Diffstat (limited to 'contrib/openbsm/bsm')
-rw-r--r--contrib/openbsm/bsm/Makefile.am3
-rw-r--r--contrib/openbsm/bsm/Makefile.in3
-rw-r--r--contrib/openbsm/bsm/audit_uevents.h96
-rw-r--r--contrib/openbsm/bsm/auditd_lib.h105
-rw-r--r--contrib/openbsm/bsm/libbsm.h32
5 files changed, 203 insertions, 36 deletions
diff --git a/contrib/openbsm/bsm/Makefile.am b/contrib/openbsm/bsm/Makefile.am
index cad4115..b92f9cd 100644
--- a/contrib/openbsm/bsm/Makefile.am
+++ b/contrib/openbsm/bsm/Makefile.am
@@ -1,5 +1,5 @@
#
-# $P4: //depot/projects/trustedbsd/openbsm/bsm/Makefile.am#3 $
+# $P4: //depot/projects/trustedbsd/openbsm/bsm/Makefile.am#4 $
#
openbsmdir = $(includedir)/bsm
@@ -7,5 +7,6 @@ openbsmdir = $(includedir)/bsm
openbsm_HEADERS = \
audit_filter.h \
audit_uevents.h \
+ auditd_lib.h \
libbsm.h
diff --git a/contrib/openbsm/bsm/Makefile.in b/contrib/openbsm/bsm/Makefile.in
index ed82a3b..5ea5ee2 100644
--- a/contrib/openbsm/bsm/Makefile.in
+++ b/contrib/openbsm/bsm/Makefile.in
@@ -15,7 +15,7 @@
@SET_MAKE@
#
-# $P4: //depot/projects/trustedbsd/openbsm/bsm/Makefile.in#8 $
+# $P4: //depot/projects/trustedbsd/openbsm/bsm/Makefile.in#9 $
#
VPATH = @srcdir@
@@ -172,6 +172,7 @@ openbsmdir = $(includedir)/bsm
openbsm_HEADERS = \
audit_filter.h \
audit_uevents.h \
+ auditd_lib.h \
libbsm.h
all: all-am
diff --git a/contrib/openbsm/bsm/audit_uevents.h b/contrib/openbsm/bsm/audit_uevents.h
index 03d0f9b..53c5616 100644
--- a/contrib/openbsm/bsm/audit_uevents.h
+++ b/contrib/openbsm/bsm/audit_uevents.h
@@ -1,5 +1,5 @@
/*-
- * Copyright (c) 2004 Apple Inc.
+ * Copyright (c) 2004-2008 Apple Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -26,22 +26,14 @@
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
- * $P4: //depot/projects/trustedbsd/openbsm/bsm/audit_uevents.h#8 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bsm/audit_uevents.h#10 $
*/
#ifndef _BSM_AUDIT_UEVENTS_H_
#define _BSM_AUDIT_UEVENTS_H_
-/*-
- * User level audit event numbers
- *
- * Range of audit event numbers:
- * 0 Reserved, invalid
- * 1 - 2047 Reserved for kernel events
- * 2048 - 32767 Defined by BSM for user events
- * 32768 - 36864 Reserved for Mac OS-X applications
- * 36865 - 65535 Reserved for applications
- *
+/*
+ * Solaris userspace events.
*/
#define AUE_at_create 6144
#define AUE_at_delete 6145
@@ -70,8 +62,13 @@
#define AUE_shutdown 6168
#define AUE_poweroff 6169
#define AUE_crontab_mod 6170
-#define AUE_audit_startup 6171
-#define AUE_audit_shutdown 6172
+#define AUE_ftpd_logout 6171
+#define AUE_ssh 6172
+#define AUE_role_login 6173
+#define AUE_prof_cmd 6180
+#define AUE_filesystem_add 6181
+#define AUE_filesystem_delete 6182
+#define AUE_filesystem_modify 6183
#define AUE_allocate_succ 6200
#define AUE_allocate_fail 6201
#define AUE_deallocate_succ 6202
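Review bot: The values 6171 and 6172 are given to `AUE_ftpd_logout` and `AUE_ssh` here, while the removed lines assigned them to `AUE_audit_startup` and `AUE_audit_shutdown`, so a trail written before this change carries those numbers with the old meaning. The next hunk keeps the old values as `AUE_DARWIN_audit_startup` and `AUE_DARWIN_audit_shutdown`, but nothing beside these two defines tells a reader that the number is ambiguous across trails. I would add a comment on each, e.g. `/* Same value as AUE_DARWIN_audit_startup in older Darwin trails. */`. The tables that map event numbers to names and classes are not part of this diff; they should change in step, since preselection and log review both depend on them.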
@@ -83,20 +80,63 @@
#define AUE_delete_user 6209
#define AUE_disable_user 6210
#define AUE_enable_user 6211
-#define AUE_sudo 6300
-#define AUE_modify_password 6501 /* Not assigned by Sun. */
-#define AUE_create_group 6511 /* Not assigned by Sun. */
-#define AUE_delete_group 6512 /* Not assigned by Sun. */
-#define AUE_modify_group 6513 /* Not assigned by Sun. */
-#define AUE_add_to_group 6514 /* Not assigned by Sun. */
-#define AUE_remove_from_group 6515 /* Not assigned by Sun. */
-#define AUE_revoke_obj 6521 /* Not assigned by Sun; not used. */
-#define AUE_lw_login 6600 /* Not assigned by Sun; tentative. */
-#define AUE_lw_logout 6601 /* Not assigned by Sun; tentative. */
-#define AUE_auth_user 7000 /* Not assigned by Sun. */
-#define AUE_ssconn 7001 /* Not assigned by Sun. */
-#define AUE_ssauthorize 7002 /* Not assigned by Sun. */
-#define AUE_ssauthint 7003 /* Not assigned by Sun. */
+#define AUE_newgrp_login 6212
+#define AUE_admin_authentication 6213
+#define AUE_kadmind_auth 6214
+#define AUE_kadmind_unauth 6215
+#define AUE_krb5kdc_as_req 6216
+#define AUE_krb5kdc_tgs_req 6217
+#define AUE_krb5kdc_tgs_req_2ndtktmm 6218
+#define AUE_krb5kdc_tgs_req_alt_tgt 6219
+
+/*
+ * Historic Darwin use of the low event numbering space, which collided with
+ * the Solaris event space. Now obsoleted and new, higher, event numbers
+ * assigned to make it easier to interpret Solaris events using the OpenBSM
+ * tools.
+ */
+#define AUE_DARWIN_audit_startup 6171
+#define AUE_DARWIN_audit_shutdown 6172
+#define AUE_DARWIN_sudo 6300
+#define AUE_DARWIN_modify_password 6501
+#define AUE_DARWIN_create_group 6511
+#define AUE_DARWIN_delete_group 6512
+#define AUE_DARWIN_modify_group 6513
+#define AUE_DARWIN_add_to_group 6514
+#define AUE_DARWIN_remove_from_group 6515
+#define AUE_DARWIN_revoke_obj 6521
+#define AUE_DARWIN_lw_login 6600
+#define AUE_DARWIN_lw_logout 6601
+#define AUE_DARWIN_auth_user 7000
+#define AUE_DARWIN_ssconn 7001
+#define AUE_DARWIN_ssauthorize 7002
+#define AUE_DARWIN_ssauthint 7003
+
+/*
+ * Historic/third-party appliation allocations of event idenfiers.
+ */
#define AUE_openssh 32800
+/*
+ * OpenBSM-managed application event space.
+ */
+#define AUE_audit_startup 45000 /* Darwin-specific. */
+#define AUE_audit_shutdown 45001 /* Darwin-specific. */
+#define AUE_modify_password 45014 /* Darwin-specific. */
+#define AUE_create_group 45015 /* Darwin-specific. */
+#define AUE_delete_group 45016 /* Darwin-specific. */
+#define AUE_modify_group 45017 /* Darwin-specific. */
+#define AUE_add_to_group 45018 /* Darwin-specific. */
+#define AUE_remove_from_group 45019 /* Darwin-specific. */
+#define AUE_revoke_obj 45020 /* Darwin-specific. */
+#define AUE_lw_login 45021 /* Darwin-specific. */
+#define AUE_lw_logout 45022 /* Darwin-specific. */
+#define AUE_auth_user 45023 /* Darwin-specific. */
+#define AUE_ssconn 45024 /* Darwin-specific. */
+#define AUE_ssauthorize 45025 /* Darwin-specific. */
+#define AUE_ssauthint 45026 /* Darwin-specific. */
+#define AUE_calife 45027 /* OpenBSM-allocated. */
+#define AUE_sudo 45028 /* OpenBSM-allocated. */
+#define AUE_audit_recovery 45029 /* OpenBSM-allocated. */
+
#endif /* !_BSM_AUDIT_UEVENTS_H_ */
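Review bot: The `AUE_DARWIN_*` block calls the old numbers obsolete but does not name the replacement for each. A short trailing comment per define, such as `/* now AUE_sudo (45028) */`, would let someone decoding an old trail find the current identifier. The OpenBSM-managed block jumps from 45001 to 45014 with no word on whether 45002–45013 are reserved. The earlier hunk at `-26,22` removes the table of event-number ranges, so the bounds of this space are no longer stated in the header; a brief range comment above `AUE_audit_startup` would restore that. The new comment above `AUE_openssh` also misspells "application" and "identifiers".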
diff --git a/contrib/openbsm/bsm/auditd_lib.h b/contrib/openbsm/bsm/auditd_lib.h
new file mode 100644
index 0000000..77acff7
--- /dev/null
+++ b/contrib/openbsm/bsm/auditd_lib.h
@@ -0,0 +1,105 @@
+/*-
+ * Copyright (c) 2008 Apple Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of Apple Inc. ("Apple") nor the names of
+ * its contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
+ * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ * $P4: //depot/projects/trustedbsd/openbsm/bsm/auditd_lib.h#2 $
+ */
+
+#ifndef _BSM_AUDITD_LIB_H_
+#define _BSM_AUDITD_LIB_H_
+
+/*
+ * Lengths for audit trail file components.
+ */
+#define NOT_TERMINATED "not_terminated"
+#define CRASH_RECOVERY "crash_recovery"
+#define POSTFIX_LEN (sizeof("YYYYMMDDhhmmss") - 1)
+#define FILENAME_LEN ((2 * POSTFIX_LEN) + 2)
+#define TIMESTAMP_LEN (POSTFIX_LEN + 1)
+
+/*
+ * Macro to generate the timestamp string for trail file.
+ */
+#define getTSstr(t, b, l) \
+ ( (((t) = time(0)) == (time_t)-1 ) || \
+ !strftime((b), (l), "%Y%m%d%H%M%S", gmtime(&(t)) ) ) ? -1 : 0
+
+/*
+ * The symbolic link to the currently active audit trail file.
+ */
+#define AUDIT_CURRENT_LINK "/var/audit/current"
+
+/*
+ * Path of auditd plist file for launchd.
+ */
+#define AUDITD_PLIST_FILE \
+ "/System/Library/LaunchDaemons/org.trustedbsd.auditd.plist"
+
+/*
+ * Error return codes for auditd_lib functions.
+ */
+#define ADE_NOERR 0 /* No Error or Success. */
+#define ADE_PARSE -1 /* Error parsing audit_control(5). */
+#define ADE_AUDITON -2 /* auditon(2) call failed. */
+#define ADE_NOMEM -3 /* Error allocating memory. */
+#define ADE_SOFTLIM -4 /* All audit log directories over soft limit. */
+#define ADE_HARDLIM -5 /* All audit log directories over hard limit. */
+#define ADE_STRERR -6 /* Error creating file name string. */
+#define ADE_AU_OPEN -7 /* au_open(3) failed. */
+#define ADE_AU_CLOSE -8 /* au_close(3) failed. */
+#define ADE_SETAUDIT -9 /* setaudit(2) or setaudit_addr(2) failed. */
+#define ADE_ACTL -10 /* "Soft" error with auditctl(2). */
+#define ADE_ACTLERR -11 /* "Hard" error with auditctl(2). */
+#define ADE_SWAPERR -12 /* The audit trail file could not be swap. */
+#define ADE_RENAME -13 /* Error renaming crash recovery file. */
+#define ADE_READLINK -14 /* Error reading 'current' link. */
+#define ADE_SYMLINK -15 /* Error creating 'current' link. */
+#define ADE_INVAL -16 /* Invalid argument. */
+#define ADE_GETADDR -17 /* Error resolving address from hostname. */
+#define ADE_ADDRFAM -18 /* Address family not supported. */
+
+/*
+ * auditd_lib functions.
+ */
+const char *auditd_strerror(int errcode);
+int auditd_set_minfree(void);
+int auditd_read_dirs(int (*warn_soft)(char *), int (*warn_hard)(char *));
+void auditd_close_dirs(void);
+int auditd_set_evcmap(void);
+int auditd_set_namask(void);
+int auditd_set_policy(void);
+int auditd_set_fsize(void);
+int auditd_set_host(void);
+int auditd_swap_trail(char *TS, char **newfile, gid_t gid,
+ int (*warn_getacdir)(char *));
+int auditd_prevent_audit(void);
+int auditd_gen_record(int event, char *path);
+int auditd_new_curlink(char *curfile);
+int audit_quick_start(void);
+int audit_quick_stop(void);
+
+#endif /* !_BSM_AUDITD_LIB_H_ */
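Review bot: `getTSstr` expands to an unparenthesized conditional expression, so a caller writing `getTSstr(t, b, l) == 0` gets `cond ? -1 : (0 == 0)`, which is non-zero on both paths and hides a failed timestamp. Wrapping the whole expansion fixes that: `((((t) = time(0)) == (time_t)-1 || !strftime((b), (l), "%Y%m%d%H%M%S", gmtime(&(t)))) ? -1 : 0)`. The macro also hands the result of `gmtime()` to `strftime()` without a null check. The header uses `time_t`, `gid_t`, `time` and `strftime` without including the headers that declare them, so it depends on include order at every user. The comment "Lengths for audit trail file components" sits above two string constants, and it should say whether `FILENAME_LEN` and `TIMESTAMP_LEN` count the terminating NUL, since callers will size trail-name buffers from them.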
diff --git a/contrib/openbsm/bsm/libbsm.h b/contrib/openbsm/bsm/libbsm.h
index 97b9530..ba96e9d 100644
--- a/contrib/openbsm/bsm/libbsm.h
+++ b/contrib/openbsm/bsm/libbsm.h
@@ -1,5 +1,5 @@
/*-
- * Copyright (c) 2004 Apple Inc.
+ * Copyright (c) 2004-2008 Apple Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -26,7 +26,7 @@
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
- * $P4: //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#35 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#40 $
*/
#ifndef _LIBBSM_H_
@@ -547,13 +547,13 @@ typedef struct {
* remote Internet address 4 bytes/16 bytes (IPv4/IPv6 address)
*/
typedef struct {
+ u_int16_t domain;
u_int16_t type;
+ u_int16_t atype;
u_int16_t l_port;
- u_int32_t l_ad_type;
- u_int32_t l_addr;
+ u_int32_t l_addr[4];
u_int32_t r_port;
- u_int32_t r_ad_type;
- u_int32_t r_addr;
+ u_int32_t r_addr[4];
} au_socket_ex32_t;
/*
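Review bot: `l_addr` and `r_addr` grow to four words each, but nothing in the struct says how many of those words are valid for a given `atype`, or that a single `atype` now describes both ends where the old layout had `l_ad_type` and `r_ad_type`. Code that prints or compares these records needs that rule so it does not treat the unused 12 bytes of an IPv4 address as data; a field comment such as `/* address type; selects 4 or 16 valid bytes in l_addr and r_addr */` would state it. `l_port` is 16-bit while `r_port` stays 32-bit, which deserves a comment if it mirrors the token format. The field list in the comment above the struct starts outside this hunk and should be checked against the new layout. Because member offsets change, consumers built against the old header will misread the struct until rebuilt.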
@@ -824,6 +824,13 @@ void au_print_xml_footer(FILE *outfp);
__END_DECLS
/*
+ * Functions relating to BSM<->errno conversion.
+ */
+int au_bsm_to_errno(u_char bsm_error, int *errorp);
+u_char au_errno_to_bsm(int error);
+const char *au_strerror(u_char bsm_error);
+
+/*
* The remaining APIs are associated with Apple's BSM implementation, in
* particular as relates to Mach IPC auditing and triggers passed via Mach
* IPC.
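Review bot: The three new prototypes are added after the `__END_DECLS` context line, so as far as this hunk shows they sit outside the C linkage block and a C++ consumer would see them with mangled names. Moving the added comment and prototypes above `__END_DECLS` keeps them with the other declarations. `au_bsm_to_errno` also needs a line on its return convention, e.g. `/* Returns 0 and sets *errorp on success, -1 if bsm_error has no local errno. */`. That wording is my guess at the contract and should be checked against the implementation, which is not in this diff.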
@@ -930,6 +937,19 @@ void au_free_token(token_t *tok);
* XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
*/
int au_get_state(void);
+
+/*
+ * Initialize the audit notification. If it has not already been initialized
+ * it will automatically on the first call of au_get_state().
+ */
+uint32_t au_notify_initialize(void);
+
+/*
+ * Cancel audit notification and free the resources associated with it.
+ * Responsible code that no longer needs to use au_get_state() should call
+ * this.
+ */
+int au_notify_terminate(void);
__END_DECLS
/* OpenSSH compatibility */
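Review bot: Neither new comment says what the functions return, and callers cannot tell whether the `uint32_t` from `au_notify_initialize` is a status code or a handle, or which `int` value from `au_notify_terminate` means failure. A line such as `/* Returns 0 on success; see the implementation for the non-zero codes. */` on each would do, once checked against the implementation. The return type is spelled `uint32_t` where the rest of this header uses `u_int32_t` (see the `au_socket_ex32_t` hunk); using the same spelling avoids depending on `<stdint.h>` being included first. The first comment's second sentence is missing a verb: "it will be initialized automatically on the first call of au_get_state()".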