From owner-svn-src-all@freebsd.org Sat May 16 03:45:16 2020
Message-Id: <202005160345.04G3jGgj044101@repo.freebsd.org>
From: "Christian S.J. Peron"
Date: Sat, 16 May 2020 03:45:16 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r361103 - in head/sys: kern security/audit

Author: csjp
Date: Sat May 16 03:45:15 2020
New Revision: 361103
URL: https://svnweb.freebsd.org/changeset/base/361103

Log:
  Add BSM record conversion for a number of syscalls:

  - thr_kill(2) and thr_exit(2) generally (no argument auditing here).
  - A set of syscalls for the process descriptor family, specifically:
    pdfork(2), pdgetpid(2) and pdkill(2)

  For these syscalls, audit the file descriptor. In the case of pdfork(2) a
  pointer to an integer (file descriptor) is passed in as an argument. We
  audit the post initialized file descriptor (not the random garbage that
  would have been passed in). We will also audit the child process which was
  created from the fork operation (similar to what is done for the fork(2)
  syscall).
  pdkill(2) we audit the signal value and fd, and finally pdgetpid(2) just the
  file descriptor:

  - Following is a sample of the produced audit trails:

  header,111,11,pdfork(2),0,Sat May 16 03:07:50 2020, + 394 msec
  argument,0,0x39d,child PID
  argument,2,0x2,flags
  argument,1,0x8,fd
  subject,root,root,0,root,0,924,0,0,0.0.0.0
  return,success,925
  header,79,11,pdgetpid(2),0,Sat May 16 03:07:50 2020, + 394 msec
  argument,1,0x8,fd
  subject,root,root,0,root,0,924,0,0,0.0.0.0
  return,success,0
  trailer,79
  header,135,11,pdkill(2),0,Sat May 16 03:07:50 2020, + 395 msec
  argument,1,0x8,fd
  argument,2,0xf,signal
  process_ex,root,root,0,root,0,925,0,0,0.0.0.0
  subject,root,root,0,root,0,924,0,0,0.0.0.0
  return,success,0
  trailer,135

  MFC after: 1 week

Modified:
  head/sys/kern/kern_fork.c
  head/sys/security/audit/audit_bsm.c

Modified: head/sys/kern/kern_fork.c ============================================================================== --- head/sys/kern/kern_fork.c Sat May 16 03:33:28 2020 (r361102) +++ head/sys/kern/kern_fork.c Sat May 16 03:45:15 2020 (r361103) @@ -128,6 +128,7 @@ sys_pdfork(struct thread *td, struct pdfork_args *uap) fr.fr_pidp = &pid; fr.fr_pd_fd = &fd; fr.fr_pd_flags = uap->flags; + AUDIT_ARG_FFLAGS(uap->flags); /* * It is necessary to return fd by reference because 0 is a valid file * descriptor number, and the child needs to be able to distinguish @@ -909,6 +910,7 @@ fork1(struct thread *td, struct fork_req *fr) fr->fr_pd_flags, fr->fr_pd_fcaps); if (error != 0) goto fail2; + AUDIT_ARG_FD(*fr->fr_pd_fd); } mem_charged = 0; Modified: head/sys/security/audit/audit_bsm.c ============================================================================== --- head/sys/security/audit/audit_bsm.c Sat May 16 03:33:28 2020 (r361102) +++ head/sys/security/audit/audit_bsm.c Sat May 16 03:45:15 2020 (r361103) 
@@ -1317,6 +1317,38 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_rec UPATH1_VNODE1_TOKENS; break; + case AUE_PDKILL: + if (ARG_IS_VALID(kar, ARG_FD)) { + tok = au_to_arg32(1, "fd", ar->ar_arg_fd); + kau_write(rec, tok); + } + if (ARG_IS_VALID(kar, ARG_SIGNUM)) { + tok = au_to_arg32(2, "signal", ar->ar_arg_signum); + kau_write(rec, tok); + } + PROCESS_PID_TOKENS(1); + break; + case AUE_PDFORK: + if (ARG_IS_VALID(kar, ARG_PID)) { + tok = au_to_arg32(0, "child PID", ar->ar_arg_pid); + kau_write(rec, tok); + } + if (ARG_IS_VALID(kar, ARG_FFLAGS)) { + tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); + kau_write(rec, tok); + } + if (ARG_IS_VALID(kar, ARG_FD)) { + tok = au_to_arg32(1, "fd", ar->ar_arg_fd); + kau_write(rec, tok); + } + break; + case AUE_PDGETPID: + if (ARG_IS_VALID(kar, ARG_FD)) { + tok = au_to_arg32(1, "fd", ar->ar_arg_fd); + kau_write(rec, tok); + } + break; + case AUE_PROCCTL: if (ARG_IS_VALID(kar, ARG_VALUE)) { tok = au_to_arg32(1, "idtype", ar->ar_arg_value); @@ -1747,6 +1779,8 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_rec break; case AUE_THR_NEW: + case AUE_THR_KILL: + case AUE_THR_EXIT: break; case AUE_NULL:
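Review bot: in the sys_pdfork() hunk, AUDIT_ARG_FFLAGS(uap->flags) stores the process-descriptor flags in the slot the rest of the audit code uses for open(2)-style file flags, and the matching AUE_PDFORK case only labels them as a bare "flags" token; a one-line comment at the call site saying the fflags slot is being reused for pdfork(2) flags would save a later reader from looking for open flags, and is also the place to note that the value is recorded before fork1() runs, so a pdfork(2) that fails still shows what was requested.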
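Review bot: in the fork1() hunk, AUDIT_ARG_FD(*fr->fr_pd_fd) lands in shared fork code rather than in sys_pdfork(), and the AUE_PDFORK case in audit_bsm.c also reads ar->ar_arg_pid, which nothing in this patch sets; a comment on the new line saying the descriptor number is only known here, after it has been allocated, and pointing at where fork1() records the child pid, would make all three pdfork tokens traceable from one place. Since the fd is recorded as soon as it is allocated, a fork1() failure further down will still leave a descriptor number in the record that the caller never saw; worth a note if that is the intended behaviour.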
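Review bot: in the first audit_bsm.c hunk, the AUE_PDFORK case emits its tokens as argument 0 (child PID), then 2 (flags), then 1 (fd), which is the order the sample trail in the log shows; the neighbouring cases, including the new AUE_PDKILL and AUE_PDGETPID ones, write tokens in argument order, so swapping the flags and fd blocks (fd as argument 1 before flags as argument 2) would keep the record layout consistent for tooling that matches tokens by position.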
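Review bot: in the second audit_bsm.c hunk, AUE_THR_KILL and AUE_THR_EXIT join the no-argument case next to AUE_THR_NEW, so the signal passed to thr_kill(2) is not recorded even though the AUE_PDKILL case above shows the ARG_SIGNUM / au_to_arg32(2, "signal", ...) pattern for exactly that; if leaving it out is deliberate, as the log message says, a short comment on the case labels would spare the next reader from wondering, and if not, the pdkill(2) pattern carries over directly.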
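As an added example (not FreeBSD's code), here is a small parser for the praudit-style text records shown in the log above, plus a check that links each pdkill(2) record back to the pdfork(2) that created its descriptor through the (subject pid, fd) pair and compares the result with the process_ex token. The names SAMPLE_TRAIL, parse_trail and link_pdkill are mine; the embedded trail is the log's pdfork(2) and pdkill(2) records (pdgetpid(2) omitted for brevity), and since the pdfork record on the page has no trailer line, the parser closes a record at the next header as well.

```python
# Added example, not FreeBSD code: parse praudit-style text records and link each
# pdkill(2) to the pdfork(2) that created the descriptor. Trail copied from the log.
SAMPLE_TRAIL = """\
header,111,11,pdfork(2),0,Sat May 16 03:07:50 2020, + 394 msec
argument,0,0x39d,child PID
argument,2,0x2,flags
argument,1,0x8,fd
subject,root,root,0,root,0,924,0,0,0.0.0.0
return,success,925
header,135,11,pdkill(2),0,Sat May 16 03:07:50 2020, + 395 msec
argument,1,0x8,fd
argument,2,0xf,signal
process_ex,root,root,0,root,0,925,0,0,0.0.0.0
subject,root,root,0,root,0,924,0,0,0.0.0.0
return,success,0
trailer,135
"""

def parse_trail(text):
    """One dict per record; a new header also closes an unterminated record."""
    records, cur = [], None
    for line in text.splitlines():
        f = line.split(",")
        if f[0] == "header":              # header,<len>,<ver>,<event>,...
            if cur is not None:
                records.append(cur)
            cur = {"event": f[3], "args": {}, "targets": [], "ret": None}
        elif f[0] == "argument":          # argument,<argno>,<hex value>,<name>
            cur["args"][f[3]] = int(f[2], 16)
        elif f[0] == "subject":           # subject,...: pid is the 7th field
            cur["subject_pid"] = int(f[6])
        elif f[0] == "process_ex":        # pdkill(2) target, same layout as subject
            cur["targets"].append(int(f[6]))
        elif f[0] == "return":            # return,<status>,<value>
            cur["ret"] = (f[1], int(f[2]))
        elif f[0] == "trailer":
            records.append(cur)
            cur = None
    return records + ([cur] if cur is not None else [])

def link_pdkill(records):
    """(subject pid, fd) names one process descriptor: map each kill to its fork."""
    forks, kills = {}, []
    for r in records:
        key = (r.get("subject_pid"), r["args"].get("fd"))
        if r["event"] == "pdfork(2)" and r["ret"][0] == "success":
            forks[key] = r["args"]["child PID"]
        elif r["event"] == "pdkill(2)":
            kills.append((key[1], r["args"]["signal"], forks.get(key), r["targets"]))
    return kills
```

The (subject pid, fd) key assumes the descriptor was not closed and reused between the two records, and a pdfork(2) whose return token is not "success" is ignored, so a kill can map to None.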