PERFORCE change 90076 for review

Wayne Salamon wsalamon at FreeBSD.org
Sat Jan 21 05:49:40 PST 2006


http://perforce.freebsd.org/chv.cgi?CH=90076

Change 90076 by wsalamon at gretsch on 2006/01/21 13:48:47

	Audit the mount() and unmount() system calls; nmount() still to come.
	For mount(), we copy in the user path explicitly for audit because
	there are many possible error exits before the path is normally
	copied in.

Affected files ...

.. //depot/projects/trustedbsd/audit3/sys/kern/vfs_mount.c#6 edit

Differences ...

==== //depot/projects/trustedbsd/audit3/sys/kern/vfs_mount.c#6 (text+ko) ====

@@ -58,6 +58,8 @@
 #include <sys/systm.h>
 #include <sys/vnode.h>
 
+#include <security/audit/audit.h>
+
 #include <geom/geom.h>
 
 #include <machine/stdarg.h>
@@ -366,6 +368,11 @@
 	int error;
 	u_int iovcnt;
 
+	/* XXXAUDIT Audit is not complete for nmount() yet; need to create
+	 * a new audit event. 
+	 */
+	AUDIT_ARG(fflags, uap->flags);
+
 	/* Kick out MNT_ROOTFS early as it is legal internally */
 	if (uap->flags & MNT_ROOTFS)
 		return (EINVAL);
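Review bot: The new multi-line comment at L37-L39 puts text on the `/*` line and leaves trailing whitespace after `event.` on L38, which differs from the form the rest of this file uses (`/*` alone on the first line, as in the comments visible at L50-L52 and L107-L109) and from style(9). The same opening form is used by the added comments at L66-L69, L79-L82 and L97-L102 in the later mount() hunks. Rewrapping each so the first line is a bare `/*` and stripping the trailing blank keeps the file consistent; the XXXAUDIT tag itself is fine as a marker for the pending nmount() event. The enclosing nmount() body starts before and ends after this hunk.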
@@ -488,7 +495,6 @@
 		error = EINVAL;
 		goto bail;
 	}
-
 	/*
 	 * Be ultra-paranoid about making sure the type and fspath
 	 * variables will fit in our mp buffers, including the
@@ -536,6 +542,8 @@
 	struct mntarg *ma = NULL;
 	int error;
 
+	AUDIT_ARG(fflags, uap->flags);
+
 	/* Kick out MNT_ROOTFS early as it is legal internally */
 	uap->flags &= ~MNT_ROOTFS;
 
@@ -545,11 +553,30 @@
 	fstype = malloc(MFSNAMELEN, M_TEMP, M_WAITOK);
 	error = copyinstr(uap->type, fstype, MFSNAMELEN, NULL);
 	if (!error) {
+		/* Audit the fstype here, even though it will be copied
+		 * again later. But if an error is detected, it won't get
+		 * copied later, so grab as much info as possible.
+		 */
+		AUDIT_ARG(text, fstype);
 		mtx_lock(&Giant);	/* XXX ? */
 		vfsp = vfs_byname_kld(fstype, td, &error);
 		mtx_unlock(&Giant);
 	}
 	free(fstype, M_TEMP);
+
+#ifdef AUDIT
+	{
+		/* Even though it will get captured again during vnode lookup,
+		 * capture the user-supplied path here because there are several
+		 * error-out cases before the lookup, or the lookup may fail.
+		 */
+		char *pathbuf = malloc(MNAMELEN, M_TEMP, M_WAITOK);
+		error = copyinstr(uap->path, pathbuf, MNAMELEN, NULL);
+		if (!error)
+			AUDIT_ARG(upath, td, pathbuf, ARG_UPATH1);
+		free(pathbuf, M_TEMP);
+	}
+#endif
 	if (error)
 		return (error);
 	if (vfsp == NULL)
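Review bot: The `copyinstr(uap->path, ...)` inside the `#ifdef AUDIT` block at L84 assigns to `error`, so a failure from the earlier `copyinstr(uap->type, ...)` or from `vfs_byname_kld()` is overwritten when the path copy succeeds, the `if (error)` at L90 no longer fires, and control falls through to the `vfsp == NULL` test (or to the `vfsp->vfc_vfsops` dereference if `vfsp` is not initialised to NULL; its declaration is outside the hunk). Conversely a failing path copy is now returned as the syscall's error, so `mount()`'s result comes to depend on whether AUDIT is compiled in. Since the intent is to capture the path even on the error exits, keep the audit result in its own local: `int aerror = copyinstr(uap->path, pathbuf, MNAMELEN, NULL);` followed by `if (aerror == 0) AUDIT_ARG(upath, td, pathbuf, ARG_UPATH1);`. Whether MNAMELEN is the right bound for a user-supplied path here, rather than the buffer size the unmount() path uses, is worth confirming against that code, which is outside this hunk. The enclosing mount() body begins before this hunk.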
@@ -563,6 +590,12 @@
 	ma = mount_argb(ma, !(uap->flags & MNT_NOSUID), "nosuid");
 	ma = mount_argb(ma, !(uap->flags & MNT_NOEXEC), "noexec");
 
+	/* Note that for auditing purposes, the we depend on the 
+	 * file system cmount function to call kernel_mount(), which
+	 * calls vfs_donmount(), and that is where the user path and
+	 * type information is copied into the kernel; only then can
+	 * we capture the path information for auditing.
+	 */
 	error = vfsp->vfc_vfsops->vfs_cmount(ma, uap->data, uap->flags, td);
 	return (error);
 }
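Review bot: The added comment at L97 reads `the we depend on the` and carries trailing whitespace; it should read `Note that for auditing purposes we depend on the`. The chain it describes (cmount to kernel_mount() to vfs_donmount()) is where the path is later captured via the AUDITVNODE1 lookup, so the comment is useful once the wording is fixed. The enclosing mount() body begins before this hunk.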
@@ -620,7 +653,8 @@
 	/*
 	 * Get vnode to be covered
 	 */
-	NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF, UIO_SYSSPACE, fspath, td);
+	NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF | AUDITVNODE1, UIO_SYSSPACE,
+	    fspath, td);
 	if ((error = namei(&nd)) != 0)
 		return (error);
 	NDFREE(&nd, NDF_ONLY_PNBUF);
@@ -845,6 +879,7 @@
 		free(pathbuf, M_TEMP);
 		return (error);
 	}
+	AUDIT_ARG(upath, td, pathbuf, ARG_UPATH1);
 	if (uap->flags & MNT_BYFSID) {
 		/* Decode the filesystem ID. */
 		if (sscanf(pathbuf, "FSID:%d:%d", &id0, &id1) != 2) {
@@ -878,6 +913,21 @@
 		return ((uap->flags & MNT_BYFSID) ? ENOENT : EINVAL);
 	}
 
+#ifdef AUDIT
+	{
+		int vfslocked;
+		struct vnode *vp = mp->mnt_vnodecovered;
+
+		if (vp != NULL) {
+			vfslocked = VFS_LOCK_GIANT(vp->v_mount);
+			vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
+			AUDIT_ARG(vnode, vp, ARG_VNODE1);
+			VOP_UNLOCK(vp, 0, td);
+			VFS_UNLOCK_GIANT(vfslocked);
+		}
+	}
+#endif
+
 	/*
 	 * Only privileged root, or (if MNT_USER is set) the user that did the
 	 * original mount is permitted to unmount this filesystem.
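Review bot: The covered vnode is locked exclusively at L135 solely so that `AUDIT_ARG(vnode, ...)` can be called, and it is reached through `mp` with no reference on the mount point visible in this hunk, so the `vp->v_mount` read at L134 and the `vn_lock()` depend on `mp` staying valid across the unlocked window after the mountlist scan (the scan and the rest of unmount() are outside the hunk). If dounmount() locks the covered vnode itself, capturing the audit vnode there would avoid a second lock/unlock cycle and the lifetime question; if the capture must stay here, a short comment above `vn_lock` explaining that the vnode audit capture presumably reads vnode attributes and so needs the lock, e.g. `/* Vnode audit capture needs vp locked. */`, would make the otherwise surprising lock-for-read obvious to the next reader.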

