PERFORCE change 178061 for review
Efstratios Karatzas
gpf at FreeBSD.org
Mon May 10 19:54:06 UTC 2010
http://p4web.freebsd.org/@@178061?ac=10
Change 178061 by gpf at gpf_desktop on 2010/05/10 19:54:01
* I was afraid that no user credentials are
sent for some rpcs, e.g. if we want to ping
the nfs server. That's true, so I relaxed
the checks at audit_nfs_enter()
* added support for the final nfs rpcs.
ufs tests are ok, although we may encounter
some problems with the fsinfo rpc over zfs
(readdirplus, statfs, fsinfo, pathconf)
procedures serviced: 23/23
Affected files ...
.. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/nfsserver/nfs_serv.c#7 edit
.. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit.c#5 edit
.. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit_bsm.c#8 edit
Differences ...
==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/nfsserver/nfs_serv.c#7 (text+ko) ====
@@ -3557,6 +3557,7 @@
struct mbuf *mb, *mreq;
char *cpos, *cend, *rbuf;
struct vnode *vp = NULL, *nvp;
+ struct vnode *dir_vp = NULL;
struct flrep fl;
nfsfh_t nfh;
fhandle_t *fhp, *nfhp = (fhandle_t *)fl.fl_nfh;
@@ -3594,6 +3595,9 @@
fullsiz = siz;
error = nfsrv_fhtovp(fhp, 1, &vp, &vfslocked, nfsd, slp,
nam, &rdonly, TRUE);
+
+ dir_vp = vp;
+
if (!error && vp->v_type != VDIR) {
error = ENOTDIR;
vput(vp);
@@ -3886,6 +3890,24 @@
if (vp)
vrele(vp);
VFS_UNLOCK_GIANT(vfslocked);
+
+ /* XXX AUDIT */
+ if (AUDITING_TD(curthread)) {
+ if (dir_vp != NULL) {
+ struct thread *td = curthread;
+ char *fullpath, *freepath;
+
+ AUDIT_ARG_VNODE1(dir_vp);
+
+ freepath = NULL;
+ vn_fullpath_global(td, dir_vp, &fullpath, &freepath);
+ if (freepath != NULL) {
+ AUDIT_ARG_UPATH1(td, fullpath);
+ free(freepath, M_TEMP);
+ }
+ }
+ }
+
return(error);
}
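Review bot: The audit block added after `VFS_UNLOCK_GIANT(vfslocked)` operates on `dir_vp`, which is a copy of a vnode pointer the lines just above have already dropped with `vrele(vp)` (and, on the earlier error path shown in the previous hunk, `vput(vp)`), so `AUDIT_ARG_VNODE1()` and `vn_fullpath_global()` run on a vnode the function no longer holds a reference to or a lock on; `audit_arg_vnode1()` reads the vnode's attributes and, if I recall correctly, asserts the vnode is locked, so at best this is a stale-pointer read and at worst a use of a recycled vnode. The three `AUDIT_vp` blocks in the following hunks (statfs, fsinfo and pathconf per the description) have the same ordering. Record the vnode right after `nfsrv_fhtovp()` succeeds, while it is still locked and referenced, and drop the `dir_vp`/`AUDIT_vp` snapshots; a small static helper shared by the four procedures also removes the quadruplicated block, and testing the return value of `vn_fullpath_global()` is clearer than using `freepath != NULL` as the success signal. The enclosing function starts outside the hunk.
```c
/*
 * Attach vp and its path to the current audit record.  Call while vp is
 * still locked and referenced, i.e. right after nfsrv_fhtovp() succeeds.
 */
static void
nfsrv_audit_vnode(struct thread *td, struct vnode *vp)
{
	char *fullpath, *freepath = NULL;

	if (!AUDITING_TD(td) || vp == NULL)
		return;
	AUDIT_ARG_VNODE1(vp);
	if (vn_fullpath_global(td, vp, &fullpath, &freepath) == 0) {
		AUDIT_ARG_UPATH1(td, fullpath);
		free(freepath, M_TEMP);
	}
}

	/* … in each procedure, directly after the nfsrv_fhtovp() call … */
	if (!error)
		nfsrv_audit_vnode(curthread, vp);
	/* … unchanged: rest of the procedure; the trailing AUDIT block and the dir_vp/AUDIT_vp copies are removed … */
```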
@@ -4092,6 +4114,7 @@
int v3 = (nfsd->nd_flag & ND_NFSV3);
struct mbuf *mb, *mreq;
struct vnode *vp = NULL;
+ struct vnode *AUDIT_vp = NULL;
struct vattr at;
nfsfh_t nfh;
fhandle_t *fhp;
@@ -4105,6 +4128,9 @@
nfsm_srvmtofh(fhp);
error = nfsrv_fhtovp(fhp, 1, &vp, &vfslocked, nfsd, slp,
nam, &rdonly, TRUE);
+
+ AUDIT_vp = vp;
+
if (error) {
nfsm_reply(NFSX_UNSIGNED);
if (v3)
@@ -4165,6 +4191,24 @@
if (vp)
vput(vp);
VFS_UNLOCK_GIANT(vfslocked);
+
+ /* XXX AUDIT */
+ if (AUDITING_TD(curthread)) {
+ if (AUDIT_vp != NULL) {
+ struct thread *td = curthread;
+ char *fullpath, *freepath;
+
+ AUDIT_ARG_VNODE1(AUDIT_vp);
+
+ freepath = NULL;
+ vn_fullpath_global(td, AUDIT_vp, &fullpath, &freepath);
+ if (freepath != NULL) {
+ AUDIT_ARG_UPATH1(td, fullpath);
+ free(freepath, M_TEMP);
+ }
+ }
+ }
+
return(error);
}
@@ -4184,6 +4228,7 @@
int error = 0, rdonly, getret = 1, pref;
struct mbuf *mb, *mreq;
struct vnode *vp = NULL;
+ struct vnode *AUDIT_vp = NULL;
struct vattr at;
nfsfh_t nfh;
fhandle_t *fhp;
@@ -4200,6 +4245,9 @@
nfsm_srvmtofh(fhp);
error = nfsrv_fhtovp(fhp, 1, &vp, &vfslocked, nfsd, slp,
nam, &rdonly, TRUE);
+
+ AUDIT_vp = vp;
+
if (error) {
nfsm_reply(NFSX_UNSIGNED);
nfsm_srvpostop_attr(getret, &at);
@@ -4241,6 +4289,24 @@
if (vp)
vput(vp);
VFS_UNLOCK_GIANT(vfslocked);
+
+ /* XXX AUDIT */
+ if (AUDITING_TD(curthread)) {
+ if (AUDIT_vp != NULL) {
+ struct thread *td = curthread;
+ char *fullpath, *freepath;
+
+ AUDIT_ARG_VNODE1(AUDIT_vp);
+
+ freepath = NULL;
+ vn_fullpath_global(td, AUDIT_vp, &fullpath, &freepath);
+ if (freepath != NULL) {
+ AUDIT_ARG_UPATH1(td, fullpath);
+ free(freepath, M_TEMP);
+ }
+ }
+ }
+
return(error);
}
@@ -4261,6 +4327,7 @@
register_t linkmax, namemax, chownres, notrunc;
struct mbuf *mb, *mreq;
struct vnode *vp = NULL;
+ struct vnode *AUDIT_vp = NULL;
struct vattr at;
nfsfh_t nfh;
fhandle_t *fhp;
@@ -4275,6 +4342,9 @@
nfsm_srvmtofh(fhp);
error = nfsrv_fhtovp(fhp, 1, &vp, &vfslocked, nfsd, slp,
nam, &rdonly, TRUE);
+
+ AUDIT_vp = vp;
+
if (error) {
nfsm_reply(NFSX_UNSIGNED);
nfsm_srvpostop_attr(getret, &at);
@@ -4315,6 +4385,24 @@
if (vp)
vput(vp);
VFS_UNLOCK_GIANT(vfslocked);
+
+ /* XXX AUDIT */
+ if (AUDITING_TD(curthread)) {
+ if (AUDIT_vp != NULL) {
+ struct thread *td = curthread;
+ char *fullpath, *freepath;
+
+ AUDIT_ARG_VNODE1(AUDIT_vp);
+
+ freepath = NULL;
+ vn_fullpath_global(td, AUDIT_vp, &fullpath, &freepath);
+ if (freepath != NULL) {
+ AUDIT_ARG_UPATH1(td, fullpath);
+ free(freepath, M_TEMP);
+ }
+ }
+ }
+
return(error);
}
==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit.c#5 (text) ====
@@ -740,7 +740,6 @@
KASSERT(td->td_ar == NULL, ("audit_nfs_enter: td->td_ar != NULL"));
KASSERT((td->td_pflags & TDP_AUDITREC) == 0,
("audit_nfs_enter: TDP_AUDITREC set"));
- KASSERT(user_cr != NULL, ("audit_nfs_enter: user_cr == NULL"));
/* XXXgpf: perhaps log a failure to match a rpc to an audit event? */
audit_nfs_proc_to_event(proc, &event);
@@ -807,7 +806,7 @@
* td->ar = audit_new(...);
* td->td_ucred = orig_cr;
*/
- if (td->td_ar != NULL) {
+ if (td->td_ar != NULL && user_cr != NULL) {
cru2x(user_cr, &td->td_ar->k_ar.ar_subj_cred);
td->td_ar->k_ar.ar_subj_ruid = user_cr->cr_ruid;
td->td_ar->k_ar.ar_subj_rgid = user_cr->cr_rgid;
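Review bot: With the new `user_cr != NULL` guard the record's subject fields keep whatever `audit_new()` filled in, which — going by the comment just above about `td->td_ucred = orig_cr` — is presumably the nfsd thread's own credential, so records for credential-less RPCs (the ping case the description mentions) will read as actions of the server process rather than of an unauthenticated client. If that attribution is intended it deserves a comment at the new condition, e.g. `/* No client credential (e.g. a NULL rpc): subject stays the server thread's credential. */`; otherwise the subject ids should be set to an explicit "unknown" value so the records are not mistaken for the daemon's own activity. The removed `KASSERT` was the only statement of this contract, and the enclosing function continues outside the hunk.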
==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit_bsm.c#8 (text) ====
@@ -1586,6 +1586,7 @@
case AUE_NFS_WRITE:
case AUE_NFS_MKDIR:
case AUE_NFS_READDIR:
+ case AUE_NFS_READDIR_PLUS:
case AUE_NFS_READLINK:
case AUE_NFS_REMOVE:
case AUE_NFS_RMDIR:
@@ -1595,6 +1596,9 @@
case AUE_NFS_LOOKUP:
case AUE_NFS_MKNODE:
case AUE_NFS_COMMIT:
+ case AUE_NFS_PATHCONF:
+ case AUE_NFS_STATFS:
+ case AUE_NFS_FSINFO:
if (ARG_IS_VALID(kar, ARG_MODE)) {
tok = au_to_arg32(3, "mode", ar->ar_arg_mode);
kau_write(rec, tok);