changeset 3769:7bc24ea07b91
6526159 Provide ON support for 6484744 setflabel uses auditwrite
6530654 bsmrecord(1M) is confused about privilege and authorization
author | gww |
---|---|
date | Tue, 06 Mar 2007 17:10:18 -0800 |
parents | 3648e0773d4b |
children | c224b976a34b |
files | usr/src/cmd/bsmrecord/audit_record_attr.txt usr/src/lib/libbsm/audit_event.txt usr/src/lib/libbsm/common/adt_event.h usr/src/lib/libbsm/common/adt_xlate.c usr/src/lib/libbsm/common/adt_xml.txt |
diffstat | 5 files changed, 206 insertions(+), 33 deletions(-) [+] |
--- a/usr/src/cmd/bsmrecord/audit_record_attr.txt Tue Mar 06 11:02:13 2007 -0800 +++ b/usr/src/cmd/bsmrecord/audit_record_attr.txt Tue Mar 06 17:10:18 2007 -0800 @@ -2,7 +2,7 @@ # Two "#" are comments that are copied to audit_record_attr # other comments are removed. ## -## Copyright 2006 Sun Microsystems, Inc. All rights reserved. +## Copyright 2007 Sun Microsystems, Inc. All rights reserved. ## Use is subject to license terms. ## ## CDDL HEADER START @@ -55,9 +55,11 @@ token=proc:process token=text:text token=tid:terminal_adr -token=uauth:use_of_privilege +token=uauth:use_of_authorization +token=upriv:use_of_privilege token=zone:zonename token=fmri:service_instance +token=label:mandatory_label token=head:header token=subj:subject @@ -73,7 +75,7 @@ # basic record pattern ("insert" is where event-specific tokens # are listed.) -kernel=head:insert:subj:[uauth]:ret +kernel=head:insert:subj:[upriv]:ret user=head:subj:insert:ret # Second Section @@ -2101,30 +2103,33 @@ program=SMC server see= title=SMC: filesystem add - format=text1:[text]2:text3:uauth:text4 + format=text1:[text]2:text3:uauth4:text5 comment=object name: comment=domain: comment=name_service: + comment=authorization used: comment=initial values label=AUE_filesystem_modify program=SMC server see= title=SMC: filesystem modify - format=text1:[text]2:text3:uauth:text4 + format=text1:[text]2:text3:uauth4:text5 comment=object name: comment=domain: comment=name_service: + comment=authorization used: comment=changed values label=AUE_filesystem_delete program=SMC server see= title=SMC: filesystem delete - format=text1:[text]2:text3:uauth:text4 + format=text1:[text]2:text3:uauth4:text5 comment=object name: comment=domain: comment=name_service: + comment=authorization used: comment=deleted values label=AUE_halt_solaris 
@@ -2253,7 +2258,7 @@ label=AUE_mountd_mount title=mountd: NFS mount program=/usr/lib/nfs/mountd - see:mountd(1M) + see=mountd(1M) format=text1:path2 comment=remote client hostname:mount dir # See audit_mountd.c; old BSM manual is way off @@ -2269,30 +2274,33 @@ program=SMC server see= title=SMC: network add - format=text1:[text]2:text3:uauth:text4 + format=text1:[text]2:text3:uauth4:text5 comment=object name: comment=domain: comment=name_service: + comment=authorization used: comment=initial values label=AUE_network_modify program=SMC server see= title=SMC: network modify - format=text1:[text]2:text3:uauth:text4 + format=text1:[text]2:text3:uauth4:text5 comment=object name: comment=domain: comment=name_service: + comment=authorization used: comment=changed values label=AUE_network_delete program=SMC server see= title=SMC: network delete - format=text1:[text]2:text3:uauth:text4 + format=text1:[text]2:text3:uauth4:text5 comment=object name: comment=domain: comment=name_service: + comment=authorization used: comment=deleted values label=AUE_newgrp_login @@ -2311,30 +2319,33 @@ see= program=SMC server title=SMC: printer add - format=text1:[text]2:text3:uauth:text4 + format=text1:[text]2:text3:uauth4:text5 comment=object name: comment=domain: comment=name_service: + comment=authorization used: comment=initial values label=AUE_printer_modify see= program=SMC server title=SMC: printer modify - format=text1:[text]2:text3:uauth:text4 + format=text1:[text]2:text3:uauth4:text5 comment=object name: comment=domain: comment=name_service: + comment=authorization used: comment=changed values label=AUE_printer_delete program=SMC server see= title=SMC: printer delete - format=text1:[text]2:text3:uauth:text4 + format=text1:[text]2:text3:uauth4:text5 comment=object name: comment=domain: comment=name_service: + comment=authorization used: comment=deleted values label=AUE_poweroff_solaris 
@@ -2425,30 +2436,33 @@ program=SMC server see= title=SMC: scheduled job add - format=text1:[text]2:text3:uauth:text4 + format=text1:[text]2:text3:uauth4:text5 comment=object name: comment=domain: comment=name_service: + comment=authorization used: comment=initial values label=AUE_scheduledjob_modify see= program=SMC server title=SMC: scheduled job modify - format=text1:[text]2:text3:uauth:text4 + format=text1:[text]2:text3:uauth4:text5 comment=object name: comment=domain: comment=name_service: + comment=authorization used: comment=changed values label=AUE_scheduledjob_delete program=SMC server see= title=SMC: scheduled job delete - format=text1:[text]2:text3:uauth:text4 + format=text1:[text]2:text3:uauth4:text5 comment=object name: comment=domain: comment=name_service: + comment=authorization used: comment=deleted values label=AUE_screenlock @@ -2463,30 +2477,33 @@ program=SMC server see= title=SMC: serial port add - format=text1:[text]2:text3:uauth:text4 + format=text1:[text]2:text3:uauth4:text5 comment=object name: comment=domain: comment=name_service: + comment=authorization used: comment=initial values label=AUE_serialport_modify program=SMC server see= title=SMC: serial port modify - format=text1:[text]2:text3:uauth:text4 + format=text1:[text]2:text3:uauth4:text5 comment=object name: comment=domain: comment=name_service: + comment=authorization used: comment=changed values label=AUE_serialport_delete program=SMC server see= title=SMC: serial port add - format=text1:[text]2:text3:uauth:text4 + format=text1:[text]2:text3:uauth4:text5 comment=object name: comment=domain: comment=name_service: + comment=authorization used: comment=deleted values label=AUE_shutdown_solaris @@ -2542,7 +2559,7 @@ program=SMC server see= title=SMC: Use of Authorization - format=text1:text2 + format=uauth1:text2 comment=authorization used: comment=object name 
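Review bot: In the AUE_serialport_delete entry of hunk @@ -2463,30 +2477,33 @@ the title still reads `title=SMC: serial port add`, identical to the AUE_serialport_add entry above it, so bsmrecord(1M) would print the wrong title for the delete record; the commit rewrites the format line of that entry but leaves the title as is. Change it to `title=SMC: serial port delete`, following the add/modify/delete naming the other SMC entries in this hunk use.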
@@ -2550,10 +2567,11 @@ see= program=SMC server title=SMC: User Manager add - format=text1:[text]2:text3:uauth:text4 + format=text1:[text]2:text3:uauth4:text5 comment=object name: comment=domain: comment=name_service: + comment=authorization used: comment=initial values # header,137,2,add user/user attributes,,Tue Oct 23 12:45:26 2001, + 725 msec # subject,tuser1,tuser1,emacs,tuser1,emacs,23404,2926062642,0 0 0.0.0.0 @@ -2567,20 +2585,22 @@ program=SMC server see= title=SMC: User Manager modify - format=text1:[text]2:text3:uauth:text4 + format=text1:[text]2:text3:uauth4:text5 comment=object name: comment=domain: comment=name_service: + comment=authorization used: comment=changed values label=AUE_usermgr_delete program=SMC server see= title=SMC: User Manager delete - format=text1:[text]2:text3:uauth:text4 + format=text1:[text]2:text3:uauth4:text5 comment=object name: comment=domain: comment=name_service: + comment=authorization used: comment=deleted values label=AUE_zone_state @@ -2610,7 +2630,7 @@ label=AUE_dladm_create_secobj program=/usr/sbin/dladm - title:create wifi security object + title=create wifi security object see=dladm(1M) format=uauth1:text2:text3 comment=authorization used: @@ -2619,9 +2639,30 @@ label=AUE_dladm_delete_secobj program=/usr/sbin/dladm - title:delete wifi security object + title=delete wifi security object see=dladm(1M) format=uauth1:text2:text3 comment=authorization used: comment=object class name: comment=object name + +label=AUE_file_relabel + title=relabel file from one zone to another + program=setlabel(1) + see=setflabel(3TSOL) + format=uauth1:text2:label3:label4 + comment=authorization used: + comment=file relabeled: + comment=original label: + comment=new label + +label=AUE_file_copy + title=copy file to another zone + program=dtfile(1X) + see= + format=uauth1:text2:label3:text4:label5 + comment=authorization used: + comment=source file: + comment=source label: + comment=destination directory: + comment=destination label
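Review bot: The new AUE_file_relabel and AUE_file_copy entries describe the file-name fields as text tokens (`format=uauth1:text2:label3:label4` and `format=uauth1:text2:label3:text4:label5`), while adt_xml.txt in this same change maps `file`, `src_file` and `dst_file` to `<internal token="path"/>` and the generated adt_xlate.c tables emit `AUT_PATH` for those positions, so bsmrecord(1M) would document a record shape that libbsm does not produce. If the adt_xml.txt definition is the authoritative one, the two lines should read `format=uauth1:path2:label3:label4` and `format=uauth1:path2:label3:path4:label5`, as the existing mountd entry already does with `path2`. Separately, `program=setlabel(1)` and `program=dtfile(1X)` are man-page references where the neighbouring entries put the program path in `program=` (for example `program=/usr/sbin/dladm`) and the reference in `see=`; the new entries would be easier to cross-check if they kept that split.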
--- a/usr/src/lib/libbsm/audit_event.txt	Tue Mar 06 11:02:13 2007 -0800
+++ b/usr/src/lib/libbsm/audit_event.txt	Tue Mar 06 17:10:18 2007 -0800
@@ -1,5 +1,5 @@
 #
-# Copyright 2006 Sun Microsystems, Inc. All rights reserved.
+# Copyright 2007 Sun Microsystems, Inc. All rights reserved.
 # Use is subject to license terms.
 #
 #
@@ -434,8 +434,9 @@
 # Trusted Extensions events:
 #
 9035:AUE_sl_change:Workspace label change:ap
+9036:AUE_file_relabel:relabel file:fm
 9037:AUE_file_copy:file copy:fm
-9038:AUE_file_move:file move:fm
+9038:AUE_file_move:file move:no
 9039:AUE_sel_mgr_xfer:selection manager transfer:fm
 9101:AUE_ClientConnect:client connection to x server:lo
 9102:AUE_ClientDisconnect:client disconn. from x server:lo
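Review bot: `9038:AUE_file_move:file move:no` moves the event out of class fm into class no, which takes it out of every class-based audit preselection, and neither the commit description nor a comment in the file says why; the other files in this change define only AUE_file_relabel and AUE_file_copy, so the event appears to have no generator in this code, but that is inferred rather than shown here. If the event is deliberately left without a class, say so on the line above it, e.g. `# 9038 AUE_file_move intentionally has no class; <reason>`, so a later reader does not silently restore it to fm.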
--- a/usr/src/lib/libbsm/common/adt_event.h	Tue Mar 06 11:02:13 2007 -0800
+++ b/usr/src/lib/libbsm/common/adt_event.h	Tue Mar 06 17:10:18 2007 -0800
@@ -21,7 +21,7 @@
 /*
  * adt_event.h
  *
- * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
  * Use is subject to license terms.
  *
  * AUTOMATICALLY GENERATED CODE; DO NOT EDIT; CONTACT AUDIT PROJECT
@@ -97,6 +97,8 @@
 #define ADT_detach 43
 #define ADT_dladm_create_secobj 47
 #define ADT_dladm_delete_secobj 48
+#define ADT_file_copy 50
+#define ADT_file_relabel 49
 #define ADT_filesystem_add 4
 #define ADT_filesystem_delete 5
 #define ADT_filesystem_modify 6
@@ -177,6 +179,23 @@
 };
 typedef struct adt_dladm_delete_secobj adt_dladm_delete_secobj_t;
 
+struct adt_file_copy { /* ADT_file_copy */
+	char *auth_used; /* required */
+	char *src_file; /* required */
+	m_label_t *src_label; /* required */
+	char *dst_file; /* required */
+	m_label_t *dst_label; /* required */
+};
+typedef struct adt_file_copy adt_file_copy_t;
+
+struct adt_file_relabel { /* ADT_file_relabel */
+	char *auth_used; /* required */
+	char *file; /* required */
+	m_label_t *src_label; /* required */
+	m_label_t *dst_label; /* required */
+};
+typedef struct adt_file_relabel adt_file_relabel_t;
+
 struct adt_filesystem_add { /* ADT_filesystem_add */
 	char *object_name; /* required */
 	char *domain; /* optional */
@@ -501,6 +520,8 @@
 	adt_detach_t adt_detach;
 	adt_dladm_create_secobj_t adt_dladm_create_secobj;
 	adt_dladm_delete_secobj_t adt_dladm_delete_secobj;
+	adt_file_copy_t adt_file_copy;
+	adt_file_relabel_t adt_file_relabel;
 	adt_filesystem_add_t adt_filesystem_add;
 	adt_filesystem_delete_t adt_filesystem_delete;
 	adt_filesystem_modify_t adt_filesystem_modify;
--- a/usr/src/lib/libbsm/common/adt_xlate.c	Tue Mar 06 11:02:13 2007 -0800
+++ b/usr/src/lib/libbsm/common/adt_xlate.c	Tue Mar 06 17:10:18 2007 -0800
@@ -21,7 +21,7 @@
 /*
  * adt_xlate.c
  *
- * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
  * Use is subject to license terms.
  *
  * AUTOMATICALLY GENERATED CODE; DO NOT EDIT; CONTACT AUDIT PROJECT
@@ -54,6 +54,7 @@
 	{ADT_UINT16, sizeof (uint16_t)},
 	{ADT_UINT16, sizeof (uint16_t)},
 	{ADT_UINT32ARRAY, 4 * sizeof (uint32_t)}};
+static datadef adr6[1] = {{ADT_MLABELSTAR, sizeof (m_label_t *)}};
 
 /* External event structure to internal event structure */
 
@@ -157,6 +158,52 @@
 	&XX_dladm_delete_secobj[0],
 	&XX_dladm_delete_secobj[0]
 };
+static struct entry XX_file_copy[7] = {
+	{AUT_SUBJECT, 1, NULL, &(XX_file_copy[1]),
+	    0, 0, 0, NULL},
+	{AUT_UAUTH, 1, &adr1[0], &(XX_file_copy[2]),
+	    0, 1, 0, NULL},
+	{AUT_PATH, 1, &adr1[0], &(XX_file_copy[3]),
+	    0, 1, 0, NULL},
+	{AUT_LABEL, 1, &adr6[0], &(XX_file_copy[4]),
+	    0, 1, 0, NULL},
+	{AUT_PATH, 1, &adr1[0], &(XX_file_copy[5]),
+	    0, 1, 0, NULL},
+	{AUT_LABEL, 1, &adr6[0], &(XX_file_copy[6]),
+	    0, 1, 0, NULL},
+	{AUT_RETURN, 1, NULL, NULL,
+	    0, 0, 0, NULL}
+};
+static struct translation X_file_copy = {
+	0,
+	ADT_file_copy,
+	AUE_file_copy,
+	7,
+	&XX_file_copy[0],
+	&XX_file_copy[0]
+};
+static struct entry XX_file_relabel[6] = {
+	{AUT_SUBJECT, 1, NULL, &(XX_file_relabel[1]),
+	    0, 0, 0, NULL},
+	{AUT_UAUTH, 1, &adr1[0], &(XX_file_relabel[2]),
+	    0, 1, 0, NULL},
+	{AUT_PATH, 1, &adr1[0], &(XX_file_relabel[3]),
+	    0, 1, 0, NULL},
+	{AUT_LABEL, 1, &adr6[0], &(XX_file_relabel[4]),
+	    0, 1, 0, NULL},
+	{AUT_LABEL, 1, &adr6[0], &(XX_file_relabel[5]),
+	    0, 1, 0, NULL},
+	{AUT_RETURN, 1, NULL, NULL,
+	    0, 0, 0, NULL}
+};
+static struct translation X_file_relabel = {
+	0,
+	ADT_file_relabel,
+	AUE_file_relabel,
+	6,
+	&XX_file_relabel[0],
+	&XX_file_relabel[0]
+};
 static struct entry XX_filesystem_add[7] = {
 	{AUT_SUBJECT, 1, NULL, &(XX_filesystem_add[1]),
 	    0, 0, 0, NULL},
@@ -1019,12 +1066,14 @@
 	&XX_zone_state[0],
 	&XX_zone_state[0]
 };
-struct translation *xlate_table[49] = {
+struct translation *xlate_table[51] = {
 	&X_admin_authenticate,
 	&X_attach,
 	&X_detach,
 	&X_dladm_create_secobj,
 	&X_dladm_delete_secobj,
+	&X_file_copy,
+	&X_file_relabel,
 	&X_filesystem_add,
 	&X_filesystem_delete,
 	&X_filesystem_modify,
--- a/usr/src/lib/libbsm/common/adt_xml.txt	Tue Mar 06 11:02:13 2007 -0800
+++ b/usr/src/lib/libbsm/common/adt_xml.txt	Tue Mar 06 17:10:18 2007 -0800
@@ -20,7 +20,7 @@
 CDDL HEADER END
 
-Copyright 2006 Sun Microsystems, Inc. All rights reserved.
+Copyright 2007 Sun Microsystems, Inc. All rights reserved.
 Use is subject to license terms.
 
 ident	"%Z%%M% %I% %E% SMI"
 
@@ -883,8 +883,69 @@
 	    header="0" idNo="48" omit="JNI">
 	</event>
 
-<!-- add new everts here with the next higher idNo -->
-<!-- Highest idNo is 48, so next is 49, then fix this comment -->
+<!-- Trusted eXtensions (TX) events -->
+
+	<!-- labeld events -->
+	<event id="AUE_file_relabel" header="0" idNo="49" omit="JNI">
+	  <entry id="subject">
+	    <internal token="subject"/>
+	    <external opt="none"/>
+	  </entry>
+	  <entry id="auth_used">
+	    <internal token="uauth"/>
+	    <external opt="required" type="char *"/>
+	  </entry>
+	  <entry id="file">
+	    <internal token="path"/>
+	    <external opt="required" type="char *"/>
+	  </entry>
+	  <entry id="src_label">
+	    <internal token="label"/>
+	    <external opt="required" type="m_label_t *"/>
+	  </entry>
+	  <entry id="dst_label">
+	    <internal token="label"/>
+	    <external opt="required" type="m_label_t *"/>
+	  </entry>
+	  <entry id="return">
+	    <internal token="return"/>
+	    <external opt="none"/>
+	  </entry>
+	</event>
+
+	<event id="AUE_file_copy" header="0" idNo="50" omit="JNI">
+	  <entry id="subject">
+	    <internal token="subject"/>
+	    <external opt="none"/>
+	  </entry>
+	  <entry id="auth_used">
+	    <internal token="uauth"/>
+	    <external opt="required" type="char *"/>
+	  </entry>
+	  <entry id="src_file">
+	    <internal token="path"/>
+	    <external opt="required" type="char *"/>
+	  </entry>
+	  <entry id="src_label">
+	    <internal token="label"/>
+	    <external opt="required" type="m_label_t *"/>
+	  </entry>
+	  <entry id="dst_file">
+	    <internal token="path"/>
+	    <external opt="required" type="char *"/>
+	  </entry>
+	  <entry id="dst_label">
+	    <internal token="label"/>
+	    <external opt="required" type="m_label_t *"/>
+	  </entry>
+	  <entry id="return">
+	    <internal token="return"/>
+	    <external opt="none"/>
+	  </entry>
+	</event>
+
+<!-- add new events here with the next higher idNo -->
+<!-- Highest idNo is 50, so next is 51, then fix this comment -->
 
 <!-- end of C Only events -->
 
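Review bot: The new comment `<!-- labeld events -->` sits above AUE_file_relabel and AUE_file_copy, yet audit_record_attr.txt in this same change attributes those records to setlabel(1) and dtfile(1X), so a reader of adt_xml.txt is pointed at the wrong generator. Unless labeld really is the intended emitter, name the group by what it contains, e.g. `<!-- file relabel and cross-zone copy events (see audit_record_attr.txt for the programs) -->`. It would also help a future maintainer to note next to the `m_label_t *` entries that the label pointers are passed as `required`, since every other required field in these two events is a `char *` and the generated adt_xlate.c uses a separate `adr6` descriptor for them.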