From: Robert Watson
Date: Thu, 30 Mar 2017 22:26:16 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r316308 - in head/sys: kern security/audit

Author: rwatson
Date: Thu Mar 30 22:26:15 2017
New Revision: 316308
URL: https://svnweb.freebsd.org/changeset/base/316308

Log:
  Audit arguments to System V IPC system calls implementing semaphores,
  message queues, and shared memory.

  Obtained from: TrustedBSD Project
  MFC after: 3 weeks
  Sponsored by: DARPA, AFRL

Modified:
  head/sys/kern/sysv_msg.c
  head/sys/kern/sysv_sem.c
  head/sys/kern/sysv_shm.c
  head/sys/security/audit/audit.h

Modified: head/sys/kern/sysv_msg.c ============================================================================== --- head/sys/kern/sysv_msg.c Thu Mar 30 22:00:58 2017 (r316307) +++ head/sys/kern/sysv_msg.c Thu Mar 30 22:26:15 2017 (r316308) @@ -18,6 +18,7 @@ */ /*- * Copyright (c) 2003-2005 McAfee, Inc. + * Copyright (c) 2016-2017 Robert N. M. Watson * All rights reserved. * * This software was developed for the FreeBSD Project in part by McAfee 
@@ -25,6 +26,11 @@ * contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA CHATS research * program. * + * Portions of this software were developed by BAE Systems, the University of + * Cambridge Computer Laboratory, and Memorial University under DARPA/AFRL + * contract FA8650-15-C-7558 ("CADETS"), as part of the DARPA Transparent + * Computing (TC) research program. + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -508,6 +514,8 @@ kern_msgctl(td, msqid, cmd, msqbuf) if (rpr == NULL) return (ENOSYS); + AUDIT_ARG_SVIPC_CMD(cmd); + AUDIT_ARG_SVIPC_ID(msqid); msqix = IPCID_TO_IX(msqid); if (msqix < 0 || msqix >= msginfo.msgmni) { @@ -579,6 +587,7 @@ kern_msgctl(td, msqid, cmd, msqbuf) break; case IPC_SET: + AUDIT_ARG_SVIPC_PERM(&msqbuf->msg_perm); if ((error = ipcperm(td, &msqkptr->u.msg_perm, IPC_M))) goto done2; if (msqbuf->msg_qbytes > msqkptr->u.msg_qbytes) { @@ -667,6 +676,8 @@ sys_msgget(td, uap) error = EEXIST; goto done2; } + AUDIT_ARG_SVIPC_ID(IXSEQ_TO_IPCID(msqid, + msqkptr->u.msg_perm)); if ((error = ipcperm(td, &msqkptr->u.msg_perm, msgflg & 0700))) { DPRINTF(("requester doesn't have 0%o access\n", @@ -735,6 +746,7 @@ sys_msgget(td, uap) #ifdef MAC mac_sysvmsq_create(cred, msqkptr); #endif + AUDIT_ARG_SVIPC_PERM(&msqkptr->u.msg_perm); } else { DPRINTF(("didn't find it and wasn't asked to create it\n")); error = ENOENT; @@ -780,6 +792,7 @@ kern_msgsnd(td, msqid, msgp, msgsz, msgf return (ENOSYS); mtx_lock(&msq_mtx); + AUDIT_ARG_SVIPC_ID(msqid); msqix = IPCID_TO_IX(msqid); if (msqix < 0 || msqix >= msginfo.msgmni) { @@ -790,6 +803,7 @@ kern_msgsnd(td, msqid, msgp, msgsz, msgf } msqkptr = &msqids[msqix]; + AUDIT_ARG_SVIPC_PERM(&msqkptr->u.msg_perm); if (msqkptr->u.msg_qbytes == 0) { DPRINTF(("no such message queue id\n")); error = EINVAL; 
@@ -1152,6 +1166,7 @@ kern_msgrcv(td, msqid, msgp, msgsz, msgt if (rpr == NULL) return (ENOSYS); + AUDIT_ARG_SVIPC_ID(msqid); msqix = IPCID_TO_IX(msqid); if (msqix < 0 || msqix >= msginfo.msgmni) { @@ -1162,6 +1177,7 @@ kern_msgrcv(td, msqid, msgp, msgsz, msgt msqkptr = &msqids[msqix]; mtx_lock(&msq_mtx); + AUDIT_ARG_SVIPC_PERM(&msqkptr->u.msg_perm); if (msqkptr->u.msg_qbytes == 0) { DPRINTF(("no such message queue id\n")); error = EINVAL; Modified: head/sys/kern/sysv_sem.c ============================================================================== --- head/sys/kern/sysv_sem.c Thu Mar 30 22:00:58 2017 (r316307) +++ head/sys/kern/sysv_sem.c Thu Mar 30 22:26:15 2017 (r316308) @@ -7,6 +7,7 @@ */ /*- * Copyright (c) 2003-2005 McAfee, Inc. + * Copyright (c) 2016-2017 Robert N. M. Watson * All rights reserved. * * This software was developed for the FreeBSD Project in part by McAfee @@ -14,6 +15,11 @@ * contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA CHATS research * program. * + * Portions of this software were developed by BAE Systems, the University of + * Cambridge Computer Laboratory, and Memorial University under DARPA/AFRL + * contract FA8650-15-C-7558 ("CADETS"), as part of the DARPA Transparent + * Computing (TC) research program. + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -691,6 +697,9 @@ kern_semctl(struct thread *td, int semid DPRINTF(("call to semctl(%d, %d, %d, 0x%p)\n", semid, semnum, cmd, arg)); + AUDIT_ARG_SVIPC_CMD(cmd); + AUDIT_ARG_SVIPC_ID(semid); + rpr = sem_find_prison(td->td_ucred); if (sem == NULL) return (ENOSYS); @@ -758,6 +767,7 @@ kern_semctl(struct thread *td, int semid break; case IPC_SET: + AUDIT_ARG_SVIPC_PERM(&arg->buf->sem_perm); if ((error = semvalid(semid, rpr, semakptr)) != 0) goto done2; if ((error = ipcperm(td, &semakptr->u.sem_perm, IPC_M))) 
@@ -948,6 +958,8 @@ sys_semget(struct thread *td, struct sem DPRINTF(("semget(0x%x, %d, 0%o)\n", key, nsems, semflg)); + AUDIT_ARG_VALUE(semflg); + if (sem_find_prison(cred) == NULL) return (ENOSYS); @@ -961,6 +973,7 @@ sys_semget(struct thread *td, struct sem break; } if (semid < seminfo.semmni) { + AUDIT_ARG_SVIPC_ID(semid); DPRINTF(("found public key\n")); if ((semflg & IPC_CREAT) && (semflg & IPC_EXCL)) { DPRINTF(("not exclusive\n")); @@ -1090,6 +1103,8 @@ sys_semop(struct thread *td, struct semo #endif DPRINTF(("call to semop(%d, %p, %u)\n", semid, sops, nsops)); + AUDIT_ARG_SVIPC_ID(semid); + rpr = sem_find_prison(td->td_ucred); if (sem == NULL) return (ENOSYS); Modified: head/sys/kern/sysv_shm.c ============================================================================== --- head/sys/kern/sysv_shm.c Thu Mar 30 22:00:58 2017 (r316307) +++ head/sys/kern/sysv_shm.c Thu Mar 30 22:26:15 2017 (r316308) @@ -30,6 +30,7 @@ */ /*- * Copyright (c) 2003-2005 McAfee, Inc. + * Copyright (c) 2016-2017 Robert N. M. Watson * All rights reserved. * * This software was developed for the FreeBSD Project in part by McAfee @@ -37,6 +38,11 @@ * contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA CHATS research * program. * + * Portions of this software were developed by BAE Systems, the University of + * Cambridge Computer Laboratory, and Memorial University under DARPA/AFRL + * contract FA8650-15-C-7558 ("CADETS"), as part of the DARPA Transparent + * Computing (TC) research program. + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -324,8 +330,10 @@ kern_shmdt_locked(struct thread *td, con { struct proc *p = td->td_proc; struct shmmap_state *shmmap_s; -#ifdef MAC +#if defined(AUDIT) || defined(MAC) struct shmid_kernel *shmsegptr; +#endif +#ifdef MAC int error; #endif int i; 
@@ -336,6 +344,7 @@ kern_shmdt_locked(struct thread *td, con shmmap_s = p->p_vmspace->vm_shm; if (shmmap_s == NULL) return (EINVAL); + AUDIT_ARG_SVIPC_ID(shmmap_s->shmid); for (i = 0; i < shminfo.shmseg; i++, shmmap_s++) { if (shmmap_s->shmid != -1 && shmmap_s->va == (vm_offset_t)shmaddr) { @@ -344,8 +353,10 @@ kern_shmdt_locked(struct thread *td, con } if (i == shminfo.shmseg) return (EINVAL); -#ifdef MAC +#if (defined(AUDIT) && defined(KDTRACE_HOOKS)) || defined(MAC) shmsegptr = &shmsegs[IPCID_TO_IX(shmmap_s->shmid)]; +#endif +#ifdef MAC error = mac_sysvshm_check_shmdt(td->td_ucred, shmsegptr); if (error != 0) return (error); @@ -382,6 +393,9 @@ kern_shmat_locked(struct thread *td, int vm_size_t size; int error, i, rv; + AUDIT_ARG_SVIPC_ID(shmid); + AUDIT_ARG_VALUE(shmflg); + SYSVSHM_ASSERT_LOCKED(); rpr = shm_find_prison(td->td_ucred); if (rpr == NULL) @@ -493,6 +507,9 @@ kern_shmctl_locked(struct thread *td, in if (rpr == NULL) return (ENOSYS); + AUDIT_ARG_SVIPC_ID(shmid); + AUDIT_ARG_SVIPC_CMD(cmd); + switch (cmd) { /* * It is possible that kern_shmctl is being called from the Linux ABI @@ -550,6 +567,7 @@ kern_shmctl_locked(struct thread *td, in break; case IPC_SET: shmidp = (struct shmid_ds *)buf; + AUDIT_ARG_SVIPC_PERM(&shmidp->shm_perm); error = ipcperm(td, &shmseg->u.shm_perm, IPC_M); if (error != 0) return (error); Modified: head/sys/security/audit/audit.h ============================================================================== --- head/sys/security/audit/audit.h Thu Mar 30 22:00:58 2017 (r316307) +++ head/sys/security/audit/audit.h Thu Mar 30 22:26:15 2017 (r316308) @@ -239,6 +239,11 @@ void audit_thread_free(struct thread *t audit_arg_pid((pid)); \ } while (0) +#define AUDIT_ARG_POSIX_IPC_PERM(uid, gid, mode) do { \ + if (AUDITING_TD(curthread)) \ + audit_arg_posix_ipc_perm((uid), (gid), (mod)); \ +} while (0) + #define AUDIT_ARG_PROCESS(p) do { \ if (AUDITING_TD(curthread)) \ audit_arg_process((p)); \ 
@@ -289,6 +294,26 @@ void audit_thread_free(struct thread *t audit_arg_suid((suid)); \ } while (0) +#define AUDIT_ARG_SVIPC_CMD(cmd) do { \ + if (AUDITING_TD(curthread)) \ + audit_arg_svipc_cmd((cmd)); \ +} while (0) + +#define AUDIT_ARG_SVIPC_PERM(perm) do { \ + if (AUDITING_TD(curthread)) \ + audit_arg_svipc_perm((perm)); \ +} while (0) + +#define AUDIT_ARG_SVIPC_ID(id) do { \ + if (AUDITING_TD(curthread)) \ + audit_arg_svipc_id((id)); \ +} while (0) + +#define AUDIT_ARG_SVIPC_ADDR(addr) do { \ + if (AUDITING_TD(curthread)) \ + audit_arg_svipc_addr((addr)); \ +} while (0) + #define AUDIT_ARG_SVIPC_WHICH(which) do { \ if (AUDITING_TD(curthread)) \ audit_arg_svipc_which((which)); \ @@ -375,6 +400,7 @@ void audit_thread_free(struct thread *t #define AUDIT_ARG_MODE(mode) #define AUDIT_ARG_OWNER(uid, gid) #define AUDIT_ARG_PID(pid) +#define AUDIT_ARG_POSIX_IPC_PERM(uid, gid, mode) #define AUDIT_ARG_PROCESS(p) #define AUDIT_ARG_RGID(rgid) #define AUDIT_ARG_RIGHTS(rights) @@ -385,6 +411,10 @@ void audit_thread_free(struct thread *t #define AUDIT_ARG_SOCKET(sodomain, sotype, soprotocol) #define AUDIT_ARG_SOCKADDR(td, dirfd, sa) #define AUDIT_ARG_SUID(suid) +#define AUDIT_ARG_SVIPC_CMD(cmd) +#define AUDIT_ARG_SVIPC_PERM(perm) +#define AUDIT_ARG_SVIPC_ID(id) +#define AUDIT_ARG_SVIPC_ADDR(addr) #define AUDIT_ARG_SVIPC_WHICH(which) #define AUDIT_ARG_TEXT(text) #define AUDIT_ARG_UID(uid)
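
Review bot: In head/sys/kern/sysv_msg.c, the AUDIT_ARG_SVIPC_PERM(&msqkptr->u.msg_perm) calls added to kern_msgsnd (hunk @@ -790,6 +803,7 @@) and kern_msgrcv (hunk @@ -1162,6 +1177,7 @@) run before the `msqkptr->u.msg_qbytes == 0` check that rejects an unallocated slot ("no such message queue id"). A call that fails with EINVAL on a free slot therefore puts whatever permission data is left in that slot into the audit record. Consider moving the call below the validity checks so the recorded owner and mode always belong to a live queue, and leaving AUDIT_ARG_SVIPC_ID(msqid) where it is so failed attempts still carry the requested identifier.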
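
Review bot: In head/sys/kern/sysv_sem.c, sys_semget (hunk @@ -961,6 +973,7 @@) audits `semid` directly after the `semid < seminfo.semmni` test, which means the value is an array index rather than the IPC identifier returned to the caller. sys_msgget in this same commit records `IXSEQ_TO_IPCID(msqid, msqkptr->u.msg_perm)` at the equivalent point. Convert the index the same way here, otherwise the identifier in a semget record will not match the one that later semctl and semop records carry for the same set. The semget changes also add no AUDIT_ARG_SVIPC_PERM call, whereas sys_msgget records the new queue's permissions on its create path; worth doing the same for a newly created set.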
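
Review bot: In head/sys/kern/sysv_shm.c, kern_shmdt_locked (hunk @@ -336,6 +344,7 @@) calls AUDIT_ARG_SVIPC_ID(shmmap_s->shmid) before the loop that searches for the mapping whose `va` equals `shmaddr`. At that point shmmap_s still points at the first slot of vm_shm, so the record gets that slot's shmid, which can be -1 or an unrelated segment. Move the call to after the `if (i == shminfo.shmseg) return (EINVAL);` check, where shmmap_s refers to the entry actually being detached.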
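
Review bot: In head/sys/kern/sysv_shm.c, the two preprocessor guards around shmsegptr in kern_shmdt_locked do not match: the declaration (hunk @@ -324,8 +330,10 @@) is under `#if defined(AUDIT) || defined(MAC)`, while the assignment (hunk @@ -344,8 +353,10 @@) is under `#if (defined(AUDIT) && defined(KDTRACE_HOOKS)) || defined(MAC)`. A kernel built with AUDIT but without KDTRACE_HOOKS and MAC declares the variable and never touches it, and in the visible lines the only consumer is mac_sysvshm_check_shmdt() under `#ifdef MAC`, so even the AUDIT plus KDTRACE_HOOKS case assigns a value nothing reads. Use the same condition in both places, or keep the original `#ifdef MAC` until an audit consumer of shmsegptr is added.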
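
Review bot: In head/sys/security/audit/audit.h, the new AUDIT_ARG_POSIX_IPC_PERM(uid, gid, mode) macro (hunk @@ -239,6 +239,11 @@) passes `(mod)` as the third argument to audit_arg_posix_ipc_perm(), but the macro parameter is named `mode`. Nothing in this patch expands the macro, so the build does not catch it; the first caller in an AUDIT kernel will either fail to compile or, if a variable named mod happens to be in scope, silently audit the wrong value. Change the argument to `(mode)`. The macro is for POSIX IPC, which the commit message does not mention, so it may be better committed together with its first user.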
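
Review bot: In head/sys/security/audit/audit.h, AUDIT_ARG_SVIPC_ADDR (hunk @@ -289,6 +294,26 @@, with its empty counterpart in hunk @@ -385,6 +411,10 @@) is defined but no hunk in this patch uses it. kern_shmat_locked records only shmid and shmflg, and kern_shmdt_locked records only an id, although both operate on a caller-supplied address. Either add AUDIT_ARG_SVIPC_ADDR calls for the shmat and shmdt address arguments so the records show where a segment was mapped or unmapped, or leave the macro out until it has a caller.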