Date: Fri, 5 May 2006 13:34:51 GMT From: Robert Watson <rwatson@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 96700 for review Message-ID: <200605051334.k45DYpog042093@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=96700
Change 96700 by rwatson@rwatson_zoo on 2006/05/05 13:34:03
Add three new ioctls to audit pipes: AUDITPIPE_DELETE_AUID, which will delete the preselection state for a particular auid on the pipe, and AUDITPIPE_{GET/SET}_PRESELECT_TRAIL, which set the AUDIT_PIPE_TRAIL flag on the pipe, which indicates that the pipe will follow the trail preselection model, rather than using its own preselection settings. This is now the default, restoring the behavior of praudit(1) on /dev/auditpipe to its default prior to adding preselection magic.
Affected files ...
.. //depot/projects/trustedbsd/audit3/sys/security/audit/audit.c#28 edit
.. //depot/projects/trustedbsd/audit3/sys/security/audit/audit_ioctl.h#8 edit
.. //depot/projects/trustedbsd/audit3/sys/security/audit/audit_pipe.c#19 edit
.. //depot/projects/trustedbsd/audit3/sys/security/audit/audit_private.h#27 edit
.. //depot/projects/trustedbsd/audit3/sys/security/audit/audit_worker.c#11 edit
Differences ...
==== //depot/projects/trustedbsd/audit3/sys/security/audit/audit.c#28 (text+ko) ====
@@ -389,7 +389,8 @@
 	ar->k_ar_commit |= AR_COMMIT_KERNEL;
 	if (au_preselect(event, class, aumask, sorf) != 0)
 		ar->k_ar_commit |= AR_PRESELECT_TRAIL;
-	if (audit_pipe_preselect(auid, event, class, sorf) != 0)
+	if (audit_pipe_preselect(auid, event, class, sorf,
+	    ar->k_ar_commit & AR_PRESELECT_TRAIL) != 0)
 		ar->k_ar_commit |= AR_PRESELECT_PIPE;
 	if ((ar->k_ar_commit & (AR_PRESELECT_TRAIL | AR_PRESELECT_PIPE)) == 0) {
@@ -511,7 +512,7 @@
 			panic("audit_failing_stop: thread continued");
 		}
 		td->td_ar = audit_new(event, td);
-	} else if (audit_pipe_preselect(auid, event, class, AU_PRS_BOTH))
+	} else if (audit_pipe_preselect(auid, event, class, AU_PRS_BOTH, 0))
 		td->td_ar = audit_new(event, td);
 	else
 		td->td_ar = NULL;
==== //depot/projects/trustedbsd/audit3/sys/security/audit/audit_ioctl.h#8 (text+ko) ====
@@ -59,8 +59,11 @@
 	struct auditpipe_preselect)
 #define	AUDITPIPE_SET_PRESELECT_AUID	_IOW(AUDITPIPE_IOBASE, 11, \
 	struct auditpipe_preselect)
-#define	AUDITPIPE_FLUSH_PRESELECT_AUID	_IO(AUDITPIPE_IOBASE, 12)
-#define	AUDITPIPE_FLUSH	_IO(AUDITPIPE_IOBASE, 13)
+#define	AUDITPIPE_DELETE_PRESELECT_AUID	_IOW(AUDITPIPE_IOBASE, 12, au_id_t)
+#define	AUDITPIPE_FLUSH_PRESELECT_AUID	_IO(AUDITPIPE_IOBASE, 13)
+#define	AUDITPIPE_GET_PRESELECT_TRAIL	_IOR(AUDITPIPE_IOBASE, 14, int)
+#define	AUDITPIPE_SET_PRESELECT_TRAIL	_IOW(AUDITPIPE_IOBASE, 14, int)
+#define	AUDITPIPE_FLUSH	_IO(AUDITPIPE_IOBASE, 15)
 
 /*
  * Ioctls to retrieve audit pipe statistics.
==== //depot/projects/trustedbsd/audit3/sys/security/audit/audit_pipe.c#19 (text+ko) ====
@@ -103,6 +103,7 @@
  */
 #define	AUDIT_PIPE_ASYNC	0x00000001
 #define	AUDIT_PIPE_NBIO	0x00000002
+#define	AUDIT_PIPE_TRAIL	0x00000004	/* Use trail preselection. */
 struct audit_pipe {
 	int	ap_open;	/* Device open? */
 	u_int	ap_flags;
@@ -200,16 +201,25 @@
 /*
  * Determine whether a specific audit pipe matches a record with these
- * properties.
+ * properties.  Algorithm is as follows:
+ *
+ * - If the pipe is configured to track the default trail configuration, then
+ *   use that.
+ * - If not, search for a specifically configured auid entry matching the
+ *   event.  If it is found, use that.
+ * - Otherwise, use the default flags or naflags configured for the pipe.
  */
 static int
 audit_pipe_preselect_check(struct audit_pipe *ap, au_id_t auid,
-    au_event_t event, au_class_t class, int sorf)
+    au_event_t event, au_class_t class, int sorf, int trail_preselect)
 {
 	struct audit_pipe_preselect *app;
 
 	mtx_assert(&audit_pipe_mtx, MA_OWNED);
 
+	if ((ap->ap_flags & AUDIT_PIPE_TRAIL) && trail_preselect)
+		return (1);
+
 	TAILQ_FOREACH(app, &ap->ap_preselect_list, app_list) {
 		if (app->app_auid == auid)
 			break;
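Review bot: Renumbering the existing requests in audit_ioctl.h — AUDITPIPE_FLUSH_PRESELECT_AUID moves from 12 to 13 and AUDITPIPE_FLUSH from 13 to 15 — means a consumer built against the previous header that issues its old AUDITPIPE_FLUSH (`_IO(AUDITPIPE_IOBASE, 13)`) is now decoded as AUDITPIPE_FLUSH_PRESELECT_AUID, which the handler in this change answers with EOPNOTSUPP, so the flush silently does nothing. If the interface has consumers outside this branch, the safer layout is to append the new requests after the existing numbers; otherwise a one-line header comment that the numbering is not yet stable would save the next reader the check. Sharing number 14 between the `_IOR` and `_IOW` forms of PRESELECT_TRAIL is fine, since the direction bits keep the two commands distinct.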
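Review bot: The new early return in audit_pipe_preselect_check only decides the positive case: with AUDIT_PIPE_TRAIL set and trail_preselect zero, control falls through to the auid-specific entries and default masks, so a pipe in trail mode delivers the union of the trail selection and its own masks, whereas the comment above ("use that") and the change description ("rather than using its own preselection settings") describe trail mode as exclusive. At open the masks are zeroed so the two agree, but an application that configures masks and later re-enables trail mode receives both, which can hand it records it did not opt into. If exclusive is the intent, `if (ap->ap_flags & AUDIT_PIPE_TRAIL) return (trail_preselect != 0);` matches the comment; if union is the intent, the comment should say so. The remainder of the function, including the default-mask fallback, lies outside the hunk.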
@@ -232,13 +242,14 @@
  */
 int
 audit_pipe_preselect(au_id_t auid, au_event_t event, au_class_t class,
-    int sorf)
+    int sorf, int trail_preselect)
 {
 	struct audit_pipe *ap;
 
 	mtx_lock(&audit_pipe_mtx);
 	TAILQ_FOREACH(ap, &audit_pipe_list, ap_list) {
-		if (audit_pipe_preselect_check(ap, auid, event, class, sorf)) {
+		if (audit_pipe_preselect_check(ap, auid, event, class, sorf,
+		    trail_preselect)) {
 			mtx_unlock(&audit_pipe_mtx);
 			return (1);
 		}
@@ -301,7 +312,7 @@
  */
 void
 audit_pipe_submit(au_id_t auid, au_event_t event, au_class_t class, int sorf,
-    void *record, u_int record_len)
+    int trail_select, void *record, u_int record_len)
 {
 	struct audit_pipe *ap;
 
@@ -313,7 +324,8 @@
 
 	mtx_lock(&audit_pipe_mtx);
 	TAILQ_FOREACH(ap, &audit_pipe_list, ap_list) {
-		if (audit_pipe_preselect_check(ap, auid, event, class, sorf))
+		if (audit_pipe_preselect_check(ap, auid, event, class, sorf,
+		    trail_select))
 			audit_pipe_append(ap, record, record_len);
 	}
 	audit_pipe_records++;
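Review bot: The same new parameter is named `trail_preselect` in audit_pipe_preselect_check and audit_pipe_preselect but `trail_select` in audit_pipe_submit and in the audit_private.h prototypes, which makes the three call sites harder to cross-check against the header; one name throughout, e.g. `int trail_preselect`, would be clearer. A short comment on audit_pipe_submit noting that the argument is the caller's AR_PRESELECT_TRAIL result (audit_worker.c passes `ar->k_ar_commit & AR_PRESELECT_TRAIL` directly) would also help, since it arrives as a raw flag value rather than a normalized boolean. The comment blocks above both functions begin before their hunks.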
@@ -387,20 +399,15 @@
 	TAILQ_INIT(&ap->ap_queue);
 
 	/*
-	 * Initialize pre-selection state to match all events by default, and
-	 * have no particular auid-specific entries.  This allows praudit(1)
-	 * to be run directly on an audit pipe without any configuration or
-	 * special handling.  However, it also requires that applications
-	 * flush the pipe after specifying preselection prequirements so that
-	 * they don't see events captured before they completed
-	 * configuration.
+	 * Default flags, naflags, and auid-specific preselection settings to
+	 * 0.  Initialize the AUDIT_PIPE_TRAIL flag so that if praudit(1) is
+	 * run on /dev/auditpipe, it sees events associated with the default
+	 * trail.  Pipe-aware application can clear the flag, set custom
+	 * masks, and flush the pipe as needed.
 	 */
 	bzero(&ap->ap_preselect_flags, sizeof(ap->ap_preselect_flags));
-	ap->ap_preselect_flags.am_success = 0xffffffff;
-	ap->ap_preselect_flags.am_failure = 0xffffffff;
 	bzero(&ap->ap_preselect_naflags, sizeof(ap->ap_preselect_naflags));
-	ap->ap_preselect_naflags.am_success = 0xffffffff;
-	ap->ap_preselect_naflags.am_failure = 0xffffffff;
+	ap->ap_flags |= AUDIT_PIPE_TRAIL;
 	TAILQ_INIT(&ap->ap_preselect_list);
 	TAILQ_INSERT_HEAD(&audit_pipe_list, ap, ap_list);
@@ -535,6 +542,7 @@
 	struct auditpipe_preselect *aps;
 	struct audit_pipe *ap;
 	au_mask_t *maskp;
+	au_id_t auid;
 	int error;
 
 	ap = dev->si_drv1;
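Review bot: `ap->ap_flags |= AUDIT_PIPE_TRAIL;` ORs into a field whose initialization is not visible in the hunk (the enclosing allocation function begins before it); if the pipe structure is not zeroed by its allocator, stale ASYNC/NBIO bits would survive into a fresh pipe, and a plain assignment `ap->ap_flags = AUDIT_PIPE_TRAIL;` would make the initial state explicit either way. The surrounding fields are set with bzero and TAILQ_INIT rather than assumed zero, so an explicit store here would also match the local style.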
@@ -650,10 +658,28 @@
 		error = EOPNOTSUPP;
 		break;
 
+	case AUDITPIPE_DELETE_PRESELECT_AUID:
+		auid = *(au_id_t *)data;
+		error = EOPNOTSUPP;
+		break;
+
 	case AUDITPIPE_FLUSH_PRESELECT_AUID:
 		error = EOPNOTSUPP;
 		break;
 
+	case AUDITPIPE_GET_PRESELECT_TRAIL:
+		*(int *)data = (ap->ap_flags & AUDIT_PIPE_TRAIL) ? 1 : 0;
+		error = 0;
+		break;
+
+	case AUDITPIPE_SET_PRESELECT_TRAIL:
+		if (*(int *)data)
+			ap->ap_flags |= AUDIT_PIPE_TRAIL;
+		else
+			ap->ap_flags &= ~AUDIT_PIPE_TRAIL;
+		error = 0;
+		break;
+
 	case AUDITPIPE_FLUSH:
 		audit_pipe_flush(ap);
 		error = 0;
==== //depot/projects/trustedbsd/audit3/sys/security/audit/audit_private.h#27 (text+ko) ====
@@ -344,9 +344,9 @@
  * Audit pipe functions.
  */
 int	 audit_pipe_preselect(au_id_t auid, au_event_t event,
-	    au_class_t class, int sorf);
+	    au_class_t class, int sorf, int trail_select);
 void	 audit_pipe_submit(au_id_t auid, au_event_t event, au_class_t class,
-	    int sorf, void *record, u_int record_len);
+	    int sorf, int trail_select, void *record, u_int record_len);
 void	 audit_pipe_submit_user(void *record, u_int record_len);
 
 #endif /* ! _SECURITY_AUDIT_PRIVATE_H_ */
==== //depot/projects/trustedbsd/audit3/sys/security/audit/audit_worker.c#11 (text+ko) ====
@@ -373,7 +373,8 @@
 	}
 	if (ar->k_ar_commit & AR_PRESELECT_PIPE)
 		audit_pipe_submit(auid, event, class, sorf,
-		    bsm->data, bsm->len);
+		    ar->k_ar_commit & AR_PRESELECT_TRAIL, bsm->data,
+		    bsm->len);
 	kau_free(bsm);
 }
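Review bot: The AUDITPIPE_SET_PRESELECT_TRAIL case updates ap->ap_flags with a read-modify-write and no audit_pipe_mtx acquisition is visible in the hunk, while audit_pipe_preselect_check asserts that mutex is held when it reads the same field on the record-submission path; unless the ioctl handler already holds the lock outside the hunk, a concurrent update of another ap_flags bit can drop the TRAIL bit, which silently stops record delivery to the pipe. Bracketing the if/else with `mtx_lock(&audit_pipe_mtx);` and `mtx_unlock(&audit_pipe_mtx);` (and reading under the lock in the GET case) keeps the field consistent with its readers. Separately, `auid = *(au_id_t *)data;` in the AUDITPIPE_DELETE_PRESELECT_AUID stub is assigned but never used until that request is implemented, which some compilers will flag. The enclosing ioctl switch starts and ends outside the hunk.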