Date: Thu, 17 Jan 2013 21:02:54 +0000 (UTC) From: "Christian S.J. Peron" <csjp@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r245573 - head/sys/security/audit Message-ID: <201301172102.r0HL2sjL095155@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: csjp Date: Thu Jan 17 21:02:53 2013 New Revision: 245573 URL: http://svnweb.freebsd.org/changeset/base/245573 Log: Implement the zonename token for jailed processes. If a process has an auditid/preselection masks specified, and is jailed, include the zonename (jailname) token as a part of the audit record. Reviewed by: pjd MFC after: 2 weeks Modified: head/sys/security/audit/audit.c head/sys/security/audit/audit_bsm.c head/sys/security/audit/audit_private.h Modified: head/sys/security/audit/audit.c ============================================================================== --- head/sys/security/audit/audit.c Thu Jan 17 20:21:56 2013 (r245572) +++ head/sys/security/audit/audit.c Thu Jan 17 21:02:53 2013 (r245573) @@ -38,6 +38,7 @@ __FBSDID("$FreeBSD$"); #include <sys/filedesc.h> #include <sys/fcntl.h> #include <sys/ipc.h> +#include <sys/jail.h> #include <sys/kernel.h> #include <sys/kthread.h> #include <sys/malloc.h> @@ -211,6 +212,7 @@ audit_record_ctor(void *mem, int size, v struct kaudit_record *ar; struct thread *td; struct ucred *cred; + struct prison *pr; KASSERT(sizeof(*ar) == size, ("audit_record_ctor: wrong size")); @@ -233,6 +235,17 @@ audit_record_ctor(void *mem, int size, v ar->k_ar.ar_subj_pid = td->td_proc->p_pid; ar->k_ar.ar_subj_amask = cred->cr_audit.ai_mask; ar->k_ar.ar_subj_term_addr = cred->cr_audit.ai_termid; + /* + * If this process is jailed, make sure we capture the name of the + * jail so we can use it to generate a zonename token when we covert + * this record to BSM. + */ + if (jailed(cred)) { + pr = cred->cr_prison; + (void) strlcpy(ar->k_ar.ar_jailname, pr->pr_name, + sizeof(ar->k_ar.ar_jailname)); + } else + ar->k_ar.ar_jailname[0] = '\0'; return (0); } Modified: head/sys/security/audit/audit_bsm.c ============================================================================== --- head/sys/security/audit/audit_bsm.c Thu Jan 17 20:21:56 2013 (r245572) +++ head/sys/security/audit/audit_bsm.c Thu Jan 17 21:02:53 2013 (r245573) @@ -462,7 +462,7 @@ audit_sys_auditon(struct audit_record *a int kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau) { - struct au_token *tok, *subj_tok; + struct au_token *tok, *subj_tok, *jail_tok; struct au_record *rec; au_tid_t tid; struct audit_record *ar; @@ -475,8 +475,13 @@ kaudit_to_bsm(struct kaudit_record *kar, rec = kau_open(); /* - * Create the subject token. + * Create the subject token. If this credential was jailed be sure to + * generate a zonename token. */ + if (ar->ar_jailname[0] != '\0') + jail_tok = au_to_zonename(ar->ar_jailname); + else + jail_tok = NULL; switch (ar->ar_subj_term_addr.at_type) { case AU_IPv4: tid.port = ar->ar_subj_term_addr.at_port; @@ -1623,11 +1628,15 @@ kaudit_to_bsm(struct kaudit_record *kar, /* * Write the subject token so it is properly freed here. */ + if (jail_tok != NULL) + kau_write(rec, jail_tok); kau_write(rec, subj_tok); kau_free(rec); return (BSM_NOAUDIT); } + if (jail_tok != NULL) + kau_write(rec, jail_tok); kau_write(rec, subj_tok); tok = au_to_return32(au_errno_to_bsm(ar->ar_errno), ar->ar_retval); kau_write(rec, tok); /* Every record gets a return token */ Modified: head/sys/security/audit/audit_private.h ============================================================================== --- head/sys/security/audit/audit_private.h Thu Jan 17 20:21:56 2013 (r245572) +++ head/sys/security/audit/audit_private.h Thu Jan 17 21:02:53 2013 (r245573) @@ -230,6 +230,7 @@ struct audit_record { int ar_arg_exitretval; struct sockaddr_storage ar_arg_sockaddr; cap_rights_t ar_arg_rights; + char ar_jailname[MAXHOSTNAMELEN]; }; /*
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201301172102.r0HL2sjL095155>