From owner-p4-projects@FreeBSD.ORG Fri Jul 30 02:00:25 2004 Return-Path: Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id 5B22316A4D0; Fri, 30 Jul 2004 02:00:24 +0000 (GMT) Delivered-To: perforce@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0531F16A4CE for ; Fri, 30 Jul 2004 02:00:24 +0000 (GMT) Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115]) by mx1.FreeBSD.org (Postfix) with ESMTP id DB16543D62 for ; Fri, 30 Jul 2004 02:00:23 +0000 (GMT) (envelope-from wsalamon@computer.org) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.12.11/8.12.11) with ESMTP id i6U20N10065123 for ; Fri, 30 Jul 2004 02:00:23 GMT (envelope-from wsalamon@computer.org) Received: (from perforce@localhost) by repoman.freebsd.org (8.12.11/8.12.11/Submit) id i6U20NKC065120 for perforce@freebsd.org; Fri, 30 Jul 2004 02:00:23 GMT (envelope-from wsalamon@computer.org) Date: Fri, 30 Jul 2004 02:00:23 GMT Message-Id: <200407300200.i6U20NKC065120@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to wsalamon@computer.org using -f 
From: Wayne Salamon
To: Perforce Change Reviews
Subject: PERFORCE change 58510 for review
X-BeenThere: p4-projects@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: p4 projects tree changes
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 30 Jul 2004 02:00:25 -0000

http://perforce.freebsd.org/chv.cgi?CH=58510

Change 58510 by wsalamon@wsalamon_epi on 2004/07/30 02:00:10

Fix up the audit daemon to run on FreeBSD; remove all references to Mach. The audit daemon needs to be completed once we decide on the kernel->auditd communication mechanism. However, this version of auditd can be used to populate the audit event -> audit class mapping within the kernel.

Affected files ...

.. //depot/projects/trustedbsd/audit3/contrib/audit_supt/auditd/Makefile#4 edit
.. //depot/projects/trustedbsd/audit3/contrib/audit_supt/auditd/audit_warn.c#2 edit
.. //depot/projects/trustedbsd/audit3/contrib/audit_supt/auditd/auditd.c#2 edit

Differences ...

==== //depot/projects/trustedbsd/audit3/contrib/audit_supt/auditd/Makefile#4 (text+ko) ====

@@ -2,11 +2,15 @@
 # Makefile for the audit command.
 #
-NAME = auditd
+CC = gcc
+CFILES = audit_warn.c auditd.c auditd.h
+CFLAGS = -g
-CFILES = auditd.c audit_warn.c auditd.h
-
-all: $(NAME)
+all: audit_warn auditd
+audit_warn: audit_warn.c
+	$(CC) -c audit_warn.c -o audit_warn
+auditd: auditd.c
+	$(CC) -lbsm auditd.c audit_warn.o -o auditd
 install-man-page:
 	install -d $(DSTROOT)/usr/share/man/man1

==== //depot/projects/trustedbsd/audit3/contrib/audit_supt/auditd/audit_warn.c#2 (text+ko) ====

@@ -26,7 +26,7 @@
 #include
 #include
-#include
+#include "auditd.h"
 /* Write to the audit log. */
 static int auditwarnlog(char *args[])

==== //depot/projects/trustedbsd/audit3/contrib/audit_supt/auditd/auditd.c#2 (text+ko) ====

@@ -22,16 +22,12 @@
  * @APPLE_LICENSE_HEADER_END@
  */
-#include
-#include
-#include
-#include
-#include
-
+#include
 #include
 #include
 #include
 #include
+#include
 #include
 #include
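Review bot: The new `audit_warn` rule writes its output to a file literally named `audit_warn` (`-c audit_warn.c -o audit_warn`), but the `auditd` link line references `audit_warn.o`, which nothing in this Makefile produces, so a clean `make` fails at link time unless a stale object happens to be lying around; `auditd` also does not list that object as a prerequisite, and neither rule uses the `CFLAGS` the hunk defines. Placing `-lbsm` before the objects that need it is fragile with static linking as well. A conventional object rule fixes all of these:
```makefile
all: auditd

audit_warn.o: audit_warn.c auditd.h
	$(CC) $(CFLAGS) -c audit_warn.c -o audit_warn.o

auditd: auditd.c audit_warn.o auditd.h
	$(CC) $(CFLAGS) auditd.c audit_warn.o -o auditd -lbsm

# … unchanged: install-man-page …
```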
@@ -43,15 +39,12 @@
 #include
 #include
 #include
-#include
 #include
 #include
 #include
-#include
-#include "auditd_control_server.h"
-#include "audit_triggers_server.h"
+#include "auditd.h"
 #define NA_EVENT_STR_SIZE 25
 static int ret, minval;
@@ -59,11 +52,6 @@
 static int allhardcount = 0;
-mach_port_t bp = MACH_PORT_NULL;
-mach_port_t control_port = MACH_PORT_NULL;
-mach_port_t signal_port = MACH_PORT_NULL;
-mach_port_t port_set = MACH_PORT_NULL;
-
 #ifndef __BSM_INTERNAL_NOTIFY_KEY
 #define __BSM_INTERNAL_NOTIFY_KEY "com.apple.audit.change"
 #endif /* __BSM_INTERNAL_NOTIFY_KEY */
@@ -201,7 +189,8 @@
 	if (open(fn, O_RDONLY | O_CREAT, S_IRUSR | S_IRGRP) < 0) {
 		perror("File open");
 	}
-	else if (auditctl(fn) != 0) {
+	/* else if (auditctl(fn) != 0) { */
+	else if (syscall(SYS_auditctl, fn) != 0) {
 		syslog(LOG_ERR, "auditctl failed! : %s\n",
 			strerror(errno));
 	}
@@ -228,7 +217,7 @@
  */
 int read_control_file()
 {
-	char cur_dir[MAX_DIR_SIZE];
+	char cur_dir[MAXNAMLEN];
 	struct dir_ent *dirent;
 	au_qctrl_t qctrl;
@@ -236,19 +225,16 @@
 	free_dir_q();
 	endac(); // force a re-read of the file the next time
-	/* Post that the audit config changed */
-	notify_post(__BSM_INTERNAL_NOTIFY_KEY);
-
 	/* Read the list of directories into a local linked list */
 	/* XXX We should use the reentrant interfaces once they are available */
-	while(getacdir(cur_dir, MAX_DIR_SIZE) >= 0) {
+	while(getacdir(cur_dir, MAXNAMLEN) >= 0) {
 		dirent = (struct dir_ent *) malloc (sizeof(struct dir_ent));
 		if(dirent == NULL) {
 			return -1;
 		}
 		dirent->softlim = 0;
-		dirent->dirname = (char *) malloc (MAX_DIR_SIZE);
+		dirent->dirname = (char *) malloc (MAXNAMLEN);
 		if(dirent->dirname == NULL) {
 			free(dirent);
 			return -1;
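Review bot: The raw `syscall(SYS_auditctl, fn)` call (and the matching `SYS_auditon` sites later in this change) bypasses the libbsm prototype, so the arguments are no longer type-checked, and the superseded `auditctl()` line is carried along as a comment at every site. If the FreeBSD libbsm does not yet provide the wrappers, one local `static int do_auditctl(const char *path) { return syscall(SYS_auditctl, path); }` (and a sibling for auditon) in auditd.h or at the top of auditd.c would keep the call sites readable and let the commented-out lines be deleted instead of carried forward. The `open(fn, O_RDONLY | O_CREAT, ...)` on the context line above also discards the descriptor it creates; that predates this change, but since the function is being reworked it is worth either closing it or dropping the open() in favour of letting auditctl create the trail — the function's start is outside the hunk.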
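Review bot: `MAXNAMLEN` (from `<sys/dirent.h>`, 255 on FreeBSD) bounds a single directory entry name, not a path, yet `cur_dir` now holds the full audit-directory paths read from audit_control via `getacdir(cur_dir, MAXNAMLEN)`, and `dirent->dirname` is allocated at the same size. A trail directory whose path is longer than that either makes getacdir fail or gets truncated, depending on how getacdir bounds its copy, and in either case a directory silently drops out of the rotation list — the `MAX_DIR_SIZE` being replaced here was presumably a path-sized constant. Use `MAXPATHLEN` (`<sys/param.h>`) for all three sites: `char cur_dir[MAXPATHLEN];`, `while(getacdir(cur_dir, MAXPATHLEN) >= 0) {`, `dirent->dirname = (char *) malloc (MAXPATHLEN);`. How dirname is filled and NUL-terminated is outside the hunk.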
@@ -279,13 +265,15 @@
 	syslog(LOG_INFO, "min free = %d\n", minval);
-	if (auditon(A_GETQCTRL, &qctrl, sizeof(qctrl)) != 0) {
+	/* if (auditon(A_GETQCTRL, &qctrl, sizeof(qctrl)) != 0) { */
+	if (syscall(SYS_auditon, A_GETQCTRL, &qctrl, sizeof(qctrl)) != 0) {
 		syslog(LOG_ERR, "could not get audit queue settings\n");
 		return -1;
 	}
 	qctrl.aq_minfree = minval;
-	if (auditon(A_SETQCTRL, &qctrl, sizeof(qctrl)) != 0) {
+	/* if (auditon(A_SETQCTRL, &qctrl, sizeof(qctrl)) != 0) { */
+	if (syscall(SYS_auditon, A_SETQCTRL, &qctrl, sizeof(qctrl)) != 0) {
 		syslog(LOG_ERR, "could not set audit queue settings\n");
 		return -1;
@@ -320,7 +308,8 @@
 	}
 	/* flush contents */
-	err_ret = auditctl(NULL);
+	/* err_ret = auditctl(NULL); */
+	err_ret = syscall(SYS_auditctl, NULL);
 	if (err_ret != 0) {
 		syslog(LOG_ERR, "auditctl failed! : %s\n",
 			strerror(errno));
@@ -352,14 +341,6 @@
 static void relay_signal(int signal)
 {
-	mach_msg_empty_send_t msg;
-
-	msg.header.msgh_id = signal;
-	msg.header.msgh_remote_port = signal_port;
-	msg.header.msgh_local_port = MACH_PORT_NULL;
-	msg.header.msgh_bits = MACH_MSGH_BITS(MACH_MSG_TYPE_MAKE_SEND, 0);
-	mach_msg(&(msg.header), MACH_SEND_MSG|MACH_SEND_TIMEOUT, sizeof(msg),
-		0, MACH_PORT_NULL, MACH_MSG_TIMEOUT_NONE, MACH_PORT_NULL);
 }
 /* registering the daemon */
@@ -404,9 +385,7 @@
 /*
  * React to input from the audit tool
  */
-kern_return_t auditd_control(auditd_port, flags)
-	mach_port_t auditd_port;
-	int flags;
+int auditd_control(int flags)
 {
 	int err_ret = 0;
@@ -434,9 +413,12 @@
 		break;
 	}
 
-	return KERN_SUCCESS;
+	return 0;
 }
-
+/*
+ * XXX This routine will eventually handle kernel messages to rotate the
+ * audit log, etc.
+ */
 /*
  * Suppress duplicate messages within a 30 second interval.
  * This should be enough to time to rotate log files without
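Review bot: `relay_signal()` is now an empty handler, so any signal it is still installed for (the installation is outside this hunk) is consumed and dropped; the Mach server deleted later in this change is where SIGTERM ran `close_all()` and SIGCHLD ran `reap_children()`, and nothing in the new code takes over those duties, so the trail is no longer closed on SIGTERM and exited children are not reaped. With the port reflection gone, the handler should at least record the signal in a flag the main path checks — `close_all()` and `syslog()` are not async-signal-safe, so they must not be called from the handler itself. Minimal form: `static volatile sig_atomic_t got_signal;` at file scope and `got_signal = signal;` as the handler body, tested after `setup()` returns or in the eventual event loop; renaming the parameter away from `signal` would also stop it shadowing signal(3).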
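Review bot: The added `XXX This routine will eventually handle kernel messages to rotate the audit log, etc.` block sits after `auditd_control()`'s closing brace and directly above the existing `Suppress duplicate messages` comment that introduces the next function, so a reader cannot tell which routine it describes. If it refers to audit_triggers(), fold it into that function's comment as a trailing `XXX` line; if it refers to auditd_control(), move it into the `React to input from the audit tool` header above that function.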
@@ -444,19 +426,15 @@
  * actually rotated.
  */
 #define DUPLICATE_INTERVAL 30
-/*
- * Implementation of the audit_triggers() MIG routine.
- */
-kern_return_t audit_triggers(audit_port, flags)
-	mach_port_t audit_port;
-	int flags;
+int audit_triggers(int flags)
 {
 	static int last_flags;
 	static time_t last_time;
 	struct dir_ent *dirent;
 	/*
-	 * Suppres duplicate messages from the kernel within the specified interval
+	 * Suppres duplicate messages from the kernel within the specified
+	 * interval.
 	 */
 	struct timeval ts;
 	struct timezone tzp;
@@ -465,7 +443,7 @@
 	if(gettimeofday(&ts, &tzp) == 0) {
 		tt = (time_t)ts.tv_sec;
 		if ((flags == last_flags) && (tt < (last_time + DUPLICATE_INTERVAL))) {
-			return KERN_SUCCESS;
+			return 0;
 		}
 		last_flags = flags;
 		last_time = tt;
@@ -524,7 +502,7 @@
 			audit_warn_allhard(++allhardcount);
 		}
 	}
-	return KERN_SUCCESS;
+	return 0;
 }
 /*
@@ -550,49 +528,6 @@
 }
 /*
- * Handle an RPC call
- */
-boolean_t auditd_combined_server(
-	mach_msg_header_t *InHeadP,
-	mach_msg_header_t *OutHeadP)
-{
-	mach_port_t local_port = InHeadP->msgh_local_port;
-
-	if (local_port == signal_port) {
-		int signo = InHeadP->msgh_id;
-		int ret;
-
-		if (SIGTERM == signo) {
-			ret = close_all();
-			exit (ret);
-		} else if (SIGCHLD == signo) {
-			reap_children();
-			return TRUE;
-		} else {
-			syslog(LOG_INFO, "Recevied signal %d.\n", signo);
-			return TRUE;
-		}
-	} else if (local_port == control_port) {
-		boolean_t result;
-
-		result = audit_triggers_server(InHeadP, OutHeadP);
-		if (!result)
-			result = auditd_control_server(InHeadP, OutHeadP);
-		return result;
-	}
-	syslog(LOG_INFO, "Recevied msg on bad port 0x%x.\n", local_port);
-	return FALSE;
-}
-
-void wait_on_audit_trigger(port_set)
-	mach_port_t port_set;
-{
-	kern_return_t result;
-	result = mach_msg_server(auditd_combined_server, 4096, port_set, MACH_MSG_OPTION_NONE);
-	syslog(LOG_ERR, "abnormal exit\n");
-}
-
-/*
  * Configure the audit controls in the kernel: the event to class mapping,
  * kernel preselection mask, etc.
  */
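Review bot: The comment reflowed on the new side still carries the typo `Suppres`; since the line is being rewritten anyway, `* Suppress duplicate messages from the kernel within the specified` fixes it at no cost. In the same declaration block `struct timezone tzp` exists only to be handed to gettimeofday(); the documented form is `gettimeofday(&ts, NULL)`, which lets that declaration go. audit_triggers() continues past the end of the hunk.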
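Review bot: The 30-second duplicate-suppression window in `if ((flags == last_flags) && (tt < (last_time + DUPLICATE_INTERVAL)))` is keyed on wall-clock seconds from gettimeofday(), so a clock step (ntpdate, settimeofday) can either defeat the suppression or extend it indefinitely until the clock catches up — for a daemon whose job is to react to kernel "trail full" triggers, the latter means warnings are swallowed. `clock_gettime(CLOCK_MONOTONIC, &tsp)` with a `struct timespec` would make the comparison immune to clock changes; I cannot confirm from this listing which headers the file includes, as the include names were lost in extraction. The comparison itself is unchanged by this commit and only its return value is touched here.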
@@ -616,7 +551,8 @@
 	while((ev = getauevent()) != NULL) {
 		evc_map.ec_number = ev->ae_number;
 		evc_map.ec_class = ev->ae_class;
-		if (auditon(A_SETCLASS, &evc_map, sizeof(au_evclass_map_t)) != 0) {
+		/* if (auditon(A_SETCLASS, &evc_map, sizeof(au_evclass_map_t)) != 0) { */
+		if (syscall(SYS_auditon,A_SETCLASS, &evc_map, sizeof(au_evclass_map_t)) != 0) {
 			syslog(LOG_ERR,
 				"Failed to register class mapping for event %s",
 				ev->ae_name);
@@ -639,7 +575,8 @@
 	if ((getacna(naeventstr, NA_EVENT_STR_SIZE) == 0) && ( getauditflagsbin(naeventstr, &aumask) == 0)) {
-		if (auditon(A_SETKMASK, &aumask, sizeof(au_mask_t))){
+		/* if (auditon(A_SETKMASK, &aumask, sizeof(au_mask_t))){ */
+		if (syscall(SYS_auditon,A_SETKMASK, &aumask, sizeof(au_mask_t))){
 			syslog(LOG_ERR, "Failed to register non-attributable event mask.");
 		} else {
@@ -653,7 +590,8 @@
 	/*
 	 * Set the audit policy flags based on passed in parameter values.
 	 */
-	if (auditon(A_SETPOLICY, &flags, sizeof(flags))) {
+	/* if (auditon(A_SETPOLICY, &flags, sizeof(flags))) { */
+	if (syscall(SYS_auditon,A_SETPOLICY, &flags, sizeof(flags))) {
 		syslog(LOG_ERR, "Failed to set audit policy.");
 	}
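Review bot: A failed `A_SETCLASS` for one event is only logged and, as far as the visible lines show, the `while((ev = getauevent()) != NULL)` loop moves on to the next event, so auditd can finish its stated job — populating the kernel event→class map — with holes in the map and nothing but a syslog line to show for it; an event the kernel has no class for is never selected for auditing. Consider counting failures (`int nfail = 0;` before the loop, `nfail++;` in the error branch) and logging a summary or returning non-zero from this function once the loop ends so the caller can refuse to proceed; the loop's end and the function's return are outside the hunk. Style nit on all three new call lines: a space after the comma in `syscall(SYS_auditon, A_SETCLASS, ...)` to match the `SYS_auditon, A_GETQCTRL` sites earlier in this change.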
@@ -663,55 +601,11 @@
 void setup(long flags)
 {
-	mach_msg_type_name_t poly;
 	int aufd;
 	token_t *tok;
-	/* Allocate a port set */
-	if (mach_port_allocate(mach_task_self(),
-		MACH_PORT_RIGHT_PORT_SET,
-		&port_set) != KERN_SUCCESS) {
-		syslog(LOG_ERR, "allocation of port set failed\n");
-		fail_exit();
-	}
-
-	/* Allocate a signal reflection port */
-	if (mach_port_allocate(mach_task_self(),
-		MACH_PORT_RIGHT_RECEIVE,
-		&signal_port) != KERN_SUCCESS ||
-		mach_port_move_member(mach_task_self(),
-		signal_port,
-		port_set) != KERN_SUCCESS) {
-		syslog(LOG_ERR, "allocation of signal port failed\n");
-		fail_exit();
-	}
-
-	/* Allocate a trigger port */
-	if (mach_port_allocate(mach_task_self(),
-		MACH_PORT_RIGHT_RECEIVE,
-		&control_port) != KERN_SUCCESS ||
-		mach_port_move_member(mach_task_self(),
-		control_port,
-		port_set) != KERN_SUCCESS) {
-		syslog(LOG_ERR, "allocation of trigger port failed\n");
-		fail_exit();
-	}
-
-	/* create a send right on our trigger port */
-	mach_port_extract_right(mach_task_self(), control_port,
-		MACH_MSG_TYPE_MAKE_SEND, &control_port, &poly);
-
 	TAILQ_INIT(&dir_q);
-	/* register the trigger port with the kernel */
-	if(host_set_audit_control_port(mach_host_self(), control_port) != KERN_SUCCESS) {
-		syslog(LOG_ERR, "Cannot set Mach control port\n");
-		fail_exit();
-	}
-	else {
-		syslog(LOG_ERR, "Mach control port registered\n");
-	}
-
 	if(read_control_file() == -1) {
 		syslog(LOG_ERR, "Error reading control file\n");
 		fail_exit();
@@ -765,7 +659,7 @@
 		case '?':
 		default:
 			(void)fprintf(stderr,
-				"usage: auditd [-h | -s]\n");
+				"usage: auditd [-h | -s] [-d] \n");
 			exit(1);
 		}
 	}
@@ -784,7 +678,6 @@
 	}
 	setup(flags);
-	wait_on_audit_trigger(port_set);
 	syslog(LOG_INFO, "exiting.\n");
 	exit(1);
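Review bot: With `wait_on_audit_trigger()` removed, `main()` falls straight from `setup(flags)` into `syslog(LOG_INFO, "exiting.\n"); exit(1);`, so the successful configure-the-kernel run this change is meant to provide still reports failure to whoever launched it (rc scripts, a Makefile target, anyone checking `$?`). On that path the status should be `exit(0);`, with non-zero left to `fail_exit()` and the error branches, and the log line could say why the process is leaving, e.g. `syslog(LOG_INFO, "kernel audit configuration loaded; exiting.\n");`. Whether setup() has opened an audit trail via auditctl that this immediate exit now abandons without a daemon to rotate it is worth a comment at this spot — setup()'s body is outside the hunk.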