aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRobert Watson <rwatson@FreeBSD.org>2006-01-31 19:40:12 +0000
committerRobert Watson <rwatson@FreeBSD.org>2006-01-31 19:40:12 +0000
commitca0716f5714781ac39461f60647d795321921363 (patch)
treec4e450cb39e9c6a30103f365387470a9c9566bca
downloadsrc-ca0716f5714781ac39461f60647d795321921363.tar.gz
src-ca0716f5714781ac39461f60647d795321921363.zip
Initial vendor import of the TrustedBSD OpenBSM distribution, versionvendor/openbsm/1.0-ALPHA-1
1.0 alpha 1, an implementation of the documented Sun Basic Security Module (BSM) Audit API and file format, as well as local extensions to support the Mac OS X and FreeBSD operating systems. Also included are command line tools for audit trail reduction and conversion to text, as well as documentation of the commands, file format, and APIs. This distribution is the foundation for the TrustedBSD Audit implementation, and is a pre-release. This is the first in a series of commits to introduce support for Common Criteria CAPP security event audit support. This software has been made possible through the generous contributions of Apple Computer, Inc., SPARTA, Inc., as well as members of the TrustedBSD Project, including Wayne Salamon <wsalamon> and Tom Rhodes <trhodes>. The original OpenBSM implementation was created by McAfee Research under contract to Apple Computer, Inc., as part of their CC CAPP security evaluation. Many thanks to: wsalamon, trhodes Obtained from: TrustedBSD Project
Notes
Notes: svn path=/vendor/openbsm/dist/; revision=155131 svn path=/vendor/openbsm/1.0-ALPHA-1/; revision=155133; tag=vendor/openbsm/1.0-ALPHA-1
-rw-r--r--contrib/openbsm/CHANGELOG69
-rw-r--r--contrib/openbsm/LICENSE33
-rw-r--r--contrib/openbsm/Makefile9
-rw-r--r--contrib/openbsm/README86
-rw-r--r--contrib/openbsm/TODO12
-rw-r--r--contrib/openbsm/VERSION1
-rw-r--r--contrib/openbsm/bin/Makefile10
-rw-r--r--contrib/openbsm/bin/audit/Makefile12
-rw-r--r--contrib/openbsm/bin/audit/audit.886
-rw-r--r--contrib/openbsm/bin/audit/audit.c102
-rw-r--r--contrib/openbsm/bin/auditd/Makefile13
-rw-r--r--contrib/openbsm/bin/auditd/audit_warn.c230
-rw-r--r--contrib/openbsm/bin/auditd/auditd.894
-rw-r--r--contrib/openbsm/bin/auditd/auditd.c760
-rw-r--r--contrib/openbsm/bin/auditd/auditd.h80
-rw-r--r--contrib/openbsm/bin/auditreduce/Makefile12
-rw-r--r--contrib/openbsm/bin/auditreduce/auditreduce.1153
-rw-r--r--contrib/openbsm/bin/auditreduce/auditreduce.c699
-rw-r--r--contrib/openbsm/bin/auditreduce/auditreduce.h67
-rw-r--r--contrib/openbsm/bin/praudit/Makefile12
-rw-r--r--contrib/openbsm/bin/praudit/praudit.197
-rw-r--r--contrib/openbsm/bin/praudit/praudit.c157
-rw-r--r--contrib/openbsm/bsm/Makefile22
-rw-r--r--contrib/openbsm/bsm/audit.h327
-rw-r--r--contrib/openbsm/bsm/audit_internal.h99
-rw-r--r--contrib/openbsm/bsm/audit_kevents.h494
-rw-r--r--contrib/openbsm/bsm/audit_record.h325
-rw-r--r--contrib/openbsm/bsm/audit_uevents.h102
-rw-r--r--contrib/openbsm/bsm/libbsm.h1175
-rw-r--r--contrib/openbsm/compat/endian.h264
-rw-r--r--contrib/openbsm/etc/audit_class25
-rw-r--r--contrib/openbsm/etc/audit_control7
-rw-r--r--contrib/openbsm/etc/audit_event343
-rw-r--r--contrib/openbsm/etc/audit_user5
-rw-r--r--contrib/openbsm/etc/audit_warn5
-rw-r--r--contrib/openbsm/libbsm/Makefile119
-rw-r--r--contrib/openbsm/libbsm/au_class.3108
-rw-r--r--contrib/openbsm/libbsm/au_control.3136
-rw-r--r--contrib/openbsm/libbsm/au_event.3153
-rw-r--r--contrib/openbsm/libbsm/au_free_token.391
-rw-r--r--contrib/openbsm/libbsm/au_io.3119
-rw-r--r--contrib/openbsm/libbsm/au_mask.3140
-rw-r--r--contrib/openbsm/libbsm/au_token.3209
-rw-r--r--contrib/openbsm/libbsm/au_user.3136
-rw-r--r--contrib/openbsm/libbsm/bsm_audit.c354
-rw-r--r--contrib/openbsm/libbsm/bsm_class.c267
-rw-r--r--contrib/openbsm/libbsm/bsm_control.c275
-rw-r--r--contrib/openbsm/libbsm/bsm_event.c327
-rw-r--r--contrib/openbsm/libbsm/bsm_flags.c176
-rw-r--r--contrib/openbsm/libbsm/bsm_io.c2831
-rw-r--r--contrib/openbsm/libbsm/bsm_mask.c194
-rw-r--r--contrib/openbsm/libbsm/bsm_notify.c149
-rw-r--r--contrib/openbsm/libbsm/bsm_token.c1219
-rw-r--r--contrib/openbsm/libbsm/bsm_user.c268
-rw-r--r--contrib/openbsm/libbsm/bsm_wrappers.c322
-rw-r--r--contrib/openbsm/libbsm/libbsm.3220
-rw-r--r--contrib/openbsm/man/Makefile19
-rw-r--r--contrib/openbsm/man/audit.296
-rw-r--r--contrib/openbsm/man/audit.log.5622
-rw-r--r--contrib/openbsm/man/audit_class.570
-rw-r--r--contrib/openbsm/man/audit_control.5121
-rw-r--r--contrib/openbsm/man/audit_event.574
-rw-r--r--contrib/openbsm/man/audit_user.591
-rw-r--r--contrib/openbsm/man/audit_warn.569
-rw-r--r--contrib/openbsm/man/auditctl.278
-rw-r--r--contrib/openbsm/man/auditon.2288
-rw-r--r--contrib/openbsm/man/getaudit.280
-rw-r--r--contrib/openbsm/man/getauid.274
-rw-r--r--contrib/openbsm/man/setaudit.281
-rw-r--r--contrib/openbsm/man/setauid.274
-rw-r--r--contrib/openbsm/tools/Makefile13
-rw-r--r--contrib/openbsm/tools/audump.c234
72 files changed, 15884 insertions, 0 deletions
diff --git a/contrib/openbsm/CHANGELOG b/contrib/openbsm/CHANGELOG
new file mode 100644
index 000000000000..846cbf98c333
--- /dev/null
+++ b/contrib/openbsm/CHANGELOG
@@ -0,0 +1,69 @@
+OpenBSM 1.0
+
+- Import of Darwin74 BSM drop
+- Use 'syslog' for audit log warnings, rather than echoing to a file in
+ audit_warn.
+- Compile using BSD make infrastructure.
+- Integrate bsm/ include files from Darwin74 XNU drop into OpenBSM.
+- Narrow set of symbols and defines that are exposed in user space: don't
+ compile in code relying on kernel-only types such as 'struct socket'.
+- Add README, including basic build documentation.
+- Compilation of Apple-specific notify and Machroutines now #ifdef __APPLE__.
+- Staticize libbsm global variables to avoid leakage into application.
+- Add free_au_user_ent() so that au_user_ent's don't have to be leaked.
+- Clean up bogus nul-termination checks in libbsm.
+- Add libbsm API man pages: au_class.3 au_control.3 au_event.3
+ au_free_token.3 au_io.3 au_mask.3 au_token.3 au_user.3 libbsm.3.
+- Add man pages for BSM system calls: audit.2 auditctl.2 auditon.2 getaudit.2
+ getauid.2 setaudit.2 setauid.2
+- Modify various libbsm interfaces to more consistently return 'errno' values
+ on failure.
+- Break out au_close() into constituent parts, allowing records to be written
+ to memory as well as files.
+- Prefix various defines with 'BSM_' to reduce name space pollution.
+- Added audit_internal.h, which can be used by a kernel audit implementation
+ wanting to rely on libbsm components.
+- Build with warnings, and eliminate warnings.
+- Make libbsm endian-independent, storing and reading BSM are big endian
+ (network byte order) rather than native byte order. More consistently
+ print IP addresses using the IP address print routine. These changes
+ make use of sys/endian.h from *BSD; since this isn't present on Darwin,
+ add it to OpenBSM as compat/endian.h, which is used only on Darwin.
+- Import of Darwin80 BSM drop, including 64-bit file IDs, better
+ documentation of private APIs, and bug fixes.
+- White space cleanup.
+- Add audit.log.5, a first cut at a man page documenting the BSM file format.
+- Teach au_read_rec() to recognize stand-alone file tokens, which are present
+ at the beginning and end of Solaris audit trails. Technically, these
+ appear to violate the high level BSM spec, which suggests that all tokens
+ are present in records, but need to be supported.
+- Implement HEADER64, ATTR64, SUBJECT64 token types, which make it possible
+ to run praudit(1) on basic Solaris BSM streams.
+- Switched to Solaris spelling of token names; Darwin spellings are now
+ deprecated and will be removed in a future version of OpenBSM.
+- Adopt Solaris model for representing IPv4 and IPv6 addresses.
+- Prefer C99 types.
+- Attempt to universally adopt the BSD style(9) coding style for
+ consistency.
+- auditreduce(1) now has a usage message.
+- Update support for auditctl(2) system call to support FreeBSD.
+- Add support for /dev/audit as the trigger source on FreeBSD.
+- Add additional event types for Darwin, FreeBSD, and Solaris. Annotate
+ conflicts (there are a few, unfortunately). Correct spellings, comment,
+ sort, etc. These include {get,set}res[ug]id(), sendfile(), lchflags(),
+ eaccess(), kqueue(), kevent(), poll(), lchmod().
+- Relicensed under a BSD license, many thanks to Apple, Inc!
+- Many bug fixes, cleanups, thread safety in the class, control, event,
+ and user system audit databases. Annotate some persisting atomicity
+ bugs associated with the API and implementation.
+- Add audump test tool.
+- Adopt OpenSolaris BSM API memory semantics: caller allocates memory,
+ or static memory is returned for non-_r() versions of API calls.
+ _free() calls dropped as a result, and source code compatibility with
+ OpenSolaris improved significantly.
+- Annotate BSM events with origin OS and compatibility information.
+- auditd(8), audit(8) added to the OpenBSM distribution. auditd extended
+ to support reloading of kernel event table.
+- Allow comments in /etc/security configuration files.
+
+$P4: //depot/projects/trustedbsd/openbsm/CHANGELOG#6 $
diff --git a/contrib/openbsm/LICENSE b/contrib/openbsm/LICENSE
new file mode 100644
index 000000000000..3b5d8b86706a
--- /dev/null
+++ b/contrib/openbsm/LICENSE
@@ -0,0 +1,33 @@
+OpenBSM is covered by a number of copyrights, with licenses being either two
+or three clause BSD licenses. Individual file headers should be consulted
+for specific copyrights on specific components. The TrustedBSD Project would
+appreciate the contribution of fixes and enhancements under identical or
+substantially similar licenses:
+
+ * Copyright (c) <year> <copyright holder>
+ * All rights reserved.
+ *
+ * <any additional comments or credits>
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+
+$P4: //depot/projects/trustedbsd/openbsm/LICENSE#4 $
diff --git a/contrib/openbsm/Makefile b/contrib/openbsm/Makefile
new file mode 100644
index 000000000000..b480723c19a8
--- /dev/null
+++ b/contrib/openbsm/Makefile
@@ -0,0 +1,9 @@
+#
+# $P4: //depot/projects/trustedbsd/openbsm/Makefile#2 $
+#
+
+SUBDIR= bsm \
+ libbsm \
+ bin
+
+.include <bsd.subdir.mk>
diff --git a/contrib/openbsm/README b/contrib/openbsm/README
new file mode 100644
index 000000000000..60877a6fc59d
--- /dev/null
+++ b/contrib/openbsm/README
@@ -0,0 +1,86 @@
+OpenBSM 1.0
+
+ Introduction
+
+OpenBSM provides an open source implementation of Sun's BSM Audit API.
+Originally created under contract to Apple Computer by McAfee Research,
+this implementation is now maintained by volunteers and the generous
+contribution of several organizations. Coupled with a kernel audit
+implementation, OpenBSM can be used to maintain system audit streams, and
+is a foundation for an Audit-enabled system.
+
+ Contents
+
+OpenBSM consists of several directories:
+
+ bin/ Audit-related command line tools
+ bsm/ System include files for BSM
+ etc/ Sample /etc/security configuration files
+ libbsm/ Implementation of BSM library interfaces and man pages
+ man/ System call and configuration file man pages
+
+OpenBSM currently builds on FreeBSD and Darwin. With Makefile adjustment
+and minor tweaks, it should build without problems on a broad range of
+POSIX-like systems.
+
+ Building
+
+OpenBSM is currently built using a series of BSD make files which should
+work on both FreeBSD and Darwin. One known issue is that versions of
+Darwin prior to 10.3.8 have a nested include of "sys/audit.h" from
+"sys/proc.h", which can result in type definition conflicts. If running
+with include files from an earlier version of Darwin, the nested include
+must be manually removed in order that libbsm can be built, due to
+potentially conflicting types resulting from an include of "sys/sysctl.h"
+by that file. On Darwin, the use of BSD make must be specified explicitly
+by using "bsdmake" rather than "make", which on Darwin refers to GNU make.
+Typical invocations from the OpenBSM tree root:
+
+FreeBSD
+
+ % make
+ # make install
+
+Darwin
+
+ % bsdmake
+ # bsdmake install
+
+ Credits
+
+The following organizations and individuals have contributed substantially
+to the development of OpenBSM:
+
+ Apple Computer, Inc.
+ McAfee Research, McAfee, Inc.
+ SPARTA, Inc.
+ Robert Watson
+ Wayne Salamon
+ Suresh Krishnaswamy
+ Kevin Van Vechten
+ Tom Rhodes
+ Wojciech Koszek
+ Chunyang Yuan
+ Poul-Henning Kamp
+
+In addition, Coverity, Inc.'s Prevent(tm) static analysis tool and Gimpel
+Software's FlexeLint tool were used to identify a number of bugs in the
+OpenBSM implementation.
+
+ Contributions
+
+The TrustedBSD Project would appreciate the contribution of bug fixes,
+enhancements, etc, under identically or substantially similar licenses to
+those present on the remainder of the OpenBSM source code.
+
+ Location
+
+Information on OpenBSM may be found on the OpenBSM home page:
+
+ http://www.OpenBSM.org/
+
+Information on TrustedBSD may be found on the TrustedBSD home page:
+
+ http://www.TrustedBSD.org/
+
+$P4: //depot/projects/trustedbsd/openbsm/README#11 $
diff --git a/contrib/openbsm/TODO b/contrib/openbsm/TODO
new file mode 100644
index 000000000000..135a26b4f7c3
--- /dev/null
+++ b/contrib/openbsm/TODO
@@ -0,0 +1,12 @@
+- Teach praudit how to general XML format BSM streams.
+- Teach libbsm about any additional 64-bit token types that are present
+ in more recent Solaris versions.
+- Build a regression test suite for libbsm that generates each token
+ type and then compares the results with known good data. Make sure to
+ test that things work properly with respect to endianness of the local
+ platform.
+- Document contents of libbsm "public" data structures in libbsm man pages.
+- The audit.log.5 man page is incomplete, as it does not describe all
+ token types.
+
+$P4: //depot/projects/trustedbsd/openbsm/TODO#4 $
diff --git a/contrib/openbsm/VERSION b/contrib/openbsm/VERSION
new file mode 100644
index 000000000000..d75e15753e1d
--- /dev/null
+++ b/contrib/openbsm/VERSION
@@ -0,0 +1 @@
+OPENBSM_1_0_ALPHA_1
diff --git a/contrib/openbsm/bin/Makefile b/contrib/openbsm/bin/Makefile
new file mode 100644
index 000000000000..3bc4a6c11567
--- /dev/null
+++ b/contrib/openbsm/bin/Makefile
@@ -0,0 +1,10 @@
+#
+# $P4: //depot/projects/trustedbsd/openbsm/bin/Makefile#4 $
+#
+
+SUBDIR= audit \
+ auditd \
+ auditreduce \
+ praudit
+
+.include <bsd.subdir.mk>
diff --git a/contrib/openbsm/bin/audit/Makefile b/contrib/openbsm/bin/audit/Makefile
new file mode 100644
index 000000000000..cec37ead6244
--- /dev/null
+++ b/contrib/openbsm/bin/audit/Makefile
@@ -0,0 +1,12 @@
+#
+# $P4: //depot/projects/trustedbsd/openbsm/bin/audit/Makefile#2 $
+#
+
+CFLAGS+= -I- -I ../.. -I ../../libbsm -L ../../libbsm -I.
+PROG= audit
+MAN= audit.8
+DPADD= /usr/lib/libbsm.a
+LDADD= -lbsm
+BINDIR= /usr/sbin
+
+.include <bsd.prog.mk>
diff --git a/contrib/openbsm/bin/audit/audit.8 b/contrib/openbsm/bin/audit/audit.8
new file mode 100644
index 000000000000..419bcf12d80d
--- /dev/null
+++ b/contrib/openbsm/bin/audit/audit.8
@@ -0,0 +1,86 @@
+.\" Copyright (c) 2004 Apple Computer, Inc.
+.\" All rights reserved.
+.\"
+.\" @APPLE_BSD_LICENSE_HEADER_START@
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+.\" its contributors may be used to endorse or promote products derived
+.\" from this software without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
+.\" EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+.\" WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+.\" DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
+.\" DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+.\" (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+.\" ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.\" @APPLE_BSD_LICENSE_HEADER_END@
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.8#2 $
+.\"
+.Dd Jan 24, 2004
+.Dt AUDIT 8
+.Os
+.Sh NAME
+.Nm audit
+.Nd audit management utility
+.Sh SYNOPSIS
+.Nm audit
+.Op Fl nst
+.Op Ar file
+.Sh DESCRIPTION
+The
+.Nm
+utility controls the state of auditing system. The optional
+.Ar file
+operand specifies the location of the audit control input file (default
+/etc/security/audit_control).
+.Pp
+The options are as follows:
+.Bl -tag -width Ds
+.It Fl n
+Forces the audit system to close the existing audit log file and rotate to
+a new log file in a location specified in the audit control file.
+.It Fl s
+Specifies that the audit system should [re]synchronize its
+configuration from the audit control file. A new log file will be
+created.
+.It Fl t
+Specifies that the audit system should terminate. Log files are closed
+and renamed to indicate the time of the shutdown.
+.El
+.Sh NOTES
+The auditd(8) daemon must already be running.
+.Sh FILES
+.Bl -tag -width "/etc/security/audit_control" -compact
+.It Pa /etc/security/audit_control
+Default audit policy file used to configure the auditing system.
+.El
+.Sh SEE ALSO
+.Xr auditd 8
+.Xr audit_control 5
+.Sh AUTHORS
+This software was created by McAfee Research, the security research division
+of McAfee, Inc., under contract to Apple Computer Inc.
+Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
diff --git a/contrib/openbsm/bin/audit/audit.c b/contrib/openbsm/bin/audit/audit.c
new file mode 100644
index 000000000000..7be9c8c4521b
--- /dev/null
+++ b/contrib/openbsm/bin/audit/audit.c
@@ -0,0 +1,102 @@
+/*
+ * Copyright (c) 2005 Apple Computer, Inc.
+ * All rights reserved.
+ *
+ * @APPLE_BSD_LICENSE_HEADER_START@
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+ * its contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * @APPLE_BSD_LICENSE_HEADER_END@
+ *
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.c#2 $
+ */
+/*
+ * Program to trigger the audit daemon with a message that is either:
+ * - Open a new audit log file
+ * - Read the audit control file and take action on it
+ * - Close the audit log file and exit
+ *
+ */
+
+#include <sys/queue.h>
+#include <sys/types.h>
+#include <sys/uio.h>
+
+#include <bsm/audit.h>
+
+#include <fcntl.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+static void
+usage(void)
+{
+
+ (void)fprintf(stderr, "Usage: audit -n | -s | -t \n");
+ exit(-1);
+}
+
+/*
+ * Main routine to process command line options.
+ */
+int
+main(int argc, char **argv)
+{
+ char ch;
+ unsigned int trigger = 0;
+
+ if (argc != 2)
+ usage();
+
+ while ((ch = getopt(argc, argv, "nst")) != -1) {
+ switch(ch) {
+
+ case 'n':
+ trigger = AUDIT_TRIGGER_OPEN_NEW;
+ break;
+
+ case 's':
+ trigger = AUDIT_TRIGGER_READ_FILE;
+ break;
+
+ case 't':
+ trigger = AUDIT_TRIGGER_CLOSE_AND_DIE;
+ break;
+
+ case '?':
+ default:
+ usage();
+ break;
+ }
+ }
+ if (auditon(A_SENDTRIGGER, &trigger, sizeof(trigger)) < 0) {
+ perror("Error sending trigger");
+ exit(-1);
+ } else {
+ printf("Trigger sent.\n");
+ exit (0);
+ }
+}
diff --git a/contrib/openbsm/bin/auditd/Makefile b/contrib/openbsm/bin/auditd/Makefile
new file mode 100644
index 000000000000..fbbdc47985a4
--- /dev/null
+++ b/contrib/openbsm/bin/auditd/Makefile
@@ -0,0 +1,13 @@
+#
+# $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/Makefile#2 $
+#
+
+CFLAGS+= -I- -I ../.. -I ../../libbsm -L ../../libbsm -I.
+PROG= auditd
+SRCS= audit_warn.c auditd.c
+MAN= auditd.8
+DPADD= /usr/lib/libbsm.a
+LDADD= -lbsm
+BINDIR= /usr/sbin
+
+.include <bsd.prog.mk>
diff --git a/contrib/openbsm/bin/auditd/audit_warn.c b/contrib/openbsm/bin/auditd/audit_warn.c
new file mode 100644
index 000000000000..4a1998445703
--- /dev/null
+++ b/contrib/openbsm/bin/auditd/audit_warn.c
@@ -0,0 +1,230 @@
+/*
+ * Copyright (c) 2005 Apple Computer, Inc.
+ * All rights reserved.
+ *
+ * @APPLE_BSD_LICENSE_HEADER_START@
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+ * its contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * @APPLE_BSD_LICENSE_HEADER_END@
+ *
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/audit_warn.c#5 $
+ */
+
+#include <sys/types.h>
+#include <unistd.h>
+#include <stdio.h>
+
+#include "auditd.h"
+
+/*
+ * Write an audit-related error to the system log via syslog(3).
+ */
+static int
+auditwarnlog(char *args[])
+{
+ char *loc_args[9];
+ pid_t pid;
+ int i;
+
+ loc_args[0] = AUDITWARN_SCRIPT;
+ for (i = 0; args[i] != NULL && i < 8; i++)
+ loc_args[i+1] = args[i];
+ loc_args[i+1] = NULL;
+
+ pid = fork();
+ if (pid == -1)
+ return (-1);
+ if (pid == 0) {
+ /*
+ * Child.
+ */
+ execv(AUDITWARN_SCRIPT, loc_args);
+ syslog(LOG_ERR, "Could not exec %s (%m)\n",
+ AUDITWARN_SCRIPT);
+ exit(1);
+ }
+ /*
+ * Parent.
+ */
+ return (0);
+}
+
+/*
+ * Indicates that the hard limit for all filesystems has been exceeded count
+ * times.
+ */
+int
+audit_warn_allhard(int count)
+{
+ char intstr[12];
+ char *args[3];
+
+ snprintf(intstr, 12, "%d", count);
+
+ args[0] = HARDLIM_ALL_WARN;
+ args[1] = intstr;
+ args[2] = NULL;
+
+ return (auditwarnlog(args));
+}
+
+/*
+ * Indicates that the soft limit for all filesystems has been exceeded.
+ */
+int
+audit_warn_allsoft(void)
+{
+ char *args[2];
+
+ args[0] = SOFTLIM_ALL_WARN;
+ args[1] = NULL;
+
+ return (auditwarnlog(args));
+}
+
+/*
+ * Indicates that someone other than the audit daemon turned off auditing.
+ * XXX Its not clear at this point how this function will be invoked.
+ *
+ * XXXRW: This function is not used.
+ */
+int
+audit_warn_auditoff(void)
+{
+ char *args[2];
+
+ args[0] = AUDITOFF_WARN;
+ args[1] = NULL;
+
+ return (auditwarnlog(args));
+}
+
+/*
+ * Indicates that the audit deammn is already running
+ */
+int
+audit_warn_ebusy(void)
+{
+ char *args[2];
+
+ args[0] = EBUSY_WARN;
+ args[1] = NULL;
+
+ return (auditwarnlog(args));
+}
+
+/*
+ * Indicates that there is a problem getting the directory from
+ * audit_control.
+ *
+ * XXX Note that we take the filename instead of a count as the argument here
+ * (different from BSM).
+ */
+int
+audit_warn_getacdir(char *filename)
+{
+ char *args[3];
+
+ args[0] = GETACDIR_WARN;
+ args[1] = filename;
+ args[2] = NULL;
+
+ return (auditwarnlog(args));
+}
+
+/*
+ * Indicates that the hard limit for this file has been exceeded.
+ */
+int
+audit_warn_hard(char *filename)
+{
+ char *args[3];
+
+ args[0] = HARDLIM_WARN;
+ args[1] = filename;
+ args[2] = NULL;
+
+ return (auditwarnlog(args));
+}
+
+/*
+ * Indicates that auditing could not be started.
+ */
+int
+audit_warn_nostart(void)
+{
+ char *args[2];
+
+ args[0] = NOSTART_WARN;
+ args[1] = NULL;
+
+ return (auditwarnlog(args));
+}
+
+/*
+ * Indicaes that an error occrred during the orderly shutdown of the audit
+ * daemon.
+ */
+int
+audit_warn_postsigterm(void)
+{
+ char *args[2];
+
+ args[0] = POSTSIGTERM_WARN;
+ args[1] = NULL;
+
+ return (auditwarnlog(args));
+}
+
+/*
+ * Indicates that the soft limit for this file has been exceeded.
+ */
+int
+audit_warn_soft(char *filename)
+{
+ char *args[3];
+
+ args[0] = SOFTLIM_WARN;
+ args[1] = filename;
+ args[2] = NULL;
+
+ return (auditwarnlog(args));
+}
+
+/*
+ * Indicates that the temporary audit file already exists indicating a fatal
+ * error.
+ */
+int
+audit_warn_tmpfile(void)
+{
+ char *args[2];
+
+ args[0] = TMPFILE_WARN;
+ args[1] = NULL;
+
+ return (auditwarnlog(args));
+}
diff --git a/contrib/openbsm/bin/auditd/auditd.8 b/contrib/openbsm/bin/auditd/auditd.8
new file mode 100644
index 000000000000..18515da7a07d
--- /dev/null
+++ b/contrib/openbsm/bin/auditd/auditd.8
@@ -0,0 +1,94 @@
+.\" Copyright (c) 2004 Apple Computer, Inc.
+.\" All rights reserved.
+.\"
+.\" @APPLE_BSD_LICENSE_HEADER_START@
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+.\" its contributors may be used to endorse or promote products derived
+.\" from this software without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
+.\" EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+.\" WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+.\" DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
+.\" DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+.\" (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+.\" ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.\" @APPLE_BSD_LICENSE_HEADER_END@
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.8#6 $
+.\"
+.Dd Jan 24, 2004
+.Dt AUDITD 8
+.Os
+.Sh NAME
+.Nm auditd
+.Nd audit log management daemon
+.Sh SYNOPSIS
+.Nm auditd
+.Op Fl dhs
+.Sh DESCRIPTION
+The
+.Nm
+daemon responds to requests from the audit(1) utility and notifications
+from the kernel. It manages the resulting audit log files and specified
+log file locations.
+.Pp
+The options are as follows:
+.Bl -tag -width Ds
+.It Fl d
+Starts the daemon in debug mode - it will not daemonize.
+.It Fl h
+Specifies that if auditing cannot be performed as specified, the system should
+halt (panic). Normally, the system will attempt to proceed - although individual
+processes may be stopped (see the -s option).
+.It Fl s
+Specifies that individual processes should stop rather than perform operations
+that may cause audit records to be lost due to log file full conditions
+.El
+.Sh NOTE
+.Pp
+To assure uninterrupted audit support, the
+.Nm auditd
+daemon should not be started and stopped manually. Instead, the audit(1) command
+should be used to inform the daemon to change state/configuration after altering
+the audit_control file.
+.Pp
+.\" Sending a SIGHUP to a running
+.\" .Nm auditd
+.\" daemon will force it to exit.
+Sending a SIGTERM to a running
+.Nm auditd
+daemon will force it to exit.
+.Sh FILES
+.Bl -tag -width "/var/audit" -compact
+.It Pa /var/audit
+Default directory for storing audit log files.
+.El
+.Sh SEE ALSO
+.Xr audit 8
+.Sh AUTHORS
+This software was created by McAfee Research, the security research division
+of McAfee, Inc., under contract to Apple Computer Inc.
+Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
diff --git a/contrib/openbsm/bin/auditd/auditd.c b/contrib/openbsm/bin/auditd/auditd.c
new file mode 100644
index 000000000000..b25c9ecc2a44
--- /dev/null
+++ b/contrib/openbsm/bin/auditd/auditd.c
@@ -0,0 +1,760 @@
+/*
+ * Copyright (c) 2004 Apple Computer, Inc.
+ * All rights reserved.
+ *
+ * @APPLE_BSD_LICENSE_HEADER_START@
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+ * its contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * @APPLE_BSD_LICENSE_HEADER_END@
+ *
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.c#8 $
+ */
+
+#include <sys/dirent.h>
+#include <sys/mman.h>
+#include <sys/queue.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+
+#include <bsm/audit.h>
+#include <bsm/audit_uevents.h>
+#include <bsm/libbsm.h>
+
+#include <errno.h>
+#include <fcntl.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <time.h>
+#include <unistd.h>
+#include <signal.h>
+#include <string.h>
+#include <syslog.h>
+
+#include "auditd.h"
+
+#define NA_EVENT_STR_SIZE 25
+
+static int ret, minval;
+static char *lastfile = NULL;
+static int allhardcount = 0;
+static int triggerfd = 0;
+static int sighups, sighups_handled;
+static int sigterms, sigterms_handled;
+static long global_flags;
+
+static TAILQ_HEAD(, dir_ent) dir_q;
+
+static int config_audit_controls(void);
+
+/*
+ * Error starting auditd
+ */
+static void
+fail_exit(void)
+{
+
+ audit_warn_nostart();
+ exit(1);
+}
+
+/*
+ * Free our local list of directory names.
+ */
+static void
+free_dir_q()
+{
+ struct dir_ent *dirent;
+
+ while ((dirent = TAILQ_FIRST(&dir_q))) {
+ TAILQ_REMOVE(&dir_q, dirent, dirs);
+ free(dirent->dirname);
+ free(dirent);
+ }
+}
+
+/*
+ * Generate the timestamp string.
+ */
+static int
+getTSstr(char *buf, int len)
+{
+ struct timeval ts;
+ struct timezone tzp;
+ time_t tt;
+
+ if (gettimeofday(&ts, &tzp) != 0)
+ return (-1);
+ tt = (time_t)ts.tv_sec;
+ if (!strftime(buf, len, "%Y%m%d%H%M%S", gmtime(&tt)))
+ return (-1);
+ return (0);
+}
+
+/*
+ * Concat the directory name to the given file name.
+ * XXX We should affix the hostname also
+ */
+static char *
+affixdir(char *name, struct dir_ent *dirent)
+{
+ char *fn;
+ char *curdir;
+ const char *sep = "/";
+
+ curdir = dirent->dirname;
+ syslog(LOG_INFO, "dir = %s\n", dirent->dirname);
+
+ fn = malloc(strlen(curdir) + strlen(sep) + (2 * POSTFIX_LEN) + 1);
+ if (fn == NULL)
+ return (NULL);
+ strcpy(fn, curdir);
+ strcat(fn, sep);
+ strcat(fn, name);
+ return (fn);
+}
+
+/*
+ * Close the previous audit trail file.
+ */
+static int
+close_lastfile(char *TS)
+{
+ char *ptr;
+ char *oldname;
+
+ if (lastfile != NULL) {
+ oldname = (char *)malloc(strlen(lastfile) + 1);
+ if (oldname == NULL)
+ return (-1);
+ strcpy(oldname, lastfile);
+
+ /* Rename the last file -- append timestamp. */
+ if ((ptr = strstr(lastfile, NOT_TERMINATED)) != NULL) {
+ *ptr = '.';
+ strcpy(ptr+1, TS);
+ if (rename(oldname, lastfile) != 0)
+ syslog(LOG_ERR, "Could not rename %s to %s \n",
+ oldname, lastfile);
+ else
+ syslog(LOG_INFO, "renamed %s to %s \n",
+ oldname, lastfile);
+ }
+ free(lastfile);
+ free(oldname);
+ lastfile = NULL;
+ }
+ return (0);
+}
+
+/*
+ * Create the new file name, swap with existing audit file.
+ */
+static int
+swap_audit_file(void)
+{
+ char timestr[2 * POSTFIX_LEN];
+ char *fn;
+ char TS[POSTFIX_LEN];
+ struct dir_ent *dirent;
+ int fd;
+
+ if (getTSstr(TS, POSTFIX_LEN) != 0)
+ return (-1);
+
+ strcpy(timestr, TS);
+ strcat(timestr, NOT_TERMINATED);
+
+ /* Try until we succeed. */
+ while ((dirent = TAILQ_FIRST(&dir_q))) {
+ if ((fn = affixdir(timestr, dirent)) == NULL) {
+ syslog(LOG_INFO, "Failed to swap log at time %s\n",
+ timestr);
+ return (-1);
+ }
+
+ /*
+ * Create and open the file; then close and pass to the
+ * kernel if all went well.
+ */
+ syslog(LOG_INFO, "New audit file is %s\n", fn);
+ fd = open(fn, O_RDONLY | O_CREAT, S_IRUSR | S_IRGRP);
+ if (fd < 0)
+ perror("File open");
+ else if (auditctl(fn) != 0) {
+ syslog(LOG_ERR,
+ "auditctl failed setting log file! : %s\n",
+ strerror(errno));
+ close(fd);
+ } else {
+ /* Success. */
+ close_lastfile(TS);
+ lastfile = fn;
+ close(fd);
+ return (0);
+ }
+
+ /*
+ * Tell the administrator about lack of permissions for dir.
+ */
+ audit_warn_getacdir(dirent->dirname);
+
+ /* Try again with a different directory. */
+ TAILQ_REMOVE(&dir_q, dirent, dirs);
+ free(dirent->dirname);
+ free(dirent);
+ }
+ syslog(LOG_INFO, "Log directories exhausted\n");
+ return (-1);
+}
+
+/*
+ * Read the audit_control file contents.
+ */
+static int
+read_control_file(void)
+{
+ char cur_dir[MAXNAMLEN];
+ struct dir_ent *dirent;
+ au_qctrl_t qctrl;
+
+ /*
+ * Clear old values. Force a re-read of the file the next time.
+ */
+ free_dir_q();
+ endac();
+
+ /*
+ * Read the list of directories into a local linked list.
+ *
+ * XXX We should use the reentrant interfaces once they are
+ * available.
+ */
+ while (getacdir(cur_dir, MAXNAMLEN) >= 0) {
+ dirent = (struct dir_ent *) malloc(sizeof(struct dir_ent));
+ if (dirent == NULL)
+ return (-1);
+ dirent->softlim = 0;
+ dirent->dirname = (char *) malloc(MAXNAMLEN);
+ if (dirent->dirname == NULL) {
+ free(dirent);
+ return (-1);
+ }
+ strcpy(dirent->dirname, cur_dir);
+ TAILQ_INSERT_TAIL(&dir_q, dirent, dirs);
+ }
+
+ allhardcount = 0;
+ if (swap_audit_file() == -1) {
+ syslog(LOG_ERR, "Could not swap audit file\n");
+ /*
+ * XXX Faulty directory listing? - user should be given
+ * XXX an opportunity to change the audit_control file
+ * XXX switch to a reduced mode of auditing?
+ */
+ return (-1);
+ }
+
+ /*
+ * XXX There are synchronization problems here
+ * XXX what should we do if a trigger for the earlier limit
+ * XXX is generated here?
+ */
+ if (0 == (ret = getacmin(&minval))) {
+ syslog(LOG_INFO, "min free = %d\n", minval);
+ if (auditon(A_GETQCTRL, &qctrl, sizeof(qctrl)) != 0) {
+ syslog(LOG_ERR,
+ "could not get audit queue settings\n");
+ return (-1);
+ }
+ qctrl.aq_minfree = minval;
+ if (auditon(A_SETQCTRL, &qctrl, sizeof(qctrl)) != 0) {
+ syslog(LOG_ERR,
+ "could not set audit queue settings\n");
+ return (-1);
+ }
+ }
+
+ return (0);
+}
+
+/*
+ * Close all log files, control files, and tell the audit system.
+ */
+static int
+close_all(void)
+{
+ int err_ret = 0;
+ char TS[POSTFIX_LEN];
+ int aufd;
+ token_t *tok;
+ long cond;
+
+ /* Generate an audit record. */
+ if ((aufd = au_open()) == -1)
+ syslog(LOG_ERR, "Could not create audit shutdown event.\n");
+ else {
+ if ((tok = au_to_text("auditd::Audit shutdown")) != NULL)
+ au_write(aufd, tok);
+ if (au_close(aufd, 1, AUE_audit_shutdown) == -1)
+ syslog(LOG_ERR,
+ "Could not close audit shutdown event.\n");
+ }
+
+ /* Flush contents. */
+ cond = AUC_DISABLED;
+ err_ret = auditon(A_SETCOND, &cond, sizeof(cond));
+ if (err_ret != 0) {
+ syslog(LOG_ERR, "Disabling audit failed! : %s\n",
+ strerror(errno));
+ err_ret = 1;
+ }
+ if (getTSstr(TS, POSTFIX_LEN) == 0)
+ close_lastfile(TS);
+ if (lastfile != NULL)
+ free(lastfile);
+
+ free_dir_q();
+ if ((remove(AUDITD_PIDFILE) == -1) || err_ret) {
+ syslog(LOG_ERR, "Could not unregister\n");
+ audit_warn_postsigterm();
+ return (1);
+ }
+ endac();
+
+ if (close(triggerfd) != 0)
+ syslog(LOG_ERR, "Error closing control file\n");
+ syslog(LOG_INFO, "Finished.\n");
+ return (0);
+}
+
+/*
+ * When we get a signal, we are often not at a clean point. So, little can
+ * be done in the signal handler itself. Instead, we send a message to the
+ * main servicing loop to do proper handling from a non-signal-handler
+ * context.
+ */
+static void
+relay_signal(int signal)
+{
+
+ if (signal == SIGHUP)
+ sighups++;
+ if (signal == SIGTERM)
+ sigterms++;
+}
+
+/*
+ * Registering the daemon.
+ */
+static int
+register_daemon(void)
+{
+ FILE * pidfile;
+ int fd;
+ pid_t pid;
+
+ /* Set up the signal hander. */
+ if (signal(SIGTERM, relay_signal) == SIG_ERR) {
+ syslog(LOG_ERR,
+ "Could not set signal handler for SIGTERM\n");
+ fail_exit();
+ }
+ if (signal(SIGCHLD, relay_signal) == SIG_ERR) {
+ syslog(LOG_ERR,
+ "Could not set signal handler for SIGCHLD\n");
+ fail_exit();
+ }
+ if (signal(SIGHUP, relay_signal) == SIG_ERR) {
+ syslog(LOG_ERR,
+ "Could not set signal handler for SIGHUP\n");
+ fail_exit();
+ }
+
+ if ((pidfile = fopen(AUDITD_PIDFILE, "a")) == NULL) {
+ syslog(LOG_ERR,
+ "Could not open PID file\n");
+ audit_warn_tmpfile();
+ return (-1);
+ }
+
+ /* Attempt to lock the pid file; if a lock is present, exit. */
+ fd = fileno(pidfile);
+ if (flock(fd, LOCK_EX | LOCK_NB) < 0) {
+ syslog(LOG_ERR,
+ "PID file is locked (is another auditd running?).\n");
+ audit_warn_ebusy();
+ return (-1);
+ }
+
+ pid = getpid();
+ ftruncate(fd, 0);
+ if (fprintf(pidfile, "%u\n", pid) < 0) {
+ /* Should not start the daemon. */
+ fail_exit();
+ }
+
+ fflush(pidfile);
+ return (0);
+}
+
+/*
+ * Suppress duplicate messages within a 30 second interval. This should be
+ * enough to time to rotate log files without thrashing from soft warnings
+ * generated before the log is actually rotated.
+ */
+#define DUPLICATE_INTERVAL 30
+static void
+handle_audit_trigger(int trigger)
+{
+ static int last_trigger;
+ static time_t last_time;
+ struct dir_ent *dirent;
+ int rc;
+
+ /*
+ * Suppres duplicate messages from the kernel within the specified
+ * interval.
+ */
+ struct timeval ts;
+ struct timezone tzp;
+ time_t tt;
+
+ if (gettimeofday(&ts, &tzp) == 0) {
+ tt = (time_t)ts.tv_sec;
+ if ((trigger == last_trigger) &&
+ (tt < (last_time + DUPLICATE_INTERVAL)))
+ return;
+ last_trigger = trigger;
+ last_time = tt;
+ }
+
+ /*
+ * Message processing is done here.
+ */
+ dirent = TAILQ_FIRST(&dir_q);
+ switch(trigger) {
+
+ case AUDIT_TRIGGER_LOW_SPACE:
+ syslog(LOG_INFO, "Got low space trigger\n");
+ if (dirent && (dirent->softlim != 1)) {
+ TAILQ_REMOVE(&dir_q, dirent, dirs);
+ /* Add this node to the end of the list. */
+ TAILQ_INSERT_TAIL(&dir_q, dirent, dirs);
+ audit_warn_soft(dirent->dirname);
+ dirent->softlim = 1;
+
+ if (TAILQ_NEXT(TAILQ_FIRST(&dir_q), dirs) != NULL &&
+ swap_audit_file() == -1)
+ syslog(LOG_ERR, "Error swapping audit file\n");
+
+ /*
+ * Check if the next dir has already reached its soft
+ * limit.
+ */
+ dirent = TAILQ_FIRST(&dir_q);
+ if (dirent->softlim == 1) {
+ /* All dirs have reached their soft limit. */
+ audit_warn_allsoft();
+ }
+ } else {
+ /*
+ * Continue auditing to the current file. Also
+ * generate an allsoft warning.
+ * XXX do we want to do this ?
+ */
+ audit_warn_allsoft();
+ }
+ break;
+
+ case AUDIT_TRIGGER_NO_SPACE:
+ syslog(LOG_INFO, "Got no space trigger\n");
+
+ /* Delete current dir, go on to next. */
+ TAILQ_REMOVE(&dir_q, dirent, dirs);
+ audit_warn_hard(dirent->dirname);
+ free(dirent->dirname);
+ free(dirent);
+
+ if (swap_audit_file() == -1)
+ syslog(LOG_ERR, "Error swapping audit file\n");
+
+ /* We are out of log directories. */
+ audit_warn_allhard(++allhardcount);
+ break;
+
+ case AUDIT_TRIGGER_OPEN_NEW:
+ /*
+ * Create a new file and swap with the one being used in
+ * kernel
+ */
+ syslog(LOG_INFO, "Got open new trigger\n");
+ if (swap_audit_file() == -1)
+ syslog(LOG_ERR, "Error swapping audit file\n");
+ break;
+
+ case AUDIT_TRIGGER_READ_FILE:
+ syslog(LOG_INFO, "Got read file trigger\n");
+ if (read_control_file() == -1)
+ syslog(LOG_ERR, "Error in audit control file\n");
+ if (config_audit_controls() == -1)
+ syslog(LOG_ERR, "Error setting audit controls\n");
+ break;
+
+ default:
+ syslog(LOG_ERR, "Got unknown trigger %d\n", trigger);
+ break;
+ }
+}
+
+static void
+handle_sighup(void)
+{
+
+ sighups_handled = sighups;
+ config_audit_controls();
+}
+
+/*
+ * Read the control file for triggers and handle appropriately.
+ */
+static int
+wait_for_triggers(void)
+{
+ int num;
+ unsigned int trigger;
+
+ for (;;) {
+ num = read(triggerfd, &trigger, sizeof(trigger));
+ if ((num == -1) && (errno != EINTR)) {
+ syslog(LOG_ERR, "%s: error %d\n", __FUNCTION__, errno);
+ return (-1);
+ }
+ if (sigterms != sigterms_handled) {
+ syslog(LOG_INFO, "%s: SIGTERM", __FUNCTION__);
+ break;
+ }
+ if (sighups != sighups_handled) {
+ syslog(LOG_INFO, "%s: SIGHUP", __FUNCTION__);
+ handle_sighup();
+ }
+ if ((num == -1) && (errno == EINTR))
+ continue;
+ if (num == 0) {
+ syslog(LOG_INFO, "%s: read EOF\n", __FUNCTION__);
+ return (-1);
+ }
+ syslog(LOG_INFO, "%s: read %d\n", __FUNCTION__, trigger);
+ if (trigger == AUDIT_TRIGGER_CLOSE_AND_DIE)
+ break;
+ else
+ handle_audit_trigger(trigger);
+ }
+ return (close_all());
+}
+
+/*
+ * Reap our children.
+ */
+static void
+reap_children(void)
+{
+ pid_t child;
+ int wstatus;
+
+ while ((child = waitpid(-1, &wstatus, WNOHANG)) > 0) {
+ if (!wstatus)
+ continue;
+ syslog(LOG_INFO, "warn process [pid=%d] %s %d.\n", child,
+ ((WIFEXITED(wstatus)) ? "exited with non-zero status" :
+ "exited as a result of signal"),
+ ((WIFEXITED(wstatus)) ? WEXITSTATUS(wstatus) :
+ WTERMSIG(wstatus)));
+ }
+}
+
+/*
+ * Configure the audit controls in the kernel: the event to class mapping,
+ * kernel preselection mask, etc.
+ */
+static int
+config_audit_controls(void)
+{
+ au_event_ent_t ev, *evp;
+ au_evclass_map_t evc_map;
+ au_mask_t aumask;
+ int ctr = 0;
+ char naeventstr[NA_EVENT_STR_SIZE];
+
+ /*
+ * Process the audit event file, obtaining a class mapping for each
+ * event, and send that mapping into the kernel.
+ * XXX There's a risk here that the BSM library will return NULL
+ * for an event when it can't properly map it to a class. In that
+ * case, we will not process any events beyond the one that failed,
+ * but should. We need a way to get a count of the events.
+ */
+ ev.ae_name = (char *)malloc(AU_EVENT_NAME_MAX);
+ ev.ae_desc = (char *)malloc(AU_EVENT_DESC_MAX);
+ if ((ev.ae_name == NULL) || (ev.ae_desc == NULL)) {
+ syslog(LOG_ERR,
+ "Memory allocation error when configuring audit controls.");
+ return (-1);
+ }
+ evp = &ev;
+ setauevent();
+ while ((evp = getauevent_r(evp)) != NULL) {
+ evc_map.ec_number = evp->ae_number;
+ evc_map.ec_class = evp->ae_class;
+ if (auditon(A_SETCLASS, &evc_map, sizeof(au_evclass_map_t))
+ != 0)
+ syslog(LOG_ERR,
+ "Failed to register class mapping for event %s",
+ evp->ae_name);
+ else
+ ctr++;
+ }
+ endauevent();
+ free(ev.ae_name);
+ free(ev.ae_desc);
+ if (ctr == 0)
+ syslog(LOG_ERR, "No events to class mappings registered.");
+ else
+ syslog(LOG_INFO, "Registered %d event to class mappings.",
+ ctr);
+
+ /*
+ * Get the non-attributable event string and set the kernel mask from
+ * that.
+ */
+ if ((getacna(naeventstr, NA_EVENT_STR_SIZE) == 0) &&
+ (getauditflagsbin(naeventstr, &aumask) == 0)) {
+ if (auditon(A_SETKMASK, &aumask, sizeof(au_mask_t)))
+ syslog(LOG_ERR,
+ "Failed to register non-attributable event mask.");
+ else
+ syslog(LOG_INFO,
+ "Registered non-attributable event mask.");
+ } else
+ syslog(LOG_ERR,
+ "Failed to obtain non-attributable event mask.");
+
+ /*
+ * Set the audit policy flags based on passed in parameter values.
+ */
+ if (auditon(A_SETPOLICY, &global_flags, sizeof(global_flags)))
+ syslog(LOG_ERR, "Failed to set audit policy.");
+
+ return (0);
+}
+
+static void
+setup(void)
+{
+ int aufd;
+ token_t *tok;
+
+ if ((triggerfd = open(AUDIT_TRIGGER_FILE, O_RDONLY, 0)) < 0) {
+ syslog(LOG_ERR, "Error opening trigger file\n");
+ fail_exit();
+ }
+
+ TAILQ_INIT(&dir_q);
+ if (read_control_file() == -1) {
+ syslog(LOG_ERR, "Error reading control file\n");
+ fail_exit();
+ }
+
+ /* Generate an audit record. */
+ if ((aufd = au_open()) == -1)
+ syslog(LOG_ERR, "Could not create audit startup event.\n");
+ else {
+ if ((tok = au_to_text("auditd::Audit startup")) != NULL)
+ au_write(aufd, tok);
+ if (au_close(aufd, 1, AUE_audit_startup) == -1)
+ syslog(LOG_ERR,
+ "Could not close audit startup event.\n");
+ }
+
+ if (config_audit_controls() == 0)
+ syslog(LOG_INFO, "Audit controls init successful\n");
+ else
+ syslog(LOG_INFO, "Audit controls init failed\n");
+}
+
+int
+main(int argc, char **argv)
+{
+ char ch;
+ int debug = 0;
+ int rc;
+
+ global_flags |= AUDIT_CNT;
+ while ((ch = getopt(argc, argv, "dhs")) != -1) {
+ switch(ch) {
+ case 'd':
+ /* Debug option. */
+ debug = 1;
+ break;
+
+ case 's':
+ /* Fail-stop option. */
+ global_flags &= ~(AUDIT_CNT);
+ break;
+
+ case 'h':
+ /* Halt-stop option. */
+ global_flags |= AUDIT_AHLT;
+ break;
+
+ case '?':
+ default:
+ (void)fprintf(stderr,
+ "usage: auditd [-h | -s] [-d] \n");
+ exit(1);
+ }
+ }
+
+ openlog("auditd", LOG_CONS | LOG_PID, LOG_SECURITY);
+ syslog(LOG_INFO, "starting...\n");
+
+ if (debug == 0 && daemon(0, 0) == -1) {
+ syslog(LOG_ERR, "Failed to daemonize\n");
+ exit(1);
+ }
+
+ if (register_daemon() == -1) {
+ syslog(LOG_ERR, "Could not register as daemon\n");
+ exit(1);
+ }
+
+ setup();
+
+ rc = wait_for_triggers();
+ syslog(LOG_INFO, "auditd exiting.\n");
+
+ exit(rc);
+}
diff --git a/contrib/openbsm/bin/auditd/auditd.h b/contrib/openbsm/bin/auditd/auditd.h
new file mode 100644
index 000000000000..e1731d96542a
--- /dev/null
+++ b/contrib/openbsm/bin/auditd/auditd.h
@@ -0,0 +1,80 @@
+/*
+ * Copyright (c) 2005 Apple Computer, Inc.
+ * All rights reserved.
+ *
+ * @APPLE_BSD_LICENSE_HEADER_START@
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+ * its contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * @APPLE_BSD_LICENSE_HEADER_END@
+ *
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.h#4 $
+ */
+
+#ifndef _AUDITD_H_
+#define _AUDITD_H_
+
+#include <sys/types.h>
+#include <sys/queue.h>
+#include <syslog.h>
+
+#define MAX_DIR_SIZE 255
+#define AUDITD_NAME "auditd"
+
+#define POSTFIX_LEN 16
+#define NOT_TERMINATED ".not_terminated"
+
+struct dir_ent {
+ char *dirname;
+ char softlim;
+ TAILQ_ENTRY(dir_ent) dirs;
+};
+
+#define HARDLIM_ALL_WARN "allhard"
+#define SOFTLIM_ALL_WARN "allsoft"
+#define AUDITOFF_WARN "aditoff"
+#define EBUSY_WARN "ebusy"
+#define GETACDIR_WARN "getacdir"
+#define HARDLIM_WARN "hard"
+#define NOSTART_WARN "nostart"
+#define POSTSIGTERM_WARN "postsigterm"
+#define SOFTLIM_WARN "soft"
+#define TMPFILE_WARN "tmpfile"
+
+#define AUDITWARN_SCRIPT "/etc/security/audit_warn"
+#define AUDITD_PIDFILE "/var/run/auditd.pid"
+
+int audit_warn_allhard(int count);
+int audit_warn_allsoft(void);
+int audit_warn_auditoff(void);
+int audit_warn_ebusy(void);
+int audit_warn_getacdir(char *filename);
+int audit_warn_hard(char *filename);
+int audit_warn_nostart(void);
+int audit_warn_postsigterm(void);
+int audit_warn_soft(char *filename);
+int audit_warn_tmpfile(void);
+
+#endif /* !_AUDITD_H_ */
diff --git a/contrib/openbsm/bin/auditreduce/Makefile b/contrib/openbsm/bin/auditreduce/Makefile
new file mode 100644
index 000000000000..f4c292a3c867
--- /dev/null
+++ b/contrib/openbsm/bin/auditreduce/Makefile
@@ -0,0 +1,12 @@
+#
+# $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/Makefile#4 $
+#
+
+CFLAGS+= -I- -I ../.. -I ../../libbsm -L ../../libbsm -I.
+PROG= auditreduce
+MAN= auditreduce.1
+DPADD= /usr/lib/libbsm.a
+LDADD= -lbsm
+BINDIR= /usr/sbin
+
+.include <bsd.prog.mk>
diff --git a/contrib/openbsm/bin/auditreduce/auditreduce.1 b/contrib/openbsm/bin/auditreduce/auditreduce.1
new file mode 100644
index 000000000000..6374e5b91150
--- /dev/null
+++ b/contrib/openbsm/bin/auditreduce/auditreduce.1
@@ -0,0 +1,153 @@
+.\" Copyright (c) 2004 Apple Computer, Inc.
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+.\" its contributors may be used to endorse or promote products derived
+.\" from this software without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
+.\" ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+.\" POSSIBILITY OF SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.1#6 $
+.\"
+.Dd Jan 24, 2004
+.Dt AUDITREDUCE 1
+.Os
+.Sh NAME
+.Nm auditreduce
+.Nd "select records from audit trail files"
+.Sh SYNOPSIS
+.Nm auditreduce
+.Op Fl A
+.Op Fl a Ar YYYYMMDD[HH[MM[SS]]]
+.Op Fl b Ar YYYYMMDD[HH[MM[SS]]]
+.Op Fl c Ar flags
+.Op Fl d Ar YYYYMMDD
+.Op Fl e Ar euid
+.Op Fl f Ar egid
+.Op Fl g Ar rgid
+.Op Fl r Ar ruid
+.Op Fl u Ar auid
+.Op Fl j Ar id
+.Op Fl m Ar event
+.Op Fl o Ar object=value
+.Op Ar file ...
+.Sh DESCRIPTION
+The
+.Nm
+utility selects records from the audit trail files based on the specified
+criteria.
+Matching audit records are printed to the standard output in
+their raw binary form.
+If no filename is specified, the standard input is used
+by default.
+Use the
+.Nm praudit
+utility to print the selected audit records in human-readable form.
+See
+.Xr praudit 1
+for more information.
+.Pp
+The options are as follows:
+.Bl -tag -width Ds
+.It Fl A
+Select all records.
+.It Fl a Ar YYYYMMDD[HH[MM[SS]]]
+Select records that occurred after or on the given datetime.
+.It Fl b Ar YYYYMMDD[HH[MM[SS]]]
+Select records that occurred before the given datetime.
+.It Fl c Ar flags
+Select records matching the given audit classes specified as a comma
+separated list of audit flags.
+See
+.Xr audit_control 5
+for a description of audit flags.
+.It Fl d Ar YYYYMMDD
+Select records that occurred on a given date.
+This option cannot be used with
+.Fl a
+or
+.Fl b
+.It Fl e Ar euid
+Select records with the given effective user id or name.
+.It Fl f Ar egid
+Select records with the given effective group id or name.
+.It Fl g Ar rgid
+Select records with the given real group id or name.
+.It Fl r Ar ruid
+Select records with the given real user id or name.
+.It Fl u Ar auid
+Select records with the given audit id.
+.It Fl j Ar id
+Select records having a subject token with matching ID.
+.It Fl m Ar event
+Select records with the given event name or number.
+See
+.Xr audit_event 5
+for a description of audit event names and numbers.
+.It Fl o Ar object=value
+.Bl -tag -width Ds
+.It Nm file
+Select records containing the given path name.
+file="/usr" matches paths
+starting with
+.Pa usr .
+file="~/usr" matches paths not starting with
+.Pa usr .
+.It Nm msgqid
+Select records containing the given message queue id.
+.It Nm pid
+Select records containing the given process id.
+.It Nm semid
+Select records containing the given semaphore id.
+.It Nm shmid
+Select records containing the given shared memory id.
+.El
+.El
+.Sh Examples
+.Pp
+To select all records associated with effective user ID root from the audit
+log /var/audit/20031016184719.20031017122634:
+.Pp
+.Nm
+-e root /var/audit/20031016184719.20031017122634
+.Pp
+To select all
+.Xr setlogin 2
+events from that log:
+.Pp
+.Nm
+-m AUE_SETLOGIN /var/audit/20031016184719.20031017122634
+.Sh SEE ALSO
+.Xr audit_control 5 ,
+.Xr audit_event 5 ,
+.Xr praudit 1
+.Sh AUTHORS
+This software was created by McAfee Research, the security research division
+of McAfee, Inc., under contract to Apple Computer Inc.
+Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
diff --git a/contrib/openbsm/bin/auditreduce/auditreduce.c b/contrib/openbsm/bin/auditreduce/auditreduce.c
new file mode 100644
index 000000000000..8e6f2452bc50
--- /dev/null
+++ b/contrib/openbsm/bin/auditreduce/auditreduce.c
@@ -0,0 +1,699 @@
+/*
+ * Copyright (c) 2004 Apple Computer, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+ * its contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
+ * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.c#11 $
+ */
+
+/*
+ * Tool used to merge and select audit records from audit trail files
+ */
+
+/*
+ * XXX Currently we do not support merging of records from multiple
+ * XXX audit trail files
+ * XXX We assume that records are sorted chronologically - both wrt to
+ * XXX the records present within the file and between the files themselves
+ */
+
+#include <bsm/libbsm.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <sysexits.h>
+#include <grp.h>
+#include <pwd.h>
+#include <string.h>
+#include <time.h>
+#include <unistd.h>
+
+#include "auditreduce.h"
+
+extern char *optarg;
+extern int optind, optopt, opterr,optreset;
+
+static au_mask_t maskp; /* Class. */
+static time_t p_atime; /* Created after this time. */
+static time_t p_btime; /* Created before this time. */
+static uint16_t p_evtype; /* Event that we are searching for. */
+static int p_auid; /* Audit id. */
+static int p_euid; /* Effective user id. */
+static int p_egid; /* Effective group id. */
+static int p_rgid; /* Real group id. */
+static int p_ruid; /* Real user id. */
+static int p_subid; /* Subject id. */
+
+/*
+ * Following are the objects (-o option) that we can select upon.
