Date: Wed, 18 Aug 2004 01:40:32 GMT From: Wayne Salamon <wsalamon@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 59949 for review Message-ID: <200408180140.i7I1eWMd022449@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=59949 Change 59949 by wsalamon@wsalamon_epi on 2004/08/18 01:39:59 Audit the fchflags, fchmod, fchown, ftruncate, futimes, fstatfs, and getdirentries system calls. Note that auditing of these calls will show how vn_getpath() often does not succeed, and hence no path will be in the audit log. Also, the sys_au_event table in kern_bsm_klib.c is modified to match the above system calls for FreeBSD. However, many of the entries in this table need to be fixed, or the table replaced with something better (adding the audit event to the sysent table, for example?). Affected files ... .. //depot/projects/trustedbsd/audit3/sys/kern/vfs_syscalls.c#3 edit .. //depot/projects/trustedbsd/audit3/sys/security/audit/kern_bsm_klib.c#6 edit Differences ...
==== //depot/projects/trustedbsd/audit3/sys/kern/vfs_syscalls.c#3 (text+ko) ====
@@ -279,8 +279,12 @@
 struct statfs *sp, sb;
 int error;
+ AUDIT_ARG(fd, uap->fd);
 if ((error = getvnode(td->td_proc->p_fd, uap->fd, &fp)) != 0)
 return (error);
+
+ AUDIT_ARG(vnpath, fp->f_vnode, ARG_VNODE1);
+
 mp = fp->f_vnode->v_mount;
 fdrop(fp, td);
 if (mp == NULL)
@@ -2393,8 +2397,13 @@
 struct file *fp;
 int error;
+ AUDIT_ARG(fd, uap->fd);
+ AUDIT_ARG(fflags, uap->flags);
 if ((error = getvnode(td->td_proc->p_fd, uap->fd, &fp)) != 0)
 return (error);
+
+ AUDIT_ARG(vnpath, fp->f_vnode, ARG_VNODE1);
+
 error = setfflags(td, fp->f_vnode, uap->flags);
 fdrop(fp, td);
 return (error);
@@ -2514,8 +2523,13 @@
 struct file *fp;
 int error;
+ AUDIT_ARG(fd, uap->fd);
+ AUDIT_ARG(mode, uap->mode);
 if ((error = getvnode(td->td_proc->p_fd, uap->fd, &fp)) != 0)
 return (error);
+
+ AUDIT_ARG(vnpath, fp->f_vnode, ARG_VNODE1);
+
 error = setfmode(td, fp->f_vnode, uap->mode);
 fdrop(fp, td);
 return (error);
@@ -2653,8 +2667,12 @@
 struct file *fp;
 int error;
+ AUDIT_ARG(owner, uap->uid, uap->gid);
 if ((error = getvnode(td->td_proc->p_fd, uap->fd, &fp)) != 0)
 return (error);
+
+ AUDIT_ARG(vnpath, fp->f_vnode, ARG_VNODE1);
+
 error = setfown(td, fp->f_vnode, uap->uid, uap->gid);
 fdrop(fp, td);
 return (error);
@@ -2846,10 +2864,14 @@
 struct file *fp;
 int error;
+ AUDIT_ARG(fd, fd);
+ if ((error = getvnode(td->td_proc->p_fd, fd, &fp)) != 0)
+ return (error);
+
+ AUDIT_ARG(vnpath, fp->f_vnode, ARG_VNODE1);
+
 if ((error = getutimes(tptr, tptrseg, ts)) != 0)
 return (error);
- if ((error = getvnode(td->td_proc->p_fd, fd, &fp)) != 0)
- return (error);
 error = setutimes(td, fp->f_vnode, ts, 2, tptr == NULL);
 fdrop(fp, td);
 return (error);
@@ -2942,10 +2964,14 @@
 struct file *fp;
 int error;
+ AUDIT_ARG(fd, uap->fd);
 if (uap->length < 0)
 return(EINVAL);
 if ((error = getvnode(td->td_proc->p_fd, uap->fd, &fp)) != 0)
 return (error);
+
+ AUDIT_ARG(vnpath, fp->f_vnode, ARG_VNODE1);
+
 if ((fp->f_flag & FWRITE) == 0) {
 fdrop(fp, td);
 return (EINVAL);
@@ -3561,8 +3587,12 @@
 long loff;
 int error, eofflag;
+ AUDIT_ARG(fd, uap->fd);
 if ((error = getvnode(td->td_proc->p_fd, uap->fd, &fp)) != 0)
 return (error);
+
+ AUDIT_ARG(vnpath, fp->f_vnode, ARG_VNODE1);
+
 if ((fp->f_flag & FREAD) == 0) {
 fdrop(fp, td);
 return (EBADF);
==== //depot/projects/trustedbsd/audit3/sys/security/audit/kern_bsm_klib.c#6 (text+ko) ====
@@ -188,7 +188,7 @@
 AUE_MKDIR, /* 136 = mkdir */
 AUE_RMDIR, /* 137 = rmdir */
 AUE_UTIMES, /* 138 = utimes */
- AUE_FUTIMES, /* 139 = futimes */
+ AUE_NULL, /* 139 = obsolete 4.2 sigreturn */
 AUE_ADJTIME, /* 140 = adjtime */
 AUE_NULL, /* 141 = getpeername */
 AUE_NULL, /* 142 = old gethostid */
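Review bot: The fchown hunk (`@@ -2653,8 +2667,12 @@`) never records the descriptor: it adds only `AUDIT_ARG(owner, uap->uid, uap->gid);` before getvnode(), while every other fd-based call in this change also adds `AUDIT_ARG(fd, uap->fd);`. When the later vnpath lookup yields no path, which the description says happens often, the record would name neither the path nor the descriptor whose ownership was changed. Add `AUDIT_ARG(fd, uap->fd);` ahead of the owner argument. The function body starts outside the hunk.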
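Review bot: Moving getvnode() ahead of getutimes() in the futimes hunk (`@@ -2846,10 +2864,14 @@`) makes the getutimes() failure path return while still holding the file reference: its `return (error);` now runs with fp acquired and no fdrop(). getutimes() receives the caller's tptr and tptrseg, so it presumably fails on caller-supplied input, and each such call would leave one reference on the file that is never released. Either put the failure branch in braces with `fdrop(fp, td);` before its `return (error);`, or keep getutimes() first and add the AUDIT_ARG calls around the existing getvnode(). The start of the function is outside the hunk.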
@@ -206,8 +206,8 @@
 AUE_NULL, /* 154 = pwrite */
 AUE_NULL, /* 155 = nfs_svc */
 AUE_O_GETDIRENTRIES, /* 156 = old getdirentries */
- AUE_STATFS, /* 157 = statfs */
- AUE_FSTATFS, /* 158 = fstatfs */
+ AUE_NULL, /* 157 = old statfs */
+ AUE_NULL, /* 158 = old fstatfs */
 AUE_UMOUNT, /* 159 = unmount */
 AUE_NULL, /* 160 was async_daemon */
 AUE_GETFH, /* 161 = get file handle */
@@ -263,16 +263,16 @@
 AUE_MLOCK, /* 203 = mlock */
 AUE_MUNLOCK, /* 204 = munlock */
 AUE_UNDELETE, /* 205 = undelete */
- AUE_NULL, /* 206 = ATsocket */
- AUE_NULL, /* 207 = ATgetmsg*/
- AUE_NULL, /* 208 = ATputmsg*/
- AUE_NULL, /* 209 = ATPsndreq*/
- AUE_NULL, /* 210 = ATPsndrsp*/
- AUE_NULL, /* 211 = ATPgetreq*/
- AUE_NULL, /* 212 = ATPgetrsp*/
- AUE_NULL, /* 213 = Reserved for AppleTalk */
- AUE_NULL, /* 214 = Reserved for AppleTalk */
- AUE_NULL, /* 215 = Reserved for AppleTalk */
+ AUE_FUTIMES, /* 206 = futimes */
+ AUE_NULL, /* 207 = */
+ AUE_NULL, /* 208 = */
+ AUE_NULL, /* 209 = */
+ AUE_NULL, /* 210 = */
+ AUE_NULL, /* 211 = */
+ AUE_NULL, /* 212 = */
+ AUE_NULL, /* 213 = for AppleTalk */
+ AUE_NULL, /* 214 = for AppleTalk */
+ AUE_NULL, /* 215 = for AppleTalk */
 AUE_NULL, /* 216 = HFS make complex file call (multipel forks */
 AUE_NULL, /* 217 = HFS statv extended stat call for HFS */
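Review bot: The replacement comments for slots 207–215 in the `@@ -263,16 +263,16 @@` hunk no longer say what the slots are. Slots 207–212 end in a bare `=` and 213–215 read `for AppleTalk`, which looks like residue from stripping the previous names rather than a description. In this positional table the comment is the only thing tying an index to a syscall, so an empty one makes a wrong or missing audit-event mapping hard to spot in review. Give each slot the name of the syscall it holds on FreeBSD, or mark it explicitly as unused once checked against the syscall table, in the form `AUE_NULL, /* 207 = <name or unused> */`.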
@@ -427,7 +427,37 @@
 AUE_NULL, /* 366 */
 AUE_NULL, /* 367 */
 AUE_NULL, /* 368 */
- AUE_NULL /* 369 */
+ AUE_NULL, /* 369 */
+ AUE_NULL, /* 370 */
+ AUE_NULL, /* 371 */
+ AUE_NULL, /* 372 */
+ AUE_NULL, /* 373 */
+ AUE_NULL, /* 374 */
+ AUE_NULL, /* 375 */
+ AUE_NULL, /* 376 */
+ AUE_NULL, /* 377 */
+ AUE_NULL, /* 378 */
+ AUE_NULL, /* 379 */
+ AUE_NULL, /* 380 */
+ AUE_NULL, /* 381 */
+ AUE_NULL, /* 382 */
+ AUE_NULL, /* 383 */
+ AUE_NULL, /* 384 */
+ AUE_NULL, /* 385 */
+ AUE_NULL, /* 386 */
+ AUE_NULL, /* 387 */
+ AUE_NULL, /* 388 */
+ AUE_NULL, /* 389 */
+ AUE_NULL, /* 390 */
+ AUE_NULL, /* 391 */
+ AUE_NULL, /* 392 */
+ AUE_NULL, /* 393 */
+ AUE_NULL, /* 394 */
+ AUE_NULL, /* 395 */
+ AUE_STATFS, /* 396 = statfs */
+ AUE_FSTATFS, /* 397 = fstafs */
+ AUE_NULL, /* 398 */
+ AUE_NULL /* 399 */
 };
 int nsys_au_event = sizeof(sys_au_event) / sizeof(sys_au_event[0]);
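Review bot: The new entry `AUE_FSTATFS, /* 397 = fstafs */` misspells the syscall name in its comment; it should read `/* 397 = fstatfs */`. The padding entries 370–395 and 398–399 carry only a number, so the next person to map one of them has nothing in the table to check the index against. A syscall name in each comment, as the earlier entries have, would make the index-to-event mapping reviewable by reading. The opening of the array is outside the hunk.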