PERFORCE change 93581 for review
Robert Watson
rwatson at FreeBSD.org
Sun Mar 19 17:11:46 UTC 2006
http://perforce.freebsd.org/chv.cgi?CH=93581
Change 93581 by rwatson at rwatson_peppercorn on 2006/03/19 17:10:38
Mega-style patch.
Affected files ...
.. //depot/projects/trustedbsd/audit3/sys/security/audit/audit.c#23 edit
.. //depot/projects/trustedbsd/audit3/sys/security/audit/audit.h#14 edit
.. //depot/projects/trustedbsd/audit3/sys/security/audit/audit_arg.c#15 edit
.. //depot/projects/trustedbsd/audit3/sys/security/audit/audit_bsm.c#11 edit
.. //depot/projects/trustedbsd/audit3/sys/security/audit/audit_bsm_klib.c#5 edit
.. //depot/projects/trustedbsd/audit3/sys/security/audit/audit_ioctl.h#4 edit
.. //depot/projects/trustedbsd/audit3/sys/security/audit/audit_private.h#23 edit
.. //depot/projects/trustedbsd/audit3/sys/security/audit/audit_syscalls.c#12 edit
.. //depot/projects/trustedbsd/audit3/sys/security/audit/audit_worker.c#3 edit
Differences ...
==== //depot/projects/trustedbsd/audit3/sys/security/audit/audit.c#23 (text+ko) ====
@@ -76,43 +76,43 @@
MALLOC_DEFINE(M_AUDITTEXT, "audit_text", "Audit text storage");
/*
- * Audit control settings that are set/read by system calls and are
+ * Audit control settings that are set/read by system calls and are
* hence non-static.
*/
-/*
+/*
* Define the audit control flags.
*/
-int audit_enabled;
-int audit_suspended;
+int audit_enabled;
+int audit_suspended;
/*
* Flags controlling behavior in low storage situations.
* Should we panic if a write fails? Should we fail stop
* if we're out of disk space?
*/
-int audit_panic_on_write_fail;
-int audit_fail_stop;
+int audit_panic_on_write_fail;
+int audit_fail_stop;
/*
* Are we currently "failing stop" due to out of disk space?
*/
-int audit_in_failure;
+int audit_in_failure;
/*
- * Global audit statistiscs.
+ * Global audit statistiscs.
*/
-struct audit_fstat audit_fstat;
+struct audit_fstat audit_fstat;
/*
* Preselection mask for non-attributable events.
*/
-struct au_mask audit_nae_mask;
+struct au_mask audit_nae_mask;
/*
* Mutex to protect global variables shared between various threads and
* processes.
*/
-struct mtx audit_mtx;
+struct mtx audit_mtx;
/*
* Queue of audit records ready for delivery to disk. We insert new
@@ -122,21 +122,21 @@
* not yet in the queue, which is needed to estimate the total
* size of the combined set of records outstanding in the system.
*/
-struct kaudit_queue audit_q;
-int audit_q_len;
-int audit_pre_q_len;
+struct kaudit_queue audit_q;
+int audit_q_len;
+int audit_pre_q_len;
/*
* Audit queue control settings (minimum free, low/high water marks, etc.)
*/
-struct au_qctrl audit_qctrl;
+struct au_qctrl audit_qctrl;
/*
* Condition variable to signal to the worker that it has work to do:
* either new records are in the queue, or a log replacement is taking
* place.
*/
-struct cv audit_cv;
+struct cv audit_cv;
/*
* Condition variable to signal to the worker that it has work to do:
@@ -145,14 +145,14 @@
*
* XXXRW: This description is incorrect.
*/
-struct cv audit_commit_cv;
+struct cv audit_commit_cv;
-/*
- * Condition variable for auditing threads wait on when in fail-stop mode.
- * Threads wait on this CV forever (and ever), never seeing the light of
+/*
+ * Condition variable for auditing threads wait on when in fail-stop mode.
+ * Threads wait on this CV forever (and ever), never seeing the light of
* day again.
*/
-static struct cv audit_fail_cv;
+static struct cv audit_fail_cv;
/*
* Construct an audit record for the passed thread.
@@ -228,7 +228,7 @@
audit_in_failure = 0;
audit_fstat.af_filesz = 0; /* '0' means unset, unbounded */
- audit_fstat.af_currsz = 0;
+ audit_fstat.af_currsz = 0;
audit_nae_mask.am_success = AU_NULL;
audit_nae_mask.am_failure = AU_NULL;
@@ -353,7 +353,7 @@
aumask = &audit_nae_mask;
else
aumask = &ar->k_ar.ar_subj_amask;
-
+
if (error)
sorf = AU_PRS_FAILURE;
else
@@ -363,7 +363,7 @@
case AUE_OPEN_RWTC:
/* The open syscall always writes a AUE_OPEN_RWTC event; change
- * it to the proper type of event based on the flags and the
+ * it to the proper type of event based on the flags and the
* error value.
