- Add audit_arg_audinfo_addr() for auditing the arguments for setaudit_addr(2)

- In audit_bsm.c, make sure all the arguments: ARG_AUID, ARG_ASID, ARG_AMASK,
  and ARG_TERMID{_ADDR} are valid before auditing their arguments. (This is done
  for both setaudit and setaudit_addr.
- Audit the arguments passed to setaudit_addr(2)
- AF_INET6 does not equate to AU_IPv6. Change this in au_to_in_addr_ex() so the
  audit token is created with the correct type. This fixes the processing of the
  in_addr_ex token in users pace.
- Change the size of the token (as generated by the kernel) from 5*4 bytes to
  4*4 bytes (the correct size of an ip6 address)
- Correct regression from ucred work which resulted in getaudit() not returning
  E2BIG if the subject had an ip6 termid
- Correct slight regression in getaudit(2) which resulted in the size of a pointer
  being passed instead of the size of the structure. (This resulted in invalid
  auditinfo data being returned via getaudit(2))

Reviewed by:	rwatson
Approved by:	re@ (kensmith)
Obtained from:	TrustedBSD Project
MFC after:	1 month

sys/security/audit/audit.h

@@ -157,6 +157,7 @@ void	 audit_arg_socket(int sodomain, int sotype, int soprotocol);
 void	 audit_arg_sockaddr(struct thread *td, struct sockaddr *sa);
 void	 audit_arg_auid(uid_t auid);
 void	 audit_arg_auditinfo(struct auditinfo *au_info);
+void	 audit_arg_auditinfo_addr(struct auditinfo_addr *au_info);
 void	 audit_arg_upath(struct thread *td, char *upath, u_int64_t flags);
 void	 audit_arg_vnode(struct vnode *vp, u_int64_t flags);
 void	 audit_arg_text(char *text);

sys/security/audit/audit_arg.c

@@ -466,6 +466,28 @@ audit_arg_auditinfo(struct auditinfo *au_info)
 	ARG_SET_VALID(ar, ARG_AUID | ARG_ASID | ARG_AMASK | ARG_TERMID);
 }
 
+void
+audit_arg_auditinfo_addr(struct auditinfo_addr *au_info)
+{
+	struct kaudit_record *ar;
+
+	ar = currecord();
+	if (ar == NULL)
+		return;
+
+	ar->k_ar.ar_arg_auid = au_info->ai_auid;
+	ar->k_ar.ar_arg_asid = au_info->ai_asid;
+	ar->k_ar.ar_arg_amask.am_success = au_info->ai_mask.am_success;
+	ar->k_ar.ar_arg_amask.am_failure = au_info->ai_mask.am_failure;
+	ar->k_ar.ar_arg_termid_addr.at_type = au_info->ai_termid.at_type;
+	ar->k_ar.ar_arg_termid_addr.at_port = au_info->ai_termid.at_port;
+	ar->k_ar.ar_arg_termid_addr.at_addr[0] = au_info->ai_termid.at_addr[0];
+	ar->k_ar.ar_arg_termid_addr.at_addr[1] = au_info->ai_termid.at_addr[1];
+	ar->k_ar.ar_arg_termid_addr.at_addr[2] = au_info->ai_termid.at_addr[2];
+	ar->k_ar.ar_arg_termid_addr.at_addr[3] = au_info->ai_termid.at_addr[3];
+	ARG_SET_VALID(ar, ARG_AUID | ARG_ASID | ARG_AMASK | ARG_TERMID_ADDR);
+}
+
 void
 audit_arg_text(char *text)
 {

sys/security/audit/audit_bsm.c

@@ -499,7 +499,10 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau)
 		break;
 
 	case AUE_SETAUDIT:
-		if (ARG_IS_VALID(kar, ARG_AUID)) {
+		if (ARG_IS_VALID(kar, ARG_AUID) &&
+		    ARG_IS_VALID(kar, ARG_ASID) &&
+		    ARG_IS_VALID(kar, ARG_AMASK) &&
+		    ARG_IS_VALID(kar, ARG_TERMID)) {
 			tok = au_to_arg32(1, "setaudit:auid",
 			    ar->ar_arg_auid);
 			kau_write(rec, tok);
@@ -522,7 +525,37 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau)
 		break;
 
