changeset 3769:7bc24ea07b91

6526159 Provide ON support for 6484744 setflabel uses auditwrite 6530654 bsmrecord(1M) is confused about privilege and authorization
author gww
date Tue, 06 Mar 2007 17:10:18 -0800
parents 3648e0773d4b
children c224b976a34b
files usr/src/cmd/bsmrecord/audit_record_attr.txt usr/src/lib/libbsm/audit_event.txt usr/src/lib/libbsm/common/adt_event.h usr/src/lib/libbsm/common/adt_xlate.c usr/src/lib/libbsm/common/adt_xml.txt
diffstat 5 files changed, 206 insertions(+), 33 deletions(-) [+]
--- a/usr/src/cmd/bsmrecord/audit_record_attr.txt	Tue Mar 06 11:02:13 2007 -0800
+++ b/usr/src/cmd/bsmrecord/audit_record_attr.txt	Tue Mar 06 17:10:18 2007 -0800
@@ -2,7 +2,7 @@
 # Two "#" are comments that are copied to audit_record_attr
 # other comments are removed.
 ##
-## Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
+## Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
 ## Use is subject to license terms.
 ##
 ## CDDL HEADER START
@@ -55,9 +55,11 @@
 token=proc:process
 token=text:text
 token=tid:terminal_adr
-token=uauth:use_of_privilege
+token=uauth:use_of_authorization
+token=upriv:use_of_privilege
 token=zone:zonename
 token=fmri:service_instance
+token=label:mandatory_label
 
 token=head:header
 token=subj:subject
@@ -73,7 +75,7 @@
 # basic record pattern ("insert" is where event-specific tokens
 # are listed.)
 
-kernel=head:insert:subj:[uauth]:ret
+kernel=head:insert:subj:[upriv]:ret
 user=head:subj:insert:ret
 
 # Second Section
@@ -2101,30 +2103,33 @@
   program=SMC server
   see=
   title=SMC: filesystem add
-  format=text1:[text]2:text3:uauth:text4
+  format=text1:[text]2:text3:uauth4:text5
   comment=object name:
   comment=domain:
   comment=name_service:
+  comment=authorization used:
   comment=initial values
 
 label=AUE_filesystem_modify
   program=SMC server
   see=
   title=SMC: filesystem modify
-  format=text1:[text]2:text3:uauth:text4
+  format=text1:[text]2:text3:uauth4:text5
   comment=object name:
   comment=domain:
   comment=name_service:
+  comment=authorization used:
   comment=changed values
 
 label=AUE_filesystem_delete
   program=SMC server
   see=
   title=SMC: filesystem delete
-  format=text1:[text]2:text3:uauth:text4
+  format=text1:[text]2:text3:uauth4:text5
   comment=object name:
   comment=domain:
   comment=name_service:
+  comment=authorization used:
   comment=deleted values
 
 label=AUE_halt_solaris
@@ -2253,7 +2258,7 @@
 label=AUE_mountd_mount
   title=mountd: NFS mount
   program=/usr/lib/nfs/mountd
-  see:mountd(1M)
+  see=mountd(1M)
   format=text1:path2
     comment=remote client hostname:mount dir
 # See audit_mountd.c; old BSM manual is way off
@@ -2269,30 +2274,33 @@
   program=SMC server
   see=
   title=SMC: network add
-  format=text1:[text]2:text3:uauth:text4
+  format=text1:[text]2:text3:uauth4:text5
   comment=object name:
   comment=domain:
   comment=name_service:
+  comment=authorization used:
   comment=initial values
 
 label=AUE_network_modify
   program=SMC server
   see=
   title=SMC: network modify
-  format=text1:[text]2:text3:uauth:text4
+  format=text1:[text]2:text3:uauth4:text5
   comment=object name:
   comment=domain:
   comment=name_service:
+  comment=authorization used:
   comment=changed values
 
 label=AUE_network_delete
   program=SMC server
   see=
   title=SMC: network delete
-  format=text1:[text]2:text3:uauth:text4
+  format=text1:[text]2:text3:uauth4:text5
   comment=object name:
   comment=domain:
   comment=name_service:
+  comment=authorization used:
   comment=deleted values
 
 label=AUE_newgrp_login
@@ -2311,30 +2319,33 @@
   see=
   program=SMC server
   title=SMC: printer add
-  format=text1:[text]2:text3:uauth:text4
+  format=text1:[text]2:text3:uauth4:text5
   comment=object name:
   comment=domain:
   comment=name_service:
+  comment=authorization used:
   comment=initial values
 
 label=AUE_printer_modify
   see=
   program=SMC server
   title=SMC: printer modify
-  format=text1:[text]2:text3:uauth:text4
+  format=text1:[text]2:text3:uauth4:text5
   comment=object name:
   comment=domain:
   comment=name_service:
+  comment=authorization used:
   comment=changed values
 
 label=AUE_printer_delete
   program=SMC server
   see=
   title=SMC: printer delete
-  format=text1:[text]2:text3:uauth:text4
+  format=text1:[text]2:text3:uauth4:text5
   comment=object name:
   comment=domain:
   comment=name_service:
+  comment=authorization used:
   comment=deleted values
 
 label=AUE_poweroff_solaris
@@ -2425,30 +2436,33 @@
   program=SMC server
   see=
   title=SMC: scheduled job add
-  format=text1:[text]2:text3:uauth:text4
+  format=text1:[text]2:text3:uauth4:text5
   comment=object name:
   comment=domain:
   comment=name_service:
+  comment=authorization used:
   comment=initial values
 
 label=AUE_scheduledjob_modify
   see=
   program=SMC server
   title=SMC: scheduled job modify
-  format=text1:[text]2:text3:uauth:text4
+  format=text1:[text]2:text3:uauth4:text5
   comment=object name:
   comment=domain:
   comment=name_service:
+  comment=authorization used:
   comment=changed values
 
 label=AUE_scheduledjob_delete
   program=SMC server
   see=
   title=SMC: scheduled job delete
-  format=text1:[text]2:text3:uauth:text4
+  format=text1:[text]2:text3:uauth4:text5
   comment=object name:
   comment=domain:
   comment=name_service:
+  comment=authorization used:
   comment=deleted values
 
 label=AUE_screenlock
@@ -2463,30 +2477,33 @@
   program=SMC server
   see=
   title=SMC: serial port add
-  format=text1:[text]2:text3:uauth:text4
+  format=text1:[text]2:text3:uauth4:text5
   comment=object name:
   comment=domain:
   comment=name_service:
+  comment=authorization used:
   comment=initial values
 
 label=AUE_serialport_modify
   program=SMC server
   see=
   title=SMC: serial port modify
-  format=text1:[text]2:text3:uauth:text4
+  format=text1:[text]2:text3:uauth4:text5
   comment=object name:
   comment=domain:
   comment=name_service:
+  comment=authorization used:
   comment=changed values
 
 label=AUE_serialport_delete
   program=SMC server
   see=
   title=SMC: serial port add
-  format=text1:[text]2:text3:uauth:text4
+  format=text1:[text]2:text3:uauth4:text5
   comment=object name:
   comment=domain:
   comment=name_service:
+  comment=authorization used:
   comment=deleted values
 
 label=AUE_shutdown_solaris
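Review bot: The `label=AUE_serialport_delete` record in this hunk still carries `title=SMC: serial port add`, so bsmrecord output describes a delete event as an add. The commit rewrites this record's `format=` line but leaves the title unchanged. Since the record is being edited anyway, change the title to `title=SMC: serial port delete`, so that anyone mapping audit-trail events back to this reference does not misread a deletion.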
@@ -2542,7 +2559,7 @@
   program=SMC server
   see=
   title=SMC:  Use of Authorization
-  format=text1:text2
+  format=uauth1:text2
   comment=authorization used:
   comment=object name
 
@@ -2550,10 +2567,11 @@
   see=
   program=SMC server
   title=SMC: User Manager add
-  format=text1:[text]2:text3:uauth:text4
+  format=text1:[text]2:text3:uauth4:text5
   comment=object name:
   comment=domain:
   comment=name_service:
+  comment=authorization used:
   comment=initial values
 #	header,137,2,add user/user attributes,,Tue Oct 23 12:45:26 2001, + 725 msec
 #	subject,tuser1,tuser1,emacs,tuser1,emacs,23404,2926062642,0 0 0.0.0.0
@@ -2567,20 +2585,22 @@
   program=SMC server
   see=
   title=SMC: User Manager modify
-  format=text1:[text]2:text3:uauth:text4
+  format=text1:[text]2:text3:uauth4:text5
   comment=object name:
   comment=domain:
   comment=name_service:
+  comment=authorization used:
   comment=changed values
 
 label=AUE_usermgr_delete
   program=SMC server
   see=
   title=SMC: User Manager delete
-  format=text1:[text]2:text3:uauth:text4
+  format=text1:[text]2:text3:uauth4:text5
   comment=object name:
   comment=domain:
   comment=name_service:
+  comment=authorization used:
   comment=deleted values
 
 label=AUE_zone_state
@@ -2610,7 +2630,7 @@
 
 label=AUE_dladm_create_secobj
   program=/usr/sbin/dladm
-  title:create wifi security object
+  title=create wifi security object
   see=dladm(1M)
   format=uauth1:text2:text3
   comment=authorization used:
@@ -2619,9 +2639,30 @@
 
 label=AUE_dladm_delete_secobj
   program=/usr/sbin/dladm
-  title:delete wifi security object
+  title=delete wifi security object
   see=dladm(1M)
   format=uauth1:text2:text3
   comment=authorization used:
   comment=object class name:
   comment=object name
+
+label=AUE_file_relabel
+  title=relabel file from one zone to another
+  program=setlabel(1)
+  see=setflabel(3TSOL)
+  format=uauth1:text2:label3:label4
+  comment=authorization used:
+  comment=file relabeled:
+  comment=original label:
+  comment=new label
+
+label=AUE_file_copy
+  title=copy file to another zone
+  program=dtfile(1X)
+  see=
+  format=uauth1:text2:label3:text4:label5
+  comment=authorization used:
+  comment=source file:
+  comment=source label:
+  comment=destination directory:
+  comment=destination label
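Review bot: The two new records describe the file names as `text` tokens, but the adt_xml.txt and adt_xlate.c parts of this changeset define them as `path` tokens (`<internal token="path"/>`, `AUT_PATH`). If bsmrecord's `format=` is meant to mirror the tokens actually emitted, these lines should read `format=uauth1:path2:label3:label4` for AUE_file_relabel and `format=uauth1:path2:label3:path4:label5` for AUE_file_copy. The `path` token is already used this way in the AUE_mountd_mount record. Separately, the fourth AUE_file_copy field is commented as "destination directory" while the ADT field is named `dst_file`. Pick one wording, so callers and audit reviewers agree on whether a directory or a full file path is recorded.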
--- a/usr/src/lib/libbsm/audit_event.txt	Tue Mar 06 11:02:13 2007 -0800
+++ b/usr/src/lib/libbsm/audit_event.txt	Tue Mar 06 17:10:18 2007 -0800
@@ -1,5 +1,5 @@
 #
-# Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
+# Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
 # Use is subject to license terms.
 #
 #
@@ -434,8 +434,9 @@
 # Trusted Extensions events:
 #
 9035:AUE_sl_change:Workspace label change:ap
+9036:AUE_file_relabel:relabel file:fm
 9037:AUE_file_copy:file copy:fm
-9038:AUE_file_move:file move:fm
+9038:AUE_file_move:file move:no
 9039:AUE_sel_mgr_xfer:selection manager transfer:fm
 9101:AUE_ClientConnect:client connection to x server:lo
 9102:AUE_ClientDisconnect:client disconn. from x server:lo
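Review bot: Changing `9038:AUE_file_move` from class `fm` to `no` takes the event out of every preselection class, so a cross-label file move can no longer be selected for auditing. Neither the commit description nor the file explains this. The changeset adds ADT events only for file_copy and file_relabel, which suggests file_move is being retired, but that is an inference. If it is intentional, add a comment above the line such as `# AUE_file_move is no longer generated; kept for trail compatibility`. If it is not, keep `fm`, so that sites preselecting on that class do not silently lose these records.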
--- a/usr/src/lib/libbsm/common/adt_event.h	Tue Mar 06 11:02:13 2007 -0800
+++ b/usr/src/lib/libbsm/common/adt_event.h	Tue Mar 06 17:10:18 2007 -0800
@@ -21,7 +21,7 @@
 /*
  * adt_event.h
  *
- * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  *
  * AUTOMATICALLY GENERATED CODE; DO NOT EDIT; CONTACT AUDIT PROJECT
@@ -97,6 +97,8 @@
 #define	ADT_detach		43
 #define	ADT_dladm_create_secobj	47
 #define	ADT_dladm_delete_secobj	48
+#define	ADT_file_copy		50
+#define	ADT_file_relabel	49
 #define	ADT_filesystem_add	4
 #define	ADT_filesystem_delete	5
 #define	ADT_filesystem_modify	6
@@ -177,6 +179,23 @@
 };
 typedef struct adt_dladm_delete_secobj adt_dladm_delete_secobj_t;
 
+struct adt_file_copy {	/* ADT_file_copy */
+	char 	*auth_used;	/* required */
+	char 	*src_file;	/* required */
+	m_label_t 	*src_label;	/* required */
+	char 	*dst_file;	/* required */
+	m_label_t 	*dst_label;	/* required */
+};
+typedef struct adt_file_copy adt_file_copy_t;
+
+struct adt_file_relabel {	/* ADT_file_relabel */
+	char 	*auth_used;	/* required */
+	char 	*file;	/* required */
+	m_label_t 	*src_label;	/* required */
+	m_label_t 	*dst_label;	/* required */
+};
+typedef struct adt_file_relabel adt_file_relabel_t;
+
 struct adt_filesystem_add {	/* ADT_filesystem_add */
 	char 	*object_name;	/* required */
 	char 	*domain;	/* optional */
@@ -501,6 +520,8 @@
 		adt_detach_t	adt_detach;
 		adt_dladm_create_secobj_t	adt_dladm_create_secobj;
 		adt_dladm_delete_secobj_t	adt_dladm_delete_secobj;
+		adt_file_copy_t	adt_file_copy;
+		adt_file_relabel_t	adt_file_relabel;
 		adt_filesystem_add_t	adt_filesystem_add;
 		adt_filesystem_delete_t	adt_filesystem_delete;
 		adt_filesystem_modify_t	adt_filesystem_modify;
--- a/usr/src/lib/libbsm/common/adt_xlate.c	Tue Mar 06 11:02:13 2007 -0800
+++ b/usr/src/lib/libbsm/common/adt_xlate.c	Tue Mar 06 17:10:18 2007 -0800
@@ -21,7 +21,7 @@
 /*
  * adt_xlate.c
  *
- * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  *
  * AUTOMATICALLY GENERATED CODE; DO NOT EDIT; CONTACT AUDIT PROJECT
@@ -54,6 +54,7 @@
 				{ADT_UINT16, sizeof (uint16_t)},
 				{ADT_UINT16, sizeof (uint16_t)},
 				{ADT_UINT32ARRAY, 4 * sizeof (uint32_t)}};
+static datadef	adr6[1] =	{{ADT_MLABELSTAR, sizeof (m_label_t *)}};
 
 /* External event structure to internal event structure */
 
@@ -157,6 +158,52 @@
 	&XX_dladm_delete_secobj[0],
 	&XX_dladm_delete_secobj[0]
 };
+static struct entry XX_file_copy[7] = {
+	{AUT_SUBJECT,	1,	NULL,	&(XX_file_copy[1]),
+		0,	0,	0,	NULL},
+	{AUT_UAUTH,	1,	&adr1[0],	&(XX_file_copy[2]),
+		0,	1,	0,	NULL},
+	{AUT_PATH,	1,	&adr1[0],	&(XX_file_copy[3]),
+		0,	1,	0,	NULL},
+	{AUT_LABEL,	1,	&adr6[0],	&(XX_file_copy[4]),
+		0,	1,	0,	NULL},
+	{AUT_PATH,	1,	&adr1[0],	&(XX_file_copy[5]),
+		0,	1,	0,	NULL},
+	{AUT_LABEL,	1,	&adr6[0],	&(XX_file_copy[6]),
+		0,	1,	0,	NULL},
+	{AUT_RETURN,	1,	NULL,	NULL,
+		0,	0,	0,	NULL}
+};
+static struct translation X_file_copy = {
+	0,
+	ADT_file_copy,
+	AUE_file_copy,
+	7,
+	&XX_file_copy[0],
+	&XX_file_copy[0]
+};
+static struct entry XX_file_relabel[6] = {
+	{AUT_SUBJECT,	1,	NULL,	&(XX_file_relabel[1]),
+		0,	0,	0,	NULL},
+	{AUT_UAUTH,	1,	&adr1[0],	&(XX_file_relabel[2]),
+		0,	1,	0,	NULL},
+	{AUT_PATH,	1,	&adr1[0],	&(XX_file_relabel[3]),
+		0,	1,	0,	NULL},
+	{AUT_LABEL,	1,	&adr6[0],	&(XX_file_relabel[4]),
+		0,	1,	0,	NULL},
+	{AUT_LABEL,	1,	&adr6[0],	&(XX_file_relabel[5]),
+		0,	1,	0,	NULL},
+	{AUT_RETURN,	1,	NULL,	NULL,
+		0,	0,	0,	NULL}
+};
+static struct translation X_file_relabel = {
+	0,
+	ADT_file_relabel,
+	AUE_file_relabel,
+	6,
+	&XX_file_relabel[0],
+	&XX_file_relabel[0]
+};
 static struct entry XX_filesystem_add[7] = {
 	{AUT_SUBJECT,	1,	NULL,	&(XX_filesystem_add[1]),
 		0,	0,	0,	NULL},
@@ -1019,12 +1066,14 @@
 	&XX_zone_state[0],
 	&XX_zone_state[0]
 };
-struct translation *xlate_table[49] = {
+struct translation *xlate_table[51] = {
 	&X_admin_authenticate,
 	&X_attach,
 	&X_detach,
 	&X_dladm_create_secobj,
 	&X_dladm_delete_secobj,
+	&X_file_copy,
+	&X_file_relabel,
 	&X_filesystem_add,
 	&X_filesystem_delete,
 	&X_filesystem_modify,
--- a/usr/src/lib/libbsm/common/adt_xml.txt	Tue Mar 06 11:02:13 2007 -0800
+++ b/usr/src/lib/libbsm/common/adt_xml.txt	Tue Mar 06 17:10:18 2007 -0800
@@ -20,7 +20,7 @@
 
  CDDL HEADER END
 
-Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
+Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
 Use is subject to license terms.
 
   ident	"%Z%%M%	%I%	%E% SMI"
@@ -883,8 +883,69 @@
 	header="0" idNo="48" omit="JNI">
     </event>
 
-<!-- add new everts here with the next higher idNo -->
-<!-- Highest idNo is 48, so next is 49, then fix this comment -->
+<!-- Trusted eXtensions (TX) events -->
+
+    <!-- labeld events -->
+    <event id="AUE_file_relabel" header="0" idNo="49" omit="JNI">
+	<entry id="subject">
+	    <internal token="subject"/>
+	    <external opt="none"/>
+	</entry>
+	<entry id="auth_used">
+	    <internal token="uauth"/>
+	    <external opt="required" type="char *"/>
+	</entry>
+	<entry id="file">
+	    <internal token="path"/>
+	    <external opt="required" type="char *"/>
+	</entry>
+	<entry id="src_label">
+	    <internal token="label"/>
+	    <external opt="required" type="m_label_t *"/>
+	</entry>
+	<entry id="dst_label">
+	    <internal token="label"/>
+	    <external opt="required" type="m_label_t *"/>
+	</entry>
+	<entry id="return">
+	    <internal token="return"/>
+	    <external opt="none"/>
+	</entry>
+    </event>
+
+    <event id="AUE_file_copy" header="0" idNo="50" omit="JNI">
+	<entry id="subject">
+	    <internal token="subject"/>
+	    <external opt="none"/>
+	</entry>
+	<entry id="auth_used">
+	    <internal token="uauth"/>
+	    <external opt="required" type="char *"/>
+	</entry>
+	<entry id="src_file">
+	    <internal token="path"/>
+	    <external opt="required" type="char *"/>
+	</entry>
+	<entry id="src_label">
+	    <internal token="label"/>
+	    <external opt="required" type="m_label_t *"/>
+	</entry>
+	<entry id="dst_file">
+	    <internal token="path"/>
+	    <external opt="required" type="char *"/>
+	</entry>
+	<entry id="dst_label">
+	    <internal token="label"/>
+	    <external opt="required" type="m_label_t *"/>
+	</entry>
+	<entry id="return">
+	    <internal token="return"/>
+	    <external opt="none"/>
+	</entry>
+    </event>
+
+<!-- add new events here with the next higher idNo -->
+<!-- Highest idNo is 50, so next is 51, then fix this comment -->
 <!-- end of C Only events -->