Date: Sun, 11 Jul 2010 23:22:33 GMT From: Efstratios Karatzas <gpf@FreeBSD.org> To: Perforce Change Reviews <perforce@FreeBSD.org> Subject: PERFORCE change 180786 for review Message-ID: <201007112322.o6BNMX8X021459@repoman.freebsd.org>
http://p4web.freebsd.org/@@180786?ac=10 Change 180786 by gpf@gpf_desktop on 2010/07/11 23:22:14 - audit 'locktype' for the 'lock*' nfsv4 rpcs. - audit 'lockowner' for 'lock', 'lockt' & 'releaselckown' nfsv4 rpcs. - audit the 'client name' used by 'setclientid', when RPCSEC_GSS is used. Along with clientid and socket address info, the users should be able to figure out the client in each following rpc. The 'client name' & 'lockowner' are strings; au_to_text() is used once again. I'm mostly worried about auditing everything we need, so I'll leave it as a future exercise to make the output of praudit pretty.
Affected files ...
.. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/fs/nfsserver/nfs_nfsdserv.c#14 edit
.. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit.c#10 edit
.. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit.h#10 edit
.. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit_arg.c#6 edit
.. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit_bsm.c#18 edit
.. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit_private.h#8 edit
Differences ...
==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/fs/nfsserver/nfs_nfsdserv.c#14 (text+ko) ====
@@ -2102,6 +2102,7 @@
 AUDIT_ARG_VNODE1(vp);
 NFSM_DISSECT(tl, u_int32_t *, 7 * NFSX_UNSIGNED);
 i = fxdr_unsigned(int, *tl++);
+ AUDIT_ARG_LOCKTYPE(i);
 switch (i) {
 case NFSV4LOCKT_READW:
 flags |= NFSLCK_BLOCKING;
@@ -2155,6 +2156,8 @@
 error = nfsrv_mtostr(nd, stp->ls_owner, stp->ls_ownerlen);
 if (error)
 goto nfsmout;
+ else
+ AUDIT_ARG_LOCKOWNER(stp->ls_owner, stp->ls_ownerlen);
 } else {
 NFSM_DISSECT(tl, u_int32_t *, NFSX_STATEID + NFSX_UNSIGNED);
 MALLOC(stp, struct nfsstate *, sizeof (struct nfsstate),
@@ -2175,6 +2178,7 @@
 nd->nd_flag |= ND_IMPLIEDCLID;
 nd->nd_clientid.qval = clientid.qval;
 }
+ AUDIT_ARG_CLIENTID(clientid.qval);
 }
 MALLOC(lop, struct nfslock *, sizeof (struct nfslock),
 M_NFSDLOCK, M_WAITOK);
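Review bot: In the @@ -2155 hunk the `else` after `goto nfsmout;` is dead syntax, since the goto already leaves the branch, so the new call reads more plainly as an unconditional `AUDIT_ARG_LOCKOWNER(stp->ls_owner, stp->ls_ownerlen);` placed after the `if (error) goto nfsmout;`; the same `else` shape is in the @@ -2328 and @@ -3511 hunks that follow. The audited value is a client-chosen lock owner, which the protocol defines as an opaque byte string rather than text, so the record will carry whatever bytes the client sent up to the first NUL; a comment at the call site, `/* ls_owner is opaque client data; only the bytes before the first NUL reach the trail */`, makes that limitation visible to whoever reads the trail, and a data or hex-encoded token would preserve the full value. The enclosing RPC handlers start and end outside these hunks.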
@@ -2289,6 +2293,7 @@
 stp->ls_flags = NFSLCK_TEST;
 stp->ls_uid = nd->nd_cred->cr_uid;
 i = fxdr_unsigned(int, *tl++);
+ AUDIT_ARG_LOCKTYPE(i);
 switch (i) {
 case NFSV4LOCKT_READW:
 stp->ls_flags |= NFSLCK_BLOCKING;
@@ -2328,6 +2333,8 @@
 error = nfsrv_mtostr(nd, stp->ls_owner, stp->ls_ownerlen);
 if (error)
 goto nfsmout;
+ else
+ AUDIT_ARG_LOCKOWNER(stp->ls_owner, stp->ls_ownerlen);
 if (!nd->nd_repstat && vnode_vtype(vp) != VREG) {
 if (vnode_vtype(vp) == VDIR)
 nd->nd_repstat = NFSERR_ISDIR;
@@ -2395,6 +2402,7 @@
 lop->lo_flags = NFSLCK_UNLOCK;
 stp->ls_op = nd->nd_rp;
 i = fxdr_unsigned(int, *tl++);
+ AUDIT_ARG_LOCKTYPE(i);
 switch (i) {
 case NFSV4LOCKT_READW:
 stp->ls_flags |= NFSLCK_BLOCKING;
@@ -3323,6 +3331,7 @@
 clp->lc_namelen = nd->nd_princlen;
 clp->lc_name = &clp->lc_id[idlen];
 NFSBCOPY(nd->nd_principal, clp->lc_name, clp->lc_namelen);
+ AUDIT_ARG_CLIENTNAME(clp->lc_name, clp->lc_namelen);
 } else {
 clp->lc_uid = nd->nd_cred->cr_uid;
 clp->lc_gid = nd->nd_cred->cr_gid;
@@ -3511,6 +3520,8 @@
 error = nfsrv_mtostr(nd, stp->ls_owner, len);
 if (error)
 goto nfsmout;
+ else
+ AUDIT_ARG_LOCKOWNER(stp->ls_owner, len);
 nd->nd_repstat = nfsrv_releaselckown(stp, clientid, p);
 FREE((caddr_t)stp, M_NFSDSTATE);
 return (0);
==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit.c#10 (text) ====
@@ -81,6 +81,8 @@
 MALLOC_DEFINE(M_AUDITPATH, "audit_path", "Audit path storage");
 MALLOC_DEFINE(M_AUDITTEXT, "audit_text", "Audit text storage");
 MALLOC_DEFINE(M_AUDITGIDSET, "audit_gidset", "Audit GID set storage");
+MALLOC_DEFINE(M_AUDITLOCKOWNER, "audit_lockowner", "Audit lockowner storage");
+MALLOC_DEFINE(M_AUDITCLIENTNAME, "audit_clientname", "Audit client name storage");
 SYSCTL_NODE(_security, OID_AUTO, audit, CTLFLAG_RW, 0,
 "TrustedBSD audit controls");
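Review bot: In the @@ -3323 hunk `clp->lc_name` is filled by `NFSBCOPY(nd->nd_principal, clp->lc_name, clp->lc_namelen)` and nothing in the visible lines writes a terminator after it, yet `AUDIT_ARG_CLIENTNAME(clp->lc_name, clp->lc_namelen)` hands it to an implementation (audit_arg.c in this change) that copies with `strlcpy`, which walks the source to its NUL regardless of the length passed. Unless the `lc_id` allocation is known to leave a NUL at `lc_name[lc_namelen]` (not visible here), that is an over-read of the principal buffer; terminating it here, `clp->lc_name[clp->lc_namelen] = '\0';` if the allocation has room, or making the audit copy exactly `len` bytes, closes it. A short comment at the call, `/* principal from the RPC credential; clients on the else branch below leave no name in the record */`, would also tell analysts that a record without a clientname token means a client that took the uid/gid path, which the change description ties to non-GSS authentication. The enclosing function starts and ends outside the hunk.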
@@ -259,6 +261,10 @@
 free(ar->k_ar.ar_arg_envv, M_AUDITTEXT);
 if (ar->k_ar.ar_arg_groups.gidset != NULL)
 free(ar->k_ar.ar_arg_groups.gidset, M_AUDITGIDSET);
+ if (ar->k_ar.ar_arg_lockowner != NULL)
+ free(ar->k_ar.ar_arg_lockowner, M_AUDITLOCKOWNER);
+ if (ar->k_ar.ar_arg_clientname != NULL)
+ free(ar->k_ar.ar_arg_clientname, M_AUDITCLIENTNAME);
 }
 /*
==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit.h#10 (text) ====
@@ -131,6 +131,9 @@
 void audit_arg_protocol(int protocol);
 void audit_arg_vtype(int vtype);
 void audit_arg_clientid(uint64_t clientid);
+void audit_arg_lockowner(char *lockowner, u_short len);
+void audit_arg_locktype(int locktype);
+void audit_arg_clientname(char *clientname, u_short len);
 /*
 * Define macros to wrap the audit_arg_* calls by checking the global
@@ -168,6 +171,11 @@
 audit_arg_clientid((clientid)); \
 } while (0)
+#define AUDIT_ARG_CLIENTNAME(clientname, size) do { \
+ if (AUDITING_TD(curthread)) \
+ audit_arg_clientname((clientname), (size)); \
+} while (0)
+
 #define AUDIT_ARG_CMD(cmd) do { \
 if (AUDITING_TD(curthread)) \
 audit_arg_cmd((cmd)); \
@@ -223,6 +231,16 @@
 audit_arg_groupset((gidset), (gidset_size)); \
 } while (0)
+#define AUDIT_ARG_LOCKOWNER(lockowner, size) do { \
+ if (AUDITING_TD(curthread)) \
+ audit_arg_lockowner((lockowner), (size)); \
+} while (0)
+
+#define AUDIT_ARG_LOCKTYPE(locktype) do { \
+ if (AUDITING_TD(curthread)) \
+ audit_arg_locktype((locktype)); \
+} while (0)
+
 #define AUDIT_ARG_MODE(mode) do { \
 if (AUDITING_TD(curthread)) \
 audit_arg_mode((mode)); \
@@ -366,6 +384,7 @@
 #define AUDIT_ARG_ATFD2(atfd)
 #define AUDIT_ARG_AUDITON(udata)
 #define AUDIT_ARG_CLIENTID(clientid)
+#define AUDIT_ARG_CLIENTNAME(clientname, size)
 #define AUDIT_ARG_CMD(cmd)
 #define AUDIT_ARG_DEV(dev)
 #define AUDIT_ARG_EGID(egid)
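Review bot: The prototypes added in the @@ -131 hunk of audit.h declare the string arguments as `char *` although the audit layer only reads them; `void audit_arg_lockowner(const char *lockowner, u_short len);` and `void audit_arg_clientname(const char *clientname, u_short len);` (with the audit_arg.c definitions changed to match) would document that and let callers pass const buffers. The `u_short` length is also worth a second look: the callee in audit_arg.c does `len++` on it, which wraps to zero for a 65535-byte value and is then caught only by a KASSERT, so a `size_t` here and in the definitions would remove that edge entirely. The @@ -259 hunk in audit.c is correct as written but relies on the two new pointers being NULL in a fresh record; a note on the struct fields in audit_private.h stating who zeroes them would make that contract explicit.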
@@ -377,6 +396,8 @@
 #define AUDIT_ARG_FFLAGS(fflags)
 #define AUDIT_ARG_GID(gid)
 #define AUDIT_ARG_GROUPSET(gidset, gidset_size)
+#define AUDIT_ARG_LOCKOWNER(lockowner, size)
+#define AUDIT_ARG_LOCKTYPE(locktype)
 #define AUDIT_ARG_MODE(mode)
 #define AUDIT_ARG_OWNER(uid, gid)
 #define AUDIT_ARG_PID(pid)
==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit_arg.c#6 (text) ====
@@ -949,7 +949,7 @@
 }
 /*
- * Audit the vnode type of the file created by some NFS RPC
+ * Audit the clientid used by some NFSv4 RPCs
 */
 void
 audit_arg_clientid(uint64_t clientid)
@@ -963,3 +963,69 @@
 ar->k_ar.ar_arg_clientid = clientid;
 ARG_SET_VALID(ar, ARG_CLIENTID);
 }
+
+void
+audit_arg_lockowner(char *lockowner, u_short len)
+{
+ struct kaudit_record *ar;
+
+ len++;
+
+ KASSERT(lockowner != NULL, ("audit_arg_lockowner: lockowner == NULL"));
+ KASSERT(len != 0, ("audit_arg_lockowner: len == 0"));
+
+ ar = currecord();
+ if (ar == NULL)
+ return;
+
+ /* Invalidate the lockowner string */
+ ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_LOCKOWNER);
+
+ if (ar->k_ar.ar_arg_lockowner == NULL)
+ ar->k_ar.ar_arg_lockowner = malloc(len, M_AUDITLOCKOWNER,
+ M_WAITOK);
+
+ strlcpy(ar->k_ar.ar_arg_lockowner, lockowner, len);
+ ARG_SET_VALID(ar, ARG_LOCKOWNER);
+}
+
+void
+audit_arg_clientname(char *clientname, u_short len)
+{
+ struct kaudit_record *ar;
+
+ len++;
+
+ KASSERT(clientname != NULL, ("audit_arg_clientname: clientname == NULL"));
+ KASSERT(len != 0, ("audit_arg_clientname: len == 0"));
+
+ ar = currecord();
+ if (ar == NULL)
+ return;
+
+ /* Invalidate the clientname string */
+ ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_CLIENTNAME);
+
+ if (ar->k_ar.ar_arg_clientname == NULL)
+ ar->k_ar.ar_arg_clientname = malloc(len, M_AUDITCLIENTNAME,
+ M_WAITOK);
+
+ strlcpy(ar->k_ar.ar_arg_clientname, clientname, len);
+ ARG_SET_VALID(ar, ARG_CLIENTNAME);
+}
+
+/*
+ * Audit the locktype used for the NFSv4 RPCs lock,lockt,locku
+ */
+void
+audit_arg_locktype(int locktype)
+{
+ struct kaudit_record *ar;
+
+ ar = currecord();
+ if (ar == NULL)
+ return;
+
+ ar->k_ar.ar_arg_locktype = locktype;
+ ARG_SET_VALID(ar, ARG_LOCKTYPE);
+}
==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit_bsm.c#18 (text) ====
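Review bot: In `audit_arg_lockowner()` and `audit_arg_clientname()` the existing allocation is reused whenever `ar_arg_lockowner`/`ar_arg_clientname` is already non-NULL, but its size is not recorded, so a second call on the same record with a longer value would `strlcpy` `len` bytes into a buffer sized for the earlier string — a kernel heap overflow if that ever happens (whether one record can see two calls is not visible here, but the code should not depend on it). `strlcpy` also reads the source until it finds a NUL, ignoring `len` on the source side, while the callers in nfs_nfsdserv.c pass buffers filled by `nfsrv_mtostr` and `NFSBCOPY` with an explicit length and no visible terminator, so copying exactly `len` bytes and terminating by hand is the safer contract; and `len++` on a `u_short` wraps to zero for a 65535-byte value, which only the INVARIANTS-only KASSERT notices, so widen to `size_t` before adding one. Both functions are also the only ones in the hunk without a header comment; `/* Audit the lock owner string supplied by the NFSv4 lock, lockt and releaselckown RPCs */` and its clientname counterpart would match `audit_arg_locktype()`. The rewrite below is for `audit_arg_lockowner()`; `audit_arg_clientname()` needs the same treatment.
```c
/*
 * Audit the lock owner string supplied by the NFSv4 lock, lockt and
 * releaselckown RPCs.  The source is opaque client data of exactly
 * len bytes and need not be NUL-terminated.
 */
void
audit_arg_lockowner(char *lockowner, u_short len)
{
	struct kaudit_record *ar;
	size_t size;

	KASSERT(lockowner != NULL, ("audit_arg_lockowner: lockowner == NULL"));

	ar = currecord();
	if (ar == NULL)
		return;

	/* Invalidate the lockowner string */
	ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_LOCKOWNER);

	/*
	 * The record may already hold a lockowner from an earlier call whose
	 * allocation size is unknown here; release it rather than reuse it.
	 */
	if (ar->k_ar.ar_arg_lockowner != NULL)
		free(ar->k_ar.ar_arg_lockowner, M_AUDITLOCKOWNER);
	size = (size_t)len + 1;		/* widen first: u_short would wrap */
	ar->k_ar.ar_arg_lockowner = malloc(size, M_AUDITLOCKOWNER, M_WAITOK);

	/* Copy exactly len bytes; do not scan the source for a NUL. */
	memcpy(ar->k_ar.ar_arg_lockowner, lockowner, len);
	ar->k_ar.ar_arg_lockowner[len] = '\0';
	ARG_SET_VALID(ar, ARG_LOCKOWNER);
}
```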
@@ -1693,6 +1693,53 @@
 }
 break;
+ case AUE_NFS_LOCK:
+ case AUE_NFS_LOCKT:
+ if (ARG_IS_VALID(kar, ARG_LOCKOWNER)) {
+ tok = au_to_text(ar->ar_arg_lockowner);
+ kau_write(rec, tok);
+ }
+
+ /* FALLTHROUGH */
+ case AUE_NFS_LOCKU:
+ if (ARG_IS_VALID(kar, ARG_LOCKTYPE)) {
+ tok = au_to_arg32(1, "lock type", ar->ar_arg_locktype);
+ kau_write(rec, tok);
+ }
+ if (ARG_IS_VALID(kar, ARG_CLIENTID)) {
+ tok = au_to_arg64(2, "client id", ar->ar_arg_clientid);
+ kau_write(rec, tok);
+ }
+ UPATH1_VNODE1_TOKENS;
+ if (ARG_IS_VALID(kar, ARG_TEXT)) {
+ tok = au_to_text(ar->ar_arg_text);
+ kau_write(rec, tok);
+ }
+ if (ARG_IS_VALID(kar, ARG_PROTOCOL)) {
+ tok = au_to_text(audit_protocol_to_text(ar->ar_arg_protocol));
+ kau_write(rec, tok);
+ }
+ break;
+
+ case AUE_NFS_RELEASELCKOWN:
+ if (ARG_IS_VALID(kar, ARG_LOCKOWNER)) {
+ tok = au_to_text(ar->ar_arg_lockowner);
+ kau_write(rec, tok);
+ }
+ if (ARG_IS_VALID(kar, ARG_CLIENTID)) {
+ tok = au_to_arg64(2, "client id", ar->ar_arg_clientid);
+ kau_write(rec, tok);
+ }
+ if (ARG_IS_VALID(kar, ARG_TEXT)) {
+ tok = au_to_text(ar->ar_arg_text);
+ kau_write(rec, tok);
+ }
+ if (ARG_IS_VALID(kar, ARG_PROTOCOL)) {
+ tok = au_to_text(audit_protocol_to_text(ar->ar_arg_protocol));
+ kau_write(rec, tok);
+ }
+ break;
+
 /* XXXgpf: temporary fallthrough for nfsv4 events */
 case AUE_NFS_OPEN_RC:
 case AUE_NFS_OPEN_RTC:
@@ -1708,9 +1755,6 @@
 /* FALLTHROUGH */
 case AUE_NFS_CLOSE:
 case AUE_NFS_DELEGRETURN:
- case AUE_NFS_LOCK:
- case AUE_NFS_LOCKT:
- case AUE_NFS_LOCKU:
 case AUE_NFS_OPEN:
 case AUE_NFS_OPEN_R:
 case AUE_NFS_OPEN_RT:
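Review bot: In the @@ -1693 hunk the lock owner is written with a bare `au_to_text()` and so is indistinguishable in type from the `ar_arg_text` and protocol text tokens emitted later in the same case, leaving only token order to tell a client-chosen byte string apart from the server's own text; since the value comes straight from the wire, a reader of the trail should be able to identify it without counting tokens. The commit message defers praudit formatting, but the ambiguity is in the record layout rather than the printing; at minimum a comment above `case AUE_NFS_LOCK:` stating the order, `/* tokens: [lockowner text] [arg32 lock type] [arg64 client id] path/vnode [text] [protocol text] */`, pins the contract, and the same applies to the clientname token in the @@ -1748 hunk. The `/* FALLTHROUGH */` into `AUE_NFS_LOCKU` is consistent with the nfs_nfsdserv.c hunks, where LOCKU gets a locktype but no lockowner argument.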
@@ -1748,10 +1792,27 @@
 /* XXXgpf: temporary fallthrough for nfsv4 events */
 case AUE_NFS_DELEGPURGE:
- case AUE_NFS_RENEW:
+ case AUE_NFS_RENEW:
+ case AUE_NFS_SETCLIENTIDCFRM:
+ if (ARG_IS_VALID(kar, ARG_CLIENTID)) {
+ tok = au_to_arg64(2, "client id", ar->ar_arg_clientid);
+ kau_write(rec, tok);
+ }
+ if (ARG_IS_VALID(kar, ARG_TEXT)) {
+ tok = au_to_text(ar->ar_arg_text);
+ kau_write(rec, tok);
+ }
+ if (ARG_IS_VALID(kar, ARG_PROTOCOL)) {
+ tok = au_to_text(audit_protocol_to_text(ar->ar_arg_protocol));
+ kau_write(rec, tok);
+ }
+ break;
+
 case AUE_NFS_SETCLIENTID:
- case AUE_NFS_SETCLIENTIDCFRM:
- case AUE_NFS_RELEASELCKOWN:
+ if (ARG_IS_VALID(kar, ARG_CLIENTNAME)) {
+ tok = au_to_text(ar->ar_arg_clientname);
+ kau_write(rec, tok);
+ }
 if (ARG_IS_VALID(kar, ARG_CLIENTID)) {
 tok = au_to_arg64(2, "client id", ar->ar_arg_clientid);
 kau_write(rec, tok);
==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit_private.h#8 (text) ====
@@ -51,6 +51,8 @@
 MALLOC_DECLARE(M_AUDITPATH);
 MALLOC_DECLARE(M_AUDITTEXT);
 MALLOC_DECLARE(M_AUDITGIDSET);
+MALLOC_DECLARE(M_AUDITLOCKOWNER);
+MALLOC_DECLARE(M_AUDITCLIENTNAME);
 #endif
 /*
@@ -232,6 +234,9 @@
 int ar_arg_protocol;
 int ar_arg_vtype;
 uint64_t ar_arg_clientid;
+ char *ar_arg_lockowner;
+ int ar_arg_locktype;
+ char *ar_arg_clientname;
 };
 /*
@@ -294,6 +299,9 @@
 #define ARG_VTYPE 0x0010000000000000ULL
 #define ARG_PROTOCOL 0x0020000000000000ULL
 #define ARG_CLIENTID 0x0040000000000000ULL
+#define ARG_LOCKOWNER 0x0080000000000000ULL
+#define ARG_LOCKTYPE 0x0100000000000000ULL
+#define ARG_CLIENTNAME 0x0200000000000000ULL
 #define ARG_NONE 0x0000000000000000ULL
 #define ARG_ALL 0xFFFFFFFFFFFFFFFFULL
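Review bot: The `char *ar_arg_lockowner` and `char *ar_arg_clientname` fields added in the @@ -232 hunk are allocated only when NULL in audit_arg.c and freed only when non-NULL in audit.c, so the whole scheme depends on a fresh record starting with them zeroed; the record constructor is outside this diff, so please confirm it clears all of `k_ar` and record the contract on the fields, e.g. `char *ar_arg_lockowner;	/* M_AUDITLOCKOWNER; NULL until set, released with the record */`. In the @@ -294 hunk the new flags take bits 0x0080…, 0x0100… and 0x0200… of the 64-bit `ar_valid_arg` mask, which leaves at most six bits above `ARG_CLIENTNAME`; a one-line note that the mask is close to full would save the next addition a surprise. The `-`/`+` pair for `case AUE_NFS_RENEW:` in the @@ -1748 hunk looks like a whitespace-only change, which is fine but worth a word in the commit message.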