*/
ar->k_ar.ar_event = flags_and_error_to_openevent(
@@ -421,7 +421,7 @@
uma_zfree(audit_record_zone, ar);
return;
}
-
+
/*
* Constrain the number of committed audit records based on
* the configurable parameter.
@@ -480,9 +480,9 @@
aumask = &audit_nae_mask;
else
aumask = &td->td_proc->p_au->ai_mask;
-
+
/*
- * Allocate an audit record, if preselection allows it, and store
+ * Allocate an audit record, if preselection allows it, and store
* in the thread for later use.
*/
if (au_preselect(audit_event, aumask,
@@ -533,7 +533,7 @@
audit_commit(td->td_ar, error, retval);
if (td->td_ar != NULL)
- AUDIT_PRINTF(("audit record committed by pid %d\n",
+ AUDIT_PRINTF(("audit record committed by pid %d\n",
td->td_proc->p_pid));
td->td_ar = NULL;
@@ -573,11 +573,11 @@
KASSERT(td->td_ar == NULL, ("audit_thread_free: td_ar != NULL"));
}
-/*
- * Initialize the audit information for the a process, presumably the first
+/*
+ * Initialize the audit information for the a process, presumably the first
* process in the system.
- * XXX It is not clear what the initial values should be for audit ID,
- * session ID, etc.
+ * XXX It is not clear what the initial values should be for audit ID,
+ * session ID, etc.
*/
void
audit_proc_kproc0(struct proc *p)
@@ -600,7 +600,7 @@
p->p_au->ai_auid = AU_DEFAUDITID;
}
-/*
+/*
* Copy the audit info from the parent process to the child process when
* a fork takes place.
*/
@@ -626,7 +626,7 @@
}
/*
- * Free the auditing structure for the process.
+ * Free the auditing structure for the process.
*/
void
audit_proc_free(struct proc *p)
==== //depot/projects/trustedbsd/audit3/sys/security/audit/audit.h#14 (text+ko) ====
@@ -76,7 +76,7 @@
#define ARG_AUID 0x0000000000000100ULL
#define ARG_GID 0x0000000000000200ULL
#define ARG_FD 0x0000000000000400ULL
-#define ARG_POSIX_IPC_PERM 0x0000000000000800ULL
+#define ARG_POSIX_IPC_PERM 0x0000000000000800ULL
#define ARG_FFLAGS 0x0000000000001000ULL
#define ARG_MODE 0x0000000000002000ULL
#define ARG_DEV 0x0000000000004000ULL
@@ -116,76 +116,67 @@
#define ARG_NONE 0x0000000000000000ULL
#define ARG_ALL 0xFFFFFFFFFFFFFFFFULL
-void audit_syscall_enter(unsigned short code,
- struct thread *td);
-void audit_syscall_exit(int error, struct thread *td);
+void audit_syscall_enter(unsigned short code, struct thread *td);
+void audit_syscall_exit(int error, struct thread *td);
/*
* The remaining kernel functions are conditionally compiled in as they
- * are wrapped by a macro, and the macro should be the only place in
+ * are wrapped by a macro, and the macro should be the only place in
* the source tree where these functions are referenced.
*/
#ifdef AUDIT
struct ipc_perm;
struct sockaddr;
union auditon_udata;
-void audit_arg_addr(void * addr);
-void audit_arg_exit(int status, int retval);
-void audit_arg_len(int len);
-void audit_arg_fd(int fd);
-void audit_arg_fflags(int fflags);
-void audit_arg_gid(gid_t gid);
-void audit_arg_uid(uid_t uid);
-void audit_arg_egid(gid_t egid);
-void audit_arg_euid(uid_t euid);
-void audit_arg_rgid(gid_t rgid);
-void audit_arg_ruid(uid_t ruid);
-void audit_arg_sgid(gid_t sgid);
-void audit_arg_suid(uid_t suid);
-void audit_arg_groupset(gid_t *gidset, u_int gidset_size);
-void audit_arg_login(char *login);
-void audit_arg_ctlname(int *name, int namelen);
-void audit_arg_mask(int mask);
-void audit_arg_mode(mode_t mode);
-void audit_arg_dev(int dev);
-void audit_arg_value(long value);
-void audit_arg_owner(uid_t uid, gid_t gid);
-void audit_arg_pid(pid_t pid);
-void audit_arg_process(struct proc *p);
-void audit_arg_signum(u_int signum);
-void audit_arg_socket(int sodomain, int sotype,
- int soprotocol);
-void audit_arg_sockaddr(struct thread *td,
- struct sockaddr *so);
-void audit_arg_auid(uid_t auid);
-void audit_arg_auditinfo(struct auditinfo *au_info);
-void audit_arg_upath(struct thread *td, char *upath,
- u_int64_t flags);
-void audit_arg_vnode(struct vnode *vp, u_int64_t flags);
-void audit_arg_text(char *text);
-void audit_arg_iovec(struct iovec *iov,
- unsigned int iovcnt);
-void audit_arg_cmd(int cmd);
-void audit_arg_svipc_cmd(int cmd);
-void audit_arg_svipc_perm(struct ipc_perm *perm);
-void audit_arg_svipc_id(int id);
-void audit_arg_svipc_addr(void *addr);
-void audit_arg_posix_ipc_perm(uid_t uid, gid_t gid,
- mode_t mode);
-void audit_arg_auditon(union auditon_udata *udata);
-void audit_arg_file(struct proc *p, struct file *fp);
-
-void audit_sysclose(struct thread *td, int fd);
+void audit_arg_addr(void * addr);
+void audit_arg_exit(int status, int retval);
+void audit_arg_len(int len);
+void audit_arg_fd(int fd);
+void audit_arg_fflags(int fflags);
+void audit_arg_gid(gid_t gid);
+void audit_arg_uid(uid_t uid);
+void audit_arg_egid(gid_t egid);
+void audit_arg_euid(uid_t euid);
+void audit_arg_rgid(gid_t rgid);
+void audit_arg_ruid(uid_t ruid);
+void audit_arg_sgid(gid_t sgid);
+void audit_arg_suid(uid_t suid);
+void audit_arg_groupset(gid_t *gidset, u_int gidset_size);
+void audit_arg_login(char *login);
+void audit_arg_ctlname(int *name, int namelen);
+void audit_arg_mask(int mask);
+void audit_arg_mode(mode_t mode);
+void audit_arg_dev(int dev);
+void audit_arg_value(long value);
+void audit_arg_owner(uid_t uid, gid_t gid);
+void audit_arg_pid(pid_t pid);
+void audit_arg_process(struct proc *p);
+void audit_arg_signum(u_int signum);
+void audit_arg_socket(int sodomain, int sotype, int soprotocol);
+void audit_arg_sockaddr(struct thread *td, struct sockaddr *so);
+void audit_arg_auid(uid_t auid);
+void audit_arg_auditinfo(struct auditinfo *au_info);
+void audit_arg_upath(struct thread *td, char *upath, u_int64_t flags);
+void audit_arg_vnode(struct vnode *vp, u_int64_t flags);
+void audit_arg_text(char *text);
+void audit_arg_iovec(struct iovec *iov, unsigned int iovcnt);
+void audit_arg_cmd(int cmd);
+void audit_arg_svipc_cmd(int cmd);
+void audit_arg_svipc_perm(struct ipc_perm *perm);
+void audit_arg_svipc_id(int id);
+void audit_arg_svipc_addr(void *addr);
+void audit_arg_posix_ipc_perm(uid_t uid, gid_t gid, mode_t mode);
+void audit_arg_auditon(union auditon_udata *udata);
+void audit_arg_file(struct proc *p, struct file *fp);
+void audit_sysclose(struct thread *td, int fd);
+void audit_proc_alloc(struct proc *p);
+void audit_proc_kproc0(struct proc *p);
+void audit_proc_init(struct proc *p);
+void audit_proc_fork(struct proc *parent, struct proc *child);
+void audit_proc_free(struct proc *p);
+void audit_thread_alloc(struct thread *td);
+void audit_thread_free(struct thread *td);
-void audit_proc_alloc(struct proc *p);
-void audit_proc_kproc0(struct proc *p);
-void audit_proc_init(struct proc *p);
-void audit_proc_fork(struct proc *parent,
- struct proc *child);
-void audit_proc_free(struct proc *p);
-void audit_thread_alloc(struct thread *td);
-void audit_thread_free(struct thread *td);
-
/*
* Define a macro to wrap the audit_arg_* calls by checking the global
* audit_enabled flag before performing the actual call.
@@ -193,23 +184,23 @@
#define AUDIT_ARG(op, args...) do { \
if (audit_enabled) \
audit_arg_ ## op (args); \
- } while (0)
+} while (0)
#define AUDIT_SYSCALL_ENTER(code, td) do { \
if (audit_enabled) { \
audit_syscall_enter(code, td); \
} \
- } while (0)
+} while (0)
/*
* Wrap the audit_syscall_exit() function so that it is called only when
- * auditing is enabled, or we have a audit record on the thread. It is
+ * auditing is enabled, or we have a audit record on the thread. It is
* possible that an audit record was begun before auditing was turned off.
