->tt.subj32.euid, raw);
3300 close_attr(fp);
3301 open_attr(fp, "gid");
3302 print_group(fp, tok->tt.subj32.egid, raw);
3303 close_attr(fp);
3304 open_attr(fp, "ruid");
3305 print_user(fp, tok->tt.subj32.ruid, raw);
3306 close_attr(fp);
3307 open_attr(fp, "rgid");
3308 print_group(fp, tok->tt.subj32.rgid, raw);
3309 close_attr(fp);
3310 open_attr(fp,"pid");
3311 print_4_bytes(fp, tok->tt.subj32.pid, "%u");
3312 close_attr(fp);
3313 open_attr(fp,"sid");
3314 print_4_bytes(fp, tok->tt.subj32.sid, "%u");
3315 close_attr(fp);
3316 open_attr(fp,"tid");
3317 print_4_bytes(fp, tok->tt.subj32.tid.port, "%u ");
3318 print_ip_address(fp, tok->tt.subj32.tid.addr);
3319 close_attr(fp);
3320 close_tag(fp, tok->id);
3321 } else {
3322 print_delim(fp, del);
3323 print_user(fp, tok->tt.subj32.auid, raw);
3324 print_delim(fp, del);
3325 print_user(fp, tok->tt.subj32.euid, raw);
3326 print_delim(fp, del);
3327 print_group(fp, tok->tt.subj32.egid, raw);
3328 print_delim(fp, del);
3329 print_user(fp, tok->tt.subj32.ruid, raw);
3330 print_delim(fp, del);
3331 print_group(fp, tok->tt.subj32.rgid, raw);
3332 print_delim(fp, del);
3333 print_4_bytes(fp, tok->tt.subj32.pid, "%u");
3334 print_delim(fp, del);
3335 print_4_bytes(fp, tok->tt.subj32.sid, "%u");
3336 print_delim(fp, del);
3337 print_4_bytes(fp, tok->tt.subj32.tid.port, "%u");
3338 print_delim(fp, del);
3339 print_ip_address(fp, tok->tt.subj32.tid.addr);
3340 }
3341 }
3342
3343 /*
3344 * audit ID 4 bytes
3345 * euid 4 bytes
3346 * egid 4 bytes
3347 * ruid 4 bytes
3348 * rgid 4 bytes
3349 * pid 4 bytes
3350 * sessid 4 bytes
3351 * terminal ID
3352 * portid 4 bytes/8 bytes (32-bit/64-bit value)
3353 * machine id 4 bytes
3354 */
3355 static int
3356 fetch_subject64_tok(tokenstr_t *tok, u_char *buf, int len)
3357 {
3358 int err = 0;
3359
3360 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.auid, tok->len, err);
3361 if (err)
3362 return (-1);
3363
3364 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.euid, tok->len, err);
3365 if (err)
3366 return (-1);
3367
3368 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.egid, tok->len, err);
3369 if (err)
3370 return (-1);
3371
3372 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.ruid, tok->len, err);
3373 if (err)
3374 return (-1);
3375
3376 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.rgid, tok->len, err);
3377 if (err)
3378 return (-1);
3379
3380 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.pid, tok->len, err);
3381 if (err)
3382 return (-1);
3383
3384 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.sid, tok->len, err);
3385 if (err)
3386 return (-1);
3387
3388 READ_TOKEN_U_INT64(buf, len, tok->tt.subj64.tid.port, tok->len, err);
3389 if (err)
3390 return (-1);
3391
3392 READ_TOKEN_BYTES(buf, len, &tok->tt.subj64.tid.addr,
3393 sizeof(tok->tt.subj64.tid.addr), tok->len, err);
3394 if (err)
3395 return (-1);
3396
3397 return (0);
3398 }
3399
3400 static void
3401 print_subject64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3402 __unused char sfrm, int xml)
3403 {
3404
3405 print_tok_type(fp, tok->id, "subject", raw, xml);
3406 if (xml) {
3407 open_attr(fp, "audit-uid");
3408 print_user(fp, tok->tt.subj64.auid, raw);
3409 close_attr(fp);
3410 open_attr(fp, "uid");
3411 print_user(fp, tok->tt.subj64.euid, raw);
3412 close_attr(fp);
3413 open_attr(fp, "gid");
3414 print_group(fp, tok->tt.subj64.egid, raw);
3415 close_attr(fp);
3416 open_attr(fp, "ruid");
3417 print_user(fp, tok->tt.subj64.ruid, raw);
3418 close_attr(fp);
3419 open_attr(fp, "rgid");
3420 print_group(fp, tok->tt.subj64.rgid, raw);
3421 close_attr(fp);
3422 open_attr(fp, "pid");
3423 print_4_bytes(fp, tok->tt.subj64.pid, "%u");
3424 close_attr(fp);
3425 open_attr(fp, "sid");
3426 print_4_bytes(fp, tok->tt.subj64.sid, "%u");
3427 close_attr(fp);
3428 open_attr(fp, "tid");
3429 print_8_bytes(fp, tok->tt.subj64.tid.port, "%llu");
3430 print_ip_address(fp, tok->tt.subj64.tid.addr);
3431 close_attr(fp);
3432 close_tag(fp, tok->id);
3433 } else {
3434 print_delim(fp, del);
3435 print_user(fp, tok->tt.subj64.auid, raw);
3436 print_delim(fp, del);
3437 print_user(fp, tok->tt.subj64.euid, raw);
3438 print_delim(fp, del);
3439 print_group(fp, tok->tt.subj64.egid, raw);
3440 print_delim(fp, del);
3441 print_user(fp, tok->tt.subj64.ruid, raw);
3442 print_delim(fp, del);
3443 print_group(fp, tok->tt.subj64.rgid, raw);
3444 print_delim(fp, del);
3445 print_4_bytes(fp, tok->tt.subj64.pid, "%u");
3446 print_delim(fp, del);
3447 print_4_bytes(fp, tok->tt.subj64.sid, "%u");
3448 print_delim(fp, del);
3449 print_8_bytes(fp, tok->tt.subj64.tid.port, "%llu");
3450 print_delim(fp, del);
3451 print_ip_address(fp, tok->tt.subj64.tid.addr);
3452 }
3453 }
3454
3455 /*
3456 * audit ID 4 bytes
3457 * euid 4 bytes
3458 * egid 4 bytes
3459 * ruid 4 bytes
3460 * rgid 4 bytes
3461 * pid 4 bytes
3462 * sessid 4 bytes
3463 * terminal ID
3464 * portid 4 bytes
3465 * type 4 bytes
3466 * machine id 16 bytes
3467 */
3468 static int
3469 fetch_subject32ex_tok(tokenstr_t *tok, u_char *buf, int len)
3470 {
3471 int err = 0;
3472
3473 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.auid, tok->len, err);
3474 if (err)
3475 return (-1);
3476
3477 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.euid, tok->len, err);
3478 if (err)
3479 return (-1);
3480
3481 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.egid, tok->len, err);
3482 if (err)
3483 return (-1);
3484
3485 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.ruid, tok->len, err);
3486 if (err)
3487 return (-1);
3488
3489 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.rgid, tok->len, err);
3490 if (err)
3491 return (-1);
3492
3493 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.pid, tok->len, err);
3494 if (err)
3495 return (-1);
3496
3497 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.sid, tok->len, err);
3498 if (err)
3499 return (-1);
3500
3501 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.tid.port, tok->len,
3502 err);
3503 if (err)
3504 return (-1);
3505
3506 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.tid.type, tok->len,
3507 err);
3508 if (err)
3509 return (-1);
3510
3511 if (tok->tt.subj32_ex.tid.type == AU_IPv4) {
3512 READ_TOKEN_BYTES(buf, len, &tok->tt.subj32_ex.tid.addr[0],
3513 sizeof(tok->tt.subj32_ex.tid.addr[0]), tok->len, err);
3514 if (err)
3515 return (-1);
3516 } else if (tok->tt.subj32_ex.tid.type == AU_IPv6) {
3517 READ_TOKEN_BYTES(buf, len, tok->tt.subj32_ex.tid.addr,
3518 sizeof(tok->tt.subj32_ex.tid.addr), tok->len, err);
3519 if (err)
3520 return (-1);
3521 } else
3522 return (-1);
3523
3524 return (0);
3525 }
3526
3527 static void
3528 print_subject32ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3529 __unused char sfrm, int xml)
3530 {
3531
3532 print_tok_type(fp, tok->id, "subject_ex", raw, xml);
3533 if (xml) {
3534 open_attr(fp, "audit-uid");
3535 print_user(fp, tok->tt.subj32_ex.auid, raw);
3536 close_attr(fp);
3537 open_attr(fp, "uid");
3538 print_user(fp, tok->tt.subj32_ex.euid, raw);
3539 close_attr(fp);
3540 open_attr(fp, "gid");
3541 print_group(fp, tok->tt.subj32_ex.egid, raw);
3542 close_attr(fp);
3543 open_attr(fp, "ruid");
3544 print_user(fp, tok->tt.subj32_ex.ruid, raw);
3545 close_attr(fp);
3546 open_attr(fp, "rgid");
3547 print_group(fp, tok->tt.subj32_ex.rgid, raw);
3548 close_attr(fp);
3549 open_attr(fp, "pid");
3550 print_4_bytes(fp, tok->tt.subj32_ex.pid, "%u");
3551 close_attr(fp);
3552 open_attr(fp, "sid");
3553 print_4_bytes(fp, tok->tt.subj32_ex.sid, "%u");
3554 close_attr(fp);
3555 open_attr(fp, "tid");
3556 print_4_bytes(fp, tok->tt.subj32_ex.tid.port, "%u");
3557 print_ip_ex_address(fp, tok->tt.subj32_ex.tid.type,
3558 tok->tt.subj32_ex.tid.addr);
3559 close_attr(fp);
3560 close_tag(fp, tok->id);
3561 } else {
3562 print_delim(fp, del);
3563 print_user(fp, tok->tt.subj32_ex.auid, raw);
3564 print_delim(fp, del);
3565 print_user(fp, tok->tt.subj32_ex.euid, raw);
3566 print_delim(fp, del);
3567 print_group(fp, tok->tt.subj32_ex.egid, raw);
3568 print_delim(fp, del);
3569 print_user(fp, tok->tt.subj32_ex.ruid, raw);
3570 print_delim(fp, del);
3571 print_group(fp, tok->tt.subj32_ex.rgid, raw);
3572 print_delim(fp, del);
3573 print_4_bytes(fp, tok->tt.subj32_ex.pid, "%u");
3574 print_delim(fp, del);
3575 print_4_bytes(fp, tok->tt.subj32_ex.sid, "%u");
3576 print_delim(fp, del);
3577 print_4_bytes(fp, tok->tt.subj32_ex.tid.port, "%u");
3578 print_delim(fp, del);
3579 print_ip_ex_address(fp, tok->tt.subj32_ex.tid.type,
3580 tok->tt.subj32_ex.tid.addr);
3581 }
3582 }
3583
3584 /*
3585 * audit ID 4 bytes
3586 * euid 4 bytes
3587 * egid 4 bytes
3588 * ruid 4 bytes
3589 * rgid 4 bytes
3590 * pid 4 bytes
3591 * sessid 4 bytes
3592 * terminal ID
3593 * portid 8 bytes
3594 * type 4 bytes
3595 * machine id 16 bytes
3596 */
3597 static int
3598 fetch_subject64ex_tok(tokenstr_t *tok, u_char *buf, int len)
3599 {
3600 int err = 0;
3601
3602 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.auid, tok->len, err);
3603 if (err)
3604 return (-1);
3605
3606 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.euid, tok->len, err);
3607 if (err)
3608 return (-1);
3609
3610 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.egid, tok->len, err);
3611 if (err)
3612 return (-1);
3613
3614 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.ruid, tok->len, err);
3615 if (err)
3616 return (-1);
3617
3618 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.rgid, tok->len, err);
3619 if (err)
3620 return (-1);
3621
3622 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.pid, tok->len, err);
3623 if (err)
3624 return (-1);
3625
3626 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.sid, tok->len, err);
3627 if (err)
3628 return (-1);
3629
3630 READ_TOKEN_U_INT64(buf, len, tok->tt.subj64_ex.tid.port, tok->len,
3631 err);
3632 if (err)
3633 return (-1);
3634
3635 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.tid.type, tok->len,
3636 err);
3637 if (err)
3638 return (-1);
3639
3640 if (tok->tt.subj64_ex.tid.type == AU_IPv4) {
3641 READ_TOKEN_BYTES(buf, len, &tok->tt.subj64_ex.tid.addr[0],
3642 sizeof(tok->tt.subj64_ex.tid.addr[0]), tok->len, err);
3643 if (err)
3644 return (-1);
3645 } else if (tok->tt.subj64_ex.tid.type == AU_IPv6) {
3646 READ_TOKEN_BYTES(buf, len, tok->tt.subj64_ex.tid.addr,
3647 sizeof(tok->tt.subj64_ex.tid.addr), tok->len, err);
3648 if (err)
3649 return (-1);
3650 } else
3651 return (-1);
3652
3653 return (0);
3654 }
3655
3656 static void
3657 print_subject64ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3658 __unused char sfrm, int xml)
3659 {
3660 print_tok_type(fp, tok->id, "subject_ex", raw, xml);
3661 if (xml) {
3662 open_attr(fp, "audit-uid");
3663 print_user(fp, tok->tt.subj64_ex.auid, raw);
3664 close_attr(fp);
3665 open_attr(fp, "uid");
3666 print_user(fp, tok->tt.subj64_ex.euid, raw);
3667 close_attr(fp);
3668 open_attr(fp, "gid");
3669 print_group(fp, tok->tt.subj64_ex.egid, raw);
3670 close_attr(fp);
3671 open_attr(fp, "ruid");
3672 print_user(fp, tok->tt.subj64_ex.ruid, raw);
3673 close_attr(fp);
3674 open_attr(fp, "rgid");
3675 print_group(fp, tok->tt.subj64_ex.rgid, raw);
3676 close_attr(fp);
3677 open_attr(fp, "pid");
3678 print_4_bytes(fp, tok->tt.subj64_ex.pid, "%u");
3679 close_attr(fp);
3680 open_attr(fp, "sid");
3681 print_4_bytes(fp, tok->tt.subj64_ex.sid, "%u");
3682 close_attr(fp);
3683 open_attr(fp, "tid");
3684 print_8_bytes(fp, tok->tt.subj64_ex.tid.port, "%llu");
3685 print_ip_ex_address(fp, tok->tt.subj64_ex.tid.type,
3686 tok->tt.subj64_ex.tid.addr);
3687 close_attr(fp);
3688 close_tag(fp, tok->id);
3689 } else {
3690 print_delim(fp, del);
3691 print_user(fp, tok->tt.subj64_ex.auid, raw);
3692 print_delim(fp, del);
3693 print_user(fp, tok->tt.subj64_ex.euid, raw);
3694 print_delim(fp, del);
3695 print_group(fp, tok->tt.subj64_ex.egid, raw);
3696 print_delim(fp, del);
3697 print_user(fp, tok->tt.subj64_ex.ruid, raw);
3698 print_delim(fp, del);
3699 print_group(fp, tok->tt.subj64_ex.rgid, raw);
3700 print_delim(fp, del);
3701 print_4_bytes(fp, tok->tt.subj64_ex.pid, "%u");
3702 print_delim(fp, del);
3703 print_4_bytes(fp, tok->tt.subj64_ex.sid, "%u");
3704 print_delim(fp, del);
3705 print_8_bytes(fp, tok->tt.subj64_ex.tid.port, "%llu");
3706 print_delim(fp, del);
3707 print_ip_ex_address(fp, tok->tt.subj64_ex.tid.type,
3708 tok->tt.subj64_ex.tid.addr);
3709 }
3710 }
3711
3712 /*
3713 * size 2 bytes
3714 * data size bytes
3715 */
3716 static int
3717 fetch_text_tok(tokenstr_t *tok, u_char *buf, int len)
3718 {
3719 int err = 0;
3720
3721 READ_TOKEN_U_INT16(buf, len, tok->tt.text.len, tok->len, err);
3722 if (err)
3723 return (-1);
3724
3725 SET_PTR((char*)buf, len, tok->tt.text.text, tok->tt.text.len, tok->len,
3726 err);
3727 if (err)
3728 return (-1);
3729
3730 return (0);
3731 }
3732
3733 static void
3734 print_text_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3735 __unused char sfrm, int xml)
3736 {
3737
3738 print_tok_type(fp, tok->id, "text", raw, xml);
3739 if (xml) {
3740 print_string(fp, tok->tt.text.text, tok->tt.text.len);
3741 close_tag(fp, tok->id);
3742 } else {
3743 print_delim(fp, del);
3744 print_string(fp, tok->tt.text.text, tok->tt.text.len);
3745 }
3746 }
3747
