From owner-p4-projects@FreeBSD.ORG  Sun Nov 30 21:44:13 2008
Return-Path: <owner-p4-projects@FreeBSD.ORG>
Delivered-To: p4-projects@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 32767)
	id C8F741065675; Sun, 30 Nov 2008 21:44:13 +0000 (UTC)
Delivered-To: perforce@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 8D737106564A
	for <perforce@freebsd.org>; Sun, 30 Nov 2008 21:44:13 +0000 (UTC)
	(envelope-from csjp@freebsd.org)
Received: from repoman.freebsd.org (repoman.freebsd.org
	[IPv6:2001:4f8:fff6::29])
	by mx1.freebsd.org (Postfix) with ESMTP id 4940F8FC12
	for <perforce@freebsd.org>; Sun, 30 Nov 2008 21:44:13 +0000 (UTC)
	(envelope-from csjp@freebsd.org)
Received: from repoman.freebsd.org (localhost [127.0.0.1])
	by repoman.freebsd.org (8.14.3/8.14.3) with ESMTP id mAULiCb1013761
	for <perforce@freebsd.org>; Sun, 30 Nov 2008 21:44:12 GMT
	(envelope-from csjp@freebsd.org)
Received: (from perforce@localhost)
	by repoman.freebsd.org (8.14.3/8.14.3/Submit) id mAULiCVU013759
	for perforce@freebsd.org; Sun, 30 Nov 2008 21:44:12 GMT
	(envelope-from csjp@freebsd.org)
Date: Sun, 30 Nov 2008 21:44:12 GMT
Message-Id: <200811302144.mAULiCVU013759@repoman.freebsd.org>
X-Authentication-Warning: repoman.freebsd.org: perforce set sender to
	csjp@freebsd.org using -f
From: "Christian S.J. Peron" <csjp@FreeBSD.org>
To: Perforce Change Reviews <perforce@freebsd.org>
Cc: 
Subject: PERFORCE change 153856 for review
X-BeenThere: p4-projects@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: p4 projects tree changes <p4-projects.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/p4-projects>,
	<mailto:p4-projects-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/p4-projects>
List-Post: <mailto:p4-projects@freebsd.org>
List-Help: <mailto:p4-projects-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/p4-projects>,
	<mailto:p4-projects-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 30 Nov 2008 21:44:14 -0000

http://perforce.freebsd.org/chv.cgi?CH=153856

Change 153856 by csjp@hvm02 on 2008/11/30 21:43:58

	Re-factor audit_submit() so that it attempts to use getaudit_addr(2) before
	falling back on to getaudit(2).

Affected files ...

.. //depot/projects/trustedbsd/openbsm/libbsm/bsm_wrappers.c#27 edit

Differences ...

==== //depot/projects/trustedbsd/openbsm/libbsm/bsm_wrappers.c#27 (text+ko) ====

@@ -26,7 +26,7 @@
  * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  * POSSIBILITY OF SUCH DAMAGE.
  *
- * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_wrappers.c#26 $
+ * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_wrappers.c#27 $
  */
 
 #ifdef __APPLE__
@@ -69,6 +69,7 @@
 	int error, afd, subj_ex;
 	struct auditinfo ai;
 	struct auditinfo_addr aia;
+	au_tid_t atid;
 
 	if (auditon(A_GETCOND, &acond, sizeof(acond)) < 0) {
 		/*
@@ -85,7 +86,6 @@
 	}
 	if (acond == AUC_NOAUDIT)
 		return (0);
-	/* XXXCSJP we should be doing a pre-select here */
 	afd = au_open();
 	if (afd < 0) {
 		error = errno;
@@ -95,30 +95,51 @@
 		return (-1);
 	}
 	/*
-	 * Some operating systems do not have getaudit_addr(2) implemented
-	 * yet.  So we try to use getaudit(2) first, if the subject is
-	 * using IPv6, then we will have to try getaudit_addr(2).  Failing
-	 * this, we return error.
+	 * Try to use getaudit_addr(2) first.  If this kernel does not support
+	 * it, then fall back on to getaudit(2).
 	 */
 	subj_ex = 0;
-	error = getaudit(&ai);
-	if (error < 0 && errno == E2BIG) {
-		error = getaudit_addr(&aia, sizeof(aia));
-		if (error == 0)
-			subj_ex = 1;
-	}
-	if (error < 0) {
+	error = getaudit_addr(&aia, sizeof(aia));
+	if (error < 0 && errno == ENOSYS) {
+		error = getaudit(&ai);
+		if (error < 0) {
+			error = errno;
+			syslog(LOG_AUTH | LOG_ERR, "audit: getaudit failed: %s",
+			    strerror(errno));
+			errno = error;
+			return (-1);
+		}
+		/*
+		 * Convert this auditinfo_t to an auditinfo_addr_t to make the
+		 * following code less complicated wrt to preselection and
+		 * subject token generation.
+		 */
+		aia.ai_auid = ai.ai_auid;
+		aia.ai_mask = ai.ai_mask;
+		aia.ai_asid = ai.ai_asid;
+		aia.ai_termid.at_type = AU_IPv4;
+		aia.ai_termid.at_addr[0] = ai.ai_termid.machine;
+		aia.ai_termid.at_port = ai.ai_termid.port;
+	} else if (error < 0) {
 		error = errno;
-		syslog(LOG_AUTH | LOG_ERR, "audit: getaudit failed: %s",
+		syslog(LOG_AUTH | LOG_ERR, "audit: getaudit_addr failed: %s",
 		    strerror(errno));
 		errno = error;
 		return (-1);
 	}
+	/*
+	 * NB: We should be performing pre-selection here now that we have the
+	 * masks for this process.
+	 */
+	if (aia.ai_termid.at_type == AU_IPv6)
+		subj_ex = 1;
 	pid = getpid();
-	if (subj_ex == 0)
+	if (subj_ex == 0) {
+		atid.port = aia.ai_termid.at_port;
+		atid.machine = aia.ai_termid.at_addr[0];
 		token = au_to_subject32(auid, geteuid(), getegid(),
-		    getuid(), getgid(), pid, pid, &ai.ai_termid);
-	else
+		    getuid(), getgid(), pid, pid, &atid);
+	} else
 		token = au_to_subject_ex(auid, geteuid(), getegid(),
 		    getuid(), getgid(), pid, pid, &aia.ai_termid);
 	if (token == NULL) {