1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright 2010 Sun Microsystems, Inc. All rights reserved.
23 * Use is subject to license terms.
24 *
25 * Copyright 2012 Milan Jurik. All rights reserved.
26 * Copyright 2018 Nexenta Systems, Inc. All rights reserved.
27 */
28
29
30 /*
31 * Token processing for auditreduce.
32 */
33
34 #include <locale.h>
35 #include <sys/zone.h>
36 #include "auditr.h"
37 #include "toktable.h"
38
39 extern int re_exec2(char *);
40
41 static void anchor_path(char *path);
42 static char *collapse_path(char *s);
43 static void get_string(adr_t *adr, char **p);
44 static int ipc_type_match(int flag, char type);
45 static void skip_string(adr_t *adr);
46 static int xgeneric(adr_t *adr);
47
48 #if AUDIT_REC
49 void
50 print_id(int id)
51 {
52 char *suffix;
53
54 if ((id < 0) || (id > MAXTOKEN) ||
55 (tokentable[id].func == NOFUNC)) {
56 (void) fprintf(stderr,
57 "token_processing: token %d not found\n", id);
58 return;
59 }
60
61 switch (id) {
62 case AUT_NEWGROUPS:
63 suffix = "_new";
64 break;
65 case AUT_ATTR32:
66 suffix = "32";
67 break;
68 case AUT_ARG64:
69 case AUT_RETURN64:
70 case AUT_ATTR64:
71 case AUT_HEADER64:
72 case AUT_SUBJECT64:
73 case AUT_PROCESS64:
74 case AUT_OTHER_FILE64:
75 suffix = "64";
76 break;
77 case AUT_SOCKET_EX:
78 case AUT_IN_ADDR_EX:
79 suffix = "_ex";
80 break;
81 case AUT_HEADER32_EX:
82 case AUT_SUBJECT32_EX:
83 case AUT_PROCESS32_EX:
84 suffix = "32_ex";
85 break;
86 case AUT_HEADER64_EX:
87 case AUT_SUBJECT64_EX:
88 case AUT_PROCESS64_EX:
89 suffix = "64_ex";
90 break;
91 default:
92 suffix = "";
93 break;
94 }
95 (void) fprintf(stderr, "token_processing: %s%s\n",
96 tokentable[id].t_name, suffix);
97 }
98 #endif /* AUDIT_REC */
99
100 /*
101 * Process a token in a record to determine whether the record is interesting.
102 */
103
104 int
105 token_processing(adr_t *adr, int tokenid)
106 {
107 if ((tokenid > 0) && (tokenid <= MAXTOKEN) &&
108 (tokentable[tokenid].func != NOFUNC)) {
109 #if AUDIT_REC
110 print_id(tokenid);
111 #endif /* AUDIT_REC */
112 return ((*tokentable[tokenid].func)(adr));
113 }
114
115 /* here if token id is not in table */
116 return (-2);
117 }
118
119
120 /* There should not be any file or header tokens in the middle of a record */
121
122 /* ARGSUSED */
123 int
124 file_token(adr_t *adr)
125 {
126 return (-2);
127 }
128
129 /* ARGSUSED */
130 int
131 file64_token(adr_t *adr)
132 {
133 return (-2);
134 }
135
136 /* ARGSUSED */
137 int
138 header_token(adr_t *adr)
139 {
140 return (-2);
141 }
142
143 /* ARGSUSED */
144 int
145 header32_ex_token(adr_t *adr)
146 {
147 return (-2);
148 }
149
150 /* ARGSUSED */
151 int
152 header64_ex_token(adr_t *adr)
153 {
154 return (-2);
155 }
156
157 /* ARGSUSED */
158 int
159 header64_token(adr_t *adr)
160 {
161 return (-2);
162 }
163
164
165 /*
166 * ======================================================
167 * The following token processing routines return
168 * -1: if the record is not interesting
169 * -2: if an error is found
170 * ======================================================
171 */
172
173 int
174 trailer_token(adr_t *adr)
175 {
176 short magic_number;
177 uint32_t bytes;
178
179 adrm_u_short(adr, (ushort_t *)&magic_number, 1);
180 if (magic_number != AUT_TRAILER_MAGIC) {
181 (void) fprintf(stderr, "%s\n",
182 gettext("auditreduce: Bad trailer token"));
183 return (-2);
184 }
185 adrm_u_int32(adr, &bytes, 1);
186
187 return (-1);
188 }
189
190
191 /*
192 * Format of arbitrary data token:
193 * arbitrary data token id adr char
194 * how to print adr_char
195 * basic unit adr_char
196 * unit count adr_char, specifying number of units of
197 * data items depends on basic unit
198 */
199 int
200 arbitrary_data_token(adr_t *adr)
201 {
202 int i;
203 char c1;
204 short c2;
205 int32_t c3;
206 int64_t c4;
207 char how_to_print, basic_unit, unit_count;
208
209 /* get how_to_print, basic_unit, and unit_count */
210 adrm_char(adr, &how_to_print, 1);
211 adrm_char(adr, &basic_unit, 1);
212 adrm_char(adr, &unit_count, 1);
213 for (i = 0; i < unit_count; i++) {
214 switch (basic_unit) {
215 /* case AUR_BYTE: has same value as AUR_CHAR */
216 case AUR_CHAR:
217 adrm_char(adr, &c1, 1);
218 break;
219 case AUR_SHORT:
220 adrm_short(adr, &c2, 1);
221 break;
222 case AUR_INT32:
223 adrm_int32(adr, (int32_t *)&c3, 1);
224 break;
225 case AUR_INT64:
226 adrm_int64(adr, (int64_t *)&c4, 1);
227 break;
228 default:
229 return (-2);
230 }
231 }
232 return (-1);
233 }
234
235
236 /*
237 * Format of opaque token:
238 * opaque token id adr_char
239 * size adr_short
240 * data adr_char, size times
241 */
242 int
243 opaque_token(adr_t *adr)
244 {
245 skip_string(adr);
246 return (-1);
247 }
248
249
250
251 /*
252 * Format of return32 value token:
253 * return value token id adr_char
254 * error number adr_char
255 * return value adr_u_int32
256 */
257 int
258 return_value32_token(adr_t *adr)
259 {
260 char errnum;
261 uint32_t value;
262
263 adrm_char(adr, &errnum, 1);
264 adrm_u_int32(adr, &value, 1);
265 if ((flags & M_SORF) &&
266 ((global_class & mask.am_success) && (errnum == 0)) ||
267 ((global_class & mask.am_failure) && (errnum != 0))) {
268 checkflags |= M_SORF;
269 }
270 return (-1);
271 }
272
273 /*
274 * Format of return64 value token:
275 * return value token id adr_char
