PERFORCE change 66934 for review

Mon Dec 13 02:30:58 GMT 2004

http://perforce.freebsd.org/chv.cgi?CH=66934

Change 66934 by wsalamon at rickenbacker on 2004/12/13 02:30:03

	Add auditing to the open() and close() system calls. 

Affected files ...

.. //depot/projects/trustedbsd/audit3/sys/bsm/audit_kernel.h#10 edit
.. //depot/projects/trustedbsd/audit3/sys/kern/kern_descrip.c#3 edit
.. //depot/projects/trustedbsd/audit3/sys/kern/vfs_syscalls.c#6 edit
.. //depot/projects/trustedbsd/audit3/sys/kern/vfs_vnops.c#4 edit
.. //depot/projects/trustedbsd/audit3/sys/security/audit/kern_audit.c#13 edit
.. //depot/projects/trustedbsd/audit3/sys/security/audit/kern_bsm_audit.c#6 edit

Differences ...

==== //depot/projects/trustedbsd/audit3/sys/bsm/audit_kernel.h#10 (text+ko) ====

@@ -357,9 +357,9 @@
 /*
  * A Macro to wrap the audit_sysclose() function.
  */
-#define	AUDIT_SYSCLOSE(args...)	do {					\
+#define	AUDIT_SYSCLOSE(p, fd)	do {					\
 	if (audit_enabled)						\
-		audit_sysclose(args);					\
+		audit_sysclose(p, fd);					\
 	} while (0)
 
 #else /* !AUDIT */
@@ -378,7 +378,7 @@
 #define AUDIT_SYSCALL_EXIT(error, td)	do {				\
 	} while (0)
 
-#define	AUDIT_SYSCLOSE(op, args...)	do {				\
+#define	AUDIT_SYSCLOSE(p, fd)	do {					\
 	} while (0)
 
 #endif /* AUDIT */

==== //depot/projects/trustedbsd/audit3/sys/kern/kern_descrip.c#3 (text+ko) ====

@@ -39,6 +39,9 @@
 
 #include "opt_compat.h"
 
+#include <bsm/audit_kernel.h>
+#include <bsm/audit_kernel.h>
+
 #include <sys/param.h>
 #include <sys/limits.h>
 #include <sys/systm.h>
@@ -965,6 +968,12 @@
 	holdleaders = 0;
 	fdp = td->td_proc->p_fd;
 	mtx_lock(&Giant);
+
+	/* The call to AUDIT_SYSCLOSE must be made with Giant held,
+	 * but without the fd lock.
+	 */
+	AUDIT_SYSCLOSE(td->td_proc, fd);
+
 	FILEDESC_LOCK(fdp);
 	if ((unsigned)fd >= fdp->fd_nfiles ||
 	    (fp = fdp->fd_ofiles[fd]) == NULL) {

==== //depot/projects/trustedbsd/audit3/sys/kern/vfs_syscalls.c#6 (text+ko) ====

@@ -953,6 +953,8 @@
 	struct flock lf;
 	struct nameidata nd;
 
+	AUDIT_ARG(fflags, flags);
+	AUDIT_ARG(mode, mode);
 	if ((flags & O_ACCMODE) == O_ACCMODE)
 		return (EINVAL);
 	flags = FFLAGS(flags);
@@ -962,7 +964,7 @@
 	/* An extra reference on `nfp' has been held for us by falloc(). */
 	fp = nfp;
 	cmode = ((mode &~ fdp->fd_cmask) & ALLPERMS) &~ S_ISTXT;
-	NDINIT(&nd, LOOKUP, FOLLOW, pathseg, path, td);
+	NDINIT(&nd, LOOKUP, FOLLOW | AUDITVNPATH1, pathseg, path, td);
 	td->td_dupfd = -1;		/* XXX check for fdopen */
 	mtx_lock(&Giant);
 	error = vn_open(&nd, &flags, cmode, indx);
@@ -1135,7 +1137,7 @@
 		int mode;
 	} */ *uap;
 {
-
+	/* Auditing is done in kern_open() */
 	return (kern_open(td, uap->path, UIO_USERSPACE,
 	    O_WRONLY | O_CREAT | O_TRUNC, uap->mode));
 }

