PERFORCE change 123117 for review

Robert Watson rwatson at FreeBSD.org
Sun Jul 8 13:32:10 UTC 2007


http://perforce.freebsd.org/chv.cgi?CH=123117

Change 123117 by rwatson at rwatson_peppercorn on 2007/07/08 13:31:24

	Synchronize audit kernel event list to OpenSolaris, including
	picking up the *at(2) system call events.  Tidy up, correct,
	enhance comments.  In two cases where OpenBSM defines events that
	duplicate Solaris events, prefer the Solaris definition.  Flag a
	few more events as Solaris-specific.  Remove XXX comments that
	are no longer required.  Observe that we're getting really close
	to Solaris events colliding with older Darwin events.

Affected files ...

.. //depot/projects/trustedbsd/openbsm/HISTORY#53 edit
.. //depot/projects/trustedbsd/openbsm/bsm/audit_kevents.h#49 edit
.. //depot/projects/trustedbsd/openbsm/etc/audit_event#22 edit

Differences ...

==== //depot/projects/trustedbsd/openbsm/HISTORY#53 (text+ko) ====

@@ -3,6 +3,8 @@
 - Fix bug when processing in_addr_ex tokens.
 - Restore the behavior of printing the string/text specified while
   auditing arg32 tokens.
+- Synchronized audit event list to Solaris, picking up the *at(2) system call
+  definitions, now required for FreeBSD and Linux.
 
 OpenBSM 1.0 alpha 14
 
@@ -290,4 +292,4 @@
   to support reloading of kernel event table.
 - Allow comments in /etc/security configuration files.
 
-$P4: //depot/projects/trustedbsd/openbsm/HISTORY#52 $
+$P4: //depot/projects/trustedbsd/openbsm/HISTORY#53 $

==== //depot/projects/trustedbsd/openbsm/bsm/audit_kevents.h#49 (text+ko) ====

@@ -26,7 +26,7 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  *
- * $P4: //depot/projects/trustedbsd/openbsm/bsm/audit_kevents.h#48 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bsm/audit_kevents.h#49 $
  */
 
 #ifndef _BSM_AUDIT_KEVENTS_H_
@@ -44,11 +44,12 @@
 #define	AUE_NULL		0
 #define	AUE_EXIT		1
 #define	AUE_FORK		2
+#define	AUE_FORKALL		AUE_FORK	/* Solaris-specific. */
 #define	AUE_OPEN		3
 #define	AUE_CREAT		4
 #define	AUE_LINK		5
 #define	AUE_UNLINK		6
-#define	AUE_DELETE		AUE_UNLINK
+#define	AUE_DELETE		AUE_UNLINK	/* Darwin-specific. */
 #define	AUE_EXEC		7
 #define	AUE_CHDIR		8
 #define	AUE_MKNOD		9
@@ -57,7 +58,7 @@
 #define	AUE_UMOUNT		12
 #define	AUE_JUNK		13	/* Solaris-specific. */
 #define	AUE_ACCESS		14
-#define	AUE_CHECKUSERACCESS	AUE_ACCESS
+#define	AUE_CHECKUSERACCESS	AUE_ACCESS	/* Darwin-specific. */
 #define	AUE_KILL		15
 #define	AUE_STAT		16
 #define	AUE_LSTAT		17
@@ -156,7 +157,7 @@
 #define	AUE_SEMOP		110
 #define	AUE_CORE		111	/* Solaris-specific, currently. */
 #define	AUE_CLOSE		112
-#define	AUE_SYSTEMBOOT		113
+#define	AUE_SYSTEMBOOT		113	/* Solaris-specific. */
 #define	AUE_ASYNC_DAEMON_EXIT	114	/* Solaris-specific. */
 #define	AUE_NFSSVC_EXIT		115	/* Solaris-specific. */
 #define	AUE_WRITEL		128	/* Solaris-specific. */
@@ -179,9 +180,14 @@
 #define	AUE_GETKERNSTATE	147	/* Solaris-specific. */
 #define	AUE_SETKERNSTATE	148	/* Solaris-specific. */
 #define	AUE_GETPORTAUDIT	149	/* Solaris-specific. */
-#define	AUE_AUDISTAT		150	/* Solaris-specific. */
+#define	AUE_AUDITSTAT		150	/* Solaris-specific. */
+#define	AUE_REVOKE		151
+#define	AUE_MAC			152	/* Solaris-specific. */
 #define	AUE_ENTERPROM		153	/* Solaris-specific. */
 #define	AUE_EXITPROM		154	/* Solaris-specific. */
+#define	AUE_IFLOAT		155	/* Solaris-specific. */
+#define	AUE_PFLOAT		156	/* Solaris-specific. */
+#define	AUE_UPRIV		157	/* Solaris-specific. */
 #define	AUE_IOCTL		158
 #define	AUE_SOCKET		183
 #define	AUE_SENDTO		184
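Review bot: The rename of `AUE_AUDISTAT` to `AUE_AUDITSTAT` removes the old macro outright, so any kernel or userland source still using the old spelling stops compiling. The same applies to `AUE_UTSSYS` → `AUE_FUSERS` and `AUE_SOCK_CONFIG` → `AUE_SOCKCONFIG` in the later hunks of this file. The header already keeps aliases such as `AUE_DELETE` and `AUE_KDBUGTRACE`, so a compatibility line like `#define AUE_AUDISTAT AUE_AUDITSTAT /* Deprecated spelling. */` would fit the existing style. Whether any consumer references the old names is not visible from this change, so it may only need a note in HISTORY.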
@@ -193,28 +199,30 @@
 #define	AUE_RECVMSG		190
 #define	AUE_RECVFROM		191
 #define	AUE_READ		192
+#define	AUE_GETDENTS		193
 #define	AUE_LSEEK		194
 #define	AUE_WRITE		195
 #define	AUE_WRITEV		196
 #define	AUE_NFS			197	/* Solaris-specific. */
 #define	AUE_READV		198
-					/* XXXRW: XXX Solaris old stat()? */
+#define	AUE_OSTAT		199	/* Solaris-specific. */
 #define	AUE_SETUID		200	/* XXXRW: Solaris old setuid? */
 #define	AUE_STIME		201	/* XXXRW: Solaris old stime? */
 #define	AUE_UTIME		202	/* XXXRW: Solaris old utime? */
 #define	AUE_NICE		203	/* XXXRW: Solaris old nice? */
-					/* XXXRW: Solaris old setpgrp? */
-#define	AUE_SETGID		205	/* XXXRW: Solaris old setgid? */
-					/* XXXRW: Solaris readl? */
-					/* XXXRW: Solaris readvl()? */
+#define	AUE_OSETPGRP		204	/* Solaris-specific. */
+#define	AUE_SETGID		205
+#define	AUE_READL		206	/* Solaris-specific. */
+#define	AUE_READVL		207	/* Solaris-specific. */
+#define	AUE_FSTAT		208
 #define	AUE_DUP2		209
 #define	AUE_MMAP		210
 #define	AUE_AUDIT		211
-#define	AUE_PRIOCNTLSYS		212
+#define	AUE_PRIOCNTLSYS		212	/* Solaris-specific. */
 #define	AUE_MUNMAP		213
 #define	AUE_SETEGID		214
 #define	AUE_SETEUID		215
-#define	AUE_PUTMSG		216
+#define	AUE_PUTMSG		216	/* Solaris-specific. */
 #define	AUE_GETMSG		217	/* Solaris-specific. */
 #define	AUE_PUTPMSG		218	/* Solaris-specific. */
 #define	AUE_GETPMSG		219	/* Solaris-specific. */
@@ -231,26 +239,27 @@
 #define	AUE_AUDITON_SETCOND	230
 #define	AUE_AUDITON_GETCLASS	231
 #define	AUE_AUDITON_SETCLASS	232
-#define	AUE_UTSSYS		233	/* Solaris-specific. */
+#define	AUE_FUSERS		233	/* Solaris-specific; also UTSSYS? */
 #define	AUE_STATVFS		234
-#define	AUE_XSTAT		235
-#define	AUE_LXSTAT		236
+#define	AUE_XSTAT		235	/* Solaris-specific. */
+#define	AUE_LXSTAT		236	/* Solaris-specific. */
 #define	AUE_LCHOWN		237
 #define	AUE_MEMCNTL		238	/* Solaris-specific. */
 #define	AUE_SYSINFO		239	/* Solaris-specific. */
 #define	AUE_XMKNOD		240	/* Solaris-specific. */
 #define	AUE_FORK1		241
-					/* XXXRW: Solaris modctl()? */
+#define	AUE_MODCTL		242	/* Solaris-specific. */
 #define	AUE_MODLOAD		243
 #define	AUE_MODUNLOAD		244
 #define	AUE_MODCONFIG		245	/* Solaris-specific. */
 #define	AUE_MODADDMAJ		246	/* Solaris-specific. */
-#define	AUE_SOCKACCEPT		247
-#define	AUE_SOCKCONNECT		248
-#define	AUE_SOCKSEND		249
-#define	AUE_SOCKRECEIVE		250
+#define	AUE_SOCKACCEPT		247	/* Solaris-specific. */
+#define	AUE_SOCKCONNECT		248	/* Solaris-specific. */
+#define	AUE_SOCKSEND		249	/* Solaris-specific. */
+#define	AUE_SOCKRECEIVE		250	/* Solaris-specific. */
 #define	AUE_ACLSET		251
 #define	AUE_FACLSET		252
+#define	AUE_DOORFS		253	/* Solaris-specific. */
 #define	AUE_DOORFS_DOOR_CALL	254	/* Solaris-specific. */
 #define	AUE_DOORFS_DOOR_RETURN	255	/* Solaris-specific. */
 #define	AUE_DOORFS_DOOR_CREATE	256	/* Solaris-specific. */
@@ -262,11 +271,42 @@
 #define	AUE_P_ONLINE		262	/* Solaris-specific. */
 #define	AUE_PROCESSOR_BIND	263	/* Solaris-specific. */
 #define	AUE_INST_SYNC		264	/* Solaris-specific. */
-#define	AUE_SOCK_CONFIG		265	/* Solaris-specific. */
+#define	AUE_SOCKCONFIG		265	/* Solaris-specific. */
 #define	AUE_SETAUDIT_ADDR	266
 #define	AUE_GETAUDIT_ADDR	267
+#define	AUE_UMOUNT2		268	/* Solaris-specific. */
+#define	AUE_FSAT		269	/* Solaris-specific. */
+#define	AUE_OPENAT_R		270
+#define	AUE_OPENAT_RC		271
+#define	AUE_OPENAT_RT		272
+#define	AUE_OPENAT_RTC		273
+#define	AUE_OPENAT_W		274
+#define	AUE_OPENAT_WC		275
+#define	AUE_OPENAT_WT		276
+#define	AUE_OPENAT_WTC		277
+#define	AUE_OPENAT_RW		278
+#define	AUE_OPENAT_RWC		279
+#define	AUE_OPENAT_RWT		280
+#define	AUE_OPENAT_RWTC		281
+#define	AUE_RENAMEAT		282
+#define	AUE_FSTATAT		283
+#define	AUE_FCHOWNAT		284
+#define	AUE_FUTIMESAT		285
+#define	AUE_UNLINKAT		286
 #define	AUE_CLOCK_SETTIME	287
 #define	AUE_NTP_ADJTIME		288
+#define	AUE_SETPPRIV		289	/* Solaris-specific. */
+#define	AUE_MODDEVPLCY		290	/* Solaris-specific. */
+#define	AUE_MODADDPRIV		291	/* Solaris-specific. */
+#define	AUE_CRYPTOADM		292	/* Solaris-specific. */
+#define	AUE_CONFIGKSSL		293	/* Solaris-specific. */
+#define	AUE_BRANDSYS		294	/* Solaris-specific. */
+#define	AUE_PF_POLICY_ADDRULE	295	/* Solaris-specific. */
+#define	AUE_PF_POLICY_DELRULE	296	/* Solaris-specific. */
+#define	AUE_PF_POLICY_CLONE	297	/* Solaris-specific. */
+#define	AUE_PF_POLICY_FLIP	298	/* Solaris-specific. */
+#define	AUE_PF_POLICY_FLUSH	299	/* Solaris-specific. */
+#define	AUE_PF_POLICY_ALGS	300	/* Solaris-specific. */
 
 /*
  * Events added for Apple Darwin that potentially collide with future Solaris
@@ -281,30 +321,30 @@
 #define	AUE_DARWIN_PROFILE	305
 #define	AUE_DARWIN_KTRACE	306
 #define	AUE_DARWIN_SETLOGIN	307
-#define	AUE_DARWIN_REBOOT	308	/* XXX: See AUE_REBOOT. */
+#define	AUE_DARWIN_REBOOT	308
 #define	AUE_DARWIN_REVOKE	309
 #define	AUE_DARWIN_UMASK	310
 #define	AUE_DARWIN_MPROTECT	311
-#define	AUE_DARWIN_SETPRIORITY	312	/* XXX: See AUE_SETPRIORITY. */
-#define	AUE_DARWIN_SETTIMEOFDAY	313	/* XXX: See AUE_SETTIMEOFDAY. */
-#define	AUE_DARWIN_FLOCK	314	/* XXX: See AUE_FLOCK. */
+#define	AUE_DARWIN_SETPRIORITY	312
+#define	AUE_DARWIN_SETTIMEOFDAY	313
+#define	AUE_DARWIN_FLOCK	314
 #define	AUE_DARWIN_MKFIFO	315
 #define	AUE_DARWIN_POLL		316
-#define	AUE_DARWIN_SOCKETPAIR	317	/* XXXRW: See AUE_SOCKETPAIR. */
+#define	AUE_DARWIN_SOCKETPAIR	317
 #define	AUE_DARWIN_FUTIMES	318
 #define	AUE_DARWIN_SETSID	319
 #define	AUE_DARWIN_SETPRIVEXEC	320	/* Darwin-specific. */
-#define	AUE_DARWIN_NFSSVC	321	/* XXX: See AUE_NFS_SVC. */
-#define	AUE_DARWIN_GETFH	322	/* XXX: See AUE_NFS_GETFH. */
-#define	AUE_DARWIN_QUOTACTL	323	/* XXX: See AUE_QUOTACTL. */
+#define	AUE_DARWIN_NFSSVC	321
+#define	AUE_DARWIN_GETFH	322
+#define	AUE_DARWIN_QUOTACTL	323
 #define	AUE_DARWIN_ADDPROFILE	324	/* Darwin-specific. */
 #define	AUE_DARWIN_KDEBUGTRACE	325	/* Darwin-specific. */
 #define	AUE_DARWIN_KDBUGTRACE	AUE_KDEBUGTRACE
 #define	AUE_DARWIN_FSTAT	326
 #define	AUE_DARWIN_FPATHCONF	327
 #define	AUE_DARWIN_GETDIRENTRIES	328
-#define	AUE_DARWIN_TRUNCATE	329	/* XXX: See AUE_TRUNCATE. */
-#define	AUE_DARWIN_FTRUNCATE	330	/* XXX: See AUE_FTRUNCATE. */
+#define	AUE_DARWIN_TRUNCATE	329
+#define	AUE_DARWIN_FTRUNCATE	330
 #define	AUE_DARWIN_SYSCTL	331
 #define	AUE_DARWIN_MLOCK	332
 #define	AUE_DARWIN_MUNLOCK	333
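Review bot: `AUE_DARWIN_KDBUGTRACE` is left aliased to `AUE_KDEBUGTRACE`, which the OpenBSM section later in this file defines as 43017, not to `AUE_DARWIN_KDEBUGTRACE` (325) on the line above it. Every other name in this block carries a Darwin-range number, so the alias looks like it should read `#define AUE_DARWIN_KDBUGTRACE AUE_DARWIN_KDEBUGTRACE`. If the cross-range mapping is intentional, a comment saying so would help whoever next processes old Darwin trails.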
@@ -343,6 +383,11 @@
  * These often duplicate events added to the Solaris set by Darwin, but use
  * event identifiers in a higher range in order to avoid colliding with
  * future Solaris additions.
+ *
+ * If an event in this section is later added to Solaris, we prefer the
+ * Solaris event identifier, and add _OPENBSM_ to the OpenBSM-specific
+ * identifier so that old trails can still be processed, but new trails use
+ * the Solaris identifier.
  */
 #define	AUE_GETFSSTAT		43001
 #define	AUE_PTRACE		43002
@@ -351,7 +396,7 @@
 #define	AUE_PROFILE		43005
 #define	AUE_KTRACE		43006
 #define	AUE_SETLOGIN		43007
-#define	AUE_REVOKE		43008
+#define	AUE_OPENBSM_REVOKE	43008	/* Solaris event now preferred. */
 #define	AUE_UMASK		43009
 #define	AUE_MPROTECT		43010
 #define	AUE_MKFIFO		43011
@@ -362,7 +407,7 @@
 #define	AUE_ADDPROFILE		43016	/* Darwin-specific. */
 #define	AUE_KDEBUGTRACE		43017	/* Darwin-specific. */
 #define	AUE_KDBUGTRACE		AUE_KDEBUGTRACE
-#define	AUE_FSTAT		43018
+#define	AUE_OPENBSM_FSTAT	43018	/* Solaris event now preferred. */
 #define	AUE_FPATHCONF		43019
 #define	AUE_GETDIRENTRIES	43020
 #define	AUE_SYSCTL		43021

==== //depot/projects/trustedbsd/openbsm/etc/audit_event#22 (text+ko) ====

@@ -1,5 +1,5 @@
 #
-# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_event#21 $
+# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_event#22 $
 #
 0:AUE_NULL:indir system call:no
 1:AUE_EXIT:exit(2):pc
@@ -140,8 +140,13 @@
 148:AUE_SETKERNSTATE:setkernstate(2):ad
 149:AUE_GETPORTAUDIT:getportaudit(2):ad
 150:AUE_AUDITSTAT:auditstat(2):ad
+151:AUE_REVOKE:revoke(2):cl
+152:AUE_MAC:Solaris AUE_MAC:no
 153:AUE_ENTERPROM:enter prom:ad
 154:AUE_EXITPROM:exit prom:ad
+155:AUE_IFLOAT:Solaris AUE_IFLOAT:no
+156:AUE_PFLOAT:Solaris AUE_PFLOAT:no
+157:AUE_UPRIV:Solaris AUE_UPRIV:no
 158:AUE_IOCTL:ioctl(2):io
 173:AUE_ONESIDE:one-sided session record:nt
 174:AUE_MSGGETL:msggetl(2):ip
@@ -165,19 +170,19 @@
 196:AUE_WRITEV:writev(2):no
 197:AUE_NFS:nfs server:ad
 198:AUE_READV:readv(2):no
-199:AUE_OSTAT:old stat(2):fa
+199:AUE_OSTAT:Solaris old stat(2):fa
 200:AUE_SETUID:setuid(2):pc
 201:AUE_STIME:old stime(2):ad
 202:AUE_UTIME:old utime(2):fm
 203:AUE_NICE:old nice(2):pc
-204:AUE_OSETPGRP:old setpgrp(2):pc
+204:AUE_OSETPGRP:Solaris old setpgrp(2):pc
 205:AUE_SETGID:setgid(2):pc
 206:AUE_READL:readl(2):no
 207:AUE_READVL:readvl(2):no
 209:AUE_DUP2:dup2(2):no
 210:AUE_MMAP:mmap(2):no
 211:AUE_AUDIT:audit(2):ot
-212:AUE_PRIOCNTLSYS:priocntlsys(2):pc
+212:AUE_PRIOCNTLSYS:Solaris priocntlsys(2):pc
 213:AUE_MUNMAP:munmap(2):cl
 214:AUE_SETEGID:setegid(2):pc
 215:AUE_SETEUID:seteuid(2):pc
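Review bot: There is still no `208` entry between `207:AUE_READVL` and `209:AUE_DUP2`, although this change adds `AUE_FSTAT` as 208 in `bsm/audit_kevents.h` and renames the 43018 entry to `AUE_OPENBSM_FSTAT`. Records emitted with the now-preferred identifier would then have no name or class mapping in this file, so class-based preselection and trail reduction on `fa` would presumably miss fstat(2). Adding `208:AUE_FSTAT:fstat(2):fa` (class copied from the 43018 line) closes the gap. The entries for 193 (`AUE_GETDENTS`), 242 (`AUE_MODCTL`) and 253 (`AUE_DOORFS`) fall outside the hunks shown for this file and should be checked the same way.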
@@ -201,7 +206,7 @@
 233:AUE_UTSSYS:utssys(2) - fusers:ad
 234:AUE_STATVFS:statvfs(2):fa
 235:AUE_XSTAT:xstat(2):fa
-236:AUE_LXSTAT:lx6stat(2):fa
+236:AUE_LXSTAT:lxstat(2):fa
 237:AUE_LCHOWN:lchown(2):fm
 238:AUE_MEMCNTL:memcntl(2):ot
 239:AUE_SYSINFO:sysinfo(2):ad
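Review bot: The context line `233:AUE_UTSSYS:utssys(2) - fusers:ad` keeps the name that the header hunk in this same change replaces with `AUE_FUSERS`, so the event name in this file and the constant in `bsm/audit_kevents.h` no longer match. If the rename is intended, this line should become `233:AUE_FUSERS:utssys(2) - fusers:ad`. The header comment `also UTSSYS?` suggests the naming is still undecided, in which case keeping both names in the header as aliases is the safer choice.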
@@ -230,12 +235,43 @@
 262:AUE_P_ONLINE:p_online(2):ad
 263:AUE_PROCESSOR_BIND:processor_bind(2):ad
 264:AUE_INST_SYNC:inst_sync(2):ad
+265:AUE_SOCKCONFIG:configure socket:nt
 266:AUE_SETAUDIT_ADDR:setaudit_addr(2):ad
 267:AUE_GETAUDIT_ADDR:getaudit_addr(2):ad
-268:AUE_CLOCK_SETTIME:clock_settime(2):ad
-269:AUE_NTP_ADJTIME:ntp_adjtime(2):ad
+268:AUE_UMOUNT2:Solaris umount(2):ad
+269:AUE_FSAT:fsat(2) - place holder:no
+270:AUE_OPENAT_R:openat(2) - read:fr
+271:AUE_OPENAT_RC:openat(2) - read,creat:fc,fr,fa,fm
+272:AUE_OPENAT_RT:openat(2) - read,trunc:fd,fr,fa,fm
+273:AUE_OPENAT_RTC:openat(2) - read,creat,trunc:fc,fd,fr,fa,fm
+274:AUE_OPENAT_W:openat(2) - write:fw
+275:AUE_OPENAT_WC:openat(2) - write,creat:fc,fw,fa,fm
+276:AUE_OPENAT_WT:openat(2) - write,trunc:fd,fw,fa,fm
+277:AUE_OPENAT_WTC:openat(2) - write,creat,trunc:fc,fd,fw,fa,fm
+278:AUE_OPENAT_RW:openat(2) - read,write:fr,fw
+279:AUE_OPENAT_RWC:openat(2) - read,write,create:fc,fw,fr,fa,fm
+280:AUE_OPENAT_RWTC:openat(2) - read,write,creat,trunc:fc,fd,fw,fr,fa,fm
+282:AUE_RENAMEAT:renameat(2):fc,fd
+283:AUE_FSTATAT:fstatat(2):fa
+284:AUE_FCHOWNAT:fchownat(2):fm
+285:AUE_FUTIMESAT:futimesat(2):fm
+286:AUE_UNLINKAT:unlinkat(2):fd
+287:AUE_CLOCK_SETTIME:clock_settime(2):ad
+288:AUE_NTP_ADJTIME:ntp_adjtime(2):ad
+289:AUE_SETPPRIV:setppriv(2):pc
+290:AUE_MODDEVPLCY:modctl(2) - configure device policy:ad
+291:AUE_MODADDPRIV:modctl(2) - configure additional privilege:ad
+292:AUE_CRYPTOADM:kernel cryptographic framework:ad
+293:AUE_CONFIGKSSL:configure kernel SSL:ad
+294:AUE_BRANDSYS:brandsys(2):ot
+295:AUE_PF_POLICY_ADDRULE:Add IPsec policy rule:ad
+296:AUE_PF_POLICY_DELRULE:Delete IPsec policy rule:ad
+297:AUE_PF_POLICY_CLONE:Clone IPsec policy:ad
+298:AUE_PF_POLICY_FLIP:Flip IPsec policy:ad
+299:AUE_PF_POLICY_FLUSH:Flush IPsec policy rules:ad
+300:AUE_PF_POLICY_ALGS:Update IPsec algorithms:ad
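Review bot: The added line `280:AUE_OPENAT_RWTC:...` disagrees with `bsm/audit_kevents.h` in this same change, where 280 is `AUE_OPENAT_RWT` and 281 is `AUE_OPENAT_RWTC`, and no 281 entry is added at all. As written, a read/write/truncate open would be reported and classified as a creating open, and event 281 would have no class mapping, so class-based preselection would presumably drop it. The entries should be `280:AUE_OPENAT_RWT:openat(2) - read,write,trunc:fd,fw,fr,fa,fm` and `281:AUE_OPENAT_RWTC:openat(2) - read,write,creat,trunc:fc,fd,fw,fr,fa,fm`. The class list for 280 is inferred from the `_RT` and `_WT` lines and should be confirmed against the Solaris table.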
 #
-# What follows are deprecated Darwin event numbers that may someday conflict
+# What follows are deprecated Darwin event numbers that may soon conflict
 # with Solaris events.
 #
 301:AUE_DARWIN_GETFSSTAT:getfsstat(2):fa
@@ -309,7 +345,7 @@
 43005:AUE_PROFILE:profil(2):pc
 43006:AUE_KTRACE:ktrace(2):pc
 43007:AUE_SETLOGIN:setlogin(2):pc
-43008:AUE_REVOKE:revoke(2):cl
+43008:AUE_OPENBSM_REVOKE:revoke(2):cl
 43009:AUE_UMASK:umask(2):pc
 43010:AUE_MPROTECT:mprotect(2):fm
 43011:AUE_MKFIFO:mkfifo(2):fc
@@ -319,7 +355,7 @@
 43015:AUE_SETPRIVEXEC:setprivexec(2):pc
 43016:AUE_ADDPROFILE:system call:pc
 43017:AUE_KDEBUGTRACE:system call:pc
-43018:AUE_FSTAT:fstat(2):fa
+43018:AUE_OPENBSM_FSTAT:fstat(2):fa
 43019:AUE_FPATHCONF:fpathconf(2):fa
 43020:AUE_GETDIRENTRIES:getdirentries(2):no
 43021:AUE_SYSCTL:sysctl(3):ot

