PERFORCE change 143689 for review

Wed Jun 18 11:40:55 UTC 2008

http://perforce.freebsd.org/chv.cgi?CH=143689

Change 143689 by snagg at snagg_macosx on 2008/06/18 11:40:21

	Finished the first event-specific framework part, added also a 		testing program. Some other bugs were corrected in the utils. Still 	need some testing

Affected files ...

.. //depot/projects/soc2008/snagg-audit/tools/regression/audit/audit_pipe/audit_pipe_ioctl_events.c#2 delete
.. //depot/projects/soc2008/snagg-audit/tools/regression/audit/audit_pipe/audit_pipe_regression_test_utils.c#3 edit
.. //depot/projects/soc2008/snagg-audit/tools/regression/audit/audit_pipe/audit_pipe_regression_test_utils.h#2 edit
.. //depot/projects/soc2008/snagg-audit/tools/regression/audit/audit_pipe/specific-event/audit_pipe_event_open.c#1 add
.. //depot/projects/soc2008/snagg-audit/tools/regression/audit/audit_pipe/tests/open_test.c#1 add

Differences ...

==== //depot/projects/soc2008/snagg-audit/tools/regression/audit/audit_pipe/audit_pipe_regression_test_utils.c#3 (text+ko) ====

@@ -1,47 +1,6 @@
 #include "audit_pipe_regression_test_utils.h"
 
-struct audit_record *del_record_au(struct audit_record *head, int index)
-{
-	struct audit_record *tmp;
-	struct audit_record *p;
-	
-	tmp = head;
-	if(tmp == NULL)
-		return NULL;
-	for(; tmp->next != NULL; tmp = tmp->next)
-	{
-		if(tmp->next->index == index) {
-			p = tmp->next;
-			tmp->next = tmp->next->next;
-			free(p);
-			return head;
-		}
-	}
-		
-	return NULL;
-}				
-				
-struct audit_record 
-*add_field_au(struct audit_record *head, struct audit_record *new)
-{
-	struct audit_record *tmp;
-	
-	tmp = head;
-	if(tmp == NULL) {
-		new->next = NULL;
-		return new;
-	}
-	
-	for(; tmp->next != NULL;tmp = tmp->next);
 	
-	new->index = tmp->index +1;
-	tmp->next= new;
-	new->next = NULL;
-	
-	return head;
-}
-
-	
 void init_channel()
 {
 	key_t key;
@@ -101,7 +60,7 @@
 
 /*
  * Every string in the shared-memory channel is of the form 
- * value:!!audit-field:**type.
+ * value\\!!audit-field:**type.
  * Here we parse the audit-field part
  */
 char *get_descr(char *string)
@@ -110,7 +69,7 @@
 
 	str = string;
 
-	if((string = strsep(&str, ":!!")) != NULL)
+	if((string = strsep(&str, "\\!!")) != NULL)
 	{
 		str +=2;
 		return str;
@@ -119,7 +78,7 @@
 
 /*
  * Every string in the shared-memory channel is of the form 
- * value:!!audit-field:**type.
+ * value\!!audit-field:**type.
  * Here we parse the type part
  */
 int parse_string(char *string)
@@ -179,47 +138,49 @@
  * We fetch every token from auditpipe and eventually dump them to a file
  * Modified version of praudit function.
  */
-struct audit_record
-*audit_print_record(FILE *st, FILE *in)
+
+int 
+audit_print_record(FILE *st, char *buffer, int buflen, struct audit_record rec)
 {
-	u_char *buf;
-	tokenstr_t tok;
-	int reclen;
-	int bytesread;
 	int count;
 	u_char type;
-	struct audit_record *rec;
-
+	int i, exit;
+	
 	type = 0;
 	count = 0;
-	rec = malloc(sizeof(struct audit_record));
-	if(rec == NULL)
-		err(-1, "MALLOC");
-
+	exit = 0;
+	
 	/* Record must begin with a header token. */
-	do {
-		type = fgetc(in);
-	} while(type != AU_HEADER_32_TOKEN);
-	ungetc(type, in);
+	for( i = 0; i< buflen; i++) {
+		type = buffer[i];
+		if(type == AU_HEADER_32_TOKEN) {
+			buffer +=i;
+			buflen -=i;
+			break;
+		}
+	}		
+	while (buflen > 0) {
 
-	while ((reclen = au_read_rec(in, &buf)) != -1) {
-		bytesread = 0;
-		while (bytesread < reclen) {
-			
-			/* Is this an incomplete record? */
-			if (-1 == au_fetch_tok(&tok, buf + bytesread,
-			    reclen - bytesread))
-				break;
-			rec->toks[count] = tok;
-			rec->count = count;	
-			au_print_tok_xml(st, &tok, ",", 0, 0);
-			fprintf(st, "\n");
-			bytesread += tok.len;
-		}
-		free(buf);
-		fflush(st);
+		/* XXX: Is this an incomplete record? */
+		if (au_fetch_tok(&(rec.toks[count]), buffer, buflen) == -1)
+			break;
+		
+		rec.count = count;
+		au_print_tok_xml(st, &(rec.toks[count]), ",", 0, 0);
+		buflen -= rec.toks[count].len;
+		buffer += rec.toks[count].len;
+		fprintf(st, "\n");
+		count++;
+		if(count == 20)
+			return -1;
+		if(exit)
+			break;
+		if(*buffer ==  AU_TRAILER_TOKEN)
+			exit = 1;
 	}
-	return rec;
+		
+	fflush(st);
+	return 0;
 }
 
 /*
@@ -239,25 +200,19 @@
 	return f;
 }
 
-void report_error(tokenstr_t tok, struct audit_record *rec, FILE *f)
+void report_error(tokenstr_t tok, FILE *f)
 {
-	int i;
 	
-	if(rec == NULL)
-		return;
-	for(i = 0; i <= rec->count; i++) {
-		au_print_tok_xml(f, &(rec->toks[i]), ",", 0, 0);
-		fprintf(f, "\n");
-	}
-	fprintf(f, "ERROR:***");
+	fprintf(f, "ERROR:***\n");
 	au_print_tok_xml(f, &tok, ",", 0, 0);
 	fprintf(f, "\n");
+
 }	
 		
 /*
  * Check the return value of a bsm-token
  */
-int check_ret(au_exit_t ret, int r, char *val)
+int check_ret(au_ret32_t ret, int r, char *val)
 {
 	if(ret.ret == r)
 		//if(!strncmp(ret.status, val, strlen(ret.status) > strlen(val)? 

==== //depot/projects/soc2008/snagg-audit/tools/regression/audit/audit_pipe/audit_pipe_regression_test_utils.h#2 (text+ko) ====

@@ -46,6 +46,9 @@
 #include <semaphore.h>
 #include <string.h>
 
+#define	AUDIT_BUFFER_LEN	65536
+#define AUDIT_RECORD_MAX	256
+
 #define SHMSZ	512
 #define SEM_NAME	"/audit-test"
 #define SEM_CLIENT_NAME	"/client"
@@ -59,17 +62,27 @@
 	CHAR_TYPE
 };
 
+/*
+ * NOT = do not validate anything
+ * GOT_READLINK = we took the last function (a readlink) of the standard 
+ * "prologue" of every process
+ * VALID = we need to validate stuff
+ * WAITING = this is not the right syscall to parse
+ */
+enum VALIDATE {
+	NOT,
+	GOT_READLINK, 
+	VALID,
+	WAITING
+};
+	
 struct audit_record
 {
 	tokenstr_t toks[20];
 	int count;
 	int index;
-	struct audit_record *next;
 };
 
-struct audit_record *del_record_au(struct audit_record *head, int index);
-struct audit_record *add_field_au(struct audit_record *head, 
-					    struct audit_record *new);
 void init_channel();
 void end_channel();
 char *read_string();
@@ -77,11 +90,11 @@
 int parse_string(char *string);
 long get_int(char *string);
 char get_c(char *string);
-struct audit_record *audit_print_record(FILE *st, FILE *in);
+int audit_print_record(FILE *st, char *buffer, int buflen,
+	    struct audit_record rec);
 FILE *init_log(pid_t pid);
-void report_error(tokenstr_t tok, struct audit_record *rec, 
-	    FILE *f);
-int check_ret(au_exit_t ret, int r, char *val);
+void report_error(tokenstr_t tok, FILE *f);
+int check_ret(au_ret32_t ret, int r, char *val);
 int check_path(au_path_t path, char *val);
 int check_arg(au_arg32_t arg, long val);
 int check_priv(au_proc32ex_t priv, pid_t pid);