276 * error number adr_char
277 * return value adr_u_int64
278 */
279 int
280 return_value64_token(adr_t *adr)
281 {
282 char errnum;
283 uint64_t value;
284
285 adrm_char(adr, &errnum, 1);
286 adrm_u_int64(adr, &value, 1);
287 if ((flags & M_SORF) &&
288 ((global_class & mask.am_success) && (errnum == 0)) ||
289 ((global_class & mask.am_failure) && (errnum != 0))) {
290 checkflags |= M_SORF;
291 }
292 return (-1);
293 }
294
295
296 /*
297 * Format of sequence token:
298 * sequence token id adr_char
299 * audit_count int32_t
300 */
301 int
302 sequence_token(adr_t *adr)
303 {
304 int32_t audit_count;
305
306 adrm_int32(adr, &audit_count, 1);
307 return (-1);
308 }
309
310
311 /*
312 * Format of text token:
313 * text token id adr_char
314 * text adr_string
315 */
316 int
317 text_token(adr_t *adr)
318 {
319 skip_string(adr);
320 return (-1);
321 }
322
323
324 /*
325 * Format of ip_addr token:
326 * ip token id adr_char
327 * address adr_int32
328 */
329 int
330 ip_addr_token(adr_t *adr)
331 {
332 int32_t address;
333
334 adrm_char(adr, (char *)&address, 4);
335
336 return (-1);
337 }
338
339 /*
340 * Format of ip_addr_ex token:
341 * ip token id adr_char
342 * ip type adr_int32
343 * ip address adr_u_char*type
344 */
345 int
346 ip_addr_ex_token(adr_t *adr)
347 {
348 int32_t type;
349 uchar_t address[16];
350
351 adrm_int32(adr, (int32_t *)&type, 1);
352 adrm_u_char(adr, address, type);
353
354 return (-1);
355 }
356
357 /*
358 * Format of ip token:
359 * ip header token id adr_char
360 * version adr_char
361 * type of service adr_char
362 * length adr_short
363 * id adr_u_short
364 * offset adr_u_short
365 * ttl adr_char
366 * protocol adr_char
367 * checksum adr_u_short
368 * source address adr_int32
369 * destination address adr_int32
370 */
371 int
372 ip_token(adr_t *adr)
373 {
374 char version;
375 char type;
376 short len;
377 unsigned short id, offset, checksum;
378 char ttl, protocol;
379 int32_t src, dest;
380
381 adrm_char(adr, &version, 1);
382 adrm_char(adr, &type, 1);
383 adrm_short(adr, &len, 1);
384 adrm_u_short(adr, &id, 1);
385 adrm_u_short(adr, &offset, 1);
386 adrm_char(adr, &ttl, 1);
387 adrm_char(adr, &protocol, 1);
388 adrm_u_short(adr, &checksum, 1);
389 adrm_char(adr, (char *)&src, 4);
390 adrm_char(adr, (char *)&dest, 4);
391
392 return (-1);
393 }
394
395
396 /*
397 * Format of iport token:
398 * ip port address token id adr_char
399 * port address adr_short
400 */
401 int
402 iport_token(adr_t *adr)
403 {
404 short address;
405
406 adrm_short(adr, &address, 1);
407
408 return (-1);
409 }
410
411
412 /*
413 * Format of groups token:
414 * group token id adr_char
415 * group list adr_int32, 16 times
416 */
417 int
418 group_token(adr_t *adr)
419 {
420 int gid[16];
421 int i;
422 int flag = 0;
423
424 for (i = 0; i < 16; i++) {
425 adrm_int32(adr, (int32_t *)&gid[i], 1);
426 if (flags & M_GROUPR) {
427 if ((unsigned short)m_groupr == gid[i])
428 flag = 1;
429 }
430 }
431
432 if (flags & M_GROUPR) {
433 if (flag)
434 checkflags |= M_GROUPR;
435 }
436 return (-1);
437 }
438
439 /*
440 * Format of newgroups token:
441 * group token id adr_char
442 * number of groups adr_short
443 * group list adr_int32, "number" times
444 */
445 int
446 newgroup_token(adr_t *adr)
447 {
448 gid_t gid;
449 int i;
450 short int number;
451
452 adrm_short(adr, &number, 1);
453
454 for (i = 0; i < number; i++) {
455 adrm_int32(adr, (int32_t *)&gid, 1);
456 if (flags & M_GROUPR) {
457 if (m_groupr == gid)
458 checkflags |= M_GROUPR;
459 }
460 }
461
462 return (-1);
463 }
464
465 /*
466 * Format of argument32 token:
467 * argument token id adr_char
468 * argument number adr_char
469 * argument value adr_int32
470 * argument description adr_string
471 */
472 int
473 argument32_token(adr_t *adr)
474 {
475 char arg_num;
476 int32_t arg_val;
477
478 adrm_char(adr, &arg_num, 1);
479 adrm_int32(adr, &arg_val, 1);
480 skip_string(adr);
481
482 return (-1);
483 }
484
485 /*
486 * Format of argument64 token:
487 * argument token id adr_char
488 * argument number adr_char
489 * argument value adr_int64
490 * argument description adr_string
491 */
492 int
493 argument64_token(adr_t *adr)
494 {
495 char arg_num;
496 int64_t arg_val;
497
498 adrm_char(adr, &arg_num, 1);
499 adrm_int64(adr, &arg_val, 1);
500 skip_string(adr);
501
502 return (-1);
503 }
504
505 /*
506 * Format of acl token:
507 * acl token id adr_char
508 * acl type adr_u_int32
509 * acl value adr_u_int32 (depends on type)
510 * file mode adr_u_int (in octal)
511 */
512 int
513 acl_token(adr_t *adr)
514 {
515
516 int32_t id;
517 int32_t mode;
518 int32_t type;
519
520 adrm_int32(adr, &type, 1);
521 adrm_int32(adr, &id, 1);
522 adrm_int32(adr, &mode, 1);
523
524 return (-1);
525 }
526
527 /*
528 * Format of ace token:
529 * ace token id adr_char
530 * ace who adr_u_int32 (uid/gid)
531 * access mask adr_u_int32
532 * ace flags adr_u_int16
533 * ace type adr_u_int16
534 */
535 int
536 ace_token(adr_t *adr)
537 {
538 uid_t who;
539 uint32_t access_mask;
540 uint16_t flags, type;
541
542 adrm_uid(adr, &who, 1);
543 adrm_u_int32(adr, &access_mask, 1);
544 adrm_u_short(adr, &flags, 1);
545 adrm_u_short(adr, &type, 1);
546
547 return (-1);
548 }
549
550 /*
551 * Format of attribute token: (old pre SunOS 5.7 format)
552 * attribute token id adr_char
553 * mode adr_int32 (printed in octal)
