adt_token.c revision 047f6e6f42a3d50d3e38a05c00bf7dd3fafac726
/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License (the "License").
* You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*/
/*
*
* Copyright 2010 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*
* This file does not provide any user callable functions. See adt.c
*/
#include <bsm/adt_event.h>
#include <adt_xlate.h>
#include <alloca.h>
#include <assert.h>
#include <netdb.h>
#include <priv.h>
#include <string.h>
#include <strings.h>
#include <stdlib.h>
#include <time.h>
#include <unistd.h>
#include <sys/priv_names.h>
#ifdef C2_DEBUG
/* 0x + Classification + Compartments + end of string */
static char *
{
return ("hex label failed");
}
return (hex);
}
#else /* !C2_DEBUG */
#define DPRINTF(x)
#define DFLUSH
#endif /* C2_DEBUG */
static adt_token_func_t adt_getTokenFunction(char);
static char *empty = "";
/*
* call adt_token_open() first and adt_token_close() last.
*
* au_open is sort of broken; it returns a -1 when out of memory that
* you're supposed to ignore; au_write and au_close return without
* doing anything when a -1 is passed. This code sort of follows the
* au_open model except that it calls syslog to indicate underlying
* brokenness. Other than that, -1 is ignored.
*/
void
{
static int have_syslogged = 0;
if (event->ae_event_handle < 0) {
if (!have_syslogged) {
have_syslogged = 1;
}
} else {
have_syslogged = 0;
}
}
/*
* call generate_token for each token in the order you want the tokens
* generated.
*/
void
struct adt_event_state *event)
{
DPRINTF(("p_entry=%p, p_data=%p, offset=%llu, msgFmt=%s\n",
p_entry->en_msg_format));
}
/* call this last */
int
{
int rc;
if (rc < 0)
return (rc);
}
/*
* one function per token -- see the jump table at the end of file
*/
/* ARGSUSED */
static void
{
#ifdef _LP64
#else
#endif
}
/*
* AUT_CMD
*
* the command line is described with argc and argv and the environment
* with envp. The envp list is NULL terminated and has no separate
* counter; envp will be a NULL list unless the AUDIT_ARGE policy is
* set.
*/
/* ARGSUSED */
static void
{
int argc;
char **argv;
}
/*
* special case of AUT_CMD with 1 argument that is
* a string showing the whole command and no envp
*/
/* ARGSUSED */
static void
{
char *string;
if (required) {
} else {
return;
}
}
/* argc is hardcoded as 1 */
NULL));
}
/*
* adt_to_tid -- generic address (ip is only one defined at present)
* input:
* terminal type: ADT_IPv4, ADT_IPv6...
* case: ADT_IPv4 or ADT_IPv6...
* ip type
* remote port
* local port
* address
* case: not defined...
*/
/* ARGSUSED */
static void
{
switch (type) {
case ADT_IPv4:
case ADT_IPv6:
sizeof (uint32_t));
sizeof (uint16_t));
/* arg3 is for the array element, not the array size */
sizeof (uint32_t));
break;
default:
return;
}
}
/*
* au_to_frmi takes a char * that is the fmri.
*/
/* ARGSUSED */
static void
{
char *fmri;
if (required) {
} else {
return;
}
}
}
/*
* au_to_label takes an m_label_t * that is the label.
*/
/* ARGSUSED */
static void
{
} else {
DPRINTF((" Null label\n"));
if (required)
adt_write_syslog("adt_to_label no required label", 0);
}
}
/*
* au_to_newgroups takes a length and an array of gids
* as input. The input to adt_to_newgroups is a length
* and a pointer to an array of gids.
