From owner-p4-projects@FreeBSD.ORG  Thu Sep 30 01:54:30 2004
Return-Path: <owner-p4-projects@FreeBSD.ORG>
Delivered-To: p4-projects@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 32767)
	id 484AC16A4CF; Thu, 30 Sep 2004 01:54:26 +0000 (GMT)
Delivered-To: perforce@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id A71A816A4D2
	for <perforce@freebsd.org>; Thu, 30 Sep 2004 01:54:23 +0000 (GMT)
Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 738EC43D1D
	for <perforce@freebsd.org>; Thu, 30 Sep 2004 01:54:23 +0000 (GMT)
	(envelope-from wsalamon@computer.org)
Received: from repoman.freebsd.org (localhost [127.0.0.1])
	by repoman.freebsd.org (8.12.11/8.12.11) with ESMTP id i8U1sNAQ016252
	for <perforce@freebsd.org>; Thu, 30 Sep 2004 01:54:23 GMT
	(envelope-from wsalamon@computer.org)
Received: (from perforce@localhost)
	by repoman.freebsd.org (8.12.11/8.12.11/Submit) id i8U1sN4T016249
	for perforce@freebsd.org; Thu, 30 Sep 2004 01:54:23 GMT
	(envelope-from wsalamon@computer.org)
Date: Thu, 30 Sep 2004 01:54:23 GMT
Message-Id: <200409300154.i8U1sN4T016249@repoman.freebsd.org>
X-Authentication-Warning: repoman.freebsd.org: perforce set sender to
	wsalamon@computer.org using -f
From: Wayne Salamon <wsalamon@FreeBSD.org>
To: Perforce Change Reviews <perforce@freebsd.org>
Subject: PERFORCE change 62424 for review
X-BeenThere: p4-projects@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: p4 projects tree changes <p4-projects.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/p4-projects>,
	<mailto:p4-projects-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/p4-projects>
List-Post: <mailto:p4-projects@freebsd.org>
List-Help: <mailto:p4-projects-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/p4-projects>,
	<mailto:p4-projects-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Sep 2004 01:54:30 -0000

http://perforce.freebsd.org/chv.cgi?CH=62424

Change 62424 by wsalamon@wsalamon_epi on 2004/09/30 01:53:35

	Implement the audit daemon trigger mechanism as a FIFO. Update 
	the audit command to use this mechanism.

Affected files ...

.. //depot/projects/trustedbsd/audit3/contrib/audit_supt/audit/audit.c#3 edit
.. //depot/projects/trustedbsd/audit3/contrib/audit_supt/auditd/auditd.c#4 edit
.. //depot/projects/trustedbsd/audit3/contrib/audit_supt/auditd/auditd.h#3 edit
.. //depot/projects/trustedbsd/audit3/sys/bsm/audit.h#5 edit

Differences ...

==== //depot/projects/trustedbsd/audit3/contrib/audit_supt/audit/audit.c#3 (text+ko) ====

@@ -6,25 +6,14 @@
  *
  */
 
-#include <mach/mach.h>
-#include <servers/netname.h>
-#include <mach/message.h>
-#include <mach/port.h>
-#include <mach/mach_error.h>
-#include <mach/host_special_ports.h>
-#include <servers/bootstrap.h>
-
-#include <auditd_control.h>
-#include <auditd.h>
-
+#include <fcntl.h>
 #include <stdlib.h>
+#include <stdio.h>
 #include <unistd.h>
-#include <stdio.h>
+#include <bsm/audit.h>
+#include <sys/types.h>
+#include <sys/uio.h>
 
-mach_port_t     serverPort;
-mach_port_t     bootstrapPort;
-
-void init();
 void process(int flags);
 
 /*
@@ -38,15 +27,15 @@
 		switch(ch) {
 
 		case 'n':
-			flags = OPEN_NEW;
+			flags = AUDITD_TRIGGER_OPEN_NEW;
 			break;
 
 		case 's':   
-			flags = READ_FILE;
+			flags = AUDITD_TRIGGER_READ_FILE;
 			break;
 
 		case 't':
-			flags = CLOSE_AND_DIE;
+			flags = AUDITD_TRIGGER_CLOSE_AND_DIE;
 			break;
 
 		case '?':
@@ -56,36 +45,26 @@
 			exit(1);
 		}
 	}
-	init();
 	process(flags);
 	return 0;
 }
 
 /*
- * Program initialization:
- *   Look up the server port and store it away.
- */
-void init()
-{
-	if(host_get_audit_control_port(mach_host_self(), &serverPort) != KERN_SUCCESS) {
-		fprintf(stderr, "Cannot get auditd_control\n");
-		exit(1);
-	}
-
-	printf("Server port is %d\n", serverPort);
-}
-
-/*
  * Do all the real work.
  * Send a message to the audit daemon and check the return code.
  */
 void process(int flags)
 {
-	kern_return_t retcode;
-	retcode = auditd_control(serverPort, flags);
-	if(retcode != KERN_SUCCESS) {
-		mach_error("error doing IPC: ", retcode);
+	int fd;
+
+	fd = open(AUDITD_CTL_FILE, O_RDWR);
+	if (fd == -1) {
+		perror("error opening auditd control file");
 		exit(1);
 	}
+	if (write(fd, &flags, sizeof(flags)) == -1) {
+		perror("error doing write: ");
+		exit(-1);
+	}
 	printf("Client call successful\n");
 }

==== //depot/projects/trustedbsd/audit3/contrib/audit_supt/auditd/auditd.c#4 (text+ko) ====

@@ -23,11 +23,11 @@
  */
 
 #include <sys/dirent.h>
-#include <sys/types.h>
 #include <sys/mman.h>
 #include <sys/queue.h>
 #include <sys/stat.h>
 #include <sys/syscall.h>
+#include <sys/types.h>
 #include <sys/wait.h>
 
 #include <fcntl.h>
@@ -51,6 +51,7 @@
 static char *lastfile = NULL;
 
 static int allhardcount = 0;
+static int controlfd = 0;
 
 TAILQ_HEAD(, dir_ent) dir_q;
 
@@ -380,54 +381,39 @@
 }
 
 /*
- * React to input from the audit tool
+ * Signal handler for the SIGIO signal for events on the auditd control file.
  */
-int auditd_control(int flags)
+static void sigio_handler(int sig)
 {
-	int err_ret = 0;
+	int num;
+	int trigger;
 
-	switch(flags) {
-
-		case OPEN_NEW :
-			/* create a new file and swap with the one being used in kernel */
-			if(swap_audit_file() == -1) {
-				syslog(LOG_ERR, "Error swapping audit file\n");				
-			}
-			break;
-
-		case READ_FILE :
-			if(read_control_file() == -1) {
-				syslog(LOG_ERR, "Error in audit control file\n");				
-			}
-			break;
-
-		case CLOSE_AND_DIE : 
-			err_ret = close_all();
-			exit (err_ret);
-			break;
-
-		default :
-			break;
+	num = read(controlfd, &trigger, sizeof(trigger));
+	if ((num == -1) && (errno != EINTR)) {
+		syslog(LOG_ERR, "sigio_handler(): error %d\n", errno);
+			return;
+	}
+	if (num == 0) {
+		syslog(LOG_INFO, "sigio_handler(): read EOF\n");
+		return;
 	}
+	syslog(LOG_INFO, "sigio_handler(): read %d\n", trigger);
+	handle_auditd_trigger(trigger);
+}
 
-	return 0;
-}
 /*
- * XXX This routine will eventually handle kernel messages to rotate the 
- * audit log, etc.
- */
-/*
  * Suppress duplicate messages within a 30 second interval.
  * This should be enough to time to rotate log files without
  * thrashing from soft warnings generated before the log is
  * actually rotated.
  */
 #define DUPLICATE_INTERVAL 30
-int audit_triggers(int flags)
+int handle_auditd_trigger(int flags)
 {
 	static int last_flags;
 	static time_t last_time;
 	struct dir_ent *dirent;
+	int rc;
 
 	/*
 	 * Suppres duplicate messages from the kernel within the specified 
@@ -447,13 +433,15 @@
 	}
 
 		syslog(LOG_INFO, 
-		  "audit_triggers() called within auditd with flags = %d\n",
+		  "handle_audit_trigger() called within auditd with flags = %d\n",
 			flags);
 	/* 
 	 * XXX Message processing is done here 
  	 */
 	dirent = TAILQ_FIRST(&dir_q); 
-	if(flags == AUDIT_TRIGGER_LOW_SPACE) {
+	switch(flags) {
+
+	case AUDITD_TRIGGER_LOW_SPACE:
 		if(dirent && (dirent->softlim != 1)) {
 			TAILQ_REMOVE(&dir_q, dirent, dirs);
 				/* add this node to the end of the list */
@@ -483,8 +471,8 @@
 			 */
 			audit_warn_allsoft();
 		}
-	}
-	else if (flags == AUDIT_TRIGGER_FILE_FULL) {
+		break;
+	case AUDITD_TRIGGER_FILE_FULL:
 
 		/* delete current dir, go on to next */
 		TAILQ_REMOVE(&dir_q, dirent, dirs);
@@ -493,11 +481,34 @@
         	free(dirent);
 
 		if(swap_audit_file() == -1) {
-			syslog(LOG_ERR, "Error swapping audit file in response to AUDIT_TRIGGER_FILE_FULL message\n");	
+			syslog(LOG_ERR, "Error swapping audit file in "
+		 	    "response to AUDITD_TRIGGER_FILE_FULL message\n");	
 	
 			/* Nowhere to write to */
 			audit_warn_allhard(++allhardcount);
 		}
+		break;
+	case AUDITD_TRIGGER_OPEN_NEW :
+		/* create a new file and swap with the one being 
+		 * used in kernel */
+		if(swap_audit_file() == -1) {
+			syslog(LOG_ERR, "Error swapping audit file\n");	
+		}
+		break;
+
+	case AUDITD_TRIGGER_READ_FILE :
+		if(read_control_file() == -1) {
+			syslog(LOG_ERR, "Error in audit control file\n");				
+		}
+		break;
+
+	case AUDITD_TRIGGER_CLOSE_AND_DIE : 
+		rc = close_all();
+		exit (rc);
+		break;
+
+	default :
+		break;
 	}
 	return 0;
 }
@@ -596,10 +607,63 @@
 	return 0;
 }
 
+/*
+ * Configure the IPC mechanism for receiving messages from the kernel
+ * concerning audit control events.
+ */
 int config_auditd_ipc() 
 {
-	int fd;
+	int rc;
+	struct stat sb;
+
+	rc = mkfifo(AUDITD_CTL_FILE, S_IRUSR | S_IWUSR);
+	if ((rc != 0) && (errno != EEXIST)) {
+		syslog(LOG_ERR, 
+		    "config_auditd_ipc() : error creating FIFO\n");
+		return rc;
+	}
+
+	rc = stat(AUDITD_CTL_FILE, &sb);
+	if ((rc != 0) || ((sb.st_mode & S_IFIFO) == 0)) {
+		syslog(LOG_ERR, 
+		    "config_auditd_ipc() : error stat of FIFO\n");
+		return rc;
+	}
+
+	/* Tell the kernel the name of the auditd control file */
+	/*else if (auditctl(AC_SETCTLFILE, fn, strlen(fn)) != 0) { */
+	if (syscall(SYS_auditctl, AC_SETCTLFILE, AUDITD_CTL_FILE, 
+		strlen(AUDITD_CTL_FILE)) != 0) {
+		syslog(LOG_ERR, 
+			"config_auditd_ipc() :  failed sending control file "
+			" name to the kernel: %s\n", 
+				strerror(errno));
+	}
+	/* Set up the signal hander */
+	if (signal(SIGIO, sigio_handler) == SIG_ERR) {
+		syslog(LOG_ERR, 
+		    "config_auditd_ipc() : error setting up signal handler\n");
+		return -1;
+	}
+
+	controlfd = open(AUDITD_CTL_FILE, O_RDONLY);
+	if (controlfd < 0) {
+		syslog(LOG_ERR, 
+		    "config_auditd_ipc() : error opening control file\n");
+		return -1;
+	}
+	if (fcntl(controlfd, F_SETOWN, getpid())) {
+		syslog(LOG_ERR, 
+		    "config_auditd_ipc() : error setting file ownership\n");
+		return -1;
+	} 
 
