Date:      Thu, 15 Mar 2018 02:20:06 +0000 (UTC)
From:      Eitan Adler <eadler@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org
Subject:   svn commit: r330964 - in stable/11/sys: kern sys
Message-ID:  <201803150220.w2F2K6ff036525@repo.freebsd.org>

Author: eadler
Date: Thu Mar 15 02:20:06 2018
New Revision: 330964
URL: https://svnweb.freebsd.org/changeset/base/330964

Log:
  MFC r302525,r302526:
  
  Do allow auditing of read(2) and write(2) system calls, by assigning
  those system calls audit event identifiers AUE_READ and AUE_WRITE.
  While auditing file-descriptor I/O is not required by the Common
  Criteria, in practice this proves useful for both live and forensic
  analysis.
  
  NB: freebsd32 already assigns AUE_READ and AUE_WRITE to read(2) and
  write(2).
  
  In process-descriptor close(2) and fstat(2), audit target process
  information.  pgkill(2) already audits target process ID.

Modified:
  stable/11/sys/kern/init_sysent.c
  stable/11/sys/kern/sys_procdesc.c
  stable/11/sys/kern/syscalls.master
  stable/11/sys/sys/sysproto.h
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/sys/kern/init_sysent.c
==============================================================================
--- stable/11/sys/kern/init_sysent.c	Thu Mar 15 01:07:21 2018	(r330963)
+++ stable/11/sys/kern/init_sysent.c	Thu Mar 15 02:20:06 2018	(r330964)
@@ -48,8 +48,8 @@ struct sysent sysent[] = {
 	{ 0, (sy_call_t *)nosys, AUE_NULL, NULL, 0, 0, 0, SY_THR_STATIC },		/* 0 = syscall */
 	{ AS(sys_exit_args), (sy_call_t *)sys_sys_exit, AUE_EXIT, NULL, 0, 0, SYF_CAPENABLED, SY_THR_STATIC },	/* 1 = exit */
 	{ 0, (sy_call_t *)sys_fork, AUE_FORK, NULL, 0, 0, SYF_CAPENABLED, SY_THR_STATIC },	/* 2 = fork */
-	{ AS(read_args), (sy_call_t *)sys_read, AUE_NULL, NULL, 0, 0, SYF_CAPENABLED, SY_THR_STATIC },	/* 3 = read */
-	{ AS(write_args), (sy_call_t *)sys_write, AUE_NULL, NULL, 0, 0, SYF_CAPENABLED, SY_THR_STATIC },	/* 4 = write */
+	{ AS(read_args), (sy_call_t *)sys_read, AUE_READ, NULL, 0, 0, SYF_CAPENABLED, SY_THR_STATIC },	/* 3 = read */
+	{ AS(write_args), (sy_call_t *)sys_write, AUE_WRITE, NULL, 0, 0, SYF_CAPENABLED, SY_THR_STATIC },	/* 4 = write */
 	{ AS(open_args), (sy_call_t *)sys_open, AUE_OPEN_RWTC, NULL, 0, 0, SYF_CAPENABLED, SY_THR_STATIC },	/* 5 = open */
 	{ AS(close_args), (sy_call_t *)sys_close, AUE_CLOSE, NULL, 0, 0, SYF_CAPENABLED, SY_THR_STATIC },	/* 6 = close */
 	{ AS(wait4_args), (sy_call_t *)sys_wait4, AUE_WAIT4, NULL, 0, 0, 0, SY_THR_STATIC },	/* 7 = wait4 */

Modified: stable/11/sys/kern/sys_procdesc.c
==============================================================================
--- stable/11/sys/kern/sys_procdesc.c	Thu Mar 15 01:07:21 2018	(r330963)
+++ stable/11/sys/kern/sys_procdesc.c	Thu Mar 15 02:20:06 2018	(r330964)
@@ -1,10 +1,15 @@
 /*-
- * Copyright (c) 2009 Robert N. M. Watson
+ * Copyright (c) 2009, 2016 Robert N. M. Watson
  * All rights reserved.
  *
  * This software was developed at the University of Cambridge Computer
  * Laboratory with support from a grant from Google, Inc.
  *
+ * Portions of this software were developed by BAE Systems, the University of
+ * Cambridge Computer Laboratory, and Memorial University under DARPA/AFRL
+ * contract FA8650-15-C-7558 ("CADETS"), as part of the DARPA Transparent
+ * Computing (TC) research program.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
@@ -383,6 +388,7 @@ procdesc_close(struct file *fp, struct thread *td)
 		sx_xunlock(&proctree_lock);
 	} else {
 		PROC_LOCK(p);
+		AUDIT_ARG_PROCESS(p);
 		if (p->p_state == PRS_ZOMBIE) {
 			/*
 			 * If the process is already dead and just awaiting
@@ -529,6 +535,7 @@ procdesc_stat(struct file *fp, struct stat *sb, struct
 	sx_slock(&proctree_lock);
 	if (pd->pd_proc != NULL) {
 		PROC_LOCK(pd->pd_proc);
+		AUDIT_ARG_PROCESS(pd->pd_proc);
 
 		/* Set birth and [acm] times to process start time. */
 		pstart = pd->pd_proc->p_stats->p_start;
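Review bot: Here the target is audited only inside `if (pd->pd_proc != NULL)`, so an fstat(2) on a descriptor whose process has already been reaped produces a record with no process argument, and nothing in the code or the log says that this is intended; a one-line comment on the `AUDIT_ARG_PROCESS(pd->pd_proc);` line, `/* No target is audited once the process has been reaped (pd_proc == NULL). */`, would make the asymmetry deliberate. The placement right after `PROC_LOCK(pd->pd_proc)` matches the close(2) path, which is good, but the blank line that follows separates it from the stat population it logically precedes; attaching the comment to it keeps the lock-then-audit ordering visible. procdesc_stat starts before and ends after this hunk.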

Modified: stable/11/sys/kern/syscalls.master
==============================================================================
--- stable/11/sys/kern/syscalls.master	Thu Mar 15 01:07:21 2018	(r330963)
+++ stable/11/sys/kern/syscalls.master	Thu Mar 15 02:20:06 2018	(r330964)
@@ -62,9 +62,9 @@
 1	AUE_EXIT	STD	{ void sys_exit(int rval); } exit \
 				    sys_exit_args void
 2	AUE_FORK	STD	{ int fork(void); }
-3	AUE_NULL	STD	{ ssize_t read(int fd, void *buf, \
+3	AUE_READ	STD	{ ssize_t read(int fd, void *buf, \
 				    size_t nbyte); }
-4	AUE_NULL	STD	{ ssize_t write(int fd, const void *buf, \
+4	AUE_WRITE	STD	{ ssize_t write(int fd, const void *buf, \
 				    size_t nbyte); }
 5	AUE_OPEN_RWTC	STD	{ int open(char *path, int flags, int mode); }
 ; XXX should be		{ int open(const char *path, int flags, ...); }
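Review bot: Assigning `AUE_READ` and `AUE_WRITE` to syscalls 3 and 4 makes the two highest-frequency system calls auditable, but neither this file nor the log says what governs whether records are actually emitted: that depends on the event-to-class mapping in audit_event(5) and the preselection `flags` in audit_control(5), which this change leaves untouched, so a host whose flags already select the file-read/file-write classes starts producing a record per read(2)/write(2) after this update. I would add a sentence to the commit message, e.g. `Records are generated only when the classes that audit_event(5) assigns to AUE_READ/AUE_WRITE (fr/fw) are preselected in audit_control(5); the stock flags line does not select them.` — the fr/fw mapping and the stock flags are my recollection of the userland defaults, so confirm before wording it as fact. Aligning the native table with the freebsd32 table, as the log notes, removes an inconsistency where 32-bit callers were auditable and 64-bit callers were not.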

Modified: stable/11/sys/sys/sysproto.h
==============================================================================
--- stable/11/sys/sys/sysproto.h	Thu Mar 15 01:07:21 2018	(r330963)
+++ stable/11/sys/sys/sysproto.h	Thu Mar 15 02:20:06 2018	(r330964)
@@ -2518,8 +2518,8 @@ int	freebsd10_pipe(struct thread *, struct freebsd10_p
 #define	SYS_AUE_syscall	AUE_NULL
 #define	SYS_AUE_exit	AUE_EXIT
 #define	SYS_AUE_fork	AUE_FORK
-#define	SYS_AUE_read	AUE_NULL
-#define	SYS_AUE_write	AUE_NULL
+#define	SYS_AUE_read	AUE_READ
+#define	SYS_AUE_write	AUE_WRITE
 #define	SYS_AUE_open	AUE_OPEN_RWTC
 #define	SYS_AUE_close	AUE_CLOSE
 #define	SYS_AUE_wait4	AUE_WAIT4


