Date: Sun, 19 Mar 2006 17:11:37 GMT From: Robert Watson <rwatson@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 93581 for review Message-ID: <200603191711.k2JHBb3p016390@repoman.freebsd.org>
next in thread | raw e-mail | index | archive | help
http://perforce.freebsd.org/chv.cgi?CH=93581 Change 93581 by rwatson@rwatson_peppercorn on 2006/03/19 17:10:38 Mega-style patch. Affected files ... .. //depot/projects/trustedbsd/audit3/sys/security/audit/audit.c#23 edit .. //depot/projects/trustedbsd/audit3/sys/security/audit/audit.h#14 edit .. //depot/projects/trustedbsd/audit3/sys/security/audit/audit_arg.c#15 edit .. //depot/projects/trustedbsd/audit3/sys/security/audit/audit_bsm.c#11 edit .. //depot/projects/trustedbsd/audit3/sys/security/audit/audit_bsm_klib.c#5 edit .. //depot/projects/trustedbsd/audit3/sys/security/audit/audit_ioctl.h#4 edit .. //depot/projects/trustedbsd/audit3/sys/security/audit/audit_private.h#23 edit .. //depot/projects/trustedbsd/audit3/sys/security/audit/audit_syscalls.c#12 edit .. //depot/projects/trustedbsd/audit3/sys/security/audit/audit_worker.c#3 edit Differences ... ==== //depot/projects/trustedbsd/audit3/sys/security/audit/audit.c#23 (text+ko) ==== @@ -76,43 +76,43 @@ MALLOC_DEFINE(M_AUDITTEXT, "audit_text", "Audit text storage"); /* - * Audit control settings that are set/read by system calls and are + * Audit control settings that are set/read by system calls and are * hence non-static. */ -/* +/* * Define the audit control flags. */ -int audit_enabled; -int audit_suspended; +int audit_enabled; +int audit_suspended; /* * Flags controlling behavior in low storage situations. * Should we panic if a write fails? Should we fail stop * if we're out of disk space? */ -int audit_panic_on_write_fail; -int audit_fail_stop; +int audit_panic_on_write_fail; +int audit_fail_stop; /* * Are we currently "failing stop" due to out of disk space? */ -int audit_in_failure; +int audit_in_failure; /* - * Global audit statistiscs. + * Global audit statistiscs. */ -struct audit_fstat audit_fstat; +struct audit_fstat audit_fstat; /* * Preselection mask for non-attributable events. */ -struct au_mask audit_nae_mask; +struct au_mask audit_nae_mask; /* * Mutex to protect global variables shared between various threads and * processes. */ -struct mtx audit_mtx; +struct mtx audit_mtx; /* * Queue of audit records ready for delivery to disk. We insert new @@ -122,21 +122,21 @@ * not yet in the queue, which is needed to estimate the total * size of the combined set of records outstanding in the system. */ -struct kaudit_queue audit_q; -int audit_q_len; -int audit_pre_q_len; +struct kaudit_queue audit_q; +int audit_q_len; +int audit_pre_q_len; /* * Audit queue control settings (minimum free, low/high water marks, etc.) */ -struct au_qctrl audit_qctrl; +struct au_qctrl audit_qctrl; /* * Condition variable to signal to the worker that it has work to do: * either new records are in the queue, or a log replacement is taking * place. */ -struct cv audit_cv; +struct cv audit_cv; /* * Condition variable to signal to the worker that it has work to do: @@ -145,14 +145,14 @@ * * XXXRW: This description is incorrect. */ -struct cv audit_commit_cv; +struct cv audit_commit_cv; -/* - * Condition variable for auditing threads wait on when in fail-stop mode. - * Threads wait on this CV forever (and ever), never seeing the light of +/* + * Condition variable for auditing threads wait on when in fail-stop mode. + * Threads wait on this CV forever (and ever), never seeing the light of * day again. */ -static struct cv audit_fail_cv; +static struct cv audit_fail_cv; /* * Construct an audit record for the passed thread. @@ -228,7 +228,7 @@ audit_in_failure = 0; audit_fstat.af_filesz = 0; /* '0' means unset, unbounded */ - audit_fstat.af_currsz = 0; + audit_fstat.af_currsz = 0; audit_nae_mask.am_success = AU_NULL; audit_nae_mask.am_failure = AU_NULL; @@ -353,7 +353,7 @@ aumask = &audit_nae_mask; else aumask = &ar->k_ar.ar_subj_amask; - + if (error) sorf = AU_PRS_FAILURE; else @@ -363,7 +363,7 @@ case AUE_OPEN_RWTC: /* The open syscall always writes a AUE_OPEN_RWTC event; change - * it to the proper type of event based on the flags and the + * it to the proper type of event based on the flags and the * error value. */ ar->k_ar.ar_event = flags_and_error_to_openevent( @@ -421,7 +421,7 @@ uma_zfree(audit_record_zone, ar); return; } - + /* * Constrain the number of committed audit records based on * the configurable parameter. @@ -480,9 +480,9 @@ aumask = &audit_nae_mask; else aumask = &td->td_proc->p_au->ai_mask; - + /* - * Allocate an audit record, if preselection allows it, and store + * Allocate an audit record, if preselection allows it, and store * in the thread for later use. */ if (au_preselect(audit_event, aumask, @@ -533,7 +533,7 @@ audit_commit(td->td_ar, error, retval); if (td->td_ar != NULL) - AUDIT_PRINTF(("audit record committed by pid %d\n", + AUDIT_PRINTF(("audit record committed by pid %d\n", td->td_proc->p_pid)); td->td_ar = NULL; @@ -573,11 +573,11 @@ KASSERT(td->td_ar == NULL, ("audit_thread_free: td_ar != NULL")); } -/* - * Initialize the audit information for the a process, presumably the first +/* + * Initialize the audit information for the a process, presumably the first * process in the system. - * XXX It is not clear what the initial values should be for audit ID, - * session ID, etc. + * XXX It is not clear what the initial values should be for audit ID, + * session ID, etc. */ void audit_proc_kproc0(struct proc *p) @@ -600,7 +600,7 @@ p->p_au->ai_auid = AU_DEFAUDITID; } -/* +/* * Copy the audit info from the parent process to the child process when * a fork takes place. */ @@ -626,7 +626,7 @@ } /* - * Free the auditing structure for the process. + * Free the auditing structure for the process. */ void audit_proc_free(struct proc *p) ==== //depot/projects/trustedbsd/audit3/sys/security/audit/audit.h#14 (text+ko) ==== @@ -76,7 +76,7 @@ #define ARG_AUID 0x0000000000000100ULL #define ARG_GID 0x0000000000000200ULL #define ARG_FD 0x0000000000000400ULL -#define ARG_POSIX_IPC_PERM 0x0000000000000800ULL +#define ARG_POSIX_IPC_PERM 0x0000000000000800ULL #define ARG_FFLAGS 0x0000000000001000ULL #define ARG_MODE 0x0000000000002000ULL #define ARG_DEV 0x0000000000004000ULL @@ -116,76 +116,67 @@ #define ARG_NONE 0x0000000000000000ULL #define ARG_ALL 0xFFFFFFFFFFFFFFFFULL -void audit_syscall_enter(unsigned short code, - struct thread *td); -void audit_syscall_exit(int error, struct thread *td); +void audit_syscall_enter(unsigned short code, struct thread *td); +void audit_syscall_exit(int error, struct thread *td); /* * The remaining kernel functions are conditionally compiled in as they - * are wrapped by a macro, and the macro should be the only place in + * are wrapped by a macro, and the macro should be the only place in * the source tree where these functions are referenced. */ #ifdef AUDIT struct ipc_perm; struct sockaddr; union auditon_udata; -void audit_arg_addr(void * addr); -void audit_arg_exit(int status, int retval); -void audit_arg_len(int len); -void audit_arg_fd(int fd); -void audit_arg_fflags(int fflags); -void audit_arg_gid(gid_t gid); -void audit_arg_uid(uid_t uid); -void audit_arg_egid(gid_t egid); -void audit_arg_euid(uid_t euid); -void audit_arg_rgid(gid_t rgid); -void audit_arg_ruid(uid_t ruid); -void audit_arg_sgid(gid_t sgid); -void audit_arg_suid(uid_t suid); -void audit_arg_groupset(gid_t *gidset, u_int gidset_size); -void audit_arg_login(char *login); -void audit_arg_ctlname(int *name, int namelen); -void audit_arg_mask(int mask); -void audit_arg_mode(mode_t mode); -void audit_arg_dev(int dev); -void audit_arg_value(long value); -void audit_arg_owner(uid_t uid, gid_t gid); -void audit_arg_pid(pid_t pid); -void audit_arg_process(struct proc *p); -void audit_arg_signum(u_int signum); -void audit_arg_socket(int sodomain, int sotype, - int soprotocol); -void audit_arg_sockaddr(struct thread *td, - struct sockaddr *so); -void audit_arg_auid(uid_t auid); -void audit_arg_auditinfo(struct auditinfo *au_info); -void audit_arg_upath(struct thread *td, char *upath, - u_int64_t flags); -void audit_arg_vnode(struct vnode *vp, u_int64_t flags); -void audit_arg_text(char *text); -void audit_arg_iovec(struct iovec *iov, - unsigned int iovcnt); -void audit_arg_cmd(int cmd); -void audit_arg_svipc_cmd(int cmd); -void audit_arg_svipc_perm(struct ipc_perm *perm); -void audit_arg_svipc_id(int id); -void audit_arg_svipc_addr(void *addr); -void audit_arg_posix_ipc_perm(uid_t uid, gid_t gid, - mode_t mode); -void audit_arg_auditon(union auditon_udata *udata); -void audit_arg_file(struct proc *p, struct file *fp); - -void audit_sysclose(struct thread *td, int fd); +void audit_arg_addr(void * addr); +void audit_arg_exit(int status, int retval); +void audit_arg_len(int len); +void audit_arg_fd(int fd); +void audit_arg_fflags(int fflags); +void audit_arg_gid(gid_t gid); +void audit_arg_uid(uid_t uid); +void audit_arg_egid(gid_t egid); +void audit_arg_euid(uid_t euid); +void audit_arg_rgid(gid_t rgid); +void audit_arg_ruid(uid_t ruid); +void audit_arg_sgid(gid_t sgid); +void audit_arg_suid(uid_t suid); +void audit_arg_groupset(gid_t *gidset, u_int gidset_size); +void audit_arg_login(char *login); +void audit_arg_ctlname(int *name, int namelen); +void audit_arg_mask(int mask); +void audit_arg_mode(mode_t mode); +void audit_arg_dev(int dev); +void audit_arg_value(long value); +void audit_arg_owner(uid_t uid, gid_t gid); +void audit_arg_pid(pid_t pid); +void audit_arg_process(struct proc *p); +void audit_arg_signum(u_int signum); +void audit_arg_socket(int sodomain, int sotype, int soprotocol); +void audit_arg_sockaddr(struct thread *td, struct sockaddr *so); +void audit_arg_auid(uid_t auid); +void audit_arg_auditinfo(struct auditinfo *au_info); +void audit_arg_upath(struct thread *td, char *upath, u_int64_t flags); +void audit_arg_vnode(struct vnode *vp, u_int64_t flags); +void audit_arg_text(char *text); +void audit_arg_iovec(struct iovec *iov, unsigned int iovcnt); +void audit_arg_cmd(int cmd); +void audit_arg_svipc_cmd(int cmd); +void audit_arg_svipc_perm(struct ipc_perm *perm); +void audit_arg_svipc_id(int id); +void audit_arg_svipc_addr(void *addr); +void audit_arg_posix_ipc_perm(uid_t uid, gid_t gid, mode_t mode); +void audit_arg_auditon(union auditon_udata *udata); +void audit_arg_file(struct proc *p, struct file *fp); +void audit_sysclose(struct thread *td, int fd); +void audit_proc_alloc(struct proc *p); +void audit_proc_kproc0(struct proc *p); +void audit_proc_init(struct proc *p); +void audit_proc_fork(struct proc *parent, struct proc *child); +void audit_proc_free(struct proc *p); +void audit_thread_alloc(struct thread *td); +void audit_thread_free(struct thread *td); -void audit_proc_alloc(struct proc *p); -void audit_proc_kproc0(struct proc *p); -void audit_proc_init(struct proc *p); -void audit_proc_fork(struct proc *parent, - struct proc *child); -void audit_proc_free(struct proc *p); -void audit_thread_alloc(struct thread *td); -void audit_thread_free(struct thread *td); - /* * Define a macro to wrap the audit_arg_* calls by checking the global * audit_enabled flag before performing the actual call. @@ -193,23 +184,23 @@ #define AUDIT_ARG(op, args...) do { \ if (audit_enabled) \ audit_arg_ ## op (args); \ - } while (0) +} while (0) #define AUDIT_SYSCALL_ENTER(code, td) do { \ if (audit_enabled) { \ audit_syscall_enter(code, td); \ } \ - } while (0) +} while (0) /* * Wrap the audit_syscall_exit() function so that it is called only when - * auditing is enabled, or we have a audit record on the thread. It is + * auditing is enabled, or we have a audit record on the thread. It is * possible that an audit record was begun before auditing was turned off. */ #define AUDIT_SYSCALL_EXIT(error, td) do { \ if (audit_enabled | (td->td_ar != NULL)) \ audit_syscall_exit(error, td); \ - } while (0) +} while (0) /* * A Macro to wrap the audit_sysclose() function. @@ -217,26 +208,25 @@ #define AUDIT_SYSCLOSE(td, fd) do { \ if (audit_enabled) \ audit_sysclose(td, fd); \ - } while (0) +} while (0) #else /* !AUDIT */ -void audit_proc_init(struct proc *p); -void audit_proc_fork(struct proc *parent, - struct proc *child); -void audit_proc_free(struct proc *p); +void audit_proc_init(struct proc *p); +void audit_proc_fork(struct proc *parent, struct proc *child); +void audit_proc_free(struct proc *p); #define AUDIT_ARG(op, args...) do { \ - } while (0) +} while (0) #define AUDIT_SYSCALL_ENTER(code, td) do { \ - } while (0) +} while (0) #define AUDIT_SYSCALL_EXIT(error, td) do { \ - } while (0) +} while (0) #define AUDIT_SYSCLOSE(p, fd) do { \ - } while (0) +} while (0) #endif /* AUDIT */ ==== //depot/projects/trustedbsd/audit3/sys/security/audit/audit_arg.c#15 (text+ko) ==== @@ -393,7 +393,7 @@ audit_arg_socket(int sodomain, int sotype, int soprotocol) { struct kaudit_record *ar; - + ar = currecord(); if (ar == NULL) return; @@ -428,7 +428,7 @@ break; case AF_UNIX: - audit_arg_upath(td, ((struct sockaddr_un *)so)->sun_path, + audit_arg_upath(td, ((struct sockaddr_un *)so)->sun_path, ARG_UPATH1); ARG_SET_VALID(ar, ARG_SADDRUNIX); break; @@ -482,7 +482,7 @@ /* Invalidate the text string */ ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_TEXT); if (text == NULL) - return; + return; if (ar->k_ar.ar_arg_text == NULL) ar->k_ar.ar_arg_text = malloc(MAXPATHLEN, M_AUDITTEXT, @@ -513,13 +513,11 @@ for (i = 0; i < iovcnt; i++) { if (!is_auditable_string(iov[i].iov_base, iov[i].iov_len)) continue; - if (first) { - ret = sbuf_printf(&sb, "%s", (char *)iov[i].iov_base); + ret = sbuf_printf(&sb, "%s", (char *)iov[i].iov_base); first = 0; - } else { + } else ret = sbuf_printf(&sb, ":%s", (char *)iov[i].iov_base); - } if (ret != 0) break; } @@ -564,8 +562,8 @@ if (ar == NULL) return; - bcopy(perm, &ar->k_ar.ar_arg_svipc_perm, - sizeof(ar->k_ar.ar_arg_svipc_perm)); + bcopy(perm, &ar->k_ar.ar_arg_svipc_perm, + sizeof(ar->k_ar.ar_arg_svipc_perm)); ARG_SET_VALID(ar, ARG_SVIPC_PERM); } @@ -619,8 +617,8 @@ if (ar == NULL) return; - bcopy((void *)udata, &ar->k_ar.ar_arg_auditon, - sizeof(ar->k_ar.ar_arg_auditon)); + bcopy((void *)udata, &ar->k_ar.ar_arg_auditon, + sizeof(ar->k_ar.ar_arg_auditon)); ARG_SET_VALID(ar, ARG_AUDITON); } @@ -667,20 +665,20 @@ if (so->so_pcb == NULL) return; ar->k_ar.ar_arg_sockinfo.so_type = - so->so_type; + so->so_type; ar->k_ar.ar_arg_sockinfo.so_domain = - INP_SOCKAF(so); + INP_SOCKAF(so); ar->k_ar.ar_arg_sockinfo.so_protocol = - so->so_proto->pr_protocol; + so->so_proto->pr_protocol; pcb = (struct inpcb *)so->so_pcb; ar->k_ar.ar_arg_sockinfo.so_raddr = - pcb->inp_faddr.s_addr; + pcb->inp_faddr.s_addr; ar->k_ar.ar_arg_sockinfo.so_laddr = - pcb->inp_laddr.s_addr; + pcb->inp_laddr.s_addr; ar->k_ar.ar_arg_sockinfo.so_rport = - pcb->inp_fport; + pcb->inp_fport; ar->k_ar.ar_arg_sockinfo.so_lport = - pcb->inp_lport; + pcb->inp_lport; ARG_SET_VALID(ar, ARG_SOCKINFO); } break; @@ -692,11 +690,11 @@ } -/* - * Store a path as given by the user process for auditing into the audit - * record stored on the user thread. This function will allocate the memory to - * store the path info if not already available. This memory will be - * freed when the audit record is freed. +/* + * Store a path as given by the user process for auditing into the audit + * record stored on the user thread. This function will allocate the memory + * to store the path info if not already available. This memory will be freed + * when the audit record is freed. * * XXXAUDIT: Possibly assert that the memory isn't already allocated? */ @@ -706,7 +704,7 @@ struct kaudit_record *ar; char **pathp; - if (td == NULL || upath == NULL) + if (td == NULL || upath == NULL) return; /* nothing to do! */ /* @@ -735,8 +733,8 @@ } /* - * Function to save the path and vnode attr information into the audit - * record. + * Function to save the path and vnode attr information into the audit + * record. * * It is assumed that the caller will hold any vnode locks necessary to * perform a VOP_GETATTR() on the passed vnode. @@ -773,7 +771,7 @@ ASSERT_VOP_LOCKED(vp, "audit_arg_vnode"); ar = currecord(); - if (ar == NULL) /* This will be the case for unaudited system calls */ + if (ar == NULL) return; /* @@ -816,9 +814,9 @@ } /* - * The close() system call uses it's own audit call to capture the - * path/vnode information because those pieces are not easily obtained - * within the system call itself. + * The close() system call uses it's own audit call to capture the path/vnode + * information because those pieces are not easily obtained within the system + * call itself. */ void audit_sysclose(struct thread *td, int fd) @@ -839,4 +837,4 @@ VOP_UNLOCK(vp, 0, td); VFS_UNLOCK_GIANT(vfslocked); fdrop(fp, td); -} +} ==== //depot/projects/trustedbsd/audit3/sys/security/audit/audit_bsm.c#11 (text+ko) ==== @@ -54,7 +54,7 @@ MALLOC_DEFINE(M_AUDITBSM, "audit_bsm", "Audit BSM data"); -/* +/* * Forward declares. */ static void audit_sys_auditon(struct audit_record *ar, @@ -72,18 +72,16 @@ } /* - * This call reserves memory for the audit record. - * Memory must be guaranteed before any auditable event can be - * generated. - * The au_record structure maintains a reference to the - * memory allocated above and also the list of tokens associated - * with this record - */ -static struct au_record * + * This call reserves memory for the audit record. Memory must be guaranteed + * before any auditable event can be generated. The au_record structure + * maintains a reference to the memory allocated above and also the list of + * tokens associated with this record + */ +static struct au_record * kau_open(void) -{ +{ struct au_record *rec; - + rec = malloc(sizeof(*rec), M_AUDITBSM, M_WAITOK); rec->data = malloc(MAX_AUDIT_RECORD_SIZE * sizeof(u_char), M_AUDITBSM, M_WAITOK | M_ZERO); @@ -96,7 +94,7 @@ /* * Store the token with the record descriptor. - */ + */ static void kau_write(struct au_record *rec, struct au_token *tok) { @@ -118,7 +116,7 @@ size_t tot_rec_size; token_t *cur, *hdr, *trail; struct timeval tm; - + tot_rec_size = rec->len + BSM_HEADER_SIZE + BSM_TRAILER_SIZE; if (tot_rec_size <= MAX_AUDIT_RECORD_SIZE) { /* Create the header token */ @@ -131,34 +129,33 @@ TAILQ_INSERT_TAIL(&rec->token_q, trail, tokens); /* Serialize token data to the record. */ - rec->len = tot_rec_size; dptr = rec->data; TAILQ_FOREACH(cur, &rec->token_q, tokens) { - memcpy(dptr, cur->t_data, cur->len); + memcpy(dptr, cur->t_data, cur->len); dptr += cur->len; } } } /* - * Free a BSM audit record by releasing all the tokens and clearing the - * audit record information. + * Free a BSM audit record by releasing all the tokens and clearing the audit + * record information. */ void kau_free(struct au_record *rec) { struct au_token *tok; - /* Free the token list */ + /* Free the token list. */ while ((tok = TAILQ_FIRST(&rec->token_q))) { TAILQ_REMOVE(&rec->token_q, tok, tokens); free(tok->t_data, M_AUDITBSM); free(tok, M_AUDITBSM); - } + } rec->used = 0; - rec->len = 0; + rec->len = 0; free(rec->data, M_AUDITBSM); free(rec, M_AUDITBSM); } @@ -218,7 +215,8 @@ kau_write(rec, tok); \ } else { \ if (ARG_IS_VALID(kar, ARG_FD)) { \ - tok = au_to_arg32(1, "non-file: fd", ar->ar_arg_fd);\ + tok = au_to_arg32(1, "non-file: fd", \ + ar->ar_arg_fd); \ kau_write(rec, tok); \ } \ } \ @@ -250,92 +248,92 @@ struct au_token *tok; switch (ar->ar_arg_cmd) { - case A_SETPOLICY: + case A_SETPOLICY: if (sizeof(ar->ar_arg_auditon.au_flags) > 4) - tok = au_to_arg64(1, "policy", - ar->ar_arg_auditon.au_flags); + tok = au_to_arg64(1, "policy", + ar->ar_arg_auditon.au_flags); else - tok = au_to_arg32(1, "policy", - ar->ar_arg_auditon.au_flags); + tok = au_to_arg32(1, "policy", + ar->ar_arg_auditon.au_flags); kau_write(rec, tok); break; - case A_SETKMASK: - tok = au_to_arg32(2, "setkmask:as_success", - ar->ar_arg_auditon.au_mask.am_success); + case A_SETKMASK: + tok = au_to_arg32(2, "setkmask:as_success", + ar->ar_arg_auditon.au_mask.am_success); kau_write(rec, tok); - tok = au_to_arg32(2, "setkmask:as_failure", - ar->ar_arg_auditon.au_mask.am_failure); + tok = au_to_arg32(2, "setkmask:as_failure", + ar->ar_arg_auditon.au_mask.am_failure); kau_write(rec, tok); break; - case A_SETQCTRL: - tok = au_to_arg32(3, "setqctrl:aq_hiwater", - ar->ar_arg_auditon.au_qctrl.aq_hiwater); + case A_SETQCTRL: + tok = au_to_arg32(3, "setqctrl:aq_hiwater", + ar->ar_arg_auditon.au_qctrl.aq_hiwater); kau_write(rec, tok); - tok = au_to_arg32(3, "setqctrl:aq_lowater", - ar->ar_arg_auditon.au_qctrl.aq_lowater); + tok = au_to_arg32(3, "setqctrl:aq_lowater", + ar->ar_arg_auditon.au_qctrl.aq_lowater); kau_write(rec, tok); - tok = au_to_arg32(3, "setqctrl:aq_bufsz", - ar->ar_arg_auditon.au_qctrl.aq_bufsz); + tok = au_to_arg32(3, "setqctrl:aq_bufsz", + ar->ar_arg_auditon.au_qctrl.aq_bufsz); kau_write(rec, tok); - tok = au_to_arg32(3, "setqctrl:aq_delay", - ar->ar_arg_auditon.au_qctrl.aq_delay); + tok = au_to_arg32(3, "setqctrl:aq_delay", + ar->ar_arg_auditon.au_qctrl.aq_delay); kau_write(rec, tok); - tok = au_to_arg32(3, "setqctrl:aq_minfree", - ar->ar_arg_auditon.au_qctrl.aq_minfree); + tok = au_to_arg32(3, "setqctrl:aq_minfree", + ar->ar_arg_auditon.au_qctrl.aq_minfree); kau_write(rec, tok); break; - case