+ */
+static char *p_fileobj = NULL;
+static char *p_msgqobj = NULL;
+static char *p_pidobj = NULL;
+static char *p_semobj = NULL;
+static char *p_shmobj = NULL;
+static char *p_sockobj = NULL;
+
+static uint32_t opttochk = 0;
+
+static void
+usage(const char *msg)
+{
+ fprintf(stderr, "%s\n", msg);
+ fprintf(stderr, "Usage: auditreduce [options] audit-trail-file [....] \n");
+ fprintf(stderr, "\tOptions are : \n");
+ fprintf(stderr, "\t-A : all records\n");
+ fprintf(stderr, "\t-a YYYYMMDD[HH[[MM[SS]]] : after date\n");
+ fprintf(stderr, "\t-b YYYYMMDD[HH[[MM[SS]]] : before date\n");
+ fprintf(stderr, "\t-c <flags> : matching class\n");
+ fprintf(stderr, "\t-d YYYYMMDD : on date\n");
+ fprintf(stderr, "\t-e <uid|name> : effective user\n");
+ fprintf(stderr, "\t-f <gid|group> : effective group\n");
+ fprintf(stderr, "\t-g <gid|group> : real group\n");
+ fprintf(stderr, "\t-j <pid> : subject id \n");
+ fprintf(stderr, "\t-m <evno|evname> : matching event\n");
+ fprintf(stderr, "\t-o objecttype=objectvalue\n");
+ fprintf(stderr, "\t\t file=<pathname>\n");
+ fprintf(stderr, "\t\t msgqid=<ID>\n");
+ fprintf(stderr, "\t\t pid=<ID>\n");
+ fprintf(stderr, "\t\t semid=<ID>\n");
+ fprintf(stderr, "\t\t shmid=<ID>\n");
+ fprintf(stderr, "\t-r <uid|name> : real user\n");
+ fprintf(stderr, "\t-u <uid|name> : audit user\n");
+ exit(EX_USAGE);
+}
+
+/*
+ * Check if the given auid matches the selection criteria.
+ */
+static int
+select_auid(int au)
+{
+
+ /* Check if we want to select on auid. */
+ if (ISOPTSET(opttochk, OPT_u)) {
+ if (au != p_auid)
+ return (0);
+ }
+ return (1);
+}
+
+/*
+ * Check if the given euid matches the selection criteria.
+ */
+static int
+select_euid(int euser)
+{
+
+ /* Check if we want to select on euid. */
+ if (ISOPTSET(opttochk, OPT_e)) {
+ if (euser != p_euid)
+ return (0);
+ }
+ return (1);
+}
+
+/*
+ * Check if the given egid matches the selection criteria.
+ */
+static int
+select_egid(int egrp)
+{
+
+ /* Check if we want to select on egid. */
+ if (ISOPTSET(opttochk, OPT_f)) {
+ if (egrp != p_egid)
+ return (0);
+ }
+ return (1);
+}
+
+/*
+ * Check if the given rgid matches the selection criteria.
+ */
+static int
+select_rgid(int grp)
+{
+
+ /* Check if we want to select on rgid. */
+ if (ISOPTSET(opttochk, OPT_g)) {
+ if (grp != p_rgid)
+ return (0);
+ }
+ return (1);
+}
+
+/*
+ * Check if the given ruid matches the selection criteria.
+ */
+static int
+select_ruid(int user)
+{
+
+ /* Check if we want to select on rgid. */
+ if (ISOPTSET(opttochk, OPT_r)) {
+ if (user != p_ruid)
+ return (0);
+ }
+ return (1);
+}
+
+/*
+ * Check if the given subject id (pid) matches the selection criteria.
+ */
+static int
+select_subid(int subid)
+{
+
+ /* Check if we want to select on subject uid. */
+ if (ISOPTSET(opttochk, OPT_j)) {
+ if (subid != p_subid)
+ return (0);
+ }
+ return (1);
+}
+
+
+/*
+ * Check if object's pid maches the given pid.
+ */
+static int
+select_pidobj(uint32_t pid)
+{
+
+ if (ISOPTSET(opttochk, OPT_op)) {
+ if (pid != strtol(p_pidobj, (char **)NULL, 10))
+ return (0);
+ }
+ return (1);
+}
+
+/*
+ * Check if the given ipc object with the given type matches the selection
+ * criteria.
+ */
+static int
+select_ipcobj(u_char type, uint32_t id, uint32_t *optchkd)
+{
+
+ if (type == AT_IPC_MSG) {
+ SETOPT((*optchkd), OPT_om);
+ if (ISOPTSET(opttochk, OPT_om)) {
+ if (id != strtol(p_msgqobj, (char **)NULL, 10))
+ return (0);
+ }
+ return (1);
+ } else if (type == AT_IPC_SEM) {
+ SETOPT((*optchkd), OPT_ose);
+ if (ISOPTSET(opttochk, OPT_ose)) {
+ if (id != strtol(p_semobj, (char **)NULL, 10))
+ return (0);
+ }
+ return (1);
+ } else if (type == AT_IPC_SHM) {
+ SETOPT((*optchkd), OPT_osh);
+ if (ISOPTSET(opttochk, OPT_osh)) {
+ if (id != strtol(p_shmobj, (char **)NULL, 10))
+ return (0);
+ }
+ return (1);
+ }
+
+ /* Unknown type -- filter if *any* ipc filtering is required. */
+ if (ISOPTSET(opttochk, OPT_om) || ISOPTSET(opttochk, OPT_ose)
+ || ISOPTSET(opttochk, OPT_osh))
+ return (0);
+
+ return (1);
+}
+
+
+/*
+ * Check if the file name matches selection criteria.
+ */
+static int
+select_filepath(char *path, uint32_t *optchkd)
+{
+ char *loc;
+
+ SETOPT((*optchkd), OPT_of);
+ if (ISOPTSET(opttochk, OPT_of)) {
+ if (p_fileobj[0] == '~') {
+ /* Object should not be in path. */
+ loc = strstr(path, p_fileobj + 1);
+ if ((loc != NULL) && (loc == path))
+ return (0);
+ } else {
+ /* Object should be in path. */
+ loc = strstr(path, p_fileobj);
+ if ((loc == NULL) || (loc != path))
+ return (0);
+ }
+ }
+ return (1);
+}
+
+/*
+ * Returns 1 if the following pass the selection rules:
+ *
+ * before-time,
+ * after time,
+ * date,
+ * class,
+ * event
+ */
+static int
+select_hdr32(tokenstr_t tok, uint32_t *optchkd)
+{
+
+ SETOPT((*optchkd), (OPT_A | OPT_a | OPT_b | OPT_c | OPT_m));
+
+ /* The A option overrides a, b and d. */
+ if (!ISOPTSET(opttochk, OPT_A)) {
+ if (ISOPTSET(opttochk, OPT_a)) {
+ if (difftime((time_t)tok.tt.hdr32.s, p_atime) < 0) {
+ /* Record was created before p_atime. */
+ return (0);
+ }
+ }
+
+ if (ISOPTSET(opttochk, OPT_b)) {
+ if (difftime(p_btime, (time_t)tok.tt.hdr32.s) < 0) {
+ /* Record was created after p_btime. */
+ return (0);
+ }
+ }
+ }
+
+ if (ISOPTSET(opttochk, OPT_c)) {
+ /*
+ * Check if the classes represented by the event matches
+ * given class.
+ */
+ if (au_preselect(tok.tt.hdr32.e_type, &maskp, AU_PRS_BOTH,
+ AU_PRS_USECACHE) != 1)
+ return (0);
+ }
+
+ /* Check if event matches. */
+ if (ISOPTSET(opttochk, OPT_m)) {
+ if (tok.tt.hdr32.e_type != p_evtype)
+ return (0);
+ }
+
+ return (1);
+}
+
+/*
+ * Return 1 if checks for the the following succeed
+ * auid,
+ * euid,
+ * egid,
+ * rgid,
+ * ruid,
+ * process id
+ */
+static int
+select_proc32(tokenstr_t tok, uint32_t *optchkd)
+{
+
+ SETOPT((*optchkd), (OPT_u | OPT_e | OPT_f | OPT_g | OPT_r | OPT_op));
+
+ if (!select_auid(tok.tt.proc32.auid))
+ return (0);
+ if (!select_euid(tok.tt.proc32.euid))
+ return (0);
+ if (!select_egid(tok.tt.proc32.egid))
+ return (0);
+ if (!select_rgid(tok.tt.proc32.rgid))
+ return (0);
+ if (!select_ruid(tok.tt.proc32.ruid))
+ return (0);
+ if (!select_pidobj(tok.tt.proc32.pid))
+ return (0);
+ return (1);
+}
+
+/*
+ * Return 1 if checks for the the following succeed
+ * auid,
+ * euid,
+ * egid,
+ * rgid,
+ * ruid,
+ * subject id
+ */
+static int
+select_subj32(tokenstr_t tok, uint32_t *optchkd)
+{
+
+ SETOPT((*optchkd), (OPT_u | OPT_e | OPT_f | OPT_g | OPT_r | OPT_j));
+
+ if (!select_auid(tok.tt.subj32.auid))
+ return (0);
+ if (!select_euid(tok.tt.subj32.euid))
+ return (0);
+ if (!select_egid(tok.tt.subj32.egid))
+ return (0);
+ if (!select_rgid(tok.tt.subj32.rgid))
+ return (0);
+ if (!select_ruid(tok.tt.subj32.ruid))
+ return (0);
+ if (!select_subid(tok.tt.subj32.pid))
+ return (0);
+ return (1);
+}
+
+/*
+ * Read each record from the audit trail. Check if it is selected after
+ * passing through each of the options
+ */
+static int
+select_records(FILE *fp)
+{
+ u_char *buf;
+ tokenstr_t tok;
+ int reclen;
+ int bytesread;
+ int selected;
+ uint32_t optchkd;
+
+ int err = 0;
+ while ((reclen = au_read_rec(fp, &buf)) != -1) {
+ optchkd = 0;
+ bytesread = 0;
+ selected = 1;
+ while ((selected == 1) && (bytesread < reclen)) {
+ if (-1 == au_fetch_tok(&tok, buf + bytesread,
+ reclen - bytesread)) {
+ /* Is this an incomplete record? */
+ err = 1;
+ break;
+ }
+
+ /*
+ * For each token type we have have different
+ * selection criteria.
+ */
+ switch(tok.id) {
+ case AU_HEADER_32_TOKEN:
+ selected = select_hdr32(tok,
+ &optchkd);
+ break;
+
+ case AU_PROCESS_32_TOKEN:
+ selected = select_proc32(tok,
+ &optchkd);
+ break;
+
+ case AU_SUBJECT_32_TOKEN:
+ selected = select_subj32(tok,
+ &optchkd);
+ break;
+
+ case AU_IPC_TOKEN:
+ selected = select_ipcobj(
+ tok.tt.ipc.type, tok.tt.ipc.id,
+ &optchkd);
+ break;
+
+ case AU_FILE_TOKEN:
+ selected = select_filepath(
+ tok.tt.file.name, &optchkd);
+ break;
+
+ case AU_PATH_TOKEN:
+ selected = select_filepath(
+ tok.tt.path.path, &optchkd);
+ break;
+
+ /*
+ * The following tokens dont have any relevant
+ * attributes that we can select upon.
+ */
+ case AU_TRAILER_TOKEN:
+ case AU_ARG32_TOKEN:
+ case AU_ATTR32_TOKEN:
+ case AU_EXIT_TOKEN:
+ case AU_NEWGROUPS_TOKEN:
+ case AU_IN_ADDR_TOKEN:
+ case AU_IP_TOKEN:
+ case AU_IPCPERM_TOKEN:
+ case AU_IPORT_TOKEN:
+ case AU_OPAQUE_TOKEN:
+ case AU_RETURN_32_TOKEN:
+ case AU_SEQ_TOKEN:
+ case AU_TEXT_TOKEN:
+ case AU_ARB_TOKEN:
+ case AU_SOCK_TOKEN:
+ default:
+ break;
+ }
+ bytesread += tok.len;
+ }
+ if ((selected == 1) && (!err)) {
+ /* Check if all the options were matched. */
+ if (!(opttochk & ~optchkd)) {
+ /* XXX Write this record to the output file. */
+ /* default to stdout */
+ fwrite(buf, 1, reclen, stdout);
+ }
+ }
+ free(buf);
+ }
+ return (0);
+}
+
+/*
+ * The -o option has the form object_type=object_value. Identify the object
+ * components.
+ */
+void
+parse_object_type(char *name, char *val)
+{
+ if (val == NULL)
+ return;
+
+ if (!strcmp(name, FILEOBJ)) {
+ p_fileobj = val;
+ SETOPT(opttochk, OPT_of);
+ } else if (!strcmp(name, MSGQIDOBJ)) {
+ p_msgqobj = val;
+ SETOPT(opttochk, OPT_om);
+ } else if (!strcmp(name, PIDOBJ)) {
+ p_pidobj = val;
+ SETOPT(opttochk, OPT_op);
+ } else if (!strcmp(name, SEMIDOBJ)) {
+ p_semobj = val;
+ SETOPT(opttochk, OPT_ose);
+ } else if (!strcmp(name, SHMIDOBJ)) {
+ p_shmobj = val;
+ SETOPT(opttochk, OPT_osh);
+ } else if (!strcmp(name, SOCKOBJ)) {
+ p_sockobj = val;
+ SETOPT(opttochk, OPT_oso);
+ } else
+ usage("unknown value for -o");
+}
+
+int
+main(int argc, char **argv)
+{
+ struct group *grp;
+ struct passwd *pw;
+ struct tm tm;
+ au_event_t *n;
+ FILE *fp;
+ int i;
+ char *objval, *converr;
+ char ch;
+ char timestr[128];
+ char *fname;
+
+ converr = NULL;
+
+ while ((ch = getopt(argc, argv, "Aa:b:c:d:e:f:g:j:m:o:r:u:")) != -1) {
+ switch(ch) {
+ case 'A':
+ SETOPT(opttochk, OPT_A);
+ break;
+
+ case 'a':
+ if (ISOPTSET(opttochk, OPT_a)) {
+ usage("d is exclusive with a and b");
+ }
+ SETOPT(opttochk, OPT_a);
+ strptime(optarg, "%Y%m%d%H%M%S", &tm);
+ strftime(timestr, sizeof(timestr), "%Y%m%d%H%M%S",
+ &tm);
+ /* fprintf(stderr, "Time converted = %s\n", timestr); */
+ p_atime = mktime(&tm);
+ break;
+
+ case 'b':
+ if (ISOPTSET(opttochk, OPT_b)) {
+ usage("d is exclusive with a and b");
+ }
+ SETOPT(opttochk, OPT_b);
+ strptime(optarg, "%Y%m%d%H%M%S", &tm);
+ strftime(timestr, sizeof(timestr), "%Y%m%d%H%M%S",
+ &tm);
+ /* fprintf(stderr, "Time converted = %s\n", timestr); */
+ p_btime = mktime(&tm);
+ break;
+
+ case 'c':
+ if (0 != getauditflagsbin(optarg, &maskp)) {
+ /* Incorrect class */
+ usage("Incorrect class");
+ }
+ SETOPT(opttochk, OPT_c);
+ break;
+
+ case 'd':
+ if (ISOPTSET(opttochk, OPT_b) || ISOPTSET(opttochk,
+ OPT_a))
+ usage("'d' is exclusive with 'a' and 'b'");
+ SETOPT(opttochk, OPT_d);
+ strptime(optarg, "%Y%m%d", &tm);
+ strftime(timestr, sizeof(timestr), "%Y%m%d", &tm);
+ /* fprintf(stderr, "Time converted = %s\n", timestr); */
+ p_atime = mktime(&tm);
+ tm.tm_hour = 23;
+ tm.tm_min = 59;
+ tm.tm_sec = 59;
+ strftime(timestr, sizeof(timestr), "%Y%m%d", &tm);
+ /* fprintf(stderr, "Time converted = %s\n", timestr); */
+ p_btime = mktime(&tm);
+ break;
+
+ case 'e':
+ p_euid = strtol(optarg, &converr, 10);
+ if (*converr != '\0') {
+ /* Try the actual name */
+ if ((pw = getpwnam(optarg)) == NULL)
+ break;
+ p_euid = pw->pw_uid;
+ }
+ SETOPT(opttochk, OPT_e);
+ break;
+
+ case 'f':
+ p_egid = strtol(optarg, &converr, 10);
+ if (*converr != '\0') {
+ /* Try actual group name. */
+ if ((grp = getgrnam(optarg)) == NULL)
+ break;
+ p_egid = grp->gr_gid;
+ }
+ SETOPT(opttochk, OPT_f);
+ break;
+
+ case 'g':
+ p_rgid = strtol(optarg, &converr, 10);
+ if (*converr != '\0') {
+ /* Try actual group name. */
+ if ((grp = getgrnam(optarg)) == NULL)
+ break;
+ p_rgid = grp->gr_gid;
+ }
+ SETOPT(opttochk, OPT_g);
+ break;
+
+ case 'j':
+ p_subid = strtol(optarg, (char **)NULL, 10);
+ SETOPT(opttochk, OPT_j);
+ break;
+
+ case 'm':
+ p_evtype = strtol(optarg, (char **)NULL, 10);
+ if (p_evtype == 0) {
+ /* Could be the string representation. */
+ n = getauevnonam(optarg);
+ if (n == NULL)
+ usage("Incorrect event name");
+ p_evtype = *n;
+ free(n);
+ }
+ SETOPT(opttochk, OPT_m);
+ break;
+
+ case 'o':
+ objval = strchr(optarg, '=');
+ if (objval != NULL) {
+ *objval = '\0';
+ objval += 1;
+ parse_object_type(optarg, objval);
+ }
+ break;
+
+ case 'r':
+ p_ruid = strtol(optarg, &converr, 10);
+ if (*converr != '\0') {
+ if ((pw = getpwnam(optarg)) == NULL)
+ break;
+ p_ruid = pw->pw_uid;
+ }
+ SETOPT(opttochk, OPT_r);
+ break;
+
+ case 'u':
+ p_auid = strtol(optarg, &converr, 10);
+ if (*converr != '\0') {
+ if ((pw = getpwnam(optarg)) == NULL)
+ break;
+ p_auid = pw->pw_uid;
+ }
+ SETOPT(opttochk, OPT_u);
+ break;
+
+ case '?':
+ default:
+ usage("Unknown option");
+ }
+ }
+ argv += optind;
+ argc -= optind;
+
+ if (argc == 0)
+ usage("Filename needed");
+
+ /*
+ * XXX: We should actually be merging records here.
+ */
+ for (i = 0; i < argc; i++) {
+ fname = argv[i];
+ fp = fopen(fname, "r");
+ if (fp == NULL)
+ errx(EXIT_FAILURE, "Couldn't open %s", fname);
+ if (select_records(fp) == -1) {
+ errx(EXIT_FAILURE, "Couldn't select records %s",
+ fname);
+ }
+ fclose(fp);
+ }
+ exit(EXIT_SUCCESS);
+}
diff --git a/contrib/openbsm/bin/auditreduce/auditreduce.h b/contrib/openbsm/bin/auditreduce/auditreduce.h
new file mode 100644
index 000000000000..698e27605b0f
--- /dev/null
+++ b/contrib/openbsm/bin/auditreduce/auditreduce.h
@@ -0,0 +1,67 @@
+/*
+ * Copyright (c) 2004 Apple Computer, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+ * its contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
+ * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.h#4 $
+ */
+
+#ifndef _AUDITREDUCE_H_
+#define _AUDITREDUCE_H_
+
+
+#define OPT_a 0x00000001
+#define OPT_b 0x00000002
+#define OPT_c 0x00000004
+#define OPT_d (OPT_a | OPT_b)
+#define OPT_e 0x00000010
+#define OPT_f 0x00000020
+#define OPT_g 0x00000040
+#define OPT_j 0x00000080
+#define OPT_m 0x00000100
+#define OPT_of 0x00000200
+#define OPT_om 0x00000400
+#define OPT_op 0x00000800
+#define OPT_ose 0x00001000
+#define OPT_osh 0x00002000
+#define OPT_oso 0x00004000
+#define OPT_r 0x00008000
+#define OPT_u 0x00010000
+#define OPT_A 0x00020000
+
+#define FILEOBJ "file"
+#define MSGQIDOBJ "msgqid"
+#define PIDOBJ "pid"
+#define SEMIDOBJ "semid"
+#define SHMIDOBJ "shmid"
+#define SOCKOBJ "sock"
+
+
+#define SETOPT(optmask, bit) (optmask |= bit)
+#define ISOPTSET(optmask, bit) (optmask & bit)
+
+
+#endif /* !_AUDITREDUCE_H_ */
diff --git a/contrib/openbsm/bin/praudit/Makefile b/contrib/openbsm/bin/praudit/Makefile
new file mode 100644
index 000000000000..34e136bd0ee7
--- /dev/null
+++ b/contrib/openbsm/bin/praudit/Makefile
@@ -0,0 +1,12 @@
+#
+# $P4: //depot/projects/trustedbsd/openbsm/bin/praudit/Makefile#4 $
+#
+
+CFLAGS+= -I- -I ../.. -I ../../libbsm -L ../../libbsm -I.
+PROG= praudit
+MAN= praudit.1
+DPADD= /usr/lib/libbsm.a
+LDADD= -lbsm
+BINDIR= /usr/sbin
+
+.include <bsd.prog.mk>
diff --git a/contrib/openbsm/bin/praudit/praudit.1 b/contrib/openbsm/bin/praudit/praudit.1
new file mode 100644
index 000000000000..e99463860407
--- /dev/null
+++ b/contrib/openbsm/bin/praudit/praudit.1
@@ -0,0 +1,97 @@
+.\" Copyright (c) 2004 Apple Computer, Inc.
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+.\" its contributors may be used to endorse or promote products derived
+.\" from this software without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
+.\" ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+.\" POSSIBILITY OF SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/bin/praudit/praudit.1#7 $
+.\"
+.Dd Jan 24, 2004
+.Dt PRAUDIT 1
+.Os
+.Sh NAME
+.Nm praudit
+.Nd "print the contents of audit trail files"
+.Sh SYNOPSIS
+.Nm praudit
+.Op Fl lrs
+.Op Fl d Ar del
+.Op Ar file ...
+.Sh DESCRIPTION
+The
+.Nm
+utility prints the contents of the audit trail files to the standard output in
+human-readable form.
+If no filename is specified, the standard input is used
+by default.
+.Pp
+The options are as follows:
+.Bl -tag -width Ds
+.It Fl l
+Prints the entire record on the same line.
+If this option is not specified,
+every token is displayed on a different line.
+.It Fl r
+Prints the records in their raw, numeric form.
+This option is exclusive from
+.Fl s
+.It Fl s
+Prints the tokens in their short form.
+Short text representations for
+record and event type are displayed.
+This option is exclusive from
+.Fl r
+.It Fl d Ar del
+Specifies the delimiter.
+The default delimiter is the comma.
+.El
+.Pp
+If the raw or short forms are not specified, the default is to print the tokens
+in their long form.
+Events are displayed as per their descriptions given in
+.Pa /etc/security/audit_event ;
+uids and gids are expanded to their names;
+dates and times are displayed in human-readable format.
+.Sh FILES
+.Bl -tag -width "/etc/security/audit_control" -compact
+.It Pa /etc/security/audit_class
+Descriptions of audit event classes
+.It Pa /etc/security/audit_event
+Descriptions of audit events
+.El
+.Sh SEE ALSO
+.Xr audit_class 5 ,
+.Xr audit_event 5
+.Sh AUTHORS
+This software was created by McAfee Research, the security research division
+of McAfee, Inc., under contract to Apple Computer Inc.
+Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
diff --git a/contrib/openbsm/bin/praudit/praudit.c b/contrib/openbsm/bin/praudit/praudit.c
new file mode 100644
index 000000000000..920f6d46b589
--- /dev/null
+++ b/contrib/openbsm/bin/praudit/praudit.c
@@ -0,0 +1,157 @@
+/*
+ * Copyright (c) 2004 Apple Computer, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+ * its contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
+ * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/praudit/praudit.c#7 $
+ */
+
+/*
+ * Tool used to parse audit records conforming to the BSM structure.
+ */
+
+/*
+ * praudit [-lrs] [-ddel] [filenames]
+ */
+
+#include <bsm/libbsm.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+extern char *optarg;
+extern int optind, optopt, opterr,optreset;
+
+static char *del = ","; /* Default delimiter. */
+static int oneline = 0;
+static int raw = 0;
+static int shortfrm = 0;
+static int partial = 0;
+
+static void
+usage()
+{
+
+ fprintf(stderr, "Usage: praudit [-lrs] [-ddel] [filenames]\n");
+ exit(1);
+}
+
+/*
+ * Token printing for each token type .
+ */
+static int
+print_tokens(FILE *fp)
+{
+ u_char *buf;
+ tokenstr_t tok;
+ int reclen;
+ int bytesread;
+
+ /* Allow tail -f | praudit to work. */
+ if (partial) {
+ u_char type = 0;
+ /* Record must begin with a header token. */
+ do {
+ type = fgetc(fp);
+ } while(type != AU_HEADER_32_TOKEN);
+ ungetc(type, fp);
+ }
+
+ while ((reclen = au_read_rec(fp, &buf)) != -1) {
+ bytesread = 0;
+ while (bytesread < reclen) {
+ /* Is this an incomplete record? */
+ if (-1 == au_fetch_tok(&tok, buf + bytesread,
+ reclen - bytesread))
+ break;
+ au_print_tok(stdout, &tok, del, raw, shortfrm);
+ bytesread += tok.len;
+ if (oneline)
+ printf("%s", del);
+ else
+ printf("\n");
+ }
+ free(buf);
+ if (oneline)
+ printf("\n");
+ }
+ return (0);
+}
+
+int
+main(int argc, char **argv)
+{
+ char ch;
+ int i;
+ FILE *fp;
+
+ while ((ch = getopt(argc, argv, "lprsd:")) != -1) {
+ switch(ch) {
+ case 'l':
+ oneline = 1;
+ break;
+
+ case 'r':
+ if (shortfrm)
+ usage(); /* Exclusive from shortfrm. */
+ raw = 1;
+ break;
+
+ case 's':
+ if (raw)
+ usage(); /* Exclusive from raw. */
+ shortfrm = 1;
+ break;
+
+ case 'd':
+ del = optarg;
+ break;
+
+ case 'p':
+ partial = 1;
+ break;
+
+ case '?':
+ default:
+ usage();
+ }
+ }
+
+ /* For each of the files passed as arguments dump the contents. */
+ if (optind == argc) {
+ print_tokens(stdin);
+ return (1);
+ }
+ for (i = optind; i < argc; i++) {
+ fp = fopen(argv[i], "r");
+ if ((fp == NULL) || (print_tokens(fp) == -1))
+ perror(argv[i]);
+ if (fp != NULL)
+ fclose(fp);
+ }
+ return (1);
+}
diff --git a/contrib/openbsm/bsm/Makefile b/contrib/openbsm/bsm/Makefile
new file mode 100644
index 000000000000..ba6370123110
--- /dev/null
+++ b/contrib/openbsm/bsm/Makefile
@@ -0,0 +1,22 @@
+#
+# $P4: //depot/projects/trustedbsd/openbsm/bsm/Makefile#7 $
+#
+
+INCS= audit.h \
+ audit_internal.h \
+ audit_kevents.h \
+ audit_record.h \
+ audit_uevents.h \
+ libbsm.h
+
+TARGET= ${DESTDIR}/usr/include/bsm
+
+all:
+default:
+depend:
+clean:
+
+install:
+ mkdir -p -m 0755 ${TARGET}
+ install -o root -g wheel -m 0644 ${INCS} ${TARGET}
+
diff --git a/contrib/openbsm/bsm/audit.h b/contrib/openbsm/bsm/audit.h
new file mode 100644
index 000000000000..1d208c1347eb
--- /dev/null
+++ b/contrib/openbsm/bsm/audit.h
@@ -0,0 +1,327 @@
+/*
+ * Copyright (c) 2005 Apple Computer, Inc.
+ * All rights reserved.
+ *
+ * @APPLE_BSD_LICENSE_HEADER_START@
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+ * its contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * @APPLE_BSD_LICENSE_HEADER_END@
+ *
+ * $P4: //depot/projects/trustedbsd/openbsm/bsm/audit.h#14 $
+ */
+
+#ifndef _BSM_AUDIT_H
+#define _BSM_AUDIT_H
+
+#define AUDIT_RECORD_MAGIC 0x828a0f1b
+#define MAX_AUDIT_RECORDS 20
+#define MAX_AUDIT_RECORD_SIZE 4096
+#define MIN_AUDIT_FILE_SIZE (512 * 1024)
+
+/*
+ * Triggers for the audit daemon
+ */
+#define AUDIT_TRIGGER_MIN 1
+#define AUDIT_TRIGGER_LOW_SPACE 1
+#define AUDIT_TRIGGER_OPEN_NEW 2
+#define AUDIT_TRIGGER_READ_FILE 3
+#define AUDIT_TRIGGER_CLOSE_AND_DIE 4
+#define AUDIT_TRIGGER_NO_SPACE 5
+#define AUDIT_TRIGGER_MAX 5
+
+/*
+ * File that will be read for trigger events from the kernel
+ */
+#define AUDIT_TRIGGER_FILE "/dev/audit"
+
+/*
+ * Pre-defined audit IDs
+ */
+#define AU_DEFAUDITID -1
+
+/*
+ * Define the masks for the classes of audit events.
+ */
+#define AU_NULL 0x00000000
+#define AU_FREAD 0x00000001
+#define AU_FWRITE 0x00000002
+#define AU_FACCESS 0x00000004
+#define AU_FMODIFY 0x00000008
+#define AU_FCREATE 0x00000010
+#define AU_FDELETE 0x00000020
+#define AU_CLOSE 0x00000040
+#define AU_PROCESS 0x00000080
+#define AU_NET 0x00000100
+#define AU_IPC 0x00000200
+#define AU_NONAT 0x00000400
+#define AU_ADMIN 0x00000800
+#define AU_LOGIN 0x00001000
+#define AU_TFM 0x00002000
+#define AU_APPL 0x00004000
+#define AU_SETL 0x00008000
+#define AU_IFLOAT 0x00010000
+#define AU_PRIV 0x00020000
+#define AU_MAC_RW 0x00040000
+#define AU_XCONN 0x00080000
+#define AU_XCREATE 0x00100000
+#define AU_XDELETE 0x00200000
+#define AU_XIFLOAT 0x00400000
+#define AU_XPRIVS 0x00800000
+#define AU_XPRIVF 0x01000000
+#define AU_XMOVE 0x02000000
+#define AU_XDACF 0x04000000
+#define AU_XMACF 0x08000000
+#define AU_XSECATTR 0x10000000
+#define AU_IOCTL 0x20000000
+#define AU_EXEC 0x40000000
+#define AU_OTHER 0x80000000
+#define AU_ALL 0xffffffff
+
+/*
+ * IPC types
+ */
+#define AT_IPC_MSG ((u_char)1) /* Message IPC id. */
+#define AT_IPC_SEM ((u_char)2) /* Semaphore IPC id. */
+#define AT_IPC_SHM ((u_char)3) /* Shared mem IPC id. */
+
+/*
+ * Audit conditions.
+ */
+#define AUC_UNSET 0
+#define AUC_AUDITING 1
+#define AUC_NOAUDIT 2
+#define AUC_DISABLED -1
+
+/*
+ * auditon(2) commands.
+ */
+#define A_GETPOLICY 2
+#define A_SETPOLICY 3
+#define A_GETKMASK 4
+#define A_SETKMASK 5
+#define A_GETQCTRL 6
+#define A_SETQCTRL 7
+#define A_GETCWD 8
+#define A_GETCAR 9
+#define A_GETSTAT 12
+#define A_SETSTAT 13
+#define A_SETUMASK 14
+#define A_SETSMASK 15
+#define A_GETCOND 20
+#define A_SETCOND 21
+#define A_GETCLASS 22
+#define A_SETCLASS 23
+#define A_GETPINFO 24
+#define A_SETPMASK 25
+#define A_SETFSIZE 26
+#define A_GETFSIZE 27
+#define A_GETPINFO_ADDR 28
+#define A_GETKAUDIT 29
+#define A_SETKAUDIT 30
+#define A_SENDTRIGGER 31
+
+/*
+ * Audit policy controls.
+ */
+#define AUDIT_CNT 0x0001
+#define AUDIT_AHLT 0x0002
+#define AUDIT_ARGV 0x0004
+#define AUDIT_ARGE 0x0008
+#define AUDIT_PASSWD 0x0010
+#define AUDIT_SEQ 0x0020
+#define AUDIT_WINDATA 0x0040
+#define AUDIT_USER 0x0080
+#define AUDIT_GROUP 0x0100
+#define AUDIT_TRAIL 0x0200
+#define AUDIT_PATH 0x0400
+
+/*
+ * Audit queue control parameters
+ */
+#define AQ_HIWATER 100
+#define AQ_MAXHIGH 10000
+#define AQ_LOWATER 10
+#define AQ_BUFSZ 1024
+#define AQ_MAXBUFSZ 1048576
+
+/*
+ * Default minimum percentage free space on file system.
+ */
+#define AU_FS_MINFREE 20
+
+/*
+ * Type definitions used indicating the length of variable length addresses
+ * in tokens containing addresses, such as header fields.
+ */
+#define AU_IPv4 4
+#define AU_IPv6 16
+
+__BEGIN_DECLS
+
+typedef uid_t au_id_t;
+typedef pid_t au_asid_t;
+typedef u_int16_t au_event_t;
+typedef u_int16_t au_emod_t;
+typedef u_int32_t au_class_t;
+
+struct au_tid {
+ dev_t port;
+ u_int32_t machine;
+};
+typedef struct au_tid au_tid_t;
+
+struct au_tid_addr {
+ dev_t at_port;
+ u_int32_t at_type;
+ u_int32_t at_addr[4];
+};
+typedef struct au_tid_addr au_tid_addr_t;
+
+struct au_mask {
+ unsigned int am_success; /* Success bits. */
+ unsigned int am_failure; /* Failure bits. */
+};
+typedef struct au_mask au_mask_t;
+
+struct auditinfo {
+ au_id_t ai_auid; /* Audit user ID. */
+ au_mask_t ai_mask; /* Audit masks. */
+ au_tid_t ai_termid; /* Terminal ID. */
+ au_asid_t ai_asid; /* Audit session ID. */
+};
+typedef struct auditinfo auditinfo_t;
+
+struct auditinfo_addr {
+ au_id_t ai_auid; /* Audit user ID. */
+ au_mask_t ai_mask; /* Audit masks. */
+ au_tid_addr_t ai_termid; /* Terminal ID. */
+ au_asid_t ai_asid; /* Audit session ID. */
+};
+typedef struct auditinfo_addr auditinfo_addr_t;
+
+struct auditpinfo {
+ pid_t ap_pid; /* ID of target process. */
+ au_id_t ap_auid; /* Audit user ID. */
+ au_mask_t ap_mask; /* Audit masks. */
+ au_tid_t ap_termid; /* Terminal ID. */
+ au_asid_t ap_asid; /* Audit session ID. */
+};
+typedef struct auditpinfo auditpinfo_t;
+
+struct auditpinfo_addr {
+ pid_t ap_pid; /* ID of target process. */
+ au_id_t ap_auid; /* Audit user ID. */
+ au_mask_t ap_mask; /* Audit masks. */
+ au_tid_addr_t ap_termid; /* Terminal ID. */
+ au_asid_t ap_asid; /* Audit session ID. */
+};
+typedef struct auditpinfo_addr auditpinfo_addr_t;
+
+/* Token and record structures. */
+
+struct au_token {
+ u_char *t_data;
+ size_t len;
+ TAILQ_ENTRY(au_token) tokens;
+};
+typedef struct au_token token_t;
+
+struct au_record {
+ char used; /* Record currently in use? */
+ int desc; /* Descriptor for record. */
+ TAILQ_HEAD(, au_token) token_q; /* Queue of BSM tokens. */
+ u_char *data;
+ size_t len;
+ LIST_ENTRY(au_record) au_rec_q;
+};
+typedef struct au_record au_record_t;
+
+/*
+ * Kernel audit queue control parameters.
+ */
+struct au_qctrl {
+ size_t aq_hiwater;
+ size_t aq_lowater;
+ size_t aq_bufsz;
+ clock_t aq_delay;
+ int aq_minfree; /* Minimum filesystem percent free space. */
+};
+typedef struct au_qctrl au_qctrl_t;
+
+/*
+ * Structure for the audit statistics.
+ */
+struct audit_stat {
+ unsigned int as_version;
+ unsigned int as_numevent;
+ int as_generated;
+ int as_nonattring;
+ int as_kernel;
+ int as_audit;
+ int as_auditctl;
+ int as_enqueu;
+ int as_written;
+ int as_wblocked;
+ int as_rblocked;
+ int as_dropped;
+ int as_totalsize;
+ unsigned int as_memused;
+};
+typedef struct audit_stat au_stat_t;
+
+/*
+ * Structure for the audit file statistics.
+ */
+struct audit_fstat {
+ u_quad_t af_filesz;
+ u_quad_t af_currsz;
+};
+typedef struct audit_fstat au_fstat_t;
+
+/*
+ * Audit to event class mapping.
+ */
+struct au_evclass_map {
+ au_event_t ec_number;
+ au_class_t ec_class;
+};
+typedef struct au_evclass_map au_evclass_map_t;
+
+#if !defined(_KERNEL) && !defined(KERNEL)
+int audit(const void *, int);
+int auditon(int, void *, int);
+int auditctl(const char *);
+int getauid(au_id_t *);
+int setauid(const au_id_t *);
+int getaudit(struct auditinfo *);
+int setaudit(const struct auditinfo *);
+int getaudit_addr(struct auditinfo_addr *, int);
+int setaudit_addr(const struct auditinfo_addr *, int);
+#endif /* defined(_KERNEL) || defined(KERNEL) */
+
+__END_DECLS
+
+#endif /* !_BSM_AUDIT_H */
diff --git a/contrib/openbsm/bsm/audit_internal.h b/contrib/openbsm/bsm/audit_internal.h
new file mode 100644
index 000000000000..2d98aae5c88f
--- /dev/null
+++ b/contrib/openbsm/bsm/audit_internal.h
@@ -0,0 +1,99 @@
+/*
+ * Copyright (c) 2005 Apple Computer, Inc.
+ * Copyright (c) 2005 SPARTA, Inc.
+ * All rights reserved.
+ *
+ * This code was developed in part by Robert N. M. Watson, Senior Principal
+ * Scientist, SPARTA, Inc.
+ *
+ * @APPLE_BSD_LICENSE_HEADER_START@
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+ * its contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * @APPLE_BSD_LICENSE_HEADER_END@
+ *
+ * $P4: //depot/projects/trustedbsd/openbsm/bsm/audit_internal.h#7 $
+ */
+
+#ifndef _LIBBSM_INTERNAL_H
+#define _LIBBSM_INTERNAL_H
+
+/*
+ * audit_internal.h contains private interfaces that are shared by user space
+ * and the kernel for the purposes of assembling audit records. Applications
+ * should not include this file or use the APIs found within, or it may be
+ * broken with future releases of OpenBSM, which may delete, modify, or
+ * otherwise break these interfaces or the assumptions they rely on.
+ */
+
+/* We could determined the header and trailer sizes by
+ * defining appropriate structures. We hold off that approach
+ * till we have a consistant way of using structures for all tokens.
+ * This is not straightforward since these token structures may
+ * contain pointers of whose contents we dont know the size
+ * (e.g text tokens)
+ */
+#define BSM_HEADER_SIZE 18
+#define BSM_TRAILER_SIZE 7
+
+/*
+ * BSM token streams store fields in big endian byte order, so as to be
+ * portable; when encoding and decoding, we must convert byte orders for
+ * typed values.
+ */
+#define ADD_U_CHAR(loc, val) \
+ do { \
+ *(loc) = (val); \
+ (loc) += sizeof(u_char); \
+ } while(0)
+
+
+#define ADD_U_INT16(loc, val) \
+ do { \
+ be16enc((loc), (val)); \
+ (loc) += sizeof(u_int16_t); \
+ } while(0)
+
+#define ADD_U_INT32(loc, val) \
+ do { \
+ be32enc((loc), (val)); \
+ (loc) += sizeof(u_int32_t); \
+ } while(0)
+
+#define ADD_U_INT64(loc, val) \
+ do { \
+ be64enc((loc), (val)); \
+ (loc) += sizeof(u_int64_t); \
+ } while(0)
+
+#define ADD_MEM(loc, data, size) \
+ do { \
+ memcpy((loc), (data), (size)); \
+ (loc) += size; \
+ } while(0)
+
+#define ADD_STRING(loc, data, size) ADD_MEM(loc, data, size)
+
+#endif /* !_LIBBSM_INTERNAL_H_ */
diff --git a/contrib/openbsm/bsm/audit_kevents.h b/contrib/openbsm/bsm/audit_kevents.h
new file mode 100644
index 000000000000..54cc308fc002
--- /dev/null
+++ b/contrib/openbsm/bsm/audit_kevents.h
@@ -0,0 +1,494 @@
+/*
+ * Copyright (c) 2005 Apple Computer, Inc.
+ * All rights reserved.
+ *
+ * @APPLE_BSD_LICENSE_HEADER_START@
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+ * its contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * @APPLE_BSD_LICENSE_HEADER_END@
+ *
+ * $P4: //depot/projects/trustedbsd/openbsm/bsm/audit_kevents.h#29 $
+ */
+
+#ifndef _BSM_AUDIT_KEVENTS_H_
+#define _BSM_AUDIT_KEVENTS_H_
+
+/*
+ * Values marked as AUE_NULL are not required to be audited as per CAPP.
+ *
+ * Some conflicts exist in the assignment of name to event number mappings
+ * between BSM implementations. In general, we prefer the OpenSolaris
+ * definition as we consider Solaris BSM to be authoritative. _DARWIN_ has
+ * been inserted for the Darwin variants. If necessary, other tags will be
+ * added in the future.
+ */
+
+#define AUE_NULL 0
+#define AUE_EXIT 1
+#define AUE_FORK 2
+#define AUE_OPEN 3
+#define AUE_CREAT 4
+#define AUE_LINK 5
+#define AUE_UNLINK 6
+#define AUE_DELETE AUE_UNLINK
+#define AUE_EXEC 7
+#define AUE_CHDIR 8
+#define AUE_MKNOD 9
+#define AUE_CHMOD 10
+#define AUE_CHOWN 11
+#define AUE_UMOUNT 12
+#define AUE_JUNK 13 /* Solaris-specific. */
+#define AUE_ACCESS 14
+#define AUE_CHECKUSERACCESS AUE_ACCESS
+#define AUE_KILL 15
+#define AUE_STAT 16
+#define AUE_LSTAT 17
+#define AUE_ACCT 18
+#define AUE_MCTL 19 /* Solaris-specific. */
+#define AUE_REBOOT 20 /* XXX: Darwin conflict. */
+#define AUE_SYMLINK 21
+#define AUE_READLINK 22
+#define AUE_EXECVE 23
+#define AUE_CHROOT 24
+#define AUE_VFORK 25
+#define AUE_SETGROUPS 26
+#define AUE_SETPGRP 27
+#define AUE_SWAPON 28
+#define AUE_SETHOSTNAME 29 /* XXX: Darwin conflict. */
+#define AUE_FCNTL 30
+#define AUE_SETPRIORITY 31 /* XXX: Darwin conflict. */
+#define AUE_CONNECT 32
+#define AUE_ACCEPT 33
+#define AUE_BIND 34
+#define AUE_SETSOCKOPT 35
+#define AUE_VTRACE 36 /* Solaris-specific. */
+#define AUE_SETTIMEOFDAY 37 /* XXX: Darwin conflict. */
+#define AUE_FCHOWN 38
+#define AUE_FCHMOD 39
+#define AUE_SETREUID 40
+#define AUE_SETREGID 41
+#define AUE_RENAME 42
+#define AUE_TRUNCATE 43 /* XXX: Darwin conflict. */
+#define AUE_FTRUNCATE 44 /* XXX: Darwin conflict. */
+#define AUE_FLOCK 45 /* XXX: Darwin conflict. */
+#define AUE_SHUTDOWN 46
+#define AUE_MKDIR 47
+#define AUE_RMDIR 48
+#define AUE_UTIMES 49
+#define AUE_ADJTIME 50
+#define AUE_SETRLIMIT 51
+#define AUE_KILLPG 52
+#define AUE_NFS_SVC 53 /* XXX: Darwin conflict. */
+#define AUE_STATFS 54
+#define AUE_FSTATFS 55
+#define AUE_UNMOUNT 56 /* XXX: Darwin conflict. */
+#define AUE_ASYNC_DAEMON 57
+#define AUE_NFS_GETFH 58 /* XXX: Darwin conflict. */
+#define AUE_SETDOMAINNAME 59
+#define AUE_QUOTACTL 60 /* XXX: Darwin conflict. */
+#define AUE_EXPORTFS 61
+#define AUE_MOUNT 62
+#define AUE_SEMSYS 63
+#define AUE_MSGSYS 64
+#define AUE_SHMSYS 65
+#define AUE_BSMSYS 66 /* Solaris-specific. */
+#define AUE_RFSSYS 67 /* Solaris-specific. */
+#define AUE_FCHDIR 68
+#define AUE_FCHROOT 69
+#define AUE_VPIXSYS 70 /* Solaris-specific. */
+#define AUE_PATHCONF 71
+#define AUE_OPEN_R 72
+#define AUE_OPEN_RC 73
+#define AUE_OPEN_RT 74
+#define AUE_OPEN_RTC 75
+#define AUE_OPEN_W 76
+#define AUE_OPEN_WC 77
+#define AUE_OPEN_WT 78
+#define AUE_OPEN_WTC 79
+#define AUE_OPEN_RW 80
+#define AUE_OPEN_RWC 81
+#define AUE_OPEN_RWT 82
+#define AUE_OPEN_RWTC 83
+#define AUE_MSGCTL 84
+#define AUE_MSGCTL_RMID 85
+#define AUE_MSGCTL_SET 86
+#define AUE_MSGCTL_STAT 87
+#define AUE_MSGGET 88
+#define AUE_MSGRCV 89
+#define AUE_MSGSND 90
+#define AUE_SHMCTL 91
+#define AUE_SHMCTL_RMID 92
+#define AUE_SHMCTL_SET 93
+#define AUE_SHMCTL_STAT 94
+#define AUE_SHMGET 95
+#define AUE_SHMAT 96
+#define AUE_SHMDT 97
+#define AUE_SEMCTL 98
+#define AUE_SEMCTL_RMID 99
+#define AUE_SEMCTL_SET 100
+#define AUE_SEMCTL_STAT 101
+#define AUE_SEMCTL_GETNCNT 102
+#define AUE_SEMCTL_GETPID 103
+#define AUE_SEMCTL_GETVAL 104
+#define AUE_SEMCTL_GETALL 105
+#define AUE_SEMCTL_GETZCNT 106
+#define AUE_SEMCTL_SETVAL 107
+#define AUE_SEMCTL_SETALL 108
+#define AUE_SEMGET 109
+#define AUE_SEMOP 110
+#define AUE_CORE 111 /* Solaris-specific, currently. */
+#define AUE_CLOSE 112
+#define AUE_SYSTEMBOOT 113
+#define AUE_ASYNC_DAEMON_EXIT 114 /* Solaris-specific. */
+#define AUE_NFSSVC_EXIT 115 /* Solaris-specific. */
+#define AUE_WRITEL 128 /* Solaris-specific. */
+#define AUE_WRITEVL 129 /* Solaris-specific. */
+#define AUE_GETAUID 130
+#define AUE_SETAUID 131
+#define AUE_GETAUDIT 132
+#define AUE_SETAUDIT 133
+#define AUE_GETUSERAUDIT 134 /* Solaris-specific. */
+#define AUE_SETUSERAUDIT 135 /* Solaris-specific. */
+#define AUE_AUDITSVC 136 /* Solaris-specific. */
+#define AUE_AUDITUSER 137 /* Solaris-specific. */
+#define AUE_AUDITON 138
+#define AUE_AUDITON_GTERMID 139 /* Solaris-specific. */
+#define AUE_AUDITON_STERMID 140 /* Solaris-specific. */
+#define AUE_AUDITON_GPOLICY 141
+#define AUE_AUDITON_SPOLICY 142
+#define AUE_AUDITON_GQCTRL 145
+#define AUE_AUDITON_SQCTRL 146
+#define AUE_GETKERNSTATE 147 /* Solaris-specific. */
+#define AUE_SETKERNSTATE 148 /* Solaris-specific. */
+#define AUE_GETPORTAUDIT 149 /* Solaris-specific. */
+#define AUE_AUDISTAT 150 /* Solaris-specific. */
+#define AUE_ENTERPROM 153 /* Solaris-specific. */
+#define AUE_EXITPROM 154 /* Solaris-specific. */
+#define AUE_IOCTL 158
+#define AUE_SOCKET 183
+#define AUE_SENDTO 184
+#define AUE_PIPE 185
+#define AUE_SOCKETPAIR 186 /* XXX: Darwin conflict. */
+#define AUE_SEND 187
+#define AUE_SENDMSG 188
+#define AUE_RECV 189
+#define AUE_RECVMSG 190
+#define AUE_RECVFROM 191
+#define AUE_READ 192
+#define AUE_LSEEK 194
+#define AUE_WRITE 195
+#define AUE_WRITEV 196
+#define AUE_NFS 197 /* Solaris-specific. */
+#define AUE_READV 198
+ /* XXXRW: XXX Solaris old stat()? */
+#define AUE_SETUID 200 /* XXXRW: Solaris old setuid? */
+#define AUE_STIME 201 /* XXXRW: Solaris old stime? */
+#define AUE_UTIME 202 /* XXXRW: Solaris old utime? */
+#define AUE_NICE 203 /* XXXRW: Solaris old nice? */
+ /* XXXRW: Solaris old setpgrp? */
+#define AUE_SETGID 205 /* XXXRW: Solaris old setgid? */
+ /* XXXRW: Solaris readl? */
+ /* XXXRW: Solaris readvl()? */
+#define AUE_DUP2 209
+#define AUE_MMAP 210
+#define AUE_AUDIT 211
+#define AUE_PRIOCNTLSYS 212
+#define AUE_MUNMAP 213
+#define AUE_SETEGID 214
+#define AUE_SETEUID 215
+#define AUE_PUTMSG 216
+#define AUE_GETMSG 217 /* Solaris-specific. */
+#define AUE_PUTPMSG 218 /* Solaris-specific. */
+#define AUE_GETPMSG 219 /* Solaris-specific. */
+#define AUE_AUDITSYS 220 /* Solaris-specific. */
+#define AUE_AUDITON_GETKMASK 221
+#define AUE_AUDITON_SETKMASK 222
+#define AUE_AUDITON_GETCWD 223
+#define AUE_AUDITON_GETCAR 224
+#define AUE_AUDITON_GETSTAT 225
+#define AUE_AUDITON_SETSTAT 226
+#define AUE_AUDITON_SETUMASK 227
+#define AUE_AUDITON_SETSMASK 228
+#define AUE_AUDITON_GETCOND 229
+#define AUE_AUDITON_SETCOND 230
+#define AUE_AUDITON_GETCLASS 231
+#define AUE_AUDITON_SETCLASS 232
+#define AUE_UTSSYS 233 /* Solaris-specific. */
+#define AUE_STATVFS 234
+#define AUE_XSTAT 235
+#define AUE_LXSTAT 236
+#define AUE_LCHOWN 237
+#define AUE_MEMCNTL 238 /* Solaris-specific. */
+#define AUE_SYSINFO 239 /* Solaris-specific. */
+#define AUE_XMKNOD 240 /* Solaris-specific. */
+#define AUE_FORK1 241
+ /* XXXRW: Solaris modctl()? */
+#define AUE_MODLOAD 243
+#define AUE_MODUNLOAD 244
+#define AUE_MODCONFIG 245 /* Solaris-specific. */
+#define AUE_MODADDMAJ 246 /* Solaris-specific. */
+#define AUE_SOCKACCEPT 247
+#define AUE_SOCKCONNECT 248
+#define AUE_SOCKSEND 249
+#define AUE_SOCKRECEIVE 250
+#define AUE_ACLSET 251
+#define AUE_FACLSET 252
+#define AUE_DOORFS_DOOR_CALL 254 /* Solaris-specific. */
+#define AUE_DOORFS_DOOR_RETURN 255 /* Solaris-specific. */
+#define AUE_DOORFS_DOOR_CREATE 256 /* Solaris-specific. */
+#define AUE_DOORFS_DOOR_REVOKE 257 /* Solaris-specific. */
+#define AUE_DOORFS_DOOR_INFO 258 /* Solaris-specific. */
+#define AUE_DOORFS_DOOR_CRED 259 /* Solaris-specific. */
+#define AUE_DOORFS_DOOR_BIND 260 /* Solaris-specific. */
+#define AUE_DOORFS_DOOR_UNBIND 261 /* Solaris-specific. */
+#define AUE_P_ONLINE 262 /* Solaris-specific. */
+#define AUE_PROCESSOR_BIND 263 /* Solaris-specific. */
+#define AUE_INST_SYNC 264 /* Solaris-specific. */
+#define AUE_SOCK_CONFIG 265 /* Solaris-specific. */
+#define AUE_SETAUDIT_ADDR 266
+#define AUE_GETAUDIT_ADDR 267
+#define AUE_CLOCK_SETTIME 287
+#define AUE_NTP_ADJTIME 288
+
+/*
+ * Events not present in OpenSolaris BSM, generally derived from Apple Darwin
+ * BSM or added in OpenBSM. This start a little too close to the top end of
+ * the OpenSolaris event list for my comfort.
+ */
+#define AUE_GETFSSTAT 301
+#define AUE_PTRACE 302
+#define AUE_CHFLAGS 303
+#define AUE_FCHFLAGS 304
+#define AUE_PROFILE 305
+#define AUE_KTRACE 306
+#define AUE_SETLOGIN 307
+#define AUE_DARWIN_REBOOT 308 /* XXX: See AUE_REBOOT. */
+#define AUE_REVOKE 309
+#define AUE_UMASK 310
+#define AUE_MPROTECT 311
+#define AUE_DARWIN_SETPRIORITY 312 /* XXX: See AUE_SETPRIORITY. */
+#define AUE_DARWIN_SETTIMEOFDAY 313 /* XXX: See AUE_SETTIMEOFDAY. */
+#define AUE_DARWIN_FLOCK 314 /* XXX: See AUE_FLOCK. */
+#define AUE_MKFIFO 315
+#define AUE_POLL 316
+#define AUE_DARWIN_SOCKETPAIR 317 /* XXXRW: See AUE_SOCKETPAIR. */
+#define AUE_FUTIMES 318
+#define AUE_SETSID 319
+#define AUE_SETPRIVEXEC 320 /* Darwin-specific. */
+#define AUE_DARWIN_NFSSVC 321 /* XXX: See AUE_NFS_SVC. */
+#define AUE_DARWIN_GETFH 322 /* XXX: See AUE_NFS_GETFH. */
+#define AUE_DARWIN_QUOTACTL 323 /* XXX: See AUE_QUOTACTL. */
+#define AUE_ADDPROFILE 324 /* Darwin-specific. */
+#define AUE_KDEBUGTRACE 325 /* Darwin-specific. */
+#define AUE_KDBUGTRACE AUE_KDEBUGTRACE
+#define AUE_FSTAT 326
+#define AUE_FPATHCONF 327
+#define AUE_GETDIRENTRIES 328
+#define AUE_DARWIN_TRUNCATE 329 /* XXX: See AUE_TRUNCATE. */
+#define AUE_DARWIN_FTRUNCATE 330 /* XXX: See AUE_FTRUNCATE. */
+#define AUE_SYSCTL 331
+#define AUE_MLOCK 332
+#define AUE_MUNLOCK 333
+#define AUE_UNDELETE 334
+#define AUE_GETATTRLIST 335 /* Darwin-specific. */
+#define AUE_SETATTRLIST 336 /* Darwin-specific. */
+#define AUE_GETDIRENTRIESATTR 337 /* Darwin-specific. */
+#define AUE_EXCHANGEDATA 338 /* Darwin-specific. */
+#define AUE_SEARCHFS 339 /* Darwin-specific. */
+#define AUE_MINHERIT 340
+#define AUE_SEMCONFIG 341
+#define AUE_SEMOPEN 342
+#define AUE_SEMCLOSE 343
+#define AUE_SEMUNLINK 344
+#define AUE_SHMOPEN 345
+#define AUE_SHMUNLINK 346
+#define AUE_LOADSHFILE 347 /* Darwin-specific. */
+#define AUE_RESETSHFILE 348 /* Darwin-specific. */
+#define AUE_NEWSYSTEMSHREG 349 /* Darwin-specific. */
+#define AUE_PTHREADKILL 350 /* Darwin-specific. */
+#define AUE_PTHREADSIGMASK 351 /* Darwin-specific. */
+#define AUE_AUDITCTL 352
+#define AUE_RFORK 353
+#define AUE_LCHMOD 354
+#define AUE_SWAPOFF 355
+#define AUE_INITPROCESS 356 /* Darwin-specific. */
+#define AUE_MAPFD 357 /* Darwin-specific. */
+#define AUE_TASKFORPID 358 /* Darwin-specific. */
+#define AUE_PIDFORTASK 359 /* Darwin-specific. */
+#define AUE_SYSCTL_NONADMIN 360
+#define AUE_COPYFILE 361 /* Darwin-specific. */
+#define AUE_LUTIMES 362
+#define AUE_LCHFLAGS 363 /* FreeBSD-specific. */
+#define AUE_SENDFILE 364 /* BSD/Linux-specific. */
+#define AUE_USELIB 365 /* Linux-specific. */
+#define AUE_GETRESUID 366
+#define AUE_SETRESUID 367
+#define AUE_GETRESGID 368
+#define AUE_SETRESGID 369
+#define AUE_WAIT4 370 /* FreeBSD-specific. */
+#define AUE_LGETFH 371 /* FreeBSD-specific. */
+#define AUE_FHSTATFS 372 /* FreeBSD-specific. */
+#define AUE_FHOPEN 373 /* FreeBSD-specific. */
+#define AUE_FHSTAT 374 /* FreeBSD-specific. */
+#define AUE_JAIL 375 /* FreeBSD-specific. */
+#define AUE_EACCESS 376 /* FreeBSD-specific. */
+#define AUE_KQUEUE 377 /* FreeBSD-specific. */
+#define AUE_KEVENT 378 /* FreeBSD-specific. */
+#define AUE_FSYNC 379
+#define AUE_NMOUNT 380 /* FreeBSD-specific. */
+
+/*
+ * Darwin BSM uses a number of AUE_O_* definitions, which are aliased to the
+ * normal Solaris BSM identifiers. _O_ refers to it being an old, or compat
+ * interface. In most cases, Darwin has never implemented these system calls
+ * but picked up the fields in their system call table from their FreeBSD
+ * import. Happily, these have different names than the AUE_O* definitions
+ * in Solaris BSM.
