authortz204579 <none@none>2007-10-26 13:06:58 -0700
committertz204579 <none@none>2007-10-26 13:06:58 -0700
commita7746f662862b6ac0a85751d8adbc897743a83e1 (patch)
tree04185d177485f7fc40c00d4c136037d038c47a38 /usr/src
parent4d139e710100affa83409f3f4b39670b0694e28e (diff)
downloadillumos-gate-a7746f662862b6ac0a85751d8adbc897743a83e1.tar.gz
6431736 c2audit needs to add support for auditing ZFS/NFS ACLs
Diffstat (limited to 'usr/src')
-rw-r--r--usr/src/cmd/auditreduce/token.c55
-rw-r--r--usr/src/cmd/praudit/format.c394
-rw-r--r--usr/src/cmd/praudit/praudit.h8
-rw-r--r--usr/src/cmd/praudit/token.c37
-rw-r--r--usr/src/cmd/praudit/toktable.c5
-rw-r--r--usr/src/cmd/praudit/toktable.h7
-rw-r--r--usr/src/lib/auditd_plugins/syslog/systoken.c25
-rw-r--r--usr/src/lib/libbsm/adt_record.dtd.111
-rw-r--r--usr/src/lib/libbsm/adt_record.xsl.118
-rw-r--r--usr/src/lib/libbsm/common/adrm.c16
-rw-r--r--usr/src/lib/libbsm/common/libbsm.h1
-rw-r--r--usr/src/lib/libbsm/common/mapfile-vers1
-rw-r--r--usr/src/lib/libsec/common/acltext.c29
-rw-r--r--usr/src/lib/libsec/common/aclutils.h40
-rw-r--r--usr/src/uts/common/c2/audit_event.c111
-rw-r--r--usr/src/uts/common/c2/audit_record.h4
-rw-r--r--usr/src/uts/common/c2/audit_token.c21
17 files changed, 640 insertions, 143 deletions
diff --git a/usr/src/cmd/auditreduce/token.c b/usr/src/cmd/auditreduce/token.c
index ff11f2cd2d..1e3c37fbd2 100644
--- a/usr/src/cmd/auditreduce/token.c
+++ b/usr/src/cmd/auditreduce/token.c
@@ -19,7 +19,7 @@
* CDDL HEADER END
*/
/*
- * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -177,7 +177,7 @@ trailer_token(adr_t *adr)
adrm_u_short(adr, (ushort_t *)&magic_number, 1);
if (magic_number != AUT_TRAILER_MAGIC) {
(void) fprintf(stderr, "%s\n",
- gettext("auditreduce: Bad trailer token"));
+ gettext("auditreduce: Bad trailer token"));
return (-2);
}
adrm_u_int32(adr, &bytes, 1);
@@ -265,9 +265,9 @@ return_value32_token(adr_t *adr)
adrm_char(adr, &errnum, 1);
adrm_u_int32(adr, &value, 1);
if ((flags & M_SORF) &&
- ((global_class & mask.am_success) && (errnum == 0)) ||
- ((global_class & mask.am_failure) && (errnum != 0))) {
- checkflags |= M_SORF;
+ ((global_class & mask.am_success) && (errnum == 0)) ||
+ ((global_class & mask.am_failure) && (errnum != 0))) {
+ checkflags |= M_SORF;
}
return (-1);
}
@@ -288,9 +288,9 @@ return_value64_token(adr_t *adr)
adrm_char(adr, &errnum, 1);
adrm_u_int64(adr, &value, 1);
if ((flags & M_SORF) &&
- ((global_class & mask.am_success) && (errnum == 0)) ||
- ((global_class & mask.am_failure) && (errnum != 0))) {
- checkflags |= M_SORF;
+ ((global_class & mask.am_success) && (errnum == 0)) ||
+ ((global_class & mask.am_failure) && (errnum != 0))) {
+ checkflags |= M_SORF;
}
return (-1);
}
@@ -515,6 +515,13 @@ argument64_token(adr_t *adr)
return (-1);
}
+/*
+ * Format of acl token:
+ * acl token id adr_char
+ * acl type adr_u_int32
+ * acl value adr_u_int32 (depends on type)
+ * file mode adr_u_int (in octal)
+ */
int
acl_token(adr_t *adr)
{
@@ -531,6 +538,29 @@ acl_token(adr_t *adr)
}
/*
+ * Format of ace token:
+ * ace token id adr_char
+ * ace who adr_u_int32 (uid/gid)
+ * access mask adr_u_int32
+ * ace flags adr_u_int16
+ * ace type adr_u_int16
+ */
+int
+ace_token(adr_t *adr)
+{
+ uid_t who;
+ uint32_t access_mask;
+ uint16_t flags, type;
+
+ adrm_uid(adr, &who, 1);
+ adrm_u_int32(adr, &access_mask, 1);
+ adrm_u_short(adr, &flags, 1);
+ adrm_u_short(adr, &type, 1);
+
+ return (-1);
+}
+
+/*
* Format of attribute token: (old pre SunOS 5.7 format)
* attribute token id adr_char
* mode adr_int32 (printed in octal)
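Review bot: ace_token reads the four ace fields into locals that are never examined and then returns -1 with nothing saying why; the sibling tokens in this file (return_value32_token, return_value64_token) return -1 as their normal "token consumed, no selection made" result, so presumably that is the intent here too. A one-line comment ahead of the adrm_ calls would make that explicit, e.g. `/* no ace field is selectable; read past the token and continue */`. If a field is meant to become filterable later, the locals are already in place for it.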
@@ -1704,7 +1734,8 @@ collapse_path(char *s)
is += 1;
if (id > 0)
id--;
- while (id > 0 && s[--id] != '/');
+ while (id > 0 && s[--id] != '/')
+ ;
id++;
continue;
}
@@ -1713,11 +1744,13 @@ collapse_path(char *s)
is += 2;
if (id > 0)
id--;
- while (id > 0 && s[--id] != '/');
+ while (id > 0 && s[--id] != '/')
+ ;
id++;
continue;
}
- while (is < ls && (s[id++] = s[is++]) != '/');
+ while (is < ls && (s[id++] = s[is++]) != '/')
+ ;
is--;
}
return (s);
diff --git a/usr/src/cmd/praudit/format.c b/usr/src/cmd/praudit/format.c
index 548611864d..d5a0cc819e 100644
--- a/usr/src/cmd/praudit/format.c
+++ b/usr/src/cmd/praudit/format.c
@@ -49,6 +49,7 @@
#include <sys/inttypes.h>
#include <sys/mkdev.h>
#include <sys/types.h>
+#include <aclutils.h>
#include "praudit.h"
#include "toktable.h"
@@ -2017,32 +2018,16 @@ pa_mode(pr_context_t *context, int status, int flag)
return (status);
}
-
-/*
- * -----------------------------------------------------------------------
- * pa_pw_uid() : Issues pr_adr_u_int32 to reads uid from input stream
- * pointed to by audit_adr, and displays it in either
- * raw form or its ASCII representation, if status >= 0.
- * return codes : -1 - error
- * : 1 - warning, passwd entry not found
- * : 0 - successful
- * -----------------------------------------------------------------------
- */
-int
-pa_pw_uid(pr_context_t *context, int status, int flag)
+static int
+pa_print_uid(pr_context_t *context, uid_t uid, int status, int flag)
{
int returnstat;
struct passwd *pw;
- uint32_t uid;
uval_t uval;
if (status < 0)
return (status);
- if (pr_adr_u_int32(context, &uid, 1) != 0)
- /* cannot retrieve uid */
- return (-1);
-
if (!(context->format & PRF_RAWM)) {
/* get password file entry */
if ((pw = getpwuid(uid)) == NULL) {
@@ -2066,29 +2051,39 @@ pa_pw_uid(pr_context_t *context, int status, int flag)
/*
* -----------------------------------------------------------------------
- * pa_gr_uid() : Issues pr_adr_u_int32 to reads group uid from input stream
- * pointed to by audit_adr, and displays it in either
- * raw form or its ASCII representation, if status >= 0.
+ * pa_pw_uid() : Issues pr_adr_u_int32 to reads uid from input stream
+ * pointed to by audit_adr, and displays it in either
+ * raw form or its ASCII representation, if status >= 0.
* return codes : -1 - error
* : 1 - warning, passwd entry not found
* : 0 - successful
* -----------------------------------------------------------------------
*/
int
-pa_gr_uid(pr_context_t *context, int status, int flag)
+pa_pw_uid(pr_context_t *context, int status, int flag)
+{
+ uint32_t uid;
+
+ if (status < 0)
+ return (status);
+
+ if (pr_adr_u_int32(context, &uid, 1) != 0)
+ /* cannot retrieve uid */
+ return (-1);
+
+ return (pa_print_uid(context, uid, status, flag));
+}
+
+static int
+pa_print_gid(pr_context_t *context, gid_t gid, int status, int flag)
{
int returnstat;
struct group *gr;
- uint32_t gid;
uval_t uval;
if (status < 0)
return (status);
- if (pr_adr_u_int32(context, &gid, 1) != 0)
- /* cannot retrieve gid */
- return (-1);
-
if (!(context->format & PRF_RAWM)) {
/* get group file entry */
if ((gr = getgrgid(gid)) == NULL) {
@@ -2112,6 +2107,32 @@ pa_gr_uid(pr_context_t *context, int status, int flag)
/*
* -----------------------------------------------------------------------
+ * pa_gr_uid() : Issues pr_adr_u_int32 to reads group uid from input stream
+ * pointed to by audit_adr, and displays it in either
+ * raw form or its ASCII representation, if status >= 0.
+ * return codes : -1 - error
+ * : 1 - warning, passwd entry not found
+ * : 0 - successful
+ * -----------------------------------------------------------------------
+ */
+int
+pa_gr_uid(pr_context_t *context, int status, int flag)
+{
+ uint32_t gid;
+
+ if (status < 0)
+ return (status);
+
+ if (pr_adr_u_int32(context, &gid, 1) != 0)
+ /* cannot retrieve gid */
+ return (-1);
+
+ return (pa_print_gid(context, gid, status, flag));
+}
+
+
+/*
+ * -----------------------------------------------------------------------
* pa_pw_uid_gr_gid() : Issues pr_adr_u_int32 to reads uid or group uid
* from input stream
* pointed to by audit_adr, and displays it in either
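Review bot: The header comment moved onto pa_gr_uid still says `: 1 - warning, passwd entry not found`, but pa_gr_uid reads a gid and the lookup it delegates to (pa_print_gid, via getgrgid) is a group lookup; the line should read `: 1 - warning, group entry not found`. The wording was already wrong before this change and is being carried over verbatim onto the new lines.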
@@ -2945,3 +2966,322 @@ pa_xid(pr_context_t *context, int status, int flag)
return (returnstat);
}
+
+static int
+pa_ace_flags(pr_context_t *context, ace_t *ace, int status, int flag)
+{
+ int returnstat;
+ uval_t uval;
+
+ if (status < 0)
+ return (status);
+
+ /*
+ * TRANSLATION_NOTE
+ * ace->a_flags refers to access flags of ZFS/NFSv4 ACL entry.
+ */
+ if ((returnstat = open_tag(context, TAG_ACEFLAGS)) != 0)
+ return (returnstat);
+ if (!(context->format & PRF_RAWM)) {
+ uval.uvaltype = PRA_STRING;
+ switch (ace->a_flags & ACE_TYPE_FLAGS) {
+ case ACE_OWNER:
+ uval.string_val = gettext(OWNERAT_TXT);
+ break;
+ case ACE_GROUP | ACE_IDENTIFIER_GROUP:
+ uval.string_val = gettext(GROUPAT_TXT);
+ break;
+ case ACE_IDENTIFIER_GROUP:
+ uval.string_val = gettext(GROUP_TXT);
+ break;
+ case ACE_EVERYONE:
+ uval.string_val = gettext(EVERYONEAT_TXT);
+ break;
+ case 0:
+ uval.string_val = gettext(USER_TXT);
+ break;
+ default:
+ uval.uvaltype = PRA_USHORT;
+ uval.uint32_val = ace->a_flags;
+ }
+ } else {
+ uval.uvaltype = PRA_USHORT;
+ uval.uint32_val = ace->a_flags;
+ }
+ if ((returnstat = pa_print(context, &uval, flag)) != 0)
+ return (returnstat);
+ return (close_tag(context, TAG_ACEFLAGS));
+}
+
+static int
+pa_ace_who(pr_context_t *context, ace_t *ace, int status, int flag)
+{
+ int returnstat;
+
+ if (status < 0)
+ return (status);
+
+ /*
+ * TRANSLATION_NOTE
+ * ace->a_who refers to user id or group id of ZFS/NFSv4 ACL entry.
+ */
+ if ((returnstat = open_tag(context, TAG_ACEID)) != 0)
+ return (returnstat);
+ switch (ace->a_flags & ACE_TYPE_FLAGS) {
+ case ACE_IDENTIFIER_GROUP: /* group id */
+ returnstat = pa_print_gid(context, ace->a_who, returnstat,
+ flag);
+ break;
+ default: /* user id */
+ returnstat = pa_print_uid(context, ace->a_who, returnstat,
+ flag);
+ break;
+ }
+ if (returnstat < 0)
+ return (returnstat);
+ return (close_tag(context, TAG_ACEID));
+}
+
+/*
+ * Appends what to str, (re)allocating str if necessary.
+ */
+#define INITIAL_ALLOC 256
+static int
+strappend(char **str, char *what, size_t *alloc)
+{
+ char *s, *newstr;
+ size_t needed;
+
+ s = *str;
+
+ if (s == NULL) {
+ s = malloc(INITIAL_ALLOC);
+ if (s == NULL) {
+ *alloc = 0;
+ return (-1);
+ }
+ *alloc = INITIAL_ALLOC;
+ s[0] = '\0';
+ *str = s;
+ }
+
+ needed = strlen(s) + strlen(what) + 1;
+ if (*alloc < needed) {
+ newstr = realloc(s, needed);
+ if (newstr == NULL)
+ return (-1);
+ s = newstr;
+ *alloc = needed;
+ *str = s;
+ }
+ (void) strlcat(s, what, *alloc);
+
+ return (0);
+}
+
+static int
+pa_ace_access_mask(pr_context_t *context, ace_t *ace, int status, int flag)
+{
+ int returnstat, i;
+ uval_t uval;
+ char *permstr = NULL;
+ size_t permstr_alloc = 0;
+
+ if (status < 0)
+ return (status);
+
+ /*
+ * TRANSLATION_NOTE
+ * ace->a_access_mask refers to access mask of ZFS/NFSv4 ACL entry.
+ */
+ if ((returnstat = open_tag(context, TAG_ACEMASK)) != 0)
+ return (returnstat);
+ if (context->format & PRF_SHORTM &&
+ ((permstr = malloc(15)) != NULL)) {
+ for (i = 0; i < 14; i++)
+ permstr[i] = '-';
+
+ if (ace->a_access_mask & ACE_READ_DATA)
+ permstr[0] = 'r';
+ if (ace->a_access_mask & ACE_WRITE_DATA)
+ permstr[1] = 'w';
+ if (ace->a_access_mask & ACE_EXECUTE)
+ permstr[2] = 'x';
+ if (ace->a_access_mask & ACE_APPEND_DATA)
+ permstr[3] = 'p';
+ if (ace->a_access_mask & ACE_DELETE)
+ permstr[4] = 'd';
+ if (ace->a_access_mask & ACE_DELETE_CHILD)
+ permstr[5] = 'D';
+ if (ace->a_access_mask & ACE_READ_ATTRIBUTES)
+ permstr[6] = 'a';
+ if (ace->a_access_mask & ACE_WRITE_ATTRIBUTES)
+ permstr[7] = 'A';
+ if (ace->a_access_mask & ACE_READ_NAMED_ATTRS)
+ permstr[8] = 'R';
+ if (ace->a_access_mask & ACE_WRITE_NAMED_ATTRS)
+ permstr[9] = 'W';
+ if (ace->a_access_mask & ACE_READ_ACL)
+ permstr[10] = 'c';
+ if (ace->a_access_mask & ACE_WRITE_ACL)
+ permstr[11] = 'C';
+ if (ace->a_access_mask & ACE_WRITE_OWNER)
+ permstr[12] = 'o';
+ if (ace->a_access_mask & ACE_SYNCHRONIZE)
+ permstr[13] = 's';
+ permstr[14] = '\0';
+ uval.uvaltype = PRA_STRING;
+ uval.string_val = permstr;
+ } else if (!(context->format & PRF_RAWM)) {
+
+ /*
+ * Note this differs from acltext.c:ace_perm_txt()
+ * because we don't know if the acl belongs to a file
+ * or directory. ace mask value are the same
+ * nonetheless, see sys/acl.h
+ */
+ if (ace->a_access_mask & ACE_LIST_DIRECTORY) {
+ returnstat = strappend(&permstr, gettext(READ_DIR_TXT),
+ &permstr_alloc);
+ }
+ if (ace->a_access_mask & ACE_ADD_FILE) {
+ returnstat = strappend(&permstr, gettext(ADD_FILE_TXT),
+ &permstr_alloc);
+ }
+ if (ace->a_access_mask & ACE_ADD_SUBDIRECTORY) {
+ returnstat = strappend(&permstr, gettext(ADD_DIR_TXT),
+ &permstr_alloc);
+ }
+ if (ace->a_access_mask & ACE_READ_NAMED_ATTRS) {
+ returnstat = strappend(&permstr,
+ gettext(READ_XATTR_TXT), &permstr_alloc);
+ }
+ if (ace->a_access_mask & ACE_WRITE_NAMED_ATTRS) {
+ returnstat = strappend(&permstr,
+ gettext(WRITE_XATTR_TXT), &permstr_alloc);
+ }
+ if (ace->a_access_mask & ACE_EXECUTE) {
+ returnstat = strappend(&permstr,
+ gettext(EXECUTE_TXT), &permstr_alloc);
+ }
+ if (ace->a_access_mask & ACE_DELETE_CHILD) {
+ returnstat = strappend(&permstr,
+ gettext(DELETE_CHILD_TXT), &permstr_alloc);
+ }
+ if (ace->a_access_mask & ACE_READ_ATTRIBUTES) {
+ returnstat = strappend(&permstr,
+ gettext(READ_ATTRIBUTES_TXT), &permstr_alloc);
+ }
+ if (ace->a_access_mask & ACE_WRITE_ATTRIBUTES) {
+ returnstat = strappend(&permstr,
+ gettext(WRITE_ATTRIBUTES_TXT), &permstr_alloc);
+ }
+ if (ace->a_access_mask & ACE_DELETE) {
+ returnstat = strappend(&permstr, gettext(DELETE_TXT),
+ &permstr_alloc);
+ }
+ if (ace->a_access_mask & ACE_READ_ACL) {
+ returnstat = strappend(&permstr, gettext(READ_ACL_TXT),
+ &permstr_alloc);
+ }
+ if (ace->a_access_mask & ACE_WRITE_ACL) {
+ returnstat = strappend(&permstr, gettext(WRITE_ACL_TXT),
+ &permstr_alloc);
+ }
+ if (ace->a_access_mask & ACE_WRITE_OWNER) {
+ returnstat = strappend(&permstr,
+ gettext(WRITE_OWNER_TXT), &permstr_alloc);
+ }
+ if (ace->a_access_mask & ACE_SYNCHRONIZE) {
+ returnstat = strappend(&permstr,
+ gettext(SYNCHRONIZE_TXT), &permstr_alloc);
+ }
+ if (permstr[strlen(permstr) - 1] == '/')
+ permstr[strlen(permstr) - 1] = '\0';
+ uval.uvaltype = PRA_STRING;
+ uval.string_val = permstr;
+ }
+ if ((permstr == NULL) || (returnstat != 0) ||
+ (context->format & PRF_RAWM)) {
+ uval.uvaltype = PRA_UINT32;
+ uval.uint32_val = ace->a_access_mask;
+ }
+ returnstat = pa_print(context, &uval, flag);
+
+ if (permstr != NULL)
+ free(permstr);
+ if (returnstat != 0)
+ return (returnstat);
+ return (close_tag(context, TAG_ACEMASK));
+}
+
+static int
+pa_ace_type(pr_context_t *context, ace_t *ace, int status, int flag)
+{
+ int returnstat;
+ uval_t uval;
+
+ if (status < 0)
+ return (status);
+
+ /*
+ * TRANSLATION_NOTE
+ * ace->a_type refers to access type of ZFS/NFSv4 ACL entry.
+ */
+ if ((returnstat = open_tag(context, TAG_ACETYPE)) != 0)
+ return (returnstat);
+ if (!(context->format & PRF_RAWM)) {
+ uval.uvaltype = PRA_STRING;
+ switch (ace->a_type) {
+ case ACE_ACCESS_ALLOWED_ACE_TYPE:
+ uval.string_val = gettext(ALLOW_TXT);
+ break;
+ case ACE_ACCESS_DENIED_ACE_TYPE:
+ uval.string_val = gettext(DENY_TXT);
+ break;
+ case ACE_SYSTEM_AUDIT_ACE_TYPE:
+ uval.string_val = gettext(AUDIT_TXT);
+ break;
+ case ACE_SYSTEM_ALARM_ACE_TYPE:
+ uval.string_val = gettext(ALARM_TXT);
+ break;
+ default:
+ uval.string_val = gettext(UNKNOWN_TXT);
+ }
+ } else {
+ uval.uvaltype = PRA_USHORT;
+ uval.uint32_val = ace->a_type;
+ }
+ if ((returnstat = pa_print(context, &uval, flag)) != 0)
+ return (returnstat);
+ return (close_tag(context, TAG_ACETYPE));
+}
+
+int
+pa_ace(pr_context_t *context, int status, int flag)
+{
+ int returnstat;
+ ace_t ace;
+
+ if (status < 0)
+ return (status);
+
+ if ((returnstat = pr_adr_u_int32(context, &ace.a_who, 1)) != 0)
+ return (returnstat);
+ if ((returnstat = pr_adr_u_int32(context, &ace.a_access_mask, 1)) != 0)
+ return (returnstat);
+ if ((returnstat = pr_adr_u_short(context, &ace.a_flags, 1)) != 0)
+ return (returnstat);
+ if ((returnstat = pr_adr_u_short(context, &ace.a_type, 1)) != 0)
+ return (returnstat);
+
+ if ((returnstat = pa_ace_flags(context, &ace, returnstat, 0)) != 0)
+ return (returnstat);
+ /* pa_ace_who can returns 1 if uid/gid is not found */
+ if ((returnstat = pa_ace_who(context, &ace, returnstat, 0)) < 0)
+ return (returnstat);
+ if ((returnstat = pa_ace_access_mask(context, &ace,
+ returnstat, 0)) != 0)
+ return (returnstat);
+ return (pa_ace_type(context, &ace, returnstat, flag));
+}
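Review bot: In pa_ace_access_mask the line `if (permstr[strlen(permstr) - 1] == '/')` runs on every non-raw, non-short path even when no ACE_* bit matched (an access mask of 0 or an unrecognized bit pattern) or when the first strappend failed to allocate, and in both cases permstr is still NULL, so the token printer dereferences a null pointer on attacker-shaped input. Guard it: `if (permstr != NULL && permstr[strlen(permstr) - 1] == '/')`, after which the existing `permstr == NULL` fallback prints the raw mask. Separately, returnstat is overwritten by every strappend call, so an early allocation failure is hidden by a later success and a truncated permission list is printed as if it were complete; accumulating with `returnstat |= strappend(...)` (or skipping further appends once it is non-zero) preserves the failure. In pa_ace_flags and pa_ace_type the raw branches tag the value PRA_USHORT but store it in uval.uint32_val; if uval_t is a union and pa_print reads a 16-bit member for PRA_USHORT, this would print the wrong half on big-endian targets, so it is worth confirming against pa_print.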
diff --git a/usr/src/cmd/praudit/praudit.h b/usr/src/cmd/praudit/praudit.h
index 6588152a12..4f6ada3154 100644
--- a/usr/src/cmd/praudit/praudit.h
+++ b/usr/src/cmd/praudit/praudit.h
@@ -2,9 +2,8 @@
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
- * Common Development and Distribution License, Version 1.0 only
- * (the "License"). You may not use this file except in compliance
- * with the License.
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* or http://www.opensolaris.org/os/licensing.
@@ -20,7 +19,7 @@
* CDDL HEADER END
*/
/*
- * Copyright 2004 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -209,6 +208,7 @@ extern int pa_adr_int64hex(pr_context_t *context, int status, int flag);
extern int pa_pw_uid(pr_context_t *context, int status, int flag);
extern int pa_gr_uid(pr_context_t *context, int status, int flag);
extern int pa_pw_uid_gr_gid(pr_context_t *context, int status, int flag);
+extern int pa_ace(pr_context_t *context, int status, int flag);
extern int pa_hostname(pr_context_t *context, int status, int flag);
extern int pa_hostname_ex(pr_context_t *context, int status, int flag);
extern int pa_hostname_so(pr_context_t *context, int status, int flag);
diff --git a/usr/src/cmd/praudit/token.c b/usr/src/cmd/praudit/token.c
index 87a054c2cb..d2a0125d84 100644
--- a/usr/src/cmd/praudit/token.c
+++ b/usr/src/cmd/praudit/token.c
@@ -462,7 +462,7 @@ arbitrary_data_token(pr_context_t *context)
case AUR_CHAR:
if (pr_adr_char(context, &c1, 1) == 0)
(void) convert_char_to_string(how_to_print,
- c1, p);
+ c1, p);
else {
free(p);
return (-1);
@@ -471,7 +471,7 @@ arbitrary_data_token(pr_context_t *context)
case AUR_SHORT:
if (pr_adr_short(context, &c2, 1) == 0)
(void) convert_short_to_string(how_to_print,
- c2, p);
+ c2, p);
else {
free(p);
return (-1);
@@ -480,7 +480,7 @@ arbitrary_data_token(pr_context_t *context)
case AUR_INT32:
if (pr_adr_int32(context, &c3, 1) == 0)
(void) convert_int32_to_string(how_to_print,
- c3, p);
+ c3, p);
else {
free(p);
return (-1);
@@ -489,7 +489,7 @@ arbitrary_data_token(pr_context_t *context)
case AUR_INT64:
if (pr_adr_int64(context, &c4, 1) == 0)
(void) convert_int64_to_string(how_to_print,
- c4, p);
+ c4, p);
else {
free(p);
return (-1);
@@ -716,7 +716,8 @@ collapse_path(char *s)
is += 1;
if (id > 0)
id--;
- while (id > 0 && s[--id] != '/');
+ while (id > 0 && s[--id] != '/')
+ ;
id++;
continue;
}
@@ -725,11 +726,13 @@ collapse_path(char *s)
is += 2;
if (id > 0)
id--;
- while (id > 0 && s[--id] != '/');
+ while (id > 0 && s[--id] != '/')
+ ;
id++;
continue;
}
- while (is < ls && (s[id++] = s[is++]) != '/');
+ while (is < ls && (s[id++] = s[is++]) != '/')
+ ;
is--;
}
return (s);
@@ -1712,6 +1715,26 @@ acl_token(pr_context_t *context)
/*
* -----------------------------------------------------------------------
+ * ace_token() : Process ZFS/NFSv4 access control list term
+ * return codes : -1 - error
+ * : 0 - successful
+ *
+ * Format of ace token:
+ * token id adr_char
+ * term who adr_u_int32 (uid/gid)
+ * term mask adr_u_int32
+ * term flags adr_u_int16
+ * term type adr_u_int16
+ * -----------------------------------------------------------------------
+ */
+int
+ace_token(pr_context_t *context)
+{
+ return (pa_ace(context, 0, 1));
+}
+
+/*
+ * -----------------------------------------------------------------------
* attribute_token() : Process attribute token and display contents
* return codes : -1 - error
* : 0 - successful
diff --git a/usr/src/cmd/praudit/toktable.c b/usr/src/cmd/praudit/toktable.c
index 7a7fe2088c..cefd302891 100644
--- a/usr/src/cmd/praudit/toktable.c
+++ b/usr/src/cmd/praudit/toktable.c
@@ -115,6 +115,7 @@ init_tokens(void)
*/
table_init(AUT_ACL, "acl", acl_token, T_ENCLOSED);
+ table_init(AUT_ACE, "acl", ace_token, T_ENCLOSED);
table_init(AUT_ATTR, "attribute", attribute_token, T_ENCLOSED);
table_init(AUT_IPC_PERM, "IPC_perm", s5_IPC_perm_token, T_ENCLOSED);
table_init(AUT_GROUPS, "group", group_token, T_ELEMENT);
@@ -281,6 +282,10 @@ init_tokens(void)
table_init(TAG_ACLTYPE, "type", NOFUNC, T_ATTRIBUTE);
table_init(TAG_ACLVAL, "value", NOFUNC, T_ATTRIBUTE);
+ table_init(TAG_ACEMASK, "access_mask", NOFUNC, T_ATTRIBUTE);
+ table_init(TAG_ACEFLAGS, "flags", NOFUNC, T_ATTRIBUTE);
+ table_init(TAG_ACETYPE, "type", NOFUNC, T_ATTRIBUTE);
+ table_init(TAG_ACEID, "id", NOFUNC, T_ATTRIBUTE);
table_init(TAG_SOCKTYPE, "type", pa_adr_shorthex, T_ATTRIBUTE);
table_init(TAG_SOCKPORT, "port", pa_adr_shorthex, T_ATTRIBUTE);
table_init(TAG_SOCKADDR, "addr", NOFUNC, T_ATTRIBUTE);
diff --git a/usr/src/cmd/praudit/toktable.h b/usr/src/cmd/praudit/toktable.h
index e97582e96f..3ce65c3fdf 100644
--- a/usr/src/cmd/praudit/toktable.h
+++ b/usr/src/cmd/praudit/toktable.h
@@ -19,7 +19,7 @@
* CDDL HEADER END
*/
/*
- * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -153,6 +153,10 @@ enum tagnum_t { TAG_INVALID = MAXTOKEN,
TAG_IP_LOCAL, /* with tid token, type=ip */
TAG_IP_REMOTE, /* with tid token, type=ip */
TAG_IP_ADR, /* with tid token, type=ip */
+ TAG_ACEMASK, /* with ace token */
+ TAG_ACEFLAGS, /* with ace token */
+ TAG_ACETYPE, /* with ace token */
+ TAG_ACEID, /* with ace token */
MAXTAG
};
@@ -197,6 +201,7 @@ extern int zonename_token();
*/
extern int acl_token();
+extern int ace_token();
extern int attribute_token();
extern int s5_IPC_perm_token();
extern int group_token();
diff --git a/usr/src/lib/auditd_plugins/syslog/systoken.c b/usr/src/lib/auditd_plugins/syslog/systoken.c
index d524b91995..f5c6117728 100644
--- a/usr/src/lib/auditd_plugins/syslog/systoken.c
+++ b/usr/src/lib/auditd_plugins/syslog/systoken.c
@@ -533,10 +533,33 @@ argument64_token(parse_context_t *ctx)
return (0);
}
+/*
+ * Format of acl token:
+ * acl token id adr_char
+ * type adr_u_int32
+ * value adr_u_int32
+ * mode adr_u_int32
+ */
int
acl_token(parse_context_t *ctx)
{
- ctx->adr.adr_now += 3 * sizeof (int32_t);
+ ctx->adr.adr_now += 3 * sizeof (uint32_t);
+
+ return (0);
+}
+
+/*
+ * Format of ace token:
+ * ace token id adr_char
+ * id adr_u_int32
+ * access_mask adr_u_int32
+ * flags adr_u_short
+ * type adr_u_short
+ */
+int
+ace_token(parse_context_t *ctx)
+{
+ ctx->adr.adr_now += 2 * sizeof (uint32_t) + 2 * sizeof (ushort_t);
return (0);
}
diff --git a/usr/src/lib/libbsm/adt_record.dtd.1 b/usr/src/lib/libbsm/adt_record.dtd.1
index 6ca00c0a81..271388b3ae 100644
--- a/usr/src/lib/libbsm/adt_record.dtd.1
+++ b/usr/src/lib/libbsm/adt_record.dtd.1
@@ -1,7 +1,7 @@
<?xml version="1.0" encoding="UTF-8" ?>
<!--
- Copyright 2006 Sun Microsystems, Inc. All rights reserved.
+ Copyright 2007 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.
CDDL HEADER START
@@ -350,9 +350,12 @@ first token (which is the record token):
<!-- acl token -->
<!ELEMENT acl EMPTY>
<!ATTLIST acl
- type CDATA #REQUIRED
- value CDATA #REQUIRED
- mode CDATA #REQUIRED
+ type CDATA #IMPLIED
+ value CDATA #IMPLIED
+ mode CDATA #IMPLIED
+ flags CDATA #IMPLIED
+ id CDATA #IMPLIED
+ access_mask CDATA #IMPLIED
>
<!-- tid token -->
diff --git a/usr/src/lib/libbsm/adt_record.xsl.1 b/usr/src/lib/libbsm/adt_record.xsl.1
index 6e4d2c98e7..122f1f2173 100644
--- a/usr/src/lib/libbsm/adt_record.xsl.1
+++ b/usr/src/lib/libbsm/adt_record.xsl.1
@@ -1,7 +1,7 @@
<?xml version="1.0" encoding="UTF-8" ?>
<!--
- Copyright 2006 Sun Microsystems, Inc. All rights reserved.
+ Copyright 2007 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.
CDDL HEADER START
@@ -354,9 +354,19 @@
<xsl:template match="acl">
<BR/>
<I>ACL </I>
- <I> type: </I><xsl:value-of select="@type"/>
- <I> value: </I><xsl:value-of select="@value"/>
- <I> mode: </I><xsl:value-of select="@mode"/>
+ <xsl:choose>
+ <xsl:when test="@mode"> <!-- old ACL entry -->
+ <I> type: </I><xsl:value-of select="@type"/>
+ <I> value: </I><xsl:value-of select="@value"/>
+ <I> mode: </I><xsl:value-of select="@mode"/>
+ </xsl:when>
+ <xsl:otherwise>
+ <I> flags: </I><xsl:value-of select="@flags"/>
+ <I> id: </I><xsl:value-of select="@id"/>
+ <I> access_mask: </I><xsl:value-of select="@access_mask"/>
+ <I> type: </I><xsl:value-of select="@type"/>
+ </xsl:otherwise>
+ </xsl:choose>
</xsl:template>
<xsl:template match="tid">
diff --git a/usr/src/lib/libbsm/common/adrm.c b/usr/src/lib/libbsm/common/adrm.c
index e86f188d4b..ef65719699 100644
--- a/usr/src/lib/libbsm/common/adrm.c
+++ b/usr/src/lib/libbsm/common/adrm.c
@@ -86,6 +86,20 @@ adrm_int32(adr_t *adr, int32_t *lp, int count)
}
void
+adrm_uid(adr_t *adr, uid_t *up, int count)
+{
+ int i;
+
+ for (; count-- > 0; up++) {
+ *up = 0;
+ for (i = 0; i < 4; i++) {
+ *up <<= 8;
+ *up += ((uid_t)*adr->adr_now++) & 0x000000ff;
+ }
+ }
+}
+
+void
adrm_int64(adr_t *adr, int64_t *lp, int count)
{
int i;
@@ -142,7 +156,7 @@ adrm_putint32(adr_t *adr, int32_t *lp, int count)
for (; count-- > 0; lp++) {
for (i = 0, l = *lp; i < 4; i++) {
*adr->adr_now++ = (char)((l & (int32_t)0xff000000) >>
- (int)24);
+ (int)24);
l <<= (int)8;
}
}
diff --git a/usr/src/lib/libbsm/common/libbsm.h b/usr/src/lib/libbsm/common/libbsm.h
index 8b11a0d018..0322ec4cbe 100644
--- a/usr/src/lib/libbsm/common/libbsm.h
+++ b/usr/src/lib/libbsm/common/libbsm.h
@@ -129,6 +129,7 @@ extern void adrm_char(adr_t *, char *, int);
extern void adrm_short(adr_t *, short *, int);
extern void adrm_int64(adr_t *, int64_t *, int);
extern void adrm_int32(adr_t *, int32_t *, int);
+extern void adrm_uid(adr_t *, uid_t *, int);
extern void adrm_u_int32(adr_t *, uint32_t *, int);
extern void adrm_u_char(adr_t *, uchar_t *, int);
extern void adrm_u_int64(adr_t *, uint64_t *, int);
diff --git a/usr/src/lib/libbsm/common/mapfile-vers b/usr/src/lib/libbsm/common/mapfile-vers
index ad387a10dc..1efd828b2c 100644
--- a/usr/src/lib/libbsm/common/mapfile-vers
+++ b/usr/src/lib/libbsm/common/mapfile-vers
@@ -139,6 +139,7 @@ SUNWprivate_1.1 {
adrm_u_int32;
adrm_u_int64;
adrm_u_short;
+ adrm_uid;
adr_short;
adr_start;
adt_alloc_event;
diff --git a/usr/src/lib/libsec/common/acltext.c b/usr/src/lib/libsec/common/acltext.c
index c0e1bb1e58..5060d81f8c 100644
--- a/usr/src/lib/libsec/common/acltext.c
+++ b/usr/src/lib/libsec/common/acltext.c
@@ -234,12 +234,6 @@ split_line(char *str, int cols)
}
}
-#define OWNERAT_TXT "owner@"
-#define GROUPAT_TXT "group@"
-#define EVERYONEAT_TXT "everyone@"
-#define GROUP_TXT "group:"
-#define USER_TXT "user:"
-
char *
ace_type_txt(char *buf, char **endp, ace_t *acep, int flags)
{
@@ -283,24 +277,6 @@ ace_type_txt(char *buf, char **endp, ace_t *acep, int flags)
return (buf);
}
-#define READ_DATA_TXT "read_data/"
-#define WRITE_DATA_TXT "write_data/"
-#define EXECUTE_TXT "execute/"
-#define READ_XATTR_TXT "read_xattr/"
-#define WRITE_XATTR_TXT "write_xattr/"
-#define READ_ATTRIBUTES_TXT "read_attributes/"
-#define WRITE_ATTRIBUTES_TXT "write_attributes/"
-#define DELETE_TXT "delete/"
-#define DELETE_CHILD_TXT "delete_child/"
-#define WRITE_OWNER_TXT "write_owner/"
-#define READ_ACL_TXT "read_acl/"
-#define WRITE_ACL_TXT "write_acl/"
-#define APPEND_DATA_TXT "append_data/"
-#define READ_DIR_TXT "list_directory/read_data/"
-#define ADD_DIR_TXT "add_subdirectory/append_data/"
-#define ADD_FILE_TXT "add_file/write_data/"
-#define SYNCHRONIZE_TXT "synchronize" /* not slash on this one */
-
char *
ace_perm_txt(char *buf, char **endp, uint32_t mask,
uint32_t iflags, int isdir, int flags)
@@ -473,11 +449,6 @@ ace_perm_txt(char *buf, char **endp, uint32_t mask,
return (buf);
}
-#define ALLOW_TXT "allow"
-#define DENY_TXT "deny"
-#define ALARM_TXT "alarm"
-#define AUDIT_TXT "audit"
-#define UNKNOWN_TXT "unknown"
char *
ace_access_txt(char *buf, char **endp, int type)
{
diff --git a/usr/src/lib/libsec/common/aclutils.h b/usr/src/lib/libsec/common/aclutils.h
index 1db0aa4752..55c60a5dda 100644
--- a/usr/src/lib/libsec/common/aclutils.h
+++ b/usr/src/lib/libsec/common/aclutils.h
@@ -62,6 +62,46 @@ struct acl_perm_type {
uint32_t perm_val; /* numeric value being returned */
};
+
+/*
+ * Textual representation of ace_t's access mask
+ */
+#define READ_DATA_TXT "read_data/"
+#define WRITE_DATA_TXT "write_data/"
+#define EXECUTE_TXT "execute/"
+#define READ_XATTR_TXT "read_xattr/"
+#define WRITE_XATTR_TXT "write_xattr/"
+#define READ_ATTRIBUTES_TXT "read_attributes/"
+#define WRITE_ATTRIBUTES_TXT "write_attributes/"
+#define DELETE_TXT "delete/"
+#define DELETE_CHILD_TXT "delete_child/"
+#define WRITE_OWNER_TXT "write_owner/"
+#define READ_ACL_TXT "read_acl/"
+#define WRITE_ACL_TXT "write_acl/"
+#define APPEND_DATA_TXT "append_data/"
+#define READ_DIR_TXT "list_directory/read_data/"
+#define ADD_DIR_TXT "add_subdirectory/append_data/"
+#define ADD_FILE_TXT "add_file/write_data/"
+#define SYNCHRONIZE_TXT "synchronize" /* not slash on this one */
+
+/*
+ * ace_t's flags
+ */
+#define OWNERAT_TXT "owner@"
+#define GROUPAT_TXT "group@"
+#define EVERYONEAT_TXT "everyone@"
+#define GROUP_TXT "group:"
+#define USER_TXT "user:"
+
+/*
+ * ace_t's access types
+ */
+#define ALLOW_TXT "allow"
+#define DENY_TXT "deny"
+#define ALARM_TXT "alarm"
+#define AUDIT_TXT "audit"
+#define UNKNOWN_TXT "unknown"
+
extern char *yybuf;
extern acl_t *yyacl;
diff --git a/usr/src/uts/common/c2/audit_event.c b/usr/src/uts/common/c2/audit_event.c
index e1ffc61c81..25340134c9 100644
--- a/usr/src/uts/common/c2/audit_event.c
+++ b/usr/src/uts/common/c2/audit_event.c
@@ -5031,10 +5031,15 @@ aui_acl(au_event_t e)
switch (uap->cmd) {
case SETACL:
- /* ok, acl(SETACL, ...) and facl(SETACL, ...) are expected. */
+ case ACE_SETACL:
+ /*
+ * acl(SETACL/ACE_SETACL, ...) and facl(SETACL/ACE_SETACL, ...)
+ * are expected.
+ */
break;
case GETACL:
case GETACLCNT:
+ case ACE_GETACLCNT:
/* do nothing for these two values. */
e = AUE_NULL;
break;
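Review bot: With ACE_GETACLCNT added to the GETACL/GETACLCNT case, the comment `/* do nothing for these two values. */` no longer matches the code; suggest `/* read-only commands: no audit record. */`. ACE_GETACL is not listed alongside them; if it is a valid cmd on this platform it falls through to the default case outside the hunk, which is worth checking treats it the same way as the other read-only commands.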
@@ -5046,44 +5051,52 @@ aui_acl(au_event_t e)
return (e);
}
-
-/*ARGSUSED*/
static void
-aus_acl(struct t_audit_data *tad)
+au_acl(int cmd, int nentries, caddr_t bufp)
{
- struct a {
- long fname;
- long cmd;
- long nentries;
- long aclbufp;
- } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
- struct acl *aclbufp;
-
- au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd));
- au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries));
+ size_t a_size;
+ aclent_t *aclbufp;
+ ace_t *acebufp;
+ int i;
- switch (uap->cmd) {
+ switch (cmd) {
case GETACL:
case GETACLCNT:
break;
case SETACL:
- if (uap->nentries < 3)
+ if (nentries < 3)
break;
- else {
- size_t a_size = uap->nentries * sizeof (struct acl);
- int i;
- aclbufp = kmem_alloc(a_size, KM_SLEEP);
- if (copyin((caddr_t)(uap->aclbufp), aclbufp, a_size)) {
- kmem_free(aclbufp, a_size);
- break;
- }
- for (i = 0; i < uap->nentries; i++) {
- au_uwrite(au_to_acl(aclbufp + i));
- }
+ a_size = nentries * sizeof (aclent_t);
+
+ if ((aclbufp = kmem_alloc(a_size, KM_SLEEP)) == NULL)
+ break;
+ if (copyin(bufp, aclbufp, a_size)) {
kmem_free(aclbufp, a_size);
break;
}
+ for (i = 0; i < nentries; i++) {
+ au_uwrite(au_to_acl(aclbufp + i));
+ }
+ kmem_free(aclbufp, a_size);
+ break;
+
+ case ACE_SETACL:
+ if (nentries < 1 || nentries > MAX_ACL_ENTRIES)
+ break;
+
+ a_size = nentries * sizeof (ace_t);
+ if ((acebufp = kmem_alloc(a_size, KM_SLEEP)) == NULL)
+ break;
+ if (copyin(bufp, acebufp, a_size)) {
+ kmem_free(acebufp, a_size);
+ break;
+ }
+ for (i = 0; i < nentries; i++) {
+ au_uwrite(au_to_ace(acebufp + i));
+ }
+ kmem_free(acebufp, a_size);
+ break;
default:
break;
}
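Review bot: The SETACL case of au_acl bounds nentries only from below (`nentries < 3`), while the new ACE_SETACL case also caps it at MAX_ACL_ENTRIES; nentries comes straight from the caller's syscall arguments and this runs in the audit-start path before the syscall itself validates them, so an oversized count drives `nentries * sizeof (aclent_t)` into `kmem_alloc(..., KM_SLEEP)` from unprivileged context. Suggest `if (nentries < 3 || nentries > MAX_ACL_ENTRIES) break;` so both branches apply the same ceiling. The `== NULL` checks after kmem_alloc with KM_SLEEP are dead, since KM_SLEEP blocks rather than returning NULL, and can be dropped. Both callers pass uap->nentries, a long, into the int parameter, so the count checked here can differ from what the syscall later sees; presumably only the audit record is affected, but a comment on the parameter would help.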
@@ -5091,6 +5104,23 @@ aus_acl(struct t_audit_data *tad)
/*ARGSUSED*/
static void
+aus_acl(struct t_audit_data *tad)
+{
+ struct a {
+ long fname;
+ long cmd;
+ long nentries;
+ long aclbufp;
+ } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
+
+ au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd));
+ au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries));
+
+ au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp);
+}
+
+/*ARGSUSED*/
+static void
aus_facl(struct t_audit_data *tad)
{
struct a {
@@ -5102,7 +5132,6 @@ aus_facl(struct t_audit_data *tad)
struct file *fp;
struct vnode *vp;
struct f_audit_data *fad;
- struct acl *aclbufp;
int fd;
au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd));
@@ -5127,31 +5156,7 @@ aus_facl(struct t_audit_data *tad)
/* decrement file descriptor reference count */
releasef(fd);
- switch (uap->cmd) {
- case GETACL:
- case GETACLCNT:
- break;
- case SETACL:
- if (uap->nentries < 3)
- break;
- else {
- size_t a_size = uap->nentries * sizeof (struct acl);
- int i;
-
- aclbufp = kmem_alloc(a_size, KM_SLEEP);
- if (copyin((caddr_t)(uap->aclbufp), aclbufp, a_size)) {
- kmem_free(aclbufp, a_size);
- break;
- }
- for (i = 0; i < uap->nentries; i++) {
- au_uwrite(au_to_acl(aclbufp + i));
- }
- kmem_free(aclbufp, a_size);
- break;
- }
- default:
- break;
- }
+ au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp);
}
/*ARGSUSED*/
diff --git a/usr/src/uts/common/c2/audit_record.h b/usr/src/uts/common/c2/audit_record.h
index b195869c96..a6f0c77a5c 100644
--- a/usr/src/uts/common/c2/audit_record.h
+++ b/usr/src/uts/common/c2/audit_record.h
@@ -110,8 +110,9 @@ extern "C" {
#define AUT_IPC_PERM ((char)0x32)
#define AUT_LABEL ((char)0x33)
#define AUT_GROUPS ((char)0x34)
+#define AUT_ACE ((char)0x35)
/*
- * 0x35, 0x36, 0x37 unused
+ * 0x36, 0x37 unused
*/
#define AUT_PRIV ((char)0x38)
#define AUT_UPRIV ((char)0x39)
@@ -265,6 +266,7 @@ void au_free_rec(au_buff_t *);
#define au_toss_token(tok) (au_free_rec((au_buff_t *)(tok)))
token_t *au_to_acl();
+token_t *au_to_ace();
token_t *au_to_attr(struct vattr *);
token_t *au_to_data(char, char, char, char *);
token_t *au_to_header(int, au_event_t, au_emod_t);
diff --git a/usr/src/uts/common/c2/audit_token.c b/usr/src/uts/common/c2/audit_token.c
index 05457111ec..e28d6e4414 100644
--- a/usr/src/uts/common/c2/audit_token.c
+++ b/usr/src/uts/common/c2/audit_token.c
@@ -895,6 +895,27 @@ au_to_acl(struct acl *aclp)
return (m);
}
+token_t *
+au_to_ace(ace_t *acep)
+{
+ token_t *m; /* local au_membuf */
+ adr_t adr; /* adr memory stream header */
+ char data_header = AUT_ACE; /* header for this token */
+
+ m = au_getclr();
+
+ adr_start(&adr, memtod(m, char *));
+ adr_char(&adr, &data_header, 1);
+
+ adr_uint32(&adr, &(acep->a_who), 1);
+ adr_uint32(&adr, &(acep->a_access_mask), 1);
+ adr_ushort(&adr, &(acep->a_flags), 1);
+ adr_ushort(&adr, &(acep->a_type), 1);
+
+ m->len = adr_count(&adr);
+ return (m);
+}
+
/*
* au_to_ipc_perm
* returns: