Date: Wed, 25 Oct 2006 20:56:18 GMT From: Todd Miller <millert@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 108433 for review Message-ID: <200610252056.k9PKuIMX082035@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=108433 Change 108433 by millert@millert_macbook on 2006/10/25 20:55:51 Log path buffer in avc audit logs. Note that the path may be relative rather than absolute but is better than nothing. Affected files ... .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/avc/avc.c#4 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/avc/avc.h#3 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#27 edit Differences ... ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/avc/avc.c#4 (text+ko) ==== @@ -705,6 +705,8 @@ #endif case AVC_AUDIT_DATA_FS: if (a->u.fs.vp && tsk) { + char *pbuf = NULL; + char *path = a->u.fs.path; struct vnode *vp = a->u.fs.vp; struct vnode_attr va; struct vfs_context vfs_ctx = @@ -712,10 +714,22 @@ VATTR_INIT(&va); VATTR_WANTED(&va, va_fileid); if (vnode_getattr(vp, &va, &vfs_ctx) == 0) { - audit_log_format(ab, - " inode=%llu, mountpoint=%s,", - va.va_fileid, + audit_log_format(ab, " inode=%llu, " + "mountpoint=%s,", va.va_fileid, vp->v_mount->mnt_vfsstat.f_mntonname); + if (path == NULL) { + int len = MAXPATHLEN; + pbuf = sebsd_malloc(MAXPATHLEN, + M_SEBSD, M_NOWAIT); + if (pbuf != NULL && + !vn_getpath(vp, pbuf, &len)) + path = pbuf; + } + if (path != NULL) + audit_log_format(ab, + " path=%s,", path); + if (pbuf != NULL) + sebsd_free(pbuf, M_SEBSD); break; } audit_log_format(ab, ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/avc/avc.h#3 (text+ko) ==== @@ -49,6 +49,7 @@ union { struct { struct vnode *vp; + char *path; } fs; struct { char *netif; ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#27 (text+ko) ==== @@ -440,7 +440,7 @@ } static int -vnode_has_perm(struct ucred *cred, struct vnode *vp, u_int32_t perm) +vnode_has_perm(struct ucred *cred, struct vnode *vp, char *path, u_int32_t perm) { struct task_security_struct *task; struct vnode_security_struct *file; 
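Review bot: The path lookup and the `" path=%s,"` record are nested inside the `if (vnode_getattr(vp, &va, &vfs_ctx) == 0)` branch of the `AVC_AUDIT_DATA_FS` case, so an audit record whose getattr fails never gets a path even though `a->u.fs.path` and `vn_getpath()` do not depend on the attributes; moving the `if (path == NULL) { ... }` block together with the `path != NULL` log call and the `sebsd_free()` ahead of the getattr test would let both branches emit it (the fallback `audit_log_format()` after the `break` is cut off by the hunk, so its field order would need checking). The string comes either from a caller's `cn_pnbuf` or from `vn_getpath()` and is written into the comma-delimited record verbatim, so a `,`, `=` or newline in a name is read as a field break by anything parsing the log; routing it through an escaping helper, the way the Linux AVC does with audit_log_untrustedstring(), keeps the record parseable. `len` is passed to `vn_getpath()` but never read afterwards, which is fine only if `vn_getpath()` NUL-terminates `pbuf` on success — a one-line comment `/* vn_getpath() NUL-terminates pbuf on success; len is only a bound */` would make that assumption visible.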
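Review bot: The new `path` member of the `fs` audit union carries no contract: nothing says it may be NULL, that the struct does not own it, that it may be a relative name, or how long it stays valid. Every producer in this change points it at a caller's `cnp->cn_pnbuf` or leaves it NULL, and the consumer in avc.c only reads it during the audit call, so a comment on the member would pin that down: `char *path; /* optional pathname for the audit record only; not owned, may be relative, valid only for the duration of avc_has_perm() */`. Since the pointer is only ever printed, `const char *` would state that as well; the matching local in avc.c and the new `vnode_has_perm()` parameter in sebsd.c would need the same qualifier.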
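Review bot: The added `char *path` parameter of `vnode_has_perm()` is undocumented, and most call sites in this change pass `NULL`, so a reader of the prototype cannot tell that it is optional and only feeds the audit record. A comment above the signature, `/* path: optional pathname for the audit record; may be NULL */`, would carry that; the function body continues outside the hunk.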
@@ -451,6 +451,7 @@ AVC_AUDIT_DATA_INIT(&ad, FS); ad.u.fs.vp = vp; + ad.u.fs.path = path; /* Update security class if not set or vnode was recycled. */ if (file->sclass == 0 || vp->v_type == VBAD) @@ -1482,7 +1483,7 @@ vsec = SLOT(vl); task = SLOT(cred->cr_label); - rc = vnode_has_perm(cred, vp, FILE__MOUNTON); + rc = vnode_has_perm(cred, vp, NULL, FILE__MOUNTON); if (rc) goto done; @@ -1950,7 +1951,7 @@ if (mask == 0) return (0); - return (vnode_has_perm(cred, vp, + return (vnode_has_perm(cred, vp, NULL, file_mask_to_av(vp->v_type, mask))); } @@ -1960,7 +1961,7 @@ { /* MAY_EXEC ~= DIR__SEARCH */ - return (vnode_has_perm(cred, dvp, DIR__SEARCH)); + return (vnode_has_perm(cred, dvp, NULL, DIR__SEARCH)); } static int @@ -1970,7 +1971,7 @@ /* TBD: Incomplete, SELinux also check capability(CAP_SYS_CHROOT)) */ /* MAY_EXEC ~= DIR__SEARCH */ - return (vnode_has_perm(cred, dvp, DIR__SEARCH)); + return (vnode_has_perm(cred, dvp, NULL, DIR__SEARCH)); } static int @@ -1995,6 +1996,7 @@ AVC_AUDIT_DATA_INIT(&ad, FS); ad.u.fs.vp = dvp; + ad.u.fs.path = cnp->cn_pnbuf; rc = avc_has_perm(task->sid, dir->sid, SECCLASS_DIR, DIR__ADD_NAME | DIR__SEARCH, &ad); @@ -2051,6 +2053,7 @@ AVC_AUDIT_DATA_INIT(&ad, FS); ad.u.fs.vp = vp; + ad.u.fs.path = cnp->cn_pnbuf; rc = avc_has_perm(task->sid, dir->sid, SECCLASS_DIR, DIR__SEARCH | DIR__REMOVE_NAME, &ad); @@ -2073,7 +2076,7 @@ struct label *label, acl_type_t type) { - return (vnode_has_perm(cred, vp, FILE__SETATTR)); + return (vnode_has_perm(cred, vp, NULL, FILE__SETATTR)); } #endif @@ -2083,10 +2086,10 @@ { int error; - error = vnode_has_perm(cred, v1, FILE__READ | FILE__WRITE); + error = vnode_has_perm(cred, v1, NULL, FILE__READ | FILE__WRITE); if (error) return (error); - return (vnode_has_perm(cred, v2, FILE__READ | FILE__WRITE)); + return (vnode_has_perm(cred, v2, NULL, FILE__READ | FILE__WRITE)); } static int 
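Review bot: In the `@@ -1995` hunk `ad.u.fs.path = cnp->cn_pnbuf` is the caller's lookup string for the entry being created, while `ad.u.fs.vp = dvp` is the parent directory, so the `inode=`/`mountpoint=` fields and the `path=` field of one record describe two different objects; the same applies to the `@@ -2051` hunk here and to `@@ -2208` and `@@ -2228` on the next line. Because avc.c prints both a caller-supplied name and a `vn_getpath()` result under the same `path=` key, a log consumer cannot tell a relative, user-typed name from a kernel-resolved path. Keeping them apart, as SELinux does with `name=` for the component and `path=` for the resolved path, or at least a comment at these assignments such as `/* lookup string as passed by the caller, not the resolved path of dvp */`, would avoid that ambiguity.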
@@ -2151,7 +2154,7 @@ struct label *label, acl_type_t type) { - return (vnode_has_perm(cred, vp, FILE__GETATTR)); + return (vnode_has_perm(cred, vp, NULL, FILE__GETATTR)); } #endif @@ -2160,7 +2163,7 @@ struct label *vlabel, struct attrlist *alist) { - return (vnode_has_perm(cred, vp, FILE__GETATTR)); + return (vnode_has_perm(cred, vp, NULL, FILE__GETATTR)); } static int @@ -2168,7 +2171,7 @@ struct label *label, const char *name, struct uio *uio) { - return (vnode_has_perm(cred, vp, FILE__GETATTR)); + return (vnode_has_perm(cred, vp, NULL, FILE__GETATTR)); } #if defined(FILE__POLL) && defined(FILE__GETATTR) @@ -2180,9 +2183,9 @@ switch (kn->kn_filter) { case EVFILT_READ: case EVFILT_WRITE: - return (vnode_has_perm(cred, vp, FILE__POLL)); + return (vnode_has_perm(cred, vp, NULL, FILE__POLL)); case EVFILT_VNODE: - return (vnode_has_perm(cred, vp, FILE__GETATTR)); + return (vnode_has_perm(cred, vp, NULL, FILE__GETATTR)); default: return (0); } @@ -2208,6 +2211,7 @@ AVC_AUDIT_DATA_INIT(&ad, FS); ad.u.fs.vp = vp; + ad.u.fs.path = cnp->cn_pnbuf; rc = avc_has_perm(task->sid, dir->sid, SECCLASS_DIR, DIR__SEARCH | DIR__ADD_NAME, &ad); @@ -2228,7 +2232,7 @@ return (ENOTDIR); /* TBD: DIR__READ as well? */ - return (vnode_has_perm(cred, dvp, DIR__SEARCH)); + return (vnode_has_perm(cred, dvp, cnp->cn_pnbuf, DIR__SEARCH)); } static int @@ -2247,7 +2251,7 @@ if (!mask) return (0); - return (vnode_has_perm(cred, vp, + return (vnode_has_perm(cred, vp, NULL, file_mask_to_av(vp->v_type, mask))); } @@ -2256,7 +2260,7 @@ struct vnode *vp, struct label *label) { - return (vnode_has_perm(cred, vp, FILE__READ)); + return (vnode_has_perm(cred, vp, NULL, FILE__READ)); } static int @@ -2264,7 +2268,7 @@ struct label *dlabel) { - return (vnode_has_perm(cred, dvp, DIR__READ)); + return (vnode_has_perm(cred, dvp, NULL, DIR__READ)); } static int 
@@ -2272,7 +2276,7 @@ struct label *label) { - return (vnode_has_perm(cred, vp, FILE__READ)); + return (vnode_has_perm(cred, vp, NULL, FILE__READ)); } static int @@ -2342,6 +2346,8 @@ sebsd_audit_sid("source directory", old_dir->sid); AVC_AUDIT_DATA_INIT(&ad, FS); + ad.u.fs.vp = vp; + ad.u.fs.path = cnp->cn_pnbuf; rc = avc_has_perm(task->sid, old_dir->sid, SECCLASS_DIR, DIR__REMOVE_NAME | DIR__SEARCH, &ad); @@ -2400,6 +2406,7 @@ AVC_AUDIT_DATA_INIT(&ad, FS); ad.u.fs.vp = vp; + ad.u.fs.path = cnp->cn_pnbuf; rc = avc_has_perm(task->sid, new_dir->sid, SECCLASS_DIR, av, NULL); if (rc) @@ -2439,7 +2446,7 @@ struct label *label, int which) { - return (vnode_has_perm(cred, vp, FILE__POLL)); + return (vnode_has_perm(cred, vp, NULL, FILE__POLL)); } #endif @@ -2449,7 +2456,7 @@ struct label *label, acl_type_t type, struct acl *acl) { - return (vnode_has_perm(cred, vp, FILE__SETATTR)); + return (vnode_has_perm(cred, vp, NULL, FILE__SETATTR)); } #endif @@ -2459,7 +2466,7 @@ struct label *vlabel, struct attrlist *alist) { - return (vnode_has_perm(cred, vp, FILE__SETATTR)); + return (vnode_has_perm(cred, vp, NULL, FILE__SETATTR)); } #endif @@ -2468,7 +2475,7 @@ struct label *label, const char *name, struct uio *uio) { - return (vnode_has_perm(cred, vp, FILE__SETATTR)); + return (vnode_has_perm(cred, vp, NULL, FILE__SETATTR)); } static int @@ -2476,7 +2483,7 @@ struct label *label, u_long flags) { - return (vnode_has_perm(cred, vp, FILE__SETATTR)); + return (vnode_has_perm(cred, vp, NULL, FILE__SETATTR)); } static int @@ -2484,7 +2491,7 @@ struct label *label, mode_t mode) { - return (vnode_has_perm(cred, vp, FILE__SETATTR)); + return (vnode_has_perm(cred, vp, NULL, FILE__SETATTR)); } static int @@ -2492,7 +2499,7 @@ struct label *label, uid_t uid, gid_t gid) { - return (vnode_has_perm(cred, vp, FILE__SETATTR)); + return (vnode_has_perm(cred, vp, NULL, FILE__SETATTR)); } static int 
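Review bot: In the `@@ -2400` hunk the new `ad.u.fs.path = cnp->cn_pnbuf;` has no effect, because the `avc_has_perm(task->sid, new_dir->sid, SECCLASS_DIR, av, NULL)` call two lines below passes `NULL` as the audit data rather than `&ad`, so neither the vp set just above it nor the path reaches the record. Unless dropping the audit data there is deliberate, the call should read `rc = avc_has_perm(task->sid, new_dir->sid, SECCLASS_DIR, av, &ad);`, matching the other DIR checks in this change. The `@@ -2342` hunk in the same function is the first place the rename hook sets `ad.u.fs.vp` at all, which looks like a fix of a pre-existing gap rather than part of the path feature and may deserve a mention in the description.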
@@ -2500,7 +2507,7 @@ struct label *label, struct timespec atime, struct timespec mtime) { - return (vnode_has_perm(cred, vp, FILE__SETATTR)); + return (vnode_has_perm(cred, vp, NULL, FILE__SETATTR)); } static int @@ -2508,7 +2515,7 @@ struct vnode *vp, struct label *vnodelabel) { - return (vnode_has_perm(cred, vp, FILE__GETATTR)); + return (vnode_has_perm(cred, vp, NULL, FILE__GETATTR)); } static int @@ -2831,7 +2838,7 @@ struct label *vnodelabel) { - return (vnode_has_perm(cred, vp, FILE__SWAPON)); + return (vnode_has_perm(cred, vp, NULL, FILE__SWAPON)); } #if 0 @@ -2840,7 +2847,7 @@ struct label *vnodelabel) { - return (vnode_has_perm(cred, vp, FILE__SWAPON)); + return (vnode_has_perm(cred, vp, NULL, FILE__SWAPON)); } #endif @@ -2863,7 +2870,7 @@ struct vnode *vp, struct label *label) { - return (vnode_has_perm(cred, vp, FILE__WRITE)); + return (vnode_has_perm(cred, vp, NULL, FILE__WRITE)); } static int @@ -2885,7 +2892,7 @@ if (prot & PROT_EXEC) av |= FILE__EXECUTE; - return (vnode_has_perm(cred, vp, av)); + return (vnode_has_perm(cred, vp, NULL, av)); } return (0); } @@ -2908,7 +2915,7 @@ if (prot & PROT_EXEC) av |= FILE__EXECUTE; - return (vnode_has_perm(cred, vp, av)); + return (vnode_has_perm(cred, vp, NULL, av)); } return (0); } @@ -3026,7 +3033,7 @@ return (0); return (vnode_has_perm(cred, (struct vnode *)fg->fg_data, - FILE__IOCTL)); + NULL, FILE__IOCTL)); } /*