PERFORCE change 167216 for review
Ilias Marinos
marinosi at FreeBSD.org
Tue Aug 11 16:46:53 UTC 2009
http://perforce.freebsd.org/chv.cgi?CH=167216
Change 167216 by marinosi at marinosi_redrum on 2009/08/11 16:46:08
Merge with the latest audit codebase.
Affected files ...
.. //depot/projects/soc2009/marinosi_appaudit/src/sys/security/audit/audit.c#16 integrate
.. //depot/projects/soc2009/marinosi_appaudit/src/sys/security/audit/audit.h#5 integrate
.. //depot/projects/soc2009/marinosi_appaudit/src/sys/security/audit/audit_private.h#7 integrate
.. //depot/projects/soc2009/marinosi_appaudit/src/sys/security/audit/audit_worker.c#8 integrate
Differences ...
==== //depot/projects/soc2009/marinosi_appaudit/src/sys/security/audit/audit.c#16 (text) ====
@@ -29,7 +29,7 @@
*/
#include <sys/cdefs.h>
-__FBSDID("$FreeBSD: src/sys/security/audit/audit.c,v 1.51 2009/04/19 14:53:17 rwatson Exp $");
+__FBSDID("$FreeBSD: src/sys/security/audit/audit.c,v 1.53 2009/07/28 21:39:58 rwatson Exp $");
#include <sys/param.h>
#include <sys/condvar.h>
@@ -80,6 +80,7 @@
MALLOC_DEFINE(M_AUDITDATA, "audit_data", "Audit data storage");
MALLOC_DEFINE(M_AUDITPATH, "audit_path", "Audit path storage");
MALLOC_DEFINE(M_AUDITTEXT, "audit_text", "Audit text storage");
+MALLOC_DEFINE(M_AUDITGIDSET, "audit_gidset", "Audit GID set storage");
MALLOC_DEFINE(M_AUDITSLICE, "audit_slice", "Audit slice storage");
SYSCTL_NODE(_security, OID_AUTO, audit, CTLFLAG_RW, 0,
@@ -221,6 +222,8 @@
free(ar->k_ar.ar_arg_argv, M_AUDITTEXT);
if (ar->k_ar.ar_arg_envv != NULL)
free(ar->k_ar.ar_arg_envv, M_AUDITTEXT);
+ if (ar->k_ar.ar_arg_groups.gidset != NULL)
+ free(ar->k_ar.ar_arg_groups.gidset, M_AUDITGIDSET);
}
/*
@@ -395,17 +398,22 @@
else
sorf = AU_PRS_SUCCESS;
+ /*
+ * syscalls.master sometimes contains a prototype event number, which
+ * we will transform into a more specific event number now that we
+ * have more complete information gathered during the system call.
+ */
switch(ar->k_ar.ar_event) {
case AUE_OPEN_RWTC:
- /*
- * The open syscall always writes a AUE_OPEN_RWTC event;
- * change it to the proper type of event based on the flags
- * and the error value.
- */
ar->k_ar.ar_event = audit_flags_and_error_to_openevent(
ar->k_ar.ar_arg_fflags, error);
break;
+ case AUE_OPENAT_RWTC:
+ ar->k_ar.ar_event = audit_flags_and_error_to_openatevent(
+ ar->k_ar.ar_arg_fflags, error);
+ break;
+
case AUE_SYSCTL:
ar->k_ar.ar_event = audit_ctlname_to_sysctlevent(
ar->k_ar.ar_arg_ctlname, ar->k_ar.ar_valid_arg);
==== //depot/projects/soc2009/marinosi_appaudit/src/sys/security/audit/audit.h#5 (text) ====
@@ -26,7 +26,7 @@
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
- * $FreeBSD: src/sys/security/audit/audit.h,v 1.24 2009/03/09 10:45:58 rwatson Exp $
+ * $FreeBSD: src/sys/security/audit/audit.h,v 1.29 2009/07/29 07:44:43 rwatson Exp $
*/
/*
@@ -56,67 +56,6 @@
extern int audit_enabled;
extern int audit_suspended;
-/*
- * Define the masks for the audited arguments.
- *
- * XXXRW: These need to remain in audit.h for now because our vnode and name
- * lookup audit calls rely on passing in flags to indicate which name or
- * vnode is being logged. These should move to audit_private.h when that is
- * fixed.
- */
-#define ARG_EUID 0x0000000000000001ULL
-#define ARG_RUID 0x0000000000000002ULL
-#define ARG_SUID 0x0000000000000004ULL
-#define ARG_EGID 0x0000000000000008ULL
-#define ARG_RGID 0x0000000000000010ULL
-#define ARG_SGID 0x0000000000000020ULL
-#define ARG_PID 0x0000000000000040ULL
-#define ARG_UID 0x0000000000000080ULL
-#define ARG_AUID 0x0000000000000100ULL
-#define ARG_GID 0x0000000000000200ULL
-#define ARG_FD 0x0000000000000400ULL
-#define ARG_POSIX_IPC_PERM 0x0000000000000800ULL
-#define ARG_FFLAGS 0x0000000000001000ULL
-#define ARG_MODE 0x0000000000002000ULL
-#define ARG_DEV 0x0000000000004000ULL
-#define ARG_ADDR 0x0000000000008000ULL
-#define ARG_LEN 0x0000000000010000ULL
-#define ARG_MASK 0x0000000000020000ULL
-#define ARG_SIGNUM 0x0000000000040000ULL
-#define ARG_LOGIN 0x0000000000080000ULL
-#define ARG_SADDRINET 0x0000000000100000ULL
-#define ARG_SADDRINET6 0x0000000000200000ULL
-#define ARG_SADDRUNIX 0x0000000000400000ULL
-#define ARG_TERMID_ADDR 0x0000000000400000ULL
-#define ARG_UNUSED2 0x0000000001000000ULL
-#define ARG_UPATH1 0x0000000002000000ULL
-#define ARG_UPATH2 0x0000000004000000ULL
-#define ARG_TEXT 0x0000000008000000ULL
-#define ARG_VNODE1 0x0000000010000000ULL
-#define ARG_VNODE2 0x0000000020000000ULL
-#define ARG_SVIPC_CMD 0x0000000040000000ULL
-#define ARG_SVIPC_PERM 0x0000000080000000ULL
-#define ARG_SVIPC_ID 0x0000000100000000ULL
-#define ARG_SVIPC_ADDR 0x0000000200000000ULL
-#define ARG_GROUPSET 0x0000000400000000ULL
-#define ARG_CMD 0x0000000800000000ULL
-#define ARG_SOCKINFO 0x0000001000000000ULL
-#define ARG_ASID 0x0000002000000000ULL
-#define ARG_TERMID 0x0000004000000000ULL
-#define ARG_AUDITON 0x0000008000000000ULL
-#define ARG_VALUE 0x0000010000000000ULL
-#define ARG_AMASK 0x0000020000000000ULL
-#define ARG_CTLNAME 0x0000040000000000ULL
-#define ARG_PROCESS 0x0000080000000000ULL
-#define ARG_MACHPORT1 0x0000100000000000ULL
-#define ARG_MACHPORT2 0x0000200000000000ULL
-#define ARG_EXIT 0x0000400000000000ULL
-#define ARG_IOVECSTR 0x0000800000000000ULL
-#define ARG_ARGV 0x0001000000000000ULL
-#define ARG_ENVV 0x0002000000000000ULL
-#define ARG_NONE 0x0000000000000000ULL
-#define ARG_ALL 0xFFFFFFFFFFFFFFFFULL
-
void audit_syscall_enter(unsigned short code, struct thread *td);
void audit_syscall_exit(int error, struct thread *td);
@@ -132,6 +71,8 @@
void audit_arg_addr(void * addr);
void audit_arg_exit(int status, int retval);
void audit_arg_len(int len);
+void audit_arg_atfd1(int atfd);
+void audit_arg_atfd2(int atfd);
void audit_arg_fd(int fd);
void audit_arg_fflags(int fflags);
void audit_arg_gid(gid_t gid);
@@ -158,8 +99,10 @@
void audit_arg_auid(uid_t auid);
void audit_arg_auditinfo(struct auditinfo *au_info);
void audit_arg_auditinfo_addr(struct auditinfo_addr *au_info);
-void audit_arg_upath(struct thread *td, char *upath, u_int64_t flags);
-void audit_arg_vnode(struct vnode *vp, u_int64_t flags);
+void audit_arg_upath1(struct thread *td, char *upath);
+void audit_arg_upath2(struct thread *td, char *upath);
+void audit_arg_vnode1(struct vnode *vp);
+void audit_arg_vnode2(struct vnode *vp);
void audit_arg_text(char *text);
void audit_arg_cmd(int cmd);
void audit_arg_svipc_cmd(int cmd);
@@ -182,14 +125,175 @@
void audit_thread_free(struct thread *td);
/*
- * Define a macro to wrap the audit_arg_* calls by checking the global
+ * Define macros to wrap the audit_arg_* calls by checking the global
* audit_enabled flag before performing the actual call.
*/
-#define AUDIT_ARG(op, args...) do { \
- if (td->td_pflags & TDP_AUDITREC) \
- audit_arg_ ## op (args); \
+#define AUDITING_TD(td) ((td)->td_pflags & TDP_AUDITREC)
+
+#define AUDIT_ARG_ADDR(addr) do { \
+ if (AUDITING_TD(curthread)) \
+ audit_arg_addr((addr)); \
+} while (0)
+
+#define AUDIT_ARG_ARGV(argv, argc, length) do { \
+ if (AUDITING_TD(curthread)) \
+ audit_arg_argv((argv), (argc), (length)); \
+} while (0)
+
+#define AUDIT_ARG_ATFD1(atfd) do { \
+ if (AUDITING_TD(curthread)) \
+ audit_arg_atfd1((atfd)); \
+} while (0)
+
+#define AUDIT_ARG_ATFD2(atfd) do { \
+ if (AUDITING_TD(curthread)) \
+ audit_arg_atfd2((atfd)); \
+} while (0)
+
+#define AUDIT_ARG_AUDITON(udata) do { \
+ if (AUDITING_TD(curthread)) \
+ audit_arg_auditon((udata)); \
+} while (0)
+
+#define AUDIT_ARG_CMD(cmd) do { \
+ if (AUDITING_TD(curthread)) \
+ audit_arg_cmd((cmd)); \
+} while (0)
+
+#define AUDIT_ARG_DEV(dev) do { \
+ if (AUDITING_TD(curthread)) \
+ audit_arg_dev((dev)); \
+} while (0)
+
+#define AUDIT_ARG_EGID(egid) do { \
+ if (AUDITING_TD(curthread)) \
+ audit_arg_egid((egid)); \
+} while (0)
+
+#define AUDIT_ARG_ENVV(envv, envc, length) do { \
+ if (AUDITING_TD(curthread)) \
+ audit_arg_envv((envv), (envc), (length)); \
+} while (0)
+
+#define AUDIT_ARG_EXIT(status, retval) do { \
+ if (AUDITING_TD(curthread)) \
+ audit_arg_exit((status), (retval)); \
+} while (0)
+
+#define AUDIT_ARG_EUID(euid) do { \
+ if (AUDITING_TD(curthread)) \
+ audit_arg_euid((euid)); \
+} while (0)
+
+#define AUDIT_ARG_FD(fd) do { \
+ if (AUDITING_TD(curthread)) \
+ audit_arg_fd((fd)); \
+} while (0)
+
+#define AUDIT_ARG_FILE(p, fp) do { \
+ if (AUDITING_TD(curthread)) \
+ audit_arg_file((p), (fp)); \
+} while (0)
+
+#define AUDIT_ARG_FFLAGS(fflags) do { \
+ if (AUDITING_TD(curthread)) \
+ audit_arg_fflags((fflags)); \
+} while (0)
+
+#define AUDIT_ARG_GID(gid) do { \
+ if (AUDITING_TD(curthread)) \
+ audit_arg_gid((gid)); \
+} while (0)
+
+#define AUDIT_ARG_GROUPSET(gidset, gidset_size) do { \
+ if (AUDITING_TD(curthread)) \
+ audit_arg_groupset((gidset), (gidset_size)); \
+} while (0)
+
+#define AUDIT_ARG_MODE(mode) do { \
+ if (AUDITING_TD(curthread)) \
+ audit_arg_mode((mode)); \
+} while (0)
+
+#define AUDIT_ARG_OWNER(uid, gid) do { \
+ if (AUDITING_TD(curthread)) \
+ audit_arg_owner((uid), (gid)); \
+} while (0)
+
+#define AUDIT_ARG_PID(pid) do { \
+ if (AUDITING_TD(curthread)) \
+ audit_arg_pid((pid)); \
+} while (0)
+
+#define AUDIT_ARG_PROCESS(p) do { \
+ if (AUDITING_TD(curthread)) \
+ audit_arg_process((p)); \
+} while (0)
+
+#define AUDIT_ARG_RGID(rgid) do { \
+ if (AUDITING_TD(curthread)) \
+ audit_arg_gid((rgid)); \
+} while (0)
+
+#define AUDIT_ARG_RUID(ruid) do { \
+ if (AUDITING_TD(curthread)) \
+ audit_arg_ruid((ruid)); \
+} while (0)
+
+#define AUDIT_ARG_SIGNUM(signum) do { \
+ if (AUDITING_TD(curthread)) \
+ audit_arg_signum((signum)); \
+} while (0)
+
+#define AUDIT_ARG_SGID(sgid) do { \
+ if (AUDITING_TD(curthread)) \
+ audit_arg_sgid((sgid)); \
+} while (0)
+
+#define AUDIT_ARG_SOCKET(sodomain, sotype, soprotocol) do { \
+ if (AUDITING_TD(curthread)) \
+ audit_arg_socket((sodomain), (sotype), (soprotocol)); \
+} while (0)
+
+#define AUDIT_ARG_SUID(suid) do { \
+ if (AUDITING_TD(curthread)) \
+ audit_arg_suid((suid)); \
+} while (0)
+
+#define AUDIT_ARG_TEXT(text) do { \
+ if (AUDITING_TD(curthread)) \
+ audit_arg_text((text)); \
+} while (0)
+
+#define AUDIT_ARG_UID(uid) do { \
+ if (AUDITING_TD(curthread)) \
+ audit_arg_uid((uid)); \
+} while (0)
+
+#define AUDIT_ARG_UPATH1(td, upath) do { \
+ if (AUDITING_TD(curthread)) \
+ audit_arg_upath1((td), (upath)); \
+} while (0)
+
+#define AUDIT_ARG_UPATH2(td, upath) do { \
+ if (AUDITING_TD(curthread)) \
+ audit_arg_upath2((td), (upath)); \
+} while (0)
+
+#define AUDIT_ARG_VALUE(value) do { \
+ if (AUDITING_TD(curthread)) \
+ audit_arg_value((value)); \
+} while (0)
+
+#define AUDIT_ARG_VNODE1(vp) do { \
+ if (AUDITING_TD(curthread)) \
+ audit_arg_vnode1((vp)); \
} while (0)
+#define AUDIT_ARG_VNODE2(vp) do { \
+ if (AUDITING_TD(curthread)) \
+ audit_arg_vnode2((vp)); \
+} while (0)
#define AUDIT_SYSCALL_ENTER(code, td) do { \
if (audit_enabled) { \
@@ -217,17 +321,44 @@
#else /* !AUDIT */
-#define AUDIT_ARG(op, args...) do { \
-} while (0)
+#define AUDIT_ARG_ADDR(addr)
+#define AUDIT_ARG_ARGV(argv, argc, length)
+#define AUDIT_ARG_ATFD1(atfd)
+#define AUDIT_ARG_ATFD2(atfd)
+#define AUDIT_ARG_AUDITON(udata)
+#define AUDIT_ARG_CMD(cmd)
+#define AUDIT_ARG_DEV(dev)
+#define AUDIT_ARG_EGID(egid)
+#define AUDIT_ARG_ENVV(envv, envc, length)
+#define AUDIT_ARG_EXIT(status, retval)
+#define AUDIT_ARG_EUID(euid)
+#define AUDIT_ARG_FD(fd)
+#define AUDIT_ARG_FILE(p, fp)
+#define AUDIT_ARG_FFLAGS(fflags)
+#define AUDIT_ARG_GID(gid)
+#define AUDIT_ARG_GROUPSET(gidset, gidset_size)
+#define AUDIT_ARG_MODE(mode)
+#define AUDIT_ARG_OWNER(uid, gid)
+#define AUDIT_ARG_PID(pid)
+#define AUDIT_ARG_PROCESS(p)
+#define AUDIT_ARG_RGID(rgid)
+#define AUDIT_ARG_RUID(ruid)
+#define AUDIT_ARG_SIGNUM(signum)
+#define AUDIT_ARG_SGID(sgid)
+#define AUDIT_ARG_SOCKET(sodomain, sotype, soprotocol)
+#define AUDIT_ARG_SUID(suid)
+#define AUDIT_ARG_TEXT(text)
+#define AUDIT_ARG_UID(uid)
+#define AUDIT_ARG_UPATH1(td, upath)
+#define AUDIT_ARG_UPATH2(td, upath)
+#define AUDIT_ARG_VALUE(value)
+#define AUDIT_ARG_VNODE1(vp)
+#define AUDIT_ARG_VNODE2(vp)
-#define AUDIT_SYSCALL_ENTER(code, td) do { \
-} while (0)
+#define AUDIT_SYSCALL_ENTER(code, td)
+#define AUDIT_SYSCALL_EXIT(error, td)
-#define AUDIT_SYSCALL_EXIT(error, td) do { \
-} while (0)
-
-#define AUDIT_SYSCLOSE(p, fd) do { \
-} while (0)
+#define AUDIT_SYSCLOSE(p, fd)
#endif /* AUDIT */
==== //depot/projects/soc2009/marinosi_appaudit/src/sys/security/audit/audit_private.h#7 (text) ====
@@ -26,7 +26,7 @@
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
- * $FreeBSD: src/sys/security/audit/audit_private.h,v 1.27 2009/04/19 14:53:17 rwatson Exp $
+ * $FreeBSD: src/sys/security/audit/audit_private.h,v 1.31 2009/07/29 07:44:43 rwatson Exp $
*/
/*
@@ -50,6 +50,7 @@
MALLOC_DECLARE(M_AUDITDATA);
MALLOC_DECLARE(M_AUDITPATH);
MALLOC_DECLARE(M_AUDITTEXT);
+MALLOC_DECLARE(M_AUDITGIDSET);
MALLOC_DECLARE(M_AUDITSLICE);
#endif
@@ -105,8 +106,8 @@
};
struct groupset {
- gid_t gidset[NGROUPS];
- u_int gidset_size;
+ gid_t *gidset;
+ u_int gidset_size;
};
struct socket_au_info {
@@ -242,6 +243,8 @@
gid_t ar_arg_gid;
struct groupset ar_arg_groups;
int ar_arg_fd;
+ int ar_arg_atfd1;
+ int ar_arg_atfd2;
int ar_arg_fflags;
mode_t ar_arg_mode;
int ar_arg_dev;
@@ -281,10 +284,68 @@
* indicate if they are present so they can be included in the audit log
* stream only if defined.
*/
+#define ARG_EUID 0x0000000000000001ULL
+#define ARG_RUID 0x0000000000000002ULL
+#define ARG_SUID 0x0000000000000004ULL
+#define ARG_EGID 0x0000000000000008ULL
+#define ARG_RGID 0x0000000000000010ULL
+#define ARG_SGID 0x0000000000000020ULL
+#define ARG_PID 0x0000000000000040ULL
+#define ARG_UID 0x0000000000000080ULL
+#define ARG_AUID 0x0000000000000100ULL
+#define ARG_GID 0x0000000000000200ULL
+#define ARG_FD 0x0000000000000400ULL
+#define ARG_POSIX_IPC_PERM 0x0000000000000800ULL
+#define ARG_FFLAGS 0x0000000000001000ULL
+#define ARG_MODE 0x0000000000002000ULL
+#define ARG_DEV 0x0000000000004000ULL
+#define ARG_ADDR 0x0000000000008000ULL
+#define ARG_LEN 0x0000000000010000ULL
+#define ARG_MASK 0x0000000000020000ULL
+#define ARG_SIGNUM 0x0000000000040000ULL
+#define ARG_LOGIN 0x0000000000080000ULL
+#define ARG_SADDRINET 0x0000000000100000ULL
+#define ARG_SADDRINET6 0x0000000000200000ULL
+#define ARG_SADDRUNIX 0x0000000000400000ULL
+#define ARG_TERMID_ADDR 0x0000000000400000ULL
+#define ARG_UNUSED2 0x0000000001000000ULL
+#define ARG_UPATH1 0x0000000002000000ULL
+#define ARG_UPATH2 0x0000000004000000ULL
+#define ARG_TEXT 0x0000000008000000ULL
+#define ARG_VNODE1 0x0000000010000000ULL
