2 * Copyright (c) 2004 Apple Computer, Inc.
3 * Copyright (c) 2006 Robert N. M. Watson
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
14 * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
15 * its contributors may be used to endorse or promote products derived
16 * from this software without specific prior written permission.
18 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
19 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
22 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
24 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
26 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
27 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
28 * POSSIBILITY OF SUCH DAMAGE.
30 * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_event.c#13 $
33 #include <bsm/libbsm.h>
41 * Parse the contents of the audit_event file to return
42 * au_event_ent entries
44 static FILE *fp = NULL;
45 static char linestr[AU_LINE_MAX];
46 static const char *eventdelim = ":";
48 static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
51 * Parse one line from the audit_event file into the au_event_ent structure.
53 static struct au_event_ent *
54 eventfromstr(char *str, struct au_event_ent *e)
56 char *evno, *evname, *evdesc, *evclass;
57 struct au_mask evmask;
60 evno = strtok_r(str, eventdelim, &last);
61 evname = strtok_r(NULL, eventdelim, &last);
62 evdesc = strtok_r(NULL, eventdelim, &last);
63 evclass = strtok_r(NULL, eventdelim, &last);
65 if ((evno == NULL) || (evname == NULL))
68 if (strlen(evname) >= AU_EVENT_NAME_MAX)
71 strcpy(e->ae_name, evname);
73 if (strlen(evdesc) >= AU_EVENT_DESC_MAX)
75 strcpy(e->ae_desc, evdesc);
77 strcpy(e->ae_desc, "");
79 e->ae_number = atoi(evno);
82 * Find out the mask that corresponds to the given list of classes.
84 if (evclass != NULL) {
85 if (getauditflagsbin(evclass, &evmask) != 0)
88 e->ae_class = evmask.am_success;
96 * Rewind the audit_event file.
99 setauevent_locked(void)
103 fseek(fp, 0, SEEK_SET);
110 pthread_mutex_lock(&mutex);
112 pthread_mutex_unlock(&mutex);
116 * Close the open file pointers.
122 pthread_mutex_lock(&mutex);
127 pthread_mutex_unlock(&mutex);
131 * Enumerate the au_event_ent entries.
133 static struct au_event_ent *
134 getauevent_r_locked(struct au_event_ent *e)
138 if ((fp == NULL) && ((fp = fopen(AUDIT_EVENT_FILE, "r")) == NULL))
142 if (fgets(linestr, AU_LINE_MAX, fp) == NULL)
145 /* Remove new lines. */
146 if ((nl = strrchr(linestr, '\n')) != NULL)
150 if (linestr[0] == '#')
153 /* Get the next event structure. */
154 if (eventfromstr(linestr, e) == NULL)
162 struct au_event_ent *
163 getauevent_r(struct au_event_ent *e)
165 struct au_event_ent *ep;
167 pthread_mutex_lock(&mutex);
168 ep = getauevent_r_locked(e);
169 pthread_mutex_unlock(&mutex);
173 struct au_event_ent *
176 static char event_ent_name[AU_EVENT_NAME_MAX];
177 static char event_ent_desc[AU_EVENT_DESC_MAX];
178 static struct au_event_ent e;
180 bzero(&e, sizeof(e));
181 bzero(event_ent_name, sizeof(event_ent_name));
182 bzero(event_ent_desc, sizeof(event_ent_desc));
183 e.ae_name = event_ent_name;
184 e.ae_desc = event_ent_desc;
185 return (getauevent_r(&e));
189 * Search for an audit event structure having the given event name.
191 * XXXRW: Why accept NULL name?
193 static struct au_event_ent *
194 getauevnam_r_locked(struct au_event_ent *e, const char *name)
201 /* Rewind to beginning of the file. */
204 if ((fp == NULL) && ((fp = fopen(AUDIT_EVENT_FILE, "r")) == NULL))
207 while (fgets(linestr, AU_LINE_MAX, fp) != NULL) {
208 /* Remove new lines. */
209 if ((nl = strrchr(linestr, '\n')) != NULL)
212 if (eventfromstr(linestr, e) != NULL) {
213 if (strcmp(name, e->ae_name) == 0)
221 struct au_event_ent *
222 getauevnam_r(struct au_event_ent *e, const char *name)
224 struct au_event_ent *ep;
226 pthread_mutex_lock(&mutex);
227 ep = getauevnam_r_locked(e, name);
228 pthread_mutex_unlock(&mutex);
232 struct au_event_ent *
233 getauevnam(const char *name)
235 static char event_ent_name[AU_EVENT_NAME_MAX];
236 static char event_ent_desc[AU_EVENT_DESC_MAX];
237 static struct au_event_ent e;
239 bzero(&e, sizeof(e));
240 bzero(event_ent_name, sizeof(event_ent_name));
241 bzero(event_ent_desc, sizeof(event_ent_desc));
242 e.ae_name = event_ent_name;
243 e.ae_desc = event_ent_desc;
244 return (getauevnam_r(&e, name));
248 * Search for an audit event structure having the given event number.
250 static struct au_event_ent *
251 getauevnum_r_locked(struct au_event_ent *e, au_event_t event_number)
255 /* Rewind to beginning of the file. */
258 if ((fp == NULL) && ((fp = fopen(AUDIT_EVENT_FILE, "r")) == NULL))
261 while (fgets(linestr, AU_LINE_MAX, fp) != NULL) {
262 /* Remove new lines. */
263 if ((nl = strrchr(linestr, '\n')) != NULL)
266 if (eventfromstr(linestr, e) != NULL) {
267 if (event_number == e->ae_number)
275 struct au_event_ent *
276 getauevnum_r(struct au_event_ent *e, au_event_t event_number)
278 struct au_event_ent *ep;
280 pthread_mutex_lock(&mutex);
281 ep = getauevnum_r_locked(e, event_number);
282 pthread_mutex_unlock(&mutex);
286 struct au_event_ent *
287 getauevnum(au_event_t event_number)
289 static char event_ent_name[AU_EVENT_NAME_MAX];
290 static char event_ent_desc[AU_EVENT_DESC_MAX];
291 static struct au_event_ent e;
293 bzero(&e, sizeof(e));
294 bzero(event_ent_name, sizeof(event_ent_name));
295 bzero(event_ent_desc, sizeof(event_ent_desc));
296 e.ae_name = event_ent_name;
297 e.ae_desc = event_ent_desc;
298 return (getauevnum_r(&e, event_number));
302 * Search for an audit_event entry with a given event_name and returns the
303 * corresponding event number.
306 getauevnonam_r(au_event_t *ev, const char *event_name)
308 static char event_ent_name[AU_EVENT_NAME_MAX];
309 static char event_ent_desc[AU_EVENT_DESC_MAX];
310 static struct au_event_ent e, *ep;
312 bzero(event_ent_name, sizeof(event_ent_name));
313 bzero(event_ent_desc, sizeof(event_ent_desc));
314 bzero(&e, sizeof(e));
315 e.ae_name = event_ent_name;
316 e.ae_desc = event_ent_desc;
318 ep = getauevnam_r(&e, event_name);
327 getauevnonam(const char *event_name)
329 static au_event_t event;
331 return (getauevnonam_r(&event, event_name));