==== //depot/projects/trustedbsd/audit3/sys/kern/vfs_vnops.c#4 (text+ko) ====

@@ -123,7 +123,7 @@
 	fmode = *flagp;
 	if (fmode & O_CREAT) {
 		ndp->ni_cnd.cn_nameiop = CREATE;
-		ndp->ni_cnd.cn_flags = LOCKPARENT | LOCKLEAF;
+		ndp->ni_cnd.cn_flags = LOCKPARENT | LOCKLEAF | AUDITVNPATH1;
 		if ((fmode & O_EXCL) == 0 && (fmode & O_NOFOLLOW) == 0)
 			ndp->ni_cnd.cn_flags |= FOLLOW;
 		bwillwrite();
@@ -185,10 +185,11 @@
 #ifdef LOOKUP_SHARED
 		ndp->ni_cnd.cn_flags =
 		    ((fmode & O_NOFOLLOW) ? NOFOLLOW : FOLLOW) |
-		    LOCKSHARED | LOCKLEAF;
+		    LOCKSHARED | LOCKLEAF | AUDITVNPATH1;
 #else
 		ndp->ni_cnd.cn_flags =
-		    ((fmode & O_NOFOLLOW) ? NOFOLLOW : FOLLOW) | LOCKLEAF;
+		    ((fmode & O_NOFOLLOW) ? NOFOLLOW : FOLLOW) | 
+		    LOCKLEAF | AUDITVNPATH1;
 #endif
 		if ((error = namei(ndp)) != 0)
 			return (error);

==== //depot/projects/trustedbsd/audit3/sys/security/audit/kern_audit.c#13 (text+ko) ====

@@ -1276,8 +1276,8 @@
 
 	switch(ar->k_ar.ar_event) {
 
-	case AUE_OPEN_RWTC:
-		/* The open syscall always writes a OPEN_RWTC event; limit the
+	case AUE_OPEN:
+		/* The open syscall always writes a AUE_OPEN event; change it
 		 * to the proper type of event based on the flags and the error
 		 * value.
 		 */

==== //depot/projects/trustedbsd/audit3/sys/security/audit/kern_bsm_audit.c#6 (text+ko) ====

@@ -797,18 +797,25 @@
 		kau_write(rec, tok);
 		break;
 	
-	case AUE_OPEN_R:
 	case AUE_OPEN_RC:
 	case AUE_OPEN_RTC:
+	case AUE_OPEN_RWC:
+	case AUE_OPEN_RWTC:
+	case AUE_OPEN_WC:
+	case AUE_OPEN_WTC:
+	/* case AUE_O_CREAT: */		/* AUE_O_CREAT == AUE_OPEN_RWTC */
+		tok = au_to_arg32(3, "mode", ar->ar_arg_mode);
+		kau_write(rec, tok);
+		/* fall through */
+
+	case AUE_OPEN_R:
 	case AUE_OPEN_RT:
 	case AUE_OPEN_RW:
-	case AUE_OPEN_RWC:
-	case AUE_OPEN_RWTC:
 	case AUE_OPEN_RWT:
 	case AUE_OPEN_W:
-	case AUE_OPEN_WC:
-	case AUE_OPEN_WTC:
 	case AUE_OPEN_WT:
+		tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
+		kau_write(rec, tok);
 		UPATH1_TOKENS;		/* Save the user space path */
 		KPATH1_VNODE1_TOKENS;	/* Audit the kernel path as well */
 		break;
To Unsubscribe: send mail to majordomo at trustedbsd.org
with "unsubscribe trustedbsd-cvs" in the body of the message