+ */
+#define AUE_O_CREAT AUE_OPEN_RWTC /* Darwin */
+#define AUE_O_EXECVE AUE_NULL /* Darwin */
+#define AUE_O_SBREAK AUE_NULL /* Darwin */
+#define AUE_O_LSEEK AUE_NULL /* Darwin */
+#define AUE_O_MOUNT AUE_NULL /* Darwin */
+#define AUE_O_UMOUNT AUE_NULL /* Darwin */
+#define AUE_O_STAT AUE_STAT /* Darwin */
+#define AUE_O_LSTAT AUE_LSTAT /* Darwin */
+#define AUE_O_FSTAT AUE_FSTAT /* Darwin */
+#define AUE_O_GETPAGESIZE AUE_NULL /* Darwin */
+#define AUE_O_VREAD AUE_NULL /* Darwin */
+#define AUE_O_VWRITE AUE_NULL /* Darwin */
+#define AUE_O_MMAP AUE_MMAP /* Darwin */
+#define AUE_O_VADVISE AUE_NULL /* Darwin */
+#define AUE_O_VHANGUP AUE_NULL /* Darwin */
+#define AUE_O_VLIMIT AUE_NULL /* Darwin */
+#define AUE_O_WAIT AUE_NULL /* Darwin */
+#define AUE_O_GETHOSTNAME AUE_NULL /* Darwin */
+#define AUE_O_SETHOSTNAME AUE_SYSCTL /* Darwin */
+#define AUE_O_GETDOPT AUE_NULL /* Darwin */
+#define AUE_O_SETDOPT AUE_NULL /* Darwin */
+#define AUE_O_ACCEPT AUE_NULL /* Darwin */
+#define AUE_O_SEND AUE_SENDMSG /* Darwin */
+#define AUE_O_RECV AUE_RECVMSG /* Darwin */
+#define AUE_O_VTIMES AUE_NULL /* Darwin */
+#define AUE_O_SIGVEC AUE_NULL /* Darwin */
+#define AUE_O_SIGBLOCK AUE_NULL /* Darwin */
+#define AUE_O_SIGSETMASK AUE_NULL /* Darwin */
+#define AUE_O_SIGSTACK AUE_NULL /* Darwin */
+#define AUE_O_RECVMSG AUE_RECVMSG /* Darwin */
+#define AUE_O_SENDMSG AUE_SENDMSG /* Darwin */
+#define AUE_O_VTRACE AUE_NULL /* Darwin */
+#define AUE_O_RESUBA AUE_NULL /* Darwin */
+#define AUE_O_RECVFROM AUE_RECVFROM /* Darwin */
+#define AUE_O_SETREUID AUE_SETREUID /* Darwin */
+#define AUE_O_SETREGID AUE_SETREGID /* Darwin */
+#define AUE_O_TRUNCATE AUE_TRUNCATE /* Darwin */
+#define AUE_O_FTRUNCATE AUE_FTRUNCATE /* Darwin */
+#define AUE_O_GETPEERNAME AUE_NULL /* Darwin */
+#define AUE_O_GETHOSTID AUE_NULL /* Darwin */
+#define AUE_O_SETHOSTID AUE_NULL /* Darwin */
+#define AUE_O_GETRLIMIT AUE_NULL /* Darwin */
+#define AUE_O_SETRLIMIT AUE_SETRLIMIT /* Darwin */
+#define AUE_O_KILLPG AUE_KILL /* Darwin */
+#define AUE_O_SETQUOTA AUE_NULL /* Darwin */
+#define AUE_O_QUOTA AUE_NULL /* Darwin */
+#define AUE_O_GETSOCKNAME AUE_NULL /* Darwin */
+#define AUE_O_GETDIREENTRIES AUE_GETDIREENTRIES /* Darwin */
+#define AUE_O_ASYNCDAEMON AUE_NULL /* Darwin */
+#define AUE_O_GETDOMAINNAME AUE_NULL /* Darwin */
+#define AUE_O_SETDOMAINNAME AUE_SYSCTL /* Darwin */
+#define AUE_O_PCFS_MOUNT AUE_NULL /* Darwin */
+#define AUE_O_EXPORTFS AUE_NULL /* Darwin */
+#define AUE_O_USTATE AUE_NULL /* Darwin */
+#define AUE_O_WAIT3 AUE_NULL /* Darwin */
+#define AUE_O_RPAUSE AUE_NULL /* Darwin */
+#define AUE_O_GETDENTS AUE_NULL /* Darwin */
+
+/*
+ * Possible desired future values based on review of BSD/Darwin system calls.
+ */
+#define AUE_DUP AUE_NULL
+#define AUE_FSCTL AUE_NULL
+#define AUE_FSTATV AUE_NULL
+#define AUE_GCCONTROL AUE_NULL
+#define AUE_GETDTABLESIZE AUE_NULL
+#define AUE_GETEGID AUE_NULL
+#define AUE_GETEUID AUE_NULL
+#define AUE_GETGID AUE_NULL
+#define AUE_GETGROUPS AUE_NULL
+#define AUE_GETITIMER AUE_NULL
+#define AUE_GETLOGIN AUE_NULL
+#define AUE_GETPEERNAME AUE_NULL
+#define AUE_GETPGID AUE_NULL
+#define AUE_GETPGRP AUE_NULL
+#define AUE_GETPID AUE_NULL
+#define AUE_GETPPID AUE_NULL
+#define AUE_GETPRIORITY AUE_NULL
+#define AUE_GETRLIMIT AUE_NULL
+#define AUE_GETRUSAGE AUE_NULL
+#define AUE_GETSID AUE_NULL
+#define AUE_GETSOCKNAME AUE_NULL
+#define AUE_GETTIMEOFDAY AUE_NULL
+#define AUE_GETUID AUE_NULL
+#define AUE_GETSOCKOPT AUE_NULL
+#define AUE_GTSOCKOPT AUE_GETSOCKOPT /* XXX: Typo in Darwin. */
+#define AUE_ISSETUGID AUE_NULL
+#define AUE_LISTEN AUE_NULL
+#define AUE_LSTATV AUE_NULL
+#define AUE_MADVISE AUE_NULL
+#define AUE_MINCORE AUE_NULL
+#define AUE_MKCOMPLEX AUE_NULL
+#define AUE_MLOCKALL AUE_NULL
+#define AUE_MODWATCH AUE_NULL
+#define AUE_MSGCL AUE_NULL
+#define AUE_MSYNC AUE_NULL
+#define AUE_MUNLOCKALL AUE_NULL
+#define AUE_PREAD AUE_NULL
+#define AUE_PWRITE AUE_NULL
+#define AUE_SBRK AUE_NULL
+#define AUE_SELECT AUE_NULL
+#define AUE_SEMDESTROY AUE_NULL
+#define AUE_SEMGETVALUE AUE_NULL
+#define AUE_SEMINIT AUE_NULL
+#define AUE_SEMPOST AUE_NULL
+#define AUE_SEMTRYWAIT AUE_NULL
+#define AUE_SEMWAIT AUE_NULL
+#define AUE_SETITIMER AUE_NULL
+#define AUE_SIGACTION AUE_NULL
+#define AUE_SIGALTSTACK AUE_NULL
+#define AUE_SIGPENDING AUE_NULL
+#define AUE_SIGPROCMASK AUE_NULL
+#define AUE_SIGRETURN AUE_NULL
+#define AUE_SIGSUSPEND AUE_NULL
+#define AUE_SIGWAIT AUE_NULL
+#define AUE_SSTK AUE_NULL
+#define AUE_STATV AUE_NULL
+#define AUE_SYNC AUE_NULL
+#define AUE_SYSCALL AUE_NULL
+#define AUE_TABLE AUE_NULL
+#define AUE_WAITEVENT AUE_NULL
+#define AUE_WATCHEVENT AUE_NULL
+
+#endif /* !_BSM_AUDIT_KEVENTS_H_ */
diff --git a/contrib/openbsm/bsm/audit_record.h b/contrib/openbsm/bsm/audit_record.h
new file mode 100644
index 000000000000..af9ba4d4e76c
--- /dev/null
+++ b/contrib/openbsm/bsm/audit_record.h
@@ -0,0 +1,325 @@
+/*
+ * Copyright (c) 2005 Apple Computer, Inc.
+ * All rights reserved.
+ *
+ * @APPLE_BSD_LICENSE_HEADER_START@
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+ * its contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * @APPLE_BSD_LICENSE_HEADER_END@
+ *
+ * $P4: //depot/projects/trustedbsd/openbsm/bsm/audit_record.h#14 $
+ */
+
+#ifndef _BSM_AUDIT_RECORD_H_
+#define _BSM_AUDIT_RECORD_H_
+
+/* Various token id types */
+
+/*
+ * Values inside the comments are not documented in the BSM pages and
+ * have been picked up from the header files
+ */
+
+/*
+ * Values marked as XXX do not have a value defined in the BSM header files
+ */
+
+#define AUT_INVALID 0x00
+#define AUT_OTHER_FILE32 0x11
+#define AUT_OHEADER 0x12
+#define AUT_TRAILER 0x13
+#define AUT_HEADER32 0x14
+#define AUT_HEADER32_EX 0x15
+#define AUT_DATA 0x21
+#define AUT_IPC 0x22
+#define AUT_PATH 0x23
+#define AUT_SUBJECT32 0x24
+#define AUT_SERVER32 0x25
+#define AUT_PROCESS32 0x26
+#define AUT_RETURN32 0x27
+#define AUT_TEXT 0x28
+#define AUT_OPAQUE 0x29
+#define AUT_IN_ADDR 0x2a
+#define AUT_IP 0x2b
+#define AUT_IPORT 0x2c
+#define AUT_ARG32 0x2d
+#define AUT_SOCKET 0x2e
+#define AUT_SEQ 0x2f
+#define AUT_ACL 0x30
+#define AUT_ATTR 0x31
+#define AUT_IPC_PERM 0x32
+#define AUT_LABEL 0x33
+#define AUT_GROUPS 0x34
+#define AUT_ILABEL 0x35
+#define AUT_SLABEL 0x36
+#define AUT_CLEAR 0x37
+#define AUT_PRIV 0x38
+#define AUT_UPRIV 0x39
+#define AUT_LIAISON 0x3a
+#define AUT_NEWGROUPS 0x3b
+#define AUT_EXEC_ARGS 0x3c
+#define AUT_EXEC_ENV 0x3d
+#define AUT_ATTR32 0x3e
+/* #define AUT_???? 0x3f */
+#define AUT_XATOM 0x40
+#define AUT_XOBJ 0x41
+#define AUT_XPROTO 0x42
+#define AUT_XSELECT 0x43
+/* XXXRW: Additional X11 tokens not defined? */
+#define AUT_CMD 0x51
+#define AUT_EXIT 0x52
+/* XXXRW: OpenBSM AUT_HOST 0x70? */
+#define AUT_ARG64 0x71
+#define AUT_RETURN64 0x72
+#define AUT_ATTR64 0x73
+#define AUT_HEADER64 0x74
+#define AUT_SUBJECT64 0x75
+#define AUT_SERVER64 0x76
+#define AUT_PROCESS64 0x77
+#define AUT_OTHER_FILE64 0x78
+#define AUT_HEADER64_EX 0x79
+#define AUT_SUBJECT32_EX 0x7a
+#define AUT_PROCESS32_EX 0x7b
+#define AUT_SUBJECT64_EX 0x7c
+#define AUT_PROCESS64_EX 0x7d
+#define AUT_IN_ADDR_EX 0x7e
+#define AUT_SOCKET_EX 0x7f
+
+/*
+ * Pre-64-bit BSM, 32-bit tokens weren't explicitly named as '32'. We have
+ * compatibility defines.
+ */
+#define AUT_HEADER AUT_HEADER32
+#define AUT_ARG AUT_ARG32
+#define AUT_RETURN AUT_RETURN32
+#define AUT_SUBJECT AUT_SUBJECT32
+#define AUT_SERVER AUT_SERVER32
+#define AUT_PROCESS AUT_PROCESS32
+#define AUT_OTHER_FILE AUT_OTHER_FILE32
+
+/*
+ * Darwin's bsm distribution uses the following non-BSM token name defines.
+ * We provide them for a single OpenBSM release for compatibility reasons.
+ */
+#define AU_FILE_TOKEN AUT_OTHER_FILE32
+#define AU_TRAILER_TOKEN AUT_TRAILER
+#define AU_HEADER_32_TOKEN AUT_HEADER32
+#define AU_DATA_TOKEN AUT_DATA
+#define AU_ARB_TOKEN AUT_DATA
+#define AU_IPC_TOKEN AUT_IPC
+#define AU_PATH_TOKEN AUT_PATH
+#define AU_SUBJECT_32_TOKEN AUT_SUBJECT32
+#define AU_PROCESS_32_TOKEN AUT_PROCESS32
+#define AU_RETURN_32_TOKEN AUT_RETURN32
+#define AU_TEXT_TOKEN AUT_TEXT
+#define AU_OPAQUE_TOKEN AUT_OPAQUE
+#define AU_IN_ADDR_TOKEN AUT_IN_ADDR
+#define AU_IP_TOKEN AUT_IP
+#define AU_IPORT_TOKEN AUT_IPORT
+#define AU_ARG32_TOKEN AUT_ARG32
+#define AU_SOCK_TOKEN AUT_SOCKET
+#define AU_SEQ_TOKEN AUT_SEQ
+#define AU_ATTR_TOKEN AUT_ATTR
+#define AU_IPCPERM_TOKEN AUT_IPC_PERM
+#define AU_NEWGROUPS_TOKEN AUT_NEWGROUPS
+#define AU_EXEC_ARG_TOKEN AUT_EXEC_ARGS
+#define AU_EXEC_ENV_TOKEN AUT_EXEC_ENV
+#define AU_ATTR32_TOKEN AUT_ATTR32
+#define AU_CMD_TOKEN AUT_CMD
+#define AU_EXIT_TOKEN AUT_EXIT
+#define AU_ARG64_TOKEN AUT_ARG64
+#define AU_RETURN_64_TOKEN AUT_RETURN64
+#define AU_ATTR64_TOKEN AUT_ATTR64
+#define AU_HEADER_64_TOKEN AUT_HEADER64
+#define AU_SUBJECT_64_TOKEN AUT_SUBJECT64
+#define AU_PROCESS_64_TOKEN AUT_PROCESS64
+#define AU_HEADER_64_EX_TOKEN AUT_HEADER64_EX
+#define AU_SUBJECT_32_EX_TOKEN AUT_SUBJECT32_EX
+#define AU_PROCESS_32_EX_TOKEN AUT_PROCESS32_EX
+#define AU_SUBJECT_64_EX_TOKEN AUT_SUBJECT64_EX
+#define AU_PROCESS_64_EX_TOKEN AUT_PROCESS64_EX
+#define AU_IN_ADDR_EX_TOKEN AUT_IN_ADDR_EX
+#define AU_SOCK_32_EX_TOKEN AUT_SOCKET_EX
+
+/*
+ * The values for the following token ids are not defined by BSM.
+ *
+ * XXXRW: Not sure how to handle these in OpenBSM yet, but I'll give them
+ * names more consistent with Sun's BSM. These originally came from Apple's
+ * BSM.
+ */
+#define AUT_SOCKINET32 0x80 /* XXX */
+#define AUT_SOCKINET128 0x81 /* XXX */
+#define AUT_SOCKUNIX 0x82 /* XXX */
+#define AU_SOCK_INET_32_TOKEN AUT_SOCKINET32
+#define AU_SOCK_INET_128_TOKEN AUT_SOCKINET128
+#define AU_SOCK_UNIX_TOKEN AUT_SOCKUNIX
+
+/* print values for the arbitrary token */
+#define AUP_BINARY 0
+#define AUP_OCTAL 1
+#define AUP_DECIMAL 2
+#define AUP_HEX 3
+#define AUP_STRING 4
+
+/* data-types for the arbitrary token */
+#define AUR_BYTE 0
+#define AUR_SHORT 1
+#define AUR_LONG 2
+
+/* ... and their sizes */
+#define AUR_BYTE_SIZE sizeof(u_char)
+#define AUR_SHORT_SIZE sizeof(uint16_t)
+#define AUR_LONG_SIZE sizeof(uint32_t)
+
+/* Modifiers for the header token */
+#define PAD_NOTATTR 0x4000 /* nonattributable event */
+#define PAD_FAILURE 0x8000 /* fail audit event */
+
+
+#define BSM_MAX_GROUPS 16
+#define HEADER_VERSION 1
+
+/*
+ * BSM define is AUT_TRAILER_MAGIC; Apple BSM define is TRAILER_PAD_MAGIC; we
+ * split the difference, will remove the Apple define for the next release.
+ */
+#define AUT_TRAILER_MAGIC 0xb105
+#define TRAILER_PAD_MAGIC AUT_TRAILER_MAGIC
+
+/* BSM library calls */
+
+__BEGIN_DECLS
+
+struct in_addr;
+struct in6_addr;
+struct ip;
+struct ipc_perm;
+struct kevent;
+struct sockaddr_in;
+struct sockaddr_in6;
+struct sockaddr_un;
+#if defined(_KERNEL) || defined(KERNEL)
+struct vnode_au_info;
+#endif
+
+int au_open(void);
+int au_write(int d, token_t *m);
+int au_close(int d, int keep, short event);
+int au_close_buffer(int d, short event, u_char *buffer, size_t *buflen);
+
+#if defined(KERNEL) || defined(_KERNEL)
+token_t *au_to_file(char *file, struct timeval tm);
+#else
+token_t *au_to_file(char *file);
+#endif
+
+#if defined(KERNEL) || defined(_KERNEL)
+token_t *au_to_header(int rec_size, au_event_t e_type, au_emod_t e_mod,
+ struct timeval tm);
+token_t *au_to_header32(int rec_size, au_event_t e_type, au_emod_t e_mod,
+ struct timeval tm);
+#else
+token_t *au_to_header(int rec_size, au_event_t e_type, au_emod_t e_mod);
+token_t *au_to_header32(int rec_size, au_event_t e_type, au_emod_t e_mod);
+#endif
+
+token_t *au_to_header64(int rec_size, au_event_t e_type, au_emod_t e_mod);
+token_t *au_to_me(void);
+token_t *au_to_arg(char n, char *text, uint32_t v);
+token_t *au_to_arg32(char n, char *text, uint32_t v);
+token_t *au_to_arg64(char n, char *text, uint64_t v);
+
+#if defined(_KERNEL) || defined(KERNEL)
+token_t *au_to_attr(struct vnode_au_info *vni);
+token_t *au_to_attr32(struct vnode_au_info *vni);
+token_t *au_to_attr64(struct vnode_au_info *vni);
+#endif
+
+token_t *au_to_data(char unit_print, char unit_type, char unit_count,
+ char *p);
+token_t *au_to_exit(int retval, int err);
+token_t *au_to_groups(int *groups);
+token_t *au_to_newgroups(uint16_t n, gid_t *groups);
+token_t *au_to_in_addr(struct in_addr *internet_addr);
+token_t *au_to_in_addr_ex(struct in6_addr *internet_addr);
+token_t *au_to_ip(struct ip *ip);
+token_t *au_to_ipc(char type, int id);
+token_t *au_to_ipc_perm(struct ipc_perm *perm);
+token_t *au_to_iport(uint16_t iport);
+token_t *au_to_opaque(char *data, uint16_t bytes);
+token_t *au_to_path(char *path);
+token_t *au_to_process(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
+ gid_t rgid, pid_t pid, au_asid_t sid, au_tid_t *tid);
+token_t *au_to_process32(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
+ gid_t rgid, pid_t pid, au_asid_t sid, au_tid_t *tid);
+token_t *au_to_process64(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
+ gid_t rgid, pid_t pid, au_asid_t sid, au_tid_t *tid);
+token_t *au_to_process_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
+ gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid);
+token_t *au_to_process32_ex(au_id_t auid, uid_t euid, gid_t egid,
+ uid_t ruid, gid_t rgid, pid_t pid, au_asid_t sid,
+ au_tid_addr_t *tid);
+token_t *au_to_process64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
+ gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid);
+token_t *au_to_return(char status, uint32_t ret);
+token_t *au_to_return32(char status, uint32_t ret);
+token_t *au_to_return64(char status, uint64_t ret);
+token_t *au_to_seq(long audit_count);
+
+#if defined(_KERNEL) || defined(KERNEL)
+token_t *au_to_socket(struct socket *so);
+token_t *au_to_socket_ex_32(uint16_t lp, uint16_t rp, struct sockaddr *la,
+ struct sockaddr *ta);
+token_t *au_to_socket_ex_128(uint16_t lp, uint16_t rp, struct sockaddr *la,
+ struct sockaddr *ta);
+#endif
+
+token_t *au_to_sock_inet(struct sockaddr_in *so);
+token_t *au_to_sock_inet32(struct sockaddr_in *so);
+token_t *au_to_sock_inet128(struct sockaddr_in6 *so);
+token_t *au_to_sock_unix(struct sockaddr_un *so);
+token_t *au_to_subject(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
+ gid_t rgid, pid_t pid, au_asid_t sid, au_tid_t *tid);
+token_t *au_to_subject32(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
+ gid_t rgid, pid_t pid, au_asid_t sid, au_tid_t *tid);
+token_t *au_to_subject64(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
+ gid_t rgid, pid_t pid, au_asid_t sid, au_tid_t *tid);
+token_t *au_to_subject_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
+ gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid);
+token_t *au_to_subject32_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
+ gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid);
+token_t *au_to_subject64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
+ gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid);
+token_t *au_to_exec_args(const char **);
+token_t *au_to_exec_env(const char **);
+token_t *au_to_text(char *text);
+token_t *au_to_kevent(struct kevent *kev);
+token_t *au_to_trailer(int rec_size);
+
+__END_DECLS
+
+#endif /* ! _BSM_AUDIT_RECORD_H_ */
diff --git a/contrib/openbsm/bsm/audit_uevents.h b/contrib/openbsm/bsm/audit_uevents.h
new file mode 100644
index 000000000000..0493e31272b2
--- /dev/null
+++ b/contrib/openbsm/bsm/audit_uevents.h
@@ -0,0 +1,102 @@
+/*
+ * Copyright (c) 2004 Apple Computer, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+ * its contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
+ * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ * $P4: //depot/projects/trustedbsd/openbsm/bsm/audit_uevents.h#7 $
+ */
+
+#ifndef _BSM_AUDIT_UEVENTS_H_
+#define _BSM_AUDIT_UEVENTS_H_
+
+/*-
+ * User level audit event numbers
+ *
+ * Range of audit event numbers:
+ * 0 Reserved, invalid
+ * 1 - 2047 Reserved for kernel events
+ * 2048 - 32767 Defined by BSM for user events
+ * 32768 - 36864 Reserved for Mac OS-X applications
+ * 36865 - 65535 Reserved for applications
+ *
+ */
+#define AUE_at_create 6144
+#define AUE_at_delete 6145
+#define AUE_at_perm 6146
+#define AUE_cron_invoke 6147
+#define AUE_crontab_create 6148
+#define AUE_crontab_delete 6149
+#define AUE_crontab_perm 6150
+#define AUE_inetd_connect 6151
+#define AUE_login 6152
+#define AUE_logout 6153
+#define AUE_telnet 6154
+#define AUE_rlogin 6155
+#define AUE_mountd_mount 6156
+#define AUE_mountd_umount 6157
+#define AUE_rshd 6158
+#define AUE_su 6159
+#define AUE_halt 6160
+#define AUE_reboot 6161
+#define AUE_rexecd 6162
+#define AUE_passwd 6163
+#define AUE_rexd 6164
+#define AUE_ftpd 6165
+#define AUE_init 6166
+#define AUE_uadmin 6167
+#define AUE_shutdown 6168
+#define AUE_poweroff 6169
+#define AUE_crontab_mod 6170
+#define AUE_audit_startup 6171
+#define AUE_audit_shutdown 6172
+#define AUE_allocate_succ 6200
+#define AUE_allocate_fail 6201
+#define AUE_deallocate_succ 6202
+#define AUE_deallocate_fail 6203
+#define AUE_listdevice_succ 6205
+#define AUE_listdevice_fail 6206
+#define AUE_create_user 6207
+#define AUE_modify_user 6208
+#define AUE_delete_user 6209
+#define AUE_disable_user 6210
+#define AUE_enable_user 6211
+#define AUE_sudo 6300
+#define AUE_modify_password 6501 /* Not assigned by Sun. */
+#define AUE_create_group 6511 /* Not assigned by Sun. */
+#define AUE_delete_group 6512 /* Not assigned by Sun. */
+#define AUE_modify_group 6513 /* Not assigned by Sun. */
+#define AUE_add_to_group 6514 /* Not assigned by Sun. */
+#define AUE_remove_from_group 6515 /* Not assigned by Sun. */
+#define AUE_revoke_obj 6521 /* Not assigned by Sun; not used. */
+#define AUE_lw_login 6600 /* Not assigned by Sun; tentative. */
+#define AUE_lw_logout 6601 /* Not assigned by Sun; tentative. */
+#define AUE_auth_user 7000 /* Not assigned by Sun. */
+#define AUE_ssconn 7001 /* Not assigned by Sun. */
+#define AUE_ssauthorize 7002 /* Not assigned by Sun. */
+#define AUE_ssauthint 7003 /* Not assigned by Sun. */
+#define AUE_openssh 32800
+
+#endif /* !_BSM_AUDIT_UEVENTS_H_ */
diff --git a/contrib/openbsm/bsm/libbsm.h b/contrib/openbsm/bsm/libbsm.h
new file mode 100644
index 000000000000..baf9f1479d07
--- /dev/null
+++ b/contrib/openbsm/bsm/libbsm.h
@@ -0,0 +1,1175 @@
+/*
+ * Copyright (c) 2004 Apple Computer, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+ * its contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
+ * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ * $P4: //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#14 $
+ */
+
+#ifndef _LIBBSM_H_
+#define _LIBBSM_H_
+
+/*
+ * NB: definitions, etc., marked with "OpenSSH compatibility" were introduced
+ * solely to allow OpenSSH to compile; Darwin/Apple code should not use them.
+ */
+
+#define MAX_ARGS 10
+#define MAX_ENV 10
+
+#include <sys/types.h>
+#include <sys/cdefs.h>
+#include <sys/queue.h>
+
+#include <bsm/audit.h>
+#include <bsm/audit_record.h>
+
+#include <stdio.h>
+#include <stdint.h>
+
+#ifdef __APPLE__
+#include <mach/mach.h> /* audit_token_t */
+#endif
+
+#define AU_PRS_SUCCESS 1
+#define AU_PRS_FAILURE 2
+#define AU_PRS_BOTH (AU_PRS_SUCCESS|AU_PRS_FAILURE)
+
+#define AU_PRS_USECACHE 0
+#define AU_PRS_REREAD 1
+
+#define AUDIT_EVENT_FILE "/etc/security/audit_event"
+#define AUDIT_CLASS_FILE "/etc/security/audit_class"
+#define AUDIT_CONTROL_FILE "/etc/security/audit_control"
+#define AUDIT_USER_FILE "/etc/security/audit_user"
+
+#define DIR_CONTROL_ENTRY "dir"
+#define MINFREE_CONTROL_ENTRY "minfree"
+#define FLAGS_CONTROL_ENTRY "flags"
+#define NA_CONTROL_ENTRY "naflags"
+
+#define AU_CLASS_NAME_MAX 8
+#define AU_CLASS_DESC_MAX 72
+#define AU_EVENT_NAME_MAX 30
+#define AU_EVENT_DESC_MAX 50
+#define AU_USER_NAME_MAX 50
+#define AU_LINE_MAX 256
+#define MAX_AUDITSTRING_LEN 256
+#define BSM_TEXTBUFSZ MAX_AUDITSTRING_LEN /* OpenSSH compatibility */
+
+/*
+ * These are referenced in Solaris 9 au_open(3BSM); values are guesses.
+ * Provided for OpenSSH compatibility.
+ */
+#define AU_TO_NO_WRITE 0
+#define AU_TO_WRITE 1
+
+__BEGIN_DECLS
+struct au_event_ent {
+ au_event_t ae_number;
+ char *ae_name;
+ char *ae_desc;
+ au_class_t ae_class;
+};
+typedef struct au_event_ent au_event_ent_t;
+
+struct au_class_ent {
+ char *ac_name;
+ au_class_t ac_class;
+ char *ac_desc;
+};
+typedef struct au_class_ent au_class_ent_t;
+
+struct au_user_ent {
+ char *au_name;
+ au_mask_t au_always;
+ au_mask_t au_never;
+};
+typedef struct au_user_ent au_user_ent_t;
+__END_DECLS
+
+#define ADD_TO_MASK(m, c, sel) do { \
+ if (sel & AU_PRS_SUCCESS) \
+ (m)->am_success |= c; \
+ if (sel & AU_PRS_FAILURE) \
+ (m)->am_failure |= c; \
+} while (0)
+
+#define SUB_FROM_MASK(m, c, sel) do { \
+ if (sel & AU_PRS_SUCCESS) \
+ (m)->am_success &= ((m)->am_success ^ c); \
+ if (sel & AU_PRS_FAILURE) \
+ (m)->am_failure &= ((m)->am_failure ^ c); \
+} while (0)
+
+#define ADDMASK(m, v) do { \
+ (m)->am_success |= (v)->am_success; \
+ (m)->am_failure |= (v)->am_failure; \
+} while(0)
+
+#define SUBMASK(m, v) do { \
+ (m)->am_success &= ((m)->am_success ^ (v)->am_success); \
+ (m)->am_failure &= ((m)->am_failure ^ (v)->am_failure); \
+} while(0)
+
+__BEGIN_DECLS
+
+/*
+ * Internal representation of audit user in libnsl.
+ */
+typedef struct au_user_str_s {
+ char *au_name;
+ char *au_always;
+ char *au_never;
+} au_user_str_t;
+
+typedef struct au_tid32 {
+ u_int32_t port;
+ u_int32_t addr;
+} au_tid32_t;
+
+typedef struct au_tid64 {
+ u_int64_t port;
+ u_int32_t addr;
+} au_tid64_t;
+
+typedef struct au_tidaddr32 {
+ u_int32_t port;
+ u_int32_t type;
+ u_int32_t addr[4];
+} au_tidaddr32_t;
+
+/*
+ * argument # 1 byte
+ * argument value 4 bytes/8 bytes (32-bit/64-bit value)
+ * text length 2 bytes
+ * text N bytes + 1 terminating NULL byte
+ */
+typedef struct {
+ u_char no;
+ u_int32_t val;
+ u_int16_t len;
+ char *text;
+} au_arg32_t;
+
+typedef struct {
+ u_char no;
+ u_int64_t val;
+ u_int16_t len;
+ char *text;
+} au_arg64_t;
+
+/*
+ * how to print 1 byte
+ * basic unit 1 byte
+ * unit count 1 byte
+ * data items (depends on basic unit)
+ */
+typedef struct {
+ u_char howtopr;
+ u_char bu;
+ u_char uc;
+ u_char *data;
+} au_arb_t;
+
+/*
+ * file access mode 4 bytes
+ * owner user ID 4 bytes
+ * owner group ID 4 bytes
+ * file system ID 4 bytes
+ * node ID 8 bytes
+ * device 4 bytes/8 bytes (32-bit/64-bit)
+ */
+typedef struct {
+ u_int32_t mode;
+ u_int32_t uid;
+ u_int32_t gid;
+ u_int32_t fsid;
+ u_int64_t nid;
+ u_int32_t dev;
+} au_attr32_t;
+
+typedef struct {
+ u_int32_t mode;
+ u_int32_t uid;
+ u_int32_t gid;
+ u_int32_t fsid;
+ u_int64_t nid;
+ u_int64_t dev;
+} au_attr64_t;
+
+/*
+ * count 4 bytes
+ * text count null-terminated string(s)
+ */
+typedef struct {
+ u_int32_t count;
+ char *text[MAX_ARGS];
+} au_execarg_t;
+
+/*
+ * count 4 bytes
+ * text count null-terminated string(s)
+ */
+typedef struct {
+ u_int32_t count;
+ char *text[MAX_ENV];
+} au_execenv_t;
+
+/*
+ * status 4 bytes
+ * return value 4 bytes
+ */
+typedef struct {
+ u_int32_t status;
+ u_int32_t ret;
+} au_exit_t;
+
+/*
+ * seconds of time 4 bytes
+ * milliseconds of time 4 bytes
+ * file name length 2 bytes
+ * file pathname N bytes + 1 terminating NULL byte
+ */
+typedef struct {
+ u_int32_t s;
+ u_int32_t ms;
+ u_int16_t len;
+ char *name;
+} au_file_t;
+
+
+/*
+ * number groups 2 bytes
+ * group list N * 4 bytes
+ */
+typedef struct {
+ u_int16_t no;
+ u_int32_t list[BSM_MAX_GROUPS];
+} au_groups_t;
+
+/*
+ * record byte count 4 bytes
+ * version # 1 byte [2]
+ * event type 2 bytes
+ * event modifier 2 bytes
+ * seconds of time 4 bytes/8 bytes (32-bit/64-bit value)
+ * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value)
+ */
+typedef struct {
+ u_int32_t size;
+ u_char version;
+ u_int16_t e_type;
+ u_int16_t e_mod;
+ u_int32_t s;
+ u_int32_t ms;
+} au_header32_t;
+
+/*
+ * record byte count 4 bytes
+ * version # 1 byte [2]
+ * event type 2 bytes
+ * event modifier 2 bytes
+ * address type/length 1 byte (XXX: actually, 4 bytes)
+ * machine address 4 bytes/16 bytes (IPv4/IPv6 address)
+ * seconds of time 4 bytes/8 bytes (32/64-bits)
+ * nanoseconds of time 4 bytes/8 bytes (32/64-bits)
+ */
+typedef struct {
+ u_int32_t size;
+ u_char version;
+ u_int16_t e_type;
+ u_int16_t e_mod;
+ u_int32_t ad_type;
+ u_int32_t addr[4];
+ u_int32_t s;
+ u_int32_t ms;
+} au_header32_ex_t;
+
+typedef struct {
+ u_int32_t size;
+ u_char version;
+ u_int16_t e_type;
+ u_int16_t e_mod;
+ u_int64_t s;
+ u_int64_t ms;
+} au_header64_t;
+
+typedef struct {
+ u_int32_t size;
+ u_char version;
+ u_int16_t e_type;
+ u_int16_t e_mod;
+ u_int32_t ad_type;
+ u_int32_t addr[4];
+ u_int64_t s;
+ u_int64_t ms;
+} au_header64_ex_t;
+
+/*
+ * internet address 4 bytes
+ */
+typedef struct {
+ u_int32_t addr;
+} au_inaddr_t;
+
+/*
+ * type 4 bytes
+ * internet address 16 bytes
+ */
+typedef struct {
+ u_int32_t type;
+ u_int32_t addr[4];
+} au_inaddr_ex_t;
+
+/*
+ * version and ihl 1 byte
+ * type of service 1 byte
+ * length 2 bytes
+ * id 2 bytes
+ * offset 2 bytes
+ * ttl 1 byte
+ * protocol 1 byte
+ * checksum 2 bytes
+ * source address 4 bytes
+ * destination address 4 bytes
+ */
+typedef struct {
+ u_char version;
+ u_char tos;
+ u_int16_t len;
+ u_int16_t id;
+ u_int16_t offset;
+ u_char ttl;
+ u_char prot;
+ u_int16_t chksm;
+ u_int32_t src;
+ u_int32_t dest;
+} au_ip_t;
+
+/*
+ * object ID type 1 byte
+ * object ID 4 bytes
+ */
+typedef struct {
+ u_char type;
+ u_int32_t id;
+} au_ipc_t;
+
+/*
+ * owner user ID 4 bytes
+ * owner group ID 4 bytes
+ * creator user ID 4 bytes
+ * creator group ID 4 bytes
+ * access mode 4 bytes
+ * slot sequence # 4 bytes
+ * key 4 bytes
+ */
+typedef struct {
+ u_int32_t uid;
+ u_int32_t gid;
+ u_int32_t puid;
+ u_int32_t pgid;
+ u_int32_t mode;
+ u_int32_t seq;
+ u_int32_t key;
+} au_ipcperm_t;
+
+/*
+ * port IP address 2 bytes
+ */
+typedef struct {
+ u_int16_t port;
+} au_iport_t;
+
+/*
+ * length 2 bytes
+ * data length bytes
+ */
+typedef struct {
+ u_int16_t size;
+ char *data;
+} au_opaque_t;
+
+/*
+ * path length 2 bytes
+ * path N bytes + 1 terminating NULL byte
+ */
+typedef struct {
+ u_int16_t len;
+ char *path;
+} au_path_t;
+
+/*
+ * audit ID 4 bytes
+ * effective user ID 4 bytes
+ * effective group ID 4 bytes
+ * real user ID 4 bytes
+ * real group ID 4 bytes
+ * process ID 4 bytes
+ * session ID 4 bytes
+ * terminal ID
+ * port ID 4 bytes/8 bytes (32-bit/64-bit value)
+ * machine address 4 bytes
+ */
+typedef struct {
+ u_int32_t auid;
+ u_int32_t euid;
+ u_int32_t egid;
+ u_int32_t ruid;
+ u_int32_t rgid;
+ u_int32_t pid;
+ u_int32_t sid;
+ au_tid32_t tid;
+} au_proc32_t;
+
+typedef struct {
+ u_int32_t auid;
+ u_int32_t euid;
+ u_int32_t egid;
+ u_int32_t ruid;
+ u_int32_t rgid;
+ u_int32_t pid;
+ u_int32_t sid;
+ au_tid64_t tid;
+} au_proc64_t;
+
+/*
+ * audit ID 4 bytes
+ * effective user ID 4 bytes
+ * effective group ID 4 bytes
+ * real user ID 4 bytes
+ * real group ID 4 bytes
+ * process ID 4 bytes
+ * session ID 4 bytes
+ * terminal ID
+ * port ID 4 bytes/8 bytes (32-bit/64-bit value)
+ * type 4 bytes
+ * machine address 16 bytes
+ */
+typedef struct {
+ u_int32_t auid;
+ u_int32_t euid;
+ u_int32_t egid;
+ u_int32_t ruid;
+ u_int32_t rgid;
+ u_int32_t pid;
+ u_int32_t sid;
+ au_tidaddr32_t tid;
+} au_proc32ex_t;
+
+/*
+ * error status 1 byte
+ * return value 4 bytes/8 bytes (32-bit/64-bit value)
+ */
+typedef struct {
+ u_char status;
+ u_int32_t ret;
+} au_ret32_t;
+
+typedef struct {
+ u_char err;
+ u_int64_t val;
+} au_ret64_t;
+
+/*
+ * sequence number 4 bytes
+ */
+typedef struct {
+ u_int32_t seqno;
+} au_seq_t;
+
+/*
+ * socket type 2 bytes
+ * local port 2 bytes
+ * local Internet address 4 bytes
+ * remote port 2 bytes
+ * remote Internet address 4 bytes
+ */
+typedef struct {
+ u_int16_t type;
+ u_int16_t l_port;
+ u_int32_t l_addr;
+ u_int16_t r_port;
+ u_int32_t r_addr;
+} au_socket_t;
+
+/*
+ * socket type 2 bytes
+ * local port 2 bytes
+ * address type/length 4 bytes
+ * local Internet address 4 bytes/16 bytes (IPv4/IPv6 address)
+ * remote port 4 bytes
+ * address type/length 4 bytes
+ * remote Internet address 4 bytes/16 bytes (IPv4/IPv6 address)
+ */
+typedef struct {
+ u_int16_t type;
+ u_int16_t l_port;
+ u_int32_t l_ad_type;
+ u_int32_t l_addr;
+ u_int32_t r_port;
+ u_int32_t r_ad_type;
+ u_int32_t r_addr;
+} au_socket_ex32_t;
+
+/*
+ * socket family 2 bytes
+ * local port 2 bytes
+ * socket address 4 bytes/16 bytes (IPv4/IPv6 address)
+ */
+typedef struct {
+ u_int16_t family;
+ u_int16_t port;
+ u_int32_t addr;
+} au_socketinet32_t;
+
+/*
+ * socket family 2 bytes
+ * path 104 bytes
+ */
+typedef struct {
+ u_int16_t family;
+ char path[104];
+} au_socketunix_t;
+
+/*
+ * audit ID 4 bytes
+ * effective user ID 4 bytes
+ * effective group ID 4 bytes
+ * real user ID 4 bytes
+ * real group ID 4 bytes
+ * process ID 4 bytes
+ * session ID 4 bytes
+ * terminal ID
+ * port ID 4 bytes/8 bytes (32-bit/64-bit value)
+ * machine address 4 bytes
+ */
+typedef struct {
+ u_int32_t auid;
+ u_int32_t euid;
+ u_int32_t egid;
+ u_int32_t ruid;
+ u_int32_t rgid;
+ u_int32_t pid;
+ u_int32_t sid;
+ au_tid32_t tid;
+} au_subject32_t;
+
+typedef struct {
+ u_int32_t auid;
+ u_int32_t euid;
+ u_int32_t egid;
+ u_int32_t ruid;
+ u_int32_t rgid;
+ u_int32_t pid;
+ u_int32_t sid;
+ au_tid64_t tid;
+} au_subject64_t;
+
+/*
+ * audit ID 4 bytes
+ * effective user ID 4 bytes
+ * effective group ID 4 bytes
+ * real user ID 4 bytes
+ * real group ID 4 bytes
+ * process ID 4 bytes
+ * session ID 4 bytes
+ * terminal ID
+ * port ID 4 bytes/8 bytes (32-bit/64-bit value)
+ * type 4 bytes
+ * machine address 16 bytes
+ */
+typedef struct {
+ u_int32_t auid;
+ u_int32_t euid;
+ u_int32_t egid;
+ u_int32_t ruid;
+ u_int32_t rgid;
+ u_int32_t pid;
+ u_int32_t sid;
+ au_tidaddr32_t tid;
+} au_subject32ex_t;
+
+/*
+ * text length 2 bytes
+ * text N bytes + 1 terminating NULL byte
+ */
+typedef struct {
+ u_int16_t len;
+ char *text;
+} au_text_t;
+
+typedef struct {
+ u_int32_t ident;
+ u_int16_t filter;
+ u_int16_t flags;
+ u_int32_t fflags;
+ u_int32_t data;
+} au_kevent_t;
+
+typedef struct {
+ u_int16_t length;
+ char *data;
+} au_invalid_t;
+
+/*
+ * trailer magic number 2 bytes
+ * record byte count 4 bytes
+ */
+typedef struct {
+ u_int16_t magic;
+ u_int32_t count;
+} au_trailer_t;
+
+struct tokenstr {
+ u_char id;
+ u_char *data;
+ size_t len;
+ union {
+ au_arg32_t arg32;
+ au_arg64_t arg64;
+ au_arb_t arb;
+ au_attr32_t attr32;
+ au_attr64_t attr64;
+ au_execarg_t execarg;
+ au_execenv_t execenv;
+ au_exit_t exit;
+ au_file_t file;
+ au_groups_t grps;
+ au_header32_t hdr32;
+ au_header32_ex_t hdr32_ex;
+ au_header64_t hdr64;
+ au_header64_ex_t hdr64_ex;
+ au_inaddr_t inaddr;
+ au_inaddr_ex_t inaddr_ex;
+ au_ip_t ip;
+ au_ipc_t ipc;
+ au_ipcperm_t ipcperm;
+ au_iport_t iport;
+ au_opaque_t opaque;
+ au_path_t path;
+ au_proc32_t proc32;
+ au_proc64_t proc64;
+ au_proc32ex_t proc32_ex;
+ au_ret32_t ret32;
+ au_ret64_t ret64;
+ au_seq_t seq;
+ au_socket_t socket;
+ au_socket_ex32_t socket_ex32;
+ au_socketinet32_t sockinet32;
+ au_socketunix_t sockunix;
+ au_subject32_t subj32;
+ au_subject64_t subj64;
+ au_subject32ex_t subj32_ex;
+ au_text_t text;
+ au_kevent_t kevent;
+ au_invalid_t invalid;
+ au_trailer_t trail;
+ } tt; /* The token is one of the above types */
+};
+
+typedef struct tokenstr tokenstr_t;
+
+/*
+ * Functions relating to querying audit class information.
+ */
+void setauclass(void);
+void endauclass(void);
+struct au_class_ent *getauclassent(void);
+struct au_class_ent *getauclassent_r(au_class_ent_t *class_int);
+struct au_class_ent *getauclassnam(const char *name);
+struct au_class_ent *getauclassnam_r(au_class_ent_t *class_int,
+ const char *name);
+struct au_class_ent *getauclassnum(au_class_t class_number);
+struct au_class_ent *getauclassnum_r(au_class_ent_t *class_int,
+ au_class_t class_number);
+
+/*
+ * Functions relating to querying audit control information.
+ */
+void setac(void);
+void endac(void);
+int getacdir(char *name, int len);
+int getacmin(int *min_val);
+int getacflg(char *auditstr, int len);
+int getacna(char *auditstr, int len);
+int getauditflagsbin(char *auditstr, au_mask_t *masks);
+int getauditflagschar(char *auditstr, au_mask_t *masks,
+ int verbose);
+int au_preselect(au_event_t event, au_mask_t *mask_p,
+ int sorf, int flag);
+
+/*
+ * Functions relating to querying audit event information.
+ *
+ * XXXRW: getauevnonam() has no _r version?
+ */
+void setauevent(void);
+void endauevent(void);
+struct au_event_ent *getauevent(void);
+struct au_event_ent *getauevent_r(struct au_event_ent *e);
+struct au_event_ent *getauevnam(const char *name);
+struct au_event_ent *getauevnam_r(struct au_event_ent *e,
+ const char *name);
+struct au_event_ent *getauevnum(au_event_t event_number);
+struct au_event_ent *getauevnum_r(struct au_event_ent *e,
+ au_event_t event_number);
+au_event_t *getauevnonam(const char *event_name);
+au_event_t *getauevnonam_r(au_event_t *ev,
+ const char *event_name);
+
+/*
+ * Functions relating to querying audit user information.
+ */
+void setauuser(void);
+void endauuser(void);
+struct au_user_ent *getauuserent(void);
+struct au_user_ent *getauuserent_r(struct au_user_ent *u);
+struct au_user_ent *getauusernam(const char *name);
+struct au_user_ent *getauusernam_r(struct au_user_ent *u,
+ const char *name);
+int au_user_mask(char *username, au_mask_t *mask_p);
+int getfauditflags(au_mask_t *usremask,
+ au_mask_t *usrdmask, au_mask_t *lastmask);
+
+/*
+ * Functions for reading and printing records and tokens from audit trails.
+ */
+int au_read_rec(FILE *fp, u_char **buf);
+int au_fetch_tok(tokenstr_t *tok, u_char *buf, int len);
+//XXX The following interface has different prototype from BSM
+void au_print_tok(FILE *outfp, tokenstr_t *tok,
+ char *del, char raw, char sfrm);
+__END_DECLS
+
+#ifdef __APPLE__
+#include <sys/appleapiopts.h>
+
+/**************************************************************************
+ **************************************************************************
+ ** The following definitions, functions, etc., are NOT officially
+ ** supported: they may be changed or removed in the future. Do not use
+ ** them unless you are prepared to cope with that eventuality.
+ **************************************************************************
+ **************************************************************************/
+
+#ifdef __APPLE_API_PRIVATE
+#define __BSM_INTERNAL_NOTIFY_KEY "com.apple.audit.change"
+#endif /* __APPLE_API_PRIVATE */
+
+/*
+ * au_get_state() return values
+ * XXX use AUC_* values directly instead (<bsm/audit.h>); AUDIT_OFF and
+ * AUDIT_ON are deprecated and WILL be removed.
+ */
+#ifdef __APPLE_API_PRIVATE
+#define AUDIT_OFF AUC_NOAUDIT
+#define AUDIT_ON AUC_AUDITING
+#endif /* __APPLE_API_PRIVATE */
+#endif /* !__APPLE__ */
+
+/*
+ * Error return codes for audit_set_terminal_id(), audit_write() and its
+ * brethren. We have 255 (not including kAUNoErr) to play with.
+ *
+ * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
+ */
+enum {
+ kAUNoErr = 0,
+ kAUBadParamErr = -66049,
+ kAUStatErr,
+ kAUSysctlErr,
+ kAUOpenErr,
+ kAUMakeSubjectTokErr,
+ kAUWriteSubjectTokErr,
+ kAUWriteCallerTokErr,
+ kAUMakeReturnTokErr,
+ kAUWriteReturnTokErr,
+ kAUCloseErr,
+ kAUMakeTextTokErr,
+ kAULastErr
+};
+
+#ifdef __APPLE__
+/*
+ * Error return codes for au_get_state() and/or its private support
+ * functions. These codes are designed to be compatible with the
+ * NOTIFY_STATUS_* codes defined in <notify.h> but non-overlapping.
+ * Any changes to notify(3) may cause these values to change in future.
+ *
+ * AU_UNIMPL should never happen unless you've changed your system software
+ * without rebooting. Shame on you.
+ */
+#ifdef __APPLE_API_PRIVATE
+#define AU_UNIMPL NOTIFY_STATUS_FAILED + 1 /* audit unimplemented */
+#endif /* __APPLE_API_PRIVATE */
+#endif /* !__APPLE__ */
+
+__BEGIN_DECLS
+/*
+ * XXX This prototype should be in audit_record.h
+ *
+ * au_free_token()
+ *
+ * @summary - au_free_token() deallocates a token_t created by any of
+ * the au_to_*() BSM API functions.
+ *
+ * The BSM API generally manages deallocation of token_t objects. However,
+ * if au_write() is passed a bad audit descriptor, the token_t * parameter
+ * will be left untouched. In that case, the caller can deallocate the
+ * token_t using au_free_token() if desired. This is, in fact, what
+ * audit_write() does, in keeping with the existing memory management model
+ * of the BSM API.
+ *
+ * @param tok - A token_t * generated by one of the au_to_*() BSM API
+ * calls. For convenience, tok may be NULL, in which case
+ * au_free_token() returns immediately.
+ *
+ * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
+ */
+void au_free_token(token_t *tok);
+
+/*
+ * Lightweight check to determine if auditing is enabled. If a client
+ * wants to use this to govern whether an entire series of audit calls
+ * should be made--as in the common case of a caller building a set of
+ * tokens, then writing them--it should cache the audit status in a local
+ * variable. This call always returns the current state of auditing.
+ *
+ * @return - AUC_AUDITING or AUC_NOAUDIT if no error occurred.
+ * Otherwise the function can return any of the errno values defined for
+ * setaudit(2), or AU_UNIMPL if audit does not appear to be supported by
+ * the system.
+ *
+ * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
+ */
+int au_get_state(void);
+__END_DECLS
+
+/* OpenSSH compatibility */
+#define cannot_audit(x) (!(au_get_state() == AUC_AUDITING))
+
+__BEGIN_DECLS
+/*
+ * audit_set_terminal_id()
+ *
+ * @summary - audit_set_terminal_id() fills in an au_tid_t struct, which is
+ * used in audit session initialization by processes like /usr/bin/login.
+ *
+ * @param tid - A pointer to an au_tid_t struct.
+ *
+ * @return - kAUNoErr on success; kAUBadParamErr if tid is NULL, kAUStatErr
+ * or kAUSysctlErr if one of the underlying system calls fails (a message
+ * is sent to the system log in those cases).
+ *
+ * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
+ */
+int audit_set_terminal_id(au_tid_t *tid);
+
+/*
+ * BEGIN au_write() WRAPPERS
+ *
+ * The following calls all wrap the existing BSM API. They use the
+ * provided subject information, if any, to construct the subject token
+ * required for every log message. They use the provided return/error
+ * value(s), if any, to construct the success/failure indication required
+ * for every log message. They only permit one "miscellaneous" token,
+ * which should contain the event-specific logging information mandated by
+ * CAPP.
+ *
+ * All these calls assume the caller has previously determined that
+ * auditing is enabled by calling au_get_state().
+ */
+
+/*
+ * audit_write()
+ *
+ * @summary - audit_write() is the basis for the other audit_write_*()
+ * calls. Performs a basic write of an audit record (subject, additional
+ * info, success/failure). Note that this call only permits logging one
+ * caller-specified token; clients needing to log more flexibly must use
+ * the existing BSM API (au_open(), et al.) directly.
+ *
+ * Note on memory management: audit_write() guarantees that the token_t *s
+ * passed to it will be deallocated whether or not the underlying write to
+ * the audit log succeeded. This addresses an inconsistency in the
+ * underlying BSM API in which token_t *s are usually but not always
+ * deallocated.
+ *
+ * @param event_code - The code for the event being logged. This should
+ * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
+ *
+ * @param subject - A token_t * generated by au_to_subject(),
+ * au_to_subject32(), au_to_subject64(), or au_to_me(). If no subject is
+ * required, subject should be NULL.
+ *
+ * @param misctok - A token_t * generated by one of the au_to_*() BSM API
+ * calls. This should correspond to the additional information required by
+ * CAPP for the event being audited. If no additional information is
+ * required, misctok should be NULL.
+ *
+ * @param retval - The return value to be logged for this event. This
+ * should be 0 (zero) for success, otherwise the value is event-specific.
+ *
+ * @param errcode - Any error code associated with the return value (e.g.,
+ * errno or h_errno). If there was no error, errcode should be 0 (zero).
+ *
+ * @return - The status of the call: 0 (zero) on success, else one of the
+ * kAU*Err values defined above.
+ *
+ * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
+ */
+int audit_write(short event_code, token_t *subject, token_t *misctok,
+ char retval, int errcode);
+
+/*
+ * audit_write_success()
+ *
+ * @summary - audit_write_success() records an auditable event that did not
+ * encounter an error. The interface is designed to require as little
+ * direct use of the au_to_*() API as possible. It builds a subject token
+ * from the information passed in and uses that to invoke audit_write().
+ * A subject, as defined by CAPP, is a process acting on the user's behalf.
+ *
+ * If the subject information is the same as the current process, use
+ * au_write_success_self().
+ *
+ * @param event_code - The code for the event being logged. This should
+ * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
+ *
+ * @param misctok - A token_t * generated by one of the au_to_*() BSM API
+ * calls. This should correspond to the additional information required by
+ * CAPP for the event being audited. If no additional information is
+ * required, misctok should be NULL.
+ *
+ * @param auid - The subject's audit ID.
+ *
+ * @param euid - The subject's effective user ID.
+ *
+ * @param egid - The subject's effective group ID.
+ *
+ * @param ruid - The subject's real user ID.
+ *
+ * @param rgid - The subject's real group ID.
+ *
+ * @param pid - The subject's process ID.
+ *
+ * @param sid - The subject's session ID.
+ *
+ * @param tid - The subject's terminal ID.
+ *
+ * @return - The status of the call: 0 (zero) on success, else one of the
+ * kAU*Err values defined above.
+ *
+ * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
+ */
+int audit_write_success(short event_code, token_t *misctok, au_id_t auid,
+ uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, pid_t pid,
+ au_asid_t sid, au_tid_t *tid);
+
+/*
+ * audit_write_success_self()
+ *
+ * @summary - Similar to audit_write_success(), but used when the subject
+ * (process) is owned and operated by the auditable user him/herself.
+ *
+ * @param event_code - The code for the event being logged. This should
+ * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
+ *
+ * @param misctok - A token_t * generated by one of the au_to_*() BSM API
+ * calls. This should correspond to the additional information required by
+ * CAPP for the event being audited. If no additional information is
+ * required, misctok should be NULL.
+ *
+ * @return - The status of the call: 0 (zero) on success, else one of the
+ * kAU*Err values defined above.
+ *
+ * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
+ */
+int audit_write_success_self(short event_code, token_t *misctok);
+
+/*
+ * audit_write_failure()
+ *
+ * @summary - audit_write_failure() records an auditable event that
+ * encountered an error. The interface is designed to require as little
+ * direct use of the au_to_*() API as possible. It builds a subject token
+ * from the information passed in and uses that to invoke audit_write().
+ * A subject, as defined by CAPP, is a process acting on the user's behalf.
+ *
+ * If the subject information is the same as the current process, use
+ * au_write_failure_self().
+ *
+ * @param event_code - The code for the event being logged. This should
+ * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
+ *
+ * @param errmsg - A text message providing additional information about
+ * the event being audited.
+ *
+ * @param errret - A numerical value providing additional information about
+ * the error. This is intended to store the value of errno or h_errno if
+ * it's relevant. This can be 0 (zero) if no additional information is
+ * available.
+ *
+ * @param auid - The subject's audit ID.
+ *
+ * @param euid - The subject's effective user ID.
+ *
+ * @param egid - The subject's effective group ID.
+ *
+ * @param ruid - The subject's real user ID.
+ *
+ * @param rgid - The subject's real group ID.
+ *
+ * @param pid - The subject's process ID.
+ *
+ * @param sid - The subject's session ID.
+ *
+ * @param tid - The subject's terminal ID.
+ *
+ * @return - The status of the call: 0 (zero) on success, else one of the
+ * kAU*Err values defined above.
+ *
+ * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
+ */
+int audit_write_failure(short event_code, char *errmsg, int errret,
+ au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
+ pid_t pid, au_asid_t sid, au_tid_t *tid);
+
+/*
+ * audit_write_failure_self()
+ *
+ * @summary - Similar to audit_write_failure(), but used when the subject
+ * (process) is owned and operated by the auditable user him/herself.
+ *
+ * @param event_code - The code for the event being logged. This should
+ * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
+ *
+ * @param errmsg - A text message providing additional information about
+ * the event being audited.
+ *
+ * @param errret - A numerical value providing additional information about
+ * the error. This is intended to store the value of errno or h_errno if
+ * it's relevant. This can be 0 (zero) if no additional information is
+ * available.
+ *
+ * @return - The status of the call: 0 (zero) on success, else one of the
+ * kAU*Err values defined above.
+ *
+ * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
+ */
+int audit_write_failure_self(short event_code, char *errmsg, int errret);
+
+/*
+ * audit_write_failure_na()
+ *
+ * @summary - audit_write_failure_na() records errors during login. Such
+ * errors are implicitly non-attributable (i.e., not ascribable to any user).
+ *
+ * @param event_code - The code for the event being logged. This should
+ * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
+ *
+ * @param errmsg - A text message providing additional information about
+ * the event being audited.
+ *
+ * @param errret - A numerical value providing additional information about
+ * the error. This is intended to store the value of errno or h_errno if
+ * it's relevant. This can be 0 (zero) if no additional information is
+ * available.
+ *
+ * @param euid - The subject's effective user ID.
+ *
+ * @param egid - The subject's effective group ID.
+ *
+ * @param pid - The subject's process ID.
+ *
+ * @param tid - The subject's terminal ID.
+ *
+ * @return - The status of the call: 0 (zero) on success, else one of the
+ * kAU*Err values defined above.
