From owner-p4-projects@FreeBSD.ORG Mon Dec 13 02:30:59 2004 Return-Path: Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id 49D3116A4D0; Mon, 13 Dec 2004 02:30:59 +0000 (GMT) Delivered-To: perforce@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2618016A4CE for ; Mon, 13 Dec 2004 02:30:59 +0000 (GMT) Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0137443D2D for ; Mon, 13 Dec 2004 02:30:59 +0000 (GMT) (envelope-from wsalamon@computer.org) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.13.1/8.13.1) with ESMTP id iBD2Uw5h000142 for ; Mon, 13 Dec 2004 02:30:58 GMT (envelope-from wsalamon@computer.org) Received: (from perforce@localhost) by repoman.freebsd.org (8.13.1/8.13.1/Submit) id iBD2UwG9000139 for perforce@freebsd.org; Mon, 13 Dec 2004 02:30:58 GMT (envelope-from wsalamon@computer.org) Date: Mon, 13 Dec 2004 02:30:58 GMT Message-Id: <200412130230.iBD2UwG9000139@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to wsalamon@computer.org using -f From: Wayne Salamon To: Perforce Change Reviews Subject: PERFORCE change 66934 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 13 Dec 2004 02:30:59 -0000 http://perforce.freebsd.org/chv.cgi?CH=66934 Change 66934 by wsalamon@rickenbacker on 2004/12/13 02:30:03 Add auditing to the open() and close() system calls. Affected files ... .. //depot/projects/trustedbsd/audit3/sys/bsm/audit_kernel.h#10 edit .. //depot/projects/trustedbsd/audit3/sys/kern/kern_descrip.c#3 edit .. //depot/projects/trustedbsd/audit3/sys/kern/vfs_syscalls.c#6 edit .. //depot/projects/trustedbsd/audit3/sys/kern/vfs_vnops.c#4 edit .. //depot/projects/trustedbsd/audit3/sys/security/audit/kern_audit.c#13 edit .. //depot/projects/trustedbsd/audit3/sys/security/audit/kern_bsm_audit.c#6 edit Differences ... ==== //depot/projects/trustedbsd/audit3/sys/bsm/audit_kernel.h#10 (text+ko) ==== @@ -357,9 +357,9 @@ /* * A Macro to wrap the audit_sysclose() function. */ -#define AUDIT_SYSCLOSE(args...) do { \ +#define AUDIT_SYSCLOSE(p, fd) do { \ if (audit_enabled) \ - audit_sysclose(args); \ + audit_sysclose(p, fd); \ } while (0) #else /* !AUDIT */ @@ -378,7 +378,7 @@ #define AUDIT_SYSCALL_EXIT(error, td) do { \ } while (0) -#define AUDIT_SYSCLOSE(op, args...) do { \ +#define AUDIT_SYSCLOSE(p, fd) do { \ } while (0) #endif /* AUDIT */ ==== //depot/projects/trustedbsd/audit3/sys/kern/kern_descrip.c#3 (text+ko) ==== @@ -39,6 +39,9 @@ #include "opt_compat.h" +#include +#include + #include #include #include @@ -965,6 +968,12 @@ holdleaders = 0; fdp = td->td_proc->p_fd; mtx_lock(&Giant); + + /* The call to AUDIT_SYSCLOSE must be made with Giant held, + * but without the fd lock. + */ + AUDIT_SYSCLOSE(td->td_proc, fd); + FILEDESC_LOCK(fdp); if ((unsigned)fd >= fdp->fd_nfiles || (fp = fdp->fd_ofiles[fd]) == NULL) { ==== //depot/projects/trustedbsd/audit3/sys/kern/vfs_syscalls.c#6 (text+ko) ==== @@ -953,6 +953,8 @@ struct flock lf; struct nameidata nd; + AUDIT_ARG(fflags, flags); + AUDIT_ARG(mode, mode); if ((flags & O_ACCMODE) == O_ACCMODE) return (EINVAL); flags = FFLAGS(flags); @@ -962,7 +964,7 @@ /* An extra reference on `nfp' has been held for us by falloc(). */ fp = nfp; cmode = ((mode &~ fdp->fd_cmask) & ALLPERMS) &~ S_ISTXT; - NDINIT(&nd, LOOKUP, FOLLOW, pathseg, path, td); + NDINIT(&nd, LOOKUP, FOLLOW | AUDITVNPATH1, pathseg, path, td); td->td_dupfd = -1; /* XXX check for fdopen */ mtx_lock(&Giant); error = vn_open(&nd, &flags, cmode, indx); @@ -1135,7 +1137,7 @@ int mode; } */ *uap; { - + /* Auditing is done in kern_open() */ return (kern_open(td, uap->path, UIO_USERSPACE, O_WRONLY | O_CREAT | O_TRUNC, uap->mode)); } ==== //depot/projects/trustedbsd/audit3/sys/kern/vfs_vnops.c#4 (text+ko) ==== @@ -123,7 +123,7 @@ fmode = *flagp; if (fmode & O_CREAT) { ndp->ni_cnd.cn_nameiop = CREATE; - ndp->ni_cnd.cn_flags = LOCKPARENT | LOCKLEAF; + ndp->ni_cnd.cn_flags = LOCKPARENT | LOCKLEAF | AUDITVNPATH1; if ((fmode & O_EXCL) == 0 && (fmode & O_NOFOLLOW) == 0) ndp->ni_cnd.cn_flags |= FOLLOW; bwillwrite(); @@ -185,10 +185,11 @@ #ifdef LOOKUP_SHARED ndp->ni_cnd.cn_flags = ((fmode & O_NOFOLLOW) ? NOFOLLOW : FOLLOW) | - LOCKSHARED | LOCKLEAF; + LOCKSHARED | LOCKLEAF | AUDITVNPATH1; #else ndp->ni_cnd.cn_flags = - ((fmode & O_NOFOLLOW) ? NOFOLLOW : FOLLOW) | LOCKLEAF; + ((fmode & O_NOFOLLOW) ? NOFOLLOW : FOLLOW) | + LOCKLEAF | AUDITVNPATH1; #endif if ((error = namei(ndp)) != 0) return (error); ==== //depot/projects/trustedbsd/audit3/sys/security/audit/kern_audit.c#13 (text+ko) ==== @@ -1276,8 +1276,8 @@ switch(ar->k_ar.ar_event) { - case AUE_OPEN_RWTC: - /* The open syscall always writes a OPEN_RWTC event; limit the + case AUE_OPEN: + /* The open syscall always writes a AUE_OPEN event; change it * to the proper type of event based on the flags and the error * value. */ ==== //depot/projects/trustedbsd/audit3/sys/security/audit/kern_bsm_audit.c#6 (text+ko) ==== @@ -797,18 +797,25 @@ kau_write(rec, tok); break; - case AUE_OPEN_R: case AUE_OPEN_RC: case AUE_OPEN_RTC: + case AUE_OPEN_RWC: + case AUE_OPEN_RWTC: + case AUE_OPEN_WC: + case AUE_OPEN_WTC: + /* case AUE_O_CREAT: */ /* AUE_O_CREAT == AUE_OPEN_RWTC */ + tok = au_to_arg32(3, "mode", ar->ar_arg_mode); + kau_write(rec, tok); + /* fall through */ + + case AUE_OPEN_R: case AUE_OPEN_RT: case AUE_OPEN_RW: - case AUE_OPEN_RWC: - case AUE_OPEN_RWTC: case AUE_OPEN_RWT: case AUE_OPEN_W: - case AUE_OPEN_WC: - case AUE_OPEN_WTC: case AUE_OPEN_WT: + tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); + kau_write(rec, tok); UPATH1_TOKENS; /* Save the user space path */ KPATH1_VNODE1_TOKENS; /* Audit the kernel path as well */ break;