search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
dmake: do not set MAKEFLAGS=k
[unleashed/tickless.git] / usr / src / lib / auditd_plugins / syslog / systoken.c
blob389e799733e71d932e99a4a671bcea3f2719ea42
1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright 2010 Sun Microsystems, Inc. All rights reserved.
23 * Use is subject to license terms.
24 * Copyright 2012 Milan Jurik. All rights reserved.
25 */
26
27
28 /*
29 * Token processing for sysupd; each token function does one
30 * or more operations. All of them bump the buffer pointer
31 * to the next token; some of them extract one or more data
32 * from the token.
33 */
34
35 #define DEBUG 0
36 #if DEBUG
37 #define DPRINT(x) { (void) fprintf x; }
38 #else
39 #define DPRINT(x)
40 #endif
41
42 #include <locale.h>
43 #include <stdlib.h>
44 #include <stdio.h>
45 #include <string.h>
46 #include <sys/types.h>
47 #include <bsm/libbsm.h>
48 #include "toktable.h" /* ../praudit */
49 #include "sysplugin.h"
50 #include "systoken.h"
51 #include <audit_plugin.h>
52
53 #if DEBUG
54 static FILE *dbfp; /* debug file */
55 #endif
56
57 static void anchor_path(char *);
58 static size_t collapse_path(char *, size_t);
59 static void get_bytes_to_string(parse_context_t *, size_t *, char **,
60 size_t);
61 static void skip_bytes(parse_context_t *);
62 static void skip_string(parse_context_t *);
63 static int xgeneric(parse_context_t *);
64
65 /*
66 * Process a token in a record to (1) extract data of interest if any
67 * and (2) point to the next token.
68 *
69 * returns 0 if ok. + or - values are of debug value:
70 *
71 * returns -1 if the parsing of the token failed.
72 *
73 * returns +<previous id> if the token is not found. This value
74 * is used to help determine where in the record the problem
75 * occurred. The common failure case is that the parsing of
76 * token M is incorrect and the buffer pointer ends up pointing
77 * to garbage. The positive error value of M *may* be the id of
78 * the incorrectly parsed token.
79 */
80
81 int
82 parse_token(parse_context_t *ctx)
83 {
84 char tokenid;
85 static char prev_tokenid = -1;
86 int rc;
87
88 #if DEBUG
89 static boolean_t first = 1;
90
91 if (first) {
92 dbfp = __auditd_debug_file_open();
93 first = 0;
94 }
95 #endif
96
97 adrm_char(&(ctx->adr), &tokenid, 1);
98
99 if ((tokenid > 0) && (tokentable[tokenid].func != NOFUNC)) {
100 rc = (*tokentable[tokenid].func)(ctx);
101 prev_tokenid = tokenid;
102 return (rc);
103 }
104 /* here if token id is not in table */
105 return (prev_tokenid);
106 }
107
108 /* There should not be any file tokens in the middle of a record */
109
110 /* ARGSUSED */
111 int
112 file_token(parse_context_t *ctx)
113 {
114
115 return (-1);
116 }
117
118 /* ARGSUSED */
119 int
120 file64_token(parse_context_t *ctx)
121 {
122 return (-1);
123 }
124
125 static void
126 common_header(parse_context_t *ctx)
127 {
128 adrm_u_int32(&(ctx->adr), &(ctx->out.sf_reclen), 1);
129 ctx->adr.adr_now += sizeof (char); /* version number */
130 adrm_u_short(&(ctx->adr), &(ctx->out.sf_eventid), 1);
131 ctx->adr.adr_now += sizeof (short); /* modifier */
132 }
133
134 /*
135 * 32bit header
136 */
137 int
138 header_token(parse_context_t *ctx)
139 {
140 common_header(ctx);
141 ctx->adr.adr_now += 2 * sizeof (int32_t); /* time */
142
143 return (0);
144 }
145
146
147 int
148 header32_ex_token(parse_context_t *ctx)
149 {
150 int32_t type;
151
152 common_header(ctx);
153
154 adrm_int32(&(ctx->adr), &type, 1); /* tid type */
155 ctx->adr.adr_now += type * sizeof (char); /* ip address */
156
157 ctx->adr.adr_now += 2 * sizeof (int32_t); /* time */
158
159 return (0);
160 }
161
162
163 int
164 header64_ex_token(parse_context_t *ctx)
165 {
166 int32_t type;
167
168 common_header(ctx);
169
170 adrm_int32(&(ctx->adr), &type, 1); /* tid type */
171 ctx->adr.adr_now += type * sizeof (char); /* ip address */
172
173 ctx->adr.adr_now += 2 * sizeof (int64_t); /* time */
174
175 return (0);
176 }
177
178
179 int
180 header64_token(parse_context_t *ctx)
181 {
182 common_header(ctx);
183
184 ctx->adr.adr_now += 2 * sizeof (int64_t); /* time */
185
186 return (0);
187 }
188
189
190 /*
191 * ======================================================
192 * The following token processing routines return
193 * 0: if parsed ok
194 * -1: can't parse and can't determine location of next token
195 * ======================================================
196 */
197
198 int
199 trailer_token(parse_context_t *ctx)
200 {
201 short magic_number;
202 uint32_t bytes;
203
204 adrm_u_short(&(ctx->adr), (ushort_t *)&magic_number, 1);
205 if (magic_number != AUT_TRAILER_MAGIC)
206 return (-1);
207
208 adrm_u_int32(&(ctx->adr), &bytes, 1);
209
210 return (0);
211 }
212
213
214 /*
215 * Format of arbitrary data token:
216 * arbitrary data token id &(ctx->adr) char
217 * how to print adr_char
218 * basic unit adr_char
219 * unit count adr_char, specifying number of units of
220 * data items depends on basic unit
221 *
222 */
223 int
224 arbitrary_data_token(parse_context_t *ctx)
225 {
226 char basic_unit, unit_count;
227
228 ctx->adr.adr_now += sizeof (char); /* how to print */
229
230 adrm_char(&(ctx->adr), &basic_unit, 1);
231 adrm_char(&(ctx->adr), &unit_count, 1);
232
233 switch (basic_unit) {
234 case AUR_CHAR: /* same as AUR_BYTE */
235 ctx->adr.adr_now += unit_count * sizeof (char);
236 break;
237 case AUR_SHORT:
238 ctx->adr.adr_now += unit_count * sizeof (short);
239 break;
240 case AUR_INT32: /* same as AUR_INT */
241 ctx->adr.adr_now += unit_count * sizeof (int32_t);
242 break;
243 case AUR_INT64:
244 ctx->adr.adr_now += unit_count * sizeof (int64_t);
245 break;
246 default:
247 return (-1);
248 }
249 return (0);
250 }
251
252
253 /*
254 * Format of opaque token:
255 * opaque token id adr_char
256 * size adr_short
257 * data adr_char, size times
258 *
259 */
260 int
261 opaque_token(parse_context_t *ctx)
262 {
263 skip_bytes(ctx);
264 return (0);
265 }
266
267
268 /*
269 * Format of return32 value token:
270 * return value token id adr_char
271 * error number adr_char
272 * return value adr_u_int32
273 *
274 */
275 int
276 return_value32_token(parse_context_t *ctx)
277 {
278 char errnum;
279
280 adrm_char(&(ctx->adr), &errnum, 1); /* pass / fail */
281 ctx->adr.adr_now += sizeof (int32_t); /* error code */
282
283 ctx->out.sf_pass = (errnum == 0) ? 1 : -1;
284
285 return (0);
286 }
287
288 /*
289 * Format of return64 value token:
290 * return value token id adr_char
291 * error number adr_char
292 * return value adr_u_int64
293 *
294 */
295 int
296 return_value64_token(parse_context_t *ctx)
297 {
298 char errnum;
299
300 adrm_char(&(ctx->adr), &errnum, 1); /* pass / fail */
301 ctx->adr.adr_now += sizeof (int64_t); /* error code */
302
303 ctx->out.sf_pass = (errnum == 0) ? 1 : -1;
304
305 return (0);
306 }
307
308
309 /*
310 * Format of sequence token:
311 * sequence token id adr_char
312 * audit_count int32_t
313 *
314 */
315 int
316 sequence_token(parse_context_t *ctx)
317 {
318 adrm_int32(&(ctx->adr), &(ctx->out.sf_sequence), 1);
319 return (0);
320 }
321
322
323 /*
324 * Format of text token:
325 * text token id adr_char
326 * text adr_string
327 */
328 int
329 text_token(parse_context_t *ctx)
330 {
331 ushort_t len;
332 size_t separator_sz = 0;
333 char *bp; /* pointer to output string */
334
335 adrm_u_short(&(ctx->adr), &len, 1);
336
337 if (ctx->out.sf_textlen > 0)
338 separator_sz = sizeof (AU_TEXT_NAME) - 1;
339
340 DPRINT((dbfp, "text_token: start length=%d, add length=%d+%d\n",
341 ctx->out.sf_textlen, (size_t)len, separator_sz));
342
343 ctx->out.sf_text = realloc(ctx->out.sf_text,
344 ctx->out.sf_textlen + (size_t)len + separator_sz);
345
346 if (ctx->out.sf_text == NULL)
347 return (-1);
348
349 bp = ctx->out.sf_text;
350
351 if (ctx->out.sf_textlen != 0) { /* concatenation? */
352 bp += ctx->out.sf_textlen;
353 bp += strlcpy(bp, AU_TEXT_NAME, separator_sz + 1);
354 ctx->out.sf_textlen += separator_sz;
355 DPRINT((dbfp, "text_token: l is %d\n%s\n", ctx->out.sf_textlen,
356 ctx->out.sf_text));
357 }
358 adrm_char(&(ctx->adr), bp, len);
359 len--; /* includes EOS */
360 *(bp + len) = '\0';
361
362 ctx->out.sf_textlen += len;
363 DPRINT((dbfp, "text_token: l=%d\n%s\n", ctx->out.sf_textlen,
364 ctx->out.sf_text));
365
366 return (0);
367 }
368
369 /*
370 * Format of tid token:
371 * ip token id adr_char
372 * terminal type adr_char
373 * terminal type = AU_IPADR:
374 * remote port: ushort
375 * local port: ushort
376 * IP type: int32 -- AU_IPv4 or AU_IPv6
377 * address: int32 if IPv4, else 4 * int32
378 */
379 int
380 tid_token(parse_context_t *ctx)
381 {
382 uchar_t type;
383 int32_t ip_length;
384
385 adrm_char(&(ctx->adr), (char *)&type, 1);
386
387 switch (type) {
388 default:
389 return (-1); /* other than IP type is not implemented */
390 case AU_IPADR:
391 ctx->adr.adr_now += 2 * sizeof (ushort_t);
392 adrm_int32(&(ctx->adr), &ip_length, 1);
393 ctx->adr.adr_now += ip_length;
394 break;
395 }
396 return (0);
397 }
398
399 /*
400 * Format of ip_addr token:
401 * ip token id adr_char
402 * address adr_int32
403 *
404 */
405 int
406 ip_addr_token(parse_context_t *ctx)
407 {
408 ctx->adr.adr_now += sizeof (int32_t);
409
410 return (0);
411 }
412
413 /*
414 * Format of ip_addr_ex token:
415 * ip token id adr_char
416 * ip type adr_int32
417 * ip address adr_u_char*type
418 *
419 */
420 int
421 ip_addr_ex_token(parse_context_t *ctx)
422 {
423 int32_t type;
424
425 adrm_int32(&(ctx->adr), &type, 1); /* ip type */
426 ctx->adr.adr_now += type * sizeof (uchar_t); /* ip address */
427
428 return (0);
429 }
430
431 /*
432 * Format of ip token:
433 * ip header token id adr_char
434 * version adr_char
435 * type of service adr_char
436 * length adr_short
437 * id adr_u_short
438 * offset adr_u_short
439 * ttl adr_char
440 * protocol adr_char
441 * checksum adr_u_short
442 * source address adr_int32
443 * destination address adr_int32
444 *
445 */
446 int
447 ip_token(parse_context_t *ctx)
448 {
449 ctx->adr.adr_now += (2 * sizeof (char)) + (3 * sizeof (short)) +
450 (2 * sizeof (char)) + sizeof (short) + (2 * sizeof (int32_t));
451 return (0);
452 }
453
454
455 /*
456 * Format of iport token:
457 * ip port address token id adr_char
458 * port address adr_short
459 *
460 */
461 int
462 iport_token(parse_context_t *ctx)
463 {
464 ctx->adr.adr_now += sizeof (short);
465
466 return (0);
467 }
468
469
470 /*
471 * Format of groups token:
472 * group token id adr_char
473 * group list adr_int32, 16 times
474 *
475 */
476 int
477 group_token(parse_context_t *ctx)
478 {
479 ctx->adr.adr_now += 16 * sizeof (int32_t);
480
481 return (0);
482 }
483
484 /*
485 * Format of newgroups token:
486 * group token id adr_char
487 * number of groups adr_short
488 * group list adr_int32, "number" times
489 *
490 */
491 int
492 newgroup_token(parse_context_t *ctx)
493 {
494 short int number;
495
496 adrm_short(&(ctx->adr), &number, 1);
497
498 ctx->adr.adr_now += number * sizeof (int32_t);
499
500 return (0);
501 }
502
503 /*
504 * Format of argument32 token:
505 * argument token id adr_char
506 * argument number adr_char
507 * argument value adr_int32
508 * argument description adr_string
509 *
510 */
511 int
512 argument32_token(parse_context_t *ctx)
513 {
514 ctx->adr.adr_now += sizeof (char) + sizeof (int32_t);
515 skip_bytes(ctx);
516
517 return (0);
518 }
519
520 /*
521 * Format of argument64 token:
522 * argument token id adr_char
523 * argument number adr_char
524 * argument value adr_int64
525 * argument description adr_string
526 *
527 */
528 int
529 argument64_token(parse_context_t *ctx)
530 {
531 ctx->adr.adr_now += sizeof (char) + sizeof (int64_t);
532 skip_bytes(ctx);
533
534 return (0);
535 }
536
537 /*
538 * Format of acl token:
539 * acl token id adr_char
540 * type adr_u_int32
541 * value adr_u_int32
542 * mode adr_u_int32
543 */
544 int
545 acl_token(parse_context_t *ctx)
546 {
547 ctx->adr.adr_now += 3 * sizeof (uint32_t);
548
549 return (0);
550 }
551
552 /*
553 * Format of ace token:
554 * ace token id adr_char
555 * id adr_u_int32
556 * access_mask adr_u_int32
557 * flags adr_u_short
558 * type adr_u_short
559 */
560 int
561 ace_token(parse_context_t *ctx)
562 {
563 ctx->adr.adr_now += 2 * sizeof (uint32_t) + 2 * sizeof (ushort_t);
564
565 return (0);
566 }
567
568 /*
569 * Format of attribute token: (old pre SunOS 5.7 format)
570 * attribute token id adr_char
571 * mode adr_int32 (printed in octal)
572 * uid adr_int32
573 * gid adr_int32
574 * file system id adr_int32
575 * node id adr_int32
576 * device adr_int32
577 *
578 */
579 int
580 attribute_token(parse_context_t *ctx)
581 {
582 ctx->adr.adr_now += 6 * sizeof (int32_t);
583
584 return (0);
585 }
586
587 /*
588 * Format of attribute32 token:
589 * attribute token id adr_char
590 * mode adr_int32 (printed in octal)
591 * uid adr_int32
592 * gid adr_int32
593 * file system id adr_int32
594 * node id adr_int64
595 * device adr_int32
596 *
597 */
598 int
599 attribute32_token(parse_context_t *ctx)
600 {
601 ctx->adr.adr_now += (5 * sizeof (int32_t)) + sizeof (int64_t);
602
603 return (0);
604 }
605
606 /*
607 * Format of attribute64 token:
608 * attribute token id adr_char
609 * mode adr_int32 (printed in octal)
610 * uid adr_int32
611 * gid adr_int32
612 * file system id adr_int32
613 * node id adr_int64
614 * device adr_int64
615 *
616 */
617 int
618 attribute64_token(parse_context_t *ctx)
619 {
620 ctx->adr.adr_now += (4 * sizeof (int32_t)) + (2 * sizeof (int64_t));
621
622 return (0);
623 }
624
625
626 /*
627 * Format of command token:
628 * attribute token id adr_char
629 * argc adr_short
630 * argv len adr_short variable amount of argv len
631 * argv text argv len and text
632 * .