+ *
+ * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
+ */
+int audit_write_failure_na(short event_code, char *errmsg, int errret,
+ uid_t euid, gid_t egid, pid_t pid, au_tid_t *tid);
+
+/* END au_write() WRAPPERS */
+
+#ifdef __APPLE__
+/*
+ * audit_token_to_au32()
+ *
+ * @summary - Extract information from an audit_token_t, used to identify
+ * Mach tasks and senders of Mach messages as subjects to the audit system.
+ * audit_tokent_to_au32() is the only method that should be used to parse
+ * an audit_token_t, since its internal representation may change over
+ * time. A pointer parameter may be NULL if that information is not
+ * needed.
+ *
+ * @param atoken - the audit token containing the desired information
+ *
+ * @param auidp - Pointer to a uid_t; on return will be set to the task or
+ * sender's audit user ID
+ *
+ * @param euidp - Pointer to a uid_t; on return will be set to the task or
+ * sender's effective user ID
+ *
+ * @param egidp - Pointer to a gid_t; on return will be set to the task or
+ * sender's effective group ID
+ *
+ * @param ruidp - Pointer to a uid_t; on return will be set to the task or
+ * sender's real user ID
+ *
+ * @param rgidp - Pointer to a gid_t; on return will be set to the task or
+ * sender's real group ID
+ *
+ * @param pidp - Pointer to a pid_t; on return will be set to the task or
+ * sender's process ID
+ *
+ * @param asidp - Pointer to an au_asid_t; on return will be set to the
+ * task or sender's audit session ID
+ *
+ * @param tidp - Pointer to an au_tid_t; on return will be set to the task
+ * or sender's terminal ID
+ *
+ * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
+ */
+void audit_token_to_au32(
+ audit_token_t atoken,
+ uid_t *auidp,
+ uid_t *euidp,
+ gid_t *egidp,
+ uid_t *ruidp,
+ gid_t *rgidp,
+ pid_t *pidp,
+ au_asid_t *asidp,
+ au_tid_t *tidp);
+#endif /* !__APPLE__ */
+
+__END_DECLS
+
+#endif /* !_LIBBSM_H_ */
diff --git a/contrib/openbsm/compat/endian.h b/contrib/openbsm/compat/endian.h
new file mode 100644
index 000000000000..2517a41adc63
--- /dev/null
+++ b/contrib/openbsm/compat/endian.h
@@ -0,0 +1,264 @@
+/*-
+ * Copyright (c) 2002 Thomas Moestl <tmm@FreeBSD.org>
+ * Copyright (c) 2005 Robert N. M. Watson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * Derived from FreeBSD src/sys/sys/endian.h:1.6.
+ * $P4: //depot/projects/trustedbsd/openbsm/compat/endian.h#5 $
+ */
+
+#ifndef _COMPAT_ENDIAN_H_
+#define _COMPAT_ENDIAN_H_
+
+/*
+ * Pick up value of BYTE_ORDER/_BYTE_ORDER if not yet included.
+ */
+#include <machine/endian.h>
+
+/*
+ * Some systems will have the uint/int types defined here already, others
+ * will need stdint.h.
+ */
+#include <stdint.h>
+
+/*
+ * Some operating systems do not yet have the more recent endian APIs that
+ * permit encoding to and decoding from byte streams. For those systems, we
+ * implement local non-optimized versions.
+ */
+
+static __inline uint16_t
+bswap16(uint16_t int16)
+{
+ const unsigned char *from;
+ unsigned char *to;
+ uint16_t t;
+
+ from = (const unsigned char *) &int16;
+ to = (unsigned char *) &t;
+
+ to[0] = from[1];
+ to[1] = from[0];
+
+ return (t);
+}
+
+static __inline uint32_t
+bswap32(uint32_t int32)
+{
+ const unsigned char *from;
+ unsigned char *to;
+ uint32_t t;
+
+ from = (const unsigned char *) &int32;
+ to = (unsigned char *) &t;
+
+ to[0] = from[3];
+ to[1] = from[2];
+ to[2] = from[1];
+ to[3] = from[0];
+
+ return (t);
+}
+
+static __inline uint64_t
+bswap64(uint64_t int64)
+{
+ const unsigned char *from;
+ unsigned char *to;
+ uint64_t t;
+
+ from = (const unsigned char *) &int64;
+ to = (unsigned char *) &t;
+
+ to[0] = from[7];
+ to[1] = from[6];
+ to[2] = from[5];
+ to[3] = from[4];
+ to[4] = from[3];
+ to[5] = from[2];
+ to[6] = from[1];
+ to[7] = from[0];
+
+ return (t);
+}
+
+#if defined(BYTE_ORDER) && !defined(_BYTE_ORDER)
+#define _BYTE_ORDER BYTE_ORDER
+#endif
+#if !defined(_BYTE_ORDER)
+#error "Neither BYTE_ORDER nor _BYTE_ORDER defined"
+#endif
+
+#if defined(BIG_ENDIAN) && !defined(_BIG_ENDIAN)
+#define _BIG_ENDIAN BIG_ENDIAN
+#endif
+
+#if defined(LITTLE_ENDIAN) && !defined(_LITTLE_ENDIAN)
+#define _LITTLE_ENDIAN LITTLE_ENDIAN
+#endif
+
+/*
+ * Host to big endian, host to little endian, big endian to host, and little
+ * endian to host byte order functions as detailed in byteorder(9).
+ */
+#if _BYTE_ORDER == _LITTLE_ENDIAN
+#define htobe16(x) bswap16((x))
+#define htobe32(x) bswap32((x))
+#define htobe64(x) bswap64((x))
+#define htole16(x) ((uint16_t)(x))
+#define htole32(x) ((uint32_t)(x))
+#define htole64(x) ((uint64_t)(x))
+
+#define be16toh(x) bswap16((x))
+#define be32toh(x) bswap32((x))
+#define be64toh(x) bswap64((x))
+#define le16toh(x) ((uint16_t)(x))
+#define le32toh(x) ((uint32_t)(x))
+#define le64toh(x) ((uint64_t)(x))
+#else /* _BYTE_ORDER != _LITTLE_ENDIAN */
+#define htobe16(x) ((uint16_t)(x))
+#define htobe32(x) ((uint32_t)(x))
+#define htobe64(x) ((uint64_t)(x))
+#define htole16(x) bswap16((x))
+#define htole32(x) bswap32((x))
+#define htole64(x) bswap64((x))
+
+#define be16toh(x) ((uint16_t)(x))
+#define be32toh(x) ((uint32_t)(x))
+#define be64toh(x) ((uint64_t)(x))
+#define le16toh(x) bswap16((x))
+#define le32toh(x) bswap32((x))
+#define le64toh(x) bswap64((x))
+#endif /* _BYTE_ORDER == _LITTLE_ENDIAN */
+
+/* Alignment-agnostic encode/decode bytestream to/from little/big endian. */
+
+static __inline uint16_t
+be16dec(const void *pp)
+{
+ unsigned char const *p = (unsigned char const *)pp;
+
+ return ((p[0] << 8) | p[1]);
+}
+
+static __inline uint32_t
+be32dec(const void *pp)
+{
+ unsigned char const *p = (unsigned char const *)pp;
+
+ return ((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]);
+}
+
+static __inline uint64_t
+be64dec(const void *pp)
+{
+ unsigned char const *p = (unsigned char const *)pp;
+
+ return (((uint64_t)be32dec(p) << 32) | be32dec(p + 4));
+}
+
+static __inline uint16_t
+le16dec(const void *pp)
+{
+ unsigned char const *p = (unsigned char const *)pp;
+
+ return ((p[1] << 8) | p[0]);
+}
+
+static __inline uint32_t
+le32dec(const void *pp)
+{
+ unsigned char const *p = (unsigned char const *)pp;
+
+ return ((p[3] << 24) | (p[2] << 16) | (p[1] << 8) | p[0]);
+}
+
+static __inline uint64_t
+le64dec(const void *pp)
+{
+ unsigned char const *p = (unsigned char const *)pp;
+
+ return (((uint64_t)le32dec(p + 4) << 32) | le32dec(p));
+}
+
+static __inline void
+be16enc(void *pp, uint16_t u)
+{
+ unsigned char *p = (unsigned char *)pp;
+
+ p[0] = (u >> 8) & 0xff;
+ p[1] = u & 0xff;
+}
+
+static __inline void
+be32enc(void *pp, uint32_t u)
+{
+ unsigned char *p = (unsigned char *)pp;
+
+ p[0] = (u >> 24) & 0xff;
+ p[1] = (u >> 16) & 0xff;
+ p[2] = (u >> 8) & 0xff;
+ p[3] = u & 0xff;
+}
+
+static __inline void
+be64enc(void *pp, uint64_t u)
+{
+ unsigned char *p = (unsigned char *)pp;
+
+ be32enc(p, u >> 32);
+ be32enc(p + 4, u & 0xffffffff);
+}
+
+static __inline void
+le16enc(void *pp, uint16_t u)
+{
+ unsigned char *p = (unsigned char *)pp;
+
+ p[0] = u & 0xff;
+ p[1] = (u >> 8) & 0xff;
+}
+
+static __inline void
+le32enc(void *pp, uint32_t u)
+{
+ unsigned char *p = (unsigned char *)pp;
+
+ p[0] = u & 0xff;
+ p[1] = (u >> 8) & 0xff;
+ p[2] = (u >> 16) & 0xff;
+ p[3] = (u >> 24) & 0xff;
+}
+
+static __inline void
+le64enc(void *pp, uint64_t u)
+{
+ unsigned char *p = (unsigned char *)pp;
+
+ le32enc(p, u & 0xffffffff);
+ le32enc(p + 4, u >> 32);
+}
+
+#endif /* _COMPAT_ENDIAN_H_ */
diff --git a/contrib/openbsm/etc/audit_class b/contrib/openbsm/etc/audit_class
new file mode 100644
index 000000000000..9f596a276b9d
--- /dev/null
+++ b/contrib/openbsm/etc/audit_class
@@ -0,0 +1,25 @@
+#
+# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_class#3 $
+#
+# This file must match audit.h
+#
+0x00000000:no:invalid class
+0x00000001:fr:file read
+0x00000002:fw:file write
+0x00000004:fa:file attribute access
+0x00000008:fm:file attribute modify
+0x00000010:fc:file create
+0x00000020:fd:file delete
+0x00000040:cl:file close
+0x00000080:pc:process
+0x00000100:nt:network
+0x00000200:ip:ipc
+0x00000400:na:non attributable
+0x00000800:ad:administrative
+0x00001000:lo:login_logout
+0x00002000:tf:tfm
+0x00004000:ap:application
+0x20000000:io:ioctl
+0x40000000:ex:exec
+0x80000000:ot:miscellaneous
+0xffffffff:all:all flags set
diff --git a/contrib/openbsm/etc/audit_control b/contrib/openbsm/etc/audit_control
new file mode 100644
index 000000000000..f6ca774e6cbd
--- /dev/null
+++ b/contrib/openbsm/etc/audit_control
@@ -0,0 +1,7 @@
+#
+# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_control#2 $
+#
+dir:/var/audit
+flags:lo,ad,-all,^-fa,^-fc,^-cl
+minfree:20
+naflags:lo
diff --git a/contrib/openbsm/etc/audit_event b/contrib/openbsm/etc/audit_event
new file mode 100644
index 000000000000..01a3a5b6cbd2
--- /dev/null
+++ b/contrib/openbsm/etc/audit_event
@@ -0,0 +1,343 @@
+#
+# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_event#10 $
+#
+0:AUE_NULL:indir system call:no
+1:AUE_EXIT:exit(2):pc
+2:AUE_FORK:fork(2):pc
+3:AUE_OPEN:open(2) - attr only:fa
+4:AUE_CREAT:creat(2):fc
+5:AUE_LINK:link(2):fc
+6:AUE_UNLINK:unlink(2):fd
+7:AUE_EXEC:exec(2):pc,ex
+8:AUE_CHDIR:chdir(2):pc
+9:AUE_MKNOD:mknod(2):fc
+10:AUE_CHMOD:chmod(2):fm
+11:AUE_CHOWN:chown(2):fm
+12:AUE_UMOUNT:umount(2) - old version:ad
+13:AUE_JUNK:junk:no
+14:AUE_ACCESS:access(2):fa
+15:AUE_KILL:kill(2):pc
+16:AUE_STAT:stat(2):fa
+17:AUE_LSTAT:lstat(2):fa
+18:AUE_ACCT:acct(2):ad
+19:AUE_MCTL:mctl(2):no
+20:AUE_REBOOT:reboot(2):ad
+21:AUE_SYMLINK:symlink(2):fc
+22:AUE_READLINK:readlink(2):fr
+23:AUE_EXECVE:execve(2):pc,ex
+24:AUE_CHROOT:chroot(2):pc
+25:AUE_VFORK:vfork(2):pc
+26:AUE_SETGROUPS:setgroups(2):pc
+27:AUE_SETPGRP:setpgrp(2):pc
+28:AUE_SWAPON:swapon(2):ad
+29:AUE_SETHOSTNAME:sethostname(2):ad
+30:AUE_FCNTL:fcntl(2):fm
+31:AUE_SETPRIORITY:setpriority(2):pc
+32:AUE_CONNECT:connect(2):nt
+33:AUE_ACCEPT:accept(2):nt
+34:AUE_BIND:bind(2):nt
+35:AUE_SETSOCKOPT:setsockopt(2):nt
+36:AUE_VTRACE:vtrace(2):pc
+37:AUE_SETTIMEOFDAY:settimeofday(2):ad
+38:AUE_FCHOWN:fchown(2):fm
+39:AUE_FCHMOD:fchmod(2):fm
+40:AUE_SETREUID:setreuid(2):pc
+41:AUE_SETREGID:setregid(2):pc
+42:AUE_RENAME:rename(2):fc,fd
+43:AUE_TRUNCATE:truncate(2):fw
+44:AUE_FTRUNCATE:ftruncate(2):fw
+45:AUE_FLOCK:flock(2):fm
+46:AUE_SHUTDOWN:shutdown(2):nt
+47:AUE_MKDIR:mkdir(2):fc
+48:AUE_RMDIR:rmdir(2):fd
+49:AUE_UTIMES:utimes(2):fm
+50:AUE_ADJTIME:adjtime(2):ad
+51:AUE_SETRLIMIT:setrlimit(2):pc
+52:AUE_KILLPG:killpg(2):pc
+53:AUE_NFS_SVC:nfs_svc(2):ad
+54:AUE_STATFS:statfs(2):fa
+55:AUE_FSTATFS:fstatfs(2):fa
+56:AUE_UNMOUNT:unmount(2):ad
+57:AUE_ASYNC_DAEMON:async_daemon(2):ad
+58:AUE_NFS_GETFH:nfs_getfh(2):ad
+59:AUE_SETDOMAINNAME:setdomainname(2):ad
+60:AUE_QUOTACTL:quotactl(2):ad
+61:AUE_EXPORTFS:exportfs(2):ad
+62:AUE_MOUNT:mount(2):ad
+63:AUE_SEMSYS:semsys(2):ip
+64:AUE_MSGSYS:msgsys(2):ip
+65:AUE_SHMSYS:shmsys(2):ip
+66:AUE_BSMSYS:bsmsys(2):ad
+67:AUE_RFSSYS:rfssys(2):ad
+68:AUE_FCHDIR:fchdir(2):pc
+69:AUE_FCHROOT:fchroot(2):pc
+70:AUE_VPIXSYS:vpixsys(2):no
+71:AUE_PATHCONF:pathconf(2):fa
+72:AUE_OPEN_R:open(2) - read:fr
+73:AUE_OPEN_RC:open(2) - read,creat:fc,fr,fa,fm
+74:AUE_OPEN_RT:open(2) - read,trunc:fd,fr,fa,fm
+75:AUE_OPEN_RTC:open(2) - read,creat,trunc:fc,fd,fr,fa,fm
+76:AUE_OPEN_W:open(2) - write:fw
+77:AUE_OPEN_WC:open(2) - write,creat:fc,fw,fa,fm
+78:AUE_OPEN_WT:open(2) - write,trunc:fd,fw,fa,fm
+79:AUE_OPEN_WTC:open(2) - write,creat,trunc:fc,fd,fw,fa,fm
+80:AUE_OPEN_RW:open(2) - read,write:fr,fw
+81:AUE_OPEN_RWC:open(2) - read,write,creat:fc,fw,fr,fa,fm
+82:AUE_OPEN_RWT:open(2) - read,write,trunc:fd,fr,fw,fa,fm
+83:AUE_OPEN_RWTC:open(2) - read,write,creat,trunc:fc,fd,fw,fr,fa,fm
+84:AUE_MSGCTL:msgctl(2) - illegal command:ip
+85:AUE_MSGCTL_RMID:msgctl(2) - IPC_RMID command:ip
+86:AUE_MSGCTL_SET:msgctl(2) - IPC_SET command:ip
+87:AUE_MSGCTL_STAT:msgctl(2) - IPC_STAT command:ip
+88:AUE_MSGGET:msgget(2):ip
+89:AUE_MSGRCV:msgrcv(2):ip
+90:AUE_MSGSND:msgsnd(2):ip
+91:AUE_SHMCTL:shmctl(2) - illegal command:ip
+92:AUE_SHMCTL_RMID:shmctl(2) - IPC_RMID command:ip
+93:AUE_SHMCTL_SET:shmctl(2) - IPC_SET command:ip
+94:AUE_SHMCTL_STAT:shmctl(2) - IPC_STAT command:ip
+95:AUE_SHMGET:shmget(2):ip
+96:AUE_SHMAT:shmat(2):ip
+97:AUE_SHMDT:shmdt(2):ip
+98:AUE_SEMCTL:semctl(2) - illegal command:ip
+99:AUE_SEMCTL_RMID:semctl(2) - IPC_RMID command:ip
+100:AUE_SEMCTL_SET:semctl(2) - IPC_SET command:ip
+101:AUE_SEMCTL_STAT:semctl(2) - IPC_STAT command:ip
+102:AUE_SEMCTL_GETNCNT:semctl(2) - GETNCNT command:ip
+103:AUE_SEMCTL_GETPID:semctl(2) - GETPID command:ip
+104:AUE_SEMCTL_GETVAL:semctl(2) - GETVAL command:ip
+105:AUE_SEMCTL_GETALL:semctl(2) - GETALL command:ip
+106:AUE_SEMCTL_GETZCNT:semctl(2) - GETZCNT command:ip
+107:AUE_SEMCTL_SETVAL:semctl(2) - SETVAL command:ip
+108:AUE_SEMCTL_SETALL:semctl(2) - SETALL command:ip
+109:AUE_SEMGET:semget(2):ip
+110:AUE_SEMOP:semop(2):ip
+111:AUE_CORE:process dumped core:fc
+112:AUE_CLOSE:close(2):cl
+113:AUE_SYSTEMBOOT:system booted:na
+114:AUE_ASYNC_DAEMON_EXIT:async_daemon(2) exited:ad
+115:AUE_NFSSVC_EXIT:nfssvc(2) exited:ad
+128:AUE_WRITEL:writel(2):fw
+129:AUE_WRITEVL:writevl(2):fw
+130:AUE_GETAUID:getauid(2):ad
+131:AUE_SETAUID:setauid(2):ad
+132:AUE_GETAUDIT:getaudit(2):ad
+133:AUE_SETAUDIT:setaudit(2):ad
+134:AUE_GETUSERAUDIT:getuseraudit(2):ad
+135:AUE_SETUSERAUDIT:setuseraudit(2):ad
+136:AUE_AUDITSVC:auditsvc(2):ad
+137:AUE_AUDITUSER:audituser(2):ad
+138:AUE_AUDITON:auditon(2):ad
+139:AUE_AUDITON_GTERMID:auditon(2) - GETTERMID command:ad
+140:AUE_AUDITON_STERMID:auditon(2) - SETTERMID command:ad
+141:AUE_AUDITON_GPOLICY:auditon(2) - GPOLICY command:ad
+142:AUE_AUDITON_SPOLICY:auditon(2) - SPOLICY command:ad
+143:AUE_AUDITON_GESTATE:auditon(2) - GESTATE command:ad
+144:AUE_AUDITON_SESTATE:auditon(2) - SESTATE command:ad
+145:AUE_AUDITON_GQCTRL:auditon(2) - GQCTRL command:ad
+146:AUE_AUDITON_SQCTRL:auditon(2) - SQCTRL command:ad
+147:AUE_GETKERNSTATE:getkernstate(2):ad
+148:AUE_SETKERNSTATE:setkernstate(2):ad
+149:AUE_GETPORTAUDIT:getportaudit(2):ad
+150:AUE_AUDITSTAT:auditstat(2):ad
+153:AUE_ENTERPROM:enter prom:ad
+154:AUE_EXITPROM:exit prom:ad
+158:AUE_IOCTL:ioctl(2):io
+173:AUE_ONESIDE:one-sided session record:nt
+174:AUE_MSGGETL:msggetl(2):ip
+175:AUE_MSGRCVL:msgrcvl(2):ip
+176:AUE_MSGSNDL:msgsndl(2):ip
+177:AUE_SEMGETL:semgetl(2):ip
+178:AUE_SHMGETL:shmgetl(2):ip
+183:AUE_SOCKET:socket(2):nt
+184:AUE_SENDTO:sendto(2):nt
+185:AUE_PIPE:pipe(2):ip
+186:AUE_SOCKETPAIR:socketpair(2):nt
+187:AUE_SEND:send(2):nt
+188:AUE_SENDMSG:sendmsg(2):nt
+189:AUE_RECV:recv(2):nt
+190:AUE_RECVMSG:recvmsg(2):nt
+191:AUE_RECVFROM:recvfrom(2):nt
+192:AUE_READ:read(2):no
+193:AUE_GETDENTS:getdents(2):no
+194:AUE_LSEEK:lseek(2):no
+195:AUE_WRITE:write(2):no
+196:AUE_WRITEV:writev(2):no
+197:AUE_NFS:nfs server:ad
+198:AUE_READV:readv(2):no
+199:AUE_OSTAT:old stat(2):fa
+200:AUE_SETUID:setuid(2):pc
+201:AUE_STIME:old stime(2):ad
+202:AUE_UTIME:old utime(2):fm
+203:AUE_NICE:old nice(2):pc
+204:AUE_OSETPGRP:old setpgrp(2):pc
+205:AUE_SETGID:setgid(2):pc
+206:AUE_READL:readl(2):no
+207:AUE_READVL:readvl(2):no
+209:AUE_DUP2:dup2(2):no
+210:AUE_MMAP:mmap(2):no
+211:AUE_AUDIT:audit(2):ot
+212:AUE_PRIOCNTLSYS:priocntlsys(2):pc
+213:AUE_MUNMAP:munmap(2):cl
+214:AUE_SETEGID:setegid(2):pc
+215:AUE_SETEUID:seteuid(2):pc
+216:AUE_PUTMSG:putmsg(2):nt
+217:AUE_GETMSG:getmsg(2):nt
+218:AUE_PUTPMSG:putpmsg(2):nt
+219:AUE_GETPMSG:getpmsg(2):nt
+220:AUE_AUDITSYS:audit system calls place holder:no
+221:AUE_AUDITON_GETKMASK:auditon(2) - get kernel mask:ad
+222:AUE_AUDITON_SETKMASK:auditon(2) - set kernel mask:ad
+223:AUE_AUDITON_GETCWD:auditon(2) - get cwd:ad
+224:AUE_AUDITON_GETCAR:auditon(2) - get car:ad
+225:AUE_AUDITON_GETSTAT:auditon(2) - get audit statistics:ad
+226:AUE_AUDITON_SETSTAT:auditon(2) - reset audit statistics:ad
+227:AUE_AUDITON_SETUMASK:auditon(2) - set mask per uid:ad
+228:AUE_AUDITON_SETSMASK:auditon(2) - set mask per session ID:ad
+229:AUE_AUDITON_GETCOND:auditon(2) - get audit state:ad
+230:AUE_AUDITON_SETCOND:auditon(2) - set audit state:ad
+231:AUE_AUDITON_GETCLASS:auditon(2) - get event class:ad
+232:AUE_AUDITON_SETCLASS:auditon(2) - set event class:ad
+233:AUE_UTSSYS:utssys(2) - fusers:ad
+234:AUE_STATVFS:statvfs(2):fa
+235:AUE_XSTAT:xstat(2):fa
+236:AUE_LXSTAT:lx6stat(2):fa
+237:AUE_LCHOWN:lchown(2):fm
+238:AUE_MEMCNTL:memcntl(2):ot
+239:AUE_SYSINFO:sysinfo(2):ad
+240:AUE_XMKNOD:xmknod(2):fc
+241:AUE_FORK1:fork1(2):pc
+242:AUE_MODCTL:modctl(2) system call place holder:no
+243:AUE_MODLOAD:modctl(2) - load module:ad
+244:AUE_MODUNLOAD:modctl(2) - unload module:ad
+245:AUE_MODCONFIG:modctl(2) - configure module:ad
+246:AUE_MODADDMAJ:modctl(2) - bind module:ad
+247:AUE_SOCKACCEPT:getmsg-accept:nt
+248:AUE_SOCKCONNECT:putmsg-connect:nt
+249:AUE_SOCKSEND:putmsg-send:nt
+250:AUE_SOCKRECEIVE:getmsg-receive:nt
+251:AUE_ACLSET:acl(2) - SETACL comand:fm
+252:AUE_FACLSET:facl(2) - SETACL command:fm
+253:AUE_DOORFS:doorfs(2) - system call place holder:no
+254:AUE_DOORFS_DOOR_CALL:doorfs(2) - DOOR_CALL:ip
+255:AUE_DOORFS_DOOR_RETURN:doorfs(2) - DOOR_RETURN:ip
+256:AUE_DOORFS_DOOR_CREATE:doorfs(2) - DOOR_CREATE:ip
+257:AUE_DOORFS_DOOR_REVOKE:doorfs(2) - DOOR_REVOKE:ip
+258:AUE_DOORFS_DOOR_INFO:doorfs(2) - DOOR_INFO:ip
+259:AUE_DOORFS_DOOR_CRED:doorfs(2) - DOOR_CRED:ip
+260:AUE_DOORFS_DOOR_BIND:doorfs(2) - DOOR_BIND:ip
+261:AUE_DOORFS_DOOR_UNBIND:doorfs(2) - DOOR_UNBIND:ip
+262:AUE_P_ONLINE:p_online(2):ad
+263:AUE_PROCESSOR_BIND:processor_bind(2):ad
+264:AUE_INST_SYNC:inst_sync(2):ad
+266:AUE_SETAUDIT_ADDR:setaudit_addr(2):ad
+267:AUE_GETAUDIT_ADDR:getaudit_addr(2):ad
+268:AUE_CLOCK_SETTIME:clock_settime(2):ad
+269:AUE_NTP_ADJTIME:ntp_adjtime(2):ad
+301:AUE_GETFSSTAT:getfsstat(2):fa
+302:AUE_PTRACE:ptrace(2):pc
+303:AUE_CHFLAGS:chflags(2):fm
+304:AUE_FCHFLAGS:fchflags(2):fm
+305:AUE_PROFILE:profil(2):pc
+306:AUE_KTRACE:ktrace(2):pc
+307:AUE_SETLOGIN:setlogin(2):pc
+308:AUE_DARWIN_REBOOT:reboot(2):ad
+309:AUE_REVOKE:revoke(2):cl
+310:AUE_UMASK:umask(2):pc
+311:AUE_MPROTECT:mprotect(2):fm
+312:AUE_DARWIN_SETPRIORITY:setpriority(2):pc,ot
+313:AUE_DARWIN_SETTIMEOFDAY:settimeofday(2):ad
+314:AUE_DARWIN_FLOCK:flock(2):fm
+315:AUE_MKFIFO:mkfifo(2):fc
+316:AUE_POLL:poll(2):no
+317:AUE_DARWIN_SOCKETPAIR:socketpair(2):nt
+318:AUE_FUTIMES:futimes(2):fm
+319:AUE_SETSID:setsid(2):pc
+320:AUE_SETPRIVEXEC:setprivexec(2):pc
+321:AUE_DARWIN_NFSSVC:nfssvc(2):ad
+322:AUE_DARWIN_GETFH:getfh(2):fa
+323:AUE_DARWIN_QUOTACTL:quotactl(2):ad
+324:AUE_ADDPROFILE:system call:pc
+325:AUE_KDEBUGTRACE:system call:pc
+326:AUE_FSTAT:fstat(2):fa
+327:AUE_FPATHCONF:fpathconf(2):fa
+328:AUE_GETDIRENTRIES:getdirentries(2):fr
+329:AUE_DARWIN_TRUNCATE:truncate(2):fw
+330:AUE_DARWIN_FTRUNCATE:ftruncate(2):fw
+331:AUE_SYSCTL:sysctl(3):ad
+332:AUE_MLOCK:mlock(2):pc
+333:AUE_MUNLOCK:munlock(2):pc
+334:AUE_UNDELETE:undelete(2):fm
+335:AUE_GETATTRLIST:getattrlist():fa
+336:AUE_SETATTRLIST:setattrlist():fm
+337:AUE_GETDIRENTRIESATTR:getdirentriesattr():fa
+338:AUE_EXCHANGEDATA:exchangedata():fw
+339:AUE_SEARCHFS:searchfs():fa
+340:AUE_MINHERIT:minherit(2):pc
+341:AUE_SEMCONFIG:semconfig():ip
+342:AUE_SEMOPEN:sem_open(2):ip
+343:AUE_SEMCLOSE:sem_close(2):ip
+344:AUE_SEMUNLINK:sem_unlink(2):ip
+345:AUE_SHMOPEN:shm_open(2):ip
+346:AUE_SHMUNLINK:shm_unlink(2):ip
+347:AUE_LOADSHFILE:load_shared_file():fr
+348:AUE_RESETSHFILE:reset_shared_file():ot
+349:AUE_NEWSYSTEMSHREG:new_system_share_regions():ot
+350:AUE_PTHREADKILL:pthread_kill(2):pc
+351:AUE_PTHREADSIGMASK:pthread_sigmask(2):pc
+352:AUE_AUDITCTL:auditctl(2):ad
+353:AUE_RFORK:rfork(2):pc
+354:AUE_LCHMOD:lchmod(2):fm
+355:AUE_SWAPOFF:swapoff():ad
+356:AUE_INITPROCESS:init_process():pc
+357:AUE_MAPFD:map_fd():fa
+358:AUE_TASKFORPID:task_for_pid():pc
+359:AUE_PIDFORTASK:pid_for_task():pc
+360:AUE_SYSCTL_NONADMIN:sysctl() - non-admin:ot
+361:AUE_COPYFILE:copyfile():fr,fw
+362:AUE_LUTIMES:lutimes(2):fm
+363:AUE_LCHFLAGS:lchflags(2):fm
+364:AUE_SENDFILE:sendfile(2):nt
+365:AUE_USELIB:uselib(2):fa
+366:AUE_GETRESUID:getresuid(2):pc
+367:AUE_SETRESUID:setresuid(2):pc
+368:AUE_GETRESGID:getresgid(2):pc
+369:AUE_SETRESGID:setresgid(2):pc
+370:AUE_WAIT4:wait4(2):pc
+371:AUE_LGETFH:lgetfh(2):fa
+372:AUE_FHSTATFS:fhstatfs(2):fa
+373:AUE_FHOPEN:fhopen(2):fa
+374:AUE_FHSTAT:fhstat(2):fa
+375:AUE_JAIL:jail(2):pc
+376:AUE_EACCESS:eaccess(2):fa
+377:AUE_KQUEUE:kqueue(2):no
+378:AUE_KEVENT:kevent(2):no
+379:AUE_FSYNC:fsync(2):fm
+380:AUE_NMOUNT:nmount(2):ad
+6152:AUE_login:login - local:lo
+6153:AUE_logout:logout - local:lo
+6159:AUE_su:su(1):lo
+6160:AUE_halt:system halt:ad
+6168:AUE_shutdown:system shutdown:ad
+6171:AUE_audit_startup:audit startup:ad
+6172:AUE_audit_shutdown:audit shutdown:ad
+6207:AUE_create_user:create user:ad
+6208:AUE_modify_user:modify user:ad
+6209:AUE_delete_user:delete user:ad
+6210:AUE_disable_user:disable user:ad
+6211:AUE_enable_user::ad
+6300:AUE_sudo:sudo(1):ad
+6501:AUE_modify_password:modify password:ad
+6511:AUE_create_group:create group:ad
+6512:AUE_delete_group:delete group:ad
+6513:AUE_modify_group:modify group:ad
+6514:AUE_add_to_group:add to group:ad
+6515:AUE_remove_from_group:remove from group:ad
+6521:AUE_revoke_obj:revoke object priv:fm
+6600:AUE_lw_login:loginwindow login:lo
+6601:AUE_lw_logout:loginwindow logout:lo
+7000:AUE_auth_user:user authentication:ad
+7001:AUE_ssconn:SecSrvr connection setup:ad
+7002:AUE_ssauthorize:SecSrvr AuthEngine:ad
+7003:AUE_ssauthint:SecSrvr authinternal mech:ad
+32800:AUE_openssh:OpenSSH login:lo
diff --git a/contrib/openbsm/etc/audit_user b/contrib/openbsm/etc/audit_user
new file mode 100644
index 000000000000..925729c12c66
--- /dev/null
+++ b/contrib/openbsm/etc/audit_user
@@ -0,0 +1,5 @@
+#
+# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_user#2 $
+#
+root:lo:no
+audit:fc:no
diff --git a/contrib/openbsm/etc/audit_warn b/contrib/openbsm/etc/audit_warn
new file mode 100644
index 000000000000..3612fc9227e2
--- /dev/null
+++ b/contrib/openbsm/etc/audit_warn
@@ -0,0 +1,5 @@
+#!/bin/sh
+#
+# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_warn#3 $
+#
+logger -p security.warning "audit warning: $@"
diff --git a/contrib/openbsm/libbsm/Makefile b/contrib/openbsm/libbsm/Makefile
new file mode 100644
index 000000000000..4137f4a3da6b
--- /dev/null
+++ b/contrib/openbsm/libbsm/Makefile
@@ -0,0 +1,119 @@
+#
+# OpenBSM libbsm
+#
+# $P4: //depot/projects/trustedbsd/openbsm/libbsm/Makefile#11 $
+#
+
+LIB= bsm
+SHLIB_MAJOR= 1
+
+CFLAGS+=-I- \
+ -I .. \
+ -Wall
+
+SRCS= bsm_audit.c \
+ bsm_class.c \
+ bsm_control.c \
+ bsm_event.c \
+ bsm_flags.c \
+ bsm_io.c \
+ bsm_mask.c \
+ bsm_notify.c \
+ bsm_token.c \
+ bsm_user.c \
+ bsm_wrappers.c
+
+MAN= libbsm.3 \
+ au_class.3 \
+ au_control.3 \
+ au_event.3 \
+ au_free_token.3 \
+ au_io.3 \
+ au_mask.3 \
+ au_token.3 \
+ au_user.3
+
+MLINKS= libbsm.3 bsm.3 \
+ au_class.3 getauclassent.3 \
+ au_class.3 getauclassnam.3 \
+ au_class.3 setauclass.3 \
+ au_class.3 endauclass.3 \
+ au_control.3 setac.3 \
+ au_control.3 endac.3 \
+ au_control.3 getacdir.3 \
+ au_control.3 getacmin.3 \
+ au_control.3 getacflg.3 \
+ au_control.3 getacna.3 \
+ au_event.3 setauevent.3 \
+ au_event.3 endauevent.3 \
+ au_event.3 getauevent.3 \
+ au_event.3 getauevnam.3 \
+ au_event.3 getauevnum.3 \
+ au_event.3 getauevnonam.3 \
+ au_io.3 au_fetch_tok.3 \
+ au_io.3 au_print_tok.3 \
+ au_io.3 au_read_rec.3 \
+ au_mask.3 au_preselect.3 \
+ au_mask.3 getauditflagsbin.3 \
+ au_mask.3 getauditflagschar.3 \
+ au_user.3 setauuser.3 \
+ au_user.3 endauuser.3 \
+ au_user.3 getauuserent.3 \
+ au_user.3 getauusernam.3 \
+ au_user.3 au_user_mask.3 \
+ au_user.3 getfauditflags.3 \
+ au_token.3 au_to_arg32.3 \
+ au_token.3 au_to_arg64.3 \
+ au_token.3 au_to_arg.3 \
+ au_token.3 au_to_attr64.3 \
+ au_token.3 au_to_data.3 \
+ au_token.3 au_to_exit.3 \
+ au_token.3 au_to_groups.3 \
+ au_token.3 au_to_newgroups.3 \
+ au_token.3 au_to_in_addr.3 \
+ au_token.3 au_to_in_addr_ex.3 \
+ au_token.3 au_to_ip.3 \
+ au_token.3 au_to_ipc.3 \
+ au_token.3 au_to_ipc_perm.3 \
+ au_token.3 au_to_iport.3 \
+ au_token.3 au_to_opaque.3 \
+ au_token.3 au_to_file.3 \
+ au_token.3 au_to_text.3 \
+ au_token.3 au_to_path.3 \
+ au_token.3 au_to_process32.3 \
+ au_token.3 au_to_process64.3 \
+ au_token.3 au_to_process.3 \
+ au_token.3 au_to_process32_ex.3 \
+ au_token.3 au_to_process64_ex.3 \
+ au_token.3 au_to_process_ex.3 \
+ au_token.3 au_to_return32.3 \
+ au_token.3 au_to_return64.3 \
+ au_token.3 au_to_return.3 \
+ au_token.3 au_to_seq.3 \
+ au_token.3 au_to_socket.3 \
+ au_token.3 au_to_socket_ex_32.3 \
+ au_token.3 au_to_socket_ex_128.3 \
+ au_token.3 au_to_sock_inet32.3 \
+ au_token.3 au_to_sock_inet128.3 \
+ au_token.3 au_to_sock_inet.3 \
+ au_token.3 au_to_subject32.3 \
+ au_token.3 au_to_subject64.3 \
+ au_token.3 au_to_subject.3 \
+ au_token.3 au_to_subject32_ex.3 \
+ au_token.3 au_to_subject64_ex.3 \
+ au_token.3 au_to_subject_ex.3 \
+ au_token.3 au_to_me.3 \
+ au_token.3 au_to_exec_args.3 \
+ au_token.3 au_to_exec_env.3 \
+ au_token.3 au_to_header.3 \
+ au_token.3 au_to_header32.3 \
+ au_token.3 au_to_header64.3 \
+ au_token.3 au_to_trailer.3
+
+beforeinstall:
+ if test -d ${INCSDIR}; then \
+ else \
+ mkdir ${INCSDIR}; \
+ fi;
+
+.include <bsd.lib.mk>
diff --git a/contrib/openbsm/libbsm/au_class.3 b/contrib/openbsm/libbsm/au_class.3
new file mode 100644
index 000000000000..f1cd9e9637f3
--- /dev/null
+++ b/contrib/openbsm/libbsm/au_class.3
@@ -0,0 +1,108 @@
+.\"-
+.\" Copyright (c) 2005-2006 Robert N. M. Watson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_class.3#3 $
+.\"
+.Dd April 19, 2005
+.Dt AU_CLASS 3
+.Os
+.Sh NAME
+.Nm getauclassent ,
+.Nm getauclassent_r ,
+.Nm getauclassnam ,
+.Nm getauclassnam_r ,
+.Nm setauclass ,
+.Nm endauclass
+.Nd "Look up information from the audit_class database"
+.Sh LIBRARY
+.Lb libbsm
+.Sh SYNOPSIS
+.In libbsm.h
+.Ft struct au_class_ent *
+.Fn getauclassent "void"
+.Ft struct au_class_ent *
+.Fn getauclassent_r "struct au_class_ent *e"
+.Ft struct au_class_ent *
+.Fn getauclassnam "const char *name"
+.Ft struct au_class_ent *
+.Fn getauclassnam_r "struct au_class_ent *e" "const char *name"
+.Ft void
+.Fn setauclass "void"
+.Ft void
+.Fn endauclass "void"
+.Sh DESCRIPTION
+These interfaces may be used to look up information from the
+.Xr audit_class 5
+database, which describes audit event classes.
+Audit event classes are described by
+.Vt struct au_class_ent .
+.Pp
+.Pp
+.Fn getauclassent
+will return the next class found in the
+.Xr audit_class 5
+database, or the first if the function has not yet been called.
+.Dv NULL
+will be returned if no further records are available.
+.Pp
+.Fn getauclassnam
+looks up a class by name.
+.Dv NULL
+will be returned if no matching class can be found.
+.Pp
+.Fn setauclass
+resets the iterator through the
+.Xr audit_class 5
+database, causing the next call to
+.Fn getauclassent
+to start again from the beginning of the file.
+.Pp
+.Fn endauclass
+closes the
+.Xr audit_class 5
+database, if open.
+.Sh SEE ALSO
+.Xr libbsm 3 ,
+.Xr audit_class 5
+.Sh AUTHORS
+This software was created by Robert Watson, Wayne Salamon, and Suresh
+Krishnaswamy for McAfee Research, the security research division of McAfee,
+Inc., under contract to Apple Computer, Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer, Inc., in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
+.Sh BUGS
+These routines cannot currently distinguish between an entry not being found
+and an error accessing the database.
+The implementation should be changed to return an error via
+.Va errno
+when
+.Dv NULL
+is returned.
diff --git a/contrib/openbsm/libbsm/au_control.3 b/contrib/openbsm/libbsm/au_control.3
new file mode 100644
index 000000000000..915c5211f2d1
--- /dev/null
+++ b/contrib/openbsm/libbsm/au_control.3
@@ -0,0 +1,136 @@
+.\"-
+.\" Copyright (c) 2005 Robert N. M. Watson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_control.3#2 $
+.\"
+.Dd April 19, 2005
+.Dt AU_CONTROL 3
+.Os
+.Sh NAME
+.Nm setac ,
+.Nm endac ,
+.Nm getacdir ,
+.Nm getacmin ,
+.Nm getacflg ,
+.Nm getacna
+.Nd "Look up information from the audit_control database"
+.Sh LIBRARY
+.Lb libbsm
+.Sh SYNOPSIS
+.In libbsm.h
+.Ft void
+.Fn setac "void"
+.Ft void
+.Fn endac "void"
+.Ft int
+.Fn getacdir "char *name" "int len"
+.Ft int
+.Fn getacmin "int *min_val"
+.Ft int
+.Fn getacflg "char *auditstr" "int len"
+.Ft int
+.Fn getacna "char *auditstr" "int len"
+.Sh DESCRIPTION
+These interfaces may be used to look up information from the
+.Xr audit_control 5
+database, which contains various audit-related administrative parameters.
+.Pp
+.Fn setac
+resets the database iterator to the beginning of the database; see the
+BUGS section for more information.
+.Pp
+.Fn sendac
+closes the
+.Xr audit_control 5
+database.
+.Pp
+.Fn getacdir
+Return the name of the directory where log data is stored via the passed
+character buffer
+.Va name
+of length
+.Va len .
+.Pp
+.Fn getacmin
+returns the minimum free disk space for the audit log target file system via
+the passed
+.Va min_val
+variable.
+.Pp
+.Fn getacflg
+returns the audit system flags via the the passed character buffer
+.Va auditstr
+of length
+.Va len .
+.Pp
+.Fn getacna
+returns the non-attributable flags via the passed character buffer
+.Va auditstr
+of length
+.Va len .
+.Sh RETURN VALULES
+.Fn getacdir ,
+.Fn getacmin ,
+.Fn getacflg ,
+and
+.Fn getacna
+return 0 on success, or a negative value on failure, along with error
+information in
+.Va errno .
+Functions that return a string value will return a failure if there is
+insufficient room in the passed character buffer for the full string.
+.Sh SEE ALSO
+.Xr libbsm 3 ,
+.Xr audit_control 5
+.Sh AUTHORS
+This software was created by Robert Watson, Wayne Salamon, and Suresh
+Krishnaswamy for McAfee Research, the security research division of McAfee,
+Inc., under contract to Apple Computer, Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer, Inc., in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
+.Sh BUGS
+These routines cannot currently distinguish between an entry not being found
+and an error accessing the database.
+The implementation should be changed to return an error via
+.Va errno
+when
+.Dv NULL
+is returned.
+.Sh BUGS
+There is no reason for the
+.Fn setac
+interface to be exposed as part of the public API, as it is called implicitly
+by other access functions and iteration is not supported.
+.Pp
+These interfaces inconsistently return various negative values depending on
+the failure mode, and do not always set
+.Va errno
+on failure.
diff --git a/contrib/openbsm/libbsm/au_event.3 b/contrib/openbsm/libbsm/au_event.3
new file mode 100644
index 000000000000..bd021decc2eb
--- /dev/null
+++ b/contrib/openbsm/libbsm/au_event.3
@@ -0,0 +1,153 @@
+.\"-
+.\" Copyright (c) 2005-2006 Robert N. M. Watson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_event.3#3 $
+.\"
+.Dd April 19, 2005
+.Dt AU_EVENT 3
+.Os
+.Sh NAME
+.Nm free_au_event_ent ,
+.Nm setauevent ,
+.Nm endauevent ,
+.Nm getauevent ,
+.Nm getauevent_r ,
+.Nm getauevnam ,
+.Nm getauevnam_r ,
+.Nm getauevnum ,
+.Nm getauevnum_r ,
+.Nm getauevnonam ,
+.Nm getauevnonam_r ,
+.Nd "Look up information from the audit_event database"
+.Sh LIBRARY
+.Lb libbsm
+.Sh SYNOPSIS
+.In libbsm.h
+.Ft void
+.Fn setauevent "void"
+.Ft void
+.Fn endauevent "void"
+.Ft "struct au_event_ent *"
+.Fn getauevent "void"
+.Ft "struct au_event_ent *"
+.Fn getauevent_r "struct au_event_ent *e"
+.Ft "struct au_event_ent *"
+.Fn getauevnam "char *name"
+.Ft "struct au_event_ent *"
+.Fn getauevnam_r "struct au_event_ent *e" "char *name"
+.Ft "struct au_event_ent *"
+.Fn getauevnum "au_event_t event_number"
+.Ft "struct au_event_ent *"
+.Fn getauevnum_r "struct au_event_ent *e" "au_event_t event_number"
+.Ft "au_event_t *"
+.Fn getauevnonam "char *event_name"
+.Ft "au_event_t *"
+.Fn getauevnonam_r "au_event_t *ev" "char *event_name"
+.Sh DESCRIPTION
+These interfaces may be used to look up information from the
+.Xr audit_event 5
+database, which describes audit events.
+Entries in the database are described by
+.Vt struct au_event_ent
+entries, which are returned by calls to
+.Fn getauevent ,
+.Fn getauevnam ,
+or
+.Fn getauevnum .
+It is also possible look up an event number via a call to
+.Nm getauevnonam .
+.Pp
+.Fn setauevent
+resets the database access session for
+.Xr audit_event 5 ,
+so that the next call to
+.Fn getauevent
+will start with the first entry in the database.
+.Pp
+.Fn endauevent
+closes the
+.Xr audit_event 5
+database session.
+.Pp
+.Fn getauevent
+returns a reference to the next entry in the
+.Xr audit_event 5
+database.
+.Pp
+.Fn getauevnam
+returns a reference to the entry in the
+.Xr audit_event 5
+database with a name of
+.Va name .
+.Pp
+.Fn getauevnum
+returns a reference to the entry in the
+.Xr audit_event 5
+database with an event number of
+.Va event_number .
+.Pp
+.Fn getauevnonam
+returns a reference to an audit event number using the
+.Xr audit_event 5
+database.
+.Sh RETURN VALUES
+Functions
+.Fn getauevent ,
+.Fn getauevent_r ,
+.Fn getauevnam ,
+.Fn getauevnam_r ,
+.Fn getauevnum ,
+.Fn getauevnum_r ,
+and
+.Fn getauevnuam
+will return a reference to a
+.Dt struct au_event_ent
+or
+.Dt au_event_t
+on success, or
+.Dv NULL on failure, with
+.Va errno
+set to provide further error information.
+.Sh SEE ALSO
+.Xr libbsm 3 ,
+.Xr audit_event 5
+.Sh AUTHORS
+This software was created by Robert Watson, Wayne Salamon, and Suresh
+Krishnaswamy for McAfee Research, the security research division of McAfee,
+Inc., under contract to Apple Computer, Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer, Inc., in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
+.Sh BUGS
+.Va errno
+is not always properly set following a failure.
+.Pp
+These routines are thread-safe, but not re-entrant, so simultaneous or
+interleaved use of these functions will affect the iterator.
diff --git a/contrib/openbsm/libbsm/au_free_token.3 b/contrib/openbsm/libbsm/au_free_token.3
new file mode 100644
index 000000000000..fc4ab0bde6c4
--- /dev/null
+++ b/contrib/openbsm/libbsm/au_free_token.3
@@ -0,0 +1,91 @@
+.\"-
+.\" Copyright (c) 2004 Apple Computer, Inc.
+.\" Copyright (c) 2005 Robert N. M. Watson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+.\" its contributors may be used to endorse or promote products derived
+.\" from this software without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
+.\" ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRING LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+.\" POSSIBILITY OF SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_free_token.3#2 $
+.\"
+.Dd April 19, 2005
+.Dt AU_FREE_TOKEN 3
+.Os
+.Sh NAME
+.Nm au_free_token
+.Nd "Deallocate a token_t created by any of the au_to_*() BSM API functions"
+.Sh LIBRARY
+.Lb libbsm
+.Sh SYNOPSIS
+.In libbsm.h
+.Ft void
+.Fn au_free_tokenen "token_t *tok"
+.Sh DESCRIPTION
+The BSM API generally manages deallocation of
+.Vt token_t
+objects.
+However, if
+.Xr au_write 3
+is passed a bad audit descriptor, the
+.Vt token_t *
+parameter will be left untouched.
+In that case, the caller can deallocate the
+.Vt token_t
+using
+.Nm
+if desired.
+.Pp
+The
+.Va tok
+argument is a
+.Vt token_t *
+generated by one of the au_to_*() BSM API calls.
+For convenience,
+.Va tok
+may be
+.Dv NULL ,
+in which case
+.Nm
+returns immediately.
+.Sh IMPLEMENTATION NOTES
+This is, in fact, what
+.Xr audit_write 3
+does, in keeping with the existing memory management model of the BSM API.
+.Sh SEE ALSO
+.Xr au_write 3 ,
+.Xr audit_write 3 ,
+.Xr libbsm 3
+.Sh AUTHORS
+This software was created by Robert Watson, Wayne Salamon, and Suresh
+Krishnaswamy for McAfee Research, the security research division of McAfee,
+Inc., under contract to Apple Computer, Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer, Inc., in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
+
diff --git a/contrib/openbsm/libbsm/au_io.3 b/contrib/openbsm/libbsm/au_io.3
new file mode 100644
index 000000000000..0c520a1f6eff
--- /dev/null
+++ b/contrib/openbsm/libbsm/au_io.3
@@ -0,0 +1,119 @@
+.\"-
+.\" Copyright (c) 2005 Robert N. M. Watson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_io.3#2 $
+.\"
+.Dd April 19, 2005
+.Dt AU_IO 3
+.Os
+.Sh NAME
+.Nm au_fetch_tok ,
+.Nm au_print_tok ,
+.Nm au_read_rec
+.Nd "Perform I/O involving an audit record"
+.Sh LIBRARY
+.Lb libbsm
+.Sh SYNOPSIS
+.In libbsm.h
+.Ft int
+.Fn au_fetch_tok "tokenstr_t *tok" "u_char *buf" "int len"
+.Ft void
+.Fn au_print_tok "FILE outfp" "tokenstr_t *tok" "char *del" "char raw" "char sfrm"
+.Ft int
+.Fn au_read_rec "FILE *fp" "u_char **buf"
+.Sh DESCRIPTION
+These interfaces support input and output (I/O) involving audit records,
+internalizing an audit record from a byte stream, converting a token to
+either a raw or default string, and reading a single record from a file.
+.Pp
+.Fn au_fetch_tok
+reads a token from the passed buffer
+.Va buf
+of length
+.Va len
+bytes, and returns a pointer to the token via
+.Va tok .
+.Pp
+.Fn au_print_tok
+prints a string form of the token
+.Va tok
+to the file output stream
+.Va outfp,
+either in default mode, or raw mode if
+.Va raw
+is set non-zero.
+The delimiter
+.Va del
+is used when printing.
+.Pp
+.Fn au_read_rec
+reads an audit record from the file stream
+.Va fp ,
+and returns an allocated memory buffer containing the record via
+.Va *buf ,
+which must be freed by the caller using
+.Xr free 3 .
+.Pp
+A typical use of these routines might open a file with
+.Xr fopen 3 ,
+then read records from the file sequentially by calling
+.Fn au_read_rec .
+Each record would be broken down into components tokens through sequential
+calls to
+.Fn au_fetch_tok
+on the buffer, and then invoking
+.Fn au_print_tok
+to print each token to an output stream such as
+.Dv stdout .
+On completion of the processing of each record, a call to
+.Xr free 3
+would be used to free the record buffer.
+Finally, the source stream would be closed by a call to
+.Xr fclose 3 .
+.Sh RETURN VALUES
+.Fn au_fetch_tok
+and
+.Fn au_read_rec
+return 0 on success, or -1 on failure along with additional error information
+returned via
+.Va errno .
+.Sh SEE ALSO
+.Xr free 3 ,
+.Xr libbsm 3
+.Sh AUTHORS
+This software was created by Robert Watson, Wayne Salamon, and Suresh
+Krishnaswamy for McAfee Research, the security research division of McAfee,
+Inc., under contract to Apple Computer, Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer, Inc., in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
+.Sh BUGS
+.Va errno
+may not always be properly set in the event of an error.
diff --git a/contrib/openbsm/libbsm/au_mask.3 b/contrib/openbsm/libbsm/au_mask.3
new file mode 100644
index 000000000000..67bb187a8fae
--- /dev/null
+++ b/contrib/openbsm/libbsm/au_mask.3
@@ -0,0 +1,140 @@
+.\"-
+.\" Copyright (c) 2005 Robert N. M. Watson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_mask.3#2 $
+.\"
+.Dd April 19, 2005
+.Dt AU_MASK 3
+.Os
+.Sh NAME
+.Nm au_preselect ,
+.Nm getauditflagsbin ,
+.Nm getauditflagschar
+.Nd "Convert between string and numeric values of audit masks"
+.Sh LIBRARY
+.Lb libbsm
+.Sh SYNOPSIS
+.In libbsm.h
+.Ft int
+.Fn au_preselect "au_event_t event" "au_mask_t *mask_p" "int sorf" "int flag"
+.Ft int
+.Fn getauditflagsbin "char *auditstr" "au_mask_t *masks"
+.Ft int
+.Fn getauditflagschar "char *auditstr" "au_mask_t *masks" "int verbose"
+.Sh DESCRIPTION
+These interfaces support processing of an audit mask represented by type
+.Vt au_mask_t ,
+including conversion between numeric and text formats, and computing whether
+or not an event is matched by a mask.
+.Pp
+.Fn au_preselect
+calculates whether or not the audit event passed via
+.Va event
+is matched by the audit mask passed via
+.Va au_mask_t .
+The
+.Va sorf
+argument indicates whether or not to consider the event as a success,
+if the
+.Dv AU_PRS_SUCCESS
+flag is set, or failure, if the
+.Dv AU_PRS_FAILURE
+flag is set.
+The
+.Va flag
+argument accepts additional arguments influencing the behavior of
+.Fn au_preselect ,
+including
+.Dv AU_PRS_REREAD ,
+which causes the event to be re-looked up rather than read from the cache,
+or
+.Dv AU_PRS_USECACHE
+which forces use of the cache.
+.Pp
+.Fn getauditflagsbin
+converts a string representation of an audit mask passed via a character
+string pointed to by
+.Va auditstr ,
+returning the resulting mask, if valid, via
+.Va *masks .
+.Pp
+.Fn getauditflagschar
+converts the audit event mask passed via
+.Va *masks
+and converts it to a character string in a buffer pointed to by
+.Va auditstr .
+See the BUGS section for more information on how to provide a buffer of
+sufficient size.
+If the
+.Va verbose
+flag is set, the class description string retrieved from
+.Xr audit_class 5
+will be used; otherwise, the two-character class name.
+.Sh RETURN VALUES
+.Fn au_preselect
+returns 0 on success, or returns -1 if there is a failure looking up the
+event type or other database access, in which case
+.Va errno
+will be set to indicate the error.
+It returns 1 if the event is matched; 0 if not.
+.Pp
+.Fn getauditflagsbin
+and
+.Fn getauditflagschar
+returns 0 on success, or -1 if there is a failure, in which case
+.Va errno
+will be set to indicate the error.
+.Sh IMPLEMENTATION NOTES
+.Fn au_preselect
+makes implicit use of various audit database routines, and may influence
+the behavior of simultaenous or interleaved processing of those databases by
+other code.
+.Sh SEE ALSO
+.Xr libbsm 3 ,
+.Xr audit_class 5
+.Sh AUTHORS
+This software was created by Robert Watson, Wayne Salamon, and Suresh
+Krishnaswamy for McAfee Research, the security research division of McAfee,
+Inc., under contract to Apple Computer, Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer, Inc., in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
+.Sh BUGS
+.Va errno
+may not always be properly set in the event of an error.
+.Pp
+.Fn getauditflagschar
+does not provide a way to indicate how long the character buffer is, in order
+to detect overflow.
+As a result, the caller must always provide a buffer of sufficient length for
+any possible mask, which may be calculated as three times the number of
+non-zero bits in the mask argument in the event non-verbose class names are
+used, and is not trivially predictable for verbose class names.
+This API should be replaced with a more robust one.
diff --git a/contrib/openbsm/libbsm/au_token.3 b/contrib/openbsm/libbsm/au_token.3
new file mode 100644
index 000000000000..dd0ce2762238
--- /dev/null
+++ b/contrib/openbsm/libbsm/au_token.3
@@ -0,0 +1,209 @@
+.\"-
+.\" Copyright (c) 2005 Robert N. M. Watson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_token.3#4 $
+.\"
+.Dd April 19, 2005
+.Dt AU_TOKEN 3
+.Os
+.Sh NAME
+.Nm au_to_arg32 ,
+.Nm au_to_arg64 ,
+.Nm au_to_arg ,
+.Nm au_to_attr64 ,
+.Nm au_to_data ,
+.Nm au_to_exit ,
+.Nm au_to_groups ,
+.Nm au_to_newgroups ,
+.Nm au_to_in_addr ,
+.Nm au_to_in_addr_ex ,
+.Nm au_to_ip ,
+.Nm au_to_ipc ,
+.Nm au_to_ipc_perm ,
+.Nm au_to_iport ,
+.Nm au_to_opaque ,
+.Nm au_to_file ,
+.Nm au_to_text ,
+.Nm au_to_path ,
+.Nm au_to_process32 ,
+.Nm au_to_process64 ,
+.Nm au_to_process ,
+.Nm au_to_process32_ex ,
+.Nm au_to_process64_ex ,
+.Nm au_to_process_ex ,
+.Nm au_to_return32 ,
+.Nm au_to_return64 ,
+.Nm au_to_return ,
+.Nm au_to_seq ,
+.Nm au_to_socket ,
+.Nm au_to_socket_ex_32 ,
+.Nm au_to_socket_ex_128 ,
+.Nm au_to_sock_inet32 ,
+.Nm au_to_sock_inet128 ,
+.Nm au_to_sock_inet ,
+.Nm au_to_subject32 ,
+.Nm au_to_subject64 ,
+.Nm au_to_subject ,
+.Nm au_to_subject32_ex ,
+.Nm au_to_subject64_ex ,
+.Nm au_to_subject_ex ,
+.Nm au_to_me ,
+.Nm au_to_exec_args ,
+.Nm au_to_exec_env ,
+.Nm au_to_header ,
+.Nm au_to_header32 ,
+.Nm au_to_header64 ,
+.Nm au_to_trailer .
