From e5ec733909fb5ebf621dfe5ddc7d041d9535827b Mon Sep 17 00:00:00 2001
From: Robert Watson
Date: Sun, 10 Jul 2016 13:42:33 +0000
Subject: [PATCH] Do allow auditing of read(2) and write(2) system calls, by assigning those system calls audit event identifiers AUE_READ and AUE_WRITE. While auditing file-descriptor I/O is not required by the Common Criteria, in practice this proves useful for both live and forensic analysis.
NB: freebsd32 already assigns AUE_READ and AUE_WRITE to read(2) and write(2).
MFC after: 3 days
Sponsored by: DARPA, AFRL
---
sys/kern/init_sysent.c | 4 ++--
sys/kern/syscalls.master | 4 ++--
sys/sys/sysproto.h | 4 ++--
3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/sys/kern/init_sysent.c b/sys/kern/init_sysent.c
index 20971651e773..e0ecd03da188 100644
--- a/sys/kern/init_sysent.c
+++ b/sys/kern/init_sysent.c
@@ -49,8 +49,8 @@ struct sysent sysent[] = {
 { 0, (sy_call_t *)nosys, AUE_NULL, NULL, 0, 0, 0, SY_THR_STATIC }, /* 0 = syscall */
 { AS(sys_exit_args), (sy_call_t *)sys_sys_exit, AUE_EXIT, NULL, 0, 0, SYF_CAPENABLED, SY_THR_STATIC }, /* 1 = exit */
 { 0, (sy_call_t *)sys_fork, AUE_FORK, NULL, 0, 0, SYF_CAPENABLED, SY_THR_STATIC }, /* 2 = fork */
- { AS(read_args), (sy_call_t *)sys_read, AUE_NULL, NULL, 0, 0, SYF_CAPENABLED, SY_THR_STATIC }, /* 3 = read */
- { AS(write_args), (sy_call_t *)sys_write, AUE_NULL, NULL, 0, 0, SYF_CAPENABLED, SY_THR_STATIC }, /* 4 = write */
+ { AS(read_args), (sy_call_t *)sys_read, AUE_READ, NULL, 0, 0, SYF_CAPENABLED, SY_THR_STATIC }, /* 3 = read */
+ { AS(write_args), (sy_call_t *)sys_write, AUE_WRITE, NULL, 0, 0, SYF_CAPENABLED, SY_THR_STATIC }, /* 4 = write */
 { AS(open_args), (sy_call_t *)sys_open, AUE_OPEN_RWTC, NULL, 0, 0, SYF_CAPENABLED, SY_THR_STATIC }, /* 5 = open */
 { AS(close_args), (sy_call_t *)sys_close, AUE_CLOSE, NULL, 0, 0, SYF_CAPENABLED, SY_THR_STATIC }, /* 6 = close */
 { AS(wait4_args), (sy_call_t *)sys_wait4, AUE_WAIT4, NULL, 0, 0, 0, SY_THR_STATIC }, /* 7 = wait4 */
diff --git a/sys/kern/syscalls.master b/sys/kern/syscalls.master
index 974cfdfd175d..c9df7788e439 100644
--- a/sys/kern/syscalls.master
+++ b/sys/kern/syscalls.master
@@ -62,9 +62,9 @@
 1 AUE_EXIT STD { void sys_exit(int rval); } exit \
 sys_exit_args void
 2 AUE_FORK STD { int fork(void); }
-3 AUE_NULL STD { ssize_t read(int fd, void *buf, \
+3 AUE_READ STD { ssize_t read(int fd, void *buf, \
 size_t nbyte); }
-4 AUE_NULL STD { ssize_t write(int fd, const void *buf, \
+4 AUE_WRITE STD { ssize_t write(int fd, const void *buf, \
 size_t nbyte); }
 5 AUE_OPEN_RWTC STD { int open(char *path, int flags, int mode); }
 ; XXX should be { int open(const char *path, int flags, ...); }
diff --git a/sys/sys/sysproto.h b/sys/sys/sysproto.h
index 60c95b2c5d9a..fe1d4d0032e6 100644
--- a/sys/sys/sysproto.h
+++ b/sys/sys/sysproto.h
@@ -2508,8 +2508,8 @@ int freebsd10_pipe(struct thread *, struct freebsd10_pipe_args *);
 #define SYS_AUE_syscall AUE_NULL
 #define SYS_AUE_exit AUE_EXIT
 #define SYS_AUE_fork AUE_FORK
-#define SYS_AUE_read AUE_NULL
-#define SYS_AUE_write AUE_NULL
+#define SYS_AUE_read AUE_READ
+#define SYS_AUE_write AUE_WRITE
 #define SYS_AUE_open AUE_OPEN_RWTC
 #define SYS_AUE_close AUE_CLOSE
 #define SYS_AUE_wait4 AUE_WAIT4
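Review bot: Entries 3 and 4 now carry AUE_READ and AUE_WRITE, which makes read(2) and write(2) selectable for audit, but the commit leaves the audit class those two events belong to (the audit_event(5) mapping) untouched, and that mapping is not visible from this hunk. If they sit in a class no site selects, the change is a no-op until an operator opts in; if they sit in a commonly selected class, every file-descriptor read and write now produces a record and trail volume rises sharply, so the description should state which case is expected and how operators turn it on or off. The sibling I/O entry points (readv/writev, pread/pwrite, preadv/pwritev) are outside this hunk and should be checked for matching identifiers, since a policy that records read(2) but not its variants gives an incomplete picture during forensic reconstruction. init_sysent.c and sysproto.h are presumably regenerated from this table, so their hunks should be the generator's output rather than hand edits.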