PERFORCE change 58510 for review
Wayne Salamon
wsalamon at FreeBSD.org
Fri Jul 30 02:00:23 GMT 2004
http://perforce.freebsd.org/chv.cgi?CH=58510
Change 58510 by wsalamon at wsalamon_epi on 2004/07/30 02:00:10
Fix up the audit daemon to run on FreeBSD; remove all references to
Mach. The audit daemon needs to be completed once we decide on the
kernel->auditd communication mechanism. However, this version of
auditd can be used to populate the audit event -> audit class
mapping within the kernel.
Affected files ...
.. //depot/projects/trustedbsd/audit3/contrib/audit_supt/auditd/Makefile#4 edit
.. //depot/projects/trustedbsd/audit3/contrib/audit_supt/auditd/audit_warn.c#2 edit
.. //depot/projects/trustedbsd/audit3/contrib/audit_supt/auditd/auditd.c#2 edit
Differences ...
==== //depot/projects/trustedbsd/audit3/contrib/audit_supt/auditd/Makefile#4 (text+ko) ====
@@ -2,11 +2,15 @@
# Makefile for the audit command.
#
-NAME = auditd
+CC = gcc
+CFILES = audit_warn.c auditd.c auditd.h
+CFLAGS = -g
-CFILES = auditd.c audit_warn.c auditd.h
-
-all: $(NAME)
+all: audit_warn auditd
+audit_warn: audit_warn.c
+ $(CC) -c audit_warn.c -o audit_warn
+auditd: auditd.c
+ $(CC) -lbsm auditd.c audit_warn.o -o auditd
install-man-page:
install -d $(DSTROOT)/usr/share/man/man1
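Review bot: The `audit_warn` rule compiles with `-c` into a file literally named `audit_warn`, while the `auditd` rule links `audit_warn.o`, which no rule produces and which `auditd` does not list as a prerequisite, so a clean build either fails or picks up a stale object. `CFLAGS = -g` is defined but neither recipe passes it, and `-lbsm` placed before the objects is not resolved by a linker that scans archives in command-line order. The rewrite below names the object correctly, adds the dependency and moves the library after the objects; `all` then only needs `auditd`.
```makefile
CFILES = audit_warn.c auditd.c auditd.h
CFLAGS = -g
all: auditd
audit_warn.o: audit_warn.c
	$(CC) $(CFLAGS) -c audit_warn.c -o audit_warn.o
auditd: auditd.c audit_warn.o
	$(CC) $(CFLAGS) auditd.c audit_warn.o -o auditd -lbsm
# … unchanged: install-man-page …
```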
==== //depot/projects/trustedbsd/audit3/contrib/audit_supt/auditd/audit_warn.c#2 (text+ko) ====
@@ -26,7 +26,7 @@
#include <unistd.h>
#include <stdio.h>
-#include <auditd.h>
+#include "auditd.h"
/* Write to the audit log. */
static int auditwarnlog(char *args[])
==== //depot/projects/trustedbsd/audit3/contrib/audit_supt/auditd/auditd.c#2 (text+ko) ====
@@ -22,16 +22,12 @@
* @APPLE_LICENSE_HEADER_END@
*/
-#include <mach/port.h>
-#include <mach/mach_error.h>
-#include <mach/mach_traps.h>
-#include <mach/mach.h>
-#include <mach/host_special_ports.h>
-
+#include <sys/dirent.h>
#include <sys/types.h>
#include <sys/mman.h>
#include <sys/queue.h>
#include <sys/stat.h>
+#include <sys/syscall.h>
#include <sys/wait.h>
#include <fcntl.h>
@@ -43,15 +39,12 @@
#include <syslog.h>
#include <signal.h>
#include <string.h>
-#include <notify.h>
#include <bsm/audit.h>
#include <bsm/audit_uevents.h>
#include <bsm/libbsm.h>
-#include <auditd.h>
-#include "auditd_control_server.h"
-#include "audit_triggers_server.h"
+#include "auditd.h"
#define NA_EVENT_STR_SIZE 25
static int ret, minval;
@@ -59,11 +52,6 @@
static int allhardcount = 0;
-mach_port_t bp = MACH_PORT_NULL;
-mach_port_t control_port = MACH_PORT_NULL;
-mach_port_t signal_port = MACH_PORT_NULL;
-mach_port_t port_set = MACH_PORT_NULL;
-
#ifndef __BSM_INTERNAL_NOTIFY_KEY
#define __BSM_INTERNAL_NOTIFY_KEY "com.apple.audit.change"
#endif /* __BSM_INTERNAL_NOTIFY_KEY */
@@ -201,7 +189,8 @@
if (open(fn, O_RDONLY | O_CREAT, S_IRUSR | S_IRGRP) < 0) {
perror("File open");
}
- else if (auditctl(fn) != 0) {
+ /* else if (auditctl(fn) != 0) { */
+ else if (syscall(SYS_auditctl, fn) != 0) {
syslog(LOG_ERR, "auditctl failed! : %s\n",
strerror(errno));
}
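Review bot: The old `auditctl(fn)` call is left behind as a commented-out line above its `syscall(SYS_auditctl, fn)` replacement, and the same pattern repeats in the hunks at `@@ -279`, `@@ -320`, `@@ -616`, `@@ -639` and `@@ -653`; commented-out code should be dropped and the reason recorded once. Scattering raw `syscall()` invocations through the file also ties every call site to the kernel ABI and loses the argument typing the libbsm wrappers provided. A pair of static helpers keeps that in one place, e.g. `static int do_auditctl(const char *path) { return syscall(SYS_auditctl, path); }` and `static int do_auditon(int cmd, void *data, int len) { return syscall(SYS_auditon, cmd, data, len); }`, with a single comment noting they stand in until libbsm supplies the wrappers. The enclosing function begins and ends outside this hunk.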
@@ -228,7 +217,7 @@
*/
int read_control_file()
{
- char cur_dir[MAX_DIR_SIZE];
+ char cur_dir[MAXNAMLEN];
struct dir_ent *dirent;
au_qctrl_t qctrl;
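Review bot: `MAXNAMLEN` bounds a single directory-entry name (255 on FreeBSD), not a path, so sizing `cur_dir` with it, and `malloc(MAXNAMLEN)` for `dirent->dirname` in the next hunk (`@@ -236`), caps each audit directory path read from the control file at a length that is probably shorter than whatever `MAX_DIR_SIZE` allowed; the usual bound for a path is `MAXPATHLEN`. Depending on what `getacdir()` returns for an over-long entry, the path is either truncated or the `while` loop ends early and the remaining directories are silently skipped. Suggest `char cur_dir[MAXPATHLEN];` with the matching `MAXPATHLEN` in the `getacdir()` and `malloc()` calls. `read_control_file()` continues past the end of this hunk.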
@@ -236,19 +225,16 @@
free_dir_q();
endac(); // force a re-read of the file the next time
- /* Post that the audit config changed */
- notify_post(__BSM_INTERNAL_NOTIFY_KEY);
-
/* Read the list of directories into a local linked list */
/* XXX We should use the reentrant interfaces once they are available */
- while(getacdir(cur_dir, MAX_DIR_SIZE) >= 0) {
+ while(getacdir(cur_dir, MAXNAMLEN) >= 0) {
dirent = (struct dir_ent *) malloc (sizeof(struct dir_ent));
if(dirent == NULL) {
return -1;
}
dirent->softlim = 0;
- dirent->dirname = (char *) malloc (MAX_DIR_SIZE);
+ dirent->dirname = (char *) malloc (MAXNAMLEN);
if(dirent->dirname == NULL) {
free(dirent);
return -1;
@@ -279,13 +265,15 @@
syslog(LOG_INFO, "min free = %d\n", minval);
- if (auditon(A_GETQCTRL, &qctrl, sizeof(qctrl)) != 0) {
+ /* if (auditon(A_GETQCTRL, &qctrl, sizeof(qctrl)) != 0) { */
+ if (syscall(SYS_auditon, A_GETQCTRL, &qctrl, sizeof(qctrl)) != 0) {
syslog(LOG_ERR,
"could not get audit queue settings\n");
return -1;
}
qctrl.aq_minfree = minval;
- if (auditon(A_SETQCTRL, &qctrl, sizeof(qctrl)) != 0) {
+ /* if (auditon(A_SETQCTRL, &qctrl, sizeof(qctrl)) != 0) { */
+ if (syscall(SYS_auditon, A_SETQCTRL, &qctrl, sizeof(qctrl)) != 0) {
syslog(LOG_ERR,
"could not set audit queue settings\n");
return -1;
@@ -320,7 +308,8 @@
}
/* flush contents */
- err_ret = auditctl(NULL);
+ /* err_ret = auditctl(NULL); */
+ err_ret = syscall(SYS_auditctl, NULL);
if (err_ret != 0) {
syslog(LOG_ERR, "auditctl failed! : %s\n",
strerror(errno));
@@ -352,14 +341,6 @@
static void
relay_signal(int signal)
{
- mach_msg_empty_send_t msg;
-
- msg.header.msgh_id = signal;
- msg.header.msgh_remote_port = signal_port;
- msg.header.msgh_local_port = MACH_PORT_NULL;
- msg.header.msgh_bits = MACH_MSGH_BITS(MACH_MSG_TYPE_MAKE_SEND, 0);
- mach_msg(&(msg.header), MACH_SEND_MSG|MACH_SEND_TIMEOUT, sizeof(msg),
- 0, MACH_PORT_NULL, MACH_MSG_TIMEOUT_NONE, MACH_PORT_NULL);
}
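Review bot: With the Mach message removed, `relay_signal()` is an empty handler, and the dispatcher that acted on those messages (`auditd_combined_server`, deleted in the hunk at `@@ -550`) is gone too, so if the handler is still installed for SIGTERM and SIGCHLD (the `signal()`/`sigaction()` calls are outside this hunk) a SIGTERM no longer reaches `close_all()` and children are no longer reaped. Until the kernel->auditd channel is chosen the body should at least say so: `/* XXX No-op for now: SIGTERM no longer reaches close_all() and SIGCHLD is not reaped until the kernel->auditd channel is settled. */`. An interim `volatile sig_atomic_t` flag set here and checked in `main()` would preserve the clean shutdown.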
/* registering the daemon */
@@ -404,9 +385,7 @@
/*
* React to input from the audit tool
*/
-kern_return_t auditd_control(auditd_port, flags)
- mach_port_t auditd_port;
- int flags;
+int auditd_control(int flags)
{
int err_ret = 0;
@@ -434,9 +413,12 @@
break;
}
- return KERN_SUCCESS;
+ return 0;
}
-
+/*
+ * XXX This routine will eventually handle kernel messages to rotate the
+ * audit log, etc.
+ */
/*
* Suppress duplicate messages within a 30 second interval.
* This should be enough to time to rotate log files without
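Review bot: The new `XXX This routine will eventually handle kernel messages …` comment is inserted between the closing brace of `auditd_control()` and the existing `Suppress duplicate messages` block, so the routine it describes, `audit_triggers()`, does not appear until the next hunk and the two blocks read as unrelated. Fold it into the existing header as its first paragraph, or place it directly above `int audit_triggers(int flags)` so `#define DUPLICATE_INTERVAL` stays attached to the comment that explains it.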
@@ -444,19 +426,15 @@
* actually rotated.
*/
#define DUPLICATE_INTERVAL 30
-/*
- * Implementation of the audit_triggers() MIG routine.
- */
-kern_return_t audit_triggers(audit_port, flags)
- mach_port_t audit_port;
- int flags;
+int audit_triggers(int flags)
{
static int last_flags;
static time_t last_time;
struct dir_ent *dirent;
/*
- * Suppres duplicate messages from the kernel within the specified interval
+ * Suppres duplicate messages from the kernel within the specified
+ * interval.
*/
struct timeval ts;
struct timezone tzp;
@@ -465,7 +443,7 @@
if(gettimeofday(&ts, &tzp) == 0) {
tt = (time_t)ts.tv_sec;
if ((flags == last_flags) && (tt < (last_time + DUPLICATE_INTERVAL))) {
- return KERN_SUCCESS;
+ return 0;
}
last_flags = flags;
last_time = tt;
@@ -524,7 +502,7 @@
audit_warn_allhard(++allhardcount);
}
}
- return KERN_SUCCESS;
+ return 0;
}
/*
@@ -550,49 +528,6 @@
}
/*
- * Handle an RPC call
- */
-boolean_t auditd_combined_server(
- mach_msg_header_t *InHeadP,
- mach_msg_header_t *OutHeadP)
-{
- mach_port_t local_port = InHeadP->msgh_local_port;
-
- if (local_port == signal_port) {
- int signo = InHeadP->msgh_id;
- int ret;
-
- if (SIGTERM == signo) {
- ret = close_all();
- exit (ret);
- } else if (SIGCHLD == signo) {
- reap_children();
- return TRUE;
- } else {
- syslog(LOG_INFO, "Recevied signal %d.\n", signo);
- return TRUE;
- }
- } else if (local_port == control_port) {
- boolean_t result;
-
- result = audit_triggers_server(InHeadP, OutHeadP);
- if (!result)
- result = auditd_control_server(InHeadP, OutHeadP);
- return result;
- }
- syslog(LOG_INFO, "Recevied msg on bad port 0x%x.\n", local_port);
- return FALSE;
-}
-
-void wait_on_audit_trigger(port_set)
- mach_port_t port_set;
-{
- kern_return_t result;
- result = mach_msg_server(auditd_combined_server, 4096, port_set, MACH_MSG_OPTION_NONE);
- syslog(LOG_ERR, "abnormal exit\n");
-}
-
-/*
* Configure the audit controls in the kernel: the event to class mapping,
* kernel preselection mask, etc.
*/
@@ -616,7 +551,8 @@
while((ev = getauevent()) != NULL) {
evc_map.ec_number = ev->ae_number;
evc_map.ec_class = ev->ae_class;
- if (auditon(A_SETCLASS, &evc_map, sizeof(au_evclass_map_t)) != 0) {
+ /* if (auditon(A_SETCLASS, &evc_map, sizeof(au_evclass_map_t)) != 0) { */
+ if (syscall(SYS_auditon,A_SETCLASS, &evc_map, sizeof(au_evclass_map_t)) != 0) {
syslog(LOG_ERR,
"Failed to register class mapping for event %s",
ev->ae_name);
@@ -639,7 +575,8 @@
if ((getacna(naeventstr, NA_EVENT_STR_SIZE) == 0)
&& ( getauditflagsbin(naeventstr, &aumask) == 0)) {
- if (auditon(A_SETKMASK, &aumask, sizeof(au_mask_t))){
+ /* if (auditon(A_SETKMASK, &aumask, sizeof(au_mask_t))){ */
+ if (syscall(SYS_auditon,A_SETKMASK, &aumask, sizeof(au_mask_t))){
syslog(LOG_ERR,
"Failed to register non-attributable event mask.");
} else {
@@ -653,7 +590,8 @@
/*
* Set the audit policy flags based on passed in parameter values.
*/
- if (auditon(A_SETPOLICY, &flags, sizeof(flags))) {
+ /* if (auditon(A_SETPOLICY, &flags, sizeof(flags))) { */
+ if (syscall(SYS_auditon,A_SETPOLICY, &flags, sizeof(flags))) {
syslog(LOG_ERR,
"Failed to set audit policy.");
}
@@ -663,55 +601,11 @@
void setup(long flags)
{
- mach_msg_type_name_t poly;
int aufd;
token_t *tok;
- /* Allocate a port set */
- if (mach_port_allocate(mach_task_self(),
- MACH_PORT_RIGHT_PORT_SET,
- &port_set) != KERN_SUCCESS) {
- syslog(LOG_ERR, "allocation of port set failed\n");
- fail_exit();
- }
-
- /* Allocate a signal reflection port */
- if (mach_port_allocate(mach_task_self(),
- MACH_PORT_RIGHT_RECEIVE,
- &signal_port) != KERN_SUCCESS ||
- mach_port_move_member(mach_task_self(),
- signal_port,
- port_set) != KERN_SUCCESS) {
- syslog(LOG_ERR, "allocation of signal port failed\n");
- fail_exit();
- }
-
- /* Allocate a trigger port */
- if (mach_port_allocate(mach_task_self(),
- MACH_PORT_RIGHT_RECEIVE,
- &control_port) != KERN_SUCCESS ||
- mach_port_move_member(mach_task_self(),
- control_port,
- port_set) != KERN_SUCCESS) {
- syslog(LOG_ERR, "allocation of trigger port failed\n");
- fail_exit();
- }
-
- /* create a send right on our trigger port */
- mach_port_extract_right(mach_task_self(), control_port,
- MACH_MSG_TYPE_MAKE_SEND, &control_port, &poly);
-
TAILQ_INIT(&dir_q);
- /* register the trigger port with the kernel */
- if(host_set_audit_control_port(mach_host_self(), control_port) != KERN_SUCCESS) {
- syslog(LOG_ERR, "Cannot set Mach control port\n");
- fail_exit();
- }
- else {
- syslog(LOG_ERR, "Mach control port registered\n");
- }
-
if(read_control_file() == -1) {
syslog(LOG_ERR, "Error reading control file\n");
fail_exit();
@@ -765,7 +659,7 @@
case '?':
default:
(void)fprintf(stderr,
- "usage: auditd [-h | -s]\n");
+ "usage: auditd [-h | -s] [-d] \n");
exit(1);
}
}
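Review bot: The new usage string carries a stray blank before the newline, `"usage: auditd [-h | -s] [-d] \n"`; it should read `"usage: auditd [-h | -s] [-d]\n"`. The `getopt()` string and the `case 'd':` that would make `-d` a real option are outside this hunk, so I cannot confirm the text matches what the parser accepts.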
@@ -784,7 +678,6 @@
}
setup(flags);
- wait_on_audit_trigger(port_set);
syslog(LOG_INFO, "exiting.\n");
exit(1);
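Review bot: Removing `wait_on_audit_trigger(port_set)` makes `exit(1)` the normal end of `main()`: after `setup(flags)` installs the event-to-class mapping the program logs `exiting.` and returns a failure status, so an rc script cannot distinguish the successful mapping load this version is meant for from a genuine failure. Use `exit(0)` on this path and keep a non-zero status for the `fail_exit()` cases. The closing of `main()` lies outside the hunk.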