From owner-p4-projects@FreeBSD.ORG Fri Jun 25 12:48:08 2010 Return-Path: Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id 180021065672; Fri, 25 Jun 2010 12:48:08 +0000 (UTC) Delivered-To: perforce@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id D0A57106564A for ; Fri, 25 Jun 2010 12:48:07 +0000 (UTC) (envelope-from gpf@FreeBSD.org) Received: from repoman.freebsd.org (repoman.freebsd.org [IPv6:2001:4f8:fff6::29]) by mx1.freebsd.org (Postfix) with ESMTP id BD81E8FC12 for ; Fri, 25 Jun 2010 12:48:07 +0000 (UTC) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.14.3/8.14.3) with ESMTP id o5PCm7DI008073 for ; Fri, 25 Jun 2010 12:48:07 GMT (envelope-from gpf@FreeBSD.org) Received: (from perforce@localhost) by repoman.freebsd.org (8.14.3/8.14.3/Submit) id o5PCm7qI008071 for perforce@freebsd.org; Fri, 25 Jun 2010 12:48:07 GMT (envelope-from gpf@FreeBSD.org) Date: Fri, 25 Jun 2010 12:48:07 GMT Message-Id: <201006251248.o5PCm7qI008071@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to gpf@FreeBSD.org using -f 
From: Efstratios Karatzas To: Perforce Change Reviews Precedence: bulk Cc: Subject: PERFORCE change 180209 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.5 List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 25 Jun 2010 12:48:08 -0000 http://p4web.freebsd.org/@@180209?ac=10 Change 180209 by gpf@gpf_desktop on 2010/06/25 12:47:41 - audit support for link, rename & null. noop is not actually a rpc so nothing more to be done. Oh and we may also consider changing null's audit class from 'no' to something else so that we may actually keep track of these "pings" to the nfs server. both new & old nfs servers: - I was wondering for some time now why my nfs audit logs nearly always reported successes, even if for example some operation was not supported. To make a long story short, we are not keeping track of the actual reply status of the rpc instead of what the pseudo-syscall returns. Affected files ... .. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/fs/nfsserver/nfs_nfsdkrpc.c#2 edit .. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/fs/nfsserver/nfs_nfsdport.c#6 edit .. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/fs/nfsserver/nfs_nfsdserv.c#6 edit .. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/fs/nfsserver/nfs_nfsdsocket.c#6 edit .. //depot/projects/soc2010/gpf_audit/freebsd/src/sys/nfsserver/nfs_srvkrpc.c#5 edit Differences ... ==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/fs/nfsserver/nfs_nfsdkrpc.c#2 (text+ko) ==== @@ -42,6 +42,7 @@ #include #include +#include #include NFSDLOCKMUTEX; 
@@ -233,6 +234,8 @@ cacherep = nfs_proc(&nd, rqst->rq_xid, xprt->xp_socket, xprt->xp_sockref, &rp); } else { + AUDIT_NFS_ENTER(NFSPROC_NULL, nd.nd_cred, curthread); + AUDIT_NFS_EXIT(0, curthread); NFSMGET(nd.nd_mreq); nd.nd_mreq->m_len = 0; cacherep = RC_REPLY; ==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/fs/nfsserver/nfs_nfsdport.c#6 (text+ko) ==== @@ -1121,9 +1121,16 @@ } out: if (!error) { + /* extra verfs to make the audit code less racy */ + vref(fromndp->ni_dvp); + vref(tondp->ni_dvp); error = VOP_RENAME(fromndp->ni_dvp, fromndp->ni_vp, &fromndp->ni_cnd, tondp->ni_dvp, tondp->ni_vp, &tondp->ni_cnd); + nfsrv_auditpath(NULL, fromndp->ni_dvp, fromndp->ni_cnd.cn_pnbuf, NULL, 1); + nfsrv_auditpath(NULL, tondp->ni_dvp, tondp->ni_cnd.cn_pnbuf, NULL, 2); + vrele(fromndp->ni_dvp); + vrele(tondp->ni_dvp); } else { if (tdvp == tvp) vrele(tdvp); ==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/fs/nfsserver/nfs_nfsdserv.c#6 (text+ko) ==== @@ -1459,9 +1459,7 @@ /* * Done parsing, now down to business. - */ - if (fromnd.ni_vp != NULL) - AUDIT_ARG_VNODE1(fromnd.ni_vp); + */ nd->nd_repstat = nfsvno_namei(nd, &fromnd, dp, 1, exp, p, &fdirp); if (nd->nd_repstat) { if (nd->nd_flag & ND_NFSV3) { @@ -1481,6 +1479,8 @@ nfsvno_relpathbuf(&tond); return (0); } + if (fromnd.ni_vp != NULL) + AUDIT_ARG_VNODE1(fromnd.ni_vp); if (vnode_vtype(fromnd.ni_vp) == VDIR) tond.ni_cnd.cn_flags |= WILLBEDIR; nd->nd_repstat = nfsvno_namei(nd, &tond, tdp, 0, &tnes, p, &tdirp); ==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/fs/nfsserver/nfs_nfsdsocket.c#6 (text+ko) ==== @@ -451,8 +451,16 @@ vrele(AUDIT_vp); } } else if (nfs_retfh[nd->nd_procnum] == 2) { + if (vp != NULL) + vref(vp); error = (*(nfsrv3_procs2[nd->nd_procnum]))(nd, isdgram, vp, NULL, p, &nes, NULL); + if (vp != NULL) { + if (nd->nd_procnum == NFSPROC_LINK) + nfsrv_auditpath(vp, NULL, NULL, + (fhandle_t *)fh.nfsrvfh_data, 2); + vrele(vp); + } } else { if (vp != NULL) vref(vp); 
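Review bot: In the nfs_nfsdkrpc.c hunk at -233, `AUDIT_NFS_ENTER(NFSPROC_NULL, nd.nd_cred, curthread)` sits in the else branch that bypasses nfs_proc(), and nothing visible in the hunk shows nd.nd_cred being populated on that path. If credentials are only fetched for non-NULL procedures, the macro receives an unset or NULL credential, so confirm it tolerates that and say so in a comment such as `/* NULL proc: no credential is attached to the request on this path */`. The record also carries no peer address, whereas the old server's path in nfs_srvkrpc.c calls `AUDIT_ARG_SOCKADDR_IN` right after the enter macro, so these pings could not be attributed to a client if the audit class is changed as the description suggests. The enclosing function starts and ends outside the hunk.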
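Review bot: In the nfs_nfsdport.c hunk (-1121), both `nfsrv_auditpath()` calls run after `VOP_RENAME()` has returned, and nothing in the hunk holds the directories stable across that gap, so the paths written to the audit record may no longer match what the rename acted on. The added `vref()`/`vrele()` pair keeps the two directory vnodes referenced but does not pin their names, which is presumably what "less racy" concedes. I would spell the residual window out in the comment, e.g. `/* extra vrefs keep both dvps valid for the audit calls below; recorded paths are best-effort and may reflect a concurrent rename */`. The calls also read `cn_pnbuf` after the VOP; the path buffers are released outside the hunk, so it is worth confirming they are still owned by the caller at this point.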
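Review bot: In the second nfs_nfsdserv.c hunk (-1481), the relocated `if (fromnd.ni_vp != NULL)` guard is followed directly by `vnode_vtype(fromnd.ni_vp)` with no guard, so either the check is redundant once nfsvno_namei() has succeeded or the next line can see a NULL vnode. If the vnode is guaranteed at this point, calling `AUDIT_ARG_VNODE1(fromnd.ni_vp);` unconditionally would read more honestly; if it is not, the guard should cover the vnode_vtype() test as well. The enclosing function starts and ends outside the hunk.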
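Review bot: In the nfs_nfsdsocket.c hunk at -451, the final argument `2` passed to `nfsrv_auditpath()` for NFSPROC_LINK is a bare literal, as is the `1` used in the branch that follows and in the rename code in nfs_nfsdport.c. It appears to select which path slot of the audit record is filled, but the hunk does not say so, and a reader cannot tell why LINK's file handle goes into slot 2 rather than 1. A one-line comment above the call, e.g. `/* LINK: record the path for the file handle in the second path slot of the record */` (adjusted to the real meaning), or a named constant for the slot, would make the record layout checkable.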
@@ -461,14 +469,13 @@ if (vp != NULL) { if (nd->nd_procnum != NFSPROC_CREATE && nd->nd_procnum != NFSPROC_RMDIR && - nd->nd_procnum != NFSPROC_REMOVE) { + nd->nd_procnum != NFSPROC_REMOVE) nfsrv_auditpath(vp, NULL, NULL, (fhandle_t *)fh.nfsrvfh_data, 1); - } vrele(vp); } } - AUDIT_NFS_EXIT(error, curthread); + AUDIT_NFS_EXIT(nd->nd_repstat, curthread); if (mp) { if (nfs_writerpc[nd->nd_procnum]) NFS_ENDWRITE(mp); ==== //depot/projects/soc2010/gpf_audit/freebsd/src/sys/nfsserver/nfs_srvkrpc.c#5 (text+ko) ==== @@ -355,7 +355,7 @@ AUDIT_NFS_ENTER(procnum, nd.nd_cr, td); AUDIT_ARG_SOCKADDR_IN((struct sockaddr_in *)nd.nd_nam); error = proc(&nd, NULL, &mrep); - AUDIT_NFS_EXIT(error, td); + AUDIT_NFS_EXIT(nd.nd_repstat, td); if (nd.nd_cr) crfree(nd.nd_cr);
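Review bot: Passing only `nd->nd_repstat` to `AUDIT_NFS_EXIT` in the nfs_nfsdsocket.c hunk (-461) drops the procedure's own return value from the audit record, so a call that sets `error` but leaves nd_repstat at zero would now be logged as a success, the mirror image of the problem the description sets out to fix. Whether any procedure behaves that way is decided outside the hunk and needs checking; if it can happen, record whichever value is non-zero, e.g. `AUDIT_NFS_EXIT(nd->nd_repstat != 0 ? nd->nd_repstat : error, curthread);`. nd_repstat presumably holds an NFS protocol status rather than an errno, so also confirm the exit macro maps it before it reaches the record's return token. The same applies to `AUDIT_NFS_EXIT(nd.nd_repstat, td)` in the nfs_srvkrpc.c hunk (-355).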