authorrwatson <rwatson@FreeBSD.org>2008-12-02 23:26:43 +0000
committerrwatson <rwatson@FreeBSD.org>2008-12-02 23:26:43 +0000
commit0ac6f8ebdfebed8ad6c6fa1334d227524df2c013 (patch)
tree909e4490f5c6d4141d466ad2fdf963beeb90afca /sys/security
parent1383cec09e16a1fb5117c67951f100e7931363e7 (diff)
parent208cf4160e79a64866887cc5f89f964cc899f97e (diff)
Merge OpenBSM 1.1 alpha 2 from the OpenBSM vendor branch to head, both
contrib/openbsm (svn merge) and sys/{bsm,security/audit} (manual merge). - Add OpenBSM contrib tree to include paths for audit(8) and auditd(8). - Merge support for new tokens, fixes to existing token generation to audit_bsm_token.c. - Synchronize bsm includes and definitions. OpenBSM history for imported revisions below for reference. MFC after: 1 month Sponsored by: Apple Inc. Obtained from: TrustedBSD Project -- OpenBSM 1.1 alpha 2 - Include files in OpenBSM are now broken out into two parts: library builds required solely for user space, and system includes, which may also be required for use in the kernels of systems integrating OpenBSM. Submitted by Stacey Son. - Configure option --with-native-includes allows forcing the use of native include for system includes, rather than the versions bundled with OpenBSM. This is intended specifically for platforms that ship OpenBSM, have adapted versions of the system includes in a kernel source tree, and will use the OpenBSM build infrastructure with an unmodified OpenBSM distribution, allowing the customized system includes to be used with the OpenBSM build. Submitted by Stacey Son. - Various strcpy()'s/strcat()'s have been changed to strlcpy()'s/strlcat()'s or asprintf(). Added compat/strlcpy.h for Linux. - Remove compatibility defines for old Darwin token constant names; now only BSM token names are provided and used. - Add support for extended header tokens, which contain space for information on the host generating the record. - Add support for setting extended host information in the kernel, which is used for setting host information in extended header tokens. The audit_control file now supports a "host" parameter which can be used by auditd to set the information; if not present, the kernel parameters won't be set and auditd uses unextended headers for records that it generates. 
OpenBSM 1.1 alpha 1 - Add option to auditreduce(1) which allows users to invert the sense of matching, such that BSM records that do not match are selected. - Fix bug in audit_write() where we commit an incomplete record in the event there is an error writing the subject token. This was submitted by Diego Giagio. - Build support for Mac OS X 10.5.1 submitted by Eric Hall. - Fix a bug which resulted in host XML attributes not being arguments so that const strings can be passed as arguments to tokens. This patch was submitted by Xin LI. - Modify the -m option so users can select more than one audit event. - For Mac OS X, added Mach IPC support for audit trigger messages. - Fixed a bug in getacna() which resulted in a locking problem on Mac OS X. - Added LOG_PERROR flag to openlog when -d option is used with auditd. - AUE events added for Mac OS X Leopard system calls.
Diffstat (limited to 'sys/security')
-rw-r--r--sys/security/audit/audit_bsm_token.c212
1 files changed, 137 insertions, 75 deletions
diff --git a/sys/security/audit/audit_bsm_token.c b/sys/security/audit/audit_bsm_token.c
index ad9ffcc..b1d977d 100644
--- a/sys/security/audit/audit_bsm_token.c
+++ b/sys/security/audit/audit_bsm_token.c
@@ -1,5 +1,5 @@
/*-
- * Copyright (c) 2004 Apple Inc.
+ * Copyright (c) 2004-2008 Apple Inc.
* Copyright (c) 2005 SPARTA, Inc.
* All rights reserved.
*
@@ -29,6 +29,8 @@
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
+ *
+ * P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_token.c#72
*/
#include <sys/cdefs.h>
@@ -71,7 +73,7 @@ __FBSDID("$FreeBSD$");
* text N bytes + 1 terminating NULL byte
*/
token_t *
-au_to_arg32(char n, char *text, u_int32_t v)
+au_to_arg32(char n, const char *text, u_int32_t v)
{
token_t *t;
u_char *dptr = NULL;
@@ -90,11 +92,10 @@ au_to_arg32(char n, char *text, u_int32_t v)
ADD_STRING(dptr, text, textlen);
return (t);
-
}
token_t *
-au_to_arg64(char n, char *text, u_int64_t v)
+au_to_arg64(char n, const char *text, u_int64_t v)
{
token_t *t;
u_char *dptr = NULL;
@@ -113,11 +114,10 @@ au_to_arg64(char n, char *text, u_int64_t v)
ADD_STRING(dptr, text, textlen);
return (t);
-
}
token_t *
-au_to_arg(char n, char *text, u_int32_t v)
+au_to_arg(char n, const char *text, u_int32_t v)
{
return (au_to_arg32(n, text, v));
@@ -147,8 +147,8 @@ au_to_attr32(struct vnode_au_info *vni)
ADD_U_CHAR(dptr, AUT_ATTR32);
/*
- * Darwin defines the size for the file mode
- * as 2 bytes; BSM defines 4 so pad with 0
+ * Darwin defines the size for the file mode as 2 bytes; BSM defines
+ * 4 so pad with 0.
*/
ADD_U_INT16(dptr, pad0_16);
ADD_U_INT16(dptr, vni->vn_mode);
@@ -190,8 +190,8 @@ au_to_attr64(struct vnode_au_info *vni)
ADD_U_CHAR(dptr, AUT_ATTR64);
/*
- * Darwin defines the size for the file mode
- * as 2 bytes; BSM defines 4 so pad with 0
+ * Darwin defines the size for the file mode as 2 bytes; BSM defines
+ * 4 so pad with 0.
*/
ADD_U_INT16(dptr, pad0_16);
ADD_U_INT16(dptr, vni->vn_mode);
@@ -235,7 +235,7 @@ au_to_attr(struct vnode_au_info *vni)
* data items (depends on basic unit)
*/
token_t *
-au_to_data(char unit_print, char unit_type, char unit_count, char *p)
+au_to_data(char unit_print, char unit_type, char unit_count, const char *p)
{
token_t *t;
u_char *dptr = NULL;
@@ -305,7 +305,7 @@ token_t *
au_to_groups(int *groups)
{
- return (au_to_newgroups(AUDIT_MAX_GROUPS, (gid_t*)groups));
+ return (au_to_newgroups(AUDIT_MAX_GROUPS, (gid_t *)groups));
}
/*
@@ -352,7 +352,7 @@ au_to_in_addr(struct in_addr *internet_addr)
/*
* token ID 1 byte
* address type/length 4 bytes
- * Address 16 bytes
+ * address 16 bytes
*/
token_t *
au_to_in_addr_ex(struct in6_addr *internet_addr)
@@ -432,8 +432,8 @@ au_to_ipc_perm(struct ipc_perm *perm)
ADD_U_CHAR(dptr, AUT_IPC_PERM);
/*
- * Darwin defines the sizes for ipc_perm members
- * as 2 bytes; BSM defines 4 so pad with 0
+ * Darwin defines the sizes for ipc_perm members as 2 bytes; BSM
+ * defines 4 so pad with 0.
*/
ADD_U_INT16(dptr, pad0);
ADD_U_INT16(dptr, perm->uid);
@@ -482,7 +482,7 @@ au_to_iport(u_int16_t iport)
* data size bytes
*/
token_t *
-au_to_opaque(char *data, u_int16_t bytes)
+au_to_opaque(const char *data, u_int16_t bytes)
{
token_t *t;
u_char *dptr = NULL;
@@ -504,7 +504,7 @@ au_to_opaque(char *data, u_int16_t bytes)
* file pathname N bytes + 1 terminating NULL byte
*/
token_t *
-au_to_file(char *file, struct timeval tm)
+au_to_file(const char *file, struct timeval tm)
{
token_t *t;
u_char *dptr = NULL;
@@ -534,7 +534,7 @@ au_to_file(char *file, struct timeval tm)
* text N bytes + 1 terminating NULL byte
*/
token_t *
-au_to_text(char *text)
+au_to_text(const char *text)
{
token_t *t;
u_char *dptr = NULL;
@@ -558,7 +558,7 @@ au_to_text(char *text)
* path N bytes + 1 terminating NULL byte
*/
token_t *
-au_to_path(char *text)
+au_to_path(const char *text)
{
token_t *t;
u_char *dptr = NULL;
@@ -657,7 +657,7 @@ au_to_process(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
* terminal ID
* port ID 4 bytes/8 bytes (32-bit/64-bit value)
* address type-len 4 bytes
- * machine address 4/16 bytes
+ * machine address 16 bytes
*/
token_t *
au_to_process32_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
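Review bot: The layout comment now reads `machine address 16 bytes`, but the body in the following hunks still reserves 10 words and copies a single `u_int32_t` of `at_addr` when `at_type` is AU_IPv4, so the address field is 4 or 16 bytes depending on the type. Keeping the line as `* machine address 4 bytes/16 bytes (IPv4/IPv6 address)` would match the code and the wording of the extended-header comment later in this file. The au_to_subject32_ex hunk makes the same comment change and has the same mismatch. A parser written from these comments would mis-size the IPv4 case.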
@@ -668,12 +668,12 @@ au_to_process32_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
KASSERT((tid->at_type == AU_IPv4) || (tid->at_type == AU_IPv6),
("au_to_process32_ex: type %u", (unsigned int)tid->at_type));
- if (tid->at_type == AU_IPv6)
- GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 13 *
- sizeof(u_int32_t));
+ if (tid->at_type == AU_IPv4)
+ GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
+ 10 * sizeof(u_int32_t));
else
- GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 10 *
- sizeof(u_int32_t));
+ GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
+ 13 * sizeof(u_int32_t));
ADD_U_CHAR(dptr, AUT_PROCESS32_EX);
ADD_U_INT32(dptr, auid);
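Review bot: The `else` branch of the size selection now covers every `at_type` other than AU_IPv4, and the only check in front of it is the KASSERT, which is not compiled into kernels built without INVARIANTS. In that case an unexpected `at_type` gets the 13-word IPv6 area while the next hunk copies only `at_addr[0]`, so the token's length, type field and address bytes would disagree; what the unwritten tail holds depends on GET_TOKEN_AREA, which is not visible here. The au_to_subject32_ex and au_to_subject64_ex hunks share the pattern, and the latter drops a `panic()` that used to catch this unconditionally. Consider an explicit runtime check such as `if (tid->at_type != AU_IPv4 && tid->at_type != AU_IPv6) return (NULL);` if callers can take a NULL token, or otherwise a comment stating that callers must validate `at_type`. The function body starts before and ends after this hunk.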
@@ -685,10 +685,12 @@ au_to_process32_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
ADD_U_INT32(dptr, sid);
ADD_U_INT32(dptr, tid->at_port);
ADD_U_INT32(dptr, tid->at_type);
- if (tid->at_type == AU_IPv6)
- ADD_MEM(dptr, &tid->at_addr[0], 4 * sizeof(u_int32_t));
- else
- ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t));
+ ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t));
+ if (tid->at_type == AU_IPv6) {
+ ADD_MEM(dptr, &tid->at_addr[1], sizeof(u_int32_t));
+ ADD_MEM(dptr, &tid->at_addr[2], sizeof(u_int32_t));
+ ADD_MEM(dptr, &tid->at_addr[3], sizeof(u_int32_t));
+ }
return (t);
}
@@ -831,7 +833,7 @@ kau_to_socket(struct socket_au_info *soi)
GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) +
sizeof(u_int32_t) + sizeof(u_int16_t) + sizeof(u_int32_t));
- ADD_U_CHAR(dptr, AU_SOCK_TOKEN);
+ ADD_U_CHAR(dptr, AUT_SOCKET);
/* Coerce the socket type into a short value */
so_type = soi->so_type;
ADD_U_INT16(dptr, so_type);
@@ -883,7 +885,7 @@ au_to_sock_unix(struct sockaddr_un *so)
GET_TOKEN_AREA(t, dptr, 3 * sizeof(u_char) + strlen(so->sun_path) + 1);
- ADD_U_CHAR(dptr, AU_SOCK_UNIX_TOKEN);
+ ADD_U_CHAR(dptr, AUT_SOCKUNIX);
/* BSM token has two bytes for family */
ADD_U_CHAR(dptr, 0);
ADD_U_CHAR(dptr, so->sun_family);
@@ -925,7 +927,6 @@ au_to_sock_inet32(struct sockaddr_in *so)
ADD_MEM(dptr, &so->sin_addr.s_addr, sizeof(uint32_t));
return (t);
-
}
token_t *
@@ -949,7 +950,6 @@ au_to_sock_inet128(struct sockaddr_in6 *so)
ADD_MEM(dptr, &so->sin6_addr, 4 * sizeof(uint32_t));
return (t);
-
}
token_t *
@@ -1040,7 +1040,7 @@ au_to_subject(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
* terminal ID
* port ID 4 bytes/8 bytes (32-bit/64-bit value)
* address type/length 4 bytes
- * machine address 4/16 bytes
+ * machine address 16 bytes
*/
token_t *
au_to_subject32_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
@@ -1051,11 +1051,12 @@ au_to_subject32_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
KASSERT((tid->at_type == AU_IPv4) || (tid->at_type == AU_IPv6),
("au_to_subject32_ex: type %u", (unsigned int)tid->at_type));
- if (tid->at_type == AU_IPv6)
- GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 13 *
+
+ if (tid->at_type == AU_IPv4)
+ GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 10 *
sizeof(u_int32_t));
else
- GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 10 *
+ GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 13 *
sizeof(u_int32_t));
ADD_U_CHAR(dptr, AUT_SUBJECT32_EX);
@@ -1068,9 +1069,9 @@ au_to_subject32_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
ADD_U_INT32(dptr, sid);
ADD_U_INT32(dptr, tid->at_port);
ADD_U_INT32(dptr, tid->at_type);
- if (tid->at_type == AU_IPv6)
+ if (tid->at_type == AU_IPv6)
ADD_MEM(dptr, &tid->at_addr[0], 4 * sizeof(u_int32_t));
- else
+ else
ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t));
return (t);
@@ -1083,17 +1084,17 @@ au_to_subject64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
token_t *t;
u_char *dptr = NULL;
+ KASSERT((tid->at_type == AU_IPv4) || (tid->at_type == AU_IPv6),
+ ("au_to_subject64_ex: type %u", (unsigned int)tid->at_type));
+
if (tid->at_type == AU_IPv4)
GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
7 * sizeof(u_int32_t) + sizeof(u_int64_t) +
2 * sizeof(u_int32_t));
- else if (tid->at_type == AU_IPv6)
+ else
GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
7 * sizeof(u_int32_t) + sizeof(u_int64_t) +
5 * sizeof(u_int32_t));
- else
- panic("au_to_subject64_ex: invalid at_type (%d)",
- tid->at_type);
ADD_U_CHAR(dptr, AUT_SUBJECT64_EX);
ADD_U_INT32(dptr, auid);
@@ -1124,8 +1125,8 @@ au_to_subject_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
#if !defined(_KERNEL) && !defined(KERNEL) && defined(HAVE_AUDIT_SYSCALLS)
/*
- * Collects audit information for the current process
- * and creates a subject token from it
+ * Collects audit information for the current process and creates a subject
+ * token from it.
*/
token_t *
au_to_me(void)
@@ -1227,6 +1228,7 @@ au_to_exec_args(char **argv)
return (t);
}
+#endif
/*
* token ID 1 byte
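Review bot: The added `#endif` has no trailing comment naming the condition it closes, unlike the `#endif /* HAVE_AUDIT_SYSCALLS */` lines this commit adds further down. The matching `#if` is outside the hunk, so from here a reader cannot tell which region ends, and together with the `#if !defined(_KERNEL) && !defined(KERNEL)` added in the next hunk this decides whether au_to_zonename() is built for the kernel. Suggest `#endif /* <condition of the matching #if> */`, and the same on the `#endif` that closes the newly opened region.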
@@ -1234,7 +1236,7 @@ au_to_exec_args(char **argv)
* zonename N bytes + 1 terminating NULL byte
*/
token_t *
-au_to_zonename(char *zonename)
+au_to_zonename(const char *zonename)
{
u_char *dptr = NULL;
u_int16_t textlen;
@@ -1249,6 +1251,7 @@ au_to_zonename(char *zonename)
return (t);
}
+#if !defined(_KERNEL) && !defined(KERNEL)
/*
* token ID 1 byte
* count 4 bytes
@@ -1292,45 +1295,34 @@ au_to_exec_env(char **envp)
/*
* token ID 1 byte
* record byte count 4 bytes
- * version # 1 byte
+ * version # 1 byte [2]
* event type 2 bytes
* event modifier 2 bytes
- * address type/length 4 bytes
- * machine address 4 bytes/16 bytes (IPv4/IPv6 address)
- * seconds of time 4 bytes/8 bytes (32/64-bits)
- * milliseconds of time 4 bytes/8 bytes (32/64-bits)
+ * seconds of time 4 bytes/8 bytes (32-bit/64-bit value)
+ * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value)
*/
token_t *
-au_to_header32_ex_tm(int rec_size, au_event_t e_type, au_emod_t e_mod,
- struct timeval tm, struct auditinfo_addr *aia)
+au_to_header32_tm(int rec_size, au_event_t e_type, au_emod_t e_mod,
+ struct timeval tm)
{
- token_t *t;
+ token_t *t;
u_char *dptr = NULL;
u_int32_t timems;
- struct au_tid_addr *tid;
-
- tid = &aia->ai_termid;
- KASSERT(tid->at_type == AU_IPv4 || tid->at_type == AU_IPv6,
- ("au_to_header32_ex_tm: invalid address family"));
GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) +
- sizeof(u_char) + 2 * sizeof(u_int16_t) + 3 * sizeof(u_int32_t) +
- tid->at_type);
+ sizeof(u_char) + 2 * sizeof(u_int16_t) + 2 * sizeof(u_int32_t));
- ADD_U_CHAR(dptr, AUT_HEADER32_EX);
+ ADD_U_CHAR(dptr, AUT_HEADER32);
ADD_U_INT32(dptr, rec_size);
ADD_U_CHAR(dptr, AUDIT_HEADER_VERSION_OPENBSM);
ADD_U_INT16(dptr, e_type);
ADD_U_INT16(dptr, e_mod);
- ADD_U_INT32(dptr, tid->at_type);
- if (tid->at_type == AU_IPv6)
- ADD_MEM(dptr, &tid->at_addr[0], 4 * sizeof(u_int32_t));
- else
- ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t));
- timems = tm.tv_usec / 1000;
+
+ timems = tm.tv_usec/1000;
/* Add the timestamp */
ADD_U_INT32(dptr, tm.tv_sec);
- ADD_U_INT32(dptr, timems); /* We need time in ms. */
+ ADD_U_INT32(dptr, timems); /* We need time in ms. */
+
return (t);
}
@@ -1340,32 +1332,45 @@ au_to_header32_ex_tm(int rec_size, au_event_t e_type, au_emod_t e_mod,
* version # 1 byte [2]
* event type 2 bytes
* event modifier 2 bytes
+ * address type/length 4 bytes
+ * machine address 4 bytes/16 bytes (IPv4/IPv6 address)
* seconds of time 4 bytes/8 bytes (32-bit/64-bit value)
* milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value)
*/
token_t *
-au_to_header32_tm(int rec_size, au_event_t e_type, au_emod_t e_mod,
- struct timeval tm)
+au_to_header32_ex_tm(int rec_size, au_event_t e_type, au_emod_t e_mod,
+ struct timeval tm, struct auditinfo_addr *aia)
{
token_t *t;
u_char *dptr = NULL;
u_int32_t timems;
+ au_tid_addr_t *tid;
+
+ tid = &aia->ai_termid;
+ KASSERT(tid->at_type == AU_IPv4 || tid->at_type == AU_IPv6,
+ ("au_to_header32_ex_tm: invalid address family"));
GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) +
- sizeof(u_char) + 2 * sizeof(u_int16_t) + 2 * sizeof(u_int32_t));
+ sizeof(u_char) + 2 * sizeof(u_int16_t) + 3 *
+ sizeof(u_int32_t) + tid->at_type);
- ADD_U_CHAR(dptr, AUT_HEADER32);
+ ADD_U_CHAR(dptr, AUT_HEADER32_EX);
ADD_U_INT32(dptr, rec_size);
ADD_U_CHAR(dptr, AUDIT_HEADER_VERSION_OPENBSM);
ADD_U_INT16(dptr, e_type);
ADD_U_INT16(dptr, e_mod);
+ ADD_U_INT32(dptr, tid->at_type);
+ if (tid->at_type == AU_IPv6)
+ ADD_MEM(dptr, &tid->at_addr[0], 4 * sizeof(u_int32_t));
+ else
+ ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t));
timems = tm.tv_usec/1000;
/* Add the timestamp */
ADD_U_INT32(dptr, tm.tv_sec);
- ADD_U_INT32(dptr, timems); /* We need time in ms. */
+ ADD_U_INT32(dptr, timems); /* We need time in ms. */
- return (t);
+ return (t);
}
token_t *
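Review bot: In au_to_header32_ex_tm() the GET_TOKEN_AREA size adds `tid->at_type` as a byte count, while the ADD_MEM calls below copy a fixed `sizeof(u_int32_t)` or `4 * sizeof(u_int32_t)`; the two agree only while `at_type` is exactly AU_IPv4 or AU_IPv6 and those constants equal the address lengths. The KASSERT is the only guard, so where it is compiled out an `at_type` smaller than 4 (an unset one, say) would reserve fewer bytes than the 4 that are then written. Deriving the length once and using it in both places removes that dependency: `addrlen = (tid->at_type == AU_IPv6) ? 4 * sizeof(u_int32_t) : sizeof(u_int32_t);`, then `... + 3 * sizeof(u_int32_t) + addrlen` and `ADD_MEM(dptr, &tid->at_addr[0], addrlen);`. The user-space au_to_header32_ex() added later in this commit passes the `aia` it gets from `auditon(A_GETKAUDIT, ...)` straight in, so the value is not checked on that path either.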
@@ -1393,6 +1398,63 @@ au_to_header64_tm(int rec_size, au_event_t e_type, au_emod_t e_mod,
return (t);
}
+#if !defined(KERNEL) && !defined(_KERNEL)
+#ifdef HAVE_AUDIT_SYSCALLS
+token_t *
+au_to_header32_ex(int rec_size, au_event_t e_type, au_emod_t e_mod)
+{
+ struct timeval tm;
+ struct auditinfo_addr aia;
+
+ if (gettimeofday(&tm, NULL) == -1)
+ return (NULL);
+ if (auditon(A_GETKAUDIT, &aia, sizeof(aia)) < 0) {
+ if (errno != ENOSYS)
+ return (NULL);
+ return (au_to_header32_tm(rec_size, e_type, e_mod, tm));
+ }
+ return (au_to_header32_ex_tm(rec_size, e_type, e_mod, tm, &aia));
+}
+#endif /* HAVE_AUDIT_SYSCALLS */
+
+token_t *
+au_to_header32(int rec_size, au_event_t e_type, au_emod_t e_mod)
+{
+ struct timeval tm;
+
+ if (gettimeofday(&tm, NULL) == -1)
+ return (NULL);
+ return (au_to_header32_tm(rec_size, e_type, e_mod, tm));
+}
+
+token_t *
+au_to_header64(__unused int rec_size, __unused au_event_t e_type,
+ __unused au_emod_t e_mod)
+{
+ struct timeval tm;
+
+ if (gettimeofday(&tm, NULL) == -1)
+ return (NULL);
+ return (au_to_header64_tm(rec_size, e_type, e_mod, tm));
+}
+
+token_t *
+au_to_header(int rec_size, au_event_t e_type, au_emod_t e_mod)
+{
+
+ return (au_to_header32(rec_size, e_type, e_mod));
+}
+
+#ifdef HAVE_AUDIT_SYSCALLS
+token_t *
+au_to_header_ex(int rec_size, au_event_t e_type, au_emod_t e_mod)
+{
+
+ return (au_to_header32_ex(rec_size, e_type, e_mod));
+}
+#endif /* HAVE_AUDIT_SYSCALLS */
+#endif /* !defined(KERNEL) && !defined(_KERNEL) */
+
/*
* token ID 1 byte
* trailer magic number 2 bytes
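Review bot: `au_to_header64()` marks `rec_size`, `e_type` and `e_mod` as `__unused` yet passes all three to `au_to_header64_tm()`; the attribute should be dropped so the signature reads `au_to_header64(int rec_size, au_event_t e_type, au_emod_t e_mod)`. None of the five new functions has a header comment. A short one on `au_to_header32_ex()` would help callers: it returns NULL when `gettimeofday()` fails or when `auditon()` fails with an errno other than ENOSYS, and falls back to the unextended `au_to_header32_tm()` only on ENOSYS. Callers presumably need to check for NULL before building the rest of the record.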