PERFORCE change 108433 for review

Todd Miller millert at FreeBSD.org
Wed Oct 25 13:59:36 PDT 2006


http://perforce.freebsd.org/chv.cgi?CH=108433

Change 108433 by millert at millert_macbook on 2006/10/25 20:55:51

	Log path buffer in avc audit logs.  Note that the path may
	be relative rather than absolute but is better than nothing.

Affected files ...

.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/avc/avc.c#4 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/avc/avc.h#3 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#27 edit

Differences ...

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/avc/avc.c#4 (text+ko) ====

@@ -705,6 +705,8 @@
 #endif
 		case AVC_AUDIT_DATA_FS:
 			if (a->u.fs.vp && tsk) {
+				char *pbuf = NULL;
+				char *path = a->u.fs.path;
 				struct vnode *vp = a->u.fs.vp;
 				struct vnode_attr va;
 				struct vfs_context vfs_ctx =
@@ -712,10 +714,22 @@
 				VATTR_INIT(&va);
 				VATTR_WANTED(&va, va_fileid);
 				if (vnode_getattr(vp, &va, &vfs_ctx) == 0) {
-					audit_log_format(ab,
-					    " inode=%llu, mountpoint=%s,",
-					    va.va_fileid, 
+					audit_log_format(ab, " inode=%llu, "
+					    "mountpoint=%s,", va.va_fileid, 
 					    vp->v_mount->mnt_vfsstat.f_mntonname);
+					if (path == NULL) {
+						int len = MAXPATHLEN;
+						pbuf = sebsd_malloc(MAXPATHLEN,
+						    M_SEBSD, M_NOWAIT);
+						if (pbuf != NULL &&
+						    !vn_getpath(vp, pbuf, &len))
+							path = pbuf;
+					}
+					if (path != NULL)
+						audit_log_format(ab,
+						    " path=%s,", path);
+					if (pbuf != NULL)
+						sebsd_free(pbuf, M_SEBSD);
 					break;
 				}
 				audit_log_format(ab,

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/avc/avc.h#3 (text+ko) ====

@@ -49,6 +49,7 @@
 	union 	{
 		struct {
 			struct vnode *vp;
+			char *path;
 		} fs;
 		struct {
 			char *netif;

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#27 (text+ko) ====

@@ -440,7 +440,7 @@
 }
 
 static int
-vnode_has_perm(struct ucred *cred, struct vnode *vp, u_int32_t perm)
+vnode_has_perm(struct ucred *cred, struct vnode *vp, char *path, u_int32_t perm)
 {
 	struct task_security_struct *task;
 	struct vnode_security_struct *file;
@@ -451,6 +451,7 @@
 
 	AVC_AUDIT_DATA_INIT(&ad, FS);
 	ad.u.fs.vp = vp;
+	ad.u.fs.path = path;
 
 	/* Update security class if not set or vnode was recycled. */
 	if (file->sclass == 0 || vp->v_type == VBAD)
@@ -1482,7 +1483,7 @@
 	vsec = SLOT(vl);
 	task = SLOT(cred->cr_label);
 
-	rc = vnode_has_perm(cred, vp, FILE__MOUNTON);
+	rc = vnode_has_perm(cred, vp, NULL, FILE__MOUNTON);
 	if (rc)
 		goto done;
 
@@ -1950,7 +1951,7 @@
 	if (mask == 0)
 		return (0);
 
-	return (vnode_has_perm(cred, vp,
+	return (vnode_has_perm(cred, vp, NULL,
 	    file_mask_to_av(vp->v_type, mask)));
 }
 
@@ -1960,7 +1961,7 @@
 {
 
 	/* MAY_EXEC ~= DIR__SEARCH */
-	return (vnode_has_perm(cred, dvp, DIR__SEARCH));
+	return (vnode_has_perm(cred, dvp, NULL, DIR__SEARCH));
 }
 
 static int
@@ -1970,7 +1971,7 @@
 
 	/* TBD: Incomplete, SELinux also check capability(CAP_SYS_CHROOT)) */
 	/* MAY_EXEC ~= DIR__SEARCH */
-	return (vnode_has_perm(cred, dvp, DIR__SEARCH));
+	return (vnode_has_perm(cred, dvp, NULL, DIR__SEARCH));
 }
 
 static int
@@ -1995,6 +1996,7 @@
 
 	AVC_AUDIT_DATA_INIT(&ad, FS);
 	ad.u.fs.vp = dvp;
+	ad.u.fs.path = cnp->cn_pnbuf;
 
 	rc = avc_has_perm(task->sid, dir->sid, SECCLASS_DIR,
 	    DIR__ADD_NAME | DIR__SEARCH, &ad);
@@ -2051,6 +2053,7 @@
 
 	AVC_AUDIT_DATA_INIT(&ad, FS);
 	ad.u.fs.vp = vp;
+	ad.u.fs.path = cnp->cn_pnbuf;
 
 	rc = avc_has_perm(task->sid, dir->sid, SECCLASS_DIR,
 	    DIR__SEARCH | DIR__REMOVE_NAME, &ad);
@@ -2073,7 +2076,7 @@
     struct label *label, acl_type_t type)
 {
 
-	return (vnode_has_perm(cred, vp, FILE__SETATTR));
+	return (vnode_has_perm(cred, vp, NULL, FILE__SETATTR));
 }
 #endif
 
@@ -2083,10 +2086,10 @@
 {
 	int error;
 
-	error = vnode_has_perm(cred, v1, FILE__READ | FILE__WRITE);
+	error = vnode_has_perm(cred, v1, NULL, FILE__READ | FILE__WRITE);
 	if (error)
 		return (error);
-	return (vnode_has_perm(cred, v2, FILE__READ | FILE__WRITE));
+	return (vnode_has_perm(cred, v2, NULL, FILE__READ | FILE__WRITE));
 }
 
 static int
@@ -2151,7 +2154,7 @@
     struct label *label, acl_type_t type)
 {
 
-	return (vnode_has_perm(cred, vp, FILE__GETATTR));
+	return (vnode_has_perm(cred, vp, NULL, FILE__GETATTR));
 }
 #endif
 
@@ -2160,7 +2163,7 @@
     struct label *vlabel, struct attrlist *alist)
 {
 
-	return (vnode_has_perm(cred, vp, FILE__GETATTR));
+	return (vnode_has_perm(cred, vp, NULL, FILE__GETATTR));
 }
 
 static int
@@ -2168,7 +2171,7 @@
     struct label *label, const char *name, struct uio *uio)
 {
 
-	return (vnode_has_perm(cred, vp, FILE__GETATTR));
+	return (vnode_has_perm(cred, vp, NULL, FILE__GETATTR));
 }
 
 #if defined(FILE__POLL) && defined(FILE__GETATTR)
@@ -2180,9 +2183,9 @@
 	switch (kn->kn_filter) {
 	case EVFILT_READ:
 	case EVFILT_WRITE:
-		return (vnode_has_perm(cred, vp, FILE__POLL));
+		return (vnode_has_perm(cred, vp, NULL, FILE__POLL));
 	case EVFILT_VNODE:
-		return (vnode_has_perm(cred, vp, FILE__GETATTR));
+		return (vnode_has_perm(cred, vp, NULL, FILE__GETATTR));
 	default:
 		return (0);
 	}
@@ -2208,6 +2211,7 @@
 
 	AVC_AUDIT_DATA_INIT(&ad, FS);
 	ad.u.fs.vp = vp;
+	ad.u.fs.path = cnp->cn_pnbuf;
 
 	rc = avc_has_perm(task->sid, dir->sid, SECCLASS_DIR,
 	    DIR__SEARCH | DIR__ADD_NAME, &ad);
@@ -2228,7 +2232,7 @@
 		return (ENOTDIR);
 
 	/* TBD: DIR__READ as well? */
-	return (vnode_has_perm(cred, dvp, DIR__SEARCH));
+	return (vnode_has_perm(cred, dvp, cnp->cn_pnbuf, DIR__SEARCH));
 }
 
 static int
@@ -2247,7 +2251,7 @@
 	if (!mask)
 		return (0);
 
-	return (vnode_has_perm(cred, vp,
+	return (vnode_has_perm(cred, vp, NULL,
 	    file_mask_to_av(vp->v_type, mask)));
 }
 
@@ -2256,7 +2260,7 @@
     struct vnode *vp, struct label *label)
 {
 
-	return (vnode_has_perm(cred, vp, FILE__READ));
+	return (vnode_has_perm(cred, vp, NULL, FILE__READ));
 }
 
 static int
@@ -2264,7 +2268,7 @@
     struct label *dlabel)
 {
 
-	return (vnode_has_perm(cred, dvp, DIR__READ));
+	return (vnode_has_perm(cred, dvp, NULL, DIR__READ));
 }
 
 static int
@@ -2272,7 +2276,7 @@
     struct label *label)
 {
 
-	return (vnode_has_perm(cred, vp, FILE__READ));
+	return (vnode_has_perm(cred, vp, NULL, FILE__READ));
 }
 
 static int
@@ -2342,6 +2346,8 @@
 	sebsd_audit_sid("source directory", old_dir->sid);
 
 	AVC_AUDIT_DATA_INIT(&ad, FS);
+	ad.u.fs.vp = vp;
+	ad.u.fs.path = cnp->cn_pnbuf;
 
 	rc = avc_has_perm(task->sid, old_dir->sid, SECCLASS_DIR,
 	    DIR__REMOVE_NAME | DIR__SEARCH, &ad);
@@ -2400,6 +2406,7 @@
 
