Merge OpenBSM 1.1 beta 1 from OpenBSM vendor branch to head, both

contrib/openbsm (svn merge) and src/sys/{bsm,security/audit} (manual
merge).

OpenBSM history for imported revision below for reference.

MFC after:      1 month
Sponsored by:   Apple, Inc.
Obtained from:  TrustedBSD Project

OpenBSM 1.1 beta 1

- The filesz parameter in audit_control(5) now accepts suffixes: 'B' for
  Bytes, 'K' for Kilobytes, 'M' for Megabytes, and 'G' for Gigabytes.
  For legacy support no suffix defaults to bytes.
- Audit trail log expiration support added.  It is configured in
  audit_control(5) with the expire-after parameter.  If there is no
  expire-after parameter in audit_control(5), the default, then the audit
  trail files are not expired and removed.  See audit_control(5) for
  more information.
- Change defaults in audit_control: warn at 5% rather than 20% free for audit
  partitions, rotate automatically at 2mb, and set the default policy to
  cnt,argv rather than cnt so that execve(2) arguments are captured if
  AUE_EXECVE events are audited.  These may provide more usable defaults for
  many users.
- Use au_domain_to_bsm(3) and au_socket_type_to_bsm(3) to convert
  au_to_socket_ex(3) arguments to BSM format.
- Fix error encoding AUT_IPC_PERM tokens.

7 files changed, 299 insertions, 178 deletions

diff --git a/contrib/openbsm/libbsm/au_control.3 b/contrib/openbsm/libbsm/au_control.3
index e17ae16..8cad121 100644
--- a/contrib/openbsm/libbsm/au_control.3
+++ b/contrib/openbsm/libbsm/au_control.3
@@ -23,7 +23,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_control.3#9 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_control.3#10 $
 .\"
 .Dd April 19, 2005
 .Dt AU_CONTROL 3
@@ -33,6 +33,7 @@
 .Nm endac ,
 .Nm getacdir ,
 .Nm getacmin ,
+.Nm getacexpire ,
 .Nm getacfilesz ,
 .Nm getacflg ,
 .Nm getacna ,
@@ -53,6 +54,8 @@
 .Ft int
 .Fn getacmin "int *min_val"
 .Ft int
+.Fn getacexpire "int *andflg, time_t *age, size_t *size"
+.Ft int
 .Fn getacfilesz "size_t *size_val"
 .Ft int
 .Fn getacflg "char *auditstr" "int len"
@@ -101,6 +104,24 @@ the passed
 variable.
 .Pp
 The
+.Fn getacexpire
+function 
+returns the audit trail file expiration parameters in the passed
+.Vt int
+buffer
+.Fa andflg ,
+.Vt time_t
+buffer
+.Fa age
+and 
+.Vt size_t
+buffer
+.Fa size .
+If the parameter is not specified in the
+.Xr audit_control 5
+file it is set to zero.
+.Pp
+The
 .Fn getacfilesz
 function
 returns the audit trail rotation size in the passed
@@ -153,6 +174,7 @@ to a numeric audit policy mask returned via
 The
 .Fn getacdir ,
 .Fn getacmin ,
+.Fn getacexpire ,
 .Fn getacflg ,
 .Fn getacna ,
 .Fn getacpol ,
diff --git a/contrib/openbsm/libbsm/au_domain.3 b/contrib/openbsm/libbsm/au_domain.3
index 14ac45a..6d57d2b 100644
--- a/contrib/openbsm/libbsm/au_domain.3
+++ b/contrib/openbsm/libbsm/au_domain.3
@@ -26,7 +26,7 @@
 .\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE. 
 .\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_domain.3#1 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_domain.3#2 $
 .\"
 .Dd December 28, 2008
 .Dt AU_BSM_TO_DOMAIN 3
@@ -59,6 +59,7 @@ This call will fail if the BSM domain cannot be mapped into a local domain,
 which may occur if the socket token was generated on another operating
 system.
 .Pp
+The
 .Fn au_domain_to_bsm
 function accepts a local domain, and returns the BSM domain for it.
 This call cannot fail, and instead returns a BSM domain indicating to a later
diff --git a/contrib/openbsm/libbsm/au_errno.3 b/contrib/openbsm/libbsm/au_errno.3
index f7ff8a0..3680a4e 100644
--- a/contrib/openbsm/libbsm/au_errno.3
+++ b/contrib/openbsm/libbsm/au_errno.3
@@ -26,7 +26,7 @@
 .\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE. 
 .\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_errno.3#3 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_errno.3#4 $
 .\"
 .Dd December 8, 2008
 .Dt AU_BSM_TO_ERRNO 3
@@ -64,6 +64,7 @@ This call will fail if the BSM error cannot be mapped into a local error
 number, which may occur if the return token was generated on another
 operating system.
 .Pp
+The
 .Fn au_errno_to_bsm
 function accepts a local
 .Xr errno 2
@@ -73,7 +74,7 @@ a later decoder that the error could not be encoded.
 .Pp
 The
 .Fn au_strerror
-converts a BSM error value to a string, generally by converting first to a
+function converts a BSM error value to a string, generally by converting first to a
 local error number and using the local
 .Xr strerror 3
 function, but will also work for errors that are not locally defined.
diff --git a/contrib/openbsm/libbsm/bsm_control.c b/contrib/openbsm/libbsm/bsm_control.c
index 4fed3ff..4b8a1d1 100644
--- a/contrib/openbsm/libbsm/bsm_control.c
+++ b/contrib/openbsm/libbsm/bsm_control.c
@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 2004 Apple Inc.
+ * Copyright (c) 2004,2009 Apple Inc.
  * Copyright (c) 2006 Robert N. M. Watson
  * All rights reserved.
  *
@@ -27,13 +27,14 @@
  * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  * POSSIBILITY OF SUCH DAMAGE.
  *
- * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_control.c#24 $
+ * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_control.c#28 $
  */
 
 #include <config/config.h>
 
 #include <bsm/libbsm.h>
 
+#include <ctype.h>
 #include <errno.h>
 #include <string.h>
 #ifdef HAVE_PTHREAD_MUTEX_LOCK
@@ -65,6 +66,32 @@ static pthread_mutex_t	mutex = PTHREAD_MUTEX_INITIALIZER;
 #endif
 
 /*
+ * Audit policy string token table for au_poltostr() and au_strtopol().
+ */
+struct audit_polstr {
+	long 		 ap_policy;
+	const char 	*ap_str;	
+};
+
+static struct audit_polstr au_polstr[] = {
+	{ AUDIT_CNT,		"cnt"		},
+	{ AUDIT_AHLT,		"ahlt"		},
+	{ AUDIT_ARGV,		"argv"		},
+	{ AUDIT_ARGE,		"arge"		},
+	{ AUDIT_SEQ,		"seq"		},
+	{ AUDIT_WINDATA,	"windata"	},
+	{ AUDIT_USER,		"user"		},
+	{ AUDIT_GROUP,		"group"		},
+	{ AUDIT_TRAIL,		"trail"		},
+	{ AUDIT_PATH,		"path"		},
+	{ AUDIT_SCNT,		"scnt"		},
+	{ AUDIT_PUBLIC,		"public"	},
+	{ AUDIT_ZONENAME,	"zonename"	},
+	{ AUDIT_PERZONE,	"perzone"	},
+	{ -1,			NULL		}
+};
+
+/*
  * Returns the string value corresponding to the given label from the
  * configuration file.
  *
@@ -112,6 +139,82 @@ getstrfromtype_locked(char *name, char **str)
 }
 
 /*
+ * Convert a given time value with a multiplier (seconds, hours, days, years) to
+ * seconds.  Return 0 on success.
+ */
+static int
+au_timetosec(time_t *seconds, u_long value, char mult)
+{
+	if (NULL == seconds)
+		return (-1);
+
+	switch(mult) {
+	case 's':
+		/* seconds */
+		*seconds = (time_t)value;
+		break;
+
+	case 'h':
+		/* hours */
+		*seconds = (time_t)value * 60 * 60;
+		break;
+
+	case 'd':
+		/* days */
+		*seconds = (time_t)value * 60 * 60 * 24;
+		break;
+
+	case 'y':
+		/* years.  Add a day for each 4th (leap) year. */
+		*seconds = (time_t)value * 60 * 60 * 24 * 364 +
+		    ((time_t)value / 4) * 60 * 60 * 24;
+		break;
+
+	default:
+		return (-1);
+	}
+	return (0);
+}
+
+/*
+ * Convert a given disk space value with a multiplier (bytes, kilobytes, 
+ * megabytes, gigabytes) to bytes.  Return 0 on success.
+ */
+static int
+au_spacetobytes(size_t *bytes, u_long value, char mult)
+{
+	if (NULL == bytes)
+		return (-1);
+
+	switch(mult) {
+	case 'B':
+	case ' ':
+		/* Bytes */
+		*bytes = (size_t)value;
+		break;
+
+	case 'K':
+		/* Kilobytes */
+		*bytes = (size_t)value * 1024;
+		break;
+
+	case 'M':
+		/* Megabytes */
+		*bytes = (size_t)value * 1024 * 1024;
+		break;
+
+	case 'G':
+		/* Gigabytes */
+		*bytes = (size_t)value * 1024 * 1024 * 1024;
+		break;
+
+	default:
+		return (-1);
+	}
+	return (0);
+}
+
+/*
  * Convert a policy to a string.  Return -1 on failure, or >= 0 representing
  * the actual size of the string placed in the buffer (excluding terminating
  * nul).
@@ -119,135 +222,24 @@ getstrfromtype_locked(char *name, char **str)
 ssize_t
 au_poltostr(long policy, size_t maxsize, char *buf)
 {
-	int first;
+	int first = 1;
+	int i = 0;
 
 	if (maxsize < 1)
 		return (-1);
-	first = 1;
 	buf[0] = '\0';
 
-	if (policy & AUDIT_CNT) {
-		if (strlcat(buf, "cnt", maxsize) >= maxsize)
-			return (-1);
-		first = 0;
-	}
-	if (policy & AUDIT_AHLT) {
-		if (!first) {
-			if (strlcat(buf, ",", maxsize) >= maxsize)
+	do {
+		if (policy & au_polstr[i].ap_policy) {
+			if (!first && strlcat(buf, ",", maxsize) >= maxsize)
 				return (-1);
-		}
-		if (strlcat(buf, "ahlt", maxsize) >= maxsize)
-			return (-1);
-		first = 0;
-	}
-	if (policy & AUDIT_ARGV) {
-		if (!first) {
-			if (strlcat(buf, ",", maxsize) >= maxsize)
-				return (-1);
-		}
-		if (strlcat(buf, "argv", maxsize) >= maxsize)
-			return (-1);
-		first = 0;
-	}
-	if (policy & AUDIT_ARGE) {
-		if (!first) {
-			if (strlcat(buf, ",", maxsize) >= maxsize)
-				return (-1);
-		}
-		if (strlcat(buf, "arge", maxsize) >= maxsize)
-			return (-1);
-		first = 0;
-	}
-	if (policy & AUDIT_SEQ) {
-		if (!first) {
-			if (strlcat(buf, ",", maxsize) >= maxsize)
+			if (strlcat(buf, au_polstr[i].ap_str, maxsize) >=
+			    maxsize)
 				return (-1);
+			first = 0;
 		}
-		if (strlcat(buf, "seq", maxsize) >= maxsize)
-			return (-1);
-		first = 0;
-	}
-	if (policy & AUDIT_WINDATA) {
-		if (!first) {
-			if (strlcat(buf, ",", maxsize) >= maxsize)
-				return (-1);
-		}
-		if (strlcat(buf, "windata", maxsize) >= maxsize)
-			return (-1);
-		first = 0;
-	}
-	if (policy & AUDIT_USER) {
-		if (!first) {
-			if (strlcat(buf, ",", maxsize) >= maxsize)
-				return (-1);
-		}
-		if (strlcat(buf, "user", maxsize) >= maxsize)
-			return (-1);
-		first = 0;
-	}
-	if (policy & AUDIT_GROUP) {
-		if (!first) {
-			if (strlcat(buf, ",", maxsize) >= maxsize)
-				return (-1);
-		}
-		if (strlcat(buf, "group", maxsize) >= maxsize)
-			return (-1);
-		first = 0;
-	}
-	if (policy & AUDIT_TRAIL) {
-		if (!first) {
-			if (strlcat(buf, ",", maxsize) >= maxsize)
-				return (-1);
-		}
-		if (strlcat(buf, "trail", maxsize) >= maxsize)
-			return (-1);
-		first = 0;
-	}
-	if (policy & AUDIT_PATH) {
-		if (!first) {
-			if (strlcat(buf, ",", maxsize) >= maxsize)
-				return (-1);
-		}
-		if (strlcat(buf, "path", maxsize) >= maxsize)
-			return (-1);
-		first = 0;
-	}
-	if (policy & AUDIT_SCNT) {
-		if (!first) {
-			if (strlcat(buf, ",", maxsize) >= maxsize)
-				return (-1);
-		}
-		if (strlcat(buf, "scnt", maxsize) >= maxsize)
-			return (-1);
-		first = 0;
-	}
-	if (policy & AUDIT_PUBLIC) {
-		if (!first) {
