Date: Thu, 15 May 2008 02:16:43 GMT From: Diego Giagio <diego@FreeBSD.org> To: Perforce Change Reviews <perforce@FreeBSD.org> Subject: PERFORCE change 141621 for review Message-ID: <200805150216.m4F2GhOF086044@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=141621 Change 141621 by diego@diego_black on 2008/05/15 02:16:31 - Added audit support for pf enable/disable - Added preliminary audit support for ipfw rule and table changes Affected files ... .. //depot/projects/soc2008/diego-audit/src/sys/bsm/audit_kevents.h#3 edit .. //depot/projects/soc2008/diego-audit/src/sys/contrib/pf/net/pf_ioctl.c#3 edit .. //depot/projects/soc2008/diego-audit/src/sys/netinet/ip_fw2.c#3 edit .. //depot/projects/soc2008/diego-audit/src/sys/security/audit/audit.h#6 edit .. //depot/projects/soc2008/diego-audit/src/sys/security/audit/audit_pfil.c#2 edit Differences ... ==== //depot/projects/soc2008/diego-audit/src/sys/bsm/audit_kevents.h#3 (text) ==== @@ -550,6 +550,10 @@ #define AUE_SYMLINKAT 43152 /* FreeBSD. */ #define AUE_PFIL_ENABLE 43153 /* FreeBSD. */ #define AUE_PFIL_DISABLE 43154 /* FreeBSD. */ +#define AUE_PFIL_POLICY_ADDRULE 43155 /* FreeBSD. */ +#define AUE_PFIL_POLICY_DELRULE 43156 /* FreeBSD. */ +#define AUE_PFIL_POLICY_FLUSH 43157 /* FreeBSD. */ +#define AUE_PFIL_POLICY_TABLE 43158 /* FreeBSD. */ /* * Darwin BSM uses a number of AUE_O_* definitions, which are aliased to the ==== //depot/projects/soc2008/diego-audit/src/sys/contrib/pf/net/pf_ioctl.c#3 (text+ko) ==== @@ -140,6 +140,10 @@ #endif /* __FreeBSD__ */ #ifdef __FreeBSD__ +#include <security/audit/audit.h> +#endif /* __FreeBSD__ */ + +#ifdef __FreeBSD__ void init_zone_var(void); void cleanup_pf_zone(void); int pfattach(void); @@ -3871,10 +3875,12 @@ switch(type) { case MOD_LOAD: error = pf_load(); + AUDIT_CALL(audit_pfil_enable_pf(error)); break; case MOD_UNLOAD: error = pf_unload(); + AUDIT_CALL(audit_pfil_disable_pf(error)); break; default: error = EINVAL; ==== //depot/projects/soc2008/diego-audit/src/sys/netinet/ip_fw2.c#3 (text+ko) ==== @@ -104,6 +104,7 @@ #include <machine/in_cksum.h> /* XXX for in_cksum */ +#include <security/audit/audit.h> #include <security/mac/mac_framework.h> /* 
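Review bot: The new `#include <security/audit/audit.h>` in pf_ioctl.c is wrapped in its own `#ifdef __FreeBSD__` / `#endif` pair that is immediately followed by another `#ifdef __FreeBSD__` opening the existing block of FreeBSD-only prototypes. Closing and reopening the same conditional adds three lines for no effect; the include can simply be the first line of the existing block, `#ifdef __FreeBSD__` / `#include <security/audit/audit.h>` / `void init_zone_var(void);`. The surrounding conditional region starts before the hunk.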
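Review bot: The two hooks added to pf_modevent record module load and unload under the enable/disable event names, while pf's runtime on/off switch — the DIOCSTART and DIOCSTOP ioctls handled in pfioctl — gets no record, so turning filtering off with the module still loaded leaves no trail. If the change description's "pf enable/disable" means the runtime state, the `AUDIT_CALL`s belong in those ioctl cases; if module events are what is wanted, they deserve their own event ids so a consumer does not read a kldunload as a disable. The MOD_UNLOAD hook also runs after `pf_unload()` has already succeeded, which only works because the audit functions live outside the pf module; a one-line comment would make that dependency visible, e.g. `/* Safe after pf_unload(): the record is built by the audit subsystem, not pf. */`. pf_modevent starts and ends outside the hunk.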
@@ -4209,6 +4210,7 @@ IPFW_WUNLOCK(&layer3_chain); if (rule != NULL) reap_rules(rule); + AUDIT_CALL(audit_pfil_flush_ipfw(error)); break; case IP_FW_ADD: @@ -4223,6 +4225,7 @@ if (!error && sopt->sopt_dir == SOPT_GET) error = sooptcopyout(sopt, rule, size); } + AUDIT_CALL(audit_pfil_addrule_ipfw(rule, error)); free(rule, M_TEMP); break; @@ -4252,6 +4255,7 @@ ~(1<<RESVD_SET); /* set RESVD_SET always enabled */ else error = EINVAL; + AUDIT_CALL(audit_pfil_delrule_ipfw(NULL /* XXX */, error)); break; case IP_FW_ZERO: @@ -4277,6 +4281,7 @@ break; error = add_table_entry(&layer3_chain, ent.tbl, ent.addr, ent.masklen, ent.value); + AUDIT_CALL(audit_pfil_table_ipfw(ent.tbl, error)); } break; @@ -4290,6 +4295,7 @@ break; error = del_table_entry(&layer3_chain, ent.tbl, ent.addr, ent.masklen); + AUDIT_CALL(audit_pfil_table_ipfw(ent.tbl, error)); } break; @@ -4304,6 +4310,7 @@ IPFW_WLOCK(&layer3_chain); error = flush_table(&layer3_chain, tbl); IPFW_WUNLOCK(&layer3_chain); + AUDIT_CALL(audit_pfil_table_ipfw(tbl, error)); } break; ==== //depot/projects/soc2008/diego-audit/src/sys/security/audit/audit.h#6 (text) ==== @@ -126,8 +126,16 @@ /* * Functions for auditing packet filter events. */ -void audit_pfil_enable_ipfw(int error); -void audit_pfil_disable_ipfw(int error); +void audit_pfil_enable_ipfw(int error); +void audit_pfil_disable_ipfw(int error); +void audit_pfil_enable_pf(int error); +void audit_pfil_disable_pf(int error); + +struct ip_fw; +void audit_pfil_addrule_ipfw(struct ip_fw *rule, int error); +void audit_pfil_delrule_ipfw(struct ip_fw *rule, int error); +void audit_pfil_flush_ipfw(int error); +void audit_pfil_table_ipfw(u_int table, int error); /* * The remaining kernel functions are conditionally compiled in as they are ==== //depot/projects/soc2008/diego-audit/src/sys/security/audit/audit_pfil.c#2 (text+ko) ==== 
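Review bot: In the IP_FW_FLUSH case no assignment to `error` is visible before `AUDIT_CALL(audit_pfil_flush_ipfw(error));`, so the return status committed to the record is whatever the variable held on entry to the case — presumably 0 after ipfw_ctl's earlier checks, but that is a property of code outside the hunk. Giving the case its own value, `AUDIT_CALL(audit_pfil_flush_ipfw(0)); /* free_chain() cannot fail */` if that holds, or assigning `error` inside the case, makes the record independent of the surrounding control flow. Separately, all of these hooks sit inside the switch, so a request rejected before it by ipfw_ctl's privilege or securelevel checks presumably produces no record at all; denied attempts are usually what an audit trail exists for, so that path is worth confirming. ipfw_ctl starts and ends outside these hunks.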
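Review bot: The IP_FW_DEL hook passes `NULL /* XXX */` as the rule, so the delete record carries only the chain name and the error and cannot say which rule, set or command was requested — the one thing a reader of the trail needs from a deletion. By this point the case appears to have already decoded the request from sopt (the set-manipulation branch above the hook operates on decoded set values), so those decoded values can be recorded instead of a rule pointer that never exists on the delete path; a signature such as `void audit_pfil_delrule_ipfw(u_int32_t rulenum, u_int32_t set, int error);` fits that path better than `struct ip_fw *`. If the pointer parameter is kept, the `/* XXX */` should say what is expected to replace NULL.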
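Review bot: The three table hooks at -4277, -4290 and -4304 all emit the same event, AUE_PFIL_POLICY_TABLE, with the same arguments (table number and error), so the resulting records cannot distinguish an entry being added from one being deleted or the whole table being flushed. Either give each operation its own event id or pass the operation along, e.g. `AUDIT_CALL(audit_pfil_table_ipfw(sopt->sopt_name, ent.tbl, error));` so the record names the sockopt it was produced for. The address, mask and value in `ent` are what distinguishes one table change from another and are in scope at the add and delete call sites.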
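Review bot: The audit.h prototype declares `void audit_pfil_table_ipfw(u_int table, int error);` while the definition in audit_pfil.c uses `u_int32_t table`; on FreeBSD both are unsigned int so this compiles, but the header is the contract and the two should spell the same type — `void audit_pfil_table_ipfw(u_int32_t table, int error);`. The block of prototypes is also the only documentation callers of these hooks get, and nothing says when each is expected to be called or what `error` means; a comment above the group, e.g. `/* Called after the operation with its return value; error != 0 records a failed attempt. */`, would make the contract explicit.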
@@ -30,6 +30,11 @@
 #include <sys/param.h>
 #include <sys/proc.h>
+#include <sys/socket.h>
+#include <net/if.h>
+#include <netinet/in.h>
+#include <netinet/ip_fw.h>
+
 #include <bsm/audit_kevents.h>
 #include <security/audit/audit.h>
@@ -73,3 +78,71 @@
 audit_pfil_disable_common("ipfw", error);
 }
+void
+audit_pfil_enable_pf(int error)
+{
+ audit_pfil_enable_common("pf", error);
+}
+
+void
+audit_pfil_disable_pf(int error)
+{
+ audit_pfil_disable_common("pf", error);
+}
+
+void
+audit_pfil_addrule_ipfw(struct ip_fw *rule, int error)
+{
+ struct kaudit_record *ar;
+
+ ar = audit_begin(AUE_PFIL_POLICY_ADDRULE, curthread);
+ if (ar == NULL)
+ return;
+
+ audit_record_arg_text(ar, "ipfw");
+ /* XXX tokens */
+ audit_commit(ar, error, 0);
+}
+
+void
+audit_pfil_delrule_ipfw(struct ip_fw *rule, int error)
+{
+ struct kaudit_record *ar;
+
+ ar = audit_begin(AUE_PFIL_POLICY_DELRULE, curthread);
+ if (ar == NULL)
+ return;
+
+ audit_record_arg_text(ar, "ipfw");
+ /* XXX tokens */
+ audit_commit(ar, error, 0);
+}
+
+void
+audit_pfil_flush_ipfw(int error)
+{
+ struct kaudit_record *ar;
+
+ ar = audit_begin(AUE_PFIL_POLICY_FLUSH, curthread);
+ if (ar == NULL)
+ return;
+
+ audit_record_arg_text(ar, "ipfw");
+ /* XXX tokens */
+ audit_commit(ar, error, 0);
+}
+
+void
+audit_pfil_table_ipfw(u_int32_t table, int error)
+{
+ struct kaudit_record *ar;
+
+ ar = audit_begin(AUE_PFIL_POLICY_TABLE, curthread);
+ if (ar == NULL)
+ return;
+
+ audit_record_arg_text(ar, "ipfw");
+ /* XXX tokens */
+ audit_commit(ar, error, 0);
+}
+
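Review bot: All four new record builders commit only the text "ipfw" and leave `/* XXX tokens */` in place, so the parameters that would make the records useful are accepted and then ignored: `rule` is never read in audit_pfil_addrule_ipfw or audit_pfil_delrule_ipfw, and `table` is never recorded in audit_pfil_table_ipfw, leaving add, delete and table records that differ only by event id. If the XXX is to stay for now, the comment should say what is still to be recorded and note the NULL case, e.g. `/* XXX tokens: rule number and set still to be recorded; rule is NULL on the IP_FW_DEL path */`, since the caller in ip_fw2.c already passes NULL and any later dereference must be guarded. The begin/arg_text/commit sequence is also repeated verbatim four times; folding it into a static helper in the spirit of the existing audit_pfil_enable_common/audit_pfil_disable_common leaves the event id as the only per-function difference, as sketched below (the helper's first parameter should take whatever type audit_begin expects for the event).
```c
static void
audit_pfil_policy_common(int event, const char *pfil, int error)
{
	struct kaudit_record *ar;

	ar = audit_begin(event, curthread);
	if (ar == NULL)
		return;

	audit_record_arg_text(ar, pfil);
	/* XXX tokens: rule number/set and table id still to be recorded */
	audit_commit(ar, error, 0);
}

void
audit_pfil_flush_ipfw(int error)
{
	audit_pfil_policy_common(AUE_PFIL_POLICY_FLUSH, "ipfw", error);
}
/* … unchanged: enable_pf/disable_pf; addrule, delrule and table call the helper with their own event id … */
```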