Add BSM record conversion for a number of syscalls:

- thr_kill(2) and thr_exit(2) generally (no argument auditing here. - A set of syscalls for the process descriptor family, specifically: pdfork(2), pdgetpid(2) and pdkill(2) For these syscalls, audit the file descriptor. In the case of pdfork(2) a pointer to an integer (file descriptor) is passed in as an argument. We audit the post initialized file descriptor (not the random garbage that would have been passed in). We will also audit the child process which was created from the fork operation (similar to what is done for the fork(2) syscall). pdkill(2) we audit the signal value and fd, and finally pdgetpid(2) just the file descriptor: - Following is a sample of the produced audit trails: header,111,11,pdfork(2),0,Sat May 16 03:07:50 2020, + 394 msec argument,0,0x39d,child PID argument,2,0x2,flags argument,1,0x8,fd subject,root,root,0,root,0,924,0,0,0.0.0.0 return,success,925 header,79,11,pdgetpid(2),0,Sat May 16 03:07:50 2020, + 394 msec argument,1,0x8,fd subject,root,root,0,root,0,924,0,0,0.0.0.0 return,success,0 trailer,79 header,135,11,pdkill(2),0,Sat May 16 03:07:50 2020, + 395 msec argument,1,0x8,fd argument,2,0xf,signal process_ex,root,root,0,root,0,925,0,0,0.0.0.0 subject,root,root,0,root,0,924,0,0,0.0.0.0 return,success,0 trailer,135 MFC after: 1 week
svn path=/head/; revision=361103
2020-05-16 03:45:15 +00:00 · 2020-05-16 03:45:15 +00:00 · 757a564248 · 2020-12-20 02:59:44 +00:00
commit 757a564248
parent 26644b0125
2 changed files with 36 additions and 0 deletions
--- a/sys/kern/kern_fork.c
+++ b/sys/kern/kern_fork.c
@ -128,6 +128,7 @@ sys_pdfork(struct thread *td, struct pdfork_args *uap)
 	fr.fr_pidp = &pid;
 	fr.fr_pd_fd = &fd;
 	fr.fr_pd_flags = uap->flags;
+	AUDIT_ARG_FFLAGS(uap->flags);
 	/*
 	 * It is necessary to return fd by reference because 0 is a valid file
 	 * descriptor number, and the child needs to be able to distinguish
@ -909,6 +910,7 @@ fork1(struct thread *td, struct fork_req *fr)
 		    fr->fr_pd_flags, fr->fr_pd_fcaps);
 		if (error != 0)
 			goto fail2;
+		AUDIT_ARG_FD(*fr->fr_pd_fd);
 	}

 	mem_charged = 0;
--- a/sys/security/audit/audit_bsm.c
+++ b/sys/security/audit/audit_bsm.c
@ -1317,6 +1317,38 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau)
 		UPATH1_VNODE1_TOKENS;
 		break;

+	case AUE_PDKILL:
+		if (ARG_IS_VALID(kar, ARG_FD)) {
+			tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
+			kau_write(rec, tok);
+		}
+		if (ARG_IS_VALID(kar, ARG_SIGNUM)) {
+			tok = au_to_arg32(2, "signal", ar->ar_arg_signum);
+			kau_write(rec, tok);
+		}
+		PROCESS_PID_TOKENS(1);
+		break;
+	case AUE_PDFORK:
+		if (ARG_IS_VALID(kar, ARG_PID)) {
+			tok = au_to_arg32(0, "child PID", ar->ar_arg_pid);
+			kau_write(rec, tok);
+		}
+		if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
+			tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
+			kau_write(rec, tok);
+		}
+		if (ARG_IS_VALID(kar, ARG_FD)) {
+			tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
+			kau_write(rec, tok);
+		}
+		break;
+	case AUE_PDGETPID:
+		if (ARG_IS_VALID(kar, ARG_FD)) {
+			tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
+			kau_write(rec, tok);
+		}
+		break;
+
 	case AUE_PROCCTL:
 		if (ARG_IS_VALID(kar, ARG_VALUE)) {
 			tok = au_to_arg32(1, "idtype", ar->ar_arg_value);
@ -1747,6 +1779,8 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau)
 		break;

 	case AUE_THR_NEW:
+	case AUE_THR_KILL:
+	case AUE_THR_EXIT:
 		break;

 	case AUE_NULL: