From 3fc61fcaeb6c4f73a668795461e276064f449f38 Mon Sep 17 00:00:00 2001
From: rwatson <rwatson@FreeBSD.org>
Date: Thu, 21 Sep 2006 07:07:33 +0000
Subject: Vendor import of OpenBSM 1.0 alpha 11, with the following change
 history notes since the last import:

OpenBSM 1.0 alpha 11

- Reclassify certain read/write operations as having no class rather than the
  fr/fw class; our default classes audit intent (open) not operations (read,
  write).
- Introduce AUE_SYSCTL_WRITE event so that BSD/Darwin systems can audit reads
  and writes of sysctls as separate events.  Add additional kernel
  environment and jail events for FreeBSD.
- Break AUDIT_TRIGGER_OPEN_NEW into two events, AUDIT_TRIGGER_ROTATE_USER
  (issued by the user audit(8) tool) and AUDIT_TRIGGER_ROTATE_KERNEL (issued
  by the kernel audit implementation) so that they can be distinguished.
- Disable rate limiting of rotate requests; as the kernel doesn't retransmit
  a dropped request, the log file will otherwise grow indefinitely if the
  trigger is dropped.
- Improve auditd debugging output.
- Fix a number of threading related bugs in audit_control file reading
  routines.
- Add APIs au_poltostr() and au_strtopol() to convert between text
  representations of audit_control policy flags and the flags passed to
  auditon(A_SETPOLICY) and retrieved from auditon(A_GETPOLICY).
- Add API getacpol() to return the 'policy:' entry from audit_control, an
  extension to the Solaris file format to allow specification of policy
  persistent flags.
- Update audump to print the audit_control policy field.
- Update auditd to read the audit_control policy field and set the kernel
  policy to match it when configuring/reconfiguring.  Remove the -s and -h
  arguments as these policies are now set via the configuration file.  If a
  policy line is not found in the configuration file, continue with the
  current default of setting AUDIT_CNT.
- Fix bugs in the parsing of large execve(2) arguments and environmental
  variable tokens; increase maximum parsed argument and variable count.
- configure now detects strlcat(), used by policy-related functions.
- Reference token and record sample files added to test tree.

Obtained from:	TrustedBSD Project
---
 contrib/openbsm/bsm/audit.h         | 25 +++++++++++++------------
 contrib/openbsm/bsm/audit_kevents.h |  5 ++++-
 contrib/openbsm/bsm/libbsm.h        | 27 ++++++++++++++++++++-------
 3 files changed, 37 insertions(+), 20 deletions(-)

(limited to 'contrib/openbsm/bsm')

diff --git a/contrib/openbsm/bsm/audit.h b/contrib/openbsm/bsm/audit.h
index d67b853..ad61748 100644
--- a/contrib/openbsm/bsm/audit.h
+++ b/contrib/openbsm/bsm/audit.h
@@ -30,7 +30,7 @@
  *
  * @APPLE_BSD_LICENSE_HEADER_END@
  *
- * $P4: //depot/projects/trustedbsd/openbsm/bsm/audit.h#19 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bsm/audit.h#21 $
  */
 
 #ifndef _BSM_AUDIT_H
@@ -46,18 +46,19 @@
  * Triggers for the audit daemon.
  */
 #define	AUDIT_TRIGGER_MIN		1
-#define	AUDIT_TRIGGER_LOW_SPACE		1
-#define	AUDIT_TRIGGER_OPEN_NEW		2
-#define	AUDIT_TRIGGER_READ_FILE		3
-#define	AUDIT_TRIGGER_CLOSE_AND_DIE	4
-#define	AUDIT_TRIGGER_NO_SPACE		5
-#define	AUDIT_TRIGGER_MAX		5
+#define	AUDIT_TRIGGER_LOW_SPACE		1	/* Below low watermark. */
+#define	AUDIT_TRIGGER_ROTATE_KERNEL	2	/* Kernel requests rotate. */
+#define	AUDIT_TRIGGER_READ_FILE		3	/* Re-read config file. */
+#define	AUDIT_TRIGGER_CLOSE_AND_DIE	4	/* Terminate audit. */
+#define	AUDIT_TRIGGER_NO_SPACE		5	/* Below min free space. */
+#define	AUDIT_TRIGGER_ROTATE_USER	6	/* User requests roate. */
+#define	AUDIT_TRIGGER_MAX		6
 
 /*
- * Special file that will be read for trigger events from the kernel
- * (FreeBSD).
+ * The special device filename (FreeBSD).
  */
-#define	AUDIT_TRIGGER_FILE	"/dev/audit"
+#define	AUDITDEV_FILENAME	"audit"
+#define	AUDIT_TRIGGER_FILE	("/dev/" AUDITDEV_FILENAME)
 
 /*
  * Pre-defined audit IDs
@@ -164,12 +165,12 @@
 #define	AUDIT_PERZONE	0x2000
 
 /*
- * Audit queue control parameters.
+ * Default audit queue control parameters.
  */
 #define	AQ_HIWATER	100
 #define	AQ_MAXHIGH	10000
 #define	AQ_LOWATER	10
-#define	AQ_BUFSZ	1024
+#define	AQ_BUFSZ	MAXAUDITDATA
 #define	AQ_MAXBUFSZ	1048576
 
 /*
diff --git a/contrib/openbsm/bsm/audit_kevents.h b/contrib/openbsm/bsm/audit_kevents.h
index cd55883..ef0f47b 100644
--- a/contrib/openbsm/bsm/audit_kevents.h
+++ b/contrib/openbsm/bsm/audit_kevents.h
@@ -30,7 +30,7 @@
  *
  * @APPLE_BSD_LICENSE_HEADER_END@
  *
- * $P4: //depot/projects/trustedbsd/openbsm/bsm/audit_kevents.h#40 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bsm/audit_kevents.h#42 $
  */
 
 #ifndef _BSM_AUDIT_KEVENTS_H_
@@ -467,6 +467,9 @@
 #define	AUE_EXTATTR_SET_LINK	43111	/* FreeBSD. */
 #define	AUE_EXTATTR_LIST_LINK	43112	/* FreeBSD. */
 #define	AUE_EXTATTR_DELETE_LINK	43113	/* FreeBSD. */
+#define	AUE_KENV		43114	/* FreeBSD. */
+#define	AUE_JAIL_ATTACH		43115	/* FreeBSD. */
+#define	AUE_SYSCTL_WRITE	43116	/* FreeBSD. */
 
 /*
  * Darwin BSM uses a number of AUE_O_* definitions, which are aliased to the
diff --git a/contrib/openbsm/bsm/libbsm.h b/contrib/openbsm/bsm/libbsm.h
index 5fea48c..34d9dbc 100644
--- a/contrib/openbsm/bsm/libbsm.h
+++ b/contrib/openbsm/bsm/libbsm.h
@@ -26,7 +26,7 @@
  * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  * POSSIBILITY OF SUCH DAMAGE.
  *
- * $P4: //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#27 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#29 $
  */
 
 #ifndef _LIBBSM_H_
@@ -37,9 +37,6 @@
  * solely to allow OpenSSH to compile; Darwin/Apple code should not use them.
  */
 
-#define	AUDIT_MAX_ARGS	10
-#define	AUDIT_MAX_ENV	10
-
 #include <sys/types.h>
 #include <sys/cdefs.h>
 
@@ -55,13 +52,25 @@
 #include <mach/mach.h>		/* audit_token_t */
 #endif
 
-#define	AU_PRS_SUCCESS	1
-#define	AU_PRS_FAILURE	2
-#define	AU_PRS_BOTH	(AU_PRS_SUCCESS|AU_PRS_FAILURE)
+/*
+ * Size parsed token vectors for execve(2) arguments and environmental
+ * variables.  Note: changing these sizes affects the ABI of the token
+ * structure, and as the token structure is often placed in the caller stack,
+ * this is undesirable.
+ */
+#define	AUDIT_MAX_ARGS	128
+#define	AUDIT_MAX_ENV	128
 
+/*
+ * Arguments to au_preselect(3).
+ */
 #define	AU_PRS_USECACHE	0
 #define	AU_PRS_REREAD	1
 
+#define	AU_PRS_SUCCESS	1
+#define	AU_PRS_FAILURE	2
+#define	AU_PRS_BOTH	(AU_PRS_SUCCESS|AU_PRS_FAILURE)
+
 #define	AUDIT_EVENT_FILE	"/etc/security/audit_event"
 #define	AUDIT_CLASS_FILE	"/etc/security/audit_class"
 #define	AUDIT_CONTROL_FILE	"/etc/security/audit_control"
@@ -71,6 +80,7 @@
 #define	MINFREE_CONTROL_ENTRY	"minfree"
 #define	FLAGS_CONTROL_ENTRY	"flags"
 #define	NA_CONTROL_ENTRY	"naflags"
+#define	POLICY_CONTROL_ENTRY	"policy"
 
 #define	AU_CLASS_NAME_MAX	8
 #define	AU_CLASS_DESC_MAX	72
@@ -711,11 +721,14 @@ int			 getacdir(char *name, int len);
 int			 getacmin(int *min_val);
 int			 getacflg(char *auditstr, int len);
 int			 getacna(char *auditstr, int len);
+int			 getacpol(char *auditstr, size_t len);
 int			 getauditflagsbin(char *auditstr, au_mask_t *masks);
 int			 getauditflagschar(char *auditstr, au_mask_t *masks,
 			    int verbose);
 int			 au_preselect(au_event_t event, au_mask_t *mask_p,
 			    int sorf, int flag);
+ssize_t			 au_poltostr(long policy, size_t maxsize, char *buf);
+int			 au_strtopol(const char *polstr, long *policy);
 
 /*
  * Functions relating to querying audit event information.
-- 
cgit v1.1