3748 /*
3749 * socket type 2 bytes
3750 * local port 2 bytes
3751 * address type/length 4 bytes
3752 * local Internet address 4 bytes
3753 * remote port 4 bytes
3754 * address type/length 4 bytes
3755 * remote Internet address 4 bytes
3756 */
3757 static int
3758 fetch_socketex32_tok(tokenstr_t *tok, u_char *buf, int len)
3759 {
3760 int err = 0;
3761
3762 READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.type, tok->len,
3763 err);
3764 if (err)
3765 return (-1);
3766
3767 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_port,
3768 sizeof(uint16_t), tok->len, err);
3769 if (err)
3770 return (-1);
3771
3772 READ_TOKEN_U_INT32(buf, len, tok->tt.socket_ex32.l_ad_type, tok->len,
3773 err);
3774 if (err)
3775 return (-1);
3776
3777 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_addr,
3778 sizeof(tok->tt.socket_ex32.l_addr), tok->len, err);
3779 if (err)
3780 return (-1);
3781
3782 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_port,
3783 sizeof(uint16_t), tok->len, err);
3784 if (err)
3785 return (-1);
3786
3787 READ_TOKEN_U_INT32(buf, len, tok->tt.socket_ex32.r_ad_type, tok->len,
3788 err);
3789 if (err)
3790 return (-1);
3791
3792 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_addr,
3793 sizeof(tok->tt.socket_ex32.r_addr), tok->len, err);
3794 if (err)
3795 return (-1);
3796
3797 return (0);
3798 }
3799
3800 static void
3801 print_socketex32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3802 __unused char sfrm, int xml)
3803 {
3804
3805 print_tok_type(fp, tok->id, "socket", raw, xml);
3806 if (xml) {
3807 open_attr(fp, "sock_type");
3808 print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x");
3809 close_attr(fp);
3810 open_attr(fp, "lport");
3811 print_2_bytes(fp, ntohs(tok->tt.socket_ex32.l_port), "%#x");
3812 close_attr(fp);
3813 open_attr(fp, "laddr");
3814 print_ip_address(fp, tok->tt.socket_ex32.l_addr);
3815 close_attr(fp);
3816 open_attr(fp, "faddr");
3817 print_ip_address(fp, tok->tt.socket_ex32.r_addr);
3818 close_attr(fp);
3819 open_attr(fp, "fport");
3820 print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x");
3821 close_attr(fp);
3822 close_tag(fp, tok->id);
3823 } else {
3824 print_delim(fp, del);
3825 print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x");
3826 print_delim(fp, del);
3827 print_2_bytes(fp, ntohs(tok->tt.socket_ex32.l_port), "%#x");
3828 print_delim(fp, del);
3829 print_ip_address(fp, tok->tt.socket_ex32.l_addr);
3830 print_delim(fp, del);
3831 print_4_bytes(fp, ntohs(tok->tt.socket_ex32.r_port), "%#x");
3832 print_delim(fp, del);
3833 print_ip_address(fp, tok->tt.socket_ex32.r_addr);
3834 }
3835 }
3836
3837 static int
3838 fetch_invalid_tok(tokenstr_t *tok, u_char *buf, int len)
3839 {
3840 int err = 0;
3841 int recoversize;
3842
3843 recoversize = len - (tok->len + AUDIT_TRAILER_SIZE);
3844 if (recoversize <= 0)
3845 return (-1);
3846
3847 tok->tt.invalid.length = recoversize;
3848
3849 SET_PTR((char*)buf, len, tok->tt.invalid.data, recoversize, tok->len,
3850 err);
3851 if (err)
3852 return (-1);
3853
3854 return (0);
3855 }
3856
3857 static void
3858 print_invalid_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3859 __unused char sfrm, int xml)
3860 {
3861
3862 if (!xml) {
3863 print_tok_type(fp, tok->id, "unknown", raw, 0);
3864 print_delim(fp, del);
3865 print_mem(fp, (u_char*)tok->tt.invalid.data,
3866 tok->tt.invalid.length);
3867 }
3868 }
3869
3870
3871 /*
3872 * size 2 bytes;
3873 * zonename size bytes;
3874 */
3875 static int
3876 fetch_zonename_tok(tokenstr_t *tok, u_char *buf, int len)
3877 {
3878 int err = 0;
3879
3880 READ_TOKEN_U_INT16(buf, len, tok->tt.zonename.len, tok->len, err);
3881 if (err)
3882 return (-1);
3883 SET_PTR((char *)buf, len, tok->tt.zonename.zonename, tok->tt.zonename.len,
3884 tok->len, err);
3885 if (err)
3886 return (-1);
3887 return (0);
3888 }
3889
3890 static void
3891 print_zonename_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3892 __unused char sfrm, int xml)
3893 {
3894
3895 print_tok_type(fp, tok->id, "zone", raw, xml);
3896 if (xml) {
3897 open_attr(fp, "name");
3898 print_string(fp, tok->tt.zonename.zonename,
3899 tok->tt.zonename.len);
3900 close_attr(fp);
3901 close_tag(fp, tok->id);
3902 } else {
3903 print_delim(fp, del);
3904 print_string(fp, tok->tt.zonename.zonename,
3905 tok->tt.zonename.len);
3906 }
3907 }
3908
3909 /*
3910 * Reads the token beginning at buf into tok.
3911 */
3912 int
3913 au_fetch_tok(tokenstr_t *tok, u_char *buf, int len)
3914 {
3915
3916 if (len <= 0)
3917 return (-1);
3918
3919 tok->len = 1;
3920 tok->data = buf;
3921 tok->id = *buf;
3922
3923 switch(tok->id) {
3924 case AUT_HEADER32:
3925 return (fetch_header32_tok(tok, buf, len));
3926
3927 case AUT_HEADER32_EX:
3928 return (fetch_header32_ex_tok(tok, buf, len));
3929
3930 case AUT_HEADER64:
3931 return (fetch_header64_tok(tok, buf, len));
3932
3933 case AUT_HEADER64_EX:
3934 return (fetch_header64_ex_tok(tok, buf, len));
3935
3936 case AUT_TRAILER:
3937 return (fetch_trailer_tok(tok, buf, len));
3938
3939 case AUT_ARG32:
3940 return (fetch_arg32_tok(tok, buf, len));
3941
3942 case AUT_ARG64:
3943 return (fetch_arg64_tok(tok, buf, len));
3944
3945 case AUT_ATTR32:
3946 return (fetch_attr32_tok(tok, buf, len));
3947
3948 case AUT_ATTR64:
3949 return (fetch_attr64_tok(tok, buf, len));
3950
3951 case AUT_EXIT:
3952 return (fetch_exit_tok(tok, buf, len));
3953
3954 case AUT_EXEC_ARGS:
3955 return (fetch_execarg_tok(tok, buf, len));
3956
3957 case AUT_EXEC_ENV:
3958 return (fetch_execenv_tok(tok, buf, len));
3959
3960 case AUT_OTHER_FILE32:
3961 return (fetch_file_tok(tok, buf, len));
3962
3963 case AUT_NEWGROUPS:
3964 return (fetch_newgroups_tok(tok, buf, len));
3965
3966 case AUT_IN_ADDR:
3967 return (fetch_inaddr_tok(tok, buf, len));
3968
3969 case AUT_IN_ADDR_EX:
3970 return (fetch_inaddr_ex_tok(tok, buf, len));
3971
3972 case AUT_IP:
3973 return (fetch_ip_tok(tok, buf, len));
3974
3975 case AUT_IPC:
3976 return (fetch_ipc_tok(tok, buf, len));
3977
3978 case AUT_IPC_PERM:
3979 return (fetch_ipcperm_tok(tok, buf, len));
3980
3981 case AUT_IPORT:
3982 return (fetch_iport_tok(tok, buf, len));
3983
3984 case AUT_OPAQUE:
3985 return (fetch_opaque_tok(tok, buf, len));
3986
3987 case AUT_PATH:
3988 return (fetch_path_tok(tok, buf, len));
3989
3990 case AUT_PROCESS32:
3991 return (fetch_process32_tok(tok, buf, len));
3992
3993 case AUT_PROCESS32_EX:
3994 return (fetch_process32ex_tok(tok, buf, len));
3995
3996 case AUT_PROCESS64:
3997 return (fetch_process64_tok(tok, buf, len));
3998
3999 case AUT_PROCESS64_EX:
4000 return (fetch_process64ex_tok(tok, buf, len));
4001
4002 case AUT_RETURN32:
4003 return (fetch_return32_tok(tok, buf, len));
4004
4005 case AUT_RETURN64:
4006 return (fetch_return64_tok(tok, buf, len));
4007
4008 case AUT_SEQ:
4009 return (fetch_seq_tok(tok, buf, len));
4010
4011 case AUT_SOCKET:
4012 return (fetch_socket_tok(tok, buf, len));
4013
4014 case AUT_SOCKINET32:
4015 return (fetch_sock_inet32_tok(tok, buf, len));
4016
4017 case AUT_SOCKUNIX:
4018 return (fetch_sock_unix_tok(tok, buf, len));
4019
4020 case AUT_SUBJECT32:
4021 return (fetch_subject32_tok(tok, buf, len));
4022
4023 case AUT_SUBJECT32_EX:
4024 return (fetch_subject32ex_tok(tok, buf, len));
4025
4026 case AUT_SUBJECT64:
4027 return (fetch_subject64_tok(tok, buf, len));
4028
4029 case AUT_SUBJECT64_EX:
4030 return (fetch_subject64ex_tok(tok, buf, len));
4031
4032 case AUT_TEXT:
4033 return (fetch_text_tok(tok, buf, len));
4034
4035 case AUT_SOCKET_EX:
4036 return (fetch_socketex32_tok(tok, buf, len));
4037
4038 case AUT_DATA:
4039 return (fetch_arb_tok(tok, buf, len));
4040
4041 case AUT_ZONENAME:
4042 return (fetch_zonename_tok(tok, buf, len));
4043
4044 default:
4045 return (fetch_invalid_tok(tok, buf, len));
4046 }
4047 }
4048
4049 /*
4050 * 'prints' the token out to outfp.
4051 */
4052 void
4053 au_print_tok(FILE *outfp, tokenstr_t *tok, char *del, char raw, char sfrm)
4054 {
4055
4056 switch(tok->id) {
4057 case AUT_HEADER32:
4058 print_header32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4059 return;
4060
4061 case AUT_HEADER32_EX:
4062 print_header32_ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4063 return;
4064
4065 case AUT_HEADER64:
4066 print_header64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4067 return;
4068
4069 case AUT_HEADER64_EX:
4070 print_header64_ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4071 return;
4072
4073 case AUT_TRAILER:
4074 print_trailer_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4075 return;
4076
4077 case AUT_ARG32:
4078 print_arg32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4079 return;
4080
4081 case AUT_ARG64:
4082 print_arg64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4083 return;
4084
4085 case AUT_DATA:
4086 print_arb_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4087 return;
4088
4089 case AUT_ATTR32:
4090 print_attr32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4091 return;
4092
4093 case AUT_ATTR64:
4094 print_attr64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4095 return;
4096
4097 case AUT_EXIT:
4098 print_exit_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4099 return;
4100
4101 case AUT_EXEC_ARGS:
4102 print_execarg_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4103 return;
4104
4105 case AUT_EXEC_ENV:
4106 print_execenv_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4107 return;
4108
4109 case AUT_OTHER_FILE32:
4110 print_file_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4111 return;
4112
4113 case AUT_NEWGROUPS:
4114 print_newgroups_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4115 return;
4116
4117 case AUT_IN_ADDR:
4118 print_inaddr_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4119 return;
4120
4121 case AUT_IN_ADDR_EX:
4122 print_inaddr_ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4123 return;
4124
4125 case AUT_IP:
4126 print_ip_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4127 return;
4128
4129 case AUT_IPC:
4130 print_ipc_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4131 return;
4132
4133 case AUT_IPC_PERM:
4134 print_ipcperm_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4135 return;
4136
4137 case AUT_IPORT:
4138 print_iport_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4139 return;
4140
4141 case AUT_OPAQUE:
4142 print_opaque_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4143 return;
4144
4145 case AUT_PATH:
4146 print_path_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4147 return;
4148
4149 case AUT_PROCESS32:
4150 print_process32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4151 return;
4152
4153 case AUT_PROCESS32_EX:
4154 print_process32ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4155 return;
4156
4157 case AUT_PROCESS64:
4158 print_process64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4159 return;
4160
4161 case AUT_PROCESS64_EX:
4162 print_process64ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4163 return;
4164
4165 case AUT_RETURN32:
4166 print_return32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4167 return;
4168
4169 case AUT_RETURN64:
4170 print_return64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4171 return;
4172
4173 case AUT_SEQ:
4174 print_seq_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4175 return;
4176
4177 case AUT_SOCKET:
4178 print_socket_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4179 return;
4180
4181 case AUT_SOCKINET32:
4182 print_sock_inet32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4183 return;
4184
4185 case AUT_SOCKUNIX:
4186 print_sock_unix_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4187 return;
4188
4189 case AUT_SUBJECT32:
4190 print_subject32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4191 return;
4192
4193 case AUT_SUBJECT64:
4194 print_subject64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4195 return;
4196
4197 case AUT_SUBJECT32_EX:
4198 print_subject32ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4199 return;
4200
4201 case AUT_SUBJECT64_EX:
4202 print_subject64ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4203 return;
4204
4205 case AUT_TEXT:
4206 print_text_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4207 return;
4208
4209 case AUT_SOCKET_EX:
4210 print_socketex32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4211 return;
4212
4213 case AUT_ZONENAME:
4214 print_zonename_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4215 return;
4216
4217 default:
4218 print_invalid_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4219 }
4220 }
4221
4222 /*
4223 * 'prints' the token out to outfp in XML format.
