From owner-p4-projects@FreeBSD.ORG Thu Jul 8 13:04:05 2010 Return-Path: Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id BC385106566C; Thu, 8 Jul 2010 13:04:05 +0000 (UTC) Delivered-To: perforce@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 80516106564A for ; Thu, 8 Jul 2010 13:04:05 +0000 (UTC) (envelope-from gpf@FreeBSD.org) Received: from repoman.freebsd.org (repoman.freebsd.org [IPv6:2001:4f8:fff6::29]) by mx1.freebsd.org (Postfix) with ESMTP id 6D8828FC20 for ; Thu, 8 Jul 2010 13:04:05 +0000 (UTC) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.14.3/8.14.3) with ESMTP id o68D45G2052572 for ; Thu, 8 Jul 2010 13:04:05 GMT (envelope-from gpf@FreeBSD.org) Received: (from perforce@localhost) by repoman.freebsd.org (8.14.3/8.14.3/Submit) id o68D456Y052570 for perforce@freebsd.org; Thu, 8 Jul 2010 13:04:05 GMT (envelope-from gpf@FreeBSD.org) Date: Thu, 8 Jul 2010 13:04:05 GMT Message-Id: <201007081304.o68D456Y052570@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to gpf@FreeBSD.org using -f 
From: Efstratios Karatzas To: Perforce Change Reviews Precedence: bulk Cc: Subject: PERFORCE change 180631 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.5 List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 08 Jul 2010 13:04:06 -0000 http://p4web.freebsd.org/@@180631?ac=10 Change 180631 by gpf@gpf_desktop on 2010/07/08 13:04:03 - audit paths & vnode info for those nfsv4 rpcs that we have to. This is not done for open* rpcs yet, they deserve special handling. - nfsv3 rpc 'mknod' + nfsv4 rpc 'create' can create files of various types. So I guess it makes sense to audit what kind of file is created each time. Again, when creating the bsm record I use a text field for this information; perhaps it would be best to create a new token type and make praudit responsible for changing the vnode type (int) to something we can make understand (char *). also, some minor fixes & changes here and there. Affected files ... .. //depot/projects/soc2010/gpf_audit/freebsd/src/contrib/openbsm/etc/audit_event#6 edit .. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/fs/nfsserver/nfs_nfsdport.c#8 edit .. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/fs/nfsserver/nfs_nfsdserv.c#10 edit .. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/fs/nfsserver/nfs_nfsdsocket.c#13 edit .. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/nfsserver/nfs_serv.c#18 edit .. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/nfsserver/nfs_srvkrpc.c#8 edit .. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit.h#8 edit .. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit_arg.c#4 edit .. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit_bsm.c#14 edit .. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit_bsm_klib.c#3 edit .. 
//depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit_private.h#5 edit Differences ... ==== //depot/projects/soc2010/gpf_audit/freebsd/src/contrib/openbsm/etc/audit_event#6 (text) ==== @@ -395,7 +395,7 @@ 2027:AUE_NFS_LOCK:nfsrv_lock():fm 2028:AUE_NFS_LOCKT:nfsrv_lockt():fm 2029:AUE_NFS_LOCKU:nfsrv_locku():fm -2030:AUE_NFS_LOOKUPP:nfsrv_lockupp():fa,ad +2030:AUE_NFS_LOOKUPP:nfsrv_lookupp():fa,ad 2031:AUE_NFS_NVERIFY:nfsrv_nverify():fa 2032:AUE_NFS_OPEN:nfsrv_open():fa,fc 2033:AUE_NFS_OPENATTR:nfsrv_openattr():fa ==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/fs/nfsserver/nfs_nfsdport.c#8 (text+ko) ==== @@ -772,6 +772,8 @@ return (ENXIO); } *vpp = ndp->ni_vp; + if (!error) + AUDIT_ARG_VNODE1(ndp->ni_vp); } else { /* * Handle cases where error is already set and/or @@ -859,6 +861,8 @@ * see any reason to do the lookup. */ } + if (!error) + AUDIT_ARG_VNODE1(ndp->ni_vp); return (error); } ==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/fs/nfsserver/nfs_nfsdserv.c#10 (text+ko) ==== @@ -1007,8 +1007,6 @@ &exclusive_flag, cverf, rdev, p, exp); if (!nd->nd_repstat) { - if (vp != NULL) - AUDIT_ARG_VNODE1(vp); nd->nd_repstat = nfsvno_getfh(vp, &fh, p, named.ni_dvp); if (!nd->nd_repstat) nd->nd_repstat = nfsvno_getattr(vp, &nva, nd->nd_cred, @@ -1082,8 +1080,8 @@ if (nd->nd_flag & ND_NFSV4) { NFSM_DISSECT(tl, u_int32_t *, NFSX_UNSIGNED); vtyp = nfsv34tov_type(*tl); + AUDIT_ARG_VTYPE(vtyp); nfs4type = fxdr_unsigned(nfstype, *tl); - /* lalala */ switch (nfs4type) { case NFLNK: error = nfsvno_getsymlink(nd, &nva, p, &pathcp, @@ -1135,6 +1133,7 @@ if (nd->nd_flag & ND_NFSV3) { NFSM_DISSECT(tl, u_int32_t *, NFSX_UNSIGNED); vtyp = nfsv34tov_type(*tl); + AUDIT_ARG_VTYPE(vtyp); } error = nfsrv_sattr(nd, &nva, &attrbits, aclp, p); if (error) { 
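Review bot: The `AUDIT_ARG_VNODE1(ndp->ni_vp)` added before `return (error)` in the -859 hunk is guarded only by `!error`, yet a successful lookup of a create or rename target can leave `ndp->ni_vp` NULL, and audit_arg_vnode1 in the stock implementation dereferences the vnode (it asserts it is locked and calls VOP_GETATTR). The -772 hunk uses the same guard; both should read `if (!error && ndp->ni_vp != NULL) AUDIT_ARG_VNODE1(ndp->ni_vp);`, matching the `vp != NULL` checks the nfs_nfsdserv.c hunks use, and the lock state of ni_vp on each of these paths should be confirmed. Relatedly, the nfs_nfsdserv.c hunks at -1007 and -1234 drop the `AUDIT_ARG_VNODE1(vp)` that ran after the object was created; since this lookup happens before the object exists, a successful create or mknod of a new name now records no vnode at all, so those calls should probably stay if the created object's attributes are wanted in the record. The enclosing function (apparently nfsvno_namei) begins outside both hunks.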
@@ -1234,7 +1233,6 @@ nd->nd_repstat = nfsvno_mknod(&named, &nva, nd->nd_cred, p); if (!nd->nd_repstat) { vp = named.ni_vp; - AUDIT_ARG_VNODE1(vp); nfsrv_fixattr(nd, vp, &nva, aclp, p, &attrbits, exp); nd->nd_repstat = nfsvno_getfh(vp, fhp, p, named.ni_dvp); if ((nd->nd_flag & ND_NFSV3) && !nd->nd_repstat) @@ -2094,6 +2092,8 @@ nfsv4stateid_t stateid; nfsquad_t clientid; + if (vp != NULL) + AUDIT_ARG_VNODE1(vp); NFSM_DISSECT(tl, u_int32_t *, 7 * NFSX_UNSIGNED); i = fxdr_unsigned(int, *tl++); switch (i) { @@ -2267,6 +2267,8 @@ nfsquad_t clientid; u_int64_t len; + if (vp != NULL) + AUDIT_ARG_VNODE1(vp); NFSM_DISSECT(tl, u_int32_t *, 8 * NFSX_UNSIGNED); i = fxdr_unsigned(int, *(tl + 7)); if (i <= 0 || i > NFSV4_OPAQUELIMIT) { @@ -2374,6 +2376,8 @@ nfsquad_t clientid; u_int64_t len; + if (vp != NULL) + AUDIT_ARG_VNODE1(vp); NFSM_DISSECT(tl, u_int32_t *, 6 * NFSX_UNSIGNED + NFSX_STATEID); MALLOC(stp, struct nfsstate *, sizeof (struct nfsstate), M_NFSDSTATE, M_WAITOK); @@ -2861,7 +2865,9 @@ int error = 0; nfsv4stateid_t stateid; nfsquad_t clientid; - + + if (vp != NULL) + AUDIT_ARG_VNODE1(vp); NFSM_DISSECT(tl, u_int32_t *, NFSX_UNSIGNED + NFSX_STATEID); stp->ls_seq = fxdr_unsigned(u_int32_t, *tl++); stp->ls_ownerlen = 0; @@ -2937,6 +2943,8 @@ nfsv4stateid_t stateid; nfsquad_t clientid; + if (vp != NULL) + AUDIT_ARG_VNODE1(vp); NFSM_DISSECT(tl, u_int32_t *, NFSX_STATEID); stateid.seqid = fxdr_unsigned(u_int32_t, *tl++); NFSBCOPY((caddr_t)tl, (caddr_t)stateid.other, NFSX_STATEIDOTHER); @@ -3385,6 +3393,8 @@ struct nfsfsinfo fs; fhandle_t fh; + if (vp != NULL) + AUDIT_ARG_VNODE1(vp); nd->nd_repstat = nfsvno_getattr(vp, &nva, nd->nd_cred, p); if (!nd->nd_repstat) nd->nd_repstat = nfsvno_statfs(vp, &sf); ==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/fs/nfsserver/nfs_nfsdsocket.c#13 (text+ko) ==== 
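Review bot: The six `if (vp != NULL) AUDIT_ARG_VNODE1(vp);` preambles (-2092, -2267, -2376, -2865, -2943, -3393) run before each handler touches `vp`, so they rely on nfsrvd_compound passing the vnode already locked; audit_arg_vnode1 in the stock implementation asserts a locked vnode and calls VOP_GETATTR, so a handler dispatched with an unlocked vnode would trip the assertion under INVARIANTS and read attributes without the lock otherwise. Confirm the lock state for each of these ops, or move the audit into the dispatcher at the point where the lock is taken so it is done once rather than repeated per handler. If the per-handler form stays, a short comment such as `/* vp arrives locked from nfsrvd_compound; audit it before the op can vput() it */` documents the assumption, once it is verified. Each of these functions begins and ends outside its hunk.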
@@ -741,8 +741,6 @@ AUDIT_ARG_SOCKADDR_IN((struct sockaddr_in *)nd->nd_nam); AUDIT_ARG_PROTOCOL(ND_NFSV4); switch (op) { - /* xxx gpf dbg */ - printf("op = %d\n", op); case NFSV4OP_PUTFH: error = nfsrv_mtofh(nd, &fh); if (error) { @@ -897,6 +895,7 @@ else { (void) nfsm_fhtom(nd, (u_int8_t *)fh.nfsrvfh_data, 0, 0); error = nd->nd_repstat = 0; + nfsrv_auditpath(vp, NULL, NULL, (fhandle_t *)fh.nfsrvfh_data, 1); } break; default: @@ -1035,9 +1034,16 @@ } break; } - /* lalala */ + if (vp != NULL) + vref(vp); error = (*(nfsrv4_ops0[op]))(nd, isdgram, vp, p, &vpnes); + if (vp != NULL) { + if (nd->nd_procnum != NFSV4OP_REMOVE) + nfsrv_auditpath(vp, NULL, NULL, + (fhandle_t *)fh.nfsrvfh_data, 1); + vrele(vp); + } if (nfsv4_opflag[op].modifyfs) NFS_ENDWRITE(mp); } else { ==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/nfsserver/nfs_serv.c#18 (text+ko) ==== @@ -1850,6 +1850,7 @@ tl = nfsm_dissect_nonblock(u_int32_t *, NFSX_UNSIGNED); vtyp = nfsv3tov_type(*tl); + AUDIT_ARG_VTYPE(vtyp); if (vtyp != VCHR && vtyp != VBLK && vtyp != VSOCK && vtyp != VFIFO) { error = NFSERR_BADTYPE; goto out; ==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/nfsserver/nfs_srvkrpc.c#8 (text+ko) ==== @@ -353,12 +353,12 @@ } nfsrvstats.srvrpccnt[nd.nd_procnum]++; - AUDIT_NFS_ENTER(procnum, nd.nd_cr, td, ND_NFSV3); - AUDIT_ARG_SOCKADDR_IN((struct sockaddr_in *)nd.nd_nam); if (flag) protocol = ND_NFSV3; else protocol = ND_NFSV2; + AUDIT_NFS_ENTER(procnum, nd.nd_cr, td, protocol); + AUDIT_ARG_SOCKADDR_IN((struct sockaddr_in *)nd.nd_nam); AUDIT_ARG_PROTOCOL(protocol); error = proc(&nd, NULL, &mrep); AUDIT_NFS_EXIT(nd.nd_repstat, td); ==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit.h#8 (text) ==== @@ -129,6 +129,7 @@ void audit_thread_alloc(struct thread *td); void audit_thread_free(struct thread *td); void audit_arg_protocol(int protocol); +void audit_arg_vtype(int vtype); /* * Define macros to wrap the audit_arg_* calls by checking the global 
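Review bot: The post-op audit in the -1035 hunk is skipped with `if (nd->nd_procnum != NFSV4OP_REMOVE)` while the surrounding code dispatches on `op` (`nfsrv4_ops0[op]`, `nfsv4_opflag[op].modifyfs`); `if (op != NFSV4OP_REMOVE)` expresses the same condition without depending on nd_procnum having been set to the current op earlier in the loop. The `vref(vp)`/`vrele(vp)` pair presumably exists because the handler consumes the reference it is given, but the handler also unlocks `vp` before returning, so `nfsrv_auditpath()` (not visible here) must be safe to call on an unlocked vnode. A comment above the vref, `/* hold vp across the handler so its path can be audited after the op drops its reference */`, would make the pairing and the ordering clear. The enclosing function continues outside the hunk.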
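Review bot: `AUDIT_ARG_SOCKADDR_IN((struct sockaddr_in *)nd.nd_nam)` in the -353 hunk casts the client address unconditionally; if `nd_nam` can carry an AF_INET6 address, the record gets an IPv4 token built from IPv6 bytes. Guard the cast with `if (nd.nd_nam->sa_family == AF_INET)` (or add a sockaddr_in6 variant); the same cast appears as context in the nfs_nfsdsocket.c -741 hunk. Moving AUDIT_NFS_ENTER after the protocol is determined looks right, and a one-line comment, `/* the event needs the real protocol, so pick it before opening the record */`, would explain why the two calls moved.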
@@ -236,7 +237,7 @@ audit_arg_process((p)); \ } while (0) -#define AUDIT_ARG_PROTOCOL(prot) do{ \ +#define AUDIT_ARG_PROTOCOL(prot) do { \ if (AUDITING_TD(curthread)) \ audit_arg_protocol((prot)); \ } while (0) @@ -311,6 +312,11 @@ audit_arg_vnode2((vp)); \ } while (0) +#define AUDIT_ARG_VTYPE(vtype) do { \ + if (AUDITING_TD(curthread)) \ + audit_arg_vtype((vtype)); \ +} while (0) + #define AUDIT_SYSCALL_ENTER(code, td) do { \ if (audit_enabled) { \ audit_syscall_enter(code, td); \ @@ -368,10 +374,12 @@ #define AUDIT_ARG_OWNER(uid, gid) #define AUDIT_ARG_PID(pid) #define AUDIT_ARG_PROCESS(p) +#define AUDIT_ARG_PROTOCOL(prot) #define AUDIT_ARG_RGID(rgid) #define AUDIT_ARG_RUID(ruid) #define AUDIT_ARG_SIGNUM(signum) #define AUDIT_ARG_SGID(sgid) +#define AUDIT_ARG_SOCKADDR_IN(sin) #define AUDIT_ARG_SOCKET(sodomain, sotype, soprotocol) #define AUDIT_ARG_SUID(suid) #define AUDIT_ARG_TEXT(text) @@ -381,6 +389,7 @@ #define AUDIT_ARG_VALUE(value) #define AUDIT_ARG_VNODE1(vp) #define AUDIT_ARG_VNODE2(vp) +#define AUDIT_ARG_VTYPE(vtype) #define AUDIT_SYSCALL_ENTER(code, td) #define AUDIT_SYSCALL_EXIT(error, td) ==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit_arg.c#4 (text) ==== @@ -916,7 +916,9 @@ fdrop(fp, td); } -/* Keeping track of NFS protocols used in NFS RPCs */ +/* + * Audit the NFS protocol used in NFS RPCs + */ void audit_arg_protocol(int protocol) { @@ -929,3 +931,19 @@ ar->k_ar.ar_arg_protocol = protocol; ARG_SET_VALID(ar, ARG_PROTOCOL); } + +/* + * Audit the vnode type of the file created by some NFS RPC + */ +void +audit_arg_vtype(int vtype) +{ + struct kaudit_record *ar; + + ar = currecord(); + if (ar == NULL) + return; + + ar->k_ar.ar_arg_vtype = vtype; + ARG_SET_VALID(ar, ARG_VTYPE); +} ==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit_bsm.c#14 (text) ==== 
@@ -1581,9 +1581,15 @@ kau_write(rec, tok); break; - case AUE_NFS_CREATE: + case AUE_NFS_CREATE: + case AUE_NFS_MKNOD: + if (ARG_IS_VALID(kar, ARG_VTYPE)) { + tok = au_to_text(audit_vtype_to_text(ar->ar_arg_vtype)); + kau_write(rec, tok); + } + + /* FALLTHROUGH */ case AUE_NFS_MKDIR: - case AUE_NFS_MKNOD: if (ARG_IS_VALID(kar, ARG_MODE)) { tok = au_to_arg32(3, "mode", ar->ar_arg_mode); kau_write(rec, tok); @@ -1675,8 +1681,20 @@ case AUE_NFS_PUTROOTFH: case AUE_NFS_RESTOREFH: case AUE_NFS_SAVEFH: + case AUE_NFS_LOOKUPP: + case AUE_NFS_CLOSE: + case AUE_NFS_DELEGRETURN: + case AUE_NFSv4_GETFH: + case AUE_NFS_LOCK: + case AUE_NFS_LOCKT: + case AUE_NFS_LOCKU: + case AUE_NFS_NVERIFY: case AUE_NFS_OPEN: - case AUE_NFS_LOOKUPP: + case AUE_NFS_OPENATTR: + case AUE_NFS_OPENCONFIRM: + case AUE_NFS_OPENDOWNGRADE: + case AUE_NFS_VERIFY: + case AUE_NFS_SECINFO: UPATH1_VNODE1_TOKENS; if (ARG_IS_VALID(kar, ARG_TEXT)) { tok = au_to_text(ar->ar_arg_text); @@ -1689,22 +1707,10 @@ break; /* XXXgpf: temporary fallthrough for nfsv4 events */ - case AUE_NFS_CLOSE: case AUE_NFS_DELEGPURGE: - case AUE_NFS_DELEGRETURN: - case AUE_NFSv4_GETFH: - case AUE_NFS_LOCK: - case AUE_NFS_LOCKT: - case AUE_NFS_LOCKU: - case AUE_NFS_NVERIFY: - case AUE_NFS_OPENATTR: - case AUE_NFS_OPENCONFIRM: - case AUE_NFS_OPENDOWNGRADE: case AUE_NFS_RENEW: - case AUE_NFS_SECINFO: case AUE_NFS_SETCLIENTID: case AUE_NFS_SETCLIENTIDCFRM: - case AUE_NFS_VERIFY: case AUE_NFS_RELEASELCKOWN: if (ARG_IS_VALID(kar, ARG_TEXT)) { tok = au_to_text(ar->ar_arg_text); ==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit_bsm_klib.c#3 (text) ==== 
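Review bot: The vnode type at -1581 is recorded as a free-form text token, `au_to_text(audit_vtype_to_text(ar->ar_arg_vtype))`, while the mode a few lines below uses `au_to_arg32(3, "mode", ar->ar_arg_mode)`; an arg token, `tok = au_to_arg32(N, "vtype", ar->ar_arg_vtype);` (N: the argument number convention used for the other AUE_NFS_* tokens, not known from this page), keeps the numeric value, is already understood by praudit, and removes the need for the string table in audit_bsm_klib.c, which is the alternative the change description is looking for without defining a new token type. Whichever form is kept, the reason CREATE and MKNOD get this extra token is not documented; a comment above the case, `/* create/mknod can produce any vnode type; record which one was requested */`, would help the reader.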
@@ -586,3 +586,27 @@ return prot; } + +char * +audit_vtype_to_text(int vtype) +{ + char *vtypes[] = { + "VNON", + "VREG", + "VDIR", + "VBLK", + "VCHR", + "VLNK", + "VSOCK", + "VFIFO", + "VBAD", + "VMARKER" + }; + + if (vtype != VCHR && vtype != VBLK && vtype != VSOCK && vtype != VFIFO + && vtype != VNON && vtype != VREG && vtype != VDIR && vtype != VLNK + && vtype != VBAD && vtype != VMARKER) + return vtypes[VBAD]; + else + return vtypes[vtype]; +} ==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit_private.h#5 (text) ==== @@ -229,7 +229,8 @@ int ar_arg_exitstatus; int ar_arg_exitretval; struct sockaddr_storage ar_arg_sockaddr; - u_int ar_arg_protocol; + int ar_arg_protocol; + int ar_arg_vtype; }; /* @@ -289,7 +290,7 @@ #define ARG_ENVV 0x0002000000000000ULL #define ARG_ATFD1 0x0004000000000000ULL #define ARG_ATFD2 0x0008000000000000ULL -#define ARG_FTYPE 0x0010000000000000ULL +#define ARG_VTYPE 0x0010000000000000ULL #define ARG_PROTOCOL 0x0020000000000000ULL #define ARG_NONE 0x0000000000000000ULL #define ARG_ALL 0xFFFFFFFFFFFFFFFFULL @@ -401,6 +402,7 @@ void audit_canon_path(struct thread *td, char *path, char *cpath); au_event_t auditon_command_event(int cmd); char * audit_protocol_to_text(int protocol); +char * audit_vtype_to_text(int vtype); /* * Audit trigger events notify user space of kernel audit conditions
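Review bot: `audit_vtype_to_text` rebuilds a non-const `char *vtypes[]` on the stack on every call and validates `vtype` by listing all ten enum constants, while `vtypes[vtype]` silently assumes `enum vtype` is declared in exactly that order; a new or reordered vnode type would mislabel records with no diagnostic. A `static` table with designated initializers keyed by the enum constants, plus a bounds check derived from the table size, ties the mapping to the declaration and makes the fallback cover any value the list does not name, which matters because `vtype` originates in client-supplied wire data (nfs_serv.c -1850, nfs_nfsdserv.c -1082 and -1135). The return type stays `char *` to match the prototype added in audit_private.h; if that prototype and `audit_protocol_to_text` are changed to `const char *`, the table can become `const char *const`.
```c
char *
audit_vtype_to_text(int vtype)
{
	/* Keyed by enum vtype so the table cannot drift from the declaration order. */
	static char *const vtypes[] = {
		[VNON] = "VNON",
		[VREG] = "VREG",
		[VDIR] = "VDIR",
		[VBLK] = "VBLK",
		[VCHR] = "VCHR",
		[VLNK] = "VLNK",
		[VSOCK] = "VSOCK",
		[VFIFO] = "VFIFO",
		[VBAD] = "VBAD",
		[VMARKER] = "VMARKER"
	};

	/* vtype may come straight off the wire; anything unknown is reported as VBAD. */
	if (vtype < 0 || vtype >= (int)(sizeof(vtypes) / sizeof(vtypes[0])) ||
	    vtypes[vtype] == NULL)
		return (vtypes[VBAD]);
	return (vtypes[vtype]);
}
```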