A_SETUMASK: - tok = au_to_arg32(3, "setumask:as_success", - ar->ar_arg_auditon.au_auinfo.ai_mask.am_success); + case A_SETUMASK: + tok = au_to_arg32(3, "setumask:as_success", + ar->ar_arg_auditon.au_auinfo.ai_mask.am_success); kau_write(rec, tok); - tok = au_to_arg32(3, "setumask:as_failure", - ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure); + tok = au_to_arg32(3, "setumask:as_failure", + ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure); kau_write(rec, tok); break; - case A_SETSMASK: - tok = au_to_arg32(3, "setsmask:as_success", - ar->ar_arg_auditon.au_auinfo.ai_mask.am_success); + case A_SETSMASK: + tok = au_to_arg32(3, "setsmask:as_success", + ar->ar_arg_auditon.au_auinfo.ai_mask.am_success); kau_write(rec, tok); - tok = au_to_arg32(3, "setsmask:as_failure", - ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure); + tok = au_to_arg32(3, "setsmask:as_failure", + ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure); kau_write(rec, tok); break; - case A_SETCOND: + case A_SETCOND: if (sizeof(ar->ar_arg_auditon.au_cond) > 4) - tok = au_to_arg64(3, "setcond", - ar->ar_arg_auditon.au_cond); + tok = au_to_arg64(3, "setcond", + ar->ar_arg_auditon.au_cond); else - tok = au_to_arg32(3, "setcond", - ar->ar_arg_auditon.au_cond); + tok = au_to_arg32(3, "setcond", + ar->ar_arg_auditon.au_cond); kau_write(rec, tok); break; - case A_SETCLASS: + case A_SETCLASS: tok = au_to_arg32(2, "setclass:ec_event", - ar->ar_arg_auditon.au_evclass.ec_number); + ar->ar_arg_auditon.au_evclass.ec_number); kau_write(rec, tok); tok = au_to_arg32(3, "setclass:ec_class", - ar->ar_arg_auditon.au_evclass.ec_class); + ar->ar_arg_auditon.au_evclass.ec_class); kau_write(rec, tok); break; - case A_SETPMASK: - tok = au_to_arg32(2, "setpmask:as_success", - ar->ar_arg_auditon.au_aupinfo.ap_mask.am_success); + case A_SETPMASK: + tok = au_to_arg32(2, "setpmask:as_success", + ar->ar_arg_auditon.au_aupinfo.ap_mask.am_success); kau_write(rec, tok); - tok = au_to_arg32(2, "setpmask:as_failure", - ar->ar_arg_auditon.au_aupinfo.ap_mask.am_failure); + tok = au_to_arg32(2, "setpmask:as_failure", + ar->ar_arg_auditon.au_aupinfo.ap_mask.am_failure); kau_write(rec, tok); break; - case A_SETFSIZE: - tok = au_to_arg32(2, "setfsize:filesize", - ar->ar_arg_auditon.au_fstat.af_filesz); + case A_SETFSIZE: + tok = au_to_arg32(2, "setfsize:filesize", + ar->ar_arg_auditon.au_fstat.af_filesz); kau_write(rec, tok); break; @@ -345,13 +343,14 @@ } /* - * Convert an internal kernel audit record to a BSM record and return - * a success/failure indicator. The BSM record is passed as an out - * parameter to this function. + * Convert an internal kernel audit record to a BSM record and return a + * success/failure indicator. The BSM record is passed as an out parameter to + * this function. + * * Return conditions: * BSM_SUCCESS: The BSM record is valid * BSM_FAILURE: Failure; the BSM record is NULL. - * BSM_NOAUDIT: The event is not auditable for BSM; the BSM record is NULL. + * BSM_NOAUDIT: The event is not auditable for BSM; the BSM record is NULL. */ int kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau) @@ -380,35 +379,35 @@ ar->ar_subj_asid, /* session ID */ &tid); - /* The logic inside each case fills in the tokens required for the - * event, except for the header, trailer, and return tokens. The + /* + * The logic inside each case fills in the tokens required for the + * event, except for the header, trailer, and return tokens. The * header and trailer tokens are