When handling msgsys(2), semsys(2), and shmsys(2) multiplex system calls,

map the 'which' argument into a suitable audit event identifier for the specific operation requested. Obtained from: TrustedBSD Project MFC after: 3 weeks Sponsored by: DARPA, AFRL
2017-03-29 23:31:35 +00:00 · 2017-03-29 23:31:35 +00:00 · b783025921
commit b783025921
parent 255bba06cf
8 changed files with 127 additions and 3 deletions
--- a/sys/kern/sysv_msg.c
+++ b/sys/kern/sysv_msg.c
@ -73,6 +73,7 @@ __FBSDID("$FreeBSD$");
 #include <sys/malloc.h>
 #include <sys/jail.h>

+#include <security/audit/audit.h>
 #include <security/mac/mac_framework.h>

 FEATURE(sysv_msg, "System V message queues support");
@ -1639,6 +1640,7 @@ freebsd32_msgsys(struct thread *td, struct freebsd32_msgsys_args *uap)

 #if defined(COMPAT_FREEBSD4) || defined(COMPAT_FREEBSD5) || \
    defined(COMPAT_FREEBSD6) || defined(COMPAT_FREEBSD7)
+	AUDIT_ARG_SVIPC_WHICH(uap->which);
 	switch (uap->which) {
 	case 0:
 		return (freebsd7_freebsd32_msgctl(td,
@ -1810,6 +1812,7 @@ sys_msgsys(td, uap)
 {
 	int error;

+	AUDIT_ARG_SVIPC_WHICH(uap->which);
 	if (uap->which < 0 || uap->which >= nitems(msgcalls))
 		return (EINVAL);
 	error = (*msgcalls[uap->which])(td, &uap->a2);
--- a/sys/kern/sysv_sem.c
+++ b/sys/kern/sysv_sem.c
@ -62,6 +62,7 @@ __FBSDID("$FreeBSD$");
 #include <sys/malloc.h>
 #include <sys/jail.h>

+#include <security/audit/audit.h>
 #include <security/mac/mac_framework.h>

 FEATURE(sysv_sem, "System V semaphores support");
@ -1692,6 +1693,7 @@ sys_semsys(td, uap)
 {
 	int error;

+	AUDIT_ARG_SVIPC_WHICH(uap->which);
 	if (uap->which < 0 || uap->which >= nitems(semcalls))
 		return (EINVAL);
 	error = (*semcalls[uap->which])(td, &uap->a2);
@ -1791,6 +1793,7 @@ freebsd32_semsys(struct thread *td, struct freebsd32_semsys_args *uap)

 #if defined(COMPAT_FREEBSD4) || defined(COMPAT_FREEBSD5) || \
    defined(COMPAT_FREEBSD6) || defined(COMPAT_FREEBSD7)
+	AUDIT_ARG_SVIPC_WHICH(uap->which);
 	switch (uap->which) {
 	case 0:
 		return (freebsd7_freebsd32_semctl(td,
--- a/sys/kern/sysv_shm.c
+++ b/sys/kern/sysv_shm.c
@ -87,6 +87,7 @@ __FBSDID("$FreeBSD$");
 #include <sys/sysproto.h>
 #include <sys/jail.h>

+#include <security/audit/audit.h>
 #include <security/mac/mac_framework.h>

 #include <vm/vm.h>
@ -1300,6 +1301,7 @@ int
 sys_shmsys(struct thread *td, struct shmsys_args *uap)
 {

+	AUDIT_ARG_SVIPC_WHICH(uap->which);
 	if (uap->which < 0 || uap->which >= nitems(shmcalls))
 		return (EINVAL);
 	return ((*shmcalls[uap->which])(td, &uap->a2));
@ -1315,6 +1317,7 @@ freebsd32_shmsys(struct thread *td, struct freebsd32_shmsys_args *uap)

 #if defined(COMPAT_FREEBSD4) || defined(COMPAT_FREEBSD5) || \
    defined(COMPAT_FREEBSD6) || defined(COMPAT_FREEBSD7)
+	AUDIT_ARG_SVIPC_WHICH(uap->which);
 	switch (uap->which) {
 	case 0:	{	/* shmat */
 		struct shmat_args ap;
--- a/sys/security/audit/audit.c
+++ b/sys/security/audit/audit.c
@ -1,6 +1,6 @@
 /*-
 * Copyright (c) 1999-2005 Apple Inc.
- * Copyright (c) 2006-2007, 2016 Robert N. M. Watson
+ * Copyright (c) 2006-2007, 2016-2017 Robert N. M. Watson
 * All rights reserved.
 *
 * Portions of this software were developed by BAE Systems, the University of
@ -472,6 +472,24 @@ audit_commit(struct kaudit_record *ar, int error, int retval)
 		/* Convert the auditon() command to an event. */
 		ar->k_ar.ar_event = auditon_command_event(ar->k_ar.ar_arg_cmd);
 		break;
+
+	case AUE_MSGSYS:
+		if (ARG_IS_VALID(ar, ARG_SVIPC_WHICH))
+			ar->k_ar.ar_event =
+			    audit_msgsys_to_event(ar->k_ar.ar_arg_svipc_which);
+		break;
+
+	case AUE_SEMSYS:
+		if (ARG_IS_VALID(ar, ARG_SVIPC_WHICH))
+			ar->k_ar.ar_event =
+			    audit_semsys_to_event(ar->k_ar.ar_arg_svipc_which);
+		break;
+
+	case AUE_SHMSYS:
+		if (ARG_IS_VALID(ar, ARG_SVIPC_WHICH))
+			ar->k_ar.ar_event =
+			    audit_shmsys_to_event(ar->k_ar.ar_arg_svipc_which);
+		break;
 	}

 	auid = ar->k_ar.ar_subj_auid;
--- a/sys/security/audit/audit.h
+++ b/sys/security/audit/audit.h
@ -1,7 +1,13 @@
 /*-
 * Copyright (c) 1999-2005 Apple Inc.
+ * Copyright (c) 2016-2017 Robert N. M. Watson
 * All rights reserved.
 *
+ * This software was developed by BAE Systems, the University of Cambridge
+ * Computer Laboratory, and Memorial University under DARPA/AFRL contract
+ * FA8650-15-C-7558 ("CADETS"), as part of the DARPA Transparent Computing
+ * (TC) research program.
+ *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
@ -109,6 +115,7 @@ void	 audit_arg_svipc_cmd(int cmd);
 void	 audit_arg_svipc_perm(struct ipc_perm *perm);
 void	 audit_arg_svipc_id(int id);
 void	 audit_arg_svipc_addr(void *addr);
+void	 audit_arg_svipc_which(int which);
 void	 audit_arg_posix_ipc_perm(uid_t uid, gid_t gid, mode_t mode);
 void	 audit_arg_auditon(union auditon_udata *udata);
 void	 audit_arg_file(struct proc *p, struct file *fp);
@ -282,6 +289,11 @@ void	 audit_thread_free(struct thread *td);
 		audit_arg_suid((suid));					\
 } while (0)

+#define	AUDIT_ARG_SVIPC_WHICH(which) do {				\
+	if (AUDITING_TD(curthread))					\
+		audit_arg_svipc_which((which));				\
+} while (0)
+
 #define	AUDIT_ARG_TEXT(text) do {					\
 	if (AUDITING_TD(curthread))					\
 		audit_arg_text((text));					\
@ -373,6 +385,7 @@ void	 audit_thread_free(struct thread *td);
 #define	AUDIT_ARG_SOCKET(sodomain, sotype, soprotocol)
 #define	AUDIT_ARG_SOCKADDR(td, dirfd, sa)
 #define	AUDIT_ARG_SUID(suid)
+#define	AUDIT_ARG_SVIPC_WHICH(which)
 #define	AUDIT_ARG_TEXT(text)
 #define	AUDIT_ARG_UID(uid)
 #define	AUDIT_ARG_UPATH1(td, dirfd, upath)
--- a/sys/security/audit/audit_arg.c
+++ b/sys/security/audit/audit_arg.c
@ -1,7 +1,13 @@
 /*-
 * Copyright (c) 1999-2005 Apple Inc.
+ * Copyright (c) 2016-2017 Robert N. M. Watson
 * All rights reserved.
 *
+ * Portions of this software were developed by BAE Systems, the University of
+ * Cambridge Computer Laboratory, and Memorial University under DARPA/AFRL
+ * contract FA8650-15-C-7558 ("CADETS"), as part of the DARPA Transparent
+ * Computing (TC) research program.
+ *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
@ -615,6 +621,19 @@ audit_arg_svipc_addr(void * addr)
 	ARG_SET_VALID(ar, ARG_SVIPC_ADDR);
 }

+void
+audit_arg_svipc_which(int which)
+{
+	struct kaudit_record *ar;
+
+	ar = currecord();
+	if (ar == NULL)
+		return;
+
+	ar->k_ar.ar_arg_svipc_which = which;
+	ARG_SET_VALID(ar, ARG_SVIPC_WHICH);
+}
+
 void
 audit_arg_posix_ipc_perm(uid_t uid, gid_t gid, mode_t mode)
 {
--- a/sys/security/audit/audit_bsm_klib.c
+++ b/sys/security/audit/audit_bsm_klib.c
@ -1,6 +1,6 @@
 /*
 * Copyright (c) 1999-2009 Apple Inc.
- * Copyright (c) 2005, 2016 Robert N. M. Watson
+ * Copyright (c) 2005, 2016-2017 Robert N. M. Watson
 * All rights reserved.
 *
 * Portions of this software were developed by BAE Systems, the University of
@ -141,6 +141,29 @@ static const struct aue_open_event aue_openat[] = {
 	{ (O_WRONLY | O_TRUNC),				AUE_OPENAT_WT },
 };

+static const int aue_msgsys[] = {
+	/* 0 */ AUE_MSGCTL,
+	/* 1 */ AUE_MSGGET,
+	/* 2 */ AUE_MSGSND,
+	/* 3 */ AUE_MSGRCV,
+};
+static const int aue_msgsys_count = sizeof(aue_msgsys) / sizeof(int);
+
+static const int aue_semsys[] = {
+	/* 0 */ AUE_SEMCTL,
+	/* 1 */ AUE_SEMGET,
+	/* 2 */ AUE_SEMOP,
+};
+static const int aue_semsys_count = sizeof(aue_semsys) / sizeof(int);
+
+static const int aue_shmsys[] = {
+	/* 0 */ AUE_SHMAT,
+	/* 1 */ AUE_SHMDT,
+	/* 2 */ AUE_SHMGET,
+	/* 3 */ AUE_SHMCTL,
+};
+static const int aue_shmsys_count = sizeof(aue_shmsys) / sizeof(int);
+
 /*
 * Look up the class for an audit event in the class mapping table.
 */
@ -554,6 +577,43 @@ audit_semctl_to_event(int cmd)
 	}
 }

+/*
+ * Convert msgsys(2), semsys(2), and shmsys(2) system-call variations into
+ * audit events, if possible.
+ */
+au_event_t
+audit_msgsys_to_event(int which)
+{
+
+	if ((which >= 0) && (which < aue_msgsys_count))
+		return (aue_msgsys[which]);
+
+	/* Audit a bad command. */
+	return (AUE_MSGSYS);
+}
+
+au_event_t
+audit_semsys_to_event(int which)
+{
+
+	if ((which >= 0) && (which < aue_semsys_count))
+		return (aue_semsys[which]);
+
+	/* Audit a bad command. */
+	return (AUE_SEMSYS);
+}
+
+au_event_t
+audit_shmsys_to_event(int which)
+{
+
+	if ((which >= 0) && (which < aue_shmsys_count))
+		return (aue_shmsys[which]);
+
+	/* Audit a bad command. */
+	return (AUE_SHMSYS);
+}
+
 /*
 * Convert a command for the auditon() system call to a audit event.
 */
--- a/sys/security/audit/audit_private.h
+++ b/sys/security/audit/audit_private.h
@ -226,6 +226,7 @@ struct audit_record {
 	struct vnode_au_info	ar_arg_vnode1;
 	struct vnode_au_info	ar_arg_vnode2;
 	int			ar_arg_cmd;
+	int			ar_arg_svipc_which;
 	int			ar_arg_svipc_cmd;
 	struct ipc_perm		ar_arg_svipc_perm;
 	int			ar_arg_svipc_id;
@ -303,6 +304,7 @@ struct audit_record {
 #define	ARG_ATFD2		0x0008000000000000ULL
 #define	ARG_RIGHTS		0x0010000000000000ULL
 #define	ARG_FCNTL_RIGHTS	0x0020000000000000ULL
+#define	ARG_SVIPC_WHICH		0x0200000000000000ULL
 #define	ARG_NONE		0x0000000000000000ULL
 #define	ARG_ALL			0xFFFFFFFFFFFFFFFFULL

@ -463,7 +465,10 @@ au_event_t	 audit_ctlname_to_sysctlevent(int name[], uint64_t valid_arg);
 au_event_t	 audit_flags_and_error_to_openevent(int oflags, int error);
 au_event_t	 audit_flags_and_error_to_openatevent(int oflags, int error);
 au_event_t	 audit_msgctl_to_event(int cmd);
-au_event_t	 audit_semctl_to_event(int cmr);
+au_event_t	 audit_msgsys_to_event(int which);
+au_event_t	 audit_semctl_to_event(int cmd);
+au_event_t	 audit_semsys_to_event(int which);
+au_event_t	 audit_shmsys_to_event(int which);
 void		 audit_canon_path(struct thread *td, int dirfd, char *path,
 		    char *cpath);
 au_event_t	 auditon_command_event(int cmd);