- (dtucker) [audit-bsm.c configure.ac] bug #1968: enable workarounds for BSM
   audit breakage in Solaris 11.  Patch from Magnus Johansson.
diff --git a/ChangeLog b/ChangeLog
index 3f5630d..05749a6 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+20120224
+ - (dtucker) [audit-bsm.c configure.ac] bug #1968: enable workarounds for BSM
+   audit breakage in Solaris 11.  Patch from Magnus Johansson.
+
 20120215
  - (tim) [openbsd-compat/bsd-misc.h sshd.c] Fix conflicting return type for
    unsetenv due to rev 1.14 change to setenv.c. Cast unsetenv to void in sshd.c
diff --git a/audit-bsm.c b/audit-bsm.c
index f196d4f..6135591 100644
--- a/audit-bsm.c
+++ b/audit-bsm.c
@@ -1,4 +1,4 @@
-/* $Id: audit-bsm.c,v 1.7 2011/01/17 10:15:29 dtucker Exp $ */
+/* $Id: audit-bsm.c,v 1.8 2012/02/23 23:40:43 dtucker Exp $ */
 
 /*
  * TODO
@@ -45,6 +45,10 @@
 #include <string.h>
 #include <unistd.h>
 
+#ifdef BROKEN_BSM_API
+#include <libscf.h>
+#endif
+
 #include "ssh.h"
 #include "log.h"
 #include "key.h"
@@ -114,6 +118,12 @@
 extern Authctxt *the_authctxt;
 static AuditInfoTermID ssh_bsm_tid;
 
+#ifdef BROKEN_BSM_API
+/* For some reason this constant is no longer defined
+   in Solaris 11. */
+#define BSM_TEXTBUFSZ 256
+#endif
+
 /* Below is the low-level BSM interface code */
 
 /*
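Review bot: The `#define BSM_TEXTBUFSZ 256` added here is keyed on BROKEN_BSM_API rather than on whether the macro is actually missing. If a BSM header on an affected system does provide it, this becomes a redefinition, possibly with a different size than the library expects. Wrapping it as `#ifndef BSM_TEXTBUFSZ` / `#define BSM_TEXTBUFSZ 256` / `#endif` keeps the fallback without overriding a system value. The comment could also say where 256 comes from, presumably the Solaris 10 header value, which should be confirmed.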
@@ -161,6 +171,65 @@
 }
 #endif
 
+#ifdef BROKEN_BSM_API
+/*
+  In Solaris 11 the audit daemon has been moved to SMF. In the process
+  they simply dropped getacna() from the API, since it read from a now
+  non-existent config file. This function re-implements getacna() to
+  read from the SMF repository instead.
+ */
+int
+getacna(char *auditstring, int len)
+{
+	scf_handle_t *handle = NULL;
+	scf_property_t *property = NULL;
+	scf_value_t *value = NULL;
+	int ret = 0;
+
+	handle = scf_handle_create(SCF_VERSION);
+	if (handle == NULL) 
+	        return -2; /* The man page for getacna on Solaris 10 states
+			      we should return -2 in case of error and set
+			      errno to indicate the error. We don't bother
+			      with errno here, though, since the only use
+			      of this function below doesn't check for errors
+			      anyway. 
+			   */
+
+	ret = scf_handle_bind(handle);
+	if (ret == -1) 
+	        return -2;
+
+	property = scf_property_create(handle);
+	if (property == NULL) 
+	        return -2;
+
+	ret = scf_handle_decode_fmri(handle, 
+	     "svc:/system/auditd:default/:properties/preselection/naflags",
+				     NULL, NULL, NULL, NULL, property, 0);
+	if (ret == -1) 
+	        return -2;
+
+	value = scf_value_create(handle);
+	if (value == NULL) 
+	        return -2;
+
+	ret = scf_property_get_value(property, value);
+	if (ret == -1) 
+	        return -2;
+
+	ret = scf_value_get_astring(value, auditstring, len);
+	if (ret == -1) 
+	        return -2;
+
+	scf_value_destroy(value);
+	scf_property_destroy(property);
+	scf_handle_destroy(handle);
+
+	return 0;
+}
+#endif
+
 /*
  * Check if the specified event is selected (enabled) for auditing.
  * Returns 1 if the event is selected, 0 if not and -1 on failure.
@@ -213,7 +282,15 @@
 	(void) au_write(ad, au_to_text(string));
 	(void) au_write(ad, AUToReturnFunc(typ, rc));
 
+#ifdef BROKEN_BSM_API
+	/* The last argument is the event modifier flags. For
+	   some seemingly undocumented reason it was added in
+	   Solaris 11. */
+	rc = au_close(ad, AU_TO_WRITE, event_no, 0);
+#else
 	rc = au_close(ad, AU_TO_WRITE, event_no);
+#endif
+
 	if (rc < 0)
 		error("BSM audit: %s failed to write \"%s\" record: %s",
 		    __func__, string, strerror(errno));
diff --git a/configure.ac b/configure.ac
index 54fc7d0..acf529b 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,4 +1,4 @@
-# $Id: configure.ac,v 1.486 2012/01/17 03:03:37 dtucker Exp $
+# $Id: configure.ac,v 1.487 2012/02/23 23:40:43 dtucker Exp $
 #
 # Copyright (c) 1999-2004 Damien Miller
 #
@@ -15,7 +15,7 @@
 # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
 AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org])
-AC_REVISION($Revision: 1.486 $)
+AC_REVISION($Revision: 1.487 $)
 AC_CONFIG_SRCDIR([ssh.c])
 AC_LANG([C])
 
@@ -1434,6 +1434,11 @@
 		# These are optional
 		AC_CHECK_FUNCS([getaudit_addr aug_get_machine])
 		AC_DEFINE([USE_BSM_AUDIT], [1], [Use BSM audit module])
+		if test "$sol2ver" -eq 11; then
+		   	SSHDLIBS="$SSHDLIBS -lscf"
+                   	AC_DEFINE([BROKEN_BSM_API], [1], 
+		        	  [The system has incomplete BSM API])
+		fi
 		;;
 	  linux)
 		AC_MSG_RESULT([linux])
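Review bot: The `test "$sol2ver" -eq 11` gate enables the workaround by OS release number instead of probing for the missing API, and `sol2ver` is set outside this hunk. A system that reports release 11 but still ships getacna() would get a conflicting definition, and a later release that also lacks it would silently build without the workaround. If `sol2ver` is ever empty or non-numeric, `test` would also error. A feature probe is more robust, for example `AC_CHECK_FUNC([getacna], [], [SSHDLIBS="$SSHDLIBS -lscf"; AC_DEFINE([BROKEN_BSM_API], [1], [The system has incomplete BSM API])])`. The four-argument au_close() would still need its own check, since BROKEN_BSM_API currently covers both differences.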