Date: Tue, 11 Aug 2009 16:46:52 GMT From: Ilias Marinos <marinosi@FreeBSD.org> To: Perforce Change Reviews <perforce@FreeBSD.org> Subject: PERFORCE change 167216 for review Message-ID: <200908111646.n7BGkqHi042892@repoman.freebsd.org>
next in thread | raw e-mail | index | archive | help
http://perforce.freebsd.org/chv.cgi?CH=167216 Change 167216 by marinosi@marinosi_redrum on 2009/08/11 16:46:08 Merge with the latest audit codebase. Affected files ... .. //depot/projects/soc2009/marinosi_appaudit/src/sys/security/audit/audit.c#16 integrate .. //depot/projects/soc2009/marinosi_appaudit/src/sys/security/audit/audit.h#5 integrate .. //depot/projects/soc2009/marinosi_appaudit/src/sys/security/audit/audit_private.h#7 integrate .. //depot/projects/soc2009/marinosi_appaudit/src/sys/security/audit/audit_worker.c#8 integrate Differences ... ==== //depot/projects/soc2009/marinosi_appaudit/src/sys/security/audit/audit.c#16 (text) ==== @@ -29,7 +29,7 @@ */ #include <sys/cdefs.h> -__FBSDID("$FreeBSD: src/sys/security/audit/audit.c,v 1.51 2009/04/19 14:53:17 rwatson Exp $"); +__FBSDID("$FreeBSD: src/sys/security/audit/audit.c,v 1.53 2009/07/28 21:39:58 rwatson Exp $"); #include <sys/param.h> #include <sys/condvar.h> @@ -80,6 +80,7 @@ MALLOC_DEFINE(M_AUDITDATA, "audit_data", "Audit data storage"); MALLOC_DEFINE(M_AUDITPATH, "audit_path", "Audit path storage"); MALLOC_DEFINE(M_AUDITTEXT, "audit_text", "Audit text storage"); +MALLOC_DEFINE(M_AUDITGIDSET, "audit_gidset", "Audit GID set storage"); MALLOC_DEFINE(M_AUDITSLICE, "audit_slice", "Audit slice storage"); SYSCTL_NODE(_security, OID_AUTO, audit, CTLFLAG_RW, 0, @@ -221,6 +222,8 @@ free(ar->k_ar.ar_arg_argv, M_AUDITTEXT); if (ar->k_ar.ar_arg_envv != NULL) free(ar->k_ar.ar_arg_envv, M_AUDITTEXT); + if (ar->k_ar.ar_arg_groups.gidset != NULL) + free(ar->k_ar.ar_arg_groups.gidset, M_AUDITGIDSET); } /* @@ -395,17 +398,22 @@ else sorf = AU_PRS_SUCCESS; + /* + * syscalls.master sometimes contains a prototype event number, which + * we will transform into a more specific event number now that we + * have more complete information gathered during the system call. + */ switch(ar->k_ar.ar_event) { case AUE_OPEN_RWTC: - /* - * The open syscall always writes a AUE_OPEN_RWTC event; - * change it to the proper type of event based on the flags - * and the error value. - */ ar->k_ar.ar_event = audit_flags_and_error_to_openevent( ar->k_ar.ar_arg_fflags, error); break; + case AUE_OPENAT_RWTC: + ar->k_ar.ar_event = audit_flags_and_error_to_openatevent( + ar->k_ar.ar_arg_fflags, error); + break; + case AUE_SYSCTL: ar->k_ar.ar_event = audit_ctlname_to_sysctlevent( ar->k_ar.ar_arg_ctlname, ar->k_ar.ar_valid_arg); ==== //depot/projects/soc2009/marinosi_appaudit/src/sys/security/audit/audit.h#5 (text) ==== @@ -26,7 +26,7 @@ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE * POSSIBILITY OF SUCH DAMAGE. * - * $FreeBSD: src/sys/security/audit/audit.h,v 1.24 2009/03/09 10:45:58 rwatson Exp $ + * $FreeBSD: src/sys/security/audit/audit.h,v 1.29 2009/07/29 07:44:43 rwatson Exp $ */ /* @@ -56,67 +56,6 @@ extern int audit_enabled; extern int audit_suspended; -/* - * Define the masks for the audited arguments. - * - * XXXRW: These need to remain in audit.h for now because our vnode and name - * lookup audit calls rely on passing in flags to indicate which name or - * vnode is being logged. These should move to audit_private.h when that is - * fixed. - */ -#define ARG_EUID 0x0000000000000001ULL -#define ARG_RUID 0x0000000000000002ULL -#define ARG_SUID 0x0000000000000004ULL -#define ARG_EGID 0x0000000000000008ULL -#define ARG_RGID 0x0000000000000010ULL -#define ARG_SGID 0x0000000000000020ULL -#define ARG_PID 0x0000000000000040ULL -#define ARG_UID 0x0000000000000080ULL -#define ARG_AUID 0x0000000000000100ULL -#define ARG_GID 0x0000000000000200ULL -#define ARG_FD 0x0000000000000400ULL -#define ARG_POSIX_IPC_PERM 0x0000000000000800ULL -#define ARG_FFLAGS 0x0000000000001000ULL -#define ARG_MODE 0x0000000000002000ULL -#define ARG_DEV 0x0000000000004000ULL -#define ARG_ADDR 0x0000000000008000ULL -#define ARG_LEN 0x0000000000010000ULL -#define ARG_MASK 0x0000000000020000ULL -#define ARG_SIGNUM 0x0000000000040000ULL -#define ARG_LOGIN 0x0000000000080000ULL -#define ARG_SADDRINET 0x0000000000100000ULL -#define ARG_SADDRINET6 0x0000000000200000ULL -#define ARG_SADDRUNIX 0x0000000000400000ULL -#define ARG_TERMID_ADDR 0x0000000000400000ULL -#define ARG_UNUSED2 0x0000000001000000ULL -#define ARG_UPATH1 0x0000000002000000ULL -#define ARG_UPATH2 0x0000000004000000ULL -#define ARG_TEXT 0x0000000008000000ULL -#define ARG_VNODE1 0x0000000010000000ULL -#define ARG_VNODE2 0x0000000020000000ULL -#define ARG_SVIPC_CMD 0x0000000040000000ULL -#define ARG_SVIPC_PERM 0x0000000080000000ULL -#define ARG_SVIPC_ID 0x0000000100000000ULL -#define ARG_SVIPC_ADDR 0x0000000200000000ULL -#define ARG_GROUPSET 0x0000000400000000ULL -#define ARG_CMD 0x0000000800000000ULL -#define ARG_SOCKINFO 0x0000001000000000ULL -#define ARG_ASID 0x0000002000000000ULL -#define ARG_TERMID 0x0000004000000000ULL -#define ARG_AUDITON 0x0000008000000000ULL -#define ARG_VALUE 0x0000010000000000ULL -#define ARG_AMASK 0x0000020000000000ULL -#define ARG_CTLNAME 0x0000040000000000ULL -#define ARG_PROCESS 0x0000080000000000ULL -#define ARG_MACHPORT1 0x0000100000000000ULL -#define ARG_MACHPORT2 0x0000200000000000ULL -#define ARG_EXIT 0x0000400000000000ULL -#define ARG_IOVECSTR 0x0000800000000000ULL -#define ARG_ARGV 0x0001000000000000ULL -#define ARG_ENVV 0x0002000000000000ULL -#define ARG_NONE 0x0000000000000000ULL -#define ARG_ALL 0xFFFFFFFFFFFFFFFFULL - void audit_syscall_enter(unsigned short code, struct thread *td); void audit_syscall_exit(int error, struct thread *td); @@ -132,6 +71,8 @@ void audit_arg_addr(void * addr); void audit_arg_exit(int