PERFORCE change 84705 for review
Robert Watson
rwatson at FreeBSD.org
Mon Oct 3 10:21:31 GMT 2005
http://perforce.freebsd.org/chv.cgi?CH=84705
Change 84705 by rwatson at rwatson_zoo on 2005/10/03 10:21:31
Move declarations of many audit internal data structures and defines
from sys/security/audit/audit.h, which contains kernel-public
definitions, to audit_private.h. This includes kernel BSM
definitions, the internal structure of the kernel audit record,
memory types, etc.
Annotate that the ARG_* mask values remain exposed to the rest of
the kernel because of the path1/path2 and vnode1/vnode2 mask entries,
which are arguments to audit_arg_*() calls, but largely could be
private.
Affected files ...
.. //depot/projects/trustedbsd/audit3/sys/security/audit/audit.h#2 edit
.. //depot/projects/trustedbsd/audit3/sys/security/audit/audit_private.h#4 edit
.. //depot/projects/trustedbsd/audit3/sys/security/audit/audit_trigger.c#4 edit
Differences ...
==== //depot/projects/trustedbsd/audit3/sys/security/audit/audit.h#2 (text+ko) ====
@@ -42,12 +42,13 @@
extern int audit_enabled;
extern int audit_suspended;
-#define BSM_SUCCESS 0
-#define BSM_FAILURE 1
-#define BSM_NOAUDIT 2
-
/*
* Define the masks for the audited arguments.
+ *
+ * XXXRW: These need to remain in audit.h for now because our vnode and name
+ * lookup audit calls rely on passing in flags to indicate which name or
+ * vnode is being logged. These should move to audit_private.h when that is
+ * fixed.
*/
#define ARG_EUID 0x0000000000000001ULL
#define ARG_RUID 0x0000000000000002ULL
@@ -99,177 +100,19 @@
#define ARG_NONE 0x0000000000000000ULL
#define ARG_ALL 0xFFFFFFFFFFFFFFFFULL
-#ifdef MALLOC_DECLARE
-MALLOC_DECLARE(M_AUDIT);
-#endif
-
-/* Defines for the kernel audit record k_ar_commit field */
-#define AR_COMMIT_KERNEL 0x00000001U
-#define AR_COMMIT_USER 0x00000010U
-
-struct vnode_au_info {
- mode_t vn_mode;
- uid_t vn_uid;
- gid_t vn_gid;
- dev_t vn_dev;
- long vn_fsid;
- long vn_fileid;
- long vn_gen;
-};
-
-struct groupset {
- gid_t gidset[NGROUPS];
- u_int gidset_size;
-};
-
-struct socket_au_info {
- int so_domain;
- int so_type;
- int so_protocol;
- in_addr_t so_raddr; /* remote address if INET socket */
- in_addr_t so_laddr; /* local address if INET socket */
- u_short so_rport; /* remote port */
- u_short so_lport; /* local port */
-};
-
-union auditon_udata {
- char *au_path;
- long au_cond;
- long au_flags;
- long au_policy;
- int au_trigger;
- au_evclass_map_t au_evclass;
- au_mask_t au_mask;
- auditinfo_t au_auinfo;
- auditpinfo_t au_aupinfo;
- auditpinfo_addr_t au_aupinfo_addr;
- au_qctrl_t au_qctrl;
- au_stat_t au_stat;
- au_fstat_t au_fstat;
-};
-
-struct posix_ipc_perm {
- uid_t pipc_uid;
- gid_t pipc_gid;
- mode_t pipc_mode;
-};
-
-struct audit_record {
- /* Audit record header. */
- u_int32_t ar_magic;
- int ar_event;
- int ar_retval; /* value returned to the process */
- int ar_errno; /* return status of system call */
- struct timespec ar_starttime;
- struct timespec ar_endtime;
- u_int64_t ar_valid_arg; /* Bitmask of valid arguments */
-
- /* Audit subject information. */
- struct xucred ar_subj_cred;
- uid_t ar_subj_ruid;
- gid_t ar_subj_rgid;
- gid_t ar_subj_egid;
- uid_t ar_subj_auid; /* Audit user ID */
- pid_t ar_subj_asid; /* Audit session ID */
- pid_t ar_subj_pid;
- struct au_tid ar_subj_term;
- char ar_subj_comm[MAXCOMLEN + 1];
- struct au_mask ar_subj_amask;
-
- /* Operation arguments. */
- uid_t ar_arg_euid;
- uid_t ar_arg_ruid;
- uid_t ar_arg_suid;
- gid_t ar_arg_egid;
- gid_t ar_arg_rgid;
- gid_t ar_arg_sgid;
- pid_t ar_arg_pid;
- pid_t ar_arg_asid;
- struct au_tid ar_arg_termid;
- uid_t ar_arg_uid;
- uid_t ar_arg_auid;
- gid_t ar_arg_gid;
- struct groupset ar_arg_groups;
- int ar_arg_fd;
- int ar_arg_fflags;
- mode_t ar_arg_mode;
- int ar_arg_dev;
- long ar_arg_value;
- void * ar_arg_addr;
- int ar_arg_len;
- int ar_arg_mask;
- u_int ar_arg_signum;
- char ar_arg_login[MAXLOGNAME];
- int ar_arg_ctlname[CTL_MAXNAME];
- struct sockaddr ar_arg_sockaddr;
- struct socket_au_info ar_arg_sockinfo;
- char *ar_arg_upath1;
- char *ar_arg_upath2;
- char *ar_arg_kpath1;
- char *ar_arg_kpath2;
- char *ar_arg_text;
- struct au_mask ar_arg_amask;
- struct vnode_au_info ar_arg_vnode1;
- struct vnode_au_info ar_arg_vnode2;
- int ar_arg_cmd;
- int ar_arg_svipc_cmd;
- struct ipc_perm ar_arg_svipc_perm;
- int ar_arg_svipc_id;
- void * ar_arg_svipc_addr;
- struct posix_ipc_perm ar_arg_pipc_perm;
- union auditon_udata ar_arg_auditon;
- int ar_arg_exitstatus;
- int ar_arg_exitretval;
-};
-
-/*
- * In-kernel version of audit record; the basic record plus queue meta-data.
- * This record can also have a pointer set to some opaque data that will
- * be passed through to the audit writing mechanism.
- */
-struct kaudit_record {
- struct audit_record k_ar;
- u_int32_t k_ar_commit;
- void *k_udata; /* user data */
- u_int k_ulen; /* user data length */
- struct uthread *k_uthread; /* thread we are auditing */
- TAILQ_ENTRY(kaudit_record) k_q;
-};
-
-struct proc;
-struct vnode;
-struct componentname;
-
-void audit_abort(struct kaudit_record *ar);
-void audit_commit(struct kaudit_record *ar, int error,
- int retval);
-
-struct kaudit_record *audit_new(int event, struct thread *td);
-
void audit_syscall_enter(unsigned short code,
struct thread *td);
void audit_syscall_exit(int error, struct thread *td);
-int kaudit_to_bsm(struct kaudit_record *kar,
- struct au_record **pau);
-
-int bsm_rec_verify(void *rec);
-
/*
- * Kernel versions of the BSM audit record functions.
- */
-struct au_record *kau_open(void);
-int kau_write(struct au_record *rec, token_t *m);
-void kau_close(struct au_record *rec,
- struct timespec *endtime, short event);
-void kau_free(struct au_record *rec);
-void kau_init(void);
-/*
* The remaining kernel functions are conditionally compiled in as they
* are wrapped by a macro, and the macro should be the only place in
* the source tree where these functions are referenced.
*/
#ifdef AUDIT
+struct ipc_perm;
+struct sockaddr;
+union auditon_udata;
void audit_arg_addr(void * addr);
void audit_arg_exit(int status, int retval);
void audit_arg_len(int len);
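Review bot: The forward declarations `struct proc;`, `struct vnode;` and `struct componentname;` are deleted in this hunk and not re-added anywhere in the change, while the new block under `#ifdef AUDIT` declares only `struct ipc_perm`, `struct sockaddr` and `union auditon_udata`. The audit_arg_*() prototype list continues past the end of this hunk, so I cannot see whether any of those prototypes still takes a `struct vnode *` or `struct proc *`. If one does, a file that includes audit.h before the defining header gets a struct scoped to the parameter list and an incompatible-pointer diagnostic at the call site. In that case keep `struct proc;` and `struct vnode;` next to the three new declarations. The `struct thread *` parameters of `audit_syscall_enter()` and `audit_syscall_exit()`, which sit above the `#ifdef`, have the same exposure and would benefit from a `struct thread;` declaration.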
==== //depot/projects/trustedbsd/audit3/sys/security/audit/audit_private.h#4 (text+ko) ====
@@ -24,9 +24,177 @@
#ifndef _BSM_AUDIT_PRIVATE_H
#define _BSM_AUDIT_PRIVATE_H
+#include <sys/ipc.h>
+#include <sys/socket.h>
+#include <sys/ucred.h>
+
+#define BSM_SUCCESS 0
+#define BSM_FAILURE 1
+#define BSM_NOAUDIT 2
+
+#ifdef MALLOC_DECLARE
+MALLOC_DECLARE(M_AUDIT);
+#endif
+
+/* Defines for the kernel audit record k_ar_commit field */
+#define AR_COMMIT_KERNEL 0x00000001U
+#define AR_COMMIT_USER 0x00000010U
+
+struct vnode_au_info {
+ mode_t vn_mode;
+ uid_t vn_uid;
+ gid_t vn_gid;
+ dev_t vn_dev;
+ long vn_fsid;
+ long vn_fileid;
+ long vn_gen;
+};
+
+struct groupset {
+ gid_t gidset[NGROUPS];
+ u_int gidset_size;
+};
+
+struct socket_au_info {
+ int so_domain;
+ int so_type;
+ int so_protocol;
+ in_addr_t so_raddr; /* remote address if INET socket */
+ in_addr_t so_laddr; /* local address if INET socket */
+ u_short so_rport; /* remote port */
+ u_short so_lport; /* local port */
+};
+
+union auditon_udata {
+ char *au_path;
+ long au_cond;
+ long au_flags;
+ long au_policy;
+ int au_trigger;
+ au_evclass_map_t au_evclass;
+ au_mask_t au_mask;
+ auditinfo_t au_auinfo;
+ auditpinfo_t au_aupinfo;
+ auditpinfo_addr_t au_aupinfo_addr;
+ au_qctrl_t au_qctrl;
+ au_stat_t au_stat;
+ au_fstat_t au_fstat;
+};
+
+struct posix_ipc_perm {
+ uid_t pipc_uid;
+ gid_t pipc_gid;
+ mode_t pipc_mode;
+};
+
+struct audit_record {
+ /* Audit record header. */
+ u_int32_t ar_magic;
+ int ar_event;
+ int ar_retval; /* value returned to the process */
+ int ar_errno; /* return status of system call */
+ struct timespec ar_starttime;
+ struct timespec ar_endtime;
+ u_int64_t ar_valid_arg; /* Bitmask of valid arguments */
+
+ /* Audit subject information. */
+ struct xucred ar_subj_cred;
+ uid_t ar_subj_ruid;
+ gid_t ar_subj_rgid;
+ gid_t ar_subj_egid;
+ uid_t ar_subj_auid; /* Audit user ID */
+ pid_t ar_subj_asid; /* Audit session ID */
+ pid_t ar_subj_pid;
+ struct au_tid ar_subj_term;
+ char ar_subj_comm[MAXCOMLEN + 1];
+ struct au_mask ar_subj_amask;
+
+ /* Operation arguments. */
+ uid_t ar_arg_euid;
+ uid_t ar_arg_ruid;
+ uid_t ar_arg_suid;
+ gid_t ar_arg_egid;
+ gid_t ar_arg_rgid;
+ gid_t ar_arg_sgid;
+ pid_t ar_arg_pid;
+ pid_t ar_arg_asid;
+ struct au_tid ar_arg_termid;
+ uid_t ar_arg_uid;
+ uid_t ar_arg_auid;
+ gid_t ar_arg_gid;
+ struct groupset ar_arg_groups;
+ int ar_arg_fd;
+ int ar_arg_fflags;
+ mode_t ar_arg_mode;
+ int ar_arg_dev;
+ long ar_arg_value;
+ void * ar_arg_addr;
+ int ar_arg_len;
+ int ar_arg_mask;
+ u_int ar_arg_signum;
+ char ar_arg_login[MAXLOGNAME];
+ int ar_arg_ctlname[CTL_MAXNAME];
+ struct sockaddr ar_arg_sockaddr;
+ struct socket_au_info ar_arg_sockinfo;
+ char *ar_arg_upath1;
+ char *ar_arg_upath2;
+ char *ar_arg_kpath1;
+ char *ar_arg_kpath2;
+ char *ar_arg_text;
+ struct au_mask ar_arg_amask;
+ struct vnode_au_info ar_arg_vnode1;
+ struct vnode_au_info ar_arg_vnode2;
+ int ar_arg_cmd;
+ int ar_arg_svipc_cmd;
+ struct ipc_perm ar_arg_svipc_perm;
+ int ar_arg_svipc_id;
+ void * ar_arg_svipc_addr;
+ struct posix_ipc_perm ar_arg_pipc_perm;
+ union auditon_udata ar_arg_auditon;
+ int ar_arg_exitstatus;
+ int ar_arg_exitretval;
+};
+
+/*
+ * In-kernel version of audit record; the basic record plus queue meta-data.
+ * This record can also have a pointer set to some opaque data that will
+ * be passed through to the audit writing mechanism.
+ */
+struct kaudit_record {
+ struct audit_record k_ar;
+ u_int32_t k_ar_commit;
+ void *k_udata; /* user data */
+ u_int k_ulen; /* user data length */
+ struct uthread *k_uthread; /* thread we are auditing */
+ TAILQ_ENTRY(kaudit_record) k_q;
+};
+
+void audit_abort(struct kaudit_record *ar);
+void audit_commit(struct kaudit_record *ar, int error,
+ int retval);
+
+struct kaudit_record *audit_new(int event, struct thread *td);
+
+int kaudit_to_bsm(struct kaudit_record *kar,
+ struct au_record **pau);
+
+int bsm_rec_verify(void *rec);
+
+/*
+ * Kernel versions of the BSM audit record functions.
+ */
+struct au_record *kau_open(void);
+int kau_write(struct au_record *rec, token_t *m);
+void kau_close(struct au_record *rec,
+ struct timespec *endtime, short event);
+void kau_free(struct au_record *rec);
+void kau_init(void);
+
+
#define AU_PRS_SUCCESS 1
#define AU_PRS_FAILURE 2
#define AU_PRS_BOTH (AU_PRS_SUCCESS|AU_PRS_FAILURE)
+
/*
* Flags to use on audit files when opening and closing.
*/
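Review bot: audit_private.h is not self-contained after this move, because the added includes cover only `<sys/ipc.h>`, `<sys/socket.h>` and `<sys/ucred.h>`, while the moved definitions also use `TAILQ_ENTRY`, `struct timespec`, `NGROUPS`, `MAXCOMLEN`, `MAXLOGNAME`, `CTL_MAXNAME`, `in_addr_t`, `token_t` and the `au_*` BSM types. Every includer has to pull in the right headers first, which is presumably why the audit_trigger.c hunk adds `<security/audit/audit.h>` ahead of this header. I would add the missing includes here, for example `#include <sys/queue.h>` and `#include <sys/sysctl.h>`, or at least a comment at the top listing the prerequisite headers and their order. Since this file now carries the layout of the in-kernel audit record, a short header comment stating that it is private to the audit implementation would also help keep other subsystems from growing dependencies on `struct kaudit_record`.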
==== //depot/projects/trustedbsd/audit3/sys/security/audit/audit_trigger.c#4 (text+ko) ====
@@ -35,6 +35,7 @@
#include <sys/systm.h>
#include <sys/uio.h>
+#include <security/audit/audit.h>
#include <security/audit/audit_private.h>
/*