*/
#define AUDIT_SYSCALL_EXIT(error, td) do { \
if (audit_enabled | (td->td_ar != NULL)) \
audit_syscall_exit(error, td); \
- } while (0)
+} while (0)
/*
* A Macro to wrap the audit_sysclose() function.
@@ -217,26 +208,25 @@
#define AUDIT_SYSCLOSE(td, fd) do { \
if (audit_enabled) \
audit_sysclose(td, fd); \
- } while (0)
+} while (0)
#else /* !AUDIT */
-void audit_proc_init(struct proc *p);
-void audit_proc_fork(struct proc *parent,
- struct proc *child);
-void audit_proc_free(struct proc *p);
+void audit_proc_init(struct proc *p);
+void audit_proc_fork(struct proc *parent, struct proc *child);
+void audit_proc_free(struct proc *p);
#define AUDIT_ARG(op, args...) do { \
- } while (0)
+} while (0)
#define AUDIT_SYSCALL_ENTER(code, td) do { \
- } while (0)
+} while (0)
#define AUDIT_SYSCALL_EXIT(error, td) do { \
- } while (0)
+} while (0)
#define AUDIT_SYSCLOSE(p, fd) do { \
- } while (0)
+} while (0)
#endif /* AUDIT */
==== //depot/projects/trustedbsd/audit3/sys/security/audit/audit_arg.c#15 (text+ko) ====
@@ -393,7 +393,7 @@
audit_arg_socket(int sodomain, int sotype, int soprotocol)
{
struct kaudit_record *ar;
-
+
ar = currecord();
if (ar == NULL)
return;
@@ -428,7 +428,7 @@
break;
case AF_UNIX:
- audit_arg_upath(td, ((struct sockaddr_un *)so)->sun_path,
+ audit_arg_upath(td, ((struct sockaddr_un *)so)->sun_path,
ARG_UPATH1);
ARG_SET_VALID(ar, ARG_SADDRUNIX);
break;
@@ -482,7 +482,7 @@
/* Invalidate the text string */
ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_TEXT);
if (text == NULL)
- return;
+ return;
if (ar->k_ar.ar_arg_text == NULL)
ar->k_ar.ar_arg_text = malloc(MAXPATHLEN, M_AUDITTEXT,
@@ -513,13 +513,11 @@
for (i = 0; i < iovcnt; i++) {
if (!is_auditable_string(iov[i].iov_base, iov[i].iov_len))
continue;
-
if (first) {
- ret = sbuf_printf(&sb, "%s", (char *)iov[i].iov_base);
+ ret = sbuf_printf(&sb, "%s", (char *)iov[i].iov_base);
first = 0;
- } else {
+ } else
ret = sbuf_printf(&sb, ":%s", (char *)iov[i].iov_base);
- }
if (ret != 0)
break;
}
@@ -564,8 +562,8 @@
if (ar == NULL)
return;
- bcopy(perm, &ar->k_ar.ar_arg_svipc_perm,
- sizeof(ar->k_ar.ar_arg_svipc_perm));
+ bcopy(perm, &ar->k_ar.ar_arg_svipc_perm,
+ sizeof(ar->k_ar.ar_arg_svipc_perm));
ARG_SET_VALID(ar, ARG_SVIPC_PERM);
}
@@ -619,8 +617,8 @@
if (ar == NULL)
return;
- bcopy((void *)udata, &ar->k_ar.ar_arg_auditon,
- sizeof(ar->k_ar.ar_arg_auditon));
+ bcopy((void *)udata, &ar->k_ar.ar_arg_auditon,
+ sizeof(ar->k_ar.ar_arg_auditon));
ARG_SET_VALID(ar, ARG_AUDITON);
}
@@ -667,20 +665,20 @@
if (so->so_pcb == NULL)
return;
ar->k_ar.ar_arg_sockinfo.so_type =
- so->so_type;
+ so->so_type;
ar->k_ar.ar_arg_sockinfo.so_domain =
- INP_SOCKAF(so);
+ INP_SOCKAF(so);
ar->k_ar.ar_arg_sockinfo.so_protocol =
- so->so_proto->pr_protocol;
+ so->so_proto->pr_protocol;
pcb = (struct inpcb *)so->so_pcb;
ar->k_ar.ar_arg_sockinfo.so_raddr =
- pcb->inp_faddr.s_addr;
+ pcb->inp_faddr.s_addr;
ar->k_ar.ar_arg_sockinfo.so_laddr =
- pcb->inp_laddr.s_addr;
+ pcb->inp_laddr.s_addr;
ar->k_ar.ar_arg_sockinfo.so_rport =
- pcb->inp_fport;
+ pcb->inp_fport;
ar->k_ar.ar_arg_sockinfo.so_lport =
- pcb->inp_lport;
+ pcb->inp_lport;
ARG_SET_VALID(ar, ARG_SOCKINFO);
}
break;
@@ -692,11 +690,11 @@
}
-/*
- * Store a path as given by the user process for auditing into the audit
- * record stored on the user thread. This function will allocate the memory to
- * store the path info if not already available. This memory will be
- * freed when the audit record is freed.
