PERFORCE change 153916 for review
Robert Watson
rwatson at FreeBSD.org
Mon Dec 1 13:28:38 PST 2008
http://perforce.freebsd.org/chv.cgi?CH=153916
Change 153916 by rwatson at rwatson_cinnamon_macosx on 2008/12/01 21:28:01
Add support for the AUT_SOCKET_EX token type, which contains
a socket domain, socket type, address type, and two IPv4/IPv6
port/address tuples. This required:
(1) Fixing the existing AUT_SOCKET_EX parsing and printing code
in libbsm.
(2) Add au_to_socket_ex() token generation function, which
accepts socket domain, socket type, and two
sockaddr_{in,in6}'s.
(3) Add test record generation and reference token/records to
the test tree.
(4) Remove prototypes for non-prsent au_to_socket_ex_{32,128}()
generation functions.
Affected files ...
.. //depot/projects/trustedbsd/openbsm/NEWS#15 edit
.. //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#36 edit
.. //depot/projects/trustedbsd/openbsm/libbsm/bsm_io.c#58 edit
.. //depot/projects/trustedbsd/openbsm/libbsm/bsm_token.c#81 edit
.. //depot/projects/trustedbsd/openbsm/sys/bsm/audit_record.h#5 edit
.. //depot/projects/trustedbsd/openbsm/test/bsm/generate.c#11 edit
.. //depot/projects/trustedbsd/openbsm/test/reference/socketex_record#1 add
.. //depot/projects/trustedbsd/openbsm/test/reference/socketex_token#1 add
Differences ...
==== //depot/projects/trustedbsd/openbsm/NEWS#15 (text+ko) ====
@@ -10,6 +10,8 @@
- Fix a bug how au_to_exec_args(3) and au_to_exec_env(3) calculates the total
size for the token. This bug resulted in "unknown" tokens being printed
after the exec args/env tokens.
+- Support for AUT_SOCKET_EX extended socket tokens, which describe a socket
+ using a pair of IPv4/IPv6 and port tuples.
OpenBSM 1.1 alpha 2
@@ -359,4 +361,4 @@
to support reloading of kernel event table.
- Allow comments in /etc/security configuration files.
-$P4: //depot/projects/trustedbsd/openbsm/NEWS#14 $
+$P4: //depot/projects/trustedbsd/openbsm/NEWS#15 $
==== //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#36 (text+ko) ====
@@ -1,5 +1,5 @@
/*-
- * Copyright (c) 2004 Apple Inc.
+ * Copyright (c) 2004-2008 Apple Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -26,7 +26,7 @@
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
- * $P4: //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#35 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#36 $
*/
#ifndef _LIBBSM_H_
@@ -547,13 +547,13 @@
* remote Internet address 4 bytes/16 bytes (IPv4/IPv6 address)
*/
typedef struct {
+ u_int16_t domain;
u_int16_t type;
+ u_int16_t atype;
u_int16_t l_port;
- u_int32_t l_ad_type;
- u_int32_t l_addr;
+ u_int32_t l_addr[4];
u_int32_t r_port;
- u_int32_t r_ad_type;
- u_int32_t r_addr;
+ u_int32_t r_addr[4];
} au_socket_ex32_t;
/*
==== //depot/projects/trustedbsd/openbsm/libbsm/bsm_io.c#58 (text+ko) ====
@@ -32,7 +32,7 @@
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
- * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_io.c#57 $
+ * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_io.c#58 $
*/
#include <sys/types.h>
@@ -3753,53 +3753,71 @@
}
/*
+ * socket domain 2 bytes
* socket type 2 bytes
+ * address type 2 bytes
* local port 2 bytes
- * address type/length 4 bytes
- * local Internet address 4 bytes
- * remote port 4 bytes
- * address type/length 4 bytes
- * remote Internet address 4 bytes
+ * local Internet address 4/16 bytes
+ * remote port 2 bytes
+ * remote Internet address 4/16 bytes
*/
static int
fetch_socketex32_tok(tokenstr_t *tok, u_char *buf, int len)
{
int err = 0;
- READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.type, tok->len,
+ READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.domain, tok->len,
err);
if (err)
return (-1);
- READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_port,
- sizeof(uint16_t), tok->len, err);
+ READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.type, tok->len,
+ err);
if (err)
return (-1);
- READ_TOKEN_U_INT32(buf, len, tok->tt.socket_ex32.l_ad_type, tok->len,
+ READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.atype, tok->len,
err);
if (err)
return (-1);
- READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_addr,
- sizeof(tok->tt.socket_ex32.l_addr), tok->len, err);
- if (err)
+ if (tok->tt.socket_ex32.atype != AU_IPv4 &&
+ tok->tt.socket_ex32.atype != AU_IPv6)
return (-1);
- READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_port,
+ READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_port,
sizeof(uint16_t), tok->len, err);
if (err)
return (-1);
- READ_TOKEN_U_INT32(buf, len, tok->tt.socket_ex32.r_ad_type, tok->len,
- err);
+ if (tok->tt.socket_ex32.atype == AU_IPv4) {
+ READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_addr,
+ sizeof(tok->tt.socket_ex32.l_addr[0]), tok->len, err);
+ if (err)
+ return (-1);
+ } else {
+ READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_addr,
+ sizeof(tok->tt.socket_ex32.l_addr), tok->len, err);
+ if (err)
+ return (-1);
+ }
+
+ READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_port,
+ sizeof(uint16_t), tok->len, err);
if (err)
return (-1);
- READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_addr,
- sizeof(tok->tt.socket_ex32.r_addr), tok->len, err);
- if (err)
- return (-1);
+ if (tok->tt.socket_ex32.atype == AU_IPv4) {
+ READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_addr,
+ sizeof(tok->tt.socket_ex32.r_addr[0]), tok->len, err);
+ if (err)
+ return (-1);
+ } else {
+ READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_addr,
+ sizeof(tok->tt.socket_ex32.r_addr), tok->len, err);
+ if (err)
+ return (-1);
+ }
return (0);
}
@@ -3811,6 +3829,9 @@
print_tok_type(fp, tok->id, "socket", raw, xml);
if (xml) {
+ open_attr(fp, "sock_dom");
+ print_2_bytes(fp, tok->tt.socket_ex32.domain, "%#x");
+ close_attr(fp);
open_attr(fp, "sock_type");
print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x");
close_attr(fp);
@@ -3818,10 +3839,12 @@
print_2_bytes(fp, ntohs(tok->tt.socket_ex32.l_port), "%#x");
close_attr(fp);
open_attr(fp, "laddr");
- print_ip_address(fp, tok->tt.socket_ex32.l_addr);
+ print_ip_ex_address(fp, tok->tt.socket_ex32.atype,
+ tok->tt.socket_ex32.l_addr);
close_attr(fp);
open_attr(fp, "faddr");
- print_ip_address(fp, tok->tt.socket_ex32.r_addr);
+ print_ip_ex_address(fp, tok->tt.socket_ex32.atype,
+ tok->tt.socket_ex32.r_addr);
close_attr(fp);
open_attr(fp, "fport");
print_2_bytes(fp, ntohs(tok->tt.socket_ex32.r_port), "%#x");
@@ -3829,15 +3852,19 @@
close_tag(fp, tok->id);
} else {
print_delim(fp, del);
+ print_2_bytes(fp, tok->tt.socket_ex32.domain, "%#x");
+ print_delim(fp, del);
print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x");
print_delim(fp, del);
print_2_bytes(fp, ntohs(tok->tt.socket_ex32.l_port), "%#x");
print_delim(fp, del);
- print_ip_address(fp, tok->tt.socket_ex32.l_addr);
+ print_ip_ex_address(fp, tok->tt.socket_ex32.atype,
+ tok->tt.socket_ex32.l_addr);
print_delim(fp, del);
print_4_bytes(fp, ntohs(tok->tt.socket_ex32.r_port), "%#x");
print_delim(fp, del);
- print_ip_address(fp, tok->tt.socket_ex32.r_addr);
+ print_ip_ex_address(fp, tok->tt.socket_ex32.atype,
+ tok->tt.socket_ex32.r_addr);
}
}
==== //depot/projects/trustedbsd/openbsm/libbsm/bsm_token.c#81 (text+ko) ====
@@ -30,7 +30,7 @@
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
- * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_token.c#80 $
+ * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_token.c#81 $
*/
#include <sys/types.h>
@@ -899,6 +899,60 @@
/*
* token ID 1 byte
+ * socket domain 2 bytes
+ * socket type 2 bytes
+ * address type 2 byte
+ * local port 2 bytes
+ * local address 4 bytes/16 bytes (IPv4/IPv6 address)
+ * remote port 2 bytes
+ * remote address 4 bytes/16 bytes (IPv4/IPv6 address)
+ */
+token_t *
+au_to_socket_ex(u_short so_domain, u_short so_type,
+ struct sockaddr *sa_local, struct sockaddr *sa_remote)
+{
+ token_t *t;
+ u_char *dptr = NULL;
+ struct sockaddr_in *sin;
+ struct sockaddr_in6 *sin6;
+
+ if (so_domain == AF_INET)
+ GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
+ 5 * sizeof(u_int16_t) + 2 * sizeof(u_int32_t));
+ else if (so_domain == AF_INET6)
+ GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
+ 5 * sizeof(u_int16_t) + 16 * sizeof(u_int32_t));
+ else {
+ errno = EINVAL;
+ return (NULL);
+ }
+
+ ADD_U_CHAR(dptr, AUT_SOCKET_EX);
+ ADD_U_INT16(dptr, so_domain); /* XXXRW: explicitly convert? */
+ ADD_U_INT16(dptr, so_type); /* XXXRW: explicitly convert? */
+ if (so_domain == AF_INET) {
+ ADD_U_INT16(dptr, AU_IPv4);
+ sin = (struct sockaddr_in *)sa_local;
+ ADD_MEM(dptr, &sin->sin_port, sizeof(uint16_t));
+ ADD_MEM(dptr, &sin->sin_addr.s_addr, sizeof(uint32_t));
+ sin = (struct sockaddr_in *)sa_remote;
+ ADD_MEM(dptr, &sin->sin_port, sizeof(uint16_t));
+ ADD_MEM(dptr, &sin->sin_addr.s_addr, sizeof(uint32_t));
+ } else {
+ ADD_U_INT16(dptr, AU_IPv6);
+ sin6 = (struct sockaddr_in6 *)sa_local;
+ ADD_MEM(dptr, &sin6->sin6_port, sizeof(uint16_t));
+ ADD_MEM(dptr, &sin6->sin6_addr, 4 * sizeof(uint32_t));
+ sin6 = (struct sockaddr_in6 *)sa_remote;
+ ADD_MEM(dptr, &sin6->sin6_port, sizeof(uint16_t));
+ ADD_MEM(dptr, &sin6->sin6_addr, 4 * sizeof(uint32_t));
+ }
+
+ return (t);
+}
+
+/*
+ * token ID 1 byte
* socket family 2 bytes
* path 104 bytes
*/
==== //depot/projects/trustedbsd/openbsm/sys/bsm/audit_record.h#5 (text+ko) ====
@@ -26,7 +26,7 @@
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
- * $P4: //depot/projects/trustedbsd/openbsm/sys/bsm/audit_record.h#4 $
+ * $P4: //depot/projects/trustedbsd/openbsm/sys/bsm/audit_record.h#5 $
*/
#ifndef _BSM_AUDIT_RECORD_H_
@@ -182,6 +182,7 @@
struct ip;
struct ipc_perm;
struct kevent;
+struct sockaddr;
struct sockaddr_in;
struct sockaddr_in6;
struct sockaddr_un;
@@ -251,15 +252,8 @@
token_t *au_to_return32(char status, uint32_t ret);
token_t *au_to_return64(char status, uint64_t ret);
token_t *au_to_seq(long audit_count);
-
-#if defined(_KERNEL) || defined(KERNEL)
-token_t *au_to_socket(struct socket *so);
-token_t *au_to_socket_ex_32(uint16_t lp, uint16_t rp, struct sockaddr *la,