4224 */
4225 void
4226 au_print_tok_xml(FILE *outfp, tokenstr_t *tok, char *del, char raw,
4227 char sfrm)
4228 {
4229
4230 switch(tok->id) {
4231 case AUT_HEADER32:
4232 print_header32_tok(outfp, tok, del, raw, sfrm, AU_XML);
4233 return;
4234
4235 case AUT_HEADER32_EX:
4236 print_header32_ex_tok(outfp, tok, del, raw, sfrm, AU_XML);
4237 return;
4238
4239 case AUT_HEADER64:
4240 print_header64_tok(outfp, tok, del, raw, sfrm, AU_XML);
4241 return;
4242
4243 case AUT_HEADER64_EX:
4244 print_header64_ex_tok(outfp, tok, del, raw, sfrm, AU_XML);
4245 return;
4246
4247 case AUT_TRAILER:
4248 print_trailer_tok(outfp, tok, del, raw, sfrm, AU_XML);
4249 return;
4250
4251 case AUT_ARG32:
4252 print_arg32_tok(outfp, tok, del, raw, sfrm, AU_XML);
4253 return;
4254
4255 case AUT_ARG64:
4256 print_arg64_tok(outfp, tok, del, raw, sfrm, AU_XML);
4257 return;
4258
4259 case AUT_DATA:
4260 print_arb_tok(outfp, tok, del, raw, sfrm, AU_XML);
4261 return;
4262
4263 case AUT_ATTR32:
4264 print_attr32_tok(outfp, tok, del, raw, sfrm, AU_XML);
4265 return;
4266
4267 case AUT_ATTR64:
4268 print_attr64_tok(outfp, tok, del, raw, sfrm, AU_XML);
4269 return;
4270
4271 case AUT_EXIT:
4272 print_exit_tok(outfp, tok, del, raw, sfrm, AU_XML);
4273 return;
4274
4275 case AUT_EXEC_ARGS:
4276 print_execarg_tok(outfp, tok, del, raw, sfrm, AU_XML);
4277 return;
4278
4279 case AUT_EXEC_ENV:
4280 print_execenv_tok(outfp, tok, del, raw, sfrm, AU_XML);
4281 return;
4282
4283 case AUT_OTHER_FILE32:
4284 print_file_tok(outfp, tok, del, raw, sfrm, AU_XML);
4285 return;
4286
4287 case AUT_NEWGROUPS:
4288 print_newgroups_tok(outfp, tok, del, raw, sfrm, AU_XML);
4289 return;
4290
4291 case AUT_IN_ADDR:
4292 print_inaddr_tok(outfp, tok, del, raw, sfrm, AU_XML);
4293 return;
4294
4295 case AUT_IN_ADDR_EX:
4296 print_inaddr_ex_tok(outfp, tok, del, raw, sfrm, AU_XML);
4297 return;
4298
4299 case AUT_IP:
4300 print_ip_tok(outfp, tok, del, raw, sfrm, AU_XML);
4301 return;
4302
4303 case AUT_IPC:
4304 print_ipc_tok(outfp, tok, del, raw, sfrm, AU_XML);
4305 return;
4306
4307 case AUT_IPC_PERM:
4308 print_ipcperm_tok(outfp, tok, del, raw, sfrm, AU_XML);
4309 return;
4310
4311 case AUT_IPORT:
4312 print_iport_tok(outfp, tok, del, raw, sfrm, AU_XML);
4313 return;
4314
4315 case AUT_OPAQUE:
4316 print_opaque_tok(outfp, tok, del, raw, sfrm, AU_XML);
4317 return;
4318
4319 case AUT_PATH:
4320 print_path_tok(outfp, tok, del, raw, sfrm, AU_XML);
4321 return;
4322
4323 case AUT_PROCESS32:
4324 print_process32_tok(outfp, tok, del, raw, sfrm, AU_XML);
4325 return;
4326
4327 case AUT_PROCESS32_EX:
4328 print_process32ex_tok(outfp, tok, del, raw, sfrm, AU_XML);
4329 return;
4330
4331 case AUT_PROCESS64:
4332 print_process64_tok(outfp, tok, del, raw, sfrm, AU_XML);
4333 return;
4334
4335 case AUT_PROCESS64_EX:
4336 print_process64ex_tok(outfp, tok, del, raw, sfrm, AU_XML);
4337 return;
4338
4339 case AUT_RETURN32:
4340 print_return32_tok(outfp, tok, del, raw, sfrm, AU_XML);
4341 return;
4342
4343 case AUT_RETURN64:
4344 print_return64_tok(outfp, tok, del, raw, sfrm, AU_XML);
4345 return;
4346
4347 case AUT_SEQ:
4348 print_seq_tok(outfp, tok, del, raw, sfrm, AU_XML);
4349 return;
4350
4351 case AUT_SOCKET:
4352 print_socket_tok(outfp, tok, del, raw, sfrm, AU_XML);
4353 return;
4354
4355 case AUT_SOCKINET32:
4356 print_sock_inet32_tok(outfp, tok, del, raw, sfrm, AU_XML);
4357 return;
4358
4359 case AUT_SOCKUNIX:
4360 print_sock_unix_tok(outfp, tok, del, raw, sfrm, AU_XML);
4361 return;
4362
4363 case AUT_SUBJECT32:
4364 print_subject32_tok(outfp, tok, del, raw, sfrm, AU_XML);
4365 return;
4366
4367 case AUT_SUBJECT64:
4368 print_subject64_tok(outfp, tok, del, raw, sfrm, AU_XML);
4369 return;
4370
4371 case AUT_SUBJECT32_EX:
4372 print_subject32ex_tok(outfp, tok, del, raw, sfrm, AU_XML);
4373 return;
4374
4375 case AUT_SUBJECT64_EX:
4376 print_subject64ex_tok(outfp, tok, del, raw, sfrm, AU_XML);
4377 return;
4378
4379 case AUT_TEXT:
4380 print_text_tok(outfp, tok, del, raw, sfrm, AU_XML);
4381 return;
4382
4383 case AUT_SOCKET_EX:
4384 print_socketex32_tok(outfp, tok, del, raw, sfrm, AU_XML);
4385 return;
4386
4387 case AUT_ZONENAME:
4388 print_zonename_tok(outfp, tok, del, raw, sfrm, AU_XML);
4389 return;
4390
4391 default:
4392 print_invalid_tok(outfp, tok, del, raw, sfrm, AU_XML);
4393 }
4394 }
4395
4396 /*
4397 * Read a record from the file pointer, store data in buf memory for buf is
4398 * also allocated in this function and has to be free'd outside this call.
