Date: Fri, 25 Jun 2010 12:48:07 GMT From: Efstratios Karatzas <gpf@FreeBSD.org> To: Perforce Change Reviews <perforce@FreeBSD.org> Subject: PERFORCE change 180209 for review Message-ID: <201006251248.o5PCm7qI008071@repoman.freebsd.org>
next in thread | raw e-mail | index | archive | help
http://p4web.freebsd.org/@@180209?ac=10 Change 180209 by gpf@gpf_desktop on 2010/06/25 12:47:41 - audit support for link, rename & null. noop is not actually a rpc so nothing more to be done. Oh and we may also consider changing null's audit class from 'no' to something else so that we may actually keep track of these "pings" to the nfs server. both new & old nfs servers: - I was wondering for some time now why my nfs audit logs nearly always reported successes, even if for example some operation was not supported. To make a long story short, we are not keeping track of the actual reply status of the rpc instead of what the pseudo-syscall returns. Affected files ... .. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/fs/nfsserver/nfs_nfsdkrpc.c#2 edit .. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/fs/nfsserver/nfs_nfsdport.c#6 edit .. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/fs/nfsserver/nfs_nfsdserv.c#6 edit .. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/fs/nfsserver/nfs_nfsdsocket.c#6 edit .. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/nfsserver/nfs_srvkrpc.c#5 edit Differences ... ==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/fs/nfsserver/nfs_nfsdkrpc.c#2 (text+ko) ==== @@ -42,6 +42,7 @@ #include <rpc/rpc.h> #include <rpc/rpcsec_gss.h> +#include <security/audit/audit.h> #include <security/mac/mac_framework.h> NFSDLOCKMUTEX; @@ -233,6 +234,8 @@ cacherep = nfs_proc(&nd, rqst->rq_xid, xprt->xp_socket, xprt->xp_sockref, &rp); } else { + AUDIT_NFS_ENTER(NFSPROC_NULL, nd.nd_cred, curthread); + AUDIT_NFS_EXIT(0, curthread); NFSMGET(nd.nd_mreq); nd.nd_mreq->m_len = 0; cacherep = RC_REPLY; ==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/fs/nfsserver/nfs_nfsdport.c#6 (text+ko) ==== @@ -1121,9 +1121,16 @@ } out: if (!error) { + /* extra verfs to make the audit code less racy */ + vref(fromndp->ni_dvp); + vref(tondp->ni_dvp); error = VOP_RENAME(fromndp->ni_dvp, fromndp->ni_vp, &fromndp->ni_cnd, tondp->ni_dvp, tondp->ni_vp, &tondp->ni_cnd); + nfsrv_auditpath(NULL, fromndp->ni_dvp, fromndp->ni_cnd.cn_pnbuf, NULL, 1); + nfsrv_auditpath(NULL, tondp->ni_dvp, tondp->ni_cnd.cn_pnbuf, NULL, 2); + vrele(fromndp->ni_dvp); + vrele(tondp->ni_dvp); } else { if (tdvp == tvp) vrele(tdvp); ==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/fs/nfsserver/nfs_nfsdserv.c#6 (text+ko) ==== @@ -1459,9 +1459,7 @@ /* * Done parsing, now down to business. - */ - if (fromnd.ni_vp != NULL) - AUDIT_ARG_VNODE1(fromnd.ni_vp); + */ nd->nd_repstat = nfsvno_namei(nd, &fromnd, dp, 1, exp, p, &fdirp); if (nd->nd_repstat) { if (nd->nd_flag & ND_NFSV3) { @@ -1481,6 +1479,8 @@ nfsvno_relpathbuf(&tond); return (0); } + if (fromnd.ni_vp != NULL) + AUDIT_ARG_VNODE1(fromnd.ni_vp); if (vnode_vtype(fromnd.ni_vp) == VDIR) tond.ni_cnd.cn_flags |= WILLBEDIR; nd->nd_repstat = nfsvno_namei(nd, &tond, tdp, 0, &tnes, p, &tdirp); ==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/fs/nfsserver/nfs_nfsdsocket.c#6 (text+ko) ==== @@ -451,8 +451,16 @@ vrele(AUDIT_vp); } } else if (nfs_retfh[nd->nd_procnum] == 2) { + if (vp != NULL) + vref(vp); error = (*(nfsrv3_procs2[nd->nd_procnum]))(nd, isdgram, vp, NULL, p, &nes, NULL); + if (vp != NULL) { + if (nd->nd_procnum == NFSPROC_LINK) + nfsrv_auditpath(vp, NULL, NULL, + (fhandle_t *)fh.nfsrvfh_data, 2); + vrele(vp); + } } else { if (vp != NULL) vref(vp); @@ -461,14 +469,13 @@ if (vp != NULL) { if (nd->nd_procnum != NFSPROC_CREATE && nd->nd_procnum != NFSPROC_RMDIR && - nd->nd_procnum != NFSPROC_REMOVE) { + nd->nd_procnum != NFSPROC_REMOVE) nfsrv_auditpath(vp, NULL, NULL, (fhandle_t *)fh.nfsrvfh_data, 1); - } vrele(vp); } } - AUDIT_NFS_EXIT(error, curthread); + AUDIT_NFS_EXIT(nd->nd_repstat, curthread); if (mp) { if (nfs_writerpc[nd->nd_procnum]) NFS_ENDWRITE(mp); ==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/nfsserver/nfs_srvkrpc.c#5 (text+ko) ==== @@ -355,7 +355,7 @@ AUDIT_NFS_ENTER(procnum, nd.nd_cr, td); AUDIT_ARG_SOCKADDR_IN((struct sockaddr_in *)nd.nd_nam); error = proc(&nd, NULL, &mrep); - AUDIT_NFS_EXIT(error, td); + AUDIT_NFS_EXIT(nd.nd_repstat, td); if (nd.nd_cr) crfree(nd.nd_cr);
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201006251248.o5PCm7qI008071>