From owner-svn-src-head@FreeBSD.ORG Thu Jan 17 21:02:54 2013 Return-Path: Delivered-To: svn-src-head@freebsd.org Received: from mx1.freebsd.org (mx1.FreeBSD.org [8.8.178.115]) by hub.freebsd.org (Postfix) with ESMTP id EC54FDD; Thu, 17 Jan 2013 21:02:54 +0000 (UTC) (envelope-from csjp@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) by mx1.freebsd.org (Postfix) with ESMTP id DD3B6D7; Thu, 17 Jan 2013 21:02:54 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.5/8.14.5) with ESMTP id r0HL2s9w095158; Thu, 17 Jan 2013 21:02:54 GMT (envelope-from csjp@svn.freebsd.org) Received: (from csjp@localhost) by svn.freebsd.org (8.14.5/8.14.5/Submit) id r0HL2sjL095155; Thu, 17 Jan 2013 21:02:54 GMT (envelope-from csjp@svn.freebsd.org) Message-Id: <201301172102.r0HL2sjL095155@svn.freebsd.org> From: "Christian S.J. Peron" Date: Thu, 17 Jan 2013 21:02:54 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r245573 - head/sys/security/audit X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 17 Jan 2013 21:02:55 -0000 Author: csjp Date: Thu Jan 17 21:02:53 2013 New Revision: 245573 URL: http://svnweb.freebsd.org/changeset/base/245573 Log: Implement the zonename token for jailed processes. If a process has an auditid/preselection masks specified, and is jailed, include the zonename (jailname) token as a part of the audit record. Reviewed by: pjd MFC after: 2 weeks Modified: head/sys/security/audit/audit.c head/sys/security/audit/audit_bsm.c head/sys/security/audit/audit_private.h Modified: head/sys/security/audit/audit.c ============================================================================== --- head/sys/security/audit/audit.c Thu Jan 17 20:21:56 2013 (r245572) +++ head/sys/security/audit/audit.c Thu Jan 17 21:02:53 2013 (r245573) @@ -38,6 +38,7 @@ __FBSDID("$FreeBSD$"); #include #include #include +#include #include #include #include @@ -211,6 +212,7 @@ audit_record_ctor(void *mem, int size, v struct kaudit_record *ar; struct thread *td; struct ucred *cred; + struct prison *pr; KASSERT(sizeof(*ar) == size, ("audit_record_ctor: wrong size")); @@ -233,6 +235,17 @@ audit_record_ctor(void *mem, int size, v ar->k_ar.ar_subj_pid = td->td_proc->p_pid; ar->k_ar.ar_subj_amask = cred->cr_audit.ai_mask; ar->k_ar.ar_subj_term_addr = cred->cr_audit.ai_termid; + /* + * If this process is jailed, make sure we capture the name of the + * jail so we can use it to generate a zonename token when we covert + * this record to BSM. + */ + if (jailed(cred)) { + pr = cred->cr_prison; + (void) strlcpy(ar->k_ar.ar_jailname, pr->pr_name, + sizeof(ar->k_ar.ar_jailname)); + } else + ar->k_ar.ar_jailname[0] = '\0'; return (0); } Modified: head/sys/security/audit/audit_bsm.c ============================================================================== --- head/sys/security/audit/audit_bsm.c Thu Jan 17 20:21:56 2013 (r245572) +++ head/sys/security/audit/audit_bsm.c Thu Jan 17 21:02:53 2013 (r245573) @@ -462,7 +462,7 @@ audit_sys_auditon(struct audit_record *a int kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau) { - struct au_token *tok, *subj_tok; + struct au_token *tok, *subj_tok, *jail_tok; struct au_record *rec; au_tid_t tid; struct audit_record *ar; @@ -475,8 +475,13 @@ kaudit_to_bsm(struct kaudit_record *kar, rec = kau_open(); /* - * Create the subject token. + * Create the subject token. If this credential was jailed be sure to + * generate a zonename token. */ + if (ar->ar_jailname[0] != '\0') + jail_tok = au_to_zonename(ar->ar_jailname); + else + jail_tok = NULL; switch (ar->ar_subj_term_addr.at_type) { case AU_IPv4: tid.port = ar->ar_subj_term_addr.at_port; @@ -1623,11 +1628,15 @@ kaudit_to_bsm(struct kaudit_record *kar, /* * Write the subject token so it is properly freed here. */ + if (jail_tok != NULL) + kau_write(rec, jail_tok); kau_write(rec, subj_tok); kau_free(rec); return (BSM_NOAUDIT); } + if (jail_tok != NULL) + kau_write(rec, jail_tok); kau_write(rec, subj_tok); tok = au_to_return32(au_errno_to_bsm(ar->ar_errno), ar->ar_retval); kau_write(rec, tok); /* Every record gets a return token */ Modified: head/sys/security/audit/audit_private.h ============================================================================== --- head/sys/security/audit/audit_private.h Thu Jan 17 20:21:56 2013 (r245572) +++ head/sys/security/audit/audit_private.h Thu Jan 17 21:02:53 2013 (r245573) @@ -230,6 +230,7 @@ struct audit_record { int ar_arg_exitretval; struct sockaddr_storage ar_arg_sockaddr; cap_rights_t ar_arg_rights; + char ar_jailname[MAXHOSTNAMELEN]; }; /*