Date: Mon, 28 Jun 2010 18:14:15 GMT From: Efstratios Karatzas <gpf@FreeBSD.org> To: Perforce Change Reviews <perforce@FreeBSD.org> Subject: PERFORCE change 180298 for review Message-ID: <201006281814.o5SIEFO1061452@repoman.freebsd.org>
http://p4web.freebsd.org/@@180298?ac=10 Change 180298 by gpf@gpf_desktop on 2010/06/28 18:13:20 - added new audit events for nfsv4 specific operations. - while I'm here, changed the classes that some nfs specific events are mapped to. Still not 100% sure about the mapping of events to classes but this is something that can wait. - altered the audit_nfs_enter() interface() so that we can support nfsv4. Now, it may also be possible to keep track of the nfs protocol of the rpc that we are auditing. Not sure if this can be done for the current nfs server but certainly for the new experimental server. - a few trivial changes such as renaming events Affected files ... .. //depot/projects/soc2010/gpf_audit/freebsd/src/contrib/openbsm/etc/audit_event#3 edit .. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/bsm/audit_kevents.h#4 edit .. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/fs/nfsserver/nfs_nfsdkrpc.c#3 edit .. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/fs/nfsserver/nfs_nfsdsocket.c#8 edit .. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/nfsserver/nfs_srvkrpc.c#6 edit .. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit.c#7 edit .. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit.h#6 edit .. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit_bsm.c#10 edit .. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit_private.h#3 edit Differences ... ==== //depot/projects/soc2010/gpf_audit/freebsd/src/contrib/openbsm/etc/audit_event#3 (text) ==== 
@@ -362,30 +362,57 @@ # # NFS-specific kernel events # -2000:AUE_NFS_NULL:nfsrv_null():no +2000:AUE_NFS_NULL:nfsrv_null():ot 2001:AUE_NFS_GETATTR:nfsrv_getattr():fa 2002:AUE_NFS_SETATTR:nfsrv_setattr():fm -2003:AUE_NFS_LOOKUP:nfsrv_lookup():ot -2004:AUE_NFS_ACCESS:nfsrv3_access():fa +2003:AUE_NFS_LOOKUP:nfsrv_lookup():fa,ad +2004:AUE_NFS_ACCESS:nfsrv_access():fa 2005:AUE_NFS_READLINK:nfsrv_readlink():fr 2006:AUE_NFS_READ:nfsrv_read():fr 2007:AUE_NFS_WRITE:nfsrv_write():fw -2008:AUE_NFS_CREATE:nfsrv_create():fc -2009:AUE_NFS_MKDIR:nfsrv_mkdir():fc -2010:AUE_NFS_SYMLINK:nfsrv_symlink():fc -2011:AUE_NFS_MKNODE:nfsrv_mknod():fc +2008:AUE_NFS_CREATE:nfsrv_create():fc,ad +2009:AUE_NFS_MKDIR:nfsrv_mkdir():fc,ad +2010:AUE_NFS_SYMLINK:nfsrv_symlink():fc,ad +2011:AUE_NFS_MKNOD:nfsrv_mknod():fc,ad 2012:AUE_NFS_REMOVE:nfsrv_remove():fd 2013:AUE_NFS_RMDIR:nfsrv_rmdir():fd 2014:AUE_NFS_RENAME:nfsrv_rename():fc,fd 2015:AUE_NFS_LINK:nfsrv_link():fc 2016:AUE_NFS_READDIR:nfsrv_readdir():fr -2017:AUE_NFS_READDIR_PLUS:nfsrv_readdirplus():fr +2017:AUE_NFS_READDIR_PLUS:nfsrv_readdirplus():fr,ad 2018:AUE_NFS_STATFS:nfsrv_statfs():fa 2019:AUE_NFS_FSINFO:nfsrv_fsinfo():ot -2020:AUE_NFS_PATHCONF:nfsrv_pathconf():ot -2021:AUE_NFS_COMMIT:nfsrv_commit():ot +2020:AUE_NFS_PATHCONF:nfsrv_pathconf():fa +2021:AUE_NFS_COMMIT:nfsrv_commit():fw 2022:AUE_NFS_NOOP:nfsrv_noop():no # +# NFSv4 specific RPC events +# +2023:AUE_NFS_CLOSE:nfsrv_close():cl +2024:AUE_NFS_DELEGPURGE:nfsrv_delegpurge():ad +2025:AUE_NFS_DELEGRETURN:nfsrv_delegreturn():ad +2026:AUE_NFSv4_GETFH:nfsrv_getfh():ad +2027:AUE_NFS_LOCK:nfsrv_lock():fm +2028:AUE_NFS_LOCKT:nfsrv_lockt():fm +2029:AUE_NFS_LOCKU:nfsrv_locku():fm +2030:AUE_NFS_LOOKUPP:nfsrv_lockupp():fa,ad +2031:AUE_NFS_NVERIFY:nfsrv_nverify():fa +2032:AUE_NFS_OPEN:nfsrv_open():fa +2033:AUE_NFS_OPENATTR:nfsrv_openattr():fa +2034:AUE_NFS_OPENCONFIRM:nfsrv_openconfirm():fa +2035:AUE_NFS_OPENDOWNGRADE:nfsrv_opendowngrade():fm +2036:AUE_NFS_PUTFH:nfsrv_putfh():ad 
+2037:AUE_NFS_PUTPUBFH:nfsrv_putpubfh():ad +2038:AUE_NFS_PUTROOTFH:nfsrv_rootfh():ad +2039:AUE_NFS_RENEW:nfsrv_renew():ad +2040:AUE_NFS_RESTOREFH:nfsrv_restorefh():ad +2041:AUE_NFS_SAVEFH:nfsrv_savefh():ad +2042:AUE_NFS_SECINFO:nfsrv_secinfo():ot +2043:AUE_NFS_SETCLIENTID:nfsrv_setclientid():aa +2044:AUE_NFS_SETCLIENTIDCFRM:nfsrv_setclientidcfrm():aa +2045:AUE_NFS_VERIFY:nfsrv_verify():fa +2046:AUE_NFS_RELEASELCKOWN:nfsrv_releaselckown():ad +# # OpenBSM-specific kernel events. # 43001:AUE_GETFSSTAT:getfsstat(2):fa ==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/bsm/audit_kevents.h#4 (text) ==== @@ -398,7 +398,7 @@ #define AUE_NFS_CREATE 2008 #define AUE_NFS_MKDIR 2009 #define AUE_NFS_SYMLINK 2010 -#define AUE_NFS_MKNODE 2011 +#define AUE_NFS_MKNOD 2011 #define AUE_NFS_REMOVE 2012 #define AUE_NFS_RMDIR 2013 #define AUE_NFS_RENAME 2014 @@ -410,6 +410,31 @@ #define AUE_NFS_PATHCONF 2020 #define AUE_NFS_COMMIT 2021 #define AUE_NFS_NOOP 2022 +/* NFSv4 specific RPC events */ +#define AUE_NFS_CLOSE 2023 +#define AUE_NFS_DELEGPURGE 2024 +#define AUE_NFS_DELEGRETURN 2025 +#define AUE_NFSv4_GETFH 2026 +#define AUE_NFS_LOCK 2027 +#define AUE_NFS_LOCKT 2028 +#define AUE_NFS_LOCKU 2029 +#define AUE_NFS_LOOKUPP 2030 +#define AUE_NFS_NVERIFY 2031 +#define AUE_NFS_OPEN 2032 +#define AUE_NFS_OPENATTR 2033 +#define AUE_NFS_OPENCONFIRM 2034 +#define AUE_NFS_OPENDOWNGRADE 2035 +#define AUE_NFS_PUTFH 2036 +#define AUE_NFS_PUTPUBFH 2037 +#define AUE_NFS_PUTROOTFH 2038 +#define AUE_NFS_RENEW 2039 +#define AUE_NFS_RESTOREFH 2040 +#define AUE_NFS_SAVEFH 2041 +#define AUE_NFS_SECINFO 2042 +#define AUE_NFS_SETCLIENTID 2043 +#define AUE_NFS_SETCLIENTIDCFRM 2044 +#define AUE_NFS_VERIFY 2045 +#define AUE_NFS_RELEASELCKOWN 2046 /* * Audit event identifiers added as part of OpenBSM, generally corresponding ==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/fs/nfsserver/nfs_nfsdkrpc.c#3 (text+ko) ==== 
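Review bot: `2032:AUE_NFS_OPEN:nfsrv_open():fa` puts NFSv4 OPEN only in the file-attribute-access class, although OPEN is the operation that opens a file for reading or writing and can also create it. A site that preselects `fr`, `fw` or `fc` would therefore record nothing for it. Consider a wider class list such as `2032:AUE_NFS_OPEN:nfsrv_open():fr,fw,fc,fa`, or split the event by access mode the way the open(2) events are split. Two description fields in the same block also look mistyped: `nfsrv_lockupp()` on 2030 should presumably be `nfsrv_lookupp()`, and `nfsrv_rootfh()` on 2038 should presumably be `nfsrv_putrootfh()`.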
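Review bot: `AUE_NFSv4_GETFH` is the only new identifier with a lower-case letter and a version tag, so it reads as a typo next to `AUE_NFS_PUTFH` and `AUE_NFS_SAVEFH`. If the plain name is unavailable because `AUE_NFS_GETFH` is already defined elsewhere in this header (not visible in the hunk), say so in a comment such as `/* not AUE_NFS_GETFH: that name is already used for another event */`. Otherwise an all-caps spelling such as `AUE_NFS4_GETFH` would fit the rest of the list, with the same change made in audit_event and in the `nfsv4toevent[]` table.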
@@ -234,7 +234,7 @@ cacherep = nfs_proc(&nd, rqst->rq_xid, xprt->xp_socket, xprt->xp_sockref, &rp); } else { - AUDIT_NFS_ENTER(NFSPROC_NULL, nd.nd_cred, curthread); + AUDIT_NFS_ENTER(NFSPROC_NULL, nd.nd_cred, curthread, ND_NFSV3); AUDIT_NFS_EXIT(0, curthread); NFSMGET(nd.nd_mreq); nd.nd_mreq->m_len = 0; ==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/fs/nfsserver/nfs_nfsdsocket.c#8 (text+ko) ==== @@ -362,6 +362,7 @@ mount_t mp = NULL; struct nfsrvfh fh; struct nfsexstuff nes; + int nfsprot; /* * Get a locked vnode for the first file handle @@ -435,8 +436,11 @@ nfsrvd_compound(nd, isdgram, p); printf("compound rpc exit\n"); } else { - printf("non compound rpc %d\n", nd->nd_procnum); - AUDIT_NFS_ENTER(nd->nd_procnum, nd->nd_cred, curthread); + if (nd->nd_flag & ND_NFSV2) + nfsprot = ND_NFSV2; + else + nfsprot = ND_NFSV3; + AUDIT_NFS_ENTER(nd->nd_procnum, nd->nd_cred, curthread, nfsprot); if (nd->nd_nam != NULL) AUDIT_ARG_SOCKADDR_IN((struct sockaddr_in *)nd->nd_nam); if (nfs_retfh[nd->nd_procnum] == 1) { ==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/nfsserver/nfs_srvkrpc.c#6 (text+ko) ==== @@ -352,7 +352,7 @@ } nfsrvstats.srvrpccnt[nd.nd_procnum]++; - AUDIT_NFS_ENTER(procnum, nd.nd_cr, td); + AUDIT_NFS_ENTER(procnum, nd.nd_cr, td, ND_NFSV3); AUDIT_ARG_SOCKADDR_IN((struct sockaddr_in *)nd.nd_nam); error = proc(&nd, NULL, &mrep); AUDIT_NFS_EXIT(nd.nd_repstat, td); ==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit.c#7 (text) ==== @@ -596,7 +596,7 @@ * Convert an NFS RPC procedure number to an audit event */ int -audit_nfs_proc_to_event(unsigned int proc, au_event_t *event) +audit_nfs_proc_to_event(unsigned int proc, au_event_t *event, int nfsprot) { au_event_t nfsv3toevent[] = { AUE_NFS_NULL, @@ -610,7 +610,7 @@ AUE_NFS_CREATE, AUE_NFS_MKDIR, AUE_NFS_SYMLINK, - AUE_NFS_MKNODE, + AUE_NFS_MKNOD, AUE_NFS_REMOVE, AUE_NFS_RMDIR, AUE_NFS_RENAME, 
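Review bot: In the nfs_nfsdsocket.c hunk at -435, the compound branch just above the changed lines shows only `printf` tracing around `nfsrvd_compound()` and no AUDIT_NFS_ENTER/AUDIT_NFS_EXIT pair. Unless `nfsrvd_compound()` audits each operation itself, NFSv4 requests passing through here leave no audit record, even though this change introduces ND_NFSV4 and an NFSv4 event table. A comment would keep the gap visible until it is wired up, for example `/* XXX: compound (NFSv4) RPCs are not audited yet */`. In the new `else` arm every request that is not NFSv2 is labelled ND_NFSV3, which holds only while the condition guarding the compound branch catches all NFSv4 requests. That condition and the rest of the enclosing function lie outside the hunk.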
@@ -621,17 +621,73 @@ AUE_NFS_FSINFO, AUE_NFS_PATHCONF, AUE_NFS_COMMIT, - AUE_NFS_NOOP, + AUE_NFS_NOOP, + }; + au_event_t nfsv4toevent[] = { + AUE_NFS_NULL, + AUE_NFS_NOOP, + AUE_NFS_NOOP, + AUE_NFS_ACCESS, + AUE_NFS_CLOSE, + AUE_NFS_COMMIT, + AUE_NFS_CREATE, + AUE_NFS_DELEGPURGE, + AUE_NFS_DELEGRETURN, + AUE_NFS_GETATTR, + AUE_NFSv4_GETFH, + AUE_NFS_LINK, + AUE_NFS_LOCK, + AUE_NFS_LOCKT, + AUE_NFS_LOCKU, + AUE_NFS_LOOKUP, + AUE_NFS_LOOKUPP, + AUE_NFS_NVERIFY, + AUE_NFS_OPEN, + AUE_NFS_OPENATTR, + AUE_NFS_OPENCONFIRM, + AUE_NFS_OPENDOWNGRADE, + AUE_NFS_PUTFH, + AUE_NFS_PUTPUBFH, + AUE_NFS_PUTROOTFH, + AUE_NFS_READ, + AUE_NFS_READDIR, + AUE_NFS_READLINK, + AUE_NFS_REMOVE, + AUE_NFS_RENAME, + AUE_NFS_RENEW, + AUE_NFS_RESTOREFH, + AUE_NFS_SAVEFH, + AUE_NFS_SECINFO, + AUE_NFS_SETATTR, + AUE_NFS_SETCLIENTID, + AUE_NFS_SETCLIENTIDCFRM, + AUE_NFS_VERIFY, + AUE_NFS_WRITE, + AUE_NFS_RELEASELCKOWN, }; static int nfs_v3nprocs = sizeof(nfsv3toevent) / sizeof(au_event_t); - - if (proc < nfs_v3nprocs) { - *event = nfsv3toevent[proc]; - return 0; + static int nfs_v4nprocs = sizeof(nfsv4toevent) / sizeof(au_event_t); + int error = 0; + + switch (nfsprot) { + case ND_NFSV4: + if (proc < nfs_v4nprocs) + *event = nfsv4toevent[proc]; + else + error = EINVAL; + break; + /* FALLTHROUGH */ + default: + case ND_NFSV2: + case ND_NFSV3: + if (proc < nfs_v3nprocs) + *event = nfsv3toevent[proc]; + else + error = EINVAL; + break; } - else { - return EINVAL; - } + + return error; } /* @@ -642,7 +698,7 @@ * audit_new() will fill in basic thread/credential properties. */ void -audit_nfs_enter(unsigned int proc, struct ucred *user_cr, struct thread *td) +audit_nfs_enter(unsigned int proc, struct ucred *user_cr, struct thread *td, int nfsprot) { struct au_mask *aumask; au_class_t class; 
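Review bot: The `/* FALLTHROUGH */` after the `break` in `case ND_NFSV4:` describes control flow that cannot happen. Placing `default:` ahead of `case ND_NFSV2:` also means every `nfsprot` value other than ND_NFSV4 is silently looked up in the NFSv3 table, and the switch should state that on purpose. `nfsv4toevent[]`, like `nfsv3toevent[]`, is an automatic array, so it is rebuilt on the kernel stack for every audited RPC, and the `static int` counts are compared against an `unsigned int proc`. Declaring both tables `static const` and doing a single unsigned bounds check after selecting the table keeps the mapping identical while removing those hazards. The function's opening lines sit in the earlier hunk, so only the changed part is shown below.

```c
	static const au_event_t nfsv3toevent[] = {
		/* … unchanged: NFSv3 procedure entries … */
	};
	static const au_event_t nfsv4toevent[] = {
		/* … unchanged: NFSv4 operation entries … */
	};
	const au_event_t *table;
	unsigned int nprocs;

	switch (nfsprot) {
	case ND_NFSV4:
		table = nfsv4toevent;
		nprocs = sizeof(nfsv4toevent) / sizeof(nfsv4toevent[0]);
		break;
	case ND_NFSV2:
	case ND_NFSV3:
	default:
		/* Every value other than ND_NFSV4 is looked up in the NFSv3 table. */
		table = nfsv3toevent;
		nprocs = sizeof(nfsv3toevent) / sizeof(nfsv3toevent[0]);
		break;
	}
	if (proc >= nprocs)
		return (EINVAL);
	*event = table[proc];
	return (0);
```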
@@ -654,7 +710,7 @@ KASSERT((td->td_pflags & TDP_AUDITREC) == 0, ("audit_nfs_enter: TDP_AUDITREC set")); - error = audit_nfs_proc_to_event(proc, &event); + error = audit_nfs_proc_to_event(proc, &event, nfsprot); if (error) { td->td_ar = NULL; return; ==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit.h#6 (text) ==== @@ -59,7 +59,7 @@ void audit_syscall_enter(unsigned short code, struct thread *td); void audit_syscall_exit(int error, struct thread *td); -void audit_nfs_enter(unsigned int proc, struct ucred *user_cr, struct thread *td); +void audit_nfs_enter(unsigned int proc, struct ucred *user_cr, struct thread *td, int nfsprot); void audit_nfs_exit(int error, struct thread *td); /* @@ -321,9 +321,9 @@ audit_syscall_exit(error, td); \ } while (0) -#define AUDIT_NFS_ENTER(proc, user_cr, td) do { \ +#define AUDIT_NFS_ENTER(proc, user_cr, td, nfsprot) do { \ if (audit_enabled) { \ - audit_nfs_enter(proc, user_cr, td); \ + audit_nfs_enter(proc, user_cr, td, nfsprot); \ } \ } while (0) @@ -381,7 +381,7 @@ #define AUDIT_SYSCLOSE(p, fd) -#define AUDIT_NFS_ENTER(proc, user_cr, td) +#define AUDIT_NFS_ENTER(proc, user_cr, td, prot) #define AUDIT_NFS_EXIT(error, td) #endif /* AUDIT */ ==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit_bsm.c#10 (text) ==== @@ -1583,7 +1583,7 @@ case AUE_NFS_CREATE: case AUE_NFS_MKDIR: - case AUE_NFS_MKNODE: + case AUE_NFS_MKNOD: if (ARG_IS_VALID(kar, ARG_MODE)) { tok = au_to_arg32(3, "mode", ar->ar_arg_mode); kau_write(rec, tok); ==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit_private.h#3 (text) ==== 
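Review bot: In the audit.c hunk at -654, when `audit_nfs_proc_to_event()` returns an error the function clears `td->td_ar` and returns, so a request whose procedure or operation number falls outside the selected table produces no audit record at all. With the NFSv4 table added, that now includes every operation number past the last table entry, and out-of-range numbers are the requests an auditor is most likely to want to see. Consider mapping them to a catch-all event in a selectable class instead of returning early. At minimum, document the choice next to the early return with `/* Unknown procedure numbers are deliberately not audited. */`. The body of audit_nfs_enter() continues outside the hunk.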
@@ -324,9 +324,13 @@ struct kaudit_record *audit_new(int event, struct thread *td); /* - * NFS specific functions + * NFS specific stuff */ -int audit_nfs_proc_to_event(unsigned int proc, au_event_t *event); +int audit_nfs_proc_to_event(unsigned int proc, au_event_t *event, int nfsprot); + +#define ND_NFSV2 0x00000004 +#define ND_NFSV3 0x00000008 +#define ND_NFSV4 0x00000010 /* * Functions relating to the conversion of internal kernel audit records to