From owner-svn-src-stable-11@freebsd.org Thu Mar 15 02:20:07 2018 Return-Path: Delivered-To: svn-src-stable-11@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 8EB27F2C3C3; Thu, 15 Mar 2018 02:20:07 +0000 (UTC) (envelope-from eadler@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 40FC084AC7; Thu, 15 Mar 2018 02:20:07 +0000 (UTC) (envelope-from eadler@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 3AD1B101C3; Thu, 15 Mar 2018 02:20:07 +0000 (UTC) (envelope-from eadler@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id w2F2K7B6036530; Thu, 15 Mar 2018 02:20:07 GMT (envelope-from eadler@FreeBSD.org) Received: (from eadler@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id w2F2K6ff036525; Thu, 15 Mar 2018 02:20:06 GMT (envelope-from eadler@FreeBSD.org) Message-Id: <201803150220.w2F2K6ff036525@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: eadler set sender to eadler@FreeBSD.org using -f From: Eitan Adler Date: Thu, 15 Mar 2018 02:20:06 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org Subject: svn commit: r330964 - in stable/11/sys: kern sys X-SVN-Group: stable-11 X-SVN-Commit-Author: eadler X-SVN-Commit-Paths: in stable/11/sys: kern sys X-SVN-Commit-Revision: 330964 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-stable-11@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: SVN commit messages for only the 11-stable src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 15 Mar 2018 02:20:07 -0000 Author: eadler Date: Thu Mar 15 02:20:06 2018 New Revision: 330964 URL: https://svnweb.freebsd.org/changeset/base/330964 Log: MFC r302525,r302526: Do allow auditing of read(2) and write(2) system calls, by assigning those system calls audit event identifiers AUE_READ and AUE_WRITE. While auditing file-descriptor I/O is not required by the Common Criteria, in practice this proves useful for both live and forensic analysis. NB: freebsd32 already assigns AUE_READ and AUE_WRITE to read(2) and write(2). In process-descriptor close(2) and fstat(2), audit target process information. pgkill(2) already audits target process ID. Modified: stable/11/sys/kern/init_sysent.c stable/11/sys/kern/sys_procdesc.c stable/11/sys/kern/syscalls.master stable/11/sys/sys/sysproto.h Directory Properties: stable/11/ (props changed) Modified: stable/11/sys/kern/init_sysent.c ============================================================================== --- stable/11/sys/kern/init_sysent.c Thu Mar 15 01:07:21 2018 (r330963) +++ stable/11/sys/kern/init_sysent.c Thu Mar 15 02:20:06 2018 (r330964) @@ -48,8 +48,8 @@ struct sysent sysent[] = { { 0, (sy_call_t *)nosys, AUE_NULL, NULL, 0, 0, 0, SY_THR_STATIC }, /* 0 = syscall */ { AS(sys_exit_args), (sy_call_t *)sys_sys_exit, AUE_EXIT, NULL, 0, 0, SYF_CAPENABLED, SY_THR_STATIC }, /* 1 = exit */ { 0, (sy_call_t *)sys_fork, AUE_FORK, NULL, 0, 0, SYF_CAPENABLED, SY_THR_STATIC }, /* 2 = fork */ - { AS(read_args), (sy_call_t *)sys_read, AUE_NULL, NULL, 0, 0, SYF_CAPENABLED, SY_THR_STATIC }, /* 3 = read */ - { AS(write_args), (sy_call_t *)sys_write, AUE_NULL, NULL, 0, 0, SYF_CAPENABLED, SY_THR_STATIC }, /* 4 = write */ + { AS(read_args), (sy_call_t *)sys_read, AUE_READ, NULL, 0, 0, SYF_CAPENABLED, SY_THR_STATIC }, /* 3 = read */ + { AS(write_args), (sy_call_t *)sys_write, AUE_WRITE, NULL, 0, 0, SYF_CAPENABLED, SY_THR_STATIC }, /* 4 = write */ { AS(open_args), (sy_call_t *)sys_open, AUE_OPEN_RWTC, NULL, 0, 0, SYF_CAPENABLED, SY_THR_STATIC }, /* 5 = open */ { AS(close_args), (sy_call_t *)sys_close, AUE_CLOSE, NULL, 0, 0, SYF_CAPENABLED, SY_THR_STATIC }, /* 6 = close */ { AS(wait4_args), (sy_call_t *)sys_wait4, AUE_WAIT4, NULL, 0, 0, 0, SY_THR_STATIC }, /* 7 = wait4 */ Modified: stable/11/sys/kern/sys_procdesc.c ============================================================================== --- stable/11/sys/kern/sys_procdesc.c Thu Mar 15 01:07:21 2018 (r330963) +++ stable/11/sys/kern/sys_procdesc.c Thu Mar 15 02:20:06 2018 (r330964) @@ -1,10 +1,15 @@ /*- - * Copyright (c) 2009 Robert N. M. Watson + * Copyright (c) 2009, 2016 Robert N. M. Watson * All rights reserved. * * This software was developed at the University of Cambridge Computer * Laboratory with support from a grant from Google, Inc. * + * Portions of this software were developed by BAE Systems, the University of + * Cambridge Computer Laboratory, and Memorial University under DARPA/AFRL + * contract FA8650-15-C-7558 ("CADETS"), as part of the DARPA Transparent + * Computing (TC) research program. + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -383,6 +388,7 @@ procdesc_close(struct file *fp, struct thread *td) sx_xunlock(&proctree_lock); } else { PROC_LOCK(p); + AUDIT_ARG_PROCESS(p); if (p->p_state == PRS_ZOMBIE) { /* * If the process is already dead and just awaiting @@ -529,6 +535,7 @@ procdesc_stat(struct file *fp, struct stat *sb, struct sx_slock(&proctree_lock); if (pd->pd_proc != NULL) { PROC_LOCK(pd->pd_proc); + AUDIT_ARG_PROCESS(pd->pd_proc); /* Set birth and [acm] times to process start time. */ pstart = pd->pd_proc->p_stats->p_start; Modified: stable/11/sys/kern/syscalls.master ============================================================================== --- stable/11/sys/kern/syscalls.master Thu Mar 15 01:07:21 2018 (r330963) +++ stable/11/sys/kern/syscalls.master Thu Mar 15 02:20:06 2018 (r330964) @@ -62,9 +62,9 @@ 1 AUE_EXIT STD { void sys_exit(int rval); } exit \ sys_exit_args void 2 AUE_FORK STD { int fork(void); } -3 AUE_NULL STD { ssize_t read(int fd, void *buf, \ +3 AUE_READ STD { ssize_t read(int fd, void *buf, \ size_t nbyte); } -4 AUE_NULL STD { ssize_t write(int fd, const void *buf, \ +4 AUE_WRITE STD { ssize_t write(int fd, const void *buf, \ size_t nbyte); } 5 AUE_OPEN_RWTC STD { int open(char *path, int flags, int mode); } ; XXX should be { int open(const char *path, int flags, ...); } Modified: stable/11/sys/sys/sysproto.h ============================================================================== --- stable/11/sys/sys/sysproto.h Thu Mar 15 01:07:21 2018 (r330963) +++ stable/11/sys/sys/sysproto.h Thu Mar 15 02:20:06 2018 (r330964) @@ -2518,8 +2518,8 @@ int freebsd10_pipe(struct thread *, struct freebsd10_p #define SYS_AUE_syscall AUE_NULL #define SYS_AUE_exit AUE_EXIT #define SYS_AUE_fork AUE_FORK -#define SYS_AUE_read AUE_NULL -#define SYS_AUE_write AUE_NULL +#define SYS_AUE_read AUE_READ +#define SYS_AUE_write AUE_WRITE #define SYS_AUE_open AUE_OPEN_RWTC #define SYS_AUE_close AUE_CLOSE #define SYS_AUE_wait4 AUE_WAIT4