PERFORCE change 179225 for review
Efstratios Karatzas
gpf at FreeBSD.org
Sat Jun 5 17:17:17 UTC 2010
http://p4web.freebsd.org/@@179225?ac=10
Change 179225 by gpf at gpf_desktop on 2010/06/05 17:17:12
- experimental nfs server: made all changes so that vnode
information will be gathered in all of nfsv2&3 operations.
Also keeping track of 'ioflags' arg for vop_read/write and 'file mode'
arg for vops that create new files.
- smp stuff: AUDIT_ARG_VNODE1 requires a locked vfs and a locked vnode.
In current nfsserver, I haven't paid attention to either.
In the experimental nfsserver, vfs is locked before a v2 or 3 rpc is
serviced and vp is always locked, except for some cases where
the file is being created by the vop. Also, in current nfsserver my
implementation is a little racy as I don't hold any references
to the vnode that I'm auditing at the time of the rpc; there's
a slight chance that after the rpc is serviced, but before audit code,
the vnode will be destroyed by some other kernel call.
Come tomorrow, I'll work on making my changes SMP safe.
- removed a silly useless line in dir_ilookup()
Affected files ...
.. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/fs/nfsserver/nfs_nfsdport.c#4 edit
.. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/fs/nfsserver/nfs_nfsdserv.c#3 edit
.. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/ufs/ffs/ffs_vnops.c#6 edit
Differences ...
==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/fs/nfsserver/nfs_nfsdport.c#4 (text+ko) ====
@@ -44,6 +44,7 @@
#include <sys/sysctl.h>
#include <nlm/nlm_prot.h>
#include <nlm/nlm.h>
+#include <security/audit/audit.h>
extern u_int32_t newnfs_true, newnfs_false, newnfs_xdrneg1;
extern int nfsv4root_set;
@@ -636,6 +637,7 @@
uiop->uio_resid = len;
uiop->uio_rw = UIO_READ;
uiop->uio_segflg = UIO_SYSSPACE;
+ AUDIT_ARG_FFLAGS(IO_NODELOCKED | ioflag);
error = VOP_READ(vp, uiop, IO_NODELOCKED | ioflag, cred);
FREE((caddr_t)iv2, M_TEMP);
if (error) {
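Review bot: `AUDIT_ARG_FFLAGS` is handed vnode I/O flags here (`IO_NODELOCKED | ioflag`), but as far as I know that audit argument is the slot the open path fills with file-open flags, so anyone decoding the trail would read these bits in the wrong namespace. The same applies to `AUDIT_ARG_FFLAGS(ioflags);` before `VOP_WRITE` in the next hunk. If the I/O flags are worth recording, they want their own argument slot or a documented translation, and at minimum a comment such as `/* records IO_* flags, not open(2) flags */` at both call sites. Both enclosing functions start and end outside the hunks.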
@@ -701,6 +703,7 @@
uiop->uio_segflg = UIO_SYSSPACE;
NFSUIOPROC(uiop, p);
uiop->uio_offset = off;
+ AUDIT_ARG_FFLAGS(ioflags);
error = VOP_WRITE(vp, uiop, ioflags, cred);
FREE((caddr_t)iv, M_TEMP);
return (error);
@@ -721,6 +724,7 @@
if (!error && ndp->ni_vp == NULL) {
if (nvap->na_type == VREG || nvap->na_type == VSOCK) {
vrele(ndp->ni_startdir);
+ AUDIT_ARG_MODE(nvap->na_vattr.va_mode);
error = VOP_CREATE(ndp->ni_dvp,
&ndp->ni_vp, &ndp->ni_cnd, &nvap->na_vattr);
vput(ndp->ni_dvp);
@@ -752,6 +756,7 @@
return (error);
}
nvap->na_rdev = rdev;
+ AUDIT_ARG_MODE(nvap->na_vattr.va_mode);
error = VOP_MKNOD(ndp->ni_dvp, &ndp->ni_vp,
&ndp->ni_cnd, &nvap->na_vattr);
vput(ndp->ni_dvp);
@@ -828,6 +833,7 @@
}
if (vtyp == VSOCK) {
vrele(ndp->ni_startdir);
+ AUDIT_ARG_MODE(nvap->na_vattr.va_mode);
error = VOP_CREATE(ndp->ni_dvp, &ndp->ni_vp,
&ndp->ni_cnd, &nvap->na_vattr);
vput(ndp->ni_dvp);
@@ -840,6 +846,7 @@
vput(ndp->ni_dvp);
return (error);
}
+ AUDIT_ARG_MODE(nvap->na_vattr.va_mode);
error = VOP_MKNOD(ndp->ni_dvp, &ndp->ni_vp,
&ndp->ni_cnd, &nvap->na_vattr);
vput(ndp->ni_dvp);
@@ -872,6 +879,7 @@
nfsvno_relpathbuf(ndp);
return (EEXIST);
}
+ AUDIT_ARG_MODE(nvap->na_vattr.va_mode);
error = VOP_MKDIR(ndp->ni_dvp, &ndp->ni_vp, &ndp->ni_cnd,
&nvap->na_vattr);
vput(ndp->ni_dvp);
@@ -900,6 +908,7 @@
return (EEXIST);
}
+ AUDIT_ARG_MODE(nvap->na_vattr.va_mode);
error = VOP_SYMLINK(ndp->ni_dvp, &ndp->ni_vp, &ndp->ni_cnd,
&nvap->na_vattr, pathcp);
vput(ndp->ni_dvp);
@@ -1292,6 +1301,7 @@
if (!nd->nd_repstat) {
if (ndp->ni_vp == NULL) {
vrele(ndp->ni_startdir);
+ AUDIT_ARG_MODE(nvap->na_vattr.va_mode);
nd->nd_repstat = VOP_CREATE(ndp->ni_dvp,
&ndp->ni_vp, &ndp->ni_cnd, &nvap->na_vattr);
vput(ndp->ni_dvp);
@@ -1432,6 +1442,9 @@
struct uio io;
struct iovec iv;
+ if (vp != NULL)
+ AUDIT_ARG_VNODE1(vp);
+
if (nd->nd_repstat) {
nfsrv_postopattr(nd, getret, &at);
return (0);
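Review bot: The guard `if (vp != NULL) AUDIT_ARG_VNODE1(vp);` is pasted at the top of this routine, again in the next hunk, and in most service routines of nfs_nfsdserv.c further down. A single file-local wrapper (the name is only a suggestion), e.g. `#define NFSD_AUDIT_VNODE1(vp) do { if ((vp) != NULL) AUDIT_ARG_VNODE1(vp); } while (0)`, would keep the call sites uniform and give one place for a comment stating that the vnode must be locked and referenced at the call. The call also sits before the `nd->nd_repstat` check, so requests that have already failed are audited too; if that is intended, the comment should say so. The function bodies continue outside the hunks.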
@@ -1678,6 +1691,9 @@
struct iovec iv;
struct componentname cn;
+ if (vp != NULL)
+ AUDIT_ARG_VNODE1(vp);
+
if (nd->nd_repstat) {
nfsrv_postopattr(nd, getret, &at);
return (0);
==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/fs/nfsserver/nfs_nfsdserv.c#3 (text+ko) ====
@@ -53,6 +53,7 @@
extern struct timeval nfsboottime;
extern int nfs_rootfhset, nfsv4root_set;
#endif /* !APPLEKEXT */
+#include <security/audit/audit.h>
/*
* This list defines the GSS mechanisms supported.
@@ -90,6 +91,8 @@
u_int32_t testmode, nfsmode, supported = 0;
accmode_t deletebit;
+ if (vp != NULL)
+ AUDIT_ARG_VNODE1(vp);
if (nd->nd_repstat) {
nfsrv_postopattr(nd, 1, &nva);
return (0);
@@ -173,6 +176,8 @@
struct nfsreferral *refp;
nfsattrbit_t attrbits;
+ if (vp != NULL)
+ AUDIT_ARG_VNODE1(vp);
if (nd->nd_repstat)
return (0);
if (nd->nd_flag & ND_NFSV4) {
@@ -237,6 +242,8 @@
nfsv4stateid_t stateid;
NFSACL_T *aclp = NULL;
+ if (vp != NULL)
+ AUDIT_ARG_VNODE1(vp);
if (nd->nd_repstat) {
nfsrv_wcc(nd, preat_ret, &nva2, postat_ret, &nva);
return (0);
@@ -467,6 +474,8 @@
vrele(named.ni_startdir);
nfsvno_relpathbuf(&named);
vp = named.ni_vp;
+ if (vp != NULL)
+ AUDIT_ARG_VNODE1(vp);
nd->nd_repstat = nfsvno_getfh(vp, fhp, p, named.ni_dvp);
if (named.ni_dvp)
vrele(named.ni_dvp);
@@ -512,6 +521,8 @@
int getret = 1, len;
struct nfsvattr nva;
+ if (vp != NULL)
+ AUDIT_ARG_VNODE1(vp);
if (nd->nd_repstat) {
nfsrv_postopattr(nd, getret, &nva);
return (0);
@@ -557,6 +568,8 @@
nfsv4stateid_t stateid;
nfsquad_t clientid;
+ if (vp != NULL)
+ AUDIT_ARG_VNODE1(vp);
if (nd->nd_repstat) {
nfsrv_postopattr(nd, getret, &nva);
return (0);
@@ -712,6 +725,8 @@
nfsv4stateid_t stateid;
nfsquad_t clientid;
+ if (vp != NULL)
+ AUDIT_ARG_VNODE1(vp);
if (nd->nd_repstat) {
nfsrv_wcc(nd, forat_ret, &forat, aftat_ret, &nva);
return (0);
@@ -992,6 +1007,8 @@
&exclusive_flag, cverf, rdev, p, exp);
if (!nd->nd_repstat) {
+ if (vp != NULL)
+ AUDIT_ARG_VNODE1(vp);
nd->nd_repstat = nfsvno_getfh(vp, &fh, p, named.ni_dvp);
if (!nd->nd_repstat)
nd->nd_repstat = nfsvno_getattr(vp, &nva, nd->nd_cred,
@@ -1213,8 +1230,10 @@
}
nd->nd_repstat = nfsvno_mknod(&named, &nva, nd->nd_cred, p);
- if (!nd->nd_repstat) {
+ if (!nd->nd_repstat) {
vp = named.ni_vp;
+ if (vp != NULL)
+ AUDIT_ARG_VNODE1(vp);
nfsrv_fixattr(nd, vp, &nva, aclp, p, &attrbits, exp);
nd->nd_repstat = nfsvno_getfh(vp, fhp, p, named.ni_dvp);
if ((nd->nd_flag & ND_NFSV3) && !nd->nd_repstat)
@@ -1440,6 +1459,8 @@
/*
* Done parsing, now down to business.
*/
+ if (fromnd.ni_vp != NULL)
+ AUDIT_ARG_VNODE1(fromnd.ni_vp);
nd->nd_repstat = nfsvno_namei(nd, &fromnd, dp, 1, exp, p, &fdirp);
if (nd->nd_repstat) {
if (nd->nd_flag & ND_NFSV3) {
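Review bot: `fromnd.ni_vp` is audited before `nfsvno_namei(nd, &fromnd, ...)` has run, so the lookup has not yet produced the source vnode at this point. The check either sees NULL and records nothing or, if `fromnd` is not zeroed earlier (outside the hunk), reads an indeterminate pointer. Moving the two added lines to after a successful `nfsvno_namei()` return would audit the vnode that is actually being renamed. The function starts and ends outside the hunk.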
@@ -1512,6 +1533,8 @@
char *bufp;
u_long *hashp;
+ if (vp != NULL)
+ AUDIT_ARG_VNODE1(vp);
if (nd->nd_repstat) {
nfsrv_postopattr(nd, getret, &at);
nfsrv_wcc(nd, dirfor_ret, &dirfor, diraft_ret, &diraft);
@@ -1661,10 +1684,12 @@
if (!nd->nd_repstat) {
if (dirp != NULL)
dirfor_ret = nfsvno_getattr(dirp, &dirfor, nd->nd_cred,
- p);
+ p);
nfsrvd_symlinksub(nd, &named, &nva, fhp, vpp, dirp,
&dirfor, &diraft, &diraft_ret, NULL, NULL, p, exp,
pathcp, pathlen);
+ if (named.ni_vp != NULL)
+ AUDIT_ARG_VNODE1(named.ni_vp);
} else if (dirp != NULL) {
dirfor_ret = nfsvno_getattr(dirp, &dirfor, nd->nd_cred, p);
vrele(dirp);
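Review bot: `named.ni_vp` is read after `nfsrvd_symlinksub()` returns, and that helper is not visible here; if it releases the new vnode (vput) before returning, `AUDIT_ARG_VNODE1(named.ni_vp)` runs on a vnode that is neither locked nor referenced. The next hunk has the same shape after `nfsrvd_mkdirsub()`, and there the call is not conditioned on `nd->nd_repstat`, so a failed mkdir may audit a stale `ni_vp`. Capturing the vnode argument inside the sub-routine, while the vnode is still locked, would avoid both problems. The enclosing functions start and end outside the hunks.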
@@ -1798,7 +1823,8 @@
*/
nfsrvd_mkdirsub(nd, &named, &nva, fhp, vpp, dirp, &dirfor, &diraft,
&diraft_ret, NULL, NULL, p, exp);
-
+ if (named.ni_vp != NULL)
+ AUDIT_ARG_VNODE1(named.ni_vp);
if (nd->nd_flag & ND_NFSV3) {
if (!nd->nd_repstat) {
(void) nfsm_fhtom(nd, (u_int8_t *)fhp, 0, 1);
@@ -1872,6 +1898,8 @@
int error = 0, for_ret = 1, aft_ret = 1, cnt;
u_int64_t off;
+ if (vp != NULL)
+ AUDIT_ARG_VNODE1(vp);
if (nd->nd_repstat) {
nfsrv_wcc(nd, for_ret, &bfor, aft_ret, &aft);
return (0);
@@ -1917,6 +1945,8 @@
struct statfs sfs;
u_quad_t tval;
+ if (vp != NULL)
+ AUDIT_ARG_VNODE1(vp);
if (nd->nd_repstat) {
nfsrv_postopattr(nd, getret, &at);
return (0);
@@ -1970,6 +2000,8 @@
int getret = 1;
struct nfsvattr at;
+ if (vp != NULL)
+ AUDIT_ARG_VNODE1(vp);
if (nd->nd_repstat) {
nfsrv_postopattr(nd, getret, &at);
return (0);
@@ -2006,6 +2038,8 @@
register_t linkmax, namemax, chownres, notrunc;
struct nfsvattr at;
+ if (vp != NULL)
+ AUDIT_ARG_VNODE1(vp);
if (nd->nd_repstat) {
nfsrv_postopattr(nd, getret, &at);
return (0);
==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/ufs/ffs/ffs_vnops.c#6 (text+ko) ====
@@ -1920,7 +1920,6 @@
if (!error) {
foundit = 1;
- error = 0;
break;
}
}