PERFORCE change 90076 for review
Wayne Salamon
wsalamon at FreeBSD.org
Sat Jan 21 13:49:37 GMT 2006
http://perforce.freebsd.org/chv.cgi?CH=90076
Change 90076 by wsalamon at gretsch on 2006/01/21 13:48:47
Audit the monut() and unmount() system calls; nmount() still to come.
For mount(), we copy in the user path explicitly for audit because
there are many possible error exits before the path is normally
copied in.
Affected files ...
.. //depot/projects/trustedbsd/audit3/sys/kern/vfs_mount.c#6 edit
Differences ...
==== //depot/projects/trustedbsd/audit3/sys/kern/vfs_mount.c#6 (text+ko) ====
@@ -58,6 +58,8 @@
#include <sys/systm.h>
#include <sys/vnode.h>
+#include <security/audit/audit.h>
+
#include <geom/geom.h>
#include <machine/stdarg.h>
@@ -366,6 +368,11 @@
int error;
u_int iovcnt;
+ /* XXXAUDIT Audit is not complete for nmount() yet; need to create
+ * a new audit event.
+ */
+ AUDIT_ARG(fflags, uap->flags);
+
/* Kick out MNT_ROOTFS early as it is legal internally */
if (uap->flags & MNT_ROOTFS)
return (EINVAL);
@@ -488,7 +495,6 @@
error = EINVAL;
goto bail;
}
-
/*
* Be ultra-paranoid about making sure the type and fspath
* variables will fit in our mp buffers, including the
@@ -536,6 +542,8 @@
struct mntarg *ma = NULL;
int error;
+ AUDIT_ARG(fflags, uap->flags);
+
/* Kick out MNT_ROOTFS early as it is legal internally */
uap->flags &= ~MNT_ROOTFS;
@@ -545,11 +553,30 @@
fstype = malloc(MFSNAMELEN, M_TEMP, M_WAITOK);
error = copyinstr(uap->type, fstype, MFSNAMELEN, NULL);
if (!error) {
+ /* Audit the fstype here, even though it will be copied
+ * again later. But if an error is detected, it won't get
+ * copied later, so grab as much info as possible.
+ */
+ AUDIT_ARG(text, fstype);
mtx_lock(&Giant); /* XXX ? */
vfsp = vfs_byname_kld(fstype, td, &error);
mtx_unlock(&Giant);
}
free(fstype, M_TEMP);
+
+#ifdef AUDIT
+ {
+ /* Even though it will get captured again during vnode lookup,
+ * capture the user-supplied path here because there are several
+ * error-out cases before the lookup, or the lookup may fail.
+ */
+ char *pathbuf = malloc(MNAMELEN, M_TEMP, M_WAITOK);
+ error = copyinstr(uap->path, pathbuf, MNAMELEN, NULL);
+ if (!error)
+ AUDIT_ARG(upath, td, pathbuf, ARG_UPATH1);
+ free(pathbuf, M_TEMP);
+ }
+#endif
if (error)
return (error);
if (vfsp == NULL)
@@ -563,6 +590,12 @@
ma = mount_argb(ma, !(uap->flags & MNT_NOSUID), "nosuid");
ma = mount_argb(ma, !(uap->flags & MNT_NOEXEC), "noexec");
+ /* Note that for auditing purposes, the we depend on the
+ * file system cmount function to call kernel_mount(), which
+ * calls vfs_donmount(), and that is where the user path and
+ * type information is copied into the kernel; only then can
+ * we capture the path information for auditing.
+ */
error = vfsp->vfc_vfsops->vfs_cmount(ma, uap->data, uap->flags, td);
return (error);
}
@@ -620,7 +653,8 @@
/*
* Get vnode to be covered
*/
- NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF, UIO_SYSSPACE, fspath, td);
+ NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF | AUDITVNODE1, UIO_SYSSPACE,
+ fspath, td);
if ((error = namei(&nd)) != 0)
return (error);
NDFREE(&nd, NDF_ONLY_PNBUF);
@@ -845,6 +879,7 @@
free(pathbuf, M_TEMP);
return (error);
}
+ AUDIT_ARG(upath, td, pathbuf, ARG_UPATH1);
if (uap->flags & MNT_BYFSID) {
/* Decode the filesystem ID. */
if (sscanf(pathbuf, "FSID:%d:%d", &id0, &id1) != 2) {
@@ -878,6 +913,21 @@
return ((uap->flags & MNT_BYFSID) ? ENOENT : EINVAL);
}
+#ifdef AUDIT
+ {
+ int vfslocked;
+ struct vnode *vp = mp->mnt_vnodecovered;
+
+ if (vp != NULL) {
+ vfslocked = VFS_LOCK_GIANT(vp->v_mount);
+ vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
+ AUDIT_ARG(vnode, vp, ARG_VNODE1);
+ VOP_UNLOCK(vp, 0, td);
+ VFS_UNLOCK_GIANT(vfslocked);
+ }
+ }
+#endif
+
/*
* Only privileged root, or (if MNT_USER is set) the user that did the
* original mount is permitted to unmount this filesystem.
To Unsubscribe: send mail to majordomo at trustedbsd.org
with "unsubscribe trustedbsd-cvs" in the body of the message
More information about the trustedbsd-cvs
mailing list