 	AVC_AUDIT_DATA_INIT(&ad, FS);
 	ad.u.fs.vp = vp;
+	ad.u.fs.path = cnp->cn_pnbuf;
 
 	rc = avc_has_perm(task->sid, new_dir->sid, SECCLASS_DIR, av, NULL);
 	if (rc)
@@ -2439,7 +2446,7 @@
     struct label *label, int which)
 {
 
-	return (vnode_has_perm(cred, vp, FILE__POLL));
+	return (vnode_has_perm(cred, vp, NULL, FILE__POLL));
 }
 #endif
 
@@ -2449,7 +2456,7 @@
     struct label *label, acl_type_t type, struct acl *acl)
 {
 
-	return (vnode_has_perm(cred, vp, FILE__SETATTR));
+	return (vnode_has_perm(cred, vp, NULL, FILE__SETATTR));
 }
 #endif
 
@@ -2459,7 +2466,7 @@
     struct label *vlabel, struct attrlist *alist)
 {
 
-	return (vnode_has_perm(cred, vp, FILE__SETATTR));
+	return (vnode_has_perm(cred, vp, NULL, FILE__SETATTR));
 }
 #endif
 
@@ -2468,7 +2475,7 @@
     struct label *label, const char *name, struct uio *uio)
 {
 
-	return (vnode_has_perm(cred, vp, FILE__SETATTR));
+	return (vnode_has_perm(cred, vp, NULL, FILE__SETATTR));
 }
 
 static int
@@ -2476,7 +2483,7 @@
     struct label *label, u_long flags)
 {
 
-	return (vnode_has_perm(cred, vp, FILE__SETATTR));
+	return (vnode_has_perm(cred, vp, NULL, FILE__SETATTR));
 }
 
 static int
@@ -2484,7 +2491,7 @@
     struct label *label, mode_t mode)
 {
 
-	return (vnode_has_perm(cred, vp, FILE__SETATTR));
+	return (vnode_has_perm(cred, vp, NULL, FILE__SETATTR));
 }
 
 static int
@@ -2492,7 +2499,7 @@
     struct label *label, uid_t uid, gid_t gid)
 {
 
-	return (vnode_has_perm(cred, vp, FILE__SETATTR));
+	return (vnode_has_perm(cred, vp, NULL, FILE__SETATTR));
 }
 
 static int
@@ -2500,7 +2507,7 @@
     struct label *label, struct timespec atime, struct timespec mtime)
 {
 
-	return (vnode_has_perm(cred, vp, FILE__SETATTR));
+	return (vnode_has_perm(cred, vp, NULL, FILE__SETATTR));
 }
 
 static int
@@ -2508,7 +2515,7 @@
     struct vnode *vp, struct label *vnodelabel)
 {
 
-	return (vnode_has_perm(cred, vp, FILE__GETATTR));
+	return (vnode_has_perm(cred, vp, NULL, FILE__GETATTR));
 }
 
 static int
@@ -2831,7 +2838,7 @@
     struct label *vnodelabel)
 {
 
-	return (vnode_has_perm(cred, vp, FILE__SWAPON));
+	return (vnode_has_perm(cred, vp, NULL, FILE__SWAPON));
 }
 
 #if 0
@@ -2840,7 +2847,7 @@
     struct label *vnodelabel)
 {
 
-	return (vnode_has_perm(cred, vp, FILE__SWAPON));
+	return (vnode_has_perm(cred, vp, NULL, FILE__SWAPON));
 }
 #endif
 
@@ -2863,7 +2870,7 @@
     struct vnode *vp, struct label *label)
 {
 
-	return (vnode_has_perm(cred, vp, FILE__WRITE));
+	return (vnode_has_perm(cred, vp, NULL, FILE__WRITE));
 }
 
 static int
@@ -2885,7 +2892,7 @@
 		if (prot & PROT_EXEC)
 			av |= FILE__EXECUTE;
 
-		return (vnode_has_perm(cred, vp, av));
+		return (vnode_has_perm(cred, vp, NULL, av));
 	}
 	return (0);
 }
@@ -2908,7 +2915,7 @@
 		if (prot & PROT_EXEC)
 			av |= FILE__EXECUTE;
 
-		return (vnode_has_perm(cred, vp, av));
+		return (vnode_has_perm(cred, vp, NULL, av));
 	}
 	return (0);
 }
@@ -3026,7 +3033,7 @@
 		return (0);
 
 	return (vnode_has_perm(cred, (struct vnode *)fg->fg_data,
-	    FILE__IOCTL));
+	    NULL, FILE__IOCTL));
 }
 
 /*


More information about the trustedbsd-cvs mailing list