PERFORCE change 178037 for review
Efstratios Karatzas
gpf at FreeBSD.org
Mon May 10 14:09:16 UTC 2010
http://p4web.freebsd.org/@@178037?ac=10
Change 178037 by gpf at gpf_desktop on 2010/05/10 14:08:55
Keeping track of nfs rpc user credentials without
knowing where the rpc came from is somewhat useless.
I added the AUDIT_ARG_SOCKADDR_IN interface and now
the "ip_addr:port" string is saved in the text field
of the audit record. I do believe that in the case
of nfs rpcs this information must be in the same
td_ar as the rpc, and not a different one.
Affected files ...
.. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/nfsserver/nfs_srvkrpc.c#4 edit
.. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit.h#4 edit
.. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit_arg.c#2 edit
.. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit_bsm.c#6 edit
Differences ...
==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/nfsserver/nfs_srvkrpc.c#4 (text+ko) ====
@@ -294,7 +294,7 @@
nd.nd_nam2 = rqst->rq_addr;
nd.nd_procnum = procnum;
nd.nd_cr = NULL;
- nd.nd_flag = flag;
+ nd.nd_flag = flag;
if (nfs_privport) {
/* Check if source port is privileged */
@@ -353,6 +353,7 @@
nfsrvstats.srvrpccnt[nd.nd_procnum]++;
AUDIT_NFS_ENTER(procnum, nd.nd_cr, td);
+ AUDIT_ARG_SOCKADDR_IN((struct sockaddr_in *)nd.nd_nam);
error = proc(&nd, NULL, &mrep);
AUDIT_NFS_EXIT(error, td);
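Review bot: The cast `(struct sockaddr_in *)nd.nd_nam` on the added line is made without checking the address family, so an RPC that arrived over a non-AF_INET transport (IPv6, for instance) would have its `sockaddr_in6` bytes formatted as an IPv4 `ip:port` string and a misleading value would land in the audit record. Guard the call, e.g. `if (nd.nd_nam != NULL && nd.nd_nam->sa_family == AF_INET)` followed by `AUDIT_ARG_SOCKADDR_IN((struct sockaddr_in *)nd.nd_nam);`, or pass the plain `struct sockaddr *` and let the helper dispatch on `sa_family` the way the existing `audit_arg_sockaddr()` does. Only `nd.nd_nam2` is assigned in the visible context, so where `nd.nd_nam` comes from is not confirmable here. The enclosing function starts and ends outside the hunk.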
==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit.h#4 (text) ====
@@ -70,6 +70,7 @@
#ifdef AUDIT
struct ipc_perm;
struct sockaddr;
+struct sockaddr_in;
union auditon_udata;
void audit_arg_addr(void * addr);
void audit_arg_exit(int status, int retval);
@@ -99,6 +100,7 @@
void audit_arg_signum(u_int signum);
void audit_arg_socket(int sodomain, int sotype, int soprotocol);
void audit_arg_sockaddr(struct thread *td, struct sockaddr *sa);
+void audit_arg_sockaddr_in(struct sockaddr_in *sin);
void audit_arg_auid(uid_t auid);
void audit_arg_auditinfo(struct auditinfo *au_info);
void audit_arg_auditinfo_addr(struct auditinfo_addr *au_info);
@@ -258,6 +260,11 @@
audit_arg_socket((sodomain), (sotype), (soprotocol)); \
} while (0)
+#define AUDIT_ARG_SOCKADDR_IN(sin) do { \
+ if (AUDITING_TD(curthread)) \
+ audit_arg_sockaddr_in((sin)); \
+} while (0)
+
#define AUDIT_ARG_SUID(suid) do { \
if (AUDITING_TD(curthread)) \
audit_arg_suid((suid)); \
==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit_arg.c#2 (text) ====
@@ -471,6 +471,24 @@
}
void
+audit_arg_sockaddr_in(struct sockaddr_in *sin)
+{
+ char text[MAXPATHLEN];
+ struct kaudit_record *ar;
+ u_short port;
+
+ KASSERT(sin != NULL, ("audit_arg_sockaddr_in: sin == NULL"));
+
+ ar = currecord();
+ if (ar == NULL)
+ return;
+
+ port = ntohs(sin->sin_port);
+ snprintf(text, sizeof(text), "%s:%d", inet_ntoa(sin->sin_addr), port);
+ AUDIT_ARG_TEXT(text);
+}
+
+void
audit_arg_auid(uid_t auid)
{
struct kaudit_record *ar;
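Review bot: `inet_ntoa()` in the added function returns a pointer to a single shared buffer, so two NFS service threads auditing concurrently can interleave and record a corrupted or swapped address; the kernel's `inet_ntoa_r()` writes into a caller-supplied buffer and avoids that. The `char text[MAXPATHLEN]` local also puts about a kilobyte on the kernel stack for a string that is at most `"255.255.255.255:65535"`, and the function does not check `sin->sin_family` before reading `sin_addr`, which it could do cheaply with the existing `KASSERT`. The rewritten body below keeps the interface and the `AUDIT_ARG_TEXT` call.
```c
audit_arg_sockaddr_in(struct sockaddr_in *sin)
{
	char addr[INET_ADDRSTRLEN];
	char text[sizeof("255.255.255.255:65535")];
	struct kaudit_record *ar;

	/* … unchanged: KASSERT and currecord() NULL check … */

	/* inet_ntoa_r() fills a per-call buffer; inet_ntoa() shares one. */
	inet_ntoa_r(sin->sin_addr, addr);
	snprintf(text, sizeof(text), "%s:%u", addr, ntohs(sin->sin_port));
	AUDIT_ARG_TEXT(text);
}
```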
==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit_bsm.c#6 (text) ====
@@ -1596,21 +1596,28 @@
if (ARG_IS_VALID(kar, ARG_MODE)) {
tok = au_to_arg32(3, "mode", ar->ar_arg_mode);
kau_write(rec, tok);
+ }
+ UPATH1_VNODE1_TOKENS;
+ if (ARG_IS_VALID(kar, ARG_TEXT)) {
+ tok = au_to_text(ar->ar_arg_text);
+ kau_write(rec, tok);
}
-
- UPATH1_VNODE1_TOKENS;
break;
case AUE_NFS_SYMLINK:
+ UPATH1_VNODE1_TOKENS;
if (ARG_IS_VALID(kar, ARG_TEXT)) {
tok = au_to_text(ar->ar_arg_text);
kau_write(rec, tok);
}
- UPATH1_VNODE1_TOKENS;
break;
case AUE_NFS_NOOP:
case AUE_NFS_NULL:
+ if (ARG_IS_VALID(kar, ARG_TEXT)) {
+ tok = au_to_text(ar->ar_arg_text);
+ kau_write(rec, tok);
+ }
break;
case AUE_NFS_LINK:
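Review bot: The four-line `ARG_TEXT` emission block is now repeated verbatim in three cases of this hunk and again in the hunk at `@@ -1619`; the file already factors recurring token sequences into macros such as `UPATH1_VNODE1_TOKENS`, so an equivalent `TEXT_TOKEN`-style macro (or a small `static` helper) would keep the cases from drifting apart. Separately, `AUE_NFS_SYMLINK` already emitted `ar->ar_arg_text` before this change, and `ar_arg_text` appears to be a single slot; if that text is the symlink target, it and the `ip:port` string written by the new `AUDIT_ARG_SOCKADDR_IN` call would overwrite each other, which suggests the address belongs in the dedicated socket-address argument that `audit_arg_sockaddr()` already fills rather than in the text field. The enclosing `switch` and function begin and end outside the hunk.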
@@ -1619,8 +1626,12 @@
if (ARG_IS_VALID(kar, ARG_MODE)) {
tok = au_to_arg32(3, "mode", ar->ar_arg_mode);
kau_write(rec, tok);
- }
+ }
UPATH2_TOKENS;
+ if (ARG_IS_VALID(kar, ARG_TEXT)) {
+ tok = au_to_text(ar->ar_arg_text);
+ kau_write(rec, tok);
+ }
break;
case AUE_WAIT4: