PERFORCE change 180565 for review
Efstratios Karatzas
gpf at FreeBSD.org
Tue Jul 6 21:26:17 UTC 2010
http://p4web.freebsd.org/@@180565?ac=10
Change 180565 by gpf at gpf_desktop on 2010/07/06 21:25:27
- Audit the NFS protocol version (v2/v3/v4) used in each RPC that we are servicing.
While constructing the bsm record, I use au_to_text() for the protocol,
instead of creating a new method for a new token type - not sure this
is what we want.
Affected files ...
.. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/fs/nfsserver/nfs_nfsdkrpc.c#4 edit
.. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/fs/nfsserver/nfs_nfsdserv.c#9 edit
.. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/fs/nfsserver/nfs_nfsdsocket.c#12 edit
.. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/nfsserver/nfs.h#2 edit
.. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/nfsserver/nfs_srvkrpc.c#7 edit
.. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit.h#7 edit
.. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit_arg.c#3 edit
.. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit_bsm.c#13 edit
.. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit_bsm_klib.c#2 edit
.. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit_private.h#4 edit
Differences ...
==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/fs/nfsserver/nfs_nfsdkrpc.c#4 (text+ko) ====
@@ -109,6 +109,7 @@
struct nfsrv_descript nd;
struct nfsrvcache *rp = NULL;
int cacherep, credflavor;
+ int nfsprot;
memset(&nd, 0, sizeof(nd));
if (rqst->rq_vers == NFS_VER2) {
@@ -234,8 +235,12 @@
cacherep = nfs_proc(&nd, rqst->rq_xid, xprt->xp_socket,
xprt->xp_sockref, &rp);
} else {
- AUDIT_NFS_ENTER(NFSPROC_NULL, nd.nd_cred, curthread, ND_NFSV3);
- AUDIT_NFS_EXIT(0, curthread);
+ nfsprot = nd.nd_flag & (ND_NFSV2 | ND_NFSV3 | ND_NFSV4);
+ AUDIT_NFS_ENTER(NFSPROC_NULL, nd.nd_cred, curthread, nfsprot);
+ AUDIT_ARG_PROTOCOL(nfsprot);
+ if (nd.nd_nam != NULL)
+ AUDIT_ARG_SOCKADDR_IN((struct sockaddr_in *)nd.nd_nam);
+ AUDIT_NFS_EXIT(0, curthread);
NFSMGET(nd.nd_mreq);
nd.nd_mreq->m_len = 0;
cacherep = RC_REPLY;
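Review bot: The new `AUDIT_ARG_SOCKADDR_IN((struct sockaddr_in *)nd.nd_nam)` casts the client address without checking its family, so a request arriving over IPv6 (if this nfsd accepts them) would have a sockaddr_in6 read as a sockaddr_in and a garbage address logged; guard it with `if (nd.nd_nam != NULL && nd.nd_nam->sa_family == AF_INET)` or add an inet6 variant of the argument macro. Separately, `nfsprot` is the raw masked nd_flag value, so if none of the ND_NFSV* bits happens to be set the record will say "Unknown Protocol" and AUDIT_NFS_ENTER receives 0; if exactly one bit is guaranteed here, a one-line comment saying so would help. The enclosing function starts before the hunk.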
==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/fs/nfsserver/nfs_nfsdserv.c#9 (text+ko) ====
@@ -1083,6 +1083,7 @@
NFSM_DISSECT(tl, u_int32_t *, NFSX_UNSIGNED);
vtyp = nfsv34tov_type(*tl);
nfs4type = fxdr_unsigned(nfstype, *tl);
+ /* lalala */
switch (nfs4type) {
case NFLNK:
error = nfsvno_getsymlink(nd, &nva, p, &pathcp,
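Review bot: `/* lalala */` is a placeholder left above the `switch (nfs4type)` and should either be removed before this is submitted or replaced by the note it was standing in for. The surrounding function starts and ends outside the hunk.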
==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/fs/nfsserver/nfs_nfsdsocket.c#12 (text+ko) ====
@@ -437,13 +437,11 @@
printf("compound rpc exit\n");
} else {
printf("non compound rpc %d\n", nd->nd_procnum);
- if (nd->nd_flag & ND_NFSV2)
- nfsprot = ND_NFSV2;
- else
- nfsprot = ND_NFSV3;
+ nfsprot = nd->nd_flag & (ND_NFSV2 | ND_NFSV3);
AUDIT_NFS_ENTER(nd->nd_procnum, nd->nd_cred, curthread, nfsprot);
if (nd->nd_nam != NULL)
AUDIT_ARG_SOCKADDR_IN((struct sockaddr_in *)nd->nd_nam);
+ AUDIT_ARG_PROTOCOL(nfsprot);
if (nfs_retfh[nd->nd_procnum] == 1) {
if (vp)
NFSVOPUNLOCK(vp, 0, p);
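Review bot: Replacing the if/else with `nfsprot = nd->nd_flag & (ND_NFSV2 | ND_NFSV3);` changes behaviour when neither bit is set: the old code fell back to ND_NFSV3, the new code passes 0 to both AUDIT_NFS_ENTER and AUDIT_ARG_PROTOCOL and the record reads "Unknown Protocol". If every non-compound request reaching this branch is guaranteed to carry one of the two bits, say so in a comment; otherwise keep the fallback, e.g. `nfsprot = (nd->nd_flag & ND_NFSV2) ? ND_NFSV2 : ND_NFSV3;`. The function continues outside the hunk.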
@@ -741,6 +739,7 @@
AUDIT_NFS_ENTER(op, nd->nd_cred, curthread, ND_NFSV4);
if (nd->nd_nam != NULL)
AUDIT_ARG_SOCKADDR_IN((struct sockaddr_in *)nd->nd_nam);
+ AUDIT_ARG_PROTOCOL(ND_NFSV4);
switch (op) {
/* xxx gpf dbg */
printf("op = %d\n", op);
@@ -1036,6 +1035,7 @@
}
break;
}
+ /* lalala */
error = (*(nfsrv4_ops0[op]))(nd, isdgram, vp,
p, &vpnes);
if (nfsv4_opflag[op].modifyfs)
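Review bot: Another `/* lalala */` placeholder sits directly above the `nfsrv4_ops0[op]` dispatch; remove it (or write the intended note) before submitting. The enclosing compound-processing loop starts and ends outside the hunk.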
==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/nfsserver/nfs.h#2 (text+ko) ====
@@ -195,6 +195,7 @@
};
/* Bits for "nd_flag" */
+#define ND_NFSV2 0x04
#define ND_NFSV3 0x08
/*
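Review bot: `#define ND_NFSV2 0x04` introduces a value into the old server's nd_flag namespace that nothing in nfs_srvkrpc.c appears to set in nd_flag; it is used only as a tag handed to the audit code, and audit_protocol_to_text switches on a single set of ND_NFSV* constants for both servers, so this value must equal the ND_NFSV2 defined for the new server or one of the two servers will audit "Unknown Protocol". Please confirm the value matches and that 0x04 is not already taken by another nd_flag bit in this header, and add a comment such as `/* Audit-only tag; must match sys/fs/nfs ND_NFSV2. */`.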
==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/nfsserver/nfs_srvkrpc.c#7 (text+ko) ====
@@ -256,6 +256,7 @@
struct nfsrv_descript nd;
struct mbuf *mreq, *mrep;
int error;
+ int protocol;
struct thread *td = curthread;
if (rqst->rq_vers == NFS_VER2) {
@@ -354,6 +355,11 @@
AUDIT_NFS_ENTER(procnum, nd.nd_cr, td, ND_NFSV3);
AUDIT_ARG_SOCKADDR_IN((struct sockaddr_in *)nd.nd_nam);
+ if (flag)
+ protocol = ND_NFSV3;
+ else
+ protocol = ND_NFSV2;
+ AUDIT_ARG_PROTOCOL(protocol);
error = proc(&nd, NULL, &mrep);
AUDIT_NFS_EXIT(nd.nd_repstat, td);
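Review bot: `AUDIT_NFS_ENTER(procnum, nd.nd_cr, td, ND_NFSV3)` still hard-codes v3 while `protocol` is computed from `flag` two lines later, so a v2 request enters the audit record as v3 and then gets an NFSv2 protocol token. Compute it first and pass it, `protocol = flag ? ND_NFSV3 : ND_NFSV2;` followed by `AUDIT_NFS_ENTER(procnum, nd.nd_cr, td, protocol);`, which also matches how the new server's path passes nfsprot. This assumes `flag` is non-zero exactly for v3 (it looks that way from the v2/v3 branches above, which are outside the hunk); the AUDIT_ARG_SOCKADDR_IN here is also unguarded against a NULL nd_nam, unlike the nfs_nfsdsocket.c callers.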
==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit.h#7 (text) ====
@@ -128,6 +128,7 @@
void audit_proc_coredump(struct thread *td, char *path, int errcode);
void audit_thread_alloc(struct thread *td);
void audit_thread_free(struct thread *td);
+void audit_arg_protocol(int protocol);
/*
* Define macros to wrap the audit_arg_* calls by checking the global
@@ -235,6 +236,11 @@
audit_arg_process((p)); \
} while (0)
+#define AUDIT_ARG_PROTOCOL(prot) do{ \
+ if (AUDITING_TD(curthread)) \
+ audit_arg_protocol((prot)); \
+} while (0)
+
#define AUDIT_ARG_RGID(rgid) do { \
if (AUDITING_TD(curthread)) \
audit_arg_rgid((rgid)); \
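Review bot: Style only: `#define AUDIT_ARG_PROTOCOL(prot) do{ \` is missing the space after `do` that every neighbouring macro has; make it `do { \` so the block reads uniformly.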
==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit_arg.c#3 (text) ====
@@ -915,3 +915,17 @@
VFS_UNLOCK_GIANT(vfslocked);
fdrop(fp, td);
}
+
+/* Keeping track of NFS protocols used in NFS RPCs */
+void
+audit_arg_protocol(int protocol)
+{
+ struct kaudit_record *ar;
+
+ ar = currecord();
+ if (ar == NULL)
+ return;
+
+ ar->k_ar.ar_arg_protocol = protocol;
+ ARG_SET_VALID(ar, ARG_PROTOCOL);
+}
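Review bot: `audit_arg_protocol(int protocol)` stores into `ar_arg_protocol`, which the audit_private.h hunk declares as `u_int`; pick one type for both so the value round-trips without an implicit sign conversion. The comment should also state what the value is, since nothing here validates it: `/* Record the NFS protocol version (an ND_NFSV* nd_flag bit) for the current NFS RPC record. */`.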
==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit_bsm.c#13 (text) ====
@@ -1608,6 +1608,11 @@
tok = au_to_text(ar->ar_arg_text);
kau_write(rec, tok);
}
+ if (ARG_IS_VALID(kar, ARG_PROTOCOL)) {
+ tok = au_to_text(audit_protocol_to_text(ar->ar_arg_protocol));
+ kau_write(rec, tok);
+ }
+
break;
case AUE_NFS_READ:
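Review bot: Emitting the protocol as a bare text token right after the `ar_arg_text` text token leaves a consumer with two unlabeled text tokens in the same record and no way to tell which is which, which is the concern the change description raises. An existing labelled token avoids a new token type: `tok = au_to_arg32(1, "nfs protocol", ar->ar_arg_protocol);` (or keep text but prefix it, e.g. "protocol=NFSv3"). The identical four-line stanza is also pasted into seven cases in this file; a small static helper taking `rec` and `kar` would keep them in step.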
@@ -1621,6 +1626,10 @@
tok = au_to_text(ar->ar_arg_text);
kau_write(rec, tok);
}
+ if (ARG_IS_VALID(kar, ARG_PROTOCOL)) {
+ tok = au_to_text(audit_protocol_to_text(ar->ar_arg_protocol));
+ kau_write(rec, tok);
+ }
break;
case AUE_NFS_NOOP:
@@ -1629,6 +1638,10 @@
tok = au_to_text(ar->ar_arg_text);
kau_write(rec, tok);
}
+ if (ARG_IS_VALID(kar, ARG_PROTOCOL)) {
+ tok = au_to_text(audit_protocol_to_text(ar->ar_arg_protocol));
+ kau_write(rec, tok);
+ }
break;
case AUE_NFS_SYMLINK:
@@ -1636,6 +1649,10 @@
tok = au_to_arg32(3, "mode", ar->ar_arg_mode);
kau_write(rec, tok);
}
+ if (ARG_IS_VALID(kar, ARG_PROTOCOL)) {
+ tok = au_to_text(audit_protocol_to_text(ar->ar_arg_protocol));
+ kau_write(rec, tok);
+ }
/* FALLTHROUGH */
case AUE_NFS_LINK:
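Review bot: The protocol stanza added inside `case AUE_NFS_SYMLINK:` sits above the `/* FALLTHROUGH */` into `case AUE_NFS_LINK:`, and the next hunk adds the same stanza to the LINK case, so every symlink record carries the protocol token twice (once before the LINK tokens, once after). Drop the SYMLINK copy and rely on the one in the LINK case, which the fallthrough already reaches. The mode-argument lines of the SYMLINK case start before the hunk.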
@@ -1646,6 +1663,10 @@
tok = au_to_text(ar->ar_arg_text);
kau_write(rec, tok);
}
+ if (ARG_IS_VALID(kar, ARG_PROTOCOL)) {
+ tok = au_to_text(audit_protocol_to_text(ar->ar_arg_protocol));
+ kau_write(rec, tok);
+ }
break;
/* XXXgpf: temporary fallthrough for nfsv4 events */
@@ -1661,6 +1682,10 @@
tok = au_to_text(ar->ar_arg_text);
kau_write(rec, tok);
}
+ if (ARG_IS_VALID(kar, ARG_PROTOCOL)) {
+ tok = au_to_text(audit_protocol_to_text(ar->ar_arg_protocol));
+ kau_write(rec, tok);
+ }
break;
/* XXXgpf: temporary fallthrough for nfsv4 events */
@@ -1685,6 +1710,10 @@
tok = au_to_text(ar->ar_arg_text);
kau_write(rec, tok);
}
+ if (ARG_IS_VALID(kar, ARG_PROTOCOL)) {
+ tok = au_to_text(audit_protocol_to_text(ar->ar_arg_protocol));
+ kau_write(rec, tok);
+ }
break;
case AUE_WAIT4:
==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit_bsm_klib.c#2 (text) ====
@@ -554,3 +554,35 @@
}
sbuf_finish(&sbf);
}
+
+char *
+audit_protocol_to_text(int protocol)
+{
+ char *protocols[] = {
+ "NFSv2",
+ "NFSv3",
+ "NFSv4",
+ "Unknown Protocol"
+ };
+ char *prot;
+
+ switch (protocol) {
+ case ND_NFSV2:
+ prot = protocols[0];
+ break;
+
+ case ND_NFSV3:
+ prot = protocols[1];
+ break;
+
+ case ND_NFSV4:
+ prot = protocols[2];
+ break;
+
+ default:
+ prot = protocols[3];
+ break;
+ }
+
+ return prot;
+}
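Review bot: `audit_protocol_to_text` returns a `char *` to string literals through a non-const array that is rebuilt on every call; a writer through the returned pointer would be undefined behaviour, and nothing here needs the table at all. Return `const char *` (with the matching prototype in audit_private.h) and switch directly on the value; this assumes au_to_text accepts a `const char *`, which is worth confirming. Note also that the switch makes the audit library depend on the NFS-server ND_NFSV* constants, so audit_bsm_klib.c must include whichever nfs.h defines them, and both servers must define the same values.
```c
const char *
audit_protocol_to_text(int protocol)
{

	switch (protocol) {
	case ND_NFSV2:
		return ("NFSv2");
	case ND_NFSV3:
		return ("NFSv3");
	case ND_NFSV4:
		return ("NFSv4");
	default:
		return ("Unknown Protocol");
	}
}
```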
==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit_private.h#4 (text) ====
@@ -229,6 +229,7 @@
int ar_arg_exitstatus;
int ar_arg_exitretval;
struct sockaddr_storage ar_arg_sockaddr;
+ u_int ar_arg_protocol;
};
/*
@@ -288,6 +289,8 @@
#define ARG_ENVV 0x0002000000000000ULL
#define ARG_ATFD1 0x0004000000000000ULL
#define ARG_ATFD2 0x0008000000000000ULL
+#define ARG_FTYPE 0x0010000000000000ULL
+#define ARG_PROTOCOL 0x0020000000000000ULL
#define ARG_NONE 0x0000000000000000ULL
#define ARG_ALL 0xFFFFFFFFFFFFFFFFULL
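Review bot: `ARG_FTYPE 0x0010000000000000ULL` is added here but is not referenced anywhere else in this change; if it belongs to a different change it should go with that one, otherwise a comment saying what it is reserved for would stop it looking like a stray. `ARG_PROTOCOL` is fine, but the field it validates is declared `u_int` while audit_arg_protocol takes `int`; align the two.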
@@ -397,6 +400,7 @@
au_event_t audit_semctl_to_event(int cmr);
void audit_canon_path(struct thread *td, char *path, char *cpath);
au_event_t auditon_command_event(int cmd);
+char * audit_protocol_to_text(int protocol);
/*
* Audit trigger events notify user space of kernel audit conditions