633 * .
634 * .
635 * envp count adr_short variable amount of envp len
636 * envp len adr_short and text
637 * envp text envp len
638 * .
639 * .
640 * .
641 *
642 */
643 int
644 cmd_token(parse_context_t *ctx)
645 {
646 short cnt;
647 short i;
648
649 adrm_short(&(ctx->adr), &cnt, 1);
650
651 for (i = 0; i < cnt; i++)
652 skip_bytes(ctx);
653
654 adrm_short(&(ctx->adr), &cnt, 1);
655
656 for (i = 0; i < cnt; i++)
657 skip_bytes(ctx);
658
659 return (0);
660 }
661
662
663 /*
664 * Format of exit token:
665 * attribute token id adr_char
666 * return value adr_int32
667 * errno adr_int32
668 *
669 */
670 int
671 exit_token(parse_context_t *ctx)
672 {
673 int32_t retval;
674
675 adrm_int32(&(ctx->adr), &retval, 1);
676 ctx->adr.adr_now += sizeof (int32_t);
677
678 ctx->out.sf_pass = (retval == 0) ? 1 : -1;
679 return (0);
680 }
681
682 /*
683 * Format of exec_args token:
684 * attribute token id adr_char
685 * count value adr_int32
686 * strings null terminated strings
687 *
688 */
689 int
690 exec_args_token(parse_context_t *ctx)
691 {
692 int count, i;
693
694 adrm_int32(&(ctx->adr), (int32_t *)&count, 1);
695 for (i = 1; i <= count; i++) {
696 skip_string(ctx);
697 }
698
699 return (0);
700 }
701
702 /*
703 * Format of exec_env token:
704 * attribute token id adr_char
705 * count value adr_int32
706 * strings null terminated strings
707 *
708 */
709 int
710 exec_env_token(parse_context_t *ctx)
711 {
712 int count, i;
713
714 adrm_int32(&(ctx->adr), (int32_t *)&count, 1);
715 for (i = 1; i <= count; i++)
716 skip_string(ctx);
717
718 return (0);
719 }
720
721 /*
722 * Format of liaison token:
723 */
724 int
725 liaison_token(parse_context_t *ctx)
726 {
727 ctx->adr.adr_now += sizeof (int32_t);
728
729 return (0);
730 }
731
732
733 /*
734 * Format of path token:
735 * path adr_string
736 */
737 int
738 path_token(parse_context_t *ctx)
739 {
740 get_bytes_to_string(ctx, &(ctx->out.sf_pathlen), &(ctx->out.sf_path),
741 0);
742 if (ctx->out.sf_path == NULL)
743 return (-1);
744 /*
745 * anchor the path because collapse_path needs it
746 */
747 if (*(ctx->out.sf_path) != '/') {
748 anchor_path(ctx->out.sf_path);
749 ctx->out.sf_pathlen++;
750 }
751 ctx->out.sf_pathlen = collapse_path(ctx->out.sf_path,
752 ctx->out.sf_pathlen);
753
754 return (0);
755 }
756
757 /*
758 * path attr token / AUT_XATPATH
759 *
760 * Format of path attr token:
761 * token id adr_char
762 * string count adr_int32
763 * strings adr_string
764 *
765 * the sequence of strings is converted to a single string with
766 * a blank separator replacing the EOS for all but the last
767 * string.
768 */
769 int
770 path_attr_token(parse_context_t *ctx)
771 {
772 int count, i;
773 int last_len;
774 size_t offset;
775 char *p;
776
777 adrm_int32(&(ctx->adr), &count, 1);
778
779 offset = ctx->out.sf_atpathlen;
780 p = ctx->adr.adr_now;
781 for (i = 0; i <= count; i++) {
782 last_len = strlen(p);
783 ctx->out.sf_atpathlen += last_len + 1;
784 p += last_len + 1;
785 }
786 ctx->out.sf_atpath = realloc(ctx->out.sf_atpath, ctx->out.sf_atpathlen);
787 ctx->out.sf_atpath += offset;
788 p = ctx->out.sf_atpath; /* save for fix up, below */
789 (void) memcpy(ctx->out.sf_atpath, ctx->adr.adr_now,
790 ctx->out.sf_atpathlen - offset);
791 ctx->out.sf_atpathlen--;
792
793 /* fix up: replace each eos except the last with ' ' */
794
795 for (i = 0; i < count; i++) {
796 while (*p++ != '\0')
797 ;
798 *(p - 1) = ' ';
799 }
800 return (0);
801 }
802
803
804 /*
805 * Format of System V IPC permission token:
806 * System V IPC permission token id adr_char
807 * uid adr_int32
808 * gid adr_int32
809 * cuid adr_int32
810 * cgid adr_int32
811 * mode adr_int32
812 * seq adr_int32
813 * key adr_int32
814 */
815 int
816 s5_IPC_perm_token(parse_context_t *ctx)
817 {
818 ctx->adr.adr_now += (7 * sizeof (int32_t));
819 return (0);
820 }
821
822 static void
823 common_process(parse_context_t *ctx)
824 {
825 int32_t ruid, rgid, egid, pid;
826 uint32_t asid;
827
828 adrm_u_int32(&(ctx->adr), (uint32_t *)&(ctx->out.sf_pauid), 1);
829 adrm_u_int32(&(ctx->adr), (uint32_t *)&(ctx->out.sf_peuid), 1);
830 adrm_int32(&(ctx->adr), &egid, 1);
831 adrm_int32(&(ctx->adr), &ruid, 1);
832 adrm_int32(&(ctx->adr), &rgid, 1);
833 adrm_int32(&(ctx->adr), &pid, 1);
834 adrm_u_int32(&(ctx->adr), &asid, 1);
835 }
836
837 /*
838 * Format of process32 token:
839 * process token id adr_char
840 * auid adr_int32
841 * euid adr_int32
842 * egid adr_int32
843 * ruid adr_int32
844 * rgid adr_int32
845 * pid adr_int32
846 * sid adr_int32
847 * termid adr_int32*2
848 *
849 */
850 int
851 process32_token(parse_context_t *ctx)
852 {
853 int32_t port, machine;
854
855 common_process(ctx);
856
857 adrm_int32(&(ctx->adr), &port, 1);
858 adrm_int32(&(ctx->adr), &machine, 1);
859
860 return (0);
861 }
862
863 /*
864 * Format of process32_ex token:
865 * process token id adr_char
866 * auid adr_int32
867 * euid adr_int32
868 * egid adr_int32
869 * ruid adr_int32
870 * rgid adr_int32
871 * pid adr_int32
872 * sid adr_int32
873 * termid
874 * port adr_int32
875 * type adr_int32
876 * ip address adr_u_char*type
877 *
878 */
879 int
880 process32_ex_token(parse_context_t *ctx)
881 {
882 int32_t port, type;
883 uchar_t addr[16];
884
885 common_process(ctx);
886
887 adrm_int32(&(ctx->adr), &port, 1);
888 adrm_int32(&(ctx->adr), &type, 1);
889 adrm_u_char(&(ctx->adr), addr, type);
890
891 return (0);
892 }
893
894 /*
895 * Format of process64 token:
896 * process token id adr_char
897 * auid adr_int32
898 * euid adr_int32
899 * egid adr_int32
900 * ruid adr_int32
901 * rgid adr_int32
902 * pid adr_int32
903 * sid adr_int32
904 * termid adr_int64+adr_int32
905 *
906 */
907 int
908 process64_token(parse_context_t *ctx)
909 {
910 int64_t port;
911 int32_t machine;
912
913 common_process(ctx);
914
915 adrm_int64(&(ctx->adr), &port, 1);
916 adrm_int32(&(ctx->adr), &machine, 1);
917
918 return (0);
919 }
920
921 /*
922 * Format of process64_ex token:
923 * process token id adr_char
924 * auid adr_int32
925 * euid adr_int32
926 * egid adr_int32
927 * ruid adr_int32
928 * rgid adr_int32
929 * pid adr_int32
930 * sid adr_int32
931 * termid
932 * port adr_int64
933 * type adr_int32
934 * ip address adr_u_char*type
935 *
936 */
937 int
938 process64_ex_token(parse_context_t *ctx)
939 {
940 int64_t port;
941 int32_t type;
942 uchar_t addr[16];
943
944 common_process(ctx);
945
946 adrm_int64(&(ctx->adr), &port, 1);
947 adrm_int32(&(ctx->adr), &type, 1);
948 adrm_u_char(&(ctx->adr), addr, type);
949
950 return (0);
951 }
952
953 /*
954 * Format of System V IPC token:
955 * System V IPC token id adr_char
956 * System V IPC type adr_char
957 * object id adr_int32
958 *
959 */
960 int
961 s5_IPC_token(parse_context_t *ctx)
962 {
963 ctx->adr.adr_now += sizeof (char);
964 ctx->adr.adr_now += sizeof (int32_t);
965
966 return (0);
967 }
968
969
970 /*
971 * Format of socket token:
972 * socket_type adrm_short
973 * remote_port adrm_short
974 * remote_inaddr adrm_int32
975 *
976 */
977 int
978 socket_token(parse_context_t *ctx)
979 {
980 ctx->adr.adr_now += (2 * sizeof (short)) + sizeof (int32_t);
981
982 return (0);
983 }
984
985
986 /*
987 * Format of socket_ex token:
988 * socket_domain adrm_short
989 * socket_type adrm_short
990 * address_type adrm_short
991 * local_port adrm_short
992 * local_inaddr adrm_u_char*address_type
993 * remote_port adrm_short
994 * remote_inaddr adrm_u_char*address_type
995 *
996 */
997 int
998 socket_ex_token(parse_context_t *ctx)
999 {
1000 short ip_size;
1001
1002 ctx->adr.adr_now += (2 * sizeof (short));
1003 adrm_short(&(ctx->adr), &ip_size, 1);
1004
1005 ctx->adr.adr_now += sizeof (short) + (ip_size * sizeof (char)) +
1006 sizeof (short) + (ip_size * sizeof (char));
1007 return (0);
1008 }
1009
1010
1011 static void
1012 common_subject(parse_context_t *ctx)
1013 {
1014 int32_t ruid, rgid, pid;
1015
1016 adrm_u_int32(&(ctx->adr), (uint32_t *)&(ctx->out.sf_auid), 1);
1017 adrm_u_int32(&(ctx->adr), (uint32_t *)&(ctx->out.sf_euid), 1);
1018 adrm_u_int32(&(ctx->adr), (uint32_t *)&(ctx->out.sf_egid), 1);
1019 adrm_int32(&(ctx->adr), &ruid, 1);
1020 adrm_int32(&(ctx->adr), &rgid, 1);
1021 adrm_int32(&(ctx->adr), &pid, 1);
1022 adrm_u_int32(&(ctx->adr), (uint32_t *)&(ctx->out.sf_asid), 1);
1023 }
1024
1025 /*
1026 * Format of subject32 token:
1027 * subject token id adr_char
1028 * auid adr_int32
1029 * euid adr_int32
1030 * egid adr_int32
1031 * ruid adr_int32
1032 * rgid adr_int32
1033 * pid adr_int32
1034 * sid adr_int32
1035 * termid adr_int32*2
1036 *
1037 */
1038 int
1039 subject32_token(parse_context_t *ctx)
1040 {
1041 int32_t port; /* not used in output */
1042
1043 common_subject(ctx);
1044
1045 adrm_int32(&(ctx->adr), &port, 1);
1046 ctx->out.sf_tid.at_type = AU_IPv4;
1047 adrm_u_char(&(ctx->adr), (uchar_t *)&(ctx->out.sf_tid.at_addr[0]), 4);
1048
1049 return (0);
1050 }
1051
1052 /*
1053 * Format of subject32_ex token:
1054 * subject token id adr_char
1055 * auid adr_int32
1056 * euid adr_int32
1057 * egid adr_int32
1058 * ruid adr_int32
1059 * rgid adr_int32
1060 * pid adr_int32
1061 * sid adr_int32
1062 * termid
1063 * port adr_int32
1064 * type adr_int32
1065 * ip address adr_u_char*type
1066 *
1067 */
1068 int
1069 subject32_ex_token(parse_context_t *ctx)
1070 {
1071 int32_t port; /* not used in output */
1072
1073 common_subject(ctx);
1074
1075 adrm_int32(&(ctx->adr), &port, 1);
1076 adrm_u_int32(&(ctx->adr), &(ctx->out.sf_tid.at_type), 1);
1077 adrm_u_char(&(ctx->adr), (uchar_t *)&(ctx->out.sf_tid.at_addr[0]),
1078 ctx->out.sf_tid.at_type);
1079
1080 return (0);
1081 }
1082
1083 /*
1084 * Format of subject64 token:
1085 * subject token id adr_char
1086 * auid adr_int32
1087 * euid adr_int32
1088 * egid adr_int32
1089 * ruid adr_int32
1090 * rgid adr_int32
1091 * pid adr_int32
1092 * sid adr_int32
1093 * termid adr_int64+adr_int32
1094 *
1095 */
1096 int
1097 subject64_token(parse_context_t *ctx)
1098 {
1099 int64_t port;
1100
1101 common_subject(ctx);
1102
1103 adrm_int64(&(ctx->adr), &port, 1);
1104 ctx->out.sf_tid.at_type = AU_IPv4;
1105 adrm_u_char(&(ctx->adr), (uchar_t *)&(ctx->out.sf_tid.at_addr[0]), 4);
1106
1107 return (0);
1108 }
1109
1110 /*
1111 * Format of subject64_ex token:
1112 * subject token id adr_char
1113 * auid adr_int32
1114 * euid adr_int32
1115 * egid adr_int32
1116 * ruid adr_int32
1117 * rgid adr_int32
1118 * pid adr_int32
1119 * sid adr_int32
1120 * termid
1121 * port adr_int64
1122 * type adr_int32
1123 * ip address adr_u_char*type
1124 *
1125 */
1126 int
1127 subject64_ex_token(parse_context_t *ctx)
1128 {
1129 int64_t port;
1130
1131 common_subject(ctx);
1132
1133 adrm_int64(&(ctx->adr), &port, 1);
1134 adrm_u_int32(&(ctx->adr), &(ctx->out.sf_tid.at_type), 1);
1135 adrm_u_char(&(ctx->adr), (uchar_t *)&(ctx->out.sf_tid.at_addr[0]),
1136 ctx->out.sf_tid.at_type);
1137
1138 return (0);
1139 }
1140
1141
1142 int
1143 xatom_token(parse_context_t *ctx)
1144 {
1145 skip_bytes(ctx);
1146
1147 return (0);
1148 }
1149
1150
1151 int
1152 xselect_token(parse_context_t *ctx)
1153 {
1154 skip_bytes(ctx);
1155 skip_bytes(ctx);
1156 skip_bytes(ctx);
1157
1158 return (0);
1159 }
1160
1161 /*
1162 * anchor a path name with a slash
1163 * assume we have enough space
1164 */
1165 static void
1166 anchor_path(char *path)
1167 {
1168
1169 (void) memmove((void *)(path + 1), (void *)path, strlen(path) + 1);
1170 *path = '/';
1171 }
1172
1173
1174 /*
1175 * copy path to collapsed path.
1176 * collapsed path does not contain:
1177 * successive slashes
1178 * instances of dot-slash
1179 * instances of dot-dot-slash
1180 * passed path must be anchored with a '/'
1181 */
1182 static size_t
1183 collapse_path(char *s, size_t ls)
1184 {
1185 int id; /* index of where we are in destination string */
1186 int is; /* index of where we are in source string */
1187 int slashseen; /* have we seen a slash */
1188
1189 ls++; /* source length including '\0' */
1190
1191 slashseen = 0;
1192 for (is = 0, id = 0; is < ls; is++) {
1193 if (s[is] == '\0') {
1194 if (id > 1 && s[id-1] == '/') {
1195 --id;
1196 }
1197 s[id++] = '\0';
1198 break;
1199 }
1200 /* previous character was a / */
1201 if (slashseen) {
1202 if (s[is] == '/')
1203 continue; /* another slash, ignore it */
1204 } else if (s[is] == '/') {
1205 /* we see a /, just copy it and try again */
1206 slashseen = 1;
1207 s[id++] = '/';
1208 continue;
1209 }
1210 /* /./ seen */
1211 if (s[is] == '.' && s[is+1] == '/') {
1212 is += 1;
1213 continue;
1214 }
1215 /* XXX/. seen */
1216 if (s[is] == '.' && s[is+1] == '\0') {
1217 if (id > 1)
1218 id--;
1219 continue;
1220 }
1221 /* XXX/.. seen */
1222 if (s[is] == '.' && s[is+1] == '.' && s[is+2] == '\0') {
1223 is += 1;
1224 if (id > 0)
1225 id--;
1226 while (id > 0 && s[--id] != '/')
1227 ;
1228 id++;
1229 continue;
1230 }
1231 /* XXX/../ seen */
1232 if (s[is] == '.' && s[is+1] == '.' && s[is+2] == '/') {
1233 is += 2;
1234 if (id > 0)
1235 id--;
1236 while (id > 0 && s[--id] != '/')
1237 ;
1238 id++;
1239 continue;
1240 }
1241 while (is < ls && (s[id++] = s[is++]) != '/')
1242 ;
1243 is--;
1244 }
1245 return ((size_t)id - 1);
1246 }
1247
1248 /*
1249 * for tokens with sub-fields that include a length, this
1250 * skips the sub-field.
1251 */
1252
1253 static void
1254 skip_bytes(parse_context_t *ctx)
1255 {
1256 ushort_t c;
1257
1258 adrm_u_short(&(ctx->adr), &c, 1);
1259 ctx->adr.adr_now += c;
1260 }
1261
1262 static void
1263 skip_string(parse_context_t *ctx)
1264 {
1265 char c;
1266
1267 do {
1268 adrm_char(&(ctx->adr), &c, 1);
1269 } while (c != '\0');
1270 }
1271
1272 /*
1273 * add a byte to specified length so there can be a prefix of
1274 * '/' added (if needed for paths). Another is added for '\0'
1275 *
1276 * if offset is zero, new data overwrites old, if any. Otherwise
1277 * new data is appended to the end.
