Date: Wed, 24 Oct 2007 00:40:37 GMT From: "Christian S.J. Peron" <csjp@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 127985 for review Message-ID: <200710240040.l9O0eb2L034024@repoman.freebsd.org>
next in thread | raw e-mail | index | archive | help
http://perforce.freebsd.org/chv.cgi?CH=127985 Change 127985 by csjp@push on 2007/10/24 00:39:50 Bring in audit_proc_coredump() which will be called anytime the coredump(9) function is activated. This function will result in a coredump audit record being created. Currently, we structure the audit record much the same way Solaris does with respect to tokens. However, I think it will make sense to add a process token too. Affected files ... .. //depot/projects/trustedbsd/audit3/sys/kern/kern_sig.c#22 edit .. //depot/projects/trustedbsd/audit3/sys/security/audit/audit.c#50 edit .. //depot/projects/trustedbsd/audit3/sys/security/audit/audit.h#29 edit .. //depot/projects/trustedbsd/audit3/sys/security/audit/audit_bsm.c#32 edit Differences ... ==== //depot/projects/trustedbsd/audit3/sys/kern/kern_sig.c#22 (text+ko) ==== @@ -3063,8 +3063,19 @@ MPASS((p->p_flag & P_HADTHREADS) == 0 || p->p_singlethread == td); _STOPEVENT(p, S_CORE, 0); + name = expand_name(p->p_comm, td->td_ucred->cr_uid, p->p_pid); + if (name == NULL) { +#ifdef AUDIT + audit_proc_coredump(td, NULL, EINVAL); +#endif + return (EINVAL); + } if (((sugid_coredump == 0) && p->p_flag & P_SUGID) || do_coredump == 0) { PROC_UNLOCK(p); +#ifdef AUDIT + audit_proc_coredump(td, name, EFAULT); +#endif + free(name, M_TEMP); return (EFAULT); } @@ -3078,19 +3089,25 @@ */ limit = (off_t)lim_cur(p, RLIMIT_CORE); PROC_UNLOCK(p); - if (limit == 0) + if (limit == 0) { +#ifdef AUDIT + audit_proc_coredump(td, name, EFBIG); +#endif + free(name, M_TEMP); return (EFBIG); + } restart: - name = expand_name(p->p_comm, td->td_ucred->cr_uid, p->p_pid); - if (name == NULL) - return (EINVAL); NDINIT(&nd, LOOKUP, NOFOLLOW | MPSAFE, UIO_SYSSPACE, name, td); flags = O_CREAT | FWRITE | O_NOFOLLOW; error = vn_open(&nd, &flags, S_IRUSR | S_IWUSR, NULL); - free(name, M_TEMP); - if (error) + if (error) { +#ifdef AUDIT + audit_proc_coredump(td, name, error); +#endif + free(name, M_TEMP); return (error); + } vfslocked = NDHASGIANT(&nd); NDFREE(&nd, NDF_ONLY_PNBUF); vp = nd.ni_vp; @@ -3148,6 +3165,10 @@ if (error == 0) error = error1; out: +#ifdef AUDIT + audit_proc_coredump(td, name, error); +#endif + free(name, M_TEMP); VFS_UNLOCK_GIANT(vfslocked); return (error); } ==== //depot/projects/trustedbsd/audit3/sys/security/audit/audit.c#50 (text+ko) ==== @@ -575,3 +575,51 @@ KASSERT(td->td_ar == NULL, ("audit_thread_free: td_ar != NULL")); } + +void +audit_proc_coredump(struct thread *td, char *path, int errcode) +{ + struct kaudit_record *ar; + struct au_mask *aumask; + au_class_t class; + int ret, sorf; + char **pathp; + au_id_t auid; + + /* + * Make sure we are using the correct preselection mask. + */ + auid = td->td_ucred->cr_audit.ai_auid; + if (auid == AU_DEFAUDITID) + aumask = &audit_nae_mask; + else + aumask = &td->td_ucred->cr_audit.ai_mask; + /* + * It's possible for coredump(9) generation to fail. Make sure that + * we handle this case correctly for preselection. + */ + if (errcode != 0) + sorf = AU_PRS_FAILURE; + else + sorf = AU_PRS_SUCCESS; + class = au_event_class(AUE_CORE); + if (au_preselect(AUE_CORE, class, aumask, sorf) == 0) + return; + /* + * If we are interested in seeing this audit record, allocate it. + * Where possible coredump records should contain a pathname and arg32 + * (signal) tokens. + */ + ar = audit_new(AUE_CORE, td); + if (path != NULL) { + pathp = &ar->k_ar.ar_arg_upath1; + *pathp = malloc(MAXPATHLEN, M_AUDITPATH, M_WAITOK); + canon_path(td, path, *pathp); + ARG_SET_VALID(ar, ARG_UPATH1); + } + ar->k_ar.ar_arg_signum = td->td_proc->p_sig; + ARG_SET_VALID(ar, ARG_SIGNUM); + if (errcode != 0) + ret = 1; + audit_commit(ar, errcode, ret); +} ==== //depot/projects/trustedbsd/audit3/sys/security/audit/audit.h#29 (text+ko) ==== @@ -179,6 +179,7 @@ void audit_cred_init(struct ucred *cred); void audit_cred_kproc0(struct ucred *cred); void audit_cred_proc1(struct ucred *cred); +void audit_proc_coredump(struct thread *td, char *path, int errcode); void audit_thread_alloc(struct thread *td); void audit_thread_free(struct thread *td); ==== //depot/projects/trustedbsd/audit3/sys/security/audit/audit_bsm.c#32 (text+ko) ==== @@ -725,6 +725,14 @@ UPATH1_VNODE1_TOKENS; break; + case AUE_CORE: + if (ARG_IS_VALID(kar, ARG_SIGNUM)) { + tok = au_to_arg32(0, "signal", ar->ar_arg_signum); + kau_write(rec, tok); + } + UPATH1_VNODE1_TOKENS; + break; + case AUE_EXTATTRCTL: UPATH1_VNODE1_TOKENS; if (ARG_IS_VALID(kar, ARG_CMD)) {
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200710240040.l9O0eb2L034024>