Diffstat (limited to 'libauditd/auditd_lib.c')
-rw-r--r--libauditd/auditd_lib.c384
1 files changed, 222 insertions, 162 deletions
diff --git a/libauditd/auditd_lib.c b/libauditd/auditd_lib.c
index bf57155cd8ef..3c033487fafd 100644
--- a/libauditd/auditd_lib.c
+++ b/libauditd/auditd_lib.c
@@ -26,7 +26,7 @@
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
- * $P4: //depot/projects/trustedbsd/openbsm/libauditd/auditd_lib.c#11 $
+ * $P4: //depot/projects/trustedbsd/openbsm/libauditd/auditd_lib.c#18 $
*/
#include <sys/param.h>
@@ -52,6 +52,7 @@
#include <bsm/auditd_lib.h>
#include <bsm/libbsm.h>
+#include <assert.h>
#include <dirent.h>
#include <err.h>
#include <errno.h>
@@ -66,7 +67,7 @@
#ifdef __APPLE__
#include <notify.h>
#ifndef __BSM_INTERNAL_NOTIFY_KEY
-#define __BSM_INTERNAL_NOTIFY_KEY "com.apple.audit.change"
+#define __BSM_INTERNAL_NOTIFY_KEY "com.apple.audit.change"
#endif /* __BSM_INTERNAL_NOTIFY_KEY */
#endif /* __APPLE__ */
@@ -101,37 +102,38 @@ struct audit_trail {
};
static int auditd_minval = -1;
+static int auditd_dist = 0;
static char auditd_host[MAXHOSTNAMELEN];
static int auditd_hostlen = -1;
static char *auditd_errmsg[] = {
- "no error", /* ADE_NOERR ( 0) */
- "could not parse audit_control(5) file", /* ADE_PARSE ( 1) */
- "auditon(2) failed", /* ADE_AUDITON ( 2) */
- "malloc(3) failed", /* ADE_NOMEM ( 3) */
- "all audit log directories over soft limit", /* ADE_SOFTLIM ( 4) */
- "all audit log directories over hard limit", /* ADE_HARDLIM ( 5) */
- "could not create file name string", /* ADE_STRERR ( 6) */
- "could not open audit record", /* ADE_AU_OPEN ( 7) */
- "could not close audit record", /* ADE_AU_CLOSE ( 8) */
- "could not set active audit session state", /* ADE_SETAUDIT ( 9) */
- "auditctl(2) failed (trail still swapped)", /* ADE_ACTL (10) */
- "auditctl(2) failed (trail not swapped)", /* ADE_ACTLERR (11) */
- "could not swap audit trail file", /* ADE_SWAPERR (12) */
+ "no error", /* ADE_NOERR ( 0) */
+ "could not parse audit_control(5) file", /* ADE_PARSE ( 1) */
+ "auditon(2) failed", /* ADE_AUDITON ( 2) */
+ "malloc(3) failed", /* ADE_NOMEM ( 3) */
+ "all audit log directories over soft limit", /* ADE_SOFTLIM ( 4) */
+ "all audit log directories over hard limit", /* ADE_HARDLIM ( 5) */
+ "could not create file name string", /* ADE_STRERR ( 6) */
+ "could not open audit record", /* ADE_AU_OPEN ( 7) */
+ "could not close audit record", /* ADE_AU_CLOSE ( 8) */
+ "could not set active audit session state", /* ADE_SETAUDIT ( 9) */
+ "auditctl(2) failed (trail still swapped)", /* ADE_ACTL (10) */
+ "auditctl(2) failed (trail not swapped)", /* ADE_ACTLERR (11) */
+ "could not swap audit trail file", /* ADE_SWAPERR (12) */
"could not rename crash recovery file", /* ADE_RENAME (13) */
"could not read 'current' link file", /* ADE_READLINK (14) */
- "could not create 'current' link file", /* ADE_SYMLINK (15) */
+ "could not create 'current' link file", /* ADE_SYMLINK (15) */
"invalid argument", /* ADE_INVAL (16) */
"could not resolve hostname to address", /* ADE_GETADDR (17) */
"address family not supported", /* ADE_ADDRFAM (18) */
"error expiring audit trail files", /* ADE_EXPIRE (19) */
};
-#define MAXERRCODE (sizeof(auditd_errmsg) / sizeof(auditd_errmsg[0]))
+#define MAXERRCODE (sizeof(auditd_errmsg) / sizeof(auditd_errmsg[0]))
-#define NA_EVENT_STR_SIZE 128
-#define POL_STR_SIZE 128
+#define NA_EVENT_STR_SIZE 128
+#define POL_STR_SIZE 128
/*
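Review bot: MAXERRCODE as defined here is the number of entries in auditd_errmsg, not the highest valid index, and the bounds test in auditd_strerror (shown in the following hunk) is `idx > (int)MAXERRCODE`, which lets idx equal to MAXERRCODE through and indexes one element past the end of the table. The test should be `if (idx < 0 || idx >= (int)MAXERRCODE)`. How idx is derived from errcode is outside the visible lines, so the sign convention should be confirmed, but the upper bound is off by one either way. A one-line comment on the macro, `/* Number of entries in auditd_errmsg[]; valid indices are 0..MAXERRCODE-1. */`, would keep the next reader from repeating it.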
@@ -144,19 +146,19 @@ auditd_strerror(int errcode)
if (idx < 0 || idx > (int)MAXERRCODE)
return ("Invalid auditd error code");
-
+
return (auditd_errmsg[idx]);
}
/*
- * Free our local list of directory names and init list
+ * Free our local list of directory names and init list.
*/
static void
free_dir_q(void)
{
struct dir_ent *d1, *d2;
-
+
d1 = TAILQ_FIRST(&dir_q);
while (d1 != NULL) {
d2 = TAILQ_NEXT(d1, dirs);
@@ -179,9 +181,9 @@ affixdir(char *name, struct dir_ent *dirent)
/*
* Sanity check on file name.
*/
- if (strlen(name) != (FILENAME_LEN - 1)) {
+ if (strlen(name) != FILENAME_LEN) {
errno = EINVAL;
- return (NULL);
+ return (NULL);
}
/*
@@ -203,11 +205,11 @@ static void
insert_orderly(struct dir_ent *denew)
{
struct dir_ent *dep;
-
+
TAILQ_FOREACH(dep, &dir_q, dirs) {
if (dep->softlim == 1 && denew->softlim == 0) {
TAILQ_INSERT_BEFORE(dep, denew, dirs);
- return;
+ return;
}
if (dep->hardlim == 1 && denew->hardlim == 0) {
TAILQ_INSERT_BEFORE(dep, denew, dirs);
@@ -218,13 +220,33 @@ insert_orderly(struct dir_ent *denew)
}
/*
+ * Get the min percentage of free blocks from audit_control(5) and that
+ * value in the kernel. Return:
+ * ADE_NOERR on success,
+ * ADE_PARSE error parsing audit_control(5),
+ */
+int
+auditd_set_dist(void)
+{
+ int ret;
+
+ ret = getacdist();
+ if (ret < 0)
+ return (ADE_PARSE);
+
+ auditd_dist = ret;
+
+ return (ADE_NOERR);
+}
+
+/*
* Get the host from audit_control(5) and set it in the audit kernel
* information. Return:
* ADE_NOERR on success.
* ADE_PARSE error parsing audit_control(5).
* ADE_AUDITON error getting/setting auditon(2) value.
- * ADE_GETADDR error getting address info for host.
- * ADE_ADDRFAM un-supported address family.
+ * ADE_GETADDR error getting address info for host.
+ * ADE_ADDRFAM un-supported address family.
*/
int
auditd_set_host(void)
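Review bot: The header comment on the new auditd_set_dist() was copied from auditd_set_minfree() and describes the wrong function: it talks about the minimum percentage of free blocks and a kernel value, while the body only stores the result of getacdist() in auditd_dist and makes no kernel call. Something like `/* Read the trail distribution setting from audit_control(5) into auditd_dist. */` followed by the two return codes would match the code. It is also worth stating that auditd_dist is left unchanged when getacdist() returns a negative value, since a caller that ignores the return code depends on that.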
@@ -236,8 +258,8 @@ auditd_set_host(void)
int error, ret = ADE_NOERR;
if (getachost(auditd_host, sizeof(auditd_host)) != 0) {
- ret = ADE_PARSE;
-
+ ret = ADE_PARSE;
+
/*
* To maintain reverse compatability with older audit_control
* files, simply drop a warning if the host parameter has not
@@ -283,11 +305,11 @@ auditd_set_host(void)
return (ret);
}
-/*
+/*
* Get the min percentage of free blocks from audit_control(5) and that
* value in the kernel. Return:
* ADE_NOERR on success,
- * ADE_PARSE error parsing audit_control(5),
+ * ADE_PARSE error parsing audit_control(5),
* ADE_AUDITON error getting/setting auditon(2) value.
*/
int
@@ -297,7 +319,7 @@ auditd_set_minfree(void)
if (getacmin(&auditd_minval) != 0)
return (ADE_PARSE);
-
+
if (audit_get_qctrl(&qctrl, sizeof(qctrl)) != 0)
return (ADE_AUDITON);
@@ -318,7 +340,7 @@ static int
trailname_to_tstamp(char *fn, time_t *tstamp)
{
struct tm tm;
- char ts[TIMESTAMP_LEN];
+ char ts[TIMESTAMP_LEN + 1];
char *p;
*tstamp = 0;
@@ -328,7 +350,7 @@ trailname_to_tstamp(char *fn, time_t *tstamp)
*/
if ((p = strchr(fn, '.')) == NULL)
return (1);
- strlcpy(ts, ++p, TIMESTAMP_LEN);
+ strlcpy(ts, ++p, sizeof(ts));
if (strlen(ts) != POSTFIX_LEN)
return (1);
@@ -340,7 +362,7 @@ trailname_to_tstamp(char *fn, time_t *tstamp)
if (tm.tm_sec < 0 || tm.tm_sec > 60)
return (1);
- /* minutes (0-59) */
+ /* minutes (0-59) */
*p = '\0'; p -= 2;
tm.tm_min = atol(p);
if (tm.tm_min < 0 || tm.tm_min > 59)
@@ -377,10 +399,10 @@ trailname_to_tstamp(char *fn, time_t *tstamp)
/*
* Remove audit trails files according to the expiration conditions. Returns:
- * ADE_NOERR on success or there is nothing to do.
- * ADE_PARSE if error parsing audit_control(5).
- * ADE_NOMEM if could not allocate memory.
- * ADE_EXPIRE if there was an unespected error.
+ * ADE_NOERR on success or there is nothing to do.
+ * ADE_PARSE if error parsing audit_control(5).
+ * ADE_NOMEM if could not allocate memory.
+ * ADE_EXPIRE if there was an unespected error.
*/
int
auditd_expire_trails(int (*warn_expired)(char *))
@@ -410,7 +432,7 @@ auditd_expire_trails(int (*warn_expired)(char *))
*/
activefn[0] = '\0';
readlink(AUDIT_CURRENT_LINK, activefn, MAXPATHLEN - 1);
- if ((afnp = strrchr(activefn, '/')) != NULL)
+ if ((afnp = strrchr(activefn, '/')) != NULL)
afnp++;
@@ -429,15 +451,12 @@ auditd_expire_trails(int (*warn_expired)(char *))
/*
* Quickly filter non-trail files.
*/
- if (dp->d_namlen != (FILENAME_LEN - 1) ||
-#ifdef DT_REG
- dp->d_type != DT_REG ||
-#endif
+ if (dp->d_namlen < FILENAME_LEN ||
dp->d_name[POSTFIX_LEN] != '.')
continue;
if (asprintf(&pn, "%s/%s", traildir->dirname,
- dp->d_name) < 0) {
+ dp->d_name) < 0) {
ret = ADE_NOMEM;
break;
}
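Review bot: The quick filter now accepts more directory entries than before, and entries that pass it go on to be considered for unlink() later in auditd_expire_trails: `dp->d_namlen < FILENAME_LEN` lets through names longer than a trail name, and the `dp->d_type != DT_REG` test is gone, so symlinks and directories with a matching shape are no longer skipped here. Whether a later stat-based check rejects non-regular files is not visible in this hunk; if it uses stat(2) rather than lstat(2), a symlink would be judged by its target while unlink() removes the link itself. Please confirm that check exists, and add a comment above the test saying why names longer than FILENAME_LEN are now accepted and where the file type is verified.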
@@ -453,8 +472,7 @@ auditd_expire_trails(int (*warn_expired)(char *))
* If this is the 'current' audit trail then
* don't add it to the tail queue.
*/
- if (NULL != afnp &&
- strncmp(dp->d_name, afnp, FILENAME_LEN) == 0) {
+ if (NULL != afnp && strcmp(dp->d_name, afnp) == 0) {
free(pn);
continue;
}
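Review bot: Switching to `strcmp(dp->d_name, afnp)` makes the exclusion of the 'current' trail depend on activefn being NUL-terminated, and the readlink() call near the top of auditd_expire_trails (visible in an earlier hunk) ignores its return value; readlink(2) does not write a terminator itself. Unless activefn is zeroed where it is declared, which is outside the visible lines, strrchr() and this strcmp() can read stale bytes, and a mismatch means the active trail is queued as an expiry candidate. Suggest capturing the length in a new `ssize_t len`: `len = readlink(AUDIT_CURRENT_LINK, activefn, MAXPATHLEN - 1);` followed by `activefn[len > 0 ? len : 0] = '\0';`.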
@@ -481,9 +499,9 @@ auditd_expire_trails(int (*warn_expired)(char *))
struct timeval tv[2];
tstamp = stbuf.st_mtime = current_time;
- TIMESPEC_TO_TIMEVAL(&tv[0],
+ TIMESPEC_TO_TIMEVAL(&tv[0],
&stbuf.st_atimespec);
- TIMESPEC_TO_TIMEVAL(&tv[1],
+ TIMESPEC_TO_TIMEVAL(&tv[1],
&stbuf.st_mtimespec);
utimes(pn, tv);
}
@@ -507,7 +525,7 @@ auditd_expire_trails(int (*warn_expired)(char *))
* insertion sort.
*/
if (TAILQ_EMPTY(&head) ||
- (new->at_time <= TAILQ_FIRST(&head)->at_time)) {
+ new->at_time <= TAILQ_FIRST(&head)->at_time) {
TAILQ_INSERT_HEAD(&head, new, at_trls);
continue;
}
@@ -520,11 +538,12 @@ auditd_expire_trails(int (*warn_expired)(char *))
}
}
+ closedir(dirp);
}
oldest_time = current_time - expire_age;
- /*
+ /*
* Expire trail files, oldest (mtime) first, if the given
* conditions are met.
*/
@@ -536,7 +555,7 @@ auditd_expire_trails(int (*warn_expired)(char *))
if ((expire_size && total_size > expire_size) &&
(expire_age && at->at_time < oldest_time)) {
if (warn_expired)
- (*warn_expired)(at->at_path);
+ (*warn_expired)(at->at_path);
if (unlink(at->at_path) < 0)
ret = ADE_EXPIRE;
total_size -= at->at_size;
@@ -545,7 +564,7 @@ auditd_expire_trails(int (*warn_expired)(char *))
if ((expire_size && total_size > expire_size) ||
(expire_age && at->at_time < oldest_time)) {
if (warn_expired)
- (*warn_expired)(at->at_path);
+ (*warn_expired)(at->at_path);
if (unlink(at->at_path) < 0)
ret = ADE_EXPIRE;
total_size -= at->at_size;
@@ -589,9 +608,9 @@ auditd_read_dirs(int (*warn_soft)(char *), int (*warn_hard)(char *))
if (auditd_hostlen == -1)
auditd_set_host();
- /*
- * Init directory q. Force a re-read of the file the next time.
- */
+ /*
+ * Init directory q. Force a re-read of the file the next time.
+ */
free_dir_q();
endac();
@@ -600,17 +619,17 @@ auditd_read_dirs(int (*warn_soft)(char *), int (*warn_hard)(char *))
* admin's preference, then those over soft limit and, finally,
* those over the hard limit.
*
- * XXX We should use the reentrant interfaces once they are
- * available.
- */
+ * XXX We should use the reentrant interfaces once they are
+ * available.
+ */
while (getacdir(cur_dir, MAXNAMLEN) >= 0) {
if (statfs(cur_dir, &sfs) < 0)
continue; /* XXX should warn */
- soft = (sfs.f_bfree < (sfs.f_blocks / (100 / auditd_minval))) ?
+ soft = (sfs.f_bfree < (sfs.f_blocks * auditd_minval / 100 )) ?
1 : 0;
hard = (sfs.f_bfree < AUDIT_HARD_LIMIT_FREE_BLOCKS) ? 1 : 0;
if (soft) {
- if (warn_soft)
+ if (warn_soft)
(*warn_soft)(cur_dir);
scnt++;
}
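Review bot: Nothing visible in this hunk bounds auditd_minval before it is used as a multiplier in `sfs.f_blocks * auditd_minval / 100`: the static starts at -1 and is otherwise whatever getacmin() parsed from audit_control(5). A negative value or one above 100 makes the soft-limit test meaningless, and if f_blocks is an unsigned type a value of -1 converts to a very large multiplier. A range check where the value is read would close this, for example in auditd_set_minfree: `if (auditd_minval < 0 || auditd_minval > 100) return (ADE_PARSE);`. auditd_read_dirs begins outside the hunk, so an existing guard may simply not be visible here.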
@@ -623,7 +642,7 @@ auditd_read_dirs(int (*warn_soft)(char *), int (*warn_hard)(char *))
if (dirent == NULL)
return (ADE_NOMEM);
dirent->softlim = soft;
- dirent->hardlim = hard;
+ dirent->hardlim = hard;
dirent->dirname = (char *) malloc(MAXNAMLEN);
if (dirent->dirname == NULL) {
free(dirent);
@@ -653,8 +672,8 @@ auditd_close_dirs(void)
/*
* Process the audit event file, obtaining a class mapping for each event, and
* set that mapping into the kernel. Return:
- * n number of event mappings that were successfully processed,
- * ADE_NOMEM if there was an error allocating memory.
+ * n number of event mappings that were successfully processed,
+ * ADE_NOMEM if there was an error allocating memory.
*/
int
auditd_set_evcmap(void)
@@ -663,7 +682,6 @@ auditd_set_evcmap(void)
au_evclass_map_t evc_map;
int ctr = 0;
-
/*
* XXX There's a risk here that the BSM library will return NULL
* for an event when it can't properly map it to a class. In that
@@ -672,12 +690,12 @@ auditd_set_evcmap(void)
*/
ev.ae_name = (char *)malloc(AU_EVENT_NAME_MAX);
ev.ae_desc = (char *)malloc(AU_EVENT_DESC_MAX);
- if ((ev.ae_name == NULL) || (ev.ae_desc == NULL)) {
+ if (ev.ae_name == NULL || ev.ae_desc == NULL) {
if (ev.ae_name != NULL)
free(ev.ae_name);
return (ADE_NOMEM);
}
-
+
/*
* XXXRW: Currently we have no way to remove mappings from the kernel
* when they are removed from the file-based mappings.
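Review bot: The failure path under `if (ev.ae_name == NULL || ev.ae_desc == NULL)` frees only ev.ae_name, so when the first malloc fails and the second succeeds, ev.ae_desc is leaked. Since free(NULL) is a no-op, the branch can simply be `free(ev.ae_name); free(ev.ae_desc); return (ADE_NOMEM);`. The rest of auditd_set_evcmap lies outside this hunk.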
@@ -699,7 +717,7 @@ auditd_set_evcmap(void)
/*
* Get the non-attributable event string and set the kernel mask. Return:
- * ADE_NOERR on success,
+ * ADE_NOERR on success,
* ADE_PARSE error parsing audit_control(5),
* ADE_AUDITON error setting the mask using auditon(2).
*/
@@ -708,9 +726,9 @@ auditd_set_namask(void)
{
au_mask_t aumask;
char naeventstr[NA_EVENT_STR_SIZE];
-
- if ((getacna(naeventstr, NA_EVENT_STR_SIZE) != 0) ||
- (getauditflagsbin(naeventstr, &aumask) != 0))
+
+ if (getacna(naeventstr, NA_EVENT_STR_SIZE) != 0 ||
+ getauditflagsbin(naeventstr, &aumask) != 0)
return (ADE_PARSE);
if (audit_set_kmask(&aumask, sizeof(aumask)) != 0)
@@ -724,7 +742,7 @@ auditd_set_namask(void)
* implement the policy. However, if one isn't defined or if there is an error
* parsing the control file, set AUDIT_CNT to avoid leaving the system in a
* fragile state. Return:
- * ADE_NOERR on success,
+ * ADE_NOERR on success,
* ADE_PARSE error parsing audit_control(5),
* ADE_AUDITON error setting policy using auditon(2).
*/
@@ -734,13 +752,13 @@ auditd_set_policy(void)
int policy;
char polstr[POL_STR_SIZE];
- if ((getacpol(polstr, POL_STR_SIZE) != 0) ||
- (au_strtopol(polstr, &policy) != 0)) {
+ if (getacpol(polstr, POL_STR_SIZE) != 0 ||
+ au_strtopol(polstr, &policy) != 0) {
policy = AUDIT_CNT;
if (audit_set_policy(&policy) != 0)
return (ADE_AUDITON);
return (ADE_PARSE);
- }
+ }
if (audit_set_policy(&policy) != 0)
return (ADE_AUDITON);
@@ -748,9 +766,9 @@ auditd_set_policy(void)
return (ADE_NOERR);
}
-/*
+/*
* Set trail rotation size. Return:
- * ADE_NOERR on success,
+ * ADE_NOERR on success,
* ADE_PARSE error parsing audit_control(5),
* ADE_AUDITON error setting file size using auditon(2).
*/
@@ -771,101 +789,137 @@ auditd_set_fsize(void)
if (audit_set_fsize(&au_fstat, sizeof(au_fstat)) != 0)
return (ADE_AUDITON);
- return (ADE_NOERR);
+ return (ADE_NOERR);
+}
+
+static void
+inject_dist(const char *fromname, char *toname, size_t tonamesize)
+{
+ char *ptr;
+
+ ptr = strrchr(fromname, '/');
+ assert(ptr != NULL);
+ assert(ptr - fromname < (ssize_t)tonamesize);
+ strlcpy(toname, fromname, ptr - fromname + 1);
+ strlcat(toname, "/dist/", tonamesize);
+ strlcat(toname, ptr + 1, tonamesize);
+}
+
+static int
+auditdist_link(const char *filename)
+{
+ char fname[MAXPATHLEN];
+
+ if (auditd_dist) {
+ inject_dist(filename, fname, sizeof(fname));
+ /* Ignore errors. */
+ (void) link(filename, fname);
+ }
+
+ return (0);
+}
+
+int
+auditd_rename(const char *fromname, const char *toname)
+{
+ char fname[MAXPATHLEN], tname[MAXPATHLEN];
+
+ if (auditd_dist) {
+ inject_dist(fromname, fname, sizeof(fname));
+ inject_dist(toname, tname, sizeof(tname));
+ /* Ignore errors. */
+ (void) rename(fname, tname);
+ }
+
+ return (rename(fromname, toname));
}
/*
- * Create the new audit file with appropriate permissions and ownership. Try
- * to clean up if something goes wrong.
+ * Create the new audit file with appropriate permissions and ownership.
+ * Call auditctl(2) for this file.
+ * Try to clean up if something goes wrong.
+ * *errorp is modified only on auditctl(2) failure.
*/
static int
-open_trail(char *fname, gid_t gid)
+open_trail(char *fname, gid_t gid, int *errorp)
{
- int error, fd;
-
- fd = open(fname, O_RDONLY | O_CREAT, S_IRUSR | S_IRGRP);
+ int fd;
+
+ /* XXXPJD: What should we do if the file already exists? */
+ fd = open(fname, O_RDONLY | O_CREAT, S_IRUSR);
if (fd < 0)
return (-1);
- if (fchown(fd, -1, gid) < 0) {
- error = errno;
- close(fd);
- (void)unlink(fname);
- errno = error;
+ if (fchown(fd, -1, gid) < 0 || fchmod(fd, S_IRUSR | S_IRGRP) < 0) {
+ (void) close(fd);
+ (void) unlink(fname);
return (-1);
}
- return (fd);
+ (void) close(fd);
+ if (auditctl(fname) < 0) {
+ *errorp = errno;
+ (void) unlink(fname);
+ return (-1);
+ }
+ (void) auditdist_link(fname);
+ return (0);
}
/*
* Create the new audit trail file, swap with existing audit file. Arguments
* include timestamp for the filename, a pointer to a string for returning the
- * new file name, GID for trail file, and audit_warn function pointer for
+ * new file name, GID for trail file, and audit_warn function pointer for
* 'getacdir()' errors. Returns:
- * ADE_NOERR on success,
- * ADE_STRERR if the file name string could not be created,
- * ADE_SWAPERR if the audit trail file could not be swapped,
- * ADE_ACTL if the auditctl(2) call failed but file swap still
+ * ADE_NOERR on success,
+ * ADE_STRERR if the file name string could not be created,
+ * ADE_SWAPERR if the audit trail file could not be swapped,
+ * ADE_ACTL if the auditctl(2) call failed but file swap still
* successful.
* ADE_ACTLERR if the auditctl(2) call failed and file swap failed.
* ADE_SYMLINK if symlink(2) failed updating the current link.
*/
int
-auditd_swap_trail(char *TS, char **newfile, gid_t gid,
+auditd_swap_trail(char *TS, char **newfile, gid_t gid,
int (*warn_getacdir)(char *))
{
- char timestr[FILENAME_LEN];
+ char timestr[FILENAME_LEN + 1];
char *fn;
struct dir_ent *dirent;
- int fd;
- int error;
int saverrno = 0;
-
- if (strlen(TS) != (TIMESTAMP_LEN - 1) ||
- snprintf(timestr, FILENAME_LEN, "%s.%s", TS, NOT_TERMINATED) < 0) {
+
+ if (strlen(TS) != TIMESTAMP_LEN ||
+ snprintf(timestr, sizeof(timestr), "%s.%s", TS,
+ NOT_TERMINATED) < 0) {
errno = EINVAL;
return (ADE_STRERR);
}
-
+
/* Try until we succeed. */
TAILQ_FOREACH(dirent, &dir_q, dirs) {
- if (dirent->hardlim)
+ if (dirent->hardlim)
continue;
if ((fn = affixdir(timestr, dirent)) == NULL)
return (ADE_STRERR);
/*
- * Create and open the file; then close and pass to the
- * kernel if all went well.
+ * Create the file and pass to the kernel if all went well.
*/
- fd = open_trail(fn, gid);
- if (fd >= 0) {
- error = auditctl(fn);
- if (error) {
- /*
- * auditctl failed setting log file.
- * Try again.
+ if (open_trail(fn, gid, &saverrno) == 0) {
+ /* Success. */
+ *newfile = fn;
+ if (saverrno) {
+ /*
+ * auditctl() failed but still
+ * successful. Return errno and "soft"
+ * error.
*/
- saverrno = errno;
- close(fd);
- } else {
- /* Success. */
- *newfile = fn;
- close(fd);
- if (error)
- return (error);
- if (saverrno) {
- /*
- * auditctl() failed but still
- * successful. Return errno and "soft"
- * error.
- */
- errno = saverrno;
- return (ADE_ACTL);
- }
- return (ADE_NOERR);
- }
- }
-
+ errno = saverrno;
+ return (ADE_ACTL);
+ }
+ return (ADE_NOERR);
+ }
+ /*
+ * auditctl failed setting log file. Try again.
+ */
/*
* Tell the administrator about lack of permissions for dir.
*/
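Review bot: inject_dist() validates its input with assert(), which is the wrong tool in a daemon library: a path without a '/' (for example a relative target read back from the 'current' symlink and passed through auditd_rename) aborts the process, and in an NDEBUG build the checks vanish and `ptr - fromname` is computed from a NULL pointer. The two strlcat() results are also unchecked, so a truncated name can be handed to link(2) or rename(2). I would make it return an error and have auditdist_link() and auditd_rename() skip the dist operation when it fails, as sketched below. Separately, `open(fname, O_RDONLY | O_CREAT, S_IRUSR)` in open_trail() reuses whatever already exists at that path and then applies fchown/fchmod to it; adding `O_EXCL` would settle the XXXPJD question by failing instead. auditd_swap_trail's loop continues past the end of this hunk.

```c
static int
inject_dist(const char *fromname, char *toname, size_t tonamesize)
{
	const char *ptr;
	size_t dirlen;

	ptr = strrchr(fromname, '/');
	if (ptr == NULL)
		return (-1);
	dirlen = (size_t)(ptr - fromname);
	if (dirlen >= tonamesize)
		return (-1);
	(void) strlcpy(toname, fromname, dirlen + 1);
	if (strlcat(toname, "/dist/", tonamesize) >= tonamesize ||
	    strlcat(toname, ptr + 1, tonamesize) >= tonamesize)
		return (-1);
	return (0);
}

/* ... unchanged: auditdist_link() signature and fname declaration ... */
	if (auditd_dist &&
	    inject_dist(filename, fname, sizeof(fname)) == 0) {
		/* Ignore errors. */
		(void) link(filename, fname);
	}

/* ... unchanged: auditd_rename() signature and fname/tname declarations ... */
	if (auditd_dist &&
	    inject_dist(fromname, fname, sizeof(fname)) == 0 &&
	    inject_dist(toname, tname, sizeof(tname)) == 0) {
		/* Ignore errors. */
		(void) rename(fname, tname);
	}
/* ... unchanged: return (rename(fromname, toname)); ... */
```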
@@ -890,11 +944,11 @@ auditd_prevent_audit(void)
{
auditinfo_addr_t aia;
- /*
+ /*
* To prevent event feedback cycles and avoid audit becoming stalled if
* auditing is suspended we mask this processes events from being
* audited. We allow the uid, tid, and mask fields to be implicitly
- * set to zero, but do set the audit session ID to the PID.
+ * set to zero, but do set the audit session ID to the PID.
*
* XXXRW: Is there more to it than this?
*/
@@ -902,7 +956,7 @@ auditd_prevent_audit(void)
aia.ai_asid = AU_ASSIGN_ASID;
aia.ai_termid.at_type = AU_IPv4;
if (setaudit_addr(&aia, sizeof(aia)) != 0)
- return (ADE_SETAUDIT);
+ return (ADE_SETAUDIT);
return (ADE_NOERR);
}
#else
@@ -911,21 +965,21 @@ auditd_prevent_audit(void)
{
auditinfo_t ai;
- /*
+ /*
* To prevent event feedback cycles and avoid audit becoming stalled if
* auditing is suspended we mask this processes events from being
* audited. We allow the uid, tid, and mask fields to be implicitly
- * set to zero, but do set the audit session ID to the PID.
+ * set to zero, but do set the audit session ID to the PID.
*
* XXXRW: Is there more to it than this?
*/
bzero(&ai, sizeof(ai));
ai.ai_asid = getpid();
if (setaudit(&ai) != 0)
- return (ADE_SETAUDIT);
+ return (ADE_SETAUDIT);
return (ADE_NOERR);
}
-#endif /* __APPLE__ */
+#endif /* !__APPLE__ */
/*
* Generate and submit audit record for audit startup or shutdown. The event
@@ -934,7 +988,7 @@ auditd_prevent_audit(void)
* Returns:
* AUE_NOERR on success,
* ADE_NOMEM if memory allocation fails,
- * ADE_AU_OPEN if au_open(3) fails,
+ * ADE_AU_OPEN if au_open(3) fails,
* ADE_AU_CLOSE if au_close(3) fails.
*/
int
@@ -953,7 +1007,7 @@ auditd_gen_record(int event, char *path)
asprintf(&autext, "%s::Audit shutdown", getprogname());
else if (event == AUE_audit_recovery)
asprintf(&autext, "%s::Audit recovery", getprogname());
- else
+ else
return (ADE_INVAL);
if (autext == NULL)
return (ADE_NOMEM);
@@ -965,7 +1019,7 @@ auditd_gen_record(int event, char *path)
bzero(&aia, sizeof(aia));
uid = getuid(); pid = getpid();
if ((tok = au_to_subject32_ex(uid, geteuid(), getegid(), uid, getgid(),
- pid, pid, &aia.ai_termid)) != NULL)
+ pid, pid, &aia.ai_termid)) != NULL)
au_write(aufd, tok);
if ((tok = au_to_text(autext)) != NULL)
au_write(aufd, tok);
@@ -985,8 +1039,8 @@ auditd_gen_record(int event, char *path)
* 'current' symlink. The argument 'curfile' is the file the 'current' symlink
* should point to. Returns:
* ADE_NOERR on success,
- * ADE_AU_OPEN if au_open(3) fails,
- * ADE_AU_CLOSE if au_close(3) fails.
+ * ADE_AU_OPEN if au_open(3) fails,
+ * ADE_AU_CLOSE if au_close(3) fails.
* ADE_RENAME if error renaming audit trail file,
* ADE_READLINK if error reading the 'current' link,
* ADE_SYMLINK if error creating 'current' link.
@@ -1005,17 +1059,18 @@ auditd_new_curlink(char *curfile)
* Check to see if audit was shutdown properly. If not, clean up,
* recover previous audit trail file, and generate audit record.
*/
- len = readlink(AUDIT_CURRENT_LINK, recoveredname, MAXPATHLEN - 1);
+ len = readlink(AUDIT_CURRENT_LINK, recoveredname,
+ sizeof(recoveredname) - 1);
if (len > 0) {
/* 'current' exist but is it pointing at a valid file? */
recoveredname[len++] = '\0';
- if (stat(recoveredname, &sb) == 0) {
+ if (stat(recoveredname, &sb) == 0) {
/* Yes, rename it to a crash recovery file. */
- strlcpy(newname, recoveredname, MAXPATHLEN);
+ strlcpy(newname, recoveredname, sizeof(newname));
if ((ptr = strstr(newname, NOT_TERMINATED)) != NULL) {
memcpy(ptr, CRASH_RECOVERY, POSTFIX_LEN);
- if (rename(recoveredname, newname) != 0)
+ if (auditd_rename(recoveredname, newname) != 0)
return (ADE_RENAME);
} else
return (ADE_STRERR);
@@ -1053,10 +1108,10 @@ audit_quick_start(void)
int err;
char *newfile = NULL;
time_t tt;
- char TS[TIMESTAMP_LEN];
+ char TS[TIMESTAMP_LEN + 1];
int ret = 0;
- /*
+ /*
* Mask auditing of this process.
*/
if (auditd_prevent_audit() != 0)
@@ -1065,14 +1120,19 @@ audit_quick_start(void)
/*
* Read audit_control and get log directories.
*/
- err = auditd_read_dirs(NULL, NULL);
+ err = auditd_read_dirs(NULL, NULL);
if (err != ADE_NOERR && err != ADE_SOFTLIM)
return (-1);
/*
+ * Setup trail file distribution.
+ */
+ (void) auditd_set_dist();
+
+ /*
* Create a new audit trail log.
*/
- if (getTSstr(tt, TS, TIMESTAMP_LEN) != 0)
+ if (getTSstr(tt, TS, sizeof(TS)) != 0)
return (-1);
err = auditd_swap_trail(TS, &newfile, getgid(), NULL);
if (err != ADE_NOERR && err != ADE_ACTL) {
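Review bot: The return value of auditd_set_dist() is discarded at `(void) auditd_set_dist();` with no explanation, so a parse failure in audit_control(5) silently leaves trail distribution in whatever state auditd_dist already had. If best effort is intended, the comment above the call should say so, for example `/* Best effort: on ADE_PARSE auditd_dist keeps its previous value. */`. An operator relying on the dist copies currently gets no indication that they are not being produced. audit_quick_start begins and ends outside this hunk.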
@@ -1081,7 +1141,7 @@ audit_quick_start(void)
}
/*
- * Add the current symlink and recover from crash, if needed.
+ * Add the current symlink and recover from crash, if needed.
*/
if (auditd_new_curlink(newfile) != 0) {
ret = -1;
@@ -1128,7 +1188,7 @@ audit_quick_stop(void)
time_t tt;
char oldname[MAXPATHLEN];
char newname[MAXPATHLEN];
- char TS[TIMESTAMP_LEN];
+ char TS[TIMESTAMP_LEN + 1];
/*
* Auditing already disabled?
@@ -1156,23 +1216,23 @@ audit_quick_stop(void)
/*
* Rename last audit trail and remove 'current' link.
*/
- len = readlink(AUDIT_CURRENT_LINK, oldname, MAXPATHLEN - 1);
+ len = readlink(AUDIT_CURRENT_LINK, oldname, sizeof(oldname) - 1);
if (len < 0)
return (-1);
oldname[len++] = '\0';
- if (getTSstr(tt, TS, TIMESTAMP_LEN) != 0)
+ if (getTSstr(tt, TS, sizeof(TS)) != 0)
return (-1);
- strlcpy(newname, oldname, len);
+ strlcpy(newname, oldname, sizeof(newname));
if ((ptr = strstr(newname, NOT_TERMINATED)) != NULL) {
memcpy(ptr, TS, POSTFIX_LEN);
- if (rename(oldname, newname) != 0)
+ if (auditd_rename(oldname, newname) != 0)
return (-1);
} else
return (-1);
-
+
(void) unlink(AUDIT_CURRENT_LINK);
return (0);