554 * uid adr_int32
555 * gid adr_int32
556 * file system id adr_int32
557 * node id adr_int32
558 * device adr_int32
559 */
560 int
561 attribute_token(adr_t *adr)
562 {
563 int32_t dev;
564 int32_t file_sysid;
565 int32_t gid;
566 int32_t mode;
567 int32_t nodeid;
568 int32_t uid;
569
570 adrm_int32(adr, &mode, 1);
571 adrm_int32(adr, &uid, 1);
572 adrm_int32(adr, &gid, 1);
573 adrm_int32(adr, &file_sysid, 1);
574 adrm_int32(adr, &nodeid, 1);
575 adrm_int32(adr, &dev, 1);
576
577 if (!new_mode && (flags & M_USERE)) {
578 if (m_usere == uid)
579 checkflags |= M_USERE;
580 }
581 if (!new_mode && (flags & M_GROUPE)) {
582 if (m_groupe == gid)
583 checkflags |= M_GROUPE;
584 }
585
586 if (flags & M_OBJECT) {
587 if ((obj_flag & OBJ_FGROUP) &&
588 (obj_group == gid))
589 checkflags |= M_OBJECT;
590 else if ((obj_flag & OBJ_FOWNER) &&
591 (obj_owner == uid))
592 checkflags |= M_OBJECT;
593 }
594 return (-1);
595 }
596
597 /*
598 * Format of attribute32 token:
599 * attribute token id adr_char
600 * mode adr_int32 (printed in octal)
601 * uid adr_int32
602 * gid adr_int32
603 * file system id adr_int32
604 * node id adr_int64
605 * device adr_int32
606 */
607 int
608 attribute32_token(adr_t *adr)
609 {
610 int32_t dev;
611 int32_t file_sysid;
612 int32_t gid;
613 int32_t mode;
614 int64_t nodeid;
615 int32_t uid;
616
617 adrm_int32(adr, &mode, 1);
618 adrm_int32(adr, &uid, 1);
619 adrm_int32(adr, &gid, 1);
620 adrm_int32(adr, &file_sysid, 1);
621 adrm_int64(adr, &nodeid, 1);
622 adrm_int32(adr, &dev, 1);
623
624 if (!new_mode && (flags & M_USERE)) {
625 if (m_usere == uid)
626 checkflags |= M_USERE;
627 }
628 if (!new_mode && (flags & M_GROUPE)) {
629 if (m_groupe == gid)
630 checkflags |= M_GROUPE;
631 }
632
633 if (flags & M_OBJECT) {
634 if ((obj_flag & OBJ_FGROUP) &&
635 (obj_group == gid))
636 checkflags |= M_OBJECT;
637 else if ((obj_flag & OBJ_FOWNER) &&
638 (obj_owner == uid))
639 checkflags |= M_OBJECT;
640 }
641 return (-1);
642 }
643
644 /*
645 * Format of attribute64 token:
646 * attribute token id adr_char
647 * mode adr_int32 (printed in octal)
648 * uid adr_int32
649 * gid adr_int32
650 * file system id adr_int32
651 * node id adr_int64
652 * device adr_int64
653 */
654 int
655 attribute64_token(adr_t *adr)
656 {
657 int64_t dev;
658 int32_t file_sysid;
659 int32_t gid;
660 int32_t mode;
661 int64_t nodeid;
662 int32_t uid;
663
664 adrm_int32(adr, &mode, 1);
665 adrm_int32(adr, &uid, 1);
666 adrm_int32(adr, &gid, 1);
667 adrm_int32(adr, &file_sysid, 1);
668 adrm_int64(adr, &nodeid, 1);
669 adrm_int64(adr, &dev, 1);
670
671 if (!new_mode && (flags & M_USERE)) {
672 if (m_usere == uid)
673 checkflags |= M_USERE;
674 }
675 if (!new_mode && (flags & M_GROUPE)) {
676 if (m_groupe == gid)
677 checkflags |= M_GROUPE;
678 }
679
680 if (flags & M_OBJECT) {
681 if ((obj_flag & OBJ_FGROUP) &&
682 (obj_group == gid))
683 checkflags |= M_OBJECT;
684 else if ((obj_flag & OBJ_FOWNER) &&
685 (obj_owner == uid))
686 checkflags |= M_OBJECT;
687 }
688 return (-1);
689 }
690
691
692 /*
693 * Format of command token:
694 * attribute token id adr_char
695 * argc adr_short
696 * argv len adr_short variable amount of argv len
697 * argv text argv len and text
698 * .
699 * .
700 * .
701 * envp count adr_short variable amount of envp len
702 * envp len adr_short and text
703 * envp text envp len
704 * .
705 * .
706 * .
707 */
708 int
709 cmd_token(adr_t *adr)
710 {
711 short cnt;
712 short i;
713
714 adrm_short(adr, &cnt, 1);
715
716 for (i = 0; i < cnt; i++)
717 skip_string(adr);
718
719 adrm_short(adr, &cnt, 1);
720
721 for (i = 0; i < cnt; i++)
722 skip_string(adr);
723
724 return (-1);
725 }
726
727
728 /*
729 * Format of exit token:
730 * attribute token id adr_char
731 * return value adr_int32
732 * errno adr_int32
733 */
734 int
735 exit_token(adr_t *adr)
736 {
737 int32_t retval;
738 int32_t errno;
739
740 adrm_int32(adr, &retval, 1);
741 adrm_int32(adr, &errno, 1);
742 return (-1);
743 }
744
745 /*
746 * Format of strings array token:
747 * token id adr_char
748 * count value adr_int32
749 * strings null terminated strings
750 */
751 static int
752 strings_common_token(adr_t *adr)
753 {
754 int count, i;
755 char c;
756
757 adrm_int32(adr, (int32_t *)&count, 1);
758 for (i = 1; i <= count; i++) {
759 adrm_char(adr, &c, 1);
760 while (c != (char)0)
761 adrm_char(adr, &c, 1);
762 }
763 /* no dump option here, since we will have variable length fields */
764 return (-1);
765 }
766
767 int
768 path_attr_token(adr_t *adr)
769 {
770 return (strings_common_token(adr));
771 }
772
773 int
774 exec_args_token(adr_t *adr)
775 {
776 return (strings_common_token(adr));
777 }
778
779 int
780 exec_env_token(adr_t *adr)
781 {
782 return (strings_common_token(adr));
783 }
784
785 /*
786 * Format of liaison token:
787 */
788 int
789 liaison_token(adr_t *adr)
790 {
791 int32_t li;
792
793 adrm_int32(adr, &li, 1);
794 return (-1);
795 }
796
797
798 /*
799 * Format of path token:
800 * path adr_string
801 */
802 int
803 path_token(adr_t *adr)
804 {
805 if ((flags & M_OBJECT) && (obj_flag == OBJ_PATH)) {
806 char *path;
807
808 get_string(adr, &path);
809 if (path[0] != '/')
810 /*
811 * anchor the path. user apps may not do it.
812 */
813 anchor_path(path);
814 /*
815 * match against the collapsed path. that is what user sees.
816 */
817 if (re_exec2(collapse_path(path)) == 1)
818 checkflags |= M_OBJECT;
819 free(path);
820 } else {
821 skip_string(adr);
822 }
823 return (-1);
824 }
825
826
827 /*
828 * Format of System V IPC permission token:
829 * System V IPC permission token id adr_char
830 * uid adr_int32
831 * gid adr_int32
832 * cuid adr_int32
833 * cgid adr_int32
834 * mode adr_int32
835 * seq adr_int32
836 * key adr_int32
837 */
838 int
839 s5_IPC_perm_token(adr_t *adr)
840 {
841 int32_t uid, gid, cuid, cgid, mode, seq;
842 int32_t key;
843
844 adrm_int32(adr, &uid, 1);
845 adrm_int32(adr, &gid, 1);
846 adrm_int32(adr, &cuid, 1);
847 adrm_int32(adr, &cgid, 1);
848 adrm_int32(adr, &mode, 1);
849 adrm_int32(adr, &seq, 1);
850 adrm_int32(adr, &key, 1);
851
852 if (!new_mode && (flags & M_USERE)) {
853 if (m_usere == uid)
854 checkflags |= M_USERE;
855 }
856
857 if (!new_mode && (flags & M_USERE)) {
858 if (m_usere == cuid)
859 checkflags |= M_USERE;
860 }
861
862 if (!new_mode && (flags & M_GROUPR)) {
863 if (m_groupr == gid)
864 checkflags |= M_GROUPR;
865 }
866
867 if (!new_mode && (flags & M_GROUPR)) {
868 if (m_groupr == cgid)
869 checkflags |= M_GROUPR;
870 }
871
872 if ((flags & M_OBJECT) &&
873 ((obj_owner == uid) ||
874 (obj_owner == cuid) ||
875 (obj_group == gid) ||
876 (obj_group == cgid))) {
877
878 switch (obj_flag) {
879 case OBJ_MSGGROUP:
880 case OBJ_MSGOWNER:
881 if (ipc_type_match(OBJ_MSG, ipc_type))
882 checkflags |= M_OBJECT;
883 break;
884 case OBJ_SEMGROUP:
885 case OBJ_SEMOWNER:
886 if (ipc_type_match(OBJ_SEM, ipc_type))
887 checkflags |= M_OBJECT;
888 break;
889 case OBJ_SHMGROUP:
890 case OBJ_SHMOWNER:
891 if (ipc_type_match(OBJ_SHM, ipc_type))
892 checkflags |= M_OBJECT;
893 break;
894 }
895 }
896 return (-1);
897 }
898
899
900 /*
901 * Format of process32 token:
902 * process token id adr_char
903 * auid adr_int32
904 * euid adr_int32
905 * egid adr_int32
906 * ruid adr_int32
907 * rgid adr_int32
908 * pid adr_int32
909 * sid adr_int32
910 * termid adr_int32*2
911 */
912 int
913 process32_token(adr_t *adr)
914 {
915 int32_t auid, euid, egid, ruid, rgid, pid;
916 int32_t sid;
917 int32_t port, machine;
918
919 adrm_int32(adr, &auid, 1);
920 adrm_int32(adr, &euid, 1);
921 adrm_int32(adr, &egid, 1);
922 adrm_int32(adr, &ruid, 1);
923 adrm_int32(adr, &rgid, 1);
924 adrm_int32(adr, &pid, 1);
925 adrm_int32(adr, &sid, 1);
926 adrm_int32(adr, &port, 1);
927 adrm_int32(adr, &machine, 1);
928
929 if (!new_mode && (flags & M_USERA)) {
930 if (m_usera == auid)
931 checkflags |= M_USERA;
932 }
933 if (!new_mode && (flags & M_USERE)) {
934 if (m_usere == euid)
935 checkflags |= M_USERE;
936 }
937 if (!new_mode && (flags & M_USERR)) {
938 if (m_userr == ruid)
939 checkflags |= M_USERR;
940 }
941 if (!new_mode && (flags & M_GROUPR)) {
942 if (m_groupr == rgid)
943 checkflags |= M_GROUPR;
944 }
945 if (!new_mode && (flags & M_GROUPE)) {
946 if (m_groupe == egid)
947 checkflags |= M_GROUPE;
948 }
949
950 if (flags & M_OBJECT) {
951 if ((obj_flag & OBJ_PROC) &&
952 (obj_id == pid)) {
953 checkflags |= M_OBJECT;
954 } else if ((obj_flag & OBJ_PGROUP) &&
955 ((obj_group == egid) ||
956 (obj_group == rgid))) {
957 checkflags |= M_OBJECT;
958 } else if ((obj_flag & OBJ_POWNER) &&
959 ((obj_owner == euid) ||
960 (obj_group == ruid))) {
961 checkflags |= M_OBJECT;
962 }
963 }
964 return (-1);
965 }
966
967 /*
968 * Format of process32_ex token:
969 * process token id adr_char
970 * auid adr_int32
971 * euid adr_int32
972 * egid adr_int32
973 * ruid adr_int32
974 * rgid adr_int32
975 * pid adr_int32
976 * sid adr_int32
977 * termid
978 * port adr_int32
979 * type adr_int32
980 * ip address adr_u_char*type
981 */
982 int
983 process32_ex_token(adr_t *adr)
984 {
985 int32_t auid, euid, egid, ruid, rgid, pid;
986 int32_t sid;
987 int32_t port, type;
988 uchar_t addr[16];
989
990 adrm_int32(adr, &auid, 1);
991 adrm_int32(adr, &euid, 1);
992 adrm_int32(adr, &egid, 1);
993 adrm_int32(adr, &ruid, 1);
994 adrm_int32(adr, &rgid, 1);
995 adrm_int32(adr, &pid, 1);
996 adrm_int32(adr, &sid, 1);
997 adrm_int32(adr, &port, 1);
998 adrm_int32(adr, &type, 1);
999 adrm_u_char(adr, addr, type);
1000
1001 if (!new_mode && (flags & M_USERA)) {
1002 if (m_usera == auid)
1003 checkflags = checkflags | M_USERA;
1004 }
1005 if (!new_mode && (flags & M_USERE)) {
1006 if (m_usere == euid)
1007 checkflags = checkflags | M_USERE;
1008 }
1009 if (!new_mode && (flags & M_USERR)) {
1010 if (m_userr == ruid)
1011 checkflags = checkflags | M_USERR;
1012 }
1013 if (!new_mode && (flags & M_GROUPR)) {
1014 if (m_groupr == egid)
1015 checkflags = checkflags | M_GROUPR;
1016 }
1017 if (!new_mode && (flags & M_GROUPE)) {
1018 if (m_groupe == egid)
1019 checkflags = checkflags | M_GROUPE;
1020 }
1021
1022 if (flags & M_OBJECT) {
1023 if ((obj_flag & OBJ_PROC) &&
1024 (obj_id == pid)) {
1025 checkflags = checkflags | M_OBJECT;
1026 } else if ((obj_flag & OBJ_PGROUP) &&
1027 ((obj_group == egid) ||
1028 (obj_group == rgid))) {
1029 checkflags = checkflags | M_OBJECT;
1030 } else if ((obj_flag & OBJ_POWNER) &&
1031 ((obj_owner == euid) ||
1032 (obj_group == ruid))) {
1033 checkflags = checkflags | M_OBJECT;
1034 }
1035 }
1036 return (-1);
1037 }
1038
1039 /*
1040 * Format of process64 token:
1041 * process token id adr_char
1042 * auid adr_int32
1043 * euid adr_int32
1044 * egid adr_int32
1045 * ruid adr_int32
1046 * rgid adr_int32
1047 * pid adr_int32
1048 * sid adr_int32
1049 * termid adr_int64+adr_int32
1050 */
1051 int
1052 process64_token(adr_t *adr)
1053 {
1054 int32_t auid, euid, egid, ruid, rgid, pid;
1055 int32_t sid;
1056 int64_t port;
1057 int32_t machine;
1058
1059 adrm_int32(adr, &auid, 1);
1060 adrm_int32(adr, &euid, 1);
1061 adrm_int32(adr, &egid, 1);
1062 adrm_int32(adr, &ruid, 1);
1063 adrm_int32(adr, &rgid, 1);
1064 adrm_int32(adr, &pid, 1);
1065 adrm_int32(adr, &sid, 1);
1066 adrm_int64(adr, &port, 1);
1067 adrm_int32(adr, &machine, 1);
1068
1069 if (!new_mode && (flags & M_USERA)) {
1070 if (m_usera == auid)
1071 checkflags |= M_USERA;
1072 }
1073 if (!new_mode && (flags & M_USERE)) {
1074 if (m_usere == euid)
1075 checkflags |= M_USERE;
1076 }
1077 if (!new_mode && (flags & M_USERR)) {
1078 if (m_userr == ruid)
1079 checkflags |= M_USERR;
1080 }
1081 if (!new_mode && (flags & M_GROUPR)) {
1082 if (m_groupr == rgid)
1083 checkflags |= M_GROUPR;
1084 }
1085 if (!new_mode && (flags & M_GROUPE)) {
1086 if (m_groupe == egid)
1087 checkflags |= M_GROUPE;
1088 }
1089
1090 if (flags & M_OBJECT) {
1091 if ((obj_flag & OBJ_PROC) &&
1092 (obj_id == pid)) {
1093 checkflags |= M_OBJECT;
1094 } else if ((obj_flag & OBJ_PGROUP) &&
1095 ((obj_group == egid) ||
1096 (obj_group == rgid))) {
1097 checkflags |= M_OBJECT;
1098 } else if ((obj_flag & OBJ_POWNER) &&
1099 ((obj_owner == euid) ||
1100 (obj_group == ruid))) {
1101 checkflags |= M_OBJECT;
1102 }
1103 }
1104 return (-1);
1105 }
1106
1107 /*
1108 * Format of process64_ex token:
1109 * process token id adr_char
1110 * auid adr_int32
1111 * euid adr_int32
1112 * egid adr_int32
1113 * ruid adr_int32
1114 * rgid adr_int32
1115 * pid adr_int32
1116 * sid adr_int32
1117 * termid
1118 * port adr_int64
1119 * type adr_int32
1120 * ip address adr_u_char*type
1121 */
1122 int
1123 process64_ex_token(adr_t *adr)
1124 {
1125 int32_t auid, euid, egid, ruid, rgid, pid;
1126 int32_t sid;
1127 int64_t port;
1128 int32_t type;
1129 uchar_t addr[16];
1130
1131 adrm_int32(adr, &auid, 1);
1132 adrm_int32(adr, &euid, 1);
1133 adrm_int32(adr, &egid, 1);
1134 adrm_int32(adr, &ruid, 1);
1135 adrm_int32(adr, &rgid, 1);
1136 adrm_int32(adr, &pid, 1);
1137 adrm_int32(adr, &sid, 1);
1138 adrm_int64(adr, &port, 1);
1139 adrm_int32(adr, &type, 1);
1140 adrm_u_char(adr, addr, type);
1141
1142 if (!new_mode && (flags & M_USERA)) {
1143 if (m_usera == auid)
1144 checkflags = checkflags | M_USERA;
1145 }
1146 if (!new_mode && (flags & M_USERE)) {
1147 if (m_usere == euid)
1148 checkflags = checkflags | M_USERE;
1149 }
1150 if (!new_mode && (flags & M_USERR)) {
1151 if (m_userr == ruid)
1152 checkflags = checkflags | M_USERR;
1153 }
1154 if (!new_mode && (flags & M_GROUPR)) {
1155 if (m_groupr == egid)
1156 checkflags = checkflags | M_GROUPR;
1157 }
1158 if (!new_mode && (flags & M_GROUPE)) {
1159 if (m_groupe == egid)
1160 checkflags = checkflags | M_GROUPE;
1161 }
1162
1163 if (flags & M_OBJECT) {
1164 if ((obj_flag & OBJ_PROC) &&
1165 (obj_id == pid)) {
1166 checkflags = checkflags | M_OBJECT;
1167 } else if ((obj_flag & OBJ_PGROUP) &&
1168 ((obj_group == egid) ||
1169 (obj_group == rgid))) {
1170 checkflags = checkflags | M_OBJECT;
1171 } else if ((obj_flag & OBJ_POWNER) &&
1172 ((obj_owner == euid) ||
1173 (obj_group == ruid))) {
1174 checkflags = checkflags | M_OBJECT;
1175 }
1176 }
1177 return (-1);
1178 }
1179
1180 /*
1181 * Format of System V IPC token:
1182 * System V IPC token id adr_char
1183 * object id adr_int32
1184 */
1185 int
1186 s5_IPC_token(adr_t *adr)
1187 {
1188 int32_t ipc_id;
1189
1190 adrm_char(adr, &ipc_type, 1); /* Global */
1191 adrm_int32(adr, &ipc_id, 1);
1192
1193 if ((flags & M_OBJECT) &&
1194 ipc_type_match(obj_flag, ipc_type) &&
1195 (obj_id == ipc_id))
1196 checkflags |= M_OBJECT;
1197
1198 return (-1);
1199 }
1200
1201
1202 /*
1203 * Format of socket token:
1204 * socket_type adrm_short
1205 * remote_port adrm_short
1206 * remote_inaddr adrm_int32
1207 */
1208 int
1209 socket_token(adr_t *adr)
1210 {
1211 short socket_type;
1212 short remote_port;
1213 int32_t remote_inaddr;
1214
1215 adrm_short(adr, &socket_type, 1);
1216 adrm_short(adr, &remote_port, 1);
1217 adrm_char(adr, (char *)&remote_inaddr, 4);
1218
1219 if ((flags & M_OBJECT) && (obj_flag == OBJ_SOCK)) {
1220 if (socket_flag == SOCKFLG_MACHINE) {
1221 if (remote_inaddr == obj_id)
1222 checkflags |= M_OBJECT;
1223 } else if (socket_flag == SOCKFLG_PORT) {
1224 if (remote_port == obj_id)
1225 checkflags |= M_OBJECT;
1226 }
1227 }
1228 return (-1);
1229 }
1230
1231
1232 /*
1233 * Format of socket_ex token:
1234 * socket_domain adrm_short
1235 * socket_type adrm_short
1236 * address_type adrm_short
1237 * local_port adrm_short
1238 * local_inaddr adrm_u_char*address_type
1239 * remote_port adrm_short
1240 * remote_inaddr adrm_u_char*address_type
1241 */
1242 int
1243 socket_ex_token(adr_t *adr)
1244 {
1245 short socket_domain;
1246 short socket_type;
1247 short ip_size;
1248 short local_port;
1249 uchar_t local_inaddr[16];
1250 short remote_port;
1251 uchar_t remote_inaddr[16];
1252 uchar_t *caddr = (uchar_t *)&obj_id;
1253
1254 adrm_short(adr, &socket_domain, 1);
1255 adrm_short(adr, &socket_type, 1);
1256 adrm_short(adr, &ip_size, 1);
1257
1258 /* validate ip size */
1259 if ((ip_size != AU_IPv6) && (ip_size != AU_IPv4))
1260 return (0);
1261
1262 adrm_short(adr, &local_port, 1);
1263 adrm_char(adr, (char *)local_inaddr, ip_size);
1264
1265 adrm_short(adr, &remote_port, 1);
1266 adrm_char(adr, (char *)remote_inaddr, ip_size);
1267
1268 /* if IP type mis-match, then nothing to do */
1269 if (ip_size != ip_type)
1270 return (-1);
1271
1272 if ((flags & M_OBJECT) && (obj_flag == OBJ_SOCK)) {
1273 if (socket_flag == SOCKFLG_MACHINE) {
1274 if (ip_type == AU_IPv6) {
1275 caddr = (uchar_t *)ip_ipv6;
1276 }
1277 if ((memcmp(local_inaddr, caddr, ip_type) == 0) ||
1278 (memcmp(remote_inaddr, caddr, ip_type) == 0)) {
1279 checkflags |= M_OBJECT;
1280 }
1281 } else if (socket_flag == SOCKFLG_PORT) {
1282 if ((local_port == obj_id) || (remote_port == obj_id)) {
1283 checkflags |= M_OBJECT;
1284 }
1285 }
1286 }
1287 return (-1);
1288 }
1289
1290
1291 /*
1292 * Format of subject32 token:
1293 * subject token id adr_char
1294 * auid adr_int32
1295 * euid adr_int32
1296 * egid adr_int32
1297 * ruid adr_int32
1298 * rgid adr_int32
1299 * pid adr_int32
1300 * sid adr_int32
1301 * termid adr_int32*2
1302 */
1303 int
1304 subject32_token(adr_t *adr)
1305 {
1306 int32_t auid, euid, egid, ruid, rgid, pid;
1307 int32_t sid;
1308 int32_t port, machine;
1309
1310 adrm_int32(adr, &auid, 1);
1311 adrm_int32(adr, &euid, 1);
1312 adrm_int32(adr, &egid, 1);
1313 adrm_int32(adr, &ruid, 1);
1314 adrm_int32(adr, &rgid, 1);
1315 adrm_int32(adr, &pid, 1);
1316 adrm_int32(adr, &sid, 1);
1317 adrm_int32(adr, &port, 1);
1318 adrm_int32(adr, &machine, 1);
1319
1320 if (flags & M_SUBJECT) {
1321 if (subj_id == pid)
1322 checkflags |= M_SUBJECT;
1323 }
1324 if (flags & M_USERA) {
1325 if (m_usera == auid)
1326 checkflags |= M_USERA;
1327 }
1328 if (flags & M_USERE) {
1329 if (m_usere == euid)
1330 checkflags |= M_USERE;
1331 }
1332 if (flags & M_USERR) {
1333 if (m_userr == ruid)
1334 checkflags |= M_USERR;
1335 }
1336 if (flags & M_GROUPR) {
1337 if (m_groupr == rgid)
1338 checkflags |= M_GROUPR;
1339 }
1340 if (flags & M_GROUPE) {
1341 if (m_groupe == egid)
1342 checkflags |= M_GROUPE;
1343 }
1344 if (flags & M_SID) {
1345 if (m_sid == (au_asid_t)sid)
1346 checkflags |= M_SID;
1347 }
1348 return (-1);
1349 }
1350
1351 /*
1352 * Format of subject32_ex token:
1353 * subject token id adr_char
1354 * auid adr_int32
1355 * euid adr_int32
1356 * egid adr_int32
1357 * ruid adr_int32
1358 * rgid adr_int32
1359 * pid adr_int32
1360 * sid adr_int32
1361 * termid
1362 * port adr_int32
1363 * type adr_int32
1364 * ip address adr_u_char*type
1365 */
1366 int
1367 subject32_ex_token(adr_t *adr)
1368 {
1369 int32_t auid, euid, egid, ruid, rgid, pid;
1370 int32_t sid;
1371 int32_t port, type;
1372 uchar_t addr[16];
1373
1374 adrm_int32(adr, &auid, 1);
1375 adrm_int32(adr, &euid, 1);
1376 adrm_int32(adr, &egid, 1);
1377 adrm_int32(adr, &ruid, 1);
1378 adrm_int32(adr, &rgid, 1);
1379 adrm_int32(adr, &pid, 1);
1380 adrm_int32(adr, &sid, 1);
1381 adrm_int32(adr, &port, 1);
1382 adrm_int32(adr, &type, 1);
1383 adrm_u_char(adr, addr, type);
1384
1385 if (flags & M_SUBJECT) {
1386 if (subj_id == pid)
1387 checkflags = checkflags | M_SUBJECT;
1388 }
1389 if (flags & M_USERA) {
1390 if (m_usera == auid)
1391 checkflags = checkflags | M_USERA;
1392 }
1393 if (flags & M_USERE) {
1394 if (m_usere == euid)
1395 checkflags = checkflags | M_USERE;
1396 }
1397 if (flags & M_USERR) {
1398 if (m_userr == ruid)
1399 checkflags = checkflags | M_USERR;
1400 }
1401 if (flags & M_GROUPR) {
1402 if (m_groupr == egid)
1403 checkflags = checkflags | M_GROUPR;
1404 }
1405 if (flags & M_GROUPE) {
1406 if (m_groupe == egid)
1407 checkflags = checkflags | M_GROUPE;
1408 }
1409 if (flags & M_SID) {
1410 if (m_sid == (au_asid_t)sid)
1411 checkflags = checkflags | M_SID;
1412 }
1413 return (-1);
1414 }
1415
1416 /*
1417 * Format of subject64 token:
1418 * subject token id adr_char
1419 * auid adr_int32
1420 * euid adr_int32
1421 * egid adr_int32
1422 * ruid adr_int32
1423 * rgid adr_int32
1424 * pid adr_int32
1425 * sid adr_int32
1426 * termid adr_int64+adr_int32
1427 */
1428 int
1429 subject64_token(adr_t *adr)
1430 {
1431 int32_t auid, euid, egid, ruid, rgid, pid;
1432 int32_t sid;
1433 int64_t port;
1434 int32_t machine;
1435
1436 adrm_int32(adr, &auid, 1);
1437 adrm_int32(adr, &euid, 1);
1438 adrm_int32(adr, &egid, 1);
1439 adrm_int32(adr, &ruid, 1);
1440 adrm_int32(adr, &rgid, 1);
1441 adrm_int32(adr, &pid, 1);
1442 adrm_int32(adr, &sid, 1);
1443 adrm_int64(adr, &port, 1);
1444 adrm_int32(adr, &machine, 1);
1445
1446 if (flags & M_SUBJECT) {
1447 if (subj_id == pid)
1448 checkflags |= M_SUBJECT;
1449 }
1450 if (flags & M_USERA) {
1451 if (m_usera == auid)
1452 checkflags |= M_USERA;
1453 }
1454 if (flags & M_USERE) {
1455 if (m_usere == euid)
1456 checkflags |= M_USERE;
1457 }
1458 if (flags & M_USERR) {
1459 if (m_userr == ruid)
1460 checkflags |= M_USERR;
1461 }
1462 if (flags & M_GROUPR) {
1463 if (m_groupr == rgid)
1464 checkflags |= M_GROUPR;
1465 }
1466 if (flags & M_GROUPE) {
1467 if (m_groupe == egid)
1468 checkflags |= M_GROUPE;
1469 }
1470 if (flags & M_SID) {
1471 if (m_sid == (au_asid_t)sid)
1472 checkflags |= M_SID;
1473 }
1474 return (-1);
1475 }
1476
1477 /*
1478 * Format of subject64_ex token:
1479 * subject token id adr_char
1480 * auid adr_int32
1481 * euid adr_int32
1482 * egid adr_int32
1483 * ruid adr_int32
1484 * rgid adr_int32
1485 * pid adr_int32
1486 * sid adr_int32
1487 * termid
1488 * port adr_int64
1489 * type adr_int32
1490 * ip address adr_u_char*type
1491 */
1492 int
1493 subject64_ex_token(adr_t *adr)
1494 {
1495 int32_t auid, euid, egid, ruid, rgid, pid;
1496 int32_t sid;
1497 int64_t port;
1498 int32_t type;
1499 uchar_t addr[16];
1500
1501 adrm_int32(adr, &auid, 1);
1502 adrm_int32(adr, &euid, 1);
1503 adrm_int32(adr, &egid, 1);
1504 adrm_int32(adr, &ruid, 1);
1505 adrm_int32(adr, &rgid, 1);
1506 adrm_int32(adr, &pid, 1);
1507 adrm_int32(adr, &sid, 1);
1508 adrm_int64(adr, &port, 1);
1509 adrm_int32(adr, &type, 1);
1510 adrm_u_char(adr, addr, type);
1511
1512 if (flags & M_SUBJECT) {
1513 if (subj_id == pid)
1514 checkflags = checkflags | M_SUBJECT;
1515 }
1516 if (flags & M_USERA) {
1517 if (m_usera == auid)
1518 checkflags = checkflags | M_USERA;
1519 }
1520 if (flags & M_USERE) {
1521 if (m_usere == euid)
1522 checkflags = checkflags | M_USERE;
1523 }
1524 if (flags & M_USERR) {
1525 if (m_userr == ruid)
1526 checkflags = checkflags | M_USERR;
1527 }
1528 if (flags & M_GROUPR) {
1529 if (m_groupr == egid)
1530 checkflags = checkflags | M_GROUPR;
1531 }
1532 if (flags & M_GROUPE) {
1533 if (m_groupe == egid)
1534 checkflags = checkflags | M_GROUPE;
1535 }
1536 if (flags & M_SID) {
1537 if (m_sid == (au_asid_t)sid)
1538 checkflags = checkflags | M_SID;
1539 }
1540 return (-1);
1541 }
1542
1543 /*
1544 * -----------------------------------------------------------------------
1545 * tid_token(): Process tid token and display contents
1546 *
1547 * Format of tid token:
1548 * tid token id adr_char
1549 * address type adr_char
1550 * For address type of AU_IPADR...
