PERFORCE change 141621 for review
Diego Giagio
diego at FreeBSD.org
Thu May 15 02:16:44 UTC 2008
http://perforce.freebsd.org/chv.cgi?CH=141621
Change 141621 by diego at diego_black on 2008/05/15 02:16:31
- Added audit support for pf enable/disable
- Added preliminary audit support for ipfw rule and table changes
Affected files ...
.. //depot/projects/soc2008/diego-audit/src/sys/bsm/audit_kevents.h#3 edit
.. //depot/projects/soc2008/diego-audit/src/sys/contrib/pf/net/pf_ioctl.c#3 edit
.. //depot/projects/soc2008/diego-audit/src/sys/netinet/ip_fw2.c#3 edit
.. //depot/projects/soc2008/diego-audit/src/sys/security/audit/audit.h#6 edit
.. //depot/projects/soc2008/diego-audit/src/sys/security/audit/audit_pfil.c#2 edit
Differences ...
==== //depot/projects/soc2008/diego-audit/src/sys/bsm/audit_kevents.h#3 (text) ====
@@ -550,6 +550,10 @@
#define AUE_SYMLINKAT 43152 /* FreeBSD. */
#define AUE_PFIL_ENABLE 43153 /* FreeBSD. */
#define AUE_PFIL_DISABLE 43154 /* FreeBSD. */
+#define AUE_PFIL_POLICY_ADDRULE 43155 /* FreeBSD. */
+#define AUE_PFIL_POLICY_DELRULE 43156 /* FreeBSD. */
+#define AUE_PFIL_POLICY_FLUSH 43157 /* FreeBSD. */
+#define AUE_PFIL_POLICY_TABLE 43158 /* FreeBSD. */
/*
* Darwin BSM uses a number of AUE_O_* definitions, which are aliased to the
==== //depot/projects/soc2008/diego-audit/src/sys/contrib/pf/net/pf_ioctl.c#3 (text+ko) ====
@@ -140,6 +140,10 @@
#endif /* __FreeBSD__ */
#ifdef __FreeBSD__
+#include <security/audit/audit.h>
+#endif /* __FreeBSD__ */
+
+#ifdef __FreeBSD__
void init_zone_var(void);
void cleanup_pf_zone(void);
int pfattach(void);
@@ -3871,10 +3875,12 @@
switch(type) {
case MOD_LOAD:
error = pf_load();
+ AUDIT_CALL(audit_pfil_enable_pf(error));
break;
case MOD_UNLOAD:
error = pf_unload();
+ AUDIT_CALL(audit_pfil_disable_pf(error));
break;
default:
error = EINVAL;
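Review bot: `audit_pfil_enable_pf()` is emitted on MOD_LOAD and `audit_pfil_disable_pf()` on MOD_UNLOAD, so the AUE_PFIL_ENABLE/DISABLE records describe the pf module being loaded and unloaded, not the packet filter being switched on or off. If I read the pf control path correctly, pf is started and stopped through the DIOCSTART/DIOCSTOP ioctls elsewhere in pf_ioctl.c, so an administrator enabling an already-loaded pf would leave no "enable" record while a module load at boot would produce one. Either move the two calls to the start/stop ioctl handlers or rename the events to make the module-lifecycle meaning explicit, e.g. with a comment `/* Audited as enable/disable: module load is the only pf state change here. */`. The enclosing switch's final `break`/`}` are outside the hunk.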
==== //depot/projects/soc2008/diego-audit/src/sys/netinet/ip_fw2.c#3 (text+ko) ====
@@ -104,6 +104,7 @@
#include <machine/in_cksum.h> /* XXX for in_cksum */
+#include <security/audit/audit.h>
#include <security/mac/mac_framework.h>
/*
@@ -4209,6 +4210,7 @@
IPFW_WUNLOCK(&layer3_chain);
if (rule != NULL)
reap_rules(rule);
+ AUDIT_CALL(audit_pfil_flush_ipfw(error));
break;
case IP_FW_ADD:
@@ -4223,6 +4225,7 @@
if (!error && sopt->sopt_dir == SOPT_GET)
error = sooptcopyout(sopt, rule, size);
}
+ AUDIT_CALL(audit_pfil_addrule_ipfw(rule, error));
free(rule, M_TEMP);
break;
@@ -4252,6 +4255,7 @@
~(1<<RESVD_SET); /* set RESVD_SET always enabled */
else
error = EINVAL;
+ AUDIT_CALL(audit_pfil_delrule_ipfw(NULL /* XXX */, error));
break;
case IP_FW_ZERO:
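Review bot: `NULL /* XXX */` means the delete record carries no identifier at all, and the request on this path appears to be made by rule number and set rather than by a `struct ip_fw` (the copyin is above the hunk), so the `struct ip_fw *` parameter can never be filled in here; a prototype taking what the request carries, e.g. `void audit_pfil_delrule_ipfw(u_int32_t rulenum, int error);`, would let the record name the deleted rule. The `else` branch above the added line manipulates set enable state (`/* set RESVD_SET always enabled */`) rather than deleting a rule, yet it is reported with the same AUE_PFIL_POLICY_DELRULE event, so set enable/disable and rule deletion are indistinguishable in the trail. Auditing the `EINVAL` exit as well is the right behaviour for a failed attempt. The enclosing case starts outside the hunk.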
@@ -4277,6 +4281,7 @@
break;
error = add_table_entry(&layer3_chain, ent.tbl,
ent.addr, ent.masklen, ent.value);
+ AUDIT_CALL(audit_pfil_table_ipfw(ent.tbl, error));
}
break;
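Review bot: The same event and arguments are emitted for adding a table entry here, for deleting one in the next table hunk and for flushing a whole table in the one after, so the three records are indistinguishable: each carries only AUE_PFIL_POLICY_TABLE, the text "ipfw" and, once the callee records it, the table number. Either three events or an operation argument is needed; `sopt->sopt_name` already identifies the operation at this point and could be passed through, e.g. `AUDIT_CALL(audit_pfil_table_ipfw(sopt->sopt_name, ent.tbl, error));` with the callee recording it. For add and delete, `ent.addr` and `ent.masklen` are also in scope and are what a reader of the trail would want to see. The enclosing case starts outside the hunk.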
@@ -4290,6 +4295,7 @@
break;
error = del_table_entry(&layer3_chain, ent.tbl,
ent.addr, ent.masklen);
+ AUDIT_CALL(audit_pfil_table_ipfw(ent.tbl, error));
}
break;
@@ -4304,6 +4310,7 @@
IPFW_WLOCK(&layer3_chain);
error = flush_table(&layer3_chain, tbl);
IPFW_WUNLOCK(&layer3_chain);
+ AUDIT_CALL(audit_pfil_table_ipfw(tbl, error));
}
break;
==== //depot/projects/soc2008/diego-audit/src/sys/security/audit/audit.h#6 (text) ====
@@ -126,8 +126,16 @@
/*
* Functions for auditing packet filter events.
*/
-void audit_pfil_enable_ipfw(int error);
-void audit_pfil_disable_ipfw(int error);
+void audit_pfil_enable_ipfw(int error);
+void audit_pfil_disable_ipfw(int error);
+void audit_pfil_enable_pf(int error);
+void audit_pfil_disable_pf(int error);
+
+struct ip_fw;
+void audit_pfil_addrule_ipfw(struct ip_fw *rule, int error);
+void audit_pfil_delrule_ipfw(struct ip_fw *rule, int error);
+void audit_pfil_flush_ipfw(int error);
+void audit_pfil_table_ipfw(u_int table, int error);
/*
* The remaining kernel functions are conditionally compiled in as they are
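Review bot: The prototype `void audit_pfil_table_ipfw(u_int table, int error);` does not match the definition in audit_pfil.c in this same change, which takes `u_int32_t table`; the two are the same width on FreeBSD's supported platforms, but declaration and definition should agree, so change one of them to `u_int32_t`. The `-`/`+` pairs for the four existing `audit_pfil_*_ipfw`/`_pf` declarations are identical text and look like a whitespace-only change. The bare `struct ip_fw;` forward declaration deserves a one-line comment, e.g. `/* Opaque here: audit.h is included by callers without the ipfw headers. */`, if that is indeed the reason it is declared rather than included.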
==== //depot/projects/soc2008/diego-audit/src/sys/security/audit/audit_pfil.c#2 (text+ko) ====
@@ -30,6 +30,11 @@
#include <sys/param.h>
#include <sys/proc.h>
+#include <sys/socket.h>
+#include <net/if.h>
+#include <netinet/in.h>
+#include <netinet/ip_fw.h>
+
#include <bsm/audit_kevents.h>
#include <security/audit/audit.h>
@@ -73,3 +78,71 @@
audit_pfil_disable_common("ipfw", error);
}
+void
+audit_pfil_enable_pf(int error)
+{
+ audit_pfil_enable_common("pf", error);
+}
+
+void
+audit_pfil_disable_pf(int error)
+{
+ audit_pfil_disable_common("pf", error);
+}
+
+void
+audit_pfil_addrule_ipfw(struct ip_fw *rule, int error)
+{
+ struct kaudit_record *ar;
+
+ ar = audit_begin(AUE_PFIL_POLICY_ADDRULE, curthread);
+ if (ar == NULL)
+ return;
+
+ audit_record_arg_text(ar, "ipfw");
+ /* XXX tokens */
+ audit_commit(ar, error, 0);
+}
+
+void
+audit_pfil_delrule_ipfw(struct ip_fw *rule, int error)
+{
+ struct kaudit_record *ar;
+
+ ar = audit_begin(AUE_PFIL_POLICY_DELRULE, curthread);
+ if (ar == NULL)
+ return;
+
+ audit_record_arg_text(ar, "ipfw");
+ /* XXX tokens */
+ audit_commit(ar, error, 0);
+}
+
+void
+audit_pfil_flush_ipfw(int error)
+{
+ struct kaudit_record *ar;
+
+ ar = audit_begin(AUE_PFIL_POLICY_FLUSH, curthread);
+ if (ar == NULL)
+ return;
+
+ audit_record_arg_text(ar, "ipfw");
+ /* XXX tokens */
+ audit_commit(ar, error, 0);
+}
+
+void
+audit_pfil_table_ipfw(u_int32_t table, int error)
+{
+ struct kaudit_record *ar;
+
+ ar = audit_begin(AUE_PFIL_POLICY_TABLE, curthread);
+ if (ar == NULL)
+ return;
+
+ audit_record_arg_text(ar, "ipfw");
+ /* XXX tokens */
+ audit_commit(ar, error, 0);
+}
+
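Review bot: The four new functions `audit_pfil_addrule_ipfw`, `audit_pfil_delrule_ipfw`, `audit_pfil_flush_ipfw` and `audit_pfil_table_ipfw` are byte-for-byte copies except for the event id, and none of them reads its `rule` or `table` parameter, so every record they produce is identical apart from the event number and `error`. Until the `/* XXX tokens */` are filled in, the trail records that an ipfw policy change of some kind happened but not which rule or table, which is the part an investigator needs; at minimum the unused parameters should carry a comment saying they are not yet recorded so a reader does not assume they are. The repetition should be folded into one static helper in the style of the existing `audit_pfil_enable_common`/`audit_pfil_disable_common`, with each public function reduced to a one-line wrapper, as sketched below. The `table` parameter type also differs from its prototype in audit.h (`u_int32_t` here, `u_int` there).

```c
/*
 * Common body of the ipfw policy-change records: open a record for
 * `event`, tag it with the filter name and commit it with `error`.
 * Rule and table tokens are still to be added (XXX).
 */
static void
audit_pfil_policy_common(au_event_t event, const char *pfil, int error)
{
	struct kaudit_record *ar;

	ar = audit_begin(event, curthread);
	if (ar == NULL)
		return;

	audit_record_arg_text(ar, pfil);
	/* XXX tokens */
	audit_commit(ar, error, 0);
}

void
audit_pfil_addrule_ipfw(struct ip_fw *rule, int error)
{

	/* XXX rule is not yet recorded. */
	audit_pfil_policy_common(AUE_PFIL_POLICY_ADDRULE, "ipfw", error);
}
/* … delrule, flush and table wrappers follow the same one-line shape … */
```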