status, int retval); void audit_arg_len(int len); +void audit_arg_atfd1(int atfd); +void audit_arg_atfd2(int atfd); void audit_arg_fd(int fd); void audit_arg_fflags(int fflags); void audit_arg_gid(gid_t gid); @@ -158,8 +99,10 @@ void audit_arg_auid(uid_t auid); void audit_arg_auditinfo(struct auditinfo *au_info); void audit_arg_auditinfo_addr(struct auditinfo_addr *au_info); -void audit_arg_upath(struct thread *td, char *upath, u_int64_t flags); -void audit_arg_vnode(struct vnode *vp, u_int64_t flags); +void audit_arg_upath1(struct thread *td, char *upath); +void audit_arg_upath2(struct thread *td, char *upath); +void audit_arg_vnode1(struct vnode *vp); +void audit_arg_vnode2(struct vnode *vp); void audit_arg_text(char *text); void audit_arg_cmd(int cmd); void audit_arg_svipc_cmd(int cmd); @@ -182,14 +125,175 @@ void audit_thread_free(struct thread *td); /* - * Define a macro to wrap the audit_arg_* calls by checking the global + * Define macros to wrap the audit_arg_* calls by checking the global * audit_enabled flag before performing the actual call. */ -#define AUDIT_ARG(op, args...) do { \ - if (td->td_pflags & TDP_AUDITREC) \ - audit_arg_ ## op (args); \ +#define AUDITING_TD(td) ((td)->td_pflags & TDP_AUDITREC) + +#define AUDIT_ARG_ADDR(addr) do { \ + if (AUDITING_TD(curthread)) \ + audit_arg_addr((addr)); \ +} while (0) + +#define AUDIT_ARG_ARGV(argv, argc, length) do { \ + if (AUDITING_TD(curthread)) \ + audit_arg_argv((argv), (argc), (length)); \ +} while (0) + +#define AUDIT_ARG_ATFD1(atfd) do { \ + if (AUDITING_TD(curthread)) \ + audit_arg_atfd1((atfd)); \ +} while (0) + +#define AUDIT_ARG_ATFD2(atfd) do { \ + if (AUDITING_TD(curthread)) \ + audit_arg_atfd2((atfd)); \ +} while (0) + +#define AUDIT_ARG_AUDITON(udata) do { \ + if (AUDITING_TD(curthread)) \ + audit_arg_auditon((udata)); \ +} while (0) + +#define AUDIT_ARG_CMD(cmd) do { \ + if (AUDITING_TD(curthread)) \ + audit_arg_cmd((cmd)); \ +} while (0) + +#define AUDIT_ARG_DEV(dev) do { \ + if (AUDITING_TD(curthread)) \ + audit_arg_dev((dev)); \ +} while (0) + +#define AUDIT_ARG_EGID(egid) do { \ + if (AUDITING_TD(curthread)) \ + audit_arg_egid((egid)); \ +} while (0) + +#define AUDIT_ARG_ENVV(envv, envc, length) do { \ + if (AUDITING_TD(curthread)) \ + audit_arg_envv((envv), (envc), (length)); \ +} while (0) + +#define AUDIT_ARG_EXIT(status, retval) do { \ + if (AUDITING_TD(curthread)) \ + audit_arg_exit((status), (retval)); \ +} while (0) + +#define AUDIT_ARG_EUID(euid) do { \ + if (AUDITING_TD(curthread)) \ + audit_arg_euid((euid)); \ +} while (0) + +#define AUDIT_ARG_FD(fd) do { \ + if (AUDITING_TD(curthread)) \ + audit_arg_fd((fd)); \ +} while (0) + +#define AUDIT_ARG_FILE(p, fp) do { \ + if (AUDITING_TD(curthread)) \ + audit_arg_file((p), (fp)); \ +} while (0) + +#define AUDIT_ARG_FFLAGS(fflags) do { \ + if (AUDITING_TD(curthread)) \ + audit_arg_fflags((fflags)); \ +} while (0) + +#define AUDIT_ARG_GID(gid) do { \ + if (AUDITING_TD(curthread)) \ + audit_arg_gid((gid)); \ +} while (0) + +#define AUDIT_ARG_GROUPSET(gidset, gidset_size) do { \ + if (AUDITING_TD(curthread)) \ + audit_arg_groupset((gidset), (gidset_size)); \ +} while (0) + +#define AUDIT_ARG_MODE(mode) do { \ + if (AUDITING_TD(curthread)) \ + audit_arg_mode((mode)); \ +} while (0) + +#define AUDIT_ARG_OWNER(uid, gid) do { \ + if (AUDITING_TD(curthread)) \ + audit_arg_owner((uid), (gid)); \ +} while (0) + +#define AUDIT_ARG_PID(pid) do { \ + if (AUDITING_TD(curthread)) \ + audit_arg_pid((pid)); \ +} while (0) + +#define AUDIT_ARG_PROCESS(p) do { \ + if (AUDITING_TD(curthread)) \ + audit_arg_process((p)); \ +} while (0) + +#define AUDIT_ARG_RGID(rgid) do { \ + if (AUDITING_TD(curthread)) \ + audit_arg_gid((rgid)); \ +} while (0) + +#define AUDIT_ARG_RUID(ruid) do { \ + if (AUDITING_TD(curthread)) \ + audit_arg_ruid((ruid)); \ +} while (0) + +#define AUDIT_ARG_SIGNUM(signum) do { \ + if (AUDITING_TD(curthread)) \ + audit_arg_signum((signum)); \ +} while (0) + +#define AUDIT_ARG_SGID(sgid) do { \ + if (AUDITING_TD(curthread)) \ + audit_arg_sgid((sgid)); \ +} while (0) + +#define AUDIT_ARG_SOCKET(sodomain, sotype, soprotocol) do { \ + if (AUDITING_TD(curthread)) \ + audit_arg_socket((sodomain), (sotype), (soprotocol)); \ +} while (0) + +#define AUDIT_ARG_SUID(suid) do { \ + if (AUDITING_TD(curthread)) \ + audit_arg_suid((suid)); \ +} while (0) + +#define AUDIT_ARG_TEXT(text) do { \ + if (AUDITING_TD(curthread)) \ + audit_arg_text((text)); \ +} while (0) + +#define AUDIT_ARG_UID(uid) do { \ + if (AUDITING_TD(curthread)) \ + audit_arg_uid((uid)); \ +} while (0) + +#define AUDIT_ARG_UPATH1(td, upath) do { \ + if (AUDITING_TD(curthread)) \ + audit_arg_upath1((td), (upath)); \ +} while (0) + +#define AUDIT_ARG_UPATH2(td, upath) do { \ + if (AUDITING_TD(curthread)) \ + audit_arg_upath2((td), (upath)); \ +} while (0) + +#define AUDIT_ARG_VALUE(value) do { \ + if (AUDITING_TD(curthread)) \ + audit_arg_value((value)); \ +} while (0) + +#define AUDIT_ARG_VNODE1(vp) do { \ + if (AUDITING_TD(curthread)) \ + audit_arg_vnode1((vp)); \ } while (0) +#define AUDIT_ARG_VNODE2(vp) do { \ + if (AUDITING_TD(curthread)) \ + audit_arg_vnode2((vp)); \ +} while (0) #define AUDIT_SYSCALL_ENTER(code, td) do { \ if (audit_enabled) { \ @@ -217,17 +321,44 @@ #else /* !AUDIT */ -#define AUDIT_ARG(op, args...) do { \ -} while (0) +#define AUDIT_ARG_ADDR(addr) +#define AUDIT_ARG_ARGV(argv, argc, length) +#define AUDIT_ARG_ATFD1(atfd) +#define AUDIT_ARG_ATFD2(atfd) +#define AUDIT_ARG_AUDITON(udata) +#define AUDIT_ARG_CMD(cmd) +#define AUDIT_ARG_DEV(dev) +#define AUDIT_ARG_EGID(egid) +#define AUDIT_ARG_ENVV(envv, envc, length) +#define AUDIT_ARG_EXIT(status, retval) +#define AUDIT_ARG_EUID(euid) +#define AUDIT_ARG_FD(fd) +#define AUDIT_ARG_FILE(p, fp) +#define AUDIT_ARG_FFLAGS(fflags) +#define AUDIT_ARG_GID(gid) +#define AUDIT_ARG_GROUPSET(gidset, gidset_size) +#define AUDIT_ARG_MODE(mode) +#define AUDIT_ARG_OWNER(uid, gid) +#define AUDIT_ARG_PID(pid) +#define AUDIT_ARG_PROCESS(p) +#define AUDIT_ARG_RGID(rgid) +#define AUDIT_ARG_RUID(ruid) +#define AUDIT_ARG_SIGNUM(signum) +#define AUDIT_ARG_SGID(sgid) +#define AUDIT_ARG_SOCKET(sodomain, sotype, soprotocol) +#define AUDIT_ARG_SUID(suid) +#define AUDIT_ARG_TEXT(text) +#define AUDIT_ARG_UID(uid) +#define AUDIT_ARG_UPATH1(td, upath) +#define AUDIT_ARG_UPATH2(td, upath) +#define AUDIT_ARG_VALUE(value) +#define AUDIT_ARG_VNODE1(vp) +#define AUDIT_ARG_VNODE2(vp) -#define AUDIT_SYSCALL_ENTER(code, td) do { \ -} while (0) +#define AUDIT_SYSCALL_ENTER(code, td) +#define AUDIT_SYSCALL_EXIT(error, td) -#define AUDIT_SYSCALL_EXIT(error, td) do { \ -} while (0) - -#define AUDIT_SYSCLOSE(p, fd) do { \ -} while (0) +#define AUDIT_SYSCLOSE(p, fd) #endif /* AUDIT */ ==== //depot/projects/soc2009/marinosi_appaudit/src/sys/security/audit/audit_private.h#7 (text) ==== @@ -26,7 +26,7 @@ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE * POSSIBILITY OF SUCH DAMAGE. * - * $FreeBSD: src/sys/security/audit/audit_private.h,v 1.27 2009/04/19 14:53:17 rwatson Exp $ + * $FreeBSD: src/sys/security/audit/audit_private.h,v 1.31 2009/07/29 07:44:43 rwatson Exp $ */ /* @@ -50,6 +50,7 @@ MALLOC_DECLARE(M_AUDITDATA); MALLOC_DECLARE(M_AUDITPATH); MALLOC_DECLARE(M_AUDITTEXT); +MALLOC_DECLARE(M_AUDITGIDSET); MALLOC_DECLARE(M_AUDITSLICE); #endif @@ -105,8 +106,8 @@ }; struct groupset { - gid_t gidset[NGROUPS]; - u_int gidset_size; + gid_t *gidset; + u_int gidset_size; }; struct socket_au_info { @@ -242,6 +243,8 @@ gid_t ar_arg_gid; struct groupset ar_arg_groups; int ar_arg_fd; + int ar_arg_atfd1; + int ar_arg_atfd2; int ar_arg_fflags; mode_t ar_arg_mode; int ar_arg_dev; @@ -281,10 +284,68 @@ * indicate if they are present so they can be included in the audit log * stream only if defined. */ +#define ARG_EUID 0x0000000000000001ULL +#define ARG_RUID 0x0000000000000002ULL +#define ARG_SUID 0x0000000000000004ULL +#define ARG_EGID 0x0000000000000008ULL +#define ARG_RGID 0x0000000000000010ULL +#define ARG_SGID 0x0000000000000020ULL +#define ARG_PID 0x0000000000000040ULL +#define ARG_UID 0x0000000000000080ULL +#define ARG_AUID 0x0000000000000100ULL +#define ARG_GID 0x0000000000000200ULL +#define ARG_FD 0x0000000000000400ULL +#define ARG_POSIX_IPC_PERM 0x0000000000000800ULL +#define ARG_FFLAGS 0x0000000000001000ULL +#define ARG_MODE 0x0000000000002000ULL +#define ARG_DEV 0x0000000000004000ULL +#define ARG_ADDR 0x0000000000008000ULL +#define ARG_LEN 0x0000000000010000ULL +#define ARG_MASK 0x0000000000020000ULL +#define ARG_SIGNUM 0x0000000000040000ULL +#define ARG_LOGIN 0x0000000000080000ULL +#define ARG_SADDRINET 0x0000000000100000ULL +#define ARG_SADDRINET6 0x0000000000200000ULL +#define ARG_SADDRUNIX 0x0000000000400000ULL +#define