svn commit: r245573 - head/sys/security/audit

Christian S.J. Peron csjp at FreeBSD.org
Thu Jan 17 21:02:55 UTC 2013


Author: csjp
Date: Thu Jan 17 21:02:53 2013
New Revision: 245573
URL: http://svnweb.freebsd.org/changeset/base/245573

Log:
  Implement the zonename token for jailed processes.  If
  a process has an auditid/preselection masks specified, and
  is jailed, include the zonename (jailname) token as a
  part of the audit record.
  
  Reviewed by:	pjd
  MFC after:	2 weeks

Modified:
  head/sys/security/audit/audit.c
  head/sys/security/audit/audit_bsm.c
  head/sys/security/audit/audit_private.h

Modified: head/sys/security/audit/audit.c
==============================================================================
--- head/sys/security/audit/audit.c	Thu Jan 17 20:21:56 2013	(r245572)
+++ head/sys/security/audit/audit.c	Thu Jan 17 21:02:53 2013	(r245573)
@@ -38,6 +38,7 @@ __FBSDID("$FreeBSD$");
 #include <sys/filedesc.h>
 #include <sys/fcntl.h>
 #include <sys/ipc.h>
+#include <sys/jail.h>
 #include <sys/kernel.h>
 #include <sys/kthread.h>
 #include <sys/malloc.h>
@@ -211,6 +212,7 @@ audit_record_ctor(void *mem, int size, v
 	struct kaudit_record *ar;
 	struct thread *td;
 	struct ucred *cred;
+	struct prison *pr;
 
 	KASSERT(sizeof(*ar) == size, ("audit_record_ctor: wrong size"));
 
@@ -233,6 +235,17 @@ audit_record_ctor(void *mem, int size, v
 	ar->k_ar.ar_subj_pid = td->td_proc->p_pid;
 	ar->k_ar.ar_subj_amask = cred->cr_audit.ai_mask;
 	ar->k_ar.ar_subj_term_addr = cred->cr_audit.ai_termid;
+	/*
+	 * If this process is jailed, make sure we capture the name of the
+	 * jail so we can use it to generate a zonename token when we covert
+	 * this record to BSM.
+	 */
+	if (jailed(cred)) {
+		pr = cred->cr_prison;
+		(void) strlcpy(ar->k_ar.ar_jailname, pr->pr_name,
+		    sizeof(ar->k_ar.ar_jailname));
+	} else
+		ar->k_ar.ar_jailname[0] = '\0';
 	return (0);
 }
 
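Review bot: The `(void) strlcpy(...)` into `ar_jailname` discards the truncation result, so a jail name longer than the destination would be recorded shortened and could be attributed to the wrong jail when the audit trail is read. The copy is lossless only if `pr_name` is no larger than `ar_jailname` (declared as `MAXHOSTNAMELEN` bytes in audit_private.h by this commit); the size of `pr_name` is not visible here, so a compile-time check such as `CTASSERT(sizeof(pr->pr_name) <= sizeof(ar->k_ar.ar_jailname));` would pin that assumption. `pr_name` is also read with no prison lock visible in the hunk; if a jail can be renamed while it is running, confirm the locking rule for this field or add a comment saying why an unlocked read is acceptable. The new comment has a typo: `covert` should be `convert`. audit_record_ctor begins outside the hunk, so the earlier setup of `cred` is not reviewed here.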

Modified: head/sys/security/audit/audit_bsm.c
==============================================================================
--- head/sys/security/audit/audit_bsm.c	Thu Jan 17 20:21:56 2013	(r245572)
+++ head/sys/security/audit/audit_bsm.c	Thu Jan 17 21:02:53 2013	(r245573)
@@ -462,7 +462,7 @@ audit_sys_auditon(struct audit_record *a
 int
 kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau)
 {
-	struct au_token *tok, *subj_tok;
+	struct au_token *tok, *subj_tok, *jail_tok;
 	struct au_record *rec;
 	au_tid_t tid;
 	struct audit_record *ar;
@@ -475,8 +475,13 @@ kaudit_to_bsm(struct kaudit_record *kar,
 	rec = kau_open();
 
 	/*
-	 * Create the subject token.
+	 * Create the subject token.  If this credential was jailed be sure to
+	 * generate a zonename token.
 	 */
+	if (ar->ar_jailname[0] != '\0')
+		jail_tok = au_to_zonename(ar->ar_jailname);
+	else
+		jail_tok = NULL;
 	switch (ar->ar_subj_term_addr.at_type) {
 	case AU_IPv4:
 		tid.port = ar->ar_subj_term_addr.at_port;
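Review bot: `jail_tok` is allocated here, before the subject-token switch, but ownership passes to the record only at the two `kau_write(rec, jail_tok)` calls much later in kaudit_to_bsm. Any return path between this point and those writes would leak the token. The visible hunks cover only the BSM_NOAUDIT path, so it is worth confirming that no other early return exists, or moving the `au_to_zonename()` call next to the writes. If `au_to_zonename()` can return NULL on failure (not visible here), that case is indistinguishable from "not jailed" and the record would silently lack its zonename token; a comment stating which of the two is possible would help. The function body continues well beyond this hunk.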
@@ -1623,11 +1628,15 @@ kaudit_to_bsm(struct kaudit_record *kar,
 		/*
 		 * Write the subject token so it is properly freed here.
 		 */
+		if (jail_tok != NULL)
+			kau_write(rec, jail_tok);
 		kau_write(rec, subj_tok);
 		kau_free(rec);
 		return (BSM_NOAUDIT);
 	}
 
+	if (jail_tok != NULL)
+		kau_write(rec, jail_tok);
 	kau_write(rec, subj_tok);
 	tok = au_to_return32(au_errno_to_bsm(ar->ar_errno), ar->ar_retval);
 	kau_write(rec, tok);  /* Every record gets a return token */
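Review bot: The comment on the BSM_NOAUDIT path still says only the subject token is written so that it is freed, but the added lines now write `jail_tok` there for the same reason. It should be updated, for example to `Write the jail and subject tokens so they are properly freed here.` The same `if (jail_tok != NULL) kau_write(rec, jail_tok);` pair appears on both the error path and the normal path. A one-line comment at the second site, noting that the zonename token is deliberately emitted ahead of the subject token, would make the intended token order explicit for anyone parsing the resulting BSM records. kaudit_to_bsm starts and ends outside this hunk.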

Modified: head/sys/security/audit/audit_private.h
==============================================================================
--- head/sys/security/audit/audit_private.h	Thu Jan 17 20:21:56 2013	(r245572)
+++ head/sys/security/audit/audit_private.h	Thu Jan 17 21:02:53 2013	(r245573)
@@ -230,6 +230,7 @@ struct audit_record {
 	int			ar_arg_exitretval;
 	struct sockaddr_storage ar_arg_sockaddr;
 	cap_rights_t		ar_arg_rights;
+	char			ar_jailname[MAXHOSTNAMELEN];
 };
 
 /*
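Review bot: The new `ar_jailname` field has no comment saying when it is filled or what an empty value means, although the consumer in audit_bsm.c treats `ar_jailname[0] == '\0'` as "not jailed". A short comment on the field would document that contract, e.g. `/* Jail name of the subject at record creation; empty if not jailed. */`. The size `MAXHOSTNAMELEN` presumably mirrors the jail name buffer in struct prison; if that is the intent, say so in the comment so the two sizes are kept in step.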

