d/freebsd-dev
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
e4ff3b06bd
freebsd-dev/sys/security/audit/audit_syscalls.c

754 lines
17 KiB
C
Raw Normal View History

Import kernel audit framework: - Management of audit state on processes. - Audit system calls to configure process and system audit state. - Reliable audit record queue implementation, audit_worker kernel thread to asynchronously store records on disk. - Audit event argument. - Internal audit data structure -> BSM audit trail conversion library. - Audit event pre-selection. - Audit pseudo-device permitting kernel->user upcalls to notify auditd of kernel audit events. Much work by: wsalamon Obtained from: TrustedBSD Project, Apple Computer, Inc.
2006-02-01 20:01:18 +00:00
/*
* Copyright (c) 1999-2005 Apple Computer, Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
* its contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
* ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
* $FreeBSD$
*/
Allow MAC policy modules to control access to audit configuration system calls. Add MAC Framework entry points and MAC policy entry points for audit(), auditctl(), auditon(), setaudit(), aud setauid(). MAC Framework entry points are only added for audit system calls where additional argument context may be useful for policy decision-making; other audit system calls without arguments may be controlled via the priv(9) entry points. Update various policy modules to implement audit-related checks, and in some cases, other missing system-related checks. Obtained from: TrustedBSD Project Sponsored by: SPARTA, Inc.
2007-04-21 22:08:48 +00:00
#include "opt_mac.h"
Import kernel audit framework: - Management of audit state on processes. - Audit system calls to configure process and system audit state. - Reliable audit record queue implementation, audit_worker kernel thread to asynchronously store records on disk. - Audit event argument. - Internal audit data structure -> BSM audit trail conversion library. - Audit event pre-selection. - Audit pseudo-device permitting kernel->user upcalls to notify auditd of kernel audit events. Much work by: wsalamon Obtained from: TrustedBSD Project, Apple Computer, Inc.
2006-02-01 20:01:18 +00:00
#include <sys/param.h>
Remove use of Giant around vn_open() in audit trail setup. Submitted by: jhb, wsalamon Obtained from: TrustedBSD Project
2006-06-05 22:36:12 +00:00
#include <sys/mount.h>
Import kernel audit framework: - Management of audit state on processes. - Audit system calls to configure process and system audit state. - Reliable audit record queue implementation, audit_worker kernel thread to asynchronously store records on disk. - Audit event argument. - Internal audit data structure -> BSM audit trail conversion library. - Audit event pre-selection. - Audit pseudo-device permitting kernel->user upcalls to notify auditd of kernel audit events. Much work by: wsalamon Obtained from: TrustedBSD Project, Apple Computer, Inc.
2006-02-01 20:01:18 +00:00
#include <sys/namei.h>
Sweep kernel replacing suser(9) calls with priv(9) calls, assigning specific privilege names to a broad range of privileges. These may require some future tweaking. Sponsored by: nCircle Network Security, Inc. Obtained from: TrustedBSD Project Discussed on: arch@ Reviewed (at least in part) by: mlaier, jmg, pjd, bde, ceri, Alex Lyashkov <umka at sevcity dot net>, Skip Ford <skip dot ford at verizon dot net>, Antoine Brodin <antoine dot brodin at laposte dot net>
2006-11-06 13:42:10 +00:00
#include <sys/priv.h>
Import kernel audit framework: - Management of audit state on processes. - Audit system calls to configure process and system audit state. - Reliable audit record queue implementation, audit_worker kernel thread to asynchronously store records on disk. - Audit event argument. - Internal audit data structure -> BSM audit trail conversion library. - Audit event pre-selection. - Audit pseudo-device permitting kernel->user upcalls to notify auditd of kernel audit events. Much work by: wsalamon Obtained from: TrustedBSD Project, Apple Computer, Inc.
2006-02-01 20:01:18 +00:00
#include <sys/proc.h>
#include <sys/sysproto.h>
#include <sys/systm.h>
#include <sys/vnode.h>
Mark the audit system calls as being un-implemented in jails. Currently we do not trust jails enough to execute audit related system calls. An example of this is with su(1), or login(1) within prisons. So, if the syscall request comes from a jail return ENOSYS. This will cause these utilities to operate as if audit is not present in the kernel. Looking forward, this problem will be remedied by allowing non privileged users to maintain and their own audit streams, but the details on exactly how this will be implemented needs to be worked out. This change should fix situations when options AUDIT has been compiled into the kernel, and utilities like su(1), or login(1) fail due to audit system call failures within jails. This is a RELENG_6 candidate. Reported by: Christian Brueffer Discussed with: rwatson MFC after: 3 days
2006-10-10 15:49:10 +00:00
#include <sys/jail.h>
Import kernel audit framework: - Management of audit state on processes. - Audit system calls to configure process and system audit state. - Reliable audit record queue implementation, audit_worker kernel thread to asynchronously store records on disk. - Audit event argument. - Internal audit data structure -> BSM audit trail conversion library. - Audit event pre-selection. - Audit pseudo-device permitting kernel->user upcalls to notify auditd of kernel audit events. Much work by: wsalamon Obtained from: TrustedBSD Project, Apple Computer, Inc.
2006-02-01 20:01:18 +00:00
#include <bsm/audit.h>
#include <bsm/audit_kevents.h>
Allow MAC policy modules to control access to audit configuration system calls. Add MAC Framework entry points and MAC policy entry points for audit(), auditctl(), auditon(), setaudit(), aud setauid(). MAC Framework entry points are only added for audit system calls where additional argument context may be useful for policy decision-making; other audit system calls without arguments may be controlled via the priv(9) entry points. Update various policy modules to implement audit-related checks, and in some cases, other missing system-related checks. Obtained from: TrustedBSD Project Sponsored by: SPARTA, Inc.
2007-04-21 22:08:48 +00:00
Import kernel audit framework: - Management of audit state on processes. - Audit system calls to configure process and system audit state. - Reliable audit record queue implementation, audit_worker kernel thread to asynchronously store records on disk. - Audit event argument. - Internal audit data structure -> BSM audit trail conversion library. - Audit event pre-selection. - Audit pseudo-device permitting kernel->user upcalls to notify auditd of kernel audit events. Much work by: wsalamon Obtained from: TrustedBSD Project, Apple Computer, Inc.
2006-02-01 20:01:18 +00:00
#include <security/audit/audit.h>
#include <security/audit/audit_private.h>
Allow MAC policy modules to control access to audit configuration system calls. Add MAC Framework entry points and MAC policy entry points for audit(), auditctl(), auditon(), setaudit(), aud setauid(). MAC Framework entry points are only added for audit system calls where additional argument context may be useful for policy decision-making; other audit system calls without arguments may be controlled via the priv(9) entry points. Update various policy modules to implement audit-related checks, and in some cases, other missing system-related checks. Obtained from: TrustedBSD Project Sponsored by: SPARTA, Inc.
2007-04-21 22:08:48 +00:00
#include <security/mac/mac_framework.h>
Import kernel audit framework: - Management of audit state on processes. - Audit system calls to configure process and system audit state. - Reliable audit record queue implementation, audit_worker kernel thread to asynchronously store records on disk. - Audit event argument. - Internal audit data structure -> BSM audit trail conversion library. - Audit event pre-selection. - Audit pseudo-device permitting kernel->user upcalls to notify auditd of kernel audit events. Much work by: wsalamon Obtained from: TrustedBSD Project, Apple Computer, Inc.
2006-02-01 20:01:18 +00:00
#ifdef AUDIT
/*
Merge Perforce change 93581 from TrustedBSD audit3 branch: Mega-style patch. Obtained from: TrustedBSD Project
2006-03-19 17:34:00 +00:00
* System call to allow a user space application to submit a BSM audit record
Consistent white space after .'s in comments.
2007-05-30 08:39:16 +00:00
* to the kernel for inclusion in the audit log. This function does little
Merge Perforce change 93581 from TrustedBSD audit3 branch: Mega-style patch. Obtained from: TrustedBSD Project
2006-03-19 17:34:00 +00:00
* verification on the audit record that is submitted.
Import kernel audit framework: - Management of audit state on processes. - Audit system calls to configure process and system audit state. - Reliable audit record queue implementation, audit_worker kernel thread to asynchronously store records on disk. - Audit event argument. - Internal audit data structure -> BSM audit trail conversion library. - Audit event pre-selection. - Audit pseudo-device permitting kernel->user upcalls to notify auditd of kernel audit events. Much work by: wsalamon Obtained from: TrustedBSD Project, Apple Computer, Inc.
2006-02-01 20:01:18 +00:00
*
Merge Perforce change 93581 from TrustedBSD audit3 branch: Mega-style patch. Obtained from: TrustedBSD Project
2006-03-19 17:34:00 +00:00
* XXXAUDIT: Audit preselection for user records does not currently work,
* since we pre-select only based on the AUE_audit event type, not the event
* type submitted as part of the user audit data.
Import kernel audit framework: - Management of audit state on processes. - Audit system calls to configure process and system audit state. - Reliable audit record queue implementation, audit_worker kernel thread to asynchronously store records on disk. - Audit event argument. - Internal audit data structure -> BSM audit trail conversion library. - Audit event pre-selection. - Audit pseudo-device permitting kernel->user upcalls to notify auditd of kernel audit events. Much work by: wsalamon Obtained from: TrustedBSD Project, Apple Computer, Inc.
2006-02-01 20:01:18 +00:00
*/
/* ARGSUSED */
int
audit(struct thread *td, struct audit_args *uap)
{
int error;
void * rec;
struct kaudit_record *ar;
Mark the audit system calls as being un-implemented in jails. Currently we do not trust jails enough to execute audit related system calls. An example of this is with su(1), or login(1) within prisons. So, if the syscall request comes from a jail return ENOSYS. This will cause these utilities to operate as if audit is not present in the kernel. Looking forward, this problem will be remedied by allowing non privileged users to maintain and their own audit streams, but the details on exactly how this will be implemented needs to be worked out. This change should fix situations when options AUDIT has been compiled into the kernel, and utilities like su(1), or login(1) fail due to audit system call failures within jails. This is a RELENG_6 candidate. Reported by: Christian Brueffer Discussed with: rwatson MFC after: 3 days
2006-10-10 15:49:10 +00:00
if (jailed(td->td_ucred))
return (ENOSYS);
Sweep kernel replacing suser(9) calls with priv(9) calls, assigning specific privilege names to a broad range of privileges. These may require some future tweaking. Sponsored by: nCircle Network Security, Inc. Obtained from: TrustedBSD Project Discussed on: arch@ Reviewed (at least in part) by: mlaier, jmg, pjd, bde, ceri, Alex Lyashkov <umka at sevcity dot net>, Skip Ford <skip dot ford at verizon dot net>, Antoine Brodin <antoine dot brodin at laposte dot net>
2006-11-06 13:42:10 +00:00
error = priv_check(td, PRIV_AUDIT_SUBMIT);
Import kernel audit framework: - Management of audit state on processes. - Audit system calls to configure process and system audit state. - Reliable audit record queue implementation, audit_worker kernel thread to asynchronously store records on disk. - Audit event argument. - Internal audit data structure -> BSM audit trail conversion library. - Audit event pre-selection. - Audit pseudo-device permitting kernel->user upcalls to notify auditd of kernel audit events. Much work by: wsalamon Obtained from: TrustedBSD Project, Apple Computer, Inc.
2006-02-01 20:01:18 +00:00
if (error)
return (error);
if ((uap->length <= 0) || (uap->length > audit_qctrl.aq_bufsz))
return (EINVAL);
ar = currecord();
Merge Perforce change 93581 from TrustedBSD audit3 branch: Mega-style patch. Obtained from: TrustedBSD Project
2006-03-19 17:34:00 +00:00
/*
* If there's no current audit record (audit() itself not audited)
Import kernel audit framework: - Management of audit state on processes. - Audit system calls to configure process and system audit state. - Reliable audit record queue implementation, audit_worker kernel thread to asynchronously store records on disk. - Audit event argument. - Internal audit data structure -> BSM audit trail conversion library. - Audit event pre-selection. - Audit pseudo-device permitting kernel->user upcalls to notify auditd of kernel audit events. Much work by: wsalamon Obtained from: TrustedBSD Project, Apple Computer, Inc.
2006-02-01 20:01:18 +00:00
* commit the user audit record.
*/
if (ar == NULL) {
Merge Perforce change 93581 from TrustedBSD audit3 branch: Mega-style patch. Obtained from: TrustedBSD Project
2006-03-19 17:34:00 +00:00
/*
* This is not very efficient; we're required to allocate a
* complete kernel audit record just so the user record can
* tag along.
Import kernel audit framework: - Management of audit state on processes. - Audit system calls to configure process and system audit state. - Reliable audit record queue implementation, audit_worker kernel thread to asynchronously store records on disk. - Audit event argument. - Internal audit data structure -> BSM audit trail conversion library. - Audit event pre-selection. - Audit pseudo-device permitting kernel->user upcalls to notify auditd of kernel audit events. Much work by: wsalamon Obtained from: TrustedBSD Project, Apple Computer, Inc.
2006-02-01 20:01:18 +00:00
*
* XXXAUDIT: Maybe AUE_AUDIT in the system call context and
* special pre-select handling?
*/
td->td_ar = audit_new(AUE_NULL, td);
if (td->td_ar == NULL)
return (ENOTSUP);
ar = td->td_ar;
}
Merge Perforce change 93581 from TrustedBSD audit3 branch: Mega-style patch. Obtained from: TrustedBSD Project
2006-03-19 17:34:00 +00:00
if (uap->length > MAX_AUDIT_RECORD_SIZE)
Import kernel audit framework: - Management of audit state on processes. - Audit system calls to configure process and system audit state. - Reliable audit record queue implementation, audit_worker kernel thread to asynchronously store records on disk. - Audit event argument. - Internal audit data structure -> BSM audit trail conversion library. - Audit event pre-selection. - Audit pseudo-device permitting kernel->user upcalls to notify auditd of kernel audit events. Much work by: wsalamon Obtained from: TrustedBSD Project, Apple Computer, Inc.
2006-02-01 20:01:18 +00:00
return (EINVAL);
rec = malloc(uap->length, M_AUDITDATA, M_WAITOK);
error = copyin(uap->record, rec, uap->length);
if (error)
goto free_out;
Merge Perforce change 93581 from TrustedBSD audit3 branch: Mega-style patch. Obtained from: TrustedBSD Project
2006-03-19 17:34:00 +00:00
/* Verify the record. */
Import kernel audit framework: - Management of audit state on processes. - Audit system calls to configure process and system audit state. - Reliable audit record queue implementation, audit_worker kernel thread to asynchronously store records on disk. - Audit event argument. - Internal audit data structure -> BSM audit trail conversion library. - Audit event pre-selection. - Audit pseudo-device permitting kernel->user upcalls to notify auditd of kernel audit events. Much work by: wsalamon Obtained from: TrustedBSD Project, Apple Computer, Inc.
2006-02-01 20:01:18 +00:00
if (bsm_rec_verify(rec) == 0) {
error = EINVAL;
goto free_out;
}
Allow MAC policy modules to control access to audit configuration system calls. Add MAC Framework entry points and MAC policy entry points for audit(), auditctl(), auditon(), setaudit(), aud setauid(). MAC Framework entry points are only added for audit system calls where additional argument context may be useful for policy decision-making; other audit system calls without arguments may be controlled via the priv(9) entry points. Update various policy modules to implement audit-related checks, and in some cases, other missing system-related checks. Obtained from: TrustedBSD Project Sponsored by: SPARTA, Inc.
2007-04-21 22:08:48 +00:00
#ifdef MAC
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
error = mac_system_check_audit(td->td_ucred, rec, uap->length);
Allow MAC policy modules to control access to audit configuration system calls. Add MAC Framework entry points and MAC policy entry points for audit(), auditctl(), auditon(), setaudit(), aud setauid(). MAC Framework entry points are only added for audit system calls where additional argument context may be useful for policy decision-making; other audit system calls without arguments may be controlled via the priv(9) entry points. Update various policy modules to implement audit-related checks, and in some cases, other missing system-related checks. Obtained from: TrustedBSD Project Sponsored by: SPARTA, Inc.
2007-04-21 22:08:48 +00:00
if (error)
goto free_out;
#endif
Merge Perforce change 93581 from TrustedBSD audit3 branch: Mega-style patch. Obtained from: TrustedBSD Project
2006-03-19 17:34:00 +00:00
/*
Consistent white space after .'s in comments.
2007-05-30 08:39:16 +00:00
* Attach the user audit record to the kernel audit record. Because
Import kernel audit framework: - Management of audit state on processes. - Audit system calls to configure process and system audit state. - Reliable audit record queue implementation, audit_worker kernel thread to asynchronously store records on disk. - Audit event argument. - Internal audit data structure -> BSM audit trail conversion library. - Audit event pre-selection. - Audit pseudo-device permitting kernel->user upcalls to notify auditd of kernel audit events. Much work by: wsalamon Obtained from: TrustedBSD Project, Apple Computer, Inc.
2006-02-01 20:01:18 +00:00
* this system call is an auditable event, we will write the user
* record along with the record for this audit event.
*
* XXXAUDIT: KASSERT appropriate starting values of k_udata, k_ulen,
* k_ar_commit & AR_COMMIT_USER?
*/
ar->k_udata = rec;
ar->k_ulen = uap->length;
ar->k_ar_commit |= AR_COMMIT_USER;
Correct a slight regression which was introduced with the implementation of audit pipes. If the kernel record was not selected for the trail or the pipe, any user supplied record attached to it would be tossed away, resulting in otherwise selected events being lost. - Introduce two new masks: AR_PRESELECT_USER_TRAIL AR_PRESELECT_USER_PIPE, currently we have AR_PRESELECT_TRAIL and AR_PRESELECT_PIPE, which tells the audit worker that we are interested in the kernel record, with the additional masks we can determine if either the pipe or trail is interested in seeing the kernel or user record. - In audit(2), we unconditionally set the AR_PRESELECT_USER_TRAIL and AR_PRESELECT_USER_PIPE masks under the assumption that userspace has done the preselection [1]. Currently, there is work being done that allows the kernel to parse and preselect user supplied records, so in the future preselection could occur in either layer. But there is still a few details to work out here. [1] At some point we need to teach au_preselect(3) about the interests of all the individual audit pipes. This is a RELENG_6 candidate. Reviewed by: rwatson Obtained from: TrustedBSD Project MFC after: 1 week
2006-09-17 17:52:57 +00:00
/*
* Currently we assume that all preselection has been performed in
Consistent white space after .'s in comments.
2007-05-30 08:39:16 +00:00
* userspace. We unconditionally set these masks so that the records
Correct a slight regression which was introduced with the implementation of audit pipes. If the kernel record was not selected for the trail or the pipe, any user supplied record attached to it would be tossed away, resulting in otherwise selected events being lost. - Introduce two new masks: AR_PRESELECT_USER_TRAIL AR_PRESELECT_USER_PIPE, currently we have AR_PRESELECT_TRAIL and AR_PRESELECT_PIPE, which tells the audit worker that we are interested in the kernel record, with the additional masks we can determine if either the pipe or trail is interested in seeing the kernel or user record. - In audit(2), we unconditionally set the AR_PRESELECT_USER_TRAIL and AR_PRESELECT_USER_PIPE masks under the assumption that userspace has done the preselection [1]. Currently, there is work being done that allows the kernel to parse and preselect user supplied records, so in the future preselection could occur in either layer. But there is still a few details to work out here. [1] At some point we need to teach au_preselect(3) about the interests of all the individual audit pipes. This is a RELENG_6 candidate. Reviewed by: rwatson Obtained from: TrustedBSD Project MFC after: 1 week
2006-09-17 17:52:57 +00:00
* get committed both to the trail and pipe. In the future we will
* want to setup kernel based preselection.
*/
ar->k_ar_commit |= (AR_PRESELECT_USER_TRAIL | AR_PRESELECT_USER_PIPE);
Import kernel audit framework: - Management of audit state on processes. - Audit system calls to configure process and system audit state. - Reliable audit record queue implementation, audit_worker kernel thread to asynchronously store records on disk. - Audit event argument. - Internal audit data structure -> BSM audit trail conversion library. - Audit event pre-selection. - Audit pseudo-device permitting kernel->user upcalls to notify auditd of kernel audit events. Much work by: wsalamon Obtained from: TrustedBSD Project, Apple Computer, Inc.
2006-02-01 20:01:18 +00:00
return (0);
free_out:
Merge Perforce change 93581 from TrustedBSD audit3 branch: Mega-style patch. Obtained from: TrustedBSD Project
2006-03-19 17:34:00 +00:00
/*
* audit_syscall_exit() will free the audit record on the thread even
* if we allocated it above.
Import kernel audit framework: - Management of audit state on processes. - Audit system calls to configure process and system audit state. - Reliable audit record queue implementation, audit_worker kernel thread to asynchronously store records on disk. - Audit event argument. - Internal audit data structure -> BSM audit trail conversion library. - Audit event pre-selection. - Audit pseudo-device permitting kernel->user upcalls to notify auditd of kernel audit events. Much work by: wsalamon Obtained from: TrustedBSD Project, Apple Computer, Inc.
2006-02-01 20:01:18 +00:00
*/
free(rec, M_AUDITDATA);
return (error);
}
/*
* System call to manipulate auditing.
*/
/* ARGSUSED */
int
auditon(struct thread *td, struct auditon_args *uap)
{
Move per-process audit state from a pointer in the proc structure to embedded storage in struct ucred. This allows audit state to be cached with the thread, avoiding locking operations with each system call, and makes it available in asynchronous execution contexts, such as deep in the network stack or VFS. Reviewed by: csjp Approved by: re (kensmith) Obtained from: TrustedBSD Project
2007-06-07 22:27:15 +00:00
struct ucred *newcred, *oldcred;
Import kernel audit framework: - Management of audit state on processes. - Audit system calls to configure process and system audit state. - Reliable audit record queue implementation, audit_worker kernel thread to asynchronously store records on disk. - Audit event argument. - Internal audit data structure -> BSM audit trail conversion library. - Audit event pre-selection. - Audit pseudo-device permitting kernel->user upcalls to notify auditd of kernel audit events. Much work by: wsalamon Obtained from: TrustedBSD Project, Apple Computer, Inc.
2006-02-01 20:01:18 +00:00
int error;
union auditon_udata udata;
struct proc *tp;
Mark the audit system calls as being un-implemented in jails. Currently we do not trust jails enough to execute audit related system calls. An example of this is with su(1), or login(1) within prisons. So, if the syscall request comes from a jail return ENOSYS. This will cause these utilities to operate as if audit is not present in the kernel. Looking forward, this problem will be remedied by allowing non privileged users to maintain and their own audit streams, but the details on exactly how this will be implemented needs to be worked out. This change should fix situations when options AUDIT has been compiled into the kernel, and utilities like su(1), or login(1) fail due to audit system call failures within jails. This is a RELENG_6 candidate. Reported by: Christian Brueffer Discussed with: rwatson MFC after: 3 days
2006-10-10 15:49:10 +00:00
if (jailed(td->td_ucred))
return (ENOSYS);
Import kernel audit framework: - Management of audit state on processes. - Audit system calls to configure process and system audit state. - Reliable audit record queue implementation, audit_worker kernel thread to asynchronously store records on disk. - Audit event argument. - Internal audit data structure -> BSM audit trail conversion library. - Audit event pre-selection. - Audit pseudo-device permitting kernel->user upcalls to notify auditd of kernel audit events. Much work by: wsalamon Obtained from: TrustedBSD Project, Apple Computer, Inc.
2006-02-01 20:01:18 +00:00
AUDIT_ARG(cmd, uap->cmd);
Allow MAC policy modules to control access to audit configuration system calls. Add MAC Framework entry points and MAC policy entry points for audit(), auditctl(), auditon(), setaudit(), aud setauid(). MAC Framework entry points are only added for audit system calls where additional argument context may be useful for policy decision-making; other audit system calls without arguments may be controlled via the priv(9) entry points. Update various policy modules to implement audit-related checks, and in some cases, other missing system-related checks. Obtained from: TrustedBSD Project Sponsored by: SPARTA, Inc.
2007-04-21 22:08:48 +00:00
#ifdef MAC
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
error = mac_system_check_auditon(td->td_ucred, uap->cmd);
Allow MAC policy modules to control access to audit configuration system calls. Add MAC Framework entry points and MAC policy entry points for audit(), auditctl(), auditon(), setaudit(), aud setauid(). MAC Framework entry points are only added for audit system calls where additional argument context may be useful for policy decision-making; other audit system calls without arguments may be controlled via the priv(9) entry points. Update various policy modules to implement audit-related checks, and in some cases, other missing system-related checks. Obtained from: TrustedBSD Project Sponsored by: SPARTA, Inc.
2007-04-21 22:08:48 +00:00
if (error)
return (error);
#endif
Sweep kernel replacing suser(9) calls with priv(9) calls, assigning specific privilege names to a broad range of privileges. These may require some future tweaking. Sponsored by: nCircle Network Security, Inc. Obtained from: TrustedBSD Project Discussed on: arch@ Reviewed (at least in part) by: mlaier, jmg, pjd, bde, ceri, Alex Lyashkov <umka at sevcity dot net>, Skip Ford <skip dot ford at verizon dot net>, Antoine Brodin <antoine dot brodin at laposte dot net>
2006-11-06 13:42:10 +00:00
error = priv_check(td, PRIV_AUDIT_CONTROL);
Import kernel audit framework: - Management of audit state on processes. - Audit system calls to configure process and system audit state. - Reliable audit record queue implementation, audit_worker kernel thread to asynchronously store records on disk. - Audit event argument. - Internal audit data structure -> BSM audit trail conversion library. - Audit event pre-selection. - Audit pseudo-device permitting kernel->user upcalls to notify auditd of kernel audit events. Much work by: wsalamon Obtained from: TrustedBSD Project, Apple Computer, Inc.
2006-02-01 20:01:18 +00:00
if (error)
return (error);
if ((uap->length <= 0) || (uap->length > sizeof(union auditon_udata)))
return (EINVAL);
memset((void *)&udata, 0, sizeof(udata));
Merge Perforce change 93581 from TrustedBSD audit3 branch: Mega-style patch. Obtained from: TrustedBSD Project
2006-03-19 17:34:00 +00:00
/*
* Some of the GET commands use the arguments too.
*/
Import kernel audit framework: - Management of audit state on processes. - Audit system calls to configure process and system audit state. - Reliable audit record queue implementation, audit_worker kernel thread to asynchronously store records on disk. - Audit event argument. - Internal audit data structure -> BSM audit trail conversion library. - Audit event pre-selection. - Audit pseudo-device permitting kernel->user upcalls to notify auditd of kernel audit events. Much work by: wsalamon Obtained from: TrustedBSD Project, Apple Computer, Inc.
2006-02-01 20:01:18 +00:00
switch (uap->cmd) {
case A_SETPOLICY:
case A_SETKMASK:
case A_SETQCTRL:
case A_SETSTAT:
case A_SETUMASK:
case A_SETSMASK:
case A_SETCOND:
case A_SETCLASS:
case A_SETPMASK:
case A_SETFSIZE:
case A_SETKAUDIT:
case A_GETCLASS:
case A_GETPINFO:
case A_GETPINFO_ADDR:
case A_SENDTRIGGER:
error = copyin(uap->data, (void *)&udata, uap->length);
if (error)
return (error);
AUDIT_ARG(auditon, &udata);
break;
}
Merge Perforce change 93581 from TrustedBSD audit3 branch: Mega-style patch. Obtained from: TrustedBSD Project
2006-03-19 17:34:00 +00:00
/*
Import kernel audit framework: - Management of audit state on processes. - Audit system calls to configure process and system audit state. - Reliable audit record queue implementation, audit_worker kernel thread to asynchronously store records on disk. - Audit event argument. - Internal audit data structure -> BSM audit trail conversion library. - Audit event pre-selection. - Audit pseudo-device permitting kernel->user upcalls to notify auditd of kernel audit events. Much work by: wsalamon Obtained from: TrustedBSD Project, Apple Computer, Inc.
2006-02-01 20:01:18 +00:00
* XXXAUDIT: Locking?
*/
switch (uap->cmd) {
case A_GETPOLICY:
if (!audit_fail_stop)
udata.au_policy |= AUDIT_CNT;
if (audit_panic_on_write_fail)
udata.au_policy |= AUDIT_AHLT;
Audit the argv and env vectors passed in on exec: Add the argument auditing functions for argv and env. Add kernel-specific versions of the tokenizer functions for the arg and env represented as a char array. Implement the AUDIT_ARGV and AUDIT_ARGE audit policy commands to enable/disable argv/env auditing. Call the argument auditing from the exec system calls. Obtained from: TrustedBSD Project Approved by: rwatson (mentor)
2006-09-01 11:45:40 +00:00
if (audit_argv)
udata.au_policy |= AUDIT_ARGV;
if (audit_arge)
udata.au_policy |= AUDIT_ARGE;
Import kernel audit framework: - Management of audit state on processes. - Audit system calls to configure process and system audit state. - Reliable audit record queue implementation, audit_worker kernel thread to asynchronously store records on disk. - Audit event argument. - Internal audit data structure -> BSM audit trail conversion library. - Audit event pre-selection. - Audit pseudo-device permitting kernel->user upcalls to notify auditd of kernel audit events. Much work by: wsalamon Obtained from: TrustedBSD Project, Apple Computer, Inc.
2006-02-01 20:01:18 +00:00
break;
case A_SETPOLICY:
Audit the argv and env vectors passed in on exec: Add the argument auditing functions for argv and env. Add kernel-specific versions of the tokenizer functions for the arg and env represented as a char array. Implement the AUDIT_ARGV and AUDIT_ARGE audit policy commands to enable/disable argv/env auditing. Call the argument auditing from the exec system calls. Obtained from: TrustedBSD Project Approved by: rwatson (mentor)
2006-09-01 11:45:40 +00:00
if (udata.au_policy & ~(AUDIT_CNT|AUDIT_AHLT|AUDIT_ARGV|
AUDIT_ARGE))
Import kernel audit framework: - Management of audit state on processes. - Audit system calls to configure process and system audit state. - Reliable audit record queue implementation, audit_worker kernel thread to asynchronously store records on disk. - Audit event argument. - Internal audit data structure -> BSM audit trail conversion library. - Audit event pre-selection. - Audit pseudo-device permitting kernel->user upcalls to notify auditd of kernel audit events. Much work by: wsalamon Obtained from: TrustedBSD Project, Apple Computer, Inc.
2006-02-01 20:01:18 +00:00
return (EINVAL);
/*
* XXX - Need to wake up waiters if the policy relaxes?
*/
audit_fail_stop = ((udata.au_policy & AUDIT_CNT) == 0);
audit_panic_on_write_fail = (udata.au_policy & AUDIT_AHLT);
Audit the argv and env vectors passed in on exec: Add the argument auditing functions for argv and env. Add kernel-specific versions of the tokenizer functions for the arg and env represented as a char array. Implement the AUDIT_ARGV and AUDIT_ARGE audit policy commands to enable/disable argv/env auditing. Call the argument auditing from the exec system calls. Obtained from: TrustedBSD Project Approved by: rwatson (mentor)
2006-09-01 11:45:40 +00:00
audit_argv = (udata.au_policy & AUDIT_ARGV);
audit_arge = (udata.au_policy & AUDIT_ARGE);
Import kernel audit framework: - Management of audit state on processes. - Audit system calls to configure process and system audit state. - Reliable audit record queue implementation, audit_worker kernel thread to asynchronously store records on disk. - Audit event argument. - Internal audit data structure -> BSM audit trail conversion library. - Audit event pre-selection. - Audit pseudo-device permitting kernel->user upcalls to notify auditd of kernel audit events. Much work by: wsalamon Obtained from: TrustedBSD Project, Apple Computer, Inc.
2006-02-01 20:01:18 +00:00
break;
case A_GETKMASK:
udata.au_mask = audit_nae_mask;
break;
case A_SETKMASK:
audit_nae_mask = udata.au_mask;
break;
case A_GETQCTRL:
udata.au_qctrl = audit_qctrl;
break;
case A_SETQCTRL:
if ((udata.au_qctrl.aq_hiwater > AQ_MAXHIGH) ||
(udata.au_qctrl.aq_lowater >= udata.au_qctrl.aq_hiwater) ||
(udata.au_qctrl.aq_bufsz > AQ_MAXBUFSZ) ||
(udata.au_qctrl.aq_minfree < 0) ||
(udata.au_qctrl.aq_minfree > 100))
return (EINVAL);
audit_qctrl = udata.au_qctrl;
/* XXX The queue delay value isn't used with the kernel. */
audit_qctrl.aq_delay = -1;
break;
case A_GETCWD:
return (ENOSYS);
break;
case A_GETCAR:
return (ENOSYS);
break;
case A_GETSTAT:
return (ENOSYS);
break;
case A_SETSTAT:
return (ENOSYS);
break;
case A_SETUMASK:
return (ENOSYS);
break;
case A_SETSMASK:
return (ENOSYS);
break;
case A_GETCOND:
if (audit_enabled && !audit_suspended)
udata.au_cond = AUC_AUDITING;
else
udata.au_cond = AUC_NOAUDIT;
break;
case A_SETCOND:
Merge Perforce change 93581 from TrustedBSD audit3 branch: Mega-style patch. Obtained from: TrustedBSD Project
2006-03-19 17:34:00 +00:00
if (udata.au_cond == AUC_NOAUDIT)
Import kernel audit framework: - Management of audit state on processes. - Audit system calls to configure process and system audit state. - Reliable audit record queue implementation, audit_worker kernel thread to asynchronously store records on disk. - Audit event argument. - Internal audit data structure -> BSM audit trail conversion library. - Audit event pre-selection. - Audit pseudo-device permitting kernel->user upcalls to notify auditd of kernel audit events. Much work by: wsalamon Obtained from: TrustedBSD Project, Apple Computer, Inc.
2006-02-01 20:01:18 +00:00
audit_suspended = 1;
Merge Perforce change 93581 from TrustedBSD audit3 branch: Mega-style patch. Obtained from: TrustedBSD Project
2006-03-19 17:34:00 +00:00
if (udata.au_cond == AUC_AUDITING)
Import kernel audit framework: - Management of audit state on processes. - Audit system calls to configure process and system audit state. - Reliable audit record queue implementation, audit_worker kernel thread to asynchronously store records on disk. - Audit event argument. - Internal audit data structure -> BSM audit trail conversion library. - Audit event pre-selection. - Audit pseudo-device permitting kernel->user upcalls to notify auditd of kernel audit events. Much work by: wsalamon Obtained from: TrustedBSD Project, Apple Computer, Inc.
2006-02-01 20:01:18 +00:00
audit_suspended = 0;
if (udata.au_cond == AUC_DISABLED) {
audit_suspended = 1;
audit_shutdown(NULL, 0);
}
break;
case A_GETCLASS:
Merge Perforce change 93581 from TrustedBSD audit3 branch: Mega-style patch. Obtained from: TrustedBSD Project
2006-03-19 17:34:00 +00:00
udata.au_evclass.ec_class = au_event_class(
udata.au_evclass.ec_number);
Import kernel audit framework: - Management of audit state on processes. - Audit system calls to configure process and system audit state. - Reliable audit record queue implementation, audit_worker kernel thread to asynchronously store records on disk. - Audit event argument. - Internal audit data structure -> BSM audit trail conversion library. - Audit event pre-selection. - Audit pseudo-device permitting kernel->user upcalls to notify auditd of kernel audit events. Much work by: wsalamon Obtained from: TrustedBSD Project, Apple Computer, Inc.
2006-02-01 20:01:18 +00:00
break;
case A_SETCLASS:
au_evclassmap_insert(udata.au_evclass.ec_number,
Merge Perforce change 93581 from TrustedBSD audit3 branch: Mega-style patch. Obtained from: TrustedBSD Project
2006-03-19 17:34:00 +00:00
udata.au_evclass.ec_class);
Import kernel audit framework: - Management of audit state on processes. - Audit system calls to configure process and system audit state. - Reliable audit record queue implementation, audit_worker kernel thread to asynchronously store records on disk. - Audit event argument. - Internal audit data structure -> BSM audit trail conversion library. - Audit event pre-selection. - Audit pseudo-device permitting kernel->user upcalls to notify auditd of kernel audit events. Much work by: wsalamon Obtained from: TrustedBSD Project, Apple Computer, Inc.
2006-02-01 20:01:18 +00:00
break;
case A_GETPINFO:
Merge Perforce change 93581 from TrustedBSD audit3 branch: Mega-style patch. Obtained from: TrustedBSD Project
2006-03-19 17:34:00 +00:00
if (udata.au_aupinfo.ap_pid < 1)
Import kernel audit framework: - Management of audit state on processes. - Audit system calls to configure process and system audit state. - Reliable audit record queue implementation, audit_worker kernel thread to asynchronously store records on disk. - Audit event argument. - Internal audit data structure -> BSM audit trail conversion library. - Audit event pre-selection. - Audit pseudo-device permitting kernel->user upcalls to notify auditd of kernel audit events. Much work by: wsalamon Obtained from: TrustedBSD Project, Apple Computer, Inc.
2006-02-01 20:01:18 +00:00
return (EINVAL);
if ((tp = pfind(udata.au_aupinfo.ap_pid)) == NULL)
return (EINVAL);
Use p_cansee() to check that a target process for an audit state manipulation is visible to the subject process. Remove XXX comments suggesting this. Convert one XXX on a difference from Darwin into a note: it's not a bug, it's a feature. Obtained from: TrustedBSD Project
2006-12-29 10:49:13 +00:00
if (p_cansee(td, tp) != 0) {
PROC_UNLOCK(tp);
return (EINVAL);
}
Move per-process audit state from a pointer in the proc structure to embedded storage in struct ucred. This allows audit state to be cached with the thread, avoiding locking operations with each system call, and makes it available in asynchronous execution contexts, such as deep in the network stack or VFS. Reviewed by: csjp Approved by: re (kensmith) Obtained from: TrustedBSD Project
2007-06-07 22:27:15 +00:00
if (tp->p_ucred->cr_audit.ai_termid.at_type == AU_IPv6) {
Fix the handling of IPv6 addresses for subject and process BSM audit tokens. Currently, we do not support the set{get}audit_addr(2) system calls which allows processes like sshd to set extended or ip6 information for subject tokens. The approach that was taken was to change the process audit state slightly to use an extended terminal ID in the kernel. This allows us to store both IPv4 IPv6 addresses. In the case that an IPv4 address is in use, we convert the terminal ID from an struct auditinfo_addr to a struct auditinfo. If getaudit(2) is called when the subject is bound to an ip6 address, we return E2BIG. - Change the internal audit record to store an extended terminal ID - Introduce ARG_TERMID_ADDR - Change the kaudit <-> BSM conversion process so that we are using the appropriate subject token. If the address associated with the subject is IPv4, we use the standard subject32 token. If the subject has an IPv6 address associated with them, we use an extended subject32 token. - Fix a couple of endian issues where we do a couple of byte swaps when we shouldn't be. IP addresses are already in the correct byte order, so reading the ip6 address 4 bytes at a time and swapping them results in in-correct address data. It should be noted that the same issue was found in the openbsm library and it has been changed there too on the vendor branch - Change A_GETPINFO to use the appropriate structures - Implement A_GETPINFO_ADDR which basically does what A_GETPINFO does, but can also handle ip6 addresses - Adjust get{set}audit(2) syscalls to convert the data auditinfo <-> auditinfo_addr - Fully implement set{get}audit_addr(2) NOTE: This adds the ability for processes to correctly set extended subject information. The appropriate userspace utilities still need to be updated. MFC after: 1 month Reviewed by: rwatson Obtained from: TrustedBSD
2007-04-13 14:55:19 +00:00
PROC_UNLOCK(tp);
return (EINVAL);
}
Move per-process audit state from a pointer in the proc structure to embedded storage in struct ucred. This allows audit state to be cached with the thread, avoiding locking operations with each system call, and makes it available in asynchronous execution contexts, such as deep in the network stack or VFS. Reviewed by: csjp Approved by: re (kensmith) Obtained from: TrustedBSD Project
2007-06-07 22:27:15 +00:00
udata.au_aupinfo.ap_auid =
tp->p_ucred->cr_audit.ai_auid;
Merge Perforce change 93581 from TrustedBSD audit3 branch: Mega-style patch. Obtained from: TrustedBSD Project
2006-03-19 17:34:00 +00:00
udata.au_aupinfo.ap_mask.am_success =
Move per-process audit state from a pointer in the proc structure to embedded storage in struct ucred. This allows audit state to be cached with the thread, avoiding locking operations with each system call, and makes it available in asynchronous execution contexts, such as deep in the network stack or VFS. Reviewed by: csjp Approved by: re (kensmith) Obtained from: TrustedBSD Project
2007-06-07 22:27:15 +00:00
tp->p_ucred->cr_audit.ai_mask.am_success;
Merge Perforce change 93581 from TrustedBSD audit3 branch: Mega-style patch. Obtained from: TrustedBSD Project
2006-03-19 17:34:00 +00:00
udata.au_aupinfo.ap_mask.am_failure =
Move per-process audit state from a pointer in the proc structure to embedded storage in struct ucred. This allows audit state to be cached with the thread, avoiding locking operations with each system call, and makes it available in asynchronous execution contexts, such as deep in the network stack or VFS. Reviewed by: csjp Approved by: re (kensmith) Obtained from: TrustedBSD Project
2007-06-07 22:27:15 +00:00
tp->p_ucred->cr_audit.ai_mask.am_failure;
Merge Perforce change 93581 from TrustedBSD audit3 branch: Mega-style patch. Obtained from: TrustedBSD Project
2006-03-19 17:34:00 +00:00
udata.au_aupinfo.ap_termid.machine =
Move per-process audit state from a pointer in the proc structure to embedded storage in struct ucred. This allows audit state to be cached with the thread, avoiding locking operations with each system call, and makes it available in asynchronous execution contexts, such as deep in the network stack or VFS. Reviewed by: csjp Approved by: re (kensmith) Obtained from: TrustedBSD Project
2007-06-07 22:27:15 +00:00
tp->p_ucred->cr_audit.ai_termid.at_addr[0];
Fix the handling of IPv6 addresses for subject and process BSM audit tokens. Currently, we do not support the set{get}audit_addr(2) system calls which allows processes like sshd to set extended or ip6 information for subject tokens. The approach that was taken was to change the process audit state slightly to use an extended terminal ID in the kernel. This allows us to store both IPv4 IPv6 addresses. In the case that an IPv4 address is in use, we convert the terminal ID from an struct auditinfo_addr to a struct auditinfo. If getaudit(2) is called when the subject is bound to an ip6 address, we return E2BIG. - Change the internal audit record to store an extended terminal ID - Introduce ARG_TERMID_ADDR - Change the kaudit <-> BSM conversion process so that we are using the appropriate subject token. If the address associated with the subject is IPv4, we use the standard subject32 token. If the subject has an IPv6 address associated with them, we use an extended subject32 token. - Fix a couple of endian issues where we do a couple of byte swaps when we shouldn't be. IP addresses are already in the correct byte order, so reading the ip6 address 4 bytes at a time and swapping them results in in-correct address data. It should be noted that the same issue was found in the openbsm library and it has been changed there too on the vendor branch - Change A_GETPINFO to use the appropriate structures - Implement A_GETPINFO_ADDR which basically does what A_GETPINFO does, but can also handle ip6 addresses - Adjust get{set}audit(2) syscalls to convert the data auditinfo <-> auditinfo_addr - Fully implement set{get}audit_addr(2) NOTE: This adds the ability for processes to correctly set extended subject information. The appropriate userspace utilities still need to be updated. MFC after: 1 month Reviewed by: rwatson Obtained from: TrustedBSD
2007-04-13 14:55:19 +00:00
udata.au_aupinfo.ap_termid.port =
Move per-process audit state from a pointer in the proc structure to embedded storage in struct ucred. This allows audit state to be cached with the thread, avoiding locking operations with each system call, and makes it available in asynchronous execution contexts, such as deep in the network stack or VFS. Reviewed by: csjp Approved by: re (kensmith) Obtained from: TrustedBSD Project
2007-06-07 22:27:15 +00:00
(dev_t)tp->p_ucred->cr_audit.ai_termid.at_port;
udata.au_aupinfo.ap_asid =
tp->p_ucred->cr_audit.ai_asid;
Import kernel audit framework: - Management of audit state on processes. - Audit system calls to configure process and system audit state. - Reliable audit record queue implementation, audit_worker kernel thread to asynchronously store records on disk. - Audit event argument. - Internal audit data structure -> BSM audit trail conversion library. - Audit event pre-selection. - Audit pseudo-device permitting kernel->user upcalls to notify auditd of kernel audit events. Much work by: wsalamon Obtained from: TrustedBSD Project, Apple Computer, Inc.
2006-02-01 20:01:18 +00:00
PROC_UNLOCK(tp);
break;
case A_SETPMASK:
Merge Perforce change 93581 from TrustedBSD audit3 branch: Mega-style patch. Obtained from: TrustedBSD Project
2006-03-19 17:34:00 +00:00
if (udata.au_aupinfo.ap_pid < 1)
Import kernel audit framework: - Management of audit state on processes. - Audit system calls to configure process and system audit state. - Reliable audit record queue implementation, audit_worker kernel thread to asynchronously store records on disk. - Audit event argument. - Internal audit data structure -> BSM audit trail conversion library. - Audit event pre-selection. - Audit pseudo-device permitting kernel->user upcalls to notify auditd of kernel audit events. Much work by: wsalamon Obtained from: TrustedBSD Project, Apple Computer, Inc.
2006-02-01 20:01:18 +00:00
return (EINVAL);
Move per-process audit state from a pointer in the proc structure to embedded storage in struct ucred. This allows audit state to be cached with the thread, avoiding locking operations with each system call, and makes it available in asynchronous execution contexts, such as deep in the network stack or VFS. Reviewed by: csjp Approved by: re (kensmith) Obtained from: TrustedBSD Project
2007-06-07 22:27:15 +00:00
newcred = crget();
if ((tp = pfind(udata.au_aupinfo.ap_pid)) == NULL) {
crfree(newcred);
Import kernel audit framework: - Management of audit state on processes. - Audit system calls to configure process and system audit state. - Reliable audit record queue implementation, audit_worker kernel thread to asynchronously store records on disk. - Audit event argument. - Internal audit data structure -> BSM audit trail conversion library. - Audit event pre-selection. - Audit pseudo-device permitting kernel->user upcalls to notify auditd of kernel audit events. Much work by: wsalamon Obtained from: TrustedBSD Project, Apple Computer, Inc.
