3dabba580b
notes since the last import: OpenBSM 1.0 alpha 9 - Rename many OpenBSM-specific constants and API elements containing the strings "BSM" and "bsm" to "AUDIT" and "audit", observing that this is true for almost all existing constants and APIs. - Instead of passing a per-instance cookie directly into all audit filter APIs, pass in the audit filter daemon state pointer, which is then used by the module using an audit_filter_{get,set}cookie() API. This will allow future service APIs provided by the filter daemon to maintain their own state -- for example, per-module preselection state. OpenBSM 1.0 alpha 8 - Correct typo in definition of AUR_INT. - Adopt OpenSolaris constant values for AUDIT_* configuration flags. - Arguments to au_to_exec_args() and au_to_exec_env() no longer const. - Add kernel versions of au_to_exec_args() and au_to_exec_env(). - Fix exec argument type that is printed for env strings from 'arg' to 'env'. - New OpenBSM token version number assigned, constants added for other commonly seen version numbers. - OpenBSM-specific events assigned numbers in the 43xxx range to avoid future collisions with Solaris. Darwin events renamed to AUE_DARWIN_foo, as they are now deprecated numberings. - autoconf now detects clock_gettime(), which is not available on Darwin. - praudit output fixes relating to arg32 and arg64 tokens. - Maximum record size updated to 64k-1 to match Solaris record size limit. - Various style and comment cleanups in include files. This is an MFC candidate to RELENG_6. Obtained from: TrustedBSD Project
333 lines
7.7 KiB
C
333 lines
7.7 KiB
C
/*
|
|
* Copyright (c) 2004 Apple Computer, Inc.
|
|
* Copyright (c) 2006 Robert N. M. Watson
|
|
* All rights reserved.
|
|
*
|
|
* Redistribution and use in source and binary forms, with or without
|
|
* modification, are permitted provided that the following conditions
|
|
* are met:
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
* notice, this list of conditions and the following disclaimer.
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
* documentation and/or other materials provided with the distribution.
|
|
* 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
|
|
* its contributors may be used to endorse or promote products derived
|
|
* from this software without specific prior written permission.
|
|
*
|
|
* THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
|
|
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
* ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
|
|
* ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
|
|
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
|
|
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
|
* POSSIBILITY OF SUCH DAMAGE.
|
|
*
|
|
* $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_event.c#12 $
|
|
*/
|
|
|
|
#include <bsm/libbsm.h>
|
|
|
|
#include <string.h>
|
|
#include <pthread.h>
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
|
|
/*
|
|
* Parse the contents of the audit_event file to return
|
|
* au_event_ent entries
|
|
*/
|
|
static FILE *fp = NULL;
|
|
static char linestr[AU_LINE_MAX];
|
|
static const char *eventdelim = ":";
|
|
|
|
static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
|
|
|
|
/*
|
|
* Parse one line from the audit_event file into the au_event_ent structure.
|
|
*/
|
|
static struct au_event_ent *
|
|
eventfromstr(char *str, struct au_event_ent *e)
|
|
{
|
|
char *evno, *evname, *evdesc, *evclass;
|
|
struct au_mask evmask;
|
|
char *last;
|
|
|
|
evno = strtok_r(str, eventdelim, &last);
|
|
evname = strtok_r(NULL, eventdelim, &last);
|
|
evdesc = strtok_r(NULL, eventdelim, &last);
|
|
evclass = strtok_r(NULL, eventdelim, &last);
|
|
|
|
if ((evno == NULL) || (evname == NULL))
|
|
return (NULL);
|
|
|
|
if (strlen(evname) >= AU_EVENT_NAME_MAX)
|
|
return (NULL);
|
|
|
|
strcpy(e->ae_name, evname);
|
|
if (evdesc != NULL) {
|
|
if (strlen(evdesc) >= AU_EVENT_DESC_MAX)
|
|
return (NULL);
|
|
strcpy(e->ae_desc, evdesc);
|
|
} else
|
|
strcpy(e->ae_desc, "");
|
|
|
|
e->ae_number = atoi(evno);
|
|
|
|
/*
|
|
* Find out the mask that corresponds to the given list of classes.
|
|
*/
|
|
if (evclass != NULL) {
|
|
if (getauditflagsbin(evclass, &evmask) != 0)
|
|
e->ae_class = AU_NULL;
|
|
else
|
|
e->ae_class = evmask.am_success;
|
|
} else
|
|
e->ae_class = AU_NULL;
|
|
|
|
return (e);
|
|
}
|
|
|
|
/*
|
|
* Rewind the audit_event file.
|
|
*/
|
|
static void
|
|
setauevent_locked(void)
|
|
{
|
|
|
|
if (fp != NULL)
|
|
fseek(fp, 0, SEEK_SET);
|
|
}
|
|
|
|
void
|
|
setauevent(void)
|
|
{
|
|
|
|
pthread_mutex_lock(&mutex);
|
|
setauevent_locked();
|
|
pthread_mutex_unlock(&mutex);
|
|
}
|
|
|
|
/*
|
|
* Close the open file pointers.
|
|
*/
|
|
void
|
|
endauevent(void)
|
|
{
|
|
|
|
pthread_mutex_lock(&mutex);
|
|
if (fp != NULL) {
|
|
fclose(fp);
|
|
fp = NULL;
|
|
}
|
|
pthread_mutex_unlock(&mutex);
|
|
}
|
|
|
|
/*
|
|
* Enumerate the au_event_ent entries.
|
|
*/
|
|
static struct au_event_ent *
|
|
getauevent_r_locked(struct au_event_ent *e)
|
|
{
|
|
char *nl;
|
|
|
|
if ((fp == NULL) && ((fp = fopen(AUDIT_EVENT_FILE, "r")) == NULL))
|
|
return (NULL);
|
|
|
|
while (1) {
|
|
if (fgets(linestr, AU_LINE_MAX, fp) == NULL)
|
|
return (NULL);
|
|
|
|
/* Remove new lines. */
|
|
if ((nl = strrchr(linestr, '\n')) != NULL)
|
|
*nl = '\0';
|
|
|
|
/* Skip comments. */
|
|
if (linestr[0] == '#')
|
|
continue;
|
|
|
|
/* Get the next event structure. */
|
|
if (eventfromstr(linestr, e) == NULL)
|
|
return (NULL);
|
|
break;
|
|
}
|
|
|
|
return (e);
|
|
}
|
|
|
|
struct au_event_ent *
|
|
getauevent_r(struct au_event_ent *e)
|
|
{
|
|
struct au_event_ent *ep;
|
|
|
|
pthread_mutex_lock(&mutex);
|
|
ep = getauevent_r_locked(e);
|
|
pthread_mutex_unlock(&mutex);
|
|
return (ep);
|
|
}
|
|
|
|
struct au_event_ent *
|
|
getauevent(void)
|
|
{
|
|
static char event_ent_name[AU_EVENT_NAME_MAX];
|
|
static char event_ent_desc[AU_EVENT_DESC_MAX];
|
|
static struct au_event_ent e;
|
|
|
|
bzero(&e, sizeof(e));
|
|
bzero(event_ent_name, sizeof(event_ent_name));
|
|
bzero(event_ent_desc, sizeof(event_ent_desc));
|
|
e.ae_name = event_ent_name;
|
|
e.ae_desc = event_ent_desc;
|
|
return (getauevent_r(&e));
|
|
}
|
|
|
|
/*
|
|
* Search for an audit event structure having the given event name.
|
|
*
|
|
* XXXRW: Why accept NULL name?