*/
/* ARGSUSED */
static void
{
int n;
if (n < 1) {
if (required) {
n = 0; /* in case negative n was passed */
} else {
return;
}
}
}
/* ARGSUSED */
static void
{
char *path;
} else {
DPRINTF((" Null path\n"));
if (required) {
au_to_path(empty));
}
}
}
/*
* dummy token id: AUT_PATHLIST
*/
/* ARGSUSED */
static void
{
char *path;
char *working_buf;
char *pathlist;
char *last_str;
if (working_buf == NULL) {
if (required) {
au_to_path(empty));
}
return;
}
au_to_path(path));
}
} else {
DPRINTF((" Null path list\n"));
if (required)
au_to_path(empty));
}
}
/*
* AUT_PRIV
*/
/* ARGSUSED */
static void
{
} else {
if (required) {
DPRINTF((" Null privilege\n"));
}
}
}
/*
* -AUT_PRIV_L AUT_PRIV for a limit set
*/
/* ARGSUSED */
static void
{
}
/*
* -AUT_PRIV_I AUT_PRIV for an inherit set
*/
/* ARGSUSED */
static void
{
}
/* ARGSUSED */
static void
{
}
static void
{
int rc;
if (*pid == 0) { /* getpinfo for this pid */
} else {
}
sizeof (struct auditpinfo_addr));
if (rc == -1) {
sizeof (au_tid_addr_t));
}
}
/*
* AUT_PROCESS
*
*/
/* ARGSUSED */
static void
{
struct auditpinfo_addr info;
sizeof (au_tid_addr_t *));
if (auid == AU_NOAUDITID)
if (euid == AU_NOAUDITID)
if (egid == AU_NOAUDITID)
if (ruid == AU_NOAUDITID)
if (rgid == AU_NOAUDITID)
if (sid == 0)
if (pid == 0)
}
/*
* Generate subject information.
* If labels are present, generate the subject label token.
* If the group audit policy is set, generate the subject group token.
*
* The required flag does not apply here.
*
* Non-attributable records are indicated by an auid of AU_NOAUDITID;
* no subject token or group token is generated for a non-attributable
* record.
*/
/* ARGSUSED */
static void
{
return;
if (is_system_labeled()) {
}
/*
* Add optional tokens if in the process model.
* In a session model, the groups list is undefined and label
* is in the state.
*/
int group_count;
}
}
}
}
/*
* adt_to_text()
*
* The format string, normally null, is sort of a wrapper around
* the input. adt_write_text() is a wrapper around au_write that
* handles the format string
*
*/
#define TEXT_LENGTH 49
static void
{
} else {
}
}
static void
{
static int have_syslogged = 0;
char *string;
char **string_list;
int i, arrayCount;
int list_index;
switch (def->dd_datatype) {
case ADT_DATE:
/*
* Consider creating a separate token type for dates
* -- store as longs and format them in praudit.
* For now, a date is input as a time_t and output as
* a text token. If we do this, we need to consider
* carrying timezone info so that praudit can
* represent times in an unambiguous manner.
*/
if (required) {
} else {
break;
}
}
break;
/*
* The "input size" is overloaded to mean the list number
* and the msg_selector indexes the desired string in
* that list
*/
case ADT_MSG:
string = "Invalid message index";
} else {
}
if (required) {
} else {
break;
}
}
break;
case ADT_UID:
case ADT_GID:
case ADT_UINT:
case ADT_UINT32:
break;
case ADT_INT:
case ADT_INT32:
break;
case ADT_LONG:
break;
case ADT_UIDSTAR:
case ADT_GIDSTAR:
case ADT_UINT32STAR:
sizeof (int));
if (arrayCount < 0)
arrayCount = 0;
for (; arrayCount > 0; arrayCount--) {
"%d ", *int_list++);
if (written < 1)
break;
}
} else if (required) {
} else {
break;
}
break;
case ADT_ULONG:
break;
case ADT_UINT64:
break;
case ADT_CHARSTAR:
if (required) {
} else {
break;
}
}
break;
case ADT_CHAR2STAR:
sizeof (int));
if (arrayCount < 0)
arrayCount = 0;
for (i = 0; i < arrayCount; i++) {
string = string_list[i];
}
} else if (required) {
} else {
break;
}
break;
default:
if (!have_syslogged) { /* don't flood the log */
adt_write_syslog("unsupported data conversion",
ENOTSUP);
have_syslogged = 1;
}
break;
}
}
/*
* AUT_UAUTH
*/
/* ARGSUSED */
static void
{
char *string;
if (required) {
} else {
return;
}
}
}
/*
* AUT_USER
*/
/* ARGSUSED */
static void
{
char *username;
if (required) {
} else {
return;
}
}
}
/*
* AUT_ZONENAME
*/
/* ARGSUSED */
static void
{
char *name;
} else {
DPRINTF((" Null name\n"));
if (required) {
}
}
}
/*
* ADT_IN_PEER dummy token
*/
/* ARGSUSED */
static void
{
int sock;
struct sockaddr_in6 peer;
if (sock < 0) {
if (required) {
adt_write_syslog("adt_to_in_peer no required socket",
0);
}
return;
}
< 0) {
return;
}
} else {
}
}
/*
* ADT_IN_REMOTE dummy token
*
* Similar to ADT_IN_PEER except the input is
*/
/* ARGSUSED */
static void
{
if (type == 0) {
if (required == 0) {
return;
}
/* required and not specified */
adt_write_syslog("adt_to_in_remote required address not "
"specified", 0);
}
sizeof (uint32_t));
switch (type) {
case ADT_IPv4:
break;
case ADT_IPv6:
break;
default:
return;
}
}
/*
* adt_to_iport takes a uint16_t IP port.
*/
/* ARGSUSED */
static void
{
if (port == 0) {
if (required == 0) {
return;
}
/* required and not specified */
adt_write_syslog("adt_to_iport no required port", 0);
}
}
/*
* This is a compact table that defines only the tokens that are
* actually generated in the adt.xml file. It can't be a pure
* indexed table because the adt.xml language defines internal extension
* tokens for some processing. VIZ. ADT_CMD_ALT, ADT_AUT_PRIV_* (see
* adt_xlate.h), and the -AUT_PATH value.
*/
#define MAX_TOKEN_JMP 21
{
{AUT_CMD, adt_to_cmd},
{AUT_FMRI, adt_to_frmi},
{AUT_PATH, adt_to_path},
{AUT_TEXT, adt_to_text},
{AUT_TID, adt_to_tid},
{AUT_USER, adt_to_user},
};
/*
* {AUT_ACL, adt_to_acl}, not used
* {AUT_ARBITRARY, adt_to_arbitrary}, AUT_ARBITRARY is undefined
* {AUT_ARG, adt_to_arg}, not used
* {AUT_ATTR, adt_to_attr}, not used in mountd
* {AUT_XATOM, adt_to_atom}, not used
* {AUT_EXEC_ARGS, adt_to_exec_args}, not used
* {AUT_EXEC_ENV, adt_to_exec_env}, not used
* {AUT_EXIT, adt_to_exit}, obsolete
* {AUT_FILE, adt_to_file}, AUT_FILE is undefined
* {AUT_XCOLORMAP, adt_to_colormap}, not used
* {AUT_XCURSOR, adt_to_cursor}, not used
* {AUT_XFONT, adt_to_font}, not used
* {AUT_XGC, adt_to_gc}, not used
* {AUT_GROUPS, adt_to_groups}, obsolete
* {AUT_HEADER, adt_to_header}, generated by au_close
* {AUT_IP, adt_to_ip}, not used
* {AUT_IPC, adt_to_ipc}, not used
* {AUT_IPC_PERM, adt_to_ipc_perm}, not used
* {AUT_OPAQUE, adt_to_opaque}, not used
* {AUT_XPIXMAP, adt_to_pixmap}, not used
* {AUT_XPROPERTY, adt_to_property}, not used
* {AUT_SEQ, adt_to_seq}, not used
* {AUT_SOCKET, adt_to_socket}, not used
* {AUT_SOCKET_INET, adt_to_socket_inet}, AUT_SOCKET_INET is undefined
* {AUT_TRAILER, adt_to_trailer}, generated by au_close
* {AUT_XCLIENT, adt_to_xclient} not used
*/
/* find function to generate token */
static adt_token_func_t
adt_getTokenFunction(char token_id)
{
int i;
for (i = 0; i < MAX_TOKEN_JMP; i++) {
}
p_jmp++;
}
return (NULL);
}
/*
* adjustAddress -- given the address of data, its size, and the type of
* the next data field, calculate the offset to the next piece of data.
* Depending on the caller, "current" and "next" mean the current pointer
* and the next pointer or the last pointer and the current pointer.
*/
void *
{
if (next_size) {
if (remainder != 0)
}
return ((char *)adjustment);
}