Date:      Fri, 17 Jul 2009 14:02:20 +0000 (UTC)
From:      Robert Watson <rwatson@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r195740 - in head: contrib/openbsm contrib/openbsm/config contrib/openbsm/etc contrib/openbsm/libauditd contrib/openbsm/libbsm contrib/openbsm/man contrib/openbsm/sys/bsm sys/bsm sys/se...
Message-ID:  <200907171402.n6HE2Lwh070925@svn.freebsd.org>

Author: rwatson
Date: Fri Jul 17 14:02:20 2009
New Revision: 195740
URL: http://svn.freebsd.org/changeset/base/195740

Log:
  Import OpenBSM 1.1p1 from vendor branch to 8-CURRENT, populating
  contrib/openbsm and a subset also imported into sys/security/audit.
  This patch release addresses several minor issues:
  
  - Fixes to AUT_SOCKUNIX token parsing.
  - IPv6 support for au_to_me(3).
  - Improved robustness in the parsing of audit_control, especially long
    flags/naflags strings and whitespace in all fields.
  - Add missing conversion of a number of FreeBSD/Mac OS X errnos to/from BSM
    error number space.
  
  MFC after:	3 weeks
  Obtained from:	TrustedBSD Project
  Sponsored by:	Apple, Inc.
  Approved by:	re (kib)

Modified:
  head/contrib/openbsm/   (props changed)
  head/contrib/openbsm/NEWS
  head/contrib/openbsm/VERSION
  head/contrib/openbsm/config/config.h
  head/contrib/openbsm/configure
  head/contrib/openbsm/configure.ac
  head/contrib/openbsm/etc/audit_event
  head/contrib/openbsm/libauditd/auditd_lib.c
  head/contrib/openbsm/libbsm/bsm_control.c
  head/contrib/openbsm/libbsm/bsm_errno.c
  head/contrib/openbsm/libbsm/bsm_io.c
  head/contrib/openbsm/libbsm/bsm_token.c
  head/contrib/openbsm/man/audit_control.5
  head/contrib/openbsm/sys/bsm/audit.h
  head/contrib/openbsm/sys/bsm/audit_kevents.h
  head/sys/bsm/audit.h
  head/sys/bsm/audit_kevents.h
  head/sys/security/audit/audit_bsm_errno.c
  head/sys/security/audit/audit_bsm_token.c

Modified: head/contrib/openbsm/NEWS
==============================================================================
--- head/contrib/openbsm/NEWS	Fri Jul 17 12:36:29 2009	(r195739)
+++ head/contrib/openbsm/NEWS	Fri Jul 17 14:02:20 2009	(r195740)
@@ -1,5 +1,14 @@
 OpenBSM Version History
 
+OpenBSM 1.1p1
+
+- Fixes to AUT_SOCKUNIX token parsing.
+- IPv6 support for au_to_me(3).
+- Improved robustness in the parsing of audit_control, especially long
+  flags/naflags strings and whitespace in all fields.
+- Add missing conversion of a number of FreeBSD/Mac OS X errnos to/from BSM
+  error number space.
+
 OpenBSM 1.1
 
 - Change auditon(2) parameters and data structures to be 32/64-bit architecture
@@ -449,4 +458,4 @@ OpenBSM 1.0 alpha 1
   to support reloading of kernel event table.
 - Allow comments in /etc/security configuration files.
 
-$P4: //depot/projects/trustedbsd/openbsm/NEWS#40 $
+$P4: //depot/projects/trustedbsd/openbsm/NEWS#42 $

Modified: head/contrib/openbsm/VERSION
==============================================================================
--- head/contrib/openbsm/VERSION	Fri Jul 17 12:36:29 2009	(r195739)
+++ head/contrib/openbsm/VERSION	Fri Jul 17 14:02:20 2009	(r195740)
@@ -1 +1 @@
-OPENBSM_1_1
+OPENBSM_1_1p1

Modified: head/contrib/openbsm/config/config.h
==============================================================================
--- head/contrib/openbsm/config/config.h	Fri Jul 17 12:36:29 2009	(r195739)
+++ head/contrib/openbsm/config/config.h	Fri Jul 17 14:02:20 2009	(r195740)
@@ -1,15 +1,14 @@
 /* config/config.h.  Generated from config.h.in by configure.  */
 /* config/config.h.in.  Generated from configure.ac by autoheader.  */
-/* $FreeBSD$ */
 
 /* Define to 1 if you have the `alarm' function. */
 #define HAVE_ALARM 1
 
 /* Define if audit system calls present */
-#define HAVE_AUDIT_SYSCALLS 
+#define HAVE_AUDIT_SYSCALLS /**/
 
 /* Define if be32enc is present */
-#define HAVE_BE32ENC 
+#define HAVE_BE32ENC /**/
 
 /* Define to 1 if you have the `bzero' function. */
 #define HAVE_BZERO 1
@@ -33,7 +32,7 @@
 #define HAVE_FTRUNCATE 1
 
 /* Define if queue.h includes LIST_FIRST */
-#define HAVE_FULL_QUEUE_H 
+#define HAVE_FULL_QUEUE_H /**/
 
 /* Define to 1 if you have the `gettimeofday' function. */
 #define HAVE_GETTIMEOFDAY 1
@@ -153,7 +152,7 @@
 
 /* Define to 1 if `lstat' dereferences a symlink specified with a trailing
    slash. */
-/* #undef LSTAT_FOLLOWS_SLASHED_SYMLINK */
+#define LSTAT_FOLLOWS_SLASHED_SYMLINK 1
 
 /* Name of package */
 #define PACKAGE "OpenBSM"
@@ -165,13 +164,13 @@
 #define PACKAGE_NAME "OpenBSM"
 
 /* Define to the full name and version of this package. */
-#define PACKAGE_STRING "OpenBSM 1.1beta1"
+#define PACKAGE_STRING "OpenBSM 1.1p1"
 
 /* Define to the one symbol short name of this package. */
 #define PACKAGE_TARNAME "openbsm"
 
 /* Define to the version of this package. */
-#define PACKAGE_VERSION "1.1beta1"
+#define PACKAGE_VERSION "1.1p1"
 
 /* Define as the return type of signal handlers (`int' or `void'). */
 #define RETSIGTYPE void
@@ -189,10 +188,13 @@
 /* #undef USE_MACH_IPC */
 
 /* Define to use native include files */
-#define USE_NATIVE_INCLUDES 
+#define USE_NATIVE_INCLUDES /**/
 
 /* Version number of package */
-#define VERSION "1.1beta1"
+#define VERSION "1.1p1"
+
+/* Use extended API on platforms that require it */
+#define _GNU_SOURCE /**/
 
 /* Define to empty if `const' does not conform to ANSI C. */
 /* #undef const */

Modified: head/contrib/openbsm/configure
==============================================================================
--- head/contrib/openbsm/configure	Fri Jul 17 12:36:29 2009	(r195739)
+++ head/contrib/openbsm/configure	Fri Jul 17 14:02:20 2009	(r195740)
@@ -1,7 +1,7 @@
 #! /bin/sh
-# From configure.ac P4: //depot/projects/trustedbsd/openbsm/configure.ac#51 .
+# From configure.ac P4: //depot/projects/trustedbsd/openbsm/configure.ac#52 .
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.62 for OpenBSM 1.1.
+# Generated by GNU Autoconf 2.62 for OpenBSM 1.1p1.
 #
 # Report bugs to <trustedbsd-audit@TrustesdBSD.org>.
 #
@@ -751,8 +751,8 @@ SHELL=${CONFIG_SHELL-/bin/sh}
 # Identity of this package.
 PACKAGE_NAME='OpenBSM'
 PACKAGE_TARNAME='openbsm'
-PACKAGE_VERSION='1.1'
-PACKAGE_STRING='OpenBSM 1.1'
+PACKAGE_VERSION='1.1p1'
+PACKAGE_STRING='OpenBSM 1.1p1'
 PACKAGE_BUGREPORT='trustedbsd-audit@TrustesdBSD.org'
 
 ac_unique_file="bin/auditreduce/auditreduce.c"
@@ -1492,7 +1492,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures OpenBSM 1.1 to adapt to many kinds of systems.
+\`configure' configures OpenBSM 1.1p1 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1562,7 +1562,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of OpenBSM 1.1:";;
+     short | recursive ) echo "Configuration of OpenBSM 1.1p1:";;
    esac
   cat <<\_ACEOF
 
@@ -1671,7 +1671,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-OpenBSM configure 1.1
+OpenBSM configure 1.1p1
 generated by GNU Autoconf 2.62
 
 Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
@@ -1685,7 +1685,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by OpenBSM $as_me 1.1, which was
+It was created by OpenBSM $as_me 1.1p1, which was
 generated by GNU Autoconf 2.62.  Invocation command line was
 
   $ $0 $@
@@ -19662,7 +19662,7 @@ fi
 
 # Define the identity of the package.
  PACKAGE=OpenBSM
- VERSION=1.1
+ VERSION=1.1p1
 
 
 cat >>confdefs.h <<_ACEOF
@@ -24400,7 +24400,7 @@ exec 6>&1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by OpenBSM $as_me 1.1, which was
+This file was extended by OpenBSM $as_me 1.1p1, which was
 generated by GNU Autoconf 2.62.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -24453,7 +24453,7 @@ Report bugs to <bug-autoconf@gnu.org>."
 _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_version="\\
-OpenBSM config.status 1.1
+OpenBSM config.status 1.1p1
 configured by $0, generated by GNU Autoconf 2.62,
   with options \\"`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`\\"
 

Modified: head/contrib/openbsm/configure.ac
==============================================================================
--- head/contrib/openbsm/configure.ac	Fri Jul 17 12:36:29 2009	(r195739)
+++ head/contrib/openbsm/configure.ac	Fri Jul 17 14:02:20 2009	(r195740)
@@ -2,8 +2,8 @@
 # Process this file with autoconf to produce a configure script.
 
 AC_PREREQ(2.59)
-AC_INIT([OpenBSM], [1.1], [trustedbsd-audit@TrustesdBSD.org],[openbsm])
-AC_REVISION([$P4: //depot/projects/trustedbsd/openbsm/configure.ac#52 $])
+AC_INIT([OpenBSM], [1.1p1], [trustedbsd-audit@TrustesdBSD.org],[openbsm])
+AC_REVISION([$P4: //depot/projects/trustedbsd/openbsm/configure.ac#53 $])
 AC_CONFIG_SRCDIR([bin/auditreduce/auditreduce.c])
 AC_CONFIG_AUX_DIR(config)
 AC_CONFIG_HEADER([config/config.h])

Modified: head/contrib/openbsm/etc/audit_event
==============================================================================
--- head/contrib/openbsm/etc/audit_event	Fri Jul 17 12:36:29 2009	(r195739)
+++ head/contrib/openbsm/etc/audit_event	Fri Jul 17 14:02:20 2009	(r195740)
@@ -1,5 +1,5 @@
 #
-# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_event#39 $
+# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_event#40 $
 # $FreeBSD$
 #
 # The mapping between event identifiers and values is also hard-coded in
@@ -556,6 +556,7 @@
 43193:AUE_PWRITE:pwrite(2):no
 43194:AUE_FSCTL:fsctl():fm
 43195:AUE_FFSCTL:ffsctl():fm
+43196:AUE_LPATHCONF:lpathconf(2):fa
 #
 # Solaris userspace events.
 #

Modified: head/contrib/openbsm/libauditd/auditd_lib.c
==============================================================================
--- head/contrib/openbsm/libauditd/auditd_lib.c	Fri Jul 17 12:36:29 2009	(r195739)
+++ head/contrib/openbsm/libauditd/auditd_lib.c	Fri Jul 17 14:02:20 2009	(r195740)
@@ -26,7 +26,7 @@
  * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  * POSSIBILITY OF SUCH DAMAGE.
  *
- * $P4: //depot/projects/trustedbsd/openbsm/libauditd/auditd_lib.c#10 $
+ * $P4: //depot/projects/trustedbsd/openbsm/libauditd/auditd_lib.c#11 $
  */
 
 #include <sys/param.h>
@@ -130,7 +130,7 @@ static char *auditd_errmsg[] = {
 
 #define MAXERRCODE (sizeof(auditd_errmsg) / sizeof(auditd_errmsg[0]))
 
-#define NA_EVENT_STR_SIZE       25
+#define NA_EVENT_STR_SIZE       128
 #define POL_STR_SIZE            128
 
 
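Review bot: Raising `NA_EVENT_STR_SIZE` from 25 to 128 moves the limit but leaves it an undocumented magic number that now duplicates `POL_STR_SIZE`. The code that fills a buffer of this size is outside the hunk, so it is worth confirming that an over-long string (presumably the audit_control naflags value) is reported as an error rather than truncated, because a silently shortened mask would leave the affected event classes unaudited. A comment such as `/* Size of the buffer for the naflags string, including the terminator. */` would record what the constant bounds, if that is indeed what it bounds.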

Modified: head/contrib/openbsm/libbsm/bsm_control.c
==============================================================================
--- head/contrib/openbsm/libbsm/bsm_control.c	Fri Jul 17 12:36:29 2009	(r195739)
+++ head/contrib/openbsm/libbsm/bsm_control.c	Fri Jul 17 14:02:20 2009	(r195740)
@@ -27,7 +27,7 @@
  * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  * POSSIBILITY OF SUCH DAMAGE.
  *
- * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_control.c#33 $
+ * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_control.c#34 $
  */
 
 #include <config/config.h>
@@ -121,9 +121,13 @@ getstrfromtype_locked(char *name, char *
 		if (linestr[0] == '#')
 			continue;
 
-		/* Remove trailing new line character. */
-		if ((nl = strrchr(linestr, '\n')) != NULL)
+		/* Remove trailing new line character and white space. */
+		nl = strchr(linestr, '\0') - 1;
+		while (nl >= linestr && ('\n' == *nl || ' ' == *nl ||
+			'\t' == *nl)) {
 			*nl = '\0';
+			nl--;
+		}
 
 		tokptr = linestr;
 		if ((type = strtok_r(tokptr, delim, &last)) != NULL) {
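Review bot: The new trimming loop can form a pointer one element before `linestr`: `strchr(linestr, '\0') - 1` does so when the line is empty, and `nl--` does so once an all-whitespace line has been consumed, after which `nl >= linestr` compares that out-of-range pointer. That is undefined behaviour in C even though it behaves as intended on common platforms. An index-based form avoids it: `size_t n = strlen(linestr);` followed by `while (n > 0 && (linestr[n - 1] == '\n' || linestr[n - 1] == ' ' || linestr[n - 1] == '\t')) linestr[--n] = '\0';`. Whether an empty `linestr` can reach this point depends on the read loop, which is outside the hunk, as is the rest of getstrfromtype_locked().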

Modified: head/contrib/openbsm/libbsm/bsm_errno.c
==============================================================================
--- head/contrib/openbsm/libbsm/bsm_errno.c	Fri Jul 17 12:36:29 2009	(r195739)
+++ head/contrib/openbsm/libbsm/bsm_errno.c	Fri Jul 17 14:02:20 2009	(r195740)
@@ -26,7 +26,7 @@
  * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  * POSSIBILITY OF SUCH DAMAGE. 
  *
- * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_errno.c#17 $
+ * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_errno.c#19 $
  */
 
 #include <sys/types.h>
@@ -453,6 +453,104 @@ static const struct bsm_errno bsm_errnos
 	{ BSM_ERRNO_EINPROGRESS, EINPROGRESS,
 	    ES("Operation now in progress") },
 	{ BSM_ERRNO_ESTALE, ESTALE, ES("Stale NFS file handle") },
+	{ BSM_ERRNO_EPROCLIM,
+#ifdef EPROCLIM
+	EPROCLIM,
+#else
+	ERRNO_NO_LOCAL_MAPPING,
+#endif
+	ES("Too many processes") },
+	{ BSM_ERRNO_EBADRPC,
+#ifdef EBADRPC
+	EBADRPC,
+#else
+	ERRNO_NO_LOCAL_MAPPING,
+#endif
+	ES("RPC struct is bad") },
+	{ BSM_ERRNO_ERPCMISMATCH,
+#ifdef ERPCMISMATCH
+	ERPCMISMATCH,
+#else
+	ERRNO_NO_LOCAL_MAPPING,
+#endif
+	ES("RPC version wrong") },
+	{ BSM_ERRNO_EPROGUNAVAIL,
+#ifdef EPROGUNAVAIL
+	EPROGUNAVAIL,
+#else
+	ERRNO_NO_LOCAL_MAPPING,
+#endif
+	ES("RPC prog. not avail") },
+	{ BSM_ERRNO_EPROGMISMATCH,
+#ifdef EPROGMISMATCH
+	EPROGMISMATCH,
+#else
+	ERRNO_NO_LOCAL_MAPPING,
+#endif
+	ES("RPC version wrong") },
+	{ BSM_ERRNO_EPROCUNAVAIL,
+#ifdef EPROCUNAVAIL
+	EPROCUNAVAIL,
+#else
+	ERRNO_NO_LOCAL_MAPPING,
+#endif
+	ES("Bad procedure for program") },
+	{ BSM_ERRNO_EFTYPE,
+#ifdef EFTYPE
+	EFTYPE,
+#else
+	ERRNO_NO_LOCAL_MAPPING,
+#endif
+	ES("Inappropriate file type or format") },
+	{ BSM_ERRNO_EAUTH,
+#ifdef EAUTH
+	EAUTH,
+#else
+	ERRNO_NO_LOCAL_MAPPING,
+#endif
+	ES("Authenticateion error") },
+	{ BSM_ERRNO_ENEEDAUTH,
+#ifdef ENEEDAUTH
+	ENEEDAUTH,
+#else
+	ERRNO_NO_LOCAL_MAPPING,
+#endif
+	ES("Need authenticator") },
+	{ BSM_ERRNO_ENOATTR,
+#ifdef ENOATTR
+	ENOATTR,
+#else
+	ERRNO_NO_LOCAL_MAPPING,
+#endif
+	ES("Attribute not found") },
+	{ BSM_ERRNO_EDOOFUS,
+#ifdef EDOOFUS
+	EDOOFUS,
+#else
+	ERRNO_NO_LOCAL_MAPPING,
+#endif
+	ES("Programming error") },
+	{ BSM_ERRNO_EJUSTRETURN,
+#ifdef EJUSTRETURN
+	EJUSTRETURN,
+#else
+	ERRNO_NO_LOCAL_MAPPING,
+#endif
+	ES("Just return") },
+	{ BSM_ERRNO_ENOIOCTL,
+#ifdef ENOIOCTL
+	ENOIOCTL,
+#else
+	ERRNO_NO_LOCAL_MAPPING,
+#endif
+	ES("ioctl not handled by this layer") },
+	{ BSM_ERRNO_EDIRIOCTL,
+#ifdef EDIRIOCTL
+	EDIRIOCTL,
+#else
+	ERRNO_NO_LOCAL_MAPPING,
+#endif
+	ES("do direct ioctl in GEOM") },
 	{ BSM_ERRNO_EPWROFF,
 #ifdef EPWROFF
 	EPWROFF,
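Review bot: Two of the added message strings look wrong: `ES("Authenticateion error")` for BSM_ERRNO_EAUTH is misspelled, and BSM_ERRNO_EPROGMISMATCH reuses `ES("RPC version wrong")`, the same text as BSM_ERRNO_ERPCMISMATCH, so the two errors cannot be told apart in rendered output. These strings presumably end up in human-readable audit output that people search or write matching rules against, so I would use `ES("Authentication error")` and a distinct text such as `ES("Program version wrong")`. The matching entries added to head/sys/security/audit/audit_bsm_errno.c carry the same two strings. The bsm_errnos initializer starts and ends outside this hunk.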

Modified: head/contrib/openbsm/libbsm/bsm_io.c
==============================================================================
--- head/contrib/openbsm/libbsm/bsm_io.c	Fri Jul 17 12:36:29 2009	(r195739)
+++ head/contrib/openbsm/libbsm/bsm_io.c	Fri Jul 17 14:02:20 2009	(r195740)
@@ -32,7 +32,7 @@
  * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  * POSSIBILITY OF SUCH DAMAGE.
  *
- * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_io.c#62 $
+ * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_io.c#63 $
  */
 
 #include <sys/types.h>
@@ -3176,19 +3176,25 @@ print_sock_inet128_tok(FILE *fp, tokenst
 
 /*
  * socket family           2 bytes
- * path                    104 bytes
+ * path                    (up to) 104 bytes + NULL (NULL terminated string).
  */
 static int
 fetch_sock_unix_tok(tokenstr_t *tok, u_char *buf, int len)
 {
 	int err = 0;
+	u_char *p;
+	int slen;
+
 
 	READ_TOKEN_U_INT16(buf, len, tok->tt.sockunix.family, tok->len, err);
 	if (err)
 		return (-1);
 
-	READ_TOKEN_BYTES(buf, len, tok->tt.sockunix.path, 104, tok->len,
-	    err);
+	/* slen = strnlen((buf + tok->len), 104) + 1; */
+	p = (u_char *)memchr((const void *)(buf + tok->len), '\0', 104);
+	slen = (p ? (int)(p - (buf + tok->len))  : 104) + 1; 
+
+	READ_TOKEN_BYTES(buf, len, tok->tt.sockunix.path, slen, tok->len, err);
 	if (err)
 		return (-1);
 
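Review bot: The `memchr()` in fetch_sock_unix_tok() scans up to 104 bytes from `buf + tok->len` before anything has checked that this many bytes remain in the record, so a short or truncated AUT_SOCKUNIX token lets the scan read past the end of `buf`; READ_TOKEN_BYTES may bounds-check the copy (the macro is outside the hunk), but it runs after the scan. Separately, when no terminator is found `slen` becomes 105, so the copy stays in bounds only if `tok->tt.sockunix.path` holds at least 105 bytes, and the stored path is then not guaranteed to be NUL-terminated; the field's declaration is not visible here. Audit trails are parsed by privileged tooling and may originate on other hosts, so I would clamp the scan to the bytes left in the record and treat a missing terminator as a parse error, as sketched below. The commented-out `strnlen` line can be dropped once the logic is settled.

```c
	size_t avail;

	/* … unchanged: READ_TOKEN_U_INT16 of the socket family … */

	/* Scan only the bytes that are actually left in the record. */
	if (len < 0 || (size_t)tok->len >= (size_t)len)
		return (-1);
	avail = (size_t)len - (size_t)tok->len;
	if (avail > 105)
		avail = 105;	/* 104 path bytes plus the terminator */
	p = memchr(buf + tok->len, '\0', avail);
	if (p == NULL)
		return (-1);	/* unterminated or truncated path */
	slen = (int)(p - (buf + tok->len)) + 1;

	READ_TOKEN_BYTES(buf, len, tok->tt.sockunix.path, slen, tok->len, err);
```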

Modified: head/contrib/openbsm/libbsm/bsm_token.c
==============================================================================
--- head/contrib/openbsm/libbsm/bsm_token.c	Fri Jul 17 12:36:29 2009	(r195739)
+++ head/contrib/openbsm/libbsm/bsm_token.c	Fri Jul 17 14:02:20 2009	(r195740)
@@ -30,7 +30,7 @@
  * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  * POSSIBILITY OF SUCH DAMAGE.
  *
- * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_token.c#91 $
+ * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_token.c#93 $
  */
 
 #include <sys/types.h>
@@ -996,7 +996,7 @@ au_to_socket_ex(u_short so_domain, u_sho
 /*
  * token ID                1 byte
  * socket family           2 bytes
- * path                    104 bytes
+ * path                    (up to) 104 bytes + NULL  (NULL terminated string)
  */
 token_t *
 au_to_sock_unix(struct sockaddr_un *so)
@@ -1270,12 +1270,27 @@ token_t *
 au_to_me(void)
 {
 	auditinfo_t auinfo;
+	auditinfo_addr_t aia;
 
-	if (getaudit(&auinfo) != 0)
-		return (NULL);
+	/*
+	 * Try to use getaudit_addr(2) first.  If this kernel does not support
+	 * it, then fall back on to getaudit(2).
+	 */
+	if (getaudit_addr(&aia, sizeof(aia)) != 0) {
+		if (errno == ENOSYS) {
+			if (getaudit(&auinfo) != 0)
+				return (NULL);
+			return (au_to_subject32(auinfo.ai_auid, geteuid(),
+				getegid(), getuid(), getgid(), getpid(),
+				auinfo.ai_asid, &auinfo.ai_termid));
+		} else {
+			/* getaudit_addr(2) failed for some other reason. */
+			return (NULL); 
+		}
+	} 
 
-	return (au_to_subject32(auinfo.ai_auid, geteuid(), getegid(),
-	    getuid(), getgid(), getpid(), auinfo.ai_asid, &auinfo.ai_termid));
+	return (au_to_subject32_ex(aia.ai_auid, geteuid(), getegid(), getuid(),
+		getgid(), getpid(), aia.ai_asid, &aia.ai_termid));
 }
 #endif
 
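Review bot: The failure path in au_to_me() is more nested than it needs to be: the `else` arm only returns, so the block reads more clearly as `if (errno != ENOSYS) return (NULL);` followed by the getaudit(2) fallback. The added lines `return (NULL); ` and `} ` carry trailing whitespace, and the continuation lines of both au_to_subject32*() calls are indented with a tab where the removed code used four spaces. The new code reads `errno`, so <errno.h> must be in scope; the include block is outside the hunk. The same hunk is applied to head/sys/security/audit/audit_bsm_token.c and the same remarks apply there. A short comment stating that a NULL return means no subject token was built would help callers that assemble records, since a record without a subject token loses attribution.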

Modified: head/contrib/openbsm/man/audit_control.5
==============================================================================
--- head/contrib/openbsm/man/audit_control.5	Fri Jul 17 12:36:29 2009	(r195739)
+++ head/contrib/openbsm/man/audit_control.5	Fri Jul 17 14:02:20 2009	(r195740)
@@ -26,9 +26,9 @@
 .\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_control.5#22 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_control.5#23 $
 .\"
-.Dd January 29, 2009
+.Dd May 14, 2009
 .Dt AUDIT_CONTROL 5
 .Os
 .Sh NAME
@@ -94,7 +94,7 @@ Specifies when audit log files will expi
 This may be after a time period has passed since the file was last
 written to or when the aggregate of all the trail files have reached a 
 specified size or a combination of both.
-If no expire-after parameter is given then audit log files with not
+If no expire-after parameter is given then audit log files will not
 expire and be removed by the audit control system.
 See the information below for the format of the expiration
 specification.
@@ -217,7 +217,7 @@ The suffixes on the values are case sens
 If both an age and disk space value are used they are seperated by
 AND or OR and both values are used to determine when audit
 log files expire.
-In the case of AND, both the age and disk space conditions must be meet
+In the case of AND, both the age and disk space conditions must be met
 before the log file is removed.
 In the case of OR, either condition may expire the log file.
 For example:
@@ -233,17 +233,18 @@ The following settings appear in the def
 file:
 .Bd -literal -offset indent
 dir:/var/audit
-flags:lo
+flags:lo,aa
 minfree:5
-naflags:lo
+naflags:lo,aa
 policy:cnt,argv
-filesz:2097152
+filesz:2M
+expire-after:10M
 .Ed
 .Pp
 The
 .Va flags
 parameter above specifies the system-wide mask corresponding to login/logout
-events.
+as well as authentication and authorization events.
 The
 .Va policy
 parameter specifies that the system should neither fail stop nor suspend
@@ -253,6 +254,7 @@ be audited for
 events.
 The trail file will be automatically rotated by the audit daemon when the
 file size reaches approximately 2MB.
+Trail files will expire when their aggregate size exceeds 10MB.
 .Sh FILES
 .Bl -tag -width ".Pa /etc/security/audit_control" -compact
 .It Pa /etc/security/audit_control

Modified: head/contrib/openbsm/sys/bsm/audit.h
==============================================================================
--- head/contrib/openbsm/sys/bsm/audit.h	Fri Jul 17 12:36:29 2009	(r195739)
+++ head/contrib/openbsm/sys/bsm/audit.h	Fri Jul 17 14:02:20 2009	(r195740)
@@ -26,7 +26,7 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  *
- * $P4: //depot/projects/trustedbsd/openbsm/sys/bsm/audit.h#9 $
+ * $P4: //depot/projects/trustedbsd/openbsm/sys/bsm/audit.h#10 $
  */
 
 #ifndef	_BSM_AUDIT_H
@@ -172,6 +172,7 @@ typedef	pid_t		au_asid_t;
 typedef	u_int16_t	au_event_t;
 typedef	u_int16_t	au_emod_t;
 typedef	u_int32_t	au_class_t;
+typedef	u_int64_t	au_asflgs_t __attribute__ ((aligned (8)));
 
 struct au_tid {
 	dev_t		port;
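Review bot: The new `au_asflgs_t` typedef forces 8-byte alignment on `ai_flags` and `ap_flags`, which changes the padding and possibly the size of struct auditinfo_addr and struct auditpinfo_addr on ABIs where a 64-bit integer is otherwise only 4-byte aligned, and nothing in the header says so. These structures cross the user/kernel boundary with an explicit length (au_to_me() in this commit calls `getaudit_addr(&aia, sizeof(aia))`), so binaries built against the old header may disagree with a newer kernel about the layout; that is worth confirming for 32-bit builds. I would add a comment above the typedef along the lines of `/* 8-byte aligned so 32-bit and 64-bit layouts of the audit session structures match. */`, if that is the intent, and note that `__attribute__` is compiler-specific in a header shared across platforms. The same typedef and field changes appear in the two later hunks of this file and in head/sys/bsm/audit.h.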
@@ -205,7 +206,7 @@ struct auditinfo_addr {
 	au_mask_t	ai_mask;	/* Audit masks. */
 	au_tid_addr_t	ai_termid;	/* Terminal ID. */
 	au_asid_t	ai_asid;	/* Audit session ID. */
-	u_int64_t	ai_flags;	/* Audit session flags. */
+	au_asflgs_t	ai_flags;	/* Audit session flags. */
 };
 typedef	struct auditinfo_addr	auditinfo_addr_t;
 
@@ -224,7 +225,7 @@ struct auditpinfo_addr {
 	au_mask_t	ap_mask;	/* Audit masks. */
 	au_tid_addr_t	ap_termid;	/* Terminal ID. */
 	au_asid_t	ap_asid;	/* Audit session ID. */
-	u_int64_t	ap_flags;	/* Audit session flags. */
+	au_asflgs_t	ap_flags;	/* Audit session flags. */
 };
 typedef	struct auditpinfo_addr	auditpinfo_addr_t;
 

Modified: head/contrib/openbsm/sys/bsm/audit_kevents.h
==============================================================================
--- head/contrib/openbsm/sys/bsm/audit_kevents.h	Fri Jul 17 12:36:29 2009	(r195739)
+++ head/contrib/openbsm/sys/bsm/audit_kevents.h	Fri Jul 17 14:02:20 2009	(r195740)
@@ -26,7 +26,7 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  *
- * $P4: //depot/projects/trustedbsd/openbsm/sys/bsm/audit_kevents.h#6 $
+ * $P4: //depot/projects/trustedbsd/openbsm/sys/bsm/audit_kevents.h#8 $
  */
 
 #ifndef _BSM_AUDIT_KEVENTS_H_
@@ -596,6 +596,7 @@
 #define	AUE_PWRITE		43193	/* Darwin/FreeBSD. */
 #define	AUE_FSCTL		43194	/* Darwin. */
 #define	AUE_FFSCTL		43195	/* Darwin. */
+#define	AUE_LPATHCONF		43196	/* FreeBSD. */
 
 /*
  * Darwin BSM uses a number of AUE_O_* definitions, which are aliased to the

Modified: head/sys/bsm/audit.h
==============================================================================
--- head/sys/bsm/audit.h	Fri Jul 17 12:36:29 2009	(r195739)
+++ head/sys/bsm/audit.h	Fri Jul 17 14:02:20 2009	(r195740)
@@ -26,7 +26,7 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  *
- * P4: //depot/projects/trustedbsd/openbsm/sys/bsm/audit.h#9
+ * P4: //depot/projects/trustedbsd/openbsm/sys/bsm/audit.h#10
  * $FreeBSD$
  */
 
@@ -173,6 +173,7 @@ typedef	pid_t		au_asid_t;
 typedef	u_int16_t	au_event_t;
 typedef	u_int16_t	au_emod_t;
 typedef	u_int32_t	au_class_t;
+typedef	u_int64_t	au_asflgs_t __attribute__ ((aligned (8)));
 
 struct au_tid {
 	dev_t		port;
@@ -206,7 +207,7 @@ struct auditinfo_addr {
 	au_mask_t	ai_mask;	/* Audit masks. */
 	au_tid_addr_t	ai_termid;	/* Terminal ID. */
 	au_asid_t	ai_asid;	/* Audit session ID. */
-	u_int64_t	ai_flags;	/* Audit session flags. */
+	au_asflgs_t	ai_flags;	/* Audit session flags. */
 };
 typedef	struct auditinfo_addr	auditinfo_addr_t;
 
@@ -225,7 +226,7 @@ struct auditpinfo_addr {
 	au_mask_t	ap_mask;	/* Audit masks. */
 	au_tid_addr_t	ap_termid;	/* Terminal ID. */
 	au_asid_t	ap_asid;	/* Audit session ID. */
-	u_int64_t	ap_flags;	/* Audit session flags. */
+	au_asflgs_t	ap_flags;	/* Audit session flags. */
 };
 typedef	struct auditpinfo_addr	auditpinfo_addr_t;
 

Modified: head/sys/bsm/audit_kevents.h
==============================================================================
--- head/sys/bsm/audit_kevents.h	Fri Jul 17 12:36:29 2009	(r195739)
+++ head/sys/bsm/audit_kevents.h	Fri Jul 17 14:02:20 2009	(r195740)
@@ -26,7 +26,7 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  *
- * P4: //depot/projects/trustedbsd/openbsm/sys/bsm/audit_kevents.h#6
+ * P4: //depot/projects/trustedbsd/openbsm/sys/bsm/audit_kevents.h#7
  * $FreeBSD$
  */
 

Modified: head/sys/security/audit/audit_bsm_errno.c
==============================================================================
--- head/sys/security/audit/audit_bsm_errno.c	Fri Jul 17 12:36:29 2009	(r195739)
+++ head/sys/security/audit/audit_bsm_errno.c	Fri Jul 17 14:02:20 2009	(r195740)
@@ -26,7 +26,7 @@
  * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  * POSSIBILITY OF SUCH DAMAGE. 
  *
- * P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_errno.c#17
+ * P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_errno.c#18
  */
 
 #include <sys/cdefs.h>
@@ -455,6 +455,104 @@ static const struct bsm_errno bsm_errnos
 	{ BSM_ERRNO_EINPROGRESS, EINPROGRESS,
 	    ES("Operation now in progress") },
 	{ BSM_ERRNO_ESTALE, ESTALE, ES("Stale NFS file handle") },
+	{ BSM_ERRNO_EPROCLIM,
+#ifdef EPROCLIM
+	EPROCLIM,
+#else
+	ERRNO_NO_LOCAL_MAPPING,
+#endif
+	ES("Too many processes") },
+	{ BSM_ERRNO_EBADRPC,
+#ifdef EBADRPC
+	EBADRPC,
+#else
+	ERRNO_NO_LOCAL_MAPPING,
+#endif
+	ES("RPC struct is bad") },
+	{ BSM_ERRNO_ERPCMISMATCH,
+#ifdef ERPCMISMATCH
+	ERPCMISMATCH,
+#else
+	ERRNO_NO_LOCAL_MAPPING,
+#endif
+	ES("RPC version wrong") },
+	{ BSM_ERRNO_EPROGUNAVAIL,
+#ifdef EPROGUNAVAIL
+	EPROGUNAVAIL,
+#else
+	ERRNO_NO_LOCAL_MAPPING,
+#endif
+	ES("RPC prog. not avail") },
+	{ BSM_ERRNO_EPROGMISMATCH,
+#ifdef EPROGMISMATCH
+	EPROGMISMATCH,
+#else
+	ERRNO_NO_LOCAL_MAPPING,
+#endif
+	ES("RPC version wrong") },
+	{ BSM_ERRNO_EPROCUNAVAIL,
+#ifdef EPROCUNAVAIL
+	EPROCUNAVAIL,
+#else
+	ERRNO_NO_LOCAL_MAPPING
+#endif
+	ES("Bad procedure for program") },
+	{ BSM_ERRNO_EFTYPE,
+#ifdef EFTYPE
+	EFTYPE,
+#else
+	ERRNO_NO_LOCAL_MAPPING,
+#endif
+	ES("Inappropriate file type or format") },
+	{ BSM_ERRNO_EAUTH,
+#ifdef EAUTH
+	EAUTH,
+#else
+	ERRNO_NO_LOCAL_MAPPING,
+#endif
+	ES("Authenticateion error") },
+	{ BSM_ERRNO_ENEEDAUTH,
+#ifdef ENEEDAUTH
+	ENEEDAUTH,
+#else
+	ERRNO_NO_LOCAL_MAPPING,
+#endif
+	ES("Need authenticator") },
+	{ BSM_ERRNO_ENOATTR,
+#ifdef ENOATTR
+	ENOATTR,
+#else
+	ERRNO_NO_LOCAL_MAPPING,
+#endif
+	ES("Attribute not found") },
+	{ BSM_ERRNO_EDOOFUS,
+#ifdef EDOOFUS
+	EDOOFUS,
+#else
+	ERRNO_NO_LOCAL_MAPPING,
+#endif
+	ES("Programming error") },
+	{ BSM_ERRNO_EJUSTRETURN,
+#ifdef EJUSTRETURN
+	EJUSTRETURN,
+#else
+	ERRNO_NO_LOCAL_MAPPING,
+#endif
+	ES("Just return") },
+	{ BSM_ERRNO_ENOIOCTL,
+#ifdef ENOIOCTL
+	ENOIOCTL,
+#else
+	ERRNO_NO_LOCAL_MAPPING,
+#endif
+	ES("ioctl not handled by this layer") },
+	{ BSM_ERRNO_EDIRIOCTL,
+#ifdef EDIRIOCTL
+	EDIRIOCTL,
+#else
+	ERRNO_NO_LOCAL_MAPPING,
+#endif
+	ES("do direct ioctl in GEOM") },
 	{ BSM_ERRNO_EPWROFF,
 #ifdef EPWROFF
 	EPWROFF,
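Review bot: The `#else` arm of the BSM_ERRNO_EPROCUNAVAIL entry reads `ERRNO_NO_LOCAL_MAPPING` without the trailing comma that every other added entry has, including the same entry in head/contrib/openbsm/libbsm/bsm_errno.c. If EPROCUNAVAIL is undefined and ES() expands to its argument, the initializer becomes `ERRNO_NO_LOCAL_MAPPING "Bad procedure for program"` and will not compile; the ES() definition is outside the hunk, so whether any kernel build actually hits this is unconfirmed. The line should read `ERRNO_NO_LOCAL_MAPPING,`. The file header here records bsm_errno.c#18 while the libbsm copy records #19, so this table may simply be one revision behind.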

Modified: head/sys/security/audit/audit_bsm_token.c
==============================================================================
--- head/sys/security/audit/audit_bsm_token.c	Fri Jul 17 12:36:29 2009	(r195739)
+++ head/sys/security/audit/audit_bsm_token.c	Fri Jul 17 14:02:20 2009	(r195740)
@@ -30,7 +30,7 @@
  * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  * POSSIBILITY OF SUCH DAMAGE.
  *
- * P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_token.c#91
+ * P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_token.c#93
  */
 
 #include <sys/cdefs.h>
@@ -930,7 +930,7 @@ kau_to_socket(struct socket_au_info *soi
 /*
  * token ID                1 byte
  * socket family           2 bytes
- * path                    104 bytes
+ * path                    (up to) 104 bytes + NULL  (NULL terminated string)
  */
 token_t *
 au_to_sock_unix(struct sockaddr_un *so)
@@ -1188,12 +1188,27 @@ token_t *
 au_to_me(void)
 {
 	auditinfo_t auinfo;
+	auditinfo_addr_t aia;
 
-	if (getaudit(&auinfo) != 0)
-		return (NULL);
+	/*
+	 * Try to use getaudit_addr(2) first.  If this kernel does not support
+	 * it, then fall back on to getaudit(2).
+	 */
+	if (getaudit_addr(&aia, sizeof(aia)) != 0) {
+		if (errno == ENOSYS) {
+			if (getaudit(&auinfo) != 0)
+				return (NULL);
+			return (au_to_subject32(auinfo.ai_auid, geteuid(),
+				getegid(), getuid(), getgid(), getpid(),
+				auinfo.ai_asid, &auinfo.ai_termid));
+		} else {
+			/* getaudit_addr(2) failed for some other reason. */
+			return (NULL); 
+		}
+	} 
 
-	return (au_to_subject32(auinfo.ai_auid, geteuid(), getegid(),
-	    getuid(), getgid(), getpid(), auinfo.ai_asid, &auinfo.ai_termid));
+	return (au_to_subject32_ex(aia.ai_auid, geteuid(), getegid(), getuid(),
+		getgid(), getpid(), aia.ai_asid, &aia.ai_termid));
 }
 #endif
 


