From owner-cvs-src@FreeBSD.ORG Fri Oct 26 01:23:08 2007
Message-Id: <200710260123.l9Q1N7rv019068@repoman.freebsd.org>
From: "Christian S.J. Peron"
Date: Fri, 26 Oct 2007 01:23:07 +0000 (UTC)
To: src-committers@FreeBSD.org, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org
Subject: cvs commit: src/sys/kern kern_sig.c src/sys/security/audit audit.c audit.h audit_bsm.c
X-FreeBSD-CVS-Branch: HEAD
List-Id: CVS commit messages for the src tree

csjp        2007-10-26 01:23:07 UTC

  FreeBSD src repository

  Modified files:
    sys/kern             kern_sig.c
    sys/security/audit   audit.c audit.h audit_bsm.c
  Log:
  Implement AUE_CORE, which adds process core dump support into the kernel.
  This change introduces audit_proc_coredump() which is called by
  coredump(9) to create an audit record for the coredump event. When a
  process dumps a core, it could be security relevant. It could be an
  indicator that a stack within the process has been overflowed with an
  incorrectly constructed malicious payload or a number of other events.
  The record that is generated looks like this:

  header,111,10,process dumped core,0,Thu Oct 25 19:36:29 2007, + 179 msec
  argument,0,0xb,signal
  path,/usr/home/csjp/test.core
  subject,csjp,csjp,staff,csjp,staff,1101,1095,50457,10.37.129.2
  return,success,1
  trailer,111

  - We allocate a completely new record to make sure we aren't clobbering the
    audit data associated with the syscall that produced the core (assuming
    the core is being generated in response to SIGABRT and not an invalid
    memory access).
  - Shuffle around expand_name() so we can use the coredump name at the very
    beginning of the coredump call. Make sure we free the storage referenced
    by "name" if we need to bail out early.
  - Audit both successful and failed coredump creation efforts.

  Obtained from:  TrustedBSD Project
  Reviewed by:    rwatson
  MFC after:      1 month

  Revision  Changes    Path
  1.351     +27 -6     src/sys/kern/kern_sig.c
  1.34      +48 -0     src/sys/security/audit/audit.c
  1.15      +1 -0      src/sys/security/audit/audit.h
  1.22      +8 -0      src/sys/security/audit/audit_bsm.c
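The commit message shows the praudit-style text form of the new AUE_CORE record (header, argument, path, subject, return, trailer tokens). The following is an added example, not code from the commit or from the FreeBSD audit subsystem: a small parser that pulls the security-relevant fields out of such records and flags dumps caused by fault signals (SIGSEGV, SIGBUS, SIGILL, and so on) for triage, since those are the cases the log message points at as possible overflow indicators. The first sample record is the one quoted above; the second, failed-dump record is constructed here to exercise the "failed coredump creation" path and is not from the page. Field positions in the subject token (audit user, pid, terminal address) are assumed from the praudit(1) text layout; the signal numbers are FreeBSD's standard values.

```python
from dataclasses import dataclass
from typing import Iterator, List, Optional

# Constructed sample input: the record quoted in the commit message, followed
# by a second, constructed record for a dump that failed to be written.
SAMPLE_RECORDS = """\
header,111,10,process dumped core,0,Thu Oct 25 19:36:29 2007, + 179 msec
argument,0,0xb,signal
path,/usr/home/csjp/test.core
subject,csjp,csjp,staff,csjp,staff,1101,1095,50457,10.37.129.2
return,success,1
trailer,111
header,120,10,process dumped core,0,Thu Oct 25 19:40:02 2007, + 5 msec
argument,0,0x6,signal
path,/restricted/daemon.core
subject,nobody,nobody,nobody,nobody,nobody,2048,2000,0,0.0.0.0
return,failure : Permission denied,-1
trailer,120
"""

# FreeBSD signal numbers; the hex value in the "argument" token is the
# signal that caused the core dump.
SIGNAL_NAMES = {3: "SIGQUIT", 4: "SIGILL", 5: "SIGTRAP", 6: "SIGABRT",
                8: "SIGFPE", 10: "SIGBUS", 11: "SIGSEGV", 12: "SIGSYS"}

# Signals that mean the process faulted (bad memory access, illegal
# instruction, ...) rather than deliberately aborting; these deserve a
# closer look when triaging core dump audit events.
FAULT_SIGNALS = {"SIGILL", "SIGTRAP", "SIGFPE", "SIGBUS", "SIGSEGV"}


@dataclass
class CoreDumpEvent:
    event: str
    timestamp: str
    signal: Optional[int] = None
    core_path: Optional[str] = None
    audit_user: Optional[str] = None   # assumed: subject field 1
    pid: Optional[int] = None          # assumed: subject field 6
    remote_addr: Optional[str] = None  # assumed: last subject field (tid address)
    success: Optional[bool] = None

    @property
    def signal_name(self) -> str:
        return SIGNAL_NAMES.get(self.signal, f"signal {self.signal}")

    @property
    def likely_fault(self) -> bool:
        return self.signal_name in FAULT_SIGNALS


def split_records(text: str) -> Iterator[List[str]]:
    """Group praudit text lines into records delimited by header/trailer tokens."""
    current: List[str] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("header,"):
            current = [line]
        elif line.startswith("trailer,"):
            current.append(line)
            yield current
            current = []
        elif current:
            current.append(line)


def parse_core_dump(tokens: List[str]) -> Optional[CoreDumpEvent]:
    """Parse one record; return None unless it is a 'process dumped core' event."""
    header = tokens[0].split(",")
    # header,<record len>,<version>,<event name>,<modifier>,<time>, + <ms> msec
    if len(header) < 6 or header[3] != "process dumped core":
        return None
    ev = CoreDumpEvent(event=header[3], timestamp=header[5].strip())
    for tok in tokens[1:-1]:
        f = tok.split(",")
        if f[0] == "argument" and len(f) >= 4 and f[3] == "signal":
            ev.signal = int(f[2], 16)
        elif f[0] == "path":
            ev.core_path = ",".join(f[1:])  # a path may itself contain commas
        elif f[0] == "subject" and len(f) >= 10:
            ev.audit_user = f[1]
            ev.pid = int(f[6])
            ev.remote_addr = f[-1]
        elif f[0] == "return":
            ev.success = (f[1] == "success")
    return ev


def find_core_dumps(text: str) -> List[CoreDumpEvent]:
    """Return every core dump event found in praudit-style text output."""
    return [ev for ev in (parse_core_dump(r) for r in split_records(text)) if ev]


def triage_line(ev: CoreDumpEvent) -> str:
    """One-line summary suitable for an alert or a SIEM field."""
    flag = "FAULT" if ev.likely_fault else "abort"
    status = "written" if ev.success else "FAILED"
    return (f"{ev.timestamp} pid={ev.pid} user={ev.audit_user} "
            f"from={ev.remote_addr} {ev.signal_name} [{flag}] core={ev.core_path} ({status})")


if __name__ == "__main__":
    for event in find_core_dumps(SAMPLE_RECORDS):
        print(triage_line(event))
```

Run on the sample, the first record is reported as a SIGSEGV (0xb) fault dump written to /usr/home/csjp/test.core by pid 1101, and the second as a SIGABRT dump whose file could not be created. Because the kernel now audits failed attempts as well, a SIGSEGV record with a failed return is still worth alerting on: the crash happened even though no core file exists to examine.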