From owner-p4-projects@FreeBSD.ORG Sat Jul 12 23:03:00 2008 Return-Path: Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id 1ACD51065676; Sat, 12 Jul 2008 23:03:00 +0000 (UTC) Delivered-To: perforce@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id D29EC1065672 for ; Sat, 12 Jul 2008 23:02:59 +0000 (UTC) (envelope-from diego@FreeBSD.org) Received: from repoman.freebsd.org (repoman.freebsd.org [IPv6:2001:4f8:fff6::29]) by mx1.freebsd.org (Postfix) with ESMTP id C489D8FC12 for ; Sat, 12 Jul 2008 23:02:59 +0000 (UTC) (envelope-from diego@FreeBSD.org) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.14.1/8.14.1) with ESMTP id m6CN2xL9054339 for ; Sat, 12 Jul 2008 23:02:59 GMT (envelope-from diego@FreeBSD.org) Received: (from perforce@localhost) by repoman.freebsd.org (8.14.2/8.14.1/Submit) id m6CN2xd8054337 for perforce@freebsd.org; Sat, 12 Jul 2008 23:02:59 GMT (envelope-from diego@FreeBSD.org) Date: Sat, 12 Jul 2008 23:02:59 GMT Message-Id: <200807122302.m6CN2xd8054337@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to diego@FreeBSD.org using -f 
From: Diego Giagio To: Perforce Change Reviews Cc: Subject: PERFORCE change 145116 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 12 Jul 2008 23:03:00 -0000
http://perforce.freebsd.org/chv.cgi?CH=145116
Change 145116 by diego@diego_black on 2008/07/12 23:02:26
Almost finished support for auditing administrative pf events on kernel.
Affected files ...
.. //depot/projects/soc2008/diego-audit/src/sys/contrib/pf/net/pf_ioctl.c#6 edit
.. //depot/projects/soc2008/diego-audit/src/sys/security/audit/audit.h#9 edit
.. //depot/projects/soc2008/diego-audit/src/sys/security/audit/audit_pfil.c#6 edit
Differences ...
==== //depot/projects/soc2008/diego-audit/src/sys/contrib/pf/net/pf_ioctl.c#6 (text+ko) ====
@@ -1173,6 +1173,7 @@
 if (rs_num < 0 || rs_num >= PF_RULESET_MAX)
 return (EINVAL);
+
 rs = pf_find_ruleset(anchor);
 if (rs == NULL || !rs->rules[rs_num].inactive.open || ticket != rs->rules[rs_num].inactive.ticket)
@@ -1216,6 +1217,12 @@
 rs->rules[rs_num].inactive.open = 0;
 pf_remove_if_empty_ruleset(rs);
 splx(s);
+
+ if (rs->rules[rs_num].active.rcount == 0)
+ AUDIT_CALL(audit_pf_flush(anchor, old_rcount, 0));
+ else
+ AUDIT_CALL(audit_pf_addrule(anchor,
+ rs->rules[rs_num].active.rcount,0));
 return (0);
 }
@@ -1423,6 +1430,7 @@
 }
 DPFPRINTF(PF_DEBUG_MISC, ("pf: started\n"));
 }
+ AUDIT_CALL(audit_pf_enable(error));
 break;
 case DIOCSTOP:
@@ -1443,6 +1451,7 @@
 pf_status.since = time_second;
 DPFPRINTF(PF_DEBUG_MISC, ("pf: stopped\n"));
 }
+ AUDIT_CALL(audit_pf_disable(error));
 break;
 case DIOCADDRULE: {
@@ -1917,6 +1926,8 @@
 if (pcr->action == PF_CHANGE_REMOVE) {
 pf_rm_rule(ruleset->rules[rs_num].active.ptr, oldrule);
 ruleset->rules[rs_num].active.rcount--;
+ AUDIT_CALL(audit_pf_delrule(oldrule->anchor->name,
+ error));
 } else {
 if (oldrule == NULL)
 TAILQ_INSERT_TAIL(
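Review bot: The new `rs->rules[rs_num].active.rcount` reads at the end of the @@ -1216 hunk come after `pf_remove_if_empty_ruleset(rs)`, so if that call releases an empty anchor ruleset (as its name suggests; confirm in pf_ruleset.c) the flush branch dereferences `rs` after it has been freed — exactly the case the branch is meant to audit. Snapshot the count while `rs` is still valid: add `u_int32_t new_rcount;` to the locals, `new_rcount = rs->rules[rs_num].active.rcount;` immediately before `pf_remove_if_empty_ruleset(rs);`, and test `new_rcount` in the added `if`/`else`. The addrule record also passes the whole active count with a hard-coded error of 0, whereas DIOCCHANGERULE passes `1` per rule; a comment such as `/* commit: nrules is the new active count, not a delta */` would keep readers of the audit trail from conflating the two. pf_commit_rules begins outside the hunk.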
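Review bot: `oldrule->anchor->name` in the added audit call of the @@ -1917 hunk is read after `pf_rm_rule(ruleset->rules[rs_num].active.ptr, oldrule)` has unlinked and, unless states still reference it, freed `oldrule`, so this is a use-after-free on the common path. Independently, if `pf_rule.anchor` is the anchor a rule calls into rather than the ruleset containing it (NULL for ordinary rules in stock pf — verify in pfvar.h), the dereference also faults for every non-anchor rule. Use the request's anchor path, which is still valid here and names the ruleset being changed: `AUDIT_CALL(audit_pf_delrule(pcr->anchor, error));`. The DIOCCHANGERULE case starts and ends outside the hunk.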
@@ -1930,6 +1941,7 @@
 ruleset->rules[rs_num].active.ptr,
 oldrule, newrule, entries);
 ruleset->rules[rs_num].active.rcount++;
+ AUDIT_CALL(audit_pf_addrule(newrule->anchor->name,1,0));
 }
 nr = 0;
==== //depot/projects/soc2008/diego-audit/src/sys/security/audit/audit.h#9 (text) ====
@@ -128,7 +128,6 @@
 */
 void audit_ipfw_enable(int error);
 void audit_ipfw_disable(int error);
-
 void audit_ipfw_addrule(int set, int rulenum, int error);
 void audit_ipfw_delrule(int set, int rulenum, int error);
 void audit_ipfw_flush(int error);
@@ -138,6 +137,9 @@
 void audit_pf_enable(int error);
 void audit_pf_disable(int error);
+void audit_pf_addrule(char *anchor, int nrules, int error);
+void audit_pf_delrule(char *anchor, int error);
+void audit_pf_flush(char *anchor, int nrules, int error);
 /*
 * The remaining kernel functions are conditionally compiled in as they are
==== //depot/projects/soc2008/diego-audit/src/sys/security/audit/audit_pfil.c#6 (text+ko) ====
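Review bot: `newrule->anchor->name` is dereferenced unconditionally in the added audit call of the @@ -1930 hunk; if `pf_rule.anchor` holds the called anchor (NULL unless the rule has an anchor_call, as in stock pf — verify in pfvar.h), this faults for every ordinary rule replaced or added through DIOCCHANGERULE. The ruleset being modified is already identified by the request, so `AUDIT_CALL(audit_pf_addrule(pcr->anchor, 1, 0));` records the same fact without touching the rule. The `,1,0` spacing also departs from the style of the surrounding calls. The enclosing DIOCCHANGERULE case begins and continues outside the hunk.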
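Review bot: The three new prototypes in the audit.h @@ -138 hunk take `char *anchor` although the implementations only format the string, so a caller holding a `const char *` (a request's anchor path, for instance) would need a cast; declare them `void audit_pf_addrule(const char *anchor, int nrules, int error);`, `void audit_pf_delrule(const char *anchor, int error);` and `void audit_pf_flush(const char *anchor, int nrules, int error);`, mirroring the change in audit_pfil.c. A one-line comment above them saying what `nrules` means for addrule versus flush (new active count versus rules discarded) would also help, because the two pf_ioctl.c call sites pass different quantities.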
@@ -213,3 +213,65 @@
 audit_commit(ar, error, 0);
 }
+static void
+pf_rule_to_text(char *anchor, int nrules, struct sbuf *sb)
+{
+ sbuf_printf(sb, "pf: ");
+ if (anchor != NULL)
+ sbuf_printf(sb, "anchor=%s, ", anchor);
+ if (nrules != -1)
+ sbuf_printf(sb, "nrules=%u", nrules);
+ sbuf_finish(sb);
+}
+
+void
+audit_pf_addrule(char *anchor, int nrules, int error)
+{
+ struct kaudit_record *ar;
+ struct sbuf sb;
+
+ ar = audit_begin(AUE_PFIL_POLICY_ADDRULE, curthread);
+ if (ar == NULL)
+ return;
+
+ sbuf_new(&sb, NULL, 0, SBUF_AUTOEXTEND);
+ pf_rule_to_text(anchor, nrules, &sb);
+ audit_record_arg_text(ar, sbuf_data(&sb));
+ sbuf_delete(&sb);
+ audit_commit(ar, error, 0);
+}
+
+void
+audit_pf_delrule(char *anchor, int error)
+{
+ struct kaudit_record *ar;
+ struct sbuf sb;
+
+ ar = audit_begin(AUE_PFIL_POLICY_DELRULE, curthread);
+ if (ar == NULL)
+ return;
+
+ sbuf_new(&sb, NULL, 0, SBUF_AUTOEXTEND);
+ pf_rule_to_text(anchor, 1, &sb);
+ audit_record_arg_text(ar, sbuf_data(&sb));
+ sbuf_delete(&sb);
+ audit_commit(ar, error, 0);
+}
+
+void
+audit_pf_flush(char *anchor, int nrules, int error)
+{
+ struct kaudit_record *ar;
+ struct sbuf sb;
+
+ ar = audit_begin(AUE_PFIL_POLICY_FLUSH, curthread);
+ if (ar == NULL)
+ return;
+
+ sbuf_new(&sb, NULL, 0, SBUF_AUTOEXTEND);
+ pf_rule_to_text(anchor, nrules, &sb);
+ audit_record_arg_text(ar, sbuf_data(&sb));
+ sbuf_delete(&sb);
+ audit_commit(ar, error, 0);
+}
+
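Review bot: `sbuf_new(&sb, NULL, 0, SBUF_AUTOEXTEND)` is called in all three audit_pf_* functions without checking its result; when asked to allocate its own buffer it can return NULL on allocation failure (verify against this tree's subr_sbuf.c), and the sbuf_printf/sbuf_data calls that follow would then operate on an sbuf with no backing store. Since the three bodies differ only in the event and the count, fold them into one static helper that commits the record even when the text could not be built — losing the anchor text is preferable to losing the audit record of an administrative change. Two smaller points: `sbuf_printf(sb, "nrules=%u", nrules)` formats an `int` with `%u` (use `%d` or make the count unsigned), and the anchor parameters should be `const char *` because the text is never modified. The `nrules != -1` sentinel in pf_rule_to_text is never exercised by the three callers and would leave a trailing `, ` after the anchor if it were; either drop it or document it.

```c
/* … pf_rule_to_text unchanged apart from taking `const char *anchor` … */

/* Builds the "pf: anchor=..., nrules=..." text and commits one audit record. */
static void
audit_pf_record(int event, const char *anchor, int nrules, int error)
{
	struct kaudit_record *ar;
	struct sbuf sb;

	ar = audit_begin(event, curthread);
	if (ar == NULL)
		return;

	/* Commit even if the text could not be built; the event itself matters most. */
	if (sbuf_new(&sb, NULL, 0, SBUF_AUTOEXTEND) != NULL) {
		pf_rule_to_text(anchor, nrules, &sb);
		audit_record_arg_text(ar, sbuf_data(&sb));
		sbuf_delete(&sb);
	}
	audit_commit(ar, error, 0);
}

void
audit_pf_addrule(const char *anchor, int nrules, int error)
{
	audit_pf_record(AUE_PFIL_POLICY_ADDRULE, anchor, nrules, error);
}

void
audit_pf_delrule(const char *anchor, int error)
{
	audit_pf_record(AUE_PFIL_POLICY_DELRULE, anchor, 1, error);
}

void
audit_pf_flush(const char *anchor, int nrules, int error)
{
	audit_pf_record(AUE_PFIL_POLICY_FLUSH, anchor, nrules, error);
}
```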