Add AUDITVNODE[12] flags to namei(), which cause namei() to audit path

and vnode attribute information for looked up vnodes during the lookup operation. This will allow consumers of namei() to specify that this information be added to the in-process audit record. Submitted by: wsalamon Obtained from: TrustedBSD Project
2006-02-05 15:42:01 +00:00 · 2006-02-05 15:42:01 +00:00 · 95fea57c65
commit 95fea57c65
parent 8c76311215
2 changed files with 22 additions and 1 deletions
--- a/sys/kern/vfs_lookup.c
+++ b/sys/kern/vfs_lookup.c
@ -58,6 +58,8 @@ __FBSDID("$FreeBSD$");
 #include <sys/ktrace.h>
 #endif

+#include <security/audit/audit.h>
+
 #include <vm/uma.h>

 #define	NAMEI_DIAGNOSTIC 1
@ -145,6 +147,12 @@ namei(ndp)
 		error = copyinstr(ndp->ni_dirp, cnp->cn_pnbuf,
 			    MAXPATHLEN, (size_t *)&ndp->ni_pathlen);

+	/* If we are auditing the kernel pathname, save the user pathname. */
+	if (cnp->cn_flags & AUDITVNODE1)
+		AUDIT_ARG(upath, td, cnp->cn_pnbuf, ARG_UPATH1);
+	if (cnp->cn_flags & AUDITVNODE2)
+		AUDIT_ARG(upath, td, cnp->cn_pnbuf, ARG_UPATH2);
+
 	/*
 	 * Don't allow empty pathnames.
 	 */
@ -460,6 +468,12 @@ dirloop:
 			VREF(dp);
 		}
 		ndp->ni_vp = dp;
+
+		if (cnp->cn_flags & AUDITVNODE1)
+			AUDIT_ARG(vnode, dp, ARG_VNODE1);
+		else if (cnp->cn_flags & AUDITVNODE2)
+			AUDIT_ARG(vnode, dp, ARG_VNODE2);
+
 		if (!(cnp->cn_flags & (LOCKPARENT | LOCKLEAF)))
 			VOP_UNLOCK(dp, 0, td);
 		/* XXX This should probably move to the top of function. */
@ -714,6 +728,11 @@ nextname:
 	} else if ((cnp->cn_flags & LOCKPARENT) == 0 && ndp->ni_dvp != dp)
 		VOP_UNLOCK(ndp->ni_dvp, 0, td);

+	if (cnp->cn_flags & AUDITVNODE1)
+		AUDIT_ARG(vnode, dp, ARG_VNODE1);
+	else if (cnp->cn_flags & AUDITVNODE2)
+		AUDIT_ARG(vnode, dp, ARG_VNODE2);
+
 	if ((cnp->cn_flags & LOCKLEAF) == 0)
 		VOP_UNLOCK(dp, 0, td);
 success:
--- a/sys/sys/namei.h
+++ b/sys/sys/namei.h
@ -139,7 +139,9 @@ struct nameidata {
 #define	NOMACCHECK	0x0800000 /* do not perform MAC checks */
 #define	MPSAFE		0x1000000 /* namei() must acquire Giant if needed. */
 #define	GIANTHELD	0x2000000 /* namei() is holding giant. */
-#define	PARAMASK	0x3fffe00 /* mask of parameter descriptors */
+#define	AUDITVNODE1	0x4000000 /* audit the looked up vnode information */
+#define	AUDITVNODE2 	0x8000000 /* audit the looked up vnode information */
+#define	PARAMASK	0xffffe00 /* mask of parameter descriptors */

 #define	NDHASGIANT(NDP)	(((NDP)->ni_cnd.cn_flags & GIANTHELD) != 0)