From owner-p4-projects@FreeBSD.ORG Tue Dec 14 20:49:50 2010 Return-Path: Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id 108D310656C6; Tue, 14 Dec 2010 20:49:50 +0000 (UTC) Delivered-To: perforce@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id C59A91065697 for ; Tue, 14 Dec 2010 20:49:49 +0000 (UTC) (envelope-from csjp@freebsd.org) Received: from skunkworks.freebsd.org (skunkworks.freebsd.org [IPv6:2001:4f8:fff6::2d]) by mx1.freebsd.org (Postfix) with ESMTP id B09FA8FC19 for ; Tue, 14 Dec 2010 20:49:49 +0000 (UTC) Received: from skunkworks.freebsd.org (localhost [127.0.0.1]) by skunkworks.freebsd.org (8.14.4/8.14.4) with ESMTP id oBEKnnfJ099203 for ; Tue, 14 Dec 2010 20:49:49 GMT (envelope-from csjp@freebsd.org) Received: (from perforce@localhost) by skunkworks.freebsd.org (8.14.4/8.14.4/Submit) id oBEKnnDi099199 for perforce@freebsd.org; Tue, 14 Dec 2010 20:49:49 GMT (envelope-from csjp@freebsd.org) Date: Tue, 14 Dec 2010 20:49:49 GMT Message-Id: <201012142049.oBEKnnDi099199@skunkworks.freebsd.org> X-Authentication-Warning: skunkworks.freebsd.org: perforce set sender to csjp@freebsd.org using -f 
From: "Christian S.J. Peron" To: Perforce Change Reviews Precedence: bulk Cc: Subject: PERFORCE change 186939 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.5 List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 14 Dec 2010 20:49:50 -0000 http://p4web.freebsd.org/@@186939?ac=10 Change 186939 by csjp@csjp_hvm02 on 2010/12/14 20:49:04 Add support for the Solaris privilege and privilege set tokens. This fixes truncated record errors when processing Solaris created audit trails using openbsm. Sponsored by: Seccuris Inc. Submitted by: Dave Bertouille [1] [1] Dave added the support for the privilege set token. Affected files ... .. //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#49 edit .. //depot/projects/trustedbsd/openbsm/libbsm/bsm_io.c#66 edit .. //depot/projects/trustedbsd/openbsm/libbsm/bsm_token.c#95 edit Differences ... ==== //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#49 (text+ko) ==== @@ -26,7 +26,7 @@ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE * POSSIBILITY OF SUCH DAMAGE. * - * $P4: //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#48 $ + * $P4: //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#49 $ */ #ifndef _LIBBSM_H_ @@ -671,6 +671,31 @@ } au_text_t; /* + * upriv status 1 byte + * privstr len 2 bytes + * privstr N bytes + 1 (\0 byte) + */ +typedef struct { + u_int8_t sorf; + u_int16_t privstrlen; + char *priv; +} au_priv_t; + +/* +* privset +* privtstrlen 2 bytes +* privtstr N Bytes + 1 +* privstrlen 2 bytes +* privstr N Bytes + 1 +*/ +typedef struct { + u_int16_t privtstrlen; + char *privtstr; + u_int16_t privstrlen; + char *privstr; +} au_privset_t; + +/* * zonename length 2 bytes * zonename text N bytes + 1 NULL terminator */ 
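Review bot: The comment block above `au_privset_t` drops the leading space in front of each `*` that every other block comment in this header uses (compare the `au_priv_t` and zonename comments around it), so it reads as a different style; indenting it to ` * privset` … ` * privstr N Bytes + 1` keeps the file uniform. The `au_priv_t` comment also calls the string `privstr` while the member is `priv`, and its `upriv status` line corresponds to the member `sorf`; naming the members in the comment (` * sorf 1 byte`, ` * privstrlen 2 bytes`, ` * priv N bytes + 1 (\0 byte)`) would match how `fetch_priv_tok` in bsm_io.c refers to them. Both are documentation-only changes.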
@@ -748,6 +773,8 @@ au_invalid_t invalid; au_trailer_t trail; au_zonename_t zonename; + au_priv_t priv; + au_privset_t privset; } tt; /* The token is one of the above types */ }; ==== //depot/projects/trustedbsd/openbsm/libbsm/bsm_io.c#66 (text+ko) ==== @@ -32,7 +32,7 @@ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE * POSSIBILITY OF SUCH DAMAGE. * - * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_io.c#65 $ + * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_io.c#66 $ */ #include 
@@ -3380,7 +3380,114 @@ } } +static void +print_upriv_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, + __unused char sfrm, int xml) +{ + + print_tok_type(fp, tok->id, "use of privilege", raw, xml); + if (xml) { + open_attr(fp, "status"); + if (tok->tt.priv.sorf) + (void) fprintf(fp, "successful use of priv"); + else + (void) fprintf(fp, "failed use of priv"); + close_attr(fp); + open_attr(fp, "name"); + print_string(fp, tok->tt.priv.priv, + tok->tt.priv.privstrlen); + close_attr(fp); + close_tag(fp, tok->id); + } else { + print_delim(fp, del); + if (tok->tt.priv.sorf) + (void) fprintf(fp, "successful use of priv"); + else + (void) fprintf(fp, "failed use of priv"); + print_delim(fp, del); + print_string(fp, tok->tt.priv.priv, + tok->tt.priv.privstrlen); + } +} + +/* + * status 1 byte + * privstrlen 2 bytes + * priv N bytes + 1 (\0 byte) + */ +static int +fetch_priv_tok(tokenstr_t *tok, u_char *buf, int len) +{ + int err = 0; + + READ_TOKEN_U_CHAR(buf, len, tok->tt.priv.sorf, tok->len, err); + if (err) + return (-1); + READ_TOKEN_U_INT16(buf, len, tok->tt.priv.privstrlen, tok->len, err); + if (err) + return (-1); + SET_PTR((char *)buf, len, tok->tt.priv.priv, tok->tt.priv.privstrlen, + tok->len, err); + if (err) + return (-1); + return (0); +} + /* + * privtstrlen 1 byte + * privtstr N bytes + 1 + * privstrlen 1 byte + * privstr N bytes + 1 + */ +static int +fetch_privset_tok(tokenstr_t *tok, u_char *buf, int len) +{ + int err = 0; + + READ_TOKEN_U_INT16(buf, len, tok->tt.privset.privtstrlen, + tok->len, err); + if (err) + return (-1); + SET_PTR((char *)buf, len, tok->tt.privset.privtstr, + tok->tt.privset.privtstrlen, tok->len, err); + if (err) + return (-1); + READ_TOKEN_U_INT16(buf, len, tok->tt.privset.privstrlen, + tok->len, err); + if (err) + return (-1); + SET_PTR((char *)buf, len, tok->tt.privset.privstr, + tok->tt.privset.privstrlen, tok->len, err); + if (err) + return (-1); + return (0); +} + +static void +print_privset_tok(FILE *fp, tokenstr_t *tok, 
char *del, char raw, + __unused char sfrm, int xml) +{ + print_tok_type(fp, tok->id, "privilege", raw, xml); + if (xml) { + open_attr(fp, "type"); + print_string(fp, tok->tt.privset.privtstr, + tok->tt.privset.privtstrlen); + close_attr(fp); + open_attr(fp, "priv"); + print_string(fp, tok->tt.privset.privstr, + tok->tt.privset.privstrlen); + close_attr(fp); + } else { + print_delim(fp, del); + print_string(fp, tok->tt.privset.privtstr, + tok->tt.privset.privtstrlen); + print_delim(fp, del); + print_string(fp, tok->tt.privset.privstr, + tok->tt.privset.privstrlen); + } +} + +/* * audit ID 4 bytes * euid 4 bytes * egid 4 bytes @@ -4110,6 +4217,12 @@ case AUT_ZONENAME: return (fetch_zonename_tok(tok, buf, len)); + case AUT_UPRIV: + return (fetch_priv_tok(tok, buf, len)); + + case AUT_PRIV: + return (fetch_privset_tok(tok, buf, len)); + default: return (fetch_invalid_tok(tok, buf, len)); } @@ -4284,6 +4397,14 @@ print_zonename_tok(outfp, tok, del, oflags); return; + case AUT_UPRIV: + print_upriv_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); + return; + + case AUT_PRIV: + print_privset_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); + return; + default: print_invalid_tok(outfp, tok, del, oflags); } @@ -4433,6 +4554,14 @@ } break; + case AUT_UPRIV: + print_upriv_tok(outfp, tok, del, raw, sfrm, AU_XML); + return; + + case AUT_PRIV: + print_privset_tok(outfp, tok, del, raw, sfrm, AU_XML); + return; + default: errno = EINVAL; return (-1); ==== //depot/projects/trustedbsd/openbsm/libbsm/bsm_token.c#95 (text+ko) ==== @@ -30,7 +30,7 @@ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE * POSSIBILITY OF SUCH DAMAGE. * - * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_token.c#94 $ + * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_token.c#95 $ */ #include 
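Review bot: The XML branch of `print_privset_tok` never closes the element it opens: `print_upriv_tok` ends its XML branch with `close_tag(fp, tok->id);`, but `print_privset_tok` falls out of the branch right after the second `close_attr(fp);`, so the tag for AUT_PRIV is left open and the XML output is unbalanced. Adding `close_tag(fp, tok->id);` after that `close_attr(fp);` brings it in line with the other printers. Separately, the comment above `fetch_privset_tok` says `privtstrlen 1 byte` and `privstrlen 1 byte`, while the code reads both with `READ_TOKEN_U_INT16` and the libbsm.h comment says 2 bytes; it should read ` * privtstrlen 2 bytes` / ` * privstrlen 2 bytes`. Naming is also uneven: AUT_UPRIV is fetched by `fetch_priv_tok` but printed by `print_upriv_tok`, and a `fetch_upriv_tok` name would make the pair easier to follow.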
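Review bot: The new AUT_UPRIV and AUT_PRIV cases pass `raw, sfrm, AU_PLAIN` to their printers while the adjacent `AUT_ZONENAME` and `default` cases in the same switch pass `oflags` to `print_zonename_tok` and `print_invalid_tok`, which suggests the file is moving printers to a single flags argument. Giving `print_upriv_tok` and `print_privset_tok` the same `(outfp, tok, del, oflags)` shape as `print_zonename_tok`, and deriving the XML/plain choice from `oflags` inside them, would avoid adding two more callers of the older signature that will need converting later. The same applies to the AU_XML dispatch hunk at `@@ -4433,6 +4554,14 @@`. Both switch statements begin and end outside these hunks.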
@@ -92,6 +92,59 @@ /* * token ID 1 byte + * success/failure 1 byte + * privstrlen 2 bytes + * privstr N bytes + 1 (\0 byte) + */ +token_t * +au_to_upriv(char sorf, char *priv) +{ + u_int16_t textlen; + u_char *dptr; + token_t *t; + + textlen = strlen(priv) + 1; + GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_char) + + sizeof(u_int16_t) + textlen); + if (t == NULL) + return (NULL); + ADD_U_CHAR(dptr, AUT_UPRIV); + ADD_U_CHAR(dptr, sorf); + ADD_U_INT16(dptr, textlen); + ADD_STRING(dptr, priv, textlen); + return (t); +} + +/* + * token ID 1 byte + * privtstrlen 2 bytes + * privtstr N bytes + 1 + * privstrlen 2 bytes + * privstr N bytes + 1 + */ +token_t * +au_to_privset(char *privtypestr, char *privstr) +{ + u_int16_t type_len, priv_len; + u_char *dptr; + token_t *t; + + type_len = strlen(privtypestr) + 1; + priv_len = strlen(privstr) + 1; + GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + + sizeof(u_int16_t) + type_len + priv_len); + if (t == NULL) + return (NULL); + ADD_U_CHAR(dptr, AUT_PRIV); + ADD_U_INT16(dptr, type_len); + ADD_STRING(dptr, privtypestr, type_len); + ADD_U_INT16(dptr, priv_len); + ADD_STRING(dptr, privstr, priv_len); + return (t); +} + +/* + * token ID 1 byte * argument # 1 byte * argument value 4 bytes/8 bytes (32-bit/64-bit value) * text length 2 bytes
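Review bot: `au_to_upriv` and `au_to_privset` are new exported functions, but the libbsm.h hunks in this change add only the two token structs and no prototypes, so unless they are declared elsewhere callers cannot see them and the definitions will trip -Wmissing-prototypes; the header should gain `token_t *au_to_upriv(char sorf, char *priv);` and `token_t *au_to_privset(char *privtypestr, char *privstr);`. Both functions also narrow `strlen(...) + 1` into a `u_int16_t` with no range check: for a string of 65535 bytes or more the length wraps, the token is sized and filled consistently so there is no overflow, but the emitted string is truncated and no longer carries the terminating NUL that the `+ 1 (\0 byte)` comment promises. A guard such as `if (strlen(priv) >= UINT16_MAX) return (NULL);` before the assignment (and the same for `privtypestr`/`privstr`) would reject that input explicitly rather than emit a malformed record, even if the file's other text tokens do not check it today.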