ARG_TERMID_ADDR 0x0000000000400000ULL +#define ARG_UNUSED2 0x0000000001000000ULL +#define ARG_UPATH1 0x0000000002000000ULL +#define ARG_UPATH2 0x0000000004000000ULL +#define ARG_TEXT 0x0000000008000000ULL +#define ARG_VNODE1 0x0000000010000000ULL +#define ARG_VNODE2 0x0000000020000000ULL +#define ARG_SVIPC_CMD 0x0000000040000000ULL +#define ARG_SVIPC_PERM 0x0000000080000000ULL +#define ARG_SVIPC_ID 0x0000000100000000ULL +#define ARG_SVIPC_ADDR 0x0000000200000000ULL +#define ARG_GROUPSET 0x0000000400000000ULL +#define ARG_CMD 0x0000000800000000ULL +#define ARG_SOCKINFO 0x0000001000000000ULL +#define ARG_ASID 0x0000002000000000ULL +#define ARG_TERMID 0x0000004000000000ULL +#define ARG_AUDITON 0x0000008000000000ULL +#define ARG_VALUE 0x0000010000000000ULL +#define ARG_AMASK 0x0000020000000000ULL +#define ARG_CTLNAME 0x0000040000000000ULL +#define ARG_PROCESS 0x0000080000000000ULL +#define ARG_MACHPORT1 0x0000100000000000ULL +#define ARG_MACHPORT2 0x0000200000000000ULL +#define ARG_EXIT 0x0000400000000000ULL +#define ARG_IOVECSTR 0x0000800000000000ULL +#define ARG_ARGV 0x0001000000000000ULL +#define ARG_ENVV 0x0002000000000000ULL +#define ARG_ATFD1 0x0004000000000000ULL +#define ARG_ATFD2 0x0008000000000000ULL +#define ARG_NONE 0x0000000000000000ULL +#define ARG_ALL 0xFFFFFFFFFFFFFFFFULL + #define ARG_IS_VALID(kar, arg) ((kar)->k_ar.ar_valid_arg & (arg)) #define ARG_SET_VALID(kar, arg) do { \ (kar)->k_ar.ar_valid_arg |= (arg); \ } while (0) +#define ARG_CLEAR_VALID(kar, arg) do { \ + (kar)->k_ar.ar_valid_arg &= ~(arg); \ +} while (0) /* * In-kernel version of audit record; the basic record plus queue meta-data. @@ -358,6 +419,7 @@ au_class_t au_event_class(au_event_t event); au_event_t audit_ctlname_to_sysctlevent(int name[], uint64_t valid_arg); au_event_t audit_flags_and_error_to_openevent(int oflags, int error); +au_event_t audit_flags_and_error_to_openatevent(int oflags, int error); au_event_t audit_msgctl_to_event(int cmd); au_event_t audit_semctl_to_event(int cmr); void audit_canon_path(struct thread *td, char *path, char *cpath); ==== //depot/projects/soc2009/marinosi_appaudit/src/sys/security/audit/audit_worker.c#8 (text) ==== @@ -29,7 +29,7 @@ */ #include <sys/cdefs.h> -__FBSDID("$FreeBSD: src/sys/security/audit/audit_worker.c,v 1.31 2008/11/10 22:06:24 rwatson Exp $"); +__FBSDID("$FreeBSD: src/sys/security/audit/audit_worker.c,v 1.32 2009/05/11 15:33:26 attilio Exp $"); #include <sys/param.h> #include <sys/condvar.h> @@ -121,7 +121,7 @@ * that we know how we're doing on space. Consider failure of these * operations to indicate a future inability to write to the file. */ - error = VFS_STATFS(as->audit_vp->v_mount, mnt_stat, curthread); + error = VFS_STATFS(as->audit_vp->v_mount, mnt_stat); if (error) goto fail; vn_lock(as->audit_vp, LK_EXCLUSIVE | LK_RETRY);
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200908111646.n7BGkqHi042892>