diff options
author | Robert Watson <rwatson@FreeBSD.org> | 2009-06-27 13:58:44 +0000 |
---|---|---|
committer | Robert Watson <rwatson@FreeBSD.org> | 2009-06-27 13:58:44 +0000 |
commit | 14961ba789be428e9cedb60493ea26e0abcc3071 (patch) | |
tree | 18c823b27ab8bd9a1cd03dcca0ea5348975f3971 | |
parent | f291b9cd384488ded41f6dbff874e889e8e0c42c (diff) | |
download | src-14961ba789be428e9cedb60493ea26e0abcc3071.tar.gz src-14961ba789be428e9cedb60493ea26e0abcc3071.zip |
Notes
-rw-r--r-- | sys/amd64/amd64/sys_machdep.c | 2 | ||||
-rw-r--r-- | sys/compat/freebsd32/freebsd32_misc.c | 2 | ||||
-rw-r--r-- | sys/compat/linux/linux_signal.c | 6 | ||||
-rw-r--r-- | sys/i386/i386/sys_machdep.c | 2 | ||||
-rw-r--r-- | sys/kern/kern_descrip.c | 6 | ||||
-rw-r--r-- | sys/kern/kern_exec.c | 8 | ||||
-rw-r--r-- | sys/kern/kern_exit.c | 4 | ||||
-rw-r--r-- | sys/kern/kern_fork.c | 4 | ||||
-rw-r--r-- | sys/kern/kern_prot.c | 30 | ||||
-rw-r--r-- | sys/kern/kern_sig.c | 10 | ||||
-rw-r--r-- | sys/kern/kern_thr.c | 4 | ||||
-rw-r--r-- | sys/kern/sys_generic.c | 4 | ||||
-rw-r--r-- | sys/kern/sys_process.c | 10 | ||||
-rw-r--r-- | sys/kern/vfs_extattr.c | 56 | ||||
-rw-r--r-- | sys/kern/vfs_lookup.c | 15 | ||||
-rw-r--r-- | sys/kern/vfs_mount.c | 8 | ||||
-rw-r--r-- | sys/kern/vfs_syscalls.c | 64 | ||||
-rw-r--r-- | sys/nfs/nfs_nfssvc.c | 2 | ||||
-rw-r--r-- | sys/security/audit/audit.h | 185 | ||||
-rw-r--r-- | sys/security/audit/audit_syscalls.c | 4 |
20 files changed, 291 insertions, 135 deletions
diff --git a/sys/amd64/amd64/sys_machdep.c b/sys/amd64/amd64/sys_machdep.c index 834dd2c87043..bfc7c915b3b8 100644 --- a/sys/amd64/amd64/sys_machdep.c +++ b/sys/amd64/amd64/sys_machdep.c @@ -87,7 +87,7 @@ sysarch_ldt(struct thread *td, struct sysarch_args *uap, int uap_space) * XXXKIB check that the BSM generation code knows to encode * the op argument. */ - AUDIT_ARG(cmd, uap->op); + AUDIT_ARG_CMD(uap->op); if (uap_space == UIO_USERSPACE) { error = copyin(uap->parms, &la, sizeof(struct i386_ldt_args)); if (error != 0) diff --git a/sys/compat/freebsd32/freebsd32_misc.c b/sys/compat/freebsd32/freebsd32_misc.c index 7509c45d8f17..d03411ab122a 100644 --- a/sys/compat/freebsd32/freebsd32_misc.c +++ b/sys/compat/freebsd32/freebsd32_misc.c @@ -2924,7 +2924,7 @@ freebsd32_nmount(struct thread *td, struct uio *auio; int error; - AUDIT_ARG(fflags, uap->flags); + AUDIT_ARG_FFLAGS(uap->flags); /* * Filter out MNT_ROOTFS. We do not want clients of nmount() in diff --git a/sys/compat/linux/linux_signal.c b/sys/compat/linux/linux_signal.c index 9bbc268131ef..5910d627d8de 100644 --- a/sys/compat/linux/linux_signal.c +++ b/sys/compat/linux/linux_signal.c @@ -546,8 +546,8 @@ linux_do_tkill(struct thread *td, l_int tgid, l_int pid, l_int signum) ksiginfo_t ksi; int