Date: Mon, 3 Oct 2005 10:21:31 GMT From: Robert Watson <rwatson@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 84705 for review Message-ID: <200510031021.j93ALV1f060423@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=84705 Change 84705 by rwatson@rwatson_zoo on 2005/10/03 10:21:31 Move declarations of many audit internal data structures and defines from sys/security/audit/audit.h, which contains kernel-public definitions, to audit_private.h. This includes kernel BSM definitions, the internal structure of the kernel audit record, memory types, etc. Annotate that the ARG_* mask values remain exposed to the rest of the kernel audit the path1/path2 and vnode1/vnode2 mask entries which are arguments to audit_arg_*() calls, but largely could be private. Affected files ... .. //depot/projects/trustedbsd/audit3/sys/security/audit/audit.h#2 edit .. //depot/projects/trustedbsd/audit3/sys/security/audit/audit_private.h#4 edit .. //depot/projects/trustedbsd/audit3/sys/security/audit/audit_trigger.c#4 edit Differences ...
==== //depot/projects/trustedbsd/audit3/sys/security/audit/audit.h#2 (text+ko) ====
@@ -42,12 +42,13 @@
 extern int audit_enabled;
 extern int audit_suspended;
-#define BSM_SUCCESS 0
-#define BSM_FAILURE 1
-#define BSM_NOAUDIT 2
-
 /*
  * Define the masks for the audited arguments.
+ *
+ * XXXRW: These need to remain in audit.h for now because our vnode and name
+ * lookup audit calls rely on passing in flags to indicate which name or
+ * vnode is being logged. These should move to audit_private.h when that is
+ * fixed.
  */
 #define ARG_EUID 0x0000000000000001ULL
 #define ARG_RUID 0x0000000000000002ULL
@@ -99,177 +100,19 @@
 #define ARG_NONE 0x0000000000000000ULL
 #define ARG_ALL 0xFFFFFFFFFFFFFFFFULL
-#ifdef MALLOC_DECLARE
-MALLOC_DECLARE(M_AUDIT);
-#endif
-
-/* Defines for the kernel audit record k_ar_commit field */
-#define AR_COMMIT_KERNEL 0x00000001U
-#define AR_COMMIT_USER 0x00000010U
-
-struct vnode_au_info {
- mode_t vn_mode;
- uid_t vn_uid;
- gid_t vn_gid;
- dev_t vn_dev;
- long vn_fsid;
- long vn_fileid;
- long vn_gen;
-};
-
-struct groupset {
- gid_t gidset[NGROUPS];
- u_int gidset_size;
-};
-
-struct socket_au_info {
- int so_domain;
- int so_type;
- int so_protocol;
- in_addr_t so_raddr; /* remote address if INET socket */
- in_addr_t so_laddr; /* local address if INET socket */
- u_short so_rport; /* remote port */
- u_short so_lport; /* local port */
-};
-
-union auditon_udata {
- char *au_path;
- long au_cond;
- long au_flags;
- long au_policy;
- int au_trigger;
- au_evclass_map_t au_evclass;
- au_mask_t au_mask;
- auditinfo_t au_auinfo;
- auditpinfo_t au_aupinfo;
- auditpinfo_addr_t au_aupinfo_addr;
- au_qctrl_t au_qctrl;
- au_stat_t au_stat;
- au_fstat_t au_fstat;
-};
-
-struct posix_ipc_perm {
- uid_t pipc_uid;
- gid_t pipc_gid;
- mode_t pipc_mode;
-};
-
-struct audit_record {
- /* Audit record header. */
- u_int32_t ar_magic;
- int ar_event;
- int ar_retval; /* value returned to the process */
- int ar_errno; /* return status of system call */
- struct timespec ar_starttime;
- struct timespec ar_endtime;
- u_int64_t ar_valid_arg; /* Bitmask of valid arguments */
-
- /* Audit subject information. */
- struct xucred ar_subj_cred;
- uid_t ar_subj_ruid;
- gid_t ar_subj_rgid;
- gid_t ar_subj_egid;
- uid_t ar_subj_auid; /* Audit user ID */
- pid_t ar_subj_asid; /* Audit session ID */
- pid_t ar_subj_pid;
- struct au_tid ar_subj_term;
- char ar_subj_comm[MAXCOMLEN + 1];
- struct au_mask ar_subj_amask;
-
- /* Operation arguments. */
- uid_t ar_arg_euid;
- uid_t ar_arg_ruid;
- uid_t ar_arg_suid;
- gid_t ar_arg_egid;
- gid_t ar_arg_rgid;
- gid_t ar_arg_sgid;
- pid_t ar_arg_pid;
- pid_t ar_arg_asid;
- struct au_tid ar_arg_termid;
- uid_t ar_arg_uid;
- uid_t ar_arg_auid;
- gid_t ar_arg_gid;
- struct groupset ar_arg_groups;
- int ar_arg_fd;
- int ar_arg_fflags;
- mode_t ar_arg_mode;
- int ar_arg_dev;
- long ar_arg_value;
- void * ar_arg_addr;
- int ar_arg_len;
- int ar_arg_mask;
- u_int ar_arg_signum;
- char ar_arg_login[MAXLOGNAME];
- int ar_arg_ctlname[CTL_MAXNAME];
- struct sockaddr ar_arg_sockaddr;
- struct socket_au_info ar_arg_sockinfo;
- char *ar_arg_upath1;
- char *ar_arg_upath2;
- char *ar_arg_kpath1;
- char *ar_arg_kpath2;
- char *ar_arg_text;
- struct au_mask ar_arg_amask;
- struct vnode_au_info ar_arg_vnode1;
- struct vnode_au_info ar_arg_vnode2;
- int ar_arg_cmd;
- int ar_arg_svipc_cmd;
- struct ipc_perm ar_arg_svipc_perm;
- int ar_arg_svipc_id;
- void * ar_arg_svipc_addr;
- struct posix_ipc_perm ar_arg_pipc_perm;
- union auditon_udata ar_arg_auditon;
- int ar_arg_exitstatus;
- int ar_arg_exitretval;
-};
-
-/*
- * In-kernel version of audit record; the basic record plus queue meta-data.
- * This record can also have a pointer set to some opaque data that will
- * be passed through to the audit writing mechanism.
- */
-struct kaudit_record {
- struct audit_record k_ar;
- u_int32_t k_ar_commit;
- void *k_udata; /* user data */
- u_int k_ulen; /* user data length */
- struct uthread *k_uthread; /* thread we are auditing */
- TAILQ_ENTRY(kaudit_record) k_q;
-};
-
-struct proc;
-struct vnode;
-struct componentname;
-
-void audit_abort(struct kaudit_record *ar);
-void audit_commit(struct kaudit_record *ar, int error,
- int retval);
-
-struct kaudit_record *audit_new(int event, struct thread *td);
-
 void audit_syscall_enter(unsigned short code, struct thread *td);
 void audit_syscall_exit(int error, struct thread *td);
-int kaudit_to_bsm(struct kaudit_record *kar,
- struct au_record **pau);
-
-int bsm_rec_verify(void *rec);
-
 /*
- * Kernel versions of the BSM audit record functions.
- */
-struct au_record *kau_open(void);
-int kau_write(struct au_record *rec, token_t *m);
-void kau_close(struct au_record *rec,
- struct timespec *endtime, short event);
-void kau_free(struct au_record *rec);
-void kau_init(void);
-/*
  * The remaining kernel functions are conditionally compiled in as they
  * are wrapped by a macro, and the macro should be the only place in
  * the source tree where these functions are referenced.
  */
 #ifdef AUDIT
+struct ipc_perm;
+struct sockaddr;
+union auditon_udata;
 void audit_arg_addr(void * addr);
 void audit_arg_exit(int status, int retval);
 void audit_arg_len(int len);
==== //depot/projects/trustedbsd/audit3/sys/security/audit/audit_private.h#4 (text+ko) ====
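Review bot: In audit.h the forward declarations `struct proc;`, `struct vnode;` and `struct componentname;` are removed, yet the header keeps prototypes that name kernel structs by pointer: `struct thread *` is visible in audit_syscall_enter() and audit_syscall_exit(), and the audit_arg_*() list continues past the end of this hunk. If any remaining prototype still takes a `struct proc *` or `struct vnode *`, a file that includes audit.h before the defining headers gets a struct declared inside the parameter list, which the compiler warns about and treats as a distinct type. I would keep the forward declarations the public prototypes still need and add `struct thread;`, placed above audit_syscall_enter() rather than inside `#ifdef AUDIT`, so the kernel-public header does not depend on include order.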
@@ -24,9 +24,177 @@
 #ifndef _BSM_AUDIT_PRIVATE_H
 #define _BSM_AUDIT_PRIVATE_H
+#include <sys/ipc.h>
+#include <sys/socket.h>
+#include <sys/ucred.h>
+
+#define BSM_SUCCESS 0
+#define BSM_FAILURE 1
+#define BSM_NOAUDIT 2
+
+#ifdef MALLOC_DECLARE
+MALLOC_DECLARE(M_AUDIT);
+#endif
+
+/* Defines for the kernel audit record k_ar_commit field */
+#define AR_COMMIT_KERNEL 0x00000001U
+#define AR_COMMIT_USER 0x00000010U
+
+struct vnode_au_info {
+ mode_t vn_mode;
+ uid_t vn_uid;
+ gid_t vn_gid;
+ dev_t vn_dev;
+ long vn_fsid;
+ long vn_fileid;
+ long vn_gen;
+};
+
+struct groupset {
+ gid_t gidset[NGROUPS];
+ u_int gidset_size;
+};
+
+struct socket_au_info {
+ int so_domain;
+ int so_type;
+ int so_protocol;
+ in_addr_t so_raddr; /* remote address if INET socket */
+ in_addr_t so_laddr; /* local address if INET socket */
+ u_short so_rport; /* remote port */
+ u_short so_lport; /* local port */
+};
+
+union auditon_udata {
+ char *au_path;
+ long au_cond;
+ long au_flags;
+ long au_policy;
+ int au_trigger;
+ au_evclass_map_t au_evclass;
+ au_mask_t au_mask;
+ auditinfo_t au_auinfo;
+ auditpinfo_t au_aupinfo;
+ auditpinfo_addr_t au_aupinfo_addr;
+ au_qctrl_t au_qctrl;
+ au_stat_t au_stat;
+ au_fstat_t au_fstat;
+};
+
+struct posix_ipc_perm {
+ uid_t pipc_uid;
+ gid_t pipc_gid;
+ mode_t pipc_mode;
+};
+
+struct audit_record {
+ /* Audit record header. */
+ u_int32_t ar_magic;
+ int ar_event;
+ int ar_retval; /* value returned to the process */
+ int ar_errno; /* return status of system call */
+ struct timespec ar_starttime;
+ struct timespec ar_endtime;
+ u_int64_t ar_valid_arg; /* Bitmask of valid arguments */
+
+ /* Audit subject information. */
+ struct xucred ar_subj_cred;
+ uid_t ar_subj_ruid;
+ gid_t ar_subj_rgid;
+ gid_t ar_subj_egid;
+ uid_t ar_subj_auid; /* Audit user ID */
+ pid_t ar_subj_asid; /* Audit session ID */
+ pid_t ar_subj_pid;
+ struct au_tid ar_subj_term;
+ char ar_subj_comm[MAXCOMLEN + 1];
+ struct au_mask ar_subj_amask;
+
+ /* Operation arguments. */
+ uid_t ar_arg_euid;
+ uid_t ar_arg_ruid;
+ uid_t ar_arg_suid;
+ gid_t ar_arg_egid;
+ gid_t ar_arg_rgid;
+ gid_t ar_arg_sgid;
+ pid_t ar_arg_pid;
+ pid_t ar_arg_asid;
+ struct au_tid ar_arg_termid;
+ uid_t ar_arg_uid;
+ uid_t ar_arg_auid;
+ gid_t ar_arg_gid;
+ struct groupset ar_arg_groups;
+ int ar_arg_fd;
+ int ar_arg_fflags;
+ mode_t ar_arg_mode;
+ int ar_arg_dev;
+ long ar_arg_value;
+ void * ar_arg_addr;
+ int ar_arg_len;
+ int ar_arg_mask;
+ u_int ar_arg_signum;
+ char ar_arg_login[MAXLOGNAME];
+ int ar_arg_ctlname[CTL_MAXNAME];
+ struct sockaddr ar_arg_sockaddr;
+ struct socket_au_info ar_arg_sockinfo;
+ char *ar_arg_upath1;
+ char *ar_arg_upath2;
+ char *ar_arg_kpath1;
+ char *ar_arg_kpath2;
+ char *ar_arg_text;
+ struct au_mask ar_arg_amask;
+ struct vnode_au_info ar_arg_vnode1;
+ struct vnode_au_info ar_arg_vnode2;
+ int ar_arg_cmd;
+ int ar_arg_svipc_cmd;
+ struct ipc_perm ar_arg_svipc_perm;
+ int ar_arg_svipc_id;
+ void * ar_arg_svipc_addr;
+ struct posix_ipc_perm ar_arg_pipc_perm;
+ union auditon_udata ar_arg_auditon;
+ int ar_arg_exitstatus;
+ int ar_arg_exitretval;
+};
+
+/*
+ * In-kernel version of audit record; the basic record plus queue meta-data.
+ * This record can also have a pointer set to some opaque data that will
+ * be passed through to the audit writing mechanism.
+ */
+struct kaudit_record {
+ struct audit_record k_ar;
+ u_int32_t k_ar_commit;
+ void *k_udata; /* user data */
+ u_int k_ulen; /* user data length */
+ struct uthread *k_uthread; /* thread we are auditing */
+ TAILQ_ENTRY(kaudit_record) k_q;
+};
+
+void audit_abort(struct kaudit_record *ar);
+void audit_commit(struct kaudit_record *ar, int error,
+ int retval);
+
+struct kaudit_record *audit_new(int event, struct thread *td);
+
+int kaudit_to_bsm(struct kaudit_record *kar,
+ struct au_record **pau);
+
+int bsm_rec_verify(void *rec);
+
+/*
+ * Kernel versions of the BSM audit record functions.
+ */
+struct au_record *kau_open(void);
+int kau_write(struct au_record *rec, token_t *m);
+void kau_close(struct au_record *rec,
+ struct timespec *endtime, short event);
+void kau_free(struct au_record *rec);
+void kau_init(void);
+
+
 #define AU_PRS_SUCCESS 1
 #define AU_PRS_FAILURE 2
 #define AU_PRS_BOTH (AU_PRS_SUCCESS|AU_PRS_FAILURE)
+
 /*
  * Flags to use on audit files when opening and closing.
  */
==== //depot/projects/trustedbsd/audit3/sys/security/audit/audit_trigger.c#4 (text+ko) ====
@@ -35,6 +35,7 @@
 #include <sys/systm.h>
 #include <sys/uio.h>
+#include <security/audit/audit.h>
 #include <security/audit/audit_private.h>
 /*
home | help
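Review bot: audit_private.h now holds the full layout of `struct audit_record` and `struct kaudit_record`, but nothing in the added lines keeps it from being included outside the kernel or guarantees that it compiles on its own. The three new includes cover `struct ipc_perm`, `struct sockaddr` and `struct xucred`; `struct timespec`, `TAILQ_ENTRY`, `in_addr_t`, `NGROUPS`, `MAXCOMLEN`, `MAXLOGNAME`, `CTL_MAXNAME` and the BSM types (`au_mask_t`, `token_t`, ...) must come from whatever the includer pulled in first, which is presumably why the audit_trigger.c hunk adds `#include <security/audit/audit.h>` ahead of it. Since the header is meant to be private, I would open it with `#ifndef _KERNEL` / `#error "no user-serviceable parts inside"` / `#endif` and either add the missing includes or state the required include order in a comment at the top. A one-line comment on `struct audit_record` saying that an `ar_arg_*` field is meaningful only when its `ARG_*` bit is set in `ar_valid_arg` would also help; that is my reading of the "Bitmask of valid arguments" comment and should be confirmed.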
