Commit Graph

10 Commits

Author SHA1 Message Date
Christian S.J. Peron
f0cbfcc468 Fix the handling of IPv6 addresses for subject and process BSM audit
tokens. Currently, we do not support the set{get}audit_addr(2) system
calls which allows processes like sshd to set extended or ip6
information for subject tokens.

The approach that was taken was to change the process audit state
slightly to use an extended terminal ID in the kernel. This allows
us to store both IPv4 IPv6 addresses. In the case that an IPv4 address
is in use, we convert the terminal ID from an struct auditinfo_addr to
a struct auditinfo.

If getaudit(2) is called when the subject is bound to an ip6 address,
we return E2BIG.

- Change the internal audit record to store an extended terminal ID
- Introduce ARG_TERMID_ADDR
- Change the kaudit <-> BSM conversion process so that we are using
  the appropriate subject token. If the address associated with the
  subject is IPv4, we use the standard subject32 token. If the subject
  has an IPv6 address associated with them, we use an extended subject32
  token.
- Fix a couple of endian issues where we do a couple of byte swaps when
  we shouldn't be. IP addresses are already in the correct byte order,
  so reading the ip6 address 4 bytes at a time and swapping them results
  in in-correct address data. It should be noted that the same issue was
  found in the openbsm library and it has been changed there too on the
  vendor branch
- Change A_GETPINFO to use the appropriate structures
- Implement A_GETPINFO_ADDR which basically does what A_GETPINFO does,
  but can also handle ip6 addresses
- Adjust get{set}audit(2) syscalls to convert the data
  auditinfo <-> auditinfo_addr
- Fully implement set{get}audit_addr(2)

NOTE: This adds the ability for processes to correctly set extended subject
information. The appropriate userspace utilities still need to be updated.

MFC after:	1 month
Reviewed by:	rwatson
Obtained from:	TrustedBSD
2007-04-13 14:55:19 +00:00
Robert Watson
f9b1dc578a White space cleanup, no functional change. 2006-09-04 06:06:23 +00:00
Wayne Salamon
ae1078d657 Audit the argv and env vectors passed in on exec:
Add the argument auditing functions for argv and env.
  Add kernel-specific versions of the tokenizer functions for the
  arg and env represented as a char array.
  Implement the AUDIT_ARGV and AUDIT_ARGE audit policy commands to
  enable/disable argv/env auditing.
  Call the argument auditing from the exec system calls.

Obtained from: TrustedBSD Project
Approved by: rwatson (mentor)
2006-09-01 11:45:40 +00:00
Robert Watson
814fe9e98e Correct a number of problems that were previously commented on:
- Correct audit_arg_socketaddr() argument name from so to sa.
- Assert arguments are non-NULL to many argument capture functions
  rather than testing them.  This may trip some bugs.
- Assert the process lock is held when auditing process
  information.
- Test currecord in several more places.
- Test validity of more arguments with kasserts, such as flag
  values when auditing vnode information.

Perforce change:	98825
Obtained from:		TrustedBSD Project
2006-07-03 14:55:55 +00:00
Robert Watson
871499fef5 Merge Perforce change 93581 from TrustedBSD audit3 branch:
Mega-style patch.

Obtained from:	TrustedBSD Project
2006-03-19 17:34:00 +00:00
Robert Watson
17363e6da7 Merge Perforce change 93568 from TrustedBSD audit3 branch:
Normalize nested include guards.

Obtained from:	TrustedBSD Project
2006-03-19 15:37:04 +00:00
Robert Watson
6e8525ce84 When GC'ing a thread, assert that it has no active audit record.
This should not happen, but with this assert, brueffer and I would
not have spent 45 minutes trying to figure out why he wasn't
seeing audit records with the audit version in CVS.

Obtained from:	TrustedBSD Project
2006-02-05 21:06:09 +00:00
Robert Watson
563267dae3 Remove user.h include in audit.h, it is unneeded, and also can cause
build problems for other components that include audit.h.
2006-02-03 15:49:07 +00:00
Robert Watson
911b84b08d Add new fields to process-related data structures:
- td_ar to struct thread, which holds the in-progress audit record during
  a system call.

- p_au to struct proc, which holds per-process audit state, such as the
  audit identifier, audit terminal, and process audit masks.

In the earlier implementation, td_ar was added to the zero'd section of
struct thread.  In order to facilitate merging to RELENG_6, it has been
moved to the end of the data structure, requiring explicit
initalization in the thread constructor.

Much help from:	wsalamon
Obtained from:	TrustedBSD Project
2006-02-02 00:37:05 +00:00
Robert Watson
718c851086 Import kernel audit framework:
- Management of audit state on processes.
- Audit system calls to configure process and system audit state.
- Reliable audit record queue implementation, audit_worker kernel
  thread to asynchronously store records on disk.
- Audit event argument.
- Internal audit data structure -> BSM audit trail conversion library.
- Audit event pre-selection.
- Audit pseudo-device permitting kernel->user upcalls to notify auditd
  of kernel audit events.

Much work by:	wsalamon
Obtained from:	TrustedBSD Project, Apple Computer, Inc.
2006-02-01 20:01:18 +00:00