- struct sockaddr *ta);
-token_t *au_to_socket_ex_128(uint16_t lp, uint16_t rp, struct sockaddr *la,
- struct sockaddr *ta);
-#endif
-
+token_t *au_to_socket_ex(u_short so_domain, u_short so_type,
+ struct sockaddr *sa_local, struct sockaddr *sa_remote);
token_t *au_to_sock_inet(struct sockaddr_in *so);
token_t *au_to_sock_inet32(struct sockaddr_in *so);
token_t *au_to_sock_inet128(struct sockaddr_in6 *so);
==== //depot/projects/trustedbsd/openbsm/test/bsm/generate.c#11 (text+ko) ====
@@ -1,5 +1,6 @@
/*-
* Copyright (c) 2006-2007 Robert N. M. Watson
+ * Copyright (c) 2008 Apple Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -23,7 +24,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $P4: //depot/projects/trustedbsd/openbsm/test/bsm/generate.c#10 $
+ * $P4: //depot/projects/trustedbsd/openbsm/test/bsm/generate.c#11 $
*/
/*
@@ -915,6 +916,56 @@
write_record(directory, record_filename, zonename_token, AUE_NULL);
}
+static u_short socketex_domain = AF_INET;
+static u_short socketex_type = SOCK_STREAM;
+static struct sockaddr_in socketex_laddr, socketex_raddr;
+
+static void
+generate_socketex_token(const char *directory, const char *token_filename)
+{
+ token_t *socketex_token;
+
+ bzero(&socketex_laddr, sizeof(socketex_laddr));
+ socketex_laddr.sin_family = AF_INET;
+ socketex_laddr.sin_len = sizeof(socketex_laddr);
+ socketex_laddr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
+
+ bzero(&socketex_raddr, sizeof(socketex_raddr));
+ socketex_raddr.sin_family = AF_INET;
+ socketex_raddr.sin_len = sizeof(socketex_raddr);
+ socketex_raddr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
+
+ socketex_token = au_to_socket_ex(socketex_domain, socketex_type,
+ (struct sockaddr *)&socketex_laddr,
+ (struct sockaddr *)&socketex_raddr);
+ if (socketex_token == NULL)
+ err(EX_UNAVAILABLE, "au_to_socket_ex");
+ write_token(directory, token_filename, socketex_token);
+}
+
+static void
+generate_socketex_record(const char *directory, const char *record_filename)
+{
+ token_t *socketex_token;
+
+ bzero(&socketex_laddr, sizeof(socketex_laddr));
+ socketex_laddr.sin_family = AF_INET;
+ socketex_laddr.sin_len = sizeof(socketex_laddr);
+ socketex_laddr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
+
+ bzero(&socketex_raddr, sizeof(socketex_raddr));
+ socketex_raddr.sin_family = AF_INET;
+ socketex_raddr.sin_len = sizeof(socketex_raddr);
+ socketex_raddr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
+
+ socketex_token = au_to_socket_ex(socketex_domain, socketex_type,
+ (struct sockaddr *)&socketex_laddr,
+ (struct sockaddr *)&socketex_raddr);
+ if (socketex_token == NULL)
+ err(EX_UNAVAILABLE, "au_to_socket_ex");
+ write_record(directory, record_filename, socketex_token, AUE_NULL);
+}
+
int
main(int argc, char *argv[])
{
@@ -982,6 +1033,7 @@
generate_groups_token(directory, "groups_token");
generate_attr32_token(directory, "attr32_token");
generate_zonename_token(directory, "zonename_token");
+ generate_socketex_token(directory, "socketex_token");
}
if (do_records) {
@@ -1017,6 +1069,7 @@
generate_groups_record(directory, "groups_record");
generate_attr32_record(directory, "attr32_record");
generate_zonename_record(directory, "zonename_record");
+ generate_socketex_record(directory, "socketex_record");
}
return (0);
More information about the p4-projects
mailing list