+.Nd "Routines for generating BSM audit tokens"
+.Sh LIBRARY
+.Lb libbsm
+.Sh SYNOPSIS
+.In libbsm.h
+.Ft token_t *
+.Fn au_to_arg32 "char n" "char *text" "u_int32_t v"
+.Ft token_t *
+.Fn au_to_arg64 "char n" "char *text" "u_int64_t v"
+.Ft token_t *
+.Fn au_to_arg "char n" "char *text" "u_int32_t v"
+.Ft token_t *
+.Fn au_to_attr32 "struct vattr *attr"
+.Ft token_t *
+.Fn au_to_attr64 "struct vattr *attr"
+.Ft token_t *
+.Fn au_to_attr "struct vattr *attr"
+.Ft token_t *
+.Fn au_to_data "char unit_print" "char unit_type" "char unit_count" "char *p"
+.Ft token_t *
+.Fn au_to_exit "int retval" "int err"
+.Ft token_t *
+.Fn au_to_groups "int *groups"
+.Ft token_t *
+.Fn au_to_newgroups "u_int16_t n" "gid_t *groups"
+.Ft token_t *
+.Fn au_to_in_addr "struct in_addr *internet_addr"
+.Ft token_t *
+.Fn au_to_in_addr_ex "struct in6_addr *internet_addr"
+.Ft token_t *
+.Fn au_to_ip "struct ip *ip"
+.Ft token_t *
+.Fn au_to_ipc "char type" "int id"
+.Ft token_t *
+.Fn au_to_ipc_perm "struct ipc_perm *perm"
+.Ft token_t *
+.Fn au_to_iport "u_int16_t iport"
+.Ft token_t *
+.Fn au_to_opaque "char *data" "u_int64_t bytes"
+.Ft token_t *
+.Fn au_to_file "char *file"
+.Ft token_t *
+.Fn au_to_file "char *file"
+.Ft token_t *
+.Fn au_to_text "char *text"
+.Ft token_t *
+.Fn au_to_path "char *text"
+.Ft token_t *
+.Fn au_to_process32 "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid" "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_t *tid"
+.Ft token_t *
+.Fn au_to_process64 "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid" "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_t *tid"
+.Ft token_t *
+.Fn au_to_process32_ex "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid" "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_addr_t *tid"
+.Ft token_t *
+.Fn au_to_process64_ex "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid" "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_addr_t *tid"
+.Ft token_t *
+.Fn au_to_return32 "char status" "u_int32_t ret"
+.Ft token_t *
+.Fn au_to_return64 "char status" "u_int64_t ret"
+.Ft token_t *
+.Fn au_to_return "char status" "u_int32_t ret"
+.Ft token_t *
+.Fn au_to_seq "long audit_count"
+.Ft token_t *
+.Fn au_to_socket "struct socket *so"
+.Ft token_t *
+.Fn au_to_socket_ex_32 "struct socket *so"
+.Ft token_t *
+.Fn au_to_socket_ex_128 "struct socket *so"
+.Ft token_t *
+.Fn au_to_sock_inet32 "struct sockaddr_in *so"
+.Ft token_t *
+.Fn au_to_sock_inet128 "struct sockaddr_in6 *so"
+.Ft token_t *
+.Fn au_to_sock_int "struct sockaddr_in *so"
+.Ft token_t *
+.Fn au_to_subject32 "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid" "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_t *tid"
+.Ft token_t *
+.Fn au_to_subject64 "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid" "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_t *tid"
+.Ft token_t *
+.Fn au_to_subject "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid" "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_t *tid"
+.Ft token_t *
+.Fn au_to_subject32_ex "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid" "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_t *tid"
+.Ft token_t *
+.Fn au_to_subject64_ex "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid" "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_addr_t *tid"
+.Ft token_t *
+.Fn au_to_subject_ex "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid" "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_addr_t *tid"
+.Ft token_t *
+.Fn au_to_me "void"
+.Ft token_t *
+.Fn au_to_exec_args "const char **args"
+.Ft token_t *
+.Fn au_to_exec_env "const char **env"
+.Ft token_t *
+.Fn au_to_header "int rec_size" "au_event_t e_type" "au_emod_t emod"
+.Ft token_t *
+.Fn au_to_header32 "int rec_size" "au_event_t e_type" "au_emod_t emod"
+.Ft token_t *
+.Fn au_to_header64 "int rec_size" "au_event_t e_type" "au_emod_t e_mod"
+.Ft token_t *
+.Fn au_to_trailer "int rec_size"
+.Sh DESCRIPTION
+These interfaces support the allocation of BSM audit tokens, represented by
+.Dt token_t ,
+for various data types.
+.Sh RETURN VALUES
+On sucess, a pointer to a
+.Vt token_t
+will be returned; the allocated
+.Vt token_t
+can be freed via a call to
+.Xr au_free_token 3 .
+On failure,
+.Dv NULL
+will be returned, and an error condition returned via
+.Va errno .
+.Sh SEE ALSO
+.Xr libbsm 3
+.Sh AUTHORS
+This software was created by Robert Watson, Wayne Salamon, and Suresh
+Krishnaswamy for McAfee Research, the security research division of McAfee,
+Inc., under contract to Apple Computer, Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer, Inc., in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
+.Sh BUGS
diff --git a/contrib/openbsm/libbsm/au_user.3 b/contrib/openbsm/libbsm/au_user.3
new file mode 100644
index 000000000000..e71deae6c7e2
--- /dev/null
+++ b/contrib/openbsm/libbsm/au_user.3
@@ -0,0 +1,136 @@
+.\"-
+.\" Copyright (c) 2005-2006 Robert N. M. Watson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_user.3#3 $
+.\"
+.Dd April 19, 2005
+.Dt AU_USER 3
+.Os
+.Sh NAME
+.Nm setauuser ,
+.Nm endauuser ,
+.Nm getauuserent ,
+.Nm getauuserent_r ,
+.Nm getauusernam ,
+.Nm getauusernam_r ,
+.Nm au_user_mask ,
+.Nm getfauditflags
+.Nd "Look up information from the audit_user database"
+.Sh LIBRARY
+.Lb libbsm
+.Sh SYNOPSIS
+.In libbsm.h
+.Ft void
+.Fn setauuser "void"
+.Ft void
+.Fn endauuser "void"
+.Ft struct au_user_ent *
+.Fn getauuserent "void"
+.Ft struct au_user_ent *
+.Fn getauuserent_r "struct au_user_ent *u" "void"
+.Ft struct au_user_ent *
+.Fn getauusernam "const char *name"
+.Ft struct au_user_ent *
+.Fn getauusernam_r "struct au_user_ent *u" "const char *name"
+.Ft int
+.Fn au_user_mask "char *username" "au_mask_t *mask_p"
+.Ft int
+.Fn getfauditflags "au_mask_t *usremask" "au_mask_t *usrdmask" "au_mask_t *lastmask"
+.Sh DESCRIPTION
+These interfaces may be used to look up information from the
+.Xr audit_user 5
+database, which describes per-user audit configuration.
+Audit user entries are described by a
+.Vt au_user_ent ,
+which stores the user's name in
+.Dv au_name ,
+events to always audit in
+.Dv au_always ,
+and events never to audit
+.Dv au_never .
+.Pp
+.Fn getauuserent
+return the next user found in the
+.Xr audit_user 5
+database, or the first if the function has not yet been called.
+.Dv NULL
+will be returned if no further records are available.
+.Pp
+.Fn getauusernam
+looks up a user by name.
+.Dv NULL
+will be returned if no matching class can be found.
+.Pp
+.Fn setauuser
+resets the iterator through the
+.Xr audit_user 5
+database, causing the next call to
+.Fn getauuserent
+to start again from the beginning of the file.
+.Pp
+.Fn endauuser
+closes the
+.Xr audit_user 5
+database, if open.
+.Pp
+.Nm au_user_mask
+calculate a new session audit mask to be returned via
+.Dv mask_p
+for the user identified by
+.Dv username .
+If the user audit configuration is not found, the default system audit
+properties returned by
+.Xr getacflg 3 .
+The resulting mask may be set via a call to
+.Xr setaudit 3
+or related variants.
+.Pp
+.Nm getfauditflags
+XXXXXXXXXXXXXXXXX
+.Sh SEE ALSO
+.Xr libbsm 3 ,
+.Xr getacflg 3 ,
+.Xr setaudit 3 ,
+.Xr audit_user 5
+.Sh AUTHORS
+This software was created by Robert Watson, Wayne Salamon, and Suresh
+Krishnaswamy for McAfee Research, the security research division of McAfee,
+Inc., under contract to Apple Computer, Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer, Inc., in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
+.Sh BUGS
+These routines cannot currently distinguish between an entry not being found
+and an error accessing the database.
+The implementation should be changed to return an error via
+.Va errno
+when
+.Dv NULL
+is returned.
diff --git a/contrib/openbsm/libbsm/bsm_audit.c b/contrib/openbsm/libbsm/bsm_audit.c
new file mode 100644
index 000000000000..c4374cd64eb0
--- /dev/null
+++ b/contrib/openbsm/libbsm/bsm_audit.c
@@ -0,0 +1,354 @@
+/*
+ * Copyright (c) 2004 Apple Computer, Inc.
+ * Copyright (c) 2005 SPARTA, Inc.
+ * All rights reserved.
+ *
+ * This code was developed in part by Robert N. M. Watson, Senior Principal
+ * Scientist, SPARTA, Inc.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+ * its contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
+ * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_audit.c#18 $
+ */
+
+#include <sys/types.h>
+#include <sys/queue.h>
+
+#include <bsm/audit_internal.h>
+#include <bsm/libbsm.h>
+
+#include <errno.h>
+#include <pthread.h>
+#include <stdlib.h>
+#include <string.h>
+
+/* array of used descriptors */
+static au_record_t *open_desc_table[MAX_AUDIT_RECORDS];
+
+/* The current number of active record descriptors */
+static int bsm_rec_count = 0;
+
+/*
+ * Records that can be recycled are maintained in the list given below. The
+ * maximum number of elements that can be present in this list is bounded by
+ * MAX_AUDIT_RECORDS. Memory allocated for these records are never freed.
+ */
+static LIST_HEAD(, au_record) bsm_free_q;
+
+static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
+
+/*
+ * This call frees a token_t and its internal data.
+ */
+void
+au_free_token(token_t *tok)
+{
+
+ if (tok != NULL) {
+ if (tok->t_data)
+ free(tok->t_data);
+ free(tok);
+ }
+}
+
+/*
+ * This call reserves memory for the audit record. Memory must be guaranteed
+ * before any auditable event can be generated. The au_record_t structure
+ * maintains a reference to the memory allocated above and also the list of
+ * tokens associated with this record. Descriptors are recyled once the
+ * records are added to the audit trail following au_close().
+ */
+int
+au_open(void)
+{
+ au_record_t *rec = NULL;
+
+ pthread_mutex_lock(&mutex);
+
+ if (bsm_rec_count == 0)
+ LIST_INIT(&bsm_free_q);
+
+ /*
+ * Find an unused descriptor, remove it from the free list, mark as
+ * used.
+ */
+ if (!LIST_EMPTY(&bsm_free_q)) {
+ rec = LIST_FIRST(&bsm_free_q);
+ rec->used = 1;
+ LIST_REMOVE(rec, au_rec_q);
+ }
+
+ pthread_mutex_unlock(&mutex);
+
+ if (rec == NULL) {
+ /*
+ * Create a new au_record_t if no descriptors are available.
+ */
+ rec = malloc (sizeof(au_record_t));
+ if (rec == NULL)
+ return (-1);
+
+ rec->data = malloc (MAX_AUDIT_RECORD_SIZE * sizeof(u_char));
+ if (rec->data == NULL) {
+ free(rec);
+ errno = ENOMEM;
+ return (-1);
+ }
+
+ pthread_mutex_lock(&mutex);
+
+ if (bsm_rec_count == MAX_AUDIT_RECORDS) {
+ pthread_mutex_unlock(&mutex);
+ free(rec->data);
+ free(rec);
+
+ /* XXX We need to increase size of MAX_AUDIT_RECORDS */
+ errno = ENOMEM;
+ return (-1);
+ }
+ rec->desc = bsm_rec_count;
+ open_desc_table[bsm_rec_count] = rec;
+ bsm_rec_count++;
+
+ pthread_mutex_unlock(&mutex);
+
+ }
+
+ memset(rec->data, 0, MAX_AUDIT_RECORD_SIZE);
+
+ TAILQ_INIT(&rec->token_q);
+ rec->len = 0;
+ rec->used = 1;
+
+ return (rec->desc);
+}
+
+/*
+ * Store the token with the record descriptor.
+ *
+ * Don't permit writing more to the buffer than would let the trailer be
+ * appended later.
+ */
+int
+au_write(int d, token_t *tok)
+{
+ au_record_t *rec;
+
+ if (tok == NULL) {
+ errno = EINVAL;
+ return (-1); /* Invalid Token */
+ }
+
+ /* Write the token to the record descriptor */
+ rec = open_desc_table[d];
+ if ((rec == NULL) || (rec->used == 0)) {
+ errno = EINVAL;
+ return (-1); /* Invalid descriptor */
+ }
+
+ if (rec->len + tok->len + BSM_TRAILER_SIZE > MAX_AUDIT_RECORD_SIZE) {
+ errno = ENOMEM;
+ return (-1);
+ }
+
+ /* Add the token to the tail */
+ /*
+ * XXX Not locking here -- we should not be writing to
+ * XXX the same descriptor from different threads
+ */
+ TAILQ_INSERT_TAIL(&rec->token_q, tok, tokens);
+
+ rec->len += tok->len; /* grow record length by token size bytes */
+
+ /* Token should not be available after this call */
+ tok = NULL;
+ return (0); /* Success */
+}
+
+/*
+ * Assemble an audit record out of its tokens, including allocating header and
+ * trailer tokens. Does not free the token chain, which must be done by the
+ * caller if desirable.
+ *
+ * XXX: Assumes there is sufficient space for the header and trailer.
+ */
+static int
+au_assemble(au_record_t *rec, short event)
+{
+ token_t *header, *tok, *trailer;
+ size_t tot_rec_size;
+ u_char *dptr;
+ int error;
+
+ tot_rec_size = rec->len + BSM_HEADER_SIZE + BSM_TRAILER_SIZE;
+ header = au_to_header32(tot_rec_size, event, 0);
+ if (header == NULL)
+ return (-1);
+
+ trailer = au_to_trailer(tot_rec_size);
+ if (trailer == NULL) {
+ error = errno;
+ au_free_token(header);
+ errno = error;
+ return (-1);
+ }
+
+ TAILQ_INSERT_HEAD(&rec->token_q, header, tokens);
+ TAILQ_INSERT_TAIL(&rec->token_q, trailer, tokens);
+
+ rec->len = tot_rec_size;
+ dptr = rec->data;
+
+ TAILQ_FOREACH(tok, &rec->token_q, tokens) {
+ memcpy(dptr, tok->t_data, tok->len);
+ dptr += tok->len;
+ }
+
+ return (0);
+}
+
+/*
+ * Given a record that is no longer of interest, tear it down and convert to a
+ * free record.
+ */
+static void
+au_teardown(au_record_t *rec)
+{
+ token_t *tok;
+
+ /* Free the token list */
+ while ((tok = TAILQ_FIRST(&rec->token_q)) != NULL) {
+ TAILQ_REMOVE(&rec->token_q, tok, tokens);
+ free(tok->t_data);
+ free(tok);
+ }
+
+ rec->used = 0;
+ rec->len = 0;
+
+ pthread_mutex_lock(&mutex);
+
+ /* Add the record to the freelist tail */
+ LIST_INSERT_HEAD(&bsm_free_q, rec, au_rec_q);
+
+ pthread_mutex_unlock(&mutex);
+}
+
+/*
+ * Add the header token, identify any missing tokens. Write out the tokens to
+ * the record memory and finally, call audit.
+ */
+int au_close(int d, int keep, short event)
+{
+ au_record_t *rec;
+ size_t tot_rec_size;
+ int retval = 0;
+
+ rec = open_desc_table[d];
+ if ((rec == NULL) || (rec->used == 0)) {
+ errno = EINVAL;
+ return (-1); /* Invalid descriptor */
+ }
+
+ if (!keep) {
+ retval = 0;
+ goto cleanup;
+ }
+
+
+ tot_rec_size = rec->len + BSM_HEADER_SIZE + BSM_TRAILER_SIZE;
+
+ if (tot_rec_size > MAX_AUDIT_RECORD_SIZE) {
+ /*
+ * XXXRW: Since au_write() is supposed to prevent this, spew
+ * an error here.
+ */
+ fprintf(stderr, "au_close failed");
+ errno = ENOMEM;
+ retval = -1;
+ goto cleanup;
+ }
+
+ if (au_assemble(rec, event) < 0) {
+ /*
+ * XXXRW: This is also not supposed to happen, but might if we
+ * are unable to allocate header and trailer memory.
+ */
+ retval = -1;
+ goto cleanup;
+ }
+
+ /* Call the kernel interface to audit */
+ retval = audit(rec->data, rec->len);
+
+cleanup:
+ /* CLEANUP */
+ au_teardown(rec);
+ return (retval);
+}
+
+/*
+ * au_close(), except onto an in-memory buffer. Buffer size as an argument,
+ * record size returned via same argument on success.
+ */
+int
+au_close_buffer(int d, short event, u_char *buffer, size_t *buflen)
+{
+ size_t tot_rec_size;
+ au_record_t *rec;
+ int retval;
+
+ rec = open_desc_table[d];
+ if ((rec == NULL) || (rec->used == 0)) {
+ errno = EINVAL;
+ return (-1);
+ }
+
+ retval = 0;
+ tot_rec_size = rec->len + BSM_HEADER_SIZE + BSM_TRAILER_SIZE;
+ if ((tot_rec_size > MAX_AUDIT_RECORD_SIZE) ||
+ (tot_rec_size > *buflen)) {
+ /*
+ * XXXRW: See au_close() comment.
+ */
+ fprintf(stderr, "au_close_buffer failed %zd", tot_rec_size);
+ errno = ENOMEM;
+ retval = -1;
+ goto cleanup;
+ }
+
+ if (au_assemble(rec, event) < 0) {
+ /* XXXRW: See au_close() comment. */
+ retval = -1;
+ goto cleanup;
+ }
+
+ memcpy(buffer, rec->data, rec->len);
+ *buflen = rec->len;
+
+cleanup:
+ au_teardown(rec);
+ return (retval);
+}
diff --git a/contrib/openbsm/libbsm/bsm_class.c b/contrib/openbsm/libbsm/bsm_class.c
new file mode 100644
index 000000000000..5982d7e7c177
--- /dev/null
+++ b/contrib/openbsm/libbsm/bsm_class.c
@@ -0,0 +1,267 @@
+/*
+ * Copyright (c) 2004 Apple Computer, Inc.
+ * Copyright (c) 2006 Robert N. M. Watson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+ * its contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
+ * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_class.c#11 $
+ */
+
+#include <bsm/libbsm.h>
+
+#include <string.h>
+#include <pthread.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+/*
+ * Parse the contents of the audit_class file to return struct au_class_ent
+ * entries.
+ */
+static FILE *fp = NULL;
+static char linestr[AU_LINE_MAX];
+static const char *classdelim = ":";
+
+static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
+
+/*
+ * Parse a single line from the audit_class file passed in str to the struct
+ * au_class_ent elements; store the result in c.
+ */
+static struct au_class_ent *
+classfromstr(char *str, struct au_class_ent *c)
+{
+ char *classname, *classdesc, *classflag;
+ char *last;
+
+ /* Each line contains flag:name:desc. */
+ classflag = strtok_r(str, classdelim, &last);
+ classname = strtok_r(NULL, classdelim, &last);
+ classdesc = strtok_r(NULL, classdelim, &last);
+
+ if ((classflag == NULL) || (classname == NULL) || (classdesc == NULL))
+ return (NULL);
+
+ /*
+ * Check for very large classnames.
+ */
+ if (strlen(classname) >= AU_CLASS_NAME_MAX)
+ return (NULL);
+
+ strcpy(c->ac_name, classname);
+
+ /*
+ * Check for very large class description.
+ */
+ if (strlen(classdesc) >= AU_CLASS_DESC_MAX)
+ return (NULL);
+ strcpy(c->ac_desc, classdesc);
+ c->ac_class = strtoul(classflag, (char **) NULL, 0);
+
+ return (c);
+}
+
+/*
+ * Return the next au_class_ent structure from the file setauclass should be
+ * called before invoking this function for the first time.
+ *
+ * Must be called with mutex held.
+ */
+static struct au_class_ent *
+getauclassent_r_locked(struct au_class_ent *c)
+{
+ char *tokptr, *nl;
+
+ if ((fp == NULL) && ((fp = fopen(AUDIT_CLASS_FILE, "r")) == NULL))
+ return (NULL);
+
+ /*
+ * Read until next non-comment line is found, or EOF.
+ */
+ while (1) {
+ if (fgets(linestr, AU_LINE_MAX, fp) == NULL)
+ return (NULL);
+
+ /* Skip comments. */
+ if (linestr[0] == '#')
+ continue;
+
+ /* Remove trailing new line character. */
+ if ((nl = strrchr(linestr, '\n')) != NULL)
+ *nl = '\0';
+
+ /* Parse tokptr to au_class_ent components. */
+ tokptr = linestr;
+ if (classfromstr(tokptr, c) == NULL)
+ return (NULL);
+ break;
+ }
+
+ return (c);
+}
+
+struct au_class_ent *
+getauclassent_r(struct au_class_ent *c)
+{
+ struct au_class_ent *cp;
+
+ pthread_mutex_lock(&mutex);
+ cp = getauclassent_r_locked(c);
+ pthread_mutex_unlock(&mutex);
+ return (cp);
+}
+
+struct au_class_ent *
+getauclassent(void)
+{
+ static char class_ent_name[AU_CLASS_NAME_MAX];
+ static char class_ent_desc[AU_CLASS_DESC_MAX];
+ static struct au_class_ent c, *cp;
+
+ bzero(&c, sizeof(c));
+ bzero(class_ent_name, sizeof(class_ent_name));
+ bzero(class_ent_desc, sizeof(class_ent_desc));
+ c.ac_name = class_ent_name;
+ c.ac_desc = class_ent_desc;
+
+ pthread_mutex_lock(&mutex);
+ cp = getauclassent_r_locked(&c);
+ pthread_mutex_unlock(&mutex);
+ return (cp);
+}
+
+/*
+ * Rewind to the beginning of the enumeration.
+ *
+ * Must be called with mutex held.
+ */
+static void
+setauclass_locked(void)
+{
+
+ if (fp != NULL)
+ fseek(fp, 0, SEEK_SET);
+}
+
+void
+setauclass(void)
+{
+
+ pthread_mutex_lock(&mutex);
+ setauclass_locked();
+ pthread_mutex_unlock(&mutex);
+}
+
+/*
+ * Return the next au_class_entry having the given class name.
+ */
+struct au_class_ent *
+getauclassnam_r(struct au_class_ent *c, const char *name)
+{
+ struct au_class_ent *cp;
+
+ if (name == NULL)
+ return (NULL);
+
+ pthread_mutex_lock(&mutex);
+ setauclass_locked();
+ while ((cp = getauclassent_r_locked(c)) != NULL) {
+ if (strcmp(name, cp->ac_name) == 0) {
+ pthread_mutex_unlock(&mutex);
+ return (cp);
+ }
+ }
+ pthread_mutex_unlock(&mutex);
+ return (NULL);
+}
+
+struct au_class_ent *
+getauclassnam(const char *name)
+{
+ static char class_ent_name[AU_CLASS_NAME_MAX];
+ static char class_ent_desc[AU_CLASS_DESC_MAX];
+ static struct au_class_ent c;
+
+ bzero(&c, sizeof(c));
+ bzero(class_ent_name, sizeof(class_ent_name));
+ bzero(class_ent_desc, sizeof(class_ent_desc));
+ c.ac_name = class_ent_name;
+ c.ac_desc = class_ent_desc;
+
+ return (getauclassnam_r(&c, name));
+}
+
+
+/*
+ * Return the next au_class_entry having the given class number.
+ *
+ * OpenBSM extension.
+ */
+struct au_class_ent *
+getauclassnum_r(struct au_class_ent *c, au_class_t class_number)
+{
+ struct au_class_ent *cp;
+
+ pthread_mutex_lock(&mutex);
+ setauclass_locked();
+ while ((cp = getauclassent_r_locked(c)) != NULL) {
+ if (class_number == cp->ac_class)
+ return (cp);
+ }
+ pthread_mutex_unlock(&mutex);
+ return (NULL);
+}
+
+struct au_class_ent *
+getauclassnum(au_class_t class_number)
+{
+ static char class_ent_name[AU_CLASS_NAME_MAX];
+ static char class_ent_desc[AU_CLASS_DESC_MAX];
+ static struct au_class_ent c;
+
+ bzero(&c, sizeof(c));
+ bzero(class_ent_name, sizeof(class_ent_name));
+ bzero(class_ent_desc, sizeof(class_ent_desc));
+ c.ac_name = class_ent_name;
+ c.ac_desc = class_ent_desc;
+
+ return (getauclassnum_r(&c, class_number));
+}
+
+/*
+ * audit_class processing is complete; close any open files.
+ */
+void
+endauclass(void)
+{
+
+ pthread_mutex_lock(&mutex);
+ if (fp != NULL) {
+ fclose(fp);
+ fp = NULL;
+ }
+ pthread_mutex_unlock(&mutex);
+}
diff --git a/contrib/openbsm/libbsm/bsm_control.c b/contrib/openbsm/libbsm/bsm_control.c
new file mode 100644
index 000000000000..438082bca892
--- /dev/null
+++ b/contrib/openbsm/libbsm/bsm_control.c
@@ -0,0 +1,275 @@
+/*
+ * Copyright (c) 2004 Apple Computer, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+ * its contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
+ * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_control.c#13 $
+ */
+
+#include <bsm/libbsm.h>
+
+#include <errno.h>
+#include <string.h>
+#include <pthread.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+/*
+ * Parse the contents of the audit_control file to return the audit control
+ * parameters.
+ */
+static FILE *fp = NULL;
+static char linestr[AU_LINE_MAX];
+static char *delim = ":";
+
+static char inacdir = 0;
+static char ptrmoved = 0;
+
+static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
+
+/*
+ * Returns the string value corresponding to the given label from the
+ * configuration file.
+ *
+ * Must be called with mutex held.
+ */
+static int
+getstrfromtype_locked(char *name, char **str)
+{
+ char *type, *nl;
+ char *tokptr;
+ char *last;
+
+ *str = NULL;
+
+ if ((fp == NULL) && ((fp = fopen(AUDIT_CONTROL_FILE, "r")) == NULL))
+ return (-1); /* Error */
+
+ while (1) {
+ if (fgets(linestr, AU_LINE_MAX, fp) == NULL) {
+ if (ferror(fp))
+ return (-1);
+ return (0); /* EOF */
+ }
+
+ if (linestr[0] == '#')
+ continue;
+
+ /* Remove trailing new line character. */
+ if ((nl = strrchr(linestr, '\n')) != NULL)
+ *nl = '\0';
+
+ tokptr = linestr;
+ if ((type = strtok_r(tokptr, delim, &last)) != NULL) {
+ if (strcmp(name, type) == 0) {
+ /* Found matching name. */
+ *str = strtok_r(NULL, delim, &last);
+ if (*str == NULL) {
+ errno = EINVAL;
+ return (-1); /* Parse error in file */
+ }
+ return (0); /* Success */
+ }
+ }
+ }
+}
+
+/*
+ * Rewind the file pointer to beginning.
+ */
+void
+setac(void)
+{
+
+ pthread_mutex_lock(&mutex);
+ ptrmoved = 1;
+ if (fp != NULL)
+ fseek(fp, 0, SEEK_SET);
+ pthread_mutex_unlock(&mutex);
+}
+
+/*
+ * Close the audit_control file
+ */
+void
+endac(void)
+{
+
+ pthread_mutex_lock(&mutex);
+ ptrmoved = 1;
+ if (fp != NULL) {
+ fclose(fp);
+ fp = NULL;
+ }
+ pthread_mutex_unlock(&mutex);
+}
+
+/*
+ * Return audit directory information from the audit control file.
+ */
+int
+getacdir(char *name, int len)
+{
+ char *dir;
+ int ret = 0;
+
+ if (name == NULL) {
+ errno = EINVAL;
+ return (-2);
+ }
+
+ pthread_mutex_lock(&mutex);
+
+ /*
+ * Check if another function was called between
+ * successive calls to getacdir
+ */
+ if (inacdir && ptrmoved) {
+ ptrmoved = 0;
+ if (fp != NULL)
+ fseek(fp, 0, SEEK_SET);
+ ret = 2;
+ }
+
+
+ if (getstrfromtype_locked(DIR_CONTROL_ENTRY, &dir) < 0) {
+ pthread_mutex_unlock(&mutex);
+ return (-2);
+ }
+
+ pthread_mutex_unlock(&mutex);
+
+ if (dir == NULL)
+ return (-1);
+
+ if (strlen(dir) >= len)
+ return (-3);
+
+ strcpy(name, dir);
+
+ return (ret);
+}
+
+/*
+ * Return the minimum free diskspace value from the audit control file
+ */
+int
+getacmin(int *min_val)
+{
+ char *min;
+
+ setac();
+
+ if (min_val == NULL) {
+ errno = EINVAL;
+ return (-2);
+ }
+
+ pthread_mutex_lock(&mutex);
+
+ if (getstrfromtype_locked(MINFREE_CONTROL_ENTRY, &min) < 0) {
+ pthread_mutex_unlock(&mutex);
+ return (-2);
+ }
+
+ pthread_mutex_unlock(&mutex);
+
+ if (min == NULL)
+ return (1);
+
+ *min_val = atoi(min);
+
+ return (0);
+}
+
+/*
+ * Return the system audit value from the audit contol file.
+ */
+int
+getacflg(char *auditstr, int len)
+{
+ char *str;
+
+ setac();
+
+ if (auditstr == NULL) {
+ errno = EINVAL;
+ return (-2);
+ }
+
+ pthread_mutex_lock(&mutex);
+
+ if (getstrfromtype_locked(FLAGS_CONTROL_ENTRY, &str) < 0) {
+ pthread_mutex_unlock(&mutex);
+ return (-2);
+ }
+
+ pthread_mutex_unlock(&mutex);
+
+ if (str == NULL)
+ return (1);
+
+ if (strlen(str) >= len)
+ return (-3);
+
+ strcpy(auditstr, str);
+
+ return (0);
+}
+
+/*
+ * Return the non attributable flags from the audit contol file.
+ */
+int
+getacna(char *auditstr, int len)
+{
+ char *str;
+
+ setac();
+
+ if (auditstr == NULL) {
+ errno = EINVAL;
+ return (-2);
+ }
+
+ pthread_mutex_lock(&mutex);
+
+ if (getstrfromtype_locked(NA_CONTROL_ENTRY, &str) < 0) {
+ pthread_mutex_unlock(&mutex);
+ return (-2);
+ }
+ pthread_mutex_unlock(&mutex);
+
+ if (str == NULL)
+ return (1);
+
+ if (strlen(str) >= len)
+ return (-3);
+
+ strcpy(auditstr, str);
+
+ return (0);
+}
diff --git a/contrib/openbsm/libbsm/bsm_event.c b/contrib/openbsm/libbsm/bsm_event.c
new file mode 100644
index 000000000000..6e22e4c15b73
--- /dev/null
+++ b/contrib/openbsm/libbsm/bsm_event.c
@@ -0,0 +1,327 @@
+/*
+ * Copyright (c) 2004 Apple Computer, Inc.
+ * Copyright (c) 2006 Robert N. M. Watson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+ * its contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
+ * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_event.c#11 $
+ */
+
+#include <bsm/libbsm.h>
+
+#include <string.h>
+#include <pthread.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+/*
+ * Parse the contents of the audit_event file to return
+ * au_event_ent entries
+ */
+static FILE *fp = NULL;
+static char linestr[AU_LINE_MAX];
+static const char *eventdelim = ":";
+
+static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
+
+/*
+ * Parse one line from the audit_event file into the au_event_ent structure.
+ */
+static struct au_event_ent *
+eventfromstr(char *str, struct au_event_ent *e)
+{
+ char *evno, *evname, *evdesc, *evclass;
+ struct au_mask evmask;
+ char *last;
+
+ evno = strtok_r(str, eventdelim, &last);
+ evname = strtok_r(NULL, eventdelim, &last);
+ evdesc = strtok_r(NULL, eventdelim, &last);
+ evclass = strtok_r(NULL, eventdelim, &last);
+
+ if ((evno == NULL) || (evname == NULL) || (evdesc == NULL) ||
+ (evclass == NULL))
+ return (NULL);
+
+ if (strlen(evname) >= AU_EVENT_NAME_MAX)
+ return (NULL);
+
+ strcpy(e->ae_name, evname);
+ if (strlen(evdesc) >= AU_EVENT_DESC_MAX)
+ return (NULL);
+ strcpy(e->ae_desc, evdesc);
+
+ e->ae_number = atoi(evno);
+
+ /*
+ * Find out the mask that corresponds to the given list of classes.
+ */
+ if (getauditflagsbin(evclass, &evmask) != 0)
+ e->ae_class = AU_NULL;
+ else
+ e->ae_class = evmask.am_success;
+
+ return (e);
+}
+
+/*
+ * Rewind the audit_event file.
+ */
+static void
+setauevent_locked(void)
+{
+
+ if (fp != NULL)
+ fseek(fp, 0, SEEK_SET);
+}
+
+void
+setauevent(void)
+{
+
+ pthread_mutex_lock(&mutex);
+ setauevent_locked();
+ pthread_mutex_unlock(&mutex);
+}
+
+/*
+ * Close the open file pointers.
+ */
+void
+endauevent(void)
+{
+
+ pthread_mutex_lock(&mutex);
+ if (fp != NULL) {
+ fclose(fp);
+ fp = NULL;
+ }
+ pthread_mutex_unlock(&mutex);
+}
+
+/*
+ * Enumerate the au_event_ent entries.
+ */
+static struct au_event_ent *
+getauevent_r_locked(struct au_event_ent *e)
+{
+ char *nl;
+
+ if ((fp == NULL) && ((fp = fopen(AUDIT_EVENT_FILE, "r")) == NULL))
+ return (NULL);
+
+ while (1) {
+ if (fgets(linestr, AU_LINE_MAX, fp) == NULL)
+ return (NULL);
+
+ /* Remove new lines. */
+ if ((nl = strrchr(linestr, '\n')) != NULL)
+ *nl = '\0';
+
+ /* Skip comments. */
+ if (linestr[0] == '#')
+ continue;
+
+ /* Get the next event structure. */
+ if (eventfromstr(linestr, e) == NULL)
+ return (NULL);
+ break;
+ }
+
+ return (e);
+}
+
+struct au_event_ent *
+getauevent_r(struct au_event_ent *e)
+{
+ struct au_event_ent *ep;
+
+ pthread_mutex_lock(&mutex);
+ ep = getauevent_r_locked(e);
+ pthread_mutex_unlock(&mutex);
+ return (ep);
+}
+
+struct au_event_ent *
+getauevent(void)
+{
+ static char event_ent_name[AU_EVENT_NAME_MAX];
+ static char event_ent_desc[AU_EVENT_DESC_MAX];
+ static struct au_event_ent e;
+
+ bzero(&e, sizeof(e));
+ bzero(event_ent_name, sizeof(event_ent_name));
+ bzero(event_ent_desc, sizeof(event_ent_desc));
+ e.ae_name = event_ent_name;
+ e.ae_desc = event_ent_desc;
+ return (getauevent_r(&e));
+}
+
+/*
+ * Search for an audit event structure having the given event name.
+ *
+ * XXXRW: Why accept NULL name?
+ */
+static struct au_event_ent *
+getauevnam_r_locked(struct au_event_ent *e, const char *name)
+{
+ char *nl;
+
+ if (name == NULL)
+ return (NULL);
+
+ /* Rewind to beginning of the file. */
+ setauevent_locked();
+
+ if ((fp == NULL) && ((fp = fopen(AUDIT_EVENT_FILE, "r")) == NULL))
+ return (NULL);
+
+ while (fgets(linestr, AU_LINE_MAX, fp) != NULL) {
+ /* Remove new lines. */
+ if ((nl = strrchr(linestr, '\n')) != NULL)
+ *nl = '\0';
+
+ if (eventfromstr(linestr, e) != NULL) {
+ if (strcmp(name, e->ae_name) == 0)
+ return (e);
+ }
+ }
+
+ return (NULL);
+}
+
+struct au_event_ent *
+getauevnam_r(struct au_event_ent *e, const char *name)
+{
+ struct au_event_ent *ep;
+
+ pthread_mutex_lock(&mutex);
+ ep = getauevnam_r_locked(e, name);
+ pthread_mutex_unlock(&mutex);
+ return (ep);
+}
+
+struct au_event_ent *
+getauevnam(const char *name)
+{
+ static char event_ent_name[AU_EVENT_NAME_MAX];
+ static char event_ent_desc[AU_EVENT_DESC_MAX];
+ static struct au_event_ent e;
+
+ bzero(&e, sizeof(e));
+ bzero(event_ent_name, sizeof(event_ent_name));
+ bzero(event_ent_desc, sizeof(event_ent_desc));
+ e.ae_name = event_ent_name;
+ e.ae_desc = event_ent_desc;
+ return (getauevnam_r(&e, name));
+}
+
+/*
+ * Search for an audit event structure having the given event number.
+ */
+static struct au_event_ent *
+getauevnum_r_locked(struct au_event_ent *e, au_event_t event_number)
+{
+ char *nl;
+
+ /* Rewind to beginning of the file. */
+ setauevent_locked();
+
+ if ((fp == NULL) && ((fp = fopen(AUDIT_EVENT_FILE, "r")) == NULL))
+ return (NULL);
+
+ while (fgets(linestr, AU_LINE_MAX, fp) != NULL) {
+ /* Remove new lines. */
+ if ((nl = strrchr(linestr, '\n')) != NULL)
+ *nl = '\0';
+
+ if (eventfromstr(linestr, e) != NULL) {
+ if (event_number == e->ae_number)
+ return (e);
+ }
+ }
+
+ return (NULL);
+}
+
+struct au_event_ent *
+getauevnum_r(struct au_event_ent *e, au_event_t event_number)
+{
+ struct au_event_ent *ep;
+
+ pthread_mutex_lock(&mutex);
+ ep = getauevnum_r_locked(e, event_number);
+ pthread_mutex_unlock(&mutex);
+ return (ep);
+}
+
+struct au_event_ent *
+getauevnum(au_event_t event_number)
+{
+ static char event_ent_name[AU_EVENT_NAME_MAX];
+ static char event_ent_desc[AU_EVENT_DESC_MAX];
+ static struct au_event_ent e;
+
+ bzero(&e, sizeof(e));
+ bzero(event_ent_name, sizeof(event_ent_name));
+ bzero(event_ent_desc, sizeof(event_ent_desc));
+ e.ae_name = event_ent_name;
+ e.ae_desc = event_ent_desc;
+ return (getauevnum_r(&e, event_number));
+}
+
+/*
+ * Search for an audit_event entry with a given event_name and returns the
+ * corresponding event number.
+ */
+au_event_t *
+getauevnonam_r(au_event_t *ev, const char *event_name)
+{
+ static char event_ent_name[AU_EVENT_NAME_MAX];
+ static char event_ent_desc[AU_EVENT_DESC_MAX];
+ static struct au_event_ent e, *ep;
+
+ bzero(event_ent_name, sizeof(event_ent_name));
+ bzero(event_ent_desc, sizeof(event_ent_desc));
+ bzero(&e, sizeof(e));
+ e.ae_name = event_ent_name;
+ e.ae_desc = event_ent_desc;
+
+ ep = getauevnam_r(&e, event_name);
+ if (ep == NULL)
+ return (NULL);
+
+ *ev = e.ae_number;
+ return (ev);
+}
+
+au_event_t *
+getauevnonam(const char *event_name)
+{
+ static au_event_t event;
+
+ return (getauevnonam_r(&event, event_name));
+}
diff --git a/contrib/openbsm/libbsm/bsm_flags.c b/contrib/openbsm/libbsm/bsm_flags.c
new file mode 100644
index 000000000000..e514c86080f4
--- /dev/null
+++ b/contrib/openbsm/libbsm/bsm_flags.c
@@ -0,0 +1,176 @@
+/*
+ * Copyright (c) 2004 Apple Computer, Inc.
+ * Copyright (c) 2006 Robert N. M. Watson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+ * its contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
+ * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_flags.c#13 $
+ */
+
+#include <bsm/libbsm.h>
+
+#include <errno.h>
+#include <stdio.h>
+#include <string.h>
+
+static const char *flagdelim = ",";
+
+/*
+ * Convert the character representation of audit values into the au_mask_t
+ * field.
+ */
+int
+getauditflagsbin(char *auditstr, au_mask_t *masks)
+{
+ char class_ent_name[AU_CLASS_NAME_MAX];
+ char class_ent_desc[AU_CLASS_DESC_MAX];
+ struct au_class_ent c;
+ char *tok;
+ char sel, sub;
+ char *last;
+
+ bzero(&c, sizeof(c));
+ bzero(class_ent_name, sizeof(class_ent_name));
+ bzero(class_ent_desc, sizeof(class_ent_desc));
+ c.ac_name = class_ent_name;
+ c.ac_desc = class_ent_desc;
+
+ masks->am_success = 0;
+ masks->am_failure = 0;
+
+ tok = strtok_r(auditstr, flagdelim, &last);
+ while (tok != NULL) {
+ /* Check for the events that should not be audited. */
+ if (tok[0] == '^') {
+ sub = 1;
+ tok++;
+ } else
+ sub = 0;
+
+ /* Check for the events to be audited for success. */
+ if (tok[0] == '+') {
+ sel = AU_PRS_SUCCESS;
+ tok++;
+ } else if (tok[0] == '-') {
+ sel = AU_PRS_FAILURE;
+ tok++;
+ } else
+ sel = AU_PRS_BOTH;
+
+ if ((getauclassnam_r(&c, tok)) != NULL) {
+ if (sub)
+ SUB_FROM_MASK(masks, c.ac_class, sel);
+ else
+ ADD_TO_MASK(masks, c.ac_class, sel);
+ } else {
+ errno = EINVAL;
+ return (-1);
+ }
+
+ /* Get the next class. */
+ tok = strtok_r(NULL, flagdelim, &last);
+ }
+ return (0);
+}
+
+/*
+ * Convert the au_mask_t fields into a string value. If verbose is non-zero
+ * the long flag names are used else the short (2-character)flag names are
+ * used.
+ *
+ * XXXRW: If bits are specified that are not matched by any class, they are
+ * omitted rather than rejected with EINVAL.
+ *
+ * XXXRW: This is not thread-safe as it relies on atomicity between
+ * setauclass() and sequential calls to getauclassent(). This could be
+ * fixed by iterating through the bitmask fields rather than iterating
+ * through the classes.
+ */
+int
+getauditflagschar(char *auditstr, au_mask_t *masks, int verbose)
+{
+ char class_ent_name[AU_CLASS_NAME_MAX];
+ char class_ent_desc[AU_CLASS_DESC_MAX];
+ struct au_class_ent c;
+ char *strptr = auditstr;
+ u_char sel;
+
+ bzero(&c, sizeof(c));
+ bzero(class_ent_name, sizeof(class_ent_name));
+ bzero(class_ent_desc, sizeof(class_ent_desc));
+ c.ac_name = class_ent_name;
+ c.ac_desc = class_ent_desc;
+
+ /*
+ * Enumerate the class entries, check if each is selected in either
+ * the success or failure masks.
+ */
+ setauclass();
+ while ((getauclassent_r(&c)) != NULL) {
+ sel = 0;
+
+ /* Dont do anything for class = no. */
+ if (c.ac_class == 0)
+ continue;
+
+ sel |= ((c.ac_class & masks->am_success) == c.ac_class) ?
+ AU_PRS_SUCCESS : 0;
+ sel |= ((c.ac_class & masks->am_failure) == c.ac_class) ?
+ AU_PRS_FAILURE : 0;
+
+ /*
+ * No prefix should be attached if both success and failure
+ * are selected.
+ */
+ if ((sel & AU_PRS_BOTH) == 0) {
+ if ((sel & AU_PRS_SUCCESS) != 0) {
+ *strptr = '+';
+ strptr = strptr + 1;
+ } else if ((sel & AU_PRS_FAILURE) != 0) {
+ *strptr = '-';
+ strptr = strptr + 1;
+ }
+ }
+
+ if (sel != 0) {
+ if (verbose) {
+ strcpy(strptr, c.ac_desc);
+ strptr += strlen(c.ac_desc);
+ } else {
+ strcpy(strptr, c.ac_name);
+ strptr += strlen(c.ac_name);
+ }
+ *strptr = ','; /* delimiter */
+ strptr = strptr + 1;
+ }
+ }
+
+ /* Overwrite the last delimiter with the string terminator. */
+ if (strptr != auditstr)
+ *(strptr-1) = '\0';
+
+ return (0);
+}
diff --git a/contrib/openbsm/libbsm/bsm_io.c b/contrib/openbsm/libbsm/bsm_io.c
new file mode 100644
index 000000000000..bfdd366a994c
--- /dev/null
+++ b/contrib/openbsm/libbsm/bsm_io.c
@@ -0,0 +1,2831 @@
+/*
+ * Copyright (c) 2004 Apple Computer, Inc.
+ * Copyright (c) 2005 SPARTA, Inc.
+ * Copyright (c) 2006 Robert N. M. Watson
+ * All rights reserved.
+ *
+ * This code was developed in part by Robert N. M. Watson, Senior Principal
+ * Scientist, SPARTA, Inc.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+ * its contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
+ * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_io.c#29 $
+ */
+
+#include <sys/types.h>
+#ifdef __APPLE__
+#include <compat/endian.h>
+#else /* !__APPLE__ */
+#include <sys/endian.h>
+#endif /* __APPLE__*/
+#include <sys/stat.h>
+#include <sys/socket.h>
+
+#include <bsm/libbsm.h>
+
+#include <unistd.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <errno.h>
+#include <time.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <pwd.h>
+#include <grp.h>
+
+#include <bsm/audit_internal.h>
+
+#define READ_TOKEN_BYTES(buf, len, dest, size, bytesread, err) do { \
+ if (bytesread + size > len) { \
+ err = 1; \
+ } else { \
+ memcpy(dest, buf + bytesread, size); \
+ bytesread += size; \
+ } \
+} while (0)
+
+#define READ_TOKEN_U_CHAR(buf, len, dest, bytesread, err) do { \
+ if (bytesread + sizeof(u_char) <= len) { \
+ dest = buf[bytesread]; \
+ bytesread += sizeof(u_char); \
+ } else \
+ err = 1; \
+} while (0)
+
+#define READ_TOKEN_U_INT16(buf, len, dest, bytesread, err) do { \
+ if (bytesread + sizeof(u_int16_t) <= len) { \
+ dest = be16dec(buf + bytesread); \
+ bytesread += sizeof(u_int16_t); \
+ } else \
+ err = 1; \
+} while (0)
+
+#define READ_TOKEN_U_INT32(buf, len, dest, bytesread, err) do { \
+ if (bytesread + sizeof(u_int32_t) <= len) { \
+ dest = be32dec(buf + bytesread); \
+ bytesread += sizeof(u_int32_t); \
+ } else \
+ err = 1; \
+} while (0)
+
+#define READ_TOKEN_U_INT64(buf, len, dest, bytesread, err) do { \
+ if (bytesread + sizeof(u_int64_t) <= len) { \
+ dest = be64dec(buf + bytesread); \
+ bytesread += sizeof(u_int64_t); \
+ } else \
+ err = 1; \
+} while (0)
+
+#define SET_PTR(buf, len, ptr, size, bytesread, err) do { \
+ if ((bytesread) + (size) > (len)) \
+ (err) = 1; \
+ else { \
+ (ptr) = (buf) + (bytesread); \
+ (bytesread) += (size); \
+ } \
+} while (0)
+
+/*
+ * Prints the delimiter string.
+ */
+static void
+print_delim(FILE *fp, const char *del)
+{
+
+ fprintf(fp, "%s", del);
+}
+
+/*
+ * Prints a single byte in the given format.
+ */
+static void
+print_1_byte(FILE *fp, u_char val, const char *format)
+{
+
+ fprintf(fp, format, val);
+}
+
+/*
+ * Print 2 bytes in the given format.
+ */
+static void
+print_2_bytes(FILE *fp, u_int16_t val, const char *format)
+{
+
+ fprintf(fp, format, val);
+}
+
+/*
+ * Prints 4 bytes in the given format.
+ */
+static void
+print_4_bytes(FILE *fp, u_int32_t val, const char *format)
+{
+
+ fprintf(fp, format, val);
+}
+
+/*
+ * Prints 8 bytes in the given format.
+ */
+static void
+print_8_bytes(FILE *fp, u_int64_t val, const char *format)
+{
+
+ fprintf(fp, format, val);
+}
+
+/*
+ * Prints the given size of data bytes in hex.
+ */
+static void
+print_mem(FILE *fp, u_char *data, size_t len)
+{
+ int i;
+
+ if (len > 0) {
+ fprintf(fp, "0x");
+ for (i = 0; i < len; i++)
+ fprintf(fp, "%x", data[i]);
+ }
+}
+
+/*
+ * Prints the given data bytes as a string.
+ */
+static void
+print_string(FILE *fp, u_char *str, size_t len)
+{
+ int i;
+
+ if (len > 0) {
+ for (i = 0; i < len; i++) {
+ if (str[i] != '\0')
+ fprintf(fp, "%c", str[i]);
+ }
+ }
+}
+
+/*
+ * Prints the token type in either the raw or the default form.
+ */
+static void
+print_tok_type(FILE *fp, u_char type, const char *tokname, char raw)
+{
+
+ if (raw)
+ fprintf(fp, "%u", type);
+ else
+ fprintf(fp, "%s", tokname);
+}
+
+/*
+ * Prints a user value.
+ */
+static void
+print_user(FILE *fp, u_int32_t usr, char raw)
+{
+ struct passwd *pwent;
+
+ if (raw)
+ fprintf(fp, "%d", usr);
+ else {
+ pwent = getpwuid(usr);
+ if (pwent != NULL)
+ fprintf(fp, "%s", pwent->pw_name);
+ else
+ fprintf(fp, "%d", usr);
+ }
+}
+
+/*
+ * Prints a group value.
+ */
+static void
+print_group(FILE *fp, u_int32_t grp, char raw)
+{
+ struct group *grpent;
+
+ if (raw)
+ fprintf(fp, "%d", grp);
+ else {
+ grpent = getgrgid(grp);
+ if (grpent != NULL)
+ fprintf(fp, "%s", grpent->gr_name);
+ else
+ fprintf(fp, "%d", grp);
+ }
+}
+
+/*
+ * Prints the event from the header token in either the short, default or raw
+ * form.
+ */
+static void
+print_event(FILE *fp, u_int16_t ev, char raw, char sfrm)
+{
+ char event_ent_name[AU_EVENT_NAME_MAX];
+ char event_ent_desc[AU_EVENT_DESC_MAX];
+ struct au_event_ent e, *ep;
+
+ bzero(&e, sizeof(e));
+ bzero(event_ent_name, sizeof(event_ent_name));
+ bzero(event_ent_desc, sizeof(event_ent_desc));
+ e.ae_name = event_ent_name;
+ e.ae_desc = event_ent_desc;
+
+ ep = getauevnum_r(&e, ev);
+ if (ep == NULL) {
+ fprintf(fp, "%u", ev);
+ return;
+ }
+
+ if (raw)
+ fprintf(fp, "%u", ev);
+ else if (sfrm)
+ fprintf(fp, "%s", e.ae_name);
+ else
+ fprintf(fp, "%s", e.ae_desc);
+}
+
+
+/*
+ * Prints the event modifier from the header token in either the default or
+ * raw form.
+ */
+static void
+print_evmod(FILE *fp, u_int16_t evmod, char raw)
+{
+ if (raw)
+ fprintf(fp, "%u", evmod);
+ else
+ fprintf(fp, "%u", evmod);
+}
+
+/*
+ * Prints seconds in the ctime format.
+ */
+static void
+print_sec32(FILE *fp, u_int32_t sec, char raw)
+{
+ time_t timestamp;
+ char timestr[26];
+
+ if (raw)
+ fprintf(fp, "%u", sec);
+ else {
+ timestamp = (time_t)sec;
+ ctime_r(&timestamp, timestr);
+ timestr[24] = '\0'; /* No new line */
+ fprintf(fp, "%s", timestr);
+ }
+}
+
+/*
+ * XXXRW: 64-bit token streams make use of 64-bit time stamps; since we
+ * assume a 32-bit time_t, we simply truncate for now.
+ */
+static void
+print_sec64(FILE *fp, u_int64_t sec, char raw)
+{
+ time_t timestamp;
+ char timestr[26];
+
+ if (raw)
+ fprintf(fp, "%u", (u_int32_t)sec);
+ else {
+ timestamp = (time_t)sec;
+ ctime_r(&timestamp, timestr);
+ timestr[24] = '\0'; /* No new line */
+ fprintf(fp, "%s", timestr);
+ }
+}
+
+/*
+ * Prints the excess milliseconds.
+ */
+static void
+print_msec32(FILE *fp, u_int32_t msec, char raw)
+{
+ if (raw)
+ fprintf(fp, "%u", msec);
+ else
+ fprintf(fp, " + %u msec", msec);
+}
+
+/*
+ * XXXRW: 64-bit token streams make use of 64-bit time stamps; since we assume
+ * a 32-bit msec, we simply truncate for now.
+ */
+static void
+print_msec64(FILE *fp, u_int64_t msec, char raw)
+{
+
+ msec &= 0xffffffff;
+ if (raw)
+ fprintf(fp, "%u", (u_int32_t)msec);
+ else
+ fprintf(fp, " + %u msec", (u_int32_t)msec);
+}
+
+/*
+ * Prints a dotted form for the IP address.
+ */
+static void
+print_ip_address(FILE *fp, u_int32_t ip)
+{
+ struct in_addr ipaddr;
+
+ ipaddr.s_addr = ip;
+ fprintf(fp, "%s", inet_ntoa(ipaddr));
+}
+
+/*
+ * Prints a string value for the given ip address.
+ */
+static void
+print_ip_ex_address(FILE *fp, u_int32_t type, u_int32_t *ipaddr)
+{
+ struct in_addr ipv4;
+ struct in6_addr ipv6;
+ char dst[INET6_ADDRSTRLEN];
+
+ switch (type) {
+ case AU_IPv4:
+ ipv4.s_addr = (in_addr_t)(ipaddr[0]);
+ fprintf(fp, "%s", inet_ntop(AF_INET, &ipv4, dst,
+ INET6_ADDRSTRLEN));
+ break;
+
+ case AU_IPv6:
+ ipv6.__u6_addr.__u6_addr32[0] = ipaddr[0];
+ ipv6.__u6_addr.__u6_addr32[1] = ipaddr[1];
+ ipv6.__u6_addr.__u6_addr32[2] = ipaddr[2];
+ ipv6.__u6_addr.__u6_addr32[3] = ipaddr[3];
+ fprintf(fp, "%s", inet_ntop(AF_INET6, &ipv6, dst,
+ INET6_ADDRSTRLEN));
+ break;
+
+ default:
+ fprintf(fp, "invalid");
+ }
+}
+
+/*
+ * Prints return value as success or failure.
+ */
+static void
+print_retval(FILE *fp, u_char status, char raw)
+{
+ if (raw)
+ fprintf(fp, "%u", status);
+ else {
+ if (status == 0)
+ fprintf(fp, "success");
+ else
+ fprintf(fp, "failure : %s", strerror(status));
+ }
+}
+
+/*
+ * Prints the exit value.
+ */
+static void
+print_errval(FILE *fp, u_int32_t val)
+{
+
+ fprintf(fp, "Error %u", val);
+}
+
+/*
+ * Prints IPC type.
+ */
+static void
+print_ipctype(FILE *fp, u_char type, char raw)
+{
+ if (raw)
+ fprintf(fp, "%u", type);
+ else {
+ if (type == AT_IPC_MSG)
+ fprintf(fp, "Message IPC");
+ else if (type == AT_IPC_SEM)
+ fprintf(fp, "Semaphore IPC");
+ else if (type == AT_IPC_SHM)
+ fprintf(fp, "Shared Memory IPC");
+ else
+ fprintf(fp, "%u", type);
+ }
+}
+
+/*
+ * record byte count 4 bytes
+ * version # 1 byte [2]
+ * event type 2 bytes
+ * event modifier 2 bytes
+ * seconds of time 4 bytes/8 bytes (32-bit/64-bit value)
+ * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value)
+ */
+static int
+fetch_header32_tok(tokenstr_t *tok, char *buf, int len)
+{
+ int err = 0;
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.size, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr32.version, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32.e_type, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32.e_mod, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.s, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.ms, tok->len, err);
+ if (err)
+ return (-1);
+
+ return (0);
+}
+
+static void
+print_header32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm)
+{
+
+ print_tok_type(fp, tok->id, "header", raw);
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.hdr32.size, "%u");
+ print_delim(fp, del);
+ print_1_byte(fp, tok->tt.hdr32.version, "%u");
+ print_delim(fp, del);
+ print_event(fp, tok->tt.hdr32.e_type, raw, sfrm);
+ print_delim(fp, del);
+ print_evmod(fp, tok->tt.hdr32.e_mod, raw);
+ print_delim(fp, del);
+ print_sec32(fp, tok->tt.hdr32.s, raw);
+ print_delim(fp, del);
+ print_msec32(fp, tok->tt.hdr32.ms, raw);
+}
+
+/*
+ * The Solaris specifications for AUE_HEADER32_EX seem to differ a bit
+ * depending on the bit of the specifications found. The OpenSolaris source
+ * code uses a 4-byte address length, followed by some number of bytes of
+ * address data. This contrasts with the Solaris audit.log.5 man page, which
+ * specifies a 1-byte length field. We use the Solaris 10 definition so that
+ * we can parse audit trails from that system.
+ *
+ * record byte count 4 bytes
+ * version # 1 byte [2]
+ * event type 2 bytes
+ * event modifier 2 bytes
+ * address type/length 4 bytes
+ * [ Solaris man page: address type/length 1 byte]
+ * machine address 4 bytes/16 bytes (IPv4/IPv6 address)
+ * seconds of time 4 bytes/8 bytes (32/64-bits)
+ * nanoseconds of time 4 bytes/8 bytes (32/64-bits)
+ */
+static int
+fetch_header32_ex_tok(tokenstr_t *tok, char *buf, int len)
+{
+ int err = 0;
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.size, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr32_ex.version, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32_ex.e_type, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32_ex.e_mod, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.ad_type, tok->len, err);
+ if (err)
+ return (-1);
+
+ bzero(tok->tt.hdr32_ex.addr, sizeof(tok->tt.hdr32_ex.addr));
+ switch (tok->tt.hdr32_ex.ad_type) {
+ case AU_IPv4:
+ READ_TOKEN_BYTES(buf, len, &tok->tt.hdr32_ex.addr[0],
+ sizeof(tok->tt.hdr32_ex.addr[0]), tok->len, err);
+ if (err)
+ return (-1);
+ break;
+
+ case AU_IPv6:
+ READ_TOKEN_BYTES(buf, len, tok->tt.hdr32_ex.addr,
+ sizeof(tok->tt.hdr32_ex.addr), tok->len, err);
+ break;
+ }
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.s, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.ms, tok->len, err);
+ if (err)
+ return (-1);
+
+ return (0);
+}
+
+static void
+print_header32_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+ char sfrm)
+{
+
+ print_tok_type(fp, tok->id, "header_ex", raw);
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.hdr32_ex.size, "%u");
+ print_delim(fp, del);
+ print_1_byte(fp, tok->tt.hdr32_ex.version, "%u");
+ print_delim(fp, del);
+ print_event(fp, tok->tt.hdr32_ex.e_type, raw, sfrm);
+ print_delim(fp, del);
+ print_evmod(fp, tok->tt.hdr32_ex.e_mod, raw);
+ print_delim(fp, del);
+ print_ip_ex_address(fp, tok->tt.hdr32_ex.ad_type,
+ tok->tt.hdr32_ex.addr);
+ print_delim(fp, del);
+ print_sec32(fp, tok->tt.hdr32_ex.s, raw);
+ print_delim(fp, del);
+ print_msec32(fp, tok->tt.hdr32_ex.ms, raw);
+}
+
+/*
+ * record byte count 4 bytes
+ * event type 2 bytes
+ * event modifier 2 bytes
+ * seconds of time 4 bytes/8 bytes (32-bit/64-bit value)
+ * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value)
+ * version #
+ */
+static int
+fetch_header64_tok(tokenstr_t *tok, char *buf, int len)
+{
+ int err = 0;
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64.size, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr64.version, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64.e_type, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64.e_mod, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64.s, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64.ms, tok->len, err);
+ if (err)
+ return (-1);
+
+ return (0);
+}
+
+static void
+print_header64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm)
+{
+
+ print_tok_type(fp, tok->id, "header", raw);
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.hdr64.size, "%u");
+ print_delim(fp, del);
+ print_1_byte(fp, tok->tt.hdr64.version, "%u");
+ print_delim(fp, del);
+ print_event(fp, tok->tt.hdr64.e_type, raw, sfrm);
+ print_delim(fp, del);
+ print_evmod(fp, tok->tt.hdr64.e_mod, raw);
+ print_delim(fp, del);
+ print_sec64(fp, tok->tt.hdr64.s, raw);
+ print_delim(fp, del);
+ print_msec64(fp, tok->tt.hdr64.ms, raw);
+}
+/*
+ * record byte count 4 bytes
+ * version # 1 byte [2]
+ * event type 2 bytes
+ * event modifier 2 bytes
+ * address type/length 4 bytes
+ * [ Solaris man page: address type/length 1 byte]
+ * machine address 4 bytes/16 bytes (IPv4/IPv6 address)
+ * seconds of time 4 bytes/8 bytes (32/64-bits)
+ * nanoseconds of time 4 bytes/8 bytes (32/64-bits)
+ *
+ * XXXAUDIT: See comment by fetch_header32_ex_tok() for details on the
+ * accuracy of the BSM spec.
+ */
+static int
+fetch_header64_ex_tok(tokenstr_t *tok, char *buf, int len)
+{
+ int err = 0;
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64_ex.size, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr64_ex.version, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64_ex.e_type, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64_ex.e_mod, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64_ex.ad_type, tok->len, err);
+ if (err)
+ return (-1);
+
+ bzero(tok->tt.hdr64_ex.addr, sizeof(tok->tt.hdr64_ex.addr));
+ switch (tok->tt.hdr64_ex.ad_type) {
+ case AU_IPv4:
+ READ_TOKEN_BYTES(buf, len, &tok->tt.hdr64_ex.addr[0],
+ sizeof(tok->tt.hdr64_ex.addr[0]), tok->len, err);
+ if (err)
+ return (-1);
+ break;
+
+ case AU_IPv6:
+ READ_TOKEN_BYTES(buf, len, tok->tt.hdr64_ex.addr,
+ sizeof(tok->tt.hdr64_ex.addr), tok->len, err);
+ break;
+ }
+
+ READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64_ex.s, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64_ex.ms, tok->len, err);
+ if (err)
+ return (-1);
+
+ return (0);
+}
+
+static void
+print_header64_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm)
+{
+
+ print_tok_type(fp, tok->id, "header_ex", raw);
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.hdr64_ex.size, "%u");
+ print_delim(fp, del);
+ print_1_byte(fp, tok->tt.hdr64_ex.version, "%u");
+ print_delim(fp, del);
+ print_event(fp, tok->tt.hdr64_ex.e_type, raw, sfrm);
+ print_delim(fp, del);
+ print_evmod(fp, tok->tt.hdr64_ex.e_mod, raw);
+ print_delim(fp, del);
+ print_ip_ex_address(fp, tok->tt.hdr64_ex.ad_type,
+ tok->tt.hdr64_ex.addr);
+ print_delim(fp, del);
+ print_sec64(fp, tok->tt.hdr64_ex.s, raw);
+ print_delim(fp, del);
+ print_msec64(fp, tok->tt.hdr64_ex.ms, raw);
+}
+
+/*
+ * trailer magic 2 bytes
+ * record size 4 bytes
+ */
+static int
+fetch_trailer_tok(tokenstr_t *tok, char *buf, int len)
+{
+ int err = 0;
+
+ READ_TOKEN_U_INT16(buf, len, tok->tt.trail.magic, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.trail.count, tok->len, err);
+ if (err)
+ return (-1);
+
+ return (0);
+}
+
+static void
+print_trailer_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+ __unused char sfrm)
+{
+
+ print_tok_type(fp, tok->id, "trailer", raw);
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.trail.count, "%u");
+}
+
+/*
+ * argument # 1 byte
+ * argument value 4 bytes/8 bytes (32-bit/64-bit value)
+ * text length 2 bytes
+ * text N bytes + 1 terminating NULL byte
+ */
+static int
+fetch_arg32_tok(tokenstr_t *tok, char *buf, int len)
+{
+ int err = 0;
+
+ READ_TOKEN_U_CHAR(buf, len, tok->tt.arg32.no, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.arg32.val, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT16(buf, len, tok->tt.arg32.len, tok->len, err);
+ if (err)
+ return (-1);
+
+ SET_PTR(buf, len, tok->tt.arg32.text, tok->tt.arg32.len, tok->len,
+ err);
+ if (err)
+ return (-1);
+
+ return (0);
+}
+
+static void
+print_arg32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+ __unused char sfrm)
+{
+
+ print_tok_type(fp, tok->id, "argument", raw);
+ print_delim(fp, del);
+ print_1_byte(fp, tok->tt.arg32.no, "%u");
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.arg32.val, "%#x");
+ print_delim(fp, del);
+ print_string(fp, tok->tt.arg32.text, tok->tt.arg32.len);
+}
+
+static int
+fetch_arg64_tok(tokenstr_t *tok, char *buf, int len)
+{
+ int err = 0;
+
+ READ_TOKEN_U_CHAR(buf, len, tok->tt.arg64.no, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT64(buf, len, tok->tt.arg64.val, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT16(buf, len, tok->tt.arg64.len, tok->len, err);
+ if (err)
+ return (-1);
+
+ SET_PTR(buf, len, tok->tt.arg64.text, tok->tt.arg64.len, tok->len,
+ err);
+ if (err)
+ return (-1);
+
+ return (0);
+}
+
+static void
+print_arg64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+ __unused char sfrm)
+{
+
+ print_tok_type(fp, tok->id, "argument", raw);
+ print_delim(fp, del);
+ print_1_byte(fp, tok->tt.arg64.no, "%u");
+ print_delim(fp, del);
+ print_8_bytes(fp, tok->tt.arg64.val, "%#llx");
+ print_delim(fp, del);
+ print_string(fp, tok->tt.arg64.text, tok->tt.arg64.len);
+}
+
+/*
+ * how to print 1 byte
+ * basic unit 1 byte
+ * unit count 1 byte
+ * data items (depends on basic unit)
+ */
+static int
+fetch_arb_tok(tokenstr_t *tok, char *buf, int len)
+{
+ int err = 0;
+ int datasize;
+
+ READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.howtopr, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.bu, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.uc, tok->len, err);
+ if (err)
+ return (-1);
+
+ /*
+ * Determine the size of the basic unit.
+ */
+ switch(tok->tt.arb.bu) {
+ case AUR_BYTE:
+ datasize = AUR_BYTE_SIZE;
+ break;
+
+ case AUR_SHORT:
+ datasize = AUR_SHORT_SIZE;
+ break;
+
+ case AUR_LONG:
+ datasize = AUR_LONG_SIZE;
+ break;
+
+ default:
+ return (-1);
+ }
+
+ SET_PTR(buf, len, tok->tt.arb.data, datasize * tok->tt.arb.uc,
+ tok->len, err);
+ if (err)
+ return (-1);
+
+ return (0);
+}
+
+static void
+print_arb_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+ __unused char sfrm)
+{
+ char *str;
+ char *format;
+ size_t size;
+ int i;
+
+ print_tok_type(fp, tok->id, "arbitrary", raw);
+ print_delim(fp, del);
+
+ switch(tok->tt.arb.howtopr) {
+ case AUP_BINARY:
+ str = "binary";
+ format = " %c";
+ break;
+
+ case AUP_OCTAL:
+ str = "octal";
+ format = " %o";
+ break;
+
+ case AUP_DECIMAL:
+ str = "decimal";
+ format = " %d";
+ break;
+
+ case AUP_HEX:
+ str = "hex";
+ format = " %x";
+ break;
+
+ case AUP_STRING:
+ str = "string";
+ format = "%c";
+ break;
+
+ default:
+ return;
+ }
+
+ print_string(fp, str, strlen(str));
+ print_delim(fp, del);
+ switch(tok->tt.arb.bu) {
+ case AUR_BYTE:
+ str = "byte";
+ size = AUR_BYTE_SIZE;
+ print_string(fp, str, strlen(str));
+ print_delim(fp, del);
+ print_1_byte(fp, tok->tt.arb.uc, "%u");
+ print_delim(fp, del);
+ for (i = 0; i<tok->tt.arb.uc; i++)
+ fprintf(fp, format, *(tok->tt.arb.data + (size * i)));
+ break;
+
+ case AUR_SHORT:
+ str = "short";
+ size = AUR_SHORT_SIZE;
+ print_string(fp, str, strlen(str));
+ print_delim(fp, del);
+ print_1_byte(fp, tok->tt.arb.uc, "%u");
+ print_delim(fp, del);
+ for (i = 0; i<tok->tt.arb.uc; i++)
+ fprintf(fp, format, *((u_int16_t *)(tok->tt.arb.data +
+ (size * i))));
+ break;
+
+ case AUR_LONG:
+ str = "int";
+ size = AUR_LONG_SIZE;
+ print_string(fp, str, strlen(str));
+ print_delim(fp, del);
+ print_1_byte(fp, tok->tt.arb.uc, "%u");
+ print_delim(fp, del);
+ for (i = 0; i<tok->tt.arb.uc; i++)
+ fprintf(fp, format, *((u_int32_t *)(tok->tt.arb.data +
+ (size * i))));
+ break;
+
+ default:
+ return;
+ }
+}
+
+/*
+ * file access mode 4 bytes
+ * owner user ID 4 bytes
+ * owner group ID 4 bytes
+ * file system ID 4 bytes
+ * node ID 8 bytes
+ * device 4 bytes/8 bytes (32-bit/64-bit)
+ */
+static int
+fetch_attr32_tok(tokenstr_t *tok, char *buf, int len)
+{
+ int err = 0;
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.mode, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.uid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.gid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.fsid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT64(buf, len, tok->tt.attr32.nid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.dev, tok->len, err);
+ if (err)
+ return (-1);
+
+ return (0);
+}
+
+static void
+print_attr32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+ __unused char sfrm)
+{
+
+ print_tok_type(fp, tok->id, "attribute", raw);
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.attr32.mode, "%o");
+ print_delim(fp, del);
+ print_user(fp, tok->tt.attr32.uid, raw);
+ print_delim(fp, del);
+ print_group(fp, tok->tt.attr32.gid, raw);
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.attr32.fsid, "%u");
+ print_delim(fp, del);
+ print_8_bytes(fp, tok->tt.attr32.nid, "%lld");
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.attr32.dev, "%u");
+}
+
+/*
+ * file access mode 4 bytes
+ * owner user ID 4 bytes
+ * owner group ID 4 bytes
+ * file system ID 4 bytes
+ * node ID 8 bytes
+ * device 4 bytes/8 bytes (32-bit/64-bit)
+ */
+static int
+fetch_attr64_tok(tokenstr_t *tok, char *buf, int len)
+{
+ int err = 0;
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.mode, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.uid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.gid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.fsid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT64(buf, len, tok->tt.attr64.nid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT64(buf, len, tok->tt.attr64.dev, tok->len, err);
+ if (err)
+ return (-1);
+
+ return (0);
+}
+
+static void
+print_attr64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+ __unused char sfrm)
+{
+
+ print_tok_type(fp, tok->id, "attribute", raw);
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.attr64.mode, "%o");
+ print_delim(fp, del);
+ print_user(fp, tok->tt.attr64.uid, raw);
+ print_delim(fp, del);
+ print_group(fp, tok->tt.attr64.gid, raw);
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.attr64.fsid, "%u");
+ print_delim(fp, del);
+ print_8_bytes(fp, tok->tt.attr64.nid, "%lld");
+ print_delim(fp, del);
+ print_8_bytes(fp, tok->tt.attr64.dev, "%llu");
+}
+
+/*
+ * status 4 bytes
+ * return value 4 bytes
+ */
+static int
+fetch_exit_tok(tokenstr_t *tok, char *buf, int len)
+{
+ int err = 0;
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.exit.status, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.exit.ret, tok->len, err);
+ if (err)
+ return (-1);
+
+ return (0);
+}
+
+static void
+print_exit_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+ __unused char sfrm)
+{
+
+ print_tok_type(fp, tok->id, "exit", raw);
+ print_delim(fp, del);
+ print_errval(fp, tok->tt.exit.status);
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.exit.ret, "%u");
+}
+
+/*
+ * count 4 bytes
+ * text count null-terminated string(s)
+ */
+static int
+fetch_execarg_tok(tokenstr_t *tok, char *buf, int len)
+{
+ int err = 0;
+ int i;
+ char *bptr;
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.execarg.count, tok->len, err);
+ if (err)
+ return (-1);
+
+ for (i = 0; i < tok->tt.execarg.count; i++) {
+ bptr = buf + tok->len;
+ tok->tt.execarg.text[i] = bptr;
+
+ /* Look for a null terminated string. */
+ while (bptr && (*bptr != '\0')) {
+ if (++tok->len >=len)
+ return (-1);
+ bptr = buf + tok->len;
+ }
+ if (!bptr)
+ return (-1);
+ tok->len++; /* \0 character */
+ }
+
+ return (0);
+}
+
+static void
+print_execarg_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+ __unused char sfrm)
+{
+ int i;
+
+ print_tok_type(fp, tok->id, "exec arg", raw);
+ for (i = 0; i < tok->tt.execarg.count; i++) {
+ print_delim(fp, del);
+ print_string(fp, tok->tt.execarg.text[i],
+ strlen(tok->tt.execarg.text[i]));
+ }
+}
+
+/*
+ * count 4 bytes
+ * text count null-terminated string(s)
+ */
+static int
+fetch_execenv_tok(tokenstr_t *tok, char *buf, int len)
+{
+ int err = 0;
+ int i;
+ char *bptr;
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.execenv.count, tok->len, err);
+ if (err)
+ return (-1);
+
+ for (i = 0; i< tok->tt.execenv.count; i++) {
+ bptr = buf + tok->len;
+ tok->tt.execenv.text[i] = bptr;
+
+ /* Look for a null terminated string. */
+ while (bptr && (*bptr != '\0')) {
+ if (++tok->len >=len)
+ return (-1);
+ bptr = buf + tok->len;
+ }
+ if (!bptr)
+ return (-1);
+ tok->len++; /* \0 character */
+ }
+
+ return (0);
+}
+
+static void
+print_execenv_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+ __unused char sfrm)
+{
+ int i;
+
+ print_tok_type(fp, tok->id, "exec arg", raw);
+ for (i = 0; i< tok->tt.execenv.count; i++) {
+ print_delim(fp, del);
+ print_string(fp, tok->tt.execenv.text[i],
+ strlen(tok->tt.execenv.text[i]));
+ }
+}
+
+/*
+ * seconds of time 4 bytes
+ * milliseconds of time 4 bytes
+ * file name len 2 bytes
+ * file pathname N bytes + 1 terminating NULL byte
+ */
+static int
+fetch_file_tok(tokenstr_t *tok, char *buf, int len)
+{
+ int err = 0;
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.file.s, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.file.ms, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT16(buf, len, tok->tt.file.len, tok->len, err);
+ if (err)
+ return (-1);
+
+ SET_PTR(buf, len, tok->tt.file.name, tok->tt.file.len, tok->len, err);
+ if (err)
+ return (-1);
+
+ return (0);
+}
+
+static void
+print_file_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+ __unused char sfrm)
+{
+
+ print_tok_type(fp, tok->id, "file", raw);
+ print_delim(fp, del);
+ print_sec32(fp, tok->tt.file.s, raw);
+ print_delim(fp, del);
+ print_msec32(fp, tok->tt.file.ms, raw);
+ print_delim(fp, del);
+ print_string(fp, tok->tt.file.name, tok->tt.file.len);
+}
+
+/*
+ * number groups 2 bytes
+ * group list count * 4 bytes
+ */
+static int
+fetch_newgroups_tok(tokenstr_t *tok, char *buf, int len)
+{
+ int i;
+ int err = 0;
+
+ READ_TOKEN_U_INT16(buf, len, tok->tt.grps.no, tok->len, err);
+ if (err)
+ return (-1);
+
+ for (i = 0; i<tok->tt.grps.no; i++) {
+ READ_TOKEN_U_INT32(buf, len, tok->tt.grps.list[i], tok->len,
+ err);
+ if (err)
+ return (-1);
+ }
+
+ return (0);
+}
+
+static void
+print_newgroups_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+ __unused char sfrm)
+{
+ int i;
+
+ print_tok_type(fp, tok->id, "group", raw);
+ for (i = 0; i < tok->tt.grps.no; i++) {
+ print_delim(fp, del);
+ print_group(fp, tok->tt.grps.list[i], raw);
+ }
+}
+
+/*
+ * Internet addr 4 bytes
+ */
+static int
+fetch_inaddr_tok(tokenstr_t *tok, char *buf, int len)
+{
+ int err = 0;
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.inaddr.addr, tok->len, err);
+ if (err)
+ return (-1);
+
+ return (0);
+
+}
+
+static void
+print_inaddr_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+ __unused char sfrm)
+{
+
+ print_tok_type(fp, tok->id, "ip addr", raw);
+ print_delim(fp, del);
+ print_ip_address(fp, tok->tt.inaddr.addr);
+}
+
+/*
+ * type 4 bytes
+ * address 16 bytes
+ */
+static int
+fetch_inaddr_ex_tok(tokenstr_t *tok, char *buf, int len)
+{
+ int err = 0;
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.inaddr_ex.type, tok->len, err);
+ if (err)
+ return (-1);
+
+ if (tok->tt.inaddr_ex.type == AU_IPv4) {
+ READ_TOKEN_BYTES(buf, len, &tok->tt.inaddr_ex.addr[0],
+ sizeof(tok->tt.inaddr_ex.addr[0]), tok->len, err);
+ if (err)
+ return (-1);
+ } else if (tok->tt.inaddr_ex.type == AU_IPv6) {
+ READ_TOKEN_BYTES(buf, len, tok->tt.inaddr_ex.addr,
+ sizeof(tok->tt.inaddr_ex.addr), tok->len, err);
+ if (err)
+ return (-1);
+ } else
+ return (-1);
+
+ return (0);
+}
+
+static void
+print_inaddr_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+ __unused char sfrm)
+{
+
+ print_tok_type(fp, tok->id, "ip addr ex", raw);
+ print_delim(fp, del);
+ print_ip_ex_address(fp, tok->tt.inaddr_ex.type,
+ tok->tt.inaddr_ex.addr);
+}
+
+/*
+ * ip header 20 bytes
+ */
+static int
+fetch_ip_tok(tokenstr_t *tok, char *buf, int len)
+{
+ int err = 0;
+
+ READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.version, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.tos, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT16(buf, len, tok->tt.ip.len, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT16(buf, len, tok->tt.ip.id, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT16(buf, len, tok->tt.ip.offset, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.ttl, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.prot, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT16(buf, len, tok->tt.ip.chksm, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_BYTES(buf, len, &tok->tt.ip.src, sizeof(tok->tt.ip.src),
+ tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_BYTES(buf, len, &tok->tt.ip.dest, sizeof(tok->tt.ip.dest),
+ tok->len, err);
+ if (err)
+ return (-1);
+
+ return (0);
+}
+
+static void
+print_ip_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+ __unused char sfrm)
+{
+
+ print_tok_type(fp, tok->id, "ip", raw);
+ print_delim(fp, del);
+ print_mem(fp, (u_char *)(&tok->tt.ip.version), sizeof(u_char));
+ print_delim(fp, del);
+ print_mem(fp, (u_char *)(&tok->tt.ip.tos), sizeof(u_char));
+ print_delim(fp, del);
+ print_2_bytes(fp, tok->tt.ip.len, "%u");
+ print_delim(fp, del);
+ print_2_bytes(fp, tok->tt.ip.id, "%u");
+ print_delim(fp, del);
+ print_2_bytes(fp, tok->tt.ip.offset, "%u");
+ print_delim(fp, del);
+ print_mem(fp, (u_char *)(&tok->tt.ip.ttl), sizeof(u_char));
+ print_delim(fp, del);
+ print_mem(fp, (u_char *)(&tok->tt.ip.prot), sizeof(u_char));
+ print_delim(fp, del);
+ print_2_bytes(fp, tok->tt.ip.chksm, "%u");
+ print_delim(fp, del);
+ print_ip_address(fp, tok->tt.ip.src);
+ print_delim(fp, del);
+ print_ip_address(fp, tok->tt.ip.dest);
+}
+
+/*
+ * object ID type 1 byte
+ * Object ID 4 bytes
+ */
+static int
+fetch_ipc_tok(tokenstr_t *tok, char *buf, int len)
+{
+ int err = 0;
+
+ READ_TOKEN_U_CHAR(buf, len, tok->tt.ipc.type, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.ipc.id, tok->len, err);
+ if (err)
+ return (-1);
+
+ return (0);
+}
+
+static void
+print_ipc_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+ __unused char sfrm)
+{
+
+ print_tok_type(fp, tok->id, "IPC", raw);
+ print_delim(fp, del);
+ print_ipctype(fp, tok->tt.ipc.type, raw);
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.ipc.id, "%u");
+}
+
+/*
+ * owner user id 4 bytes
+ * owner group id 4 bytes
+ * creator user id 4 bytes
+ * creator group id 4 bytes
+ * access mode 4 bytes
+ * slot seq 4 bytes
+ * key 4 bytes
+ */
+static int
+fetch_ipcperm_tok(tokenstr_t *tok, char *buf, int len)
+{
+ int err = 0;
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.uid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.gid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.puid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.pgid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.mode, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.seq, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.key, tok->len, err);
+ if (err)
+ return (-1);
+
+ return (0);
+}
+
+static void
+print_ipcperm_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+ __unused char sfrm)
+{
+
+ print_tok_type(fp, tok->id, "IPC perm", raw);
+ print_delim(fp, del);
+ print_user(fp, tok->tt.ipcperm.uid, raw);
+ print_delim(fp, del);
+ print_group(fp, tok->tt.ipcperm.gid, raw);
+ print_delim(fp, del);
+ print_user(fp, tok->tt.ipcperm.puid, raw);
+ print_delim(fp, del);
+ print_group(fp, tok->tt.ipcperm.pgid, raw);
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.ipcperm.mode, "%o");
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.ipcperm.seq, "%u");
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.ipcperm.key, "%u");
+}
+
+/*
+ * port Ip address 2 bytes
+ */
+static int
+fetch_iport_tok(tokenstr_t *tok, char *buf, int len)
+{
+ int err = 0;
+
+ READ_TOKEN_U_INT16(buf, len, tok->tt.iport.port, tok->len, err);
+ if (err)
+ return (-1);
+
+ return (0);
+}
+
+static void
+print_iport_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+ __unused char sfrm)
+{
+
+ print_tok_type(fp, tok->id, "ip port", raw);
+ print_delim(fp, del);
+ print_2_bytes(fp, tok->tt.iport.port, "%#x");
+}
+
+/*
+ * size 2 bytes
+ * data size bytes
+ */
+static int
+fetch_opaque_tok(tokenstr_t *tok, char *buf, int len)
+{
+ int err = 0;
+
+ READ_TOKEN_U_INT16(buf, len, tok->tt.opaque.size, tok->len, err);
+ if (err)
+ return (-1);
+
+ SET_PTR(buf, len, tok->tt.opaque.data, tok->tt.opaque.size, tok->len,
+ err);
+ if (err)
+ return (-1);
+
+ return (0);
+}
+
+static void
+print_opaque_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+ __unused char sfrm)
+{
+
+ print_tok_type(fp, tok->id, "opaque", raw);
+ print_delim(fp, del);
+ print_2_bytes(fp, tok->tt.opaque.size, "%u");
+ print_delim(fp, del);
+ print_mem(fp, tok->tt.opaque.data, tok->tt.opaque.size);
+}
+
+/*
+ * size 2 bytes
+ * data size bytes
+ */
+static int
+fetch_path_tok(tokenstr_t *tok, char *buf, int len)
+{
+ int err = 0;
+
+ READ_TOKEN_U_INT16(buf, len, tok->tt.path.len, tok->len, err);
+ if (err)
+ return (-1);
+
+ SET_PTR(buf, len, tok->tt.path.path, tok->tt.path.len, tok->len, err);
+ if (err)
+ return (-1);
+
+ return (0);
+}
+
+static void
+print_path_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+ __unused char sfrm)
+{
+
+ print_tok_type(fp, tok->id, "path", raw);
+ print_delim(fp, del);
+ print_string(fp, tok->tt.path.path, tok->tt.path.len);
+}
+
+/*
+ * token ID 1 byte
+ * audit ID 4 bytes
+ * euid 4 bytes
+ * egid 4 bytes
+ * ruid 4 bytes
+ * rgid 4 bytes
+ * pid 4 bytes
+ * sessid 4 bytes
+ * terminal ID
+ * portid 4 bytes
+ * machine id 4 bytes
+ */
+static int
+fetch_process32_tok(tokenstr_t *tok, char *buf, int len)
+{
+ int err = 0;
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.auid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.euid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.egid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.ruid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.rgid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.pid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.sid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.tid.port, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.tid.addr, tok->len, err);
+ if (err)
+ return (-1);
+
+ return (0);
+}
+
+static void
+print_process32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+ __unused char sfrm)
+{
+
+ print_tok_type(fp, tok->id, "process", raw);
+ print_delim(fp, del);
+ print_user(fp, tok->tt.proc32.auid, raw);
+ print_delim(fp, del);
+ print_user(fp, tok->tt.proc32.euid, raw);
+ print_delim(fp, del);
+ print_group(fp, tok->tt.proc32.egid, raw);
+ print_delim(fp, del);
+ print_user(fp, tok->tt.proc32.ruid, raw);
+ print_delim(fp, del);
+ print_group(fp, tok->tt.proc32.rgid, raw);
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.proc32.pid, "%u");
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.proc32.sid, "%u");
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.proc32.tid.port, "%u");
+ print_delim(fp, del);
+ print_ip_address(fp, tok->tt.proc32.tid.addr);
+}
+
+static int
+fetch_process32ex_tok(tokenstr_t *tok, char *buf, int len)
+{
+ int err = 0;
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.auid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.euid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.egid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.ruid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.rgid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.pid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.sid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.tid.port, tok->len,
+ err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.tid.type, tok->len,
+ err);
+ if (err)
+ return (-1);
+
+ if (tok->tt.proc32_ex.tid.type == AU_IPv4) {
+ READ_TOKEN_BYTES(buf, len, &tok->tt.proc32_ex.tid.addr[0],
+ sizeof(tok->tt.proc32_ex.tid.addr[0]), tok->len, err);
+ if (err)
+ return (-1);
+ } else if (tok->tt.proc32_ex.tid.type == AU_IPv6) {
+ READ_TOKEN_BYTES(buf, len, tok->tt.proc32_ex.tid.addr,
+ sizeof(tok->tt.proc32_ex.tid.addr), tok->len, err);
+ if (err)
+ return (-1);
+ } else
+ return (-1);
+
+ return (0);
+}
+
+static void
+print_process32ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+ __unused char sfrm)
+{
+
+ print_tok_type(fp, tok->id, "process_ex", raw);
+ print_delim(fp, del);
+ print_user(fp, tok->tt.proc32_ex.auid, raw);
+ print_delim(fp, del);
+ print_user(fp, tok->tt.proc32_ex.euid, raw);
+ print_delim(fp, del);
+ print_group(fp, tok->tt.proc32_ex.egid, raw);
+ print_delim(fp, del);
+ print_user(fp, tok->tt.proc32_ex.ruid, raw);
+ print_delim(fp, del);
+ print_group(fp, tok->tt.proc32_ex.rgid, raw);
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.proc32_ex.pid, "%u");
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.proc32_ex.sid, "%u");
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.proc32_ex.tid.port, "%u");
+ print_delim(fp, del);
+ print_ip_ex_address(fp, tok->tt.proc32_ex.tid.type,
+ tok->tt.proc32_ex.tid.addr);
+}
+
+/*
+ * errno 1 byte
+ * return value 4 bytes
+ */
+static int
+fetch_return32_tok(tokenstr_t *tok, char *buf, int len)
+{
+ int err = 0;
+
+ READ_TOKEN_U_CHAR(buf, len, tok->tt.ret32.status, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.ret32.ret, tok->len, err);
+ if (err)
+ return (-1);
+
+ return (0);
+}
+
+static void
+print_return32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+ __unused char sfrm)
+{
+
+ print_tok_type(fp, tok->id, "return", raw);
+ print_delim(fp, del);
+ print_retval(fp, tok->tt.ret32.status, raw);
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.ret32.ret, "%u");
+}
+
+static int
+fetch_return64_tok(tokenstr_t *tok, char *buf, int len)
+{
+ int err = 0;
+
+ READ_TOKEN_U_CHAR(buf, len, tok->tt.ret64.err, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT64(buf, len, tok->tt.ret64.val, tok->len, err);
+ if (err)
+ return (-1);
+
+ return (0);
+}
+
+static void
+print_return64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+ __unused char sfrm)
+{
+
+ print_tok_type(fp, tok->id, "return", raw);
+ print_delim(fp, del);
+ print_retval(fp, tok->tt.ret64.err, raw);
+ print_delim(fp, del);
+ print_8_bytes(fp, tok->tt.ret64.val, "%lld");
+}
+
+/*
+ * seq 4 bytes
+ */
+static int
+fetch_seq_tok(tokenstr_t *tok, char *buf, int len)
+{
+ int err = 0;
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.seq.seqno, tok->len, err);
+ if (err)
+ return (-1);
+
+ return (0);
+}
+
+static void
+print_seq_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+ __unused char sfrm)
+{
+
+ print_tok_type(fp, tok->id, "sequence", raw);
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.seq.seqno, "%u");
+}
+
+/*
+ * socket family 2 bytes
+ * local port 2 bytes
+ * socket address 4 bytes
+ */
+static int
+fetch_sock_inet32_tok(tokenstr_t *tok, char *buf, int len)
+{
+ int err = 0;
+
+ READ_TOKEN_U_INT16(buf, len, tok->tt.sockinet32.family, tok->len,
+ err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT16(buf, len, tok->tt.sockinet32.port, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet32.addr,
+ sizeof(tok->tt.sockinet32.addr), tok->len, err);
+ if (err)
+ return (-1);
+
+ return (0);
+}
+
+static void
+print_sock_inet32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+ __unused char sfrm)
+{
+
+ print_tok_type(fp, tok->id, "socket-inet", raw);
+ print_delim(fp, del);
+ print_2_bytes(fp, tok->tt.sockinet32.family, "%u");
+ print_delim(fp, del);
+ print_2_bytes(fp, tok->tt.sockinet32.port, "%u");
+ print_delim(fp, del);
+ print_ip_address(fp, tok->tt.sockinet32.addr);
+}
+
+/*
+ * socket family 2 bytes
+ * path 104 bytes
+ */
+static int fetch_sock_unix_tok(tokenstr_t *tok, char *buf, int len)
+{
+ int err = 0;
+
+ READ_TOKEN_U_INT16(buf, len, tok->tt.sockunix.family, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_BYTES(buf, len, tok->tt.sockunix.path, 104, tok->len,
+ err);
+ if (err)
+ return (-1);
+
+ return (0);
+}
+
+static void
+print_sock_unix_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+ __unused char sfrm)
+{
+
+ print_tok_type(fp, tok->id, "socket-unix", raw);
+ print_delim(fp, del);
+ print_2_bytes(fp, tok->tt.sockunix.family, "%u");
+ print_delim(fp, del);
+ print_string(fp, tok->tt.sockunix.path,
+ strlen(tok->tt.sockunix.path));
+}
+
+/*
+ * socket type 2 bytes
+ * local port 2 bytes
+ * local address 4 bytes
+ * remote port 2 bytes
+ * remote address 4 bytes
+ */
+static int fetch_socket_tok(tokenstr_t *tok, char *buf, int len)
+{
+ int err = 0;
+
+ READ_TOKEN_U_INT16(buf, len, tok->tt.socket.type, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT16(buf, len, tok->tt.socket.l_port, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_addr,
+ sizeof(tok->tt.socket.l_addr), tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT16(buf, len, tok->tt.socket.r_port, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_addr,
+ sizeof(tok->tt.socket.r_addr), tok->len, err);
+ if (err)
+ return (-1);
+
+ return (0);
+}
+
+static void
+print_socket_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+ __unused char sfrm)
+{
+
+ print_tok_type(fp, tok->id, "socket", raw);
+ print_delim(fp, del);
+ print_2_bytes(fp, tok->tt.socket.type, "%u");
+ print_delim(fp, del);
+ print_2_bytes(fp, tok->tt.socket.l_port, "%u");
+ print_delim(fp, del);
+ print_ip_address(fp, tok->tt.socket.l_addr);
+ print_delim(fp, del);
+ print_2_bytes(fp, tok->tt.socket.r_port, "%u");
+ print_delim(fp, del);
+ print_ip_address(fp, tok->tt.socket.r_addr);
+}
+
+/*
+ * audit ID 4 bytes
+ * euid 4 bytes
+ * egid 4 bytes
+ * ruid 4 bytes
+ * rgid 4 bytes
+ * pid 4 bytes
+ * sessid 4 bytes
+ * terminal ID
+ * portid 4 bytes/8 bytes (32-bit/64-bit value)
+ * machine id 4 bytes
+ */
+static int
+fetch_subject32_tok(tokenstr_t *tok, char *buf, int len)
+{
+ int err = 0;
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.auid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.euid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.egid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.ruid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.rgid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.pid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.sid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.tid.port, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_BYTES(buf, len, &tok->tt.subj32.tid.addr,
+ sizeof(tok->tt.subj32.tid.addr), tok->len, err);
+ if (err)
+ return (-1);
+
+ return (0);
+}
+
+static void
+print_subject32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+ __unused char sfrm)
+{
+
+ print_tok_type(fp, tok->id, "subject", raw);
+ print_delim(fp, del);
+ print_user(fp, tok->tt.subj32.auid, raw);
+ print_delim(fp, del);
+ print_user(fp, tok->tt.subj32.euid, raw);
+ print_delim(fp, del);
+ print_group(fp, tok->tt.subj32.egid, raw);
+ print_delim(fp, del);
+ print_user(fp, tok->tt.subj32.ruid, raw);
+ print_delim(fp, del);
+ print_group(fp, tok->tt.subj32.rgid, raw);
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.subj32.pid, "%u");
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.subj32.sid, "%u");
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.subj32.tid.port, "%u");
+ print_delim(fp, del);
+ print_ip_address(fp, tok->tt.subj32.tid.addr);
+}
+
+/*
+ * audit ID 4 bytes
+ * euid 4 bytes
+ * egid 4 bytes
+ * ruid 4 bytes
+ * rgid 4 bytes
+ * pid 4 bytes
+ * sessid 4 bytes
+ * terminal ID
+ * portid 4 bytes/8 bytes (32-bit/64-bit value)
+ * machine id 4 bytes
+ */
+static int
+fetch_subject64_tok(tokenstr_t *tok, char *buf, int len)
+{
+ int err = 0;
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.auid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.euid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.egid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.ruid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.rgid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.pid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.sid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT64(buf, len, tok->tt.subj64.tid.port, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_BYTES(buf, len, &tok->tt.subj64.tid.addr,
+ sizeof(tok->tt.subj64.tid.addr), tok->len, err);
+ if (err)
+ return (-1);
+
+ return (0);
+}
+
+static void
+print_subject64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+ __unused char sfrm)
+{
+
+ print_tok_type(fp, tok->id, "subject", raw);
+ print_delim(fp, del);
+ print_user(fp, tok->tt.subj64.auid, raw);
+ print_delim(fp, del);
+ print_user(fp, tok->tt.subj64.euid, raw);
+ print_delim(fp, del);
+ print_group(fp, tok->tt.subj64.egid, raw);
+ print_delim(fp, del);
+ print_user(fp, tok->tt.subj64.ruid, raw);
+ print_delim(fp, del);
+ print_group(fp, tok->tt.subj64.rgid, raw);
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.subj64.pid, "%u");
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.subj64.sid, "%u");
+ print_delim(fp, del);
+ print_8_bytes(fp, tok->tt.subj64.tid.port, "%llu");
+ print_delim(fp, del);
+ print_ip_address(fp, tok->tt.subj64.tid.addr);
+}
+
+/*
+ * audit ID 4 bytes
+ * euid 4 bytes
+ * egid 4 bytes
+ * ruid 4 bytes
+ * rgid 4 bytes
+ * pid 4 bytes
+ * sessid 4 bytes
+ * terminal ID
+ * portid 4 bytes
+ * type 4 bytes
+ * machine id 16 bytes
+ */
+static int
+fetch_subject32ex_tok(tokenstr_t *tok, char *buf, int len)
+{
+ int err = 0;
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.auid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.euid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.egid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.ruid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.rgid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.pid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.sid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.tid.port, tok->len,
+ err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.tid.type, tok->len,
+ err);
+ if (err)
+ return (-1);
+
+ if (tok->tt.subj32_ex.tid.type == AU_IPv4) {
+ READ_TOKEN_BYTES(buf, len, &tok->tt.subj32_ex.tid.addr[0],
+ sizeof(tok->tt.subj32_ex.tid.addr[0]), tok->len, err);
+ if (err)
+ return (-1);
+ } else if (tok->tt.subj32_ex.tid.type == AU_IPv6) {
+ READ_TOKEN_BYTES(buf, len, tok->tt.subj32_ex.tid.addr,
+ sizeof(tok->tt.subj32_ex.tid.addr), tok->len, err);
+ if (err)
+ return (-1);
+ } else
+ return (-1);
+
+ return (0);
+}
+
+static void
+print_subject32ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+ __unused char sfrm)
+{
+
+ print_tok_type(fp, tok->id, "subject_ex", raw);
+ print_delim(fp, del);
+ print_user(fp, tok->tt.subj32_ex.auid, raw);
+ print_delim(fp, del);
+ print_user(fp, tok->tt.subj32_ex.euid, raw);
+ print_delim(fp, del);
+ print_group(fp, tok->tt.subj32_ex.egid, raw);
+ print_delim(fp, del);
+ print_user(fp, tok->tt.subj32_ex.ruid, raw);
+ print_delim(fp, del);
+ print_group(fp, tok->tt.subj32_ex.rgid, raw);
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.subj32_ex.pid, "%u");
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.subj32_ex.sid, "%u");
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.subj32_ex.tid.port, "%u");
+ print_delim(fp, del);
+ print_ip_ex_address(fp, tok->tt.subj32_ex.tid.type,
+ tok->tt.subj32_ex.tid.addr);
+}
+
+/*
+ * size 2 bytes
+ * data size bytes
+ */
+static int
+fetch_text_tok(tokenstr_t *tok, char *buf, int len)
+{
+ int err = 0;
+
+ READ_TOKEN_U_INT16(buf, len, tok->tt.text.len, tok->len, err);
+ if (err)
+ return (-1);
+
+ SET_PTR(buf, len, tok->tt.text.text, tok->tt.text.len, tok->len,
+ err);
+ if (err)
+ return (-1);
+
+ return (0);
+}
+
+static void
+print_text_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+ __unused char sfrm)
+{
+
+ print_tok_type(fp, tok->id, "text", raw);
+ print_delim(fp, del);
+ print_string(fp, tok->tt.text.text, tok->tt.text.len);
+}
+
+/*
+ * socket type 2 bytes
+ * local port 2 bytes
+ * address type/length 4 bytes
+ * local Internet address 4 bytes
+ * remote port 4 bytes
+ * address type/length 4 bytes
+ * remote Internet address 4 bytes
+ */
+static int
+fetch_socketex32_tok(tokenstr_t *tok, char *buf, int len)
+{
+ int err = 0;
+
+ READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.type, tok->len,
+ err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.l_port, tok->len,
+ err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.socket_ex32.l_ad_type, tok->len,
+ err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_addr,
+ sizeof(tok->tt.socket_ex32.l_addr), tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.socket_ex32.r_port, tok->len,
+ err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.socket_ex32.r_ad_type, tok->len,
+ err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_addr,
+ sizeof(tok->tt.socket_ex32.r_addr), tok->len, err);
+ if (err)
+ return (-1);
+
+ return (0);
+}
+
+static void
+print_socketex32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+ __unused char sfrm)
+{
+
+ print_tok_type(fp, tok->id, "socket", raw);
+ print_delim(fp, del);
+ print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x");
+ print_delim(fp, del);
+ print_2_bytes(fp, tok->tt.socket_ex32.l_port, "%#x");
+ print_delim(fp, del);
+ print_ip_address(fp, tok->tt.socket_ex32.l_addr);
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.socket_ex32.r_port, "%#x");
+ print_delim(fp, del);
+ print_ip_address(fp, tok->tt.socket_ex32.r_addr);
+}
+
+static int
+fetch_invalid_tok(tokenstr_t *tok, char *buf, int len)
+{
+ int err = 0;
+ int recoversize;
+
+ recoversize = len - (tok->len + BSM_TRAILER_SIZE);
+ if (recoversize <= 0)
+ return (-1);
+
+ tok->tt.invalid.length = recoversize;
+
+ SET_PTR(buf, len, tok->tt.invalid.data, recoversize, tok->len, err);
+ if (err)
+ return (-1);
+
+ return (0);
+}
+
+static void
+print_invalid_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+ __unused char sfrm)
+{
+
+ print_tok_type(fp, tok->id, "unknown", raw);
+ print_delim(fp, del);
+ print_mem(fp, tok->tt.invalid.data, tok->tt.invalid.length);
+}
+
+
+/*
+ * Reads the token beginning at buf into tok.
+ */
+int
+au_fetch_tok(tokenstr_t *tok, u_char *buf, int len)
+{
+
+ if (len <= 0)
+ return (-1);
+
+ tok->len = 1;
+ tok->data = buf;
+ tok->id = *buf;
+
+ switch(tok->id) {
+ case AUT_HEADER32:
+ return (fetch_header32_tok(tok, buf, len));
+
+ case AUT_HEADER32_EX:
+ return (fetch_header32_ex_tok(tok, buf, len));
+
+ case AUT_HEADER64:
+ return (fetch_header64_tok(tok, buf, len));
+
+ case AUT_HEADER64_EX:
+ return (fetch_header64_ex_tok(tok, buf, len));
+
+ case AUT_TRAILER:
+ return (fetch_trailer_tok(tok, buf, len));
+
+ case AUT_ARG32:
+ return (fetch_arg32_tok(tok, buf, len));
+
+ case AUT_ARG64:
+ return (fetch_arg64_tok(tok, buf, len));
+
+ case AUT_ATTR32:
+ return (fetch_attr32_tok(tok, buf, len));
+
+ case AUT_ATTR64:
+ return (fetch_attr64_tok(tok, buf, len));
+
+ case AUT_EXIT:
+ return (fetch_exit_tok(tok, buf, len));
+
+ case AUT_EXEC_ARGS:
+ return (fetch_execarg_tok(tok, buf, len));
+
+ case AUT_EXEC_ENV:
+ return (fetch_execenv_tok(tok, buf, len));
+
+ case AUT_OTHER_FILE32:
+ return (fetch_file_tok(tok, buf, len));
+
+ case AUT_NEWGROUPS:
+ return (fetch_newgroups_tok(tok, buf, len));
+
+ case AUT_IN_ADDR:
+ return (fetch_inaddr_tok(tok, buf, len));
+
+ case AUT_IN_ADDR_EX:
+ return (fetch_inaddr_ex_tok(tok, buf, len));
+
+ case AUT_IP:
+ return (fetch_ip_tok(tok, buf, len));
+
+ case AUT_IPC:
+ return (fetch_ipc_tok(tok, buf, len));
+
+ case AUT_IPC_PERM:
+ return (fetch_ipcperm_tok(tok, buf, len));
+
+ case AUT_IPORT:
+ return (fetch_iport_tok(tok, buf, len));
+
+ case AUT_OPAQUE:
+ return (fetch_opaque_tok(tok, buf, len));
+
+ case AUT_PATH:
+ return (fetch_path_tok(tok, buf, len));
+
+ case AUT_PROCESS32:
+ return (fetch_process32_tok(tok, buf, len));
+
+ case AUT_PROCESS32_EX:
+ return (fetch_process32ex_tok(tok, buf, len));
+
+ case AUT_RETURN32:
+ return (fetch_return32_tok(tok, buf, len));
+
+ case AUT_RETURN64:
+ return (fetch_return64_tok(tok, buf, len));
+
+ case AUT_SEQ:
+ return (fetch_seq_tok(tok, buf, len));
+
+ case AUT_SOCKET:
+ return (fetch_socket_tok(tok, buf, len));
+
+ case AUT_SOCKINET32:
+ return (fetch_sock_inet32_tok(tok, buf, len));
+
+ case AUT_SOCKUNIX:
+ return (fetch_sock_unix_tok(tok, buf, len));
+
+ case AUT_SUBJECT32:
+ return (fetch_subject32_tok(tok, buf, len));
+
+ case AUT_SUBJECT64:
+ return (fetch_subject64_tok(tok, buf, len));
+
+ case AUT_SUBJECT32_EX:
+ return (fetch_subject32ex_tok(tok, buf, len));
+
+ case AUT_TEXT:
+ return (fetch_text_tok(tok, buf, len));
+
+ case AUT_SOCKET_EX:
+ return (fetch_socketex32_tok(tok, buf, len));
+
+ case AUT_DATA:
+ return (fetch_arb_tok(tok, buf, len));
+
+ default:
+ return (fetch_invalid_tok(tok, buf, len));
+ }
+}
+
+/*
+ * 'prints' the token out to outfp
+ */
+void
+au_print_tok(FILE *outfp, tokenstr_t *tok, char *del, char raw, char sfrm)
+{
+
+ switch(tok->id) {
+ case AUT_HEADER32:
+ print_header32_tok(outfp, tok, del, raw, sfrm);
+ return;
+
+ case AUT_HEADER32_EX:
+ print_header32_ex_tok(outfp, tok, del, raw, sfrm);
+ return;
+
+ case AUT_HEADER64:
+ print_header64_tok(outfp, tok, del, raw, sfrm);
+ return;
+
+ case AUT_HEADER64_EX:
+ print_header64_ex_tok(outfp, tok, del, raw, sfrm);
+ return;
+
+ case AUT_TRAILER:
+ print_trailer_tok(outfp, tok, del, raw, sfrm);
+ return;
+
+ case AUT_ARG32:
+ print_arg32_tok(outfp, tok, del, raw, sfrm);
+ return;
+
+ case AUT_ARG64:
+ print_arg64_tok(outfp, tok, del, raw, sfrm);
+ return;
+
+ case AUT_DATA:
+ print_arb_tok(outfp, tok, del, raw, sfrm);
+ return;
+
+ case AUT_ATTR32:
+ print_attr32_tok(outfp, tok, del, raw, sfrm);
+ return;
+
+ case AUT_ATTR64:
+ print_attr64_tok(outfp, tok, del, raw, sfrm);
+ return;
+
+ case AUT_EXIT:
+ print_exit_tok(outfp, tok, del, raw, sfrm);
+ return;
+
+ case AUT_EXEC_ARGS:
+ print_execarg_tok(outfp, tok, del, raw, sfrm);
+ return;
+
+ case AUT_EXEC_ENV:
+ print_execenv_tok(outfp, tok, del, raw, sfrm);
+ return;
+
+ case AUT_OTHER_FILE32:
+ print_file_tok(outfp, tok, del, raw, sfrm);
+ return;
+
+ case AUT_NEWGROUPS:
+ print_newgroups_tok(outfp, tok, del, raw, sfrm);
+ return;
+
+ case AUT_IN_ADDR:
+ print_inaddr_tok(outfp, tok, del, raw, sfrm);
+ return;
+
+ case AUT_IN_ADDR_EX:
+ print_inaddr_ex_tok(outfp, tok, del, raw, sfrm);
+ return;
+
+ case AUT_IP:
+ print_ip_tok(outfp, tok, del, raw, sfrm);
+ return;
+
+ case AUT_IPC:
+ print_ipc_tok(outfp, tok, del, raw, sfrm);
+ return;
+
+ case AUT_IPC_PERM:
+ print_ipcperm_tok(outfp, tok, del, raw, sfrm);
+ return;
+
+ case AUT_IPORT:
+ print_iport_tok(outfp, tok, del, raw, sfrm);
+ return;
+
+ case AUT_OPAQUE:
+ print_opaque_tok(outfp, tok, del, raw, sfrm);
+ return;
+
+ case AUT_PATH:
+ print_path_tok(outfp, tok, del, raw, sfrm);
+ return;
+
+ case AUT_PROCESS32:
+ print_process32_tok(outfp, tok, del, raw, sfrm);
+ return;
+
+ case AUT_PROCESS32_EX:
+ print_process32ex_tok(outfp, tok, del, raw, sfrm);
+ return;
+
+ case AUT_RETURN32:
+ print_return32_tok(outfp, tok, del, raw, sfrm);
+ return;
+
+ case AUT_RETURN64:
+ print_return64_tok(outfp, tok, del, raw, sfrm);
+ return;
+
+ case AUT_SEQ:
+ print_seq_tok(outfp, tok, del, raw, sfrm);
+ return;
+
+ case AUT_SOCKET:
+ print_socket_tok(outfp, tok, del, raw, sfrm);
+ return;
+
+ case AUT_SOCKINET32:
+ print_sock_inet32_tok(outfp, tok, del, raw, sfrm);
+ return;
+
+ case AUT_SOCKUNIX:
+ print_sock_unix_tok(outfp, tok, del, raw, sfrm);
+ return;
+
+ case AUT_SUBJECT32:
+ print_subject32_tok(outfp, tok, del, raw, sfrm);
+ return;
+
+ case AUT_SUBJECT64:
+ print_subject64_tok(outfp, tok, del, raw, sfrm);
+ return;
+
+ case AUT_SUBJECT32_EX:
+ print_subject32ex_tok(outfp, tok, del, raw, sfrm);
+ return;
+
+ case AUT_TEXT:
+ print_text_tok(outfp, tok, del, raw, sfrm);
+ return;
+
+ case AUT_SOCKET_EX:
+ print_socketex32_tok(outfp, tok, del, raw, sfrm);
+ return;
+
+ default:
+ print_invalid_tok(outfp, tok, del, raw, sfrm);
+ }
+}
+
+/*
+ * Read a record from the file pointer, store data in buf memory for buf is
+ * also allocated in this function and has to be free'd outside this call.
+ *
+ * au_read_rec() handles two possibilities: a stand-alone file token, or a
+ * complete audit record.
+ *
+ * XXXRW: Note that if we hit an error, we leave the stream in an unusable
+ * state, because it will be partly offset into a record. We should rewind
+ * or do something more intelligent. Particularly interesting is the case
+ * where we perform a partial read of a record from a non-blockable file
+ * descriptor. We should return the partial read and continue...?
+ */
+int
+au_read_rec(FILE *fp, u_char **buf)
+{
+ u_char *bptr;
+ u_int32_t recsize;
+ u_int32_t bytestoread;
+ u_char type;
+
+ u_int32_t sec, msec;
+ u_int16_t filenamelen;
+
+ type = fgetc(fp);
+
+ switch (type) {
+ case AUT_HEADER32:
+ case AUT_HEADER32_EX:
+ case AUT_HEADER64:
+ case AUT_HEADER64_EX:
+ /* read the record size from the token */
+ if (fread(&recsize, 1, sizeof(u_int32_t), fp) <
+ sizeof(u_int32_t)) {
+ errno = EINVAL;
+ return (-1);
+ }
+ recsize = be32toh(recsize);
+
+ /* Check for recsize sanity */
+ if (recsize < (sizeof(u_int32_t) + sizeof(u_char))) {
+ errno = EINVAL;
+ return (-1);
+ }
+
+ *buf = malloc(recsize * sizeof(u_char));
+ if (*buf == NULL)
+ return (-1);
+ bptr = *buf;
+ memset(bptr, 0, recsize);
+
+ /* store the token contents already read, back to the buffer*/
+ *bptr = type;
+ bptr++;
+ be32enc(bptr, recsize);
+ bptr += sizeof(u_int32_t);
+
+ /* now read remaining record bytes */
+ bytestoread = recsize - (sizeof(u_int32_t) + sizeof(u_char));
+
+ if (fread(bptr, 1, bytestoread, fp) < bytestoread) {
+ free(*buf);
+ errno = EINVAL;
+ return (-1);
+ }
+ break;
+
+ case AUT_OTHER_FILE32:
+ /*
+ * The file token is variable-length, as it includes a
+ * pathname. As a result, we have to read incrementally
+ * until we know the total length, then allocate space and
+ * read the rest.
+ */
+ if (fread(&sec, 1, sizeof(sec), fp) < sizeof(sec)) {
+ errno = EINVAL;
+ return (-1);
+ }
+ if (fread(&msec, 1, sizeof(msec), fp) < sizeof(msec)) {
+ errno = EINVAL;
+ return (-1);
+ }
+ if (fread(&filenamelen, 1, sizeof(filenamelen), fp) <
+ sizeof(filenamelen)) {
+ errno = EINVAL;
+ return (-1);
+ }
+ recsize = sizeof(type) + sizeof(sec) + sizeof(msec) +
+ sizeof(filenamelen) + ntohs(filenamelen);
+ *buf = malloc(recsize);
+ if (*buf == NULL)
+ return (-1);
+ bptr = *buf;
+
+ bcopy(&type, bptr, sizeof(type));
+ bptr += sizeof(type);
+ bcopy(&sec, bptr, sizeof(sec));
+ bptr += sizeof(sec);
+ bcopy(&msec, bptr, sizeof(msec));
+ bptr += sizeof(msec);
+ bcopy(&filenamelen, bptr, sizeof(filenamelen));
+ bptr += sizeof(filenamelen);
+
+ if (fread(bptr, 1, ntohs(filenamelen), fp) <
+ ntohs(filenamelen)) {
+ free(buf);
+ errno = EINVAL;
+ return (-1);
+ }
+ break;
+
+ default:
+ errno = EINVAL;
+ return (-1);
+ }
+
+ return (recsize);
+}
diff --git a/contrib/openbsm/libbsm/bsm_mask.c b/contrib/openbsm/libbsm/bsm_mask.c
new file mode 100644
index 000000000000..b575bbcb0b6f
--- /dev/null
+++ b/contrib/openbsm/libbsm/bsm_mask.c
@@ -0,0 +1,194 @@
+/*
+ * Copyright (c) 2004 Apple Computer, Inc.
+ * Copyright (c) 2005 Robert N. M. Watson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+ * its contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
+ * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_mask.c#11 $
+ */
+
+#include <sys/types.h>
+#include <sys/queue.h>
+
+#include <bsm/libbsm.h>
+
+#include <pthread.h>
+#include <stdlib.h>
+#include <string.h>
+
+/* MT-Safe */
+static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
+static int firsttime = 1;
+
+/*
+ * XXX ev_cache, once created, sticks around until the calling program exits.
+ * This may or may not be a problem as far as absolute memory usage goes, but
+ * at least there don't appear to be any leaks in using the cache.
+ *
+ * XXXRW: Note that despite (mutex), load_event_table() could race with
+ * other consumers of the getauevents() API.
+ */
+struct audit_event_map {
+ char ev_name[AU_EVENT_NAME_MAX];
+ char ev_desc[AU_EVENT_DESC_MAX];
+ struct au_event_ent ev;
+ LIST_ENTRY(audit_event_map) ev_list;
+};
+static LIST_HEAD(, audit_event_map) ev_cache;
+
+static struct audit_event_map *
+audit_event_map_alloc(void)
+{
+ struct audit_event_map *aemp;
+
+ aemp = malloc(sizeof(*aemp));
+ if (aemp == NULL)
+ return (aemp);
+ bzero(aemp, sizeof(*aemp));
+ aemp->ev.ae_name = aemp->ev_name;
+ aemp->ev.ae_desc = aemp->ev_desc;
+ return (aemp);
+}
+
+static void
+audit_event_map_free(struct audit_event_map *aemp)
+{
+
+ free(aemp);
+}
+
+/*
+ * When reading into the cache fails, we need to flush the entire cache to
+ * prevent it from containing some but not all records.
+ */
+static void
+flush_cache(void)
+{
+ struct audit_event_map *aemp;
+
+ /* XXX: Would assert 'mutex'. */
+
+ while ((aemp = LIST_FIRST(&ev_cache)) != NULL) {
+ LIST_REMOVE(aemp, ev_list);
+ audit_event_map_free(aemp);
+ }
+}
+
+static int
+load_event_table(void)
+{
+ struct audit_event_map *aemp;
+ struct au_event_ent *ep;
+
+ /*
+ * XXX: Would assert 'mutex'.
+ * Loading of the cache happens only once; dont check if cache is
+ * already loaded.
+ */
+ LIST_INIT(&ev_cache);
+ setauevent(); /* Rewind to beginning of entries. */
+ do {
+ aemp = audit_event_map_alloc();
+ if (aemp == NULL) {
+ flush_cache();
+ return (-1);
+ }
+ ep = getauevent_r(&aemp->ev);
+ if (ep != NULL)
+ LIST_INSERT_HEAD(&ev_cache, aemp, ev_list);
+ else
+ audit_event_map_free(aemp);
+ } while (ep != NULL);
+ return (1);
+}
+
+/*
+ * Read the event with the matching event number from the cache.
+ */
+static struct au_event_ent *
+read_from_cache(au_event_t event)
+{
+ struct audit_event_map *elem;
+
+ /* XXX: Would assert 'mutex'. */
+
+ LIST_FOREACH(elem, &ev_cache, ev_list) {
+ if (elem->ev.ae_number == event)
+ return (&elem->ev);
+ }
+
+ return (NULL);
+}
+
+/*
+ * Check if the audit event is preselected against the preselection mask.
+ */
+int
+au_preselect(au_event_t event, au_mask_t *mask_p, int sorf, int flag)
+{
+ struct au_event_ent *ev;
+ au_class_t effmask = 0;
+
+ if (mask_p == NULL)
+ return (-1);
+
+
+ pthread_mutex_lock(&mutex);
+ if (firsttime) {
+ firsttime = 0;
+ if ( -1 == load_event_table()) {
+ pthread_mutex_unlock(&mutex);
+ return (-1);
+ }
+ }
+ switch (flag) {
+ case AU_PRS_REREAD:
+ flush_cache();
+ if (load_event_table() == -1) {
+ pthread_mutex_unlock(&mutex);
+ return (-1);
+ }
+ ev = read_from_cache(event);
+ break;
+ case AU_PRS_USECACHE:
+ ev = read_from_cache(event);
+ break;
+ default:
+ ev = NULL;
+ }
+ if (ev == NULL) {
+ pthread_mutex_unlock(&mutex);
+ return (-1);
+ }
+ if (sorf & AU_PRS_SUCCESS)
+ effmask |= (mask_p->am_success & ev->ae_class);
+ if (sorf & AU_PRS_FAILURE)
+ effmask |= (mask_p->am_failure & ev->ae_class);
+ pthread_mutex_unlock(&mutex);
+ if (effmask != 0)
+ return (1);
+ return (0);
+}
diff --git a/contrib/openbsm/libbsm/bsm_notify.c b/contrib/openbsm/libbsm/bsm_notify.c
new file mode 100644
index 000000000000..92f9b504d7fc
--- /dev/null
+++ b/contrib/openbsm/libbsm/bsm_notify.c
@@ -0,0 +1,149 @@
+/*
+ * Copyright (c) 2004 Apple Computer, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+ * its contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
+ * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_notify.c#8 $
+ */
+
+#ifdef __APPLE__
+
+/*
+ * Based on sample code from Marc Majka.
+ */
+#include <notify.h>
+#include <string.h> /* strerror() */
+#include <sys/errno.h> /* errno */
+#include <bsm/libbsm.h>
+#include <stdint.h> /* uint32_t */
+#include <syslog.h> /* syslog() */
+#include <stdarg.h> /* syslog() */
+
+/* If 1, assumes a kernel that sends the right notification. */
+#define AUDIT_NOTIFICATION_ENABLED 1
+
+#if AUDIT_NOTIFICATION_ENABLED
+static int token = 0;
+#endif /* AUDIT_NOTIFICATION_ENABLED */
+
+static long au_cond = AUC_UNSET; /* <bsm/audit.h> */
+
+uint32_t
+au_notify_initialize(void)
+{
+#if AUDIT_NOTIFICATION_ENABLED
+ uint32_t status, ignore_first;
+
+ status = notify_register_check(__BSM_INTERNAL_NOTIFY_KEY, &token);
+ if (status != NOTIFY_STATUS_OK)
+ return (status);
+ status = notify_check(token, &ignore_first);
+ if (status != NOTIFY_STATUS_OK)
+ return (status);
+#endif
+
+ if (auditon(A_GETCOND, &au_cond, sizeof(long)) < 0) {
+ syslog(LOG_ERR, "Initial audit status check failed (%s)",
+ strerror(errno));
+ if (errno == ENOSYS) /* auditon() unimplemented. */
+ return (AU_UNIMPL);
+ return (NOTIFY_STATUS_FAILED); /* Is there a better code? */
+ }
+ return (NOTIFY_STATUS_OK);
+}
+
+int
+au_notify_terminate(void)
+{
+
+#if AUDIT_NOTIFICATION_ENABLED
+ return ((notify_cancel(token) == NOTIFY_STATUS_OK) ? 0 : -1);
+#else
+ return (0);
+#endif
+}
+
+/*
+ * On error of any notify(3) call, reset 'au_cond' to ensure we re-run
+ * au_notify_initialize() next time 'round--but assume auditing is on. This
+ * is a slight performance hit if auditing is off, but at least the system
+ * will behave correctly. The notification calls are unlikely to fail,
+ * anyway.
+ */
+int
+au_get_state(void)
+{
+#if AUDIT_NOTIFICATION_ENABLED
+ uint32_t did_notify;
+#endif
+ int status;
+
+ /*
+ * Don't make the client initialize this set of routines, but take the
+ * slight performance hit by checking ourselves every time.
+ */
+ if (au_cond == AUC_UNSET) {
+ status = au_notify_initialize();
+ if (status != NOTIFY_STATUS_OK) {
+ if (status == AU_UNIMPL)
+ return (AU_UNIMPL);
+ return (AUC_AUDITING);
+ } else
+ return (au_cond);
+ }
+#if AUDIT_NOTIFICATION_ENABLED
+ status = notify_check(token, &did_notify);
+ if (status != NOTIFY_STATUS_OK) {
+ au_cond = AUC_UNSET;
+ return (AUC_AUDITING);
+ }
+
+ if (did_notify == 0)
+ return (au_cond);
+#endif
+
+ if (auditon(A_GETCOND, &au_cond, sizeof(long)) < 0) {
+ /* XXX Reset au_cond to AUC_UNSET? */
+ syslog(LOG_ERR, "Audit status check failed (%s)",
+ strerror(errno));
+ if (errno == ENOSYS) /* Function unimplemented. */
+ return (AU_UNIMPL);
+ return (errno);
+ }
+
+ switch (au_cond) {
+ case AUC_NOAUDIT: /* Auditing suspended. */
+ case AUC_DISABLED: /* Auditing shut off. */
+ return (AUC_NOAUDIT);
+
+ case AUC_UNSET: /* Uninitialized; shouldn't get here. */
+ case AUC_AUDITING: /* Audit on. */
+ default:
+ return (AUC_AUDITING);
+ }
+}
+
+#endif /* !__APPLE__ */
diff --git a/contrib/openbsm/libbsm/bsm_token.c b/contrib/openbsm/libbsm/bsm_token.c
new file mode 100644
index 000000000000..d7eadb28f808
--- /dev/null
+++ b/contrib/openbsm/libbsm/bsm_token.c
@@ -0,0 +1,1219 @@
+/*
+ * Copyright (c) 2004 Apple Computer, Inc.
+ * Copyright (c) 2005 SPARTA, Inc.
+ * All rights reserved.
+ *
+ * This code was developed in part by Robert N. M. Watson, Senior Principal
+ * Scientist, SPARTA, Inc.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+ * its contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
+ * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_token.c#34 $
+ */
+
+#include <sys/types.h>
+#ifdef __APPLE__
+#include <compat/endian.h>
+#else /* !__APPLE__ */
+#include <sys/endian.h>
+#endif /* __APPLE__*/
+#include <sys/socket.h>
+#include <sys/time.h>
+#include <sys/un.h>
+
+#include <sys/ipc.h>
+
+#include <netinet/in.h>
+#include <netinet/in_systm.h>
+#include <netinet/ip.h>
+
+#include <assert.h>
+#include <errno.h>
+#include <string.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <sys/socketvar.h>
+
+#include <bsm/audit_internal.h>
+#include <bsm/libbsm.h>
+
+#define GET_TOKEN_AREA(t, dptr, length) do { \
+ (t) = malloc(sizeof(token_t)); \
+ if ((t) != NULL) { \
+ (t)->len = (length); \
+ (dptr) = (t->t_data) = malloc((length) * sizeof(u_char)); \
+ if ((dptr) == NULL) { \
+ free(t); \
+ (t) = NULL; \
+ } else \
+ memset((dptr), 0, (length)); \
+ } else \
+ (dptr) = NULL; \
+ assert(t == NULL || dptr != NULL); \
+} while (0)
+
+/*
+ * token ID 1 byte
+ * argument # 1 byte
+ * argument value 4 bytes/8 bytes (32-bit/64-bit value)
+ * text length 2 bytes
+ * text N bytes + 1 terminating NULL byte
+ */
+token_t *
+au_to_arg32(char n, char *text, u_int32_t v)
+{
+ token_t *t;
+ u_char *dptr = NULL;
+ u_int16_t textlen;
+
+ textlen = strlen(text);
+ textlen += 1;
+
+ GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int32_t) +
+ sizeof(u_int16_t) + textlen);
+ if (t == NULL)
+ return (NULL);
+
+ ADD_U_CHAR(dptr, AUT_ARG32);
+ ADD_U_CHAR(dptr, n);
+ ADD_U_INT32(dptr, v);
+ ADD_U_INT16(dptr, textlen);
+ ADD_STRING(dptr, text, textlen);
+
+ return (t);
+
+}
+
+token_t *
+au_to_arg64(char n, char *text, u_int64_t v)
+{
+ token_t *t;
+ u_char *dptr = NULL;
+ u_int16_t textlen;
+
+ textlen = strlen(text);
+ textlen += 1;
+
+ GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int64_t) +
+ sizeof(u_int16_t) + textlen);
+ if (t == NULL)
+ return (NULL);
+
+ ADD_U_CHAR(dptr, AUT_ARG64);
+ ADD_U_CHAR(dptr, n);
+ ADD_U_INT64(dptr, v);
+ ADD_U_INT16(dptr, textlen);
+ ADD_STRING(dptr, text, textlen);
+
+ return (t);
+
+}
+
+token_t *
+au_to_arg(char n, char *text, u_int32_t v)
+{
+
+ return (au_to_arg32(n, text, v));
+}
+
+#if defined(_KERNEL) || defined(KERNEL)
+/*
+ * token ID 1 byte
+ * file access mode 4 bytes
+ * owner user ID 4 bytes
+ * owner group ID 4 bytes
+ * file system ID 4 bytes
+ * node ID 8 bytes
+ * device 4 bytes/8 bytes (32-bit/64-bit)
+ */
+token_t *
+au_to_attr32(struct vnode_au_info *vni)
+{
+ token_t *t;
+ u_char *dptr = NULL;
+ u_int16_t pad0_16 = 0;
+ u_int16_t pad0_32 = 0;
+
+ GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) +
+ 3 * sizeof(u_int32_t) + sizeof(u_int64_t) + sizeof(u_int32_t));
+ if (t == NULL)
+ return (NULL);
+
+ ADD_U_CHAR(dptr, AUT_ATTR32);
+
+ /*
+ * Darwin defines the size for the file mode
+ * as 2 bytes; BSM defines 4 so pad with 0
+ */
+ ADD_U_INT16(dptr, pad0_16);
+ ADD_U_INT16(dptr, vni->vn_mode);
+
+ ADD_U_INT32(dptr, vni->vn_uid);
+ ADD_U_INT32(dptr, vni->vn_gid);
+ ADD_U_INT32(dptr, vni->vn_fsid);
+
+ /*
+ * Some systems use 32-bit file ID's, other's use 64-bit file IDs.
+ * Attempt to handle both, and let the compiler sort it out. If we
+ * could pick this out at compile-time, it would be better, so as to
+ * avoid the else case below.
+ */
+ if (sizeof(vni->vn_fileid) == sizeof(uint32_t)) {
+ ADD_U_INT32(dptr, pad0_32);
+ ADD_U_INT32(dptr, vni->vn_fileid);
+ } else if (sizeof(vni->vn_fileid) == sizeof(uint64_t))
+ ADD_U_INT64(dptr, vni->vn_fileid);
+ else
+ ADD_U_INT64(dptr, 0LL);
+
+ ADD_U_INT32(dptr, vni->vn_dev);
+
+ return (t);
+}
+
+token_t *
+au_to_attr64(struct vnode_au_info *vni)
+{
+
+ errno = ENOTSUP;
+ return (NULL);
+}
+
+token_t *
+au_to_attr(struct vnode_au_info *vni)
+{
+
+ return (au_to_attr32(vni));
+}
+#endif /* !(defined(_KERNEL) || defined(KERNEL) */
+
+/*
+ * token ID 1 byte
+ * how to print 1 byte
+ * basic unit 1 byte
+ * unit count 1 byte
+ * data items (depends on basic unit)
+ */
+token_t *
+au_to_data(char unit_print, char unit_type, char unit_count, char *p)
+{
+ token_t *t;
+ u_char *dptr = NULL;
+ size_t datasize, totdata;
+
+ /* Determine the size of the basic unit. */
+ switch (unit_type) {
+ case AUR_BYTE:
+ datasize = AUR_BYTE_SIZE;
+ break;
+
+ case AUR_SHORT:
+ datasize = AUR_SHORT_SIZE;
+ break;
+
+ case AUR_LONG:
+ datasize = AUR_LONG_SIZE;
+ break;
+
+ default:
+ errno = EINVAL;
+ return (NULL);
+ }
+
+ totdata = datasize * unit_count;
+
+ GET_TOKEN_AREA(t, dptr, totdata + 4 * sizeof(u_char));
+ if (t == NULL)
+ return (NULL);
+
+ ADD_U_CHAR(dptr, AUT_DATA);
+ ADD_U_CHAR(dptr, unit_print);
+ ADD_U_CHAR(dptr, unit_type);
+ ADD_U_CHAR(dptr, unit_count);
+ ADD_MEM(dptr, p, totdata);
+
+ return (t);
+}
+
+
+/*
+ * token ID 1 byte
+ * status 4 bytes
+ * return value 4 bytes
+ */
+token_t *
+au_to_exit(int retval, int err)
+{
+ token_t *t;
+ u_char *dptr = NULL;
+
+ GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int32_t));
+ if (t == NULL)
+ return (NULL);
+
+ ADD_U_CHAR(dptr, AUT_EXIT);
+ ADD_U_INT32(dptr, err);
+ ADD_U_INT32(dptr, retval);
+
+ return (t);
+}
+
+/*
+ */
+token_t *
+au_to_groups(int *groups)
+{
+
+ return (au_to_newgroups(BSM_MAX_GROUPS, groups));
+}
+
+/*
+ * token ID 1 byte
+ * number groups 2 bytes
+ * group list count * 4 bytes
+ */
+token_t *
+au_to_newgroups(u_int16_t n, gid_t *groups)
+{
+ token_t *t;
+ u_char *dptr = NULL;
+ int i;
+
+ GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) +
+ n * sizeof(u_int32_t));
+ if (t == NULL)
+ return (NULL);
+
+ ADD_U_CHAR(dptr, AUT_NEWGROUPS);
+ ADD_U_INT16(dptr, n);
+ for (i = 0; i < n; i++)
+ ADD_U_INT32(dptr, groups[i]);
+
+ return (t);
+}
+
+/*
+ * token ID 1 byte
+ * internet address 4 bytes
+ */
+token_t *
+au_to_in_addr(struct in_addr *internet_addr)
+{
+ token_t *t;
+ u_char *dptr = NULL;
+
+ GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t));
+ if (t == NULL)
+ return (NULL);
+
+ ADD_U_CHAR(dptr, AUT_IN_ADDR);
+ ADD_U_INT32(dptr, internet_addr->s_addr);
+
+ return (t);
+}
+
+/*
+ * token ID 1 byte
+ * address type/length 4 bytes
+ * Address 16 bytes
+ */
+token_t *
+au_to_in_addr_ex(struct in6_addr *internet_addr)
+{
+ token_t *t;
+ u_char *dptr = NULL;
+ u_int32_t type = AF_INET6;
+
+ GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 5 * sizeof(u_int32_t));
+ if (t == NULL)
+ return (NULL);
+
+ ADD_U_CHAR(dptr, AUT_IN_ADDR_EX);
+ ADD_U_INT32(dptr, type);
+ ADD_U_INT32(dptr, internet_addr->__u6_addr.__u6_addr32[0]);
+ ADD_U_INT32(dptr, internet_addr->__u6_addr.__u6_addr32[1]);
+ ADD_U_INT32(dptr, internet_addr->__u6_addr.__u6_addr32[2]);
+ ADD_U_INT32(dptr, internet_addr->__u6_addr.__u6_addr32[3]);
+
+ return (t);
+}
+
+/*
+ * token ID 1 byte
+ * ip header 20 bytes
+ */
+token_t *
+au_to_ip(struct ip *ip)
+{
+ token_t *t;
+ u_char *dptr = NULL;
+
+ GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(struct ip));
+ if (t == NULL)
+ return (NULL);
+
+ ADD_U_CHAR(dptr, AUT_IP);
+ /*
+ * XXXRW: Any byte order work needed on the IP header before writing?
+ */
+ ADD_MEM(dptr, ip, sizeof(struct ip));
+
+ return (t);
+}
+
+/*
+ * token ID 1 byte
+ * object ID type 1 byte
+ * object ID 4 bytes
+ */
+token_t *
+au_to_ipc(char type, int id)
+{
+ token_t *t;
+ u_char *dptr = NULL;
+
+ GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int32_t));
+ if (t == NULL)
+ return (NULL);
+
+ ADD_U_CHAR(dptr, AUT_IPC);
+ ADD_U_CHAR(dptr, type);
+ ADD_U_INT32(dptr, id);
+
+ return (t);
+}
+
+/*
+ * token ID 1 byte
+ * owner user ID 4 bytes
+ * owner group ID 4 bytes
+ * creator user ID 4 bytes
+ * creator group ID 4 bytes
+ * access mode 4 bytes
+ * slot sequence # 4 bytes
+ * key 4 bytes
+ */
+token_t *
+au_to_ipc_perm(struct ipc_perm *perm)
+{
+ token_t *t;
+ u_char *dptr = NULL;
+ u_int16_t pad0 = 0;
+
+ GET_TOKEN_AREA(t, dptr, 12 * sizeof(u_int16_t) + sizeof(u_int32_t));
+ if (t == NULL)
+ return (NULL);
+
+ ADD_U_CHAR(dptr, AUT_IPC_PERM);
+
+ /*
+ * Darwin defines the sizes for ipc_perm members
+ * as 2 bytes; BSM defines 4 so pad with 0
+ */
+ ADD_U_INT16(dptr, pad0);
+ ADD_U_INT16(dptr, perm->uid);
+
+ ADD_U_INT16(dptr, pad0);
+ ADD_U_INT16(dptr, perm->gid);
+
+ ADD_U_INT16(dptr, pad0);
+ ADD_U_INT16(dptr, perm->cuid);
+
+ ADD_U_INT16(dptr, pad0);
+ ADD_U_INT16(dptr, perm->cgid);
+
+ ADD_U_INT16(dptr, pad0);
+ ADD_U_INT16(dptr, perm->mode);
+
+ ADD_U_INT16(dptr, pad0);
+ ADD_U_INT16(dptr, perm->seq);
+
+ ADD_U_INT32(dptr, perm->key);
+
+ return (t);
+}
+
+/*
+ * token ID 1 byte
+ * port IP address 2 bytes
+ */
+token_t *
+au_to_iport(u_int16_t iport)
+{
+ token_t *t;
+ u_char *dptr = NULL;
+
+ GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t));
+ if (t == NULL)
+ return (NULL);
+
+ ADD_U_CHAR(dptr, AUT_IPORT);
+ ADD_U_INT16(dptr, iport);
+
+ return (t);
+}
+
+/*
+ * token ID 1 byte
+ * size 2 bytes
+ * data size bytes
+ */
+token_t *
+au_to_opaque(char *data, u_int16_t bytes)
+{
+ token_t *t;
+ u_char *dptr = NULL;
+
+ GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + bytes);
+ if (t == NULL)
+ return (NULL);
+
+ ADD_U_CHAR(dptr, AUT_OPAQUE);
+ ADD_U_INT16(dptr, bytes);
+ ADD_MEM(dptr, data, bytes);
+
+ return (t);
+}
+
+/*
+ * token ID 1 byte
+ * seconds of time 4 bytes
+ * milliseconds of time 4 bytes
+ * file name len 2 bytes
+ * file pathname N bytes + 1 terminating NULL byte
+ */
+token_t *
+#if defined(KERNEL) || defined(_KERNEL)
+au_to_file(char *file, struct timeval tm)
+#else
+au_to_file(char *file)
+#endif
+{
+ token_t *t;
+ u_char *dptr = NULL;
+ u_int16_t filelen;
+ u_int32_t timems;
+#if !defined(KERNEL) && !defined(_KERNEL)
+ struct timeval tm;
+ struct timezone tzp;
+
+ if (gettimeofday(&tm, &tzp) == -1)
+ return (NULL);
+#endif
+
+ filelen = strlen(file);
+ filelen += 1;
+
+ GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int32_t) +
+ sizeof(u_int16_t) + filelen);
+ if (t == NULL)
+ return (NULL);
+
+ timems = tm.tv_usec/1000;
+
+ ADD_U_CHAR(dptr, AUT_OTHER_FILE32);
+ ADD_U_INT32(dptr, tm.tv_sec);
+ ADD_U_INT32(dptr, timems); /* We need time in ms. */
+ ADD_U_INT16(dptr, filelen);
+ ADD_STRING(dptr, file, filelen);
+
+ return (t);
+}
+
+/*
+ * token ID 1 byte
+ * text length 2 bytes
+ * text N bytes + 1 terminating NULL byte
+ */
+token_t *
+au_to_text(char *text)
+{
+ token_t *t;
+ u_char *dptr = NULL;
+ u_int16_t textlen;
+
+ textlen = strlen(text);
+ textlen += 1;
+
+ GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + textlen);
+ if (t == NULL)
+ return (NULL);
+
+ ADD_U_CHAR(dptr, AUT_TEXT);
+ ADD_U_INT16(dptr, textlen);
+ ADD_STRING(dptr, text, textlen);
+
+ return (t);
+}
+
+/*
+ * token ID 1 byte
+ * path length 2 bytes
+ * path N bytes + 1 terminating NULL byte
+ */
+token_t *
+au_to_path(char *text)
+{
+ token_t *t;
+ u_char *dptr = NULL;
+ u_int16_t textlen;
+
+ textlen = strlen(text);
+ textlen += 1;
+
+ GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + textlen);
+ if (t == NULL)
+ return (NULL);
+
+ ADD_U_CHAR(dptr, AUT_PATH);
+ ADD_U_INT16(dptr, textlen);
+ ADD_STRING(dptr, text, textlen);
+
+ return (t);
+}
+
+/*
+ * token ID 1 byte
+ * audit ID 4 bytes
+ * effective user ID 4 bytes
+ * effective group ID 4 bytes
+ * real user ID 4 bytes
+ * real group ID 4 bytes
+ * process ID 4 bytes
+ * session ID 4 bytes
+ * terminal ID
+ * port ID 4 bytes/8 bytes (32-bit/64-bit value)
+ * machine address 4 bytes
+ */
+token_t *
+au_to_process32(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
+ pid_t pid, au_asid_t sid, au_tid_t *tid)
+{
+ token_t *t;
+ u_char *dptr = NULL;
+
+ GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 9 * sizeof(u_int32_t));
+ if (t == NULL)
+ return (NULL);
+
+ ADD_U_CHAR(dptr, AUT_PROCESS32);
+ ADD_U_INT32(dptr, auid);
+ ADD_U_INT32(dptr, euid);
+ ADD_U_INT32(dptr, egid);
+ ADD_U_INT32(dptr, ruid);
+ ADD_U_INT32(dptr, rgid);
+ ADD_U_INT32(dptr, pid);
+ ADD_U_INT32(dptr, sid);
+ ADD_U_INT32(dptr, tid->port);
+ ADD_U_INT32(dptr, tid->machine);
+
+ return (t);
+}
+
+token_t *
+au_to_process64(__unused au_id_t auid, __unused uid_t euid,
+ __unused gid_t egid, __unused uid_t ruid, __unused gid_t rgid,
+ __unused pid_t pid, __unused au_asid_t sid, __unused au_tid_t *tid)
+{
+
+ errno = ENOTSUP;
+ return (NULL);
+}
+
+token_t *
+au_to_process(__unused au_id_t auid, __unused uid_t euid,
+ __unused gid_t egid, __unused uid_t ruid, __unused gid_t rgid,
+ __unused pid_t pid, __unused au_asid_t sid, __unused au_tid_t *tid)
+{
+
+ return (au_to_process32(auid, euid, egid, ruid, rgid, pid, sid,
+ tid));
+}
+
+/*
+ * token ID 1 byte
+ * audit ID 4 bytes
+ * effective user ID 4 bytes
+ * effective group ID 4 bytes
+ * real user ID 4 bytes
+ * real group ID 4 bytes
+ * process ID 4 bytes
+ * session ID 4 bytes
+ * terminal ID
+ * port ID 4 bytes/8 bytes (32-bit/64-bit value)
+ * address type-len 4 bytes
+ * machine address 16 bytes
+ */
+token_t *
+au_to_process32_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
+ gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
+{
+ token_t *t;
+ u_char *dptr = NULL;
+
+ GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 13 * sizeof(u_int32_t));
+ if (t == NULL)
+ return (NULL);
+
+ ADD_U_CHAR(dptr, AUT_PROCESS32_EX);
+ ADD_U_INT32(dptr, auid);
+ ADD_U_INT32(dptr, euid);
+ ADD_U_INT32(dptr, egid);
+ ADD_U_INT32(dptr, ruid);
+ ADD_U_INT32(dptr, rgid);
+ ADD_U_INT32(dptr, pid);
+ ADD_U_INT32(dptr, sid);
+ ADD_U_INT32(dptr, tid->at_port);
+ ADD_U_INT32(dptr, tid->at_type);
+ ADD_U_INT32(dptr, tid->at_addr[0]);
+ ADD_U_INT32(dptr, tid->at_addr[1]);
+ ADD_U_INT32(dptr, tid->at_addr[2]);
+ ADD_U_INT32(dptr, tid->at_addr[3]);
+
+ return (t);
+}
+
+token_t *
+au_to_process64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
+ gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
+{
+
+ errno = ENOTSUP;
+ return (NULL);
+}
+
+token_t *
+au_to_process_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
+ gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
+{
+
+ return (au_to_process32_ex(auid, euid, egid, ruid, rgid, pid, sid,
+ tid));
+}
+
+/*
+ * token ID 1 byte
+ * error status 1 byte
+ * return value 4 bytes/8 bytes (32-bit/64-bit value)
+ */
+token_t *
+au_to_return32(char status, u_int32_t ret)
+{
+ token_t *t;
+ u_char *dptr = NULL;
+
+ GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int32_t));
+ if (t == NULL)
+ return (NULL);
+
+ ADD_U_CHAR(dptr, AUT_RETURN32);
+ ADD_U_CHAR(dptr, status);
+ ADD_U_INT32(dptr, ret);
+
+ return (t);
+}
+
+token_t *
+au_to_return64(char status, u_int64_t ret)
+{
+ token_t *t;
+ u_char *dptr = NULL;
+
+ GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int64_t));
+ if (t == NULL)
+ return (NULL);
+
+ ADD_U_CHAR(dptr, AUT_RETURN64);
+ ADD_U_CHAR(dptr, status);
+ ADD_U_INT64(dptr, ret);
+
+ return (t);
+}
+
+token_t *
+au_to_return(char status, u_int32_t ret)
+{
+
+ return (au_to_return32(status, ret));
+}
+
+/*
+ * token ID 1 byte
+ * sequence number 4 bytes
+ */
+token_t *
+au_to_seq(long audit_count)
+{
+ token_t *t;
+ u_char *dptr = NULL;
+
+ GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t));
+ if (t == NULL)
+ return (NULL);
+
+ ADD_U_CHAR(dptr, AUT_SEQ);
+ ADD_U_INT32(dptr, audit_count);
+
+ return (t);
+}
+
+/*
+ * token ID 1 byte
+ * socket type 2 bytes
+ * local port 2 bytes
+ * local Internet address 4 bytes
+ * remote port 2 bytes
+ * remote Internet address 4 bytes
+ */
+token_t *
+au_to_socket(struct socket *so)
+{
+
+ errno = ENOTSUP;
+ return (NULL);
+}
+
+/*
+ * token ID 1 byte
+ * socket type 2 bytes
+ * local port 2 bytes
+ * address type/length 4 bytes
+ * local Internet address 4 bytes/16 bytes (IPv4/IPv6 address)
+ * remote port 4 bytes
+ * address type/length 4 bytes
+ * remote Internet address 4 bytes/16 bytes (IPv4/IPv6 address)
+ */
+token_t *
+au_to_socket_ex_32(u_int16_t lp, u_int16_t rp, struct sockaddr *la,
+ struct sockaddr *ra)
+{
+
+ errno = ENOTSUP;
+ return (NULL);
+}
+
+token_t *
+au_to_socket_ex_128(u_int16_t lp, u_int16_t rp, struct sockaddr *la,
+ struct sockaddr *ra)
+{
+
+ errno = ENOTSUP;
+ return (NULL);
+}
+
+/*
+ * token ID 1 byte
+ * socket family 2 bytes
+ * path 104 bytes
+ */
+token_t *
+au_to_sock_unix(struct sockaddr_un *so)
+{
+ token_t *t;
+ u_char *dptr;
+
+ GET_TOKEN_AREA(t, dptr, 3 * sizeof(u_char) + strlen(so->sun_path) + 1);
+ if (t == NULL)
+ return (NULL);
+
+ ADD_U_CHAR(dptr, AU_SOCK_UNIX_TOKEN);
+ /* BSM token has two bytes for family */
+ ADD_U_CHAR(dptr, 0);
+ ADD_U_CHAR(dptr, so->sun_family);
+ ADD_STRING(dptr, so->sun_path, strlen(so->sun_path) + 1);
+
+ return (t);
+}
+
+/*
+ * token ID 1 byte
+ * socket family 2 bytes
+ * local port 2 bytes
+ * socket address 4 bytes
+ */
+token_t *
+au_to_sock_inet32(struct sockaddr_in *so)
+{
+ token_t *t;
+ u_char *dptr = NULL;
+
+ GET_TOKEN_AREA(t, dptr, 3 * sizeof(u_char) + sizeof(u_int16_t) +
+ sizeof(u_int32_t));
+ if (t == NULL)
+ return (NULL);
+
+ ADD_U_CHAR(dptr, AUT_SOCKINET32);
+ /*
+ * In Darwin, sin_family is one octet, but BSM defines the token
+ * to store two. So we copy in a 0 first.
+ */
+ ADD_U_CHAR(dptr, 0);
+ ADD_U_CHAR(dptr, so->sin_family);
+ ADD_U_INT16(dptr, so->sin_port);
+ ADD_U_INT32(dptr, so->sin_addr.s_addr);
+
+ return (t);
+
+}
+
+token_t *
+au_to_sock_inet128(struct sockaddr_in6 *so)
+{
+ token_t *t;
+ u_char *dptr = NULL;
+
+ GET_TOKEN_AREA(t, dptr, 3 * sizeof(u_char) + sizeof(u_int16_t) +
+ 4 * sizeof(u_int32_t));
+ if (t == NULL)
+ return (NULL);
+
+ ADD_U_CHAR(dptr, AUT_SOCKINET128);
+ /*
+ * In Darwin, sin6_family is one octet, but BSM defines the token
+ * to store two. So we copy in a 0 first.
+ */
+ ADD_U_CHAR(dptr, 0);
+ ADD_U_CHAR(dptr, so->sin6_family);
+
+ ADD_U_INT16(dptr, so->sin6_port);
+ ADD_U_INT32(dptr, so->sin6_addr.__u6_addr.__u6_addr32[0]);
+ ADD_U_INT32(dptr, so->sin6_addr.__u6_addr.__u6_addr32[1]);
+ ADD_U_INT32(dptr, so->sin6_addr.__u6_addr.__u6_addr32[2]);
+ ADD_U_INT32(dptr, so->sin6_addr.__u6_addr.__u6_addr32[3]);
+
+ return (t);
+
+}
+
+token_t *
+au_to_sock_inet(struct sockaddr_in *so)
+{
+
+ return (au_to_sock_inet32(so));
+}
+
+/*
+ * token ID 1 byte
+ * audit ID 4 bytes
+ * effective user ID 4 bytes
+ * effective group ID 4 bytes
+ * real user ID 4 bytes
+ * real group ID 4 bytes
+ * process ID 4 bytes
+ * session ID 4 bytes
+ * terminal ID
+ * port ID 4 bytes/8 bytes (32-bit/64-bit value)
+ * machine address 4 bytes
+ */
+token_t *
+au_to_subject32(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
+ pid_t pid, au_asid_t sid, au_tid_t *tid)
+{
+ token_t *t;
+ u_char *dptr = NULL;
+
+ GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 9 * sizeof(u_int32_t));
+ if (t == NULL)
+ return (NULL);
+
+ ADD_U_CHAR(dptr, AUT_SUBJECT32);
+ ADD_U_INT32(dptr, auid);
+ ADD_U_INT32(dptr, euid);
+ ADD_U_INT32(dptr, egid);
+ ADD_U_INT32(dptr, ruid);
+ ADD_U_INT32(dptr, rgid);
+ ADD_U_INT32(dptr, pid);
+ ADD_U_INT32(dptr, sid);
+ ADD_U_INT32(dptr, tid->port);
+ ADD_U_INT32(dptr, tid->machine);
+
+ return (t);
+}
+
+token_t *
+au_to_subject64(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
+ pid_t pid, au_asid_t sid, au_tid_t *tid)
+{
+
+ errno = ENOTSUP;
+ return (NULL);
+}
+
+token_t *
+au_to_subject(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
+ pid_t pid, au_asid_t sid, au_tid_t *tid)
+{
+
+ return (au_to_subject32(auid, euid, egid, ruid, rgid, pid, sid,
+ tid));
+}
+
+/*
+ * token ID 1 byte
+ * audit ID 4 bytes
+ * effective user ID 4 bytes
+ * effective group ID 4 bytes
+ * real user ID 4 bytes
+ * real group ID 4 bytes
+ * process ID 4 bytes
+ * session ID 4 bytes
+ * terminal ID
+ * port ID 4 bytes/8 bytes (32-bit/64-bit value)
+ * address type/length 4 bytes
+ * machine address 16 bytes
+ */
+token_t *
+au_to_subject32_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
+ gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
+{
+ token_t *t;
+ u_char *dptr = NULL;
+
+ GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 13 * sizeof(u_int32_t));
+ if (t == NULL)
+ return (NULL);
+
+ ADD_U_CHAR(dptr, AUT_SUBJECT32_EX);
+ ADD_U_INT32(dptr, auid);
+ ADD_U_INT32(dptr, euid);
+ ADD_U_INT32(dptr, egid);
+ ADD_U_INT32(dptr, ruid);
+ ADD_U_INT32(dptr, rgid);
+ ADD_U_INT32(dptr, pid);
+ ADD_U_INT32(dptr, sid);
+ ADD_U_INT32(dptr, tid->at_port);
+ ADD_U_INT32(dptr, tid->at_type);
+ ADD_U_INT32(dptr, tid->at_addr[0]);
+ ADD_U_INT32(dptr, tid->at_addr[1]);
+ ADD_U_INT32(dptr, tid->at_addr[2]);
+ ADD_U_INT32(dptr, tid->at_addr[3]);
+
+ return (t);
+}
+
+token_t *
+au_to_subject64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
+ gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
+{
+
+ errno = ENOTSUP;
+ return (NULL);
+}
+
+token_t *
+au_to_subject_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
+ gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
+{
+
+ return (au_to_subject32_ex(auid, euid, egid, ruid, rgid, pid, sid,
+ tid));
+}
+
+#if !defined(_KERNEL) && !defined(KERNEL)
+/*
+ * Collects audit information for the current process
+ * and creates a subject token from it
+ */
+token_t *
+au_to_me(void)
+{
+ auditinfo_t auinfo;
+
+ if (getaudit(&auinfo) != 0)
+ return (NULL);
+
+ return (au_to_subject32(auinfo.ai_auid, geteuid(), getegid(),
+ getuid(), getgid(), getpid(), auinfo.ai_asid, &auinfo.ai_termid));
+}
+#endif
+
+/*
+ * token ID 1 byte
+ * count 4 bytes
+ * text count null-terminated strings
+ */
+token_t *
+au_to_exec_args(const char **args)
+{
+ token_t *t;
+ u_char *dptr = NULL;
+ const char *nextarg;
+ int i, count = 0;
+ size_t totlen = 0;
+
+ nextarg = *args;
+
+ while (nextarg != NULL) {
+ int nextlen;
+
+ nextlen = strlen(nextarg);
+ totlen += nextlen + 1;
+ count++;
+ nextarg = *(args + count);
+ }
+
+ totlen += count * sizeof(char); /* nul terminations. */
+ GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + totlen);
+ if (t == NULL)
+ return (NULL);
+
+ ADD_U_CHAR(dptr, AUT_EXEC_ARGS);
+ ADD_U_INT32(dptr, count);
+
+ for (i = 0; i < count; i++) {
+ nextarg = *(args + i);
+ ADD_MEM(dptr, nextarg, strlen(nextarg) + 1);
+ }
+
+ return (t);
+}
+
+/*
+ * token ID 1 byte
+ * count 4 bytes
+ * text count null-terminated strings
+ */
+token_t *
+au_to_exec_env(const char **env)
+{
+ token_t *t;
+ u_char *dptr = NULL;
+ int i, count = 0;
+ size_t totlen = 0;
+ const char *nextenv;
+
+ nextenv = *env;
+
+ while (nextenv != NULL) {
+ int nextlen;
+
+ nextlen = strlen(nextenv);
+ totlen += nextlen + 1;
+ count++;
+ nextenv = *(env + count);
+ }
+
+ totlen += sizeof(char) * count;
+ GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + totlen);
+ if (t == NULL)
+ return (NULL);
+
+ ADD_U_CHAR(dptr, AUT_EXEC_ENV);
+ ADD_U_INT32(dptr, count);
+
+ for (i = 0; i < count; i++) {
+ nextenv = *(env + i);
+ ADD_MEM(dptr, nextenv, strlen(nextenv) + 1);
+ }
+
+ return (t);
+}
+
+/*
+ * token ID 1 byte
+ * record byte count 4 bytes
+ * version # 1 byte [2]
+ * event type 2 bytes
+ * event modifier 2 bytes
+ * seconds of time 4 bytes/8 bytes (32-bit/64-bit value)
+ * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value)
+ */
+token_t *
+#if defined(KERNEL) || defined(_KERNEL)
+au_to_header32(int rec_size, au_event_t e_type, au_emod_t e_mod,
+ struct timeval tm)
+#else
+au_to_header32(int rec_size, au_event_t e_type, au_emod_t e_mod)
+#endif
+{
+ token_t *t;
+ u_char *dptr = NULL;
+ u_int32_t timems;
+#if !defined(KERNEL) && !defined(_KERNEL)
+ struct timeval tm;
+ struct timezone tzp;
+
+ if (gettimeofday(&tm, &tzp) == -1)
+ return (NULL);
+#endif
+
+ GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) +
+ sizeof(u_char) + 2 * sizeof(u_int16_t) + 2 * sizeof(u_int32_t));
+ if (t == NULL)
+ return (NULL);
+
+ ADD_U_CHAR(dptr, AUT_HEADER32);
+ ADD_U_INT32(dptr, rec_size);
+ ADD_U_CHAR(dptr, HEADER_VERSION);
+ ADD_U_INT16(dptr, e_type);
+ ADD_U_INT16(dptr, e_mod);
+
+ timems = tm.tv_usec/1000;
+ /* Add the timestamp */
+ ADD_U_INT32(dptr, tm.tv_sec);
+ ADD_U_INT32(dptr, timems); /* We need time in ms. */
+
+ return (t);
+}
+
+token_t *
+au_to_header64(__unused int rec_size, __unused au_event_t e_type,
+ __unused au_emod_t e_mod)
+{
+
+ errno = ENOTSUP;
+ return (NULL);
+}
+
+token_t *
+au_to_header(int rec_size, au_event_t e_type, au_emod_t e_mod)
+{
+
+ return (au_to_header32(rec_size, e_type, e_mod));
+}
+
+/*
+ * token ID 1 byte
+ * trailer magic number 2 bytes
+ * record byte count 4 bytes
+ */
+token_t *
+au_to_trailer(int rec_size)
+{
+ token_t *t;
+ u_char *dptr = NULL;
+ u_int16_t magic = TRAILER_PAD_MAGIC;
+
+ GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) +
+ sizeof(u_int32_t));
+ if (t == NULL)
+ return (NULL);
+
+ ADD_U_CHAR(dptr, AUT_TRAILER);
+ ADD_U_INT16(dptr, magic);
+ ADD_U_INT32(dptr, rec_size);
+
+ return (t);
+}
diff --git a/contrib/openbsm/libbsm/bsm_user.c b/contrib/openbsm/libbsm/bsm_user.c
new file mode 100644
index 000000000000..3927423f5119
--- /dev/null
+++ b/contrib/openbsm/libbsm/bsm_user.c
@@ -0,0 +1,268 @@
+/*
+ * Copyright (c) 2004 Apple Computer, Inc.
+ * Copyright (c) 2006 Robert N. M. Watson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+ * its contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
+ * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_user.c#14 $
+ */
+
+#include <bsm/libbsm.h>
+
+#include <string.h>
+#include <pthread.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+/*
+ * Parse the contents of the audit_user file into au_user_ent structures.
+ */
+
+static FILE *fp = NULL;
+static char linestr[AU_LINE_MAX];
+static const char *user_delim = ":";
+
+static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
+
+/*
+ * Parse one line from the audit_user file into the au_user_ent structure.
+ */
+static struct au_user_ent *
+userfromstr(char *str, struct au_user_ent *u)
+{
+ char *username, *always, *never;
+ char *last;
+
+ username = strtok_r(str, user_delim, &last);
+ always = strtok_r(NULL, user_delim, &last);
+ never = strtok_r(NULL, user_delim, &last);
+
+ if ((username == NULL) || (always == NULL) || (never == NULL))
+ return (NULL);
+
+ if (strlen(username) >= AU_USER_NAME_MAX)
+ return (NULL);
+
+ strcpy(u->au_name, username);
+ if (getauditflagsbin(always, &(u->au_always)) == -1)
+ return (NULL);
+
+ if (getauditflagsbin(never, &(u->au_never)) == -1)
+ return (NULL);
+
+ return (u);
+}
+
+/*
+ * Rewind to beginning of the file
+ */
+static void
+setauuser_locked(void)
+{
+
+ if (fp != NULL)
+ fseek(fp, 0, SEEK_SET);
+}
+
+void
+setauuser(void)
+{
+
+ pthread_mutex_lock(&mutex);
+ setauuser_locked();
+ pthread_mutex_unlock(&mutex);
+}
+
+/*
+ * Close the file descriptor
+ */
+void
+endauuser(void)
+{
+
+ pthread_mutex_lock(&mutex);
+ if (fp != NULL) {
+ fclose(fp);
+ fp = NULL;
+ }
+ pthread_mutex_unlock(&mutex);
+}
+
+/*
+ * Enumerate the au_user_ent structures from the file
+ */
+static struct au_user_ent *
+getauuserent_r_locked(struct au_user_ent *u)
+{
+ char *nl;
+
+ if ((fp == NULL) && ((fp = fopen(AUDIT_USER_FILE, "r")) == NULL))
+ return (NULL);
+
+ while (1) {
+ if (fgets(linestr, AU_LINE_MAX, fp) == NULL)
+ return (NULL);
+
+ /* Remove new lines. */
+ if ((nl = strrchr(linestr, '\n')) != NULL)
+ *nl = '\0';
+
+ /* Skip comments. */
+ if (linestr[0] == '#')
+ continue;
+
+ /* Get the next structure. */
+ if (userfromstr(linestr, u) == NULL)
+ return (NULL);
+ break;
+ }
+
+ return (u);
+}
+
+struct au_user_ent *
+getauuserent_r(struct au_user_ent *u)
+{
+ struct au_user_ent *up;
+
+ pthread_mutex_lock(&mutex);
+ up = getauuserent_r_locked(u);
+ pthread_mutex_unlock(&mutex);
+ return (up);
+}
+
+struct au_user_ent *
+getauuserent(void)
+{
+ static char user_ent_name[AU_USER_NAME_MAX];
+ static struct au_user_ent u;
+
+ bzero(&u, sizeof(u));
+ bzero(user_ent_name, sizeof(user_ent_name));
+ u.au_name = user_ent_name;
+
+ return (getauuserent_r(&u));
+}
+
+/*
+ * Find a au_user_ent structure matching the given user name.
+ */
+struct au_user_ent *
+getauusernam_r(struct au_user_ent *u, const char *name)
+{
+ struct au_user_ent *up;
+
+ if (name == NULL)
+ return (NULL);
+
+ pthread_mutex_lock(&mutex);
+
+ setauuser_locked();
+ while ((up = getauuserent_r_locked(u)) != NULL) {
+ if (strcmp(name, u->au_name) == 0) {
+ pthread_mutex_unlock(&mutex);
+ return (u);
+ }
+ }
+
+ pthread_mutex_unlock(&mutex);
+ return (NULL);
+
+}
+
+struct au_user_ent *
+getauusernam(const char *name)
+{
+ static char user_ent_name[AU_USER_NAME_MAX];
+ static struct au_user_ent u;
+
+ bzero(&u, sizeof(u));
+ bzero(user_ent_name, sizeof(user_ent_name));
+ u.au_name = user_ent_name;
+
+ return (getauusernam_r(&u, name));
+}
+
+/*
+ * Read the default system wide audit classes from audit_control, combine with
+ * the per-user audit class and update the binary preselection mask.
+ */
+int
+au_user_mask(char *username, au_mask_t *mask_p)
+{
+ char auditstring[MAX_AUDITSTRING_LEN + 1];
+ char user_ent_name[AU_USER_NAME_MAX];
+ struct au_user_ent u, *up;
+
+ bzero(&u, sizeof(u));
+ bzero(user_ent_name, sizeof(user_ent_name));
+ u.au_name = user_ent_name;
+
+ /* Get user mask. */
+ if ((up = getauusernam_r(&u, username)) != NULL) {
+ if (-1 == getfauditflags(&up->au_always, &up->au_never,
+ mask_p))
+ return (-1);
+ return (0);
+ }
+
+ /* Read the default system mask. */
+ if (getacflg(auditstring, MAX_AUDITSTRING_LEN) == 0) {
+ if (-1 == getauditflagsbin(auditstring, mask_p))
+ return (-1);
+ return (0);
+ }
+
+ /* No masks defined. */
+ return (-1);
+}
+
+/*
+ * Generate the process audit state by combining the audit masks passed as
+ * parameters with the system audit masks.
+ */
+int
+getfauditflags(au_mask_t *usremask, au_mask_t *usrdmask, au_mask_t *lastmask)
+{
+ char auditstring[MAX_AUDITSTRING_LEN + 1];
+
+ if ((usremask == NULL) || (usrdmask == NULL) || (lastmask == NULL))
+ return (-1);
+
+ lastmask->am_success = 0;
+ lastmask->am_failure = 0;
+
+ /* Get the system mask. */
+ if (getacflg(auditstring, MAX_AUDITSTRING_LEN) == 0) {
+ if (getauditflagsbin(auditstring, lastmask) != 0)
+ return (-1);
+ }
+
+ ADDMASK(lastmask, usremask);
+ SUBMASK(lastmask, usrdmask);
+
+ return (0);
+}
diff --git a/contrib/openbsm/libbsm/bsm_wrappers.c b/contrib/openbsm/libbsm/bsm_wrappers.c
new file mode 100644
index 000000000000..e7600e7f5ee2
--- /dev/null
+++ b/contrib/openbsm/libbsm/bsm_wrappers.c
@@ -0,0 +1,322 @@
+/*
+ * Copyright (c) 2004 Apple Computer, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+ * its contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
+ * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_wrappers.c#14 $
+ */
+
+#include <sys/param.h>
+#include <sys/stat.h>
+#include <sys/sysctl.h>
+
+#include <bsm/libbsm.h>
+
+#include <unistd.h>
+#include <syslog.h>
+#include <string.h>
+#include <errno.h>
+
+/* These are not advertised in libbsm.h */
+int audit_set_terminal_port(dev_t *p);
+int audit_set_terminal_host(uint32_t *m);
+
+int
+audit_set_terminal_port(dev_t *p)
+{
+ struct stat st;
+
+ if (p == NULL)
+ return (kAUBadParamErr);
+
+ *p = NODEV;
+
+ /* for /usr/bin/login, try fstat() first */
+ if (fstat(STDIN_FILENO, &st) != 0) {
+ if (errno != EBADF) {
+ syslog(LOG_ERR, "fstat() failed (%s)",
+ strerror(errno));
+ return (kAUStatErr);
+ }
+ if (stat("/dev/console", &st) != 0) {
+ syslog(LOG_ERR, "stat() failed (%s)",
+ strerror(errno));
+ return (kAUStatErr);
+ }
+ }
+ *p = st.st_rdev;
+ return (kAUNoErr);
+}
+
+int
+audit_set_terminal_host(uint32_t *m)
+{
+ int name[2] = { CTL_KERN, KERN_HOSTID };
+ size_t len;
+
+ if (m == NULL)
+ return (kAUBadParamErr);
+ *m = 0;
+ len = sizeof(*m);
+ if (sysctl(name, 2, m, &len, NULL, 0) != 0) {
+ syslog(LOG_ERR, "sysctl() failed (%s)", strerror(errno));
+ return (kAUSysctlErr);
+ }
+ return (kAUNoErr);
+}
+
+int
+audit_set_terminal_id(au_tid_t *tid)
+{
+ int ret;
+
+ if (tid == NULL)
+ return (kAUBadParamErr);
+ if ((ret = audit_set_terminal_port(&tid->port)) != kAUNoErr)
+ return (ret);
+ return (audit_set_terminal_host(&tid->machine));
+}
+
+/*
+ * This is OK for those callers who have only one token to write. If you have
+ * multiple tokens that logically form part of the same audit record, you need
+ * to use the existing au_open()/au_write()/au_close() API:
+ *
+ * aufd = au_open();
+ * tok = au_to_random_token_1(...);
+ * au_write(aufd, tok);
+ * tok = au_to_random_token_2(...);
+ * au_write(aufd, tok);
+ * ...
+ * au_close(aufd, 1, AUE_your_event_type);
+ *
+ * Assumes, like all wrapper calls, that the caller has previously checked
+ * that auditing is enabled via the audit_get_state() call.
+ *
+ * XXX: Should be more robust against bad arguments.
+ */
+int
+audit_write(short event_code, token_t *subject, token_t *misctok, char retval,
+ int errcode)
+{
+ int aufd;
+ char *func = "audit_write()";
+ token_t *rettok;
+
+ if ((aufd = au_open()) == -1) {
+ au_free_token(subject);
+ au_free_token(misctok);
+ syslog(LOG_ERR, "%s: au_open() failed", func);
+ return (kAUOpenErr);
+ }
+
+ /* Save subject. */
+ if (subject && au_write(aufd, subject) == -1) {
+ au_free_token(subject);
+ au_free_token(misctok);
+ (void)au_close(aufd, 0, event_code);
+ syslog(LOG_ERR, "%s: write of subject failed", func);
+ return (kAUWriteSubjectTokErr);
+ }
+
+ /* Save the event-specific token. */
+ if (misctok && au_write(aufd, misctok) == -1) {
+ au_free_token(misctok);
+ (void)au_close(aufd, 0, event_code);
+ syslog(LOG_ERR, "%s: write of caller token failed", func);
+ return (kAUWriteCallerTokErr);
+ }
+
+ /* Tokenize and save the return value. */
+ if ((rettok = au_to_return32(retval, errcode)) == NULL) {
+ (void)au_close(aufd, 0, event_code);
+ syslog(LOG_ERR, "%s: au_to_return32() failed", func);
+ return (kAUMakeReturnTokErr);
+ }
+
+ if (au_write(aufd, rettok) == -1) {
+ au_free_token(rettok);
+ (void)au_close(aufd, 0, event_code);
+ syslog(LOG_ERR, "%s: write of return code failed", func);
+ return (kAUWriteReturnTokErr);
+ }
+
+ /*
+ * au_close()'s second argument is "keep": if keep == 0, the record is
+ * discarded. We assume the caller wouldn't have bothered with this
+ * function if it hadn't already decided to keep the record.
+ */
+ if (au_close(aufd, 1, event_code) < 0) {
+ syslog(LOG_ERR, "%s: au_close() failed", func);
+ return (kAUCloseErr);
+ }
+
+ return (kAUNoErr);
+}
+
+/*
+ * Same caveats as audit_write(). In addition, this function explicitly
+ * assumes success; use audit_write_failure() on error.
+ */
+int
+audit_write_success(short event_code, token_t *tok, au_id_t auid, uid_t euid,
+ gid_t egid, uid_t ruid, gid_t rgid, pid_t pid, au_asid_t sid,
+ au_tid_t *tid)
+{
+ char *func = "audit_write_success()";
+ token_t *subject = NULL;
+
+ /* Tokenize and save subject. */
+ subject = au_to_subject32(auid, euid, egid, ruid, rgid, pid, sid,
+ tid);
+ if (subject == NULL) {
+ syslog(LOG_ERR, "%s: au_to_subject32() failed", func);
+ return kAUMakeSubjectTokErr;
+ }
+
+ return (audit_write(event_code, subject, tok, 0, 0));
+}
+
+/*
+ * Same caveats as audit_write(). In addition, this function explicitly
+ * assumes success; use audit_write_failure_self() on error.
+ */
+int
+audit_write_success_self(short event_code, token_t *tok)
+{
+ token_t *subject;
+ char *func = "audit_write_success_self()";
+
+ if ((subject = au_to_me()) == NULL) {
+ syslog(LOG_ERR, "%s: au_to_me() failed", func);
+ return (kAUMakeSubjectTokErr);
+ }
+
+ return (audit_write(event_code, subject, tok, 0, 0));
+}
+
+/*
+ * Same caveats as audit_write(). In addition, this function explicitly
+ * assumes failure; use audit_write_success() otherwise.
+ *
+ * XXX This should let the caller pass an error return value rather than
+ * hard-coding -1.
+ */
+int
+audit_write_failure(short event_code, char *errmsg, int errcode, au_id_t auid,
+ uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, pid_t pid, au_asid_t sid,
+ au_tid_t *tid)
+{
+ char *func = "audit_write_failure()";
+ token_t *subject, *errtok;
+
+ subject = au_to_subject32(auid, euid, egid, ruid, rgid, pid, sid, tid);
+ if (subject == NULL) {
+ syslog(LOG_ERR, "%s: au_to_subject32() failed", func);
+ return (kAUMakeSubjectTokErr);
+ }
+
+ /* tokenize and save the error message */
+ if ((errtok = au_to_text(errmsg)) == NULL) {
+ au_free_token(subject);
+ syslog(LOG_ERR, "%s: au_to_text() failed", func);
+ return (kAUMakeTextTokErr);
+ }
+
+ return (audit_write(event_code, subject, errtok, -1, errcode));
+}
+
+/*
+ * Same caveats as audit_write(). In addition, this function explicitly
+ * assumes failure; use audit_write_success_self() otherwise.
+ *
+ * XXX This should let the caller pass an error return value rather than
+ * hard-coding -1.
+ */
+int
+audit_write_failure_self(short event_code, char *errmsg, int errret)
+{
+ char *func = "audit_write_failure_self()";
+ token_t *subject, *errtok;
+
+ if ((subject = au_to_me()) == NULL) {
+ syslog(LOG_ERR, "%s: au_to_me() failed", func);
+ return (kAUMakeSubjectTokErr);
+ }
+ /* tokenize and save the error message */
+ if ((errtok = au_to_text(errmsg)) == NULL) {
+ au_free_token(subject);
+ syslog(LOG_ERR, "%s: au_to_text() failed", func);
+ return (kAUMakeTextTokErr);
+ }
+ return (audit_write(event_code, subject, errtok, -1, errret));
+}
+
+/*
+ * For auditing errors during login. Such errors are implicitly
+ * non-attributable (i.e., not ascribable to any user).
+ *
+ * Assumes, like all wrapper calls, that the caller has previously checked
+ * that auditing is enabled via the audit_get_state() call.
+ */
+int
+audit_write_failure_na(short event_code, char *errmsg, int errret, uid_t euid,
+ uid_t egid, pid_t pid, au_tid_t *tid)
+{
+
+ return (audit_write_failure(event_code, errmsg, errret, -1, euid,
+ egid, -1, -1, pid, -1, tid));
+}
+
+/* END OF au_write() WRAPPERS */
+
+#ifdef __APPLE__
+void
+audit_token_to_au32(audit_token_t atoken, uid_t *auidp, uid_t *euidp,
+ gid_t *egidp, uid_t *ruidp, gid_t *rgidp, pid_t *pidp, au_asid_t *asidp,
+ au_tid_t *tidp)
+{
+
+ if (auidp != NULL)
+ *auidp = (uid_t)atoken.val[0];
+ if (euidp != NULL)
+ *euidp = (uid_t)atoken.val[1];
+ if (egidp != NULL)
+ *egidp = (gid_t)atoken.val[2];
+ if (ruidp != NULL)
+ *ruidp = (uid_t)atoken.val[3];
+ if (rgidp != NULL)
+ *rgidp = (gid_t)atoken.val[4];
+ if (pidp != NULL)
+ *pidp = (pid_t)atoken.val[5];
+ if (asidp != NULL)
+ *asidp = (au_asid_t)atoken.val[6];
+ if (tidp != NULL) {
+ audit_set_terminal_host(&tidp->machine);
+ tidp->port = (dev_t)atoken.val[7];
+ }
+}
+#endif /* !__APPLE__ */
diff --git a/contrib/openbsm/libbsm/libbsm.3 b/contrib/openbsm/libbsm/libbsm.3
new file mode 100644
index 000000000000..3ec8168435a2
--- /dev/null
+++ b/contrib/openbsm/libbsm/libbsm.3
@@ -0,0 +1,220 @@
+.\"-
+.\" Copyright (c) 2005-2006 Robert N. M. Watson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/libbsm.3#3 $
+.\"
+.Dd April 19, 2005
+.Dt LIBBSM 3
+.Os
+.Sh NAME
+.Nm libbsm
+.Nd "Basic Security Module (BSM) Audit API"
+.Sh LIBRARY
+.Lb libbsm
+.Sh SYNOPSIS
+.In libbsm.h
+.Sh DESCRIPTION
+The
+.Nm
+library routines provide an interface to BSM audit record streams, allowing
+both the parsing of existing audit streams, as well as the creation of new
+audit records and streams.
+.Sh INTERFACES
+.Nm
+provides a large number of Audit programming interfaces in several classes:
+event stream interfaces, class interfaces, control interfaces, event
+interfaces, I/O interfaces, mask interfaces, notification interfaces, token
+interfaces, and user interfaces.
+These are described respectively in the
+.Xr au_stream 3 ,
+.Xr au_class 3 ,
+.Xr au_control 3 ,
+.Xr au_event 3 ,
+.Xr au_mask 3 ,
+.Xr au_notify 3 ,
+.Xr au_token 3 ,
+.Xr au_user 3
+man pages.
+.Ss Audit Event Stream Interfaces
+Audit event stream interfaces support interaction with file-backed audit
+event streams:
+.Xr au_free_token 3 ,
+.Xr au_free_token 3 ,
+.Xr au_open 3 ,
+.Xr au_write 3 ,
+.Xr au_close 3 .
