Audit file-descriptor arguments to I/O system calls such as

read(2), write(2), dup(2), and mmap(2). This auditing is not required by the Common Criteria (and hence was not being performed), but is valuable in both contemporary live analysis and forensic use cases. MFC after: 3 days Sponsored by: DARPA, AFRL
2016-07-10 08:04:02 +00:00 · 2016-07-10 08:04:02 +00:00 · 6c02e936c3
commit 6c02e936c3
parent ea21df9888
3 changed files with 8 additions and 0 deletions
--- a/sys/kern/kern_descrip.c
+++ b/sys/kern/kern_descrip.c
@ -820,6 +820,9 @@ kern_dup(struct thread *td, u_int mode, int flags, int old, int new)
 	MPASS((flags & ~(FDDUP_FLAG_CLOEXEC)) == 0);
 	MPASS(mode < FDDUP_LASTMODE);

+	AUDIT_ARG_FD(old);
+	/* XXXRW: if (flags & FDDUP_FIXED) AUDIT_ARG_FD2(new); */
+
 	/*
 	 * Verify we have a valid descriptor to dup from and possibly to
 	 * dup to. Unlike dup() and dup2(), fcntl()'s F_DUPFD should
--- a/sys/kern/sys_generic.c
+++ b/sys/kern/sys_generic.c
@ -363,6 +363,8 @@ dofileread(td, fd, fp, auio, offset, flags)
 	struct uio *ktruio = NULL;
 #endif

+	AUDIT_ARG_FD(fd);
+
 	/* Finish zero length reads right here */
 	if (auio->uio_resid == 0) {
 		td->td_retval[0] = 0;
@ -576,6 +578,7 @@ dofilewrite(td, fd, fp, auio, offset, flags)
 	struct uio *ktruio = NULL;
 #endif

+	AUDIT_ARG_FD(fd);
 	auio->uio_rw = UIO_WRITE;
 	auio->uio_td = td;
 	auio->uio_offset = offset;
--- a/sys/vm/vm_mmap.c
+++ b/sys/vm/vm_mmap.c
@ -74,6 +74,7 @@ __FBSDID("$FreeBSD$");
 #include <sys/sysent.h>
 #include <sys/vmmeter.h>

+#include <security/audit/audit.h>
 #include <security/mac/mac_framework.h>

 #include <vm/vm.h>
@ -206,6 +207,7 @@ sys_mmap(td, uap)
 	pos = uap->pos;

 	fp = NULL;
+	AUDIT_ARG_FD(uap->fd);

 	/*
 	 * Ignore old flags that used to be defined but did not do anything.