1551 * remote port adr_short
1552 * local port adr_short
1553 * IP type adr_int32
1554 * IP addr adr_int32 if IPv4
1555 * IP addr 4 x adr_int32 if IPv6
1556 * address types other than AU_IPADR are not yet defined
1557 * -----------------------------------------------------------------------
1558 */
1559 int
1560 tid_token(adr_t *adr)
1561 {
1562 int32_t address[4];
1563 int32_t ip_type;
1564 char tid_type;
1565 short rport;
1566 short lport;
1567
1568 adrm_char(adr, &tid_type, 1);
1569 switch (tid_type) {
1570 case AU_IPADR:
1571 adrm_short(adr, &rport, 1);
1572 adrm_short(adr, &lport, 1);
1573 adrm_int32(adr, &ip_type, 1);
1574 adrm_char(adr, (char *)&address, ip_type);
1575 break;
1576 default:
1577 return (0);
1578 }
1579 return (-1);
1580 }
1581
1582 /*
1583 * -----------------------------------------------------------------------
1584 * zonename_token(): Process zonename token and display contents
1585 *
1586 * Format of zonename token:
1587 * zonename token id adr_char
1588 * zone name adr_string
1589 * -----------------------------------------------------------------------
1590 */
1591 int
1592 zonename_token(adr_t *adr)
1593 {
1594 char *name;
1595
1596 if (flags & M_ZONENAME) {
1597 get_string(adr, &name);
1598 if (strncmp(zonename, name, ZONENAME_MAX) == 0)
1599 checkflags |= M_ZONENAME;
1600 free(name);
1601 } else {
1602 skip_string(adr);
1603 }
1604 return (-1);
1605 }
1606
1607 /*
1608 * fmri_token():
1609 *
1610 * Format of fmri token:
1611 * fmri adr_string
1612 */
1613 int
1614 fmri_token(adr_t *adr)
1615 {
1616 if ((flags & M_OBJECT) && (obj_flag == OBJ_FMRI)) {
1617 char *fmri_name;
1618
1619 get_string(adr, &fmri_name);
1620
1621 /* match token against service instance */
1622 if (scf_cmp_pattern(fmri_name, &fmri) == 1) {
1623 checkflags |= M_OBJECT;
1624 }
1625 free(fmri_name);
1626 } else {
1627 skip_string(adr);
1628 }
1629 return (-1);
1630 }
1631
1632 /*
1633 * Format of xatom token:
1634 */
1635 int
1636 xatom_token(adr_t *adr)
1637 {
1638 skip_string(adr);
1639
1640 return (-1);
1641 }
1642
1643 /*
1644 * Format of xselect token:
1645 */
1646 int
1647 xselect_token(adr_t *adr)
1648 {
1649 skip_string(adr);
1650 skip_string(adr);
1651 skip_string(adr);
1652
1653 return (-1);
1654 }
1655
1656 /*
1657 * anchor a path name with a slash
1658 * assume we have enough space
1659 */
1660 void
1661 anchor_path(char *path)
1662 {
1663 (void) memmove((void *)(path + 1), (void *)path, strlen(path) + 1);
1664 *path = '/';
1665 }
1666
1667
1668 /*
1669 * copy path to collapsed path.
1670 * collapsed path does not contain:
1671 * successive slashes
1672 * instances of dot-slash
1673 * instances of dot-dot-slash
1674 * passed path must be anchored with a '/'
1675 */
1676 char *
1677 collapse_path(char *s)
1678 {
1679 int id; /* index of where we are in destination string */
1680 int is; /* index of where we are in source string */
1681 int slashseen; /* have we seen a slash */
1682 int ls; /* length of source string */
1683
1684 ls = strlen(s) + 1;
1685
1686 slashseen = 0;
1687 for (is = 0, id = 0; is < ls; is++) {
1688 /* thats all folks, we've reached the end of input */
1689 if (s[is] == '\0') {
1690 if (id > 1 && s[id-1] == '/') {
1691 --id;
1692 }
1693 s[id++] = '\0';
1694 break;
1695 }
1696 /* previous character was a / */
1697 if (slashseen) {
1698 if (s[is] == '/')
1699 continue; /* another slash, ignore it */
1700 } else if (s[is] == '/') {
1701 /* we see a /, just copy it and try again */
1702 slashseen = 1;
1703 s[id++] = '/';
1704 continue;
1705 }
1706 /* /./ seen */
1707 if (s[is] == '.' && s[is+1] == '/') {
1708 is += 1;
1709 continue;
1710 }
1711 /* XXX/. seen */
1712 if (s[is] == '.' && s[is+1] == '\0') {
1713 if (id > 1)
1714 id--;
1715 continue;
1716 }
1717 /* XXX/.. seen */
1718 if (s[is] == '.' && s[is+1] == '.' && s[is+2] == '\0') {
1719 is += 1;
1720 if (id > 0)
1721 id--;
1722 while (id > 0 && s[--id] != '/')
1723 ;
1724 id++;
1725 continue;
1726 }
1727 /* XXX/../ seen */
1728 if (s[is] == '.' && s[is+1] == '.' && s[is+2] == '/') {
1729 is += 2;
1730 if (id > 0)
1731 id--;
1732 while (id > 0 && s[--id] != '/')
1733 ;
1734 id++;
1735 continue;
1736 }
1737 while (is < ls && (s[id++] = s[is++]) != '/')
1738 ;
1739 is--;
1740 }
1741 return (s);
1742 }
1743
1744
1745 int
1746 ipc_type_match(int flag, char type)
1747 {
1748 if (flag == OBJ_SEM && type == AT_IPC_SEM)
1749 return (1);
1750
1751 if (flag == OBJ_MSG && type == AT_IPC_MSG)
1752 return (1);
1753
1754 if (flag == OBJ_SHM && type == AT_IPC_SHM)
1755 return (1);
1756
1757 return (0);
1758 }
1759
1760
1761 void
1762 skip_string(adr_t *adr)
1763 {
1764 ushort_t c;
1765
1766 adrm_u_short(adr, &c, 1);
1767 adr->adr_now += c;
1768 }
1769
1770
1771 void
1772 get_string(adr_t *adr, char **p)
1773 {
1774 ushort_t c;
1775
1776 adrm_u_short(adr, &c, 1);
1777 *p = a_calloc(1, (size_t)c);
1778 adrm_char(adr, *p, c);
1779 }
1780
1781
1782 /*
1783 * Format of host token:
1784 * host ard_uint32
1785 */
1786 int
1787 host_token(adr_t *adr)
1788 {
1789 uint32_t host;
1790
1791 adrm_u_int32(adr, &host, 1);
1792
1793 return (-1);
1794 }
1795
1796 /*
1797 * Format of useofauth token:
1798 * uauth token id adr_char
1799 * uauth adr_string
1800 */
1801 int
1802 useofauth_token(adr_t *adr)
1803 {
1804 skip_string(adr);
1805 return (-1);
1806 }
1807
1808 /*
1809 * Format of user token:
1810 * user token id adr_char
1811 * uid adr_uid
1812 * username adr_string
1813 */
1814 int
1815 user_token(adr_t *adr)
1816 {
1817 uid_t uid;
1818
1819 adrm_uid(adr, &uid, 1);
1820 skip_string(adr);
1821
1822 if ((flags & M_OBJECT) && (obj_flag == OBJ_USER) &&
1823 (uid == obj_user)) {
1824 checkflags |= M_OBJECT;
1825 }
1826
1827 return (-1);
1828 }
1829
1830 int
1831 xcolormap_token(adr_t *adr)
1832 {
1833 return (xgeneric(adr));
1834 }
1835
1836 int
1837 xcursor_token(adr_t *adr)
1838 {
1839 return (xgeneric(adr));
1840 }
1841
1842 int
1843 xfont_token(adr_t *adr)
1844 {
1845 return (xgeneric(adr));
1846 }
1847
1848 int
1849 xgc_token(adr_t *adr)
1850 {
1851 return (xgeneric(adr));
1852 }
1853
1854 int
1855 xpixmap_token(adr_t *adr)
1856 {
1857 return (xgeneric(adr));
1858 }
1859
1860 int
1861 xwindow_token(adr_t *adr)
1862 {
1863 return (xgeneric(adr));
1864 }
1865
1866
1867 /*
1868 * Format of xgeneric token:
1869 * XID adr_int32
1870 * creator UID adr_int32
1871 *
1872 * Includes: xcolormap, xcursor, xfont, xgc, xpixmap, and xwindow
1873 */
1874 int
1875 xgeneric(adr_t *adr)
1876 {
1877 int32_t xid;
1878 int32_t uid;
1879
1880 adrm_int32(adr, &xid, 1);
1881 adrm_int32(adr, &uid, 1);
1882
1883 if (flags & M_USERE) {
1884 if (m_usere == uid)
1885 checkflags = checkflags | M_USERE;
1886 }
1887
1888 return (-1);
1889 }
1890
1891
1892 /*
1893 * Format of xproperty token:
1894 * XID adr_int32
1895 * creator UID adr_int32
1896 * atom string adr_string
1897 */
1898 int
1899 xproperty_token(adr_t *adr)
1900 {
1901 int32_t xid;
1902 int32_t uid;
1903
1904 adrm_int32(adr, &xid, 1);
1905 adrm_int32(adr, &uid, 1);
1906 skip_string(adr);
1907
1908 if (flags & M_USERE) {
1909 if (m_usere == uid)
1910 checkflags = checkflags | M_USERE;
1911 }
1912
1913 return (-1);
1914 }
1915
1916
1917 /*
1918 * Format of xclient token:
1919 * xclient id adr_int32
1920 */
1921 int
1922 xclient_token(adr_t *adr)
1923 {
1924 int32_t client_id;
1925
1926 adrm_int32(adr, &client_id, 1);
1927
1928 return (-1);
1929 }
1930
1931 /*
1932 * Format of privilege set token:
1933 * priv_set type string
1934 * priv_set string
1935 */
1936
1937 int
1938 privilege_token(adr_t *adr)
1939 {
1940 skip_string(adr); /* set type name */
1941 skip_string(adr); /* privilege set */
1942 return (-1);
1943 }
1944
1945 /*
1946 * Format of security flags token:
1947 * security flag set string
1948 * security flags string
1949 */
1950
1951 int
1952 secflags_token(adr_t *adr)
1953 {
1954 skip_string(adr); /* set name */
1955 skip_string(adr); /* security flags */
1956 return (-1);
1957 }
1958
1959 /*
1960 * Format of label token:
1961 * label ID 1 byte
1962 * compartment length 1 byte
1963 * classification 2 bytes
1964 * compartment words <compartment length> * 4 bytes
1965 */
1966 int
1967 label_token(adr_t *adr)
1968 {
1969 static m_label_t *label = NULL;
1970 static size32_t l_size;
1971 int len;
1972
1973 if (label == NULL) {
1974 label = m_label_alloc(MAC_LABEL);
1975 l_size = blabel_size() - 4;
1976 }
1977
1978 if (label == NULL) {
1979 /* out of memory, should never happen; skip label */
1980 char l; /* length */
1981
1982 adr->adr_now += sizeof (char);
1983 adrm_char(adr, (char *)&l, 1);
1984 adr->adr_now += sizeof (short) + (4 * l);
1985 return (-1);
1986 }
1987
1988 adrm_char(adr, (char *)label, 4);
1989 len = (int)(((char *)label)[1] * 4);
1990 if (len > l_size) {
1991 return (-1);
1992 }
1993 adrm_char(adr, &((char *)label)[4], len);
1994
1995 if (flags & M_LABEL) {
1996 if (blinrange(label, m_label))
1997 checkflags = checkflags | M_LABEL;
1998 }
1999
2000 return (-1);
2001 }
2002
2003
2004 /*
2005 * Format of useofpriv token:
2006 * success/failure adr_char
2007 * privilege(s) adr_string
2008 */
2009 /* ARGSUSED */
2010 int
2011 useofpriv_token(adr_t *adr)
2012 {
2013 char flag;
2014
2015 adrm_char(adr, &flag, 1);
2016 skip_string(adr);
2017 return (-1);
2018 }
2019
2020 /*
2021 * Format of access_mask token:
2022 * access_mask adr_u_int32
2023 */
2024 int
2025 access_mask_token(adr_t *adr)
2026 {
2027 uint32_t access;
2028
2029 adrm_u_int32(adr, &access, 1);
2030 return (-1);
2031 }
2032
2033 /*
2034 * Format of wsid token:
2035 * wsid adr_string
2036 */
2037 int
2038 wsid_token(adr_t *adr)
2039 {
2040 if ((flags & M_OBJECT) != 0 && (obj_flag == OBJ_WSID)) {
2041 char *sid;
2042
2043 get_string(adr, &sid);
2044 if (strncmp(wsid, sid, 256) == 0) /* SMB_SID_STRSZ */
2045 checkflags |= M_OBJECT;
2046 free(sid);
2047 } else {
2048 skip_string(adr);
2049 }
2050 return (-1);
2051 }