From owner-trustedbsd-cvs@FreeBSD.ORG  Thu May  4 13:59:05 2006
Return-Path: <owner-trustedbsd-cvs@FreeBSD.ORG>
X-Original-To: trustedbsd-cvs@freebsd.org
Delivered-To: trustedbsd-cvs@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id C12BB16A488
	for <trustedbsd-cvs@freebsd.org>; Thu,  4 May 2006 13:59:05 +0000 (UTC)
	(envelope-from owner-perforce@freebsd.org)
Received: from cyrus.watson.org (cyrus.watson.org [209.31.154.42])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 08EBD43D55
	for <trustedbsd-cvs@freebsd.org>; Thu,  4 May 2006 13:59:04 +0000 (GMT)
	(envelope-from owner-perforce@freebsd.org)
Received: from mx2.freebsd.org (mx2.freebsd.org [216.136.204.119])
	by cyrus.watson.org (Postfix) with ESMTP id BD62646D41
	for <trustedbsd-cvs@trustedbsd.org>;
	Thu,  4 May 2006 09:59:00 -0400 (EDT)
Received: from hub.freebsd.org (hub.freebsd.org [216.136.204.18])
	by mx2.freebsd.org (Postfix) with ESMTP id 3544673B8D;
	Thu,  4 May 2006 13:58:58 +0000 (GMT)
	(envelope-from owner-perforce@freebsd.org)
Received: by hub.freebsd.org (Postfix, from userid 32767)
	id 3066E16A433; Thu,  4 May 2006 13:58:58 +0000 (UTC)
X-Original-To: perforce@freebsd.org
Delivered-To: perforce@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id E7F8216A42C
	for <perforce@freebsd.org>; Thu,  4 May 2006 13:58:57 +0000 (UTC)
	(envelope-from bb+lists.freebsd.perforce@cyrus.watson.org)
Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 2678C43D5C
	for <perforce@freebsd.org>; Thu,  4 May 2006 13:58:56 +0000 (GMT)
	(envelope-from bb+lists.freebsd.perforce@cyrus.watson.org)
Received: from repoman.freebsd.org (localhost [127.0.0.1])
	by repoman.freebsd.org (8.13.1/8.13.1) with ESMTP id k44Dwtbb056428
	for <perforce@freebsd.org>; Thu, 4 May 2006 13:58:56 GMT
	(envelope-from bb+lists.freebsd.perforce@cyrus.watson.org)
Received: (from perforce@localhost)
	by repoman.freebsd.org (8.13.1/8.13.1/Submit) id k44DwtGf056422
	for perforce@freebsd.org; Thu, 4 May 2006 13:58:55 GMT
	(envelope-from bb+lists.freebsd.perforce@cyrus.watson.org)
Date: Thu, 4 May 2006 13:58:55 GMT
Message-Id: <200605041358.k44DwtGf056422@repoman.freebsd.org>
X-Authentication-Warning: repoman.freebsd.org: perforce set sender to
	bb+lists.freebsd.perforce@cyrus.watson.org using -f
From: Robert Watson <rwatson@FreeBSD.org>
To: Perforce Change Reviews <perforce@freebsd.org>
Cc: 
Subject: PERFORCE change 96655 for review
X-BeenThere: trustedbsd-cvs@FreeBSD.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: TrustedBSD CVS and Perforce commit message list
	<trustedbsd-cvs.FreeBSD.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/trustedbsd-cvs>, 
	<mailto:trustedbsd-cvs-request@FreeBSD.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/trustedbsd-cvs>
List-Post: <mailto:trustedbsd-cvs@FreeBSD.org>
List-Help: <mailto:trustedbsd-cvs-request@FreeBSD.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/trustedbsd-cvs>,
	<mailto:trustedbsd-cvs-request@FreeBSD.org?subject=subscribe>
X-List-Received-Date: Thu, 04 May 2006 13:59:05 -0000

http://perforce.freebsd.org/chv.cgi?CH=96655

Change 96655 by rwatson@rwatson_zoo on 2006/05/04 13:57:56

	A variety of changes in support of preselection for audit pipes:
	
	- Add two new preselection flags for queued audit records:
	  AR_PRESELECT_TRAIL and AR_PRESELECT_PIPE, which are used to track
	  whether a particular queued record was requested by the global
	  trail configuration, or if some or another pipe has requested it.
	  This flag is now set during record commit preselection to be used
	  by the audit worker in deciding where to send the record.
	
	- au_preselect() now accepts a class argument so that the caller
	  can look up the class once for all trail/pipe preselection and
	  avoid repeated class lookups for an event type.

Affected files ...

.. //depot/projects/trustedbsd/audit3/sys/security/audit/audit.c#27 edit
.. //depot/projects/trustedbsd/audit3/sys/security/audit/audit_bsm_klib.c#6 edit
.. //depot/projects/trustedbsd/audit3/sys/security/audit/audit_pipe.c#18 edit
.. //depot/projects/trustedbsd/audit3/sys/security/audit/audit_private.h#26 edit
.. //depot/projects/trustedbsd/audit3/sys/security/audit/audit_syscalls.c#13 edit
.. //depot/projects/trustedbsd/audit3/sys/security/audit/audit_worker.c#10 edit

Differences ...

==== //depot/projects/trustedbsd/audit3/sys/security/audit/audit.c#27 (text+ko) ====

@@ -334,6 +334,9 @@
 void
 audit_commit(struct kaudit_record *ar, int error, int retval)
 {
+	au_event_t event;
+	au_class_t class;
+	au_id_t auid;
 	int sorf;
 	struct au_mask *aumask;
 
@@ -379,14 +382,17 @@
 		break;
 	}
 
-	if (au_preselect(ar->k_ar.ar_event, aumask, sorf) != 0)
-		ar->k_ar_commit |= AR_COMMIT_KERNEL;
+	auid = ar->k_ar.ar_subj_auid;
+	event = ar->k_ar.ar_event;
+	class = au_event_class(event);
 
-	/*
-	 * XXXRW: Why is this necessary?  Should we ever accept a record that
-	 * we're not willing to commit?
-	 */
-	if ((ar->k_ar_commit & (AR_COMMIT_USER | AR_COMMIT_KERNEL)) == 0) {
+	ar->k_ar_commit |= AR_COMMIT_KERNEL;
+	if (au_preselect(event, class, aumask, sorf) != 0)
+		ar->k_ar_commit |= AR_PRESELECT_TRAIL;
+	if (audit_pipe_preselect(auid, event, class, sorf) != 0)
+		ar->k_ar_commit |= AR_PRESELECT_PIPE;
+	if ((ar->k_ar_commit & (AR_PRESELECT_TRAIL | AR_PRESELECT_PIPE)) ==
+	    0) {
 		mtx_lock(&audit_mtx);
 		audit_pre_q_len--;
 		mtx_unlock(&audit_mtx);
@@ -448,8 +454,10 @@
 void
 audit_syscall_enter(unsigned short code, struct thread *td)
 {
-	int audit_event;
 	struct au_mask *aumask;
+	au_class_t class;
+	au_event_t event;
+	au_id_t auid;
 
 	KASSERT(td->td_ar == NULL, ("audit_syscall_enter: td->td_ar != NULL"));
 
@@ -466,15 +474,16 @@
 	if (code >= td->td_proc->p_sysent->sv_size)
 		return;
 
-	audit_event = td->td_proc->p_sysent->sv_table[code].sy_auevent;
-	if (audit_event == AUE_NULL)
+	event = td->td_proc->p_sysent->sv_table[code].sy_auevent;
+	if (event == AUE_NULL)
 		return;
 
 	/*
 	 * Check which audit mask to use; either the kernel non-attributable
 	 * event mask or the process audit mask.
 	 */
-	if (td->td_proc->p_au->ai_auid == AU_DEFAUDITID)
+	auid = td->td_proc->p_au->ai_auid;
+	if (auid == AU_DEFAUDITID)
 		aumask = &audit_nae_mask;
 	else
 		aumask = &td->td_proc->p_au->ai_mask;
@@ -483,8 +492,8 @@
 	 * Allocate an audit record, if preselection allows it, and store
 	 * in the thread for later use.
 	 */
-	if (au_preselect(audit_event, aumask,
-			AU_PRS_FAILURE | AU_PRS_SUCCESS)) {
+	class = au_event_class(event);
+	if (au_preselect(event, class, aumask, AU_PRS_BOTH)) {
 		/*
 		 * If we're out of space and need to suspend unprivileged
 		 * processes, do that here rather than trying to allocate
@@ -501,8 +510,10 @@
 			cv_wait(&audit_fail_cv, &audit_mtx);
 			panic("audit_failing_stop: thread continued");
 		}
-		td->td_ar = audit_new(audit_event, td);
-	} else
+		td->td_ar = audit_new(event, td);
+	} else if (audit_pipe_preselect(auid, event, class, AU_PRS_BOTH))
+		td->td_ar = audit_new(event, td);
+	else
 		td->td_ar = NULL;
 }
 

==== //depot/projects/trustedbsd/audit3/sys/security/audit/audit_bsm_klib.c#6 (text+ko) ====

@@ -155,24 +155,21 @@
  * event is part of against the given mask.
  */
 int
-au_preselect(au_event_t event, au_mask_t *mask_p, int sorf)
+au_preselect(au_event_t event, au_class_t class, au_mask_t *mask_p, int sorf)
 {
 	au_class_t effmask = 0;
-	au_class_t ae_class;
 
 	if (mask_p == NULL)
 		return (-1);
 
-	ae_class = au_event_class(event);
-
 	/*
 	 * Perform the actual check of the masks against the event.
 	 */
 	if (sorf & AU_PRS_SUCCESS)
-		effmask |= (mask_p->am_success & ae_class);
+		effmask |= (mask_p->am_success & class);
 
 	if (sorf & AU_PRS_FAILURE)
-		effmask |= (mask_p->am_failure & ae_class);
+		effmask |= (mask_p->am_failure & class);
 
 	if (effmask)
 		return (1);

==== //depot/projects/trustedbsd/audit3/sys/security/audit/audit_pipe.c#18 (text+ko) ====

@@ -216,13 +216,13 @@
 	}
 	if (app == NULL) {
 		if (auid == AU_DEFAUDITID)
-			return (au_preselect(event, &ap->ap_preselect_naflags,
-			    sorf));
+			return (au_preselect(event, class,
+			    &ap->ap_preselect_naflags, sorf));
 		else
-			return (au_preselect(event, &ap->ap_preselect_flags,
-			    sorf));
+			return (au_preselect(event, class,
+			    &ap->ap_preselect_flags, sorf));
 	} else
-		return (au_preselect(event, &app->app_mask, sorf));
+		return (au_preselect(event, class, &app->app_mask, sorf));
 	return (0);
 }
 
@@ -239,7 +239,7 @@
 	mtx_lock(&audit_pipe_mtx);
 	TAILQ_FOREACH(ap, &audit_pipe_list, ap_list) {
 		if (audit_pipe_preselect_check(ap, auid, event, class, sorf)) {
-			mtx_lock(&audit_pipe_mtx);
+			mtx_unlock(&audit_pipe_mtx);
 			return (1);
 		}
 	}

==== //depot/projects/trustedbsd/audit3/sys/security/audit/audit_private.h#26 (text+ko) ====

@@ -84,11 +84,16 @@
 #define	BSM_NOAUDIT	2
 
 /*
- * Defines for the kernel audit record k_ar_commit field.
+ * Defines for the kernel audit record k_ar_commit field.  Flags are set to
+ * indicate what sort of record it is, and which preselection mechanism
+ * selected it.
  */
 #define	AR_COMMIT_KERNEL	0x00000001U
 #define	AR_COMMIT_USER		0x00000010U
 
+#define	AR_PRESELECT_TRAIL	0x00001000U
+#define	AR_PRESELECT_PIPE	0x00002000U
+
 /*
  * Audit data is generated as a stream of struct audit_record structures,
  * linked by struct kaudit_record, and contain storage for possible audit so
@@ -305,7 +310,8 @@
 /*
  * audit_klib prototypes
  */
-int		 au_preselect(au_event_t event, au_mask_t *mask_p, int sorf);
+int		 au_preselect(au_event_t event, au_class_t class,
+		    au_mask_t *mask_p, int sorf);
 au_event_t	 flags_and_error_to_openevent(int oflags, int error);
 void		 au_evclassmap_init(void);
 void		 au_evclassmap_insert(au_event_t event, au_class_t class);

==== //depot/projects/trustedbsd/audit3/sys/security/audit/audit_syscalls.c#13 (text+ko) ====


==== //depot/projects/trustedbsd/audit3/sys/security/audit/audit_worker.c#10 (text+ko) ====

@@ -321,52 +321,60 @@
 	au_id_t auid;
 	int sorf;
 
-	if (ar->k_ar_commit & AR_COMMIT_USER) {
+	if ((ar->k_ar_commit & AR_COMMIT_USER) &&
+	    (ar->k_ar_commit & AR_PRESELECT_TRAIL)) {
 		error = audit_record_write(audit_vp, audit_cred, audit_td,
 		    ar->k_udata, ar->k_ulen);
 		if (error && audit_panic_on_write_fail)
 			panic("audit_worker: write error %d\n", error);
 		else if (error)
 			printf("audit_worker: write error %d\n", error);
+	}
+	if ((ar->k_ar_commit & AR_COMMIT_USER) &&
+	    (ar->k_ar_commit & AR_PRESELECT_PIPE))
 		audit_pipe_submit_user(ar->k_udata, ar->k_ulen);
-	}
+
+	if (!(ar->k_ar_commit & AR_COMMIT_KERNEL))
+		return;
+
+	auid = ar->k_ar.ar_subj_auid;
+	event = ar->k_ar.ar_event;
+	class = au_event_class(event);
+	if (ar->k_ar.ar_errno == 0)
+		sorf = AU_PRS_SUCCESS;
+	else
+		sorf = AU_PRS_FAILURE;
 
-	if (ar->k_ar_commit & AR_COMMIT_KERNEL) {
-		auid = ar->k_ar.ar_subj_auid;
-		event = ar->k_ar.ar_event;
-		class = au_event_class(event);
-		if (ar->k_ar.ar_errno == 0)
-			sorf = AU_PRS_SUCCESS;
-		else
-			sorf = AU_PRS_FAILURE;
+	ret = kaudit_to_bsm(ar, &bsm);
+	switch (ret) {
+	case BSM_NOAUDIT:
+		return;
 
-		ret = kaudit_to_bsm(ar, &bsm);
-		switch (ret) {
-		case BSM_NOAUDIT:
-			break;
+	case BSM_FAILURE:
+		printf("audit_worker_process_record: BSM_FAILURE\n");
+		return;
 
-		case BSM_FAILURE:
-			printf("audit_worker_process_record: BSM_FAILURE\n");
-			break;
+	case BSM_SUCCESS:
+		break;
 
-		case BSM_SUCCESS:
-			error = audit_record_write(audit_vp, audit_cred,
-			    audit_td, bsm->data, bsm->len);
-			if (error && audit_panic_on_write_fail)
-				panic("audit_worker: write error %d\n",
-				    error);
-			else if (error)
-				printf("audit_worker: write error %d\n",
-				    error);
-			audit_pipe_submit(auid, event, class, sorf,
-			    bsm->data, bsm->len);
-			kau_free(bsm);
-			break;
+	default:
+		panic("kaudit_to_bsm returned %d", ret);
+	}
 
-		default:
-			panic("kaudit_to_bsm returned %d", ret);
-		}
+	if (ar->k_ar_commit & AR_PRESELECT_TRAIL) {
+		error = audit_record_write(audit_vp, audit_cred,
+		    audit_td, bsm->data, bsm->len);
+		if (error && audit_panic_on_write_fail)
+			panic("audit_worker: write error %d\n",
+			    error);
+		else if (error)
+			printf("audit_worker: write error %d\n",
+			    error);
 	}
+	if (ar->k_ar_commit & AR_PRESELECT_PIPE)
+		audit_pipe_submit(auid, event, class, sorf,
+		    bsm->data, bsm->len);
+	kau_free(bsm);
 }
 
 /*