Date:      Thu, 30 Mar 2017 21:39:03 +0000 (UTC)
From:      Robert Watson <rwatson@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r316305 - head/sys/security/audit
Message-ID:  <201703302139.v2ULd3Gn083800@repo.freebsd.org>

Author: rwatson
Date: Thu Mar 30 21:39:03 2017
New Revision: 316305
URL: https://svnweb.freebsd.org/changeset/base/316305

Log:
  Various BSM generation improvements when auditing AUE_ACCEPT,
  AUE_PROCCTL, AUE_SENDFILE, AUE_ACL_*, and AUE_POSIX_FALLOCATE.
  Audit AUE_SHMUNLINK path in the path token rather than as a
  text string, and AUE_SHMOPEN flags as an integer token rather
  than a System V IPC address token.
  
  Obtained from:	TrustedBSD Project
  MFC after:	3 weeks
  Sponsored by:	DARPA, AFRL

Modified:
  head/sys/security/audit/audit_bsm.c

Modified: head/sys/security/audit/audit_bsm.c
==============================================================================
--- head/sys/security/audit/audit_bsm.c	Thu Mar 30 20:42:16 2017	(r316304)
+++ head/sys/security/audit/audit_bsm.c	Thu Mar 30 21:39:03 2017	(r316305)
@@ -530,6 +530,23 @@ kaudit_to_bsm(struct kaudit_record *kar,
 	 */
 	switch(ar->ar_event) {
 	case AUE_ACCEPT:
+		if (ARG_IS_VALID(kar, ARG_FD)) {
+			tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
+			kau_write(rec, tok);
+		}
+		if (ARG_IS_VALID(kar, ARG_SADDRINET)) {
+			tok = au_to_sock_inet((struct sockaddr_in *)
+			    &ar->ar_arg_sockaddr);
+			kau_write(rec, tok);
+		}
+		if (ARG_IS_VALID(kar, ARG_SADDRUNIX)) {
+			tok = au_to_sock_unix((struct sockaddr_un *)
+			    &ar->ar_arg_sockaddr);
+			kau_write(rec, tok);
+			UPATH1_TOKENS;
+		}
+		break;
+
 	case AUE_BIND:
 	case AUE_LISTEN:
 	case AUE_CONNECT:
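Review bot: The new AUE_ACCEPT case emits the peer address only for ARG_SADDRINET and ARG_SADDRUNIX, so a connection accepted on an IPv6 socket would presumably produce a record with no address token at all. The AUE_SENDFILE case added later in this commit carries `/* XXX Need to handle ARG_SADDRINET6 */`, but this case drops even that marker. At minimum add the same comment before the `break;` so the gap stays visible to anyone relying on these records for connection attribution. If an IPv6 socket-address token constructor is available to this file, an `ARG_IS_VALID(kar, ARG_SADDRINET6)` branch here and in AUE_SENDFILE would close it.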
@@ -537,7 +554,6 @@ kaudit_to_bsm(struct kaudit_record *kar,
 	case AUE_RECVFROM:
 	case AUE_RECVMSG:
 	case AUE_SEND:
-	case AUE_SENDFILE:
 	case AUE_SENDMSG:
 	case AUE_SENDTO:
 		/*
@@ -576,6 +592,22 @@ kaudit_to_bsm(struct kaudit_record *kar,
 		}
 		break;
 
+	case AUE_SENDFILE:
+		FD_VNODE1_TOKENS;
+		if (ARG_IS_VALID(kar, ARG_SADDRINET)) {
+			tok = au_to_sock_inet((struct sockaddr_in *)
+			    &ar->ar_arg_sockaddr);
+			kau_write(rec, tok);
+		}
+		if (ARG_IS_VALID(kar, ARG_SADDRUNIX)) {
+			tok = au_to_sock_unix((struct sockaddr_un *)
+			    &ar->ar_arg_sockaddr);
+			kau_write(rec, tok);
+			UPATH1_TOKENS;
+		}
+		/* XXX Need to handle ARG_SADDRINET6 */
+		break;
+
 	case AUE_SOCKET:
 	case AUE_SOCKETPAIR:
 		if (ARG_IS_VALID(kar, ARG_SOCKINFO)) {
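Review bot: sendfile(2) takes two descriptors, the file being sent and the destination socket, and nothing in the new AUE_SENDFILE case says which one `FD_VNODE1_TOKENS` describes; the macro is defined outside this hunk. A short comment above it, for example `/* fd/vnode tokens describe the file being sent; the socket is identified only by the address tokens below. */` (if that is the intent), would tell record consumers what to expect. It is also worth confirming that the sendfile path ever marks ARG_SADDRINET or ARG_SADDRUNIX valid, since otherwise the socket end of the transfer is absent from the record.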
@@ -749,6 +781,26 @@ kaudit_to_bsm(struct kaudit_record *kar,
 		 */
 		break;
 
+	case AUE_ACL_DELETE_FD:
+	case AUE_ACL_DELETE_FILE:
+	case AUE_ACL_CHECK_FD:
+	case AUE_ACL_CHECK_FILE:
+	case AUE_ACL_CHECK_LINK:
+	case AUE_ACL_DELETE_LINK:
+	case AUE_ACL_GET_FD:
+	case AUE_ACL_GET_FILE:
+	case AUE_ACL_GET_LINK:
+	case AUE_ACL_SET_FD:
+	case AUE_ACL_SET_FILE:
+	case AUE_ACL_SET_LINK:
+		if (ARG_IS_VALID(kar, ARG_VALUE)) {
+			tok = au_to_arg32(1, "type", ar->ar_arg_value);
+			kau_write(rec, tok);
+		}
+		ATFD1_TOKENS(1);
+		UPATH1_VNODE1_TOKENS;
+		break;
+
 	case AUE_CHDIR:
 	case AUE_CHROOT:
 	case AUE_FSTATAT:
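Review bot: In the AUE_ACL_* case the "type" token and `ATFD1_TOKENS(1)` both use argument number 1, so a record in which both are valid would carry two tokens claiming the same argument position. Other cases in this function appear to use the number as the syscall argument index (`au_to_arg32(2, "flags", ...)` for AUE_SHMOPEN), and the ACL type looks to be the second argument of the __acl_* calls, so `tok = au_to_arg32(2, "type", ar->ar_arg_value);` is probably the intended form. For the *_FD events, also check that the descriptor number itself reaches the record; only `UPATH1_VNODE1_TOKENS` is emitted here and its definition is outside the hunk.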
@@ -959,6 +1011,7 @@ kaudit_to_bsm(struct kaudit_record *kar,
 	case AUE_GETDIRENTRIESATTR:
 	case AUE_LSEEK:
 	case AUE_POLL:
+	case AUE_POSIX_FALLOCATE:
 	case AUE_PREAD:
 	case AUE_PWRITE:
 	case AUE_READ:
@@ -1245,6 +1298,18 @@ kaudit_to_bsm(struct kaudit_record *kar,
 		UPATH1_VNODE1_TOKENS;
 		break;
 
+	case AUE_PROCCTL:
+		if (ARG_IS_VALID(kar, ARG_VALUE)) {
+			tok = au_to_arg32(1, "idtype", ar->ar_arg_value);
+			kau_write(rec, tok);
+		}
+		if (ARG_IS_VALID(kar, ARG_CMD)) {
+			tok = au_to_arg32(2, "com", ar->ar_arg_cmd);
+			kau_write(rec, tok);
+		}
+		PROCESS_PID_TOKENS(3);
+		break;
+
 	case AUE_PTRACE:
 		if (ARG_IS_VALID(kar, ARG_CMD)) {
 			tok = au_to_arg32(1, "request", ar->ar_arg_cmd);
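Review bot: The argument numbers in the new AUE_PROCCTL case do not follow the procctl(2) argument order: the call is (idtype, id, cmd, data), but the command is written as argument 2 and `PROCESS_PID_TOKENS(3)` numbers the id as 3. Assuming the macro's parameter is the argument index, `tok = au_to_arg32(3, "cmd", ar->ar_arg_cmd);` and `PROCESS_PID_TOKENS(2);` would keep the record aligned with the syscall. The label "com" also reads like a typo for "cmd", unless it is a deliberate token name. Token text is what audit-trail parsers match on, so it is cheaper to settle before the MFC than after.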
@@ -1499,7 +1564,7 @@ kaudit_to_bsm(struct kaudit_record *kar,
 	/* AUE_SHMOPEN, AUE_SHMUNLINK, AUE_SEMOPEN, AUE_SEMCLOSE
 	 * and AUE_SEMUNLINK are Posix IPC */
 	case AUE_SHMOPEN:
-		if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) {
+		if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
 			tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
 			kau_write(rec, tok);
 		}
@@ -1510,10 +1575,7 @@ kaudit_to_bsm(struct kaudit_record *kar,
 		/* FALLTHROUGH */
 
 	case AUE_SHMUNLINK:
-		if (ARG_IS_VALID(kar, ARG_TEXT)) {
-			tok = au_to_text(ar->ar_arg_text);
-			kau_write(rec, tok);
-		}
+		UPATH1_TOKENS;
 		if (ARG_IS_VALID(kar, ARG_POSIX_IPC_PERM)) {
 			struct ipc_perm perm;
 
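Review bot: Replacing the text token with `UPATH1_TOKENS` in AUE_SHMUNLINK (and, through the fallthrough, AUE_SHMOPEN) only works if the shm_open/shm_unlink code paths record the name as a upath1 argument rather than as text; this commit touches only audit_bsm.c, so that producer side is not visible here. If it still records the name as text, the object name silently disappears from the record. The same applies to the AUE_SHMOPEN hunk above, which now requires ARG_FFLAGS to be valid. Trail consumers that matched the name in a text token will also need to look for a path token, which deserves a line in the MFC notes. The `if (ARG_IS_VALID(kar, ARG_POSIX_IPC_PERM))` block continues outside the hunk.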


