PERFORCE change 145348 for review
Diego Giagio
diego at FreeBSD.org
Wed Jul 16 22:42:37 UTC 2008
http://perforce.freebsd.org/chv.cgi?CH=145348
Change 145348 by diego at diego_black on 2008/07/16 22:42:24
Finish audit support for pf admin events.
Affected files ...
.. //depot/projects/soc2008/diego-audit/src/sys/contrib/pf/net/pf_ioctl.c#7 edit
.. //depot/projects/soc2008/diego-audit/src/sys/security/audit/audit.h#10 edit
.. //depot/projects/soc2008/diego-audit/src/sys/security/audit/audit_pfil.c#8 edit
Differences ...
==== //depot/projects/soc2008/diego-audit/src/sys/contrib/pf/net/pf_ioctl.c#7 (text+ko) ====
@@ -2933,6 +2933,8 @@
error = pfr_add_addrs(&io->pfrio_table, io->pfrio_buffer,
io->pfrio_size, &io->pfrio_nadd, io->pfrio_flags |
PFR_FLAG_USERIOCTL);
+ AUDIT_CALL(audit_pf_addtable(io->pfrio_table.pfrt_anchor,
+ io->pfrio_table.pfrt_name, io->pfrio_nadd, error));
break;
}
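Review bot: The new AUDIT_CALL passes `io->pfrio_nadd` regardless of `error`, but pfrio_nadd is an output of pfr_add_addrs() and on a failed call presumably still holds whatever the caller copied in with the ioctl argument, so a rejected DIOCRADDADDRS would be audited with a count the kernel never produced. The DIOCRDELADDRS and DIOCRSETADDRS hunks below have the same shape with pfrio_ndel / pfrio_nchange. Consider `io->pfrio_nadd` → `error ? 0 : io->pfrio_nadd` (and likewise in the other two hunks), or a comment on the call stating that the count is only meaningful when error == 0. Note also that `pfrt_anchor` and `pfrt_name` are user-supplied fixed-size arrays that end up behind `%s` in pf_table_to_text(); if pf validates name termination inside pfr_add_addrs() rather than before this point, an unterminated name is precisely the failing case that still reaches the formatter, so it is worth confirming the termination guarantee or bounding the print. The enclosing ioctl handler starts and ends outside the hunk.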
@@ -2946,6 +2948,8 @@
error = pfr_del_addrs(&io->pfrio_table, io->pfrio_buffer,
io->pfrio_size, &io->pfrio_ndel, io->pfrio_flags |
PFR_FLAG_USERIOCTL);
+ AUDIT_CALL(audit_pf_deltable(io->pfrio_table.pfrt_anchor,
+ io->pfrio_table.pfrt_name, io->pfrio_ndel, error));
break;
}
@@ -2960,6 +2964,12 @@
io->pfrio_size, &io->pfrio_size2, &io->pfrio_nadd,
&io->pfrio_ndel, &io->pfrio_nchange, io->pfrio_flags |
PFR_FLAG_USERIOCTL, 0);
+ AUDIT_CALL(audit_pf_deltable(io->pfrio_table.pfrt_anchor,
+ io->pfrio_table.pfrt_name, io->pfrio_ndel +
+ io->pfrio_nchange, error));
+ AUDIT_CALL(audit_pf_addtable(io->pfrio_table.pfrt_anchor,
+ io->pfrio_table.pfrt_name, io->pfrio_nadd +
+ io->pfrio_nchange, error));
break;
}
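Review bot: `io->pfrio_nchange` is folded into both the deltable and the addtable record, so every changed entry is counted twice across the two records and a reader of the trail cannot recover the three distinct counts pfr_set_addrs() reports. Either pass the raw counts (`io->pfrio_ndel` to audit_pf_deltable, `io->pfrio_nadd` to audit_pf_addtable) and document in a comment that changed entries are not represented, or emit the two records with a comment such as `/* A changed entry is reported as one delete plus one add. */` so the double counting is deliberate and visible. Both records also carry the same `error`, which is fine but worth a one-line comment since a failed set leaves all three counts unverified. The enclosing ioctl handler starts and ends outside the hunk.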
==== //depot/projects/soc2008/diego-audit/src/sys/security/audit/audit.h#10 (text) ====
@@ -140,6 +140,8 @@
void audit_pf_addrule(char *anchor, int nrules, int error);
void audit_pf_delrule(char *anchor, int error);
void audit_pf_flush(char *anchor, int nrules, int error);
+void audit_pf_addtable(char *anchor, char *table, int nadd, int error);
+void audit_pf_deltable(char *anchor, char *table, int ndel, int error);
/*
* The remaining kernel functions are conditionally compiled in as they are
==== //depot/projects/soc2008/diego-audit/src/sys/security/audit/audit_pfil.c#8 (text+ko) ====
@@ -274,3 +274,49 @@
audit_commit(ar, error, 0);
}
+static void
+pf_table_to_text(char *anchor, char *table, int nentries, struct sbuf *sb)
+{
+ sbuf_printf(sb, "pf: ");
+ if (anchor != NULL)
+ sbuf_printf(sb, "anchor=%s, ", anchor);
+ if (table != NULL)
+ sbuf_printf(sb, "table=%s, ", table);
+ sbuf_printf(sb, "nentries=%u", nentries);
+ sbuf_finish(sb);
+}
+
+void
+audit_pf_addtable(char *anchor, char *table, int nadd, int error)
+{
+ struct kaudit_record *ar;
+ struct sbuf sb;
+
+ ar = audit_begin(AUE_PFIL_POLICY_ADDTABLE, curthread);
+ if (ar == NULL)
+ return;
+
+ sbuf_new(&sb, NULL, 0, SBUF_AUTOEXTEND);
+ pf_table_to_text(anchor, table, nadd, &sb);
+ audit_record_arg_text(ar, sbuf_data(&sb));
+ sbuf_delete(&sb);
+ audit_commit(ar, error, 0);
+}
+
+void
+audit_pf_deltable(char *anchor, char *table, int ndel, int error)
+{
+ struct kaudit_record *ar;
+ struct sbuf sb;
+
+ ar = audit_begin(AUE_PFIL_POLICY_DELTABLE, curthread);
+ if (ar == NULL)
+ return;
+
+ sbuf_new(&sb, NULL, 0, SBUF_AUTOEXTEND);
+ pf_table_to_text(anchor, table, ndel, &sb);
+ audit_record_arg_text(ar, sbuf_data(&sb));
+ sbuf_delete(&sb);
+ audit_commit(ar, error, 0);
+}
+
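Review bot: In pf_table_to_text() `nentries` is an `int` but is printed with `%u`; the mismatch is undefined under the C standard and silently misrenders a negative value, so the format should be `sbuf_printf(sb, "nentries=%d", nentries);` (or the parameter and the two prototypes changed to `unsigned`). audit_pf_addtable() and audit_pf_deltable() are identical apart from the AUE_ event, so a file-scope `static void audit_pf_table(int event, char *anchor, char *table, int nentries, int error)` holding the begin/format/commit sequence, with the two exported functions reduced to one-line wrappers, would keep the two paths from drifting. Neither function checks the result of sbuf_new()/sbuf_finish(); if this kernel's sbuf can fail to allocate, `sbuf_data(&sb)` would hand a bad pointer to audit_record_arg_text(), so either confirm the allocation cannot fail here or guard it. A short block comment above pf_table_to_text() describing the produced text form (`pf: anchor=..., table=..., nentries=N`) would help whoever parses the trail. The trailing blank `+` line at the end of the hunk adds whitespace only.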