+#define ARG_VNODE2 0x0000000020000000ULL
+#define ARG_SVIPC_CMD 0x0000000040000000ULL
+#define ARG_SVIPC_PERM 0x0000000080000000ULL
+#define ARG_SVIPC_ID 0x0000000100000000ULL
+#define ARG_SVIPC_ADDR 0x0000000200000000ULL
+#define ARG_GROUPSET 0x0000000400000000ULL
+#define ARG_CMD 0x0000000800000000ULL
+#define ARG_SOCKINFO 0x0000001000000000ULL
+#define ARG_ASID 0x0000002000000000ULL
+#define ARG_TERMID 0x0000004000000000ULL
+#define ARG_AUDITON 0x0000008000000000ULL
+#define ARG_VALUE 0x0000010000000000ULL
+#define ARG_AMASK 0x0000020000000000ULL
+#define ARG_CTLNAME 0x0000040000000000ULL
+#define ARG_PROCESS 0x0000080000000000ULL
+#define ARG_MACHPORT1 0x0000100000000000ULL
+#define ARG_MACHPORT2 0x0000200000000000ULL
+#define ARG_EXIT 0x0000400000000000ULL
+#define ARG_IOVECSTR 0x0000800000000000ULL
+#define ARG_ARGV 0x0001000000000000ULL
+#define ARG_ENVV 0x0002000000000000ULL
+#define ARG_ATFD1 0x0004000000000000ULL
+#define ARG_ATFD2 0x0008000000000000ULL
+#define ARG_NONE 0x0000000000000000ULL
+#define ARG_ALL 0xFFFFFFFFFFFFFFFFULL
+
#define ARG_IS_VALID(kar, arg) ((kar)->k_ar.ar_valid_arg & (arg))
#define ARG_SET_VALID(kar, arg) do { \
(kar)->k_ar.ar_valid_arg |= (arg); \
} while (0)
+#define ARG_CLEAR_VALID(kar, arg) do { \
+ (kar)->k_ar.ar_valid_arg &= ~(arg); \
+} while (0)
/*
* In-kernel version of audit record; the basic record plus queue meta-data.
@@ -358,6 +419,7 @@
au_class_t au_event_class(au_event_t event);
au_event_t audit_ctlname_to_sysctlevent(int name[], uint64_t valid_arg);
au_event_t audit_flags_and_error_to_openevent(int oflags, int error);
+au_event_t audit_flags_and_error_to_openatevent(int oflags, int error);
au_event_t audit_msgctl_to_event(int cmd);
au_event_t audit_semctl_to_event(int cmr);
void audit_canon_path(struct thread *td, char *path, char *cpath);
==== //depot/projects/soc2009/marinosi_appaudit/src/sys/security/audit/audit_worker.c#8 (text) ====
@@ -29,7 +29,7 @@
*/
#include <sys/cdefs.h>
-__FBSDID("$FreeBSD: src/sys/security/audit/audit_worker.c,v 1.31 2008/11/10 22:06:24 rwatson Exp $");
+__FBSDID("$FreeBSD: src/sys/security/audit/audit_worker.c,v 1.32 2009/05/11 15:33:26 attilio Exp $");
#include <sys/param.h>
#include <sys/condvar.h>
@@ -121,7 +121,7 @@
* that we know how we're doing on space. Consider failure of these
* operations to indicate a future inability to write to the file.
*/
- error = VFS_STATFS(as->audit_vp->v_mount, mnt_stat, curthread);
+ error = VFS_STATFS(as->audit_vp->v_mount, mnt_stat);
if (error)
goto fail;
vn_lock(as->audit_vp, LK_EXCLUSIVE | LK_RETRY);
More information about the p4-projects
mailing list