Date: Wed, 15 Dec 2004 02:17:57 GMT
From: Wayne Salamon
To: Perforce Change Reviews
Subject: PERFORCE change 67101 for review

http://perforce.freebsd.org/chv.cgi?CH=67101

Change 67101 by wsalamon@rickenbacker on 2004/12/15 02:17:46

	Fixup the auditing of the open() event:
	First, because we rely on userspace (auditd) to set the kernel's
	event->class mapping, we don't need
	kern_bsm_klib::au_evclassmap_init() to do it for the specific
	AUE_OPEN events.
	Second: Use the AUE_OPEN_RWTC, an event that covers all types of
	open-related classes, as the event to associate with the open()
	system call. Any open call will therefore be covered by
	preselection. Change this event mapping for freebsd32 and linux
	compat as well.

Affected files ...

.. //depot/projects/trustedbsd/audit3/sys/compat/freebsd32/freebsd32_sysent.c#5 edit
.. //depot/projects/trustedbsd/audit3/sys/compat/freebsd32/syscalls.master#5 edit
.. //depot/projects/trustedbsd/audit3/sys/i386/linux/linux_sysent.c#5 edit
.. //depot/projects/trustedbsd/audit3/sys/i386/linux/syscalls.master#5 edit
.. //depot/projects/trustedbsd/audit3/sys/kern/init_sysent.c#10 edit
.. //depot/projects/trustedbsd/audit3/sys/kern/syscalls.master#10 edit
.. //depot/projects/trustedbsd/audit3/sys/security/audit/kern_audit.c#14 edit
.. //depot/projects/trustedbsd/audit3/sys/security/audit/kern_bsm_klib.c#8 edit

Differences ...

==== //depot/projects/trustedbsd/audit3/sys/compat/freebsd32/freebsd32_sysent.c#5 (text+ko) ====
@@ -31,7 +31,7 @@ { SYF_MPSAFE | 0, (sy_call_t *)fork, AUE_FORK }, /* 2 = fork */ { SYF_MPSAFE | AS(read_args), (sy_call_t *)read, AUE_NULL }, /* 3 = read */ { SYF_MPSAFE | AS(write_args), (sy_call_t *)write, AUE_NULL }, /* 4 = write */ - { AS(open_args), (sy_call_t *)open, AUE_OPEN }, /* 5 = open */ + { AS(open_args), (sy_call_t *)open, AUE_OPEN_RWTC }, /* 5 = open */ { SYF_MPSAFE | AS(close_args), (sy_call_t *)close, AUE_CLOSE }, /* 6 = close */ { SYF_MPSAFE | AS(freebsd32_wait4_args), (sy_call_t *)freebsd32_wait4, AUE_NULL }, /* 7 = freebsd32_wait4 */ { 0, (sy_call_t *)nosys, AUE_NULL }, /* 8 = obsolete old creat */ @@ -44,7 +44,7 @@ { AS(chmod_args), (sy_call_t *)chmod, AUE_NULL }, /* 15 = chmod */ { AS(chown_args), (sy_call_t *)chown, AUE_NULL }, /* 16 = chown */ { SYF_MPSAFE | AS(obreak_args), (sy_call_t *)obreak, AUE_NULL }, /* 17 = break */ - { compat4(AS(freebsd4_freebsd32_getfsstat_args),freebsd32_getfsstat) }, /* 18 = old freebsd32_getfsstat */ + { compat4(AS(freebsd4_freebsd32_getfsstat_args),freebsd32_getfsstat), AUE_NULL }, /* 18 = old freebsd32_getfsstat */ { 0, (sy_call_t *)nosys, AUE_NULL }, /* 19 = obsolete olseek */ { SYF_MPSAFE | 0, (sy_call_t *)getpid, AUE_NULL }, /* 20 = getpid */ { AS(mount_args), (sy_call_t *)mount, AUE_NULL }, /* 21 = mount */ 
@@ -183,8 +183,8 @@ { 0, (sy_call_t *)nosys, AUE_NULL }, /* 154 = nosys */ { 0, (sy_call_t *)nosys, AUE_NULL }, /* 155 = nfssvc */ { 0, (sy_call_t *)nosys, AUE_NULL }, /* 156 = obsolete ogetdirentries */ - { compat4(AS(freebsd4_freebsd32_statfs_args),freebsd32_statfs) }, /* 157 = old freebsd32_statfs */ - { compat4(AS(freebsd4_freebsd32_fstatfs_args),freebsd32_fstatfs) }, /* 158 = old freebsd32_fstatfs */ + { compat4(AS(freebsd4_freebsd32_statfs_args),freebsd32_statfs), AUE_NULL }, /* 157 = old freebsd32_statfs */ + { compat4(AS(freebsd4_freebsd32_fstatfs_args),freebsd32_fstatfs), AUE_NULL }, /* 158 = old freebsd32_fstatfs */ { 0, (sy_call_t *)nosys, AUE_NULL }, /* 159 = nosys */ { 0, (sy_call_t *)nosys, AUE_NULL }, /* 160 = nosys */ { AS(getfh_args), (sy_call_t *)getfh, AUE_NULL }, /* 161 = getfh */ @@ -323,7 +323,7 @@ { 0, (sy_call_t *)nosys, AUE_NULL }, /* 294 = nosys */ { 0, (sy_call_t *)nosys, AUE_NULL }, /* 295 = nosys */ { 0, (sy_call_t *)nosys, AUE_NULL }, /* 296 = nosys */ - { compat4(AS(freebsd4_freebsd32_fhstatfs_args),freebsd32_fhstatfs) }, /* 297 = old freebsd32_fhstatfs */ + { compat4(AS(freebsd4_freebsd32_fhstatfs_args),freebsd32_fhstatfs), AUE_NULL }, /* 297 = old freebsd32_fhstatfs */ { AS(fhopen_args), (sy_call_t *)fhopen, AUE_NULL }, /* 298 = fhopen */ { AS(fhstat_args), (sy_call_t *)fhstat, AUE_NULL }, /* 299 = fhstat */ { SYF_MPSAFE | AS(modnext_args), (sy_call_t *)modnext, AUE_NULL }, /* 300 = modnext */ 
@@ -362,15 +362,15 @@ { SYF_MPSAFE | AS(sched_get_priority_min_args), (sy_call_t *)sched_get_priority_min, AUE_NULL }, /* 333 = sched_get_priority_min */ { SYF_MPSAFE | AS(sched_rr_get_interval_args), (sy_call_t *)sched_rr_get_interval, AUE_NULL }, /* 334 = sched_rr_get_interval */ { SYF_MPSAFE | AS(utrace_args), (sy_call_t *)utrace, AUE_NULL }, /* 335 = utrace */ - { compat4(SYF_MPSAFE | AS(freebsd4_freebsd32_sendfile_args),freebsd32_sendfile) }, /* 336 = old freebsd32_sendfile */ + { compat4(SYF_MPSAFE | AS(freebsd4_freebsd32_sendfile_args),freebsd32_sendfile), AUE_NULL }, /* 336 = old freebsd32_sendfile */ { AS(kldsym_args), (sy_call_t *)kldsym, AUE_NULL }, /* 337 = kldsym */ { SYF_MPSAFE | AS(jail_args), (sy_call_t *)jail, AUE_NULL }, /* 338 = jail */ { 0, (sy_call_t *)nosys, AUE_NULL }, /* 339 = pioctl */ { SYF_MPSAFE | AS(sigprocmask_args), (sy_call_t *)sigprocmask, AUE_NULL }, /* 340 = sigprocmask */ { SYF_MPSAFE | AS(sigsuspend_args), (sy_call_t *)sigsuspend, AUE_NULL }, /* 341 = sigsuspend */ - { compat4(SYF_MPSAFE | AS(freebsd4_freebsd32_sigaction_args),freebsd32_sigaction) }, /* 342 = old freebsd32_sigaction */ + { compat4(SYF_MPSAFE | AS(freebsd4_freebsd32_sigaction_args),freebsd32_sigaction), AUE_NULL }, /* 342 = old freebsd32_sigaction */ { SYF_MPSAFE | AS(sigpending_args), (sy_call_t *)sigpending, AUE_NULL }, /* 343 = sigpending */ - { compat4(SYF_MPSAFE | AS(freebsd4_freebsd32_sigreturn_args),freebsd32_sigreturn) }, /* 344 = old freebsd32_sigreturn */ + { compat4(SYF_MPSAFE | AS(freebsd4_freebsd32_sigreturn_args),freebsd32_sigreturn), AUE_NULL }, /* 344 = old freebsd32_sigreturn */ { 0, (sy_call_t *)nosys, AUE_NULL }, /* 345 = sigtimedwait */ { 0, (sy_call_t *)nosys, AUE_NULL }, /* 346 = sigwaitinfo */ { SYF_MPSAFE | AS(__acl_get_file_args), (sy_call_t *)__acl_get_file, AUE_NULL }, /* 347 = __acl_get_file */ ==== //depot/projects/trustedbsd/audit3/sys/compat/freebsd32/syscalls.master#5 (text+ko) ==== 
@@ -57,7 +57,7 @@ 3 MNOPROTO { ssize_t read(int fd, void *buf, size_t nbyte); } AUE_NULL 4 MNOPROTO { ssize_t write(int fd, const void *buf, \ size_t nbyte); } AUE_NULL -5 NOPROTO { int open(char *path, int flags, int mode); } AUE_OPEN +5 NOPROTO { int open(char *path, int flags, int mode); } AUE_OPEN_RWTC 6 MNOPROTO { int close(int fd); } AUE_CLOSE 7 MSTD { int freebsd32_wait4(int pid, int *status, int options, \ struct rusage32 *rusage); } AUE_NULL ==== //depot/projects/trustedbsd/audit3/sys/i386/linux/linux_sysent.c#5 (text+ko) ==== @@ -23,7 +23,7 @@ { SYF_MPSAFE | 0, (sy_call_t *)linux_fork, AUE_FORK }, /* 2 = linux_fork */ { SYF_MPSAFE | AS(read_args), (sy_call_t *)read, AUE_NULL }, /* 3 = read */ { SYF_MPSAFE | AS(write_args), (sy_call_t *)write, AUE_NULL }, /* 4 = write */ - { AS(linux_open_args), (sy_call_t *)linux_open, AUE_OPEN }, /* 5 = linux_open */ + { AS(linux_open_args), (sy_call_t *)linux_open, AUE_OPEN_RWTC }, /* 5 = linux_open */ { SYF_MPSAFE | AS(close_args), (sy_call_t *)close, AUE_CLOSE }, /* 6 = close */ { SYF_MPSAFE | AS(linux_waitpid_args), (sy_call_t *)linux_waitpid, AUE_NULL }, /* 7 = linux_waitpid */ { AS(linux_creat_args), (sy_call_t *)linux_creat, AUE_O_CREAT }, /* 8 = linux_creat */ ==== //depot/projects/trustedbsd/audit3/sys/i386/linux/syscalls.master#5 (text+ko) ==== @@ -40,7 +40,8 @@ 2 MSTD { int linux_fork(void); } AUE_FORK 3 MNOPROTO { int read(int fd, char *buf, u_int nbyte); } AUE_NULL 4 MNOPROTO { int write(int fd, char *buf, u_int nbyte); } AUE_NULL -5 STD { int linux_open(char *path, l_int flags, l_int mode); } AUE_OPEN +5 STD { int linux_open(char *path, l_int flags, l_int mode); } \ + AUE_OPEN_RWTC 6 MNOPROTO { int close(int fd); } AUE_CLOSE 7 MSTD { int linux_waitpid(l_pid_t pid, \ l_int *status, l_int options); } AUE_NULL ==== //depot/projects/trustedbsd/audit3/sys/kern/init_sysent.c#10 (text+ko) ==== 
@@ -34,7 +34,7 @@ { SYF_MPSAFE | 0, (sy_call_t *)fork, AUE_FORK }, /* 2 = fork */ { SYF_MPSAFE | AS(read_args), (sy_call_t *)read, AUE_NULL }, /* 3 = read */ { SYF_MPSAFE | AS(write_args), (sy_call_t *)write, AUE_NULL }, /* 4 = write */ - { SYF_MPSAFE | AS(open_args), (sy_call_t *)open, AUE_OPEN }, /* 5 = open */ + { SYF_MPSAFE | AS(open_args), (sy_call_t *)open, AUE_OPEN_RWTC }, /* 5 = open */ { SYF_MPSAFE | AS(close_args), (sy_call_t *)close, AUE_CLOSE }, /* 6 = close */ { SYF_MPSAFE | AS(wait_args), (sy_call_t *)wait4, AUE_NULL }, /* 7 = wait4 */ { compat(SYF_MPSAFE | AS(ocreat_args),creat), AUE_O_CREAT }, /* 8 = old creat */ ==== //depot/projects/trustedbsd/audit3/sys/kern/syscalls.master#10 (text+ko) ==== @@ -56,7 +56,7 @@ 3 MSTD { ssize_t read(int fd, void *buf, size_t nbyte); } AUE_NULL 4 MSTD { ssize_t write(int fd, const void *buf, size_t nbyte); } \ AUE_NULL -5 MSTD { int open(char *path, int flags, int mode); } AUE_OPEN +5 MSTD { int open(char *path, int flags, int mode); } AUE_OPEN_RWTC ; XXX should be { int open(const char *path, int flags, ...); } ; but we're not ready for `const' or varargs. ; XXX man page says `mode_t mode'. ==== //depot/projects/trustedbsd/audit3/sys/security/audit/kern_audit.c#14 (text+ko) ==== @@ -1276,12 +1276,13 @@ switch(ar->k_ar.ar_event) { - case AUE_OPEN: - /* The open syscall always writes a AUE_OPEN event; change it - * to the proper type of event based on the flags and the error - * value. + case AUE_OPEN_RWTC: + /* The open syscall always writes a AUE_OPEN_RWTC event; change + * it to the proper type of event based on the flags and the + * error value. */ - ar->k_ar.ar_event = flags_and_error_to_openevent(ar->k_ar.ar_arg_fflags, error); + ar->k_ar.ar_event = flags_and_error_to_openevent( + ar->k_ar.ar_arg_fflags, error); break; case AUE_SYSCTL: ==== //depot/projects/trustedbsd/audit3/sys/security/audit/kern_bsm_klib.c#8 (text+ko) ==== 
@@ -112,19 +112,6 @@ } } - /* Add the specific open events to the mapping. */ - au_evclassmap_insert(AUE_OPEN_R, AU_FREAD); - au_evclassmap_insert(AUE_OPEN_RC, AU_FREAD|AU_FCREATE); - au_evclassmap_insert(AUE_OPEN_RTC, AU_FREAD|AU_FCREATE|AU_FDELETE); - au_evclassmap_insert(AUE_OPEN_RT, AU_FREAD|AU_FDELETE); - au_evclassmap_insert(AUE_OPEN_RW, AU_FREAD|AU_FWRITE); - au_evclassmap_insert(AUE_OPEN_RWC, AU_FREAD|AU_FWRITE|AU_FCREATE); - au_evclassmap_insert(AUE_OPEN_RWTC, AU_FREAD|AU_FWRITE|AU_FCREATE|AU_FDELETE); - au_evclassmap_insert(AUE_OPEN_RWT, AU_FREAD|AU_FWRITE|AU_FDELETE); - au_evclassmap_insert(AUE_OPEN_W, AU_FWRITE); - au_evclassmap_insert(AUE_OPEN_WC, AU_FWRITE|AU_FCREATE); - au_evclassmap_insert(AUE_OPEN_WTC, AU_FWRITE|AU_FCREATE|AU_FDELETE); - au_evclassmap_insert(AUE_OPEN_WT, AU_FWRITE|AU_FDELETE); } /*
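
Review bot: In freebsd32_sysent.c the compat4() entries (18, 157, 158, 297, 336, 342 and 344) gain a trailing AUE_NULL that the change description does not mention, and the freebsd32 syscalls.master hunk shows no matching edit, since only entry 5 changes there. If freebsd32_sysent.c is generated from syscalls.master, an edit made only in the generated file will be lost on the next regeneration. Please make the fix where the table is produced and regenerate, or split it into its own change with a description line saying that these entries previously had no explicit audit event initializer.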
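
Review bot: In kern_audit.c at "case AUE_OPEN_RWTC:", preselection has already been decided on the broad AUE_OPEN_RWTC event by the time ar_event is rewritten by flags_and_error_to_openevent(), and the visible lines do not re-check the converted event against the process mask. A process preselected only for file writes, for example, would match on AUE_OPEN_RWTC and could then have an AUE_OPEN_R record committed. Please either re-evaluate preselection after the conversion or extend the comment to say that over-selection at syscall entry is intended and where the specific event is filtered. The comment should also say why AUE_OPEN_RWTC was chosen as the placeholder (its classes cover every open variant), because it is also a legitimate final event value and a reader cannot tell the two uses apart from the case label alone.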
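
Review bot: In kern_bsm_klib.c the removed au_evclassmap_insert() block was the only in-kernel guarantee that AUE_OPEN_RWTC maps to AU_FREAD|AU_FWRITE|AU_FCREATE|AU_FDELETE, and the claim in the description that any open call is covered by preselection now depends on auditd loading a mapping with those same classes. Until userspace does so, or if its mapping omits a class, open() records will not be preselected and nothing in the kernel signals it. Please leave a comment at this spot documenting the dependency on the userspace event->class mapping, and consider keeping the single AUE_OPEN_RWTC insert as a fallback default for the window before auditd runs.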