PERFORCE change 106293 for review
Robert Watson
rwatson at FreeBSD.org
Mon Sep 18 07:59:32 PDT 2006
http://perforce.freebsd.org/chv.cgi?CH=106293
Change 106293 by rwatson at rwatson_zoo on 2006/09/18 14:55:17
Integrate TrustedBSD audit3 branch from TrustedBSD OpenBSM branch
to bring in OpenBSM 1.0alpha11 changes of various sorts --
especially as relates to audit policy flags.
Affected files ...
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/HISTORY#13 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/TODO#10 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/VERSION#13 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/audit/audit.c#8 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditd/auditd.8#4 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditd/auditd.c#14 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditd/auditd.h#4 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/bsm/audit.h#17 branch
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/bsm/audit_internal.h#12 branch
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/bsm/audit_kevents.h#27 branch
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/bsm/libbsm.h#17 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/configure#12 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/configure.ac#13 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/etc/audit_control#6 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/etc/audit_event#16 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/au_control.3#5 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/bsm_control.c#9 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/man/audit_control.5#7 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/man/auditon.2#7 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/tools/audump.c#8 integrate
Differences ...
==== //depot/projects/trustedbsd/audit3/contrib/openbsm/HISTORY#13 (text+ko) ====
@@ -1,3 +1,31 @@
+OpenBSM 1.0 alpha 11
+
+- Reclassify certain read/write operations as having no class rather than the
+ fr/fw class; our default classes audit intent (open) not operations (read,
+ write).
+- Introduce AUE_SYSCTL_WRITE event so that BSD/Darwin systems can audit reads
+ and writes of sysctls as separate events. Add additional kernel
+ environment and jail events for FreeBSD.
+- Break AUDIT_TRIGGER_OPEN_NEW into two events, AUDIT_TRIGGER_ROTATE_USER
+ (issued by the user audit(8) tool) and AUDIT_TRIGGER_ROTATE_KERNEL (issued
+ by the kernel audit implementation) so that they can be distinguished.
+- Disable rate limiting of rotate requests; as the kernel doesn't retransmit
+ a dropped request, the log file will otherwise grow indefinitely if the
+ trigger is dropped.
+- Improve auditd debugging output.
+- Fix a number of threading related bugs in audit_control file reading
+ routines.
+- Add APIs au_poltostr() and au_strtopol() to convert between text
+ representations of audit_control policy flags and the flags passed to
+ auditon(A_SETPOLICY) and retrieved from auditon(A_GETPOLICY).
+- Add API getacpol() to return the 'policy:' entry from audit_control, an
+ extension to the Solaris file format to allow specification of policy
+ persistent flags.
+- Update audump to print the audit_control policy field.
+- Update auditd to read the audit_control policy field and set the kernel
+ policy to match it when configuring/reconfiguring. Remove the -s and -h
+ arguments as these policies are now set via the configuration file.
+
OpenBSM 1.0 alpha 10
- auditd now generates complete audit records for its events, as required for
@@ -209,4 +237,4 @@
to support reloading of kernel event table.
- Allow comments in /etc/security configuration files.
-$P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/HISTORY#12 $
+$P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/HISTORY#13 $
==== //depot/projects/trustedbsd/audit3/contrib/openbsm/TODO#10 (text+ko) ====
@@ -17,5 +17,10 @@
just at the beginning of a record. This will make it easier to use
praudit in test suites processing single-token files without header and
trailer context.
+- Teach auditd how to notify a script when it is done with trail files so
+ that the script can archive them, compress them, delete them, whatever.
+ It should walk any trail files found at startup also, assuming it
+ successfully registers.
+- Put hostname in trail file name.
-$P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/TODO#9 $
+$P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/TODO#10 $
==== //depot/projects/trustedbsd/audit3/contrib/openbsm/VERSION#13 (text+ko) ====
@@ -1,1 +1,1 @@
-OPENBSM_1_0_ALPHA_9
+OPENBSM_1_0_ALPHA_11
==== //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/audit/audit.c#8 (text+ko) ====
@@ -30,7 +30,7 @@
*
* @APPLE_BSD_LICENSE_HEADER_END@
*
- * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/audit/audit.c#7 $
+ * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/audit/audit.c#8 $
*/
/*
* Program to trigger the audit daemon with a message that is either:
@@ -75,7 +75,7 @@
switch(ch) {
case 'n':
- trigger = AUDIT_TRIGGER_OPEN_NEW;
+ trigger = AUDIT_TRIGGER_ROTATE_USER;
break;
case 's':
==== //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditd/auditd.8#4 (text+ko) ====
@@ -29,7 +29,7 @@
.\"
.\" @APPLE_BSD_LICENSE_HEADER_END@
.\"
-.\" $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditd/auditd.8#3 $
+.\" $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditd/auditd.8#4 $
.\"
.Dd January 24, 2004
.Dt AUDITD 8
@@ -51,14 +51,20 @@
.Bl -tag -width Ds
.It Fl d
Starts the daemon in debug mode - it will not daemonize.
-.It Fl h
-Specifies that if auditing cannot be performed as specified, the system should
-halt (panic). Normally, the system will attempt to proceed - although individual
-processes may be stopped (see the -s option).
-.It Fl s
-Specifies that individual processes should stop rather than perform operations
-that may cause audit records to be lost due to log file full conditions
.El
+.Pp
+The historical
+.Fl h
+and
+.Fl s
+flags are now configured using
+.Xr audit_control 5
+policy flags
+.Dv ahlt
+and
+.Dv cnt ,
+and are no longer available as arguments to
+.Xr auditd 8 .
.Sh NOTE
.Pp
To assure uninterrupted audit support, the
==== //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditd/auditd.c#14 (text+ko) ====
@@ -30,7 +30,7 @@
*
* @APPLE_BSD_LICENSE_HEADER_END@
*
- * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditd/auditd.c#13 $
+ * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditd/auditd.c#14 $
*/
#include <sys/types.h>
@@ -59,6 +59,7 @@
#include "auditd.h"
#define NA_EVENT_STR_SIZE 25
+#define POL_STR_SIZE 128
static int ret, minval;
static char *lastfile = NULL;
@@ -67,7 +68,6 @@
static int sigchlds, sigchlds_handled;
static int sighups, sighups_handled;
static int sigterms, sigterms_handled;
-static long global_flags;
static TAILQ_HEAD(, dir_ent) dir_q;
@@ -160,8 +160,9 @@
*ptr = '.';
strcpy(ptr+1, TS);
if (rename(oldname, lastfile) != 0)
- syslog(LOG_ERR, "Could not rename %s to %s",
- oldname, lastfile);
+ syslog(LOG_ERR,
+ "Could not rename %s to %s: %m", oldname,
+ lastfile);
else
syslog(LOG_INFO, "renamed %s to %s",
oldname, lastfile);
@@ -286,7 +287,7 @@
free(dirent->dirname);
free(dirent);
}
- syslog(LOG_ERR, "Log directories exhausted\n");
+ syslog(LOG_ERR, "Log directories exhausted");
return (-1);
}
@@ -343,7 +344,7 @@
* XXX is generated here?
*/
if (0 == (ret = getacmin(&minval))) {
- syslog(LOG_DEBUG, "min free = %d\n", minval);
+ syslog(LOG_DEBUG, "min free = %d", minval);
if (auditon(A_GETQCTRL, &qctrl, sizeof(qctrl)) != 0) {
syslog(LOG_ERR,
"could not get audit queue settings");
@@ -494,31 +495,65 @@
}
/*
- * Suppress duplicate messages within a 30 second interval. This should be
- * enough to time to rotate log files without thrashing from soft warnings
- * generated before the log is actually rotated.
+ * Handle the audit trigger event.
+ *
+ * We suppress (ignore) duplicated triggers in close succession in order to
+ * try to avoid thrashing-like behavior. However, not all triggers can be
+ * ignored, as triggers generally represent edge triggers, not level
+ * triggers, and won't be retransmitted if the condition persists. Of
+ * specific concern is the rotate trigger -- if one is dropped, then it will
+ * not be retransmitted, and the log file will grow in an unbounded fashion.
*/
#define DUPLICATE_INTERVAL 30
static void
handle_audit_trigger(int trigger)
{
- static int last_trigger;
+ static int last_trigger, last_warning;
static time_t last_time;
struct dir_ent *dirent;
+ struct timeval ts;
+ struct timezone tzp;
+ time_t tt;
/*
- * Suppres duplicate messages from the kernel within the specified
+ * Suppress duplicate messages from the kernel within the specified
* interval.
*/
- struct timeval ts;
- struct timezone tzp;
- time_t tt;
-
if (gettimeofday(&ts, &tzp) == 0) {
tt = (time_t)ts.tv_sec;
- if ((trigger == last_trigger) &&
- (tt < (last_time + DUPLICATE_INTERVAL)))
- return;
+ switch (trigger) {
+ case AUDIT_TRIGGER_LOW_SPACE:
+ case AUDIT_TRIGGER_NO_SPACE:
+ /*
+ * Triggers we can suppress. Of course, we also need
+ * to rate limit the warnings, so apply the same
+ * interval limit on syslog messages.
+ */
+ if ((trigger == last_trigger) &&
+ (tt < (last_time + DUPLICATE_INTERVAL))) {
+ if (tt >= (last_warning + DUPLICATE_INTERVAL))
+ syslog(LOG_INFO,
+ "Suppressing duplicate trigger %d",
+ trigger);
+ return;
+ }
+ last_warning = tt;
+ break;
+
+ case AUDIT_TRIGGER_ROTATE_KERNEL:
+ case AUDIT_TRIGGER_ROTATE_USER:
+ case AUDIT_TRIGGER_READ_FILE:
+ /*
+ * Triggers that we cannot suppress.
+ */
+ break;
+ }
+
+ /*
+ * Only update last_trigger after aborting due to a duplicate
+ * trigger, not before, or we will never allow that trigger
+ * again.
+ */
last_trigger = trigger;
last_time = tt;
}
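Review bot: The "Suppressing duplicate trigger" message in the LOW_SPACE/NO_SPACE case looks unreachable, so suppressed space triggers are still dropped without any trace in syslog. `last_warning` is assigned only on the accepted path, in the same pass that sets `last_time`, so whenever `tt < last_time + DUPLICATE_INTERVAL` holds for a repeated trigger, `tt >= last_warning + DUPLICATE_INTERVAL` cannot. Moving `last_warning = tt;` into the inner `if`, next to the `syslog()` call, gives the intended one-message-per-interval behaviour. `last_warning` also stores a `time_t` in an `int`; declaring it as `static time_t last_warning;` avoids the narrowing. The body of handle_audit_trigger continues outside this hunk.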
@@ -528,7 +563,6 @@
*/
dirent = TAILQ_FIRST(&dir_q);
switch(trigger) {
-
case AUDIT_TRIGGER_LOW_SPACE:
syslog(LOG_INFO, "Got low space trigger");
if (dirent && (dirent->softlim != 1)) {
@@ -554,7 +588,8 @@
} else {
/*
* Continue auditing to the current file. Also
- * generate an allsoft warning.
+ * generate an allsoft warning.
+ *
* XXX do we want to do this ?
*/
audit_warn_allsoft();
@@ -577,12 +612,14 @@
audit_warn_allhard(++allhardcount);
break;
- case AUDIT_TRIGGER_OPEN_NEW:
+ case AUDIT_TRIGGER_ROTATE_KERNEL:
+ case AUDIT_TRIGGER_ROTATE_USER:
/*
* Create a new file and swap with the one being used in
* kernel
*/
- syslog(LOG_INFO, "Got open new trigger");
+ syslog(LOG_INFO, "Got open new trigger from %s", trigger ==
+ AUDIT_TRIGGER_ROTATE_KERNEL ? "kernel" : "user");
if (swap_audit_file() == -1)
syslog(LOG_ERR, "Error swapping audit file");
break;
@@ -656,10 +693,8 @@
syslog(LOG_DEBUG, "%s: SIGTERM", __FUNCTION__);
break;
}
- if (sigchlds != sigchlds_handled) {
- syslog(LOG_DEBUG, "%s: SIGCHLD", __FUNCTION__);
+ if (sigchlds != sigchlds_handled)
handle_sigchld();
- }
if (sighups != sighups_handled) {
syslog(LOG_DEBUG, "%s: SIGHUP", __FUNCTION__);
handle_sighup();
@@ -670,7 +705,6 @@
syslog(LOG_ERR, "%s: read EOF", __FUNCTION__);
return (-1);
}
- syslog(LOG_DEBUG, "%s: read %d", __FUNCTION__, trigger);
if (trigger == AUDIT_TRIGGER_CLOSE_AND_DIE)
break;
else
@@ -691,10 +725,13 @@
au_mask_t aumask;
int ctr = 0;
char naeventstr[NA_EVENT_STR_SIZE];
+ char polstr[POL_STR_SIZE];
+ long policy;
/*
* Process the audit event file, obtaining a class mapping for each
* event, and send that mapping into the kernel.
+ *
* XXX There's a risk here that the BSM library will return NULL
* for an event when it can't properly map it to a class. In that
* case, we will not process any events beyond the one that failed,
@@ -703,10 +740,17 @@
ev.ae_name = (char *)malloc(AU_EVENT_NAME_MAX);
ev.ae_desc = (char *)malloc(AU_EVENT_DESC_MAX);
if ((ev.ae_name == NULL) || (ev.ae_desc == NULL)) {
+ if (ev.ae_name != NULL)
+ free(ev.ae_name);
syslog(LOG_ERR,
"Memory allocation error when configuring audit controls.");
return (-1);
}
+
+ /*
+ * XXXRW: Currently we have no way to remove mappings from the kernel
+ * when they are removed from the file-based mappings.
+ */
evp = &ev;
setauevent();
while ((evp = getauevent_r(evp)) != NULL) {
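Review bot: The new cleanup on allocation failure frees `ev.ae_name` but never `ev.ae_desc`, so when only the first `malloc()` fails the description buffer leaks. Since `free(NULL)` is a no-op, the guard can be dropped and both released unconditionally: `free(ev.ae_name); free(ev.ae_desc);` before the `syslog()` call. The enclosing function starts and ends outside this hunk.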
@@ -745,11 +789,12 @@
syslog(LOG_ERR,
"Failed to obtain non-attributable event mask.");
- /*
- * Set the audit policy flags based on passed in parameter values.
- */
- if (auditon(A_SETPOLICY, &global_flags, sizeof(global_flags)))
- syslog(LOG_ERR, "Failed to set audit policy.");
+ if ((getacpol(polstr, POL_STR_SIZE) == 0) &&
+ (au_strtopol(polstr, &policy) == 0)) {
+ if (auditon(A_SETPOLICY, &policy, sizeof(policy)))
+ syslog(LOG_ERR, "Failed to set audit policy.");
+ } else
+ syslog(LOG_ERR, "Failed to obtain policy flags.");
return (0);
}
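Review bot: When `getacpol()` or `au_strtopol()` fails here, one generic message is logged and the function still returns 0, so the daemon carries on with whatever policy the kernel already holds. The `AUDIT_CNT` default and the `-s`/`-h` flags are removed elsewhere in this change, so an audit_control file without a valid `policy:` line presumably no longer yields a defined policy; how `getacpol()` reports a missing entry is not visible in this hunk. I would log the two failures separately, for example `syslog(LOG_ERR, "Invalid audit policy \"%s\": %m", polstr);` for the parse error. On failure the code should then either apply an explicit documented default or return -1, so that a misconfigured policy is not mistaken for a successful configuration. The enclosing function starts outside this hunk.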
@@ -826,7 +871,6 @@
int debug = 0;
int rc;
- global_flags |= AUDIT_CNT;
while ((ch = getopt(argc, argv, "dhs")) != -1) {
switch(ch) {
case 'd':
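Review bot: The option string passed to `getopt()` is still `"dhs"` although the `'s'` and `'h'` cases are deleted in the following hunk, so both letters are still accepted by the parser and only reach the usage message through `default`. Changing the call to `getopt(argc, argv, "d")` keeps the parser in step with the new usage text and man page. Because `-s` and `-h` used to select fail-stop and halt behaviour, a startup script that still passes them now makes auditd exit with status 1 and leaves auditing without a daemon, which deserves a line in the upgrade notes. The body of main starts and ends outside these hunks.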
@@ -834,20 +878,10 @@
debug = 1;
break;
- case 's':
- /* Fail-stop option. */
- global_flags &= ~(AUDIT_CNT);
- break;
-
- case 'h':
- /* Halt-stop option. */
- global_flags |= AUDIT_AHLT;
- break;
-
case '?':
default:
(void)fprintf(stderr,
- "usage: auditd [-h | -s] [-d] \n");
+ "usage: auditd [-d] \n");
exit(1);
}
}
==== //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditd/auditd.h#4 (text+ko) ====
@@ -30,7 +30,7 @@
*
* @APPLE_BSD_LICENSE_HEADER_END@
*
- * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditd/auditd.h#3 $
+ * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditd/auditd.h#4 $
*/
#ifndef _AUDITD_H_
@@ -61,7 +61,7 @@
#define HARDLIM_ALL_WARN "allhard"
#define SOFTLIM_ALL_WARN "allsoft"
-#define AUDITOFF_WARN "aditoff"
+#define AUDITOFF_WARN "auditoff"
#define EBUSY_WARN "ebusy"
#define GETACDIR_WARN "getacdir"
#define HARDLIM_WARN "hard"
==== //depot/projects/trustedbsd/audit3/contrib/openbsm/bsm/libbsm.h#17 (text+ko) ====
@@ -26,7 +26,7 @@
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
- * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bsm/libbsm.h#16 $
+ * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bsm/libbsm.h#17 $
*/
#ifndef _LIBBSM_H_
@@ -71,6 +71,7 @@
#define MINFREE_CONTROL_ENTRY "minfree"
#define FLAGS_CONTROL_ENTRY "flags"
#define NA_CONTROL_ENTRY "naflags"
+#define POLICY_CONTROL_ENTRY "policy"
#define AU_CLASS_NAME_MAX 8
#define AU_CLASS_DESC_MAX 72
@@ -711,11 +712,14 @@
int getacmin(int *min_val);
int getacflg(char *auditstr, int len);
int getacna(char *auditstr, int len);
+int getacpol(char *auditstr, size_t len);
int getauditflagsbin(char *auditstr, au_mask_t *masks);
int getauditflagschar(char *auditstr, au_mask_t *masks,
int verbose);
int au_preselect(au_event_t event, au_mask_t *mask_p,
int sorf, int flag);
+ssize_t au_poltostr(long policy, size_t maxsize, char *buf);
+int au_strtopol(const char *polstr, long *policy);
/*
* Functions relating to querying audit event information.
==== //depot/projects/trustedbsd/audit3/contrib/openbsm/configure#12 (xtext) ====
@@ -1,7 +1,7 @@
#! /bin/sh
-# From configure.ac P4: //depot/projects/trustedbsd/openbsm/configure.ac#28 .
+# From configure.ac P4: //depot/projects/trustedbsd/openbsm/configure.ac#29 .
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.59 for OpenBSM 1.0a10.
+# Generated by GNU Autoconf 2.59 for OpenBSM 1.0a11.
#
# Report bugs to <trustedbsd-audit at TrustesdBSD.org>.
#
@@ -424,8 +424,8 @@
# Identity of this package.
PACKAGE_NAME='OpenBSM'
PACKAGE_TARNAME='openbsm'
-PACKAGE_VERSION='1.0a10'
-PACKAGE_STRING='OpenBSM 1.0a10'
+PACKAGE_VERSION='1.0a11'
+PACKAGE_STRING='OpenBSM 1.0a11'
PACKAGE_BUGREPORT='trustedbsd-audit at TrustesdBSD.org'
ac_unique_file="bin/auditreduce/auditreduce.c"
@@ -955,7 +955,7 @@
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures OpenBSM 1.0a10 to adapt to many kinds of systems.
+\`configure' configures OpenBSM 1.0a11 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1021,7 +1021,7 @@
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of OpenBSM 1.0a10:";;
+ short | recursive ) echo "Configuration of OpenBSM 1.0a11:";;
esac
cat <<\_ACEOF
@@ -1162,7 +1162,7 @@
test -n "$ac_init_help" && exit 0
if $ac_init_version; then
cat <<\_ACEOF
-OpenBSM configure 1.0a10
+OpenBSM configure 1.0a11
generated by GNU Autoconf 2.59
Copyright (C) 2003 Free Software Foundation, Inc.
@@ -1176,7 +1176,7 @@
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by OpenBSM $as_me 1.0a10, which was
+It was created by OpenBSM $as_me 1.0a11, which was
generated by GNU Autoconf 2.59. Invocation command line was
$ $0 $@
@@ -19278,7 +19278,7 @@
# Define the identity of the package.
PACKAGE=OpenBSM
- VERSION=1.0a10
+ VERSION=1.0a11
cat >>confdefs.h <<_ACEOF
@@ -23478,7 +23478,7 @@
} >&5
cat >&5 <<_CSEOF
-This file was extended by OpenBSM $as_me 1.0a10, which was
+This file was extended by OpenBSM $as_me 1.0a11, which was
generated by GNU Autoconf 2.59. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@@ -23541,7 +23541,7 @@
cat >>$CONFIG_STATUS <<_ACEOF
ac_cs_version="\\
-OpenBSM config.status 1.0a10
+OpenBSM config.status 1.0a11
configured by $0, generated by GNU Autoconf 2.59,
with options \\"`echo "$ac_configure_args" | sed 's/[\\""\`\$]/\\\\&/g'`\\"
==== //depot/projects/trustedbsd/audit3/contrib/openbsm/configure.ac#13 (text+ko) ====
@@ -2,8 +2,8 @@
# Process this file with autoconf to produce a configure script.
AC_PREREQ(2.59)
-AC_INIT([OpenBSM], [1.0a10], [trustedbsd-audit at TrustesdBSD.org],[openbsm])
-AC_REVISION([$P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/configure.ac#12 $])
+AC_INIT([OpenBSM], [1.0a11], [trustedbsd-audit at TrustesdBSD.org],[openbsm])
+AC_REVISION([$P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/configure.ac#13 $])
AC_CONFIG_SRCDIR([bin/auditreduce/auditreduce.c])
AC_CONFIG_AUX_DIR(config)
AC_CONFIG_HEADER([config/config.h])
==== //depot/projects/trustedbsd/audit3/contrib/openbsm/etc/audit_control#6 (text+ko) ====
@@ -1,8 +1,9 @@
#
-# $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/etc/audit_control#5 $
+# $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/etc/audit_control#6 $
# $FreeBSD: src/contrib/openbsm/etc/audit_control,v 1.2 2006/03/26 01:44:35 rwatson Exp $
#
dir:/var/audit
flags:lo
minfree:20
naflags:lo
+policy:cnt
==== //depot/projects/trustedbsd/audit3/contrib/openbsm/etc/audit_event#16 (text+ko) ====
@@ -1,5 +1,5 @@
#
-# $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/etc/audit_event#15 $
+# $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/etc/audit_event#16 $
# $FreeBSD: src/contrib/openbsm/etc/audit_event,v 1.3 2006/06/27 18:09:54 rwatson Exp $
#
0:AUE_NULL:indir system call:no
@@ -118,8 +118,8 @@
113:AUE_SYSTEMBOOT:system booted:na
114:AUE_ASYNC_DAEMON_EXIT:async_daemon(2) exited:ad
115:AUE_NFSSVC_EXIT:nfssvc(2) exited:ad
-128:AUE_WRITEL:writel(2):fw
-129:AUE_WRITEVL:writevl(2):fw
+128:AUE_WRITEL:writel(2):no
+129:AUE_WRITEVL:writevl(2):no
130:AUE_GETAUID:getauid(2):ad
131:AUE_SETAUID:setauid(2):ad
132:AUE_GETAUDIT:getaudit(2):ad
@@ -266,7 +266,7 @@
325:AUE_DARWIN_KDEBUGTRACE:system call:pc
326:AUE_DARWIN_FSTAT:fstat(2):fa
327:AUE_DARWIN_FPATHCONF:fpathconf(2):fa
-328:AUE_DARWIN_GETDIRENTRIES:getdirentries(2):fr
+328:AUE_DARWIN_GETDIRENTRIES:getdirentries(2):no
329:AUE_DARWIN_TRUNCATE:truncate(2):fw
330:AUE_DARWIN_FTRUNCATE:ftruncate(2):fw
331:AUE_DARWIN_SYSCTL:sysctl(3):ad
@@ -322,8 +322,8 @@
43017:AUE_KDEBUGTRACE:system call:pc
43018:AUE_FSTAT:fstat(2):fa
43019:AUE_FPATHCONF:fpathconf(2):fa
-43020:AUE_GETDIRENTRIES:getdirentries(2):fr
-43021:AUE_SYSCTL:sysctl(3):ad
+43020:AUE_GETDIRENTRIES:getdirentries(2):no
+43021:AUE_SYSCTL:sysctl(3):ot
43022:AUE_MLOCK:mlock(2):pc
43023:AUE_MUNLOCK:munlock(2):pc
43024:AUE_UNDELETE:undelete(2):fm
@@ -416,6 +416,9 @@
43111:AUE_EXTATTR_SET_LINK:extattr_set_link(2):fm
43112:AUE_EXTATTR_LIST_LINK:extattr_list_link(2):fa
43113:AUE_EXTATTR_DELETE_LINK:extattr_delete_link(2):fm
+43114:AUE_KENV:kenv(8):ad
+43115:AUE_JAIL_ATTACH:jail_attach(2):ad
+43116:AUE_SYSCTL_WRITE:sysctl(3):ad
#
# User space system events.
#
==== //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/au_control.3#5 (text+ko) ====
@@ -23,7 +23,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/au_control.3#4 $
+.\" $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/au_control.3#5 $
.\"
.Dd April 19, 2005
.Dt AU_CONTROL 3
@@ -34,7 +34,10 @@
.Nm getacdir ,
.Nm getacmin ,
.Nm getacflg ,
-.Nm getacna
+.Nm getacna ,
+.Nm getacpol ,
+.Nm au_poltostr
+.Nm au_strtopol
.Nd "Look up information from the audit_control database"
.Sh LIBRARY
.Lb libbsm
@@ -52,6 +55,12 @@
.Fn getacflg "char *auditstr" "int len"
.Ft int
.Fn getacna "char *auditstr" "int len"
+.Ft int
+.Fn getacpol "char *auditstr" "size_t len"
+.Ft ssize_t
+.Fn au_poltostr "long policy" "size_t maxsize" "char *buf"
+.Ft int
+.Fn au_strtopol "const char *polstr" "long *policy"
.Sh DESCRIPTION
These interfaces may be used to look up information from the
.Xr audit_control 5
@@ -90,15 +99,42 @@
.Va auditstr
of length
.Va len .
+.Pp
+.Fn getacpol
+returns the audit policy flags via the passed character buffer
+.Va auditstr
+of length
+.Va len .
+.Pp
+.Fn au_poltostr
+converts a numeric audit policy mask,
+.Va policy ,
+value to a string in the passed character buffer
+.Va buf
+of lenth
+.Va maxsize .
+.Pp
+.Fn au_strtopol
+converts an audit policy flags string,
+.Va polstr ,
+to a numeric audit policy mask returned via
+.Va policy .
.Sh RETURN VALULES
.Fn getacdir ,
.Fn getacmin ,
.Fn getacflg ,
+.Fn getacna ,
+.Fn getacpol ,
and
-.Fn getacna
+.Fn au_strtopol
return 0 on success, or a negative value on failure, along with error
information in
.Va errno .
+.Pp
+.Fn au_poltostr
+returns a string length of 0 or more on success, or a negative value on
+if there is a failure.
+.Pp
Functions that return a string value will return a failure if there is
insufficient room in the passed character buffer for the full string.
.Sh SEE ALSO
==== //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/bsm_control.c#9 (text+ko) ====
@@ -1,5 +1,6 @@
/*
* Copyright (c) 2004 Apple Computer, Inc.
+ * Copyright (c) 2006 Robert N. M. Watson
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -26,7 +27,7 @@
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
- * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/bsm_control.c#8 $
+ * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/bsm_control.c#9 $
*/
#include <bsm/libbsm.h>
@@ -39,7 +40,7 @@
/*
* Parse the contents of the audit_control file to return the audit control
- * parameters.
+ * parameters. These static fields are protected by 'mutex'.
*/
static FILE *fp = NULL;
static char linestr[AU_LINE_MAX];
@@ -98,21 +99,223 @@
}
/*
+ * Convert a policy to a string. Return -1 on failure, or >= 0 representing
+ * the actual size of the string placed in the buffer (excluding terminating
+ * nul).
+ */
+ssize_t
+au_poltostr(long policy, size_t maxsize, char *buf)
+{
+ int first;
+
+ if (maxsize < 1)
+ return (-1);
+ first = 1;
+ buf[0] = '\0';
+
+ if (policy & AUDIT_CNT) {
+ if (strlcat(buf, "cnt", maxsize) >= maxsize)
+ return (-1);
+ first = 0;
+ }
+ if (policy & AUDIT_AHLT) {
+ if (!first) {
+ if (strlcat(buf, ",", maxsize) >= maxsize)
+ return (-1);
+ }
+ if (strlcat(buf, "ahlt", maxsize) >= maxsize)
+ return (-1);
+ first = 0;
+ }
+ if (policy & AUDIT_ARGV) {
+ if (!first) {
+ if (strlcat(buf, ",", maxsize) >= maxsize)
+ return (-1);
+ }
+ if (strlcat(buf, "argv", maxsize) >= maxsize)
+ return (-1);
+ first = 0;
+ }
+ if (policy & AUDIT_ARGE) {
+ if (!first) {
+ if (strlcat(buf, ",", maxsize) >= maxsize)
+ return (-1);
+ }
+ if (strlcat(buf, "arge", maxsize) >= maxsize)
+ return (-1);
+ first = 0;
+ }
+ if (policy & AUDIT_SEQ) {
+ if (!first) {
+ if (strlcat(buf, ",", maxsize) >= maxsize)
+ return (-1);
+ }
+ if (strlcat(buf, "seq", maxsize) >= maxsize)
+ return (-1);
+ first = 0;
+ }
+ if (policy & AUDIT_WINDATA) {
+ if (!first) {
+ if (strlcat(buf, ",", maxsize) >= maxsize)
+ return (-1);
+ }
+ if (strlcat(buf, "windata", maxsize) >= maxsize)
+ return (-1);
+ first = 0;
+ }
+ if (policy & AUDIT_USER) {
+ if (!first) {
+ if (strlcat(buf, ",", maxsize) >= maxsize)
+ return (-1);
+ }
+ if (strlcat(buf, "user", maxsize) >= maxsize)
+ return (-1);
+ first = 0;
+ }
+ if (policy & AUDIT_GROUP) {
+ if (!first) {
+ if (strlcat(buf, ",", maxsize) >= maxsize)
+ return (-1);
+ }
+ if (strlcat(buf, "group", maxsize) >= maxsize)
+ return (-1);
+ first = 0;
+ }
+ if (policy & AUDIT_TRAIL) {
+ if (!first) {
+ if (strlcat(buf, ",", maxsize) >= maxsize)
+ return (-1);
+ }
+ if (strlcat(buf, "trail", maxsize) >= maxsize)
+ return (-1);
+ first = 0;
+ }
+ if (policy & AUDIT_PATH) {
+ if (!first) {
+ if (strlcat(buf, ",", maxsize) >= maxsize)
+ return (-1);
+ }
+ if (strlcat(buf, "path", maxsize) >= maxsize)
+ return (-1);
+ first = 0;
+ }
+ if (policy & AUDIT_SCNT) {
+ if (!first) {
+ if (strlcat(buf, ",", maxsize) >= maxsize)
+ return (-1);
+ }
+ if (strlcat(buf, "scnt", maxsize) >= maxsize)
+ return (-1);
+ first = 0;
+ }
+ if (policy & AUDIT_PUBLIC) {
+ if (!first) {
+ if (strlcat(buf, ",", maxsize) >= maxsize)
+ return (-1);
+ }
+ if (strlcat(buf, "public", maxsize) >= maxsize)
+ return (-1);
+ first = 0;
+ }
+ if (policy & AUDIT_ZONENAME) {
+ if (!first) {
+ if (strlcat(buf, ",", maxsize) >= maxsize)
+ return (-1);
+ }
+ if (strlcat(buf, "zonename", maxsize) >= maxsize)
+ return (-1);
+ first = 0;
+ }
+ if (policy & AUDIT_PERZONE) {
+ if (!first) {
+ if (strlcat(buf, ",", maxsize) >= maxsize)
+ return (-1);
+ }
+ if (strlcat(buf, "perzone", maxsize) >= maxsize)
+ return (-1);
+ first = 0;
+ }
+ return (strlen(buf));
+}
+
+/*
+ * Convert a string to a policy. Return -1 on failure (with errno EINVAL,
+ * ENOMEM) or 0 on success.
+ */
+int
+au_strtopol(const char *polstr, long *policy)
+{
+ char *bufp, *string;
+ char *buffer;
+
+ *policy = 0;
+ buffer = strdup(polstr);
+ if (buffer == NULL)
+ return (-1);
+
+ bufp = buffer;
+ while ((string = strsep(&bufp, ",")) != NULL) {
+ if (strcmp(string, "cnt") == 0)
+ *policy |= AUDIT_CNT;
+ else if (strcmp(string, "ahlt") == 0)
+ *policy |= AUDIT_AHLT;
+ else if (strcmp(string, "argv") == 0)
+ *policy |= AUDIT_ARGV;
+ else if (strcmp(string, "arge") == 0)
+ *policy |= AUDIT_ARGE;
+ else if (strcmp(string, "seq") == 0)
+ *policy |= AUDIT_SEQ;
+ else if (strcmp(string, "winau_fstat") == 0)
+ *policy |= AUDIT_WINDATA;
+ else if (strcmp(string, "user") == 0)
+ *policy |= AUDIT_USER;
+ else if (strcmp(string, "group") == 0)
+ *policy |= AUDIT_GROUP;
+ else if (strcmp(string, "trail") == 0)
+ *policy |= AUDIT_TRAIL;
+ else if (strcmp(string, "path") == 0)
+ *policy |= AUDIT_PATH;
+ else if (strcmp(string, "scnt") == 0)
+ *policy |= AUDIT_SCNT;
+ else if (strcmp(string, "public") == 0)
+ *policy |= AUDIT_PUBLIC;
+ else if (strcmp(string, "zonename") == 0)
+ *policy |= AUDIT_ZONENAME;
+ else if (strcmp(string, "perzone") == 0)
+ *policy |= AUDIT_PERZONE;
+ else {
+ free(buffer);
+ errno = EINVAL;
+ return (-1);
+ }
+ }
+ free(buffer);
+ return (0);
+}
+
+/*
* Rewind the file pointer to beginning.
*/
+static void
+setac_locked(void)
+{
+
+ ptrmoved = 1;
+ if (fp != NULL)
+ fseek(fp, 0, SEEK_SET);
+}
+
void
setac(void)
{
pthread_mutex_lock(&mutex);
- ptrmoved = 1;
- if (fp != NULL)
- fseek(fp, 0, SEEK_SET);
+ setac_locked();
pthread_mutex_unlock(&mutex);
}
/*
- * Close the audit_control file
+ * Close the audit_control file.
*/
void
endac(void)
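Review bot: In `au_strtopol()` the branch that sets `AUDIT_WINDATA` compares the token against `"winau_fstat"`, while `au_poltostr()` above emits `"windata"` for the same flag. A policy string written by one function is therefore rejected with EINVAL by the other, and a `windata` entry in audit_control cannot be parsed. The line should read `else if (strcmp(string, "windata") == 0)`. On the EINVAL path `*policy` has already been cleared and partly filled, so the header comment should add `On failure the contents of *policy are undefined.` Driving both functions from one shared table of name/flag pairs would keep the two lists from drifting apart again.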
@@ -136,72 +339,54 @@
char *dir;
int ret = 0;
- if (name == NULL) {
- errno = EINVAL;
- return (-2);
- }
-
- pthread_mutex_lock(&mutex);
-
/*
- * Check if another function was called between
- * successive calls to getacdir
+ * Check if another function was called between successive calls to
+ * getacdir.
*/
>>> TRUNCATED FOR MAIL (1000 lines) <<<