PERFORCE change 104835 for review
Robert Watson
rwatson at FreeBSD.org
Wed Aug 23 07:50:21 UTC 2006
http://perforce.freebsd.org/chv.cgi?CH=104835
Change 104835 by rwatson at rwatson_sesame on 2006/08/23 07:49:54
Change the audit filter API to pass an immutable void * into module
APIs, which is then used via a cookie API, rather than being owned
by the module. This allows the audit filter daemon to offer
services that require per-instance state -- for example, per-module
preselection.
Further rename am_auditrecord to am_rawrecord to make the functional
distinction from am_record more clear.
Affected files ...
.. //depot/projects/trustedbsd/openbsm/HISTORY#25 edit
.. //depot/projects/trustedbsd/openbsm/bin/auditfilterd/auditfilterd.c#9 edit
.. //depot/projects/trustedbsd/openbsm/bin/auditfilterd/auditfilterd.h#5 edit
.. //depot/projects/trustedbsd/openbsm/bin/auditfilterd/auditfilterd_conf.c#5 edit
.. //depot/projects/trustedbsd/openbsm/bsm/audit_filter.h#4 edit
.. //depot/projects/trustedbsd/openbsm/modules/auditfilter_noop/auditfilter_noop.c#4 edit
Differences ...
==== //depot/projects/trustedbsd/openbsm/HISTORY#25 (text+ko) ====
@@ -1,8 +1,13 @@
OpenBSM 1.0 alpha 9
- Rename many OpenBSM-specific constants and API elements containing the
- strings "BSM" and "bsm" to "AUDIT" and "audit", observing that this is
- true for almost all existing constants and APIs.
+ strings "BSM" and "bsm" to "AUDIT" and "audit", observing that this is true
+ for almost all existing constants and APIs.
+- Instead of passing a per-instance cookie directly into all audit filter
+ APIs, pass in the audit filter daemon state pointer, which is then used by
+ the module using an audit_filter_{get,set}cookie() API. This will allow
+ future service APIs provided by the filter daemon to maintain their own
+ state -- for example, per-module preselection state.
OpenBSM 1.0 alpha 8
@@ -198,4 +203,4 @@
to support reloading of kernel event table.
- Allow comments in /etc/security configuration files.
-$P4: //depot/projects/trustedbsd/openbsm/HISTORY#24 $
+$P4: //depot/projects/trustedbsd/openbsm/HISTORY#25 $
==== //depot/projects/trustedbsd/openbsm/bin/auditfilterd/auditfilterd.c#9 (text+ko) ====
@@ -25,7 +25,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $P4: //depot/projects/trustedbsd/openbsm/bin/auditfilterd/auditfilterd.c#8 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/auditfilterd/auditfilterd.c#9 $
*/
/*
@@ -115,13 +115,13 @@
* Present raw BSM to a set of registered and interested filters.
*/
static void
-present_auditrecord(struct timespec *ts, u_char *data, u_int len)
+present_rawrecord(struct timespec *ts, u_char *data, u_int len)
{
struct auditfilter_module *am;
TAILQ_FOREACH(am, &filter_list, am_list) {
- if (am->am_auditrecord != NULL)
- (am->am_auditrecord)(am->am_instance, ts, data, len);
+ if (am->am_rawrecord != NULL)
+ (am->am_rawrecord)(am, ts, data, len);
}
}
@@ -149,8 +149,7 @@
TAILQ_FOREACH(am, &filter_list, am_list) {
if (am->am_record != NULL)
- (am->am_record)(am->am_instance, ts, tokencount,
- tokens);
+ (am->am_record)(am, ts, tokencount, tokens);
}
}
@@ -200,7 +199,7 @@
continue;
if (clock_gettime(CLOCK_REALTIME, &ts) < 0)
err(-1, "clock_gettime");
- present_auditrecord(&ts, buf, reclen);
+ present_rawrecord(&ts, buf, reclen);
present_tokens(&ts, buf, reclen);
free(buf);
}
@@ -250,7 +249,7 @@
continue;
if (clock_gettime(CLOCK_REALTIME, &ts) < 0)
err(-1, "clock_gettime");
- present_auditrecord(&ts, record, reclen);
+ present_rawrecord(&ts, record, reclen);
present_tokens(&ts, record, reclen);
}
}
==== //depot/projects/trustedbsd/openbsm/bin/auditfilterd/auditfilterd.h#5 (text+ko) ====
@@ -25,7 +25,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $P4: //depot/projects/trustedbsd/openbsm/bin/auditfilterd/auditfilterd.h#4 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/auditfilterd/auditfilterd.h#5 $
*/
#define AUDITFILTERD_CONFFILE "/etc/security/audit_filter"
@@ -53,11 +53,11 @@
/*
* Fields provided by or extracted from the module.
*/
- void *am_instance;
+ void *am_cookie;
audit_filter_attach_t am_attach;
audit_filter_reinit_t am_reinit;
audit_filter_record_t am_record;
- audit_filter_auditrecord_t am_auditrecord;
+ audit_filter_rawrecord_t am_rawrecord;
audit_filter_detach_t am_detach;
/*
==== //depot/projects/trustedbsd/openbsm/bin/auditfilterd/auditfilterd_conf.c#5 (text+ko) ====
@@ -25,7 +25,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $P4: //depot/projects/trustedbsd/openbsm/bin/auditfilterd/auditfilterd_conf.c#4 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/auditfilterd/auditfilterd_conf.c#5 $
*/
/*
@@ -38,6 +38,12 @@
* Modules are in one of two states: attached, or detached. If attach fails,
* detach is not called because it was not attached. If a module is attached
* and a call to its reinit method fails, we will detach it.
+ *
+ * Modules are passed a (void *) reference to their configuration state so
+ * that they may pass this into any common APIs we provide which may rely on
+ * that state. Currently, the only such API is the cookie API, which allows
+ * per-instance state to be maintained by a module. In the future, this will
+ * also be used to support per-instance preselection state.
*/
#include <sys/types.h>
@@ -105,8 +111,8 @@
{
if (am->am_detach != NULL)
- am->am_detach(am->am_instance);
- am->am_instance = NULL;
+ am->am_detach(am);
+ am->am_cookie = NULL;
(void)dlclose(am->am_dlhandle);
am->am_dlhandle = NULL;
}
@@ -149,21 +155,22 @@
am->am_attach = dlsym(am->am_dlhandle, AUDIT_FILTER_ATTACH_STRING);
am->am_reinit = dlsym(am->am_dlhandle, AUDIT_FILTER_REINIT_STRING);
am->am_record = dlsym(am->am_dlhandle, AUDIT_FILTER_RECORD_STRING);
- am->am_auditrecord = dlsym(am->am_dlhandle,
- AUDIT_FILTER_AUDITRECORD_STRING);
+ am->am_rawrecord = dlsym(am->am_dlhandle,
+ AUDIT_FILTER_RAWRECORD_STRING);
am->am_detach = dlsym(am->am_dlhandle, AUDIT_FILTER_DETACH_STRING);
if (am->am_attach != NULL) {
- if (am->am_attach(&am->am_instance, am->am_argc, am->am_argv)
+ if (am->am_attach(am, am->am_argc, am->am_argv)
!= AUDIT_FILTER_SUCCESS) {
warnx("auditfilter_module_attach: %s: failed",
am->am_modulename);
dlclose(am->am_dlhandle);
am->am_dlhandle = NULL;
+ am->am_cookie = NULL;
am->am_attach = NULL;
am->am_reinit = NULL;
am->am_record = NULL;
- am->am_auditrecord = NULL;
+ am->am_rawrecord = NULL;
am->am_detach = NULL;
return (-1);
}
@@ -184,7 +191,7 @@
if (am->am_reinit == NULL)
return (0);
- if (am->am_reinit(&am->am_instance, am->am_argc, am->am_argv) !=
+ if (am->am_reinit(am, am->am_argc, am->am_argv) !=
AUDIT_FILTER_SUCCESS) {
warnx("auditfilter_module_reinit: %s: failed",
am->am_modulename);
@@ -483,3 +490,24 @@
auditfilter_module_list_detach(&filter_list);
auditfilter_module_list_free(&filter_list);
}
+
+/*
+ * APIs to allow modules to query and set their per-instance cookie.
+ */
+void
+audit_filter_getcookie(void *instance, void **cookie)
+{
+ struct auditfilter_module *am;
+
+ am = (struct auditfilter_module *)instance;
+ *cookie = am->am_cookie;
+}
+
+void
+audit_filter_setcookie(void *instance, void *cookie)
+{
+ struct auditfilter_module *am;
+
+ am = (struct auditfilter_module *)instance;
+ am->am_cookie = cookie;
+}
==== //depot/projects/trustedbsd/openbsm/bsm/audit_filter.h#4 (text+ko) ====
@@ -25,7 +25,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $P4: //depot/projects/trustedbsd/openbsm/bsm/audit_filter.h#3 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bsm/audit_filter.h#4 $
*/
#ifndef _BSM_AUDIT_FILTER_H_
@@ -38,22 +38,28 @@
* audit_filter_reinit_t - arguments to module have changed
* audit_filter_record_t - present parsed record to filter module, with
* receipt time
- * audit_filter_auditrecord_t - present BSM format record to filter module,
+ * audit_filter_rawrecord_t - present BSM format record to filter module,
* with receipt time
* audit_filter_destach_t - filter module is being detached
*
* There may be many instances of the same filter, identified by the instance
* void pointer maintained by the filter instance.
*/
-typedef int (*audit_filter_attach_t)(void **instance, int argc, char *argv[]);
+typedef int (*audit_filter_attach_t)(void *instance, int argc, char *argv[]);
typedef int (*audit_filter_reinit_t)(void *instance, int argc, char *argv[]);
typedef void (*audit_filter_record_t)(void *instance, struct timespec *ts,
int token_count, const tokenstr_t tok[]);
-typedef void (*audit_filter_auditrecord_t)(void *instance, struct timespec *ts,
+typedef void (*audit_filter_rawrecord_t)(void *instance, struct timespec *ts,
void *data, u_int len);
typedef void (*audit_filter_detach_t)(void *instance);
/*
+ * APIs that may be called by audit filters.
+ */
+void audit_filter_getcookie(void *instance, void **cookie);
+void audit_filter_setcookie(void *instance, void *cookie);
+
+/*
* Values to be returned by audit_filter_init_t.
*/
#define AUDIT_FILTER_SUCCESS (0)
@@ -66,12 +72,12 @@
#define AUDIT_FILTER_ATTACH audit_filter_attach
#define AUDIT_FILTER_REINIT audit_filter_reinit
#define AUDIT_FILTER_RECORD audit_filter_record
-#define AUDIT_FILTER_AUDITRECORD audit_filter_auditrecord
+#define AUDIT_FILTER_RAWRECORD audit_filter_rawrecord
#define AUDIT_FILTER_DETACH audit_filter_detach
#define AUDIT_FILTER_ATTACH_STRING "audit_filter_attach"
#define AUDIT_FILTER_REINIT_STRING "audit_filter_reinit"
#define AUDIT_FILTER_RECORD_STRING "audit_filter_record"
-#define AUDIT_FILTER_AUDITRECORD_STRING "audit_filter_auditrecord"
+#define AUDIT_FILTER_RAWRECORD_STRING "audit_filter_rawrecord"
#define AUDIT_FILTER_DETACH_STRING "audit_filter_detach"
#endif /* !_BSM_AUDIT_FILTER_H_ */
==== //depot/projects/trustedbsd/openbsm/modules/auditfilter_noop/auditfilter_noop.c#4 (text+ko) ====
@@ -25,7 +25,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $P4: //depot/projects/trustedbsd/openbsm/modules/auditfilter_noop/auditfilter_noop.c#3 $
+ * $P4: //depot/projects/trustedbsd/openbsm/modules/auditfilter_noop/auditfilter_noop.c#4 $
*/
/*
@@ -39,7 +39,7 @@
#include <bsm/audit_filter.h>
int
-AUDIT_FILTER_ATTACH(void **instance, int argc, char *argv[])
+AUDIT_FILTER_ATTACH(void *instance, int argc, char *argv[])
{
return (0);
@@ -60,7 +60,7 @@
}
void
-AUDIT_FILTER_AUDITRECORD(void *instance, struct timespec *ts, u_char *data,
+AUDIT_FILTER_RAWRECORD(void *instance, struct timespec *ts, u_char *data,
u_int len)
{
More information about the trustedbsd-cvs
mailing list