PERFORCE change 180657 for review

Thu Jul 8 19:01:38 UTC 2010

http://p4web.freebsd.org/@@180657?ac=10

Change 180657 by gpf at gpf_desktop on 2010/07/08 19:00:38

	- audit vnode info for nfsv4 open* rpcs
	
	- instead of having just one AUE for nfsv4 rpc 'open', it's
	better to differentiate between multiple AUEs, each for the 
	way we are opening the file, just like we do for open(2).
	The problem with my implementation is that I'm ignoring 
	deny_shares, this does not seem to be right but, *if* my 
	understanding is correct, FreeBSD does not support deny_shares
	and we just use deny_none anyway. I may have to take another 
	look at this in the future but for now, it's working and I'm 
	moving on.	
	
	This may need to be done for other NFS RPCs, I'm investigating it.

Affected files ...

.. //depot/projects/soc2010/gpf_audit/freebsd/src/contrib/openbsm/etc/audit_event#7 edit
.. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/bsm/audit_kevents.h#5 edit
.. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/fs/nfs/nfs.h#2 edit
.. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/fs/nfsserver/nfs_nfsdserv.c#11 edit
.. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit.c#9 edit
.. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit_bsm.c#15 edit
.. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit_bsm_klib.c#4 edit
.. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit_private.h#6 edit

Differences ...

==== //depot/projects/soc2010/gpf_audit/freebsd/src/contrib/openbsm/etc/audit_event#7 (text) ====

@@ -397,7 +397,7 @@
 2029:AUE_NFS_LOCKU:nfsrv_locku():fm
 2030:AUE_NFS_LOOKUPP:nfsrv_lookupp():fa,ad
 2031:AUE_NFS_NVERIFY:nfsrv_nverify():fa
-2032:AUE_NFS_OPEN:nfsrv_open():fa,fc
+2032:AUE_NFS_OPEN:nfsrv_open():fa
 2033:AUE_NFS_OPENATTR:nfsrv_openattr():fa
 2034:AUE_NFS_OPENCONFIRM:nfsrv_openconfirm():fa
 2035:AUE_NFS_OPENDOWNGRADE:nfsrv_opendowngrade():fm
@@ -412,6 +412,18 @@
 2044:AUE_NFS_SETCLIENTIDCFRM:nfsrv_setclientidcfrm():aa
 2045:AUE_NFS_VERIFY:nfsrv_verify():fa
 2046:AUE_NFS_RELEASELCKOWN:nfsrv_releaselckown():ad
+2047:AUE_NFS_OPEN_R:nfsrv_open() - read:fr
+2048:AUE_NFS_OPEN_RC:nfsrv_open() - read, creat:fr,fc,fa,fm
+2049:AUE_NFS_OPEN_RTC:nfsrv_open() - read, trunc, creat:fr,fd,fc,fa,fm
+2050:AUE_NFS_OPEN_RT:nfsrv_open() - read, trunc:fr,fd,fa,fm
+2051:AUE_NFS_OPEN_RW:nfsrv_open() - read, write:fr,fw
+2052:AUE_NFS_OPEN_RWC:nfsrv_open() - read, write, creat:fr,fw,fc,fa,fm
+2053:AUE_NFS_OPEN_RWTC:nfsrv_open() - read, write, trunc, creat:fr,fw,fd,fc,fa,fm
+2054:AUE_NFS_OPEN_RWT:nfsrv_open() - read, write, trunc:fr,fw,fd,fa,fm
+2055:AUE_NFS_OPEN_W:nfsrv_open() - write:fw
+2056:AUE_NFS_OPEN_WC:nfsrv_open() - write, creat:fw,fc,fa,fm
+2057:AUE_NFS_OPEN_WTC:nfsrv_open() - write, trunc, creat:fw,fd,fc,fa,fm
+2058:AUE_NFS_OPEN_WT:nfsrv_open() - write, trunc:fw,fd,fa,fm
 #
 # OpenBSM-specific kernel events.
 #

==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/bsm/audit_kevents.h#5 (text) ====

@@ -435,6 +435,18 @@
 #define	AUE_NFS_SETCLIENTIDCFRM 2044
 #define	AUE_NFS_VERIFY 2045
 #define	AUE_NFS_RELEASELCKOWN 2046
+#define	AUE_NFS_OPEN_R 2047
+#define	AUE_NFS_OPEN_RC 2048
+#define	AUE_NFS_OPEN_RTC 2049
+#define	AUE_NFS_OPEN_RT 2050
+#define	AUE_NFS_OPEN_RW 2051
+#define	AUE_NFS_OPEN_RWC 2052
+#define	AUE_NFS_OPEN_RWTC 2053
+#define	AUE_NFS_OPEN_RWT 2054
+#define	AUE_NFS_OPEN_W 2055
+#define	AUE_NFS_OPEN_WC 2056
+#define	AUE_NFS_OPEN_WTC 2057
+#define	AUE_NFS_OPEN_WT 2058
 
 /*
  * Audit event identifiers added as part of OpenBSM, generally corresponding

==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/fs/nfs/nfs.h#2 (text+ko) ====

@@ -273,6 +273,10 @@
 
 #define	LCL_GSS		LCL_KERBV	/* Or of all mechs */
 
+/* flags for auditing the open RPC */
+#define NFS_CREATE		0x00000010
+#define NFS_TRUNC		0x00000020
+
 /*
  * Bits for flags in nfslock and nfsstate.
  * The access, deny, NFSLCK_READ and NFSLCK_WRITE bits must be defined as

==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/fs/nfsserver/nfs_nfsdserv.c#11 (text+ko) ====

@@ -2479,6 +2479,7 @@
 	char *bufp = NULL;
 	u_long *hashp;
 	NFSACL_T *aclp = NULL;
+	int AUDIT_flags = 0;
 
 #ifdef NFS4_ACL_EXTATTR_NAME
 	aclp = acl_alloc(M_WAITOK);
@@ -2534,6 +2535,8 @@
 	default:
 		nd->nd_repstat = NFSERR_INVAL;
 	};
+	AUDIT_flags = stp->ls_flags & ( NFSLCK_READACCESS | NFSLCK_WRITEACCESS 
+					| NFSLCK_READDENY | NFSLCK_WRITEDENY);
 	clientid.lval[0] = *tl++;
 	clientid.lval[1] = *tl;
 	if (nd->nd_flag & ND_IMPLIEDCLID) {
@@ -2555,6 +2558,8 @@
 	NFSVNO_ATTRINIT(&nva);
 	NFSM_DISSECT(tl, u_int32_t *, NFSX_UNSIGNED);
 	create = fxdr_unsigned(int, *tl);
+	if (create)
+		AUDIT_flags |= NFS_CREATE;
 	if (!nd->nd_repstat)
 		nd->nd_repstat = nfsvno_getattr(dp, &dirfor, nd->nd_cred, p);
 	if (create == NFSV4OPEN_CREATE) {
@@ -2565,7 +2570,7 @@
 		switch (how) {
 		case NFSCREATE_UNCHECKED:
 		case NFSCREATE_GUARDED:
-			error = nfsv4_sattr(nd, &nva, &attrbits, aclp, p);
+			error = nfsv4_sattr(nd, &nva, &attrbits, aclp, p);			
 			if (error) {
 				vrele(dp);
 #ifdef NFS4_ACL_EXTATTR_NAME
@@ -2688,6 +2693,9 @@
 				nva.na_mode = 0;
 		    };
 		}
+		/* XXXgpf: not sure this means that we are to truncate the file */
+		if (NFSVNO_ISSETSIZE(&nva) && nva.na_size == 0)
+			AUDIT_flags |= NFS_TRUNC;
 		nfsvno_open(nd, &named, clientid, &stateid, stp,
 		    &exclusive_flag, &nva, cverf, create, aclp, &attrbits,
 		    nd->nd_cred, p, exp, &vp);
@@ -2725,6 +2733,7 @@
 		FREE((caddr_t)stp, M_NFSDSTATE);
 		return (0);
 	}
+	AUDIT_ARG_FFLAGS(AUDIT_flags);
 
