Audit file-descriptor arguments to I/O system calls such as

read(2), write(2), dup(2), and mmap(2). This auditing is not required by the Common Criteria (and hence was not being performed), but is valuable in both contemporary live analysis and forensic use cases. MFC after: 3 days Sponsored by: DARPA, AFRL
2016-07-10 08:04:02 +00:00 · 2016-07-10 08:04:02 +00:00 · 51d1f69069
commit 51d1f69069
parent 5a5807dd4c
3 changed files with 8 additions and 0 deletions
--- a/sys/kern/kern_descrip.c
+++ b/sys/kern/kern_descrip.c
@ -820,6 +820,9 @@ kern_dup(struct thread *td, u_int mode, int flags, int old, int new)
 	MPASS((flags & ~(FDDUP_FLAG_CLOEXEC)) == 0);
 	MPASS(mode < FDDUP_LASTMODE);

+	AUDIT_ARG_FD(old);
+	/* XXXRW: if (flags & FDDUP_FIXED) AUDIT_ARG_FD2(new); */
+
 	/*
 	 * Verify we have a valid descriptor to dup from and possibly to
 	 * dup to. Unlike dup() and dup2(), fcntl()'s F_DUPFD should
--- a/sys/kern/sys_generic.c
+++ b/sys/kern/sys_generic.c
@ -363,6 +363,8 @@ dofileread(td, fd, fp, auio, offset, flags)
 	struct uio *ktruio = NULL;
 #endif

+	AUDIT_ARG_FD(fd);
+
 	/* Finish zero length reads right here */
 	if (auio->uio_resid == 0) {
 		td->td_retval[0] = 0;
@ -576,6 +578,7 @@ dofilewrite(td, fd, fp, auio, offset, flags)
 	struct uio *ktruio = NULL;
 #endif

+	AUDIT_ARG_FD(fd);
 	auio->uio_rw = UIO_WRITE;
 	auio->uio_td = td;
 	auio->uio_offset = offset;
--- a/sys/vm/vm_mmap.c
+++ b/sys/vm/vm_mmap.c
@ -74,6 +74,7 @@ __FBSDID("$FreeBSD$");
 #include <sys/sysent.h>
 #include <sys/vmmeter.h>

+#include <security/audit/audit.h>
 #include <security/mac/mac_framework.h>

 #include <vm/vm.h>
@ -206,6 +207,7 @@ sys_mmap(td, uap)
 	pos = uap->pos;

 	fp = NULL;
+	AUDIT_ARG_FD(uap->fd);

 	/*
 	 * Ignore old flags that used to be defined but did not do anything.