 	case AUE_SETAUDIT_ADDR:
-		break;		/* XXX need to add arguments */
+		if (ARG_IS_VALID(kar, ARG_AUID) &&
+		    ARG_IS_VALID(kar, ARG_ASID) &&
+		    ARG_IS_VALID(kar, ARG_AMASK) &&
+		    ARG_IS_VALID(kar, ARG_TERMID_ADDR)) {
+			tok = au_to_arg32(1, "setaudit_addr:auid",
+			    ar->ar_arg_auid);
+			kau_write(rec, tok);
+			tok = au_to_arg32(1, "setaudit_addr:as_success",
+			    ar->ar_arg_amask.am_success);
+			kau_write(rec, tok);
+			tok = au_to_arg32(1, "setaudit_addr:as_failure",
+			    ar->ar_arg_amask.am_failure);
+			kau_write(rec, tok);
+			tok = au_to_arg32(1, "setaudit_addr:asid",
+			    ar->ar_arg_asid);
+			kau_write(rec, tok);
+			tok = au_to_arg32(1, "setaudit_addr:type",
+			    ar->ar_arg_termid_addr.at_type);
+			kau_write(rec, tok);
+			tok = au_to_arg32(1, "setaudit_addr:port",
+			    ar->ar_arg_termid_addr.at_port);
+			kau_write(rec, tok);
+			if (ar->ar_arg_termid_addr.at_type == AU_IPv6)
+				tok = au_to_in_addr_ex((struct in6_addr *)
+				    &ar->ar_arg_termid_addr.at_addr[0]);
+			if (ar->ar_arg_termid_addr.at_type == AU_IPv4)
+				tok = au_to_in_addr((struct in_addr *)
+				    &ar->ar_arg_termid_addr.at_addr[0]);
+			kau_write(rec, tok);
+		}
+		break;
 
 	case AUE_AUDITON:
 		/*

sys/security/audit/audit_bsm_token.c

@@ -358,13 +358,13 @@ au_to_in_addr_ex(struct in6_addr *internet_addr)
 {
 	token_t *t;
 	u_char *dptr = NULL;
-	u_int32_t type = AF_INET6;
+	u_int32_t type = AU_IPv6;
 
 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 5 * sizeof(uint32_t));
 
 	ADD_U_CHAR(dptr, AUT_IN_ADDR_EX);
 	ADD_U_INT32(dptr, type);
-	ADD_MEM(dptr, internet_addr, 5 * sizeof(uint32_t));
+	ADD_MEM(dptr, internet_addr, 4 * sizeof(uint32_t));
 
 	return (t);
 }

sys/security/audit/audit_syscalls.c

@@ -503,13 +503,15 @@ getaudit(struct thread *td, struct getaudit_args *uap)
 	error = priv_check(td, PRIV_AUDIT_GETAUDIT);
 	if (error)
 		return (error);
+	if (td->td_ucred->cr_audit.ai_termid.at_type == AU_IPv6)
+		return (E2BIG);
 	bzero(&ai, sizeof(ai));
 	ai.ai_auid = td->td_ucred->cr_audit.ai_auid;
 	ai.ai_mask = td->td_ucred->cr_audit.ai_mask;
 	ai.ai_asid = td->td_ucred->cr_audit.ai_asid;
 	ai.ai_termid.machine = td->td_ucred->cr_audit.ai_termid.at_addr[0];
 	ai.ai_termid.port = td->td_ucred->cr_audit.ai_termid.at_port;
-	return (copyout(&ai, uap->auditinfo, sizeof(&ai)));
+	return (copyout(&ai, uap->auditinfo, sizeof(ai)));
 }
 
 /* ARGSUSED */
@@ -585,7 +587,10 @@ setaudit_addr(struct thread *td, struct setaudit_addr_args *uap)
 	error = copyin(uap->auditinfo_addr, &aia, sizeof(aia));
 	if (error)
 		return (error);
-	/* XXXRW: Audit argument. */
+	audit_arg_auditinfo_addr(&aia);
+	if (aia.ai_termid.at_type != AU_IPv6 &&
+	    aia.ai_termid.at_type != AU_IPv4)
+		return (EINVAL);
 	newcred = crget();
 	PROC_LOCK(td->td_proc);	
 	oldcred = td->td_proc->p_ucred;