PERFORCE change 148315 for review
Robert Watson
rwatson at FreeBSD.org
Mon Aug 25 01:45:42 UTC 2008
http://perforce.freebsd.org/chv.cgi?CH=148315
Change 148315 by rwatson at rwatson_freebsd_capabilities on 2008/08/25 01:45:26
Audit extended file descriptor information for cap_new(2) so that
we see information on the underlying object a capability is created
for in the audit trail. Right now the utility functions in
audit_bsm.c doesn't properly capture all of this in the BSM trail,
which needs to be fixed.
Affected files ...
.. //depot/projects/trustedbsd/capabilities/src/sys/kern/sys_capability.c#20 edit
.. //depot/projects/trustedbsd/capabilities/src/sys/security/audit/audit_bsm.c#6 edit
Differences ...
==== //depot/projects/trustedbsd/capabilities/src/sys/kern/sys_capability.c#20 (text+ko) ====
@@ -50,7 +50,7 @@
#include "opt_capabilities.h"
#include <sys/cdefs.h>
-__FBSDID("$P4: //depot/projects/trustedbsd/capabilities/src/sys/kern/sys_capability.c#19 $");
+__FBSDID("$P4: //depot/projects/trustedbsd/capabilities/src/sys/kern/sys_capability.c#20 $");
#include <sys/param.h>
#include <sys/capability.h>
@@ -246,6 +246,8 @@
if (error)
goto fail;
+ AUDIT_ARG(file, td->td_proc, fp);
+
/*
* If a new capability is being derived from an existing capability,
* then the new capability rights must be a subset of the existing
==== //depot/projects/trustedbsd/capabilities/src/sys/security/audit/audit_bsm.c#6 (text) ====
@@ -1423,10 +1423,10 @@
break;
case AUE_CAP_NEW:
- if (ARG_IS_VALID(kar, ARG_FD)) {
- tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
- kau_write(rec, tok);
- }
+ /*
+ * XXXRW: Would be nice to audit socket/etc information also.
+ */
+ FD_VNODE1_TOKENS;
if (ARG_IS_VALID(kar, ARG_RIGHTS)) {
tok = au_to_arg64(2, "rights", ar->ar_arg_rights);
kau_write(rec, tok);
More information about the p4-projects
mailing list