Date:      Sun, 11 Jul 2010 16:53:26 GMT
From:      Efstratios Karatzas <gpf@FreeBSD.org>
To:        Perforce Change Reviews <perforce@FreeBSD.org>
Subject:   PERFORCE change 180768 for review
Message-ID:  <201007111653.o6BGrQXY074308@repoman.freebsd.org>

http://p4web.freebsd.org/@@180768?ac=10

Change 180768 by gpf@gpf_desktop on 2010/07/11 16:53:25

	- Audit the clientid for those NFSv4 RPCs that actually carry one. 
	Combined with the information gathered during the SETCLIENTID RPC, a 
	sysadmin using Audit will be able to attribute each operation to the 
	client that issued it. To this end, the principal name used by 
	Kerberos at the SETCLIENTID RPC also needs to be audited -> todo.

Affected files ...

.. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/fs/nfsserver/nfs_nfsdserv.c#13 edit
.. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/fs/nfsserver/nfs_nfsdsocket.c#14 edit
.. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit.h#9 edit
.. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit_arg.c#5 edit
.. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit_bsm.c#17 edit
.. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit_private.h#7 edit

Differences ...

==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/fs/nfsserver/nfs_nfsdserv.c#13 (text+ko) ====

@@ -613,6 +613,7 @@
 			nd->nd_flag |= ND_IMPLIEDCLID;
 			nd->nd_clientid.qval = clientid.qval;
 		}
+		AUDIT_ARG_CLIENTID(clientid.qval);
 		stp->ls_stateid.other[2] = *tl++;
 		off = fxdr_hyper(tl);
 		lop->lo_first = off;
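Review bot: The new `AUDIT_ARG_CLIENTID(clientid.qval);` is placed after the ND_IMPLIEDCLID bookkeeping, so if the other branch of that check (outside the hunk) rejects a mismatching clientid with `goto nfsmout`, the rejected request's clientid never reaches the audit record, even though a stale or forged clientid is exactly the case an auditor wants attributed. Consider moving the call to just before the ND_IMPLIEDCLID check so both the accepted and the rejected path record the value the client asserted; the same layout is repeated in the other nfs_nfsdserv.c hunks of this change. The value recorded here is the client's claim as decoded from the wire, not yet checked against the client list, which is appropriate for audit but deserves a comment such as `/* Record the clientid as asserted by the client; it is validated later. */`. The enclosing function begins before this hunk.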
@@ -763,6 +764,7 @@
 			nd->nd_flag |= ND_IMPLIEDCLID;
 			nd->nd_clientid.qval = clientid.qval;
 		}
+		AUDIT_ARG_CLIENTID(clientid.qval);
 		stp->ls_stateid.other[2] = *tl++;
 		off = fxdr_hyper(tl);
 		lop->lo_first = off;
@@ -2149,6 +2151,7 @@
 			nd->nd_flag |= ND_IMPLIEDCLID;
 			nd->nd_clientid.qval = clientid.qval;
 		}
+		AUDIT_ARG_CLIENTID(clientid.qval);
 		error = nfsrv_mtostr(nd, stp->ls_owner, stp->ls_ownerlen);
 		if (error)
 			goto nfsmout;
@@ -2321,6 +2324,7 @@
 		nd->nd_flag |= ND_IMPLIEDCLID;
 		nd->nd_clientid.qval = clientid.qval;
 	}
+	AUDIT_ARG_CLIENTID(clientid.qval);
 	error = nfsrv_mtostr(nd, stp->ls_owner, stp->ls_ownerlen);
 	if (error)
 		goto nfsmout;
@@ -2432,6 +2436,7 @@
 		nd->nd_flag |= ND_IMPLIEDCLID;
 		nd->nd_clientid.qval = clientid.qval;
 	}
+	AUDIT_ARG_CLIENTID(clientid.qval);
 	if (!nd->nd_repstat && vnode_vtype(vp) != VREG) {
 	    if (vnode_vtype(vp) == VDIR)
 		nd->nd_repstat = NFSERR_ISDIR;
@@ -2550,6 +2555,7 @@
 		nd->nd_flag |= ND_IMPLIEDCLID;
 		nd->nd_clientid.qval = clientid.qval;
 	}
+	AUDIT_ARG_CLIENTID(clientid.qval);
 	error = nfsrv_mtostr(nd, stp->ls_owner, stp->ls_ownerlen);
 	if (error) {
 		vrele(dp);
@@ -2901,6 +2907,7 @@
 		nd->nd_flag |= ND_IMPLIEDCLID;
 		nd->nd_clientid.qval = clientid.qval;
 	}
+	AUDIT_ARG_CLIENTID(clientid.qval);
 	nd->nd_repstat = nfsrv_openupdate(vp, stp, clientid, &stateid, nd, p);
 	vput(vp);
 	if (!nd->nd_repstat) {
@@ -2940,6 +2947,7 @@
 		nd->nd_flag |= ND_IMPLIEDCLID;
 		nd->nd_clientid.qval = clientid.qval;
 	}
+	AUDIT_ARG_CLIENTID(clientid.qval);
 	nd->nd_repstat = nfsrv_delegupdate(clientid, NULL, NULL,
 	    NFSV4OP_DELEGPURGE, nd->nd_cred, p);
 nfsmout:
@@ -2972,6 +2980,7 @@
 		nd->nd_flag |= ND_IMPLIEDCLID;
 		nd->nd_clientid.qval = clientid.qval;
 	}
+	AUDIT_ARG_CLIENTID(clientid.qval);
 	nd->nd_repstat = nfsrv_delegupdate(clientid, &stateid, vp,
 	    NFSV4OP_DELEGRETURN, nd->nd_cred, p);
 nfsmout:
@@ -3029,6 +3038,7 @@
 		nd->nd_flag |= ND_IMPLIEDCLID;
 		nd->nd_clientid.qval = clientid.qval;
 	}
+	AUDIT_ARG_CLIENTID(clientid.qval);
 	nd->nd_repstat = nfsrv_openupdate(vp, stp, clientid, &stateid, nd, p);
 	if (!nd->nd_repstat) {
 		NFSM_BUILD(tl, u_int32_t *, NFSX_STATEID);
@@ -3106,6 +3116,7 @@
 		nd->nd_flag |= ND_IMPLIEDCLID;
 		nd->nd_clientid.qval = clientid.qval;
 	}
+	AUDIT_ARG_CLIENTID(clientid.qval);
 	if (!nd->nd_repstat)
 		nd->nd_repstat = nfsrv_openupdate(vp, stp, clientid, &stateid,
 		    nd, p);
@@ -3145,6 +3156,7 @@
 		nd->nd_flag |= ND_IMPLIEDCLID;
 		nd->nd_clientid.qval = clientid.qval;
 	}
+	AUDIT_ARG_CLIENTID(clientid.qval);
 	nd->nd_repstat = nfsrv_getclient(clientid, (CLOPS_RENEWOP|CLOPS_RENEW),
 	    NULL, (nfsquad_t)((u_quad_t)0), nd, p);
 nfsmout:
@@ -3331,6 +3343,7 @@
 	 * so it should be free'd.
 	 */
 	nd->nd_repstat = nfsrv_setclient(nd, &clp, &clientid, &confirm, p);
+	AUDIT_ARG_CLIENTID(clientid.qval);
 	if (nd->nd_repstat == NFSERR_CLIDINUSE) {
 		if (clp->lc_flags & LCL_TCPCALLBACK)
 			(void) nfsm_strtom(nd, "tcp", 3);
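Review bot: `clientid` is a local that nfsrv_setclient() fills in, and the hunk audits it unconditionally right after the call, including when `nd->nd_repstat` is non-zero (the NFSERR_CLIDINUSE path is handled on the very next line); unless nfsrv_setclient() also assigns `*clientidp` on every failure path, which is not visible here, the record then presents an uninitialized stack value as a client id. Either guard it, `if (nd->nd_repstat == 0) AUDIT_ARG_CLIENTID(clientid.qval);`, or initialize `clientid.qval = 0;` before the call so a failed SETCLIENTID is recorded with a well-defined value. The declaration of `clientid` and the start of the function are outside the hunk.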
@@ -3388,7 +3401,7 @@
 	clientid.lval[1] = *tl++;
 	confirm.lval[0] = *tl++;
 	confirm.lval[1] = *tl;
-
+	AUDIT_ARG_CLIENTID(clientid.qval);
 	/*
 	 * nfsrv_getclient() searches the client list for a match and
 	 * returns the appropriate NFSERR status.
@@ -3494,6 +3507,7 @@
 		nd->nd_flag |= ND_IMPLIEDCLID;
 		nd->nd_clientid.qval = clientid.qval;
 	}
+	AUDIT_ARG_CLIENTID(clientid.qval);
 	error = nfsrv_mtostr(nd, stp->ls_owner, len);
 	if (error)
 		goto nfsmout;

==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/fs/nfsserver/nfs_nfsdsocket.c#14 (text+ko) ====

@@ -431,12 +431,9 @@
 	 * The procedures are in three groups with different arguments.
 	 * The group is indicated by the value in nfs_retfh[].
 	 */
-	if (nd->nd_flag & ND_NFSV4) {
-		printf("compound rpc enter\n");
+	if (nd->nd_flag & ND_NFSV4)
 		nfsrvd_compound(nd, isdgram, p);
-		printf("compound rpc exit\n");
-	} else {
-		printf("non compound rpc %d\n", nd->nd_procnum);
+	else {
 		nfsprot = nd->nd_flag & (ND_NFSV2 | ND_NFSV3);
 		AUDIT_NFS_ENTER(nd->nd_procnum, nd->nd_cred, curthread, nfsprot);
 		if (nd->nd_nam != NULL)
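Review bot: The rewritten conditional braces the `else` branch but leaves the `if` branch bare (`if (nd->nd_flag & ND_NFSV4)` followed by a lone `nfsrvd_compound(nd, isdgram, p);`), which style(9) discourages once one arm needs braces; write `if (nd->nd_flag & ND_NFSV4) {` ... `} else {` so both arms are braced. Dropping the three debug printf() calls is welcome, since they would have fired on every RPC. The v4 compound path receives no AUDIT_NFS_ENTER here, so presumably nfsrvd_compound() does its own per-operation audit setup; a one-line comment, `/* NFSv4 compounds are audited per operation inside nfsrvd_compound(). */`, would spare the next reader the search. The enclosing function starts before this hunk.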
@@ -1073,7 +1070,6 @@
 nfsmout:
 	/* XXXgpf: when error occurs, we may jump here */
 	AUDIT_NFS_EXIT(nd->nd_repstat, curthread);
-	KASSERT(curthread->td_ar == NULL, ("gamw sto nfsmout: td->td_ar != NULL"));
 	if (error) {
 		if (error == EBADRPC || error == NFSERR_BADXDR)
 			nd->nd_repstat = NFSERR_BADXDR;

==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit.h#9 (text) ====

@@ -130,6 +130,7 @@
 void	 audit_thread_free(struct thread *td);
 void	 audit_arg_protocol(int protocol);
 void	 audit_arg_vtype(int vtype);
+void	 audit_arg_clientid(uint64_t clientid);
 
 /*
  * Define macros to wrap the audit_arg_* calls by checking the global
@@ -162,6 +163,11 @@
 		audit_arg_auditon((udata));				\
 } while (0)
 
+#define AUDIT_ARG_CLIENTID(clientid) do {				\
+	if (AUDITING_TD(curthread))					\
+		audit_arg_clientid((clientid));				\
+} while (0)
+
 #define	AUDIT_ARG_CMD(cmd) do {						\
 	if (AUDITING_TD(curthread))					\
 		audit_arg_cmd((cmd));					\
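Review bot: The new `#define AUDIT_ARG_CLIENTID(clientid) do {` uses a space after `#define`, whereas the neighbouring macros (`AUDIT_ARG_AUDITON`, `AUDIT_ARG_CMD`) use a tab as style(9) expects; the same applies to the no-AUDIT stub for AUDIT_ARG_CLIENTID added further down in this header. Otherwise the macro follows the established pattern of testing AUDITING_TD(curthread) before calling audit_arg_clientid(), which keeps the cost to a flag check when auditing is disabled.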
@@ -359,6 +365,7 @@
 #define	AUDIT_ARG_ATFD1(atfd)
 #define	AUDIT_ARG_ATFD2(atfd)
 #define	AUDIT_ARG_AUDITON(udata)
+#define AUDIT_ARG_CLIENTID(clientid)
 #define	AUDIT_ARG_CMD(cmd)
 #define	AUDIT_ARG_DEV(dev)
 #define	AUDIT_ARG_EGID(egid)

==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit_arg.c#5 (text) ====

@@ -947,3 +947,19 @@
 	ar->k_ar.ar_arg_vtype = vtype;
 	ARG_SET_VALID(ar, ARG_VTYPE);
 }
+
+/*
+ *  Audit the vnode type of the file created by some NFS RPC
+ */
+void
+audit_arg_clientid(uint64_t clientid)
+{
+	struct kaudit_record *ar;
+
+	ar = currecord();
+	if (ar == NULL)
+		return;
+
+	ar->k_ar.ar_arg_clientid = clientid;
+	ARG_SET_VALID(ar, ARG_CLIENTID);
+}
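Review bot: The header comment on the new audit_arg_clientid() was carried over from audit_arg_vtype() and talks about the vnode type of a created file, which is wrong for a function that stores an NFSv4 client id; replace it with `/* Record the NFSv4 clientid carried by an NFS RPC in the current audit record. */`. The comment also uses two spaces after the `*`, unlike the single space used by the other comments in this file. The body itself matches its sibling audit_arg_*() functions: it returns when there is no current record and otherwise stores the value and marks ARG_CLIENTID valid.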

==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit_bsm.c#17 (text) ====

@@ -1603,6 +1603,7 @@
 	case AUE_NFS_RMDIR:
 	case AUE_NFS_GETATTR:
 	case AUE_NFS_LOOKUP:
+	case AUE_NFS_LOOKUPP:
 	case AUE_NFS_COMMIT:
 	case AUE_NFS_PATHCONF:
 	case AUE_NFS_STATFS:
@@ -1621,6 +1622,10 @@
 
 	case AUE_NFS_READ:
 	case AUE_NFS_WRITE:
+		if (ARG_IS_VALID(kar, ARG_CLIENTID)) {
+			tok = au_to_arg64(2, "client id", ar->ar_arg_clientid);
+			kau_write(rec, tok);
+		}
 	case AUE_NFS_ACCESS:
 		if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
 			tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
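Review bot: The clientid token added under `case AUE_NFS_READ:`/`case AUE_NFS_WRITE:` is tagged with argument number 2, and the `case AUE_NFS_ACCESS:` block it falls into emits the flags token with the same number (`au_to_arg32(2, "flags", ...)`), so a READ or WRITE record now carries two arg tokens numbered 2 with different meanings, which misleads consumers that key on the argument number. Give the clientid a slot the NFS records do not already use, e.g. `tok = au_to_arg64(3, "client id", ar->ar_arg_clientid);`, and use the same number in the other cases of this change for consistency. Also, now that the READ/WRITE case has a body of its own, the drop into AUE_NFS_ACCESS is no longer a bare label list and needs an explicit `/* FALLTHROUGH */` comment per style(9).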
@@ -1639,6 +1644,7 @@
 
 	case AUE_NFS_NOOP:
 	case AUE_NFS_NULL:
+	case AUE_NFS_OPENATTR:
 		if (ARG_IS_VALID(kar, ARG_TEXT)) {
 			tok = au_to_text(ar->ar_arg_text);
 			kau_write(rec, tok);
@@ -1700,29 +1706,33 @@
 		}
 	
 		/* FALLTHROUGH */
-	case AUE_NFS_PUTFH:
-	case AUE_NFS_PUTPUBFH:
-	case AUE_NFS_PUTROOTFH:
-	case AUE_NFS_RESTOREFH:
-	case AUE_NFS_SAVEFH:
-	case AUE_NFS_LOOKUPP:
 	case AUE_NFS_CLOSE:
 	case AUE_NFS_DELEGRETURN:
-	case AUE_NFSv4_GETFH:
 	case AUE_NFS_LOCK:
 	case AUE_NFS_LOCKT:
 	case AUE_NFS_LOCKU:
-	case AUE_NFS_NVERIFY:
 	case AUE_NFS_OPEN:
 	case AUE_NFS_OPEN_R:
 	case AUE_NFS_OPEN_RT:
 	case AUE_NFS_OPEN_RW:	
 	case AUE_NFS_OPEN_RWT:
 	case AUE_NFS_OPEN_W:	
-	case AUE_NFS_OPEN_WT:
-	case AUE_NFS_OPENATTR:
+	case AUE_NFS_OPEN_WT:	
 	case AUE_NFS_OPENCONFIRM:
-	case AUE_NFS_OPENDOWNGRADE:
+	case AUE_NFS_OPENDOWNGRADE:	
+		if (ARG_IS_VALID(kar, ARG_CLIENTID)) {
+			tok = au_to_arg64(2, "client id", ar->ar_arg_clientid);
+			kau_write(rec, tok);
+		}
+		
+		/* FALLTHROUGH */
+	case AUE_NFS_PUTFH:
+	case AUE_NFS_PUTPUBFH:
+	case AUE_NFS_PUTROOTFH:
+	case AUE_NFS_RESTOREFH:	
+	case AUE_NFS_SAVEFH:
+	case AUE_NFSv4_GETFH:
+	case AUE_NFS_NVERIFY:
 	case AUE_NFS_VERIFY:
 	case AUE_NFS_SECINFO:
 		UPATH1_VNODE1_TOKENS;
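Review bot: Several of the re-added case labels carry trailing tabs (`case AUE_NFS_OPEN_WT:`, `case AUE_NFS_OPENDOWNGRADE:`, `case AUE_NFS_RESTOREFH:`) and the blank line before the new `/* FALLTHROUGH */` is whitespace-only; strip the trailing whitespace so these lines match their neighbours. The regrouping means the stateful ops (CLOSE, DELEGRETURN, LOCK/LOCKT/LOCKU, the OPEN variants, OPENCONFIRM, OPENDOWNGRADE) now emit the clientid token before falling into the path/vnode tokens, while PUTFH/SAVEFH/RESTOREFH/GETFH/NVERIFY/VERIFY/SECINFO get none, which matches where AUDIT_ARG_CLIENTID is set in nfs_nfsdserv.c. A short comment above the first group, `/* Stateful NFSv4 ops: record the clientid before the path/vnode tokens. */`, would document why the two groups were split. The switch continues outside the hunk.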
@@ -1742,6 +1752,10 @@
 	case AUE_NFS_SETCLIENTID:
 	case AUE_NFS_SETCLIENTIDCFRM:
 	case AUE_NFS_RELEASELCKOWN:
+		if (ARG_IS_VALID(kar, ARG_CLIENTID)) {
+			tok = au_to_arg64(2, "client id", ar->ar_arg_clientid);
+			kau_write(rec, tok);
+		}
 		if (ARG_IS_VALID(kar, ARG_TEXT)) {
 			tok = au_to_text(ar->ar_arg_text);
 			kau_write(rec, tok);
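Review bot: nfs_nfsdserv.c now sets ARG_CLIENTID for DELEGPURGE and RENEW as well (the `nfsrv_delegupdate(..., NFSV4OP_DELEGPURGE, ...)` and `nfsrv_getclient(clientid, (CLOPS_RENEWOP|CLOPS_RENEW), ...)` hunks), but no case visible in this file emits a clientid token for those events; unless their AUE_NFS_* cases sit in an unchanged part of the switch, the argument is set and then silently dropped from the record. If they are handled elsewhere they need the same `if (ARG_IS_VALID(kar, ARG_CLIENTID))` block as this group; if they are meant to fall into the SETCLIENTID/SETCLIENTIDCFRM/RELEASELCKOWN labels from above, a `/* FALLTHROUGH */` above `case AUE_NFS_SETCLIENTID:` would make that explicit (the lines preceding these labels are outside the hunk). For a SETCLIENTID that fails, this token will hold whatever the server side stored, so the two sides of the change should agree on what a failed call records.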

==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit_private.h#7 (text) ====

@@ -231,6 +231,7 @@
 	struct sockaddr_storage ar_arg_sockaddr;
 	int			ar_arg_protocol;
 	int			ar_arg_vtype;
+	uint64_t		ar_arg_clientid;
 };
 
 /*
@@ -292,6 +293,7 @@
 #define	ARG_ATFD2		0x0008000000000000ULL
 #define	ARG_VTYPE		0x0010000000000000ULL
 #define	ARG_PROTOCOL		0x0020000000000000ULL
+#define ARG_CLIENTID		0x0040000000000000ULL
 #define	ARG_NONE		0x0000000000000000ULL
 #define	ARG_ALL			0xFFFFFFFFFFFFFFFFULL
 


