Clean up a number of aspects of token generation from audit arguments to

system calls:

- Centralize generation of argument tokens for VM addresses in a macro,
  ADDR_TOKEN(), and properly encode 64-bit addresses in 64-bit arguments.
- Fix up argument numbers across a large number of syscalls so that they
  match the numeric argument into the system call.
- Don't audit the address argument to ioctl(2) or ptrace(2), but do keep
  generating tokens for mmap(2), minherit(2), since they relate to passing
  object access across execve(2).

Approved by:	re (audit argument blanket)
Obtained from:	TrustedBSD Project
MFC after:	1 week
This commit is contained in:
rwatson 2009-07-02 09:15:30 +00:00
parent 7d633c8984
commit b803771ae1
2 changed files with 55 additions and 70 deletions

View File

@ -402,7 +402,6 @@ ptrace(struct thread *td, struct ptrace_args *uap)
#endif
AUDIT_ARG_PID(uap->pid);
AUDIT_ARG_CMD(uap->req);
AUDIT_ARG_ADDR(uap->addr);
AUDIT_ARG_VALUE(uap->data);
addr = &r;
switch (uap->req) {

View File

@ -253,7 +253,7 @@ kau_free(struct au_record *rec)
} \
} while (0)
#define EXTATTR_TOKENS do { \
#define EXTATTR_TOKENS(namespace_argnum) do { \
if (ARG_IS_VALID(kar, ARG_VALUE)) { \
switch (ar->ar_arg_value) { \
case EXTATTR_NAMESPACE_USER: \
@ -263,8 +263,8 @@ kau_free(struct au_record *rec)
tok = au_to_text(EXTATTR_NAMESPACE_SYSTEM_STRING);\
break; \
default: \
tok = au_to_arg32(3, "attrnamespace", \
ar->ar_arg_value); \
tok = au_to_arg32((namespace_argnum), \
"attrnamespace", ar->ar_arg_value); \
break; \
} \
kau_write(rec, tok); \
@ -276,6 +276,24 @@ kau_free(struct au_record *rec)
} \
} while (0)
/*
* Not all pointer arguments to system calls are of interest, but in some
* cases they reflect delegation of rights, such as mmap(2) falled by
* minherit(2) before execve(2), so do the best we can.
*/
#define ADDR_TOKEN(argnum, argname) do { \
if (ARG_IS_VALID(kar, ARG_ADDR)) { \
if (sizeof(void *) == sizeof(uint32_t)) \
tok = au_to_arg32((argnum), (argname), \
(uint32_t)(uintptr_t)ar->ar_arg_addr); \
else \
tok = au_to_arg64((argnum), (argname), \
(uint64_t)(uintptr_t)ar->ar_arg_addr); \
kau_write(rec, tok); \
} \
} while (0)
/*
* Implement auditing for the auditon() system call. The audit tokens that
* are generated depend on the command that was sent into the auditon()
@ -286,21 +304,20 @@ audit_sys_auditon(struct audit_record *ar, struct au_record *rec)
{
struct au_token *tok;
tok = au_to_arg32(3, "length", ar->ar_arg_len);
kau_write(rec, tok);
switch (ar->ar_arg_cmd) {
case A_OLDSETPOLICY:
if ((size_t)ar->ar_arg_len == sizeof(int64_t)) {
tok = au_to_arg32(3, "length", ar->ar_arg_len);
kau_write(rec, tok);
tok = au_to_arg64(2, "policy",
ar->ar_arg_auditon.au_policy64);
kau_write(rec, tok);
break;
}
/* FALLTHROUGH */
case A_SETPOLICY:
tok = au_to_arg32(3, "length", ar->ar_arg_len);
kau_write(rec, tok);
tok = au_to_arg32(1, "policy", ar->ar_arg_auditon.au_policy);
tok = au_to_arg32(2, "policy", ar->ar_arg_auditon.au_policy);
kau_write(rec, tok);
break;
@ -315,8 +332,6 @@ audit_sys_auditon(struct audit_record *ar, struct au_record *rec)
case A_OLDSETQCTRL:
if ((size_t)ar->ar_arg_len == sizeof(au_qctrl64_t)) {
tok = au_to_arg32(3, "length", ar->ar_arg_len);
kau_write(rec, tok);
tok = au_to_arg64(2, "setqctrl:aq_hiwater",
ar->ar_arg_auditon.au_qctrl64.aq64_hiwater);
kau_write(rec, tok);
@ -335,8 +350,9 @@ audit_sys_auditon(struct audit_record *ar, struct au_record *rec)
break;
}
/* FALLTHROUGH */
case A_SETQCTRL:
tok = au_to_arg32(3, "setqctrl:aq_hiwater",
tok = au_to_arg32(2, "setqctrl:aq_hiwater",
ar->ar_arg_auditon.au_qctrl.aq_hiwater);
kau_write(rec, tok);
tok = au_to_arg32(2, "setqctrl:aq_lowater",
@ -354,17 +370,15 @@ audit_sys_auditon(struct audit_record *ar, struct au_record *rec)
break;
case A_SETUMASK:
tok = au_to_arg32(3, "setumask:as_success",
tok = au_to_arg32(2, "setumask:as_success",
ar->ar_arg_auditon.au_auinfo.ai_mask.am_success);
kau_write(rec, tok);
tok = au_to_arg32(3, "setumask:as_failure",
tok = au_to_arg32(2, "setumask:as_failure",
ar->ar_arg_auditon.au_auinfo.ai_mask.am_failure);
kau_write(rec, tok);
break;
case A_SETSMASK:
tok = au_to_arg32(3, "length", ar->ar_arg_len);
kau_write(rec, tok);
tok = au_to_arg32(2, "setsmask:as_success",
ar->ar_arg_auditon.au_auinfo.ai_mask.am_success);
kau_write(rec, tok);
@ -375,23 +389,19 @@ audit_sys_auditon(struct audit_record *ar, struct au_record *rec)
case A_OLDSETCOND:
if ((size_t)ar->ar_arg_len == sizeof(int64_t)) {
tok = au_to_arg32(3, "length", ar->ar_arg_len);
kau_write(rec, tok);
tok = au_to_arg64(2, "setcond",
ar->ar_arg_auditon.au_cond64);
kau_write(rec, tok);
break;
}
/* FALLTHROUGH */
case A_SETCOND:
tok = au_to_arg32(3, "length", ar->ar_arg_len);
kau_write(rec, tok);
tok = au_to_arg32(3, "setcond", ar->ar_arg_auditon.au_cond);
tok = au_to_arg32(2, "setcond", ar->ar_arg_auditon.au_cond);
kau_write(rec, tok);
break;
case A_SETCLASS:
tok = au_to_arg32(3, "length", ar->ar_arg_len);
kau_write(rec, tok);
tok = au_to_arg32(2, "setclass:ec_event",
ar->ar_arg_auditon.au_evclass.ec_number);
@ -402,8 +412,6 @@ audit_sys_auditon(struct audit_record *ar, struct au_record *rec)
break;
case A_SETPMASK:
tok = au_to_arg32(3, "length", ar->ar_arg_len);
kau_write(rec, tok);
tok = au_to_arg32(2, "setpmask:as_success",
ar->ar_arg_auditon.au_aupinfo.ap_mask.am_success);
kau_write(rec, tok);
@ -413,8 +421,6 @@ audit_sys_auditon(struct audit_record *ar, struct au_record *rec)
break;
case A_SETFSIZE:
tok = au_to_arg32(3, "length", ar->ar_arg_len);
kau_write(rec, tok);
tok = au_to_arg32(2, "setfsize:filesize",
ar->ar_arg_auditon.au_fstat.af_filesz);
kau_write(rec, tok);
@ -530,13 +536,13 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau)
case AUE_SOCKET:
case AUE_SOCKETPAIR:
if (ARG_IS_VALID(kar, ARG_SOCKINFO)) {
tok = au_to_arg32(1,"domain",
tok = au_to_arg32(1, "domain",
ar->ar_arg_sockinfo.so_domain);
kau_write(rec, tok);
tok = au_to_arg32(2,"type",
tok = au_to_arg32(2, "type",
ar->ar_arg_sockinfo.so_type);
kau_write(rec, tok);
tok = au_to_arg32(3,"protocol",
tok = au_to_arg32(3, "protocol",
ar->ar_arg_sockinfo.so_protocol);
kau_write(rec, tok);
}
@ -734,7 +740,7 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau)
case AUE_EACCESS:
UPATH1_VNODE1_TOKENS;
if (ARG_IS_VALID(kar, ARG_VALUE)) {
tok = au_to_arg32(1, "mode", ar->ar_arg_value);
tok = au_to_arg32(2, "mode", ar->ar_arg_value);
kau_write(rec, tok);
}
break;
@ -784,7 +790,7 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau)
case AUE_CLOSE:
if (ARG_IS_VALID(kar, ARG_FD)) {
tok = au_to_arg32(2, "fd", ar->ar_arg_fd);
tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
kau_write(rec, tok);
}
UPATH1_VNODE1_TOKENS;
@ -792,7 +798,7 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau)
case AUE_CORE:
if (ARG_IS_VALID(kar, ARG_SIGNUM)) {
tok = au_to_arg32(0, "signal", ar->ar_arg_signum);
tok = au_to_arg32(1, "signal", ar->ar_arg_signum);
kau_write(rec, tok);
}
UPATH1_VNODE1_TOKENS;
@ -807,7 +813,7 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau)
/* extattrctl(2) filename parameter is in upath2/vnode2 */
UPATH2_TOKENS;
VNODE2_TOKENS;
EXTATTR_TOKENS;
EXTATTR_TOKENS(4);
break;
case AUE_EXTATTR_GET_FILE:
@ -819,7 +825,7 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau)
case AUE_EXTATTR_LIST_LINK:
case AUE_EXTATTR_DELETE_LINK:
UPATH1_VNODE1_TOKENS;
EXTATTR_TOKENS;
EXTATTR_TOKENS(2);
break;
case AUE_EXTATTR_GET_FD:
@ -830,7 +836,7 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau)
tok = au_to_arg32(2, "fd", ar->ar_arg_fd);
kau_write(rec, tok);
}
EXTATTR_TOKENS;
EXTATTR_TOKENS(2);
break;
case AUE_FEXECVE:
@ -945,11 +951,6 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau)
tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd);
kau_write(rec, tok);
}
if (ARG_IS_VALID(kar, ARG_ADDR)) {
tok = au_to_arg32(1, "arg",
(u_int32_t)(uintptr_t)ar->ar_arg_addr);
kau_write(rec, tok);
}
if (ARG_IS_VALID(kar, ARG_VNODE1))
FD_VNODE1_TOKENS;
else {
@ -995,11 +996,7 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau)
break;
case AUE_LOADSHFILE:
if (ARG_IS_VALID(kar, ARG_ADDR)) {
tok = au_to_arg32(4, "base addr",
(u_int32_t)(uintptr_t)ar->ar_arg_addr);
kau_write(rec, tok);
}
ADDR_TOKEN(4, "base addr");
UPATH1_VNODE1_TOKENS;
break;
@ -1029,11 +1026,7 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau)
case AUE_MLOCK:
case AUE_MUNLOCK:
case AUE_MINHERIT:
if (ARG_IS_VALID(kar, ARG_ADDR)) {
tok = au_to_arg32(1, "addr",
(u_int32_t)(uintptr_t)ar->ar_arg_addr);
kau_write(rec, tok);
}
ADDR_TOKEN(1, "addr");
if (ARG_IS_VALID(kar, ARG_LEN)) {
tok = au_to_arg32(2, "len", ar->ar_arg_len);
kau_write(rec, tok);
@ -1071,14 +1064,14 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau)
case AUE_NFS_SVC:
if (ARG_IS_VALID(kar, ARG_CMD)) {
tok = au_to_arg32(1, "request", ar->ar_arg_cmd);
tok = au_to_arg32(1, "flags", ar->ar_arg_cmd);
kau_write(rec, tok);
}
break;
case AUE_UMOUNT:
if (ARG_IS_VALID(kar, ARG_VALUE)) {
tok = au_to_arg32(1, "flags", ar->ar_arg_value);
tok = au_to_arg32(2, "flags", ar->ar_arg_value);
kau_write(rec, tok);
}
UPATH1_VNODE1_TOKENS;
@ -1113,11 +1106,7 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau)
break;
case AUE_RESETSHFILE:
if (ARG_IS_VALID(kar, ARG_ADDR)) {
tok = au_to_arg32(1, "base addr",
(u_int32_t)(uintptr_t)ar->ar_arg_addr);
kau_write(rec, tok);
}
ADDR_TOKEN(1, "base addr");
break;
case AUE_OPEN_RC:
@ -1151,11 +1140,6 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau)
tok = au_to_arg32(1, "request", ar->ar_arg_cmd);
kau_write(rec, tok);
}
if (ARG_IS_VALID(kar, ARG_ADDR)) {
tok = au_to_arg32(3, "addr",
(u_int32_t)(uintptr_t)ar->ar_arg_addr);
kau_write(rec, tok);
}
if (ARG_IS_VALID(kar, ARG_VALUE)) {
tok = au_to_arg32(4, "data", ar->ar_arg_value);
kau_write(rec, tok);
@ -1172,6 +1156,10 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau)
tok = au_to_arg32(3, "uid", ar->ar_arg_uid);
kau_write(rec, tok);
}
if (ARG_IS_VALID(kar, ARG_GID)) {
tok = au_to_arg32(3, "gid", ar->ar_arg_gid);
kau_write(rec, tok);
}
UPATH1_VNODE1_TOKENS;
break;
@ -1210,14 +1198,14 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau)
case AUE_SETEGID:
if (ARG_IS_VALID(kar, ARG_EGID)) {
tok = au_to_arg32(1, "gid", ar->ar_arg_egid);
tok = au_to_arg32(1, "egid", ar->ar_arg_egid);
kau_write(rec, tok);
}
break;
case AUE_SETEUID:
if (ARG_IS_VALID(kar, ARG_EUID)) {
tok = au_to_arg32(1, "uid", ar->ar_arg_euid);
tok = au_to_arg32(1, "euid", ar->ar_arg_euid);
kau_write(rec, tok);
}
break;
@ -1315,8 +1303,9 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau)
tok = au_to_arg32(2, "who", ar->ar_arg_uid);
kau_write(rec, tok);
}
PROCESS_PID_TOKENS(2);
if (ARG_IS_VALID(kar, ARG_VALUE)) {
tok = au_to_arg32(2, "priority", ar->ar_arg_value);
tok = au_to_arg32(3, "priority", ar->ar_arg_value);
kau_write(rec, tok);
}
break;
@ -1509,12 +1498,9 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau)
break;
case AUE_WAIT4:
if (ARG_IS_VALID(kar, ARG_PID)) {
tok = au_to_arg32(0, "pid", ar->ar_arg_pid);
kau_write(rec, tok);
}
PROCESS_PID_TOKENS(1);
if (ARG_IS_VALID(kar, ARG_VALUE)) {
tok = au_to_arg32(0, "options", ar->ar_arg_value);
tok = au_to_arg32(3, "options", ar->ar_arg_value);
kau_write(rec, tok);
}
break;