svn commit: r195280 - in head/sys: kern security/audit

Robert Watson rwatson at FreeBSD.org
Thu Jul 2 09:15:31 UTC 2009


Author: rwatson
Date: Thu Jul  2 09:15:30 2009
New Revision: 195280
URL: http://svn.freebsd.org/changeset/base/195280

Log:
  Clean up a number of aspects of token generation from audit arguments to
  system calls:
  
  - Centralize generation of argument tokens for VM addresses in a macro,
    ADDR_TOKEN(), and properly encode 64-bit addresses in 64-bit arguments.
  - Fix up argument numbers across a large number of syscalls so that they
    match the numeric argument into the system call.
  - Don't audit the address argument to ioctl(2) or ptrace(2), but do keep
    generating tokens for mmap(2), minherit(2), since they relate to passing
    object access across execve(2).
  
  Approved by:	re (audit argument blanket)
  Obtained from:	TrustedBSD Project
  MFC after:	1 week

Modified:
  head/sys/kern/sys_process.c
  head/sys/security/audit/audit_bsm.c

Modified: head/sys/kern/sys_process.c
==============================================================================
--- head/sys/kern/sys_process.c	Thu Jul  2 04:56:11 2009	(r195279)
+++ head/sys/kern/sys_process.c	Thu Jul  2 09:15:30 2009	(r195280)
@@ -402,7 +402,6 @@ ptrace(struct thread *td, struct ptrace_
 #endif
 	AUDIT_ARG_PID(uap->pid);
 	AUDIT_ARG_CMD(uap->req);
-	AUDIT_ARG_ADDR(uap->addr);
 	AUDIT_ARG_VALUE(uap->data);
 	addr = &r;
 	switch (uap->req) {

Modified: head/sys/security/audit/audit_bsm.c
==============================================================================
--- head/sys/security/audit/audit_bsm.c	Thu Jul  2 04:56:11 2009	(r195279)
+++ head/sys/security/audit/audit_bsm.c	Thu Jul  2 09:15:30 2009	(r195280)
@@ -253,7 +253,7 @@ kau_free(struct au_record *rec)
 	}								\
 } while (0)
 
-#define	EXTATTR_TOKENS do {						\
+#define	EXTATTR_TOKENS(namespace_argnum) do {				\
 	if (ARG_IS_VALID(kar, ARG_VALUE)) {				\
 		switch (ar->ar_arg_value) {				\
 		case EXTATTR_NAMESPACE_USER:				\
@@ -263,8 +263,8 @@ kau_free(struct au_record *rec)
 			tok = au_to_text(EXTATTR_NAMESPACE_SYSTEM_STRING);\
 			break;						\
 		default:						\
-			tok = au_to_arg32(3, "attrnamespace",		\
-			    ar->ar_arg_value);				\
+			tok = au_to_arg32((namespace_argnum),		\
+			    "attrnamespace", ar->ar_arg_value);		\
 			break;						\
 		}							\
 		kau_write(rec, tok);					\
@@ -277,6 +277,24 @@ kau_free(struct au_record *rec)
 } while (0)
 
 /*
+ * Not all pointer arguments to system calls are of interest, but in some
+ * cases they reflect delegation of rights, such as mmap(2) falled by
+ * minherit(2) before execve(2), so do the best we can.
+ */
+#define	ADDR_TOKEN(argnum, argname) do {				\
+	if (ARG_IS_VALID(kar, ARG_ADDR)) {				\
+		if (sizeof(void *) == sizeof(uint32_t))			\
+			tok = au_to_arg32((argnum), (argname),		\
+			    (uint32_t)(uintptr_t)ar->ar_arg_addr);	\
+		else							\
+			tok = au_to_arg64((argnum), (argname),		\
+			    (uint64_t)(uintptr_t)ar->ar_arg_addr);	\
+		kau_write(rec, tok);					\
+	}								\
+} while (0)
+
+
+/*
  * Implement auditing for the auditon() system call. The audit tokens that
  * are generated depend on the command that was sent into the auditon()
  * system call.
@@ -286,21 +304,20 @@ audit_sys_auditon(struct audit_record *a
 {
 	struct au_token *tok;
 
+	tok = au_to_arg32(3, "length", ar->ar_arg_len);
+	kau_write(rec, tok);
 	switch (ar->ar_arg_cmd) {
 	case A_OLDSETPOLICY:
 		if ((size_t)ar->ar_arg_len == sizeof(int64_t)) {
-			tok = au_to_arg32(3, "length", ar->ar_arg_len);
-			kau_write(rec, tok);
 			tok = au_to_arg64(2, "policy",
 			    ar->ar_arg_auditon.au_policy64);
 			kau_write(rec, tok);
 			break;
 		}
 		/* FALLTHROUGH */
+
 	case A_SETPOLICY:
-		tok = au_to_arg32(3, "length", ar->ar_arg_len);
-		kau_write(rec, tok);
-		tok = au_to_arg32(1, "policy", ar->ar_arg_auditon.au_policy);
+		tok = au_to_arg32(2, "policy", ar->ar_arg_auditon.au_policy);
 		kau_write(rec, tok);
 		break;
 
@@ -315,8 +332,6 @@ audit_sys_auditon(struct audit_record *a
 
 	case A_OLDSETQCTRL:
 		if ((size_t)ar->ar_arg_len == sizeof(au_qctrl64_t)) {
-			tok = au_to_arg32(3, "length", ar->ar_arg_len);
-			kau_write(rec, tok);
 			tok = au_to_arg64(2, "setqctrl:aq_hiwater",
 			    ar->ar_arg_auditon.au_qctrl64.aq64_hiwater);
 			kau_write(rec, tok);
@@ -335,8 +350,9 @@ audit_sys_auditon(struct audit_record *a
 			break;
 		}
 		/* FALLTHROUGH */
+
 	case A_SETQCTRL:
-		tok = au_to_arg32(3, "setqctrl:aq_hiwater",
+		tok = au_to_arg32(2, "setqctrl:aq_hiwater",
 		    ar->ar_arg_auditon.au_qctrl.aq_hiwater);
 		kau_write(rec, tok);
 		tok = au_to_arg32(2, "setqctrl:aq_lowater",
@@ -354,17 +370,15 @@ audit_sys_auditon(struct audit_record *a
 		break;
 
 	case A_SETUMASK:
-		tok = au_to_arg32(3, "setumask:as_success",
+		tok = au_to_arg32(2, "setumask:as_success",
 		    ar->ar_arg_auditon.au_auinfo.ai_mask.am_success);
 		kau_write(rec, tok);
-		tok = au_to_arg32(3, "setumask:as_failure",
+		tok = au_to_arg32(2, "setumask:as_failure",
 		    ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure);
 		kau_write(rec, tok);
 		break;
 
 	case A_SETSMASK:
-		tok = au_to_arg32(3, "length", ar->ar_arg_len);
-		kau_write(rec, tok);
 		tok = au_to_arg32(2, "setsmask:as_success",
 		    ar->ar_arg_auditon.au_auinfo.ai_mask.am_success);
 		kau_write(rec, tok);
@@ -375,23 +389,19 @@ audit_sys_auditon(struct audit_record *a
 
 	case A_OLDSETCOND:
 		if ((size_t)ar->ar_arg_len == sizeof(int64_t)) {
-			tok = au_to_arg32(3, "length", ar->ar_arg_len);
-			kau_write(rec, tok);
 			tok = au_to_arg64(2, "setcond",
 			    ar->ar_arg_auditon.au_cond64);
 			kau_write(rec, tok);
 			break;
 		}
 		/* FALLTHROUGH */
+
 	case A_SETCOND:
-		tok = au_to_arg32(3, "length", ar->ar_arg_len);
-		kau_write(rec, tok);
-		tok = au_to_arg32(3, "setcond", ar->ar_arg_auditon.au_cond);
+		tok = au_to_arg32(2, "setcond", ar->ar_arg_auditon.au_cond);
 		kau_write(rec, tok);
 		break;
 
 	case A_SETCLASS:
-		tok = au_to_arg32(3, "length", ar->ar_arg_len);
 		kau_write(rec, tok);
 		tok = au_to_arg32(2, "setclass:ec_event",
 		    ar->ar_arg_auditon.au_evclass.ec_number);
@@ -402,8 +412,6 @@ audit_sys_auditon(struct audit_record *a
 		break;
 
 	case A_SETPMASK:
-		tok = au_to_arg32(3, "length", ar->ar_arg_len);
-		kau_write(rec, tok);
 		tok = au_to_arg32(2, "setpmask:as_success",
 		    ar->ar_arg_auditon.au_aupinfo.ap_mask.am_success);
 		kau_write(rec, tok);
@@ -413,8 +421,6 @@ audit_sys_auditon(struct audit_record *a
 		break;
 
 	case A_SETFSIZE:
-		tok = au_to_arg32(3, "length", ar->ar_arg_len);
-		kau_write(rec, tok);
 		tok = au_to_arg32(2, "setfsize:filesize",
 		    ar->ar_arg_auditon.au_fstat.af_filesz);
 		kau_write(rec, tok);
@@ -530,13 +536,13 @@ kaudit_to_bsm(struct kaudit_record *kar,
 	case AUE_SOCKET:
 	case AUE_SOCKETPAIR:
 		if (ARG_IS_VALID(kar, ARG_SOCKINFO)) {
-			tok = au_to_arg32(1,"domain",
+			tok = au_to_arg32(1, "domain",
 			    ar->ar_arg_sockinfo.so_domain);
 			kau_write(rec, tok);
-			tok = au_to_arg32(2,"type",
+			tok = au_to_arg32(2, "type",
 			    ar->ar_arg_sockinfo.so_type);
 			kau_write(rec, tok);
-			tok = au_to_arg32(3,"protocol",
+			tok = au_to_arg32(3, "protocol",
 			    ar->ar_arg_sockinfo.so_protocol);
 			kau_write(rec, tok);
 		}
@@ -734,7 +740,7 @@ kaudit_to_bsm(struct kaudit_record *kar,
 	case AUE_EACCESS:
 		UPATH1_VNODE1_TOKENS;
 		if (ARG_IS_VALID(kar, ARG_VALUE)) {
-			tok = au_to_arg32(1, "mode", ar->ar_arg_value);
+			tok = au_to_arg32(2, "mode", ar->ar_arg_value);
 			kau_write(rec, tok);
 		}
 		break;
@@ -784,7 +790,7 @@ kaudit_to_bsm(struct kaudit_record *kar,
 
 	case AUE_CLOSE:
 		if (ARG_IS_VALID(kar, ARG_FD)) {
-			tok = au_to_arg32(2, "fd", ar->ar_arg_fd);
+			tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
 			kau_write(rec, tok);
 		}
 		UPATH1_VNODE1_TOKENS;
@@ -792,7 +798,7 @@ kaudit_to_bsm(struct kaudit_record *kar,
 
 	case AUE_CORE:
 		if (ARG_IS_VALID(kar, ARG_SIGNUM)) {
-			tok = au_to_arg32(0, "signal", ar->ar_arg_signum);
+			tok = au_to_arg32(1, "signal", ar->ar_arg_signum);
 			kau_write(rec, tok);
 		}
 		UPATH1_VNODE1_TOKENS;
@@ -807,7 +813,7 @@ kaudit_to_bsm(struct kaudit_record *kar,
 		/* extattrctl(2) filename parameter is in upath2/vnode2 */
 		UPATH2_TOKENS;
 		VNODE2_TOKENS;
-		EXTATTR_TOKENS;
+		EXTATTR_TOKENS(4);
 		break;
 
 	case AUE_EXTATTR_GET_FILE:
@@ -819,7 +825,7 @@ kaudit_to_bsm(struct kaudit_record *kar,
 	case AUE_EXTATTR_LIST_LINK:
 	case AUE_EXTATTR_DELETE_LINK:
 		UPATH1_VNODE1_TOKENS;
-		EXTATTR_TOKENS;
+		EXTATTR_TOKENS(2);
 		break;
 
 	case AUE_EXTATTR_GET_FD:
@@ -830,7 +836,7 @@ kaudit_to_bsm(struct kaudit_record *kar,
 			tok = au_to_arg32(2, "fd", ar->ar_arg_fd);
 			kau_write(rec, tok);
 		}
-		EXTATTR_TOKENS;
+		EXTATTR_TOKENS(2);
 		break;
 
 	case AUE_FEXECVE:
@@ -945,11 +951,6 @@ kaudit_to_bsm(struct kaudit_record *kar,
 			tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd);
 			kau_write(rec, tok);
 		}
-		if (ARG_IS_VALID(kar, ARG_ADDR)) {
-			tok = au_to_arg32(1, "arg",
-			    (u_int32_t)(uintptr_t)ar->ar_arg_addr);
-			kau_write(rec, tok);
-		}
 		if (ARG_IS_VALID(kar, ARG_VNODE1))
 			FD_VNODE1_TOKENS;
 		else {
@@ -995,11 +996,7 @@ kaudit_to_bsm(struct kaudit_record *kar,
 		break;
 
 	case AUE_LOADSHFILE:
-		if (ARG_IS_VALID(kar, ARG_ADDR)) {
-			tok = au_to_arg32(4, "base addr",
-			    (u_int32_t)(uintptr_t)ar->ar_arg_addr);
-			kau_write(rec, tok);
-		}
+		ADDR_TOKEN(4, "base addr");
 		UPATH1_VNODE1_TOKENS;
 		break;
 
@@ -1029,11 +1026,7 @@ kaudit_to_bsm(struct kaudit_record *kar,
 	case AUE_MLOCK:
 	case AUE_MUNLOCK:
 	case AUE_MINHERIT:
-		if (ARG_IS_VALID(kar, ARG_ADDR)) {
-			tok = au_to_arg32(1, "addr",
-			    (u_int32_t)(uintptr_t)ar->ar_arg_addr);
-			kau_write(rec, tok);
-		}
+		ADDR_TOKEN(1, "addr");
 		if (ARG_IS_VALID(kar, ARG_LEN)) {
 			tok = au_to_arg32(2, "len", ar->ar_arg_len);
 			kau_write(rec, tok);
@@ -1071,14 +1064,14 @@ kaudit_to_bsm(struct kaudit_record *kar,
 
 	case AUE_NFS_SVC:
 		if (ARG_IS_VALID(kar, ARG_CMD)) {
-			tok = au_to_arg32(1, "request", ar->ar_arg_cmd);
+			tok = au_to_arg32(1, "flags", ar->ar_arg_cmd);
 			kau_write(rec, tok);
 		}
 		break;
 
 	case AUE_UMOUNT:
 		if (ARG_IS_VALID(kar, ARG_VALUE)) {
-			tok = au_to_arg32(1, "flags", ar->ar_arg_value);
+			tok = au_to_arg32(2, "flags", ar->ar_arg_value);
 			kau_write(rec, tok);
 		}
 		UPATH1_VNODE1_TOKENS;
@@ -1113,11 +1106,7 @@ kaudit_to_bsm(struct kaudit_record *kar,
 		break;
 
 	case AUE_RESETSHFILE:
-		if (ARG_IS_VALID(kar, ARG_ADDR)) {
-			tok = au_to_arg32(1, "base addr",
-			    (u_int32_t)(uintptr_t)ar->ar_arg_addr);
-			kau_write(rec, tok);
-		}
+		ADDR_TOKEN(1, "base addr");
 		break;
 
 	case AUE_OPEN_RC:
@@ -1151,11 +1140,6 @@ kaudit_to_bsm(struct kaudit_record *kar,
 			tok = au_to_arg32(1, "request", ar->ar_arg_cmd);
 			kau_write(rec, tok);
 		}
-		if (ARG_IS_VALID(kar, ARG_ADDR)) {
-			tok = au_to_arg32(3, "addr",
-			    (u_int32_t)(uintptr_t)ar->ar_arg_addr);
-			kau_write(rec, tok);
-		}
 		if (ARG_IS_VALID(kar, ARG_VALUE)) {
 			tok = au_to_arg32(4, "data", ar->ar_arg_value);
 			kau_write(rec, tok);
@@ -1172,6 +1156,10 @@ kaudit_to_bsm(struct kaudit_record *kar,
 			tok = au_to_arg32(3, "uid", ar->ar_arg_uid);
 			kau_write(rec, tok);
 		}
+		if (ARG_IS_VALID(kar, ARG_GID)) {
+			tok = au_to_arg32(3, "gid", ar->ar_arg_gid);
+			kau_write(rec, tok);
+		}
 		UPATH1_VNODE1_TOKENS;
 		break;
 
@@ -1210,14 +1198,14 @@ kaudit_to_bsm(struct kaudit_record *kar,
 
 	case AUE_SETEGID:
 		if (ARG_IS_VALID(kar, ARG_EGID)) {
-			tok = au_to_arg32(1, "gid", ar->ar_arg_egid);
+			tok = au_to_arg32(1, "egid", ar->ar_arg_egid);
 			kau_write(rec, tok);
 		}
 		break;
 
 	case AUE_SETEUID:
 		if (ARG_IS_VALID(kar, ARG_EUID)) {
-			tok = au_to_arg32(1, "uid", ar->ar_arg_euid);
+			tok = au_to_arg32(1, "euid", ar->ar_arg_euid);
 			kau_write(rec, tok);
 		}
 		break;
@@ -1315,8 +1303,9 @@ kaudit_to_bsm(struct kaudit_record *kar,
 			tok = au_to_arg32(2, "who", ar->ar_arg_uid);
 			kau_write(rec, tok);
 		}
+		PROCESS_PID_TOKENS(2);
 		if (ARG_IS_VALID(kar, ARG_VALUE)) {
-			tok = au_to_arg32(2, "priority", ar->ar_arg_value);
+			tok = au_to_arg32(3, "priority", ar->ar_arg_value);
 			kau_write(rec, tok);
 		}
 		break;
@@ -1509,12 +1498,9 @@ kaudit_to_bsm(struct kaudit_record *kar,
 		break;
 
 	case AUE_WAIT4:
-		if (ARG_IS_VALID(kar, ARG_PID)) {
-			tok = au_to_arg32(0, "pid", ar->ar_arg_pid);
-			kau_write(rec, tok);
-		}
+		PROCESS_PID_TOKENS(1);
 		if (ARG_IS_VALID(kar, ARG_VALUE)) {
-			tok = au_to_arg32(0, "options", ar->ar_arg_value);
+			tok = au_to_arg32(3, "options", ar->ar_arg_value);
 			kau_write(rec, tok);
 		}
 		break;


More information about the svn-src-all mailing list