|
|
*/
|
|
static struct au_event_ent *
|
|
getauevnam_r_locked(struct au_event_ent *e, const char *name)
|
|
{
|
|
char *nl;
|
|
|
|
if (name == NULL)
|
|
return (NULL);
|
|
|
|
/* Rewind to beginning of the file. */
|
|
setauevent_locked();
|
|
|
|
if ((fp == NULL) && ((fp = fopen(AUDIT_EVENT_FILE, "r")) == NULL))
|
|
return (NULL);
|
|
|
|
while (fgets(linestr, AU_LINE_MAX, fp) != NULL) {
|
|
/* Remove new lines. */
|
|
if ((nl = strrchr(linestr, '\n')) != NULL)
|
|
*nl = '\0';
|
|
|
|
if (eventfromstr(linestr, e) != NULL) {
|
|
if (strcmp(name, e->ae_name) == 0)
|
|
return (e);
|
|
}
|
|
}
|
|
|
|
return (NULL);
|
|
}
|
|
|
|
struct au_event_ent *
|
|
getauevnam_r(struct au_event_ent *e, const char *name)
|
|
{
|
|
struct au_event_ent *ep;
|
|
|
|
pthread_mutex_lock(&mutex);
|
|
ep = getauevnam_r_locked(e, name);
|
|
pthread_mutex_unlock(&mutex);
|
|
return (ep);
|
|
}
|
|
|
|
struct au_event_ent *
|
|
getauevnam(const char *name)
|
|
{
|
|
static char event_ent_name[AU_EVENT_NAME_MAX];
|
|
static char event_ent_desc[AU_EVENT_DESC_MAX];
|
|
static struct au_event_ent e;
|
|
|
|
bzero(&e, sizeof(e));
|
|
bzero(event_ent_name, sizeof(event_ent_name));
|
|
bzero(event_ent_desc, sizeof(event_ent_desc));
|
|
e.ae_name = event_ent_name;
|
|
e.ae_desc = event_ent_desc;
|
|
return (getauevnam_r(&e, name));
|
|
}
|
|
|
|
/*
|
|
* Search for an audit event structure having the given event number.
|
|
*/
|
|
static struct au_event_ent *
|
|
getauevnum_r_locked(struct au_event_ent *e, au_event_t event_number)
|
|
{
|
|
char *nl;
|
|
|
|
/* Rewind to beginning of the file. */
|
|
setauevent_locked();
|
|
|
|
if ((fp == NULL) && ((fp = fopen(AUDIT_EVENT_FILE, "r")) == NULL))
|
|
return (NULL);
|
|
|
|
while (fgets(linestr, AU_LINE_MAX, fp) != NULL) {
|
|
/* Remove new lines. */
|
|
if ((nl = strrchr(linestr, '\n')) != NULL)
|
|
*nl = '\0';
|
|
|
|
if (eventfromstr(linestr, e) != NULL) {
|
|
if (event_number == e->ae_number)
|
|
return (e);
|
|
}
|
|
}
|
|
|
|
return (NULL);
|
|
}
|
|
|
|
struct au_event_ent *
|
|
getauevnum_r(struct au_event_ent *e, au_event_t event_number)
|
|
{
|
|
struct au_event_ent *ep;
|
|
|
|
pthread_mutex_lock(&mutex);
|
|
ep = getauevnum_r_locked(e, event_number);
|
|
pthread_mutex_unlock(&mutex);
|
|
return (ep);
|
|
}
|
|
|
|
struct au_event_ent *
|
|
getauevnum(au_event_t event_number)
|
|
{
|
|
static char event_ent_name[AU_EVENT_NAME_MAX];
|
|
static char event_ent_desc[AU_EVENT_DESC_MAX];
|
|
static struct au_event_ent e;
|
|
|
|
bzero(&e, sizeof(e));
|
|
bzero(event_ent_name, sizeof(event_ent_name));
|
|
bzero(event_ent_desc, sizeof(event_ent_desc));
|
|
e.ae_name = event_ent_name;
|
|
e.ae_desc = event_ent_desc;
|
|
return (getauevnum_r(&e, event_number));
|
|
}
|
|
|
|
/*
|
|
* Search for an audit_event entry with a given event_name and returns the
|
|
* corresponding event number.
|
|
*/
|
|
au_event_t *
|
|
getauevnonam_r(au_event_t *ev, const char *event_name)
|
|
{
|
|
static char event_ent_name[AU_EVENT_NAME_MAX];
|
|
static char event_ent_desc[AU_EVENT_DESC_MAX];
|
|
static struct au_event_ent e, *ep;
|
|
|
|
bzero(event_ent_name, sizeof(event_ent_name));
|
|
bzero(event_ent_desc, sizeof(event_ent_desc));
|
|
bzero(&e, sizeof(e));
|
|
e.ae_name = event_ent_name;
|
|
e.ae_desc = event_ent_desc;
|
|
|
|
ep = getauevnam_r(&e, event_name);
|
|
if (ep == NULL)
|
|
return (NULL);
|
|
|
|
*ev = e.ae_number;
|
|
return (ev);
|
|
}
|
|
|
|
au_event_t *
|
|
getauevnonam(const char *event_name)
|
|
{
|
|
static au_event_t event;
|
|
|
|
return (getauevnonam_r(&event, event_name));
|
|
}
|