openbsm/libbsm/bsm_event.c

62587Sitojun/*-
78064Sume * Copyright (c) 2004 Apple Inc.
62587Sitojun * Copyright (c) 2006 Robert N. M. Watson
53541Sshin * All rights reserved.
53541Sshin *
53541Sshin * Redistribution and use in source and binary forms, with or without
53541Sshin * modification, are permitted provided that the following conditions
53541Sshin * are met:
53541Sshin * 1.  Redistributions of source code must retain the above copyright
53541Sshin *     notice, this list of conditions and the following disclaimer.
53541Sshin * 2.  Redistributions in binary form must reproduce the above copyright
53541Sshin *     notice, this list of conditions and the following disclaimer in the
53541Sshin *     documentation and/or other materials provided with the distribution.
53541Sshin * 3.  Neither the name of Apple Inc. ("Apple") nor the names of
53541Sshin *     its contributors may be used to endorse or promote products derived
53541Sshin *     from this software without specific prior written permission.
53541Sshin *
53541Sshin * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
53541Sshin * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
53541Sshin * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
53541Sshin * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
53541Sshin * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
53541Sshin * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
53541Sshin * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
53541Sshin * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
53541Sshin * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
53541Sshin * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
53541Sshin * POSSIBILITY OF SUCH DAMAGE.
53541Sshin *
53541Sshin * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_event.c#16 $
53541Sshin */
53541Sshin
53541Sshin#include <config/config.h>
53541Sshin
53541Sshin#include <bsm/libbsm.h>
53541Sshin
53541Sshin#include <string.h>
53541Sshin#include <pthread.h>
78064Sume#include <stdio.h>
53541Sshin#include <stdlib.h>
53541Sshin
53541Sshin#ifndef HAVE_STRLCPY
53541Sshin#include <compat/strlcpy.h>
53541Sshin#endif
53541Sshin
53541Sshin
53541Sshin/*
53541Sshin * Parse the contents of the audit_event file to return
53541Sshin * au_event_ent entries
81127Sume */
53541Sshinstatic FILE		*fp = NULL;
62587Sitojunstatic char		 linestr[AU_LINE_MAX];
53541Sshinstatic const char	*eventdelim = ":";
78064Sume
81127Sumestatic pthread_mutex_t	mutex = PTHREAD_MUTEX_INITIALIZER;
53541Sshin
53541Sshin/*
53541Sshin * Parse one line from the audit_event file into the au_event_ent structure.
62587Sitojun */
53541Sshinstatic struct au_event_ent *
53541Sshineventfromstr(char *str, struct au_event_ent *e)
53541Sshin{
62587Sitojun	char *evno, *evname, *evdesc, *evclass;
53541Sshin	struct au_mask evmask;
78064Sume	char *last;
78064Sume
78064Sume	evno = strtok_r(str, eventdelim, &last);
78064Sume	evname = strtok_r(NULL, eventdelim, &last);
78064Sume	evdesc = strtok_r(NULL, eventdelim, &last);
78064Sume	evclass = strtok_r(NULL, eventdelim, &last);
78064Sume
78064Sume	if ((evno == NULL) || (evname == NULL))
81127Sume		return (NULL);
81127Sume
81127Sume	if (strlen(evname) >= AU_EVENT_NAME_MAX)
62587Sitojun		return (NULL);
78064Sume
62587Sitojun	strlcpy(e->ae_name, evname, AU_EVENT_NAME_MAX);
62587Sitojun	if (evdesc != NULL) {
62587Sitojun		if (strlen(evdesc) >= AU_EVENT_DESC_MAX)
62587Sitojun			return (NULL);
53541Sshin		strlcpy(e->ae_desc, evdesc, AU_EVENT_DESC_MAX);
62587Sitojun	} else
62587Sitojun		strlcpy(e->ae_desc, "", AU_EVENT_DESC_MAX);
62587Sitojun
62587Sitojun	e->ae_number = atoi(evno);
62587Sitojun
62587Sitojun	/*
62587Sitojun	 * Find out the mask that corresponds to the given list of classes.
53541Sshin	 */
62587Sitojun	if (evclass != NULL) {
62587Sitojun		if (getauditflagsbin(evclass, &evmask) != 0)
53541Sshin			e->ae_class = 0;
53541Sshin		else
53541Sshin			e->ae_class = evmask.am_success;
53541Sshin	} else
62587Sitojun		e->ae_class = 0;
62587Sitojun
62587Sitojun	return (e);
53541Sshin}
53541Sshin
62587Sitojun/*
62587Sitojun * Rewind the audit_event file.
95023Ssuz */
53541Sshinstatic void
53541Sshinsetauevent_locked(void)
53541Sshin{
53541Sshin
53541Sshin	if (fp != NULL)
62587Sitojun		fseek(fp, 0, SEEK_SET);
62587Sitojun}
62587Sitojun
62587Sitojunvoid
62587Sitojunsetauevent(void)
62587Sitojun{
62587Sitojun
53541Sshin	pthread_mutex_lock(&mutex);
53541Sshin	setauevent_locked();
53541Sshin	pthread_mutex_unlock(&mutex);
53541Sshin}
53541Sshin
62587Sitojun/*
62587Sitojun * Close the open file pointers.
53541Sshin */
53541Sshinvoid
62587Sitojunendauevent(void)
62587Sitojun{
53541Sshin
62587Sitojun	pthread_mutex_lock(&mutex);
62587Sitojun	if (fp != NULL) {
62587Sitojun		fclose(fp);
53541Sshin		fp = NULL;
53541Sshin	}
53541Sshin	pthread_mutex_unlock(&mutex);
78064Sume}
78064Sume
78064Sume/*
78064Sume * Enumerate the au_event_ent entries.
78064Sume */
78064Sumestatic struct au_event_ent *
78064Sumegetauevent_r_locked(struct au_event_ent *e)
78064Sume{
78064Sume	char *nl;
78064Sume
78064Sume	if ((fp == NULL) && ((fp = fopen(AUDIT_EVENT_FILE, "r")) == NULL))
78064Sume		return (NULL);
78064Sume
78064Sume	while (1) {
78064Sume		if (fgets(linestr, AU_LINE_MAX, fp) == NULL)
78064Sume			return (NULL);
78064Sume
78064Sume		/* Remove new lines. */
78064Sume		if ((nl = strrchr(linestr, '\n')) != NULL)
78064Sume			*nl = '\0';
120913Sume
78064Sume		/* Skip comments. */
78064Sume		if (linestr[0] == '#')
78064Sume			continue;
78064Sume
78064Sume		/* Get the next event structure. */
78064Sume		if (eventfromstr(linestr, e) == NULL)
78064Sume			return (NULL);
78064Sume		break;
78064Sume	}
78064Sume
78064Sume	return (e);
78064Sume}
78064Sume
78064Sumestruct au_event_ent *
78064Sumegetauevent_r(struct au_event_ent *e)
78064Sume{
78064Sume	struct au_event_ent *ep;
78064Sume
78064Sume	pthread_mutex_lock(&mutex);
78064Sume	ep = getauevent_r_locked(e);
78064Sume	pthread_mutex_unlock(&mutex);
78064Sume	return (ep);
78064Sume}
78064Sume
78064Sumestruct au_event_ent *
78064Sumegetauevent(void)
78064Sume{
78064Sume	static char event_ent_name[AU_EVENT_NAME_MAX];
78064Sume	static char event_ent_desc[AU_EVENT_DESC_MAX];
78064Sume	static struct au_event_ent e;
78064Sume
78064Sume	bzero(&e, sizeof(e));
78064Sume	bzero(event_ent_name, sizeof(event_ent_name));
78064Sume	bzero(event_ent_desc, sizeof(event_ent_desc));
78064Sume	e.ae_name = event_ent_name;
78064Sume	e.ae_desc = event_ent_desc;
78064Sume	return (getauevent_r(&e));
78064Sume}
78064Sume
78064Sume/*
78064Sume * Search for an audit event structure having the given event name.
78064Sume *
78064Sume * XXXRW: Why accept NULL name?
78064Sume */
78064Sumestatic struct au_event_ent *
78064Sumegetauevnam_r_locked(struct au_event_ent *e, const char *name)
78064Sume{
120913Sume	char *nl;
78064Sume
78064Sume	if (name == NULL)
78064Sume		return (NULL);
78064Sume
78064Sume	/* Rewind to beginning of the file. */
78064Sume	setauevent_locked();
78064Sume
78064Sume	if ((fp == NULL) && ((fp = fopen(AUDIT_EVENT_FILE, "r")) == NULL))
78064Sume		return (NULL);
78064Sume
78064Sume	while (fgets(linestr, AU_LINE_MAX, fp) != NULL) {
78064Sume		/* Remove new lines. */
78064Sume		if ((nl = strrchr(linestr, '\n')) != NULL)
78064Sume			*nl = '\0';
78064Sume
53541Sshin		if (eventfromstr(linestr, e) != NULL) {
62587Sitojun			if (strcmp(name, e->ae_name) == 0)
62587Sitojun				return (e);
53541Sshin		}
62587Sitojun	}
62587Sitojun
62587Sitojun	return (NULL);
95023Ssuz}
53541Sshin
53541Sshinstruct au_event_ent *
53541Sshingetauevnam_r(struct au_event_ent *e, const char *name)
62587Sitojun{
62587Sitojun	struct au_event_ent *ep;
62587Sitojun
62587Sitojun	pthread_mutex_lock(&mutex);
62587Sitojun	ep = getauevnam_r_locked(e, name);
53541Sshin	pthread_mutex_unlock(&mutex);
62587Sitojun	return (ep);
62587Sitojun}
120913Sume
62587Sitojunstruct au_event_ent *
53541Sshingetauevnam(const char *name)
62587Sitojun{
62587Sitojun	static char event_ent_name[AU_EVENT_NAME_MAX];
62587Sitojun	static char event_ent_desc[AU_EVENT_DESC_MAX];
62587Sitojun	static struct au_event_ent e;
62587Sitojun
62587Sitojun	bzero(&e, sizeof(e));
62587Sitojun	bzero(event_ent_name, sizeof(event_ent_name));
53541Sshin	bzero(event_ent_desc, sizeof(event_ent_desc));
53541Sshin	e.ae_name = event_ent_name;
62587Sitojun	e.ae_desc = event_ent_desc;
62587Sitojun	return (getauevnam_r(&e, name));
53541Sshin}
62587Sitojun
62587Sitojun/*
53541Sshin * Search for an audit event structure having the given event number.