2006-02-01 20:01:18 +00:00
return (EINVAL);
Move per-process audit state from a pointer in the proc structure to embedded storage in struct ucred. This allows audit state to be cached with the thread, avoiding locking operations with each system call, and makes it available in asynchronous execution contexts, such as deep in the network stack or VFS. Reviewed by: csjp Approved by: re (kensmith) Obtained from: TrustedBSD Project
2007-06-07 22:27:15 +00:00
}
Use p_cansee() to check that a target process for an audit state manipulation is visible to the subject process. Remove XXX comments suggesting this. Convert one XXX on a difference from Darwin into a note: it's not a bug, it's a feature. Obtained from: TrustedBSD Project
2006-12-29 10:49:13 +00:00
if (p_cansee(td, tp) != 0) {
PROC_UNLOCK(tp);
Move per-process audit state from a pointer in the proc structure to embedded storage in struct ucred. This allows audit state to be cached with the thread, avoiding locking operations with each system call, and makes it available in asynchronous execution contexts, such as deep in the network stack or VFS. Reviewed by: csjp Approved by: re (kensmith) Obtained from: TrustedBSD Project
2007-06-07 22:27:15 +00:00
crfree(newcred);
Use p_cansee() to check that a target process for an audit state manipulation is visible to the subject process. Remove XXX comments suggesting this. Convert one XXX on a difference from Darwin into a note: it's not a bug, it's a feature. Obtained from: TrustedBSD Project
2006-12-29 10:49:13 +00:00
return (EINVAL);
}
Move per-process audit state from a pointer in the proc structure to embedded storage in struct ucred. This allows audit state to be cached with the thread, avoiding locking operations with each system call, and makes it available in asynchronous execution contexts, such as deep in the network stack or VFS. Reviewed by: csjp Approved by: re (kensmith) Obtained from: TrustedBSD Project
2007-06-07 22:27:15 +00:00
oldcred = tp->p_ucred;
crcopy(newcred, oldcred);
newcred->cr_audit.ai_mask.am_success =
Merge Perforce change 93581 from TrustedBSD audit3 branch: Mega-style patch. Obtained from: TrustedBSD Project
2006-03-19 17:34:00 +00:00
udata.au_aupinfo.ap_mask.am_success;
Move per-process audit state from a pointer in the proc structure to embedded storage in struct ucred. This allows audit state to be cached with the thread, avoiding locking operations with each system call, and makes it available in asynchronous execution contexts, such as deep in the network stack or VFS. Reviewed by: csjp Approved by: re (kensmith) Obtained from: TrustedBSD Project
2007-06-07 22:27:15 +00:00
newcred->cr_audit.ai_mask.am_failure =
Merge Perforce change 93581 from TrustedBSD audit3 branch: Mega-style patch. Obtained from: TrustedBSD Project
2006-03-19 17:34:00 +00:00
udata.au_aupinfo.ap_mask.am_failure;
Move per-process audit state from a pointer in the proc structure to embedded storage in struct ucred. This allows audit state to be cached with the thread, avoiding locking operations with each system call, and makes it available in asynchronous execution contexts, such as deep in the network stack or VFS. Reviewed by: csjp Approved by: re (kensmith) Obtained from: TrustedBSD Project
2007-06-07 22:27:15 +00:00
td->td_proc->p_ucred = newcred;
Import kernel audit framework: - Management of audit state on processes. - Audit system calls to configure process and system audit state. - Reliable audit record queue implementation, audit_worker kernel thread to asynchronously store records on disk. - Audit event argument. - Internal audit data structure -> BSM audit trail conversion library. - Audit event pre-selection. - Audit pseudo-device permitting kernel->user upcalls to notify auditd of kernel audit events. Much work by: wsalamon Obtained from: TrustedBSD Project, Apple Computer, Inc.
2006-02-01 20:01:18 +00:00
PROC_UNLOCK(tp);
Move per-process audit state from a pointer in the proc structure to embedded storage in struct ucred. This allows audit state to be cached with the thread, avoiding locking operations with each system call, and makes it available in asynchronous execution contexts, such as deep in the network stack or VFS. Reviewed by: csjp Approved by: re (kensmith) Obtained from: TrustedBSD Project
2007-06-07 22:27:15 +00:00
crfree(oldcred);
Import kernel audit framework: - Management of audit state on processes. - Audit system calls to configure process and system audit state. - Reliable audit record queue implementation, audit_worker kernel thread to asynchronously store records on disk. - Audit event argument. - Internal audit data structure -> BSM audit trail conversion library. - Audit event pre-selection. - Audit pseudo-device permitting kernel->user upcalls to notify auditd of kernel audit events. Much work by: wsalamon Obtained from: TrustedBSD Project, Apple Computer, Inc.
2006-02-01 20:01:18 +00:00
break;
case A_SETFSIZE:
if ((udata.au_fstat.af_filesz != 0) &&
(udata.au_fstat.af_filesz < MIN_AUDIT_FILE_SIZE))
return (EINVAL);
audit_fstat.af_filesz = udata.au_fstat.af_filesz;
break;
case A_GETFSIZE:
udata.au_fstat.af_filesz = audit_fstat.af_filesz;
udata.au_fstat.af_currsz = audit_fstat.af_currsz;
break;
case A_GETPINFO_ADDR:
Fix the handling of IPv6 addresses for subject and process BSM audit tokens. Currently, we do not support the set{get}audit_addr(2) system calls which allows processes like sshd to set extended or ip6 information for subject tokens. The approach that was taken was to change the process audit state slightly to use an extended terminal ID in the kernel. This allows us to store both IPv4 IPv6 addresses. In the case that an IPv4 address is in use, we convert the terminal ID from an struct auditinfo_addr to a struct auditinfo. If getaudit(2) is called when the subject is bound to an ip6 address, we return E2BIG. - Change the internal audit record to store an extended terminal ID - Introduce ARG_TERMID_ADDR - Change the kaudit <-> BSM conversion process so that we are using the appropriate subject token. If the address associated with the subject is IPv4, we use the standard subject32 token. If the subject has an IPv6 address associated with them, we use an extended subject32 token. - Fix a couple of endian issues where we do a couple of byte swaps when we shouldn't be. IP addresses are already in the correct byte order, so reading the ip6 address 4 bytes at a time and swapping them results in in-correct address data. It should be noted that the same issue was found in the openbsm library and it has been changed there too on the vendor branch - Change A_GETPINFO to use the appropriate structures - Implement A_GETPINFO_ADDR which basically does what A_GETPINFO does, but can also handle ip6 addresses - Adjust get{set}audit(2) syscalls to convert the data auditinfo <-> auditinfo_addr - Fully implement set{get}audit_addr(2) NOTE: This adds the ability for processes to correctly set extended subject information. The appropriate userspace utilities still need to be updated. MFC after: 1 month Reviewed by: rwatson Obtained from: TrustedBSD
2007-04-13 14:55:19 +00:00
if (udata.au_aupinfo_addr.ap_pid < 1)
return (EINVAL);
if ((tp = pfind(udata.au_aupinfo_addr.ap_pid)) == NULL)
return (EINVAL);
Move per-process audit state from a pointer in the proc structure to embedded storage in struct ucred. This allows audit state to be cached with the thread, avoiding locking operations with each system call, and makes it available in asynchronous execution contexts, such as deep in the network stack or VFS. Reviewed by: csjp Approved by: re (kensmith) Obtained from: TrustedBSD Project
2007-06-07 22:27:15 +00:00
udata.au_aupinfo_addr.ap_auid =
tp->p_ucred->cr_audit.ai_auid;
Fix the handling of IPv6 addresses for subject and process BSM audit tokens. Currently, we do not support the set{get}audit_addr(2) system calls which allows processes like sshd to set extended or ip6 information for subject tokens. The approach that was taken was to change the process audit state slightly to use an extended terminal ID in the kernel. This allows us to store both IPv4 IPv6 addresses. In the case that an IPv4 address is in use, we convert the terminal ID from an struct auditinfo_addr to a struct auditinfo. If getaudit(2) is called when the subject is bound to an ip6 address, we return E2BIG. - Change the internal audit record to store an extended terminal ID - Introduce ARG_TERMID_ADDR - Change the kaudit <-> BSM conversion process so that we are using the appropriate subject token. If the address associated with the subject is IPv4, we use the standard subject32 token. If the subject has an IPv6 address associated with them, we use an extended subject32 token. - Fix a couple of endian issues where we do a couple of byte swaps when we shouldn't be. IP addresses are already in the correct byte order, so reading the ip6 address 4 bytes at a time and swapping them results in in-correct address data. It should be noted that the same issue was found in the openbsm library and it has been changed there too on the vendor branch - Change A_GETPINFO to use the appropriate structures - Implement A_GETPINFO_ADDR which basically does what A_GETPINFO does, but can also handle ip6 addresses - Adjust get{set}audit(2) syscalls to convert the data auditinfo <-> auditinfo_addr - Fully implement set{get}audit_addr(2) NOTE: This adds the ability for processes to correctly set extended subject information. The appropriate userspace utilities still need to be updated. MFC after: 1 month Reviewed by: rwatson Obtained from: TrustedBSD
2007-04-13 14:55:19 +00:00
udata.au_aupinfo_addr.ap_mask.am_success =
Move per-process audit state from a pointer in the proc structure to embedded storage in struct ucred. This allows audit state to be cached with the thread, avoiding locking operations with each system call, and makes it available in asynchronous execution contexts, such as deep in the network stack or VFS. Reviewed by: csjp Approved by: re (kensmith) Obtained from: TrustedBSD Project
2007-06-07 22:27:15 +00:00
tp->p_ucred->cr_audit.ai_mask.am_success;
Fix the handling of IPv6 addresses for subject and process BSM audit tokens. Currently, we do not support the set{get}audit_addr(2) system calls which allows processes like sshd to set extended or ip6 information for subject tokens. The approach that was taken was to change the process audit state slightly to use an extended terminal ID in the kernel. This allows us to store both IPv4 IPv6 addresses. In the case that an IPv4 address is in use, we convert the terminal ID from an struct auditinfo_addr to a struct auditinfo. If getaudit(2) is called when the subject is bound to an ip6 address, we return E2BIG. - Change the internal audit record to store an extended terminal ID - Introduce ARG_TERMID_ADDR - Change the kaudit <-> BSM conversion process so that we are using the appropriate subject token. If the address associated with the subject is IPv4, we use the standard subject32 token. If the subject has an IPv6 address associated with them, we use an extended subject32 token. - Fix a couple of endian issues where we do a couple of byte swaps when we shouldn't be. IP addresses are already in the correct byte order, so reading the ip6 address 4 bytes at a time and swapping them results in in-correct address data. It should be noted that the same issue was found in the openbsm library and it has been changed there too on the vendor branch - Change A_GETPINFO to use the appropriate structures - Implement A_GETPINFO_ADDR which basically does what A_GETPINFO does, but can also handle ip6 addresses - Adjust get{set}audit(2) syscalls to convert the data auditinfo <-> auditinfo_addr - Fully implement set{get}audit_addr(2) NOTE: This adds the ability for processes to correctly set extended subject information. The appropriate userspace utilities still need to be updated. MFC after: 1 month Reviewed by: rwatson Obtained from: TrustedBSD
2007-04-13 14:55:19 +00:00
udata.au_aupinfo_addr.ap_mask.am_failure =
Move per-process audit state from a pointer in the proc structure to embedded storage in struct ucred. This allows audit state to be cached with the thread, avoiding locking operations with each system call, and makes it available in asynchronous execution contexts, such as deep in the network stack or VFS. Reviewed by: csjp Approved by: re (kensmith) Obtained from: TrustedBSD Project
2007-06-07 22:27:15 +00:00
tp->p_ucred->cr_audit.ai_mask.am_failure;
udata.au_aupinfo_addr.ap_termid =
tp->p_ucred->cr_audit.ai_termid;
udata.au_aupinfo_addr.ap_asid =
tp->p_ucred->cr_audit.ai_asid;
Fix the handling of IPv6 addresses for subject and process BSM audit tokens. Currently, we do not support the set{get}audit_addr(2) system calls which allows processes like sshd to set extended or ip6 information for subject tokens. The approach that was taken was to change the process audit state slightly to use an extended terminal ID in the kernel. This allows us to store both IPv4 IPv6 addresses. In the case that an IPv4 address is in use, we convert the terminal ID from an struct auditinfo_addr to a struct auditinfo. If getaudit(2) is called when the subject is bound to an ip6 address, we return E2BIG. - Change the internal audit record to store an extended terminal ID - Introduce ARG_TERMID_ADDR - Change the kaudit <-> BSM conversion process so that we are using the appropriate subject token. If the address associated with the subject is IPv4, we use the standard subject32 token. If the subject has an IPv6 address associated with them, we use an extended subject32 token. - Fix a couple of endian issues where we do a couple of byte swaps when we shouldn't be. IP addresses are already in the correct byte order, so reading the ip6 address 4 bytes at a time and swapping them results in in-correct address data. It should be noted that the same issue was found in the openbsm library and it has been changed there too on the vendor branch - Change A_GETPINFO to use the appropriate structures - Implement A_GETPINFO_ADDR which basically does what A_GETPINFO does, but can also handle ip6 addresses - Adjust get{set}audit(2) syscalls to convert the data auditinfo <-> auditinfo_addr - Fully implement set{get}audit_addr(2) NOTE: This adds the ability for processes to correctly set extended subject information. The appropriate userspace utilities still need to be updated. MFC after: 1 month Reviewed by: rwatson Obtained from: TrustedBSD
2007-04-13 14:55:19 +00:00
PROC_UNLOCK(tp);
Import kernel audit framework: - Management of audit state on processes. - Audit system calls to configure process and system audit state. - Reliable audit record queue implementation, audit_worker kernel thread to asynchronously store records on disk. - Audit event argument. - Internal audit data structure -> BSM audit trail conversion library. - Audit event pre-selection. - Audit pseudo-device permitting kernel->user upcalls to notify auditd of kernel audit events. Much work by: wsalamon Obtained from: TrustedBSD Project, Apple Computer, Inc.
2006-02-01 20:01:18 +00:00
break;
case A_GETKAUDIT:
return (ENOSYS);
break;
case A_SETKAUDIT:
return (ENOSYS);
break;
case A_SENDTRIGGER:
if ((udata.au_trigger < AUDIT_TRIGGER_MIN) ||
(udata.au_trigger > AUDIT_TRIGGER_MAX))
return (EINVAL);
Merge perforce change 93199: Change send_trigger() prototype to return an int, so that user space callers can tell if the message was successfully placed in the trigger queue. This isn't quite the same as it being successfully received, but is close enough that we can generate a more useful warning message in audit(8). Obtained from: TrustedBSD Project
2006-03-18 18:31:24 +00:00
return (send_trigger(udata.au_trigger));
Import kernel audit framework: - Management of audit state on processes. - Audit system calls to configure process and system audit state. - Reliable audit record queue implementation, audit_worker kernel thread to asynchronously store records on disk. - Audit event argument. - Internal audit data structure -> BSM audit trail conversion library. - Audit event pre-selection. - Audit pseudo-device permitting kernel->user upcalls to notify auditd of kernel audit events. Much work by: wsalamon Obtained from: TrustedBSD Project, Apple Computer, Inc.
2006-02-01 20:01:18 +00:00
}
Merge Perforce change 93581 from TrustedBSD audit3 branch: Mega-style patch. Obtained from: TrustedBSD Project
2006-03-19 17:34:00 +00:00
/*
* Copy data back to userspace for the GET comands.
*/
Import kernel audit framework: - Management of audit state on processes. - Audit system calls to configure process and system audit state. - Reliable audit record queue implementation, audit_worker kernel thread to asynchronously store records on disk. - Audit event argument. - Internal audit data structure -> BSM audit trail conversion library. - Audit event pre-selection. - Audit pseudo-device permitting kernel->user upcalls to notify auditd of kernel audit events. Much work by: wsalamon Obtained from: TrustedBSD Project, Apple Computer, Inc.
2006-02-01 20:01:18 +00:00
switch (uap->cmd) {
case A_GETPOLICY:
case A_GETKMASK:
case A_GETQCTRL:
case A_GETCWD:
case A_GETCAR:
case A_GETSTAT:
case A_GETCOND:
case A_GETCLASS:
case A_GETPINFO:
case A_GETFSIZE:
case A_GETPINFO_ADDR:
case A_GETKAUDIT:
error = copyout((void *)&udata, uap->data, uap->length);
if (error)
return (error);
break;
}
return (0);
}
Merge Perforce change 93581 from TrustedBSD audit3 branch: Mega-style patch. Obtained from: TrustedBSD Project
2006-03-19 17:34:00 +00:00
/*
Import kernel audit framework: - Management of audit state on processes. - Audit system calls to configure process and system audit state. - Reliable audit record queue implementation, audit_worker kernel thread to asynchronously store records on disk. - Audit event argument. - Internal audit data structure -> BSM audit trail conversion library. - Audit event pre-selection. - Audit pseudo-device permitting kernel->user upcalls to notify auditd of kernel audit events. Much work by: wsalamon Obtained from: TrustedBSD Project, Apple Computer, Inc.
2006-02-01 20:01:18 +00:00
* System calls to manage the user audit information.
*/
/* ARGSUSED */
int
getauid(struct thread *td, struct getauid_args *uap)
{
int error;
Mark the audit system calls as being un-implemented in jails. Currently we do not trust jails enough to execute audit related system calls. An example of this is with su(1), or login(1) within prisons. So, if the syscall request comes from a jail return ENOSYS. This will cause these utilities to operate as if audit is not present in the kernel. Looking forward, this problem will be remedied by allowing non privileged users to maintain and their own audit streams, but the details on exactly how this will be implemented needs to be worked out. This change should fix situations when options AUDIT has been compiled into the kernel, and utilities like su(1), or login(1) fail due to audit system call failures within jails. This is a RELENG_6 candidate. Reported by: Christian Brueffer Discussed with: rwatson MFC after: 3 days
2006-10-10 15:49:10 +00:00
if (jailed(td->td_ucred))
return (ENOSYS);
Sweep kernel replacing suser(9) calls with priv(9) calls, assigning specific privilege names to a broad range of privileges. These may require some future tweaking. Sponsored by: nCircle Network Security, Inc. Obtained from: TrustedBSD Project Discussed on: arch@ Reviewed (at least in part) by: mlaier, jmg, pjd, bde, ceri, Alex Lyashkov <umka at sevcity dot net>, Skip Ford <skip dot ford at verizon dot net>, Antoine Brodin <antoine dot brodin at laposte dot net>
2006-11-06 13:42:10 +00:00
error = priv_check(td, PRIV_AUDIT_GETAUDIT);
Import kernel audit framework: - Management of audit state on processes. - Audit system calls to configure process and system audit state. - Reliable audit record queue implementation, audit_worker kernel thread to asynchronously store records on disk. - Audit event argument. - Internal audit data structure -> BSM audit trail conversion library. - Audit event pre-selection. - Audit pseudo-device permitting kernel->user upcalls to notify auditd of kernel audit events. Much work by: wsalamon Obtained from: TrustedBSD Project, Apple Computer, Inc.
2006-02-01 20:01:18 +00:00
if (error)
return (error);
Move per-process audit state from a pointer in the proc structure to embedded storage in struct ucred. This allows audit state to be cached with the thread, avoiding locking operations with each system call, and makes it available in asynchronous execution contexts, such as deep in the network stack or VFS. Reviewed by: csjp Approved by: re (kensmith) Obtained from: TrustedBSD Project
2007-06-07 22:27:15 +00:00
return (copyout(&td->td_ucred->cr_audit.ai_auid, uap->auid,
sizeof(td->td_ucred->cr_audit.ai_auid)));
Import kernel audit framework: - Management of audit state on processes. - Audit system calls to configure process and system audit state. - Reliable audit record queue implementation, audit_worker kernel thread to asynchronously store records on disk. - Audit event argument. - Internal audit data structure -> BSM audit trail conversion library. - Audit event pre-selection. - Audit pseudo-device permitting kernel->user upcalls to notify auditd of kernel audit events. Much work by: wsalamon Obtained from: TrustedBSD Project, Apple Computer, Inc.
2006-02-01 20:01:18 +00:00
}
/* ARGSUSED */
int
setauid(struct thread *td, struct setauid_args *uap)
{
Move per-process audit state from a pointer in the proc structure to embedded storage in struct ucred. This allows audit state to be cached with the thread, avoiding locking operations with each system call, and makes it available in asynchronous execution contexts, such as deep in the network stack or VFS. Reviewed by: csjp Approved by: re (kensmith) Obtained from: TrustedBSD Project
2007-06-07 22:27:15 +00:00
struct ucred *newcred, *oldcred;
Import kernel audit framework: - Management of audit state on processes. - Audit system calls to configure process and system audit state. - Reliable audit record queue implementation, audit_worker kernel thread to asynchronously store records on disk. - Audit event argument. - Internal audit data structure -> BSM audit trail conversion library. - Audit event pre-selection. - Audit pseudo-device permitting kernel->user upcalls to notify auditd of kernel audit events. Much work by: wsalamon Obtained from: TrustedBSD Project, Apple Computer, Inc.
2006-02-01 20:01:18 +00:00
au_id_t id;
Move per-process audit state from a pointer in the proc structure to embedded storage in struct ucred. This allows audit state to be cached with the thread, avoiding locking operations with each system call, and makes it available in asynchronous execution contexts, such as deep in the network stack or VFS. Reviewed by: csjp Approved by: re (kensmith) Obtained from: TrustedBSD Project
2007-06-07 22:27:15 +00:00
int error;
Import kernel audit framework: - Management of audit state on processes. - Audit system calls to configure process and system audit state. - Reliable audit record queue implementation, audit_worker kernel thread to asynchronously store records on disk. - Audit event argument. - Internal audit data structure -> BSM audit trail conversion library. - Audit event pre-selection. - Audit pseudo-device permitting kernel->user upcalls to notify auditd of kernel audit events. Much work by: wsalamon Obtained from: TrustedBSD Project, Apple Computer, Inc.
2006-02-01 20:01:18 +00:00
Mark the audit system calls as being un-implemented in jails. Currently we do not trust jails enough to execute audit related system calls. An example of this is with su(1), or login(1) within prisons. So, if the syscall request comes from a jail return ENOSYS. This will cause these utilities to operate as if audit is not present in the kernel. Looking forward, this problem will be remedied by allowing non privileged users to maintain and their own audit streams, but the details on exactly how this will be implemented needs to be worked out. This change should fix situations when options AUDIT has been compiled into the kernel, and utilities like su(1), or login(1) fail due to audit system call failures within jails. This is a RELENG_6 candidate. Reported by: Christian Brueffer Discussed with: rwatson MFC after: 3 days
2006-10-10 15:49:10 +00:00
if (jailed(td->td_ucred))
return (ENOSYS);
Import kernel audit framework: - Management of audit state on processes. - Audit system calls to configure process and system audit state. - Reliable audit record queue implementation, audit_worker kernel thread to asynchronously store records on disk. - Audit event argument. - Internal audit data structure -> BSM audit trail conversion library. - Audit event pre-selection. - Audit pseudo-device permitting kernel->user upcalls to notify auditd of kernel audit events. Much work by: wsalamon Obtained from: TrustedBSD Project, Apple Computer, Inc.
2006-02-01 20:01:18 +00:00
error = copyin(uap->auid, &id, sizeof(id));
if (error)
return (error);
audit_arg_auid(id);
Move per-process audit state from a pointer in the proc structure to embedded storage in struct ucred. This allows audit state to be cached with the thread, avoiding locking operations with each system call, and makes it available in asynchronous execution contexts, such as deep in the network stack or VFS. Reviewed by: csjp Approved by: re (kensmith) Obtained from: TrustedBSD Project
2007-06-07 22:27:15 +00:00
newcred = crget();
PROC_LOCK(td->td_proc);
oldcred = td->td_proc->p_ucred;
crcopy(newcred, oldcred);
Allow MAC policy modules to control access to audit configuration system calls. Add MAC Framework entry points and MAC policy entry points for audit(), auditctl(), auditon(), setaudit(), aud setauid(). MAC Framework entry points are only added for audit system calls where additional argument context may be useful for policy decision-making; other audit system calls without arguments may be controlled via the priv(9) entry points. Update various policy modules to implement audit-related checks, and in some cases, other missing system-related checks. Obtained from: TrustedBSD Project Sponsored by: SPARTA, Inc.
2007-04-21 22:08:48 +00:00
#ifdef MAC
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
error = mac_proc_check_setauid(oldcred, id);
Allow MAC policy modules to control access to audit configuration system calls. Add MAC Framework entry points and MAC policy entry points for audit(), auditctl(), auditon(), setaudit(), aud setauid(). MAC Framework entry points are only added for audit system calls where additional argument context may be useful for policy decision-making; other audit system calls without arguments may be controlled via the priv(9) entry points. Update various policy modules to implement audit-related checks, and in some cases, other missing system-related checks. Obtained from: TrustedBSD Project Sponsored by: SPARTA, Inc.
2007-04-21 22:08:48 +00:00
if (error)
Move per-process audit state from a pointer in the proc structure to embedded storage in struct ucred. This allows audit state to be cached with the thread, avoiding locking operations with each system call, and makes it available in asynchronous execution contexts, such as deep in the network stack or VFS. Reviewed by: csjp Approved by: re (kensmith) Obtained from: TrustedBSD Project
2007-06-07 22:27:15 +00:00
goto fail;
Allow MAC policy modules to control access to audit configuration system calls. Add MAC Framework entry points and MAC policy entry points for audit(), auditctl(), auditon(), setaudit(), aud setauid(). MAC Framework entry points are only added for audit system calls where additional argument context may be useful for policy decision-making; other audit system calls without arguments may be controlled via the priv(9) entry points. Update various policy modules to implement audit-related checks, and in some cases, other missing system-related checks. Obtained from: TrustedBSD Project Sponsored by: SPARTA, Inc.
2007-04-21 22:08:48 +00:00
#endif
Move per-process audit state from a pointer in the proc structure to embedded storage in struct ucred. This allows audit state to be cached with the thread, avoiding locking operations with each system call, and makes it available in asynchronous execution contexts, such as deep in the network stack or VFS. Reviewed by: csjp Approved by: re (kensmith) Obtained from: TrustedBSD Project
2007-06-07 22:27:15 +00:00
error = priv_check_cred(oldcred, PRIV_AUDIT_SETAUDIT, 0);
if (error)
goto fail;
newcred->cr_audit.ai_auid = id;
td->td_proc->p_ucred = newcred;
Import kernel audit framework: - Management of audit state on processes. - Audit system calls to configure process and system audit state. - Reliable audit record queue implementation, audit_worker kernel thread to asynchronously store records on disk. - Audit event argument. - Internal audit data structure -> BSM audit trail conversion library. - Audit event pre-selection. - Audit pseudo-device permitting kernel->user upcalls to notify auditd of kernel audit events. Much work by: wsalamon Obtained from: TrustedBSD Project, Apple Computer, Inc.
2006-02-01 20:01:18 +00:00
PROC_UNLOCK(td->td_proc);
Move per-process audit state from a pointer in the proc structure to embedded storage in struct ucred. This allows audit state to be cached with the thread, avoiding locking operations with each system call, and makes it available in asynchronous execution contexts, such as deep in the network stack or VFS. Reviewed by: csjp Approved by: re (kensmith) Obtained from: TrustedBSD Project
2007-06-07 22:27:15 +00:00
crfree(oldcred);
Import kernel audit framework: - Management of audit state on processes. - Audit system calls to configure process and system audit state. - Reliable audit record queue implementation, audit_worker kernel thread to asynchronously store records on disk. - Audit event argument. - Internal audit data structure -> BSM audit trail conversion library. - Audit event pre-selection. - Audit pseudo-device permitting kernel->user upcalls to notify auditd of kernel audit events. Much work by: wsalamon Obtained from: TrustedBSD Project, Apple Computer, Inc.
2006-02-01 20:01:18 +00:00
return (0);
Move per-process audit state from a pointer in the proc structure to embedded storage in struct ucred. This allows audit state to be cached with the thread, avoiding locking operations with each system call, and makes it available in asynchronous execution contexts, such as deep in the network stack or VFS. Reviewed by: csjp Approved by: re (kensmith) Obtained from: TrustedBSD Project
2007-06-07 22:27:15 +00:00
fail:
PROC_UNLOCK(td->td_proc);
crfree(newcred);
return (error);
Import kernel audit framework: - Management of audit state on processes. - Audit system calls to configure process and system audit state. - Reliable audit record queue implementation, audit_worker kernel thread to asynchronously store records on disk. - Audit event argument. - Internal audit data structure -> BSM audit trail conversion library. - Audit event pre-selection. - Audit pseudo-device permitting kernel->user upcalls to notify auditd of kernel audit events. Much work by: wsalamon Obtained from: TrustedBSD Project, Apple Computer, Inc.
2006-02-01 20:01:18 +00:00
}
/*
Merge Perforce change 93581 from TrustedBSD audit3 branch: Mega-style patch. Obtained from: TrustedBSD Project
2006-03-19 17:34:00 +00:00
* System calls to get and set process audit information.
Import kernel audit framework: - Management of audit state on processes. - Audit system calls to configure process and system audit state. - Reliable audit record queue implementation, audit_worker kernel thread to asynchronously store records on disk. - Audit event argument. - Internal audit data structure -> BSM audit trail conversion library. - Audit event pre-selection. - Audit pseudo-device permitting kernel->user upcalls to notify auditd of kernel audit events. Much work by: wsalamon Obtained from: TrustedBSD Project, Apple Computer, Inc.
2006-02-01 20:01:18 +00:00
*/
/* ARGSUSED */
int
getaudit(struct thread *td, struct getaudit_args *uap)
{
struct auditinfo ai;
int error;
Mark the audit system calls as being un-implemented in jails. Currently we do not trust jails enough to execute audit related system calls. An example of this is with su(1), or login(1) within prisons. So, if the syscall request comes from a jail return ENOSYS. This will cause these utilities to operate as if audit is not present in the kernel. Looking forward, this problem will be remedied by allowing non privileged users to maintain and their own audit streams, but the details on exactly how this will be implemented needs to be worked out. This change should fix situations when options AUDIT has been compiled into the kernel, and utilities like su(1), or login(1) fail due to audit system call failures within jails. This is a RELENG_6 candidate. Reported by: Christian Brueffer Discussed with: rwatson MFC after: 3 days
2006-10-10 15:49:10 +00:00
if (jailed(td->td_ucred))
return (ENOSYS);
Sweep kernel replacing suser(9) calls with priv(9) calls, assigning specific privilege names to a broad range of privileges. These may require some future tweaking. Sponsored by: nCircle Network Security, Inc. Obtained from: TrustedBSD Project Discussed on: arch@ Reviewed (at least in part) by: mlaier, jmg, pjd, bde, ceri, Alex Lyashkov <umka at sevcity dot net>, Skip Ford <skip dot ford at verizon dot net>, Antoine Brodin <antoine dot brodin at laposte dot net>
2006-11-06 13:42:10 +00:00
error = priv_check(td, PRIV_AUDIT_GETAUDIT);
Import kernel audit framework: - Management of audit state on processes. - Audit system calls to configure process and system audit state. - Reliable audit record queue implementation, audit_worker kernel thread to asynchronously store records on disk. - Audit event argument. - Internal audit data structure -> BSM audit trail conversion library. - Audit event pre-selection. - Audit pseudo-device permitting kernel->user upcalls to notify auditd of kernel audit events. Much work by: wsalamon Obtained from: TrustedBSD Project, Apple Computer, Inc.
2006-02-01 20:01:18 +00:00
if (error)
return (error);
- Add audit_arg_audinfo_addr() for auditing the arguments for setaudit_addr(2) - In audit_bsm.c, make sure all the arguments: ARG_AUID, ARG_ASID, ARG_AMASK, and ARG_TERMID{_ADDR} are valid before auditing their arguments. (This is done for both setaudit and setaudit_addr. - Audit the arguments passed to setaudit_addr(2) - AF_INET6 does not equate to AU_IPv6. Change this in au_to_in_addr_ex() so the audit token is created with the correct type. This fixes the processing of the in_addr_ex token in users pace. - Change the size of the token (as generated by the kernel) from 5*4 bytes to 4*4 bytes (the correct size of an ip6 address) - Correct regression from ucred work which resulted in getaudit() not returning E2BIG if the subject had an ip6 termid - Correct slight regression in getaudit(2) which resulted in the size of a pointer being passed instead of the size of the structure. (This resulted in invalid auditinfo data being returned via getaudit(2)) Reviewed by: rwatson Approved by: re@ (kensmith) Obtained from: TrustedBSD Project MFC after: 1 month
2007-06-27 17:01:15 +00:00
if (td->td_ucred->cr_audit.ai_termid.at_type == AU_IPv6)
return (E2BIG);
Fix the handling of IPv6 addresses for subject and process BSM audit tokens. Currently, we do not support the set{get}audit_addr(2) system calls which allows processes like sshd to set extended or ip6 information for subject tokens. The approach that was taken was to change the process audit state slightly to use an extended terminal ID in the kernel. This allows us to store both IPv4 IPv6 addresses. In the case that an IPv4 address is in use, we convert the terminal ID from an struct auditinfo_addr to a struct auditinfo. If getaudit(2) is called when the subject is bound to an ip6 address, we return E2BIG. - Change the internal audit record to store an extended terminal ID - Introduce ARG_TERMID_ADDR - Change the kaudit <-> BSM conversion process so that we are using the appropriate subject token. If the address associated with the subject is IPv4, we use the standard subject32 token. If the subject has an IPv6 address associated with them, we use an extended subject32 token. - Fix a couple of endian issues where we do a couple of byte swaps when we shouldn't be. IP addresses are already in the correct byte order, so reading the ip6 address 4 bytes at a time and swapping them results in in-correct address data. It should be noted that the same issue was found in the openbsm library and it has been changed there too on the vendor branch - Change A_GETPINFO to use the appropriate structures - Implement A_GETPINFO_ADDR which basically does what A_GETPINFO does, but can also handle ip6 addresses - Adjust get{set}audit(2) syscalls to convert the data auditinfo <-> auditinfo_addr - Fully implement set{get}audit_addr(2) NOTE: This adds the ability for processes to correctly set extended subject information. The appropriate userspace utilities still need to be updated. MFC after: 1 month Reviewed by: rwatson Obtained from: TrustedBSD
2007-04-13 14:55:19 +00:00
bzero(&ai, sizeof(ai));
Move per-process audit state from a pointer in the proc structure to embedded storage in struct ucred. This allows audit state to be cached with the thread, avoiding locking operations with each system call, and makes it available in asynchronous execution contexts, such as deep in the network stack or VFS. Reviewed by: csjp Approved by: re (kensmith) Obtained from: TrustedBSD Project
2007-06-07 22:27:15 +00:00
ai.ai_auid = td->td_ucred->cr_audit.ai_auid;
ai.ai_mask = td->td_ucred->cr_audit.ai_mask;
ai.ai_asid = td->td_ucred->cr_audit.ai_asid;
ai.ai_termid.machine = td->td_ucred->cr_audit.ai_termid.at_addr[0];
ai.ai_termid.port = td->td_ucred->cr_audit.ai_termid.at_port;
- Add audit_arg_audinfo_addr() for auditing the arguments for setaudit_addr(2) - In audit_bsm.c, make sure all the arguments: ARG_AUID, ARG_ASID, ARG_AMASK, and ARG_TERMID{_ADDR} are valid before auditing their arguments. (This is done for both setaudit and setaudit_addr. - Audit the arguments passed to setaudit_addr(2) - AF_INET6 does not equate to AU_IPv6. Change this in au_to_in_addr_ex() so the audit token is created with the correct type. This fixes the processing of the in_addr_ex token in users pace. - Change the size of the token (as generated by the kernel) from 5*4 bytes to 4*4 bytes (the correct size of an ip6 address) - Correct regression from ucred work which resulted in getaudit() not returning E2BIG if the subject had an ip6 termid - Correct slight regression in getaudit(2) which resulted in the size of a pointer being passed instead of the size of the structure. (This resulted in invalid auditinfo data being returned via getaudit(2)) Reviewed by: rwatson Approved by: re@ (kensmith) Obtained from: TrustedBSD Project MFC after: 1 month
2007-06-27 17:01:15 +00:00
return (copyout(&ai, uap->auditinfo, sizeof(ai)));
Import kernel audit framework: - Management of audit state on processes. - Audit system calls to configure process and system audit state. - Reliable audit record queue implementation, audit_worker kernel thread to asynchronously store records on disk. - Audit event argument. - Internal audit data structure -> BSM audit trail conversion library. - Audit event pre-selection. - Audit pseudo-device permitting kernel->user upcalls to notify auditd of kernel audit events. Much work by: wsalamon Obtained from: TrustedBSD Project, Apple Computer, Inc.
2006-02-01 20:01:18 +00:00
}
/* ARGSUSED */
int
setaudit(struct thread *td, struct setaudit_args *uap)
{
Move per-process audit state from a pointer in the proc structure to embedded storage in struct ucred. This allows audit state to be cached with the thread, avoiding locking operations with each system call, and makes it available in asynchronous execution contexts, such as deep in the network stack or VFS. Reviewed by: csjp Approved by: re (kensmith) Obtained from: TrustedBSD Project
2007-06-07 22:27:15 +00:00
struct ucred *newcred, *oldcred;
Import kernel audit framework: - Management of audit state on processes. - Audit system calls to configure process and system audit state. - Reliable audit record queue implementation, audit_worker kernel thread to asynchronously store records on disk. - Audit event argument. - Internal audit data structure -> BSM audit trail conversion library. - Audit event pre-selection. - Audit pseudo-device permitting kernel->user upcalls to notify auditd of kernel audit events. Much work by: wsalamon Obtained from: TrustedBSD Project, Apple Computer, Inc.
2006-02-01 20:01:18 +00:00
struct auditinfo ai;
int error;
Mark the audit system calls as being un-implemented in jails. Currently we do not trust jails enough to execute audit related system calls. An example of this is with su(1), or login(1) within prisons. So, if the syscall request comes from a jail return ENOSYS. This will cause these utilities to operate as if audit is not present in the kernel. Looking forward, this problem will be remedied by allowing non privileged users to maintain and their own audit streams, but the details on exactly how this will be implemented needs to be worked out. This change should fix situations when options AUDIT has been compiled into the kernel, and utilities like su(1), or login(1) fail due to audit system call failures within jails. This is a RELENG_6 candidate. Reported by: Christian Brueffer Discussed with: rwatson MFC after: 3 days
2006-10-10 15:49:10 +00:00
if (jailed(td->td_ucred))
return (ENOSYS);
Import kernel audit framework: - Management of audit state on processes. - Audit system calls to configure process and system audit state. - Reliable audit record queue implementation, audit_worker kernel thread to asynchronously store records on disk. - Audit event argument. - Internal audit data structure -> BSM audit trail conversion library. - Audit event pre-selection. - Audit pseudo-device permitting kernel->user upcalls to notify auditd of kernel audit events. Much work by: wsalamon Obtained from: TrustedBSD Project, Apple Computer, Inc.
2006-02-01 20:01:18 +00:00
error = copyin(uap->auditinfo, &ai, sizeof(ai));
if (error)
return (error);
audit_arg_auditinfo(&ai);
Move per-process audit state from a pointer in the proc structure to embedded storage in struct ucred. This allows audit state to be cached with the thread, avoiding locking operations with each system call, and makes it available in asynchronous execution contexts, such as deep in the network stack or VFS. Reviewed by: csjp Approved by: re (kensmith) Obtained from: TrustedBSD Project
2007-06-07 22:27:15 +00:00
newcred = crget();
PROC_LOCK(td->td_proc);
oldcred = td->td_proc->p_ucred;
crcopy(newcred, oldcred);
Allow MAC policy modules to control access to audit configuration system calls. Add MAC Framework entry points and MAC policy entry points for audit(), auditctl(), auditon(), setaudit(), aud setauid(). MAC Framework entry points are only added for audit system calls where additional argument context may be useful for policy decision-making; other audit system calls without arguments may be controlled via the priv(9) entry points. Update various policy modules to implement audit-related checks, and in some cases, other missing system-related checks. Obtained from: TrustedBSD Project Sponsored by: SPARTA, Inc.
2007-04-21 22:08:48 +00:00
#ifdef MAC
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
error = mac_proc_check_setaudit(oldcred, &ai);
Allow MAC policy modules to control access to audit configuration system calls. Add MAC Framework entry points and MAC policy entry points for audit(), auditctl(), auditon(), setaudit(), aud setauid(). MAC Framework entry points are only added for audit system calls where additional argument context may be useful for policy decision-making; other audit system calls without arguments may be controlled via the priv(9) entry points. Update various policy modules to implement audit-related checks, and in some cases, other missing system-related checks. Obtained from: TrustedBSD Project Sponsored by: SPARTA, Inc.
2007-04-21 22:08:48 +00:00
if (error)
Move per-process audit state from a pointer in the proc structure to embedded storage in struct ucred. This allows audit state to be cached with the thread, avoiding locking operations with each system call, and makes it available in asynchronous execution contexts, such as deep in the network stack or VFS. Reviewed by: csjp Approved by: re (kensmith) Obtained from: TrustedBSD Project
2007-06-07 22:27:15 +00:00
goto fail;
Allow MAC policy modules to control access to audit configuration system calls. Add MAC Framework entry points and MAC policy entry points for audit(), auditctl(), auditon(), setaudit(), aud setauid(). MAC Framework entry points are only added for audit system calls where additional argument context may be useful for policy decision-making; other audit system calls without arguments may be controlled via the priv(9) entry points. Update various policy modules to implement audit-related checks, and in some cases, other missing system-related checks. Obtained from: TrustedBSD Project Sponsored by: SPARTA, Inc.
2007-04-21 22:08:48 +00:00
#endif
Move per-process audit state from a pointer in the proc structure to embedded storage in struct ucred. This allows audit state to be cached with the thread, avoiding locking operations with each system call, and makes it available in asynchronous execution contexts, such as deep in the network stack or VFS. Reviewed by: csjp Approved by: re (kensmith) Obtained from: TrustedBSD Project
2007-06-07 22:27:15 +00:00
error = priv_check_cred(oldcred, PRIV_AUDIT_SETAUDIT, 0);
if (error)
goto fail;
bzero(&newcred->cr_audit, sizeof(newcred->cr_audit));
newcred->cr_audit.ai_auid = ai.ai_auid;
newcred->cr_audit.ai_mask = ai.ai_mask;
newcred->cr_audit.ai_asid = ai.ai_asid;
newcred->cr_audit.ai_termid.at_addr[0] = ai.ai_termid.machine;
newcred->cr_audit.ai_termid.at_port = ai.ai_termid.port;
newcred->cr_audit.ai_termid.at_type = AU_IPv4;
td->td_proc->p_ucred = newcred;
Import kernel audit framework: - Management of audit state on processes. - Audit system calls to configure process and system audit state. - Reliable audit record queue implementation, audit_worker kernel thread to asynchronously store records on disk. - Audit event argument. - Internal audit data structure -> BSM audit trail conversion library. - Audit event pre-selection. - Audit pseudo-device permitting kernel->user upcalls to notify auditd of kernel audit events. Much work by: wsalamon Obtained from: TrustedBSD Project, Apple Computer, Inc.
2006-02-01 20:01:18 +00:00
PROC_UNLOCK(td->td_proc);
Move per-process audit state from a pointer in the proc structure to embedded storage in struct ucred. This allows audit state to be cached with the thread, avoiding locking operations with each system call, and makes it available in asynchronous execution contexts, such as deep in the network stack or VFS. Reviewed by: csjp Approved by: re (kensmith) Obtained from: TrustedBSD Project
2007-06-07 22:27:15 +00:00
crfree(oldcred);
Import kernel audit framework: - Management of audit state on processes. - Audit system calls to configure process and system audit state. - Reliable audit record queue implementation, audit_worker kernel thread to asynchronously store records on disk. - Audit event argument. - Internal audit data structure -> BSM audit trail conversion library. - Audit event pre-selection. - Audit pseudo-device permitting kernel->user upcalls to notify auditd of kernel audit events. Much work by: wsalamon Obtained from: TrustedBSD Project, Apple Computer, Inc.
2006-02-01 20:01:18 +00:00
return (0);
Move per-process audit state from a pointer in the proc structure to embedded storage in struct ucred. This allows audit state to be cached with the thread, avoiding locking operations with each system call, and makes it available in asynchronous execution contexts, such as deep in the network stack or VFS. Reviewed by: csjp Approved by: re (kensmith) Obtained from: TrustedBSD Project
2007-06-07 22:27:15 +00:00
fail:
PROC_UNLOCK(td->td_proc);
crfree(newcred);
return (error);
Import kernel audit framework: - Management of audit state on processes. - Audit system calls to configure process and system audit state. - Reliable audit record queue implementation, audit_worker kernel thread to asynchronously store records on disk. - Audit event argument. - Internal audit data structure -> BSM audit trail conversion library. - Audit event pre-selection. - Audit pseudo-device permitting kernel->user upcalls to notify auditd of kernel audit events. Much work by: wsalamon Obtained from: TrustedBSD Project, Apple Computer, Inc.
2006-02-01 20:01:18 +00:00
}
/* ARGSUSED */
int
getaudit_addr(struct thread *td, struct getaudit_addr_args *uap)
{
int error;
Mark the audit system calls as being un-implemented in jails. Currently we do not trust jails enough to execute audit related system calls. An example of this is with su(1), or login(1) within prisons. So, if the syscall request comes from a jail return ENOSYS. This will cause these utilities to operate as if audit is not present in the kernel. Looking forward, this problem will be remedied by allowing non privileged users to maintain and their own audit streams, but the details on exactly how this will be implemented needs to be worked out. This change should fix situations when options AUDIT has been compiled into the kernel, and utilities like su(1), or login(1) fail due to audit system call failures within jails. This is a RELENG_6 candidate. Reported by: Christian Brueffer Discussed with: rwatson MFC after: 3 days
2006-10-10 15:49:10 +00:00
if (jailed(td->td_ucred))
return (ENOSYS);
Move per-process audit state from a pointer in the proc structure to embedded storage in struct ucred. This allows audit state to be cached with the thread, avoiding locking operations with each system call, and makes it available in asynchronous execution contexts, such as deep in the network stack or VFS. Reviewed by: csjp Approved by: re (kensmith) Obtained from: TrustedBSD Project
2007-06-07 22:27:15 +00:00
if (uap->length < sizeof(*uap->auditinfo_addr))
return (EOVERFLOW);
Sweep kernel replacing suser(9) calls with priv(9) calls, assigning specific privilege names to a broad range of privileges. These may require some future tweaking. Sponsored by: nCircle Network Security, Inc. Obtained from: TrustedBSD Project Discussed on: arch@ Reviewed (at least in part) by: mlaier, jmg, pjd, bde, ceri, Alex Lyashkov <umka at sevcity dot net>, Skip Ford <skip dot ford at verizon dot net>, Antoine Brodin <antoine dot brodin at laposte dot net>
2006-11-06 13:42:10 +00:00
error = priv_check(td, PRIV_AUDIT_GETAUDIT);
Import kernel audit framework: - Management of audit state on processes. - Audit system calls to configure process and system audit state. - Reliable audit record queue implementation, audit_worker kernel thread to asynchronously store records on disk. - Audit event argument. - Internal audit data structure -> BSM audit trail conversion library. - Audit event pre-selection. - Audit pseudo-device permitting kernel->user upcalls to notify auditd of kernel audit events. Much work by: wsalamon Obtained from: TrustedBSD Project, Apple Computer, Inc.
2006-02-01 20:01:18 +00:00
if (error)
return (error);
Move per-process audit state from a pointer in the proc structure to embedded storage in struct ucred. This allows audit state to be cached with the thread, avoiding locking operations with each system call, and makes it available in asynchronous execution contexts, such as deep in the network stack or VFS. Reviewed by: csjp Approved by: re (kensmith) Obtained from: TrustedBSD Project
2007-06-07 22:27:15 +00:00
return (copyout(&td->td_ucred->cr_audit, uap->auditinfo_addr,
sizeof(*uap->auditinfo_addr)));
Import kernel audit framework: - Management of audit state on processes. - Audit system calls to configure process and system audit state. - Reliable audit record queue implementation, audit_worker kernel thread to asynchronously store records on disk. - Audit event argument. - Internal audit data structure -> BSM audit trail conversion library. - Audit event pre-selection. - Audit pseudo-device permitting kernel->user upcalls to notify auditd of kernel audit events. Much work by: wsalamon Obtained from: TrustedBSD Project, Apple Computer, Inc.
2006-02-01 20:01:18 +00:00
}
/* ARGSUSED */
int
setaudit_addr(struct thread *td, struct setaudit_addr_args *uap)
{
Move per-process audit state from a pointer in the proc structure to embedded storage in struct ucred. This allows audit state to be cached with the thread, avoiding locking operations with each system call, and makes it available in asynchronous execution contexts, such as deep in the network stack or VFS. Reviewed by: csjp Approved by: re (kensmith) Obtained from: TrustedBSD Project
2007-06-07 22:27:15 +00:00
struct ucred *newcred, *oldcred;
Fix the handling of IPv6 addresses for subject and process BSM audit tokens. Currently, we do not support the set{get}audit_addr(2) system calls which allows processes like sshd to set extended or ip6 information for subject tokens. The approach that was taken was to change the process audit state slightly to use an extended terminal ID in the kernel. This allows us to store both IPv4 IPv6 addresses. In the case that an IPv4 address is in use, we convert the terminal ID from an struct auditinfo_addr to a struct auditinfo. If getaudit(2) is called when the subject is bound to an ip6 address, we return E2BIG. - Change the internal audit record to store an extended terminal ID - Introduce ARG_TERMID_ADDR - Change the kaudit <-> BSM conversion process so that we are using the appropriate subject token. If the address associated with the subject is IPv4, we use the standard subject32 token. If the subject has an IPv6 address associated with them, we use an extended subject32 token. - Fix a couple of endian issues where we do a couple of byte swaps when we shouldn't be. IP addresses are already in the correct byte order, so reading the ip6 address 4 bytes at a time and swapping them results in in-correct address data. It should be noted that the same issue was found in the openbsm library and it has been changed there too on the vendor branch - Change A_GETPINFO to use the appropriate structures - Implement A_GETPINFO_ADDR which basically does what A_GETPINFO does, but can also handle ip6 addresses - Adjust get{set}audit(2) syscalls to convert the data auditinfo <-> auditinfo_addr - Fully implement set{get}audit_addr(2) NOTE: This adds the ability for processes to correctly set extended subject information. The appropriate userspace utilities still need to be updated. MFC after: 1 month Reviewed by: rwatson Obtained from: TrustedBSD
2007-04-13 14:55:19 +00:00
struct auditinfo_addr aia;
Import kernel audit framework: - Management of audit state on processes. - Audit system calls to configure process and system audit state. - Reliable audit record queue implementation, audit_worker kernel thread to asynchronously store records on disk. - Audit event argument. - Internal audit data structure -> BSM audit trail conversion library. - Audit event pre-selection. - Audit pseudo-device permitting kernel->user upcalls to notify auditd of kernel audit events. Much work by: wsalamon Obtained from: TrustedBSD Project, Apple Computer, Inc.
2006-02-01 20:01:18 +00:00
int error;
Mark the audit system calls as being un-implemented in jails. Currently we do not trust jails enough to execute audit related system calls. An example of this is with su(1), or login(1) within prisons. So, if the syscall request comes from a jail return ENOSYS. This will cause these utilities to operate as if audit is not present in the kernel. Looking forward, this problem will be remedied by allowing non privileged users to maintain and their own audit streams, but the details on exactly how this will be implemented needs to be worked out. This change should fix situations when options AUDIT has been compiled into the kernel, and utilities like su(1), or login(1) fail due to audit system call failures within jails. This is a RELENG_6 candidate. Reported by: Christian Brueffer Discussed with: rwatson MFC after: 3 days
2006-10-10 15:49:10 +00:00
if (jailed(td->td_ucred))
return (ENOSYS);
Move per-process audit state from a pointer in the proc structure to embedded storage in struct ucred. This allows audit state to be cached with the thread, avoiding locking operations with each system call, and makes it available in asynchronous execution contexts, such as deep in the network stack or VFS. Reviewed by: csjp Approved by: re (kensmith) Obtained from: TrustedBSD Project
2007-06-07 22:27:15 +00:00
error = copyin(uap->auditinfo_addr, &aia, sizeof(aia));
Import kernel audit framework: - Management of audit state on processes. - Audit system calls to configure process and system audit state. - Reliable audit record queue implementation, audit_worker kernel thread to asynchronously store records on disk. - Audit event argument. - Internal audit data structure -> BSM audit trail conversion library. - Audit event pre-selection. - Audit pseudo-device permitting kernel->user upcalls to notify auditd of kernel audit events. Much work by: wsalamon Obtained from: TrustedBSD Project, Apple Computer, Inc.
2006-02-01 20:01:18 +00:00
if (error)
return (error);
- Add audit_arg_audinfo_addr() for auditing the arguments for setaudit_addr(2) - In audit_bsm.c, make sure all the arguments: ARG_AUID, ARG_ASID, ARG_AMASK, and ARG_TERMID{_ADDR} are valid before auditing their arguments. (This is done for both setaudit and setaudit_addr. - Audit the arguments passed to setaudit_addr(2) - AF_INET6 does not equate to AU_IPv6. Change this in au_to_in_addr_ex() so the audit token is created with the correct type. This fixes the processing of the in_addr_ex token in users pace. - Change the size of the token (as generated by the kernel) from 5*4 bytes to 4*4 bytes (the correct size of an ip6 address) - Correct regression from ucred work which resulted in getaudit() not returning E2BIG if the subject had an ip6 termid - Correct slight regression in getaudit(2) which resulted in the size of a pointer being passed instead of the size of the structure. (This resulted in invalid auditinfo data being returned via getaudit(2)) Reviewed by: rwatson Approved by: re@ (kensmith) Obtained from: TrustedBSD Project MFC after: 1 month
2007-06-27 17:01:15 +00:00
audit_arg_auditinfo_addr(&aia);
if (aia.ai_termid.at_type != AU_IPv6 &&
aia.ai_termid.at_type != AU_IPv4)
return (EINVAL);
Move per-process audit state from a pointer in the proc structure to embedded storage in struct ucred. This allows audit state to be cached with the thread, avoiding locking operations with each system call, and makes it available in asynchronous execution contexts, such as deep in the network stack or VFS. Reviewed by: csjp Approved by: re (kensmith) Obtained from: TrustedBSD Project
2007-06-07 22:27:15 +00:00
newcred = crget();
PROC_LOCK(td->td_proc);
oldcred = td->td_proc->p_ucred;
crcopy(newcred, oldcred);
Allow MAC policy modules to control access to audit configuration system calls. Add MAC Framework entry points and MAC policy entry points for audit(), auditctl(), auditon(), setaudit(), aud setauid(). MAC Framework entry points are only added for audit system calls where additional argument context may be useful for policy decision-making; other audit system calls without arguments may be controlled via the priv(9) entry points. Update various policy modules to implement audit-related checks, and in some cases, other missing system-related checks. Obtained from: TrustedBSD Project Sponsored by: SPARTA, Inc.
2007-04-21 22:08:48 +00:00
#ifdef MAC
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
error = mac_proc_check_setaudit_addr(oldcred, &aia);
Allow MAC policy modules to control access to audit configuration system calls. Add MAC Framework entry points and MAC policy entry points for audit(), auditctl(), auditon(), setaudit(), aud setauid(). MAC Framework entry points are only added for audit system calls where additional argument context may be useful for policy decision-making; other audit system calls without arguments may be controlled via the priv(9) entry points. Update various policy modules to implement audit-related checks, and in some cases, other missing system-related checks. Obtained from: TrustedBSD Project Sponsored by: SPARTA, Inc.
2007-04-21 22:08:48 +00:00
if (error)
Move per-process audit state from a pointer in the proc structure to embedded storage in struct ucred. This allows audit state to be cached with the thread, avoiding locking operations with each system call, and makes it available in asynchronous execution contexts, such as deep in the network stack or VFS. Reviewed by: csjp Approved by: re (kensmith) Obtained from: TrustedBSD Project
2007-06-07 22:27:15 +00:00
goto fail;
Allow MAC policy modules to control access to audit configuration system calls. Add MAC Framework entry points and MAC policy entry points for audit(), auditctl(), auditon(), setaudit(), aud setauid(). MAC Framework entry points are only added for audit system calls where additional argument context may be useful for policy decision-making; other audit system calls without arguments may be controlled via the priv(9) entry points. Update various policy modules to implement audit-related checks, and in some cases, other missing system-related checks. Obtained from: TrustedBSD Project Sponsored by: SPARTA, Inc.
2007-04-21 22:08:48 +00:00
#endif
Move per-process audit state from a pointer in the proc structure to embedded storage in struct ucred. This allows audit state to be cached with the thread, avoiding locking operations with each system call, and makes it available in asynchronous execution contexts, such as deep in the network stack or VFS. Reviewed by: csjp Approved by: re (kensmith) Obtained from: TrustedBSD Project
2007-06-07 22:27:15 +00:00
error = priv_check_cred(oldcred, PRIV_AUDIT_SETAUDIT, 0);
Fix the handling of IPv6 addresses for subject and process BSM audit tokens. Currently, we do not support the set{get}audit_addr(2) system calls which allows processes like sshd to set extended or ip6 information for subject tokens. The approach that was taken was to change the process audit state slightly to use an extended terminal ID in the kernel. This allows us to store both IPv4 IPv6 addresses. In the case that an IPv4 address is in use, we convert the terminal ID from an struct auditinfo_addr to a struct auditinfo. If getaudit(2) is called when the subject is bound to an ip6 address, we return E2BIG. - Change the internal audit record to store an extended terminal ID - Introduce ARG_TERMID_ADDR - Change the kaudit <-> BSM conversion process so that we are using the appropriate subject token. If the address associated with the subject is IPv4, we use the standard subject32 token. If the subject has an IPv6 address associated with them, we use an extended subject32 token. - Fix a couple of endian issues where we do a couple of byte swaps when we shouldn't be. IP addresses are already in the correct byte order, so reading the ip6 address 4 bytes at a time and swapping them results in in-correct address data. It should be noted that the same issue was found in the openbsm library and it has been changed there too on the vendor branch - Change A_GETPINFO to use the appropriate structures - Implement A_GETPINFO_ADDR which basically does what A_GETPINFO does, but can also handle ip6 addresses - Adjust get{set}audit(2) syscalls to convert the data auditinfo <-> auditinfo_addr - Fully implement set{get}audit_addr(2) NOTE: This adds the ability for processes to correctly set extended subject information. The appropriate userspace utilities still need to be updated. MFC after: 1 month Reviewed by: rwatson Obtained from: TrustedBSD
2007-04-13 14:55:19 +00:00
if (error)
Move per-process audit state from a pointer in the proc structure to embedded storage in struct ucred. This allows audit state to be cached with the thread, avoiding locking operations with each system call, and makes it available in asynchronous execution contexts, such as deep in the network stack or VFS. Reviewed by: csjp Approved by: re (kensmith) Obtained from: TrustedBSD Project
2007-06-07 22:27:15 +00:00
goto fail;
newcred->cr_audit = aia;
td->td_proc->p_ucred = newcred;
Fix the handling of IPv6 addresses for subject and process BSM audit tokens. Currently, we do not support the set{get}audit_addr(2) system calls which allows processes like sshd to set extended or ip6 information for subject tokens. The approach that was taken was to change the process audit state slightly to use an extended terminal ID in the kernel. This allows us to store both IPv4 IPv6 addresses. In the case that an IPv4 address is in use, we convert the terminal ID from an struct auditinfo_addr to a struct auditinfo. If getaudit(2) is called when the subject is bound to an ip6 address, we return E2BIG. - Change the internal audit record to store an extended terminal ID - Introduce ARG_TERMID_ADDR - Change the kaudit <-> BSM conversion process so that we are using the appropriate subject token. If the address associated with the subject is IPv4, we use the standard subject32 token. If the subject has an IPv6 address associated with them, we use an extended subject32 token. - Fix a couple of endian issues where we do a couple of byte swaps when we shouldn't be. IP addresses are already in the correct byte order, so reading the ip6 address 4 bytes at a time and swapping them results in in-correct address data. It should be noted that the same issue was found in the openbsm library and it has been changed there too on the vendor branch - Change A_GETPINFO to use the appropriate structures - Implement A_GETPINFO_ADDR which basically does what A_GETPINFO does, but can also handle ip6 addresses - Adjust get{set}audit(2) syscalls to convert the data auditinfo <-> auditinfo_addr - Fully implement set{get}audit_addr(2) NOTE: This adds the ability for processes to correctly set extended subject information. The appropriate userspace utilities still need to be updated. MFC after: 1 month Reviewed by: rwatson Obtained from: TrustedBSD
2007-04-13 14:55:19 +00:00
PROC_UNLOCK(td->td_proc);
Move per-process audit state from a pointer in the proc structure to embedded storage in struct ucred. This allows audit state to be cached with the thread, avoiding locking operations with each system call, and makes it available in asynchronous execution contexts, such as deep in the network stack or VFS. Reviewed by: csjp Approved by: re (kensmith) Obtained from: TrustedBSD Project
2007-06-07 22:27:15 +00:00
crfree(oldcred);
return (0);
fail:
In setaudit_addr(), drop the process lock in error cases. Submitted by: Peter Holm <peter@holm.cc> (BugMaster)
2007-06-15 15:20:56 +00:00
PROC_UNLOCK(td->td_proc);
Move per-process audit state from a pointer in the proc structure to embedded storage in struct ucred. This allows audit state to be cached with the thread, avoiding locking operations with each system call, and makes it available in asynchronous execution contexts, such as deep in the network stack or VFS. Reviewed by: csjp Approved by: re (kensmith) Obtained from: TrustedBSD Project
2007-06-07 22:27:15 +00:00
crfree(newcred);
Fix the handling of IPv6 addresses for subject and process BSM audit tokens. Currently, we do not support the set{get}audit_addr(2) system calls which allows processes like sshd to set extended or ip6 information for subject tokens. The approach that was taken was to change the process audit state slightly to use an extended terminal ID in the kernel. This allows us to store both IPv4 IPv6 addresses. In the case that an IPv4 address is in use, we convert the terminal ID from an struct auditinfo_addr to a struct auditinfo. If getaudit(2) is called when the subject is bound to an ip6 address, we return E2BIG. - Change the internal audit record to store an extended terminal ID - Introduce ARG_TERMID_ADDR - Change the kaudit <-> BSM conversion process so that we are using the appropriate subject token. If the address associated with the subject is IPv4, we use the standard subject32 token. If the subject has an IPv6 address associated with them, we use an extended subject32 token. - Fix a couple of endian issues where we do a couple of byte swaps when we shouldn't be. IP addresses are already in the correct byte order, so reading the ip6 address 4 bytes at a time and swapping them results in in-correct address data. It should be noted that the same issue was found in the openbsm library and it has been changed there too on the vendor branch - Change A_GETPINFO to use the appropriate structures - Implement A_GETPINFO_ADDR which basically does what A_GETPINFO does, but can also handle ip6 addresses - Adjust get{set}audit(2) syscalls to convert the data auditinfo <-> auditinfo_addr - Fully implement set{get}audit_addr(2) NOTE: This adds the ability for processes to correctly set extended subject information. The appropriate userspace utilities still need to be updated. MFC after: 1 month Reviewed by: rwatson Obtained from: TrustedBSD
2007-04-13 14:55:19 +00:00
return (error);
Import kernel audit framework: - Management of audit state on processes. - Audit system calls to configure process and system audit state. - Reliable audit record queue implementation, audit_worker kernel thread to asynchronously store records on disk. - Audit event argument. - Internal audit data structure -> BSM audit trail conversion library. - Audit event pre-selection. - Audit pseudo-device permitting kernel->user upcalls to notify auditd of kernel audit events. Much work by: wsalamon Obtained from: TrustedBSD Project, Apple Computer, Inc.
