authorrwatson <rwatson@FreeBSD.org>2006-08-26 08:04:15 +0000
committerrwatson <rwatson@FreeBSD.org>2006-08-26 08:04:15 +0000
commit3dabba580bd939eae90efba54984d0c4de64eb3e (patch)
tree9d401b2c636de718f11aeab3de77ee3078b8e5b6 /contrib/openbsm/bin/auditfilterd/auditfilterd.c
parent02d6c5b525eb33f2cb80e79944dc5182be119e2c (diff)
Vendor import of OpenBSM 1.0 alpha 9, with the following change history
notes since the last import: OpenBSM 1.0 alpha 9 - Rename many OpenBSM-specific constants and API elements containing the strings "BSM" and "bsm" to "AUDIT" and "audit", observing that this is true for almost all existing constants and APIs. - Instead of passing a per-instance cookie directly into all audit filter APIs, pass in the audit filter daemon state pointer, which is then used by the module using an audit_filter_{get,set}cookie() API. This will allow future service APIs provided by the filter daemon to maintain their own state -- for example, per-module preselection state. OpenBSM 1.0 alpha 8 - Correct typo in definition of AUR_INT. - Adopt OpenSolaris constant values for AUDIT_* configuration flags. - Arguments to au_to_exec_args() and au_to_exec_env() no longer const. - Add kernel versions of au_to_exec_args() and au_to_exec_env(). - Fix exec argument type that is printed for env strings from 'arg' to 'env'. - New OpenBSM token version number assigned, constants added for other commonly seen version numbers. - OpenBSM-specific events assigned numbers in the 43xxx range to avoid future collisions with Solaris. Darwin events renamed to AUE_DARWIN_foo, as they are now deprecated numberings. - autoconf now detects clock_gettime(), which is not available on Darwin. - praudit output fixes relating to arg32 and arg64 tokens. - Maximum record size updated to 64k-1 to match Solaris record size limit. - Various style and comment cleanups in include files. This is an MFC candidate to RELENG_6. Obtained from: TrustedBSD Project
Diffstat (limited to 'contrib/openbsm/bin/auditfilterd/auditfilterd.c')
-rw-r--r--contrib/openbsm/bin/auditfilterd/auditfilterd.c24
1 files changed, 16 insertions, 8 deletions
diff --git a/contrib/openbsm/bin/auditfilterd/auditfilterd.c b/contrib/openbsm/bin/auditfilterd/auditfilterd.c
index 5128af0..2723a97 100644
--- a/contrib/openbsm/bin/auditfilterd/auditfilterd.c
+++ b/contrib/openbsm/bin/auditfilterd/auditfilterd.c
@@ -25,7 +25,16 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $P4: //depot/projects/trustedbsd/openbsm/bin/auditfilterd/auditfilterd.c#6 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/auditfilterd/auditfilterd.c#9 $
+ */
+
+/*
+ * Main file for the audit filter daemon, which presents audit records to a
+ * set of run-time registered loadable modules. This is the main event loop
+ * of the daemon, which handles starting up, waiting for records, and
+ * presenting records to configured modules. auditfilterd_conf.c handles the
+ * reading and management of the configuration, module list and module state,
+ * etc.
*/
#include <sys/types.h>
@@ -106,13 +115,13 @@ signal_handler(int signum)
* Present raw BSM to a set of registered and interested filters.
*/
static void
-present_bsmrecord(struct timespec *ts, u_char *data, u_int len)
+present_rawrecord(struct timespec *ts, u_char *data, u_int len)
{
struct auditfilter_module *am;
TAILQ_FOREACH(am, &filter_list, am_list) {
- if (am->am_bsmrecord != NULL)
- (am->am_bsmrecord)(am->am_instance, ts, data, len);
+ if (am->am_rawrecord != NULL)
+ (am->am_rawrecord)(am, ts, data, len);
}
}
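Review bot: The loop in present_rawrecord hands the same mutable `u_char *data` to every module, so one filter can alter the bytes that later filters see and that present_tokens parses afterwards from the same buffer (both calls are visible in the mainloop_file and mainloop_pipe hunks). As the callback signature changes in this import anyway, the header comment should state the buffer contract, for example `* Modules must treat data as read-only and must not keep the pointer after the callback returns.` The mainloop_file hunk shows `free(buf)` straight after present_tokens, so a pointer retained by a module would dangle. The same contract applies to the `tokens` array passed in the present_tokens hunk. The am_rawrecord prototype is not visible here; if it can take `const u_char *`, the read-only half would be enforced at compile time.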
@@ -140,8 +149,7 @@ present_tokens(struct timespec *ts, u_char *data, u_int len)
TAILQ_FOREACH(am, &filter_list, am_list) {
if (am->am_record != NULL)
- (am->am_record)(am->am_instance, ts, tokencount,
- tokens);
+ (am->am_record)(am, ts, tokencount, tokens);
}
}
@@ -191,7 +199,7 @@ mainloop_file(const char *conffile, const char *trailfile, FILE *trail_fp)
continue;
if (clock_gettime(CLOCK_REALTIME, &ts) < 0)
err(-1, "clock_gettime");
- present_bsmrecord(&ts, buf, reclen);
+ present_rawrecord(&ts, buf, reclen);
present_tokens(&ts, buf, reclen);
free(buf);
}
@@ -241,7 +249,7 @@ mainloop_pipe(const char *conffile, const char *pipefile, int pipe_fd)
continue;
if (clock_gettime(CLOCK_REALTIME, &ts) < 0)
err(-1, "clock_gettime");
- present_bsmrecord(&ts, record, reclen);
+ present_rawrecord(&ts, record, reclen);
present_tokens(&ts, record, reclen);
}
}