Date:      Tue, 25 Mar 2008 22:03:49 GMT
From:      Wayne Salamon <wsalamon@FreeBSD.org>
To:        Perforce Change Reviews <perforce@freebsd.org>
Subject:   PERFORCE change 138558 for review
Message-ID:  <200803252203.m2PM3npn013678@repoman.freebsd.org>

http://perforce.freebsd.org/chv.cgi?CH=138558

Change 138558 by wsalamon@vh2 on 2008/03/25 22:03:00

	MAC->Audit integration: Add functionality to allow a MAC policy to
	annotate an audit record with text. The MAC annotation is stored
	on the audit record, and that storage is managed by the audit subsystem,
	not MAC.
	Obtained from: SEDarwin8 project, with modifications.

Affected files ...

.. //depot/projects/trustedbsd/audit_mac/src/sys/conf/files#3 edit
.. //depot/projects/trustedbsd/audit_mac/src/sys/security/audit/audit.c#3 edit
.. //depot/projects/trustedbsd/audit_mac/src/sys/security/audit/audit.h#2 edit
.. //depot/projects/trustedbsd/audit_mac/src/sys/security/audit/audit_bsm.c#2 edit
.. //depot/projects/trustedbsd/audit_mac/src/sys/security/audit/audit_private.h#3 edit
.. //depot/projects/trustedbsd/audit_mac/src/sys/security/mac/mac_audit.c#2 edit
.. //depot/projects/trustedbsd/audit_mac/src/sys/security/mac/mac_policy.h#2 edit

Differences ...

==== //depot/projects/trustedbsd/audit_mac/src/sys/conf/files#3 (text+ko) ====

@@ -2058,6 +2058,7 @@
 security/audit/audit_bsm.c	optional audit
 security/audit/audit_bsm_klib.c	optional audit
 security/audit/audit_bsm_token.c	optional audit
+security/audit/audit_mac.c	optional audit
 security/audit/audit_pipe.c	optional audit
 security/audit/audit_syscalls.c	standard
 security/audit/audit_trigger.c	optional audit
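Review bot: The new build line names security/audit/audit_mac.c, but that file is not in the affected-files list of this change, while audit.h declares audit_mac_data() and mac_audit_text() in mac_audit.c calls it; unless audit_mac.c is submitted separately, an audit+MAC kernel will fail to link. If it is a separate change, the description should say so. The entry is conditioned only on `audit`, so audit_mac.c presumably carries its own `#ifdef MAC` guards like the rest of this change — worth confirming.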

==== //depot/projects/trustedbsd/audit_mac/src/sys/security/audit/audit.c#3 (text) ====

@@ -76,6 +76,9 @@
 MALLOC_DEFINE(M_AUDITDATA, "audit_data", "Audit data storage");
 MALLOC_DEFINE(M_AUDITPATH, "audit_path", "Audit path storage");
 MALLOC_DEFINE(M_AUDITTEXT, "audit_text", "Audit text storage");
+#ifdef MAC
+MALLOC_DEFINE(M_AUDITMAC, "audit_mac", "Audit MAC policy storage");
+#endif
 
 SYSCTL_NODE(_security, OID_AUTO, audit, CTLFLAG_RW, 0,
     "TrustedBSD audit controls");
@@ -185,6 +188,12 @@
 	ar->k_ar.ar_subj_pid = td->td_proc->p_pid;
 	ar->k_ar.ar_subj_amask = td->td_ucred->cr_audit.ai_mask;
 	ar->k_ar.ar_subj_term_addr = td->td_ucred->cr_audit.ai_termid;
+#ifdef MAC
+	ar->k_ar.ar_mac_records = (struct mac_audit_record_list_t *)
+	    malloc(sizeof(*ar->k_ar.ar_mac_records), M_AUDITMAC, M_WAITOK);
+	LIST_INIT(ar->k_ar.ar_mac_records);
+	ar->k_ar.ar_forced_by_mac = 0;
+#endif
 	return (0);
 }
 
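Review bot: The list head is allocated with a hard-coded M_WAITOK on the lines added after ar_subj_term_addr; the function appears to be the UMA record constructor (it fills in td-derived fields and returns 0), whose signature carries a flags argument that should be passed through instead, and a failed allocation should then make the ctor return ENOMEM rather than leaving ar_mac_records NULL for the LIST_FOREACH in audit_bsm.c to walk. The separate allocation could be avoided altogether by embedding the head in struct audit_record (the declaration in audit_private.h) and using `LIST_INIT(&ar->k_ar.ar_mac_records);`, which also removes the matching free in the destructor hunk below. The cast on the malloc(9) result is unnecessary in C. The enclosing function starts outside the hunk.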
@@ -208,6 +217,24 @@
 		free(ar->k_ar.ar_arg_argv, M_AUDITTEXT);
 	if (ar->k_ar.ar_arg_envv != NULL)
 		free(ar->k_ar.ar_arg_envv, M_AUDITTEXT);
+
+#ifdef MAC
+	/* Free the audit data from the MAC policies. */
+        do {
+                struct mac_audit_record *head, *next;
+
+		head = LIST_FIRST(ar->k_ar.ar_mac_records);
+		while (head != NULL) {
+			next = LIST_NEXT(head, records);
+			free(head->data, M_TEMP);
+			free(head, M_AUDITMAC);
+			head = next;
+		}
+ 
+		free(ar->k_ar.ar_mac_records, M_AUDITMAC);
+	} while (0);
+#endif
+
 }
 
 /*
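Review bot: The freeing loop mixes spaces and tabs (the `do {` and the declaration line), has trailing whitespace on the blank line before the final free, and uses `do { … } while (0)` only to open a scope; a plain block, or `LIST_FOREACH_SAFE(head, ar->k_ar.ar_mac_records, records, next)` with the declarations hoisted to the top of the function, would read better and follow style(9). The `free(head->data, M_TEMP)` ties this destructor to the allocation type chosen in mac_audit_text(), which carries an XXX about switching to M_AUDITMAC; a comment such as `/* data is allocated with M_TEMP by mac_audit_text(); keep the types in sync. */` would keep the two from drifting apart. The enclosing function starts outside the hunk.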

==== //depot/projects/trustedbsd/audit_mac/src/sys/security/audit/audit.h#2 (text) ====

@@ -41,6 +41,8 @@
 #error "no user-serviceable parts inside"
 #endif
 
+#include "opt_mac.h"
+
 #include <bsm/audit.h>
 
 #include <sys/file.h>
@@ -181,6 +183,23 @@
 void	 audit_thread_alloc(struct thread *td);
 void	 audit_thread_free(struct thread *td);
 
+#ifdef MAC
+/* 
+ * Arbitrary limit on how much data will be logged by the audit entry points.
+ */
+#define MAC_AUDIT_DATA_LIMIT	1024
+
+/*
+ * audit_mac_data() is the MAC Framework's entry point to the audit subsystem.
+ * It currently creates only text and data audit tokens.
+ */
+
+#define MAC_AUDIT_DATA_TYPE	0
+#define MAC_AUDIT_TEXT_TYPE	1
+
+int	audit_mac_data(int type, int len, u_char *data);
+#endif
+
 /*
  * Define a macro to wrap the audit_arg_* calls by checking the global
  * audit_enabled flag before performing the actual call.
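Review bot: The comment block above audit_mac_data() does not state the ownership contract the rest of the change relies on: the audit record keeps `data` and audit.c frees it with `free(head->data, M_TEMP)`, so callers must allocate it with M_TEMP and must not use or free it afterwards, and for MAC_AUDIT_TEXT_TYPE mac_audit_text() passes a `len` that includes the terminating NUL. Suggest adding `/* Takes ownership of data, which must be malloc(9)'d with M_TEMP and is freed with the record; len includes the NUL for text. */`. What happens to `data` when audit_mac_data() returns an error is not visible in this change and should be documented as well. `len` would more naturally be size_t, and the opening `/* ` line carries trailing whitespace.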

==== //depot/projects/trustedbsd/audit_mac/src/sys/security/audit/audit_bsm.c#2 (text) ====

@@ -1422,6 +1422,36 @@
 		return (BSM_NOAUDIT);
 	}
 
+#ifdef MAC
+	do {
+		/* Convert the audit data from the MAC policies */
+		struct mac_audit_record *mar;
+		
+		LIST_FOREACH(mar, ar->ar_mac_records, records) {
+			switch (mar->type) {
+				case MAC_AUDIT_DATA_TYPE:
+					tok = au_to_data(AUP_BINARY, AUR_BYTE,
+					    mar->length, mar->data);
+					kau_write(rec, tok);
+					break;
+				case MAC_AUDIT_TEXT_TYPE:
+					tok = au_to_text(mar->data);
+					kau_write(rec, tok);
+					break;
+				default:
+					/*
+					 * XXX: we can either continue,
+					 * skipping this particular entry,
+					 * or we can pre-verify the list and
+					 * abort before writing any records
+					 */
+					printf("kaudit_to_bsm(): BSM conversion requested for unknown mac_audit data type %d\n",
+					    mar->type);
+			}
+		}
+	} while (0);
+#endif
+
 	kau_write(rec, subj_tok);
 	tok = au_to_return32((char)ar->ar_errno, ar->ar_retval);
 	kau_write(rec, tok);  /* Every record gets a return token */
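Review bot: The `default:` arm of the new switch ends without `break;` and the case labels are indented one level deeper than `switch`, both contrary to style(9); the printf line is also well over 80 columns. On the XXX comment: an unknown type can only come from a kernel-side producer bug, so a `KASSERT(0, ("kaudit_to_bsm: unknown mac_audit type %d", mar->type))` under INVARIANTS, or rejecting the type in audit_mac_data() at insertion time (not part of this change), would be more useful than a printf on the conversion path. If au_to_text() takes a `char *`, passing the `u_char *` mar->data should carry an explicit cast to avoid a pointer-sign warning. The enclosing kaudit_to_bsm() starts and ends outside the hunk.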

==== //depot/projects/trustedbsd/audit_mac/src/sys/security/audit/audit_private.h#3 (text) ====

@@ -140,6 +140,15 @@
 	mode_t	pipc_mode;
 };
 
+#ifdef MAC
+struct mac_audit_record {
+	int			type;	/* one of the MAC_AUDIT types */
+	int			length;	/* byte length of the data field */
+	u_char		       *data;	/* the payload */
+	LIST_ENTRY(mac_audit_record) records;
+};
+#endif
+
 struct audit_record {
 	/* Audit record header. */
 	u_int32_t		ar_magic;
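Review bot: struct mac_audit_record does not say who owns `data` or what `length` counts: within this change `data` is freed by the record destructor in audit.c with M_TEMP, and for text entries mac_audit_text() stores a length that includes the terminating NUL, which au_to_text() in audit_bsm.c depends on. Suggest `u_char *data; /* owned by the record; freed with M_TEMP */` and `int length; /* bytes in data, including the NUL for text entries */`. `length` could also be size_t, since a negative byte count is never meaningful.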
@@ -209,6 +218,14 @@
 	int			ar_arg_exitstatus;
 	int			ar_arg_exitretval;
 	struct sockaddr_storage ar_arg_sockaddr;
+#ifdef MAC
+	/* MAC security related fields added by MAC policies
+	 * ar_forced_by_mac is 1 if mac_audit_check_preselect() forced this
+	 * call to be audited, 0 otherwise.
+	 */
+	LIST_HEAD(mac_audit_record_list_t, mac_audit_record)*	ar_mac_records;
+	int			ar_forced_by_mac;
+#endif
 };
 
 /*
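Review bot: The new comment block starts its text on the `/*` line, where style(9) puts `/*` on a line of its own, and it describes ar_forced_by_mac being set by mac_audit_check_preselect(), which is not part of this change — within it the field is only cleared in the record constructor, so the comment describes behavior that has yet to land; a note such as `/* set by mac_audit_check_preselect() (not yet implemented) */` would make that explicit. struct audit_record starts before the hunk.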

==== //depot/projects/trustedbsd/audit_mac/src/sys/security/mac/mac_audit.c#2 (text+ko) ====

@@ -39,6 +39,7 @@
  * $FreeBSD: src/sys/security/mac/mac_audit.c,v 1.3 2007/10/24 19:04:00 rwatson Exp $
  */
 
+#include <sys/libkern.h>
 #include <sys/param.h>
 #include <sys/module.h>
 #include <sys/vnode.h>
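Review bot: `<sys/libkern.h>` is inserted ahead of `<sys/param.h>`, whereas style(9) wants sys/param.h (or sys/types.h) first in kernel sources. Kernel code normally obtains strlen()/strcpy() via `<sys/systm.h>` rather than including libkern.h directly, and that header may already be pulled in here — worth checking before adding the include.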
@@ -113,3 +114,35 @@
 
 	return (error);
 }
+
+int
+mac_audit_text(char *text, struct mac_policy_conf *mpc)
+{
+	char *sanitized;
+	const char *name;
+	int i, size, plen, len;
+
+	name = mpc->mpc_name;
+	len = strlen(text);
+	plen = 2 + strlen(name);
+	if (plen + len >= MAC_AUDIT_DATA_LIMIT)
+		return (EINVAL);
+
+	/*
+	 * Make sure the text is only composed of only ASCII printable
+	 * characters.
+	 */
+	for (i=0; i < len; i++)
+		if (text[i] < (char) 32 || text[i] > (char) 126)
+			return (EINVAL);
+
+	size = len + plen + 1;
+	/* XXX Should we use a malloc area for MAC storage (M_AUDITMAC)? */
+ 	sanitized = (char *)malloc(size, M_TEMP, M_WAITOK);
+
+	strcpy(sanitized, name);
+	strcat(sanitized, ": ");
+	strcat(sanitized, text);
+
+	return (audit_mac_data(MAC_AUDIT_TEXT_TYPE, size, sanitized));
+}
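Review bot: If audit_mac_data() returns non-zero, the `sanitized` buffer is leaked unless the callee frees it on every error path, and that contract is not visible in this change; either document it on audit_mac_data() or free the buffer here on a non-zero return. The printable check relies on `char` signedness (with unsigned char the high half is caught by `> 126`, with signed char by `< 32`), so `if ((unsigned char)text[i] < 32 || (unsigned char)text[i] > 126)` says what is meant. The strcpy/strcat triple can become `snprintf(sanitized, size, "%s: %s", name, text);`, the cast on malloc(9) is unnecessary in C, and `text` and `mpc` are only read so both can be const. The tab/space mix on the malloc line should be a single tab.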

==== //depot/projects/trustedbsd/audit_mac/src/sys/security/mac/mac_policy.h#2 (text+ko) ====

@@ -1,7 +1,7 @@
 /*-
  * Copyright (c) 1999-2002, 2007 Robert N. M. Watson
  * Copyright (c) 2001-2005 Networks Associates Technology, Inc.
- * Copyright (c) 2005-2006 SPARTA, Inc.
+ * Copyright (c) 2005-2007 SPARTA, Inc.
  * All rights reserved.
  *
  * This software was developed by Robert Watson for the TrustedBSD Project.
@@ -981,4 +981,10 @@
 intptr_t	mac_label_get(struct label *l, int slot);
 void		mac_label_set(struct label *l, int slot, intptr_t v);
 
+/*
+ * This is the entry point a MAC policy will call to add NULL-terminated
+ * ASCII text to the current audit record.
+ */
+int	mac_audit_text(char *text, struct mac_policy_conf *mpc);
+
 #endif /* !_SYS_SECURITY_MAC_MAC_POLICY_H_ */
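Review bot: The comment above mac_audit_text() should state the contract that mac_audit.c enforces: only printable ASCII (0x20–0x7e) is accepted, the text plus the policy-name prefix must stay below MAC_AUDIT_DATA_LIMIT, EINVAL is returned otherwise, and the text is copied so the caller keeps ownership of it. Since the function only reads `text`, the prototype can be `int mac_audit_text(const char *text, struct mac_policy_conf *mpc);` (with the definition changed to match), which lets policies pass string literals and const data without a cast.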