2006-02-01 20:01:18 +00:00
}
/*
* Syscall to manage audit files.
*/
/* ARGSUSED */
int
auditctl(struct thread *td, struct auditctl_args *uap)
{
struct nameidata nd;
struct ucred *cred;
struct vnode *vp;
int error = 0;
Remove use of Giant around vn_open() in audit trail setup. Submitted by: jhb, wsalamon Obtained from: TrustedBSD Project
2006-06-05 22:36:12 +00:00
int flags, vfslocked;
Import kernel audit framework: - Management of audit state on processes. - Audit system calls to configure process and system audit state. - Reliable audit record queue implementation, audit_worker kernel thread to asynchronously store records on disk. - Audit event argument. - Internal audit data structure -> BSM audit trail conversion library. - Audit event pre-selection. - Audit pseudo-device permitting kernel->user upcalls to notify auditd of kernel audit events. Much work by: wsalamon Obtained from: TrustedBSD Project, Apple Computer, Inc.
2006-02-01 20:01:18 +00:00
Mark the audit system calls as being un-implemented in jails. Currently we do not trust jails enough to execute audit related system calls. An example of this is with su(1), or login(1) within prisons. So, if the syscall request comes from a jail return ENOSYS. This will cause these utilities to operate as if audit is not present in the kernel. Looking forward, this problem will be remedied by allowing non privileged users to maintain and their own audit streams, but the details on exactly how this will be implemented needs to be worked out. This change should fix situations when options AUDIT has been compiled into the kernel, and utilities like su(1), or login(1) fail due to audit system call failures within jails. This is a RELENG_6 candidate. Reported by: Christian Brueffer Discussed with: rwatson MFC after: 3 days
2006-10-10 15:49:10 +00:00
if (jailed(td->td_ucred))
return (ENOSYS);
Sweep kernel replacing suser(9) calls with priv(9) calls, assigning specific privilege names to a broad range of privileges. These may require some future tweaking. Sponsored by: nCircle Network Security, Inc. Obtained from: TrustedBSD Project Discussed on: arch@ Reviewed (at least in part) by: mlaier, jmg, pjd, bde, ceri, Alex Lyashkov <umka at sevcity dot net>, Skip Ford <skip dot ford at verizon dot net>, Antoine Brodin <antoine dot brodin at laposte dot net>
2006-11-06 13:42:10 +00:00
error = priv_check(td, PRIV_AUDIT_CONTROL);
Import kernel audit framework: - Management of audit state on processes. - Audit system calls to configure process and system audit state. - Reliable audit record queue implementation, audit_worker kernel thread to asynchronously store records on disk. - Audit event argument. - Internal audit data structure -> BSM audit trail conversion library. - Audit event pre-selection. - Audit pseudo-device permitting kernel->user upcalls to notify auditd of kernel audit events. Much work by: wsalamon Obtained from: TrustedBSD Project, Apple Computer, Inc.
2006-02-01 20:01:18 +00:00
if (error)
return (error);
vp = NULL;
cred = NULL;
/*
* If a path is specified, open the replacement vnode, perform
* validity checks, and grab another reference to the current
* credential.
*
Use p_cansee() to check that a target process for an audit state manipulation is visible to the subject process. Remove XXX comments suggesting this. Convert one XXX on a difference from Darwin into a note: it's not a bug, it's a feature. Obtained from: TrustedBSD Project
2006-12-29 10:49:13 +00:00
* On Darwin, a NULL path argument is also used to disable audit.
Import kernel audit framework: - Management of audit state on processes. - Audit system calls to configure process and system audit state. - Reliable audit record queue implementation, audit_worker kernel thread to asynchronously store records on disk. - Audit event argument. - Internal audit data structure -> BSM audit trail conversion library. - Audit event pre-selection. - Audit pseudo-device permitting kernel->user upcalls to notify auditd of kernel audit events. Much work by: wsalamon Obtained from: TrustedBSD Project, Apple Computer, Inc.
2006-02-01 20:01:18 +00:00
*/
if (uap->path == NULL)
return (EINVAL);
Audit path argument when changing audit trails. Call NDFREE(), which while not currently strictly necessary, isn't a bad idea. MFC after: 3 days Obtained from: TrustedBSD Project
2006-10-02 06:56:10 +00:00
NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF | MPSAFE | AUDITVNODE1,
UIO_USERSPACE, uap->path, td);
Import kernel audit framework: - Management of audit state on processes. - Audit system calls to configure process and system audit state. - Reliable audit record queue implementation, audit_worker kernel thread to asynchronously store records on disk. - Audit event argument. - Internal audit data structure -> BSM audit trail conversion library. - Audit event pre-selection. - Audit pseudo-device permitting kernel->user upcalls to notify auditd of kernel audit events. Much work by: wsalamon Obtained from: TrustedBSD Project, Apple Computer, Inc.
2006-02-01 20:01:18 +00:00
flags = AUDIT_OPEN_FLAGS;
Change the VOP_OPEN(), vn_open() vnode operation and d_fdopen() cdev operation argument from being file descriptor index into the pointer to struct file: part 2. Convert calls missed in the first big commit. Noted by: rwatson Pointy hat to: kib
2007-06-01 14:33:11 +00:00
error = vn_open(&nd, &flags, 0, NULL);
Remove use of Giant around vn_open() in audit trail setup. Submitted by: jhb, wsalamon Obtained from: TrustedBSD Project
2006-06-05 22:36:12 +00:00
if (error)
return (error);
vfslocked = NDHASGIANT(&nd);
Import kernel audit framework: - Management of audit state on processes. - Audit system calls to configure process and system audit state. - Reliable audit record queue implementation, audit_worker kernel thread to asynchronously store records on disk. - Audit event argument. - Internal audit data structure -> BSM audit trail conversion library. - Audit event pre-selection. - Audit pseudo-device permitting kernel->user upcalls to notify auditd of kernel audit events. Much work by: wsalamon Obtained from: TrustedBSD Project, Apple Computer, Inc.
2006-02-01 20:01:18 +00:00
vp = nd.ni_vp;
Allow MAC policy modules to control access to audit configuration system calls. Add MAC Framework entry points and MAC policy entry points for audit(), auditctl(), auditon(), setaudit(), aud setauid(). MAC Framework entry points are only added for audit system calls where additional argument context may be useful for policy decision-making; other audit system calls without arguments may be controlled via the priv(9) entry points. Update various policy modules to implement audit-related checks, and in some cases, other missing system-related checks. Obtained from: TrustedBSD Project Sponsored by: SPARTA, Inc.
2007-04-21 22:08:48 +00:00
#ifdef MAC
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
error = mac_system_check_auditctl(td->td_ucred, vp);
VOP_LOCK1() (and so VOP_LOCK()) and VOP_UNLOCK() are only used in conjuction with 'thread' argument passing which is always curthread. Remove the unuseful extra-argument and pass explicitly curthread to lower layer functions, when necessary. KPI results broken by this change, which should affect several ports, so version bumping and manpage update will be further committed. Tested by: kris, pho, Diego Sardina <siarodx at gmail dot com>
2008-01-13 14:44:15 +00:00
VOP_UNLOCK(vp, 0);
Allow MAC policy modules to control access to audit configuration system calls. Add MAC Framework entry points and MAC policy entry points for audit(), auditctl(), auditon(), setaudit(), aud setauid(). MAC Framework entry points are only added for audit system calls where additional argument context may be useful for policy decision-making; other audit system calls without arguments may be controlled via the priv(9) entry points. Update various policy modules to implement audit-related checks, and in some cases, other missing system-related checks. Obtained from: TrustedBSD Project Sponsored by: SPARTA, Inc.
2007-04-21 22:08:48 +00:00
if (error) {
vn_close(vp, AUDIT_CLOSE_FLAGS, td->td_ucred, td);
VFS_UNLOCK_GIANT(vfslocked);
return (error);
}
#else
VOP_LOCK1() (and so VOP_LOCK()) and VOP_UNLOCK() are only used in conjuction with 'thread' argument passing which is always curthread. Remove the unuseful extra-argument and pass explicitly curthread to lower layer functions, when necessary. KPI results broken by this change, which should affect several ports, so version bumping and manpage update will be further committed. Tested by: kris, pho, Diego Sardina <siarodx at gmail dot com>
2008-01-13 14:44:15 +00:00
VOP_UNLOCK(vp, 0);
Allow MAC policy modules to control access to audit configuration system calls. Add MAC Framework entry points and MAC policy entry points for audit(), auditctl(), auditon(), setaudit(), aud setauid(). MAC Framework entry points are only added for audit system calls where additional argument context may be useful for policy decision-making; other audit system calls without arguments may be controlled via the priv(9) entry points. Update various policy modules to implement audit-related checks, and in some cases, other missing system-related checks. Obtained from: TrustedBSD Project Sponsored by: SPARTA, Inc.
2007-04-21 22:08:48 +00:00
#endif
Audit path argument when changing audit trails. Call NDFREE(), which while not currently strictly necessary, isn't a bad idea. MFC after: 3 days Obtained from: TrustedBSD Project
2006-10-02 06:56:10 +00:00
NDFREE(&nd, NDF_ONLY_PNBUF);
Import kernel audit framework: - Management of audit state on processes. - Audit system calls to configure process and system audit state. - Reliable audit record queue implementation, audit_worker kernel thread to asynchronously store records on disk. - Audit event argument. - Internal audit data structure -> BSM audit trail conversion library. - Audit event pre-selection. - Audit pseudo-device permitting kernel->user upcalls to notify auditd of kernel audit events. Much work by: wsalamon Obtained from: TrustedBSD Project, Apple Computer, Inc.
2006-02-01 20:01:18 +00:00
if (vp->v_type != VREG) {
vn_close(vp, AUDIT_CLOSE_FLAGS, td->td_ucred, td);
Remove use of Giant around vn_open() in audit trail setup. Submitted by: jhb, wsalamon Obtained from: TrustedBSD Project
2006-06-05 22:36:12 +00:00
VFS_UNLOCK_GIANT(vfslocked);
return (EINVAL);
Import kernel audit framework: - Management of audit state on processes. - Audit system calls to configure process and system audit state. - Reliable audit record queue implementation, audit_worker kernel thread to asynchronously store records on disk. - Audit event argument. - Internal audit data structure -> BSM audit trail conversion library. - Audit event pre-selection. - Audit pseudo-device permitting kernel->user upcalls to notify auditd of kernel audit events. Much work by: wsalamon Obtained from: TrustedBSD Project, Apple Computer, Inc.
2006-02-01 20:01:18 +00:00
}
Remove use of Giant around vn_open() in audit trail setup. Submitted by: jhb, wsalamon Obtained from: TrustedBSD Project
2006-06-05 22:36:12 +00:00
VFS_UNLOCK_GIANT(vfslocked);
Import kernel audit framework: - Management of audit state on processes. - Audit system calls to configure process and system audit state. - Reliable audit record queue implementation, audit_worker kernel thread to asynchronously store records on disk. - Audit event argument. - Internal audit data structure -> BSM audit trail conversion library. - Audit event pre-selection. - Audit pseudo-device permitting kernel->user upcalls to notify auditd of kernel audit events. Much work by: wsalamon Obtained from: TrustedBSD Project, Apple Computer, Inc.
2006-02-01 20:01:18 +00:00
cred = td->td_ucred;
crhold(cred);
/*
* XXXAUDIT: Should audit_suspended actually be cleared by
* audit_worker?
*/
audit_suspended = 0;
audit_rotate_vnode(cred, vp);
return (error);
}
#else /* !AUDIT */
int
audit(struct thread *td, struct audit_args *uap)
{
return (ENOSYS);
}
int
auditon(struct thread *td, struct auditon_args *uap)
{
return (ENOSYS);
}
int
getauid(struct thread *td, struct getauid_args *uap)
{
return (ENOSYS);
}
int
setauid(struct thread *td, struct setauid_args *uap)
{
return (ENOSYS);
}
int
getaudit(struct thread *td, struct getaudit_args *uap)
{
return (ENOSYS);
}
int
setaudit(struct thread *td, struct setaudit_args *uap)
{
return (ENOSYS);
}
int
getaudit_addr(struct thread *td, struct getaudit_addr_args *uap)
{
return (ENOSYS);
}
int
setaudit_addr(struct thread *td, struct setaudit_addr_args *uap)
{
return (ENOSYS);
}
int
auditctl(struct thread *td, struct auditctl_args *uap)
{
return (ENOSYS);
}
#endif /* AUDIT */
Reference in New Issue Copy Permalink