PERFORCE change 180786 for review
Efstratios Karatzas
gpf at FreeBSD.org
Sun Jul 11 23:22:34 UTC 2010
http://p4web.freebsd.org/@@180786?ac=10
Change 180786 by gpf at gpf_desktop on 2010/07/11 23:22:14
- audit 'locktype' for the 'lock*' nfsv4 rpcs.
- audit 'lockowner' for 'lock', 'lockt' & 'releaselckown' nfsv4 rpcs.
- audit the 'client name' used by 'setclientid', when RPCSEC_GSS is used.
Along with clientid and socket address info, the users should be able
to figure out the client in each following rpc.
The 'client name' & 'lockowner' are strings; au_to_text() is used
once again. I'm mostly worried about auditing everything we need, so
I'll leave it as a future exercise to make the output of praudit
pretty.
Affected files ...
.. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/fs/nfsserver/nfs_nfsdserv.c#14 edit
.. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit.c#10 edit
.. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit.h#10 edit
.. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit_arg.c#6 edit
.. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit_bsm.c#18 edit
.. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit_private.h#8 edit
Differences ...
==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/fs/nfsserver/nfs_nfsdserv.c#14 (text+ko) ====
@@ -2102,6 +2102,7 @@
AUDIT_ARG_VNODE1(vp);
NFSM_DISSECT(tl, u_int32_t *, 7 * NFSX_UNSIGNED);
i = fxdr_unsigned(int, *tl++);
+ AUDIT_ARG_LOCKTYPE(i);
switch (i) {
case NFSV4LOCKT_READW:
flags |= NFSLCK_BLOCKING;
@@ -2155,6 +2156,8 @@
error = nfsrv_mtostr(nd, stp->ls_owner, stp->ls_ownerlen);
if (error)
goto nfsmout;
+ else
+ AUDIT_ARG_LOCKOWNER(stp->ls_owner, stp->ls_ownerlen);
} else {
NFSM_DISSECT(tl, u_int32_t *, NFSX_STATEID + NFSX_UNSIGNED);
MALLOC(stp, struct nfsstate *, sizeof (struct nfsstate),
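Review bot: The `else` after `goto nfsmout` on the new lines is dead structure, since the goto already leaves the function; the audit call can simply follow the check on its own line as `AUDIT_ARG_LOCKOWNER(stp->ls_owner, stp->ls_ownerlen);`. The same if/goto/else shape is repeated in the hunks at -2328 and -3511 of this file. One assumption to confirm here: audit_arg_lockowner copies with strlcpy, which scans the source up to its NUL byte regardless of the length passed, so this call depends on nfsrv_mtostr on the line above leaving ls_owner NUL-terminated (it appears to, but it is not visible in the hunk). The enclosing RPC handler starts and ends outside the hunk.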
@@ -2175,6 +2178,7 @@
nd->nd_flag |= ND_IMPLIEDCLID;
nd->nd_clientid.qval = clientid.qval;
}
+ AUDIT_ARG_CLIENTID(clientid.qval);
}
MALLOC(lop, struct nfslock *, sizeof (struct nfslock),
M_NFSDLOCK, M_WAITOK);
@@ -2289,6 +2293,7 @@
stp->ls_flags = NFSLCK_TEST;
stp->ls_uid = nd->nd_cred->cr_uid;
i = fxdr_unsigned(int, *tl++);
+ AUDIT_ARG_LOCKTYPE(i);
switch (i) {
case NFSV4LOCKT_READW:
stp->ls_flags |= NFSLCK_BLOCKING;
@@ -2328,6 +2333,8 @@
error = nfsrv_mtostr(nd, stp->ls_owner, stp->ls_ownerlen);
if (error)
goto nfsmout;
+ else
+ AUDIT_ARG_LOCKOWNER(stp->ls_owner, stp->ls_ownerlen);
if (!nd->nd_repstat && vnode_vtype(vp) != VREG) {
if (vnode_vtype(vp) == VDIR)
nd->nd_repstat = NFSERR_ISDIR;
@@ -2395,6 +2402,7 @@
lop->lo_flags = NFSLCK_UNLOCK;
stp->ls_op = nd->nd_rp;
i = fxdr_unsigned(int, *tl++);
+ AUDIT_ARG_LOCKTYPE(i);
switch (i) {
case NFSV4LOCKT_READW:
stp->ls_flags |= NFSLCK_BLOCKING;
@@ -3323,6 +3331,7 @@
clp->lc_namelen = nd->nd_princlen;
clp->lc_name = &clp->lc_id[idlen];
NFSBCOPY(nd->nd_principal, clp->lc_name, clp->lc_namelen);
+ AUDIT_ARG_CLIENTNAME(clp->lc_name, clp->lc_namelen);
} else {
clp->lc_uid = nd->nd_cred->cr_uid;
clp->lc_gid = nd->nd_cred->cr_gid;
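Review bot: The new AUDIT_ARG_CLIENTNAME call hands audit_arg_clientname a buffer that the NFSBCOPY on the previous line fills with exactly lc_namelen bytes and no terminator, while the audit side copies it with strlcpy, which reads the source until it finds a NUL; whether that NUL exists depends on the allocation of clp (zeroed slack or nd_principal's own terminator), neither of which is visible in the hunk. Either confirm that lc_name is always terminated at this point or make the audit copy length-bounded, so the read is limited by lc_namelen rather than by the source contents. A short comment here, e.g. `/* lc_name is not NUL-terminated here; audit side copies by lc_namelen */`, would keep the contract explicit if the bounded-copy route is taken. The enclosing setclientid handler starts and ends outside the hunk.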
@@ -3511,6 +3520,8 @@
error = nfsrv_mtostr(nd, stp->ls_owner, len);
if (error)
goto nfsmout;
+ else
+ AUDIT_ARG_LOCKOWNER(stp->ls_owner, len);
nd->nd_repstat = nfsrv_releaselckown(stp, clientid, p);
FREE((caddr_t)stp, M_NFSDSTATE);
return (0);
==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit.c#10 (text) ====
@@ -81,6 +81,8 @@
MALLOC_DEFINE(M_AUDITPATH, "audit_path", "Audit path storage");
MALLOC_DEFINE(M_AUDITTEXT, "audit_text", "Audit text storage");
MALLOC_DEFINE(M_AUDITGIDSET, "audit_gidset", "Audit GID set storage");
+MALLOC_DEFINE(M_AUDITLOCKOWNER, "audit_lockowner", "Audit lockowner storage");
+MALLOC_DEFINE(M_AUDITCLIENTNAME, "audit_clientname", "Audit client name storage");
SYSCTL_NODE(_security, OID_AUTO, audit, CTLFLAG_RW, 0,
"TrustedBSD audit controls");
@@ -259,6 +261,10 @@
free(ar->k_ar.ar_arg_envv, M_AUDITTEXT);
if (ar->k_ar.ar_arg_groups.gidset != NULL)
free(ar->k_ar.ar_arg_groups.gidset, M_AUDITGIDSET);
+ if (ar->k_ar.ar_arg_lockowner != NULL)
+ free(ar->k_ar.ar_arg_lockowner, M_AUDITLOCKOWNER);
+ if (ar->k_ar.ar_arg_clientname != NULL)
+ free(ar->k_ar.ar_arg_clientname, M_AUDITCLIENTNAME);
}
/*
==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit.h#10 (text) ====
@@ -131,6 +131,9 @@
void audit_arg_protocol(int protocol);
void audit_arg_vtype(int vtype);
void audit_arg_clientid(uint64_t clientid);
+void audit_arg_lockowner(char *lockowner, u_short len);
+void audit_arg_locktype(int locktype);
+void audit_arg_clientname(char *clientname, u_short len);
/*
* Define macros to wrap the audit_arg_* calls by checking the global
@@ -168,6 +171,11 @@
audit_arg_clientid((clientid)); \
} while (0)
+#define AUDIT_ARG_CLIENTNAME(clientname, size) do { \
+ if (AUDITING_TD(curthread)) \
+ audit_arg_clientname((clientname), (size)); \
+} while (0)
+
#define AUDIT_ARG_CMD(cmd) do { \
if (AUDITING_TD(curthread)) \
audit_arg_cmd((cmd)); \
@@ -223,6 +231,16 @@
audit_arg_groupset((gidset), (gidset_size)); \
} while (0)
+#define AUDIT_ARG_LOCKOWNER(lockowner, size) do { \
+ if (AUDITING_TD(curthread)) \
+ audit_arg_lockowner((lockowner), (size)); \
+} while (0)
+
+#define AUDIT_ARG_LOCKTYPE(locktype) do { \
+ if (AUDITING_TD(curthread)) \
+ audit_arg_locktype((locktype)); \
+} while (0)
+
#define AUDIT_ARG_MODE(mode) do { \
if (AUDITING_TD(curthread)) \
audit_arg_mode((mode)); \
@@ -366,6 +384,7 @@
#define AUDIT_ARG_ATFD2(atfd)
#define AUDIT_ARG_AUDITON(udata)
#define AUDIT_ARG_CLIENTID(clientid)
+#define AUDIT_ARG_CLIENTNAME(clientname, size)
#define AUDIT_ARG_CMD(cmd)
#define AUDIT_ARG_DEV(dev)
#define AUDIT_ARG_EGID(egid)
@@ -377,6 +396,8 @@
#define AUDIT_ARG_FFLAGS(fflags)
#define AUDIT_ARG_GID(gid)
#define AUDIT_ARG_GROUPSET(gidset, gidset_size)
+#define AUDIT_ARG_LOCKOWNER(lockowner, size)
+#define AUDIT_ARG_LOCKTYPE(locktype)
#define AUDIT_ARG_MODE(mode)
#define AUDIT_ARG_OWNER(uid, gid)
#define AUDIT_ARG_PID(pid)
==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit_arg.c#6 (text) ====
@@ -949,7 +949,7 @@
}
/*
- * Audit the vnode type of the file created by some NFS RPC
+ * Audit the clientid used by some NFSv4 RPCs
*/
void
audit_arg_clientid(uint64_t clientid)
@@ -963,3 +963,69 @@
ar->k_ar.ar_arg_clientid = clientid;
ARG_SET_VALID(ar, ARG_CLIENTID);
}
+
+void
+audit_arg_lockowner(char *lockowner, u_short len)
+{
+ struct kaudit_record *ar;
+
+ len++;
+
+ KASSERT(lockowner != NULL, ("audit_arg_lockowner: lockowner == NULL"));
+ KASSERT(len != 0, ("audit_arg_lockowner: len == 0"));
+
+ ar = currecord();
+ if (ar == NULL)
+ return;
+
+ /* Invalidate the lockowner string */
+ ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_LOCKOWNER);
+
+ if (ar->k_ar.ar_arg_lockowner == NULL)
+ ar->k_ar.ar_arg_lockowner = malloc(len, M_AUDITLOCKOWNER,
+ M_WAITOK);
+
+ strlcpy(ar->k_ar.ar_arg_lockowner, lockowner, len);
+ ARG_SET_VALID(ar, ARG_LOCKOWNER);
+}
+
+void
+audit_arg_clientname(char *clientname, u_short len)
+{
+ struct kaudit_record *ar;
+
+ len++;
+
+ KASSERT(clientname != NULL, ("audit_arg_clientname: clientname == NULL"));
+ KASSERT(len != 0, ("audit_arg_clientname: len == 0"));
+
+ ar = currecord();
+ if (ar == NULL)
+ return;
+
+ /* Invalidate the clientname string */
+ ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_CLIENTNAME);
+
+ if (ar->k_ar.ar_arg_clientname == NULL)
+ ar->k_ar.ar_arg_clientname = malloc(len, M_AUDITCLIENTNAME,
+ M_WAITOK);
+
+ strlcpy(ar->k_ar.ar_arg_clientname, clientname, len);
+ ARG_SET_VALID(ar, ARG_CLIENTNAME);
+}
+
+/*
+ * Audit the locktype used for the NFSv4 RPCs lock,lockt,locku
+ */
+void
+audit_arg_locktype(int locktype)
+{
+ struct kaudit_record *ar;
+
+ ar = currecord();
+ if (ar == NULL)
+ return;
+
+ ar->k_ar.ar_arg_locktype = locktype;
+ ARG_SET_VALID(ar, ARG_LOCKTYPE);
+}
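Review bot: In audit_arg_lockowner the buffer is allocated only when ar_arg_lockowner is NULL, sized by that first call's len, yet strlcpy on every later call is bounded by the new len rather than by the existing allocation, so a second call on the same record with a longer owner string writes past the heap object; audit_arg_clientname has the identical pattern. Either allocate to a fixed maximum or release and reallocate on each call, i.e. replace the NULL check with `if (ar->k_ar.ar_arg_lockowner != NULL) free(ar->k_ar.ar_arg_lockowner, M_AUDITLOCKOWNER);` followed by `ar->k_ar.ar_arg_lockowner = malloc(len, M_AUDITLOCKOWNER, M_WAITOK);`. The `len++` on a u_short wraps to 0 for a 65535-byte input and the KASSERT that would catch it is compiled out in kernels without INVARIANTS, so compute the terminated size into a wider local (`size_t size = (size_t)len + 1;`) and use it for both malloc and strlcpy. strlcpy also scans the source to its NUL regardless of len, so callers must pass a terminated buffer; if that cannot be guaranteed, copy len bytes with bcopy and terminate explicitly instead. Both string functions also lack the header comment audit_arg_locktype has; something like `/* Audit the lockowner string used by the NFSv4 lock, lockt and releaselckown RPCs. */` would match the file's style.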
==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit_bsm.c#18 (text) ====
@@ -1693,6 +1693,53 @@
}
break;
+ case AUE_NFS_LOCK:
+ case AUE_NFS_LOCKT:
+ if (ARG_IS_VALID(kar, ARG_LOCKOWNER)) {
+ tok = au_to_text(ar->ar_arg_lockowner);
+ kau_write(rec, tok);
+ }
+
+ /* FALLTHROUGH */
+ case AUE_NFS_LOCKU:
+ if (ARG_IS_VALID(kar, ARG_LOCKTYPE)) {
+ tok = au_to_arg32(1, "lock type", ar->ar_arg_locktype);
+ kau_write(rec, tok);
+ }
+ if (ARG_IS_VALID(kar, ARG_CLIENTID)) {
+ tok = au_to_arg64(2, "client id", ar->ar_arg_clientid);
+ kau_write(rec, tok);
+ }
+ UPATH1_VNODE1_TOKENS;
+ if (ARG_IS_VALID(kar, ARG_TEXT)) {
+ tok = au_to_text(ar->ar_arg_text);
+ kau_write(rec, tok);
+ }
+ if (ARG_IS_VALID(kar, ARG_PROTOCOL)) {
+ tok = au_to_text(audit_protocol_to_text(ar->ar_arg_protocol));
+ kau_write(rec, tok);
+ }
+ break;
+
+ case AUE_NFS_RELEASELCKOWN:
+ if (ARG_IS_VALID(kar, ARG_LOCKOWNER)) {
+ tok = au_to_text(ar->ar_arg_lockowner);
+ kau_write(rec, tok);
+ }
+ if (ARG_IS_VALID(kar, ARG_CLIENTID)) {
+ tok = au_to_arg64(2, "client id", ar->ar_arg_clientid);
+ kau_write(rec, tok);
+ }
+ if (ARG_IS_VALID(kar, ARG_TEXT)) {
+ tok = au_to_text(ar->ar_arg_text);
+ kau_write(rec, tok);
+ }
+ if (ARG_IS_VALID(kar, ARG_PROTOCOL)) {
+ tok = au_to_text(audit_protocol_to_text(ar->ar_arg_protocol));
+ kau_write(rec, tok);
+ }
+ break;
+
/* XXXgpf: temporary fallthrough for nfsv4 events */
case AUE_NFS_OPEN_RC:
case AUE_NFS_OPEN_RTC:
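Review bot: au_to_text() on ar_arg_lockowner in the new AUE_NFS_LOCK case records the lock owner as a C string, but as I read the protocol the NFSv4 lock owner is an opaque octet string on the wire, so the trail entry is truncated at the first NUL byte and any other non-printable bytes are written verbatim; the clientname token added in the last hunk of this file has the same property. Since the commit message defers prettier praudit output, a comment at this first use would keep the limitation visible, e.g. `/* lockowner is opaque on the wire; recorded as text, truncated at the first NUL byte */`. The enclosing switch begins and ends outside the hunk.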
@@ -1708,9 +1755,6 @@
/* FALLTHROUGH */
case AUE_NFS_CLOSE:
case AUE_NFS_DELEGRETURN:
- case AUE_NFS_LOCK:
- case AUE_NFS_LOCKT:
- case AUE_NFS_LOCKU:
case AUE_NFS_OPEN:
case AUE_NFS_OPEN_R:
case AUE_NFS_OPEN_RT:
@@ -1748,10 +1792,27 @@
/* XXXgpf: temporary fallthrough for nfsv4 events */
case AUE_NFS_DELEGPURGE:
- case AUE_NFS_RENEW:
+ case AUE_NFS_RENEW:
+ case AUE_NFS_SETCLIENTIDCFRM:
+ if (ARG_IS_VALID(kar, ARG_CLIENTID)) {
+ tok = au_to_arg64(2, "client id", ar->ar_arg_clientid);
+ kau_write(rec, tok);
+ }
+ if (ARG_IS_VALID(kar, ARG_TEXT)) {
+ tok = au_to_text(ar->ar_arg_text);
+ kau_write(rec, tok);
+ }
+ if (ARG_IS_VALID(kar, ARG_PROTOCOL)) {
+ tok = au_to_text(audit_protocol_to_text(ar->ar_arg_protocol));
+ kau_write(rec, tok);
+ }
+ break;
+
case AUE_NFS_SETCLIENTID:
- case AUE_NFS_SETCLIENTIDCFRM:
- case AUE_NFS_RELEASELCKOWN:
+ if (ARG_IS_VALID(kar, ARG_CLIENTNAME)) {
+ tok = au_to_text(ar->ar_arg_clientname);
+ kau_write(rec, tok);
+ }
if (ARG_IS_VALID(kar, ARG_CLIENTID)) {
tok = au_to_arg64(2, "client id", ar->ar_arg_clientid);
kau_write(rec, tok);
==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit_private.h#8 (text) ====
@@ -51,6 +51,8 @@
MALLOC_DECLARE(M_AUDITPATH);
MALLOC_DECLARE(M_AUDITTEXT);
MALLOC_DECLARE(M_AUDITGIDSET);
+MALLOC_DECLARE(M_AUDITLOCKOWNER);
+MALLOC_DECLARE(M_AUDITCLIENTNAME);
#endif
/*
@@ -232,6 +234,9 @@
int ar_arg_protocol;
int ar_arg_vtype;
uint64_t ar_arg_clientid;
+ char *ar_arg_lockowner;
+ int ar_arg_locktype;
+ char *ar_arg_clientname;
};
/*
@@ -294,6 +299,9 @@
#define ARG_VTYPE 0x0010000000000000ULL
#define ARG_PROTOCOL 0x0020000000000000ULL
#define ARG_CLIENTID 0x0040000000000000ULL
+#define ARG_LOCKOWNER 0x0080000000000000ULL
+#define ARG_LOCKTYPE 0x0100000000000000ULL
+#define ARG_CLIENTNAME 0x0200000000000000ULL
#define ARG_NONE 0x0000000000000000ULL
#define ARG_ALL 0xFFFFFFFFFFFFFFFFULL