Implement the zonename token for jailed processes. If
a process has an auditid/preselection masks specified, and is jailed, include the zonename (jailname) token as a part of the audit record. Reviewed by: pjd MFC after: 2 weeks
This commit is contained in:
parent
6fd273a1c0
commit
b7ec793bc8
@ -38,6 +38,7 @@ __FBSDID("$FreeBSD$");
|
||||
#include <sys/filedesc.h>
|
||||
#include <sys/fcntl.h>
|
||||
#include <sys/ipc.h>
|
||||
#include <sys/jail.h>
|
||||
#include <sys/kernel.h>
|
||||
#include <sys/kthread.h>
|
||||
#include <sys/malloc.h>
|
||||
@ -211,6 +212,7 @@ audit_record_ctor(void *mem, int size, void *arg, int flags)
|
||||
struct kaudit_record *ar;
|
||||
struct thread *td;
|
||||
struct ucred *cred;
|
||||
struct prison *pr;
|
||||
|
||||
KASSERT(sizeof(*ar) == size, ("audit_record_ctor: wrong size"));
|
||||
|
||||
@ -233,6 +235,17 @@ audit_record_ctor(void *mem, int size, void *arg, int flags)
|
||||
ar->k_ar.ar_subj_pid = td->td_proc->p_pid;
|
||||
ar->k_ar.ar_subj_amask = cred->cr_audit.ai_mask;
|
||||
ar->k_ar.ar_subj_term_addr = cred->cr_audit.ai_termid;
|
||||
/*
|
||||
* If this process is jailed, make sure we capture the name of the
|
||||
* jail so we can use it to generate a zonename token when we covert
|
||||
* this record to BSM.
|
||||
*/
|
||||
if (jailed(cred)) {
|
||||
pr = cred->cr_prison;
|
||||
(void) strlcpy(ar->k_ar.ar_jailname, pr->pr_name,
|
||||
sizeof(ar->k_ar.ar_jailname));
|
||||
} else
|
||||
ar->k_ar.ar_jailname[0] = '\0';
|
||||
return (0);
|
||||
}
|
||||
|
||||
|
@ -462,7 +462,7 @@ audit_sys_auditon(struct audit_record *ar, struct au_record *rec)
|
||||
int
|
||||
kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau)
|
||||
{
|
||||
struct au_token *tok, *subj_tok;
|
||||
struct au_token *tok, *subj_tok, *jail_tok;
|
||||
struct au_record *rec;
|
||||
au_tid_t tid;
|
||||
struct audit_record *ar;
|
||||
@ -475,8 +475,13 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau)
|
||||
rec = kau_open();
|
||||
|
||||
/*
|
||||
* Create the subject token.
|
||||
* Create the subject token. If this credential was jailed be sure to
|
||||
* generate a zonename token.
|
||||
*/
|
||||
if (ar->ar_jailname[0] != '\0')
|
||||
jail_tok = au_to_zonename(ar->ar_jailname);
|
||||
else
|
||||
jail_tok = NULL;
|
||||
switch (ar->ar_subj_term_addr.at_type) {
|
||||
case AU_IPv4:
|
||||
tid.port = ar->ar_subj_term_addr.at_port;
|
||||
@ -1623,11 +1628,15 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau)
|
||||
/*
|
||||
* Write the subject token so it is properly freed here.
|
||||
*/
|
||||
if (jail_tok != NULL)
|
||||
kau_write(rec, jail_tok);
|
||||
kau_write(rec, subj_tok);
|
||||
kau_free(rec);
|
||||
return (BSM_NOAUDIT);
|
||||
}
|
||||
|
||||
if (jail_tok != NULL)
|
||||
kau_write(rec, jail_tok);
|
||||
kau_write(rec, subj_tok);
|
||||
tok = au_to_return32(au_errno_to_bsm(ar->ar_errno), ar->ar_retval);
|
||||
kau_write(rec, tok); /* Every record gets a return token */
|
||||
|
@ -230,6 +230,7 @@ struct audit_record {
|
||||
int ar_arg_exitretval;
|
||||
struct sockaddr_storage ar_arg_sockaddr;
|
||||
cap_rights_t ar_arg_rights;
|
||||
char ar_jailname[MAXHOSTNAMELEN];
|
||||
};
|
||||
|
||||
/*
|
||||
|
Loading…
Reference in New Issue
Block a user