PERFORCE change 180631 for review
Efstratios Karatzas
gpf at FreeBSD.org
Thu Jul 8 13:04:06 UTC 2010
http://p4web.freebsd.org/@@180631?ac=10
Change 180631 by gpf at gpf_desktop on 2010/07/08 13:04:03
- audit paths & vnode info for those nfsv4 rpcs that we have to.
This is not done for open* rpcs yet, they deserve special handling.
- nfsv3 rpc 'mknod' + nfsv4 rpc 'create' can create files of
various types. So I guess it makes sense to audit what kind of
file is created each time. Again, when creating the bsm record
I use a text field for this information; perhaps it would be
best to create a new token type and make praudit responsible
for converting the vnode type (int) into something we can
understand (char *).
also, some minor fixes & changes here and there.
Affected files ...
.. //depot/projects/soc2010/gpf_audit/freebsd/src/contrib/openbsm/etc/audit_event#6 edit
.. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/fs/nfsserver/nfs_nfsdport.c#8 edit
.. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/fs/nfsserver/nfs_nfsdserv.c#10 edit
.. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/fs/nfsserver/nfs_nfsdsocket.c#13 edit
.. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/nfsserver/nfs_serv.c#18 edit
.. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/nfsserver/nfs_srvkrpc.c#8 edit
.. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit.h#8 edit
.. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit_arg.c#4 edit
.. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit_bsm.c#14 edit
.. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit_bsm_klib.c#3 edit
.. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit_private.h#5 edit
Differences ...
==== //depot/projects/soc2010/gpf_audit/freebsd/src/contrib/openbsm/etc/audit_event#6 (text) ====
@@ -395,7 +395,7 @@
2027:AUE_NFS_LOCK:nfsrv_lock():fm
2028:AUE_NFS_LOCKT:nfsrv_lockt():fm
2029:AUE_NFS_LOCKU:nfsrv_locku():fm
-2030:AUE_NFS_LOOKUPP:nfsrv_lockupp():fa,ad
+2030:AUE_NFS_LOOKUPP:nfsrv_lookupp():fa,ad
2031:AUE_NFS_NVERIFY:nfsrv_nverify():fa
2032:AUE_NFS_OPEN:nfsrv_open():fa,fc
2033:AUE_NFS_OPENATTR:nfsrv_openattr():fa
==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/fs/nfsserver/nfs_nfsdport.c#8 (text+ko) ====
@@ -772,6 +772,8 @@
return (ENXIO);
}
*vpp = ndp->ni_vp;
+ if (!error)
+ AUDIT_ARG_VNODE1(ndp->ni_vp);
} else {
/*
* Handle cases where error is already set and/or
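Review bot: `AUDIT_ARG_VNODE1(ndp->ni_vp)` is reached whenever `error == 0` without checking that `ni_vp` is actually set; the nfs_nfsdserv.c hunks in this same change guard the identical macro with `if (vp != NULL)`, which suggests a successful lookup does not always carry a vnode (presumably a CREATE-style lookup of a name that does not exist yet). audit_arg_vnode1() also performs a VOP_GETATTR() on the vnode and, in the stock audit code, asserts that it is locked, so the call should only sit where the vnode is still locked. `if (!error && ndp->ni_vp != NULL)` would at least close the NULL case; the second hunk in this file, just before `return (error);`, has the same shape and needs the same guard. The enclosing function starts before this hunk.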
@@ -859,6 +861,8 @@
* see any reason to do the lookup.
*/
}
+ if (!error)
+ AUDIT_ARG_VNODE1(ndp->ni_vp);
return (error);
}
==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/fs/nfsserver/nfs_nfsdserv.c#10 (text+ko) ====
@@ -1007,8 +1007,6 @@
&exclusive_flag, cverf, rdev, p, exp);
if (!nd->nd_repstat) {
- if (vp != NULL)
- AUDIT_ARG_VNODE1(vp);
nd->nd_repstat = nfsvno_getfh(vp, &fh, p, named.ni_dvp);
if (!nd->nd_repstat)
nd->nd_repstat = nfsvno_getattr(vp, &nva, nd->nd_cred,
@@ -1082,8 +1080,8 @@
if (nd->nd_flag & ND_NFSV4) {
NFSM_DISSECT(tl, u_int32_t *, NFSX_UNSIGNED);
vtyp = nfsv34tov_type(*tl);
+ AUDIT_ARG_VTYPE(vtyp);
nfs4type = fxdr_unsigned(nfstype, *tl);
- /* lalala */
switch (nfs4type) {
case NFLNK:
error = nfsvno_getsymlink(nd, &nva, p, &pathcp,
@@ -1135,6 +1133,7 @@
if (nd->nd_flag & ND_NFSV3) {
NFSM_DISSECT(tl, u_int32_t *, NFSX_UNSIGNED);
vtyp = nfsv34tov_type(*tl);
+ AUDIT_ARG_VTYPE(vtyp);
}
error = nfsrv_sattr(nd, &nva, &attrbits, aclp, p);
if (error) {
@@ -1234,7 +1233,6 @@
nd->nd_repstat = nfsvno_mknod(&named, &nva, nd->nd_cred, p);
if (!nd->nd_repstat) {
vp = named.ni_vp;
- AUDIT_ARG_VNODE1(vp);
nfsrv_fixattr(nd, vp, &nva, aclp, p, &attrbits, exp);
nd->nd_repstat = nfsvno_getfh(vp, fhp, p, named.ni_dvp);
if ((nd->nd_flag & ND_NFSV3) && !nd->nd_repstat)
@@ -2094,6 +2092,8 @@
nfsv4stateid_t stateid;
nfsquad_t clientid;
+ if (vp != NULL)
+ AUDIT_ARG_VNODE1(vp);
NFSM_DISSECT(tl, u_int32_t *, 7 * NFSX_UNSIGNED);
i = fxdr_unsigned(int, *tl++);
switch (i) {
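Review bot: The two-line `if (vp != NULL) AUDIT_ARG_VNODE1(vp);` prologue added at the top of this op is repeated verbatim in the five following hunks of this file (the ops near lines 2267, 2374, 2861, 2937 and 3385 of the new file). nfs_nfsdsocket.c in this change already wraps the op dispatch in a central `if (vp != NULL)` block for nfsrv_auditpath(), so the vnode audit could be done once there, next to the `vref(vp)`, rather than per op; that also stops it from being forgotten in ops that are audited later. If the per-op copies stay, each op should be sure that `vp` is locked at that point, since audit_arg_vnode1() does a VOP_GETATTR() on it, unless the compound dispatcher already hands these ops a locked vnode. The enclosing functions all start outside their hunks.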
@@ -2267,6 +2267,8 @@
nfsquad_t clientid;
u_int64_t len;
+ if (vp != NULL)
+ AUDIT_ARG_VNODE1(vp);
NFSM_DISSECT(tl, u_int32_t *, 8 * NFSX_UNSIGNED);
i = fxdr_unsigned(int, *(tl + 7));
if (i <= 0 || i > NFSV4_OPAQUELIMIT) {
@@ -2374,6 +2376,8 @@
nfsquad_t clientid;
u_int64_t len;
+ if (vp != NULL)
+ AUDIT_ARG_VNODE1(vp);
NFSM_DISSECT(tl, u_int32_t *, 6 * NFSX_UNSIGNED + NFSX_STATEID);
MALLOC(stp, struct nfsstate *, sizeof (struct nfsstate),
M_NFSDSTATE, M_WAITOK);
@@ -2861,7 +2865,9 @@
int error = 0;
nfsv4stateid_t stateid;
nfsquad_t clientid;
-
+
+ if (vp != NULL)
+ AUDIT_ARG_VNODE1(vp);
NFSM_DISSECT(tl, u_int32_t *, NFSX_UNSIGNED + NFSX_STATEID);
stp->ls_seq = fxdr_unsigned(u_int32_t, *tl++);
stp->ls_ownerlen = 0;
@@ -2937,6 +2943,8 @@
nfsv4stateid_t stateid;
nfsquad_t clientid;
+ if (vp != NULL)
+ AUDIT_ARG_VNODE1(vp);
NFSM_DISSECT(tl, u_int32_t *, NFSX_STATEID);
stateid.seqid = fxdr_unsigned(u_int32_t, *tl++);
NFSBCOPY((caddr_t)tl, (caddr_t)stateid.other, NFSX_STATEIDOTHER);
@@ -3385,6 +3393,8 @@
struct nfsfsinfo fs;
fhandle_t fh;
+ if (vp != NULL)
+ AUDIT_ARG_VNODE1(vp);
nd->nd_repstat = nfsvno_getattr(vp, &nva, nd->nd_cred, p);
if (!nd->nd_repstat)
nd->nd_repstat = nfsvno_statfs(vp, &sf);
==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/fs/nfsserver/nfs_nfsdsocket.c#13 (text+ko) ====
@@ -741,8 +741,6 @@
AUDIT_ARG_SOCKADDR_IN((struct sockaddr_in *)nd->nd_nam);
AUDIT_ARG_PROTOCOL(ND_NFSV4);
switch (op) {
- /* xxx gpf dbg */
- printf("op = %d\n", op);
case NFSV4OP_PUTFH:
error = nfsrv_mtofh(nd, &fh);
if (error) {
@@ -897,6 +895,7 @@
else {
(void) nfsm_fhtom(nd, (u_int8_t *)fh.nfsrvfh_data, 0, 0);
error = nd->nd_repstat = 0;
+ nfsrv_auditpath(vp, NULL, NULL, (fhandle_t *)fh.nfsrvfh_data, 1);
}
break;
default:
@@ -1035,9 +1034,16 @@
}
break;
}
- /* lalala */
+ if (vp != NULL)
+ vref(vp);
error = (*(nfsrv4_ops0[op]))(nd, isdgram, vp,
p, &vpnes);
+ if (vp != NULL) {
+ if (nd->nd_procnum != NFSV4OP_REMOVE)
+ nfsrv_auditpath(vp, NULL, NULL,
+ (fhandle_t *)fh.nfsrvfh_data, 1);
+ vrele(vp);
+ }
if (nfsv4_opflag[op].modifyfs)
NFS_ENDWRITE(mp);
} else {
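Review bot: The `vref(vp)`/`vrele(vp)` pair around the op dispatch is taken for every NFSv4 compound op whether or not the thread is being audited, so the audit-off path now pays a reference-count round trip and keeps an extra vnode reference live across every op solely so that `vp` survives for nfsrv_auditpath(). Guarding both sides with the predicate the AUDIT_ARG_* macros use, `if (vp != NULL && AUDITING_TD(curthread))` before the call and again after it, leaves the audit-disabled path as it was; the two sides must agree, so cache the condition in a local if AUDITING_TD() can change while the op runs. The exclusion test reads `nd->nd_procnum` while the dispatch is keyed on `op`; unless nd_procnum is set to the current op before each dispatch, `if (op != NFSV4OP_REMOVE)` is the safer spelling. The REMOVE exception also deserves a one-line comment saying why the path is not audited after that op, presumably because the name is gone by then. The enclosing function starts before this hunk.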
==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/nfsserver/nfs_serv.c#18 (text+ko) ====
@@ -1850,6 +1850,7 @@
tl = nfsm_dissect_nonblock(u_int32_t *, NFSX_UNSIGNED);
vtyp = nfsv3tov_type(*tl);
+ AUDIT_ARG_VTYPE(vtyp);
if (vtyp != VCHR && vtyp != VBLK && vtyp != VSOCK && vtyp != VFIFO) {
error = NFSERR_BADTYPE;
goto out;
==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/nfsserver/nfs_srvkrpc.c#8 (text+ko) ====
@@ -353,12 +353,12 @@
}
nfsrvstats.srvrpccnt[nd.nd_procnum]++;
- AUDIT_NFS_ENTER(procnum, nd.nd_cr, td, ND_NFSV3);
- AUDIT_ARG_SOCKADDR_IN((struct sockaddr_in *)nd.nd_nam);
if (flag)
protocol = ND_NFSV3;
else
protocol = ND_NFSV2;
+ AUDIT_NFS_ENTER(procnum, nd.nd_cr, td, protocol);
+ AUDIT_ARG_SOCKADDR_IN((struct sockaddr_in *)nd.nd_nam);
AUDIT_ARG_PROTOCOL(protocol);
error = proc(&nd, NULL, &mrep);
AUDIT_NFS_EXIT(nd.nd_repstat, td);
==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit.h#8 (text) ====
@@ -129,6 +129,7 @@
void audit_thread_alloc(struct thread *td);
void audit_thread_free(struct thread *td);
void audit_arg_protocol(int protocol);
+void audit_arg_vtype(int vtype);
/*
* Define macros to wrap the audit_arg_* calls by checking the global
@@ -236,7 +237,7 @@
audit_arg_process((p)); \
} while (0)
-#define AUDIT_ARG_PROTOCOL(prot) do{ \
+#define AUDIT_ARG_PROTOCOL(prot) do { \
if (AUDITING_TD(curthread)) \
audit_arg_protocol((prot)); \
} while (0)
@@ -311,6 +312,11 @@
audit_arg_vnode2((vp)); \
} while (0)
+#define AUDIT_ARG_VTYPE(vtype) do { \
+ if (AUDITING_TD(curthread)) \
+ audit_arg_vtype((vtype)); \
+} while (0)
+
#define AUDIT_SYSCALL_ENTER(code, td) do { \
if (audit_enabled) { \
audit_syscall_enter(code, td); \
@@ -368,10 +374,12 @@
#define AUDIT_ARG_OWNER(uid, gid)
#define AUDIT_ARG_PID(pid)
#define AUDIT_ARG_PROCESS(p)
+#define AUDIT_ARG_PROTOCOL(prot)
#define AUDIT_ARG_RGID(rgid)
#define AUDIT_ARG_RUID(ruid)
#define AUDIT_ARG_SIGNUM(signum)
#define AUDIT_ARG_SGID(sgid)
+#define AUDIT_ARG_SOCKADDR_IN(sin)
#define AUDIT_ARG_SOCKET(sodomain, sotype, soprotocol)
#define AUDIT_ARG_SUID(suid)
#define AUDIT_ARG_TEXT(text)
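Review bot: The empty `#define`s added to this no-AUDIT list cover AUDIT_ARG_PROTOCOL and AUDIT_ARG_SOCKADDR_IN, but nfs_srvkrpc.c in this change also calls AUDIT_NFS_ENTER() and AUDIT_NFS_EXIT(), and nfs_nfsdsocket.c calls nfsrv_auditpath(); unless those already have empty definitions in this `#else` branch (not visible in the hunk), a kernel built without `options AUDIT` will no longer compile. Worth confirming with a no-AUDIT build, since the next hunk adding `#define AUDIT_ARG_VTYPE(vtype)` shows the pattern every new audit macro needs here.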
@@ -381,6 +389,7 @@
#define AUDIT_ARG_VALUE(value)
#define AUDIT_ARG_VNODE1(vp)
#define AUDIT_ARG_VNODE2(vp)
+#define AUDIT_ARG_VTYPE(vtype)
#define AUDIT_SYSCALL_ENTER(code, td)
#define AUDIT_SYSCALL_EXIT(error, td)
==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit_arg.c#4 (text) ====
@@ -916,7 +916,9 @@
fdrop(fp, td);
}
-/* Keeping track of NFS protocols used in NFS RPCs */
+/*
+ * Audit the NFS protocol used in NFS RPCs
+ */
void
audit_arg_protocol(int protocol)
{
@@ -929,3 +931,19 @@
ar->k_ar.ar_arg_protocol = protocol;
ARG_SET_VALID(ar, ARG_PROTOCOL);
}
+
+/*
+ * Audit the vnode type of the file created by some NFS RPC
+ */
+void
+audit_arg_vtype(int vtype)
+{
+ struct kaudit_record *ar;
+
+ ar = currecord();
+ if (ar == NULL)
+ return;
+
+ ar->k_ar.ar_arg_vtype = vtype;
+ ARG_SET_VALID(ar, ARG_VTYPE);
+}
==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit_bsm.c#14 (text) ====
@@ -1581,9 +1581,15 @@
kau_write(rec, tok);
break;
- case AUE_NFS_CREATE:
+ case AUE_NFS_CREATE:
+ case AUE_NFS_MKNOD:
+ if (ARG_IS_VALID(kar, ARG_VTYPE)) {
+ tok = au_to_text(audit_vtype_to_text(ar->ar_arg_vtype));
+ kau_write(rec, tok);
+ }
+
+ /* FALLTHROUGH */
case AUE_NFS_MKDIR:
- case AUE_NFS_MKNOD:
if (ARG_IS_VALID(kar, ARG_MODE)) {
tok = au_to_arg32(3, "mode", ar->ar_arg_mode);
kau_write(rec, tok);
@@ -1675,8 +1681,20 @@
case AUE_NFS_PUTROOTFH:
case AUE_NFS_RESTOREFH:
case AUE_NFS_SAVEFH:
+ case AUE_NFS_LOOKUPP:
+ case AUE_NFS_CLOSE:
+ case AUE_NFS_DELEGRETURN:
+ case AUE_NFSv4_GETFH:
+ case AUE_NFS_LOCK:
+ case AUE_NFS_LOCKT:
+ case AUE_NFS_LOCKU:
+ case AUE_NFS_NVERIFY:
case AUE_NFS_OPEN:
- case AUE_NFS_LOOKUPP:
+ case AUE_NFS_OPENATTR:
+ case AUE_NFS_OPENCONFIRM:
+ case AUE_NFS_OPENDOWNGRADE:
+ case AUE_NFS_VERIFY:
+ case AUE_NFS_SECINFO:
UPATH1_VNODE1_TOKENS;
if (ARG_IS_VALID(kar, ARG_TEXT)) {
tok = au_to_text(ar->ar_arg_text);
@@ -1689,22 +1707,10 @@
break;
/* XXXgpf: temporary fallthrough for nfsv4 events */
- case AUE_NFS_CLOSE:
case AUE_NFS_DELEGPURGE:
- case AUE_NFS_DELEGRETURN:
- case AUE_NFSv4_GETFH:
- case AUE_NFS_LOCK:
- case AUE_NFS_LOCKT:
- case AUE_NFS_LOCKU:
- case AUE_NFS_NVERIFY:
- case AUE_NFS_OPENATTR:
- case AUE_NFS_OPENCONFIRM:
- case AUE_NFS_OPENDOWNGRADE:
case AUE_NFS_RENEW:
- case AUE_NFS_SECINFO:
case AUE_NFS_SETCLIENTID:
case AUE_NFS_SETCLIENTIDCFRM:
- case AUE_NFS_VERIFY:
case AUE_NFS_RELEASELCKOWN:
if (ARG_IS_VALID(kar, ARG_TEXT)) {
tok = au_to_text(ar->ar_arg_text);
==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit_bsm_klib.c#3 (text) ====
@@ -586,3 +586,27 @@
return prot;
}
+
+char *
+audit_vtype_to_text(int vtype)
+{
+ char *vtypes[] = {
+ "VNON",
+ "VREG",
+ "VDIR",
+ "VBLK",
+ "VCHR",
+ "VLNK",
+ "VSOCK",
+ "VFIFO",
+ "VBAD",
+ "VMARKER"
+ };
+
+ if (vtype != VCHR && vtype != VBLK && vtype != VSOCK && vtype != VFIFO
+ && vtype != VNON && vtype != VREG && vtype != VDIR && vtype != VLNK
+ && vtype != VBAD && vtype != VMARKER)
+ return vtypes[VBAD];
+ else
+ return vtypes[vtype];
+}
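Review bot: `vtypes` is a non-static array of ten pointers rebuilt on the stack on every call, and the lookup is only correct because the initializer order happens to match the numeric order of `enum vtype`, with nothing tying the two together; since `vtype` ultimately comes from a client-supplied RPC value (via the `AUDIT_ARG_VTYPE(vtyp)` calls in the NFS hunks), the bounds check must stay, but the ten-way `!=` chain is a fragile way to express it. Making the table `static`, keying the initializer on the enum constants, and replacing the chain with a bounds check plus a NULL-slot check keeps the function safe even if the enum gains or reorders members. The strings are literals, so `const char *` would be the honest return type, but keeping `char *` matches audit_protocol_to_text() above and whatever au_to_text() accepts, and a short comment should say that `vtype` is not trusted.
```c
char *
audit_vtype_to_text(int vtype)
{
	static char *const vtypes[] = {
		[VNON] = "VNON",
		[VREG] = "VREG",
		[VDIR] = "VDIR",
		[VBLK] = "VBLK",
		[VCHR] = "VCHR",
		[VLNK] = "VLNK",
		[VSOCK] = "VSOCK",
		[VFIFO] = "VFIFO",
		[VBAD] = "VBAD",
		[VMARKER] = "VMARKER",
	};

	/* vtype originates from the RPC argument; never index the table blindly. */
	if (vtype < 0 || (size_t)vtype >= sizeof(vtypes) / sizeof(vtypes[0]) ||
	    vtypes[vtype] == NULL)
		return vtypes[VBAD];
	return vtypes[vtype];
}
```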
==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit_private.h#5 (text) ====
@@ -229,7 +229,8 @@
int ar_arg_exitstatus;
int ar_arg_exitretval;
struct sockaddr_storage ar_arg_sockaddr;
- u_int ar_arg_protocol;
+ int ar_arg_protocol;
+ int ar_arg_vtype;
};
/*
@@ -289,7 +290,7 @@
#define ARG_ENVV 0x0002000000000000ULL
#define ARG_ATFD1 0x0004000000000000ULL
#define ARG_ATFD2 0x0008000000000000ULL
-#define ARG_FTYPE 0x0010000000000000ULL
+#define ARG_VTYPE 0x0010000000000000ULL
#define ARG_PROTOCOL 0x0020000000000000ULL
#define ARG_NONE 0x0000000000000000ULL
#define ARG_ALL 0xFFFFFFFFFFFFFFFFULL
@@ -401,6 +402,7 @@
void audit_canon_path(struct thread *td, char *path, char *cpath);
au_event_t auditon_command_event(int cmd);
char * audit_protocol_to_text(int protocol);
+char * audit_vtype_to_text(int vtype);
/*
* Audit trigger events notify user space of kernel audit conditions