 	/*
 	 * Do basic access checking.
@@ -2771,8 +2780,10 @@
 	 * below, to avoid a deadlock with the lookup in nfsvno_namei() above.
 	 * (ie: Leave the NFSVOPUNLOCK() about here.)
 	 */
-	if (vp)
+	if (vp) {
+		AUDIT_ARG_VNODE1(vp);
 		NFSVOPUNLOCK(vp, 0, p);
+	}
 	if (stp)
 		FREE((caddr_t)stp, M_NFSDSTATE);
 	if (!nd->nd_repstat && dirp)
@@ -2993,6 +3004,8 @@
 	nfsv4stateid_t stateid;
 	nfsquad_t clientid;
 
+	if (vp != NULL)
+		AUDIT_ARG_VNODE1(vp);
 	NFSM_DISSECT(tl, u_int32_t *, NFSX_STATEID + NFSX_UNSIGNED);
 	stp->ls_ownerlen = 0;
 	stp->ls_op = nd->nd_rp;
@@ -3037,6 +3050,8 @@
 	nfsv4stateid_t stateid;
 	nfsquad_t clientid;
 
+	if (vp != NULL)
+		AUDIT_ARG_VNODE1(vp);
 	NFSM_DISSECT(tl, u_int32_t *, NFSX_STATEID + 3 * NFSX_UNSIGNED);
 	stp->ls_ownerlen = 0;
 	stp->ls_op = nd->nd_rp;

==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit.c#9 (text) ====

@@ -437,6 +437,10 @@
 		/* Convert the auditon() command to an event. */
 		ar->k_ar.ar_event = auditon_command_event(ar->k_ar.ar_arg_cmd);
 		break;
+		
+	case AUE_NFS_OPEN:
+		ar->k_ar.ar_event = audit_flags_to_nfs_openevent(ar->k_ar.ar_arg_fflags);
+		break;
 	}
 
 	auid = ar->k_ar.ar_subj_auid;

==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit_bsm.c#15 (text) ====

@@ -1676,6 +1676,18 @@
 		break;
 
 	/* XXXgpf: temporary fallthrough for nfsv4 events */
+	case AUE_NFS_OPEN_RC:
+	case AUE_NFS_OPEN_RTC:
+	case AUE_NFS_OPEN_RWC:
+	case AUE_NFS_OPEN_RWTC:
+	case AUE_NFS_OPEN_WC:
+	case AUE_NFS_OPEN_WTC:
+		if (ARG_IS_VALID(kar, ARG_MODE)) {
+			tok = au_to_arg32(3, "mode", ar->ar_arg_mode);
+			kau_write(rec, tok);
+		}
+	
+		/* FALLTHROUGH */
 	case AUE_NFS_PUTFH:
 	case AUE_NFS_PUTPUBFH:
 	case AUE_NFS_PUTROOTFH:
@@ -1690,6 +1702,12 @@
 	case AUE_NFS_LOCKU:
 	case AUE_NFS_NVERIFY:
 	case AUE_NFS_OPEN:
+	case AUE_NFS_OPEN_R:
+	case AUE_NFS_OPEN_RT:
+	case AUE_NFS_OPEN_RW:	
+	case AUE_NFS_OPEN_RWT:
+	case AUE_NFS_OPEN_W:	
+	case AUE_NFS_OPEN_WT:
 	case AUE_NFS_OPENATTR:
 	case AUE_NFS_OPENCONFIRM:
 	case AUE_NFS_OPENDOWNGRADE:

==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit_bsm_klib.c#4 (text) ====

