audit

Jonathan Anderson Mon, 18 Jul 2011 05:59:17 -0700

Author: jonathan
Date: Mon Jul 18 12:58:18 2011
New Revision: 224181
URL: http://svn.freebsd.org/changeset/base/224181


Log:
  Provide ability to audit cap_rights_t arguments.
  
  We wish to be able to audit capability rights arguments; this code
  provides the necessary infrastructure.
  
  This commit does not, of itself, turn on such auditing for any
  system call; that should follow shortly.
  
  Approved by: mentor (rwatson), re (Capsicum blanket)
  Sponsored by: Google Inc

Modified:
  head/sys/security/audit/audit.h
  head/sys/security/audit/audit_arg.c
  head/sys/security/audit/audit_bsm.c
  head/sys/security/audit/audit_private.h

Modified: head/sys/security/audit/audit.h
==============================================================================
--- head/sys/security/audit/audit.h     Mon Jul 18 12:03:58 2011        
(r224180)
+++ head/sys/security/audit/audit.h     Mon Jul 18 12:58:18 2011        
(r224181)
@@ -114,6 +114,7 @@ void         audit_arg_auditon(union auditon_ud
 void    audit_arg_file(struct proc *p, struct file *fp);
 void    audit_arg_argv(char *argv, int argc, int length);
 void    audit_arg_envv(char *envv, int envc, int length);
+void    audit_arg_rights(cap_rights_t rights);
 void    audit_sysclose(struct thread *td, int fd);
 void    audit_cred_copy(struct ucred *src, struct ucred *dest);
 void    audit_cred_destroy(struct ucred *cred);
@@ -235,6 +236,11 @@ void        audit_thread_free(struct thread *t
                audit_arg_rgid((rgid));                                 \
 } while (0)
 
+#define        AUDIT_ARG_RIGHTS(rights) do {                                   
\
+       if (AUDITING_TD(curthread))                                     \
+               audit_arg_rights((rights));                             \
+} while (0)
+
 #define        AUDIT_ARG_RUID(ruid) do {                                       
\
        if (AUDITING_TD(curthread))                                     \
                audit_arg_ruid((ruid));                                 \
@@ -342,6 +348,7 @@ void         audit_thread_free(struct thread *t
 #define        AUDIT_ARG_PID(pid)
 #define        AUDIT_ARG_PROCESS(p)
 #define        AUDIT_ARG_RGID(rgid)
+#define        AUDIT_ARG_RIGHTS(rights)
 #define        AUDIT_ARG_RUID(ruid)
 #define        AUDIT_ARG_SIGNUM(signum)
 #define        AUDIT_ARG_SGID(sgid)

Modified: head/sys/security/audit/audit_arg.c
==============================================================================
--- head/sys/security/audit/audit_arg.c Mon Jul 18 12:03:58 2011        
(r224180)
+++ head/sys/security/audit/audit_arg.c Mon Jul 18 12:58:18 2011        
(r224181)
@@ -865,6 +865,19 @@ audit_arg_envv(char *envv, int envc, int
        ARG_SET_VALID(ar, ARG_ENVV);
 }
 
+void
+audit_arg_rights(cap_rights_t rights)
+{
+       struct kaudit_record *ar;
+
+       ar = currecord();
+       if (ar == NULL)
+               return;
+
+       ar->k_ar.ar_arg_rights = rights;
+       ARG_SET_VALID(ar, ARG_RIGHTS);
+}
+
 /*
  * The close() system call uses it's own audit call to capture the path/vnode
  * information because those pieces are not easily obtained within the system

Modified: head/sys/security/audit/audit_bsm.c
==============================================================================
--- head/sys/security/audit/audit_bsm.c Mon Jul 18 12:03:58 2011        
(r224180)
+++ head/sys/security/audit/audit_bsm.c Mon Jul 18 12:58:18 2011        
(r224181)
@@ -1589,6 +1589,28 @@ kaudit_to_bsm(struct kaudit_record *kar,
                }
                break;
 
+       case AUE_CAP_NEW:
+               /*
+                * XXXRW/XXXJA: Would be nice to audit socket/etc information.
+                */
+               FD_VNODE1_TOKENS;
+               if (ARG_IS_VALID(kar, ARG_RIGHTS)) {
+                       tok = au_to_arg64(2, "rights", ar->ar_arg_rights);
+                       kau_write(rec, tok);
+               }
+               break;
+
+       case AUE_CAP_GETRIGHTS:
+               if (ARG_IS_VALID(kar, ARG_FD)) {
+                       tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
+                       kau_write(rec, tok);
+               }
+               break;
+
+       case AUE_CAP_ENTER:
+       case AUE_CAP_GETMODE:
+               break;
+
        case AUE_NULL:
        default:
                printf("BSM conversion requested for unknown event %d\n",

Modified: head/sys/security/audit/audit_private.h
==============================================================================
--- head/sys/security/audit/audit_private.h     Mon Jul 18 12:03:58 2011        
(r224180)
+++ head/sys/security/audit/audit_private.h     Mon Jul 18 12:58:18 2011        
(r224181)
@@ -229,6 +229,7 @@ struct audit_record {
        int                     ar_arg_exitstatus;
        int                     ar_arg_exitretval;
        struct sockaddr_storage ar_arg_sockaddr;
+       cap_rights_t            ar_arg_rights;
 };
 
 /*
@@ -288,6 +289,7 @@ struct audit_record {
 #define        ARG_ENVV                0x0002000000000000ULL
 #define        ARG_ATFD1               0x0004000000000000ULL
 #define        ARG_ATFD2               0x0008000000000000ULL
+#define        ARG_RIGHTS              0x0010000000000000ULL
 #define        ARG_NONE                0x0000000000000000ULL
 #define        ARG_ALL                 0xFFFFFFFFFFFFFFFFULL
 
_______________________________________________
svn-src-head@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-head
To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"

svn commit: r224181 - head/sys/security/audit

Reply via email to