Date: Mon, 1 Dec 2008 21:28:37 GMT From: Robert Watson <rwatson@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 153916 for review Message-ID: <200812012128.mB1LSbwb025030@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=153916 Change 153916 by rwatson@rwatson_cinnamon_macosx on 2008/12/01 21:28:01 Add support for the AUT_SOCKET_EX token type, which contains a socket domain, socket type, address type, and two IPv4/IPv6 port/address tuples. This required: (1) Fixing the existing AUT_SOCKET_EX parsing and printing code in libbsm. (2) Add au_to_socket_ex() token generation function, which accepts socket domain, socket type, and two sockaddr_{in,in6}'s. (3) Add test record generation and reference token/records to the test tree. (4) Remove prototypes for non-present au_to_socket_ex_{32,128}() generation functions. Affected files ... .. //depot/projects/trustedbsd/openbsm/NEWS#15 edit .. //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#36 edit .. //depot/projects/trustedbsd/openbsm/libbsm/bsm_io.c#58 edit .. //depot/projects/trustedbsd/openbsm/libbsm/bsm_token.c#81 edit .. //depot/projects/trustedbsd/openbsm/sys/bsm/audit_record.h#5 edit .. //depot/projects/trustedbsd/openbsm/test/bsm/generate.c#11 edit .. //depot/projects/trustedbsd/openbsm/test/reference/socketex_record#1 add .. //depot/projects/trustedbsd/openbsm/test/reference/socketex_token#1 add Differences ... ==== //depot/projects/trustedbsd/openbsm/NEWS#15 (text+ko) ==== @@ -10,6 +10,8 @@ - Fix a bug how au_to_exec_args(3) and au_to_exec_env(3) calculates the total size for the token. This bug resulted in "unknown" tokens being printed after the exec args/env tokens. +- Support for AUT_SOCKET_EX extended socket tokens, which describe a socket + using a pair of IPv4/IPv6 and port tuples. OpenBSM 1.1 alpha 2 @@ -359,4 +361,4 @@ to support reloading of kernel event table. - Allow comments in /etc/security configuration files. -$P4: //depot/projects/trustedbsd/openbsm/NEWS#14 $ +$P4: //depot/projects/trustedbsd/openbsm/NEWS#15 $ ==== //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#36 (text+ko) ==== 
@@ -1,5 +1,5 @@ /*- - * Copyright (c) 2004 Apple Inc. + * Copyright (c) 2004-2008 Apple Inc. * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -26,7 +26,7 @@ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE * POSSIBILITY OF SUCH DAMAGE. * - * $P4: //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#35 $ + * $P4: //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#36 $ */ #ifndef _LIBBSM_H_ @@ -547,13 +547,13 @@ * remote Internet address 4 bytes/16 bytes (IPv4/IPv6 address) */ typedef struct { + u_int16_t domain; u_int16_t type; + u_int16_t atype; u_int16_t l_port; - u_int32_t l_ad_type; - u_int32_t l_addr; + u_int32_t l_addr[4]; u_int32_t r_port; - u_int32_t r_ad_type; - u_int32_t r_addr; + u_int32_t r_addr[4]; } au_socket_ex32_t; /* ==== //depot/projects/trustedbsd/openbsm/libbsm/bsm_io.c#58 (text+ko) ==== @@ -32,7 +32,7 @@ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE * POSSIBILITY OF SUCH DAMAGE. * - * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_io.c#57 $ + * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_io.c#58 $ */ #include <sys/types.h> 
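Review bot: The reworked `au_socket_ex32_t` still declares `u_int32_t r_port;` while the new layout comment, the sibling `l_port` field and the parser in bsm_io.c all treat the remote port as 2 bytes (the parser copies `sizeof(uint16_t)` bytes into `&tok->tt.socket_ex32.r_port`). On a big-endian host those two bytes land in the upper half of the 32-bit field and the `ntohs()` the printer applies reads the lower half, which the parser never wrote. Change the field to `u_int16_t r_port;` so the struct matches the wire format; this commit already changes the struct layout (the `l_addr`/`r_addr` arrays), so the ABI cost is already being paid here.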
@@ -3753,53 +3753,71 @@ } /* + * socket domain 2 bytes * socket type 2 bytes + * address type 2 bytes * local port 2 bytes - * address type/length 4 bytes - * local Internet address 4 bytes - * remote port 4 bytes - * address type/length 4 bytes - * remote Internet address 4 bytes + * local Internet address 4/16 bytes + * remote port 2 bytes + * remote Internet address 4/16 bytes */ static int fetch_socketex32_tok(tokenstr_t *tok, u_char *buf, int len) { int err = 0; - READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.type, tok->len, + READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.domain, tok->len, err); if (err) return (-1); - READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_port, - sizeof(uint16_t), tok->len, err); + READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.type, tok->len, + err); if (err) return (-1); - READ_TOKEN_U_INT32(buf, len, tok->tt.socket_ex32.l_ad_type, tok->len, + READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.atype, tok->len, err); if (err) return (-1); - READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_addr, - sizeof(tok->tt.socket_ex32.l_addr), tok->len, err); - if (err) + if (tok->tt.socket_ex32.atype != AU_IPv4 && + tok->tt.socket_ex32.atype != AU_IPv6) return (-1); - READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_port, + READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_port, sizeof(uint16_t), tok->len, err); if (err) return (-1); - READ_TOKEN_U_INT32(buf, len, tok->tt.socket_ex32.r_ad_type, tok->len, - err); + if (tok->tt.socket_ex32.atype == AU_IPv4) { + READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_addr, + sizeof(tok->tt.socket_ex32.l_addr[0]), tok->len, err); + if (err) + return (-1); + } else { + READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_addr, + sizeof(tok->tt.socket_ex32.l_addr), tok->len, err); + if (err) + return (-1); + } + + READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_port, + sizeof(uint16_t), tok->len, err); if (err) return (-1); - READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_addr, - 
sizeof(tok->tt.socket_ex32.r_addr), tok->len, err); - if (err) - return (-1); + if (tok->tt.socket_ex32.atype == AU_IPv4) { + READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_addr, + sizeof(tok->tt.socket_ex32.r_addr[0]), tok->len, err); + if (err) + return (-1); + } else { + READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_addr, + sizeof(tok->tt.socket_ex32.r_addr), tok->len, err); + if (err) + return (-1); + } return (0); } @@ -3811,6 +3829,9 @@ print_tok_type(fp, tok->id, "socket", raw, xml); if (xml) { + open_attr(fp, "sock_dom"); + print_2_bytes(fp, tok->tt.socket_ex32.domain, "%#x"); + close_attr(fp); open_attr(fp, "sock_type"); print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x"); close_attr(fp); @@ -3818,10 +3839,12 @@ print_2_bytes(fp, ntohs(tok->tt.socket_ex32.l_port), "%#x"); close_attr(fp); open_attr(fp, "laddr"); - print_ip_address(fp, tok->tt.socket_ex32.l_addr); + print_ip_ex_address(fp, tok->tt.socket_ex32.atype, + tok->tt.socket_ex32.l_addr); close_attr(fp); open_attr(fp, "faddr"); - print_ip_address(fp, tok->tt.socket_ex32.r_addr); + print_ip_ex_address(fp, tok->tt.socket_ex32.atype, + tok->tt.socket_ex32.r_addr); close_attr(fp); open_attr(fp, "fport"); print_2_bytes(fp, ntohs(tok->tt.socket_ex32.r_port), "%#x"); 
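Review bot: In `fetch_socketex32_tok` the two `if (atype == AU_IPv4) ... else ...` blocks repeat the same `READ_TOKEN_BYTES` with only the length differing, which is how the `l_addr`/`r_addr` branches could drift apart on a later edit; computing the address length once from `atype` right after the AU_IPv4/AU_IPv6 check leaves one read per address. Note also that the IPv4 path writes only `l_addr[0]`/`r_addr[0]`, so `l_addr[1..3]` keep whatever the token buffer held before — harmless only if the caller zeroes `tok` or `print_ip_ex_address` reads just the first word for AU_IPv4, which is not visible in this change. The rewrite below needs a `size_t addrlen;` declared next to `err`.
```c
	/* … unchanged: domain, type and atype reads, AU_IPv4/AU_IPv6 check … */
	addrlen = (tok->tt.socket_ex32.atype == AU_IPv4) ?
	    sizeof(tok->tt.socket_ex32.l_addr[0]) :
	    sizeof(tok->tt.socket_ex32.l_addr);
	READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_port,
	    sizeof(uint16_t), tok->len, err);
	if (err)
		return (-1);
	READ_TOKEN_BYTES(buf, len, tok->tt.socket_ex32.l_addr, addrlen,
	    tok->len, err);
	if (err)
		return (-1);
	READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_port,
	    sizeof(uint16_t), tok->len, err);
	if (err)
		return (-1);
	READ_TOKEN_BYTES(buf, len, tok->tt.socket_ex32.r_addr, addrlen,
	    tok->len, err);
	if (err)
		return (-1);
	return (0);
```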
@@ -3829,15 +3852,19 @@ close_tag(fp, tok->id); } else { print_delim(fp, del); + print_2_bytes(fp, tok->tt.socket_ex32.domain, "%#x"); + print_delim(fp, del); print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x"); print_delim(fp, del); print_2_bytes(fp, ntohs(tok->tt.socket_ex32.l_port), "%#x"); print_delim(fp, del); - print_ip_address(fp, tok->tt.socket_ex32.l_addr); + print_ip_ex_address(fp, tok->tt.socket_ex32.atype, + tok->tt.socket_ex32.l_addr); print_delim(fp, del); print_4_bytes(fp, ntohs(tok->tt.socket_ex32.r_port), "%#x"); print_delim(fp, del); - print_ip_address(fp, tok->tt.socket_ex32.r_addr); + print_ip_ex_address(fp, tok->tt.socket_ex32.atype, + tok->tt.socket_ex32.r_addr); } } ==== //depot/projects/trustedbsd/openbsm/libbsm/bsm_token.c#81 (text+ko) ==== @@ -30,7 +30,7 @@ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE * POSSIBILITY OF SUCH DAMAGE. * - * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_token.c#80 $ + * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_token.c#81 $ */ #include <sys/types.h> 
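Review bot: The non-XML branch still prints the remote port with `print_4_bytes(fp, ntohs(tok->tt.socket_ex32.r_port), "%#x");` while the local port two lines above and the XML branch's `fport` both use `print_2_bytes` on an `ntohs()` result; since the commit message says it fixes the existing printing code, that context line should become `print_2_bytes(fp, ntohs(tok->tt.socket_ex32.r_port), "%#x");` so both branches emit the same value for the same token. Whether the 4-byte form currently prints stray high bytes depends on the `r_port` field type in libbsm.h, which this hunk does not show.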
@@ -899,6 +899,60 @@ /* * token ID 1 byte + * socket domain 2 bytes + * socket type 2 bytes + * address type 2 byte + * local port 2 bytes + * local address 4 bytes/16 bytes (IPv4/IPv6 address) + * remote port 2 bytes + * remote address 4 bytes/16 bytes (IPv4/IPv6 address) + */ +token_t * +au_to_socket_ex(u_short so_domain, u_short so_type, + struct sockaddr *sa_local, struct sockaddr *sa_remote) +{ + token_t *t; + u_char *dptr = NULL; + struct sockaddr_in *sin; + struct sockaddr_in6 *sin6; + + if (so_domain == AF_INET) + GET_TOKEN_AREA(t, dptr, sizeof(u_char) + + 5 * sizeof(u_int16_t) + 2 * sizeof(u_int32_t)); + else if (so_domain == AF_INET6) + GET_TOKEN_AREA(t, dptr, sizeof(u_char) + + 5 * sizeof(u_int16_t) + 16 * sizeof(u_int32_t)); + else { + errno = EINVAL; + return (NULL); + } + + ADD_U_CHAR(dptr, AUT_SOCKET_EX); + ADD_U_INT16(dptr, so_domain); /* XXXRW: explicitly convert? */ + ADD_U_INT16(dptr, so_type); /* XXXRW: explicitly convert? */ + if (so_domain == AF_INET) { + ADD_U_INT16(dptr, AU_IPv4); + sin = (struct sockaddr_in *)sa_local; + ADD_MEM(dptr, &sin->sin_port, sizeof(uint16_t)); + ADD_MEM(dptr, &sin->sin_addr.s_addr, sizeof(uint32_t)); + sin = (struct sockaddr_in *)sa_remote; + ADD_MEM(dptr, &sin->sin_port, sizeof(uint16_t)); + ADD_MEM(dptr, &sin->sin_addr.s_addr, sizeof(uint32_t)); + } else { + ADD_U_INT16(dptr, AU_IPv6); + sin6 = (struct sockaddr_in6 *)sa_local; + ADD_MEM(dptr, &sin6->sin6_port, sizeof(uint16_t)); + ADD_MEM(dptr, &sin6->sin6_addr, 4 * sizeof(uint32_t)); + sin6 = (struct sockaddr_in6 *)sa_remote; + ADD_MEM(dptr, &sin6->sin6_port, sizeof(uint16_t)); + ADD_MEM(dptr, &sin6->sin6_addr, 4 * sizeof(uint32_t)); + } + + return (t); +} + +/* + * token ID 1 byte * socket family 2 bytes * path 104 bytes */ ==== //depot/projects/trustedbsd/openbsm/sys/bsm/audit_record.h#5 (text+ko) ==== 
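Review bot: The AF_INET6 allocation in `au_to_socket_ex` asks for `5 * sizeof(u_int16_t) + 16 * sizeof(u_int32_t)`, but the body written afterwards is 5 two-byte fields plus two 16-byte addresses, i.e. `8 * sizeof(u_int32_t)`; the token is over-allocated by 32 bytes, and if `GET_TOKEN_AREA` records the requested size as the token length (not visible here) the emitted token carries 32 never-written trailing bytes, which would both misalign the following tokens and copy heap contents into the audit trail. The line should read `5 * sizeof(u_int16_t) + 8 * sizeof(u_int32_t)`. Separately, the casts to `sockaddr_in`/`sockaddr_in6` trust `so_domain` alone; a guard such as `if (sa_local == NULL || sa_remote == NULL || sa_local->sa_family != so_domain || sa_remote->sa_family != so_domain) { errno = EINVAL; return (NULL); }` before the allocation stops a `sockaddr_in` passed with AF_INET6 from being read as a 28-byte `sockaddr_in6`.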
@@ -26,7 +26,7 @@ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * - * $P4: //depot/projects/trustedbsd/openbsm/sys/bsm/audit_record.h#4 $ + * $P4: //depot/projects/trustedbsd/openbsm/sys/bsm/audit_record.h#5 $ */ #ifndef _BSM_AUDIT_RECORD_H_ @@ -182,6 +182,7 @@ struct ip; struct ipc_perm; struct kevent; +struct sockaddr; struct sockaddr_in; struct sockaddr_in6; struct sockaddr_un; @@ -251,15 +252,8 @@ token_t *au_to_return32(char status, uint32_t ret); token_t *au_to_return64(char status, uint64_t ret); token_t *au_to_seq(long audit_count); - -#if defined(_KERNEL) || defined(KERNEL) -token_t *au_to_socket(struct socket *so); -token_t *au_to_socket_ex_32(uint16_t lp, uint16_t rp, struct sockaddr *la, - struct sockaddr *ta); -token_t *au_to_socket_ex_128(uint16_t lp, uint16_t rp, struct sockaddr *la, - struct sockaddr *ta); -#endif - +token_t *au_to_socket_ex(u_short so_domain, u_short so_type, + struct sockaddr *sa_local, struct sockaddr *sa_remote); token_t *au_to_sock_inet(struct sockaddr_in *so); token_t *au_to_sock_inet32(struct sockaddr_in *so); token_t *au_to_sock_inet128(struct sockaddr_in6 *so); ==== //depot/projects/trustedbsd/openbsm/test/bsm/generate.c#11 (text+ko) ==== @@ -1,5 +1,6 @@ /*- * Copyright (c) 2006-2007 Robert N. M. Watson + * Copyright (c) 2008 Apple Inc. * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -23,7 +24,7 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $P4: //depot/projects/trustedbsd/openbsm/test/bsm/generate.c#10 $ + * $P4: //depot/projects/trustedbsd/openbsm/test/bsm/generate.c#11 $ */ /* 
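Review bot: Dropping the whole `#if defined(_KERNEL) || defined(KERNEL)` block also removes the `au_to_socket(struct socket *so)` prototype, which the commit message does not mention (it only lists `au_to_socket_ex_{32,128}`); if any kernel consumer still calls `au_to_socket`, it now compiles against an implicit declaration, so either keep that one prototype under the `_KERNEL` guard or state in the description that it is intentionally gone. On style, the new prototype uses `u_short` where the neighbouring declarations and the removed ones use the fixed-width `uint16_t`/`uint32_t`; `token_t *au_to_socket_ex(uint16_t so_domain, uint16_t so_type, struct sockaddr *sa_local, struct sockaddr *sa_remote);` would match the file.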
@@ -915,6 +916,56 @@ write_record(directory, record_filename, zonename_token, AUE_NULL); } +static u_short socketex_domain = AF_INET; +static u_short socketex_type = SOCK_STREAM; +static struct sockaddr_in socketex_laddr, socketex_raddr; + +static void +generate_socketex_token(const char *directory, const char *token_filename) +{ + token_t *socketex_token; + + bzero(&socketex_laddr, sizeof(socketex_laddr)); + socketex_laddr.sin_family = AF_INET; + socketex_laddr.sin_len = sizeof(socketex_laddr); + socketex_laddr.sin_addr.s_addr = htonl(INADDR_LOOPBACK); + + bzero(&socketex_raddr, sizeof(socketex_raddr)); + socketex_raddr.sin_family = AF_INET; + socketex_raddr.sin_len = sizeof(socketex_raddr); + socketex_raddr.sin_addr.s_addr = htonl(INADDR_LOOPBACK); + + socketex_token = au_to_socket_ex(socketex_domain, socketex_type, + (struct sockaddr *)&socketex_laddr, + (struct sockaddr *)&socketex_raddr); + if (socketex_token == NULL) + err(EX_UNAVAILABLE, "au_to_socket_ex"); + write_token(directory, token_filename, socketex_token); +} + +static void +generate_socketex_record(const char *directory, const char *record_filename) +{ + token_t *socketex_token; + + bzero(&socketex_laddr, sizeof(socketex_laddr)); + socketex_laddr.sin_family = AF_INET; + socketex_laddr.sin_len = sizeof(socketex_laddr); + socketex_laddr.sin_addr.s_addr = htonl(INADDR_LOOPBACK); + + bzero(&socketex_raddr, sizeof(socketex_raddr)); + socketex_raddr.sin_family = AF_INET; + socketex_raddr.sin_len = sizeof(socketex_raddr); + socketex_raddr.sin_addr.s_addr = htonl(INADDR_LOOPBACK); + + socketex_token = au_to_socket_ex(socketex_domain, socketex_type, + (struct sockaddr *)&socketex_laddr, + (struct sockaddr *)&socketex_raddr); + if (socketex_token == NULL) + err(EX_UNAVAILABLE, "au_to_socket_ex"); + write_record(directory, record_filename, socketex_token, AUE_NULL); +} + int main(int argc, char *argv[]) { 
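Review bot: Both new generators leave `sin_port` at the zero that `bzero()` gives it and only ever build AF_INET addresses, so the reference vectors never exercise the port byte order nor the AF_INET6 path of `au_to_socket_ex` at all; the two functions also repeat the same eleven lines of sockaddr setup. A shared helper that fills both sockaddrs with distinct non-zero ports would remove the duplication and make the vectors meaningful, and an `AF_INET6` variant (say `socketex6_token`/`socketex6_record` using `in6addr_loopback`) would cover the other branch; the reference files added in this change would need regenerating after the port change.
```c
static void
socketex_init(void)
{

	bzero(&socketex_laddr, sizeof(socketex_laddr));
	socketex_laddr.sin_family = AF_INET;
	socketex_laddr.sin_len = sizeof(socketex_laddr);
	socketex_laddr.sin_port = htons(1234);
	socketex_laddr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);

	bzero(&socketex_raddr, sizeof(socketex_raddr));
	socketex_raddr.sin_family = AF_INET;
	socketex_raddr.sin_len = sizeof(socketex_raddr);
	socketex_raddr.sin_port = htons(5678);
	socketex_raddr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
}
/* … unchanged: generate_socketex_token/record now call socketex_init() before au_to_socket_ex() … */
```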
@@ -982,6 +1033,7 @@ generate_groups_token(directory, "groups_token"); generate_attr32_token(directory, "attr32_token"); generate_zonename_token(directory, "zonename_token"); + generate_socketex_token(directory, "socketex_token"); } if (do_records) { @@ -1017,6 +1069,7 @@ generate_groups_record(directory, "groups_record"); generate_attr32_record(directory, "attr32_record"); generate_zonename_record(directory, "zonename_record"); + generate_socketex_record(directory, "socketex_record"); } return (0);help