-			if (strlcat(buf, ",", maxsize) >= maxsize)
-				return (-1);
-		}
-		if (strlcat(buf, "public", maxsize) >= maxsize)
-			return (-1);
-		first = 0;
-	}
-	if (policy & AUDIT_ZONENAME) {
-		if (!first) {
-			if (strlcat(buf, ",", maxsize) >= maxsize)
-				return (-1);
-		}
-		if (strlcat(buf, "zonename", maxsize) >= maxsize)
-			return (-1);
-		first = 0;
-	}
-	if (policy & AUDIT_PERZONE) {
-		if (!first) {
-			if (strlcat(buf, ",", maxsize) >= maxsize)
-				return (-1);
-		}
-		if (strlcat(buf, "perzone", maxsize) >= maxsize)
-			return (-1);
-		first = 0;
-	}
+	} while (NULL != au_polstr[++i].ap_str);
+
 	return (strlen(buf));
 }
 
@@ -260,6 +252,7 @@ au_strtopol(const char *polstr, long *policy)
 {
 	char *bufp, *string;
 	char *buffer;
+	int i, matched;
 
 	*policy = 0;
 	buffer = strdup(polstr);
@@ -268,35 +261,17 @@ au_strtopol(const char *polstr, long *policy)
 
 	bufp = buffer;
 	while ((string = strsep(&bufp, ",")) != NULL) {
-		if (strcmp(string, "cnt") == 0)
-			*policy |= AUDIT_CNT;
-		else if (strcmp(string, "ahlt") == 0)
-			*policy |= AUDIT_AHLT;
-		else if (strcmp(string, "argv") == 0)
-			*policy |= AUDIT_ARGV;
-		else if (strcmp(string, "arge") == 0)
-			*policy |= AUDIT_ARGE;
-		else if (strcmp(string, "seq") == 0)
-			*policy |= AUDIT_SEQ;
-		else if (strcmp(string, "winau_fstat") == 0)
-			*policy |= AUDIT_WINDATA;
-		else if (strcmp(string, "user") == 0)
-			*policy |= AUDIT_USER;
-		else if (strcmp(string, "group") == 0)
-			*policy |= AUDIT_GROUP;
-		else if (strcmp(string, "trail") == 0)
-			*policy |= AUDIT_TRAIL;
-		else if (strcmp(string, "path") == 0)
-			*policy |= AUDIT_PATH;
-		else if (strcmp(string, "scnt") == 0)
-			*policy |= AUDIT_SCNT;
-		else if (strcmp(string, "public") == 0)
-			*policy |= AUDIT_PUBLIC;
-		else if (strcmp(string, "zonename") == 0)
-			*policy |= AUDIT_ZONENAME;
-		else if (strcmp(string, "perzone") == 0)
-			*policy |= AUDIT_PERZONE;
-		else {
+		matched = i = 0;
+
+		do {
+			if (strcmp(string, au_polstr[i].ap_str) == 0) {
+				*policy |= au_polstr[i].ap_policy;
+				matched = 1;
+				break;
+			}
+		} while (NULL != au_polstr[++i].ap_str);
+
+		if (!matched) {
 			free(buffer);
 			errno = EINVAL;
 			return (-1);
@@ -435,46 +410,65 @@ getacmin(int *min_val)
 int
 getacfilesz(size_t *filesz_val)
 {
-	char *filesz, *dummy;
-	long long ll;
+	char *str;
+	size_t val;
+	char mult;
+	int nparsed;
 
