Change behavior when plugin I/O logging function returns 0 or -1.

For -1 (error) return, we now kill the command and disable
the I/O logging function that returned the error.
For a 0 (reject) return, we no longer display the rejected
output to the user's terminal.  The plugin API revision is now 1.6.

doc/sudo_plugin.man.in

@@ -1,7 +1,7 @@
 .\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!
 .\" IT IS GENERATED AUTOMATICALLY FROM sudo_plugin.mdoc.in
 .\"
-.\" Copyright (c) 2009-2013 Todd C. Miller <Todd.Miller@courtesan.com>
+.\" Copyright (c) 2009-2014 Todd C. Miller <Todd.Miller@courtesan.com>
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -16,7 +16,7 @@
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.TH "SUDO_PLUGIN" "5" "December 20, 2013" "Sudo @PACKAGE_VERSION@" "OpenBSD Programmer's Manual"
+.TH "SUDO_PLUGIN" "5" "August 25, 2014" "Sudo @PACKAGE_VERSION@" "OpenBSD Programmer's Manual"
 .nh
 .if n .ad l
 .SH "NAME"
@@ -1419,6 +1419,20 @@ Any of the logging functions may be set to the
 pointer if no logging is to be performed.
 If the open function returns 0, no I/O will be sent to the plugin.
 .PP
+If a logging function returns an error
+(\-1),
+the running command will be terminated and all of the plugin's logging
+functions will be disabled.
+Other I/O logging plugins will still receive any remaining
+input or output that has not yet been processed.
+.PP
+If an input logging function rejects the data by returning 0, the
+command will be terminated and the data will not be passed to the
+command, though it will still be sent to any other I/O logging plugins.
+If an output logging function rejects the data by returning 0, the
+command will be terminated and the data will not be written to the
+terminal, though it will still be sent to any other I/O logging plugins.
+.PP
 The io_plugin struct has the following fields:
 .TP 6n
 type
@@ -1452,15 +1466,18 @@ int (*open)(unsigned int version, sudo_conv_t conversation,
 The
 \fBopen\fR()
 function is run before the
-\fBlog_input\fR(),
-\fBlog_output\fR()
+\fBlog_ttyin\fR(),
+\fBlog_ttyout\fR(),
+\fBlog_stdin\fR(),
+\fBlog_stdout\fR(),
+\fBlog_stderr\fR(),
 or
 \fBshow_version\fR()
 functions are called.
-It is only called if the version is being requested or the
+It is only called if the version is being requested or if the
+policy plugin's
 \fBcheck_policy\fR()
-function has
-returned successfully.
+function has returned successfully.
 It returns 1 on success, 0 on failure, \-1 if a general error occurred,
 or \-2 if there was a usage error.
 In the latter case,
@@ -1716,7 +1733,8 @@ the user but before it is passed to the running command.
 This allows the plugin to reject data if it chooses to (for instance
 if the input contains banned content).
 Returns 1 if the data should be passed to the command, 0 if the data
-is rejected (which will terminate the command) or \-1 if an error occurred.
+is rejected (which will terminate the running command) or \-1 if an
+error occurred.
 .sp
 The function arguments are as follows:
 .TP 6n
@@ -1747,7 +1765,7 @@ the command but before it is written to the user's terminal.
 This allows the plugin to reject data if it chooses to (for instance
 if the output contains banned content).
 Returns 1 if the data should be passed to the user, 0 if the data is rejected
-(which will terminate the command) or \-1 if an error occurred.
+(which will terminate the running command) or \-1 if an error occurred.
 .sp
 The function arguments are as follows:
 .TP 6n
@@ -1780,7 +1798,7 @@ before it is passed to the running command.
 This allows the plugin to reject data if it chooses to
 (for instance if the input contains banned content).
 Returns 1 if the data should be passed to the command, 0 if the data is
-rejected (which will terminate the command) or \-1 if an error occurred.
+rejected (which will terminate the running command) or \-1 if an error occurred.
 .sp
 The function arguments are as follows:
 .TP 6n
@@ -1813,7 +1831,7 @@ it is written to the standard output.
 This allows the plugin to reject data if it chooses to
 (for instance if the output contains banned content).
 Returns 1 if the data should be passed to the user, 0 if the data is
-rejected (which will terminate the command) or \-1 if an error occurred.
+rejected (which will terminate the running command) or \-1 if an error occurred.
 .sp
 The function arguments are as follows:
 .TP 6n
@@ -1846,7 +1864,7 @@ is written to the standard error.
 This allows the plugin to reject data if it chooses to
 (for instance if the output contains banned content).
 Returns 1 if the data should be passed to the user, 0 if the data is
-rejected (which will terminate the command) or \-1 if an error occurred.
+rejected (which will terminate the running command) or \-1 if an error occurred.
 .sp
 The function arguments are as follows:
 .TP 6n
@@ -2593,6 +2611,25 @@ The
 entry was added to the
 \fRcommand_info\fR
 list.
+.TP 6n
+Version 1.6 (sudo 1.8.11)
+The behavior when an I/O logging plugin returns an error
+(\-1)
+has changed.
+Previously, the
+\fBsudo\fR
+front end took no action when the
+\fBlog_ttyin\fR(),
+\fBlog_ttyout\fR(),
+\fBlog_stdin\fR(),
+\fBlog_stdout\fR(),
+or
+\fBlog_stderr\fR()
+function returned an error.
+.sp
+The behavior when an I/O logging plugin returns 0 has changed.
+Previously, output from the command would be displayed to the
+terminal even if an output logging function returned 0.
 .SH "SEE ALSO"
 sudo.conf(@mansectform@),
 sudoers(@mansectform@),