From owner-p4-projects@FreeBSD.ORG Sat Jan 21 13:49:40 2006 Return-Path: X-Original-To: p4-projects@freebsd.org Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id F329116A458; Sat, 21 Jan 2006 13:49:38 +0000 (GMT) X-Original-To: perforce@freebsd.org Delivered-To: perforce@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6AED316A41F for ; Sat, 21 Jan 2006 13:49:38 +0000 (GMT) (envelope-from wsalamon@computer.org) Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115]) by mx1.FreeBSD.org (Postfix) with ESMTP id 315E843D45 for ; Sat, 21 Jan 2006 13:49:38 +0000 (GMT) (envelope-from wsalamon@computer.org) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.13.1/8.13.1) with ESMTP id k0LDncfo082132 for ; Sat, 21 Jan 2006 13:49:38 GMT (envelope-from wsalamon@computer.org) Received: (from perforce@localhost) by repoman.freebsd.org (8.13.1/8.13.1/Submit) id k0LDnbJu082126 for perforce@freebsd.org; Sat, 21 Jan 2006 13:49:37 GMT (envelope-from wsalamon@computer.org) Date: Sat, 21 Jan 2006 13:49:37 GMT Message-Id: <200601211349.k0LDnbJu082126@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to wsalamon@computer.org using -f 
From: Wayne Salamon To: Perforce Change Reviews Cc: Subject: PERFORCE change 90076 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 21 Jan 2006 13:49:40 -0000 http://perforce.freebsd.org/chv.cgi?CH=90076 Change 90076 by wsalamon@gretsch on 2006/01/21 13:48:47 Audit the monut() and unmount() system calls; nmount() still to come. For mount(), we copy in the user path explicitly for audit because there are many possible error exits before the path is normally copied in. Affected files ... .. //depot/projects/trustedbsd/audit3/sys/kern/vfs_mount.c#6 edit Differences ... ==== //depot/projects/trustedbsd/audit3/sys/kern/vfs_mount.c#6 (text+ko) ==== @@ -58,6 +58,8 @@ #include #include +#include + #include #include @@ -366,6 +368,11 @@ int error; u_int iovcnt; + /* XXXAUDIT Audit is not complete for nmount() yet; need to create + * a new audit event. + */ + AUDIT_ARG(fflags, uap->flags); + /* Kick out MNT_ROOTFS early as it is legal internally */ if (uap->flags & MNT_ROOTFS) return (EINVAL); @@ -488,7 +495,6 @@ error = EINVAL; goto bail; } - /* * Be ultra-paranoid about making sure the type and fspath * variables will fit in our mp buffers, including the @@ -536,6 +542,8 @@ struct mntarg *ma = NULL; int error; + AUDIT_ARG(fflags, uap->flags); + /* Kick out MNT_ROOTFS early as it is legal internally */ uap->flags &= ~MNT_ROOTFS; 
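Review bot: The block comment added above `AUDIT_ARG(fflags, uap->flags);` in the hunk at -366 starts its text on the `/*` line, whereas the multi-line comments already in this file (for example the "Be ultra-paranoid" one in the hunk at -488) open with a bare `/*`. The comments added in the hunks at -545 and -563 have the same form. Suggest putting `/*` on its own line, followed by ` * XXXAUDIT: Audit is not complete for nmount() yet; a new audit event is needed.` The comment would also be more useful if it named what is still unaudited; from this hunk that appears to be everything except the flags. The function body continues outside the hunk.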
@@ -545,11 +553,30 @@ fstype = malloc(MFSNAMELEN, M_TEMP, M_WAITOK); error = copyinstr(uap->type, fstype, MFSNAMELEN, NULL); if (!error) { + /* Audit the fstype here, even though it will be copied + * again later. But if an error is detected, it won't get + * copied later, so grab as much info as possible. + */ + AUDIT_ARG(text, fstype); mtx_lock(&Giant); /* XXX ? */ vfsp = vfs_byname_kld(fstype, td, &error); mtx_unlock(&Giant); } free(fstype, M_TEMP); + +#ifdef AUDIT + { + /* Even though it will get captured again during vnode lookup, + * capture the user-supplied path here because there are several + * error-out cases before the lookup, or the lookup may fail. + */ + char *pathbuf = malloc(MNAMELEN, M_TEMP, M_WAITOK); + error = copyinstr(uap->path, pathbuf, MNAMELEN, NULL); + if (!error) + AUDIT_ARG(upath, td, pathbuf, ARG_UPATH1); + free(pathbuf, M_TEMP); + } +#endif if (error) return (error); if (vfsp == NULL) @@ -563,6 +590,12 @@ ma = mount_argb(ma, !(uap->flags & MNT_NOSUID), "nosuid"); ma = mount_argb(ma, !(uap->flags & MNT_NOEXEC), "noexec"); + /* Note that for auditing purposes, the we depend on the + * file system cmount function to call kernel_mount(), which + * calls vfs_donmount(), and that is where the user path and + * type information is copied into the kernel; only then can + * we capture the path information for auditing. + */ error = vfsp->vfc_vfsops->vfs_cmount(ma, uap->data, uap->flags, td); return (error); } @@ -620,7 +653,8 @@ /* * Get vnode to be covered */ - NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF, UIO_SYSSPACE, fspath, td); + NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF | AUDITVNODE1, UIO_SYSSPACE, + fspath, td); if ((error = namei(&nd)) != 0) return (error); NDFREE(&nd, NDF_ONLY_PNBUF); @@ -845,6 +879,7 @@ free(pathbuf, M_TEMP); return (error); } + AUDIT_ARG(upath, td, pathbuf, ARG_UPATH1); if (uap->flags & MNT_BYFSID) { /* Decode the filesystem ID. */ if (sscanf(pathbuf, "FSID:%d:%d", &id0, &id1) != 2) { 
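Review bot: In the `#ifdef AUDIT` block of the hunk at -545, `error = copyinstr(uap->path, pathbuf, MNAMELEN, NULL);` overwrites the `error` left by the fstype copy-in and `vfs_byname_kld()` just above, so the following `if (error) return (error);` tests the audit copy instead of the type lookup. On a kernel built with AUDIT, a failed type lookup followed by a successful path copy is no longer returned as such and falls through to the `vfsp == NULL` test (the initial value of `vfsp` is not visible in this hunk). A path copy-in failure also becomes a new early return that a non-AUDIT kernel does not have. Audit capture should not change the syscall's result, so keep its status out of `error`: `if (copyinstr(uap->path, pathbuf, MNAMELEN, NULL) == 0)` followed by the existing `AUDIT_ARG(upath, td, pathbuf, ARG_UPATH1);`. The body of mount() starts and ends outside the hunk.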
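Review bot: The comment added before the `vfs_cmount` call in the hunk at -563 reads "the we depend on", a slip for "we depend on". It also says the path can only be captured once vfs_donmount() copies it in, yet the hunk at -545 of this same change already copies `uap->path` in for audit. The comment should say that the later capture is the one tied to the vnode lookup. Proposed opening: `Note that for auditing purposes we depend on the file system cmount function to call kernel_mount(), ...`.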
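Review bot: In the hunk at -845, the added `AUDIT_ARG(upath, td, pathbuf, ARG_UPATH1);` runs before the `MNT_BYFSID` test, so with that flag set the string recorded as a path is the caller's `FSID:%d:%d` token rather than a file name. If the upath argument is resolved against the caller's working directory (not visible here), the audit record would show a path that does not exist, and a reviewer of the trail could misread which file system was targeted. Recording the token as text in that case keeps the record accurate: `if (uap->flags & MNT_BYFSID) AUDIT_ARG(text, pathbuf); else AUDIT_ARG(upath, td, pathbuf, ARG_UPATH1);`. The body of unmount() continues outside the hunk.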
@@ -878,6 +913,21 @@ return ((uap->flags & MNT_BYFSID) ? ENOENT : EINVAL); } +#ifdef AUDIT + { + int vfslocked; + struct vnode *vp = mp->mnt_vnodecovered; + + if (vp != NULL) { + vfslocked = VFS_LOCK_GIANT(vp->v_mount); + vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); + AUDIT_ARG(vnode, vp, ARG_VNODE1); + VOP_UNLOCK(vp, 0, td); + VFS_UNLOCK_GIANT(vfslocked); + } + } +#endif + /* * Only privileged root, or (if MNT_USER is set) the user that did the * original mount is permitted to unmount this filesystem.
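Review bot: The new `#ifdef AUDIT` block takes a sleeping exclusive lock on `mp->mnt_vnodecovered` ahead of the "Only privileged root ..." check, so every caller that names a mounted file system, permitted or not, can contend for the covered vnode's lock. Capturing the target before the check is reasonable for auditing denied attempts. If `AUDIT_ARG(vnode, ...)` only reads attributes (its body is not shown), a shared lock would be enough: `vn_lock(vp, LK_SHARED | LK_RETRY, td);`. Nothing visible in the hunk holds a reference on `mp` or `vp` while the lock is awaited, so it is worth confirming that the surrounding code, which is outside the hunk, prevents a concurrent unmount from releasing the vnode. A one-line comment stating that locking assumption would help the next reader.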