PERFORCE change 153916 for review

Robert Watson rwatson at FreeBSD.org
Mon Dec 1 13:28:38 PST 2008


http://perforce.freebsd.org/chv.cgi?CH=153916

Change 153916 by rwatson at rwatson_cinnamon_macosx on 2008/12/01 21:28:01

	Add support for the AUT_SOCKET_EX token type, which contains
	a socket domain, socket type, address type, and two IPv4/IPv6
	port/address tuples.  This required:
	
	(1) Fixing the existing AUT_SOCKET_EX parsing and printing code
	    in libbsm.
	
	(2) Add au_to_socket_ex() token generation function, which
	    accepts socket domain, socket type, and two
	    sockaddr_{in,in6}'s.
	
	(3) Add test record generation and reference token/records to
	    the test tree.
	
	(4) Remove prototypes for non-prsent au_to_socket_ex_{32,128}()
	    generation functions.

Affected files ...

.. //depot/projects/trustedbsd/openbsm/NEWS#15 edit
.. //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#36 edit
.. //depot/projects/trustedbsd/openbsm/libbsm/bsm_io.c#58 edit
.. //depot/projects/trustedbsd/openbsm/libbsm/bsm_token.c#81 edit
.. //depot/projects/trustedbsd/openbsm/sys/bsm/audit_record.h#5 edit
.. //depot/projects/trustedbsd/openbsm/test/bsm/generate.c#11 edit
.. //depot/projects/trustedbsd/openbsm/test/reference/socketex_record#1 add
.. //depot/projects/trustedbsd/openbsm/test/reference/socketex_token#1 add

Differences ...

==== //depot/projects/trustedbsd/openbsm/NEWS#15 (text+ko) ====

@@ -10,6 +10,8 @@
 - Fix a bug how au_to_exec_args(3) and au_to_exec_env(3) calculates the total
   size for the token.  This bug resulted in "unknown" tokens being printed
   after the exec args/env tokens.
+- Support for AUT_SOCKET_EX extended socket tokens, which describe a socket
+  using a pair of IPv4/IPv6 and port tuples.
 
 OpenBSM 1.1 alpha 2
 
@@ -359,4 +361,4 @@
   to support reloading of kernel event table.
 - Allow comments in /etc/security configuration files.
 
-$P4: //depot/projects/trustedbsd/openbsm/NEWS#14 $
+$P4: //depot/projects/trustedbsd/openbsm/NEWS#15 $

==== //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#36 (text+ko) ====

@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 2004 Apple Inc.
+ * Copyright (c) 2004-2008 Apple Inc.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -26,7 +26,7 @@
  * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  * POSSIBILITY OF SUCH DAMAGE.
  *
- * $P4: //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#35 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#36 $
  */
 
 #ifndef _LIBBSM_H_
@@ -547,13 +547,13 @@
  * remote Internet address 4 bytes/16 bytes (IPv4/IPv6 address)
  */
 typedef struct {
+	u_int16_t	domain;
 	u_int16_t	type;
+	u_int16_t	atype;
 	u_int16_t	l_port;
-	u_int32_t	l_ad_type;
-	u_int32_t	l_addr;
+	u_int32_t	l_addr[4];
 	u_int32_t	r_port;
-	u_int32_t	r_ad_type;
-	u_int32_t	r_addr;
+	u_int32_t	r_addr[4];
 } au_socket_ex32_t;
 
 /*

==== //depot/projects/trustedbsd/openbsm/libbsm/bsm_io.c#58 (text+ko) ====

@@ -32,7 +32,7 @@
  * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  * POSSIBILITY OF SUCH DAMAGE.
  *
- * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_io.c#57 $
+ * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_io.c#58 $
  */
 
 #include <sys/types.h>
@@ -3753,53 +3753,71 @@
 }
 
 /*
+ * socket domain           2 bytes
  * socket type             2 bytes
+ * address type            2 bytes
  * local port              2 bytes
- * address type/length     4 bytes
- * local Internet address  4 bytes
- * remote port             4 bytes
- * address type/length     4 bytes
- * remote Internet address 4 bytes
+ * local Internet address  4/16 bytes
+ * remote port             2 bytes
+ * remote Internet address 4/16 bytes
  */
 static int
 fetch_socketex32_tok(tokenstr_t *tok, u_char *buf, int len)
 {
 	int err = 0;
 
-	READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.type, tok->len,
+	READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.domain, tok->len,
 	    err);
 	if (err)
 		return (-1);
 
-	READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_port,
-	    sizeof(uint16_t), tok->len, err);
+	READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.type, tok->len,
+	    err);
 	if (err)
 		return (-1);
 
-	READ_TOKEN_U_INT32(buf, len, tok->tt.socket_ex32.l_ad_type, tok->len,
+	READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.atype, tok->len,
 	    err);
 	if (err)
 		return (-1);
 
-	READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_addr,
-	    sizeof(tok->tt.socket_ex32.l_addr), tok->len, err);
-	if (err)
+	if (tok->tt.socket_ex32.atype != AU_IPv4 &&
+	    tok->tt.socket_ex32.atype != AU_IPv6)
 		return (-1);
 
-	READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_port,
+	READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_port,
 	    sizeof(uint16_t), tok->len, err);
 	if (err)
 		return (-1);
 
-	READ_TOKEN_U_INT32(buf, len, tok->tt.socket_ex32.r_ad_type, tok->len,
-	    err);
+	if (tok->tt.socket_ex32.atype == AU_IPv4) {
+		READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_addr,
+		    sizeof(tok->tt.socket_ex32.l_addr[0]), tok->len, err);
+		if (err)
+			return (-1);
+	} else {
+		READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_addr,
+		    sizeof(tok->tt.socket_ex32.l_addr), tok->len, err);
+		if (err)
+			return (-1);
+	}
+
+	READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_port,
+	    sizeof(uint16_t), tok->len, err);
 	if (err)
 		return (-1);
 
-	READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_addr,
-	    sizeof(tok->tt.socket_ex32.r_addr), tok->len, err);
-	if (err)
-		return (-1);
+	if (tok->tt.socket_ex32.atype == AU_IPv4) {
+		READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_addr,
+		    sizeof(tok->tt.socket_ex32.r_addr[0]), tok->len, err);
+		if (err)
+			return (-1);
+	} else {
+		READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_addr,
+		    sizeof(tok->tt.socket_ex32.r_addr), tok->len, err);
+		if (err)
+			return (-1);
+	}
 
 	return (0);
 }
@@ -3811,6 +3829,9 @@
 
 	print_tok_type(fp, tok->id, "socket", raw, xml);
 	if (xml) {
+		open_attr(fp, "sock_dom");
+		print_2_bytes(fp, tok->tt.socket_ex32.domain, "%#x");
+		close_attr(fp);
 		open_attr(fp, "sock_type");
 		print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x");
 		close_attr(fp);
@@ -3818,10 +3839,12 @@
 		print_2_bytes(fp, ntohs(tok->tt.socket_ex32.l_port), "%#x");
 		close_attr(fp);
 		open_attr(fp, "laddr");
-		print_ip_address(fp, tok->tt.socket_ex32.l_addr);
+		print_ip_ex_address(fp, tok->tt.socket_ex32.atype,
+		    tok->tt.socket_ex32.l_addr);
 		close_attr(fp);
 		open_attr(fp, "faddr");
-		print_ip_address(fp, tok->tt.socket_ex32.r_addr);
+		print_ip_ex_address(fp, tok->tt.socket_ex32.atype,
+		    tok->tt.socket_ex32.r_addr);
 		close_attr(fp);
 		open_attr(fp, "fport");
 		print_2_bytes(fp, ntohs(tok->tt.socket_ex32.r_port), "%#x");
@@ -3829,15 +3852,19 @@
 		close_tag(fp, tok->id);
 	} else {
 		print_delim(fp, del);
+		print_2_bytes(fp, tok->tt.socket_ex32.domain, "%#x");
+		print_delim(fp, del);
 		print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x");
 		print_delim(fp, del);
 		print_2_bytes(fp, ntohs(tok->tt.socket_ex32.l_port), "%#x");
 		print_delim(fp, del);
-		print_ip_address(fp, tok->tt.socket_ex32.l_addr);
+		print_ip_ex_address(fp, tok->tt.socket_ex32.atype,
+		    tok->tt.socket_ex32.l_addr);
 		print_delim(fp, del);
 		print_4_bytes(fp, ntohs(tok->tt.socket_ex32.r_port), "%#x");
 		print_delim(fp, del);
-		print_ip_address(fp, tok->tt.socket_ex32.r_addr);
+		print_ip_ex_address(fp, tok->tt.socket_ex32.atype,
+		    tok->tt.socket_ex32.r_addr);
 	}
 }
 

==== //depot/projects/trustedbsd/openbsm/libbsm/bsm_token.c#81 (text+ko) ====

@@ -30,7 +30,7 @@
  * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  * POSSIBILITY OF SUCH DAMAGE.
  *
- * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_token.c#80 $
+ * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_token.c#81 $
  */
 
 #include <sys/types.h>
@@ -899,6 +899,60 @@
 
 /*
  * token ID                1 byte
+ * socket domain           2 bytes
+ * socket type             2 bytes
+ * address type            2 byte
+ * local port              2 bytes
+ * local address           4 bytes/16 bytes (IPv4/IPv6 address)
+ * remote port             2 bytes
+ * remote address          4 bytes/16 bytes (IPv4/IPv6 address)
+ */
+token_t *
+au_to_socket_ex(u_short so_domain, u_short so_type,
+    struct sockaddr *sa_local, struct sockaddr *sa_remote)
+{
+	token_t *t;
+	u_char *dptr = NULL;
+	struct sockaddr_in *sin;
+	struct sockaddr_in6 *sin6;
+
+	if (so_domain == AF_INET)
+		GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
+		    5 * sizeof(u_int16_t) + 2 * sizeof(u_int32_t));
+	else if (so_domain == AF_INET6)
+		GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
+		    5 * sizeof(u_int16_t) + 16 * sizeof(u_int32_t));
+	else {
+		errno = EINVAL;
+		return (NULL);
+	}
+
+	ADD_U_CHAR(dptr, AUT_SOCKET_EX);
+	ADD_U_INT16(dptr, so_domain);	/* XXXRW: explicitly convert? */
+	ADD_U_INT16(dptr, so_type);	/* XXXRW: explicitly convert? */
+	if (so_domain == AF_INET) {
+		ADD_U_INT16(dptr, AU_IPv4);
+		sin = (struct sockaddr_in *)sa_local;
+		ADD_MEM(dptr, &sin->sin_port, sizeof(uint16_t));
+		ADD_MEM(dptr, &sin->sin_addr.s_addr, sizeof(uint32_t));
+		sin = (struct sockaddr_in *)sa_remote;
+		ADD_MEM(dptr, &sin->sin_port, sizeof(uint16_t));
+		ADD_MEM(dptr, &sin->sin_addr.s_addr, sizeof(uint32_t));
+	} else {
+		ADD_U_INT16(dptr, AU_IPv6);
+		sin6 = (struct sockaddr_in6 *)sa_local;
+		ADD_MEM(dptr, &sin6->sin6_port, sizeof(uint16_t));
+		ADD_MEM(dptr, &sin6->sin6_addr, 4 * sizeof(uint32_t));
+		sin6 = (struct sockaddr_in6 *)sa_remote;
+		ADD_MEM(dptr, &sin6->sin6_port, sizeof(uint16_t));
+		ADD_MEM(dptr, &sin6->sin6_addr, 4 * sizeof(uint32_t));
+	}
+
+	return (t);
+}
+
+/*
+ * token ID                1 byte
  * socket family           2 bytes
  * path                    104 bytes
  */

==== //depot/projects/trustedbsd/openbsm/sys/bsm/audit_record.h#5 (text+ko) ====

@@ -26,7 +26,7 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  *
- * $P4: //depot/projects/trustedbsd/openbsm/sys/bsm/audit_record.h#4 $
+ * $P4: //depot/projects/trustedbsd/openbsm/sys/bsm/audit_record.h#5 $
  */
 
 #ifndef _BSM_AUDIT_RECORD_H_
@@ -182,6 +182,7 @@
 struct ip;
 struct ipc_perm;
 struct kevent;
+struct sockaddr;
 struct sockaddr_in;
 struct sockaddr_in6;
 struct sockaddr_un;
@@ -251,15 +252,8 @@
 token_t	*au_to_return32(char status, uint32_t ret);
 token_t	*au_to_return64(char status, uint64_t ret);
 token_t	*au_to_seq(long audit_count);
-
-#if defined(_KERNEL) || defined(KERNEL)
-token_t	*au_to_socket(struct socket *so);
-token_t	*au_to_socket_ex_32(uint16_t lp, uint16_t rp, struct sockaddr *la,
-	    struct sockaddr *ta);
-token_t	*au_to_socket_ex_128(uint16_t lp, uint16_t rp, struct sockaddr *la,
-	    struct sockaddr *ta);
-#endif
-
+token_t	*au_to_socket_ex(u_short so_domain, u_short so_type,
+	    struct sockaddr *sa_local, struct sockaddr *sa_remote);
 token_t	*au_to_sock_inet(struct sockaddr_in *so);
 token_t	*au_to_sock_inet32(struct sockaddr_in *so);
 token_t	*au_to_sock_inet128(struct sockaddr_in6 *so);

==== //depot/projects/trustedbsd/openbsm/test/bsm/generate.c#11 (text+ko) ====

@@ -1,5 +1,6 @@
 /*-
  * Copyright (c) 2006-2007 Robert N. M. Watson
+ * Copyright (c) 2008 Apple Inc.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -23,7 +24,7 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * $P4: //depot/projects/trustedbsd/openbsm/test/bsm/generate.c#10 $
+ * $P4: //depot/projects/trustedbsd/openbsm/test/bsm/generate.c#11 $
  */
 
 /*
@@ -915,6 +916,56 @@
 	write_record(directory, record_filename, zonename_token, AUE_NULL);
 }
 
+static u_short socketex_domain = AF_INET;
+static u_short socketex_type = SOCK_STREAM;
+static struct sockaddr_in socketex_laddr, socketex_raddr;
+
+static void
+generate_socketex_token(const char *directory, const char *token_filename)
+{
+	token_t *socketex_token;
+
+	bzero(&socketex_laddr, sizeof(socketex_laddr));
+	socketex_laddr.sin_family = AF_INET;
+	socketex_laddr.sin_len = sizeof(socketex_laddr);
+	socketex_laddr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
+
+	bzero(&socketex_raddr, sizeof(socketex_raddr));
+	socketex_raddr.sin_family = AF_INET;
+	socketex_raddr.sin_len = sizeof(socketex_raddr);
+	socketex_raddr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
+
+	socketex_token = au_to_socket_ex(socketex_domain, socketex_type,
+	    (struct sockaddr *)&socketex_laddr,
+	    (struct sockaddr *)&socketex_raddr);
+	if (socketex_token == NULL)
+		err(EX_UNAVAILABLE, "au_to_socket_ex");
+	write_token(directory, token_filename, socketex_token);
+}
+
+static void
+generate_socketex_record(const char *directory, const char *record_filename)
+{
+	token_t *socketex_token;
+
+	bzero(&socketex_laddr, sizeof(socketex_laddr));
+	socketex_laddr.sin_family = AF_INET;
+	socketex_laddr.sin_len = sizeof(socketex_laddr);
+	socketex_laddr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
+
+	bzero(&socketex_raddr, sizeof(socketex_raddr));
+	socketex_raddr.sin_family = AF_INET;
+	socketex_raddr.sin_len = sizeof(socketex_raddr);
+	socketex_raddr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
+
+	socketex_token = au_to_socket_ex(socketex_domain, socketex_type,
+	    (struct sockaddr *)&socketex_laddr,
+	    (struct sockaddr *)&socketex_raddr);
+	if (socketex_token == NULL)
+		err(EX_UNAVAILABLE, "au_to_socket_ex");
+	write_record(directory, record_filename, socketex_token, AUE_NULL);
+}
+
 int
 main(int argc, char *argv[])
 {
@@ -982,6 +1033,7 @@
 		generate_groups_token(directory, "groups_token");
 		generate_attr32_token(directory, "attr32_token");
 		generate_zonename_token(directory, "zonename_token");
+		generate_socketex_token(directory, "socketex_token");
 	}
 
 	if (do_records) {
@@ -1017,6 +1069,7 @@
 		generate_groups_record(directory, "groups_record");
 		generate_attr32_record(directory, "attr32_record");
 		generate_zonename_record(directory, "zonename_record");
+		generate_socketex_record(directory, "socketex_record");
 	}
 
 	return (0);


More information about the p4-projects mailing list