+.Ss Audit Class Interfaces
+Audit class interfaces support the look up of information from the
+.Xr audit_class 5
+database:
+.Xr getauclassent 3 ,
+.Xr getauclassent_r 3 ,
+.Xr getauclassnam 3 ,
+.Xr getauclassnam_r 3 ,
+.Xr setauclass 3 ,
+.Xr endauclass 3 .
+.Ss Audit Control Interfaces
+Audit control interfaces support the look up of information from the
+.Xr audit_control 5
+database:
+.Xr setac 3 ,
+.Xr endac 3 ,
+.Xr getacdir 3 ,
+.Xr getacmin 3 ,
+.Xr getacflg 3 ,
+.Xr getacna 3 .
+.Ss Audit Event Interfaces
+Audit event interfaces support the look up of information from the
+.Xr audit_event 5
+database:
+.Xr setauevent 3 ,
+.Xr endauevent 3 ,
+.Xr getauevent 3 ,
+.Xr getauevent_r 3 ,
+.Xr getauevnam 3 ,
+.Xr getauevnam_r 3 ,
+.Xr getauevnum 3 ,
+.Xr getauevnum_r 3 ,
+.Xr getauevnonam 3 ,
+.Xr getauevnonam_r 3 ,
+.Ss Audit I/O Interfaces
+Audit I/O interfaces support the processing and printing of tokens, as well
+as the reading of audit records:
+.Xr au_fetch_tok 3 ,
+.Xr au_print_tok 3 ,
+.Xr au_read_rec 3 .
+.Ss Audit Mask Interfaces
+Audit mask interfaces convert support the conversion between strings and
+.Vt au_mask_t
+values.
+They may also be used to determine if a particular audit event is matched
+by a mask:
+.Xr au_preselect 3 ,
+.Xr getauditflagsbin 3 ,
+.Xr getauditflagschar 3 .
+.Ss Audit Notification Interfaces
+Audit notification routines track audit state in a form permitting efficient
+update, avoiding frequent system calls to check the kernel audit state:
+.Xr au_notify_initialize 3 ,
+.Xr au_notify_terminate 3 ,
+.Xr au_get_state 3 .
+These interfaces are implemented only for Darwin/Mac OS X.
+.Ss Audit Token Interface
+Audit token interfaces permit the creation of tokens for use in creating
+audit records for submission to event streams.
+Each interface converts a C type to its
+.Vt token_t
+representation.
+.Xr au_to_arg32 3 ,
+.Xr au_to_arg64 3 ,
+.Xr au_to_arg 3 ,
+.Xr au_to_attr64 3 ,
+.Xr au_to_data 3 ,
+.Xr au_to_exit 3 ,
+.Xr au_to_groups 3 ,
+.Xr au_to_newgroups 3 ,
+.Xr au_to_in_addr 3 ,
+.Xr au_to_in_addr_ex 3 ,
+.Xr au_to_ip 3 ,
+.Xr au_to_ipc 3 ,
+.Xr au_to_ipc_perm 3 ,
+.Xr au_to_iport 3 ,
+.Xr au_to_opaque 3 ,
+.Xr au_to_file 3 ,
+.Xr au_to_text 3 ,
+.Xr au_to_path 3 ,
+.Xr au_to_process32 3 ,
+.Xr au_to_process64 3 ,
+.Xr au_to_process 3 ,
+.Xr au_to_process32_ex 3 ,
+.Xr au_to_process64_ex 3 ,
+.Xr au_to_process_ex 3 ,
+.Xr au_to_return32 3 ,
+.Xr au_to_return64 3 ,
+.Xr au_to_return 3 ,
+.Xr au_to_seq 3 ,
+.Xr au_to_socket 3 ,
+.Xr au_to_socket_ex_32 3 ,
+.Xr au_to_socket_ex_128 3 ,
+.Xr au_to_sock_inet32 3 ,
+.Xr au_to_sock_inet128 3 ,
+.Xr au_to_sock_inet 3 ,
+.Xr au_to_subject32 3 ,
+.Xr au_to_subject64 3 ,
+.Xr au_to_subject 3 ,
+.Xr au_to_subject32_ex 3 ,
+.Xr au_to_subject64_ex 3 ,
+.Xr au_to_subject_ex 3 ,
+.Xr au_to_me 3 ,
+.Xr au_to_exec_args 3 ,
+.Xr au_to_exec_env 3 ,
+.Xr au_to_header32 3 ,
+.Xr au_to_header64 3 ,
+.Xr au_to_trailer 3 .
+.Ss Audit User Interfaces
+Audit user interfaces support the look up of information from the
+.Xr audit_user 5
+database:
+.Xr setauuser 3 ,
+.Xr endauuser 3 ,
+.Xr getauuserent 3 ,
+.Xr getauuserent_r 3 ,
+.Xr getauusernam 3 ,
+.Xr getauusernam_r 3 ,
+.Xr au_user_mask 3 ,
+.Xr getfauditflags 3 .
+.Sh SEE ALSO
+.Xr au_class 3 ,
+.Xr au_mask 3 ,
+.Xr au_notify 3 ,
+.Xr au_stream 3 ,
+.Xr au_token 3 ,
+.Xr au_user 3 ,
+.Xr audit_class 5 ,
+.Xr audit_control 5
+.Sh AUTHORS
+This software was created by Robert Watson, Wayne Salamon, and Suresh
+Krishnaswamy for McAfee Research, the security research division of McAfee,
+Inc., under contract to Apple Computer, Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer, Inc., in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
+.Sh BUGS
+Bugs would not be unlikely.
+.Pp
+The
+.Nm
+library implementations are generally thread-safe, but not reentrant.
+.Pp
+The assignment of routines to classes could use some work, as it is
+decidely ad hoc.
+For example,
+.Fn au_read_rec
+should probably be considered a stream routine.
diff --git a/contrib/openbsm/man/Makefile b/contrib/openbsm/man/Makefile
new file mode 100644
index 000000000000..fec665106ef0
--- /dev/null
+++ b/contrib/openbsm/man/Makefile
@@ -0,0 +1,19 @@
+#
+# $P4: //depot/projects/trustedbsd/openbsm/man/Makefile#5 $
+#
+
+MAN= audit.2 \
+ auditctl.2 \
+ auditon.2 \
+ getaudit.2 \
+ getauid.2 \
+ setaudit.2 \
+ setauid.2 \
+ audit.log.5 \
+ audit_class.5 \
+ audit_control.5 \
+ audit_event.5 \
+ audit_user.5 \
+ audit_warn.5
+
+.include <bsd.prog.mk>
diff --git a/contrib/openbsm/man/audit.2 b/contrib/openbsm/man/audit.2
new file mode 100644
index 000000000000..6e14899c2ad1
--- /dev/null
+++ b/contrib/openbsm/man/audit.2
@@ -0,0 +1,96 @@
+.\"-
+.\" Copyright (c) 2005 Tom Rhodes
+.\" Copyright (c) 2005 Robert N. M. Watson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit.2#6 $
+.\"
+.Dd April 19, 2005
+.Dt AUDIT 2
+.Os
+.Sh NAME
+.Nm audit
+.Nd "Commit a BSM audit record to the audit log"
+.Sh SYNOPSIS
+.In bsm/audit.h
+.Ft int
+.Fn audit "const char *record" "u_int length"
+.Sh DESCRIPTION
+.Fn audit
+submits a completed BSM audit record to the system audit log.
+.Pp
+.Fa record
+is a pointer to the the specific event to be recorded and
+.Vt length
+is the size in bytes of the data to be written.
+.Sh RETURN VALUES
+.Rv -std
+.Sh ERRORS
+The
+.Fn audit
+system call will fail and the data never written if:
+.Bl -tag -width Er
+.It Bq Er EFAULT
+The
+.Fa record
+argument is beyond the allocated address space of the process.
+.It Bq Er EINVAL
+The token ID is invalid or
+.Vt length
+is larger than
+.Vt MAXAUDITDATA .
+.It Bq Er EPERM
+The process does not have sufficient permission to complete
+the operation.
+.El
+.Sh SEE ALSO
+.Xr auditon 2 ,
+.Xr getauid 2 ,
+.Xr setauid 2 ,
+.Xr getaudit 2 ,
+.Xr setaudit 2 ,
+.Xr getaudit_addr 2 ,
+.Xr setaudit_addr 2 ,
+.Xr libbsm 3
+.Sh AUTHORS
+This software was created by McAfee Research, the security research division
+of McAfee, Inc., under contract to Apple Computer Inc.
+Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Pp
+This manual page was written by
+.An Tom Rhodes Aq trhodes@FreeBSD.org .
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
+.Sh BUGS
+The
+.Fx
+kernel does not fully validate that the argument passed is syntactically
+valid BSM.
+Submitting invalid audit records may corrupt the audit log.
diff --git a/contrib/openbsm/man/audit.log.5 b/contrib/openbsm/man/audit.log.5
new file mode 100644
index 000000000000..5d2dec4f91d5
--- /dev/null
+++ b/contrib/openbsm/man/audit.log.5
@@ -0,0 +1,622 @@
+.\"-
+.\" Copyright (c) 2005 Robert N. M. Watson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit.log.5#6 $
+.\"
+.Dd May 1, 2005
+.Dt AUDIT.LOG 5
+.Os
+.Sh NAME
+.Nm audit
+.Nd "Basic Security Module (BSM) File Format"
+.Sh DESCRIPTION
+The
+.Nm
+file format is based on Sun's Basic Security Module (BSM) file format, a
+token-based record stream to represent system audit data.
+This file format is both flexible and extensible, able to describe a broad
+range of data types, and easily extended to describe new data types in a
+moderately backward and forward compatible way.
+.Pp
+BSM token streams typically begin and end with a
+.Dv file
+token, which provides time stamp and file name information for the stream;
+when processing a BSM token stream from a stream as opposed to a single file
+source, file tokens may be seen at any point between ordinary records
+identifying when particular parts of the stream begin and end.
+All other tokens will appear in the context of a complete BSM audit record,
+which begins with a
+.Dv header
+token, and ends with a
+.Dv trailer
+token, which describe the audit record.
+Between these two tokens will appear a variety of data tokens, such as
+process information, file path names, IPC object information, MAC labels,
+socket information, and so on.
+.Pp
+The BSM file format defines specific token orders for each record event type;
+however, some variation may occur depending on the operating system in use,
+what system options, such as mandatory access control, are present.
+.Pp
+This manual page documents the common token types and their binary format, and
+is intended for reference purposes only.
+It is recommended that application programmers use the
+.Xr libbsm 3
+interface to read and write tokens, rather than parsing or constructing
+records by hand.
+.Ss File Token
+The
+.Dv file
+token is used at the beginning and end of an audit log file to indicate
+when the audit log begins and ends.
+It includes a pathname so that, if concatenated together, original file
+boundaries are still observable, and gaps in the audit log can be identified.
+A
+.Dv file
+token can be created using
+.Xr au_to_file 3 .
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li "Seconds" Ta "4 bytes" Ta "File time stamp"
+.It Li "Microseconds" Ta "4 bytes" Ta "File time stamp"
+.It Li "File name lengh" Ta "2 bytes" Ta "File name of audit trail"
+.It Li "File pathname" Ta "N bytes + 1 nul" Ta "File name of audit trail"
+.El
+.Ss Header Token
+The
+.Dv header
+token is used to mark the beginning of a complete audit record, and includes
+the length of the total record in bytes, a version number for the record
+layout, the event type and subtype, and the time at which the event occurred.
+A
+.Dv header
+token can be created using
+.Xr au_to_header32 3 .
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li "Record Byte Count" Ta "4 bytes" Ta "Number of bytes in record"
+.It Li "Version Number" Ta "2 bytes" Ta "Record version number"
+.It Li "Event Type" Ta "2 bytes" Ta "Event type"
+.It Li "Event Modifier" Ta "2 bytes" Ta "Event sub-type"
+.It Li "Seconds" Ta "4/8 bytes" Ta "Record time stamp (32/64-bits)"
+.It Li "Nanoseconds" Ta "4/8 byets" Ta "Record time stamp (32/64-bits)"
+.El
+.Ss Expanded Header Token
+The
+.Dv expanded header
+token is an expanded version of the
+.Dv header
+token, with the addition of a machine IPv4 or IPv6 address.
+The
+.Xr libbsm 3
+API cannot currently create an
+.Dv expanded header
+token.
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li "Record Byte Count" Ta "4 bytes" Ta "Number of bytes in record"
+.It Li "Version Number" Ta "2 bytes" Ta "Record version number"
+.It Li "Event Type" Ta "2 bytes" Ta "Event type"
+.It Li "Event Modifier" Ta "2 bytes" Ta "Event sub-type"
+.It Li "Address Type/Length" Ta "1 byte" Ta "Host address type and length"
+.It Li "Machine Address" Ta "4/16 bytes" Ta "IPv4 or IPv6 address"
+.It Li "Seconds" Ta "4/8 bytes" Ta "Record time stamp (32/64-bits)"
+.It Li "Nanoseconds" Ta "4/8 byets" Ta "Record time stamp (32/64-bits)"
+.El
+.Ss Trailer Token
+The
+.Dv trailer
+terminates a BSM audit record, and contains a magic number,
+.Dv TRAILER_PAD_MAGIC
+and length that can be used to validate that the record was read properly.
+A
+.Dv trailer
+token can be created using
+.Xr au_to_trailer 3 .
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li "Trailer Magic" Ta "2 bytes" Ta "Trailer magic number"
+.It Li "Record Byte Count" Ta "4 bytes" Ta "Number of bytes in record"
+.El
+.Ss Arbitrary Data Token
+The
+.Dv arbitrary data
+token contains a byte stream of opaque (untyped) data.
+The size of the data is calculated as the size of each unit of data
+multipled by the number of units of data.
+A
+.Dv How to print
+field is present to specify how to print the data, but interpretation of
+that field is not currently defined.
+The
+.Xr libbsm 3
+API cannot currently create an
+.Dv arbitrary data
+token.
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li "How to Print" Ta "1 byte" Ta "User-defined printing information"
+.It Li "Basic Unit" Ta "1 byte" Ta "Size of a unit in bytes"
+.It Li "Unit Count" Ta "1 byte" Ta "Number of units of data present"
+.It Li "Data Items" Ta "Variable" Ta "User data"
+.El
+.Ss in_addr Token
+The
+.Dv in_addr
+token holds a network byte order IPv4 or IPv6 address.
+An
+.Dv in_addr
+token can be created using
+.Xr au_to_in_addr 3
+for an IPv4 address, or
+.Xr au_to_in_addr_ex 3
+for an IPv6 address.
+.Pp
+See the BUGS section for information on the storage of this token.
+.Pp
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li "IP Address Type" Ta "1 byte" Ta "Type of address"
+.It Li "IP Address" Ta "4/16 bytes" Ta "IPv4 or IPv6 address"
+.El
+.Ss Expanded in_addr Token
+The
+.Dv expanded in_addr
+token ...
+.Pp
+See the BUGS section for information on the storage of this token.
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It XXXX
+.El
+.Ss ip Token
+The
+.Dv ip
+token contains an IP packet header in network byte order.
+An
+.Dv ip
+token can be cread using
+.Xr au_to_ip 3 .
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li "Version and IHL" Ta "1 byte" Ta "Version and IP header length"
+.It Li "Type of Service" Ta "1 byte" Ta "IP TOS field"
+.It Li "Length" Ta "2 bytes" Ta "IP packet length in network byte order"
+.It Li "ID" Ta "2 bytes" Ta "IP header ID for reassembly"
+.It Li "Offset" Ta "2 bytes" Ta "IP fragment offset and flags, network byte order"
+.It Li "TTL" Ta "1 byte" Ta "IP Time-to-Live"
+.It Li "Protocol" Ta "1 byte" Ta "IP protocol number"
+.It Li "Checksum" Ta "2 bytes" Ta "IP header checksum, network byte order"
+.It Li "Source Address" Ta "4 bytes" Ta "IPv4 source address"
+.It Li "Desintation Address" Ta "4 bytes" Ta "IPv4 destination address"
+.El
+.Ss Expanded ip Token
+The
+.Dv expanded ip
+token ...
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It XXXX
+.El
+.Ss iport Token
+The
+.Dv iport
+token stores an IP port number in network byte order.
+An
+.Dv iport
+token can be created using
+.Xr au_to_iport 3 .
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li "Port Number" Ta "2 bytes" Ta "Port number in network byte order"
+.El
+.Ss Path Token
+The
+.Dv path
+token contains a pathname.
+A
+.Dv path
+token can be created using
+.Xr auto_path 3 .
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li "Path Length" Ta "2 bytes" Ta "Length of path in bytes"
+.It Li "Path" Ta "N bytes + 1 nul" Ta "Path name"
+.El
+.Ss path_attr Token
+The
+.Dv path_attr
+token contains a set of nul-terminated path names.
+The
+.Xr libbsm 3
+API cannot currently create an
+.Dv path_attr
+token.
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li "Count" Ta "2 bytes" Ta "Number of nul-terminated string(s) in token"
+.It Li "Path" Ta "Variable" Ta "count nul-terminated string(s)"
+.El
+.Ss Process Token
+The
+.Dv process
+token contains a description of the security properties of a process
+involved as the target of an auditable event, such as the destination for
+signal delivery.
+It should not be confused with the
+.Dv subject
+token, which describes the subject performing an auditable event.
+This includes both the traditional
+.Ux
+security properties, such as user IDs and group IDs, but also audit
+information such as the audit user ID and sesion.
+A
+.Dv process
+token can be created using
+.Xr au_to_process32 3
+or
+.Xr au_to_process64 3 .
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li "Audit ID" Ta "4 bytes" Ta "Audit user ID"
+.It Li "Effective User ID" Ta "4 bytes" Ta "Effective user ID"
+.It Li "Effective Group ID "Ta "4 bytes" Ta "Effective group ID"
+.It Li "Real User ID" Ta "4 bytes" Ta "Real user ID"
+.It Li "Real Group ID" Ta "4 bytes" Ta "Real group ID"
+.It Li "Process ID" Ta "4 bytes" Ta "Process ID"
+.It Li "Session ID" Ta "4 bytes" Ta "Audit session ID"
+.It Li "Terminal Port ID" Ta "4/8 bytes" Ta "Terminal port ID (32/64-bits)"
+.It Li "Terminal Machine Address" Ta "4 bytes" Ta "IP address of machine"
+.El
+.Ss Expanded Process Token
+The .Dv expanded process
+token contains the contents of the
+.Dv process
+token, with the addition of a machine address type and variable length
+address storage capable of containing IPv6 addresses.
+A
+.Dv expanded process
+token can be created using
+.Xr au_to_process32_ex 3
+or
+.Xr au_to_process64 3 .
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li "Audit ID" Ta "4 bytes" Ta "Audit user ID"
+.It Li "Effective User ID" Ta "4 bytes" Ta "Effective user ID"
+.It Li "Effective Group ID "Ta "4 bytes" Ta "Effective group ID"
+.It Li "Real User ID" Ta "4 bytes" Ta "Real user ID"
+.It Li "Real Group ID" Ta "4 bytes" Ta "Real group ID"
+.It Li "Process ID" Ta "4 bytes" Ta "Process ID"
+.It Li "Session ID" Ta "4 bytes" Ta "Audit session ID"
+.It Li "Terminal Port ID" Ta "4/8 bytes" Ta "Terminal port ID (32/64-bits)"
+.It Li "Terminal Address Type/Length" Ta "1 byte" "Length of machine address"
+.It Li "Terminal Machine Address" Ta "4 bytes" Ta "IPv4 or IPv6 address of machine"
+.El
+.Ss Return Token
+The
+.Dv return
+token contains a system call or library function return condition, including
+return value and error number associated with the global variable
+.Er errno .
+A
+.Dv return
+token can be created using
+.Xr au_to_return32 3
+or
+.Xr au_to_return64 3 .
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li "Error Number" Ta "1 byte" Ta "Errno value, or 0 if undefined"
+.It Li "Return Value" Ta "4/8 bytes" Ta "Return value (32/64-bits)"
+.El
+.Ss Subject Token
+The
+.Dv subject
+token contains information on the subject performing the operation described
+by an audit record, and includes similar information to that found in the
+.Dv process
+and
+.Dv expanded process
+tokens.
+However, those tokens are used where the process being described is the
+target of the operation, not the authorizing party.
+A
+.Dv subject
+token can be created using
+.Xr au_to_subject32 3
+and
+.Xr au_to_subject64 3 .
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li "Audit ID" Ta "4 bytes" Ta "Audit user ID"
+.It Li "Effective User ID" Ta "4 bytes" Ta "Effective user ID"
+.It Li "Effective Group ID "Ta "4 bytes" Ta "Effective group ID"
+.It Li "Real User ID" Ta "4 bytes" Ta "Real user ID"
+.It Li "Real Group ID" Ta "4 bytes" Ta "Real group ID"
+.It Li "Process ID" Ta "4 bytes" Ta "Process ID"
+.It Li "Session ID" Ta "4 bytes" Ta "Audit session ID"
+.It Li "Terminal Port ID" Ta "4/8 bytes" Ta "Terminal port ID (32/64-bits)"
+.It Li "Terminal Machine Address" Ta "4 bytes" Ta "IP address of machine"
+.El
+.Ss Expanded Subject Token
+The
+.Dv expanded subject
+token consists of the same elements as the
+.Dv subject
+token, with the addition of type/length and variable size machine address
+information in the terminal ID.
+A
+.Dv expanded subject
+token can be created using
+.Xr au_to_subject32_ex 3
+or
+.Xr au_to_subject64_ex 3 .
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li "Audit ID" Ta "4 bytes" Ta "Audit user ID"
+.It Li "Effective User ID" Ta "4 bytes" Ta "Effective user ID"
+.It Li "Effective Group ID "Ta "4 bytes" Ta "Effective group ID"
+.It Li "Real User ID" Ta "4 bytes" Ta "Real user ID"
+.It Li "Real Group ID" Ta "4 bytes" Ta "Real group ID"
+.It Li "Process ID" Ta "4 bytes" Ta "Process ID"
+.It Li "Session ID" Ta "4 bytes" Ta "Audit session ID"
+.It Li "Terminal Port ID" Ta "4/8 bytes" Ta "Terminal port ID (32/64-bits)"
+.It Li "Terminal Address Type/Length" Ta "1 byte" "Length of machine address"
+.It Li "Terminal Machine Address" Ta "4 bytes" Ta "IPv4 or IPv6 address of machine"
+.El
+.Ss System V IPC Token
+The
+.Dv System V IPC
+token ...
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li XXXXX
+.El
+.Ss Text Token
+The
+.Dv text
+token contains a single nul-terminated text string.
+A
+.Dv text
+token may be created using
+.Xr au_to_text 3 .
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li "Text Length" Ta "2 bytes" Ta "Length of text string including nul"
+.It Li "Text" Ta "N bytes + 1 nul" Ta "Text string including nul"
+.El
+.Ss Attribute Token
+The
+.Dv attribute
+token describes the attributes of a file associated with the audit event.
+As files may be identified by 0, 1, or many path names, a path name is not
+included with the attribute block for a file; optional
+.Dv path
+tokens may also be present in an audit record indicating which path, if any,
+was used to reach the object.
+A
+.Dv attribute
+token can be created using
+.Xr au_to_attr32 3
+or
+.Xr au_to_attr64 3 .
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li "File Access Mode" Ta "1 byte" Ta "mode_t associated with file"
+.It Li "Owner User ID" Ta "4 bytes" Ta "uid_t associated with file"
+.It Li "Owner Group ID" Ta "4 bytes" Ta "gid_t associated with file"
+.It Li "File System ID" Ta "4 bytes" Ta "fsid_t associated with file"
+.It Li "File System Node ID" Ta "8 bytes" Ta "ino_t associated with file"
+.It Li "Device" Ta "4/8 bytes" Ta "Device major/minor number (32/64-bit)"
+.El
+.Ss Groups Token
+The
+.Dv groups
+token contains a list of group IDs associated with the audit event.
+A
+.Dv groups
+token can be created using
+.Xr au_to_groups 3 .
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li "Number of Groups" Ta "2 bytes" Ta "Number of groups in token"
+.It Li "Group List" Ta "N * 4 bytes" Ta "List of N group IDs"
+.El
+.Ss System V IPC Permission Token
+The
+.Dv System V IPC permission
+token ...
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li XXXXX
+.El
+.Ss Arg Token
+The
+.Dv arg
+token ...
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li XXXXX
+.El
+.Ss exec_args Token
+The
+.Dv exec_args
+token ...
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li XXXXX
+.El
+.Ss exec_env Token
+The
+.Dv exec_env
+token ...
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li XXXXX
+.El
+.Ss Exit Token
+The
+.Dv exit
+token contains process exit/return code information.
+An
+.Dv exit
+token can be created using
+.Xr au_to_exit 3 .
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li "Status" Ta "4 bytes" Ta "Process status on exit"
+.It Li "Return Value" ta "4 bytes" Ta "Process return value on exit"
+.El
+.Ss Socket Token
+The
+.Dv socket
+token ...
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li XXXXX
+.El
+.Ss Expanded Socket Token
+The
+.Dv expanded socket
+token ...
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li XXXXX
+.El
+.Ss Seq Token
+The
+.Dv seq
+token contains a unique and monotonically increasing audit event sequence ID.
+Due to the limited range of 32 bits, serial number arithmetic and caution
+should be used when comparing sequence numbers.
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li "Sequence Number" Ta "4 bytes" Ta "Audit event sequence number"
+.El
+.Ss privilege Token
+The
+.Dv privilege
+token ...
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li XXXXX
+.El
+.Ss Use-of-auth Token
+The
+.Dv use-of-auth
+token ...
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li XXXXX
+.El
+.Ss Command Token
+The
+.Dv command
+token ...
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li XXXXX
+.El
+.Ss ACL Token
+The
+.Dv ACL
+token ...
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li XXXXX
+.El
+.Ss Zonename Token
+The
+.Dv zonename
+token ...
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li XXXXX
+.El
+.Sh SEE ALSO
+.Xr libbsm 3
+.Sh AUTHORS
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Pp
+This manual page was written by
+.An Robert Watson Aq rwatson@FreeBSD.org .
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
+.Sh BUGS
+The
+.Dv How to print
+field in the
+.Dv arbitrary data
+token has undefined values.
+.Pp
+The
+.Dv in_addr
+and
+.Dv in_addr_ex
+token layout documented here appears to be in conflict with the
+.Xr libbsm 3
+implementations of
+.Xr au_to_in_addr 3
+and
+.Xr au_to_in_addr_ex 3 .
diff --git a/contrib/openbsm/man/audit_class.5 b/contrib/openbsm/man/audit_class.5
new file mode 100644
index 000000000000..81b60cb5c7ea
--- /dev/null
+++ b/contrib/openbsm/man/audit_class.5
@@ -0,0 +1,70 @@
+.\" Copyright (c) 2004 Apple Computer, Inc.
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+.\" its contributors may be used to endorse or promote products derived
+.\" from this software without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
+.\" ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+.\" POSSIBILITY OF SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_class.5#5 $
+.\"
+.Dd Jan 24, 2004
+.Dt AUDIT_CLASS 5
+.Os
+.Sh NAME
+.Nm audit_class
+.Nd "contains audit event class descriptions"
+.Sh DESCRIPTION
+The
+.Nm
+file contains descriptions of the auditable event classes on the system.
+Each auditable event is a member of an event class.
+Each line maps an audit event
+mask (bitmap) to a class and a description.
+Entries are of the form
+.Dl classmask:eventclass:description.
+.Pp
+Example entries in this file are:
+.Bd -literal -offset indent
+0x00000000:no:invalid class
+0x00000001:fr:file read
+0x00000002:fw:file write
+0x00000004:fa:file attribute access
+0x00000080:pc:process
+0xffffffff:all:all flags set
+.Ed
+.Sh FILES
+.Bl -tag -width "/etc/security/audit_class" -compact
+.It Pa /etc/security/audit_class
+.El
+.Sh AUTHORS
+This software was created by McAfee Research, the security research division
+of McAfee, Inc., under contract to Apple Computer Inc.
+Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
diff --git a/contrib/openbsm/man/audit_control.5 b/contrib/openbsm/man/audit_control.5
new file mode 100644
index 000000000000..d39b68129cff
--- /dev/null
+++ b/contrib/openbsm/man/audit_control.5
@@ -0,0 +1,121 @@
+.\" Copyright (c) 2004 Apple Computer, Inc.
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+.\" its contributors may be used to endorse or promote products derived
+.\" from this software without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
+.\" ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+.\" POSSIBILITY OF SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_control.5#5 $
+.\"
+.Dd Jan 24, 2004
+.Dt AUDIT_CONTROL 5
+.Os
+.Sh NAME
+.Nm audit_control
+.Nd "contains audit system parameters"
+.Sh DESCRIPTION
+The
+.Nm
+file contains several audit system parameters.
+Each line of this file is of the form:
+.Dl parameter:value.
+The parameters are:
+.Bl -tag -width Ds
+.It Pa dir
+The directory where audit log files are stored.
+There may be more than one of these entries.
+Changes to this entry can only be enacted by restarting the
+audit system.
+See
+.Xr audit 1
+for a description of how to restart the audit system.
+.It Va flags
+Specifies which audit event classes are audited for all users.
+.Xr audit_user 5
+describes how to audit events for individual users.
+See the information below for the format of the audit flags.
+.It Va naflags
+Contains the audit flags that define what classes of events are audited when
+an action cannot be attributed to a specific user.
+.It Va minfree
+The minimum free space required on the file system audit logs are being written to.
+When the free space falls below this limit a warning will be issued.
+Not currently used as the value of 20 percent is chosen by the kernel.
+.El
+.Sh AUDIT FLAGS
+Audit flags are a comma delimited list of audit classes as defined in the
+audit_class file.
+See
+.Xr audit_class 5
+for details.
+Event classes may be preceded by a prefix which changes their interpretation.
+The following prefixes may be used for each class:
+.Bl -tag -width Ds -compact -offset indent
+.It +
+Record successful events
+.It -
+Record failed events
+.It ^
+Record both successful and failed events
+.It ^+
+Don't record successful events
+.It ^-
+Don't record failed events
+.El
+.Sh DEFAULT
+The following settings appear in the default
+.Nm
+file:
+.Bd -literal -offset indent
+dir:/var/audit
+flags:lo,ad,-all,^-fc,^-cl
+minfree:20
+naflags:lo
+.Ed
+.Pp
+The
+.Va flags
+parameter above specifies the system-wide mask corresponding to login/logout
+events, administrative events, and all failures except for failures in creating
+or closing files.
+.Sh FILES
+.Bl -tag -width "/etc/security/audit_control" -compact
+.It Pa /etc/security/audit_control
+.El
+.Sh SEE ALSO
+.Xr audit 1 ,
+.Xr auditd 8 ,
+.Xr audit_class 5 ,
+.Xr audit_user 5
+.Sh AUTHORS
+This software was created by McAfee Research, the security research division
+of McAfee, Inc., under contract to Apple Computer Inc.
+Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
diff --git a/contrib/openbsm/man/audit_event.5 b/contrib/openbsm/man/audit_event.5
new file mode 100644
index 000000000000..36029ef3b90f
--- /dev/null
+++ b/contrib/openbsm/man/audit_event.5
@@ -0,0 +1,74 @@
+.\" Copyright (c) 2004 Apple Computer, Inc.
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+.\" its contributors may be used to endorse or promote products derived
+.\" from this software without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
+.\" ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+.\" POSSIBILITY OF SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_event.5#5 $
+.\"
+.Dd Jan 24, 2004
+.Dt AUDIT_EVENT 5
+.Os
+.Sh NAME
+.Nm audit_event
+.Nd "contains audit event descriptions"
+.Sh DESCRIPTION
+The
+.Nm
+file contains descriptions of the auditable events on the system.
+Each line maps an audit event number to a name, a description, and a class.
+Entries are of the form
+.Dl eventnum:eventname:description:eventclass .
+Each
+.Vt eventclass
+should have a corresponding entry in the audit_class file.
+See
+.Xr audit_class 5
+for details.
+.Pp
+Example entries in this file are:
+.Bd -literal -offset indent
+0:AUE_NULL:indir system call:no
+1:AUE_EXIT:exit(2):pc
+2:AUE_FORK:fork(2):pc
+3:AUE_OPEN:open(2):fa
+.Ed
+.Sh FILES
+.Bl -tag -width "/etc/security/audit_event" -compact
+.It Pa /etc/security/audit_event
+.El
+.Sh SEE ALSO
+.Xr audit_class 5
+.Sh AUTHORS
+This software was created by McAfee Research, the security research division
+of McAfee, Inc., under contract to Apple Computer Inc.
+Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
diff --git a/contrib/openbsm/man/audit_user.5 b/contrib/openbsm/man/audit_user.5
new file mode 100644
index 000000000000..abb74a322123
--- /dev/null
+++ b/contrib/openbsm/man/audit_user.5
@@ -0,0 +1,91 @@
+.\" Copyright (c) 2004 Apple Computer, Inc.
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+.\" its contributors may be used to endorse or promote products derived
+.\" from this software without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
+.\" ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+.\" POSSIBILITY OF SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_user.5#5 $
+.\"
+.Dd Jan 24, 2004
+.Dt AUDIT_USER 5
+.Os
+.Sh NAME
+.Nm audit_user
+.Nd "specifies events to be audited for the given users"
+.Sh DESCRIPTION
+The
+.Nm
+file specifies which audit event classes are to be audited for the given users.
+If specified, these flags are combined with the system-wide audit flags in the
+.Pa audit_control
+file to determine which classes of events to audit for that user.
+These settings take effect when the user logs in.
+.Pp
+Each line maps a user name to a list of classes that should be audited and a
+list of classes that should not be audited.
+Entries are of the form of
+.Dl username:alwaysaudit:neveraudit ,
+where
+.Vt alwaysaudit
+is a set of event classes that are always audited, and
+.Vt neveraudit
+is a set of event classes that should not be audited.
+These sets can indicate
+the inclusion or exclusion of multiple classes, and whether to audit successful
+or failed events.
+See
+.Xr audit_control 5
+for more information about audit flags.
+.Pp
+Example entries in this file are:
+.Bd -literal -offset indent
+root:lo,ad:no
+jdoe:-fc,ad:+fw
+.Ed
+.Pp
+These settings would cause login and administrative events that succeed on
+behalf of user root to be audited.
+No failure events are audited.
+For the user
+.Em jdoe ,
+failed file creation events are audited, administrative events are
+audited, and successful file write events are never audited.
+.Sh FILES
+.Bl -tag -width "/etc/security/audit_user" -compact
+.It Pa /etc/security/audit_user
+.El
+.Sh SEE ALSO
+.Xr audit_control 5
+.Sh AUTHORS
+This software was created by McAfee Research, the security research division
+of McAfee, Inc., under contract to Apple Computer Inc.
+Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
diff --git a/contrib/openbsm/man/audit_warn.5 b/contrib/openbsm/man/audit_warn.5
new file mode 100644
index 000000000000..4581d8c87bf6
--- /dev/null
+++ b/contrib/openbsm/man/audit_warn.5
@@ -0,0 +1,69 @@
+.\" Copyright (c) 2004 Apple Computer, Inc.
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+.\" its contributors may be used to endorse or promote products derived
+.\" from this software without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
+.\" ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+.\" POSSIBILITY OF SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_warn.5#5 $
+.\"
+.Dd Mar 17, 2004
+.Dt AUDIT_WARN 5
+.Os
+.Sh NAME
+.Nm audit_warn
+.Nd "alert when audit daemon issues warnings"
+.Sh DESCRIPTION
+.Nm
+runs when
+.Xr auditd 8
+generates warning messages.
+.Pp
+The default
+.Nm
+is a script whose first parameter is the type of warning; the script
+appends its arguments to
+.Pa /etc/security/audit_messages .
+Administrators may replace this script: a more comprehensive one would take
+different actions based on the type of warning.
+For example, a low-space warning
+could result in an email message being sent to the administrator.
+.Sh FILES
+.Bl -tag -width "/etc/security/audit_warn" -compact
+.It Pa /etc/security/audit_warn
+.It Pa /etc/security/audit_messages
+.El
+.Sh SEE ALSO
+.Xr auditd 8
+.Sh AUTHORS
+This software was created by McAfee Research, the security research division
+of McAfee, Inc., under contract to Apple Computer Inc.
+Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
diff --git a/contrib/openbsm/man/auditctl.2 b/contrib/openbsm/man/auditctl.2
new file mode 100644
index 000000000000..48bec1cd2cbb
--- /dev/null
+++ b/contrib/openbsm/man/auditctl.2
@@ -0,0 +1,78 @@
+.\"-
+.\" Copyright (c) 2005-2006 Robert N. M. Watson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/auditctl.2#4 $
+.\"
+.Dd April 19, 2005
+.Dt AUDITCTL 2
+.Os
+.Sh NAME
+.Nm auditctl
+.Nd "Configure system audit parameters"
+.Sh SYNOPSIS
+.In bsm/audit.h
+.Ft int
+.Fn auditon "const char *path"
+.Sh DESCRIPTION
+The
+.Fn auditctl
+system call directs the kernel to open a new audit trail log file.
+.Fn auditctl
+requires appropriate privilege.
+In the
+.Fx
+implementation,
+.Fn auditctl
+opens new files, but
+.Fn auditon
+is used to disable the audit log.
+In the Mac OS X implementation, passing
+.Va NULL
+to
+.Fn auditctl
+will disable the audit log.
+.Sh RETURN VALUES
+.Nm
+returns 0 on success, or returns -1 on failure, providing additional error
+information via
+.Va errno .
+.Sh SEE ALSO
+.Xr libbsm 3 ,
+.Xr auditd 8
+.Sh AUTHORS
+This software was created by McAfee Research, the security research division
+of McAfee, Inc., under contract to Apple Computer Inc.
+Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Pp
+This manual page was written by
+.An Robert Watson Aq rwatson@FreeBSD.org .
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
diff --git a/contrib/openbsm/man/auditon.2 b/contrib/openbsm/man/auditon.2
new file mode 100644
index 000000000000..4e38dc4f68fc
--- /dev/null
+++ b/contrib/openbsm/man/auditon.2
@@ -0,0 +1,288 @@
+.\"-
+.\" Copyright (c) 2005 Robert N. M. Watson
+.\" Copyright (c) 2005 Tom Rhodes
+.\" Copyright (c) 2005 Wayne J. Salamon
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/auditon.2#6 $
+.\"
+.Dd April 19, 2005
+.Dt AUDITON 2
+.Os
+.Sh NAME
+.Nm auditon
+.Nd "Configure system audit parameters"
+.Sh SYNOPSIS
+.In bsm/audit.h
+.Ft int
+.Fn auditon "int cmd" "void *data" "u_int length"
+.Sh DESCRIPTION
+The
+.Nm
+system call is used to manipulate various audit control operations.
+.Ft *data
+should point to a structure whose type depends on the command.
+.Ft length
+specifies the size of the
+.Em data
+in bytes.
+.Ft cmd
+may be any of the following:
+.Bl -tag -width ".It Dv A_GETPINFO_ADDR"
+.It Dv A_SETPOLICY
+Set audit policy flags.
+.Ft *data
+must point to an long value set to one of the audit
+policy control values defined in audit.h.
+Currently, only
+.Dv AUDIT_CNT
+and
+.Dv AUDIT_AHLT
+are implemented.
+In the
+.Dv AUDIT_CNT
+case, the action will continue regardless if
+an event will not be audited.
+In the
+.Dv AUDIT_AHLT
+case, a
+.Xr panic 9
+will result if an event will not be written to the
+audit log file.
+.It Dv A_SETKAUDIT
+Return
+.Er ENOSYS .
+.It Dv A_SETKMASK
+Set the kernel preselection masks (success and failure).
+.Ft *data
+must point to a
+.Ft au_mask_t
+structure containing the mask values.
+These masks are used for non-attributable audit event preselection.
+.It Dv A_SETQCTRL
+Set kernel audit queue parameters.
+.Ft *data
+must point to a
+.Ft au_qctrl_t
+structure containing the
+kernel audit queue control settings:
+.Va high water ,
+.Va low water ,
+.Va output buffer size ,
+.Va percent min free disk space ,
+and
+.Em delay
+(not currently used).
+.It Dv A_SETSTAT
+Return
+.Er ENOSYS .
+.It Dv A_SETUMASK
+Return
+.Er ENOSYS .
+.It Dv A_SETSMASK
+Return
+.Er ENOSYS .
+.It Dv A_SETCOND
+Set the current auditing condition.
+.Ft *data
+must point to an long value containing the new
+audit condition, one of
+.Dv AUC_AUDITING ,
+.Dv AUC_NOAUDIT ,
+or
+.Dv AUC_DISABLED .
+.It Dv A_SETCLASS
+Set the event class preselection mask for an audit event.
+.Ft *data
+must point to a
+.Ft au_evclass_map_t
+structure containing the audit event and mask.
+.It Dv A_SETPMASK
+Set the preselection masks for a process.
+.Ft *data
+must point to a
+.Ft auditpinfo_t
+structure that contains the given process's audit
+preselection masks for both success and failure.
+.It Dv A_SETFSIZE
+Set the maximum size of the audit log file.
+.Ft *data
+must point to a
+.Ft au_fstat_t
+structure with the
+.Ft af_filesz
+field set to the maximum audit log file size. A value of 0
+indicates no limit to the size.
+.It Dv A_SETKAUDIT
+Return
+.Er ENOSYS .
+.It Dv A_GETCLASS
+Return the event to class mapping for the designated audit event.
+.Ft *data
+must point to a
+.Ft au_evclass_map_t
+structure.
+.It Dv A_GETKAUDIT
+Return
+.Er ENOSYS .
+.It Dv A_GETPINFO
+Return the audit settings for a process.
+.Ft *data
+must point to a
+.Ft auditpinfo_t
+structure which will be set to contain
+the audit ID, preselection mask, terminal ID, and audit session
+ID of the given process.
+.It Dv A_GETPINFO_ADDR
+Return
+.Er ENOSYS .
+.It Dv A_GETKMASK
+Return the current kernel preselection masks.
+.Ft *data
+must point to a
+.Ft au_mask_t
+structure which will be set to
+the current kernel preselection masks for non-attributable events.
+.It Dv A_GETPOLICY
+Return the current audit policy setting.
+.Ft *data
+must point to an long value which will be set to
+one of the current audit policy flags.
+Currently, only
+.Dv AUDIT_CNT
+and
+.Dv AUDIT_AHLT
+are implemented.
+.It Dv A_GETQCTRL
+Return the current kernel audit queue control parameters.
+.Ft *data
+must point to a
+.Ft au_qctrl_t
+structure which will be set to the current
+kernel audit queue control parameters.
+.It Dv A_GETFSIZE
+Returns the maximum size of the audit log file.
+.Ft *data
+must point to a
+.Ft au_fstat_t
+structure. The
+.Ft af_filesz
+field will set to the maximum audit log file size. A value of 0
+indicates no limit to the size.
+The
+.Ft af_filesz
+will be set to the current audit log file size.
+.It Dv A_GETCWD
+.\" [COMMENTED OUT]: Valid description, not yet implemented.
+.\" Return the current working directory as stored in the audit subsystem.
+Return
+.Er ENOSYS .
+.It Dv A_GETCAR
+.\" [COMMENTED OUT]: Valid description, not yet implemented.
+.\"Stores and returns the current active root as stored in the audit
+.\"subsystem.
+Return
+.Er ENOSYS .
+.It Dv A_GETSTAT
+.\" [COMMENTED OUT]: Valid description, not yet implemented.
+.\"Return the statistics stored in the audit system.
+Return
+.Er ENOSYS .
+.It Dv A_GETCOND
+Return the current auditing condition.
+.Ft *data
+must point to a long value which will be set to
+the current audit condition, either
+.Dv AUC_AUDITING
+or
+.Dv AUC_NOAUDIT .
+.It Dv A_SENDTRIGGER
+Send a trigger to the audit daemon.
+.Fr *data
+must point to a long value set to one of the acceptable
+trigger values:
+.Dv AUDIT_TRIGGER_LOW_SPACE
+(low disk space where the audit log resides),
+.Dv AUDIT_TRIGGER_OPEN_NEW
+(open a new audit log file),
+.Dv AUDIT_TRIGGER_READ_FILE
+(read the audit_control file),
+.Dv AUDIT_TRIGGER_CLOSE_AND_DIE
+(close the current log file and exit),
+or
+.Dv AUDIT_TRIGGER_NO_SPACE
+(no disk space left for audit log file).
+.El
+.Sh RETURN VALUES
+.Rv -std
+.Sh ERRORS
+The
+.Fn auditon
+function will fail if:
+.Bl -tag -width Er
+.It Bq Er ENOSYS
+Returned by options not yet implemented.
+.It Bq Er EFAULT
+A failure occurred while data transferred to or from
+the kernel failed.
+.It Bq Er EINVAL
+Illegal argument was passed by a system call.
+.It Bq Er EPERM
+The process does not have sufficient permission to complete
+the operation.
+.El
+.Pp
+The
+.Dv A_SENDTRIGGER
+command is specific to the
+.Fx
+and Mac OS X implementations, and is not present in Solaris.
+.Sh SEE ALSO
+.Xr audit 2 ,
+.Xr auditctl 2 ,
+.Xr getauid 2 ,
+.Xr setauid 2 ,
+.Xr getaudit 2 ,
+.Xr setaudit 2 ,
+.Xr getaudit_addr 2 ,
+.Xr setaudit_addr 2 ,
+.Xr libbsm 3
+.Sh AUTHORS
+This software was created by McAfee Research, the security research division
+of McAfee, Inc., under contract to Apple Computer Inc.
+Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Pp
+This manual page was written by
+.An Tom Rhodes Aq trhodes@FreeBSD.org ,
+.An Robert Watson Aq rwatson@FreeBSD.org ,
+and
+.An Wayne Salamon Aq wsalamon@FreeBSD.org .
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc. in 2003.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
diff --git a/contrib/openbsm/man/getaudit.2 b/contrib/openbsm/man/getaudit.2
new file mode 100644
index 000000000000..c20aab00073d
--- /dev/null
+++ b/contrib/openbsm/man/getaudit.2
@@ -0,0 +1,80 @@
+.\"-
+.\" Copyright (c) 2005 Robert N. M. Watson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/getaudit.2#4 $
+.\"
+.Dd April 19, 2005
+.Dt GETAUDIT 2
+.Os
+.Sh NAME
+.Nm getaudit ,
+.Nm getaudit_addr
+.Nd "Retrieve audit session state"
+.Sh SYNOPSIS
+.In bsm/audit.h
+.Ft int
+.Fn getaudit "auditinfo_t *auditinfo"
+.Ft int
+.Fn getaudit_addr "auditinfo_addr_t *auditinfo_addr" "u_int length"
+.Sh DESCRIPTION
+.Fn getaudit
+retrieves the active audit session state for the current process via the
+.Vt auditinfo_t
+pointed to by
+.Va auditinfo .
+.Fn getaudit_addr
+retrieves extended state via
+.Va auditinfo_addr
+and
+.Va length .
+.Pp
+This system call required appropriate privilege to complete.
+.Sh RETURN VALUES
+.Nm
+returns 0 on success, or returns -1 on failure, providing additional error
+information via
+.Va errno .
+.Sh SEE ALSO
+.Xr audit 2 ,
+.Xr auditon 2 ,
+.Xr getauid 2 ,
+.Xr setauid 2 ,
+.Xr setaudit 2 ,
+.Xr libbsm 3
+.Sh AUTHORS
+This software was created by McAfee Research, the security research division
+of McAfee, Inc., under contract to Apple Computer Inc.
+Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Pp
+This manual page was written by
+.An Robert Watson Aq rwatson@FreeBSD.org .
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
diff --git a/contrib/openbsm/man/getauid.2 b/contrib/openbsm/man/getauid.2
new file mode 100644
index 000000000000..de36f731df3c
--- /dev/null
+++ b/contrib/openbsm/man/getauid.2
@@ -0,0 +1,74 @@
+.\"-
+.\" Copyright (c) 2005 Robert N. M. Watson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/getauid.2#4 $
+.\"
+.Dd April 19, 2005
+.Dt GETAUID 2
+.Os
+.Sh NAME
+.Nm getauid
+.Nd "Retrieve audit session ID"
+.Sh SYNOPSIS
+.In bsm/audit.h
+.Ft int
+.Fn getauid "au_id_t *auid"
+.Sh DESCRIPTION
+.Nm
+retrieves the active audit session ID for the current process via the
+.Vt au_id_t
+pointed to by
+.Va auid .
+.Pp
+This system call required appropriate privilege to complete.
+.Sh RETURN VALUES
+.Nm
+returns 0 on success, or returns -1 on failure, providing additional error
+information via
+.Va errno .
+.Sh SEE ALSO
+.Xr audit 2 ,
+.Xr auditon 2 ,
+.Xr setauid 2 ,
+.Xr getaudit 2 ,
+.Xr setaudit 2 ,
+.Xr getaudit_addr 2 ,
+.Xr setaudit_addr 2 ,
+.Xr libbsm 3
+.Sh AUTHORS
+This software was created by McAfee Research, the security research division
+of McAfee, Inc., under contract to Apple Computer Inc.
+Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Pp
+This manual page was written by
+.An Robert Watson Aq rwatson@FreeBSD.org .
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
diff --git a/contrib/openbsm/man/setaudit.2 b/contrib/openbsm/man/setaudit.2
new file mode 100644
index 000000000000..2d994ecfb0cf
--- /dev/null
+++ b/contrib/openbsm/man/setaudit.2
@@ -0,0 +1,81 @@
+.\"-
+.\" Copyright (c) 2005 Robert N. M. Watson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/setaudit.2#4 $
+.\"
+.Dd April 19, 2005
+.Dt SETAUDIT 2
+.Os
+.Sh NAME
+.Nm setaudit ,
+.Nm setaudit_addr
+.Nd "Set audit session state"
+.Sh SYNOPSIS
+.In bsm/audit.h
+.Ft int
+.Fn setaudit "auditinfo_t *auditinfo"
+.Ft int
+.Fn setaudit_addr "auditinfo_addr_t *auditinfo" "u_int length"
+.Sh DESCRIPTION
+.Nm
+sets the active audit session state for the current process via the
+.Vt auditinfo_t
+pointed to by
+.Va auditinfo .
+.Fn setaudit_addr
+sets extended state via
+.Va auditinfo_addr
+and
+.Va length .
+.Pp
+This system call required appropriate privilege to complete.
+.Sh RETURN VALUES
+.Nm
+returns 0 on success, or returns -1 on failure, providing additional error
+information via
+.Va errno .
+.Sh SEE ALSO
+.Xr audit 2 ,
+.Xr auditon 2 ,
+.Xr getaudit 2 ,
+.Xr getauid 2 ,
+.Xr setauid 2 ,
+.Xr getaudit 2 ,
+.Xr libbsm 3
+.Sh AUTHORS
+This software was created by McAfee Research, the security research division
+of McAfee, Inc., under contract to Apple Computer Inc.
+Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Pp
+This manual page was written by
+.An Robert Watson Aq rwatson@FreeBSD.org .
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
diff --git a/contrib/openbsm/man/setauid.2 b/contrib/openbsm/man/setauid.2
new file mode 100644
index 000000000000..d03b0d9474e9
--- /dev/null
+++ b/contrib/openbsm/man/setauid.2
@@ -0,0 +1,74 @@
+.\"-
+.\" Copyright (c) 2005 Robert N. M. Watson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/setauid.2#4 $
+.\"
+.Dd April 19, 2005
+.Dt SETAUID 2
+.Os
+.Sh NAME
+.Nm setauid
+.Nd "Set audit session ID"
+.Sh SYNOPSIS
+.In bsm/audit.h
+.Ft int
+.Fn setauid "au_id_t *auid"
+.Sh DESCRIPTION
+.Nm
+sets the active audit session ID for the current process from the
+.Vt au_id_t
+pointed to by
+.Va auid .
+.Pp
+This system call required appropriate privilege to complete.
+.Sh RETURN VALUES
+.Nm
+returns 0 on success, or returns -1 on failure, providing additional error
+information via
+.Va errno .
+.Sh SEE ALSO
+.Xr audit 2 ,
+.Xr auditon 2 ,
+.Xr getauid 2 ,
+.Xr getaudit 2 ,
+.Xr setaudit 2 ,
+.Xr getaudit_addr 2 ,
+.Xr setaudit_addr 2 ,
+.Xr libbsm 3
+.Sh AUTHORS
+This software was created by McAfee Research, the security research division
+of McAfee, Inc., under contract to Apple Computer Inc.
+Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Pp
+This manual page was written by
+.An Robert Watson Aq rwatson@FreeBSD.org .
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
diff --git a/contrib/openbsm/tools/Makefile b/contrib/openbsm/tools/Makefile
new file mode 100644
index 000000000000..79e582d03f1d
--- /dev/null
+++ b/contrib/openbsm/tools/Makefile
@@ -0,0 +1,13 @@
+#
+# $P4: //depot/projects/trustedbsd/openbsm/tools/Makefile#3 $
+#
+
+CFLAGS+= -I- -I .. -I ../libbsm -L ../libbsm -I.
+PROG= audump
+NO_MAN=
+DPADD= /usr/lib/libbsm.a
+LDADD= -lbsm
+BINDIR= /usr/sbin
+WARNS= 3
+
+.include <bsd.prog.mk>
diff --git a/contrib/openbsm/tools/audump.c b/contrib/openbsm/tools/audump.c
new file mode 100644
index 000000000000..f1429b599fef
--- /dev/null
+++ b/contrib/openbsm/tools/audump.c
@@ -0,0 +1,234 @@
+/*-
+ * Copyright (c) 2005 Robert N. M. Watson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $P4: //depot/projects/trustedbsd/openbsm/tools/audump.c#4 $
+ */
+
+#include <bsm/libbsm.h>
+#include <string.h>
+#include <err.h>
+#include <limits.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+/*
+ * Simple tool to dump various /etc/security databases using the defined APIs.
+ */
+
+static void
+usage(void)
+{
+
+ fprintf(stderr, "usage: dump [class|class_r|control|event|event_r|"
+ "user|user_r]\n");
+ exit(-1);
+}
+
+static void
+audump_class(void)
+{
+ au_class_ent_t *cp;
+
+ while ((cp = getauclassent()) != NULL)
+ printf("0x%08x:%s:%s\n", cp->ac_class, cp->ac_name,
+ cp->ac_desc);
+}
+
+static void
+audump_class_r(void)
+{
+ char class_ent_name[AU_CLASS_NAME_MAX];
+ char class_ent_desc[AU_CLASS_DESC_MAX];
+ au_class_ent_t c, *cp;
+
+ bzero(&c, sizeof(c));
+ bzero(class_ent_name, sizeof(class_ent_name));
+ bzero(class_ent_desc, sizeof(class_ent_desc));
+ c.ac_name = class_ent_name;
+ c.ac_desc = class_ent_desc;
+
+ while ((cp = getauclassent_r(&c)) != NULL)
+ printf("0x%08x:%s:%s\n", cp->ac_class, cp->ac_name,
+ cp->ac_desc);
+}
+
+static void
+audump_control(void)
+{
+ char string[PATH_MAX];
+ int ret, val;
+
+ ret = getacflg(string, PATH_MAX);
+ if (ret == -2)
+ err(-1, "getacflg");
+ if (ret != 0)
+ errx(-1, "getacflg: %d", ret);
+
+ printf("flags:%s\n", string);
+
+ ret = getacmin(&val);
+ if (ret == -2)
+ err(-1, "getacmin");
+ if (ret != 0)
+ errx(-1, "getacmin: %d", ret);
+
+ printf("min:%d\n", val);
+
+ ret = getacna(string, PATH_MAX);
+ if (ret == -2)
+ err(-1, "getacna");
+ if (ret != 0)
+ errx(-1, "getacna: %d", ret);
+
+ printf("naflags:%s\n", string);
+
+ setac();
+ do {
+ ret = getacdir(string, PATH_MAX);
+ if (ret == -1)
+ break;
+ if (ret == -2)
+ err(-1, "getacdir");
+ if (ret != 0)
+ errx(-1, "getacdir: %d", ret);
+ printf("dir:%s\n", string);
+
+ } while (ret == 0);
+}
+
+static void
+printf_classmask(au_class_t classmask)
+{
+ au_class_ent_t *c;
+ u_int32_t i;
+ int first;
+
+ first = 1;
+ for (i = 0; i < 32; i++) {
+ if (classmask & (2 << i)) {
+ if (first)
+ first = 0;
+ else
+ printf(",");
+ c = getauclassnum(2 << i);
+ if (c != NULL)
+ printf("%s", c->ac_name);
+ else
+ printf("0x%x", 2 << i);
+ }
+ }
+}
+
+static void
+audump_event(void)
+{
+ au_event_ent_t *ep;
+
+ while ((ep = getauevent()) != NULL) {
+ printf("%d:%s:%s:", ep->ae_number, ep->ae_name, ep->ae_desc);
+ printf_classmask(ep->ae_class);
+ printf("\n");
+ }
+}
+
+static void
+audump_event_r(void)
+{
+ char event_ent_name[AU_EVENT_NAME_MAX];
+ char event_ent_desc[AU_EVENT_DESC_MAX];
+ au_event_ent_t e, *ep;
+
+ bzero(&e, sizeof(e));
+ bzero(event_ent_name, sizeof(event_ent_name));
+ bzero(event_ent_desc, sizeof(event_ent_desc));
+ e.ae_name = event_ent_name;
+ e.ae_desc = event_ent_desc;
+
+ while ((ep = getauevent_r(&e)) != NULL) {
+ printf("%d:%s:%s:", ep->ae_number, ep->ae_name, ep->ae_desc);
+ printf_classmask(ep->ae_class);
+ printf("\n");
+ }
+}
+
+static void
+audump_user(void)
+{
+ au_user_ent_t *up;
+
+ while ((up = getauuserent()) != NULL) {
+ printf("%s:", up->au_name);
+ // printf_classmask(up->au_always);
+ printf(":");
+ // printf_classmask(up->au_never);
+ printf("\n");
+ }
+}
+
+static void
+audump_user_r(void)
+{
+ char user_ent_name[AU_USER_NAME_MAX];
+ au_user_ent_t u, *up;
+
+ bzero(&u, sizeof(u));
+ bzero(user_ent_name, sizeof(user_ent_name));
+ u.au_name = user_ent_name;
+
+ while ((up = getauuserent_r(&u)) != NULL) {
+ printf("%s:", up->au_name);
+ // printf_classmask(up->au_always);
+ printf(":");
+ // printf_classmask(up->au_never);
+ printf("\n");
+ }
+}
+
+int
+main(int argc, char *argv[])
+{
+
+ if (argc != 2)
+ usage();
+
+ if (strcmp(argv[1], "class") == 0)
+ audump_class();
+ else if (strcmp(argv[1], "class_r") == 0)
+ audump_class_r();
+ else if (strcmp(argv[1], "control") == 0)
+ audump_control();
+ else if (strcmp(argv[1], "event") == 0)
+ audump_event();
+ else if (strcmp(argv[1], "event_r") == 0)
+ audump_event_r();
+ else if (strcmp(argv[1], "user") == 0)
+ audump_user();
+ else if (strcmp(argv[1], "user_r") == 0)
+ audump_user_r();
+ else
+ usage();
+
+ return (0);
+}