From owner-p4-projects@FreeBSD.ORG Wed Jun 18 11:40:55 2008 Return-Path: Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id 006BF1065671; Wed, 18 Jun 2008 11:40:55 +0000 (UTC) Delivered-To: perforce@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id B5D0B106566B for ; Wed, 18 Jun 2008 11:40:54 +0000 (UTC) (envelope-from snagg@FreeBSD.org) Received: from repoman.freebsd.org (repoman.freebsd.org [IPv6:2001:4f8:fff6::29]) by mx1.freebsd.org (Postfix) with ESMTP id 9FBCB8FC16 for ; Wed, 18 Jun 2008 11:40:54 +0000 (UTC) (envelope-from snagg@FreeBSD.org) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.14.1/8.14.1) with ESMTP id m5IBesQ6032989 for ; Wed, 18 Jun 2008 11:40:54 GMT (envelope-from snagg@FreeBSD.org) Received: (from perforce@localhost) by repoman.freebsd.org (8.14.1/8.14.1/Submit) id m5IBer35032987 for perforce@freebsd.org; Wed, 18 Jun 2008 11:40:53 GMT (envelope-from snagg@FreeBSD.org) Date: Wed, 18 Jun 2008 11:40:53 GMT Message-Id: <200806181140.m5IBer35032987@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to snagg@FreeBSD.org using -f 
From: Vincenzo Iozzo To: Perforce Change Reviews Cc: Subject: PERFORCE change 143689 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 18 Jun 2008 11:40:55 -0000 http://perforce.freebsd.org/chv.cgi?CH=143689 Change 143689 by snagg@snagg_macosx on 2008/06/18 11:40:21 Finished the first event-specific framework part, added also a testing program. Some other bugs were corrected in the utils. Still need some testing Affected files ... .. //depot/projects/soc2008/snagg-audit/tools/regression/audit/audit_pipe/audit_pipe_ioctl_events.c#2 delete .. //depot/projects/soc2008/snagg-audit/tools/regression/audit/audit_pipe/audit_pipe_regression_test_utils.c#3 edit .. //depot/projects/soc2008/snagg-audit/tools/regression/audit/audit_pipe/audit_pipe_regression_test_utils.h#2 edit .. //depot/projects/soc2008/snagg-audit/tools/regression/audit/audit_pipe/specific-event/audit_pipe_event_open.c#1 add .. //depot/projects/soc2008/snagg-audit/tools/regression/audit/audit_pipe/tests/open_test.c#1 add Differences ... ==== //depot/projects/soc2008/snagg-audit/tools/regression/audit/audit_pipe/audit_pipe_regression_test_utils.c#3 (text+ko) ==== 
@@ -1,47 +1,6 @@
 #include "audit_pipe_regression_test_utils.h"
-struct audit_record *del_record_au(struct audit_record *head, int index)
-{
- struct audit_record *tmp;
- struct audit_record *p;
-
- tmp = head;
- if(tmp == NULL)
- return NULL;
- for(; tmp->next != NULL; tmp = tmp->next)
- {
- if(tmp->next->index == index) {
- p = tmp->next;
- tmp->next = tmp->next->next;
- free(p);
- return head;
- }
- }
-
- return NULL;
-}
-
-struct audit_record
-*add_field_au(struct audit_record *head, struct audit_record *new)
-{
- struct audit_record *tmp;
-
- tmp = head;
- if(tmp == NULL) {
- new->next = NULL;
- return new;
- }
-
- for(; tmp->next != NULL;tmp = tmp->next);
- new->index = tmp->index +1;
- tmp->next= new;
- new->next = NULL;
-
- return head;
-}
-
-
 void init_channel()
 {
 key_t key;
@@ -101,7 +60,7 @@
 /*
 * Every string in the shared-memory channel is of the form
- * value:!!audit-field:**type.
+ * value\\!!audit-field:**type.
 * Here we parse the audit-field part
 */
 char *get_descr(char *string)
@@ -110,7 +69,7 @@
 str = string;
- if((string = strsep(&str, ":!!")) != NULL)
+ if((string = strsep(&str, "\\!!")) != NULL)
 {
 str +=2;
 return str;
@@ -119,7 +78,7 @@
 /*
 * Every string in the shared-memory channel is of the form
- * value:!!audit-field:**type.
+ * value\!!audit-field:**type.
 * Here we parse the type part
 */
 int parse_string(char *string)
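Review bot: In the get_descr hunk at -110 the NULL test in `if((string = strsep(&str, "\\!!")) != NULL)` is on the wrong variable: strsep returns non-NULL whenever str is non-NULL, and when no delimiter byte occurs it sets str itself to NULL, so the `str +=2` that follows does pointer arithmetic on NULL. Test the remainder instead, `if(strsep(&str, "\\!!") != NULL && str != NULL)`. strsep's second argument is also a set rather than a sequence, so the split happens at the first '\\' or '!' in the value and `str +=2` assumes exactly "!!" follows; a value containing either byte, or a delimiter at the very end of the string, yields a misplaced or out-of-range pointer, and since the string arrives over the shared-memory channel it is worth checking `strncmp(str, "!!", 2) == 0` before skipping. The comment hunks at -101 and -119 disagree on the separator (`value\\!!…` against `value\!!…`); the C literal "\\!!" is one backslash followed by two bangs, so the -119 wording is the accurate one. get_descr begins and ends outside the -110 hunk.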
@@ -179,47 +138,49 @@
 * We fetch every token from auditpipe and eventually dump them to a file
 * Modified version of praudit function.
 */
-struct audit_record
-*audit_print_record(FILE *st, FILE *in)
+
+int
+audit_print_record(FILE *st, char *buffer, int buflen, struct audit_record rec)
 {
- u_char *buf;
- tokenstr_t tok;
- int reclen;
- int bytesread;
 int count;
 u_char type;
- struct audit_record *rec;
-
+ int i, exit;
+
 type = 0;
 count = 0;
- rec = malloc(sizeof(struct audit_record));
- if(rec == NULL)
- err(-1, "MALLOC");
-
+ exit = 0;
+
 /* Record must begin with a header token. */
- do {
- type = fgetc(in);
- } while(type != AU_HEADER_32_TOKEN);
- ungetc(type, in);
+ for( i = 0; i< buflen; i++) {
+ type = buffer[i];
+ if(type == AU_HEADER_32_TOKEN) {
+ buffer +=i;
+ buflen -=i;
+ break;
+ }
+ }
+ while (buflen > 0) {
- while ((reclen = au_read_rec(in, &buf)) != -1) {
- bytesread = 0;
- while (bytesread < reclen) {
-
- /* Is this an incomplete record? */
- if (-1 == au_fetch_tok(&tok, buf + bytesread,
- reclen - bytesread))
- break;
- rec->toks[count] = tok;
- rec->count = count;
- au_print_tok_xml(st, &tok, ",", 0, 0);
- fprintf(st, "\n");
- bytesread += tok.len;
- }
- free(buf);
- fflush(st);
+ /* XXX: Is this an incomplete record? */
+ if (au_fetch_tok(&(rec.toks[count]), buffer, buflen) == -1)
+ break;
+
+ rec.count = count;
+ au_print_tok_xml(st, &(rec.toks[count]), ",", 0, 0);
+ buflen -= rec.toks[count].len;
+ buffer += rec.toks[count].len;
+ fprintf(st, "\n");
+ count++;
+ if(count == 20)
+ return -1;
+ if(exit)
+ break;
+ if(*buffer == AU_TRAILER_TOKEN)
+ exit = 1;
 }
- return rec;
+
+ fflush(st);
+ return 0;
 }
 /*
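Review bot: `if(*buffer == AU_TRAILER_TOKEN)` at the bottom of the loop in audit_print_record runs after `buflen -= rec.toks[count].len`, so when a token consumes the buffer exactly it reads one byte past the data; the `buflen > 0` guard is only checked on the next iteration. Guard the read, `if(buflen > 0 && *buffer == AU_TRAILER_TOKEN)`. The header scan above has the matching gap: when no AU_HEADER_32_TOKEN byte is found the for loop ends without touching buffer or buflen and parsing proceeds from the start of the data despite the comment, which `if(type != AU_HEADER_32_TOKEN) return -1;` placed after the loop would close (type equals the header value only when the break was taken). `rec` is passed by value here and in the prototype hunk at -77 of the header, so the tokens stored in rec.toks never reach the caller and a 20-element tokenstr_t array is copied on every call; if callers are meant to see the parsed tokens, presumably a `struct audit_record *rec` parameter is intended. The local `exit` shadows exit(3) and reads better as something like `saw_trailer`.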
@@ -239,25 +200,19 @@
 return f;
 }
-void report_error(tokenstr_t tok, struct audit_record *rec, FILE *f)
+void report_error(tokenstr_t tok, FILE *f)
 {
- int i;
- if(rec == NULL)
- return;
- for(i = 0; i <= rec->count; i++) {
- au_print_tok_xml(f, &(rec->toks[i]), ",", 0, 0);
- fprintf(f, "\n");
- }
- fprintf(f, "ERROR:***");
+ fprintf(f, "ERROR:***\n");
 au_print_tok_xml(f, &tok, ",", 0, 0);
 fprintf(f, "\n");
+
 }
 /*
 * Check the return value of a bsm-token
 */
-int check_ret(au_exit_t ret, int r, char *val)
+int check_ret(au_ret32_t ret, int r, char *val)
 {
 if(ret.ret == r)
 //if(!strncmp(ret.status, val, strlen(ret.status) > strlen(val)?
==== //depot/projects/soc2008/snagg-audit/tools/regression/audit/audit_pipe/audit_pipe_regression_test_utils.h#2 (text+ko) ====
@@ -46,6 +46,9 @@
 #include
 #include
+#define AUDIT_BUFFER_LEN 65536
+#define AUDIT_RECORD_MAX 256
+
 #define SHMSZ 512
 #define SEM_NAME "/audit-test"
 #define SEM_CLIENT_NAME "/client"
@@ -59,17 +62,27 @@
 CHAR_TYPE
 };
+/*
+ * NOT = do not validate anything
+ * GOT_READLINK = we took the last function (a readlink) of the standard
+ * "prologue" of every process
+ * VALID = we need to validate stuff
+ * WAITING = this is not the right syscall to parse
+ */
+enum VALIDATE {
+ NOT,
+ GOT_READLINK,
+ VALID,
+ WAITING
+};
+
 struct audit_record {
 tokenstr_t toks[20];
 int count;
 int index;
- struct audit_record *next;
 };
-struct audit_record *del_record_au(struct audit_record *head, int index);
-struct audit_record *add_field_au(struct audit_record *head,
- struct audit_record *new);
 void init_channel();
 void end_channel();
 char *read_string();
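Review bot: `tokenstr_t toks[20]` in struct audit_record (hunk at -59) stays a bare literal while this commit introduces AUDIT_BUFFER_LEN and AUDIT_RECORD_MAX two hunks earlier, and audit_print_record in the .c (hunk at -179) repeats the same bound by hand in `if(count == 20)`, so the array size and the check can silently drift apart. Give the bound a name beside the new defines, e.g. `#define AUDIT_TOKS_MAX 20` (constructed name), and use it in both places. Because count is incremented before that check, a record of exactly 20 tokens currently returns -1 even when its trailer was consumed, which is worth deciding on explicitly once the bound is named. The enumerators NOT, VALID and WAITING in enum VALIDATE are very generic identifiers for a header shared by the test programs; a common prefix would keep them from colliding with other headers' names.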
@@ -77,11 +90,11 @@
 int parse_string(char *string);
 long get_int(char *string);
 char get_c(char *string);
-struct audit_record *audit_print_record(FILE *st, FILE *in);
+int audit_print_record(FILE *st, char *buffer, int buflen,
+ struct audit_record rec);
 FILE *init_log(pid_t pid);
-void report_error(tokenstr_t tok, struct audit_record *rec,
- FILE *f);
-int check_ret(au_exit_t ret, int r, char *val);
+void report_error(tokenstr_t tok, FILE *f);
+int check_ret(au_ret32_t ret, int r, char *val);
 int check_path(au_path_t path, char *val);
 int check_arg(au_arg32_t arg, long val);
 int check_priv(au_proc32ex_t priv, pid_t pid);