PERFORCE change 153856 for review
Christian S.J. Peron
csjp at FreeBSD.org
Sun Nov 30 13:44:14 PST 2008
http://perforce.freebsd.org/chv.cgi?CH=153856
Change 153856 by csjp at hvm02 on 2008/11/30 21:43:58
Re-factor audit_submit() so that it attempts to use getaudit_addr(2) before
falling back on to getaudit(2).
Affected files ...
.. //depot/projects/trustedbsd/openbsm/libbsm/bsm_wrappers.c#27 edit
Differences ...
==== //depot/projects/trustedbsd/openbsm/libbsm/bsm_wrappers.c#27 (text+ko) ====
@@ -26,7 +26,7 @@
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
- * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_wrappers.c#26 $
+ * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_wrappers.c#27 $
*/
#ifdef __APPLE__
@@ -69,6 +69,7 @@
int error, afd, subj_ex;
struct auditinfo ai;
struct auditinfo_addr aia;
+ au_tid_t atid;
if (auditon(A_GETCOND, &acond, sizeof(acond)) < 0) {
/*
@@ -85,7 +86,6 @@
}
if (acond == AUC_NOAUDIT)
return (0);
- /* XXXCSJP we should be doing a pre-select here */
afd = au_open();
if (afd < 0) {
error = errno;
@@ -95,30 +95,51 @@
return (-1);
}
/*
- * Some operating systems do not have getaudit_addr(2) implemented
- * yet. So we try to use getaudit(2) first, if the subject is
- * using IPv6, then we will have to try getaudit_addr(2). Failing
- * this, we return error.
+ * Try to use getaudit_addr(2) first. If this kernel does not support
+ * it, then fall back on to getaudit(2).
*/
subj_ex = 0;
- error = getaudit(&ai);
- if (error < 0 && errno == E2BIG) {
- error = getaudit_addr(&aia, sizeof(aia));
- if (error == 0)
- subj_ex = 1;
- }
- if (error < 0) {
+ error = getaudit_addr(&aia, sizeof(aia));
+ if (error < 0 && errno == ENOSYS) {
+ error = getaudit(&ai);
+ if (error < 0) {
+ error = errno;
+ syslog(LOG_AUTH | LOG_ERR, "audit: getaudit failed: %s",
+ strerror(errno));
+ errno = error;
+ return (-1);
+ }
+ /*
+ * Convert this auditinfo_t to an auditinfo_addr_t to make the
+ * following code less complicated wrt to preselection and
+ * subject token generation.
+ */
+ aia.ai_auid = ai.ai_auid;
+ aia.ai_mask = ai.ai_mask;
+ aia.ai_asid = ai.ai_asid;
+ aia.ai_termid.at_type = AU_IPv4;
+ aia.ai_termid.at_addr[0] = ai.ai_termid.machine;
+ aia.ai_termid.at_port = ai.ai_termid.port;
+ } else if (error < 0) {
error = errno;
- syslog(LOG_AUTH | LOG_ERR, "audit: getaudit failed: %s",
+ syslog(LOG_AUTH | LOG_ERR, "audit: getaudit_addr failed: %s",
strerror(errno));
errno = error;
return (-1);
}
+ /*
+ * NB: We should be performing pre-selection here now that we have the
+ * masks for this process.
+ */
+ if (aia.ai_termid.at_type == AU_IPv6)
+ subj_ex = 1;
pid = getpid();
- if (subj_ex == 0)
+ if (subj_ex == 0) {
+ atid.port = aia.ai_termid.at_port;
+ atid.machine = aia.ai_termid.at_addr[0];
token = au_to_subject32(auid, geteuid(), getegid(),
- getuid(), getgid(), pid, pid, &ai.ai_termid);
- else
+ getuid(), getgid(), pid, pid, &atid);
+ } else
token = au_to_subject_ex(auid, geteuid(), getegid(),
getuid(), getgid(), pid, pid, &aia.ai_termid);
if (token == NULL) {
More information about the p4-projects
mailing list