From owner-p4-projects@FreeBSD.ORG Fri Jul 2 21:38:54 2010 Return-Path: Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id 506EE106567B; Fri, 2 Jul 2010 21:38:54 +0000 (UTC) Delivered-To: perforce@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id F26751065674 for ; Fri, 2 Jul 2010 21:38:53 +0000 (UTC) (envelope-from gpf@FreeBSD.org) Received: from repoman.freebsd.org (repoman.freebsd.org [IPv6:2001:4f8:fff6::29]) by mx1.freebsd.org (Postfix) with ESMTP id DFB248FC19 for ; Fri, 2 Jul 2010 21:38:53 +0000 (UTC) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.14.3/8.14.3) with ESMTP id o62Lcr0C081603 for ; Fri, 2 Jul 2010 21:38:53 GMT (envelope-from gpf@FreeBSD.org) Received: (from perforce@localhost) by repoman.freebsd.org (8.14.3/8.14.3/Submit) id o62LcrjA081601 for perforce@freebsd.org; Fri, 2 Jul 2010 21:38:53 GMT (envelope-from gpf@FreeBSD.org) Date: Fri, 2 Jul 2010 21:38:53 GMT Message-Id: <201007022138.o62LcrjA081601@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to gpf@FreeBSD.org using -f From: Efstratios Karatzas To: Perforce Change Reviews Precedence: bulk Cc: Subject: PERFORCE change 180422 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.5 List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 02 Jul 2010 21:38:54 -0000 http://p4web.freebsd.org/@@180422?ac=10 Change 180422 by gpf@gpf_desktop on 2010/07/02 21:38:21 - nfsv4 open operation for nfsv4 belongs to audit class 'fc' - made the required changes so that nfsv4 ops that are supposed to change the current filehandle, actually do so. Also, changed getfh() so that the filehandle containing the hint is returned to the client. savefh() now saves the actual filehandle instead of just the vnode pointer. Tested the hell out of this change and it seems to be working fine. - provided audit support for a few more nfsv4 ops This is a work in progress - the code I'm editing now will be going through changes this weekend. Affected files ... .. //depot/projects/soc2010/gpf_audit/freebsd/src/contrib/openbsm/etc/audit_event#5 edit .. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/fs/nfsserver/nfs_nfsdserv.c#7 edit .. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/fs/nfsserver/nfs_nfsdsocket.c#10 edit .. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit_bsm.c#12 edit Differences ... ==== //depot/projects/soc2010/gpf_audit/freebsd/src/contrib/openbsm/etc/audit_event#5 (text) ==== @@ -397,7 +397,7 @@ 2029:AUE_NFS_LOCKU:nfsrv_locku():fm 2030:AUE_NFS_LOOKUPP:nfsrv_lockupp():fa,ad 2031:AUE_NFS_NVERIFY:nfsrv_nverify():fa -2032:AUE_NFS_OPEN:nfsrv_open():fa +2032:AUE_NFS_OPEN:nfsrv_open():fa,fc 2033:AUE_NFS_OPENATTR:nfsrv_openattr():fa 2034:AUE_NFS_OPENCONFIRM:nfsrv_openconfirm():fa 2035:AUE_NFS_OPENDOWNGRADE:nfsrv_opendowngrade():fm ==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/fs/nfsserver/nfs_nfsdserv.c#7 (text+ko) ==== @@ -1729,6 +1729,8 @@ nd->nd_repstat = nfsvno_getattr(ndp->ni_vp, nvap, nd->nd_cred, p); } + else if (nd->nd_flag & ND_NFSV4) + nfsvno_getfh(ndp->ni_vp, fhp, p, ndp->ni_dvp); if (vpp) { NFSVOPUNLOCK(ndp->ni_vp, 0, p); *vpp = ndp->ni_vp; @@ -2826,6 +2828,7 @@ (void) nfsm_strtom(nd, "OWNER@", 6); } *vpp = vp; + nfsvno_getfh(vp, fhp, p, dp); } else if (vp) { vrele(vp); } ==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/fs/nfsserver/nfs_nfsdsocket.c#10 (text+ko) ==== @@ -534,11 +534,12 @@ u_int32_t minorvers, retops = 0, *retopsp = NULL, *repp; u_char tag[NFSV4_SMALLSTR + 1], *tagstr; vnode_t vp, nvp, savevp; - struct nfsrvfh fh; + struct nfsrvfh fh, savefh; mount_t mp, savemp; struct ucred *credanon; struct nfsexstuff nes, vpnes, savevpnes; static u_int64_t compref = 0; + int rootfhflag = 0, pubfhflag = 0; NFSVNO_EXINIT(&vpnes); NFSVNO_EXINIT(&savevpnes); @@ -742,7 +743,7 @@ if (nd->nd_nam != NULL) AUDIT_ARG_SOCKADDR_IN((struct sockaddr_in *)nd->nd_nam); switch (op) { - /* xxx gpf */ + /* xxx gpf dbg */ printf("op = %d\n", op); case NFSV4OP_PUTFH: error = nfsrv_mtofh(nd, &fh); @@ -770,6 +771,7 @@ } break; case NFSV4OP_PUTPUBFH: + pubfhflag = 1; if (nfs_pubfhset) { nes.nes_vfslocked = vpnes.nes_vfslocked; nfsd_fhtovp(nd, &nfs_pubfh, &nvp, @@ -791,7 +793,9 @@ } break; case NFSV4OP_PUTROOTFH: + rootfhflag = 1; if (nfs_rootfhset) { + printf("mpkha sto prwto\n"); nes.nes_vfslocked = vpnes.nes_vfslocked; nfsd_fhtovp(nd, &nfs_rootfh, &nvp, &nes, &mp, 0, p); @@ -808,6 +812,7 @@ vpnes = nes; } } else if (nfsv4root_vp && nfsv4root_set) { + printf("mpkha sto deytero\n"); if (vp) { if (vpnes.nes_vfslocked) nfsvno_unlockvfs(mp); @@ -833,8 +838,8 @@ savevp = vp; savevpnes = vpnes; savemp = mp; + NFSBCOPY(&fh, &savefh, sizeof(fh)); } - /* XXXgpf: is this the correct filehandle? */ if (savevp) { nfsrv_auditpath(savevp, NULL, NULL, (fhandle_t *)fh.nfsrvfh_data, 1); @@ -849,10 +854,9 @@ case NFSV4OP_RESTOREFH: if (savevp) { nd->nd_repstat = 0; - /* XXXgpf: file handle? */ vref(savevp); nfsrv_auditpath(savevp, NULL, NULL, - NULL, 1); + (fhandle_t *)savefh.nfsrvfh_data, 1); vn_lock(savevp, LK_EXCLUSIVE); AUDIT_ARG_VNODE1(savevp); VOP_UNLOCK(savevp, 0); @@ -877,6 +881,7 @@ vp = savevp; vpnes = savevpnes; mp = savemp; + NFSBCOPY(&savefh, &fh, sizeof(fh)); } } else { nd->nd_repstat = NFSERR_RESTOREFH; @@ -929,6 +934,8 @@ NFS_STARTWRITE(NULL, &mp); error = (*(nfsrv4_ops1[op]))(nd, isdgram, vp, &nvp, (fhandle_t *)fh.nfsrvfh_data, p, &vpnes); + nfsrv_auditpath(nvp, NULL, NULL, + (fhandle_t *)fh.nfsrvfh_data, 1); if (!error && !nd->nd_repstat) { if (vfs_statfs(mp)->f_fsid.val[0] != vfs_statfs(vnode_mount(nvp))->f_fsid.val[0] || @@ -987,9 +994,9 @@ error = (*(nfsrv4_ops2[op]))(nd, isdgram, savevp, vp, p, &savevpnes, &vpnes); if (savevp) { - if (nd->nd_procnum == NFSPROC_LINK) + if (nd->nd_procnum == NFSV4OP_LINK) nfsrv_auditpath(savevp, NULL, NULL, - (fhandle_t *)fh.nfsrvfh_data, 2); + (fhandle_t *)savefh.nfsrvfh_data, 2); vrele(savevp); } if (nfsv4_opflag[op].modifyfs) @@ -1016,8 +1023,27 @@ } break; } - error = (*(nfsrv4_ops0[op]))(nd, isdgram, vp, - p, &vpnes); + /* + * XXXgpf: + * NFSV4OP_GETFH hack so that current filehandle, with the hint stored inside, + * is returned instead of recomputing the filehandle and losing the hint. + */ + if (op == NFSV4OP_GETFH) { + fhandle_t * fhp; + + vput(vp); + if (rootfhflag) + fhp = (fhandle_t *)nfs_rootfh.nfsrvfh_data; + else if (pubfhflag) + fhp = (fhandle_t *)nfs_pubfh.nfsrvfh_data; + else + fhp = (fhandle_t *)fh.nfsrvfh_data; + (void) nfsm_fhtom(nd, (u_int8_t *)fhp, 0, 0); + error = 0; + } + else + error = (*(nfsrv4_ops0[op]))(nd, isdgram, vp, + p, &vpnes); if (nfsv4_opflag[op].modifyfs) NFS_ENDWRITE(mp); } else { ==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit_bsm.c#12 (text) ==== @@ -1648,11 +1648,14 @@ } break; + /* XXXgpf: temporary fallthrough for nfsv4 events */ case AUE_NFS_PUTFH: case AUE_NFS_PUTPUBFH: case AUE_NFS_PUTROOTFH: case AUE_NFS_RESTOREFH: case AUE_NFS_SAVEFH: + case AUE_NFS_OPEN: + case AUE_NFS_LOOKUPP: UPATH1_VNODE1_TOKENS; if (ARG_IS_VALID(kar, ARG_TEXT)) { tok = au_to_text(ar->ar_arg_text); @@ -1667,10 +1670,8 @@ case AUE_NFSv4_GETFH: case AUE_NFS_LOCK: case AUE_NFS_LOCKT: - case AUE_NFS_LOCKU: - case AUE_NFS_LOOKUPP: - case AUE_NFS_NVERIFY: - case AUE_NFS_OPEN: + case AUE_NFS_LOCKU: + case AUE_NFS_NVERIFY: case AUE_NFS_OPENATTR: case AUE_NFS_OPENCONFIRM: case AUE_NFS_OPENDOWNGRADE: