From: Robert Watson
Date: Thu, 30 Mar 2017 21:39:03 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r316305 - head/sys/security/audit

Author: rwatson
Date: Thu Mar 30 21:39:03 2017
New Revision: 316305
URL: https://svnweb.freebsd.org/changeset/base/316305

Log:
  Various BSM generation improvements when auditing AUE_ACCEPT, AUE_PROCCTL, AUE_SENDFILE, AUE_ACL_*, and AUE_POSIX_FALLOCATE. Audit AUE_SHMUNLINK path in the path token rather than as a text string, and AUE_SHMOPEN flags as an integer token rather than a System V IPC address token.

  Obtained from: TrustedBSD Project
  MFC after: 3 weeks
  Sponsored by: DARPA, AFRL

Modified:
  head/sys/security/audit/audit_bsm.c

Modified: head/sys/security/audit/audit_bsm.c ============================================================================== --- head/sys/security/audit/audit_bsm.c Thu Mar 30 20:42:16 2017 (r316304) +++ head/sys/security/audit/audit_bsm.c Thu Mar 30 21:39:03 2017 (r316305) @@ -530,6 +530,23 @@ kaudit_to_bsm(struct kaudit_record *kar, */ switch(ar->ar_event) { case AUE_ACCEPT: + if (ARG_IS_VALID(kar, ARG_FD)) { + tok = au_to_arg32(1, "fd", ar->ar_arg_fd); + kau_write(rec, tok); + } + if (ARG_IS_VALID(kar, ARG_SADDRINET)) { + tok = au_to_sock_inet((struct sockaddr_in *) + &ar->ar_arg_sockaddr); + kau_write(rec, tok); + } + if (ARG_IS_VALID(kar, ARG_SADDRUNIX)) { + tok = au_to_sock_unix((struct sockaddr_un *) + &ar->ar_arg_sockaddr); + kau_write(rec, tok); + UPATH1_TOKENS; + } + break; + case AUE_BIND: case AUE_LISTEN: case AUE_CONNECT: 
@@ -537,7 +554,6 @@ kaudit_to_bsm(struct kaudit_record *kar, case AUE_RECVFROM: case AUE_RECVMSG: case AUE_SEND: - case AUE_SENDFILE: case AUE_SENDMSG: case AUE_SENDTO: /* @@ -576,6 +592,22 @@ kaudit_to_bsm(struct kaudit_record *kar, } break; + case AUE_SENDFILE: + FD_VNODE1_TOKENS; + if (ARG_IS_VALID(kar, ARG_SADDRINET)) { + tok = au_to_sock_inet((struct sockaddr_in *) + &ar->ar_arg_sockaddr); + kau_write(rec, tok); + } + if (ARG_IS_VALID(kar, ARG_SADDRUNIX)) { + tok = au_to_sock_unix((struct sockaddr_un *) + &ar->ar_arg_sockaddr); + kau_write(rec, tok); + UPATH1_TOKENS; + } + /* XXX Need to handle ARG_SADDRINET6 */ + break; + case AUE_SOCKET: case AUE_SOCKETPAIR: if (ARG_IS_VALID(kar, ARG_SOCKINFO)) { @@ -749,6 +781,26 @@ kaudit_to_bsm(struct kaudit_record *kar, */ break; + case AUE_ACL_DELETE_FD: + case AUE_ACL_DELETE_FILE: + case AUE_ACL_CHECK_FD: + case AUE_ACL_CHECK_FILE: + case AUE_ACL_CHECK_LINK: + case AUE_ACL_DELETE_LINK: + case AUE_ACL_GET_FD: + case AUE_ACL_GET_FILE: + case AUE_ACL_GET_LINK: + case AUE_ACL_SET_FD: + case AUE_ACL_SET_FILE: + case AUE_ACL_SET_LINK: + if (ARG_IS_VALID(kar, ARG_VALUE)) { + tok = au_to_arg32(1, "type", ar->ar_arg_value); + kau_write(rec, tok); + } + ATFD1_TOKENS(1); + UPATH1_VNODE1_TOKENS; + break; + case AUE_CHDIR: case AUE_CHROOT: case AUE_FSTATAT: @@ -959,6 +1011,7 @@ kaudit_to_bsm(struct kaudit_record *kar, case AUE_GETDIRENTRIESATTR: case AUE_LSEEK: case AUE_POLL: + case AUE_POSIX_FALLOCATE: case AUE_PREAD: case AUE_PWRITE: case AUE_READ: @@ -1245,6 +1298,18 @@ kaudit_to_bsm(struct kaudit_record *kar, UPATH1_VNODE1_TOKENS; break; + case AUE_PROCCTL: + if (ARG_IS_VALID(kar, ARG_VALUE)) { + tok = au_to_arg32(1, "idtype", ar->ar_arg_value); + kau_write(rec, tok); + } + if (ARG_IS_VALID(kar, ARG_CMD)) { + tok = au_to_arg32(2, "com", ar->ar_arg_cmd); + kau_write(rec, tok); + } + PROCESS_PID_TOKENS(3); + break; + case AUE_PTRACE: if (ARG_IS_VALID(kar, ARG_CMD)) { tok = au_to_arg32(1, "request", ar->ar_arg_cmd); 
@@ -1499,7 +1564,7 @@ kaudit_to_bsm(struct kaudit_record *kar, /* AUE_SHMOPEN, AUE_SHMUNLINK, AUE_SEMOPEN, AUE_SEMCLOSE * and AUE_SEMUNLINK are Posix IPC */ case AUE_SHMOPEN: - if (ARG_IS_VALID(kar, ARG_SVIPC_ADDR)) { + if (ARG_IS_VALID(kar, ARG_FFLAGS)) { tok = au_to_arg32(2, "flags", ar->ar_arg_fflags); kau_write(rec, tok); } @@ -1510,10 +1575,7 @@ kaudit_to_bsm(struct kaudit_record *kar, /* FALLTHROUGH */ case AUE_SHMUNLINK: - if (ARG_IS_VALID(kar, ARG_TEXT)) { - tok = au_to_text(ar->ar_arg_text); - kau_write(rec, tok); - } + UPATH1_TOKENS; if (ARG_IS_VALID(kar, ARG_POSIX_IPC_PERM)) { struct ipc_perm perm;
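Review bot: In the AUE_ACCEPT hunk (@@ -530,6 +530,23 @@) only ARG_SADDRINET and ARG_SADDRUNIX are tested, so a record for an IPv6 peer gets the "fd" argument but no address token from this case. The AUE_SENDFILE hunk marks the same gap with "/* XXX Need to handle ARG_SADDRINET6 */"; add the ARG_SADDRINET6 branch here, or at least carry the same XXX comment so the omission is visible in both places.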
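Review bot: The two sockaddr branches in the new AUE_SENDFILE case (@@ -576,6 +592,22 @@) are a line-for-line copy of the ones added under AUE_ACCEPT, including the UPATH1_TOKENS call inside the ARG_SADDRUNIX branch. Consider folding them into a token macro next to UPATH1_TOKENS and FD_VNODE1_TOKENS, so that the ARG_SADDRINET6 handling noted in the XXX comment only has to be added once.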
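Review bot: In the AUE_ACL_* hunk (@@ -749,6 +781,26 @@) the "type" token from au_to_arg32(1, "type", ar->ar_arg_value) and the following ATFD1_TOKENS(1) both claim argument position 1, so a consumer cannot tell the two arguments apart by index. Number "type" by its actual position in the system call. The *_FD, *_FILE and *_LINK events also share one body, which means the fd-based events run ATFD1_TOKENS and UPATH1_VNODE1_TOKENS too; a comment saying why that is harmless, or a separate case for the *_FD events, would make the intent clear.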
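Review bot: In the AUE_PROCCTL hunk (@@ -1245,6 +1298,18 @@) PROCESS_PID_TOKENS(3) records the id as a process id, while the "idtype" token written just above indicates that the meaning of the id depends on idtype. If the id can be something other than a pid, emit it as a plain argument token when idtype says so, or document that the macro copes with that case. Please also confirm that positions 2 for "com" and 3 for the id match the order of the system call's arguments.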
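Review bot: In the AUE_SHMUNLINK hunk (@@ -1510,10 +1575,7 @@) the ARG_TEXT branch is removed outright, and because AUE_SHMOPEN reaches this case through the FALLTHROUGH, both events now rely on the object name having been captured as upath1. This commit modifies only audit_bsm.c, so confirm that the shm_open and shm_unlink paths already store the name as upath1 and the flags under ARG_FFLAGS (the check changed in the @@ -1499,7 +1564,7 @@ hunk); otherwise these records silently lose the name and flags they used to carry.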