PERFORCE change 145116 for review
Diego Giagio
diego at FreeBSD.org
Sat Jul 12 23:03:00 UTC 2008
http://perforce.freebsd.org/chv.cgi?CH=145116
Change 145116 by diego at diego_black on 2008/07/12 23:02:26
Almost finished support for auditing administrative pf events in the kernel.
Affected files ...
.. //depot/projects/soc2008/diego-audit/src/sys/contrib/pf/net/pf_ioctl.c#6 edit
.. //depot/projects/soc2008/diego-audit/src/sys/security/audit/audit.h#9 edit
.. //depot/projects/soc2008/diego-audit/src/sys/security/audit/audit_pfil.c#6 edit
Differences ...
==== //depot/projects/soc2008/diego-audit/src/sys/contrib/pf/net/pf_ioctl.c#6 (text+ko) ====
@@ -1173,6 +1173,7 @@
if (rs_num < 0 || rs_num >= PF_RULESET_MAX)
return (EINVAL);
+
rs = pf_find_ruleset(anchor);
if (rs == NULL || !rs->rules[rs_num].inactive.open ||
ticket != rs->rules[rs_num].inactive.ticket)
@@ -1216,6 +1217,12 @@
rs->rules[rs_num].inactive.open = 0;
pf_remove_if_empty_ruleset(rs);
splx(s);
+
+ if (rs->rules[rs_num].active.rcount == 0)
+ AUDIT_CALL(audit_pf_flush(anchor, old_rcount, 0));
+ else
+ AUDIT_CALL(audit_pf_addrule(anchor,
+ rs->rules[rs_num].active.rcount,0));
return (0);
}
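Review bot: The added branch reads `rs->rules[rs_num].active.rcount` after `pf_remove_if_empty_ruleset(rs)` has already run; if that helper frees a ruleset that has become empty (which is what its name suggests and what pf does for non-main anchors), the flush case this condition is meant to catch is exactly the one where `rs` may no longer be valid. Capture the count while `rs` is still live, e.g. `new_rcount = rs->rules[rs_num].active.rcount;` placed before `pf_remove_if_empty_ruleset(rs);`, and test `new_rcount` in both branches. `old_rcount` is not defined in the hunk, so it is presumably captured earlier in the function, whose body starts outside the hunk. A space after the comma in `active.rcount,0` would match the surrounding style.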
@@ -1423,6 +1430,7 @@
}
DPFPRINTF(PF_DEBUG_MISC, ("pf: started\n"));
}
+ AUDIT_CALL(audit_pf_enable(error));
break;
case DIOCSTOP:
@@ -1443,6 +1451,7 @@
pf_status.since = time_second;
DPFPRINTF(PF_DEBUG_MISC, ("pf: stopped\n"));
}
+ AUDIT_CALL(audit_pf_disable(error));
break;
case DIOCADDRULE: {
@@ -1917,6 +1926,8 @@
if (pcr->action == PF_CHANGE_REMOVE) {
pf_rm_rule(ruleset->rules[rs_num].active.ptr, oldrule);
ruleset->rules[rs_num].active.rcount--;
+ AUDIT_CALL(audit_pf_delrule(oldrule->anchor->name,
+ error));
} else {
if (oldrule == NULL)
TAILQ_INSERT_TAIL(
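Review bot: `audit_pf_delrule(oldrule->anchor->name, error)` dereferences `oldrule` after `pf_rm_rule()` has taken it off the queue; as I read pf, that call frees the rule when it has no remaining states or source nodes, so this is a use-after-free in the common case, and the next hunk has the same shape with `newrule->anchor->name`. Independently, `rule->anchor` in pf is the anchor a rule calls rather than the ruleset it belongs to, so it is NULL for ordinary rules and the dereference would fault; the ruleset name the request named is already at hand in `pcr->anchor`, which is also what the DIOCCOMMITRULES hunk passes as `anchor`. Suggested: `AUDIT_CALL(audit_pf_delrule(pcr->anchor, error));` here and `AUDIT_CALL(audit_pf_addrule(pcr->anchor, 1, 0));` in the next hunk. The DIOCCHANGERULE case starts before and ends after both hunks.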
@@ -1930,6 +1941,7 @@
ruleset->rules[rs_num].active.ptr,
oldrule, newrule, entries);
ruleset->rules[rs_num].active.rcount++;
+ AUDIT_CALL(audit_pf_addrule(newrule->anchor->name,1,0));
}
nr = 0;
==== //depot/projects/soc2008/diego-audit/src/sys/security/audit/audit.h#9 (text) ====
@@ -128,7 +128,6 @@
*/
void audit_ipfw_enable(int error);
void audit_ipfw_disable(int error);
-
void audit_ipfw_addrule(int set, int rulenum, int error);
void audit_ipfw_delrule(int set, int rulenum, int error);
void audit_ipfw_flush(int error);
@@ -138,6 +137,9 @@
void audit_pf_enable(int error);
void audit_pf_disable(int error);
+void audit_pf_addrule(char *anchor, int nrules, int error);
+void audit_pf_delrule(char *anchor, int error);
+void audit_pf_flush(char *anchor, int nrules, int error);
/*
* The remaining kernel functions are conditionally compiled in as they are
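Review bot: The three new prototypes take `char *anchor` although the implementations only format the string; declaring them `const char *` states that contract and lets callers pass names held in const storage without a cast: `void audit_pf_addrule(const char *anchor, int nrules, int error);`, `void audit_pf_delrule(const char *anchor, int error);`, `void audit_pf_flush(const char *anchor, int nrules, int error);`. A one-line comment above them saying that `anchor` is the ruleset path and `nrules` the number of rules affected by the operation would match the documented ipfw block just above.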
==== //depot/projects/soc2008/diego-audit/src/sys/security/audit/audit_pfil.c#6 (text+ko) ====
@@ -213,3 +213,65 @@
audit_commit(ar, error, 0);
}
+static void
+pf_rule_to_text(char *anchor, int nrules, struct sbuf *sb)
+{
+ sbuf_printf(sb, "pf: ");
+ if (anchor != NULL)
+ sbuf_printf(sb, "anchor=%s, ", anchor);
+ if (nrules != -1)
+ sbuf_printf(sb, "nrules=%u", nrules);
+ sbuf_finish(sb);
+}
+
+void
+audit_pf_addrule(char *anchor, int nrules, int error)
+{
+ struct kaudit_record *ar;
+ struct sbuf sb;
+
+ ar = audit_begin(AUE_PFIL_POLICY_ADDRULE, curthread);
+ if (ar == NULL)
+ return;
+
+ sbuf_new(&sb, NULL, 0, SBUF_AUTOEXTEND);
+ pf_rule_to_text(anchor, nrules, &sb);
+ audit_record_arg_text(ar, sbuf_data(&sb));
+ sbuf_delete(&sb);
+ audit_commit(ar, error, 0);
+}
+
+void
+audit_pf_delrule(char *anchor, int error)
+{
+ struct kaudit_record *ar;
+ struct sbuf sb;
+
+ ar = audit_begin(AUE_PFIL_POLICY_DELRULE, curthread);
+ if (ar == NULL)
+ return;
+
+ sbuf_new(&sb, NULL, 0, SBUF_AUTOEXTEND);
+ pf_rule_to_text(anchor, 1, &sb);
+ audit_record_arg_text(ar, sbuf_data(&sb));
+ sbuf_delete(&sb);
+ audit_commit(ar, error, 0);
+}
+
+void
+audit_pf_flush(char *anchor, int nrules, int error)
+{
+ struct kaudit_record *ar;
+ struct sbuf sb;
+
+ ar = audit_begin(AUE_PFIL_POLICY_FLUSH, curthread);
+ if (ar == NULL)
+ return;
+
+ sbuf_new(&sb, NULL, 0, SBUF_AUTOEXTEND);
+ pf_rule_to_text(anchor, nrules, &sb);
+ audit_record_arg_text(ar, sbuf_data(&sb));
+ sbuf_delete(&sb);
+ audit_commit(ar, error, 0);
+}
+
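Review bot: `pf_rule_to_text()` formats `nrules` with `%u` although the parameter is `int` (`sbuf_printf(sb, "nrules=%u", nrules);`); the specifier should be `%d`, and when the `-1` sentinel does skip the field the record ends in a dangling `anchor=%s, ` separator, although no visible caller passes `-1`. Emit the separator with the second field instead: `sbuf_printf(sb, "anchor=%s", anchor);` then `if (nrules != -1) sbuf_printf(sb, ", nrules=%d", nrules);`. `audit_pf_delrule()` hard-codes `1` as the count for every deletion; a short comment on the helper stating that `anchor` is the ruleset path and `nrules` the number of rules affected (or -1 to omit) would make the record format easier to interpret when reading audit trails. `sbuf_finish()`'s return value is not checked before `sbuf_data()` is used; with SBUF_AUTOEXTEND it should not fail here, but an explicit check is the kernel convention.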