+	if (fcntl(controlfd, F_SETFL, O_ASYNC)) {
+		syslog(LOG_ERR, 
+		    "config_auditd_ipc() : error setting file ASYNC\n");
+		return -1;
+	} 
+	return 0;
 }
 
 void setup(long flags)
@@ -634,12 +698,11 @@
 		syslog(LOG_INFO, "Audit controls init failed\n");
 
 	if (config_auditd_ipc() == 0)
-		syslog(LOG_INFO, "auditd control socket created\n");
+		syslog(LOG_INFO, "auditd control created\n");
 	else
-		syslog(LOG_INFO, "auditd control socket not created\n");
+		syslog(LOG_ERR, "auditd control not created\n");
 }
 
-
 int main(int argc, char **argv)
 {
 	char ch;
@@ -686,6 +749,9 @@
 	}
 
 	setup(flags);
+	while(1)
+		sleep(32768);
+
 	syslog(LOG_INFO, "exiting.\n");
 	
 	exit(1);

==== //depot/projects/trustedbsd/audit3/contrib/audit_supt/auditd/auditd.h#3 (text+ko) ====

@@ -7,7 +7,6 @@
 
 #define MAX_DIR_SIZE 255
 #define AUDITD_NAME    "auditd"
-#define AUDITD_SOCK_FILE	"/etc/security/auditd_control"
 
 #define POSTFIX_LEN		16
 #define NOT_TERMINATED	".not_terminated" 
@@ -18,11 +17,6 @@
 	TAILQ_ENTRY(dir_ent) dirs;
 };
 
-/* audit utility flags */
-#define OPEN_NEW		0x1
-#define READ_FILE		0x2
-#define CLOSE_AND_DIE 	0x4
-
 #define HARDLIM_ALL_WARN        "allhard"
 #define SOFTLIM_ALL_WARN        "allsoft"
 #define AUDITOFF_WARN           "aditoff"

==== //depot/projects/trustedbsd/audit3/sys/bsm/audit.h#5 (text+ko) ====

@@ -36,11 +36,19 @@
 #define MAX_AUDIT_RECORD_SIZE	4096	
 #define MIN_AUDIT_FILE_SIZE	512 * 1024
 
+/*
+ * Control FIFO for the audit daemon
+ */
+#define AUDITD_CTL_FILE	"/etc/security/auditd_control"
+
 /* 
  * Triggers for the audit daemon
  */
-#define AUDIT_TRIGGER_LOW_SPACE	1
-#define AUDIT_TRIGGER_FILE_FULL	2
+#define AUDITD_TRIGGER_LOW_SPACE	1
+#define AUDITD_TRIGGER_FILE_FULL	2
+#define AUDITD_TRIGGER_OPEN_NEW 	3
+#define AUDITD_TRIGGER_READ_FILE 	4
+#define AUDITD_TRIGGER_CLOSE_AND_DIE 	5
 
 /*
  * Pre-defined audit IDs
@@ -157,7 +165,7 @@
  * auditctl(2) commands
  */
 #define AC_SETLOGFILE	1
-#define AC_SETCTLFD	2
+#define AC_SETCTLFILE	2
 
 __BEGIN_DECLS