svn commit: r361103 - in head/sys: kern security/audit

Christian S.J. Peron csjp at FreeBSD.org
Sat May 16 03:45:16 UTC 2020


Author: csjp
Date: Sat May 16 03:45:15 2020
New Revision: 361103
URL: https://svnweb.freebsd.org/changeset/base/361103

Log:
  Add BSM record conversion for a number of syscalls:
  
  - thr_kill(2) and thr_exit(2) generally (no argument auditing here).
  - A set of syscalls for the process descriptor family, specifically:
    pdfork(2), pdgetpid(2) and pdkill(2)
  
    For these syscalls, audit the file descriptor. In the case of pdfork(2)
    a pointer to an integer (file descriptor) is passed in as an argument.
    We audit the post initialized file descriptor (not the random garbage
    that would have been passed in). We will also audit the child process
    which was created from the fork operation (similar to what is done for
    the fork(2) syscall).
  
    pdkill(2) we audit the signal value and fd, and finally pdgetpid(2)
    just the file descriptor:
  
  - Following is a sample of the produced audit trails:
  
    header,111,11,pdfork(2),0,Sat May 16 03:07:50 2020, + 394 msec
    argument,0,0x39d,child PID
    argument,2,0x2,flags
    argument,1,0x8,fd
    subject,root,root,0,root,0,924,0,0,0.0.0.0
    return,success,925
  
    header,79,11,pdgetpid(2),0,Sat May 16 03:07:50 2020, + 394 msec
    argument,1,0x8,fd
    subject,root,root,0,root,0,924,0,0,0.0.0.0
    return,success,0
    trailer,79
  
    header,135,11,pdkill(2),0,Sat May 16 03:07:50 2020, + 395 msec
    argument,1,0x8,fd
    argument,2,0xf,signal
    process_ex,root,root,0,root,0,925,0,0,0.0.0.0
    subject,root,root,0,root,0,924,0,0,0.0.0.0
    return,success,0
    trailer,135
  
  MFC after:      1 week

Modified:
  head/sys/kern/kern_fork.c
  head/sys/security/audit/audit_bsm.c

Modified: head/sys/kern/kern_fork.c
==============================================================================
--- head/sys/kern/kern_fork.c	Sat May 16 03:33:28 2020	(r361102)
+++ head/sys/kern/kern_fork.c	Sat May 16 03:45:15 2020	(r361103)
@@ -128,6 +128,7 @@ sys_pdfork(struct thread *td, struct pdfork_args *uap)
 	fr.fr_pidp = &pid;
 	fr.fr_pd_fd = &fd;
 	fr.fr_pd_flags = uap->flags;
+	AUDIT_ARG_FFLAGS(uap->flags);
 	/*
 	 * It is necessary to return fd by reference because 0 is a valid file
 	 * descriptor number, and the child needs to be able to distinguish
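Review bot: The value recorded on the added `AUDIT_ARG_FFLAGS(uap->flags)` line is the pdfork(2) flag word, but it is stored through the fflags argument slot that elsewhere carries open-style file flags, and nothing in the hunk says so. A one-line comment would keep a later reader from assuming it is a file-flags value, e.g. `/* pdfork(2) flags are recorded in the generic fflags argument slot. */`. sys_pdfork's body starts and ends outside the hunk.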
@@ -909,6 +910,7 @@ fork1(struct thread *td, struct fork_req *fr)
 		    fr->fr_pd_flags, fr->fr_pd_fcaps);
 		if (error != 0)
 			goto fail2;
+		AUDIT_ARG_FD(*fr->fr_pd_fd);
 	}
 
 	mem_charged = 0;
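Review bot: The added `AUDIT_ARG_FD(*fr->fr_pd_fd)` records the descriptor inside fork1() rather than in sys_pdfork(), and nothing explains the placement; a short comment would make it deliberate, e.g. `/* The descriptor number is only known once allocated, so audit it here rather than in sys_pdfork(). */`. The value is also recorded before the fork has completed, so if a later failure path closes the descriptor the record still carries it; that is presumably acceptable because the return token reports the failure, but it is worth stating next to the call. fork1's body starts and ends outside the hunk.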

Modified: head/sys/security/audit/audit_bsm.c
==============================================================================
--- head/sys/security/audit/audit_bsm.c	Sat May 16 03:33:28 2020	(r361102)
+++ head/sys/security/audit/audit_bsm.c	Sat May 16 03:45:15 2020	(r361103)
@@ -1317,6 +1317,38 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_rec
 		UPATH1_VNODE1_TOKENS;
 		break;
 
+	case AUE_PDKILL:
+		if (ARG_IS_VALID(kar, ARG_FD)) {
+			tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
+			kau_write(rec, tok);
+		}
+		if (ARG_IS_VALID(kar, ARG_SIGNUM)) {
+			tok = au_to_arg32(2, "signal", ar->ar_arg_signum);
+			kau_write(rec, tok);
+		}
+		PROCESS_PID_TOKENS(1);
+		break;
+	case AUE_PDFORK:
+		if (ARG_IS_VALID(kar, ARG_PID)) {
+			tok = au_to_arg32(0, "child PID", ar->ar_arg_pid);
+			kau_write(rec, tok);
+		}
+		if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
+			tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
+			kau_write(rec, tok);
+		}
+		if (ARG_IS_VALID(kar, ARG_FD)) {
+			tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
+			kau_write(rec, tok);
+		}
+		break;
+	case AUE_PDGETPID:
+		if (ARG_IS_VALID(kar, ARG_FD)) {
+			tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
+			kau_write(rec, tok);
+		}
+		break;
+
 	case AUE_PROCCTL:
 		if (ARG_IS_VALID(kar, ARG_VALUE)) {
 			tok = au_to_arg32(1, "idtype", ar->ar_arg_value);
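Review bot: In the AUE_PDKILL case, `PROCESS_PID_TOKENS(1)` passes argument slot 1, which the fd token a few lines above already uses; if the macro's fallback (ARG_PROCESS not valid but ARG_PID valid) emits an arg32 token numbered by that parameter, as it appears to for kill(2), two different arguments would share slot 1 in the record. Since pdkill(2) has no pid argument, the slot choice deserves a comment, e.g. `/* pid comes from the descriptor, not a syscall argument; slot 1 is only used by the ARG_PID fallback. */`, or a slot that does not collide with fd. Separately, the AUE_PDFORK case writes its tokens as slots 0, 2, 1, which is the order the sample trail in the log shows; emitting the fd token before the flags token would keep the record in argument order. kaudit_to_bsm() starts and ends outside the hunk.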
@@ -1747,6 +1779,8 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_rec
 		break;
 
 	case AUE_THR_NEW:
+	case AUE_THR_KILL:
+	case AUE_THR_EXIT:
 		break;
 
 	case AUE_NULL:

