Date:      Sun, 12 Nov 2006 19:59:58 -0200
From:      "Diego Giagio" <dgiagio@gmail.com>
To:        trustedbsd-audit@freebsd.org
Subject:   Re: Additional 64-bit token types to libbsm
Message-ID:  <1b0798830611121359r877d4ces5182f1ec1eb2b646@mail.gmail.com>
In-Reply-To: <1b0798830611110806v788e8ffbp2a0b864256e36c55@mail.gmail.com>
References:  <1b0798830611110806v788e8ffbp2a0b864256e36c55@mail.gmail.com>


[-- Attachment #1 --]
On 11/11/06, Diego Giagio <dgiagio@gmail.com> wrote:
> Hi,
>
> I've been looking at OpenBSM 1.0a12 distribution's TODO list and would
> like to start contributing. The first item on the list appears to have
> already been committed (praudit with XML output), so I'm skipping it.
> The next one is for adding support for some newer 64-bit tokens to
> libbsm. Is there anyone already working on this one?

Well, since I received no answer, I created a patch myself to implement
some of the 64-bit tokens that returned ENOTSUP in the distribution. They are:

au_to_attr64
au_to_process64
au_to_process64_ex
au_to_subject64
au_to_subject64_ex
au_to_header64 (and newly created au_to_header64_tm)

The tokens are based on the existing 32-bit tokens (*32) and on the
OpenSolaris BSM implementation.
The patch applies to OPENBSM_1_0_ALPHA_12. It has not yet been fully
tested, so be warned.

$ cd openbsm
$ patch -p1 < tokens64.patch

There are some X11 and miscellaneous tokens we don't yet support. Are we
going to support them?

DG

[-- Attachment #2 --]
diff -u -r openbsm/bsm/audit_record.h openbsm-dgiagio/bsm/audit_record.h
--- openbsm/bsm/audit_record.h	2006-09-24 17:20:03.000000000 -0300
+++ openbsm-dgiagio/bsm/audit_record.h	2006-11-12 18:41:13.000000000 -0200
@@ -246,6 +246,8 @@
 
 token_t	*au_to_header32_tm(int rec_size, au_event_t e_type, au_emod_t e_mod,
 	    struct timeval tm);
+token_t	*au_to_header64_tm(int rec_size, au_event_t e_type, au_emod_t e_mod,
+	    struct timeval tm);
 #if !defined(KERNEL) && !defined(_KERNEL)
 token_t	*au_to_header(int rec_size, au_event_t e_type, au_emod_t e_mod);
 token_t	*au_to_header32(int rec_size, au_event_t e_type, au_emod_t e_mod);
diff -u -r openbsm/libbsm/bsm_token.c openbsm-dgiagio/libbsm/bsm_token.c
--- openbsm/libbsm/bsm_token.c	2006-09-24 17:20:11.000000000 -0300
+++ openbsm-dgiagio/libbsm/bsm_token.c	2006-11-12 18:49:33.000000000 -0200
@@ -212,9 +212,46 @@
 token_t *
 au_to_attr64(struct vnode_au_info *vni)
 {
+	token_t *t;
+	u_char *dptr = NULL;
+	u_int16_t pad0_16 = 0;
+	u_int16_t pad0_32 = 0;
+
+	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) +
+	    3 * sizeof(u_int32_t) + sizeof(u_int64_t) * 2);
+	if (t == NULL)
+		return (NULL);
+
+	ADD_U_CHAR(dptr, AUT_ATTR64);
+
+	/*
+	 * Darwin defines the size for the file mode
+	 * as 2 bytes; BSM defines 4 so pad with 0
+	 */
+	ADD_U_INT16(dptr, pad0_16);
+	ADD_U_INT16(dptr, vni->vn_mode);
+
+	ADD_U_INT32(dptr, vni->vn_uid);
+	ADD_U_INT32(dptr, vni->vn_gid);
+	ADD_U_INT32(dptr, vni->vn_fsid);
+
+	/*
+	 * Some systems use 32-bit file ID's, other's use 64-bit file IDs.
+	 * Attempt to handle both, and let the compiler sort it out.  If we
+	 * could pick this out at compile-time, it would be better, so as to
+	 * avoid the else case below.
+	 */
+	if (sizeof(vni->vn_fileid) == sizeof(uint32_t)) {
+		ADD_U_INT32(dptr, pad0_32);
+		ADD_U_INT32(dptr, vni->vn_fileid);
+	} else if (sizeof(vni->vn_fileid) == sizeof(uint64_t))
+		ADD_U_INT64(dptr, vni->vn_fileid);
+	else
+		ADD_U_INT64(dptr, 0LL);
 
-	errno = ENOTSUP;
-	return (NULL);
+	ADD_U_INT64(dptr, vni->vn_dev);
+
+	return (t);
 }
 
 token_t *
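Review bot: `pad0_32` on the fourth added line is declared `u_int16_t` but is emitted with `ADD_U_INT32` in the 32-bit-fileid branch, so the variable's type does not match the width written; depending on how ADD_U_INT32 is defined (converting the value, or copying `sizeof(u_int32_t)` bytes from the operand's address) this is either a silent widening or an out-of-bounds read of the 2-byte variable. Declare it as `u_int32_t pad0_32 = 0;`. The same width mismatch appears in au_to_header64_tm in the later hunk, where `timems` is `u_int32_t` but is written with `ADD_U_INT64`; declaring it `u_int64_t timems;` avoids it. The GET_TOKEN_AREA request (1 + 4 + 12 + 16 = 33 bytes) does match the bytes the ADD_* calls emit, so the sizing itself looks consistent.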
@@ -654,9 +691,26 @@
     __unused gid_t egid, __unused uid_t ruid, __unused gid_t rgid,
     __unused pid_t pid, __unused au_asid_t sid, __unused au_tid_t *tid)
 {
+	token_t *t;
+	u_char *dptr = NULL;
+
+	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 8 * sizeof(u_int32_t) +
+	    sizeof(u_int64_t));
+	if (t == NULL)
+		return (NULL);
+
+	ADD_U_CHAR(dptr, AUT_PROCESS64);
+	ADD_U_INT32(dptr, auid);
+	ADD_U_INT32(dptr, euid);
+	ADD_U_INT32(dptr, egid);
+	ADD_U_INT32(dptr, ruid);
+	ADD_U_INT32(dptr, rgid);
+	ADD_U_INT32(dptr, pid);
+	ADD_U_INT32(dptr, sid);
+	ADD_U_INT64(dptr, tid->port);
+	ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t));
 
-	errno = ENOTSUP;
-	return (NULL);
+	return (t);
 }
 
 token_t *
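Review bot: The parameters `egid`, `ruid`, `rgid`, `pid`, `sid` and `tid` on the two context lines at the top of this hunk are still tagged `__unused` although the new body reads every one of them; the stub-era markers should be dropped from the signature, whose first line (with `auid` and `euid`) lies outside the hunk. The same leftover `__unused` tags remain on `rec_size`, `e_type` and `e_mod` in au_to_header64 in the last hunk, which now forwards all three to au_to_header64_tm. Apart from the token-type byte, this body is a line-for-line copy of au_to_subject64 in the later hunk; if a shared static helper is not wanted, a comment such as `/* Layout must match au_to_subject64(). */` would at least flag that the two must stay in sync. The 41-byte GET_TOKEN_AREA request matches the 1 + 7*4 + 8 + 4 bytes emitted.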
@@ -727,9 +781,42 @@
 au_to_process64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
     gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
 {
+	token_t *t;
+	u_char *dptr = NULL;
+
+	if (tid->at_type == AU_IPv4)
+		GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 
+		    7 * sizeof(u_int32_t) + sizeof(u_int64_t) +
+		    2 * sizeof(u_int32_t));
+	else if (tid->at_type == AU_IPv6)
+		GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
+		    7 * sizeof(u_int32_t) + sizeof(u_int64_t) +
+		    5 * sizeof(u_int32_t));
+	else {
+		errno = EINVAL;
+		return (NULL);
+	}
+	if (t == NULL)
+		return (NULL);
+
+	ADD_U_CHAR(dptr, AUT_PROCESS64_EX);
+	ADD_U_INT32(dptr, auid);
+	ADD_U_INT32(dptr, euid);
+	ADD_U_INT32(dptr, egid);
+	ADD_U_INT32(dptr, ruid);
+	ADD_U_INT32(dptr, rgid);
+	ADD_U_INT32(dptr, pid);
+	ADD_U_INT32(dptr, sid);
+	ADD_U_INT64(dptr, tid->at_port);
+	ADD_U_INT32(dptr, tid->at_type);
+	ADD_U_INT32(dptr, tid->at_addr[0]);
+	if (tid->at_type == AU_IPv6) {
+		ADD_U_INT32(dptr, tid->at_addr[1]);
+		ADD_U_INT32(dptr, tid->at_addr[2]);
+		ADD_U_INT32(dptr, tid->at_addr[3]);
+	}
 
-	errno = ENOTSUP;
-	return (NULL);
+	return (t);
 }
 
 token_t *
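Review bot: The body of au_to_process64_ex is identical to the new au_to_subject64_ex in the later hunk except for the AUT_PROCESS64_EX / AUT_SUBJECT64_EX byte, including the IPv4/IPv6 length selection and the EINVAL path, so the two encodings can drift independently; factoring the shared part into a static helper that takes the token type keeps the layout in one place, and both public functions become one-line wrappers (sketch below). Minor: the first GET_TOKEN_AREA line carries trailing whitespace after `sizeof(u_char) +`, and `t` is assigned only inside the if/else-if arms, so `token_t *t = NULL;` avoids a maybe-uninitialized warning on some compilers. The IPv4 (45-byte) and IPv6 (57-byte) requests match the bytes emitted.
```c
/* Shared encoder for the *64_ex tokens; tok_type selects PROCESS vs SUBJECT. */
static token_t *
au_to_ex64_common(u_char tok_type, au_id_t auid, uid_t euid, gid_t egid,
    uid_t ruid, gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
{
	token_t *t = NULL;
	u_char *dptr = NULL;

	/* … unchanged: IPv4/IPv6 GET_TOKEN_AREA selection and EINVAL path … */
	ADD_U_CHAR(dptr, tok_type);
	/* … unchanged: auid through at_addr[] fields … */
	return (t);
}

token_t *
au_to_process64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
    gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
{

	return (au_to_ex64_common(AUT_PROCESS64_EX, auid, euid, egid, ruid,
	    rgid, pid, sid, tid));
}
```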
@@ -944,9 +1031,26 @@
 au_to_subject64(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
     pid_t pid, au_asid_t sid, au_tid_t *tid)
 {
+	token_t *t;
+	u_char *dptr = NULL;
+
+	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 7 * sizeof(u_int32_t) +
+	    sizeof(u_int64_t) + sizeof(u_int32_t));
+	if (t == NULL)
+		return (NULL);
 
-	errno = ENOTSUP;
-	return (NULL);
+	ADD_U_CHAR(dptr, AUT_SUBJECT64);
+	ADD_U_INT32(dptr, auid);
+	ADD_U_INT32(dptr, euid);
+	ADD_U_INT32(dptr, egid);
+	ADD_U_INT32(dptr, ruid);
+	ADD_U_INT32(dptr, rgid);
+	ADD_U_INT32(dptr, pid);
+	ADD_U_INT32(dptr, sid);
+	ADD_U_INT64(dptr, tid->port);
+	ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t));
+
+	return (t);
 }
 
 token_t *
@@ -1016,9 +1120,42 @@
 au_to_subject64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
     gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
 {
+	token_t *t;
+	u_char *dptr = NULL;
+
+	if (tid->at_type == AU_IPv4)
+		GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
+		    7 * sizeof(u_int32_t) + sizeof(u_int64_t) +
+		    2 * sizeof(u_int32_t));
+	else if (tid->at_type == AU_IPv6)
+		GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
+		    7 * sizeof(u_int32_t) + sizeof(u_int64_t) +
+		    5 * sizeof(u_int32_t));
+	else {
+		errno = EINVAL;
+		return (NULL);
+	}
+	if (t == NULL)
+		return (NULL);
+
+	ADD_U_CHAR(dptr, AUT_SUBJECT64_EX);
+	ADD_U_INT32(dptr, auid);
+	ADD_U_INT32(dptr, euid);
+	ADD_U_INT32(dptr, egid);
+	ADD_U_INT32(dptr, ruid);
+	ADD_U_INT32(dptr, rgid);
+	ADD_U_INT32(dptr, pid);
+	ADD_U_INT32(dptr, sid);
+	ADD_U_INT64(dptr, tid->at_port);
+	ADD_U_INT32(dptr, tid->at_type);
+	ADD_U_INT32(dptr, tid->at_addr[0]);
+	if (tid->at_type == AU_IPv6) {
+		ADD_U_INT32(dptr, tid->at_addr[1]);
+		ADD_U_INT32(dptr, tid->at_addr[2]);
+		ADD_U_INT32(dptr, tid->at_addr[3]);
+	}
 
-	errno = ENOTSUP;
-	return (NULL);
+	return (t);
 }
 
 token_t *
@@ -1166,6 +1303,33 @@
 	return (t);
 }
 
+token_t *
+au_to_header64_tm(int rec_size, au_event_t e_type, au_emod_t e_mod,
+    struct timeval tm)
+{
+	token_t *t;
+	u_char *dptr = NULL;
+	u_int32_t timems;
+
+	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) +
+	    sizeof(u_char) + 2 * sizeof(u_int16_t) + 2 * sizeof(u_int64_t));
+	if (t == NULL)
+		return (NULL);
+
+	ADD_U_CHAR(dptr, AUT_HEADER64);
+	ADD_U_INT32(dptr, rec_size);
+	ADD_U_CHAR(dptr, AUDIT_HEADER_VERSION_OPENBSM);
+	ADD_U_INT16(dptr, e_type);
+	ADD_U_INT16(dptr, e_mod);
+
+	timems = tm.tv_usec/1000;
+	/* Add the timestamp */
+	ADD_U_INT64(dptr, tm.tv_sec);
+	ADD_U_INT64(dptr, timems);	/* We need time in ms. */
+
+	return (t);
+}
+
 #if !defined(KERNEL) && !defined(_KERNEL)
 token_t *
 au_to_header32(int rec_size, au_event_t e_type, au_emod_t e_mod)
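Review bot: au_to_header64_tm is a new public function with no comment describing the byte layout it emits, and the only hint about the time field's unit is the trailing `/* We need time in ms. */`. A short block comment above the definition such as `/* AUT_HEADER64: token id, 32-bit record size, version byte, 16-bit event type and modifier, 64-bit seconds, 64-bit milliseconds. */` lets a token reader check its decoding against this writer. The `rec_size` parameter is stored as given, as in au_to_header32_tm, so the caller remains responsible for the final record length. The 26-byte GET_TOKEN_AREA request matches what the ADD_* calls emit.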
@@ -1181,9 +1345,11 @@
 au_to_header64(__unused int rec_size, __unused au_event_t e_type,
     __unused au_emod_t e_mod)
 {
+	struct timeval tm;
 
-	errno = ENOTSUP;
-	return (NULL);
+	if (gettimeofday(&tm, NULL) == -1)
+		return (NULL);
+	return (au_to_header64_tm(rec_size, e_type, e_mod, tm));
 }
 
 token_t *