1278 */
1279
1280 static void
1281 get_bytes_to_string(parse_context_t *ctx, size_t *l, char **p,
1282 size_t offset)
1283 {
1284 ushort_t len;
1285 char *bp;
1286
1287 adrm_u_short(&(ctx->adr), &len, 1);
1288
1289 len++; /* in case need to add '/' prefix */
1290 *p = realloc(*p, 1 + (size_t)len + offset);
1291 if (*p == NULL) {
1292 perror("audit_sysudp.so");
1293 return;
1294 }
1295 if (offset > 0)
1296 offset--; /* overwrite end of string */
1297
1298 *l = (size_t)len - 2 + offset;
1299
1300 bp = *p + offset;
1301 adrm_char(&(ctx->adr), bp, len - 1);
1302 *(bp + len - 1) = '\0';
1303 }
1304
1305
1306 /*
1307 * Format of host token:
1308 * host adr_uint32
1309 */
1310 int
1311 host_token(parse_context_t *ctx)
1312 {
1313 ctx->adr.adr_now += sizeof (int32_t);
1314
1315 return (0);
1316 }
1317
1318 /*
1319 * Format of useofauth token:
1320 * uauth token id adr_char
1321 * uauth adr_string
1322 *
1323 */
1324 int
1325 useofauth_token(parse_context_t *ctx)
1326 {
1327 get_bytes_to_string(ctx, &(ctx->out.sf_uauthlen),
1328 &(ctx->out.sf_uauth), 0);
1329
1330 return (0);
1331 }
1332
1333 /*
1334 * Format of user token:
1335 * user token id adr_char
1336 * uid adr_uid
1337 * username adr_string
1338 *
1339 */
1340 int
1341 user_token(parse_context_t *ctx)
1342 {
1343 ctx->adr.adr_now += sizeof (uid_t);
1344 skip_bytes(ctx);
1345
1346 return (0);
1347 }
1348
1349 /*
1350 * Format of zonename token:
1351 * zonename token id adr_char
1352 * zonename adr_string
1353 *
1354 */
1355 int
1356 zonename_token(parse_context_t *ctx)
1357 {
1358 get_bytes_to_string(ctx,
1359 &(ctx->out.sf_zonelen),
1360 &(ctx->out.sf_zonename),
1361 0);
1362
1363 return (0);
1364 }
1365
1366 /*
1367 * Format of fmri token:
1368 * fmri token id adr_char
1369 * fmri adr_string
1370 */
1371 int
1372 fmri_token(parse_context_t *ctx)
1373 {
1374 skip_bytes(ctx);
1375
1376 return (0);
1377 }
1378
1379 int
1380 xcolormap_token(parse_context_t *ctx)
1381 {
1382 return (xgeneric(ctx));
1383 }
1384
1385 int
1386 xcursor_token(parse_context_t *ctx)
1387 {
1388 return (xgeneric(ctx));
1389 }
1390
1391 int
1392 xfont_token(parse_context_t *ctx)
1393 {
1394 return (xgeneric(ctx));
1395 }
1396
1397 int
1398 xgc_token(parse_context_t *ctx)
1399 {
1400 return (xgeneric(ctx));
1401 }
1402
1403 int
1404 xpixmap_token(parse_context_t *ctx)
1405 {
1406 return (xgeneric(ctx));
1407 }
1408
1409 int
1410 xwindow_token(parse_context_t *ctx)
1411 {
1412 return (xgeneric(ctx));
1413 }
1414 /*
1415 * Format of xgeneric token:
1416 * XID adr_int32
1417 * creator UID adr_int32
1418 *
1419 * Includes: xcolormap, xcursor, xfont, xgc, xpixmap, and xwindow
1420 */
1421 static int
1422 xgeneric(parse_context_t *ctx)
1423 {
1424 ctx->adr.adr_now += 2 * sizeof (int32_t);
1425
1426 return (0);
1427 }
1428 /*
1429 * Format of xproperty token:
1430 * XID adr_int32
1431 * creator UID adr_int32
1432 * atom string adr_string
1433 */
1434 int
1435 xproperty_token(parse_context_t *ctx)
1436 {
1437 ctx->adr.adr_now += 2 * sizeof (int32_t);
1438
1439 return (0);
1440 }
1441 /*
1442 * Format of xclient token:
1443 * xclient id adr_int32
1444 */
1445 int
1446 xclient_token(parse_context_t *ctx)
1447 {
1448 ctx->adr.adr_now += sizeof (int32_t);
1449
1450 return (0);
1451 }
1452
1453 /*
1454 * -----------------------------------------------------------------------
1455 * privilege_token() : Process privilege token and display contents
1456 *
1457 * Format of privilege token:
1458 * privilege token id adr_char
1459 * privilege type adr_string
1460 * privilege adr_string
1461 * -----------------------------------------------------------------------
1462 */
1463
1464 int
1465 privilege_token(parse_context_t *ctx)
1466 {
1467 skip_bytes(ctx);
1468 skip_bytes(ctx);
1469
1470 return (0);
1471 }
1472
1473 /*
1474 * -----------------------------------------------------------------------
1475 * secflags_token() : Process secflags token and display contents
1476 *
1477 * Format of privilege token:
1478 * secflags token id adr_char
1479 * secflag set name adr_string
1480 * secflags adr_string
1481 * -----------------------------------------------------------------------
1482 */
1483 int
1484 secflags_token(parse_context_t *ctx)
1485 {
1486 skip_bytes(ctx);
1487 skip_bytes(ctx);
1488
1489 return (0);
1490 }
1491
1492 /*
1493 * Format of label token:
1494 * label ID 1 byte
1495 * compartment length 1 byte
1496 * classification 2 bytes
1497 * compartment words <compartment length> * 4 bytes
1498 */
1499 int
1500 label_token(parse_context_t *ctx)
1501 {
1502 char c;
1503
1504 ctx->adr.adr_now += sizeof (char); /* label ID */
1505 adrm_char(&(ctx->adr), &c, 1);
1506
1507 ctx->adr.adr_now += sizeof (ushort_t); /* classification */
1508 ctx->adr.adr_now += 4 * c; /* compartments */
1509
1510 return (0);
1511 }
1512
1513 /*
1514 * Format of useofpriv token:
1515 * priv_type adr_char
1516 * priv_set_t adr_short
1517 * priv_set adr_char*(sizeof (priv_set_t))
1518 */
1519 int
1520 useofpriv_token(parse_context_t *ctx)
1521 {
1522 ctx->adr.adr_now += sizeof (char); /* success / fail */
1523 skip_bytes(ctx);
1524
1525 return (0);
1526 }
unleashed repo fork