4399 *
4400 * au_read_rec() handles two possibilities: a stand-alone file token, or a
4401 * complete audit record.
4402 *
4403 * XXXRW: Note that if we hit an error, we leave the stream in an unusable
4404 * state, because it will be partly offset into a record. We should rewind
4405 * or do something more intelligent. Particularly interesting is the case
4406 * where we perform a partial read of a record from a non-blockable file
4407 * descriptor. We should return the partial read and continue...?
4408 */
4409 int
4410 au_read_rec(FILE *fp, u_char **buf)
4411 {
4412 u_char *bptr;
4413 u_int32_t recsize;
4414 u_int32_t bytestoread;
4415 u_char type;
4416
4417 u_int32_t sec, msec;
4418 u_int16_t filenamelen;
4419
4420 type = fgetc(fp);
4421
4422 switch (type) {
4423 case AUT_HEADER32:
4424 case AUT_HEADER32_EX:
4425 case AUT_HEADER64:
4426 case AUT_HEADER64_EX:
4427 /* read the record size from the token */
4428 if (fread(&recsize, 1, sizeof(u_int32_t), fp) <
4429 sizeof(u_int32_t)) {
4430 errno = EINVAL;
4431 return (-1);
4432 }
4433 recsize = be32toh(recsize);
4434
4435 /* Check for recsize sanity */
4436 if (recsize < (sizeof(u_int32_t) + sizeof(u_char))) {
4437 errno = EINVAL;
4438 return (-1);
4439 }
4440
4441 *buf = malloc(recsize * sizeof(u_char));
4442 if (*buf == NULL)
4443 return (-1);
4444 bptr = *buf;
4445 memset(bptr, 0, recsize);
4446
4447 /* store the token contents already read, back to the buffer*/
4448 *bptr = type;
4449 bptr++;
4450 be32enc(bptr, recsize);
4451 bptr += sizeof(u_int32_t);
4452
4453 /* now read remaining record bytes */
4454 bytestoread = recsize - (sizeof(u_int32_t) + sizeof(u_char));
4455
4456 if (fread(bptr, 1, bytestoread, fp) < bytestoread) {
4457 free(*buf);
4458 errno = EINVAL;
4459 return (-1);
4460 }
4461 break;
4462
4463 case AUT_OTHER_FILE32:
4464 /*
4465 * The file token is variable-length, as it includes a
4466 * pathname. As a result, we have to read incrementally
4467 * until we know the total length, then allocate space and
4468 * read the rest.
4469 */
4470 if (fread(&sec, 1, sizeof(sec), fp) < sizeof(sec)) {
4471 errno = EINVAL;
4472 return (-1);
4473 }
4474 if (fread(&msec, 1, sizeof(msec), fp) < sizeof(msec)) {
4475 errno = EINVAL;
4476 return (-1);
4477 }
4478 if (fread(&filenamelen, 1, sizeof(filenamelen), fp) <
4479 sizeof(filenamelen)) {
4480 errno = EINVAL;
4481 return (-1);
4482 }
4483 recsize = sizeof(type) + sizeof(sec) + sizeof(msec) +
4484 sizeof(filenamelen) + ntohs(filenamelen);
4485 *buf = malloc(recsize);
4486 if (*buf == NULL)
4487 return (-1);
4488 bptr = *buf;
4489
4490 bcopy(&type, bptr, sizeof(type));
4491 bptr += sizeof(type);
4492 bcopy(&sec, bptr, sizeof(sec));
4493 bptr += sizeof(sec);
4494 bcopy(&msec, bptr, sizeof(msec));
4495 bptr += sizeof(msec);
4496 bcopy(&filenamelen, bptr, sizeof(filenamelen));
4497 bptr += sizeof(filenamelen);
4498
4499 if (fread(bptr, 1, ntohs(filenamelen), fp) <
4500 ntohs(filenamelen)) {
4501 free(buf);
4502 errno = EINVAL;
4503 return (-1);
4504 }
4505 break;
4506
4507 default:
4508 errno = EINVAL;
4509 return (-1);
4510 }
4511
4512 return (recsize);
4513 }
FreeBSD kvm: FreeBSD sources