62587Sitojun */
62587Sitojunstatic struct au_event_ent *
62587Sitojungetauevnum_r_locked(struct au_event_ent *e, au_event_t event_number)
62587Sitojun{
120049Smdodd	char *nl;
62587Sitojun
78064Sume	/* Rewind to beginning of the file. */
78064Sume	setauevent_locked();
78064Sume
78064Sume	if ((fp == NULL) && ((fp = fopen(AUDIT_EVENT_FILE, "r")) == NULL))
62587Sitojun		return (NULL);
78064Sume
78064Sume	while (fgets(linestr, AU_LINE_MAX, fp) != NULL) {
78064Sume		/* Remove new lines. */
53541Sshin		if ((nl = strrchr(linestr, '\n')) != NULL)
62587Sitojun			*nl = '\0';
62587Sitojun
62587Sitojun		if (eventfromstr(linestr, e) != NULL) {
53541Sshin			if (event_number == e->ae_number)
62587Sitojun				return (e);
62587Sitojun		}
62587Sitojun	}
62587Sitojun
62587Sitojun	return (NULL);
62587Sitojun}
62587Sitojun
62587Sitojunstruct au_event_ent *
62587Sitojungetauevnum_r(struct au_event_ent *e, au_event_t event_number)
62587Sitojun{
62587Sitojun	struct au_event_ent *ep;
62587Sitojun
62587Sitojun	pthread_mutex_lock(&mutex);
62587Sitojun	ep = getauevnum_r_locked(e, event_number);
62587Sitojun	pthread_mutex_unlock(&mutex);
62587Sitojun	return (ep);
62587Sitojun}
62587Sitojun
62587Sitojunstruct au_event_ent *
62587Sitojungetauevnum(au_event_t event_number)
62587Sitojun{
62587Sitojun	static char event_ent_name[AU_EVENT_NAME_MAX];
62587Sitojun	static char event_ent_desc[AU_EVENT_DESC_MAX];
62587Sitojun	static struct au_event_ent e;
62587Sitojun
62587Sitojun	bzero(&e, sizeof(e));
62587Sitojun	bzero(event_ent_name, sizeof(event_ent_name));
62587Sitojun	bzero(event_ent_desc, sizeof(event_ent_desc));
62587Sitojun	e.ae_name = event_ent_name;
62587Sitojun	e.ae_desc = event_ent_desc;
62587Sitojun	return (getauevnum_r(&e, event_number));
62587Sitojun}
62587Sitojun
62587Sitojun/*
62587Sitojun * Search for an audit_event entry with a given event_name and returns the
62587Sitojun * corresponding event number.
62587Sitojun */
62587Sitojunau_event_t *
62587Sitojungetauevnonam_r(au_event_t *ev, const char *event_name)
62587Sitojun{
62587Sitojun	static char event_ent_name[AU_EVENT_NAME_MAX];
62587Sitojun	static char event_ent_desc[AU_EVENT_DESC_MAX];
62587Sitojun	static struct au_event_ent e, *ep;
62587Sitojun
53541Sshin	bzero(event_ent_name, sizeof(event_ent_name));
62587Sitojun	bzero(event_ent_desc, sizeof(event_ent_desc));
78064Sume	bzero(&e, sizeof(e));
62587Sitojun	e.ae_name = event_ent_name;
62587Sitojun	e.ae_desc = event_ent_desc;
62587Sitojun
62587Sitojun	ep = getauevnam_r(&e, event_name);
62587Sitojun	if (ep == NULL)
62587Sitojun		return (NULL);
62587Sitojun
62587Sitojun	*ev = e.ae_number;
53541Sshin	return (ev);
62587Sitojun}
62587Sitojun
62587Sitojunau_event_t *
62587Sitojungetauevnonam(const char *event_name)
62587Sitojun{
62587Sitojun	static au_event_t event;
62587Sitojun
62587Sitojun	return (getauevnonam_r(&event, event_name));
62587Sitojun}
62587Sitojun