added by the kau_close() function. * The return token is added outside of the switch statement. - */ + */ switch(ar->ar_event) { - - /* - * Socket-related events. - */ case AUE_ACCEPT: case AUE_BIND: case AUE_CONNECT: case AUE_RECVFROM: - case AUE_RECVMSG: + case AUE_RECVMSG: case AUE_SENDMSG: case AUE_SENDTO: + /* + * Socket-related events. + */ if (ARG_IS_VALID(kar, ARG_FD)) { tok = au_to_arg32(1, "fd", ar->ar_arg_fd); kau_write(rec, tok); } if (ARG_IS_VALID(kar, ARG_SADDRINET)) { - tok = au_to_sock_inet( - (struct sockaddr_in *)&ar->ar_arg_sockaddr); + tok = au_to_sock_inet((struct sockaddr_in *) + &ar->ar_arg_sockaddr); kau_write(rec, tok); } if (ARG_IS_VALID(kar, ARG_SADDRUNIX)) { - tok = au_to_sock_unix( - (struct sockaddr_un *)&ar->ar_arg_sockaddr); + tok = au_to_sock_unix((struct sockaddr_un *) + &ar->ar_arg_sockaddr); kau_write(rec, tok); UPATH1_TOKENS; } @@ -469,21 +468,23 @@ case AUE_SETAUDIT: if (ARG_IS_VALID(kar, ARG_AUID)) { - tok = au_to_arg32(1, "setaudit:auid", ar->ar_arg_auid); + tok = au_to_arg32(1, "setaudit:auid", + ar->ar_arg_auid); kau_write(rec, tok); - tok = au_to_arg32(1, "setaudit:port", - ar->ar_arg_termid.port); + tok = au_to_arg32(1, "setaudit:port", + ar->ar_arg_termid.port); kau_write(rec, tok); - tok = au_to_arg32(1, "setaudit:machine", - ar->ar_arg_termid.machine); + tok = au_to_arg32(1, "setaudit:machine", + ar->ar_arg_termid.machine); kau_write(rec, tok); - tok = au_to_arg32(1, "setaudit:as_success", - ar->ar_arg_amask.am_success); + tok = au_to_arg32(1, "setaudit:as_success", + ar->ar_arg_amask.am_success); kau_write(rec, tok); - tok = au_to_arg32(1, "setaudit:as_failure", - ar->ar_arg_amask.am_failure); + tok = au_to_arg32(1, "setaudit:as_failure", + ar->ar_arg_amask.am_failure); kau_write(rec, tok); - tok = au_to_arg32(1, "setaudit:asid", ar->ar_arg_asid); + tok = au_to_arg32(1, "setaudit:asid", + ar->ar_arg_asid); kau_write(rec, tok); } break; @@ -492,7 +493,9 @@ break; /* XXX need to add arguments */ case AUE_AUDITON: - /* For AUDITON commands without own event, audit the cmd */ + /* + * For AUDITON commands without own event, audit the cmd. + */ if (ARG_IS_VALID(kar, ARG_CMD)) { tok = au_to_arg32(1, "cmd", ar->ar_arg_cmd); kau_write(rec, tok); @@ -515,11 +518,10 @@ case AUE_AUDITON_SETUMASK: case AUE_AUDITON_SPOLICY: case AUE_AUDITON_SQCTRL: - if (ARG_IS_VALID(kar, ARG_AUDITON)) { + if (ARG_IS_VALID(kar, ARG_AUDITON)) audit_sys_auditon(ar, rec); - } break; - + case AUE_AUDITCTL: UPATH1_VNODE1_TOKENS; break; @@ -544,7 +546,9 @@ case AUE_SETSID: case AUE_SETTIMEOFDAY: case AUE_NEWSYSTEMSHREG: - /* Header, subject, and return tokens added at end */ + /* + * Header, subject, and return tokens added at end. + */ break; case AUE_MKFIFO: @@ -584,16 +588,17 @@ } UPATH1_VNODE1_TOKENS; break; - + case AUE_CHMOD: case AUE_LCHMOD: if (ARG_IS_VALID(kar, ARG_MODE)) { - tok = au_to_arg32(2, "new file mode", ar->ar_arg_mode); + tok = au_to_arg32(2, "new file mode", + ar->ar_arg_mode); kau_write(rec, tok); } UPATH1_VNODE1_TOKENS; break; - + case AUE_CHOWN: case AUE_LCHOWN: if (ARG_IS_VALID(kar, ARG_UID)) { @@ -606,7 +611,7 @@ } UPATH1_VNODE1_TOKENS; break; - + case AUE_EXCHANGEDATA: UPATH1_VNODE1_TOKENS; UPATH2_TOKENS; @@ -622,12 +627,13 @@ case AUE_FCHMOD: if (ARG_IS_VALID(kar, ARG_MODE)) { - tok = au_to_arg32(2, "new file mode", ar->ar_arg_mode); + tok = au_to_arg32(2, "new file mode", + ar->ar_arg_mode); kau_write(rec, tok); >>> TRUNCATED FOR MAIL (1000 lines) <<<
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200603191711.k2JHBb3p016390>