+/*
+ * Store a path as given by the user process for auditing into the audit
+ * record stored on the user thread. This function will allocate the memory
+ * to store the path info if not already available. This memory will be freed
+ * when the audit record is freed.
*
* XXXAUDIT: Possibly assert that the memory isn't already allocated?
*/
@@ -706,7 +704,7 @@
struct kaudit_record *ar;
char **pathp;
- if (td == NULL || upath == NULL)
+ if (td == NULL || upath == NULL)
return; /* nothing to do! */
/*
@@ -735,8 +733,8 @@
}
/*
- * Function to save the path and vnode attr information into the audit
- * record.
+ * Function to save the path and vnode attr information into the audit
+ * record.
*
* It is assumed that the caller will hold any vnode locks necessary to
* perform a VOP_GETATTR() on the passed vnode.
@@ -773,7 +771,7 @@
ASSERT_VOP_LOCKED(vp, "audit_arg_vnode");
ar = currecord();
- if (ar == NULL) /* This will be the case for unaudited system calls */
+ if (ar == NULL)
return;
/*
@@ -816,9 +814,9 @@
}
/*
- * The close() system call uses it's own audit call to capture the
- * path/vnode information because those pieces are not easily obtained
- * within the system call itself.
+ * The close() system call uses it's own audit call to capture the path/vnode
+ * information because those pieces are not easily obtained within the system
+ * call itself.
*/
void
audit_sysclose(struct thread *td, int fd)
@@ -839,4 +837,4 @@
VOP_UNLOCK(vp, 0, td);
VFS_UNLOCK_GIANT(vfslocked);
fdrop(fp, td);
-}
+}
==== //depot/projects/trustedbsd/audit3/sys/security/audit/audit_bsm.c#11 (text+ko) ====
@@ -54,7 +54,7 @@
MALLOC_DEFINE(M_AUDITBSM, "audit_bsm", "Audit BSM data");
-/*
+/*
* Forward declares.
*/
static void audit_sys_auditon(struct audit_record *ar,
@@ -72,18 +72,16 @@
}
/*
- * This call reserves memory for the audit record.
- * Memory must be guaranteed before any auditable event can be
- * generated.
- * The au_record structure maintains a reference to the
- * memory allocated above and also the list of tokens associated
- * with this record
- */
-static struct au_record *
+ * This call reserves memory for the audit record. Memory must be guaranteed
+ * before any auditable event can be generated. The au_record structure
+ * maintains a reference to the memory allocated above and also the list of
+ * tokens associated with this record
+ */
+static struct au_record *
kau_open(void)
-{
+{
struct au_record *rec;
-
+
rec = malloc(sizeof(*rec), M_AUDITBSM, M_WAITOK);
rec->data = malloc(MAX_AUDIT_RECORD_SIZE * sizeof(u_char),
M_AUDITBSM, M_WAITOK | M_ZERO);
@@ -96,7 +94,7 @@
/*
* Store the token with the record descriptor.
- */
+ */
static void
kau_write(struct au_record *rec, struct au_token *tok)
{
@@ -118,7 +116,7 @@
size_t tot_rec_size;
token_t *cur, *hdr, *trail;
struct timeval tm;
-
+
tot_rec_size = rec->len + BSM_HEADER_SIZE + BSM_TRAILER_SIZE;
if (tot_rec_size <= MAX_AUDIT_RECORD_SIZE) {
/* Create the header token */
@@ -131,34 +129,33 @@
TAILQ_INSERT_TAIL(&rec->token_q, trail, tokens);
/* Serialize token data to the record. */
-
rec->len = tot_rec_size;
dptr = rec->data;
TAILQ_FOREACH(cur, &rec->token_q, tokens) {
- memcpy(dptr, cur->t_data, cur->len);
+ memcpy(dptr, cur->t_data, cur->len);
dptr += cur->len;
}
}
}
/*
- * Free a BSM audit record by releasing all the tokens and clearing the
- * audit record information.
+ * Free a BSM audit record by releasing all the tokens and clearing the audit
+ * record information.
*/
void
kau_free(struct au_record *rec)
{
struct au_token *tok;
- /* Free the token list */
+ /* Free the token list. */
while ((tok = TAILQ_FIRST(&rec->token_q))) {
TAILQ_REMOVE(&rec->token_q, tok, tokens);
free(tok->t_data, M_AUDITBSM);
free(tok, M_AUDITBSM);
- }
+ }
rec->used = 0;
- rec->len = 0;
+ rec->len = 0;
free(rec->data, M_AUDITBSM);
free(rec, M_AUDITBSM);
}
@@ -218,7 +215,8 @@
kau_write(rec, tok); \
} else { \
if (ARG_IS_VALID(kar, ARG_FD)) { \
- tok = au_to_arg32(1, "non-file: fd", ar->ar_arg_fd);\
+ tok = au_to_arg32(1, "non-file: fd", \
+ ar->ar_arg_fd); \
kau_write(rec, tok); \
} \
} \
@@ -250,92 +248,92 @@
struct au_token *tok;
switch (ar->ar_arg_cmd) {
- case A_SETPOLICY:
+ case A_SETPOLICY:
if (sizeof(ar->ar_arg_auditon.au_flags) > 4)
- tok = au_to_arg64(1, "policy",
- ar->ar_arg_auditon.au_flags);
+ tok = au_to_arg64(1, "policy",
+ ar->ar_arg_auditon.au_flags);
else
- tok = au_to_arg32(1, "policy",
- ar->ar_arg_auditon.au_flags);
+ tok = au_to_arg32(1, "policy",
+ ar->ar_arg_auditon.au_flags);
kau_write(rec, tok);
break;
- case A_SETKMASK:
- tok = au_to_arg32(2, "setkmask:as_success",
- ar->ar_arg_auditon.au_mask.am_success);
+ case A_SETKMASK:
+ tok = au_to_arg32(2, "setkmask:as_success",
+ ar->ar_arg_auditon.au_mask.am_success);
kau_write(rec, tok);
- tok = au_to_arg32(2, "setkmask:as_failure",
- ar->ar_arg_auditon.au_mask.am_failure);
+ tok = au_to_arg32(2, "setkmask:as_failure",
+ ar->ar_arg_auditon.au_mask.am_failure);
kau_write(rec, tok);
break;
- case A_SETQCTRL:
- tok = au_to_arg32(3, "setqctrl:aq_hiwater",
- ar->ar_arg_auditon.au_qctrl.aq_hiwater);
+ case A_SETQCTRL:
+ tok = au_to_arg32(3, "setqctrl:aq_hiwater",
+ ar->ar_arg_auditon.au_qctrl.aq_hiwater);
kau_write(rec, tok);
- tok = au_to_arg32(3, "setqctrl:aq_lowater",
- ar->ar_arg_auditon.au_qctrl.aq_lowater);
+ tok = au_to_arg32(3, "setqctrl:aq_lowater",
+ ar->ar_arg_auditon.au_qctrl.aq_lowater);
kau_write(rec, tok);
- tok = au_to_arg32(3, "setqctrl:aq_bufsz",
- ar->ar_arg_auditon.au_qctrl.aq_bufsz);
+ tok = au_to_arg32(3, "setqctrl:aq_bufsz",
+ ar->ar_arg_auditon.au_qctrl.aq_bufsz);
kau_write(rec, tok);
- tok = au_to_arg32(3, "setqctrl:aq_delay",
- ar->ar_arg_auditon.au_qctrl.aq_delay);
+ tok = au_to_arg32(3, "setqctrl:aq_delay",
+ ar->ar_arg_auditon.au_qctrl.aq_delay);
kau_write(rec, tok);
- tok = au_to_arg32(3, "setqctrl:aq_minfree",
- ar->ar_arg_auditon.au_qctrl.aq_minfree);
+ tok = au_to_arg32(3, "setqctrl:aq_minfree",
+ ar->ar_arg_auditon.au_qctrl.aq_minfree);
kau_write(rec, tok);
break;
- case A_SETUMASK:
- tok = au_to_arg32(3, "setumask:as_success",
- ar->ar_arg_auditon.au_auinfo.ai_mask.am_success);
+ case A_SETUMASK:
+ tok = au_to_arg32(3, "setumask:as_success",
+ ar->ar_arg_auditon.au_auinfo.ai_mask.am_success);
kau_write(rec, tok);
- tok = au_to_arg32(3, "setumask:as_failure",
- ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure);
+ tok = au_to_arg32(3, "setumask:as_failure",
+ ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure);
kau_write(rec, tok);
break;
- case A_SETSMASK:
- tok = au_to_arg32(3, "setsmask:as_success",
- ar->ar_arg_auditon.au_auinfo.ai_mask.am_success);
+ case A_SETSMASK:
+ tok = au_to_arg32(3, "setsmask:as_success",
+ ar->ar_arg_auditon.au_auinfo.ai_mask.am_success);
kau_write(rec, tok);
- tok = au_to_arg32(3, "setsmask:as_failure",
- ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure);
+ tok = au_to_arg32(3, "setsmask:as_failure",
+ ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure);
kau_write(rec, tok);
break;
- case A_SETCOND:
+ case A_SETCOND:
if (sizeof(ar->ar_arg_auditon.au_cond) > 4)
- tok = au_to_arg64(3, "setcond",
- ar->ar_arg_auditon.au_cond);
+ tok = au_to_arg64(3, "setcond",
+ ar->ar_arg_auditon.au_cond);
else
- tok = au_to_arg32(3, "setcond",
- ar->ar_arg_auditon.au_cond);
+ tok = au_to_arg32(3, "setcond",
+ ar->ar_arg_auditon.au_cond);
kau_write(rec, tok);
break;
- case A_SETCLASS:
+ case A_SETCLASS:
tok = au_to_arg32(2, "setclass:ec_event",
- ar->ar_arg_auditon.au_evclass.ec_number);
+ ar->ar_arg_auditon.au_evclass.ec_number);
kau_write(rec, tok);
tok = au_to_arg32(3, "setclass:ec_class",
- ar->ar_arg_auditon.au_evclass.ec_class);
+ ar->ar_arg_auditon.au_evclass.ec_class);
kau_write(rec, tok);
break;
- case A_SETPMASK:
- tok = au_to_arg32(2, "setpmask:as_success",
- ar->ar_arg_auditon.au_aupinfo.ap_mask.am_success);
+ case A_SETPMASK:
+ tok = au_to_arg32(2, "setpmask:as_success",
+ ar->ar_arg_auditon.au_aupinfo.ap_mask.am_success);
kau_write(rec, tok);
- tok = au_to_arg32(2, "setpmask:as_failure",
- ar->ar_arg_auditon.au_aupinfo.ap_mask.am_failure);
+ tok = au_to_arg32(2, "setpmask:as_failure",
+ ar->ar_arg_auditon.au_aupinfo.ap_mask.am_failure);
kau_write(rec, tok);
break;
- case A_SETFSIZE:
- tok = au_to_arg32(2, "setfsize:filesize",
- ar->ar_arg_auditon.au_fstat.af_filesz);
+ case A_SETFSIZE:
+ tok = au_to_arg32(2, "setfsize:filesize",
+ ar->ar_arg_auditon.au_fstat.af_filesz);
kau_write(rec, tok);
break;
@@ -345,13 +343,14 @@
}
/*
- * Convert an internal kernel audit record to a BSM record and return
- * a success/failure indicator. The BSM record is passed as an out
- * parameter to this function.
+ * Convert an internal kernel audit record to a BSM record and return a
+ * success/failure indicator. The BSM record is passed as an out parameter to
+ * this function.
+ *
* Return conditions:
* BSM_SUCCESS: The BSM record is valid
* BSM_FAILURE: Failure; the BSM record is NULL.
- * BSM_NOAUDIT: The event is not auditable for BSM; the BSM record is NULL.
+ * BSM_NOAUDIT: The event is not auditable for BSM; the BSM record is NULL.
*/
int
kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau)
@@ -380,35 +379,35 @@
ar->ar_subj_asid, /* session ID */
&tid);
- /* The logic inside each case fills in the tokens required for the
- * event, except for the header, trailer, and return tokens. The
+ /*
+ * The logic inside each case fills in the tokens required for the
+ * event, except for the header, trailer, and return tokens. The
* header and trailer tokens are added by the kau_close() function.
* The return token is added outside of the switch statement.
- */
+ */
switch(ar->ar_event) {
-
- /*
- * Socket-related events.
- */
case AUE_ACCEPT:
case AUE_BIND:
case AUE_CONNECT:
case AUE_RECVFROM:
- case AUE_RECVMSG:
+ case AUE_RECVMSG:
case AUE_SENDMSG:
case AUE_SENDTO:
+ /*
+ * Socket-related events.
+ */
if (ARG_IS_VALID(kar, ARG_FD)) {
tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
kau_write(rec, tok);
}
if (ARG_IS_VALID(kar, ARG_SADDRINET)) {
- tok = au_to_sock_inet(
- (struct sockaddr_in *)&ar->ar_arg_sockaddr);
+ tok = au_to_sock_inet((struct sockaddr_in *)
+ &ar->ar_arg_sockaddr);
kau_write(rec, tok);
}
if (ARG_IS_VALID(kar, ARG_SADDRUNIX)) {
- tok = au_to_sock_unix(
- (struct sockaddr_un *)&ar->ar_arg_sockaddr);
+ tok = au_to_sock_unix((struct sockaddr_un *)
+ &ar->ar_arg_sockaddr);
kau_write(rec, tok);
UPATH1_TOKENS;
}
@@ -469,21 +468,23 @@
case AUE_SETAUDIT:
if (ARG_IS_VALID(kar, ARG_AUID)) {
- tok = au_to_arg32(1, "setaudit:auid", ar->ar_arg_auid);
+ tok = au_to_arg32(1, "setaudit:auid",
+ ar->ar_arg_auid);
kau_write(rec, tok);
- tok = au_to_arg32(1, "setaudit:port",
- ar->ar_arg_termid.port);
+ tok = au_to_arg32(1, "setaudit:port",
+ ar->ar_arg_termid.port);
kau_write(rec, tok);
- tok = au_to_arg32(1, "setaudit:machine",
- ar->ar_arg_termid.machine);
+ tok = au_to_arg32(1, "setaudit:machine",
+ ar->ar_arg_termid.machine);
kau_write(rec, tok);
- tok = au_to_arg32(1, "setaudit:as_success",
- ar->ar_arg_amask.am_success);
+ tok = au_to_arg32(1, "setaudit:as_success",
+ ar->ar_arg_amask.am_success);
kau_write(rec, tok);
- tok = au_to_arg32(1, "setaudit:as_failure",
- ar->ar_arg_amask.am_failure);
+ tok = au_to_arg32(1, "setaudit:as_failure",
+ ar->ar_arg_amask.am_failure);
kau_write(rec, tok);
- tok = au_to_arg32(1, "setaudit:asid", ar->ar_arg_asid);
+ tok = au_to_arg32(1, "setaudit:asid",
+ ar->ar_arg_asid);
kau_write(rec, tok);
}
break;
@@ -492,7 +493,9 @@
break; /* XXX need to add arguments */
case AUE_AUDITON:
- /* For AUDITON commands without own event, audit the cmd */
+ /*
+ * For AUDITON commands without own event, audit the cmd.
+ */
if (ARG_IS_VALID(kar, ARG_CMD)) {
tok = au_to_arg32(1, "cmd", ar->ar_arg_cmd);
kau_write(rec, tok);
@@ -515,11 +518,10 @@
case AUE_AUDITON_SETUMASK:
case AUE_AUDITON_SPOLICY:
case AUE_AUDITON_SQCTRL:
- if (ARG_IS_VALID(kar, ARG_AUDITON)) {
+ if (ARG_IS_VALID(kar, ARG_AUDITON))
audit_sys_auditon(ar, rec);
- }
break;
-
+
case AUE_AUDITCTL:
UPATH1_VNODE1_TOKENS;
break;
@@ -544,7 +546,9 @@
case AUE_SETSID:
case AUE_SETTIMEOFDAY:
case AUE_NEWSYSTEMSHREG:
- /* Header, subject, and return tokens added at end */
+ /*
+ * Header, subject, and return tokens added at end.
+ */
break;
case AUE_MKFIFO:
@@ -584,16 +588,17 @@
}
UPATH1_VNODE1_TOKENS;
break;
-
+
case AUE_CHMOD:
case AUE_LCHMOD:
if (ARG_IS_VALID(kar, ARG_MODE)) {
- tok = au_to_arg32(2, "new file mode", ar->ar_arg_mode);
+ tok = au_to_arg32(2, "new file mode",
+ ar->ar_arg_mode);
kau_write(rec, tok);
}
UPATH1_VNODE1_TOKENS;
break;
-
+
case AUE_CHOWN:
case AUE_LCHOWN:
if (ARG_IS_VALID(kar, ARG_UID)) {
@@ -606,7 +611,7 @@
}
UPATH1_VNODE1_TOKENS;
break;
-
+
case AUE_EXCHANGEDATA:
UPATH1_VNODE1_TOKENS;
UPATH2_TOKENS;
@@ -622,12 +627,13 @@
case AUE_FCHMOD:
if (ARG_IS_VALID(kar, ARG_MODE)) {
- tok = au_to_arg32(2, "new file mode", ar->ar_arg_mode);
+ tok = au_to_arg32(2, "new file mode",
+ ar->ar_arg_mode);
kau_write(rec, tok);
>>> TRUNCATED FOR MAIL (1000 lines) <<<
More information about the trustedbsd-cvs
mailing list