 #ifdef HAVE_PTHREAD_MUTEX_LOCK
 	pthread_mutex_lock(&mutex);
 #endif
 	setac_locked();
-	if (getstrfromtype_locked(FILESZ_CONTROL_ENTRY, &filesz) < 0) {
+	if (getstrfromtype_locked(FILESZ_CONTROL_ENTRY, &str) < 0) {
 #ifdef HAVE_PTHREAD_MUTEX_LOCK
 		pthread_mutex_unlock(&mutex);
 #endif
 		return (-2);
 	}
-	if (filesz == NULL) {
+	if (str == NULL) {
 #ifdef HAVE_PTHREAD_MUTEX_LOCK
 		pthread_mutex_unlock(&mutex);
 #endif
 		errno = EINVAL;
 		return (1);
 	}
-	ll = strtoll(filesz, &dummy, 10);
-	if (*dummy != '\0') {
+
+	/* Trim off any leading white space. */
+	while (*str == ' ' || *str == '\t')
+		str++;
+
+	nparsed = sscanf(str, "%ju%c", (uintmax_t *)&val, &mult);
+
+	switch (nparsed) {
+	case 1:
+		/* If no multiplier then assume 'B' (bytes). */
+		mult = 'B';
+		/* fall through */
+	case 2:
+		if (au_spacetobytes(filesz_val, val, mult) == 0)
+			break;
+		/* fall through */
+	default:
+		errno = EINVAL;
 #ifdef HAVE_PTHREAD_MUTEX_LOCK
 		pthread_mutex_unlock(&mutex);
 #endif
-		errno = EINVAL;
 		return (-1);
 	}
+
 	/*
 	 * The file size must either be 0 or >= MIN_AUDIT_FILE_SIZE.  0
 	 * indicates no rotation size.
 	 */
-	if (ll < 0 || (ll > 0 && ll < MIN_AUDIT_FILE_SIZE)) {
+	if (*filesz_val < 0 || (*filesz_val > 0 &&
+		*filesz_val < MIN_AUDIT_FILE_SIZE)) {
 #ifdef HAVE_PTHREAD_MUTEX_LOCK
 		pthread_mutex_unlock(&mutex);
 #endif
+		filesz_val = 0L;
 		errno = EINVAL;
 		return (-1);
 	}
-	*filesz_val = ll;
 #ifdef HAVE_PTHREAD_MUTEX_LOCK
 	pthread_mutex_unlock(&mutex);
 #endif
@@ -619,7 +613,109 @@ getachost(char *auditstr, size_t len)
 #endif
 		return (-3);
 	}
-	strcpy(auditstr, str);
+	strlcpy(auditstr, str, len);
+#ifdef HAVE_PTHREAD_MUTEX_LOCK
+	pthread_mutex_unlock(&mutex);
+#endif
+	return (0);
+}
+
+/*
+ * Set expiration conditions.
+ */
+static int
+setexpirecond(time_t *age, size_t *size, u_long value, char mult)
+{
+
+	if (isupper(mult) || ' ' == mult)
+		return (au_spacetobytes(size, value, mult));
+	else
+		return (au_timetosec(age, value, mult));
+}
+
+/*
+ * Return the expire-after field from the audit control file.
+ */
+int
+getacexpire(int *andflg, time_t *age, size_t *size)
+{
+	char *str;
+	int nparsed;
+	u_long val1, val2;
+	char mult1, mult2;
+	char andor[AU_LINE_MAX];
+
+	*age = 0L;
+	*size = 0LL;
+	*andflg = 0;
+
+#ifdef HAVE_PTHREAD_MUTEX_LOCK
+	pthread_mutex_lock(&mutex);
+#endif
+	setac_locked();
+	if (getstrfromtype_locked(EXPIRE_AFTER_CONTROL_ENTRY, &str) < 0) {
+#ifdef HAVE_PTHREAD_MUTEX_LOCK
+		pthread_mutex_unlock(&mutex);
+#endif
+		return (-2);
+	}
+	if (str == NULL) {
+#ifdef HAVE_PTHREAD_MUTEX_LOCK
+		pthread_mutex_unlock(&mutex);
+#endif
+		return (1);
+	}
+
+	/* First, trim off any leading white space. */
+	while (*str == ' ' || *str == '\t')
+		str++;				 
+
+	nparsed = sscanf(str, "%lu%c%[ \tadnorADNOR]%lu%c", &val1, &mult1,
+	    andor, &val2, &mult2);
+
+	switch (nparsed) {
+	case 1:
+		/* If no multiplier then assume 'B' (Bytes). */
+		mult1 = 'B';
+		/* fall through */
+	case 2:
+		/* One expiration condition. */
+		if (setexpirecond(age, size, val1, mult1) != 0) {
+#ifdef HAVE_PTHREAD_MUTEX_LOCK
+			pthread_mutex_unlock(&mutex);
+#endif
+			return (-1);
+		}
+		break;
+
+	case 5:
+		/* Two expiration conditions. */
+		if (setexpirecond(age, size, val1, mult1) != 0 || 
+		    setexpirecond(age, size, val2, mult2) != 0) {
+#ifdef HAVE_PTHREAD_MUTEX_LOCK
+			pthread_mutex_unlock(&mutex);
+#endif
+			return (-1);
+		}
+		if (strcasestr(andor, "and") != NULL)
+			*andflg = 1;
+		else if (strcasestr(andor, "or") != NULL)
+			*andflg = 0;
+		else {
+#ifdef HAVE_PTHREAD_MUTEX_LOCK
+			pthread_mutex_unlock(&mutex);
+#endif
+			return (-1);
+		}
+		break;
+
+	default:
+#ifdef HAVE_PTHREAD_MUTEX_LOCK
+		pthread_mutex_unlock(&mutex);
+#endif
+		return (-1);
+	}
+
 #ifdef HAVE_PTHREAD_MUTEX_LOCK
 	pthread_mutex_unlock(&mutex);
 #endif
diff --git a/contrib/openbsm/libbsm/bsm_errno.c b/contrib/openbsm/libbsm/bsm_errno.c
index 78aad97..b750341 100644
--- a/contrib/openbsm/libbsm/bsm_errno.c
+++ b/contrib/openbsm/libbsm/bsm_errno.c
@@ -26,7 +26,7 @@
  * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  * POSSIBILITY OF SUCH DAMAGE. 
  *
- * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_errno.c#16 $
+ * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_errno.c#17 $
  */
 
 #include <sys/types.h>
@@ -494,7 +494,7 @@ static const struct bsm_errno bsm_errnos[] = {
 #else
 	ERRNO_NO_LOCAL_MAPPING,
 #endif
-	ES("Malfored Macho file") },
+	ES("Malformed Macho file") },
 	{ BSM_ERRNO_EPOLICY,
 #ifdef EPOLICY
 	EPOLICY,
diff --git a/contrib/openbsm/libbsm/bsm_io.c b/contrib/openbsm/libbsm/bsm_io.c
index eb56827..ce07a66 100644
--- a/contrib/openbsm/libbsm/bsm_io.c
+++ b/contrib/openbsm/libbsm/bsm_io.c
@@ -32,7 +32,7 @@
  * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  * POSSIBILITY OF SUCH DAMAGE.
  *
- * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_io.c#60 $
+ * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_io.c#61 $
  */
 
 #include <sys/types.h>
@@ -193,7 +193,7 @@ print_mem(FILE *fp, u_char *data, size_t len)
 	if (len > 0) {
 		fprintf(fp, "0x");
 		for (i = 0; i < len; i++)
-			fprintf(fp, "%x", data[i]);
+			fprintf(fp, "%02x", data[i]);
 	}
 }
 
diff --git a/contrib/openbsm/libbsm/bsm_token.c b/contrib/openbsm/libbsm/bsm_token.c
index 430e09b..b33d8d7 100644
--- a/contrib/openbsm/libbsm/bsm_token.c
+++ b/contrib/openbsm/libbsm/bsm_token.c
@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 2004-2008 Apple Inc.
+ * Copyright (c) 2004-2009 Apple Inc.
  * Copyright (c) 2005 SPARTA, Inc.
  * All rights reserved.
  *
@@ -30,7 +30,7 @@
  * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  * POSSIBILITY OF SUCH DAMAGE.
  *
- * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_token.c#86 $
+ * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_token.c#90 $
  */
 
 #include <sys/types.h>
@@ -168,7 +168,7 @@ au_to_attr32(struct vnode_au_info *vni)
 	token_t *t;
 	u_char *dptr = NULL;
 	u_int16_t pad0_16 = 0;
-	u_int16_t pad0_32 = 0;
+	u_int32_t pad0_32 = 0;
 
 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) +
 	    3 * sizeof(u_int32_t) + sizeof(u_int64_t) + sizeof(u_int32_t));
@@ -217,7 +217,7 @@ au_to_attr64(struct vnode_au_info *vni)
 	token_t *t;
 	u_char *dptr = NULL;
 	u_int16_t pad0_16 = 0;
-	u_int16_t pad0_32 = 0;
+	u_int32_t pad0_32 = 0;
 
 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) +
 	    3 * sizeof(u_int32_t) + sizeof(u_int64_t) * 2);
@@ -487,7 +487,8 @@ au_to_ipc_perm(struct ipc_perm *perm)
 	u_char *dptr = NULL;
 	u_int16_t pad0 = 0;
 
-	GET_TOKEN_AREA(t, dptr, 12 * sizeof(u_int16_t) + sizeof(u_int32_t));
+	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 12 * sizeof(u_int16_t) +
+	    sizeof(u_int32_t));
 	if (t == NULL)
 		return (NULL);
 
@@ -962,15 +963,15 @@ au_to_socket_ex(u_short so_domain, u_short so_type,
 		    5 * sizeof(u_int16_t) + 2 * sizeof(u_int32_t));
 	else if (so_domain == AF_INET6)
 		GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
-		    5 * sizeof(u_int16_t) + 16 * sizeof(u_int32_t));
+		    5 * sizeof(u_int16_t) + 8 * sizeof(u_int32_t));
 	else {
 		errno = EINVAL;
 		return (NULL);
 	}
 
 	ADD_U_CHAR(dptr, AUT_SOCKET_EX);
-	ADD_U_INT16(dptr, so_domain);	/* XXXRW: explicitly convert? */
-	ADD_U_INT16(dptr, so_type);	/* XXXRW: explicitly convert? */
+	ADD_U_INT16(dptr, au_domain_to_bsm(so_domain));
+	ADD_U_INT16(dptr, au_socket_type_to_bsm(so_type));
 	if (so_domain == AF_INET) {
 		ADD_U_INT16(dptr, AU_IPv4);
 		sin = (struct sockaddr_in *)sa_local;