@@ -112,6 +112,22 @@
 };
 static const int aue_openat_count = sizeof(aue_openat) / sizeof(aue_openat[0]);
 
+static const struct aue_open_event aue_nfs_open[] = {
+	{ NFS_READACCESS,				AUE_NFS_OPEN_R },
+	{ (NFS_READACCESS | NFS_CREATE),		AUE_NFS_OPEN_RC },
+	{ (NFS_READACCESS | NFS_CREATE | NFS_TRUNC),	AUE_NFS_OPEN_RTC },
+	{ (NFS_READACCESS | NFS_TRUNC),			AUE_NFS_OPEN_RT },
+	{ NFS_RWACCESS,					AUE_NFS_OPEN_RW },
+	{ (NFS_RWACCESS | NFS_CREATE),			AUE_NFS_OPEN_RWC },
+	{ (NFS_RWACCESS | NFS_CREATE | NFS_TRUNC),	AUE_NFS_OPEN_RWTC },
+	{ (NFS_RWACCESS | NFS_TRUNC),			AUE_NFS_OPEN_RWT },
+	{ NFS_WRITEACCESS,				AUE_NFS_OPEN_W },
+	{ (NFS_WRITEACCESS | NFS_CREATE),		AUE_NFS_OPEN_WC },
+	{ (NFS_WRITEACCESS | NFS_CREATE | NFS_TRUNC),	AUE_NFS_OPEN_WTC },
+	{ (NFS_WRITEACCESS | NFS_TRUNC),		AUE_NFS_OPEN_WT },
+};
+static const int aue_nfs_open_count = sizeof(aue_nfs_open) / sizeof(aue_nfs_open[0]);
+
 /*
  * Look up the class for an audit event in the class mapping table.
  */
@@ -319,6 +335,25 @@
 	return (AUE_OPENAT);
 }
 
+au_event_t
+audit_flags_to_nfs_openevent(int oflags)
+{
+	int i;
+	
+	/*
+	 * Need to check only those flags we care about.
+	 * XXXgpf: Actually, the deny bits are ignored when 
+	 * determining a specific event type
+	 */
+	oflags = oflags & (NFS_READACCESS | NFS_WRITEACCESS | NFS_READDENY 
+				| NFS_WRITEDENY | NFS_CREATE | NFS_TRUNC);
+	for (i = 0; i < aue_nfs_open_count; i++) {
+		if (aue_nfs_open[i].aoe_flags == oflags)
+			return (aue_nfs_open[i].aoe_event);
+	}
+	return (AUE_NFS_OPEN);
+}
+
 /*
  * Convert a MSGCTL command to a specific event.
  */

==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit_private.h#6 (text) ====

@@ -336,6 +336,15 @@
 #define ND_NFSV3                0x00000008
 #define ND_NFSV4                0x00000010
 
+#define NFS_READACCESS		0x00000001
+#define NFS_WRITEACCESS		0x00000002
+#define NFS_RWACCESS		NFS_READACCESS | NFS_WRITEACCESS
+#define NFS_READDENY		0x00000004
+#define NFS_WRITEDENY		0x00000008
+#define NFS_RWDENY		NFS_READDENY | NFS_WRITEDENY
+#define NFS_CREATE		0x00000010
+#define NFS_TRUNC		0x00000020
+
 /*
  * Functions relating to the conversion of internal kernel audit records to
  * the BSM file format.
@@ -397,6 +406,7 @@
 au_event_t	 audit_ctlname_to_sysctlevent(int name[], uint64_t valid_arg);
 au_event_t	 audit_flags_and_error_to_openevent(int oflags, int error);
 au_event_t	 audit_flags_and_error_to_openatevent(int oflags, int error);
+au_event_t	 audit_flags_to_nfs_openevent(int oflags);
 au_event_t	 audit_msgctl_to_event(int cmd);
 au_event_t	 audit_semctl_to_event(int cmr);
 void		 audit_canon_path(struct thread *td, char *path, char *cpath);
