From owner-p4-projects@FreeBSD.ORG Thu Jul 8 19:01:38 2010 Return-Path: Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id 818361065677; Thu, 8 Jul 2010 19:01:38 +0000 (UTC) Delivered-To: perforce@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 45E8C106566C for ; Thu, 8 Jul 2010 19:01:38 +0000 (UTC) (envelope-from gpf@FreeBSD.org) Received: from repoman.freebsd.org (repoman.freebsd.org [IPv6:2001:4f8:fff6::29]) by mx1.freebsd.org (Postfix) with ESMTP id 32E8D8FC17 for ; Thu, 8 Jul 2010 19:01:38 +0000 (UTC) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.14.3/8.14.3) with ESMTP id o68J1c9D095624 for ; Thu, 8 Jul 2010 19:01:38 GMT (envelope-from gpf@FreeBSD.org) Received: (from perforce@localhost) by repoman.freebsd.org (8.14.3/8.14.3/Submit) id o68J1cwg095622 for perforce@freebsd.org; Thu, 8 Jul 2010 19:01:38 GMT (envelope-from gpf@FreeBSD.org) Date: Thu, 8 Jul 2010 19:01:38 GMT Message-Id: <201007081901.o68J1cwg095622@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to gpf@FreeBSD.org using -f 
From: Efstratios Karatzas To: Perforce Change Reviews Precedence: bulk Cc: Subject: PERFORCE change 180657 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.5 List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 08 Jul 2010 19:01:38 -0000 http://p4web.freebsd.org/@@180657?ac=10 Change 180657 by gpf@gpf_desktop on 2010/07/08 19:00:38 - audit vnode info for nfsv4 open* rpcs - instead of having just one AUE for nfsv4 rpc 'open', it's better to differentiate between multiple AUEs, each for the way we are opening the file, just like we do for open(2). The problem with my implementation is that I'm ignoring deny_shares, this does not seem to be right but, *if* my understanding is correct, FreeBSD does not support deny_shares and we just use deny_none anyway. I may have to take another look at this in the future but for now, it's working and I'm moving on. This may need to be done for other NFS RPCs, I'm investigating it. Affected files ... .. //depot/projects/soc2010/gpf_audit/freebsd/src/contrib/openbsm/etc/audit_event#7 edit .. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/bsm/audit_kevents.h#5 edit .. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/fs/nfs/nfs.h#2 edit .. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/fs/nfsserver/nfs_nfsdserv.c#11 edit .. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit.c#9 edit .. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit_bsm.c#15 edit .. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit_bsm_klib.c#4 edit .. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit_private.h#6 edit Differences ... ==== //depot/projects/soc2010/gpf_audit/freebsd/src/contrib/openbsm/etc/audit_event#7 (text) ==== 
@@ -397,7 +397,7 @@
 2029:AUE_NFS_LOCKU:nfsrv_locku():fm
 2030:AUE_NFS_LOOKUPP:nfsrv_lookupp():fa,ad
 2031:AUE_NFS_NVERIFY:nfsrv_nverify():fa
-2032:AUE_NFS_OPEN:nfsrv_open():fa,fc
+2032:AUE_NFS_OPEN:nfsrv_open():fa
 2033:AUE_NFS_OPENATTR:nfsrv_openattr():fa
 2034:AUE_NFS_OPENCONFIRM:nfsrv_openconfirm():fa
 2035:AUE_NFS_OPENDOWNGRADE:nfsrv_opendowngrade():fm
@@ -412,6 +412,18 @@
 2044:AUE_NFS_SETCLIENTIDCFRM:nfsrv_setclientidcfrm():aa
 2045:AUE_NFS_VERIFY:nfsrv_verify():fa
 2046:AUE_NFS_RELEASELCKOWN:nfsrv_releaselckown():ad
+2047:AUE_NFS_OPEN_R:nfsrv_open() - read:fr
+2048:AUE_NFS_OPEN_RC:nfsrv_open() - read, creat:fr,fc,fa,fm
+2049:AUE_NFS_OPEN_RTC:nfsrv_open() - read, trunc, creat:fr,fd,fc,fa,fm
+2050:AUE_NFS_OPEN_RT:nfsrv_open() - read, trunc:fr,fd,fa,fm
+2051:AUE_NFS_OPEN_RW:nfsrv_open() - read, write:fr,fw
+2052:AUE_NFS_OPEN_RWC:nfsrv_open() - read, write, creat:fr,fw,fc,fa,fm
+2053:AUE_NFS_OPEN_RWTC:nfsrv_open() - read, write, trunc, creat:fr,fw,fd,fc,fa,fm
+2054:AUE_NFS_OPEN_RWT:nfsrv_open() - read, write, trunc:fr,fw,fd,fa,fm
+2055:AUE_NFS_OPEN_W:nfsrv_open() - write:fw
+2056:AUE_NFS_OPEN_WC:nfsrv_open() - write, creat:fw,fc,fa,fm
+2057:AUE_NFS_OPEN_WTC:nfsrv_open() - write, trunc, creat:fw,fd,fc,fa,fm
+2058:AUE_NFS_OPEN_WT:nfsrv_open() - write, trunc:fw,fd,fa,fm
 #
 # OpenBSM-specific kernel events.
 #
==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/bsm/audit_kevents.h#5 (text) ====
@@ -435,6 +435,18 @@ #define AUE_NFS_SETCLIENTIDCFRM 2044 #define AUE_NFS_VERIFY 2045 #define AUE_NFS_RELEASELCKOWN 2046 +#define AUE_NFS_OPEN_R 2047 +#define AUE_NFS_OPEN_RC 2048 +#define AUE_NFS_OPEN_RTC 2049 +#define AUE_NFS_OPEN_RT 2050 +#define AUE_NFS_OPEN_RW 2051 +#define AUE_NFS_OPEN_RWC 2052 +#define AUE_NFS_OPEN_RWTC 2053 +#define AUE_NFS_OPEN_RWT 2054 +#define AUE_NFS_OPEN_W 2055 +#define AUE_NFS_OPEN_WC 2056 +#define AUE_NFS_OPEN_WTC 2057 +#define AUE_NFS_OPEN_WT 2058 /* * Audit event identifiers added as part of OpenBSM, generally corresponding ==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/fs/nfs/nfs.h#2 (text+ko) ==== @@ -273,6 +273,10 @@ #define LCL_GSS LCL_KERBV /* Or of all mechs */ +/* flags for auditing the open RPC */ +#define NFS_CREATE 0x00000010 +#define NFS_TRUNC 0x00000020 + /* * Bits for flags in nfslock and nfsstate. * The access, deny, NFSLCK_READ and NFSLCK_WRITE bits must be defined as ==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/fs/nfsserver/nfs_nfsdserv.c#11 (text+ko) ==== @@ -2479,6 +2479,7 @@ char *bufp = NULL; u_long *hashp; NFSACL_T *aclp = NULL; + int AUDIT_flags = 0; #ifdef NFS4_ACL_EXTATTR_NAME aclp = acl_alloc(M_WAITOK); @@ -2534,6 +2535,8 @@ default: nd->nd_repstat = NFSERR_INVAL; }; + AUDIT_flags = stp->ls_flags & ( NFSLCK_READACCESS | NFSLCK_WRITEACCESS + | NFSLCK_READDENY | NFSLCK_WRITEDENY); clientid.lval[0] = *tl++; clientid.lval[1] = *tl; if (nd->nd_flag & ND_IMPLIEDCLID) { @@ -2555,6 +2558,8 @@ NFSVNO_ATTRINIT(&nva); NFSM_DISSECT(tl, u_int32_t *, NFSX_UNSIGNED); create = fxdr_unsigned(int, *tl); + if (create) + AUDIT_flags |= NFS_CREATE; if (!nd->nd_repstat) nd->nd_repstat = nfsvno_getattr(dp, &dirfor, nd->nd_cred, p); if (create == NFSV4OPEN_CREATE) { @@ -2565,7 +2570,7 @@ switch (how) { case NFSCREATE_UNCHECKED: case NFSCREATE_GUARDED: - error = nfsv4_sattr(nd, &nva, &attrbits, aclp, p); + error = nfsv4_sattr(nd, &nva, &attrbits, aclp, p); if (error) { vrele(dp); #ifdef NFS4_ACL_EXTATTR_NAME 
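Review bot: The `@@ -2534,6 +2535,8 @@` hunk of nfs_nfsdserv.c copies the NFSLCK_READACCESS, NFSLCK_WRITEACCESS, NFSLCK_READDENY and NFSLCK_WRITEDENY bits out of `stp->ls_flags`, but the lookup added in audit_bsm_klib.c compares the result against the separately defined NFS_READACCESS … NFS_WRITEDENY values from audit_private.h. Nothing visible in this change ties the two sets of constants together, so if the NFSLCK_* values differ or are renumbered later, opens would be mapped to the wrong event or fall back to AUE_NFS_OPEN without any build error. Either translate the bits explicitly at this point or pin the assumption at compile time, for example `CTASSERT(NFSLCK_READACCESS == NFS_READACCESS);` repeated for each of the four bits. The enclosing function starts and ends outside the hunk.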
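Review bot: In the `@@ -2555,6 +2558,8 @@` hunk, `if (create)` sets NFS_CREATE for any non-zero value of the word just dissected from the request, while the server only takes the create path when `create == NFSV4OPEN_CREATE` a few lines below. A request carrying some other non-zero value would therefore be audited as a create-class open even though no create is attempted, which makes the trail disagree with what the server did. Testing the same constant keeps the two in step: `if (create == NFSV4OPEN_CREATE)` followed by `AUDIT_flags |= NFS_CREATE;`. The enclosing function starts and ends outside the hunk.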
@@ -2688,6 +2693,9 @@ nva.na_mode = 0; }; } + /* XXXgpf: not sure this means that we are to truncate the file */ + if (NFSVNO_ISSETSIZE(&nva) && nva.na_size == 0) + AUDIT_flags |= NFS_TRUNC; nfsvno_open(nd, &named, clientid, &stateid, stp, &exclusive_flag, &nva, cverf, create, aclp, &attrbits, nd->nd_cred, p, exp, &vp); @@ -2725,6 +2733,7 @@ FREE((caddr_t)stp, M_NFSDSTATE); return (0); } + AUDIT_ARG_FFLAGS(AUDIT_flags); /* * Do basic access checking. @@ -2771,8 +2780,10 @@ * below, to avoid a deadlock with the lookup in nfsvno_namei() above. * (ie: Leave the NFSVOPUNLOCK() about here.) */ - if (vp) + if (vp) { + AUDIT_ARG_VNODE1(vp); NFSVOPUNLOCK(vp, 0, p); + } if (stp) FREE((caddr_t)stp, M_NFSDSTATE); if (!nd->nd_repstat && dirp) @@ -2993,6 +3004,8 @@ nfsv4stateid_t stateid; nfsquad_t clientid; + if (vp != NULL) + AUDIT_ARG_VNODE1(vp); NFSM_DISSECT(tl, u_int32_t *, NFSX_STATEID + NFSX_UNSIGNED); stp->ls_ownerlen = 0; stp->ls_op = nd->nd_rp; @@ -3037,6 +3050,8 @@ nfsv4stateid_t stateid; nfsquad_t clientid; + if (vp != NULL) + AUDIT_ARG_VNODE1(vp); NFSM_DISSECT(tl, u_int32_t *, NFSX_STATEID + 3 * NFSX_UNSIGNED); stp->ls_ownerlen = 0; stp->ls_op = nd->nd_rp; ==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit.c#9 (text) ==== @@ -437,6 +437,10 @@ /* Convert the auditon() command to an event. */ ar->k_ar.ar_event = auditon_command_event(ar->k_ar.ar_arg_cmd); break; + + case AUE_NFS_OPEN: + ar->k_ar.ar_event = audit_flags_to_nfs_openevent(ar->k_ar.ar_arg_fflags); + break; } auid = ar->k_ar.ar_subj_auid; ==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit_bsm.c#15 (text) ==== 
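Review bot: `AUDIT_ARG_FFLAGS(AUDIT_flags)` in the `@@ -2725,6 +2733,7 @@` hunk sits directly after a path that frees `stp` and does `return (0)`, so a request leaving through that path is committed without flags and is recorded as plain AUE_NFS_OPEN. Because this change also narrows AUE_NFS_OPEN to class `fa` in audit_event, rejected or early-terminated opens for write, create or truncate would not be picked up by `fw`/`fc`/`fd` preselection, and failed attempts are often exactly what someone reading the trail wants to see. Recording the flags as soon as they are complete, i.e. moving `AUDIT_ARG_FFLAGS(AUDIT_flags);` to just after the NFS_TRUNC test added in the `@@ -2688,6 +2693,9 @@` hunk, appears to cover that exit as well. The function body extends beyond these hunks, so there may be other exits I cannot see.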
@@ -1676,6 +1676,18 @@ break; /* XXXgpf: temporary fallthrough for nfsv4 events */ + case AUE_NFS_OPEN_RC: + case AUE_NFS_OPEN_RTC: + case AUE_NFS_OPEN_RWC: + case AUE_NFS_OPEN_RWTC: + case AUE_NFS_OPEN_WC: + case AUE_NFS_OPEN_WTC: + if (ARG_IS_VALID(kar, ARG_MODE)) { + tok = au_to_arg32(3, "mode", ar->ar_arg_mode); + kau_write(rec, tok); + } + + /* FALLTHROUGH */ case AUE_NFS_PUTFH: case AUE_NFS_PUTPUBFH: case AUE_NFS_PUTROOTFH: @@ -1690,6 +1702,12 @@ case AUE_NFS_LOCKU: case AUE_NFS_NVERIFY: case AUE_NFS_OPEN: + case AUE_NFS_OPEN_R: + case AUE_NFS_OPEN_RT: + case AUE_NFS_OPEN_RW: + case AUE_NFS_OPEN_RWT: + case AUE_NFS_OPEN_W: + case AUE_NFS_OPEN_WT: case AUE_NFS_OPENATTR: case AUE_NFS_OPENCONFIRM: case AUE_NFS_OPENDOWNGRADE: ==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit_bsm_klib.c#4 (text) ==== @@ -112,6 +112,22 @@ }; static const int aue_openat_count = sizeof(aue_openat) / sizeof(aue_openat[0]); +static const struct aue_open_event aue_nfs_open[] = { + { NFS_READACCESS, AUE_NFS_OPEN_R }, + { (NFS_READACCESS | NFS_CREATE), AUE_NFS_OPEN_RC }, + { (NFS_READACCESS | NFS_CREATE | NFS_TRUNC), AUE_NFS_OPEN_RTC }, + { (NFS_READACCESS | NFS_TRUNC), AUE_NFS_OPEN_RT }, + { NFS_RWACCESS, AUE_NFS_OPEN_RW }, + { (NFS_RWACCESS | NFS_CREATE), AUE_NFS_OPEN_RWC }, + { (NFS_RWACCESS | NFS_CREATE | NFS_TRUNC), AUE_NFS_OPEN_RWTC }, + { (NFS_RWACCESS | NFS_TRUNC), AUE_NFS_OPEN_RWT }, + { NFS_WRITEACCESS, AUE_NFS_OPEN_W }, + { (NFS_WRITEACCESS | NFS_CREATE), AUE_NFS_OPEN_WC }, + { (NFS_WRITEACCESS | NFS_CREATE | NFS_TRUNC), AUE_NFS_OPEN_WTC }, + { (NFS_WRITEACCESS | NFS_TRUNC), AUE_NFS_OPEN_WT }, +}; +static const int aue_nfs_open_count = sizeof(aue_nfs_open) / sizeof(aue_nfs_open[0]); + /* * Look up the class for an audit event in the class mapping table. */ 
@@ -319,6 +335,25 @@ return (AUE_OPENAT); } +au_event_t +audit_flags_to_nfs_openevent(int oflags) +{ + int i; + + /* + * Need to check only those flags we care about. + * XXXgpf: Actually, the deny bits are ignored when + * determining a specific event type + */ + oflags = oflags & (NFS_READACCESS | NFS_WRITEACCESS | NFS_READDENY + | NFS_WRITEDENY | NFS_CREATE | NFS_TRUNC); + for (i = 0; i < aue_nfs_open_count; i++) { + if (aue_nfs_open[i].aoe_flags == oflags) + return (aue_nfs_open[i].aoe_event); + } + return (AUE_NFS_OPEN); +} + /* * Convert a MSGCTL command to a specific event. */ ==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/security/audit/audit_private.h#6 (text) ==== @@ -336,6 +336,15 @@ #define ND_NFSV3 0x00000008 #define ND_NFSV4 0x00000010 +#define NFS_READACCESS 0x00000001 +#define NFS_WRITEACCESS 0x00000002 +#define NFS_RWACCESS NFS_READACCESS | NFS_WRITEACCESS +#define NFS_READDENY 0x00000004 +#define NFS_WRITEDENY 0x00000008 +#define NFS_RWDENY NFS_READDENY | NFS_WRITEDENY +#define NFS_CREATE 0x00000010 +#define NFS_TRUNC 0x00000020 + /* * Functions relating to the conversion of internal kernel audit records to * the BSM file format. @@ -397,6 +406,7 @@ au_event_t audit_ctlname_to_sysctlevent(int name[], uint64_t valid_arg); au_event_t audit_flags_and_error_to_openevent(int oflags, int error); au_event_t audit_flags_and_error_to_openatevent(int oflags, int error); +au_event_t audit_flags_to_nfs_openevent(int oflags); au_event_t audit_msgctl_to_event(int cmd); au_event_t audit_semctl_to_event(int cmr); void audit_canon_path(struct thread *td, char *path, char *cpath);
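Review bot: The mask in `audit_flags_to_nfs_openevent()` keeps NFS_READDENY and NFS_WRITEDENY, yet no `aue_nfs_open[]` entry contains a deny bit and the loop compares with `==`, so the code does the opposite of what its XXXgpf comment says: any open that carries a deny bit matches nothing and returns AUE_NFS_OPEN. The deny bits are copied from `stp->ls_flags` in nfs_nfsdserv.c, which appears to be filled from the request, and this change reduces AUE_NFS_OPEN to class `fa` in audit_event. As a result, a write, create or truncate open that happens to set a deny bit would drop out of `fw`, `fc` and `fd` selection. Masking only the bits the table actually uses makes the comment true: `oflags &= (NFS_READACCESS | NFS_WRITEACCESS | NFS_CREATE | NFS_TRUNC);`.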
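Review bot: `NFS_RWACCESS` and `NFS_RWDENY` in the `@@ -336,6 +336,15 @@` hunk of audit_private.h expand to an unparenthesised `a | b`, so an expression such as `flags & NFS_RWACCESS` would parse as `(flags & NFS_READACCESS) | NFS_WRITEACCESS`; the table in audit_bsm_klib.c only ORs them together, which is why it works today. They should read `#define NFS_RWACCESS (NFS_READACCESS | NFS_WRITEACCESS)` and `#define NFS_RWDENY (NFS_READDENY | NFS_WRITEDENY)`. NFS_CREATE and NFS_TRUNC are also defined a second time in sys/fs/nfs/nfs.h by this same change; a single definition shared by the code that sets the flags and the code that looks them up would keep the two from drifting apart.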