PERFORCE change 186939 for review
Christian S.J. Peron
csjp at FreeBSD.org
Tue Dec 14 20:49:50 UTC 2010
http://p4web.freebsd.org/@@186939?ac=10
Change 186939 by csjp at csjp_hvm02 on 2010/12/14 20:49:04
Add support for the Solaris privilege and privilege set tokens. This
fixes truncated-record errors when processing Solaris-created audit trails
using openbsm.
Sponsored by: Seccuris Inc.
Submitted by: Dave Bertouille [1]
[1] Dave added the support for the privilege set token.
Affected files ...
.. //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#49 edit
.. //depot/projects/trustedbsd/openbsm/libbsm/bsm_io.c#66 edit
.. //depot/projects/trustedbsd/openbsm/libbsm/bsm_token.c#95 edit
Differences ...
==== //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#49 (text+ko) ====
@@ -26,7 +26,7 @@
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
- * $P4: //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#48 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#49 $
*/
#ifndef _LIBBSM_H_
@@ -671,6 +671,31 @@
} au_text_t;
/*
+ * upriv status 1 byte
+ * privstr len 2 bytes
+ * privstr N bytes + 1 (\0 byte)
+ */
+typedef struct {
+ u_int8_t sorf;
+ u_int16_t privstrlen;
+ char *priv;
+} au_priv_t;
+
+/*
+* privset
+* privtstrlen 2 bytes
+* privtstr N Bytes + 1
+* privstrlen 2 bytes
+* privstr N Bytes + 1
+*/
+typedef struct {
+ u_int16_t privtstrlen;
+ char *privtstr;
+ u_int16_t privstrlen;
+ char *privstr;
+} au_privset_t;
+
+/*
* zonename length 2 bytes
* zonename text N bytes + 1 NULL terminator
*/
@@ -748,6 +773,8 @@
au_invalid_t invalid;
au_trailer_t trail;
au_zonename_t zonename;
+ au_priv_t priv;
+ au_privset_t privset;
} tt; /* The token is one of the above types */
};
==== //depot/projects/trustedbsd/openbsm/libbsm/bsm_io.c#66 (text+ko) ====
@@ -32,7 +32,7 @@
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
- * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_io.c#65 $
+ * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_io.c#66 $
*/
#include <sys/types.h>
@@ -3380,7 +3380,114 @@
}
}
+static void
+print_upriv_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+ __unused char sfrm, int xml)
+{
+
+ print_tok_type(fp, tok->id, "use of privilege", raw, xml);
+ if (xml) {
+ open_attr(fp, "status");
+ if (tok->tt.priv.sorf)
+ (void) fprintf(fp, "successful use of priv");
+ else
+ (void) fprintf(fp, "failed use of priv");
+ close_attr(fp);
+ open_attr(fp, "name");
+ print_string(fp, tok->tt.priv.priv,
+ tok->tt.priv.privstrlen);
+ close_attr(fp);
+ close_tag(fp, tok->id);
+ } else {
+ print_delim(fp, del);
+ if (tok->tt.priv.sorf)
+ (void) fprintf(fp, "successful use of priv");
+ else
+ (void) fprintf(fp, "failed use of priv");
+ print_delim(fp, del);
+ print_string(fp, tok->tt.priv.priv,
+ tok->tt.priv.privstrlen);
+ }
+}
+
+/*
+ * status 1 byte
+ * privstrlen 2 bytes
+ * priv N bytes + 1 (\0 byte)
+ */
+static int
+fetch_priv_tok(tokenstr_t *tok, u_char *buf, int len)
+{
+ int err = 0;
+
+ READ_TOKEN_U_CHAR(buf, len, tok->tt.priv.sorf, tok->len, err);
+ if (err)
+ return (-1);
+ READ_TOKEN_U_INT16(buf, len, tok->tt.priv.privstrlen, tok->len, err);
+ if (err)
+ return (-1);
+ SET_PTR((char *)buf, len, tok->tt.priv.priv, tok->tt.priv.privstrlen,
+ tok->len, err);
+ if (err)
+ return (-1);
+ return (0);
+}
+
/*
+ * privtstrlen 1 byte
+ * privtstr N bytes + 1
+ * privstrlen 1 byte
+ * privstr N bytes + 1
+ */
+static int
+fetch_privset_tok(tokenstr_t *tok, u_char *buf, int len)
+{
+ int err = 0;
+
+ READ_TOKEN_U_INT16(buf, len, tok->tt.privset.privtstrlen,
+ tok->len, err);
+ if (err)
+ return (-1);
+ SET_PTR((char *)buf, len, tok->tt.privset.privtstr,
+ tok->tt.privset.privtstrlen, tok->len, err);
+ if (err)
+ return (-1);
+ READ_TOKEN_U_INT16(buf, len, tok->tt.privset.privstrlen,
+ tok->len, err);
+ if (err)
+ return (-1);
+ SET_PTR((char *)buf, len, tok->tt.privset.privstr,
+ tok->tt.privset.privstrlen, tok->len, err);
+ if (err)
+ return (-1);
+ return (0);
+}
+
+static void
+print_privset_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+ __unused char sfrm, int xml)
+{
+ print_tok_type(fp, tok->id, "privilege", raw, xml);
+ if (xml) {
+ open_attr(fp, "type");
+ print_string(fp, tok->tt.privset.privtstr,
+ tok->tt.privset.privtstrlen);
+ close_attr(fp);
+ open_attr(fp, "priv");
+ print_string(fp, tok->tt.privset.privstr,
+ tok->tt.privset.privstrlen);
+ close_attr(fp);
+ } else {
+ print_delim(fp, del);
+ print_string(fp, tok->tt.privset.privtstr,
+ tok->tt.privset.privtstrlen);
+ print_delim(fp, del);
+ print_string(fp, tok->tt.privset.privstr,
+ tok->tt.privset.privstrlen);
+ }
+}
+
+/*
* audit ID 4 bytes
* euid 4 bytes
* egid 4 bytes
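Review bot: print_privset_tok's XML branch never calls `close_tag(fp, tok->id);` after its second `close_attr(fp);`, while print_upriv_tok's XML branch does, so the privilege-set element is left open unless the caller closes it (the XML dispatch code is only partly visible here). The comment above fetch_privset_tok says `privtstrlen 1 byte` and `privstrlen 1 byte`, but the code reads both with READ_TOKEN_U_INT16 and libbsm.h in this change documents them as 2 bytes; the comment should say `2 bytes` for both. The two new print helpers take `(char raw, __unused char sfrm, int xml)`, whereas the existing helper called from the dispatch hunks takes `int oflags` (`print_zonename_tok(outfp, tok, del, oflags);`); giving print_upriv_tok and print_privset_tok an `int oflags` parameter and deriving the raw/XML choice from it would keep the file to one convention and would not depend on `raw` and `sfrm` being in scope at the call sites in the two later bsm_io.c hunks. The status strings in print_upriv_tok are duplicated between the XML and plain branches; computing `const char *status = tok->tt.priv.sorf ? "successful use of priv" : "failed use of priv";` once before the `if (xml)` removes the duplication.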
@@ -4110,6 +4217,12 @@
case AUT_ZONENAME:
return (fetch_zonename_tok(tok, buf, len));
+ case AUT_UPRIV:
+ return (fetch_priv_tok(tok, buf, len));
+
+ case AUT_PRIV:
+ return (fetch_privset_tok(tok, buf, len));
+
default:
return (fetch_invalid_tok(tok, buf, len));
}
@@ -4284,6 +4397,14 @@
print_zonename_tok(outfp, tok, del, oflags);
return;
+ case AUT_UPRIV:
+ print_upriv_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
+ return;
+
+ case AUT_PRIV:
+ print_privset_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
+ return;
+
default:
print_invalid_tok(outfp, tok, del, oflags);
}
@@ -4433,6 +4554,14 @@
}
break;
+ case AUT_UPRIV:
+ print_upriv_tok(outfp, tok, del, raw, sfrm, AU_XML);
+ return;
+
+ case AUT_PRIV:
+ print_privset_tok(outfp, tok, del, raw, sfrm, AU_XML);
+ return;
+
default:
errno = EINVAL;
return (-1);
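Review bot: The new AUT_UPRIV and AUT_PRIV cases end with a bare `return;`, but the `default:` case of the same switch sets errno and does `return (-1);`, which indicates the enclosing function has a non-void return type; if so, `return;` is a constraint violation that compilers diagnose (and some reject), and the cases should end the way the sibling cases above this hunk do, presumably `return (0);`. The case just before ends with `break;` rather than a return, so the convention used by the rest of this switch should be checked before choosing. The enclosing function and the other cases start above this hunk.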
==== //depot/projects/trustedbsd/openbsm/libbsm/bsm_token.c#95 (text+ko) ====
@@ -30,7 +30,7 @@
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
- * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_token.c#94 $
+ * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_token.c#95 $
*/
#include <sys/types.h>
@@ -92,6 +92,59 @@
/*
* token ID 1 byte
+ * success/failure 1 byte
+ * privstrlen 2 bytes
+ * privstr N bytes + 1 (\0 byte)
+ */
+token_t *
+au_to_upriv(char sorf, char *priv)
+{
+ u_int16_t textlen;
+ u_char *dptr;
+ token_t *t;
+
+ textlen = strlen(priv) + 1;
+ GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_char) +
+ sizeof(u_int16_t) + textlen);
+ if (t == NULL)
+ return (NULL);
+ ADD_U_CHAR(dptr, AUT_UPRIV);
+ ADD_U_CHAR(dptr, sorf);
+ ADD_U_INT16(dptr, textlen);
+ ADD_STRING(dptr, priv, textlen);
+ return (t);
+}
+
+/*
+ * token ID 1 byte
+ * privtstrlen 2 bytes
+ * privtstr N bytes + 1
+ * privstrlen 2 bytes
+ * privstr N bytes + 1
+ */
+token_t *
+au_to_privset(char *privtypestr, char *privstr)
+{
+ u_int16_t type_len, priv_len;
+ u_char *dptr;
+ token_t *t;
+
+ type_len = strlen(privtypestr) + 1;
+ priv_len = strlen(privstr) + 1;
+ GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) +
+ sizeof(u_int16_t) + type_len + priv_len);
+ if (t == NULL)
+ return (NULL);
+ ADD_U_CHAR(dptr, AUT_PRIV);
+ ADD_U_INT16(dptr, type_len);
+ ADD_STRING(dptr, privtypestr, type_len);
+ ADD_U_INT16(dptr, priv_len);
+ ADD_STRING(dptr, privstr, priv_len);
+ return (t);
+}
+
+/*
+ * token ID 1 byte
* argument # 1 byte
* argument value 4 bytes/8 bytes (32-bit/64-bit value)
* text length 2 bytes
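Review bot: au_to_upriv and au_to_privset are new non-static functions returning token_t *, but the libbsm.h part of this change adds only the au_priv_t/au_privset_t structs and union members, not prototypes; unless they are declared in a header outside this change, callers get implicit declarations that C99 builds reject. `textlen = strlen(priv) + 1;` (and `type_len`/`priv_len` in au_to_privset) narrows a size_t into a u_int16_t, so a string of 65535 bytes or more is silently truncated to a length that no longer covers its NUL terminator; the existing au_to_* constructors may follow the same pattern, but a guard such as `if (strlen(priv) >= UINT16_MAX) return (NULL);` (UINT16_MAX from <stdint.h>) before the assignment keeps the length field honest. The string parameters are only read, so `const char *priv` and `const char *privtypestr, const char *privstr` would document that and let callers pass literals without a warning. Neither function checks its string argument for NULL before strlen; if the other constructors in this file do not either, that is consistent and worth a one-line comment stating the caller's obligation.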