From owner-p4-projects@FreeBSD.ORG Tue Mar 25 22:03:50 2008 Return-Path: Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id 13071106566B; Tue, 25 Mar 2008 22:03:50 +0000 (UTC) Delivered-To: perforce@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id AEBFD1065674 for ; Tue, 25 Mar 2008 22:03:49 +0000 (UTC) (envelope-from wsalamon@computer.org) Received: from repoman.freebsd.org (repoman.freebsd.org [IPv6:2001:4f8:fff6::29]) by mx1.freebsd.org (Postfix) with ESMTP id 897F08FC1A for ; Tue, 25 Mar 2008 22:03:49 +0000 (UTC) (envelope-from wsalamon@computer.org) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.14.1/8.14.1) with ESMTP id m2PM3n9t013680 for ; Tue, 25 Mar 2008 22:03:49 GMT (envelope-from wsalamon@computer.org) Received: (from perforce@localhost) by repoman.freebsd.org (8.14.1/8.14.1/Submit) id m2PM3npn013678 for perforce@freebsd.org; Tue, 25 Mar 2008 22:03:49 GMT (envelope-from wsalamon@computer.org) Date: Tue, 25 Mar 2008 22:03:49 GMT Message-Id: <200803252203.m2PM3npn013678@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to wsalamon@computer.org using -f 
From: Wayne Salamon To: Perforce Change Reviews Cc: Subject: PERFORCE change 138558 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 25 Mar 2008 22:03:50 -0000 http://perforce.freebsd.org/chv.cgi?CH=138558 Change 138558 by wsalamon@vh2 on 2008/03/25 22:03:00 MAC->Audit integration: Add functionality to allow a MAC policy to annotate an audit record with text. The MAC annotation is stored on the audit record, and that storage is managed by the audit subsystem, not MAC. Obtained from:SEDarwin8 project, with modifications. Affected files ... .. //depot/projects/trustedbsd/audit_mac/src/sys/conf/files#3 edit .. //depot/projects/trustedbsd/audit_mac/src/sys/security/audit/audit.c#3 edit .. //depot/projects/trustedbsd/audit_mac/src/sys/security/audit/audit.h#2 edit .. //depot/projects/trustedbsd/audit_mac/src/sys/security/audit/audit_bsm.c#2 edit .. //depot/projects/trustedbsd/audit_mac/src/sys/security/audit/audit_private.h#3 edit .. //depot/projects/trustedbsd/audit_mac/src/sys/security/mac/mac_audit.c#2 edit .. //depot/projects/trustedbsd/audit_mac/src/sys/security/mac/mac_policy.h#2 edit Differences ... ==== //depot/projects/trustedbsd/audit_mac/src/sys/conf/files#3 (text+ko) ==== @@ -2058,6 +2058,7 @@ security/audit/audit_bsm.c optional audit security/audit/audit_bsm_klib.c optional audit security/audit/audit_bsm_token.c optional audit +security/audit/audit_mac.c optional audit security/audit/audit_pipe.c optional audit security/audit/audit_syscalls.c standard security/audit/audit_trigger.c optional audit ==== //depot/projects/trustedbsd/audit_mac/src/sys/security/audit/audit.c#3 (text) ==== 
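Review bot: The new `security/audit/audit_mac.c optional audit` entry names a source file that is not among this change's affected files, so a kernel built with `options AUDIT` from this changelist alone would presumably fail at compile or link time unless audit_mac.c is submitted separately. The audit.h and mac_audit.c hunks both rely on audit_mac_data(), which appears to live in that missing file. Either add the file to the changelist or state the dependency in the description.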
@@ -76,6 +76,9 @@ MALLOC_DEFINE(M_AUDITDATA, "audit_data", "Audit data storage"); MALLOC_DEFINE(M_AUDITPATH, "audit_path", "Audit path storage"); MALLOC_DEFINE(M_AUDITTEXT, "audit_text", "Audit text storage"); +#ifdef MAC +MALLOC_DEFINE(M_AUDITMAC, "audit_mac", "Audit MAC policy storage"); +#endif SYSCTL_NODE(_security, OID_AUTO, audit, CTLFLAG_RW, 0, "TrustedBSD audit controls"); @@ -185,6 +188,12 @@ ar->k_ar.ar_subj_pid = td->td_proc->p_pid; ar->k_ar.ar_subj_amask = td->td_ucred->cr_audit.ai_mask; ar->k_ar.ar_subj_term_addr = td->td_ucred->cr_audit.ai_termid; +#ifdef MAC + ar->k_ar.ar_mac_records = (struct mac_audit_record_list_t *) + malloc(sizeof(*ar->k_ar.ar_mac_records), M_AUDITMAC, M_WAITOK); + LIST_INIT(ar->k_ar.ar_mac_records); + ar->k_ar.ar_forced_by_mac = 0; +#endif return (0); } @@ -208,6 +217,24 @@ free(ar->k_ar.ar_arg_argv, M_AUDITTEXT); if (ar->k_ar.ar_arg_envv != NULL) free(ar->k_ar.ar_arg_envv, M_AUDITTEXT); + +#ifdef MAC + /* Free the audit data from the MAC policies. */ + do { + struct mac_audit_record *head, *next; + + head = LIST_FIRST(ar->k_ar.ar_mac_records); + while (head != NULL) { + next = LIST_NEXT(head, records); + free(head->data, M_TEMP); + free(head, M_AUDITMAC); + head = next; + } + + free(ar->k_ar.ar_mac_records, M_AUDITMAC); + } while (0); +#endif + } /* ==== //depot/projects/trustedbsd/audit_mac/src/sys/security/audit/audit.h#2 (text) ==== @@ -41,6 +41,8 @@ #error "no user-serviceable parts inside" #endif +#include "opt_mac.h" + #include #include 
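Review bot: The list head is heap-allocated with a cast, `(struct mac_audit_record_list_t *) malloc(sizeof(*ar->k_ar.ar_mac_records), M_AUDITMAC, M_WAITOK)`, even though the object is a single `LIST_HEAD`, i.e. one pointer; declaring `LIST_HEAD(mac_audit_record_list_t, mac_audit_record) ar_mac_records;` by value in struct audit_record (audit_private.h hunk) and using `LIST_INIT(&ar->k_ar.ar_mac_records)` would remove this allocation, the matching `free()` in the destructor hunk below, and the cast, which kernel malloc(9) returning `void *` does not need. The ctor now allocates with `M_WAITOK` for every audit record; if the record zone is ever allocated with `M_NOWAIT` this flag would have to follow, which deserves a comment. `ar_forced_by_mac` is initialised to 0 here but nothing else in this change sets or reads it, so either the preselect path that sets it belongs in this change or the field should carry an XXX note. The enclosing constructor begins and ends outside the hunk.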
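Review bot: `free(head->data, M_TEMP)` hard-codes the malloc type that mac_audit_text() in mac_audit.c happens to use, while the list nodes themselves are freed with `M_AUDITMAC`; the payload's allocation type is now an unstated contract between two files that the comment above audit_mac_data() should spell out (the XXX in the mac_audit.c hunk asks the same question), and allocating the payload with `M_AUDITMAC` as well would let the audit subsystem own all of it, as the description says it should. The `do { ... } while (0)` exists only to open a scope for `head` and `next`; a plain `{ ... }` block, or declaring them at the top of the function, is the usual style(9) form. The enclosing destructor begins outside the hunk.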
@@ -181,6 +183,23 @@ void audit_thread_alloc(struct thread *td); void audit_thread_free(struct thread *td); +#ifdef MAC +/* + * Arbitrary limit on how much data will be logged by the audit entry points. + */ +#define MAC_AUDIT_DATA_LIMIT 1024 + +/* + * audit_mac_data() is the MAC Framework's entry point to the audit subsystem. + * It currently creates only text and data audit tokens. + */ + +#define MAC_AUDIT_DATA_TYPE 0 +#define MAC_AUDIT_TEXT_TYPE 1 + +int audit_mac_data(int type, int len, u_char *data); +#endif + /* * Define a macro to wrap the audit_arg_* calls by checking the global * audit_enabled flag before performing the actual call. ==== //depot/projects/trustedbsd/audit_mac/src/sys/security/audit/audit_bsm.c#2 (text) ==== @@ -1422,6 +1422,36 @@ return (BSM_NOAUDIT); } +#ifdef MAC + do { + /* Convert the audit data from the MAC policies */ + struct mac_audit_record *mar; + + LIST_FOREACH(mar, ar->ar_mac_records, records) { + switch (mar->type) { + case MAC_AUDIT_DATA_TYPE: + tok = au_to_data(AUP_BINARY, AUR_BYTE, + mar->length, mar->data); + kau_write(rec, tok); + break; + case MAC_AUDIT_TEXT_TYPE: + tok = au_to_text(mar->data); + kau_write(rec, tok); + break; + default: + /* + * XXX: we can either continue, + * skipping this particular entry, + * or we can pre-verify the list and + * abort before writing any records + */ + printf("kaudit_to_bsm(): BSM conversion requested for unknown mac_audit data type %d\n", + mar->type); + } + } + } while (0); +#endif + kau_write(rec, subj_tok); tok = au_to_return32((char)ar->ar_errno, ar->ar_retval); kau_write(rec, tok); /* Every record gets a return token */ ==== //depot/projects/trustedbsd/audit_mac/src/sys/security/audit/audit_private.h#3 (text) ==== 
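Review bot: `int audit_mac_data(int type, int len, u_char *data);` documents neither who owns `data` nor what happens to it on failure, yet the destructor hunk in audit.c frees it with `M_TEMP` and mac_audit_text() passes a `char *` into this `u_char *` parameter, which gcc can flag under `-Wpointer-sign`. I would extend the comment above the prototype along the lines of `data must be allocated with M_TEMP; on success ownership passes to the current audit record, which frees it in its destructor; on error the caller still owns it`, adjusting the error clause to what audit_mac.c (not in this change) actually does. Taking `size_t len` and `void *data` would avoid the sign mismatch. Since `MAC_AUDIT_DATA_LIMIT` is defined here but only mac_audit_text() is seen enforcing it, the comment should also say whether audit_mac_data() itself rejects longer data.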
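Review bot: In the `MAC_AUDIT_DATA_TYPE` arm `mar->length` is passed straight to `au_to_data()`, whose unit-count argument is a single `char` in the OpenBSM API; if that is the prototype here, a data record between 128 and `MAC_AUDIT_DATA_LIMIT` (1024) bytes would be encoded with a wrong count, so such records should either be rejected in audit_mac_data() or split into several tokens, with a comment stating the per-token limit. The `default` arm calls `printf()` once per unknown entry on every record conversion; since this runs on the commit path for each syscall, a rate-limited message or a check at insertion time (where the XXX already suggests pre-verification) would be safer than an unbounded console message. As in the audit.c hunks, the `do { ... } while (0)` only opens a scope for `mar` and could be a plain block. The enclosing kaudit_to_bsm() begins and ends outside the hunk.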
@@ -140,6 +140,15 @@ mode_t pipc_mode; }; +#ifdef MAC +struct mac_audit_record { + int type; /* one of the MAC_AUDIT types */ + int length; /* byte length of the data field */ + u_char *data; /* the payload */ + LIST_ENTRY(mac_audit_record) records; +}; +#endif + struct audit_record { /* Audit record header. */ u_int32_t ar_magic; @@ -209,6 +218,14 @@ int ar_arg_exitstatus; int ar_arg_exitretval; struct sockaddr_storage ar_arg_sockaddr; +#ifdef MAC + /* MAC security related fields added by MAC policies + * ar_forced_by_mac is 1 if mac_audit_check_preselect() forced this + * call to be audited, 0 otherwise. + */ + LIST_HEAD(mac_audit_record_list_t, mac_audit_record)* ar_mac_records; + int ar_forced_by_mac; +#endif }; /* ==== //depot/projects/trustedbsd/audit_mac/src/sys/security/mac/mac_audit.c#2 (text+ko) ==== @@ -39,6 +39,7 @@ * $FreeBSD: src/sys/security/mac/mac_audit.c,v 1.3 2007/10/24 19:04:00 rwatson Exp $ */ +#include #include #include #include @@ -113,3 +114,35 @@ return (error); } + +int +mac_audit_text(char *text, struct mac_policy_conf *mpc) +{ + char *sanitized; + const char *name; + int i, size, plen, len; + + name = mpc->mpc_name; + len = strlen(text); + plen = 2 + strlen(name); + if (plen + len >= MAC_AUDIT_DATA_LIMIT) + return (EINVAL); + + /* + * Make sure the text is only composed of only ASCII printable + * characters. + */ + for (i=0; i < len; i++) + if (text[i] < (char) 32 || text[i] > (char) 126) + return (EINVAL); + + size = len + plen + 1; + /* XXX Should we use a malloc area for MAC storage (M_AUDITMAC)? */ + sanitized = (char *)malloc(size, M_TEMP, M_WAITOK); + + strcpy(sanitized, name); + strcat(sanitized, ": "); + strcat(sanitized, text); + + return (audit_mac_data(MAC_AUDIT_TEXT_TYPE, size, sanitized)); +} ==== //depot/projects/trustedbsd/audit_mac/src/sys/security/mac/mac_policy.h#2 (text+ko) ==== 
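Review bot: `LIST_HEAD(mac_audit_record_list_t, mac_audit_record)* ar_mac_records;` declares a pointer to a one-pointer list head, which is what forces audit.c to malloc and free it per record; declaring the head by value, `LIST_HEAD(mac_audit_record_list_t, mac_audit_record) ar_mac_records;`, removes that allocation and its cleanup path, and also moves the `*` next to the name per style(9). The comment block opens with text on the `/*` line, which style(9) reserves for one-line comments, and documents `ar_forced_by_mac` in terms of `mac_audit_check_preselect()`, which no hunk in this change touches, so either the preselect change should accompany this or the comment should say the field is not yet set. In `struct mac_audit_record`, `int length` is a byte count that later becomes a token length; `size_t length`, or at least a comment that it is non-negative and at most `MAC_AUDIT_DATA_LIMIT`, would make the invariant explicit.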
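Review bot: `sanitized` is allocated with `M_WAITOK` and handed to `audit_mac_data()`, but if that call returns an error (for instance when the calling thread has no audit record in progress) nothing here frees it, and audit_mac.c is not in this change so the ownership on the error path cannot be checked — either free on a non-zero return or document that audit_mac_data() always takes ownership. `text` is only read (`strlen`, the byte scan, the `strcat` source), so it should be `const char *text` both here and in the mac_policy.h prototype, which also lets policies pass string literals cleanly. The `strcpy`/`strcat` chain is length-correct only because `size` was computed by hand a few lines earlier; `snprintf(sanitized, size, "%s: %s", name, text)` keeps the size and the write together, and the `(char *)` cast on malloc(9) is unnecessary. The printable-ASCII check is a useful guard against control characters reaching the trail; comparing through `unsigned char` would make it independent of `char` signedness, though as written both signed and unsigned `char` reject bytes at or above 0x80.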
@@ -1,7 +1,7 @@ /*- * Copyright (c) 1999-2002, 2007 Robert N. M. Watson * Copyright (c) 2001-2005 Networks Associates Technology, Inc. - * Copyright (c) 2005-2006 SPARTA, Inc. + * Copyright (c) 2005-2007 SPARTA, Inc. * All rights reserved. * * This software was developed by Robert Watson for the TrustedBSD Project. @@ -981,4 +981,10 @@ intptr_t mac_label_get(struct label *l, int slot); void mac_label_set(struct label *l, int slot, intptr_t v); +/* + * This is the entry point a MAC policy will call to add NULL-terminated + * ASCII text to the current audit record. + */ +int mac_audit_text(char *text, struct mac_policy_conf *mpc); + #endif /* !_SYS_SECURITY_MAC_MAC_POLICY_H_ */
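Review bot: The comment above `int mac_audit_text(char *text, struct mac_policy_conf *mpc);` describes the input as NULL-terminated ASCII but not the contract the mac_audit.c implementation enforces: only printable ASCII (0x20–0x7e) is accepted, `strlen(mpc->mpc_name) + 2 + strlen(text)` must stay below `MAC_AUDIT_DATA_LIMIT`, EINVAL is returned otherwise, and the text is copied so the caller keeps ownership of `text`. I would add those points to the comment, together with whether the call may sleep (the implementation allocates with `M_WAITOK`) and what is returned when no audit record is in progress. Since the function never writes through `text`, the parameter can be `const char *text`. "NULL-terminated" should also read "NUL-terminated", as the terminator is the NUL character rather than the null pointer.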