From owner-p4-projects@FreeBSD.ORG Mon May 10 14:09:16 2010 Return-Path: Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id 8D383106567A; Mon, 10 May 2010 14:09:16 +0000 (UTC) Delivered-To: perforce@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 394C31065675 for ; Mon, 10 May 2010 14:09:16 +0000 (UTC) (envelope-from gpf@FreeBSD.org) Received: from repoman.freebsd.org (repoman.freebsd.org [69.147.83.41]) by mx1.freebsd.org (Postfix) with ESMTP id 26DB18FC15 for ; Mon, 10 May 2010 14:09:16 +0000 (UTC) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.14.3/8.14.3) with ESMTP id o4AE9GGU006008 for ; Mon, 10 May 2010 14:09:16 GMT (envelope-from gpf@FreeBSD.org) Received: (from perforce@localhost) by repoman.freebsd.org (8.14.3/8.14.3/Submit) id o4AE9FWJ006006 for perforce@freebsd.org; Mon, 10 May 2010 14:09:15 GMT (envelope-from gpf@FreeBSD.org) Date: Mon, 10 May 2010 14:09:15 GMT Message-Id: <201005101409.o4AE9FWJ006006@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to gpf@FreeBSD.org using -f 
From: Efstratios Karatzas To: Perforce Change Reviews Precedence: bulk Cc: Subject: PERFORCE change 178037 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.5 List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 10 May 2010 14:09:16 -0000 http://p4web.freebsd.org/@@178037?ac=10 Change 178037 by gpf@gpf_desktop on 2010/05/10 14:08:55 Keeping track of nfs rpc user credentials without knowing where the rpc came from is somewhat useless. I added the AUDIT_ARG_SOCKADDR_IN interface and now the "ip_addr:port" string is saved in the text field of the audit record. I do believe that in the case of nfs rpcs this information must be in the same td_ar as the rpc, and not a different one. Affected files ... .. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/nfsserver/nfs_srvkrpc.c#4 edit .. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit.h#4 edit .. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit_arg.c#2 edit .. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit_bsm.c#6 edit Differences ...
==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/nfsserver/nfs_srvkrpc.c#4 (text+ko) ====
@@ -294,7 +294,7 @@
 nd.nd_nam2 = rqst->rq_addr;
 nd.nd_procnum = procnum;
 nd.nd_cr = NULL;
- nd.nd_flag = flag;
+ nd.nd_flag = flag;
 if (nfs_privport) {
 /* Check if source port is privileged */
@@ -353,6 +353,7 @@
 nfsrvstats.srvrpccnt[nd.nd_procnum]++;
 AUDIT_NFS_ENTER(procnum, nd.nd_cr, td);
+ AUDIT_ARG_SOCKADDR_IN((struct sockaddr_in *)nd.nd_nam);
 error = proc(&nd, NULL, &mrep);
 AUDIT_NFS_EXIT(error, td);
==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit.h#4 (text) ====
@@ -70,6 +70,7 @@
 #ifdef AUDIT
 struct ipc_perm;
 struct sockaddr;
+struct sockaddr_in;
 union auditon_udata;
 void audit_arg_addr(void * addr);
 void audit_arg_exit(int status, int retval);
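Review bot: In the nfs_srvkrpc.c hunk at -353, `(struct sockaddr_in *)nd.nd_nam` is cast without looking at the address family, so a request arriving over a non-IPv4 transport would have its sockaddr read as a sockaddr_in and the audit record would carry a wrong peer address and port. The KASSERT in audit_arg_sockaddr_in() only guards a NULL pointer on kernels built with assertions, so a NULL nd_nam would be dereferenced otherwise. Assuming nd_nam is a `struct sockaddr *` (its assignment is outside the hunk, as is the rest of the function), guard the call: `if (nd.nd_nam != NULL && nd.nd_nam->sa_family == AF_INET)` before `AUDIT_ARG_SOCKADDR_IN(...)`, and decide explicitly what is recorded for other families.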
@@ -99,6 +100,7 @@
 void audit_arg_signum(u_int signum);
 void audit_arg_socket(int sodomain, int sotype, int soprotocol);
 void audit_arg_sockaddr(struct thread *td, struct sockaddr *sa);
+void audit_arg_sockaddr_in(struct sockaddr_in *sin);
 void audit_arg_auid(uid_t auid);
 void audit_arg_auditinfo(struct auditinfo *au_info);
 void audit_arg_auditinfo_addr(struct auditinfo_addr *au_info);
@@ -258,6 +260,11 @@
 audit_arg_socket((sodomain), (sotype), (soprotocol)); \
 } while (0)
+#define AUDIT_ARG_SOCKADDR_IN(sin) do { \
+ if (AUDITING_TD(curthread)) \
+ audit_arg_sockaddr_in((sin)); \
+} while (0)
+
 #define AUDIT_ARG_SUID(suid) do { \
 if (AUDITING_TD(curthread)) \
 audit_arg_suid((suid)); \
==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit_arg.c#2 (text) ====
@@ -471,6 +471,24 @@
 }
 void
+audit_arg_sockaddr_in(struct sockaddr_in *sin)
+{
+ char text[MAXPATHLEN];
+ struct kaudit_record *ar;
+ u_short port;
+
+ KASSERT(sin != NULL, ("audit_arg_sockaddr_in: sin == NULL"));
+
+ ar = currecord();
+ if (ar == NULL)
+ return;
+
+ port = ntohs(sin->sin_port);
+ snprintf(text, sizeof(text), "%s:%d", inet_ntoa(sin->sin_addr), port);
+ AUDIT_ARG_TEXT(text);
+}
+
+void
 audit_arg_auid(uid_t auid)
 {
 struct kaudit_record *ar;
==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit_bsm.c#6 (text) ====
@@ -1596,21 +1596,28 @@
 if (ARG_IS_VALID(kar, ARG_MODE)) {
 tok = au_to_arg32(3, "mode", ar->ar_arg_mode);
 kau_write(rec, tok);
+ }
+ UPATH1_VNODE1_TOKENS;
+ if (ARG_IS_VALID(kar, ARG_TEXT)) {
+ tok = au_to_text(ar->ar_arg_text);
+ kau_write(rec, tok);
 }
-
- UPATH1_VNODE1_TOKENS;
 break;
 case AUE_NFS_SYMLINK:
+ UPATH1_VNODE1_TOKENS;
 if (ARG_IS_VALID(kar, ARG_TEXT)) {
 tok = au_to_text(ar->ar_arg_text);
 kau_write(rec, tok);
 }
- UPATH1_VNODE1_TOKENS;
 break;
 case AUE_NFS_NOOP:
 case AUE_NFS_NULL:
+ if (ARG_IS_VALID(kar, ARG_TEXT)) {
+ tok = au_to_text(ar->ar_arg_text);
+ kau_write(rec, tok);
+ }
 break;
 case AUE_NFS_LINK:
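Review bot: In audit_arg_sockaddr_in() (audit_arg.c, -471) the address is formatted with `inet_ntoa()`, which in the kernel writes into one shared static buffer, so two NFS service threads auditing at the same time can leave a record holding the other client's address. Format into a caller-owned buffer instead: `char addr[INET_ADDRSTRLEN], text[INET_ADDRSTRLEN + sizeof(":65535")];` and `snprintf(text, sizeof(text), "%s:%u", inet_ntoa_r(sin->sin_addr, addr), port);`. That also replaces the path-sized `text[MAXPATHLEN]` stack buffer, which is far larger than an "ip:port" string needs. `ar` is only used for the NULL check, and `sin` could be declared `const struct sockaddr_in *` since it is never written through.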
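Review bot: The peer address is stored in the single `ar->ar_arg_text` slot, and the audit_bsm.c hunk at -1596 shows that AUE_NFS_SYMLINK already emitted ARG_TEXT before this change, so that event presumably sets its own text argument. If the symlink handler sets it after AUDIT_ARG_SOCKADDR_IN runs, the client address is silently replaced; if before, the original text is lost. Either way the record carries only one of the two. A dedicated argument for the peer (audit.h already declares `audit_arg_sockaddr()`, which may fit) would keep both and give reviewers a typed field rather than free text. Only the event cases touched here and in the -1619 hunk emit the token, so it is worth confirming that every other NFS event in this switch, which is not visible in these hunks, also writes the peer address. The repeated four-line ARG_TEXT block could become a small macro in the style of `UPATH1_VNODE1_TOKENS`.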
@@ -1619,8 +1626,12 @@
 if (ARG_IS_VALID(kar, ARG_MODE)) {
 tok = au_to_arg32(3, "mode", ar->ar_arg_mode);
 kau_write(rec, tok);
- }
+ }
 UPATH2_TOKENS;
+ if (ARG_IS_VALID(kar, ARG_TEXT)) {
+ tok = au_to_text(ar->ar_arg_text);
+ kau_write(rec, tok);
+ }
 break;
 case AUE_WAIT4: