PERFORCE change 127985 for review

Tue Oct 23 17:40:38 PDT 2007

http://perforce.freebsd.org/chv.cgi?CH=127985

Change 127985 by csjp at push on 2007/10/24 00:39:50

	Bring in audit_proc_coredump() which will be called anytime the
	coredump(9) function is activated.  This function will result in
	a coredump audit record being created.  Currently, we structure
	the audit record much the same way Solaris does with respect to
	tokens.  However, I think it will make sense to add a process
	token too.

Affected files ...

.. //depot/projects/trustedbsd/audit3/sys/kern/kern_sig.c#22 edit
.. //depot/projects/trustedbsd/audit3/sys/security/audit/audit.c#50 edit
.. //depot/projects/trustedbsd/audit3/sys/security/audit/audit.h#29 edit
.. //depot/projects/trustedbsd/audit3/sys/security/audit/audit_bsm.c#32 edit

Differences ...

==== //depot/projects/trustedbsd/audit3/sys/kern/kern_sig.c#22 (text+ko) ====

@@ -3063,8 +3063,19 @@
 	MPASS((p->p_flag & P_HADTHREADS) == 0 || p->p_singlethread == td);
 	_STOPEVENT(p, S_CORE, 0);
 
+	name = expand_name(p->p_comm, td->td_ucred->cr_uid, p->p_pid);
+	if (name == NULL) {
+#ifdef AUDIT
+		audit_proc_coredump(td, NULL, EINVAL);
+#endif
+		return (EINVAL);
+	}
 	if (((sugid_coredump == 0) && p->p_flag & P_SUGID) || do_coredump == 0) {
 		PROC_UNLOCK(p);
+#ifdef AUDIT
+		audit_proc_coredump(td, name, EFAULT);
+#endif
+		free(name, M_TEMP);
 		return (EFAULT);
 	}
 	
@@ -3078,19 +3089,25 @@
 	 */
 	limit = (off_t)lim_cur(p, RLIMIT_CORE);
 	PROC_UNLOCK(p);
-	if (limit == 0)
+	if (limit == 0) {
+#ifdef AUDIT
+		audit_proc_coredump(td, name, EFBIG);
+#endif
+		free(name, M_TEMP);
 		return (EFBIG);
+	}
 
 restart:
-	name = expand_name(p->p_comm, td->td_ucred->cr_uid, p->p_pid);
-	if (name == NULL)
-		return (EINVAL);
 	NDINIT(&nd, LOOKUP, NOFOLLOW | MPSAFE, UIO_SYSSPACE, name, td);
 	flags = O_CREAT | FWRITE | O_NOFOLLOW;
 	error = vn_open(&nd, &flags, S_IRUSR | S_IWUSR, NULL);
-	free(name, M_TEMP);
-	if (error)
+	if (error) {
+#ifdef AUDIT
+		audit_proc_coredump(td, name, error);
+#endif
+		free(name, M_TEMP);
 		return (error);
+	}
 	vfslocked = NDHASGIANT(&nd);
 	NDFREE(&nd, NDF_ONLY_PNBUF);
 	vp = nd.ni_vp;
@@ -3148,6 +3165,10 @@
 	if (error == 0)
 		error = error1;
 out:
+#ifdef AUDIT
+	audit_proc_coredump(td, name, error);
+#endif
+	free(name, M_TEMP);
 	VFS_UNLOCK_GIANT(vfslocked);
 	return (error);
 }

==== //depot/projects/trustedbsd/audit3/sys/security/audit/audit.c#50 (text+ko) ====

@@ -575,3 +575,51 @@
 
 	KASSERT(td->td_ar == NULL, ("audit_thread_free: td_ar != NULL"));
 }
+
+void
+audit_proc_coredump(struct thread *td, char *path, int errcode)
+{
+	struct kaudit_record *ar;
+	struct au_mask *aumask;
+	au_class_t class;
+	int ret, sorf;
+	char **pathp;
+	au_id_t auid;
+
+	/*
+	 * Make sure we are using the correct preselection mask.
+	 */
+	auid = td->td_ucred->cr_audit.ai_auid;
+	if (auid == AU_DEFAUDITID)
+		aumask = &audit_nae_mask;
+	else
+		aumask = &td->td_ucred->cr_audit.ai_mask;
+	/*
+	 * It's possible for coredump(9) generation to fail.  Make sure that
+	 * we handle this case correctly for preselection.
+	 */
+	if (errcode != 0)
+		sorf = AU_PRS_FAILURE;
+	else
+		sorf = AU_PRS_SUCCESS;
+	class = au_event_class(AUE_CORE);
+	if (au_preselect(AUE_CORE, class, aumask, sorf) == 0)
+		return;
+	/*
+	 * If we are interested in seeing this audit record, allocate it.
+	 * Where possible coredump records should contain a pathname and arg32
+	 * (signal) tokens.
+	 */
+	ar = audit_new(AUE_CORE, td);
+	if (path != NULL) {
+		pathp = &ar->k_ar.ar_arg_upath1;
+		*pathp = malloc(MAXPATHLEN, M_AUDITPATH, M_WAITOK);
+		canon_path(td, path, *pathp);
+		ARG_SET_VALID(ar, ARG_UPATH1);
+	}
+	ar->k_ar.ar_arg_signum = td->td_proc->p_sig;
+	ARG_SET_VALID(ar, ARG_SIGNUM);
+	if (errcode != 0)
+		ret = 1;
+	audit_commit(ar, errcode, ret);
+}

==== //depot/projects/trustedbsd/audit3/sys/security/audit/audit.h#29 (text+ko) ====

@@ -179,6 +179,7 @@
 void	 audit_cred_init(struct ucred *cred);
 void	 audit_cred_kproc0(struct ucred *cred);
 void	 audit_cred_proc1(struct ucred *cred);
+void	 audit_proc_coredump(struct thread *td, char *path, int errcode);
 void	 audit_thread_alloc(struct thread *td);
 void	 audit_thread_free(struct thread *td);
 

==== //depot/projects/trustedbsd/audit3/sys/security/audit/audit_bsm.c#32 (text+ko) ====

@@ -725,6 +725,14 @@
 		UPATH1_VNODE1_TOKENS;
 		break;
 
+	case AUE_CORE:
+		if (ARG_IS_VALID(kar, ARG_SIGNUM)) {
+			tok = au_to_arg32(0, "signal", ar->ar_arg_signum);
+			kau_write(rec, tok);
+		}
+		UPATH1_VNODE1_TOKENS;
+		break;
+
 	case AUE_EXTATTRCTL:
 		UPATH1_VNODE1_TOKENS;
 		if (ARG_IS_VALID(kar, ARG_CMD)) {
