From owner-p4-projects@FreeBSD.ORG Thu May 15 02:16:44 2008 Return-Path: Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id 782A11065671; Thu, 15 May 2008 02:16:44 +0000 (UTC) Delivered-To: perforce@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 3A7B0106564A for ; Thu, 15 May 2008 02:16:44 +0000 (UTC) (envelope-from diego@FreeBSD.org) Received: from repoman.freebsd.org (repoman.freebsd.org [IPv6:2001:4f8:fff6::29]) by mx1.freebsd.org (Postfix) with ESMTP id 2CC3A8FC0A for ; Thu, 15 May 2008 02:16:44 +0000 (UTC) (envelope-from diego@FreeBSD.org) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.14.1/8.14.1) with ESMTP id m4F2GiXn086046 for ; Thu, 15 May 2008 02:16:44 GMT (envelope-from diego@FreeBSD.org) Received: (from perforce@localhost) by repoman.freebsd.org (8.14.1/8.14.1/Submit) id m4F2GhOF086044 for perforce@freebsd.org; Thu, 15 May 2008 02:16:43 GMT (envelope-from diego@FreeBSD.org) Date: Thu, 15 May 2008 02:16:43 GMT Message-Id: <200805150216.m4F2GhOF086044@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to diego@FreeBSD.org using -f 
From: Diego Giagio To: Perforce Change Reviews Cc: Subject: PERFORCE change 141621 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 15 May 2008 02:16:44 -0000 http://perforce.freebsd.org/chv.cgi?CH=141621 Change 141621 by diego@diego_black on 2008/05/15 02:16:31 - Added audit support for pf enable/disable - Added preliminary audit support for ipfw rule and table changes Affected files ... .. //depot/projects/soc2008/diego-audit/src/sys/bsm/audit_kevents.h#3 edit .. //depot/projects/soc2008/diego-audit/src/sys/contrib/pf/net/pf_ioctl.c#3 edit .. //depot/projects/soc2008/diego-audit/src/sys/netinet/ip_fw2.c#3 edit .. //depot/projects/soc2008/diego-audit/src/sys/security/audit/audit.h#6 edit .. //depot/projects/soc2008/diego-audit/src/sys/security/audit/audit_pfil.c#2 edit Differences ... ==== //depot/projects/soc2008/diego-audit/src/sys/bsm/audit_kevents.h#3 (text) ==== @@ -550,6 +550,10 @@ #define AUE_SYMLINKAT 43152 /* FreeBSD. */ #define AUE_PFIL_ENABLE 43153 /* FreeBSD. */ #define AUE_PFIL_DISABLE 43154 /* FreeBSD. */ +#define AUE_PFIL_POLICY_ADDRULE 43155 /* FreeBSD. */ +#define AUE_PFIL_POLICY_DELRULE 43156 /* FreeBSD. */ +#define AUE_PFIL_POLICY_FLUSH 43157 /* FreeBSD. */ +#define AUE_PFIL_POLICY_TABLE 43158 /* FreeBSD. */ /* * Darwin BSM uses a number of AUE_O_* definitions, which are aliased to the ==== //depot/projects/soc2008/diego-audit/src/sys/contrib/pf/net/pf_ioctl.c#3 (text+ko) ==== @@ -140,6 +140,10 @@ #endif /* __FreeBSD__ */ #ifdef __FreeBSD__ +#include +#endif /* __FreeBSD__ */ + +#ifdef __FreeBSD__ void init_zone_var(void); void cleanup_pf_zone(void); int pfattach(void); 
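Review bot: AUE_PFIL_POLICY_TABLE is a single event number for what the name and the ipfw table hook elsewhere in this change suggest are several distinct operations (entry add, entry delete, table flush), while rule changes get separate ADDRULE/DELRULE/FLUSH events. Until the record carries an operation token, a preselection mask or a later search cannot distinguish a table flush from a single-entry add; consider splitting it the same way as the rule events, e.g. `#define AUE_PFIL_POLICY_TABLE_ADD 43158 /* FreeBSD. */`, `#define AUE_PFIL_POLICY_TABLE_DEL 43159 /* FreeBSD. */`, `#define AUE_PFIL_POLICY_TABLE_FLUSH 43160 /* FreeBSD. */`, or commit to an operation token in the record. New event numbers also need matching entries in the audit event name/class database before praudit(1) and class-based preselection can make sense of them; I cannot see from this change whether that file is updated as well.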
@@ -3871,10 +3875,12 @@ switch(type) { case MOD_LOAD: error = pf_load(); + AUDIT_CALL(audit_pfil_enable_pf(error)); break; case MOD_UNLOAD: error = pf_unload(); + AUDIT_CALL(audit_pfil_disable_pf(error)); break; default: error = EINVAL; ==== //depot/projects/soc2008/diego-audit/src/sys/netinet/ip_fw2.c#3 (text+ko) ==== @@ -104,6 +104,7 @@ #include /* XXX for in_cksum */ +#include #include /* @@ -4209,6 +4210,7 @@ IPFW_WUNLOCK(&layer3_chain); if (rule != NULL) reap_rules(rule); + AUDIT_CALL(audit_pfil_flush_ipfw(error)); break; case IP_FW_ADD: @@ -4223,6 +4225,7 @@ if (!error && sopt->sopt_dir == SOPT_GET) error = sooptcopyout(sopt, rule, size); } + AUDIT_CALL(audit_pfil_addrule_ipfw(rule, error)); free(rule, M_TEMP); break; @@ -4252,6 +4255,7 @@ ~(1< #include +#include +#include +#include +#include + #include #include 
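Review bot: The new AUDIT_CALLs sit in the MOD_LOAD/MOD_UNLOAD cases, so the "pf enable"/"pf disable" records are produced when the module is loaded or unloaded, not when packet filtering is actually turned on or off; if I recall pf_ioctl.c correctly that happens in the DIOCSTART/DIOCSTOP ioctl handlers, which this change does not touch, and a pf compiled statically into the kernel would never emit an enable record at all. Consider moving (or additionally placing) the calls there, e.g. `AUDIT_CALL(audit_pfil_enable_pf(error));` at the end of the DIOCSTART case and the disable call after DIOCSTOP, and giving the module load/unload events their own name if they are still wanted. A module loaded by the boot loader also runs this path with curthread not belonging to a user process, so the subject in that record will not identify an administrator; a comment saying so, `/* Boot-time loads have no audited user subject. */`, would save the next reader a puzzle. The enclosing modevent function starts and ends outside the hunk.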
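Review bot: In the IP_FW_ADD case the `error` passed to audit_pfil_addrule_ipfw() is simply the last value assigned, which on the visible lines can be the result of sooptcopyout() rather than of the rule insertion itself; a copyout failure after a successful add therefore produces a record claiming the add failed even though the ruleset changed. The record is also emitted on the earlier error paths, where `rule` may never have passed the structure check, so the token code the XXX comment promises must not trust the contents of `rule` when error is non-zero. Capture the insertion result in its own local, e.g. `add_error = add_rule(&layer3_chain, rule);` followed by `AUDIT_CALL(audit_pfil_addrule_ipfw(rule, add_error));`, or skip the record entirely when the rule was never submitted for insertion. The ipfw_ctl switch begins and ends outside the hunk, and the add_rule() call I refer to is just above the visible context.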
@@ -73,3 +78,71 @@
 audit_pfil_disable_common("ipfw", error);
 }
 
+void
+audit_pfil_enable_pf(int error)
+{
+ audit_pfil_enable_common("pf", error);
+}
+
+void
+audit_pfil_disable_pf(int error)
+{
+ audit_pfil_disable_common("pf", error);
+}
+
+void
+audit_pfil_addrule_ipfw(struct ip_fw *rule, int error)
+{
+ struct kaudit_record *ar;
+
+ ar = audit_begin(AUE_PFIL_POLICY_ADDRULE, curthread);
+ if (ar == NULL)
+ return;
+
+ audit_record_arg_text(ar, "ipfw");
+ /* XXX tokens */
+ audit_commit(ar, error, 0);
+}
+
+void
+audit_pfil_delrule_ipfw(struct ip_fw *rule, int error)
+{
+ struct kaudit_record *ar;
+
+ ar = audit_begin(AUE_PFIL_POLICY_DELRULE, curthread);
+ if (ar == NULL)
+ return;
+
+ audit_record_arg_text(ar, "ipfw");
+ /* XXX tokens */
+ audit_commit(ar, error, 0);
+}
+
+void
+audit_pfil_flush_ipfw(int error)
+{
+ struct kaudit_record *ar;
+
+ ar = audit_begin(AUE_PFIL_POLICY_FLUSH, curthread);
+ if (ar == NULL)
+ return;
+
+ audit_record_arg_text(ar, "ipfw");
+ /* XXX tokens */
+ audit_commit(ar, error, 0);
+}
+
+void
+audit_pfil_table_ipfw(u_int32_t table, int error)
+{
+ struct kaudit_record *ar;
+
+ ar = audit_begin(AUE_PFIL_POLICY_TABLE, curthread);
+ if (ar == NULL)
+ return;
+
+ audit_record_arg_text(ar, "ipfw");
+ /* XXX tokens */
+ audit_commit(ar, error, 0);
+}
+
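Review bot: The four new record functions ignore the `rule` and `table` arguments they are given, so every ADDRULE, DELRULE, FLUSH and TABLE record currently carries nothing but the text "ipfw" and the error code; an auditor can see that the ruleset changed but not which rule or table, which is the one thing a policy-change event is for. The XXX comments acknowledge this, but until the tokens land the parameters are dead and the four bodies are line-for-line copies that differ only in the event number, mirroring the audit_pfil_enable_common/disable_common split already used for the enable/disable records. Factor the shared body into a static helper taking the event so the token work later happens in one place, and say in a comment that the rule pointer may point at an unvalidated struct on failure paths and must not be dereferenced when error is non-zero.
```c
/*
 * Shared body of the policy-change records: a single subsystem text token
 * for now; rule/table tokens are still to be added by the callers.
 */
static void
audit_pfil_policy_common(int event, const char *subsys, int error)
{
	struct kaudit_record *ar;

	ar = audit_begin(event, curthread);
	if (ar == NULL)
		return;

	audit_record_arg_text(ar, subsys);
	audit_commit(ar, error, 0);
}

void
audit_pfil_addrule_ipfw(struct ip_fw *rule, int error)
{
	/*
	 * XXX rule is not tokenized yet.  On failure paths the struct may
	 * not have passed validation, so do not dereference it when
	 * error != 0 once tokens are added.
	 */
	audit_pfil_policy_common(AUE_PFIL_POLICY_ADDRULE, "ipfw", error);
}

/* … audit_pfil_delrule_ipfw, audit_pfil_flush_ipfw and audit_pfil_table_ipfw
 * reduce to the same one-line call with their own AUE_PFIL_POLICY_* event … */
```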