272461 |
03-Oct-2014 |
gjb |
Copy stable/10@r272459 to releng/10.1 as part of the 10.1-RELEASE process.
Approved by: re (implicit) Sponsored by: The FreeBSD Foundation
|
263960 |
31-Mar-2014 |
mjg |
MFC r263458: audit: plug FILEDESC_LOCK leak in audit_canon_path.
|
259917 |
26-Dec-2013 |
jhb |
MFC 259014: There is no sysctl with the MIB { CTL_KERN, KERN_MAXID }.
|
256281 |
10-Oct-2013 |
gjb |
Copy head (r256279) to stable/10 as part of the 10.0-RELEASE cycle.
Approved by: re (implicit) Sponsored by: The FreeBSD Foundation
|
255359 |
07-Sep-2013 |
davide |
- Use make_dev_credf(MAKEDEV_REF) instead of the race-prone make_dev()+dev_ref() in the clone handlers that still use it.
- Don't set SI_CHEAPCLONE flag, it's not used anywhere, not even in devfs (for anything real).
Reviewed by: kib
|
255240 |
05-Sep-2013 |
pjd |
Handle cases where capability rights are not provided.
Reported by: kib
|
255219 |
05-Sep-2013 |
pjd |
Change the cap_rights_t type from uint64_t to a structure that we can extend in the future in a backward compatible (API and ABI) way.
The cap_rights_t represents capability rights. We used to use one bit to represent one right, but we are running out of spare bits. Currently the new structure provides place for 114 rights (so 50 more than the previous cap_rights_t), but it is possible to grow the structure to hold at least 285 rights, although we can make it even larger if 285 rights won't be enough.
The structure definition looks like this:
struct cap_rights {
    uint64_t cr_rights[CAP_RIGHTS_VERSION + 2];
};
The initial CAP_RIGHTS_VERSION is 0.
The top two bits in the first element of the cr_rights[] array contain total number of elements in the array - 2. This means if those two bits are equal to 0, we have 2 array elements.
The top two bits in all remaining array elements should be 0. The next five bits in all array elements contain the array index. Only one bit is used and the bit position in this five-bit range defines the array index. This means there can be at most five array elements in the future.
To define new right the CAPRIGHT() macro must be used. The macro takes two arguments - an array index and a bit to set, eg.
#define CAP_PDKILL CAPRIGHT(1, 0x0000000000000800ULL)
We still support aliases that combine a few rights, but the rights have to belong to the same array element, eg:
#define CAP_LOOKUP CAPRIGHT(0, 0x0000000000000400ULL)
#define CAP_FCHMOD CAPRIGHT(0, 0x0000000000002000ULL)
#define CAP_FCHMODAT (CAP_FCHMOD | CAP_LOOKUP)
There is new API to manage the new cap_rights_t structure:
cap_rights_t *cap_rights_init(cap_rights_t *rights, ...);
void cap_rights_set(cap_rights_t *rights, ...);
void cap_rights_clear(cap_rights_t *rights, ...);
bool cap_rights_is_set(const cap_rights_t *rights, ...);
bool cap_rights_is_valid(const cap_rights_t *rights);
void cap_rights_merge(cap_rights_t *dst, const cap_rights_t *src);
void cap_rights_remove(cap_rights_t *dst, const cap_rights_t *src);
bool cap_rights_contains(const cap_rights_t *big, const cap_rights_t *little);
Capability rights to the cap_rights_init(), cap_rights_set(), cap_rights_clear() and cap_rights_is_set() functions are provided by separating them with commas, eg:
cap_rights_t rights;
cap_rights_init(&rights, CAP_READ, CAP_WRITE, CAP_FSTAT);
There is no need to terminate the list of rights, as those functions are actually macros that take care of the termination, eg:
#define cap_rights_set(rights, ...) \
    __cap_rights_set((rights), __VA_ARGS__, 0ULL)
void __cap_rights_set(cap_rights_t *rights, ...);
Thanks to using one bit as an array index we can assert in those functions that there are no two rights belonging to different array elements provided together. For example this is illegal and will be detected, because CAP_LOOKUP belongs to element 0 and CAP_PDKILL to element 1:
cap_rights_init(&rights, CAP_LOOKUP | CAP_PDKILL);
Providing several rights that belong to the same array element this way is correct, but is not advised. It should only be used for alias definitions.
This commit also breaks compatibility with some existing Capsicum system calls, but I see no other way to do that. This should be fine as Capsicum is still experimental and this change is not going to 9.x.
Sponsored by: The FreeBSD Foundation
|
253078 |
09-Jul-2013 |
avg |
audit_proc_coredump: check return value of audit_new
audit_new may return NULL if audit is disabled or suspended.
Sponsored by: HybridCluster MFC after: 7 days
|
247667 |
02-Mar-2013 |
pjd |
- Implement two new system calls:
int bindat(int fd, int s, const struct sockaddr *addr, socklen_t addrlen);
int connectat(int fd, int s, const struct sockaddr *name, socklen_t namelen);
which allow binding and connecting, respectively, to a UNIX domain socket with a path relative to the directory associated with the given file descriptor 'fd'.
- Add manual pages for the new syscalls.
- Make the new syscalls available for processes in capability mode sandbox.
- Add capability rights CAP_BINDAT and CAP_CONNECTAT that have to be present on the directory descriptor for the syscalls to work.
- Update audit(4) to support those two new syscalls and to handle path in sockaddr_un structure relative to the given directory descriptor.
- Update procstat(1) to recognize the new capability rights.
- Document the new capability rights in cap_rights_limit(2).
Sponsored by: The FreeBSD Foundation Discussed with: rwatson, jilles, kib, des
|
247602 |
02-Mar-2013 |
pjd |
Merge Capsicum overhaul:
- A capability is no longer a separate descriptor type. Now every descriptor has a set of its own capability rights.
- The cap_new(2) system call is left, but it is no longer documented and should not be used in new code.
- The new syscall cap_rights_limit(2) should be used instead of cap_new(2), which limits capability rights of the given descriptor without creating a new one.
- The cap_getrights(2) syscall is renamed to cap_rights_get(2).
- If CAP_IOCTL capability right is present we can further reduce allowed ioctls list with the new cap_ioctls_limit(2) syscall. List of allowed ioctls can be retrieved with cap_ioctls_get(2) syscall.
- If CAP_FCNTL capability right is present we can further reduce fcntls that can be used with the new cap_fcntls_limit(2) syscall and retrieve them with cap_fcntls_get(2).
- To support ioctl and fcntl white-listing the filedesc structure was heavily modified.
- The audit subsystem, kdump and procstat tools were updated to recognize new syscalls.
- Capability rights were revised and even though I tried hard to provide backward API and ABI compatibility there are some incompatible changes that are described in detail below:
CAP_CREATE old behaviour:
- Allow for openat(2)+O_CREAT.
- Allow for linkat(2).
- Allow for symlinkat(2).
CAP_CREATE new behaviour:
- Allow for openat(2)+O_CREAT.
Added CAP_LINKAT:
- Allow for linkat(2). ABI: Reuses CAP_RMDIR bit.
- Allow to be target for renameat(2).
Added CAP_SYMLINKAT:
- Allow for symlinkat(2).
Removed CAP_DELETE. Old behaviour:
- Allow for unlinkat(2) when removing non-directory object.
- Allow to be source for renameat(2).
Removed CAP_RMDIR. Old behaviour:
- Allow for unlinkat(2) when removing directory.
Added CAP_RENAMEAT:
- Required for source directory for the renameat(2) syscall.
Added CAP_UNLINKAT (effectively it replaces CAP_DELETE and CAP_RMDIR):
- Allow for unlinkat(2) on any object.
- Required if target of renameat(2) exists and will be removed by this call.
Removed CAP_MAPEXEC.
CAP_MMAP old behaviour:
- Allow for mmap(2) with any combination of PROT_NONE, PROT_READ and PROT_WRITE.
CAP_MMAP new behaviour:
- Allow for mmap(2)+PROT_NONE.
Added CAP_MMAP_R:
- Allow for mmap(PROT_READ).
Added CAP_MMAP_W:
- Allow for mmap(PROT_WRITE).
Added CAP_MMAP_X:
- Allow for mmap(PROT_EXEC).
Added CAP_MMAP_RW:
- Allow for mmap(PROT_READ | PROT_WRITE).
Added CAP_MMAP_RX:
- Allow for mmap(PROT_READ | PROT_EXEC).
Added CAP_MMAP_WX:
- Allow for mmap(PROT_WRITE | PROT_EXEC).
Added CAP_MMAP_RWX:
- Allow for mmap(PROT_READ | PROT_WRITE | PROT_EXEC).
Renamed CAP_MKDIR to CAP_MKDIRAT.
Renamed CAP_MKFIFO to CAP_MKFIFOAT.
Renamed CAP_MKNODE to CAP_MKNODEAT.
CAP_READ old behaviour:
- Allow pread(2).
- Disallow read(2), readv(2) (if there is no CAP_SEEK).
CAP_READ new behaviour:
- Allow read(2), readv(2).
- Disallow pread(2) (CAP_SEEK was also required).
CAP_WRITE old behaviour:
- Allow pwrite(2).
- Disallow write(2), writev(2) (if there is no CAP_SEEK).
CAP_WRITE new behaviour:
- Allow write(2), writev(2).
- Disallow pwrite(2) (CAP_SEEK was also required).
Added convenient defines:
#define CAP_PREAD (CAP_SEEK | CAP_READ)
#define CAP_PWRITE (CAP_SEEK | CAP_WRITE)
#define CAP_MMAP_R (CAP_MMAP | CAP_SEEK | CAP_READ)
#define CAP_MMAP_W (CAP_MMAP | CAP_SEEK | CAP_WRITE)
#define CAP_MMAP_X (CAP_MMAP | CAP_SEEK | 0x0000000000000008ULL)
#define CAP_MMAP_RW (CAP_MMAP_R | CAP_MMAP_W)
#define CAP_MMAP_RX (CAP_MMAP_R | CAP_MMAP_X)
#define CAP_MMAP_WX (CAP_MMAP_W | CAP_MMAP_X)
#define CAP_MMAP_RWX (CAP_MMAP_R | CAP_MMAP_W | CAP_MMAP_X)
#define CAP_RECV CAP_READ
#define CAP_SEND CAP_WRITE
#define CAP_SOCK_CLIENT \
    (CAP_CONNECT | CAP_GETPEERNAME | CAP_GETSOCKNAME | CAP_GETSOCKOPT | \
    CAP_PEELOFF | CAP_RECV | CAP_SEND | CAP_SETSOCKOPT | CAP_SHUTDOWN)
#define CAP_SOCK_SERVER \
    (CAP_ACCEPT | CAP_BIND | CAP_GETPEERNAME | CAP_GETSOCKNAME | \
    CAP_GETSOCKOPT | CAP_LISTEN | CAP_PEELOFF | CAP_RECV | CAP_SEND | \
    CAP_SETSOCKOPT | CAP_SHUTDOWN)
Added defines for backward API compatibility:
#define CAP_MAPEXEC CAP_MMAP_X
#define CAP_DELETE CAP_UNLINKAT
#define CAP_MKDIR CAP_MKDIRAT
#define CAP_RMDIR CAP_UNLINKAT
#define CAP_MKFIFO CAP_MKFIFOAT
#define CAP_MKNOD CAP_MKNODAT
#define CAP_SOCK_ALL (CAP_SOCK_CLIENT | CAP_SOCK_SERVER)
Sponsored by: The FreeBSD Foundation Reviewed by: Christoph Mallon <christoph.mallon@gmx.de> Many aspects discussed with: rwatson, benl, jonathan ABI compatibility discussed with: kib
|
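An added example, not FreeBSD code, serving two of the commit messages above: r255219 (the cap_rights_t structure and the cap_rights_*() API) and r247602 (the post-overhaul CAP_PREAD semantics, where pread(2) needs CAP_SEEK in addition to CAP_READ). It is a user-space C model of the encoding exactly as the r255219 message describes it: two uint64_t elements, element count in the top two bits of element 0, a one-hot element index in the next five bits, rights in the low 57 bits, and a 0ULL-terminated variadic list behind the macros. Assumptions, also marked in the code: the bit positions chosen for CAP_READ, CAP_WRITE and CAP_SEEK are illustrative (only CAP_LOOKUP, CAP_FCHMOD, CAP_FCHMODAT and CAP_PDKILL use values quoted on the page); where the kernel would assert on a right list that mixes array elements, the model returns NULL so the misuse is observable; cap_check() stands in for the rights check fget(9) performs, and ENOTCAPABLE is defined with FreeBSD's errno value so the file compiles on other hosts.

```c
/* Added example, not FreeBSD code: a user-space model of the cap_rights_t encoding and
 * API described above. Bit positions marked "illustrative" are assumptions. */
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#define CAP_RIGHTS_VERSION 0
#define ENOTCAPABLE 93   /* FreeBSD's errno value, defined here so the model builds on other hosts */

typedef struct cap_rights {
    uint64_t cr_rights[CAP_RIGHTS_VERSION + 2];
} cap_rights_t;

/* Element layout: bits 63-62 = element count - 2 (element 0 only),
 * bits 61-57 = one-hot element index, bits 56-0 = rights. */
#define CAPIDXSHIFT 57
#define CAPIDXMASK  (0x1FULL << CAPIDXSHIFT)
#define CAPBITSMASK ((1ULL << CAPIDXSHIFT) - 1)
#define CAPRIGHT(idx, bit) ((1ULL << (CAPIDXSHIFT + (idx))) | (bit))
/* Rights quoted in the commit messages above. */
#define CAP_LOOKUP   CAPRIGHT(0, 0x0000000000000400ULL)
#define CAP_FCHMOD   CAPRIGHT(0, 0x0000000000002000ULL)
#define CAP_FCHMODAT (CAP_FCHMOD | CAP_LOOKUP)
#define CAP_PDKILL   CAPRIGHT(1, 0x0000000000000800ULL)
/* Illustrative bit positions (assumed, not FreeBSD's real assignments). */
#define CAP_READ     CAPRIGHT(0, 0x0000000000000001ULL)
#define CAP_WRITE    CAPRIGHT(0, 0x0000000000000002ULL)
#define CAP_SEEK     CAPRIGHT(0, 0x0000000000000008ULL)
#define CAP_PREAD    (CAP_SEEK | CAP_READ)   /* post-overhaul alias: pread(2) also needs CAP_SEEK */

static unsigned cap_nelems(const cap_rights_t *r) { return (unsigned)(r->cr_rights[0] >> 62) + 2; }

/* Element index encoded in a right, or -1 if the index field is not one-hot:
 * CAP_LOOKUP | CAP_PDKILL sets index bits 0 and 1 and is rejected here. */
static int cap_idx(unsigned long long right) {
    unsigned long long idx = (right & CAPIDXMASK) >> CAPIDXSHIFT;
    if (idx == 0 || (idx & (idx - 1)) != 0) return -1;
    int i = 0;
    while ((idx >> i) != 1) i++;
    return i;
}

/* Shared body of init/set over a 0ULL-terminated list (the macros below append the 0).
 * Where the kernel would KASSERT on a malformed right, this model returns NULL. */
static cap_rights_t *cap_set_list(cap_rights_t *r, va_list ap) {
    for (unsigned long long right; (right = va_arg(ap, unsigned long long)) != 0ULL; ) {
        int i = cap_idx(right);
        if (i < 0 || (unsigned)i >= cap_nelems(r)) return NULL;
        r->cr_rights[i] |= right & CAPBITSMASK;   /* index bit is already in place */
    }
    return r;
}
static cap_rights_t *__cap_rights_init(cap_rights_t *r, ...) {
    r->cr_rights[0] = ((uint64_t)CAP_RIGHTS_VERSION << 62) | CAPRIGHT(0, 0ULL);
    for (unsigned i = 1; i < cap_nelems(r); i++) r->cr_rights[i] = CAPRIGHT(i, 0ULL);
    va_list ap; va_start(ap, r); cap_rights_t *ret = cap_set_list(r, ap); va_end(ap); return ret;
}
static cap_rights_t *__cap_rights_set(cap_rights_t *r, ...) {
    va_list ap; va_start(ap, r); cap_rights_t *ret = cap_set_list(r, ap); va_end(ap); return ret;
}
static bool __cap_rights_is_set(const cap_rights_t *r, ...) {
    va_list ap; va_start(ap, r); bool ok = true;
    for (unsigned long long right; ok && (right = va_arg(ap, unsigned long long)) != 0ULL; ) {
        int i = cap_idx(right);
        ok = i >= 0 && (unsigned)i < cap_nelems(r) &&
             (r->cr_rights[i] & (right & CAPBITSMASK)) == (right & CAPBITSMASK);
    }
    va_end(ap); return ok;
}
#define cap_rights_init(r, ...)   __cap_rights_init((r), __VA_ARGS__, 0ULL)
#define cap_rights_set(r, ...)    __cap_rights_set((r), __VA_ARGS__, 0ULL)
#define cap_rights_is_set(r, ...) __cap_rights_is_set((r), __VA_ARGS__, 0ULL)

static bool cap_rights_is_valid(const cap_rights_t *r) {
    if (cap_nelems(r) != CAP_RIGHTS_VERSION + 2) return false;
    for (unsigned i = 0; i < cap_nelems(r); i++) {
        if ((r->cr_rights[i] & CAPIDXMASK) != (1ULL << (CAPIDXSHIFT + i))) return false;
        if (i > 0 && (r->cr_rights[i] >> 62) != 0) return false;   /* top two bits only in element 0 */
    }
    return true;
}
static bool cap_rights_contains(const cap_rights_t *big, const cap_rights_t *little) {
    for (unsigned i = 0; i < cap_nelems(big); i++)
        if ((big->cr_rights[i] & little->cr_rights[i]) != little->cr_rights[i]) return false;
    return true;
}
/* Stand-in for the check fget(9) makes against a descriptor's rights: 0 when every needed right is held. */
static int cap_check(const cap_rights_t *have, const cap_rights_t *need) {
    return cap_rights_contains(have, need) ? 0 : ENOTCAPABLE;
}

int main(void) {
    cap_rights_t fd_rights, need;   /* fd_rights: what cap_rights_limit(fd, ...) would leave on a descriptor */
    cap_rights_init(&fd_rights, CAP_READ, CAP_WRITE);
    cap_rights_init(&need, CAP_PREAD);
    printf("pread(2) with only CAP_READ|CAP_WRITE: errno %d\n", cap_check(&fd_rights, &need));
    printf("CAP_LOOKUP | CAP_PDKILL rejected: %d\n", cap_rights_init(&need, CAP_LOOKUP | CAP_PDKILL) == NULL);
    return 0;
}
```

Two points worth noticing when reading the model against the commit text: the index bit of each element is written by cap_rights_init() and never by the set path, which is why the one-hot check in cap_idx() is enough to catch CAP_LOOKUP | CAP_PDKILL while CAP_FCHMODAT (both halves in element 0) passes; and cap_rights_contains() compares whole elements, so the version and index bits must agree between the two structures, which is what cap_rights_is_valid() guarantees for any structure that went through init.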
246911 |
17-Feb-2013 |
pjd |
Remove redundant check.
|
246691 |
11-Feb-2013 |
pjd |
Style.
|
246446 |
07-Feb-2013 |
pjd |
Add AUDIT_ARG_SOCKADDR() macro so we can start using the audit_arg_sockaddr() function, which is currently unused.
Sponsored by: The FreeBSD Foundation
|
245573 |
17-Jan-2013 |
csjp |
Implement the zonename token for jailed processes. If a process has an auditid/preselection masks specified, and is jailed, include the zonename (jailname) token as a part of the audit record.
Reviewed by: pjd MFC after: 2 weeks
|
244267 |
15-Dec-2012 |
rwatson |
Four .c files from OpenBSM are used, in modified form, by the kernel to implement the BSM audit trail format. Rename the kernel versions of the files to match the userspace filenames so that it's easier to work out what they correspond to, and therefore ensure they are kept in-sync.
Obtained from: TrustedBSD Project
|
243751 |
01-Dec-2012 |
rwatson |
Merge OpenBSM 1.2-alpha2 changes from contrib/openbsm to src/sys/{bsm,security/audit}. There are a few tweaks to help with the FreeBSD build environment that will be merged back to OpenBSM. No significant functional changes appear on the kernel side.
Obtained from: TrustedBSD Project Sponsored by: The FreeBSD Foundation (auditdistd)
|
243745 |
01-Dec-2012 |
pjd |
IFp4 @219811:
VFS is now fully MPSAFE, fix compilation.
|
243727 |
30-Nov-2012 |
pjd |
IFp4 @208452:
Audit handling for missing events:
- AUE_READLINKAT
- AUE_FACCESSAT
- AUE_MKDIRAT
- AUE_MKFIFOAT
- AUE_MKNODAT
- AUE_SYMLINKAT
Sponsored by: FreeBSD Foundation (auditdistd) MFC after: 2 weeks
|
243726 |
30-Nov-2012 |
pjd |
IFp4 @208451:
Fix path handling for *at() syscalls.
Before the change, the directory descriptor was totally ignored, so the relative path argument was appended to the current working directory path and not to the path provided by the descriptor, thus wrong paths were stored in audit logs.
Now that we use directory descriptor in vfs_lookup, move AUDIT_ARG_UPATH1() and AUDIT_ARG_UPATH2() calls to the place where we hold file descriptors table lock, so we are sure paths will be resolved according to the same directory in audit record and in actual operation.
Sponsored by: FreeBSD Foundation (auditdistd) Reviewed by: rwatson MFC after: 2 weeks
|
243723 |
30-Nov-2012 |
pjd |
IFp4 @208383:
Currently when we discover that the trail file is greater than the configured limit we send the AUDIT_TRIGGER_ROTATE_KERNEL trigger to the auditd daemon once. If for some reason auditd didn't rotate the trail file, it will never be rotated.
Change it by sending the trigger when the trail file size grows by the configured limit. For example if the limit is 1MB, we will send the trigger at 1MB, 2MB, 3MB, etc.
This is also needed for the auditd change that will be committed soon where auditd may ignore the trigger - it might be ignored if the kernel requests the trail file to be rotated too quickly (more often than once a second), which would result in overwriting the previous trail file.
Sponsored by: FreeBSD Foundation (auditdistd) MFC after: 2 weeks
|
243722 |
30-Nov-2012 |
pjd |
IFp4 @208382:
Currently on each record write we call VFS_STATFS() to get available space on the file system as well as VOP_GETATTR() to get trail file size.
We can assume that trail file is only updated by the audit worker, so instead of asking for file size on every write, get file size on trail switch only (it should be zero, but it's not expensive) and use global variable audit_size protected by the audit worker lock to keep track of trail file's size.
This eliminates VOP_GETATTR() call for every write. VFS_STATFS() is satisfied from in-memory data (mount->mnt_stat), so shouldn't be expensive.
Sponsored by: FreeBSD Foundation (auditdistd) MFC after: 2 weeks
|
243720 |
30-Nov-2012 |
pjd |
IFp4 @208381:
For VOP_GETATTR() we just need vnode to be shared-locked.
Sponsored by: FreeBSD Foundation (auditdistd) MFC after: 2 weeks
|
241896 |
22-Oct-2012 |
kib |
Remove the support for using non-mpsafe filesystem modules.
In particular, do not lock Giant conditionally when calling into the filesystem module, remove the VFS_LOCK_GIANT() and related macros. Stop handling buffers belonging to non-mpsafe filesystems.
The VFS_VERSION is bumped to indicate the interface change which does not result in the interface signatures changes.
Conducted and reviewed by: attilio Tested by: pho
|
227309 |
07-Nov-2011 |
ed |
Mark all SYSCTL_NODEs static that have no corresponding SYSCTL_DECLs.
The SYSCTL_NODE macro defines a list that stores all child-elements of that node. If there's no SYSCTL_DECL macro anywhere else, there's no reason why it shouldn't be static.
|
226500 |
18-Oct-2011 |
ed |
Get rid of D_PSEUDO.
It seems the D_PSEUDO flag was meant to allow make_dev() to return NULL. Nowadays we have a different interface for that; make_dev_p(). There's no need to keep it there.
While there, remove an unneeded D_NEEDMINOR from the gpio driver.
Discussed with: gonzo@ (gpio)
|
225617 |
16-Sep-2011 |
kmacy |
In order to maximize the re-usability of kernel code in user space this patch modifies makesyscalls.sh to prefix all of the non-compatibility calls (e.g. not linux_, freebsd32_) with sys_ and updates the kernel entry points and all places in the code that use them. It also fixes an additional name space collision between the kernel function psignal and the libc function of the same name by renaming the kernel psignal kern_psignal(). By introducing this change now we will ease future MFCs that change syscalls.
Reviewed by: rwatson Approved by: re (bz)
|
225177 |
25-Aug-2011 |
attilio |
Fix a deficiency in the selinfo interface: If a selinfo object is recorded (via selrecord()) and then it is quickly destroyed, with the waiters missing the opportunity to awake, at the next iteration they will find the selinfo object destroyed, causing a PF#.
That happens because the selinfo interface has no way to drain the waiters before destroying the registered selinfo object. Also this race is quite rare to get in practice, because it would require a selrecord(), a poll request by another thread and a quick destruction of the selrecord()'ed selinfo object.
Fix this by adding the seldrain() routine, which should be called before destroying the selinfo objects (in order to avoid such a case), and fix the present cases where it might have already been called. Sometimes the context is safe enough to prevent this type of race, as happens in device drivers which install selinfo objects on poll callbacks. There, the destruction of the selinfo object happens at driver detach time, when all the file descriptors should already be closed, thus there cannot be a race. For this case, the mfi(4) device driver can be taken as an example, as it implements fully correct logic for preventing this from happening.
Sponsored by: Sandvine Incorporated Reported by: rstone Tested by: pluknet Reviewed by: jhb, kib Approved by: re (bz) MFC after: 3 weeks
|
224778 |
11-Aug-2011 |
rwatson |
Second-to-last commit implementing Capsicum capabilities in the FreeBSD kernel for FreeBSD 9.0:
Add a new capability mask argument to fget(9) and friends, allowing system call code to declare what capabilities are required when an integer file descriptor is converted into an in-kernel struct file *. With options CAPABILITIES compiled into the kernel, this enforces capability protection; without, this change is effectively a no-op.
Some cases require special handling, such as mmap(2), which must preserve information about the maximum rights at the time of mapping in the memory map so that they can later be enforced in mprotect(2) -- this is done by narrowing the rights in the existing max_protection field used for similar purposes with file permissions.
In namei(9), we assert that the code is not reached from within capability mode, as we're not yet ready to enforce namespace capabilities there. This will follow in a later commit.
Update two capability names: CAP_EVENT and CAP_KEVENT become CAP_POST_KEVENT and CAP_POLL_KEVENT to more accurately indicate what they represent.
Approved by: re (bz) Submitted by: jonathan Sponsored by: Google Inc
|
224181 |
18-Jul-2011 |
jonathan |
Provide ability to audit cap_rights_t arguments.
We wish to be able to audit capability rights arguments; this code provides the necessary infrastructure.
This commit does not, of itself, turn on such auditing for any system call; that should follow shortly.
Approved by: mentor (rwatson), re (Capsicum blanket) Sponsored by: Google Inc
|
219128 |
01-Mar-2011 |
rwatson |
Add ECAPMODE, "Not permitted in capability mode", a new kernel errno constant to indicate that a system call (or perhaps an operation requested via a system call) is not permitted for a capability mode process.
Submitted by: anderson Sponsored by: Google, Inc. Obtained from: Capsicum Project MFC after: 1 week
|
219028 |
25-Feb-2011 |
netchild |
Add some FEATURE macros for various features (AUDIT/CAM/IPC/KTR/MAC/NFS/NTP/ PMC/SYSV/...).
No FreeBSD version bump, the userland application to query the features will be committed last and can serve as an indication of the availability if needed.
Sponsored by: Google Summer of Code 2010 Submitted by: kibab Reviewed by: arch@ (parts by rwatson, trasz, jhb) X-MFC after: to be determined in last commit with code from this project
|
212425 |
10-Sep-2010 |
mdf |
Replace sbuf_overflowed() with sbuf_error(), which returns any error code associated with overflow or with the drain function. While this function is not expected to be used often, it produces more information in the form of an errno than sbuf_overflowed() did.
|
207615 |
04-May-2010 |
csjp |
Add a case to make sure that internal audit records get converted to BSM format for lpathconf(2) events.
MFC after: 2 weeks
|
203328 |
31-Jan-2010 |
csjp |
Make sure we convert audit records that were produced as the result of the closefrom(2) syscall.
|
202143 |
12-Jan-2010 |
brooks |
Replace the static NGROUPS=NGROUPS_MAX+1=1024 with a dynamic kern.ngroups+1. kern.ngroups can range from NGROUPS_MAX=1023 to INT_MAX-1. Given that the Windows group limit is 1024, this range should be sufficient for most applications.
MFC after: 1 month
|
196971 |
08-Sep-2009 |
phk |
Having thrown the cat out of the house, add a necessary include.
|
196970 |
08-Sep-2009 |
phk |
Revert previous commit and add myself to the list of people who should know better than to commit with a cat in the area.
|
196969 |
08-Sep-2009 |
phk |
Add necessary include.
|
196122 |
12-Aug-2009 |
rwatson |
Correctly audit real gids following changes to the audit record argument interface.
Approved by: re (kib)
|
195939 |
29-Jul-2009 |
rwatson |
Eliminate ARG_UPATH[12] arguments to AUDIT_ARG_UPATH() and instead provide specific macros, AUDIT_ARG_UPATH1() and AUDIT_ARG_UPATH2() to capture path information for audit records. This allows us to move the definitions of ARG_* out of the public audit header file, as they are an implementation detail of our current kernel-internal audit record, which may change.
Approved by: re (kensmith) Obtained from: TrustedBSD Project MFC after: 1 month
|
195926 |
28-Jul-2009 |
rwatson |
Rework vnode argument auditing to follow the same structure, in order to avoid exposing ARG_ macros/flag values outside of the audit code in order to name which one of two possible vnodes will be audited for a system call.
Approved by: re (kib) Obtained from: TrustedBSD Project MFC after: 1 month
|
195925 |
28-Jul-2009 |
rwatson |
Audit file descriptors passed to fooat(2) system calls, which are used instead of the root/current working directory as the starting point for lookups. Up to two such descriptors can be audited. Add audit record BSM encoding for fooat(2).
Note: due to an error in the OpenBSM 1.1p1 configuration file, a further change is required to that file in order to fix openat(2) auditing.
Approved by: re (kib) Reviewed by: rdivacky (fooat(2) portions) Obtained from: TrustedBSD Project MFC after: 1 month
|
195740 |
17-Jul-2009 |
rwatson |
Import OpenBSM 1.1p1 from vendor branch to 8-CURRENT, populating contrib/openbsm and a subset also imported into sys/security/audit. This patch release addresses several minor issues:
- Fixes to AUT_SOCKUNIX token parsing.
- IPv6 support for au_to_me(3).
- Improved robustness in the parsing of audit_control, especially long flags/naflags strings and whitespace in all fields.
- Add missing conversion of a number of FreeBSD/Mac OS X errnos to/from BSM error number space.
MFC after: 3 weeks Obtained from: TrustedBSD Project Sponsored by: Apple, Inc. Approved by: re (kib)
|
195291 |
02-Jul-2009 |
rwatson |
Create audit records for AUE_POSIX_OPENPT, currently w/o arguments.
Approved by: re (audit argument blanket)
|
195282 |
02-Jul-2009 |
rwatson |
Fix comment misthink.
Submitted by: b. f. <bf1783 at googlemail.com> Approved by: re (audit argument blanket) MFC after: 1 week
|
195280 |
02-Jul-2009 |
rwatson |
Clean up a number of aspects of token generation from audit arguments to system calls:
- Centralize generation of argument tokens for VM addresses in a macro, ADDR_TOKEN(), and properly encode 64-bit addresses in 64-bit arguments.
- Fix up argument numbers across a large number of syscalls so that they match the numeric argument into the system call.
- Don't audit the address argument to ioctl(2) or ptrace(2), but do keep generating tokens for mmap(2), minherit(2), since they relate to passing object access across execve(2).
Approved by: re (audit argument blanket) Obtained from: TrustedBSD Project MFC after: 1 week
|
195267 |
01-Jul-2009 |
rwatson |
For access(2) and eaccess(2), audit the requested access mode.
Approved by: re (audit argument blanket) MFC after: 3 days
|
195252 |
01-Jul-2009 |
rwatson |
Define missing audit argument macro AUDIT_ARG_SOCKET(), and capture the domain, type, and protocol arguments to socket(2) and socketpair(2).
Approved by: re (audit argument blanket) MFC after: 3 days
|
195247 |
01-Jul-2009 |
rwatson |
When auditing unmount(2), capture FSID arguments as regular text strings rather than as paths, which would lead to them being treated as relative pathnames and hence confusingly converted into absolute pathnames.
Capture flags to unmount(2) via an argument token.
Approved by: re (audit argument blanket) MFC after: 3 days
|
195242 |
01-Jul-2009 |
rwatson |
Audit the file descriptor number passed to lseek(2).
Approved by: re (kib) MFC after: 3 days
|
195235 |
01-Jul-2009 |
rwatson |
Audit the 'options' argument to wait4(2).
Approved by: re (kib) MFC after: 3 days
|
195177 |
29-Jun-2009 |
sson |
Dynamically allocate the gidset field in audit record.
This fixes a problem created by the recent change that allows a large number of groups per user. The gidset field in struct kaudit_record is now dynamically allocated to the size needed rather than statically (using NGROUPS).
Approved by: re@ (kensmith, rwatson), gnn (mentor)
|
195104 |
27-Jun-2009 |
rwatson |
Replace AUDIT_ARG() with variable argument macros with a set of more specific macros for each audit argument type. This makes it easier to follow call-graphs, especially for automated analysis tools (such as fxr).
In MFC, we should leave the existing AUDIT_ARG() macros as they may be used by third-party kernel modules.
Suggested by: brooks Approved by: re (kib) Obtained from: TrustedBSD Project MFC after: 1 week
|
193951 |
10-Jun-2009 |
kib |
Adapt vfs kqfilter to the shared vnode lock used by zfs write vop. Use vnode interlock to protect the knote fields [1]. The locking assumes that shared vnode lock is held, thus we get exclusive access to knote either by exclusive vnode lock protection, or by shared vnode lock + vnode interlock.
Do not use kl_locked() method to assert either lock ownership or the fact that curthread does not own the lock. For shared locks, ownership is not recorded, e.g. VOP_ISLOCKED can return LK_SHARED for the shared lock not owned by curthread, causing false positives in kqueue subsystem assertions about knlist lock.
Remove kl_locked method from knlist lock vector, and add two separate assertion methods kl_assert_locked and kl_assert_unlocked, that are supposed to use proper asserts. Change knlist_init accordingly.
Add convenience function knlist_init_mtx to reduce number of arguments for typical knlist initialization.
Submitted by: jhb [1] Noted by: jhb [2] Reviewed by: jhb Tested by: rnoland
|
193511 |
05-Jun-2009 |
rwatson |
Move "options MAC" from opt_mac.h to opt_global.h, as it's now in GENERIC and used in a large number of files, but also because an increasing number of incorrect uses of MAC calls were sneaking in due to copy-and-paste of MAC-aware code without the associated opt_mac.h include.
Discussed with: pjd
|
191990 |
11-May-2009 |
attilio |
Remove the thread argument from the FSD (File-System Dependent) parts of the VFS. Now all the VFS_* functions and relating parts don't want the context as long as it always refers to curthread.
In some points, in particular when dealing with VOPs and functions living in the same namespace (eg. vflush) which still need to be converted, pass curthread explicitly in order to retain the old behaviour. Such loose ends will be fixed ASAP.
While here fix a bug: now, UFS_EXTATTR can be compiled alone without the UFS_EXTATTR_AUTOSTART option.
VFS KPI is heavily changed by this commit so third-party modules need to be recompiled. Bump __FreeBSD_version in order to signal such situation.
|
191296 |
19-Apr-2009 |
rwatson |
Temporarily relax the constraints on argument size checking for A_GETCOND; login(1) isn't quite ready for them yet on 64-bit systems as it continues to use the conventions of the old version of the API.
Reported by: stas, Jakub Lach <jakub_lach at mailplus.pl>
|
191270 |
19-Apr-2009 |
rwatson |
Merge OpenBSM 1.1 changes to the FreeBSD 8.x kernel:
- Add and use mapping of fcntl(2) commands to new BSM constant space.
- Adopt (int) rather than (long) arguments to a number of auditon(2) commands, as has happened in Solaris, and add compatibility code to handle the old comments.
Note that BSM_PF_IEEE80211 is partially but not fully removed, as the userspace OpenBSM 1.1alpha5 code still depends on it. Once userspace is updated, I'll GCC the kernel constant.
MFC after: 2 weeks Sponsored by: Apple, Inc. Obtained from: TrustedBSD Project Portions submitted by: sson
|
191147 |
16-Apr-2009 |
rwatson |
Merge new kernel files from OpenBSM 1.1: audit_fcntl.h and audit_bsm_fcntl.c contain utility routines to map local fcntl commands into BSM constants. Adaptation to the FreeBSD kernel environment will follow in a future commit.
Sponsored by: Apple, Inc. Obtained from: TrustedBSD Project MFC after: 2 weeks
|
191143 |
16-Apr-2009 |
rwatson |
Remove D_NEEDGIANT from audit pipes. I'm actually not sure why this was here, but it isn't needed.
MFC after: 2 weeks Sponsored by: Apple, Inc.
|
189570 |
09-Mar-2009 |
rwatson |
Add a new thread-private flag, TDP_AUDITREC, to indicate whether or not there is an audit record hung off of td_ar on the current thread. Test this flag instead of td_ar when auditing syscall arguments or checking for an audit record to commit on syscall return. Under these circumstances, td_pflags is much more likely to be in the cache (especially if there is no auditing of the current system call), so this should help reduce cache misses in the system call return path.
MFC after: 1 week Reported by: kris Obtained from: TrustedBSD Project
|
189529 |
08-Mar-2009 |
rwatson |
Improve the consistency of MAC Framework and MAC policy entry point naming by renaming certain "proc" entry points to "cred" entry points, reflecting their manipulation of credentials. For some entry points, the process was passed into the framework but not into policies; in these cases, stop passing in the process since we don't need it.
mac_proc_check_setaudit -> mac_cred_check_setaudit
mac_proc_check_setaudit_addr -> mac_cred_check_setaudit_addr
mac_proc_check_setauid -> mac_cred_check_setauid
mac_proc_check_setegid -> mac_cred_check_setegid
mac_proc_check_seteuid -> mac_cred_check_seteuid
mac_proc_check_setgid -> mac_cred_check_setgid
mac_proc_check_setgroups -> mac_cred_check_setgroups
mac_proc_check_setregid -> mac_cred_check_setregid
mac_proc_check_setresgid -> mac_cred_check_setresgid
mac_proc_check_setresuid -> mac_cred_check_setresuid
mac_proc_check_setreuid -> mac_cred_check_setreuid
mac_proc_check_setuid -> mac_cred_check_setuid
Obtained from: TrustedBSD Project Sponsored by: Google, Inc.
|
189279 |
02-Mar-2009 |
rwatson |
Merge OpenBSM 1.1 beta 1 from OpenBSM vendor branch to head, both contrib/openbsm (svn merge) and src/sys/{bsm,security/audit} (manual merge).
OpenBSM history for imported revision below for reference.
MFC after: 1 month Sponsored by: Apple, Inc. Obtained from: TrustedBSD Project
OpenBSM 1.1 beta 1
- The filesz parameter in audit_control(5) now accepts suffixes: 'B' for Bytes, 'K' for Kilobytes, 'M' for Megabytes, and 'G' for Gigabytes. For legacy support no suffix defaults to bytes.
- Audit trail log expiration support added. It is configured in audit_control(5) with the expire-after parameter. If there is no expire-after parameter in audit_control(5), the default, then the audit trail files are not expired and removed. See audit_control(5) for more information.
- Change defaults in audit_control: warn at 5% rather than 20% free for audit partitions, rotate automatically at 2mb, and set the default policy to cnt,argv rather than cnt so that execve(2) arguments are captured if AUE_EXECVE events are audited. These may provide more usable defaults for many users.
- Use au_domain_to_bsm(3) and au_socket_type_to_bsm(3) to convert au_to_socket_ex(3) arguments to BSM format.
- Fix error encoding AUT_IPC_PERM tokens.
|
188315 |
08-Feb-2009 |
rwatson |
Set the lower bound on queue size for an audit pipe to 1 instead of 0, as an audit pipe with a queue length of 0 is less useful.
Obtained from: TrustedBSD Project Sponsored by: Apple, Inc. MFC after: 1 week
|
188313 |
08-Feb-2009 |
rwatson |
Change various routines that are responsible for transforming audit event IDs based on arguments to return au_event_t rather than int.
Obtained from: TrustedBSD Project Sponsored by: Apple, Inc. MFC after: 1 week
|
188312 |
08-Feb-2009 |
rwatson |
Audit AUE_MAC_EXECVE; currently just the standard AUE_EXECVE arguments and not the label.
Obtained from: TrustedBSD Project Sponsored by: Apple, Inc. MFC after: 1 week
|
188311 |
08-Feb-2009 |
rwatson |
Audit the flag argument to the nfssvc(2) system call.
Obtained from: TrustedBSD Project Sponsored by: Apple, Inc.
|
188122 |
04-Feb-2009 |
rwatson |
Eliminate the local variable 'ape' in audit_pipe_kqread(), as it's only used for an assertion that we don't really need anymore.
MFC after: 1 week Reported by: Christoph Mallon <christoph dot mallon at gmx dot de>
|
187215 |
14-Jan-2009 |
rwatson |
Update copyright, P4 version number as audit_bsm_token.c reflects changes in bsm_token.c through #86 from OpenBSM.
MFC after: 1 month Sponsored by: Apple, Inc. Obtained from: TrustedBSD Project
|
187214 |
14-Jan-2009 |
rwatson |
Merge OpenBSM alpha 5 from OpenBSM vendor branch to head, both contrib/openbsm (svn merge) and src/sys/{bsm,security/audit} (manual merge). Hook up bsm_domain.c and bsm_socket_type.c to the libbsm build along with man pages, add audit_bsm_domain.c and audit_bsm_socket_type.c to the kernel environment.
OpenBSM history for imported revisions below for reference.
MFC after: 1 month Sponsored by: Apple Inc. Obtained from: TrustedBSD Project
OpenBSM 1.1 alpha 5
- Stub libauditd(3) man page added.
- All BSM error number constants with BSM_ERRNO_.
- Interfaces to convert between local and BSM socket types and protocol families have been added: au_bsm_to_domain(3), au_bsm_to_socket_type(3), au_domain_to_bsm(3), and au_socket_type_to_bsm(3), along with definitions of constants in audit_domain.h and audit_socket_type.h. This improves interoperability by converting local constant spaces, which vary by OS, to and from Solaris constants (where available) or OpenBSM constants for protocol domains not present in Solaris (a fair number). These routines should be used when generating and interpreting extended socket tokens.
- Fix build warnings with full gcc warnings enabled on most supported platforms.
- Don't compile error strings into bsm_errno.c when building it in the kernel environment.
- When started by launchd, use the label com.apple.auditd rather than org.trustedbsd.auditd.
|
186825 |
06-Jan-2009 |
rwatson |
Do a lockless read of the audit pipe list before grabbing the audit pipe lock in order to avoid the lock acquire hit if the pipe list is very likely empty.
Obtained from: TrustedBSD Project MFC after: 3 weeks Sponsored by: Apple, Inc.
|
186822 |
06-Jan-2009 |
rwatson |
In AUDIT_SYSCALL_EXIT(), invoke audit_syscall_exit() only if an audit record is active on the current thread--historically we may always have wanted to enter the audit code if auditing was enabled, but now we just commit the audit record so don't need to enter if there isn't one.
Obtained from: TrustedBSD Project Sponsored by: Apple, Inc.
|
186662 |
31-Dec-2008 |
rwatson |
Fix white space botch: use carriage returns rather than tabs.
|
186650 |
31-Dec-2008 |
rwatson |
Commit two files missed in previous commit: hook up audit_bsm_errno.c and adapt for kernel build environment.
Obtained from: TrustedBSD Project Sponsored by: Apple, Inc.
|
186649 |
31-Dec-2008 |
rwatson |
Call au_errno_to_bsm() on the errno value passed into au_to_return32() to convert local FreeBSD error numbers into BSM error numbers.
Obtained from: TrustedBSD Project
|
186647 |
31-Dec-2008 |
rwatson |
Merge OpenBSM alpha 4 from OpenBSM vendor branch to head, both contrib/openbsm (svn merge) and src/sys/{bsm,security/audit} (manual merge). Add libauditd build parts and add to auditd's linkage; force libbsm to build before libauditd.
OpenBSM history for imported revisions below for reference.
MFC after: 1 month Sponsored by: Apple Inc. Obtained from: TrustedBSD Project
OpenBSM 1.1 alpha 4
- With the addition of BSM error number mapping, we also need to map the local error number passed to audit_submit(3) to a BSM error number, rather than have the caller perform that conversion.
- Reallocate user audit events to avoid collisions with Solaris; adopt a more formal allocation scheme, and add some events allocated in Solaris that will be of immediate use on other platforms.
- Add an event for Calife.
- Add au_strerror(3), which allows generating strings for BSM errors directly, rather than requiring applications to map to the local error space, which might not be able to entirely represent the BSM error number space.
- Major auditd rewrite for launchd(8) support. Add libauditd library that is shared between launchd and auditd.
- Add AUDIT_TRIGGER_INITIALIZE trigger (sent via 'audit -i') for (re)starting auditing under launchd(8) on Mac OS X.
- Add 'current' symlink to active audit trail.
- Add crash recovery of previous audit trail file when detected on audit startup that it has not been properly terminated.
- Add the event AUE_audit_recovery to indicate when an audit trail file has been recovered from not being properly terminated. This event is stored in the new audit trail file and includes the path of recovered audit trail file.
- Mac OS X and FreeBSD dependent code in auditd.c is separated into auditd_darwin.c and auditd_fbsd.c files.
- Add an event for the posix_spawn(2) and fsgetpath(2) Mac OS X system calls.
- For Mac OS X, we use ASL(3) instead of syslog(3) for logging.
- Add support for NOTICE level logging.
OpenBSM 1.1 alpha 3
- Add two new functions, au_bsm_to_errno() and au_errno_to_bsm(), to map between BSM error numbers (largely the Solaris definitions) and local errno(2) values for 32-bit and 64-bit return tokens. This is required as operating systems don't agree on some of the values of more recent error numbers.
- Fix a bug in how au_to_exec_args(3) and au_to_exec_env(3) calculate the total size for the token. This buge.
- Deprecated Darwin constants, such as TRAILER_PAD_MAGIC, removed.
|
185573 |
02-Dec-2008 |
rwatson |
Merge OpenBSM 1.1 alpha 2 from the OpenBSM vendor branch to head, both contrib/openbsm (svn merge) and sys/{bsm,security/audit} (manual merge).
- Add OpenBSM contrib tree to include paths for audit(8) and auditd(8).
- Merge support for new tokens, fixes to existing token generation to audit_bsm_token.c.
- Synchronize bsm includes and definitions.
OpenBSM history for imported revisions below for reference.
MFC after: 1 month Sponsored by: Apple Inc. Obtained from: TrustedBSD Project
--
OpenBSM 1.1 alpha 2
- Include files in OpenBSM are now broken out into two parts: library builds required solely for user space, and system includes, which may also be required for use in the kernels of systems integrating OpenBSM. Submitted by Stacey Son.
- Configure option --with-native-includes allows forcing the use of native include for system includes, rather than the versions bundled with OpenBSM. This is intended specifically for platforms that ship OpenBSM, have adapted versions of the system includes in a kernel source tree, and will use the OpenBSM build infrastructure with an unmodified OpenBSM distribution, allowing the customized system includes to be used with the OpenBSM build. Submitted by Stacey Son.
- Various strcpy()'s/strcat()'s have been changed to strlcpy()'s/strlcat()'s or asprintf(). Added compat/strlcpy.h for Linux.
- Remove compatibility defines for old Darwin token constant names; now only BSM token names are provided and used.
- Add support for extended header tokens, which contain space for information on the host generating the record.
- Add support for setting extended host information in the kernel, which is used for setting host information in extended header tokens. The audit_control file now supports a "host" parameter which can be used by auditd to set the information; if not present, the kernel parameters won't be set and auditd uses unextended headers for records that it generates.
OpenBSM 1.1 alpha 1
- Add option to auditreduce(1) which allows users to invert sense of matching, such that BSM records that do not match, are selected.
- Fix bug in audit_write() where we commit an incomplete record in the event there is an error writing the subject token. This was submitted by Diego Giagio.
- Build support for Mac OS X 10.5.1 submitted by Eric Hall.
- Fix a bug which resulted in host XML attributes not being arguments so that const strings can be passed as arguments to tokens. This patch was submitted by Xin LI.
- Modify the -m option so users can select more than one audit event.
- For Mac OS X, added Mach IPC support for audit trigger messages.
- Fixed a bug in getacna() which resulted in a locking problem on Mac OS X.
- Added LOG_PERROR flag to openlog when -d option is used with auditd.
- AUE events added for Mac OS X Leopard system calls.
|
185484 |
30-Nov-2008 |
csjp |
Partially roll back a revision which changed the error code being returned by getaudit(2). Some applications such as su, id will interpret E2BIG as requiring the use of getaudit_addr(2) to pull extended audit state (ip6) from the kernel.
This change un-breaks the ABI when auditing has been activated on a system and the users are logged in via ip6.
This is a RELENG_7_1 candidate.
MFC after: 1 day Discussed with: rwatson
|
185293 |
25-Nov-2008 |
rwatson |
Regularize /* FALLTHROUGH */ comments in the BSM event type switch, and add one that was missing.
MFC after: 3 weeks Coverity ID: 3960
|
184948 |
14-Nov-2008 |
rwatson |
When repeatedly accessing a thread credential, cache the credential pointer in a local thread. While this is unlikely to significantly improve performance given modern compiler behavior, it makes the code more readable and reduces diffs to the Mac OS X version of the same code (which stores things in creds in the same way, but where the cred for a thread is reached quite differently).
Discussed with: sson MFC after: 1 month Sponsored by: Apple Inc. Obtained from: TrustedBSD Project
|
184904 |
13-Nov-2008 |
rwatson |
The audit queue limit variables are size_t, so use size_t for the audit queue length variables as well, avoiding storing the limit in a larger type than the length.
Submitted by: sson Sponsored by: Apple Inc. MFC after: 1 week
|
184858 |
11-Nov-2008 |
rwatson |
Move audit-internal function definitions for getting and setting audit kinfo state to audit_private.h.
|
184857 |
11-Nov-2008 |
rwatson |
Minor style tweaks and change lock name string to use _'s and not spaces to improve parseability.
|
184856 |
11-Nov-2008 |
csjp |
Add support for extended header BSM tokens. Currently we use the regular header tokens. The extended header tokens contain an IP or IPv6 address which makes it possible to identify which host an audit record came from when audit records are centralized.
If the host information has not been specified, the system will default to the old style headers. Otherwise, audit records that are created as a result of system calls will contain host information.
This implementation has been designed to be consistent with the Solaris implementation. Host information is set/retrieved using the A_GETKAUDIT and A_SETKAUDIT auditon(2) commands. These commands require that a pointer to an auditinfo_addr_t object is passed. Currently only IP and IPv6 address families are supported.
The userspace bits associated with this change will follow in an openbsm import.
Reviewed by: rwatson, (sson, wsalamon (older version)) MFC after: 1 month
|
184825 |
10-Nov-2008 |
rwatson |
Wrap sx locking of the audit worker sleep lock in macros, update comments.
MFC after: 2 months Sponsored by: Apple, Inc.
|
184661 |
04-Nov-2008 |
jhb |
Use shared vnode locks for auditing vnode arguments as auditing only does a VOP_GETATTR() which does not require an exclusive lock.
Reviewed by: csjp, rwatson
|
184660 |
04-Nov-2008 |
jhb |
Don't lock the vnode around calls to vn_fullpath().
Reviewed by: csjp, rwatson
|
184545 |
02-Nov-2008 |
rwatson |
Update introductory comment for audit pipes.
MFC after: 2 months Sponsored by: Apple, Inc.
|
184544 |
02-Nov-2008 |
rwatson |
Remove stale comment about filtering in audit pipe ioctl routine: we do support filtering now, although we may want to make it more interesting in the future.
MFC after: 2 months Sponsored by: Apple, Inc.
|
184540 |
01-Nov-2008 |
rwatson |
Add comment for per-pipe stats.
MFC after: 2 months Sponsored by: Apple, Inc.
|
184536 |
01-Nov-2008 |
rwatson |
We only allow a partial read of the first record in an audit pipe record queue, so move the offset field from the per-record audit_pipe_entry structure to the audit_pipe structure.
Now that we support reading more than one record at a time, add a new summary field to audit_pipe, ap_qbyteslen, which tracks the total number of bytes present in a pipe, and return that (minus the current offset) via FIONREAD and kqueue's data variable for the pending byte count rather than the number of bytes remaining in only the first record.
Add a number of asserts to confirm that these counts and offsets follow the expected rules.
MFC after: 2 months Sponsored by: Apple, Inc.
|
184534 |
01-Nov-2008 |
rwatson |
Allow a single read(2) system call on an audit pipe to retrieve data from more than one audit record at a time in order to improve efficiency.
MFC after: 2 months Sponsored by: Apple, Inc.
|
184510 |
31-Oct-2008 |
rwatson |
Since there is no longer the opportunity for record truncation, just return 0 if the truncation counter is queried on an audit pipe.
MFC after: 2 months Sponsored by: Apple, Inc.
|
184508 |
31-Oct-2008 |
rwatson |
Historically, /dev/auditpipe has allowed only whole records to be read via read(2), which meant that records longer than the buffer passed to read(2) were dropped. Instead take the approach of allowing partial reads to be continued across multiple system calls more in the style of a streaming character device.
This means retaining a record on the per-pipe queue in a partially read state, so maintain a current offset into the record. Keep the record on the queue during a read, so add a new lock, ap_sx, to serialize removal of records from the queue by either read(2) or ioctl(2) requesting a pipe flush. Modify the kqueue handler to return bytes left in the current record rather than simply the size of the current record.
It is now possible to use praudit, which used the standard FILE * buffer sizes, to track much larger record sizes from /dev/auditpipe, such as very long command lines to execve(2).
MFC after: 2 months Sponsored by: Apple, Inc.
|
184489 |
30-Oct-2008 |
rwatson |
When we drop an audit record going to an audit pipe because the audit pipe has overflowed, drop the newest, rather than oldest, record. This makes overflow drop behavior consistent with memory allocation failure leading to drop, avoids touching the consumer end of the queue from a producer, and lowers the CPU overhead of dropping a record by dropping before memory allocation and copying.
Obtained from: Apple, Inc. MFC after: 2 months
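The five audit pipe commits above (r184536, r184534, r184510, r184508 and r184489) describe one set of queue semantics: a partially read head record stays on the queue with an offset, a single read(2) may span several records, FIONREAD and the kqueue data field report all queued bytes minus that offset, and an overflowing pipe drops the newest record before allocating or copying anything. The model below is an added example, not the kernel's audit_pipe.c: the structure and function names, the QLIMIT constant and the scenario data are assumptions for illustration, and the kernel's locking and its copyout to user space are omitted.

```c
/*
 * Constructed model of the /dev/auditpipe record queue semantics described
 * in r184489, r184508, r184534 and r184536. Not the FreeBSD kernel's code;
 * names, QLIMIT and the scenario below are assumptions for illustration.
 */
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define QLIMIT 4                        /* hypothetical per-pipe record limit */

struct apipe_entry {
	uint8_t *ape_data;
	size_t ape_len;
	struct apipe_entry *ape_next;
};

struct apipe {
	struct apipe_entry *ap_head, *ap_tail;
	size_t ap_qlen;                 /* records currently queued */
	size_t ap_qbyteslen;            /* bytes in all queued records */
	size_t ap_qoffset;              /* bytes of the head record already read */
	unsigned long ap_drops;         /* records dropped because the queue was full */
	unsigned long ap_reads;         /* read(2) calls seen */
};

void apipe_init(struct apipe *ap) { memset(ap, 0, sizeof(*ap)); }

/* Producer: enqueue a copy of one record, or drop it (the newest) if full. */
int apipe_append(struct apipe *ap, const void *data, size_t len)
{
	struct apipe_entry *ape;

	if (ap->ap_qlen >= QLIMIT) {    /* drop before allocating or copying */
		ap->ap_drops++;
		return (-1);
	}
	ape = malloc(sizeof(*ape));
	if (ape == NULL || (ape->ape_data = malloc(len)) == NULL) {
		free(ape);
		ap->ap_drops++;
		return (-1);
	}
	memcpy(ape->ape_data, data, len);
	ape->ape_len = len;
	ape->ape_next = NULL;
	if (ap->ap_tail != NULL) ap->ap_tail->ape_next = ape; else ap->ap_head = ape;
	ap->ap_tail = ape;
	ap->ap_qlen++;
	ap->ap_qbyteslen += len;
	return (0);
}

/* What FIONREAD and the kqueue data field report: bytes readable right now. */
size_t apipe_pending(const struct apipe *ap) { return (ap->ap_qbyteslen - ap->ap_qoffset); }

/* Consumer: copy up to buflen bytes, continuing a partially read head record
 * and crossing record boundaries as needed. */
size_t apipe_read(struct apipe *ap, void *buf, size_t buflen)
{
	size_t copied = 0;

	ap->ap_reads++;
	while (copied < buflen && ap->ap_head != NULL) {
		struct apipe_entry *ape = ap->ap_head;
		size_t avail = ape->ape_len - ap->ap_qoffset;
		size_t n = (buflen - copied < avail) ? buflen - copied : avail;

		memcpy((uint8_t *)buf + copied, ape->ape_data + ap->ap_qoffset, n);
		copied += n;
		ap->ap_qoffset += n;
		if (ap->ap_qoffset == ape->ape_len) {   /* fully consumed: dequeue */
			ap->ap_head = ape->ape_next;
			if (ap->ap_head == NULL) ap->ap_tail = NULL;
			ap->ap_qlen--;
			ap->ap_qbyteslen -= ape->ape_len;
			ap->ap_qoffset = 0;
			free(ape->ape_data);
			free(ape);
		}
	}
	/* Invariants in the spirit of r184536: an offset always indexes a head record. */
	assert(ap->ap_qoffset == 0 ||
	    (ap->ap_head != NULL && ap->ap_qoffset < ap->ap_head->ape_len));
	assert(ap->ap_qbyteslen == 0 || ap->ap_head != NULL);
	return (copied);
}

/* Flush (the ioctl path of r184508): discard everything, half-read head included. */
void apipe_flush(struct apipe *ap)
{
	struct apipe_entry *ape;

	while ((ape = ap->ap_head) != NULL) {
		ap->ap_head = ape->ape_next;
		free(ape->ape_data);
		free(ape);
	}
	ap->ap_tail = NULL;
	ap->ap_qlen = ap->ap_qbyteslen = ap->ap_qoffset = 0;
}

/* Scenario: a short read splits the first record, a large read drains the
 * rest across two records, then overflow drops the newest. Returns the
 * number of failed checks (0 when the model behaves as described). */
int apipe_scenario(void)
{
	struct apipe ap;
	char buf[16];
	int failed = 0;

	apipe_init(&ap);
	apipe_append(&ap, "AAAAA", 5);
	apipe_append(&ap, "BBB", 3);
	failed += apipe_pending(&ap) != 8;
	failed += apipe_read(&ap, buf, 2) != 2 || memcmp(buf, "AA", 2) != 0;
	failed += apipe_pending(&ap) != 6 || ap.ap_qlen != 2;     /* head retained */
	failed += apipe_read(&ap, buf, sizeof(buf)) != 6 || memcmp(buf, "AAABBB", 6) != 0;
	failed += apipe_pending(&ap) != 0 || ap.ap_qlen != 0;
	for (int i = 0; i < QLIMIT + 1; i++)
		apipe_append(&ap, "R", 1);
	failed += ap.ap_qlen != QLIMIT || ap.ap_drops != 1;       /* newest dropped */
	apipe_flush(&ap);
	failed += apipe_pending(&ap) != 0 || ap.ap_reads != 2;
	return (failed);
}

int main(void)
{
	int failed = apipe_scenario();

	printf("audit pipe model: %d failed check(s)\n", failed);
	return (failed != 0);
}
```

The point a consumer should take from the model is that, after these commits, a praudit-style reader no longer needs a buffer sized for the largest possible record; it can read in FILE-sized chunks and rely on the offset to continue, while FIONREAD tells it how much is really outstanding.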
|
184488 |
30-Oct-2008 |
rwatson |
Break out single audit_pipe_mtx into two types of locks: a global rwlock protecting the list of audit pipes, and a per-pipe mutex protecting the queue.
Likewise, replace the single global condition variable used to signal delivery of a record to one or more pipes, and add a per-pipe condition variable to avoid spurious wakeups when event subscriptions differ across multiple pipes.
This slightly increases the cost of delivering to audit pipes, but should reduce lock contention in the presence of multiple readers as only the per-pipe lock is required to read from a pipe, as well as avoid overhead when different pipes are used in different ways.
MFC after: 2 months Sponsored by: Apple, Inc.
|
184482 |
30-Oct-2008 |
rwatson |
Protect the event->class lookup database using an rwlock instead of a mutex, as it's rarely changed but frequently accessed read-only from multiple threads, so a potentially significant source of contention.
MFC after: 1 month Sponsored by: Apple, Inc.
|
183381 |
26-Sep-2008 |
ed |
Remove unit2minor() use from kernel code.
When I changed kern_conf.c three months ago I made device unit numbers equal to (unneeded) device minor numbers. We used to require bitshifting, because there were eight bits in the middle that were reserved for a device major number. Not very long after I turned dev2unit(), minor(), unit2minor() and minor2unit() into macros. The unit2minor() and minor2unit() macros were no-ops.
We'd better not remove these four macros from the kernel, because there is a lot of (external) code that may still depend on them. For now it's harmless to remove all invocations of unit2minor() and minor2unit().
Reviewed by: kib
|
182754 |
04-Sep-2008 |
des |
Unbreak the build.
Pointy hat to: kevlo
|
182750 |
04-Sep-2008 |
kevlo |
If the process id specified is invalid, the system call returns ESRCH
|
182371 |
28-Aug-2008 |
attilio |
Decontextualize the couplet VOP_GETATTR / VOP_SETATTR as the passed thread was always curthread and totally unuseful.
Tested by: Giovanni Trematerra <giovanni dot trematerra at gmail dot com>
|
182158 |
25-Aug-2008 |
rwatson |
More fully audit fexecve(2) and its arguments.
Obtained from: TrustedBSD Project Sponsored by: Google, Inc.
|
182118 |
24-Aug-2008 |
rwatson |
Use ERANGE instead of EOVERFLOW selected in r182059, this seems more appropriate even if Solaris doesn't document it (E2BIG) or use it (EOVERFLOW).
Submitted by: nectar at apple dot com Sponsored by: Apple, Inc. MFC after: 3 days
|
182090 |
24-Aug-2008 |
csjp |
Use sbuf_putc instead of sbuf_cat. This makes more sense, since we are appending a single character to the buffer.
MFC after: 2 weeks
|
182059 |
23-Aug-2008 |
rwatson |
When getaudit(2) is unable to fit the terminal IPv6 address into the space provided by its argument structure, return EOVERFLOW instead of E2BIG. The latter is documented in Solaris's man page, but the former is implemented. In either case, the caller should use getaudit_addr(2) to return the IPv6 address.
Submitted by: sson Obtained from: Apple, Inc. MFC after: 3 days
|
181604 |
11-Aug-2008 |
csjp |
Make sure we check the preselection masks present for all audit pipes. It is possible that the audit pipe(s) have different preselection configs than the global preselection mask.
Spotted by: Vincenzo Iozzo MFC after: 2 weeks
|
181060 |
31-Jul-2008 |
csjp |
Currently, BSM audit pathname token generation for chrooted or jailed processes is not producing absolute pathname tokens. It is required that audited pathnames are generated relative to the global root mount point. This modification changes our implementation of audit_canon_path(9) and introduces a new function: vn_fullpath_global(9) which performs a vnode -> pathname translation relative to the global mount point based on the contents of the name cache. Much like vn_fullpath, vn_fullpath_global is a wrapper function which calls vn_fullpath1.
Further, the string parsing routines have been converted to use the sbuf(9) framework. This change also removes the conditional acquisition of Giant, since the vn_fullpath1 method will not dip into file system dependent code.
The vnode locking was modified to use vhold()/vdrop() instead of vref() and vrele(). This will modify the hold count instead of modifying the user count. This makes more sense since it's the kernel that requires the reference to the vnode. This also makes sure that the vnode does not get recycled while we hold the reference to it. [1]
Discussed with: rwatson Reviewed by: kib [1] MFC after: 2 weeks
|
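The rule r181060 states, that an audited pathname is expressed relative to the global root rather than the process's own root, is the property an analyst relies on when a jailed or chrooted process opens "/etc/passwd": the record must show where that file really lives on the host. The function below is an added model of that rule, not FreeBSD's audit_canon_path(); it assumes the caller already has the global paths of the process root and working directory (in the kernel those come from the name cache via vn_fullpath_global()), that root is given without a trailing slash, and it collapses "." and ".." components, with ".." unable to climb above the process root, mirroring what a lookup confined to that root would do. Those normalization details are this example's assumption, not something the commit specifies.

```c
/*
 * Constructed model of the pathname-canonicalization rule from r181060:
 * audited paths are made absolute relative to the global root, so a jailed
 * process's view of "/" is prefixed with the jail root's global path.
 * Not FreeBSD's audit_canon_path(); the ".."-clamping and the static
 * result buffer are assumptions of this example.
 */
#include <stdio.h>
#include <string.h>

#define PATH_MAX_MODEL 1024

/* Append one component to a normalized buffer; returns 0 on overflow. */
static int push_component(char *out, size_t outlen, size_t *len,
    const char *comp, size_t clen)
{
	if (*len + 1 + clen + 1 > outlen)
		return (0);
	if (*len != 1)                  /* no "//" after the leading "/" */
		out[(*len)++] = '/';
	memcpy(out + *len, comp, clen);
	*len += clen;
	out[*len] = '\0';
	return (1);
}

/* Drop the last component, but never climb above floor (the root prefix). */
static void pop_component(char *out, size_t *len, size_t floor)
{
	while (*len > floor && out[*len - 1] != '/')
		(*len)--;
	if (*len > floor)               /* remove the separating '/' too */
		(*len)--;
	out[*len] = '\0';
}

/* Walk a '/'-separated string, collapsing "", "." and ".." components. */
static int append_normalized(char *out, size_t outlen, size_t *len,
    size_t floor, const char *path)
{
	const char *p = path;

	while (*p != '\0') {
		const char *q = strchr(p, '/');
		size_t clen = q ? (size_t)(q - p) : strlen(p);

		if (clen == 0 || (clen == 1 && p[0] == '.'))
			;                       /* nothing to add */
		else if (clen == 2 && p[0] == '.' && p[1] == '.')
			pop_component(out, len, floor);
		else if (!push_component(out, outlen, len, p, clen))
			return (0);
		p = q ? q + 1 : p + clen;
	}
	return (1);
}

/*
 * root: global path of the process root ("/" when not chrooted or jailed).
 * cwd:  global path of the process working directory (must lie under root).
 * path: the pathname argument exactly as passed to the system call.
 * Returns the global pathname in a static buffer, or NULL on error.
 */
const char *audit_canon_path_model(const char *root, const char *cwd,
    const char *path)
{
	static char out[PATH_MAX_MODEL];
	size_t len = 1, floor, rootlen = strlen(root);

	out[0] = '/';
	out[1] = '\0';
	if (!append_normalized(out, sizeof(out), &len, 1, root))
		return (NULL);
	floor = len;                    /* ".." cannot climb above this point */
	if (path[0] != '/') {
		/* Relative paths resolve against cwd, which must be inside root. */
		if (strncmp(cwd, root, rootlen) != 0 ||
		    (rootlen > 1 && cwd[rootlen] != '\0' && cwd[rootlen] != '/'))
			return (NULL);
		if (!append_normalized(out, sizeof(out), &len, floor, cwd + rootlen))
			return (NULL);
	}
	if (!append_normalized(out, sizeof(out), &len, floor, path))
		return (NULL);
	return (out);
}

int main(void)
{
	/* A jailed process (root /jail/www) opening /etc/passwd is recorded as
	 * /jail/www/etc/passwd; an unjailed one as /etc/passwd. */
	printf("%s\n", audit_canon_path_model("/jail/www", "/jail/www/tmp", "/etc/passwd"));
	printf("%s\n", audit_canon_path_model("/jail/www", "/jail/www", "../../etc/shadow"));
	printf("%s\n", audit_canon_path_model("/", "/home/u", "../../etc/shadow"));
	return (0);
}
```

Because the result is always rooted at the host's "/", two jails with identical internal layouts produce distinguishable path tokens, which is what makes centralized review of records from several jails on one host workable.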
181053 |
31-Jul-2008 |
rwatson |
Further synchronization of copyrights, licenses, white space, etc from Apple and from the OpenBSM vendor tree.
Obtained from: Apple Inc., TrustedBSD Project MFC after: 3 days
|
180735 |
23-Jul-2008 |
rwatson |
Minor white space tweak.
Obtained from: Apple Inc. MFC after: 3 days
|
180716 |
22-Jul-2008 |
rwatson |
If an AUE_SYSCTL_NONADMIN audit event is selected, generate a record with equivalent content to AUE_SYSCTL.
Obtained from: Apple Inc. MFC after: 3 days
|
180715 |
22-Jul-2008 |
rwatson |
Further minor style fixes to audit.
Obtained from: Apple Inc. MFC after: 3 days
|
180712 |
22-Jul-2008 |
rwatson |
Remove unneeded \ at the end of a macro.
Obtained from: Apple Inc. MFC after: 3 days
|
180711 |
22-Jul-2008 |
rwatson |
Further minor white space tweaks.
Obtained from: Apple Inc. MFC after: 3 days
|
180709 |
22-Jul-2008 |
rwatson |
Generally avoid <space><tab> as a white space anomaly.
Obtained from: Apple Inc. MFC after: 3 days
|
180708 |
22-Jul-2008 |
rwatson |
Use #define<tab> rather than #define<space>.
Obtained from: Apple Inc. MFC after: 3 days
|
180706 |
22-Jul-2008 |
rwatson |
Comment fix.
Obtained from: Apple Inc. MFC after: 3 days
|
180704 |
22-Jul-2008 |
rwatson |
Comment typo fix.
Obtained from: Apple Inc. MFC after: 3 days
|
180703 |
22-Jul-2008 |
rwatson |
Minor white space synchronization to Apple version of security audit.
Obtained from: Apple Inc. MFC after: 3 days
|
180701 |
22-Jul-2008 |
rwatson |
In preparation to sync Apple and FreeBSD versions of security audit, pick up the Apple Computer -> Apple change in their copyright and license templates.
Obtained from: Apple Inc. MFC after: 3 days
|
180699 |
22-Jul-2008 |
rwatson |
Use unsigned int when iterating over groupsets in audit_arg_groupset().
Obtained from: Apple Inc. MFC after: 3 days
|
179726 |
11-Jun-2008 |
ed |
Don't enforce unique device minor number policy anymore.
Except for the case where we use the cloner library (clone_create() and friends), there is no reason to enforce a unique device minor number policy. There are various drivers in the source tree that allocate unr pools and such to provide minor numbers, without using them themselves.
Because we still need to support unique device minor numbers for the cloner library, introduce a new flag called D_NEEDMINOR. All cdevsw's that are used in combination with the cloner library should be marked with this flag to make the cloning work.
This means drivers can now freely use si_drv0 to store their own flags and state, making it effectively the same as si_drv1 and si_drv2. We still keep the minor() and dev2unit() routines around to make drivers happy.
The NTFS code also used the minor number in its hash table. We should not do this anymore. If the si_drv0 field would be changed, it would no longer end up in the same list.
Approved by: philip (mentor)
|
179715 |
10-Jun-2008 |
simon |
When the file-system containing the audit log file is running low on disk space a warning is printed. Make this warning a bit more informative.
Approved by: rwatson
|
179517 |
03-Jun-2008 |
rwatson |
Add an XXX comment regarding a bug I introduced when modifying the behavior of audit log vnode rotation: on shutdown, we may not properly drain all pending records, which could lead to lost records during system shutdown.
|
179178 |
21-May-2008 |
rwatson |
Don't use LK_DRAIN before calling VOP_FSYNC() in the two further panic cases for audit trail failure -- this doesn't contribute anything, and might arguably be wrong.
MFC after: 1 week Requested by: attilio
|
179176 |
21-May-2008 |
rwatson |
Don't use LK_DRAIN before calling VOP_FSYNC() in the panic case for audit trail failure -- this doesn't contribute anything, and might arguably be wrong.
MFC after: 1 week Requested by: attilio
|
178802 |
06-May-2008 |
rwatson |
When testing whether to enter the audit argument gathering code, rather than checking whether audit is enabled globally, instead check whether the current thread has an audit record. This avoids entering the audit code to collect argument data if auditing is enabled but the current system call is not of interest to audit.
MFC after: 1 week Sponsored by: Apple, Inc.
|
178617 |
27-Apr-2008 |
rwatson |
Fix include guard spelling.
MFC after: 3 days Submitted by: diego
|
178461 |
24-Apr-2008 |
rwatson |
Use logic or, not binary or, when deciding whether or not a system call exit requires entering the audit code. The result is much the same, but they mean different things.
MFC after: 3 days Submitted by: Diego Giagio <dgiagio at gmail dot com>
|
178322 |
19-Apr-2008 |
rwatson |
When auditing state from an IPv4 or IPv6 socket, use read locks on the inpcb rather than write locks.
MFC after: 3 months
|
178285 |
17-Apr-2008 |
rwatson |
Convert pcbinfo and inpcb mutexes to rwlocks, and modify macros to explicitly select write locking for all use of the inpcb mutex. Update some pcbinfo lock assertions to assert locked rather than write-locked, although in practice almost all uses of the pcbinfo rwlock remain exclusive, and all instances of inpcb lock acquisition are exclusive.
This change should introduce (ideally) little functional change. However, it lays the groundwork for significantly increased parallelism in the TCP/IP code.
MFC after: 3 months Tested by: kris (superset of committed patch)
|
178186 |
13-Apr-2008 |
rwatson |
Use __FBSDID() for $FreeBSD$ IDs in the audit code.
MFC after: 3 days
|
177253 |
16-Mar-2008 |
rwatson |
In keeping with style(9)'s recommendations on macros, use a ';' after each SYSINIT() macro invocation. This makes a number of lightweight C parsers much happier with the FreeBSD kernel source, including cflow's prcc and lxr.
MFC after: 1 month Discussed with: imp, rink
|
177033 |
10-Mar-2008 |
rwatson |
Remove XXX to remind me to check the free space calculation, which to my eyes appears right following a check.
MFC after: 3 days
|
176887 |
06-Mar-2008 |
csjp |
Change auditon(2) so that if somebody supplies an invalid command, it returns EINVAL. Right now we return 0 or success for invalid commands, which could be quite problematic in certain conditions.
MFC after: 1 week Discussed with: rwatson
|
176749 |
02-Mar-2008 |
rwatson |
Rather than copying out the full audit trigger record, which includes a queue entry field, just copy out the unsigned int that is the trigger message. In practice, auditd always requested sizeof(unsigned int), so the extra bytes were ignored, but copying them out was not the intent.
MFC after: 1 month
|
176690 |
01-Mar-2008 |
rwatson |
Add audit_prefixes to two more globally visible functions in the Audit implementation.
MFC after: 1 month
|
176686 |
01-Mar-2008 |
rwatson |
Rename globally exposed symbol send_trigger() to audit_send_trigger().
MFC after: 1 month
|
176627 |
27-Feb-2008 |
rwatson |
Replace somewhat awkward audit trail rotation scheme, which involved the global audit mutex and condition variables, with an sx lock which protects the trail vnode and credential while in use, and is acquired by the system call code when rotating the trail. Previously, a "message" would be sent to the kernel audit worker, which did the rotation, but the new code is simpler and (hopefully) less error-prone.
Obtained from: TrustedBSD Project MFC after: 1 month
|
176565 |
25-Feb-2008 |
rwatson |
Rename several audit functions in the global kernel symbol namespace to have audit_ on the front:
- canon_path -> audit_canon_path
- msgctl_to_event -> audit_msgctl_to_event
- semctl_to_event -> audit_semctl_to_event
MFC after: 1 month
|
175763 |
28-Jan-2008 |
csjp |
Make sure that the termid type is initialized to AU_IPv4 by default. This makes sure that process tokens credentials with un-initialized audit contexts are handled correctly. Currently, when invariants are enabled, this change fixes a panic by ensuring that we have a valid termid family. Also, this fixes token generation for process tokens making sure that userspace is always getting a valid token.
This is consistent with what Solaris does when an audit context is un-initialized.
Obtained from: TrustedBSD Project MFC after: 1 week
|
175456 |
18-Jan-2008 |
csjp |
Fix gratuitous whitespace bug
MFC after: 1 week Obtained from: TrustedBSD Project
|
175455 |
18-Jan-2008 |
csjp |
Add a case for AUE_LISTEN. This removes the following console error message:
"BSM conversion requested for unknown event 43140"
It should be noted that we need to audit the fd argument for this system call.
Obtained from: TrustedBSD Project MFC after: 1 week
|
175294 |
13-Jan-2008 |
attilio |
VOP_LOCK1() (and so VOP_LOCK()) and VOP_UNLOCK() are only used in conjunction with 'thread' argument passing which is always curthread. Remove the unuseful extra-argument and pass explicitly curthread to lower layer functions, when necessary.
KPI results broken by this change, which should affect several ports, so version bumping and manpage update will be further committed.
Tested by: kris, pho, Diego Sardina <siarodx at gmail dot com>
|
175202 |
10-Jan-2008 |
attilio |
vn_lock() is currently only used with the 'curthread' passed as argument. Remove this argument and pass curthread directly to underlying VOP_LOCK1() VFS method. This modification makes the code cleaner and in particular removes an annoying dependence helping next lockmgr() cleanup. KPI results, obviously, changed.
Manpage and FreeBSD_version will be updated through further commits.
As a side note, would be valuable to say that next commits will address a similar cleanup about VFS methods, in particular vop_lock1 and vop_unlock.
Tested by: Diego Sardina <siarodx at gmail dot com>, Andrea Di Pasquale <whyx dot it at gmail dot com>
|
174894 |
25-Dec-2007 |
wkoszek |
Change "audit_pipe_preselect" to "audit_pipe_presel" to make it print with proper alignment in ddb(4) and vmstat(8).
Reviewed by: rwatson@
|
174267 |
04-Dec-2007 |
wkoszek |
Explicitly initialize 'ret' to 0. It lets one build tmpfs from the latest source tree with an older compiler--gcc3.
Approved by: cognet (mentor)
|
173142 |
29-Oct-2007 |
rwatson |
Replace use of AU_NULL with 0 when no audit classes are in use; this supports the removal of hard-coded audit class constants in OpenBSM 1.0. All audit classes are now dynamically configured via the audit_class database.
Obtained from: TrustedBSD Project
|
173083 |
27-Oct-2007 |
csjp |
Make sure we are incrementing the read count for each audit pipe read.
MFC after: 1 week
|
172995 |
26-Oct-2007 |
csjp |
Implement AUE_CORE, which adds process core dump support into the kernel. This change introduces audit_proc_coredump() which is called by coredump(9) to create an audit record for the coredump event. When a process dumps a core, it could be security relevant. It could be an indicator that a stack within the process has been overflowed with an incorrectly constructed malicious payload or a number of other events.
The record that is generated looks like this:
header,111,10,process dumped core,0,Thu Oct 25 19:36:29 2007, + 179 msec
argument,0,0xb,signal
path,/usr/home/csjp/test.core
subject,csjp,csjp,staff,csjp,staff,1101,1095,50457,10.37.129.2
return,success,1
trailer,111
- We allocate a completely new record to make sure we aren't clobbering the audit data associated with the syscall that produced the core (assuming the core is being generated in response to SIGABRT and not an invalid memory access).
- Shuffle around expand_name() so we can use the coredump name at the very beginning of the coredump call. Make sure we free the storage referenced by "name" if we need to bail out early.
- Audit both successful and failed coredump creation efforts
Obtained from: TrustedBSD Project Reviewed by: rwatson MFC after: 1 month
|
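The AUE_CORE record shown in r172995 is worth consuming programmatically: a core dump with signal 0xb (SIGSEGV) on a network-facing daemon is exactly the "incorrectly constructed malicious payload" signal the commit message describes. The parser below is an added example, not part of the commit or of OpenBSM's praudit(1); it takes the praudit-style text record from the commit message (embedded here as the constructed sample) and pulls out the signal, the core path, the audit user, the terminal address and the result. The field positions follow the token layout visible in that record, and the assumption that praudit's plain-text form does not escape commas inside path names is why a production consumer should prefer its XML output.

```c
/*
 * Constructed example: extract the alert-worthy fields from the
 * "process dumped core" record format shown in r172995. Not part of
 * OpenBSM; the token field positions are taken from the sample record.
 */
#include <stdio.h>
#include <string.h>

struct core_event {
	char signal[16];        /* argument token value, e.g. "0xb" */
	char path[256];         /* path token: where the core was written */
	char auid[64];          /* subject token: audit user */
	char addr[64];          /* subject token: terminal address */
	int success;            /* return token: core file written or not */
};

/* The record from the commit message, one token per line. */
static const char *SAMPLE_RECORD =
    "header,111,10,process dumped core,0,Thu Oct 25 19:36:29 2007, + 179 msec\n"
    "argument,0,0xb,signal\n"
    "path,/usr/home/csjp/test.core\n"
    "subject,csjp,csjp,staff,csjp,staff,1101,1095,50457,10.37.129.2\n"
    "return,success,1\n"
    "trailer,111\n";

/* Copy comma-separated field idx (0-based) of line[0..linelen) into dst. */
static int field(const char *line, size_t linelen, int idx, char *dst, size_t dstlen)
{
	const char *p = line, *end = line + linelen, *c;
	size_t n;

	for (int i = 0; i < idx; i++) {
		c = memchr(p, ',', (size_t)(end - p));
		if (c == NULL)
			return (0);
		p = c + 1;
	}
	c = memchr(p, ',', (size_t)(end - p));
	n = c ? (size_t)(c - p) : (size_t)(end - p);
	if (n >= dstlen)
		n = dstlen - 1;
	memcpy(dst, p, n);
	dst[n] = '\0';
	return (1);
}

/* Returns 1 if the record is a "process dumped core" event and fills ev. */
int parse_core_record(const char *record, struct core_event *ev)
{
	char tok[32], tmp[64];
	int is_core = 0;

	memset(ev, 0, sizeof(*ev));
	for (const char *line = record; *line != '\0'; ) {
		const char *nl = strchr(line, '\n');
		size_t len = nl ? (size_t)(nl - line) : strlen(line);

		if (field(line, len, 0, tok, sizeof(tok))) {
			if (strcmp(tok, "header") == 0 && field(line, len, 3, tmp, sizeof(tmp)))
				is_core = strcmp(tmp, "process dumped core") == 0;
			else if (strcmp(tok, "argument") == 0 &&
			    field(line, len, 3, tmp, sizeof(tmp)) && strcmp(tmp, "signal") == 0)
				field(line, len, 2, ev->signal, sizeof(ev->signal));
			else if (strcmp(tok, "path") == 0)
				field(line, len, 1, ev->path, sizeof(ev->path));
			else if (strcmp(tok, "subject") == 0) {
				field(line, len, 1, ev->auid, sizeof(ev->auid));
				field(line, len, 9, ev->addr, sizeof(ev->addr));
			} else if (strcmp(tok, "return") == 0 && field(line, len, 1, tmp, sizeof(tmp)))
				ev->success = strcmp(tmp, "success") == 0;
		}
		line = nl ? nl + 1 : line + len;
	}
	return (is_core);
}

struct core_event g_core;       /* filled by demo_parse() for inspection */

int demo_parse(void)
{
	return (parse_core_record(SAMPLE_RECORD, &g_core));
}

int main(void)
{
	if (demo_parse())
		printf("core dump by auid=%s from %s: signal %s, core %s (%s)\n",
		    g_core.auid, g_core.addr, g_core.signal, g_core.path,
		    g_core.success ? "written" : "not written");
	return (0);
}
```

Because the kernel audits both successful and failed core creation, the return token matters for triage: a failed core write still tells you a process crashed, but leaves no file to examine, so the path in the record is the only lead.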
172930 |
24-Oct-2007 |
rwatson |
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms:
mac_<object>_<method/action> mac_<object>_check_<method/action>
The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names.
All MAC policy modules will need to be recompiled, and modules not updated as part of this commit will need to be modified to conform to the new KPI.
Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
|
172915 |
24-Oct-2007 |
csjp |
Use extended process token. The in kernel process audit state is stored in an extended subject token now. Make sure that we are using the extended data. This fixes the termID for process tokens.
Obtained from: TrustedBSD Project Discussed with: rwatson MFC after: 1 week
|
172836 |
20-Oct-2007 |
julian |
Rename the kthread_xxx (e.g. kthread_create()) calls to kproc_xxx as they actually make whole processes. This makes way for us to add REAL kthread_create() and friends that actually make threads. It turns out that most of these calls actually end up being moved back to the thread version when it's added. But we need to make this cosmetic change first.
I'd LOVE to do this rename in 7.0 so that we can eventually MFC the new kthread_xxx() calls.
|
172583 |
12-Oct-2007 |
csjp |
- Change the wakeup logic associated with having multiple sleepers on multiple different audit pipes. The old method used cv_signal() which would result in only one thread being woken up after we appended a record to its queue. This resulted in untimely wake-ups when processing audit records real-time.
- Assign PSOCK priority to threads that have been sleeping on a read(2). This is the same priority threads are woken up with when they select(2) or poll(2). This yields fairness between various forms of sleep on the audit pipes.
Obtained from: TrustedBSD Project Discussed with: rwatson MFC after: 1 week
|
171144 |
01-Jul-2007 |
rwatson |
Remove two boot printfs generated by Audit to announce its presence, and replace with software-testable sysctl node (security.audit) that can be used to detect kernel audit support.
Obtained from: TrustedBSD Project Approved by: re (kensmith)
|
171066 |
27-Jun-2007 |
csjp |
- Add audit_arg_audinfo_addr() for auditing the arguments for setaudit_addr(2)
- In audit_bsm.c, make sure all the arguments: ARG_AUID, ARG_ASID, ARG_AMASK, and ARG_TERMID{_ADDR} are valid before auditing their arguments. (This is done for both setaudit and setaudit_addr.)
- Audit the arguments passed to setaudit_addr(2)
- AF_INET6 does not equate to AU_IPv6. Change this in au_to_in_addr_ex() so the audit token is created with the correct type. This fixes the processing of the in_addr_ex token in userspace.
- Change the size of the token (as generated by the kernel) from 5*4 bytes to 4*4 bytes (the correct size of an ip6 address)
- Correct regression from ucred work which resulted in getaudit() not returning E2BIG if the subject had an ip6 termid
- Correct slight regression in getaudit(2) which resulted in the size of a pointer being passed instead of the size of the structure. (This resulted in invalid auditinfo data being returned via getaudit(2))
Reviewed by: rwatson Approved by: re@ (kensmith) Obtained from: TrustedBSD Project MFC after: 1 month
|
171047 |
26-Jun-2007 |
rwatson |
Add a new MAC framework and policy entry point, mpo_check_proc_setaudit_addr to be used when controlling use of setaudit_addr(), rather than mpo_check_proc_setaudit(), which takes a different argument type.
Reviewed by: csjp Approved by: re (kensmith)
|
170777 |
15-Jun-2007 |
rwatson |
In setaudit_addr(), drop the process lock in error cases.
Submitted by: Peter Holm <peter@holm.cc> (BugMaster)
|
170691 |
14-Jun-2007 |
rwatson |
Spell statistics more correctly in comments.
|
170687 |
13-Jun-2007 |
rwatson |
Close a very narrow race that might cause a trigger allocation to be leaked if a trigger is delivered as the trigger device is closed.
Obtained from: TrustedBSD Project
|
170585 |
11-Jun-2007 |
rwatson |
Clean up, and sometimes remove, a number of audit-related implementation comments.
Obtained from: TrustedBSD Project
|
170407 |
07-Jun-2007 |
rwatson |
Move per-process audit state from a pointer in the proc structure to embedded storage in struct ucred. This allows audit state to be cached with the thread, avoiding locking operations with each system call, and makes it available in asynchronous execution contexts, such as deep in the network stack or VFS.
Reviewed by: csjp Approved by: re (kensmith) Obtained from: TrustedBSD Project
|
170196 |
01-Jun-2007 |
rwatson |
Clean up audit comments--formatting, spelling, etc.
|
170183 |
01-Jun-2007 |
kib |
Change the VOP_OPEN(), vn_open() vnode operation and d_fdopen() cdev operation argument from being file descriptor index into the pointer to struct file: part 2. Convert calls missed in the first big commit.
Noted by: rwatson Pointy hat to: kib
|
170182 |
01-Jun-2007 |
rwatson |
Remove AUDIT_PRINTF() debugging statements and definition; clean up or remove associated comments.
Slip audit_file_rotate_wait assignment in audit_rotate_vnode() before the drop of the global audit mutex.
Obtained from: TrustedBSD Project
|
170132 |
30-May-2007 |
rwatson |
Remove unused !AUDIT audit_proc_*() prototypes: unlike in Mac OS X, we don't define or use these functions if AUDIT isn't configured.
Obtained from: TrustedBSD Project
|
170131 |
30-May-2007 |
rwatson |
Synchronize white space to congruent user-space code in OpenBSM.
Obtained from: TrustedBSD Project
|
170130 |
30-May-2007 |
rwatson |
Remove unused ar_subj_comm field from in-kernel audit record; we never export this via BSM, so don't pay space/time cost of maintaining it.
Obtained from: TrustedBSD Project
|
170127 |
30-May-2007 |
rwatson |
Consistent white space after .'s in comments.
|
169896 |
23-May-2007 |
rwatson |
No need to force __inline__ of currecord(), as the compiler will usefully inline it when needed already, and the symbol is also required outside of audit.c. This silences a new gcc warning on the topic of using __inline__ instead of __inline.
MFC after: 3 days
|
169831 |
21-May-2007 |
rwatson |
Short name of kernel audit worker thread from "audit_worker" to "audit".
MFC after: 3 days
|
169097 |
29-Apr-2007 |
rwatson |
Don't expose #ifdef NOTYET parts to userspace via audit_ioctl.h, just remove them, since the functionality they are associated with isn't there yet.
MFC after: 3 days
|
168933 |
21-Apr-2007 |
rwatson |
Allow MAC policy modules to control access to audit configuration system calls. Add MAC Framework entry points and MAC policy entry points for audit(), auditctl(), auditon(), setaudit(), and setauid().
MAC Framework entry points are only added for audit system calls where additional argument context may be useful for policy decision-making; other audit system calls without arguments may be controlled via the priv(9) entry points.
Update various policy modules to implement audit-related checks, and in some cases, other missing system-related checks.
Obtained from: TrustedBSD Project Sponsored by: SPARTA, Inc.
|
168814 |
17-Apr-2007 |
rwatson |
Remove $P4$ that snuck into CVS from Perforce.
|
168783 |
16-Apr-2007 |
rwatson |
Merge OpenBSM 1.0 alpha 14 changes to src/sys/security/audit:
- au_to_attr64(), au_to_process64(), au_to_subject64(), au_to_subject64_ex(), au_to_zonename(), au_to_header64_tm().
- Extended address token fixes.
Obtained from: TrustedBSD Project
|
168688 |
13-Apr-2007 |
csjp |
Fix the handling of IPv6 addresses for subject and process BSM audit tokens. Currently, we do not support the set{get}audit_addr(2) system calls which allow processes like sshd to set extended or ip6 information for subject tokens.
The approach that was taken was to change the process audit state slightly to use an extended terminal ID in the kernel. This allows us to store both IPv4 and IPv6 addresses. In the case that an IPv4 address is in use, we convert the terminal ID from a struct auditinfo_addr to a struct auditinfo.
If getaudit(2) is called when the subject is bound to an ip6 address, we return E2BIG.
- Change the internal audit record to store an extended terminal ID
- Introduce ARG_TERMID_ADDR
- Change the kaudit <-> BSM conversion process so that we are using the appropriate subject token. If the address associated with the subject is IPv4, we use the standard subject32 token. If the subject has an IPv6 address associated with them, we use an extended subject32 token.
- Fix a couple of endian issues where we do a couple of byte swaps when we shouldn't be. IP addresses are already in the correct byte order, so reading the ip6 address 4 bytes at a time and swapping them results in incorrect address data. It should be noted that the same issue was found in the openbsm library and it has been changed there too on the vendor branch
- Change A_GETPINFO to use the appropriate structures
- Implement A_GETPINFO_ADDR which basically does what A_GETPINFO does, but can also handle ip6 addresses
- Adjust get{set}audit(2) syscalls to convert the data auditinfo <-> auditinfo_addr
- Fully implement set{get}audit_addr(2)
NOTE: This adds the ability for processes to correctly set extended subject information. The appropriate userspace utilities still need to be updated.
MFC after: 1 month Reviewed by: rwatson Obtained from: TrustedBSD
|
168355 |
04-Apr-2007 |
rwatson |
Replace custom file descriptor array sleep lock constructed using a mutex and flags with an sxlock. This leads to a significant and measurable performance improvement as a result of access to shared locking for frequent lookup operations, reduced general overhead, and reduced overhead in the event of contention. All of these are important for threaded applications where simultaneous access to a shared file descriptor array occurs frequently. Kris has reported 2x-4x transaction rate improvements on 8-core MySQL benchmarks; smaller improvements can be expected for many workloads as a result of reduced overhead.
- Generally eliminate the distinction between "fast" and regular acquisition of the filedesc lock; the plan is that they will now all be fast. Change all locking instances to either shared or exclusive locks.
- Correct a bug (pointed out by kib) in fdfree() where previously msleep() was called without the mutex held; sx_sleep() is now always called with the sxlock held exclusively.
- Universally hold the struct file lock over changes to struct file, rather than the filedesc lock or no lock. Always update the f_ops field last. A further memory barrier is required here in the future (discussed with jhb).
- Improve locking and reference management in linux_at(), which fails to properly acquire vnode references before using vnode pointers. Annotate improper use of vn_fullpath(), which will be replaced at a future date.
In fcntl(), we conservatively acquire an exclusive lock, even though in some cases a shared lock may be sufficient, which should be revisited. The dropping of the filedesc lock in fdgrowtable() is no longer required as the sxlock can be held over the sleep operation; we should consider removing that (pointed out by attilio).
Tested by: kris Discussed with: jhb, kris, attilio, jeff
|
167211 |
04-Mar-2007 |
rwatson |
Remove 'MPSAFE' annotations from the comments above most system calls: all system calls now enter without Giant held, and then in some cases, acquire Giant explicitly.
Remove a number of other MPSAFE annotations in the credential code and tweak one or two other adjacent comments.
|
166845 |
20-Feb-2007 |
rwatson |
Update auditing of socket information for the inpcb new world order: so_pcb will always be non-NULL, and lock the inpcb while non-atomically accessing address data.
|
165845 |
06-Jan-2007 |
rwatson |
When returning early from audit_arg_file() due to so->so_pcb being NULL (due to an early reset or the like), remember to unlock the socket lock. This will not occur in 7-CURRENT, but could in theory occur in 6-STABLE.
MFC after: 1 week
|
165625 |
29-Dec-2006 |
rwatson |
Remove two XXX comments that no longer apply.
Obtained from: TrustedBSD Project
|
165624 |
29-Dec-2006 |
rwatson |
Use p_cansee() to check that a target process for an audit state manipulation is visible to the subject process. Remove XXX comments suggesting this.
Convert one XXX on a difference from Darwin into a note: it's not a bug, it's a feature.
Obtained from: TrustedBSD Project
|
165621 |
29-Dec-2006 |
rwatson |
Add a witness sleep warning to canon_path(), which invokes vput() and hence may perform an unbounded sleep. Remove an XXX comment suggesting that one be added.
Obtained from: TrustedBSD Project
|
165604 |
28-Dec-2006 |
rwatson |
Update a number of comments:
- Replace XXX with Note: in several cases where observations are made about future functionality rather than problems or bugs.
- Remove an XXX comment about byte order and au_to_ip() -- IP headers must be submitted in network byte order. Add a comment to this effect.
- Mention that we don't implement select/poll for /dev/audit.
Obtained from: TrustedBSD Project
|
164033 |
06-Nov-2006 |
rwatson |
Sweep kernel replacing suser(9) calls with priv(9) calls, assigning specific privilege names to a broad range of privileges. These may require some future tweaking.
Sponsored by: nCircle Network Security, Inc. Obtained from: TrustedBSD Project Discussed on: arch@ Reviewed (at least in part) by: mlaier, jmg, pjd, bde, ceri, Alex Lyashkov <umka at sevcity dot net>, Skip Ford <skip dot ford at verizon dot net>, Antoine Brodin <antoine dot brodin at laposte dot net>
|
164011 |
06-Nov-2006 |
csjp |
Change the type of ar_arg_sockaddr from struct sockaddr to struct sockaddr_storage. This structure is defined in RFC 2553 and is a more semantically correct structure for holding IP and IP6 sockaddr information. struct sockaddr is not big enough to hold all the required information for IP6, resulting in truncated addresses et al when auditing IP6 sockaddr information.
We also need to assume that the sa->sa_len has been validated before the call to audit_arg_sockaddr() is made, otherwise it could result in a buffer overflow. This is being done to accommodate auditing of network related arguments (like connect, bind et al) that will be added soon.
Discussed with: rwatson Obtained from: TrustedBSD Project MFC after: 2 weeks
|
163207 |
10-Oct-2006 |
csjp |
Mark the audit system calls as being un-implemented in jails. Currently we do not trust jails enough to execute audit related system calls. An example of this is with su(1), or login(1) within prisons. So, if the syscall request comes from a jail return ENOSYS. This will cause these utilities to operate as if audit is not present in the kernel.
Looking forward, this problem will be remedied by allowing non privileged users to maintain their own audit streams, but the details on exactly how this will be implemented need to be worked out.
This change should fix situations when options AUDIT has been compiled into the kernel, and utilities like su(1), or login(1) fail due to audit system call failures within jails.
This is a RELENG_6 candidate.
Reported by: Christian Brueffer Discussed with: rwatson MFC after: 3 days
|
162990 |
03-Oct-2006 |
rwatson |
Add BSM conversion switch entries for a number of system calls, many administrative, to prevent console warnings and enable basic event auditing (generally without arguments).
MFC after: 3 days Obtained from: TrustedBSD Project
|
162950 |
02-Oct-2006 |
rwatson |
Trim some no longer XXX comments. Remove some commented out debugging printfs.
MFC after: 3 days Obtained from: TrustedBSD Project
|
162944 |
02-Oct-2006 |
rwatson |
Audit path argument when changing audit trails.
Call NDFREE(), which while not currently strictly necessary, isn't a bad idea.
MFC after: 3 days Obtained from: TrustedBSD Project
|
162599 |
24-Sep-2006 |
rwatson |
Rework the way errors are handled with respect to how audit records are written to the audit trail file:
- audit_record_write() now returns void, and all file system specific error handling occurs inside this function. This pushes error handling complexity out of the record demux routine that hands off to both the trail and audit pipes, and makes trail behavior more consistent with pipes as a record destination.
- Rate limit kernel printfs associated with running low on space. Rate limit audit triggers for low space. Rate limit printfs for fail stop events. Rate limit audit worker write error printfs.
- Document in detail the types of limits and space checks we perform, and combine common cases.
This improves the audit subsystem's tolerance to low space conditions by avoiding toasting the console with printfs or waking up the audit daemon continuously.
MFC after: 3 days Obtained from: TrustedBSD Project
|
162508 |
21-Sep-2006 |
rwatson |
Merge OpenBSM 1.0 alpha 11 changes into src/sys/bsm and src/sys/security; primarily, add new event identifiers and update trigger names.
Obtained from: TrustedBSD Project
|
162466 |
20-Sep-2006 |
rwatson |
Rather than allocating all buffer memory for the completed BSM record when allocating the record in the first place, allocate the final buffer when closing the BSM record. At that point, more size information is available, so a sufficiently large buffer can be allocated.
This allows the kernel to generate audit records in excess of MAXAUDITDATA bytes, but is consistent with Solaris's behavior. This only comes up when auditing command line arguments, in which case we presume the administrator really does want the data as they have specified the policy flag to gather them.
Obtained from: TrustedBSD Project MFC after: 3 days
|
162465 |
20-Sep-2006 |
rwatson |
Add missing white space in au_to_exec_{args,env}().
MFC after: 3 days
|
162419 |
18-Sep-2006 |
csjp |
Make sure that lutimes(2) gets processed and converted into a BSM record.
Submitted by: rwatson MFC after: 1 day
|
162380 |
17-Sep-2006 |
csjp |
Correct a slight regression which was introduced with the implementation of audit pipes. If the kernel record was not selected for the trail or the pipe, any user supplied record attached to it would be tossed away, resulting in otherwise selected events being lost.
- Introduce two new masks: AR_PRESELECT_USER_TRAIL and AR_PRESELECT_USER_PIPE. Currently we have AR_PRESELECT_TRAIL and AR_PRESELECT_PIPE, which tell the audit worker that we are interested in the kernel record; with the additional masks we can determine if either the pipe or trail is interested in seeing the kernel or user record.
- In audit(2), we unconditionally set the AR_PRESELECT_USER_TRAIL and AR_PRESELECT_USER_PIPE masks under the assumption that userspace has done the preselection [1].
Currently, there is work being done that allows the kernel to parse and preselect user supplied records, so in the future preselection could occur in either layer. But there are still a few details to work out here.
[1] At some point we need to teach au_preselect(3) about the interests of all the individual audit pipes.
This is a RELENG_6 candidate.
Reviewed by: rwatson Obtained from: TrustedBSD Project MFC after: 1 week
|
162372 |
17-Sep-2006 |
rwatson |
Add AUE_SYSARCH to the list of audit events during BSM conversion to prevent a console warning. Eventually, we will capture more arguments for sysarch.
Obtained from: TrustedBSD Project MFC after: 3 days
|
162177 |
09-Sep-2006 |
rwatson |
Add a BSM conversion switch case for AUE_GETCWD, so that a console warning isn't generated when __getcwd() is invoked.
MFC after: 3 days Obtained from: TrustedBSD Project
|
162176 |
09-Sep-2006 |
rwatson |
Small style cleanup.
MFC after: 3 days
|
161970 |
04-Sep-2006 |
rwatson |
White space cleanup, no functional change.
|
161813 |
01-Sep-2006 |
wsalamon |
Audit the argv and env vectors passed in on exec: Add the argument auditing functions for argv and env. Add kernel-specific versions of the tokenizer functions for the arg and env represented as a char array. Implement the AUDIT_ARGV and AUDIT_ARGE audit policy commands to enable/disable argv/env auditing. Call the argument auditing from the exec system calls.
Obtained from: TrustedBSD Project Approved by: rwatson (mentor)
|
161646 |
26-Aug-2006 |
rwatson |
Allow the user process to query the kernel's notion of a maximum audit record size at run-time, which can be used by the user process to size the user space buffer it reads into from the audit pipe.
Perforce change: 105098 Obtained from: TrustedBSD Project
|
161635 |
26-Aug-2006 |
rwatson |
Update kernel OpenBSM parts, especially src/sys/bsm, for the OpenBSM 1.0 alpha 9 import. See the OpenBSM import commit message for a detailed summary of changes.
Obtained from: TrustedBSD Project
|
161601 |
25-Aug-2006 |
rwatson |
Remove $P4$ from this file; other than temporarily P4-local work in progress, the kernel audit code in CVS is considered authoritative. This will ease $P4$-related merging issues during the CVS loopback.
Obtained from: TrustedBSD Project
|
161582 |
24-Aug-2006 |
rwatson |
Add kqueue support to audit pipe pseudo-devices.
Obtained from: TrustedBSD Project
|
160136 |
06-Jul-2006 |
wsalamon |
Audit the remaining parameters to the extattr system calls. Generate the audit records for those calls.
Obtained from: TrustedBSD Project Approved by: rwatson (mentor)
|
160086 |
03-Jul-2006 |
rwatson |
Correct a number of problems that were previously commented on:
- Correct audit_arg_socketaddr() argument name from so to sa.
- Assert arguments are non-NULL to many argument capture functions rather than testing them. This may trip some bugs.
- Assert the process lock is held when auditing process information.
- Test currecord in several more places.
- Test validity of more arguments with kasserts, such as flag values when auditing vnode information.
Perforce change: 98825 Obtained from: TrustedBSD Project
|
159686 |
17-Jun-2006 |
wsalamon |
Make the size of the subject32_ex and process32_ex tokens depend on whether we have an IPv6 address. Write the term ID as 4 or 16 bytes depending on address type. This change matches the recent OpenBSM change, and what Solaris does.
Obtained from: TrustedBSD Project Approved by: rwatson (mentor)
|
159415 |
08-Jun-2006 |
rwatson |
Lock process when copying fields from process structure so as to get a consistent snapshot, as well as get consistent values (i.e., that p_comm is properly nul-terminated).
Perforce CID: 98824 Obtained from: TrustedBSD Project
|
159414 |
08-Jun-2006 |
rwatson |
Prefer C to C++ comments per style(9).
Perforce CID: 98826 Obtained from: TrustedBSD Project
|
159332 |
06-Jun-2006 |
rwatson |
Extract pointer value for mnt_stat from vp after the NULL check, not before.
Coverity ID: 134394 Found with: Coverity Prevent (tm)
|
159318 |
05-Jun-2006 |
rwatson |
Remove use of Giant around vn_open() in audit trail setup.
Submitted by: jhb, wsalamon Obtained from: TrustedBSD Project
|
159278 |
05-Jun-2006 |
rwatson |
When generating BSM tokens for mkfifo(), include mode argument.
Submitted by: wsalamon Obtained from: TrustedBSD Project
|
159277 |
05-Jun-2006 |
rwatson |
When generating the process token, need to check whether the process was successfully audited. Otherwise, generate the PID token. This change covers the pid < 0 cases, and pid lookup failure cases.
Submitted by: wsalamon Obtained from: TrustedBSD Project
|
159275 |
05-Jun-2006 |
rwatson |
Consistently use audit_free() to free records, rather than directly invoking uma_zfree().
Perforce change: 96652 Obtained from: TrustedBSD Project
|
159269 |
05-Jun-2006 |
rwatson |
Introduce support for per-audit pipe preselection independent from the global audit trail configuration. This allows applications consuming audit trails to specify parameters for which audit records are of interest, including selecting records not required by the global trail. Allowing application interest specification without changing the global configuration allows intrusion detection systems to run without interfering with global auditing or each other (if multiple are present). To implement this:
- Kernel audit records now carry a flag to indicate whether they have been selected by the global trail or by the audit pipe subsystem, set during record commit, so that this information is available after BSM conversion when delivering the BSM to the trail and audit pipes in the audit worker thread asynchronously. Preselection by either record target will cause the record to be kept.
- Similar changes to preselection when the audit record is created when the system call is entering: consult both the global trail and pipes.
- au_preselect() now accepts the class in order to avoid repeatedly looking up the mask for each preselection test.
- Define a series of ioctls that allow applications to specify whether they want to track the global trail, or program their own preselection parameters: they may specify their own flags and naflags masks, similar to the global masks of the same name, as well as a set of per-auid masks. They also set a per-pipe mode specifying whether they track the global trail, or use their own -- the door is left open for future additional modes. A new ioctl is defined to allow a user process to flush the current audit pipe queue, which can be used after reprogramming pre-selection to make sure that only records of interest are received in future reads.
- Audit pipe data structures are extended to hold the additional fields necessary to support preselection. By default, audit pipes track the global trail, so "praudit /dev/auditpipe" will track the global audit trail even though praudit doesn't program the audit pipe selection model.
- Comment about the complexities of potentially adding partial read support to audit pipes.
By using a set of ioctls, applications can select which records are of interest, and toggle the preselection mode.
Obtained from: TrustedBSD Project
|
159266 |
05-Jun-2006 |
rwatson |
Shorten audit record zone name.
Perforce change: 93598 Obtained from: TrustedBSD Project
|
159265 |
05-Jun-2006 |
rwatson |
No longer unconditionally drain the audit record queue if there is not an active audit trail: instead, continue to iterate through each record in case an audit pipe is interested.
Obtained from: TrustedBSD Project
|
159264 |
05-Jun-2006 |
rwatson |
Pull BSM conversion logic out of audit_record_write(), as well as knowledge of user vs. kernel audit records into audit_worker_process_record(). This largely confines vnode knowledge to audit_record_write(), but avoids that logic knowing about BSM as opposed to byte streams. This will allow us to improve our ability to support real-time audit stream processing by audit pipe consumers while auditing is disabled, but this support is not yet complete.
Obtained from: TrustedBSD Project
|
159263 |
05-Jun-2006 |
rwatson |
Assert audit mtx in audit_worker_drain().
Break out logic to call audit_record_write() and handle error conditions into audit_worker_process_record(). This will be the future home of some logic now present in audit_record_write() also.
Obtained from: TrustedBSD Project
|
159262 |
05-Jun-2006 |
rwatson |
Use struct kaudit_queue instead of a hand-crafted queue type for audit records in the audit_worker thread.
Obtained from: TrustedBSD Project
|
159261 |
05-Jun-2006 |
rwatson |
Rename audit_cv to audit_worker_cv, as it wakes up the audit worker.
Rename audit_commit_cv to audit_watermark_cv, since it is there to wake up threads waiting on hitting the low watermark. Describe properly in comment.
Obtained from: TrustedBSD Project
|
159259 |
05-Jun-2006 |
rwatson |
Merge OpenBSM 1.0 alpha 6 changes for BSM token creation to src/sys/security/audit:
- Clarify and clean up AUR_ types to match Solaris.
- Clean up use of host vs. network byte order for IP addresses.
- Remove combined user/kernel implementations of some token creation calls, such as au_to_file(), header calls, etc.
Obtained from: TrustedBSD Project
|
159143 |
01-Jun-2006 |
csjp |
Check to see if the rootdir is the same as the current working directory. If it is, and the pathname was relative, do not separate the components with a '/' character.
Obtained from: TrustedBSD Project
|
156889 |
19-Mar-2006 |
rwatson |
Merge Perforce change 93581 from TrustedBSD audit3 branch:
Mega-style patch.
Obtained from: TrustedBSD Project
|
156888 |
19-Mar-2006 |
rwatson |
Merge Perforce changes 93512, 93514, 93515 from TrustedBSD audit3 branch:
Integrate audit.c to audit_worker.c, so as to migrate the worker thread implementation to its own .c file.
Populate audit_worker.c using parts now removed from audit.c:
- Move audit rotation global variables.
- Move audit_record_write(), audit_worker_rotate(), audit_worker_drain(), audit_worker(), audit_rotate_vnode().
- Create audit_worker_init() from relevant parts of audit_init(), which now calls this routine.
- Recreate audit_free(), which wraps uma_zfree() so that audit_record_zone can be static to audit.c.
- Unstaticize various types and variables relating to the audit record queue so that audit_worker can get to them. We may want to wrap these in accessor methods at some point.
- Move AUDIT_PRINTF() to audit_private.h.
Addition of audit_worker.c to kernel configuration, missed in earlier submit.
Obtained from: TrustedBSD Project
|
156884 |
19-Mar-2006 |
rwatson |
Merge Perforce change 93570 from TrustedBSD audit3 branch:
Add audit pipe ioctls to query minimum and maximum audit queue lengths.
Obtained from: TrustedBSD Project
|
156883 |
19-Mar-2006 |
rwatson |
Merge Perforce change 93567 from TrustedBSD audit3 branch:
Bump default queue limit for audit pipes from 32 to 128, since 32 is pretty small.
Obtained from: TrustedBSD Project
|
156882 |
19-Mar-2006 |
rwatson |
Merge Perforce change 93568 from TrustedBSD audit3 branch:
Normalize nested include guards.
Obtained from: TrustedBSD Project
|
156880 |
19-Mar-2006 |
rwatson |
Merge Perforce change 93506 from TrustedBSD audit3 branch:
Add ioctls to audit pipes in order to allow querying of the current record queue state, setting of the queue limit, and querying of pipe statistics.
Obtained from: TrustedBSD Project
|
156846 |
18-Mar-2006 |
rwatson |
Merge perforce 93507:
Correct comment: this print is now from audit_record_write(), not audit_worker().
Obtained from: TrustedBSD Project
|
156845 |
18-Mar-2006 |
rwatson |
Merge perforce change 93199:
Change send_trigger() prototype to return an int, so that user space callers can tell if the message was successfully placed in the trigger queue. This isn't quite the same as it being successfully received, but is close enough that we can generate a more useful warning message in audit(8).
Obtained from: TrustedBSD Project
|
156292 |
04-Mar-2006 |
rwatson |
Count drops when the first of two pipe mallocs fails.
Obtained from: TrustedBSD Project
|
156291 |
04-Mar-2006 |
rwatson |
Update src/sys/security/audit for OpenBSM 1.0 alpha 5:
- Include audit_internal.h to get definition of internal audit record structures, as it's no longer in audit.h. Forward declare au_record in audit_private.h as not all audit_private.h consumers care about it.
- Remove __APPLE__ compatibility bits that are subsumed by configure for user space.
- Don't expose in6_addr internals (non-portable, but also cleaner looking).
- Avoid nested include of audit.h in audit_private.h.
Obtained from: TrustedBSD Project
|
155559 |
11-Feb-2006 |
rwatson |
Add stub AUE_EACCESS entry.
Obtained from: TrustedBSD Project
|
155558 |
11-Feb-2006 |
rwatson |
Initialize user process audit ID to AU_DEFAUDITID so that init and its pre-authentication children are covered by naflags.
Obtained from: TrustedBSD Project
|
155448 |
07-Feb-2006 |
rwatson |
Acquire vnode lock around call to VOP_GETATTR() in audit_record_write(). In the future, we may want to acquire the lock early in the function and hold it across calls to vn_rdwr(), etc, to avoid multiple acquires.
Spotted by: kris (bugmagnet) Obtained from: TrustedBSD Project
|
155428 |
07-Feb-2006 |
rwatson |
Fix queue drop logic when the queue overflows: decrement queue length.
Obtained from: TrustedBSD Project
|
155408 |
06-Feb-2006 |
rwatson |
Add support for audit pipe special devices, which allow user space applications to insert a "tee" in the live audit event stream. Records are inserted into a per-clone queue so that user processes can pull discrete records out of the queue. Unlike delivery to disk, audit pipes are "lossy", dropping records in low memory conditions or when the process falls behind real-time events. This mechanism is appropriate for use by live monitoring systems, host-based intrusion detection, etc, and avoids applications having to dig through active on-disk trails that are owned by the audit daemon.
Obtained from: TrustedBSD Project
|
155406 |
06-Feb-2006 |
rwatson |
Manage audit record memory with the slab allocator, turning initialization routines into a ctor, tear-down to a dtor, cleaning up, etc. This will allow audit records to be allocated from per-cpu caches.
On recent FreeBSD, dropping the audit_mtx around freeing to UMA is no longer required (at one point it was possible to acquire Giant on that path), so a mutex-free thread-local drain is no longer required.
Obtained from: TrustedBSD Project
|
155353 |
05-Feb-2006 |
rwatson |
When GC'ing a thread, assert that it has no active audit record. This should not happen, but with this assert, brueffer and I would not have spent 45 minutes trying to figure out why he wasn't seeing audit records with the audit version in CVS.
Obtained from: TrustedBSD Project
|
155271 |
04-Feb-2006 |
rwatson |
Cast pointers to (uintptr_t) before down-casting to (int). This avoids an incompatible conversion from a 64-bit pointer to a 32-bit integer on 64-bit platforms. We will investigate whether Solaris uses a 64-bit token here, or a new record here, in order to avoid truncating user pointers that are 64-bit. However, in the meantime, truncation is fine as these are rarely/never used fields in audit records.
Obtained from: TrustedBSD Project
|
155270 |
03-Feb-2006 |
rwatson |
Fix INVARIANTS build on amd64; (unsigned unsigned long) != u_int64_t.
Submitted by: mlaier
|
155258 |
03-Feb-2006 |
rwatson |
Remove user.h include in audit.h, it is unneeded, and also can cause build problems for other components that include audit.h.
|
155195 |
02-Feb-2006 |
rwatson |
Add new fields to process-related data structures:
- td_ar to struct thread, which holds the in-progress audit record during a system call.
- p_au to struct proc, which holds per-process audit state, such as the audit identifier, audit terminal, and process audit masks.
In the earlier implementation, td_ar was added to the zero'd section of struct thread. In order to facilitate merging to RELENG_6, it has been moved to the end of the data structure, requiring explicit initialization in the thread constructor.
Much help from: wsalamon
Obtained from: TrustedBSD Project
|
155192 |
01-Feb-2006 |
rwatson |
Import kernel audit framework:
- Management of audit state on processes.
- Audit system calls to configure process and system audit state.
- Reliable audit record queue implementation, audit_worker kernel thread to asynchronously store records on disk.
- Audit event argument.
- Internal audit data structure -> BSM audit trail conversion library.
- Audit event pre-selection.
- Audit pseudo-device permitting kernel->user upcalls to notify auditd of kernel audit events.
Much work by: wsalamon
Obtained from: TrustedBSD Project, Apple Computer, Inc.
|