PERFORCE change 180703 for review
Efstratios Karatzas
gpf at FreeBSD.org
Fri Jul 9 21:22:40 UTC 2010
http://p4web.freebsd.org/@@180703?ac=10
Change 180703 by gpf at gpf_desktop on 2010/07/09 21:21:55
- setattr: audit vnode information @ the beginning and @ the end of
the rpc.
This way, we may clearly see what attributes were changed.
AUDIT_ARG_VNODE* may have to adapt so that it can keep track of
other vnode attributes as well, such as file size.
- access: audit the access flag used in the rpc so that we know
what access rights were checked.
Affected files ...
.. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/fs/nfsserver/nfs_nfsdserv.c#12 edit
.. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/nfsserver/nfs_serv.c#19 edit
.. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit_bsm.c#16 edit
Differences ...
==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/fs/nfsserver/nfs_nfsdserv.c#12 (text+ko) ====
@@ -99,6 +99,7 @@
}
NFSM_DISSECT(tl, u_int32_t *, NFSX_UNSIGNED);
nfsmode = fxdr_unsigned(u_int32_t, *tl);
+ AUDIT_ARG_FFLAGS(nfsmode);
if ((nd->nd_flag & ND_NFSV4) &&
(nfsmode & ~(NFSACCESS_READ | NFSACCESS_LOOKUP |
NFSACCESS_MODIFY | NFSACCESS_EXTEND | NFSACCESS_DELETE |
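Review bot: `AUDIT_ARG_FFLAGS(nfsmode)` records the access mask exactly as decoded from the request, before the NFSv4 validity check that follows, so the audit record shows what the client asked for and not what the server granted. The same holds for the matching line in nfs_serv.c, where bits are cleared afterwards on each failed `nfsrv_access()`. audit_bsm.c emits the value as `au_to_arg32(2, "flags", ...)`, so a log reader cannot tell NFS access bits from open-style file flags without knowing the event type. I would add a comment above the call such as `/* Audit the requested NFS access mask; the granted subset is not recorded. */`. The enclosing function starts and ends outside the hunk.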
@@ -242,6 +243,9 @@
nfsv4stateid_t stateid;
NFSACL_T *aclp = NULL;
+ if (vp)
+ AUDIT_ARG_VNODE1(vp);
+
if (nd->nd_repstat) {
nfsrv_wcc(nd, preat_ret, &nva2, postat_ret, &nva);
return (0);
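Review bot: The pre-change snapshot `AUDIT_ARG_VNODE1(vp)` is taken before the `nd->nd_repstat` check, so a request that has already failed returns with VNODE1 attributes and no VNODE2, and the record can read like a setattr whose post-state is missing. The later hunk calls `AUDIT_ARG_VNODE2(vp)` without the `if (vp)` guard used here; that is presumably safe because `vput(vp)` follows, but the two sites read inconsistently. A short comment would help, for example `/* Pre-change attributes; VNODE2 is recorded only if the RPC reaches the end. */`. The macro presumably reads attributes from the vnode and needs it locked at this point, which the hunk does not show, so that is worth confirming. The function body continues outside the hunk.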
@@ -384,7 +388,7 @@
if (!nd->nd_repstat)
nd->nd_repstat = postat_ret;
}
- AUDIT_ARG_VNODE1(vp);
+ AUDIT_ARG_VNODE2(vp);
vput(vp);
#ifdef NFS4_ACL_EXTATTR_NAME
acl_free(aclp);
==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/nfsserver/nfs_serv.c#19 (text+ko) ====
@@ -338,6 +338,7 @@
AUDIT_ARG_VNODE1(AUDIT_vp);
}
nfsmode = fxdr_unsigned(u_int32_t, *tl);
+ AUDIT_ARG_FFLAGS(nfsmode);
if ((nfsmode & NFSV3ACCESS_READ) &&
nfsrv_access(vp, VREAD, cred, rdonly, 0))
nfsmode &= ~NFSV3ACCESS_READ;
@@ -543,8 +544,10 @@
}
AUDIT_vp = vp;
- if (AUDIT_vp != NULL && AUDITING_TD(curthread))
- vref(AUDIT_vp);
+ if (AUDIT_vp != NULL && AUDITING_TD(curthread)) {
+ vref(AUDIT_vp);
+ AUDIT_ARG_VNODE1(AUDIT_vp);
+ }
/*
* vp now an active resource, pay careful attention to cleanup
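Review bot: The new `AUDIT_ARG_VNODE1(AUDIT_vp)` runs only under `AUDITING_TD(curthread)`, while the post-change `AUDIT_ARG_VNODE2(AUDIT_vp)` in the next hunk is guarded by `AUDIT_vp != NULL` alone, so the before and after captures are not under the same condition. If the macro checks the auditing state itself this is harmless, but that is not visible here; using one guard for both, `if (AUDIT_vp != NULL && AUDITING_TD(curthread))`, would make the pairing explicit. Error paths between this point and `VOP_SETATTR` lie outside the hunks and may leave a record with only the first snapshot.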
@@ -585,7 +588,7 @@
}
error = VOP_SETATTR(vp, vap, cred);
if (AUDIT_vp != NULL)
- AUDIT_ARG_VNODE1(AUDIT_vp);
+ AUDIT_ARG_VNODE2(AUDIT_vp);
postat_ret = VOP_GETATTR(vp, vap, cred);
if (!error)
error = postat_ret;
==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit_bsm.c#16 (text) ====
@@ -1602,8 +1602,6 @@
case AUE_NFS_REMOVE:
case AUE_NFS_RMDIR:
case AUE_NFS_GETATTR:
- case AUE_NFS_SETATTR:
- case AUE_NFS_ACCESS:
case AUE_NFS_LOOKUP:
case AUE_NFS_COMMIT:
case AUE_NFS_PATHCONF:
@@ -1623,6 +1621,7 @@
case AUE_NFS_READ:
case AUE_NFS_WRITE:
+ case AUE_NFS_ACCESS:
if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
kau_write(rec, tok);
@@ -1660,9 +1659,22 @@
kau_write(rec, tok);
}
/* FALLTHROUGH */
-
+
+ case AUE_NFS_SETATTR:
+ UPATH1_VNODE1_TOKENS;
+ VNODE2_TOKENS;
+ if (ARG_IS_VALID(kar, ARG_TEXT)) {
+ tok = au_to_text(ar->ar_arg_text);
+ kau_write(rec, tok);
+ }
+ if (ARG_IS_VALID(kar, ARG_PROTOCOL)) {
+ tok = au_to_text(audit_protocol_to_text(ar->ar_arg_protocol));
+ kau_write(rec, tok);
+ }
+ break;
+
case AUE_NFS_LINK:
- case AUE_NFS_RENAME:
+ case AUE_NFS_RENAME:
UPATH1_VNODE1_TOKENS;
UPATH2_TOKENS;
if (ARG_IS_VALID(kar, ARG_TEXT)) {
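Review bot: Inserting `case AUE_NFS_SETATTR:` directly after the `/* FALLTHROUGH */` changes where the preceding case lands. It used to fall into the `AUE_NFS_LINK`/`AUE_NFS_RENAME` body and now runs the SETATTR body and stops at its `break`, so it emits `VNODE2_TOKENS` instead of `UPATH2_TOKENS`. The label of that preceding case is outside the hunk, so whether this is intended cannot be told from here; if it is, the comment should say so, e.g. `/* FALLTHROUGH to AUE_NFS_SETATTR: vnode, text and protocol tokens */`. If it is not, the preceding case needs its own token calls and `break`, or the new case should be placed after the LINK/RENAME body. A silent change in token layout matters to anything that parses these BSM records.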