freebsd-nq/contrib/openbsm/libbsm/bsm_event.c
Robert Watson 22ccb20de4 Vendor import of OpenBSM 1.0 alpha 9, with the following change history
notes since the last import:

OpenBSM 1.0 alpha 9

- Rename many OpenBSM-specific constants and API elements containing the
  strings "BSM" and "bsm" to "AUDIT" and "audit", observing that this is true
  for almost all existing constants and APIs.
- Instead of passing a per-instance cookie directly into all audit filter
  APIs, pass in the audit filter daemon state pointer, which is then used by
  the module using an audit_filter_{get,set}cookie() API.  This will allow
  future service APIs provided by the filter daemon to maintain their own
  state -- for example, per-module preselection state.

OpenBSM 1.0 alpha 8

- Correct typo in definition of AUR_INT.
- Adopt OpenSolaris constant values for AUDIT_* configuration flags.
- Arguments to au_to_exec_args() and au_to_exec_env() no longer const.
- Add kernel versions of au_to_exec_args() and au_to_exec_env().
- Fix exec argument type that is printed for env strings from 'arg' to 'env'.
- New OpenBSM token version number assigned, constants added for other
  commonly seen version numbers.
- OpenBSM-specific events assigned numbers in the 43xxx range to avoid future
  collisions with Solaris.  Darwin events renamed to AUE_DARWIN_foo, as they
  are now deprecated numberings.
- autoconf now detects clock_gettime(), which is not available on Darwin.
- praudit output fixes relating to arg32 and arg64 tokens.
- Maximum record size updated to 64k-1 to match Solaris record size limit.
- Various style and comment cleanups in include files.

This is an MFC candidate to RELENG_6.

Obtained from:	TrustedBSD Project
2006-08-26 08:04:15 +00:00

333 lines
7.7 KiB
C

/*
* Copyright (c) 2004 Apple Computer, Inc.
* Copyright (c) 2006 Robert N. M. Watson
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
* its contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
* ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
* $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_event.c#12 $
*/
#include <bsm/libbsm.h>
#include <string.h>
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
/*
* Parse the contents of the audit_event file to return
* au_event_ent entries
*/
static FILE *fp = NULL;
static char linestr[AU_LINE_MAX];
static const char *eventdelim = ":";
static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
/*
* Parse one line from the audit_event file into the au_event_ent structure.
*/
static struct au_event_ent *
eventfromstr(char *str, struct au_event_ent *e)
{
char *evno, *evname, *evdesc, *evclass;
struct au_mask evmask;
char *last;
evno = strtok_r(str, eventdelim, &last);
evname = strtok_r(NULL, eventdelim, &last);
evdesc = strtok_r(NULL, eventdelim, &last);
evclass = strtok_r(NULL, eventdelim, &last);
if ((evno == NULL) || (evname == NULL))
return (NULL);
if (strlen(evname) >= AU_EVENT_NAME_MAX)
return (NULL);
strcpy(e->ae_name, evname);
if (evdesc != NULL) {
if (strlen(evdesc) >= AU_EVENT_DESC_MAX)
return (NULL);
strcpy(e->ae_desc, evdesc);
} else
strcpy(e->ae_desc, "");
e->ae_number = atoi(evno);
/*
* Find out the mask that corresponds to the given list of classes.
*/
if (evclass != NULL) {
if (getauditflagsbin(evclass, &evmask) != 0)
e->ae_class = AU_NULL;
else
e->ae_class = evmask.am_success;
} else
e->ae_class = AU_NULL;
return (e);
}
/*
* Rewind the audit_event file.
*/
static void
setauevent_locked(void)
{
if (fp != NULL)
fseek(fp, 0, SEEK_SET);
}
void
setauevent(void)
{
pthread_mutex_lock(&mutex);
setauevent_locked();
pthread_mutex_unlock(&mutex);
}
/*
* Close the open file pointers.
*/
void
endauevent(void)
{
pthread_mutex_lock(&mutex);
if (fp != NULL) {
fclose(fp);
fp = NULL;
}
pthread_mutex_unlock(&mutex);
}
/*
* Enumerate the au_event_ent entries.
*/
static struct au_event_ent *
getauevent_r_locked(struct au_event_ent *e)
{
char *nl;
if ((fp == NULL) && ((fp = fopen(AUDIT_EVENT_FILE, "r")) == NULL))
return (NULL);
while (1) {
if (fgets(linestr, AU_LINE_MAX, fp) == NULL)
return (NULL);
/* Remove new lines. */
if ((nl = strrchr(linestr, '\n')) != NULL)
*nl = '\0';
/* Skip comments. */
if (linestr[0] == '#')
continue;
/* Get the next event structure. */
if (eventfromstr(linestr, e) == NULL)
return (NULL);
break;
}
return (e);
}
struct au_event_ent *
getauevent_r(struct au_event_ent *e)
{
struct au_event_ent *ep;
pthread_mutex_lock(&mutex);
ep = getauevent_r_locked(e);
pthread_mutex_unlock(&mutex);
return (ep);
}
struct au_event_ent *
getauevent(void)
{
static char event_ent_name[AU_EVENT_NAME_MAX];
static char event_ent_desc[AU_EVENT_DESC_MAX];
static struct au_event_ent e;
bzero(&e, sizeof(e));
bzero(event_ent_name, sizeof(event_ent_name));
bzero(event_ent_desc, sizeof(event_ent_desc));
e.ae_name = event_ent_name;
e.ae_desc = event_ent_desc;
return (getauevent_r(&e));
}
/*
* Search for an audit event structure having the given event name.
*
* XXXRW: Why accept NULL name?
*/
static struct au_event_ent *
getauevnam_r_locked(struct au_event_ent *e, const char *name)
{
char *nl;
if (name == NULL)
return (NULL);
/* Rewind to beginning of the file. */
setauevent_locked();
if ((fp == NULL) && ((fp = fopen(AUDIT_EVENT_FILE, "r")) == NULL))
return (NULL);
while (fgets(linestr, AU_LINE_MAX, fp) != NULL) {
/* Remove new lines. */
if ((nl = strrchr(linestr, '\n')) != NULL)
*nl = '\0';
if (eventfromstr(linestr, e) != NULL) {
if (strcmp(name, e->ae_name) == 0)
return (e);
}
}
return (NULL);
}
struct au_event_ent *
getauevnam_r(struct au_event_ent *e, const char *name)
{
struct au_event_ent *ep;
pthread_mutex_lock(&mutex);
ep = getauevnam_r_locked(e, name);
pthread_mutex_unlock(&mutex);
return (ep);
}
struct au_event_ent *
getauevnam(const char *name)
{
static char event_ent_name[AU_EVENT_NAME_MAX];
static char event_ent_desc[AU_EVENT_DESC_MAX];
static struct au_event_ent e;
bzero(&e, sizeof(e));
bzero(event_ent_name, sizeof(event_ent_name));
bzero(event_ent_desc, sizeof(event_ent_desc));
e.ae_name = event_ent_name;
e.ae_desc = event_ent_desc;
return (getauevnam_r(&e, name));
}
/*
* Search for an audit event structure having the given event number.
*/
static struct au_event_ent *
getauevnum_r_locked(struct au_event_ent *e, au_event_t event_number)
{
char *nl;
/* Rewind to beginning of the file. */
setauevent_locked();
if ((fp == NULL) && ((fp = fopen(AUDIT_EVENT_FILE, "r")) == NULL))
return (NULL);
while (fgets(linestr, AU_LINE_MAX, fp) != NULL) {
/* Remove new lines. */
if ((nl = strrchr(linestr, '\n')) != NULL)
*nl = '\0';
if (eventfromstr(linestr, e) != NULL) {
if (event_number == e->ae_number)
return (e);
}
}
return (NULL);
}
struct au_event_ent *
getauevnum_r(struct au_event_ent *e, au_event_t event_number)
{
struct au_event_ent *ep;
pthread_mutex_lock(&mutex);
ep = getauevnum_r_locked(e, event_number);
pthread_mutex_unlock(&mutex);
return (ep);
}
struct au_event_ent *
getauevnum(au_event_t event_number)
{
static char event_ent_name[AU_EVENT_NAME_MAX];
static char event_ent_desc[AU_EVENT_DESC_MAX];
static struct au_event_ent e;
bzero(&e, sizeof(e));
bzero(event_ent_name, sizeof(event_ent_name));
bzero(event_ent_desc, sizeof(event_ent_desc));
e.ae_name = event_ent_name;
e.ae_desc = event_ent_desc;
return (getauevnum_r(&e, event_number));
}
/*
* Search for an audit_event entry with a given event_name and returns the
* corresponding event number.
*/
au_event_t *
getauevnonam_r(au_event_t *ev, const char *event_name)
{
static char event_ent_name[AU_EVENT_NAME_MAX];
static char event_ent_desc[AU_EVENT_DESC_MAX];
static struct au_event_ent e, *ep;
bzero(event_ent_name, sizeof(event_ent_name));
bzero(event_ent_desc, sizeof(event_ent_desc));
bzero(&e, sizeof(e));
e.ae_name = event_ent_name;
e.ae_desc = event_ent_desc;
ep = getauevnam_r(&e, event_name);
if (ep == NULL)
return (NULL);
*ev = e.ae_number;
return (ev);
}
au_event_t *
getauevnonam(const char *event_name)
{
static au_event_t event;
return (getauevnonam_r(&event, event_name));
}