PERFORCE change 105793 for review
Todd Miller
millert at FreeBSD.org
Thu Sep 7 14:59:23 UTC 2006
http://perforce.freebsd.org/chv.cgi?CH=105793
Change 105793 by millert at millert_g5tower on 2006/09/07 14:57:46
Audit updates
Affected files ...
.. //depot/projects/trustedbsd/sedarwin8/darwin/bsm/bsm/etc/audit_event#2 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/bsm/audit_kernel.h#3 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/bsm/audit_kevents.h#2 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_audit.c#4 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_bsm_audit.c#3 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_bsm_klib.c#2 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_prot.c#5 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_base.c#8 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_process.c#4 edit
Differences ...
==== //depot/projects/trustedbsd/sedarwin8/darwin/bsm/bsm/etc/audit_event#2 (text+ko) ====
@@ -283,6 +283,36 @@
359:AUE_PIDFORTASK:pid_for_task():pc
360:AUE_SYSCTL_NONADMIN:sysctl() - non-admin:ot
361:AUE_COPYFILE:copyfile():fr,fw
+400:AUE_MAC_GET_PROC:mac_get_proc(2):pc
+401:AUE_MAC_SET_PROC:mac_set_proc(2):pc
+402:AUE_MAC_GET_PID:mac_get_pid(2):pc
+403:AUE_MAC_SET_FILE:mac_set_file(2):fm
+404:AUE_MAC_GET_FILE:mac_get_file(2):fa
+405:AUE_MAC_SET_LINK:mac_set_link(2):fm
+406:AUE_MAC_GET_LINK:mac_get_link(2):fa
+407:AUE_MAC_SET_FD:mac_set_fd(2):fm
+408:AUE_MAC_GET_FD:mac_get_fd(2):fa
+409:AUE_MAC_EXECVE:mac_execve(2):pc,ex
+410:AUE_MAC_SYSCALL:mac_syscall(2):ad
+411:AUE_MAC_GET_LCID:mac_get_lcid(2):pc
+412:AUE_MAC_GET_LCTX:mac_get_lctx(2):pc
+413:AUE_MAC_SET_LCTX:mac_set_lctx(2):pc
+414:AUE_SETLCID:setlcid(2):pc
+415:AUE_GETLCID:getlcid(2):pc
+416:AUE_MAC_MOUNT:mac_mount(2):ad
+417:AUE_MAC_GET_MOUNT:mac_get_mount(2):fa
+451:AUE_EXTATTR_SET_FILE:extattr_set_file(2):fm
+452:AUE_EXTATTR_GET_FILE:extattr_get_file(2):fa
+453:AUE_EXTATTR_DELETE_FILE:extattr_delete_file(2):fm
+454:AUE_EXTATTR_LIST_FILE:extattr_list_file(2):fa
+455:AUE_EXTATTR_SET_LINK:extattr_set_link(2):fm
+456:AUE_EXTATTR_GET_LINK:extattr_get_link(2):fa
+457:AUE_EXTATTR_DELETE_LINK:extattr_delete_link(2):fm
+458:AUE_EXTATTR_LIST_LINK:extattr_list_link(2):fa
+459:AUE_EXTATTR_SET_FD:extattr_set_fd(2):fm
+460:AUE_EXTATTR_GET_FD:extattr_get_fd(2):fa
+461:AUE_EXTATTR_DELETE_FD:extattr_delete_fd(2):fm
+462:AUE_EXTATTR_LIST_FD:extattr_list_fd(2):fa
6152:AUE_login:login - local:lo
6153:AUE_logout:logout - local:lo
6159:AUE_su:su(1):lo
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/bsm/audit_kernel.h#3 (text+ko) ====
@@ -106,6 +106,7 @@
#define ARG_PROCESS 0x0000080000000000ULL
#define ARG_MACHPORT1 0x0000100000000000ULL
#define ARG_MACHPORT2 0x0000200000000000ULL
+#define ARG_MAC_STRING 0x0000400000000000ULL
#define ARG_NONE 0x0000000000000000ULL
#define ARG_ALL 0xFFFFFFFFFFFFFFFFULL
@@ -231,6 +232,7 @@
char *ar_vnode1_mac_labels;
char *ar_vnode2_mac_labels;
char *ar_cred_mac_labels;
+ char *ar_arg_mac_string;
#endif
char *ar_arg_text;
struct au_mask ar_arg_amask;
@@ -383,6 +385,7 @@
* It currently creates only text and data audit tokens.
*/
int audit_mac_data(int type, int len, u_char *data);
+void audit_arg_mac_string(const char *string);
#endif
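Review bot: The new prototype `audit_arg_mac_string(const char *string)` carries no length contract, yet the implementation added elsewhere in this change copies `string` into a fixed allocation of MAC_MAX_LABEL_BUF_LEN bytes past the "arg: " prefix, and the block comment above still describes only audit_mac_data. Add a line such as `/* Record a NUL-terminated MAC label/element string (shorter than MAC_MAX_LABEL_BUF_LEN) as a text token on the current record; no-op if there is no record. */` so callers know the bound they must respect.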
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/bsm/audit_kevents.h#2 (text+ko) ====
@@ -335,6 +335,7 @@
#define AUE_SYSCTL_NONADMIN 360
// BSM events for security system calls
+#define AUE_MAC_GET_PROC 400
#define AUE_MAC_SET_PROC 401
#define AUE_MAC_GET_PID 402
#define AUE_MAC_SET_FILE 403
@@ -351,6 +352,7 @@
#define AUE_SETLCID 414
#define AUE_GETLCID 415
#define AUE_MAC_MOUNT 416
+#define AUE_MAC_GET_MOUNT 417
// BSM events for extended attributes
#define AUE_EXTATTR_SET_FILE 451
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_audit.c#4 (text+ko) ====
@@ -71,6 +71,8 @@
#include <security/mac.h>
#include <security/mac_framework.h>
#include <security/mac_policy.h>
+#define MAC_ARG_PREFIX "arg: "
+#define MAC_ARG_PREFIX_LEN 5
#endif
#include <net/route.h>
@@ -258,6 +260,10 @@
if (ar->k_ar.ar_cred_mac_labels != NULL) {
kfree(ar->k_ar.ar_cred_mac_labels, MAC_AUDIT_LABEL_LEN);
}
+ if (ar->k_ar.ar_arg_mac_string != NULL) {
+ kfree(ar->k_ar.ar_arg_mac_string,
+ MAC_MAX_LABEL_BUF_LEN + MAC_ARG_PREFIX_LEN);
+ }
/* Free the audit data from the MAC policies. */
do {
@@ -1344,7 +1350,7 @@
struct nameidata nd;
kauth_cred_t cred;
struct vnode *vp;
- int error, flags;
+ int error;
struct vfs_context context;
context.vc_proc = p;
@@ -1362,15 +1368,20 @@
* validity checks, and grab another reference to the current
* credential.
*/
- if (uap->path != 0) {
+ if (uap->path != USER_ADDR_NULL) {
NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF | AUDITVNPATH1,
- (IS_64BIT_PROCESS(p) ? UIO_USERSPACE64 : UIO_USERSPACE32),
- uap->path, &context);
- flags = audit_open_flags;
- error = vn_open(&nd, flags, 0);
+ UIO_USERSPACE, uap->path, &context);
+ error = vn_open(&nd, audit_open_flags, 0);
if (error)
goto out;
vp = nd.ni_vp;
+
+ if (vp->v_type != VREG) {
+ vn_close(vp, audit_close_flags, kauth_cred_get(), p);
+ vnode_put(vp);
+ error = EINVAL;
+ goto out;
+ }
#ifdef MAC
/*
* Accessibility of the vnode was determined in
@@ -1383,19 +1394,13 @@
* sensitivity.
*/
- error = mac_system_check_auditctl(kauth_cred_get(), nd.ni_vp);
+ error = mac_system_check_auditctl(kauth_cred_get(), vp);
if (error) {
- vn_close(nd.ni_vp, audit_close_flags, kauth_cred_get(), p);
+ vn_close(vp, audit_close_flags, kauth_cred_get(), p);
vnode_put(vp);
goto out;
}
#endif
- if (vp->v_type != VREG) {
- vn_close(vp, audit_close_flags, kauth_cred_get(), p);
- vnode_put(vp);
- error = EINVAL;
- goto out;
- }
cred = kauth_cred_get_with_ref();
audit_suspended = 0;
}
@@ -2618,6 +2623,27 @@
kfree(data, len);
return (ret);
}
+
+void
+audit_arg_mac_string(const char *string)
+{
+ struct kaudit_record *ar;
+
+ ar = currecord();
+ if (ar == NULL)
+ return;
+
+ if (ar->k_ar.ar_arg_mac_string == NULL) {
+ ar->k_ar.ar_arg_mac_string =
+ (char *)kalloc(MAC_MAX_LABEL_BUF_LEN + MAC_ARG_PREFIX_LEN);
+ if (ar->k_ar.ar_arg_mac_string == NULL)
+ return;
+ }
+ strncpy(ar->k_ar.ar_arg_mac_string, MAC_ARG_PREFIX, MAC_ARG_PREFIX_LEN);
+ strcpy(ar->k_ar.ar_arg_mac_string + MAC_ARG_PREFIX_LEN, string);
+ ar->k_ar.ar_valid_arg |= ARG_MAC_STRING;
+
+}
#endif /* MAC */
/*
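Review bot: `strcpy(ar->k_ar.ar_arg_mac_string + MAC_ARG_PREFIX_LEN, string)` is unbounded while the destination is a fixed `MAC_MAX_LABEL_BUF_LEN + MAC_ARG_PREFIX_LEN` kalloc, so the record's integrity depends on every caller having already capped its string below MAC_MAX_LABEL_BUF_LEN; the mac_base.c callers pass `elements`/`buffer`, which are sized from the user-supplied mac.m_buflen, and whether that is capped is outside these hunks. Bound the copy in the audit path itself, `strlcpy(ar->k_ar.ar_arg_mac_string + MAC_ARG_PREFIX_LEN, string, MAC_MAX_LABEL_BUF_LEN);`, so a future caller cannot turn an audit hook into a heap overflow. The hand-counted `MAC_ARG_PREFIX_LEN 5` would be safer as `(sizeof(MAC_ARG_PREFIX) - 1)`, and the blank line before the closing brace can go.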
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_bsm_audit.c#3 (text+ko) ====
@@ -341,6 +341,14 @@
} \
} while (0) \
+#define PROCESS_MAC_TOKENS \
+ do { \
+ if (ar->ar_valid_arg & ARG_MAC_STRING) { \
+ tok = au_to_text(ar->ar_arg_mac_string); \
+ kau_write(rec, tok); \
+ } \
+ } while (0) \
+
/*
* Implement auditing for the auditon() system call. The audit tokens
* that are generated depend on the command that was sent into the
@@ -619,7 +627,6 @@
case AUE_GETATTRLIST:
case AUE_GETFH:
case AUE_LSTAT:
- case AUE_MAC_EXECVE:
case AUE_MKFIFO:
case AUE_PATHCONF:
case AUE_READLINK:
@@ -694,12 +701,8 @@
case AUE_EXTATTR_LIST_FD:
case AUE_EXTATTR_SET_FD:
case AUE_EXTATTR_DELETE_FD:
-#ifdef MAC
- case AUE_MAC_GET_FD:
- case AUE_MAC_SET_FD:
FD_KPATH1_VNODE1_TOKENS;
break;
-#endif
case AUE_FCHOWN:
tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid);
@@ -735,6 +738,18 @@
kau_write(rec, tok);
break;
+ case AUE_GETLCID:
+ tok = au_to_arg32(1, "pid", (u_int32_t)ar->ar_arg_pid);
+ kau_write(rec, tok);
+ break;
+
+ case AUE_SETLCID:
+ tok = au_to_arg32(1, "pid", (u_int32_t)ar->ar_arg_pid);
+ kau_write(rec, tok);
+ tok = au_to_arg32(2, "lcid", (u_int32_t)ar->ar_arg_value);
+ kau_write(rec, tok);
+ break;
+
case AUE_IOCTL:
tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd);
kau_write(rec, tok);
@@ -816,8 +831,11 @@
}
break;
+#ifdef MAC
case AUE_MAC_MOUNT:
- /* XXX Audit the label string? */
+ PROCESS_MAC_TOKENS;
+ /* fall through */
+#endif
case AUE_MOUNT:
/* XXX Need to handle NFS mounts */
tok = au_to_arg32(3, "flags", ar->ar_arg_fflags);
@@ -1168,12 +1186,6 @@
FD_KPATH1_VNODE1_TOKENS;
break;
-#ifdef MAC
- case AUE_MAC_GET_FILE:
- case AUE_MAC_SET_FILE:
- case AUE_MAC_GET_LINK:
- case AUE_MAC_SET_LINK:
-#endif
case AUE_EXTATTR_GET_FILE:
case AUE_EXTATTR_SET_FILE:
case AUE_EXTATTR_LIST_FILE:
@@ -1186,8 +1198,49 @@
break;
#ifdef MAC
+ case AUE_MAC_GET_FILE:
+ case AUE_MAC_SET_FILE:
+ case AUE_MAC_GET_LINK:
+ case AUE_MAC_SET_LINK:
+ case AUE_MAC_GET_MOUNT:
+ UPATH1_KPATH1_VNODE1_TOKENS;
+ PROCESS_MAC_TOKENS;
+ break;
+
+ case AUE_MAC_GET_FD:
+ case AUE_MAC_SET_FD:
+ FD_KPATH1_VNODE1_TOKENS;
+ PROCESS_MAC_TOKENS;
+ break;
+
+ case AUE_MAC_SYSCALL:
+ PROCESS_MAC_TOKENS;
+ tok = au_to_arg32(3, "call", ar->ar_arg_value);
+ kau_write(rec, tok);
+ break;
+
+ case AUE_MAC_EXECVE:
+ UPATH1_KPATH1_VNODE1_TOKENS;
+ PROCESS_MAC_TOKENS;
+ break;
+
+ case AUE_MAC_GET_PID:
+ tok = au_to_arg32(1, "pid", (u_int32_t)ar->ar_arg_pid);
+ kau_write(rec, tok);
+ PROCESS_MAC_TOKENS;
+ break;
+
+ case AUE_MAC_GET_LCID:
+ tok = au_to_arg32(1, "lcid", (u_int32_t)ar->ar_arg_value);
+ kau_write(rec, tok);
+ PROCESS_MAC_TOKENS;
+ break;
+
+ case AUE_MAC_GET_PROC:
case AUE_MAC_SET_PROC:
- case AUE_MAC_SYSCALL:
+ case AUE_MAC_GET_LCTX:
+ case AUE_MAC_SET_LCTX:
+ PROCESS_MAC_TOKENS;
break;
#endif
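Review bot: In the `AUE_MAC_SYSCALL` case the token is written as `au_to_arg32(3, "call", ar->ar_arg_value)`, but `ar_arg_value` is filled from `uap->call` in the mac_base.c hunk, and if __mac_syscall takes (policy, call, arg) in the usual order the call number is the second argument, so the index should be `tok = au_to_arg32(2, "call", ar->ar_arg_value);`. The syscall's declared argument order is not visible in this diff, so confirm against the syscall table before changing it. A one-line comment above `PROCESS_MAC_TOKENS` noting that the text token holds the policy name for mac_syscall, the requested element list for the get calls, and the new label for the set calls would also help readers of the resulting records.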
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_bsm_klib.c#2 (text+ko) ====
@@ -448,7 +448,7 @@
AUE_MAC_SET_FILE, /* 383 = __mac_set_file */
AUE_MAC_GET_LINK, /* 384 = __mac_get_link */
AUE_MAC_SET_LINK, /* 385 = __mac_set_link */
- AUE_NULL, /* 386 = __mac_get_proc */
+ AUE_MAC_GET_PROC, /* 386 = __mac_get_proc */
AUE_MAC_SET_PROC, /* 387 = __mac_set_proc */
AUE_MAC_GET_FD, /* 388 = __mac_get_fd */
AUE_MAC_SET_FD, /* 389 = __mac_set_fd */
@@ -459,6 +459,7 @@
AUE_SETLCID, /* 394 = setlcid */
AUE_GETLCID, /* 395 = getlcid */
AUE_MAC_MOUNT, /* 396 = __mac_mount */
+ AUE_MAC_GET_MOUNT, /* 397 = __mac_get_mount */
};
int nsys_au_event = sizeof(sys_au_event) / sizeof(sys_au_event[0]);
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_prot.c#5 (text+ko) ====
@@ -1049,6 +1049,8 @@
struct lctx *l;
int error;
+ AUDIT_ARG(pid, uap->pid);
+ AUDIT_ARG(value, uap->lcid);
if (uap->pid == LCID_PROC_SELF) { /* Create/Join/Leave */
p = p0;
} else { /* Adopt/Orphan */
@@ -1131,6 +1133,7 @@
struct proc *p;
int error;
+ AUDIT_ARG(pid, uap->pid);
if (uap->pid == LCID_PROC_SELF) {
p = p0;
} else {
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_base.c#8 (text+ko) ====
@@ -1029,6 +1029,7 @@
int error;
size_t ulen;
+ AUDIT_ARG(pid, uap->pid);
error = copyin(CAST_USER_ADDR_T(uap->mac_p), &mac, sizeof(mac));
if (error)
return (error);
@@ -1049,6 +1050,7 @@
kauth_cred_rele(tcred);
return (error);
}
+ AUDIT_ARG(mac_string, elements);
MALLOC(buffer, char *, mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
error = mac_cred_externalize_label(tcred->cr_label, elements,
@@ -1085,6 +1087,7 @@
FREE(elements, M_MACTEMP);
return (error);
}
+ AUDIT_ARG(mac_string, elements);
cr = kauth_cred_proc_ref(p);
@@ -1128,6 +1131,7 @@
FREE(buffer, M_MACTEMP);
return (error);
}
+ AUDIT_ARG(mac_string, buffer);
intlabel = mac_cred_alloc_label();
error = mac_cred_internalize_label(intlabel, buffer);
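Review bot: `AUDIT_ARG(mac_string, buffer)` hands the caller-supplied label text to audit_arg_mac_string, which copies it unbounded into a fixed-size record buffer, so this is only safe if the copy into `buffer` earlier in this function (outside the hunk) is limited to MAC_MAX_LABEL_BUF_LEN, which the diff does not show. If that bound exists, a short comment at the call site, `/* buffer was bounded to MAC_MAX_LABEL_BUF_LEN above; audit_arg_mac_string relies on it */`, documents the dependency; if it does not, enforce it before auditing. The enclosing function starts and ends outside the hunk.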
@@ -1174,6 +1178,7 @@
int error;
size_t ulen;
+ AUDIT_ARG(value, uap->lcid);
error = copyin(CAST_USER_ADDR_T(uap->mac_p), &mac, sizeof(mac));
if (error)
return (error);
@@ -1193,6 +1198,7 @@
FREE(elements, M_MACTEMP);
return (error);
}
+ AUDIT_ARG(mac_string, elements);
MALLOC(buffer, char *, mac.m_buflen, M_MACTEMP, M_WAITOK);
error = mac_lctx_externalize_label(l->lc_label, elements,
buffer, mac.m_buflen);
@@ -1227,6 +1233,7 @@
FREE(elements, M_MACTEMP);
return (error);
}
+ AUDIT_ARG(mac_string, elements);
MALLOC(buffer, char *, mac.m_buflen, M_MACTEMP, M_WAITOK);
PROC_LOCK(p);
@@ -1271,6 +1278,7 @@
FREE(buffer, M_MACTEMP);
return (error);
}
+ AUDIT_ARG(mac_string, buffer);
intlabel = mac_lctx_alloc_label();
error = mac_lctx_internalize_label(intlabel, buffer);
@@ -1349,6 +1357,7 @@
FREE(elements, M_MACTEMP);
return (error);
}
+ AUDIT_ARG(mac_string, elements);
MALLOC(buffer, char *, mac.m_buflen, M_MACTEMP, M_WAITOK);
error = fdgetf_noref(p, uap->fd, &fp);
@@ -1419,6 +1428,7 @@
FREE(elements, M_MACTEMP);
return (error);
}
+ AUDIT_ARG(mac_string, elements);
context.vc_proc = p;
context.vc_ucred = kauth_cred_get();
@@ -1498,6 +1508,7 @@
FREE(buffer, M_MACTEMP);
return (error);
}
+ AUDIT_ARG(mac_string, buffer);
error = fdgetf_noref(p, uap->fd, &fp);
if (error) {
@@ -1564,6 +1575,7 @@
FREE(buffer, M_MACTEMP);
return (error);
}
+ AUDIT_ARG(mac_string, buffer);
intlabel = mac_vnode_alloc_label();
error = mac_vnode_internalize_label(intlabel, buffer);
@@ -1627,6 +1639,8 @@
error = copyinstr(CAST_USER_ADDR_T(uap->policy), target, sizeof(target), &ulen);
if (error)
return (error);
+ AUDIT_ARG(value, uap->call);
+ AUDIT_ARG(mac_string, target);
error = ENOSYS;
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_process.c#4 (text+ko) ====
@@ -47,6 +47,12 @@
#include <security/mac_internal.h>
+#ifdef MAC_DEBUG
+extern u_int nmaccreds, nmacprocs;
+#endif
+
+#include <bsd/bsm/audit_kernel.h>
+
struct label *
mac_cred_alloc_label(void)
{
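Review bot: The `extern u_int nmaccreds, nmacprocs;` added under `#ifdef MAC_DEBUG` is unrelated to the audit hook and belongs in a shared header (mac_internal.h is included on the preceding line) rather than as a per-file extern that can silently diverge from the defining declaration; where they are defined is not visible here. The `#include <bsd/bsm/audit_kernel.h>` would also read better grouped with the other includes instead of after the conditional block. mac_cred_alloc_label begins in this hunk and continues outside it.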
@@ -219,6 +225,7 @@
FREE(buffer, M_MACTEMP);
return (error);
}
+ AUDIT_ARG(mac_string, buffer);
error = mac_cred_internalize_label(execlabelstorage, buffer);
FREE(buffer, M_MACTEMP);