error; - AUDIT_ARG(signum, signum); - AUDIT_ARG(pid, pid); + AUDIT_ARG_SIGNUM(signum); + AUDIT_ARG_PID(pid); /* * Allow signal 0 as a means to check for privileges @@ -563,7 +563,7 @@ linux_do_tkill(struct thread *td, l_int tgid, l_int pid, l_int signum) return (ESRCH); } - AUDIT_ARG(process, p); + AUDIT_ARG_PROCESS(p); error = p_cansignal(td, p, signum); if (error) goto out; diff --git a/sys/i386/i386/sys_machdep.c b/sys/i386/i386/sys_machdep.c index 87b563de94ca..2e7abdde25a8 100644 --- a/sys/i386/i386/sys_machdep.c +++ b/sys/i386/i386/sys_machdep.c @@ -107,7 +107,7 @@ sysarch(td, uap) uint32_t base; struct segment_descriptor sd, *sdp; - AUDIT_ARG(cmd, uap->op); + AUDIT_ARG_CMD(uap->op); switch (uap->op) { case I386_GET_IOPERM: case I386_SET_IOPERM: diff --git a/sys/kern/kern_descrip.c b/sys/kern/kern_descrip.c index 698d42e7fd6f..91733db35d74 100644 --- a/sys/kern/kern_descrip.c +++ b/sys/kern/kern_descrip.c @@ -1144,7 +1144,7 @@ closefrom(struct thread *td, struct closefrom_args *uap) int fd; fdp = td->td_proc->p_fd; - AUDIT_ARG(fd, uap->lowfd); + AUDIT_ARG_FD(uap->lowfd); /* * Treat negative starting file descriptor values identical to @@ -1219,12 +1219,12 @@ kern_fstat(struct thread *td, int fd, struct stat *sbp) struct file *fp; int error; - AUDIT_ARG(fd, fd); + AUDIT_ARG_FD(fd); if ((error = fget(td, fd, &fp)) != 0) return (error); - AUDIT_ARG(file, td->td_proc, fp); + AUDIT_ARG_FILE(td->td_proc, fp); error = fo_stat(fp, sbp, td->td_ucred, td); fdrop(fp, td); diff --git a/sys/kern/kern_exec.c b/sys/kern/kern_exec.c index 8e37dbae0023..3f366582905c 100644 --- a/sys/kern/kern_exec.c +++ b/sys/kern/kern_exec.c @@ -274,9 +274,9 @@ kern_execve(td, args, mac_p) struct proc *p = td->td_proc; int error; - AUDIT_ARG(argv, args->begin_argv, args->argc, + AUDIT_ARG_ARGV(args->begin_argv, args->argc, args->begin_envv - args->begin_argv); - AUDIT_ARG(envv, args->begin_envv, args->envc, + AUDIT_ARG_ENVV(args->begin_envv, args->envc, args->endp - args->begin_envv); if (p->p_flag & P_HADTHREADS) { PROC_LOCK(p); @@ -413,13 +413,13 @@ interpret: binvp = nd.ni_vp; imgp->vp = binvp; } else { - AUDIT_ARG(fd, args->fd); + AUDIT_ARG_FD(args->fd); error = fgetvp(td, args->fd, &binvp); if (error) goto exec_fail; vfslocked = VFS_LOCK_GIANT(binvp->v_mount); vn_lock(binvp, LK_EXCLUSIVE | LK_RETRY); - AUDIT_ARG(vnode, binvp, ARG_VNODE1); + AUDIT_ARG_VNODE(binvp, ARG_VNODE1); imgp->vp = binvp; } diff --git a/sys/kern/kern_exit.c b/sys/kern/kern_exit.c index bc2b8810c4a7..ae060da12f8a 100644 --- a/sys/kern/kern_exit.c +++ b/sys/kern/kern_exit.c @@ -211,7 +211,7 @@ exit1(struct thread *td, int rv) * it was. The exit status is WEXITSTATUS(rv), but it's not clear * what the return value is. */ - AUDIT_ARG(exit, WEXITSTATUS(rv), 0); + AUDIT_ARG_EXIT(WEXITSTATUS(rv), 0); AUDIT_SYSCALL_EXIT(0, td); #endif @@ -803,7 +803,7 @@ kern_wait(struct thread *td, pid_t pid, int *status, int options, struct proc *p, *q; int error, nfound; - AUDIT_ARG(pid, pid); + AUDIT_ARG_PID(pid); q = td->td_proc; if (pid == 0) { diff --git a/sys/kern/kern_fork.c b/sys/kern/kern_fork.c index bfa43a92d80a..65fd09dceaf5 100644 --- a/sys/kern/kern_fork.c +++ b/sys/kern/kern_fork.c @@ -146,7 +146,7 @@ rfork(td, uap) if ((uap->flags & RFKERNELONLY) != 0) return (EINVAL); - AUDIT_ARG(fflags, uap->flags); + AUDIT_ARG_FFLAGS(uap->flags); error = fork1(td, uap->flags, 0, &p2); if (error == 0) { td->td_retval[0] = p2 ? p2->p_pid : 0; @@ -452,7 +452,7 @@ again: thread_lock(td); sched_fork(td, td2); thread_unlock(td); - AUDIT_ARG(pid, p2->p_pid); + AUDIT_ARG_PID(p2->p_pid); LIST_INSERT_HEAD(&allproc, p2, p_list); LIST_INSERT_HEAD(PIDHASH(p2->p_pid), p2, p_hash); diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c index d286738e2cdc..76254143e0fb 100644 --- a/sys/kern/kern_prot.c +++ b/sys/kern/kern_prot.c @@ -489,7 +489,7 @@ setuid(struct thread *td, struct setuid_args *uap) int error; uid = uap->uid; - AUDIT_ARG(uid, uid); + AUDIT_ARG_UID(uid); newcred = crget(); uip = uifind(uid); PROC_LOCK(p); @@ -600,7 +600,7 @@ seteuid(struct thread *td, struct seteuid_args *uap) int error; euid = uap->euid; - AUDIT_ARG(euid, euid); + AUDIT_ARG_EUID(euid); newcred = crget(); euip = uifind(euid); PROC_LOCK(p); @@ -656,7 +656,7 @@ setgid(struct thread *td, struct setgid_args *uap) int error; gid = uap->gid; - AUDIT_ARG(gid, gid); + AUDIT_ARG_GID(gid); newcred = crget(); PROC_LOCK(p); oldcred = crcopysafe(p, newcred); @@ -754,7 +754,7 @@ setegid(struct thread *td, struct setegid_args *uap) int error; egid = uap->egid; - AUDIT_ARG(egid, egid); + AUDIT_ARG_EGID(egid); newcred = crget(); PROC_LOCK(p); oldcred = crcopysafe(p, newcred); @@ -819,7 +819,7 @@ kern_setgroups(struct thread *td, u_int ngrp, gid_t *groups) if (ngrp > NGROUPS) return (EINVAL); - AUDIT_ARG(groupset, groups, ngrp); + AUDIT_ARG_GROUPSET(groups, ngrp); newcred = crget(); crextend(newcred, ngrp); PROC_LOCK(p); @@ -876,8 +876,8 @@ setreuid(register struct thread *td, struct setreuid_args *uap) euid = uap->euid; ruid = uap->ruid; - AUDIT_ARG(euid, euid); - AUDIT_ARG(ruid, ruid); + AUDIT_ARG_EUID(euid); + AUDIT_ARG_RUID(ruid); newcred = crget(); euip = uifind(euid); ruip = uifind(ruid); @@ -942,8 +942,8 @@ setregid(register struct thread *td, struct setregid_args *uap) egid = uap->egid; rgid = uap->rgid; - AUDIT_ARG(egid, egid); - AUDIT_ARG(rgid, rgid); + AUDIT_ARG_EGID(egid); + AUDIT_ARG_RGID(rgid); newcred = crget(); PROC_LOCK(p); oldcred = crcopysafe(p, newcred); @@ -1009,9 +1009,9 @@ setresuid(register struct thread *td, struct setresuid_args *uap) euid = uap->euid; ruid = uap->ruid; suid = uap->suid; - AUDIT_ARG(euid, euid); - AUDIT_ARG(ruid, ruid); - AUDIT_ARG(suid, suid); + AUDIT_ARG_EUID(euid); + AUDIT_ARG_RUID(ruid); + AUDIT_ARG_SUID(suid); newcred = crget(); euip = uifind(euid); ruip = uifind(ruid); @@ -1087,9 +1087,9 @@ setresgid(register struct thread *td, struct setresgid_args *uap) egid = uap->egid; rgid = uap->rgid; sgid = uap->sgid; - AUDIT_ARG(egid, egid); - AUDIT_ARG(rgid, rgid); - AUDIT_ARG(sgid, sgid); + AUDIT_ARG_EGID(egid); + AUDIT_ARG_RGID(rgid); + AUDIT_ARG_SGID(sgid); newcred = crget(); PROC_LOCK(p); oldcred = crcopysafe(p, newcred); diff --git a/sys/kern/kern_sig.c b/sys/kern/kern_sig.c index f4a14c372bb9..3225754ddf4a 100644 --- a/sys/kern/kern_sig.c +++ b/sys/kern/kern_sig.c @@ -1674,8 +1674,8 @@ kill(td, uap) register struct proc *p; int error; - AUDIT_ARG(signum, uap->signum); - AUDIT_ARG(pid, uap->pid); + AUDIT_ARG_SIGNUM(uap->signum); + AUDIT_ARG_PID(uap->pid); if ((u_int)uap->signum > _SIG_MAXSIG) return (EINVAL); @@ -1685,7 +1685,7 @@ kill(td, uap) if ((p = zpfind(uap->pid)) == NULL) return (ESRCH); } - AUDIT_ARG(process, p); + AUDIT_ARG_PROCESS(p); error = p_cansignal(td, p, uap->signum); if (error == 0 && uap->signum) psignal(p, uap->signum); @@ -1717,8 +1717,8 @@ okillpg(td, uap) register struct okillpg_args *uap; { - AUDIT_ARG(signum, uap->signum); - AUDIT_ARG(pid, uap->pgid); + AUDIT_ARG_SIGNUM(uap->signum); + AUDIT_ARG_PID(uap->pgid); if ((u_int)uap->signum > _SIG_MAXSIG) return (EINVAL); diff --git a/sys/kern/kern_thr.c b/sys/kern/kern_thr.c index 4059443194be..c478c63bd9bc 100644 --- a/sys/kern/kern_thr.c +++ b/sys/kern/kern_thr.c @@ -350,7 +350,7 @@ thr_kill2(struct thread *td, struct thr_kill2_args *uap) struct proc *p; int error; - AUDIT_ARG(signum, uap->sig); + AUDIT_ARG_SIGNUM(uap->sig); if (uap->pid == td->td_proc->p_pid) { p = td->td_proc; @@ -358,7 +358,7 @@ thr_kill2(struct thread *td, struct thr_kill2_args *uap) } else if ((p = pfind(uap->pid)) == NULL) { return (ESRCH); } - AUDIT_ARG(process, p); + AUDIT_ARG_PROCESS(p); error = p_cansignal(td, p, uap->sig); if (error == 0) { diff --git a/sys/kern/sys_generic.c b/sys/kern/sys_generic.c index 616c5b79e11f..b9fd77034d60 100644 --- a/sys/kern/sys_generic.c +++ b/sys/kern/sys_generic.c @@ -561,13 +561,13 @@ kern_ftruncate(td, fd, length) struct file *fp; int error; - AUDIT_ARG(fd, fd); + AUDIT_ARG_FD(fd); if (length < 0) return (EINVAL); error = fget(td, fd, &fp); if (error) return (error); - AUDIT_ARG(file, td->td_proc, fp); + AUDIT_ARG_FILE(td->td_proc, fp); if (!(fp->f_flag & FWRITE)) { fdrop(fp, td); return (EINVAL); diff --git a/sys/kern/sys_process.c b/sys/kern/sys_process.c index 0cce9056ad52..3c7b52c1e32c 100644 --- a/sys/kern/sys_process.c +++ b/sys/kern/sys_process.c @@ -400,10 +400,10 @@ ptrace(struct thread *td, struct ptrace_args *uap) if (SV_CURPROC_FLAG(SV_ILP32)) wrap32 = 1; #endif - AUDIT_ARG(pid, uap->pid); - AUDIT_ARG(cmd, uap->req); - AUDIT_ARG(addr, uap->addr); - AUDIT_ARG(value, uap->data); + AUDIT_ARG_PID(uap->pid); + AUDIT_ARG_CMD(uap->req); + AUDIT_ARG_ADDR(uap->addr); + AUDIT_ARG_VALUE(uap->data); addr = &r; switch (uap->req) { case PT_GETREGS: @@ -549,7 +549,7 @@ kern_ptrace(struct thread *td, int req, pid_t pid, void *addr, int data) pid = p->p_pid; } } - AUDIT_ARG(process, p); + AUDIT_ARG_PROCESS(p); if ((p->p_flag & P_WEXIT) != 0) { error = ESRCH; diff --git a/sys/kern/vfs_extattr.c b/sys/kern/vfs_extattr.c index 5f024a83706e..e7bf2d19d7d3 100644 --- a/sys/kern/vfs_extattr.c +++ b/sys/kern/vfs_extattr.c @@ -70,8 +70,8 @@ extattrctl(td, uap) char attrname[EXTATTR_MAXNAMELEN]; int vfslocked, fnvfslocked, error; - AUDIT_ARG(cmd, uap->cmd); - AUDIT_ARG(value, uap->attrnamespace); + AUDIT_ARG_CMD(uap->cmd); + AUDIT_ARG_VALUE(uap->attrnamespace); /* * uap->attrname is not always defined. We check again later when we * invoke the VFS call so as to pass in NULL there if needed. @@ -82,7 +82,7 @@ extattrctl(td, uap) if (error) return (error); } - AUDIT_ARG(text, attrname); + AUDIT_ARG_TEXT(attrname); vfslocked = fnvfslocked = 0; mp = NULL; @@ -223,12 +223,12 @@ extattr_set_fd(td, uap) char attrname[EXTATTR_MAXNAMELEN]; int vfslocked, error; - AUDIT_ARG(fd, uap->fd); - AUDIT_ARG(value, uap->attrnamespace); + AUDIT_ARG_FD(uap->fd); + AUDIT_ARG_VALUE(uap->attrnamespace); error = copyinstr(uap->attrname, attrname, EXTATTR_MAXNAMELEN, NULL); if (error) return (error); - AUDIT_ARG(text, attrname); + AUDIT_ARG_TEXT(attrname); error = getvnode(td->td_proc->p_fd, uap->fd, &fp); if (error) @@ -258,11 +258,11 @@ extattr_set_file(td, uap) char attrname[EXTATTR_MAXNAMELEN]; int vfslocked, error; - AUDIT_ARG(value, uap->attrnamespace); + AUDIT_ARG_VALUE(uap->attrnamespace); error = copyinstr(uap->attrname, attrname, EXTATTR_MAXNAMELEN, NULL); if (error) return (error); - AUDIT_ARG(text, attrname); + AUDIT_ARG_TEXT(attrname); NDINIT(&nd, LOOKUP, MPSAFE | FOLLOW | AUDITVNODE1, UIO_USERSPACE, uap->path, td); @@ -295,11 +295,11 @@ extattr_set_link(td, uap) char attrname[EXTATTR_MAXNAMELEN]; int vfslocked, error; - AUDIT_ARG(value, uap->attrnamespace); + AUDIT_ARG_VALUE(uap->attrnamespace); error = copyinstr(uap->attrname, attrname, EXTATTR_MAXNAMELEN, NULL); if (error) return (error); - AUDIT_ARG(text, attrname); + AUDIT_ARG_TEXT(attrname); NDINIT(&nd, LOOKUP, MPSAFE | NOFOLLOW | AUDITVNODE1, UIO_USERSPACE, uap->path, td); @@ -403,12 +403,12 @@ extattr_get_fd(td, uap) char attrname[EXTATTR_MAXNAMELEN]; int vfslocked, error; - AUDIT_ARG(fd, uap->fd); - AUDIT_ARG(value, uap->attrnamespace); + AUDIT_ARG_FD(uap->fd); + AUDIT_ARG_VALUE(uap->attrnamespace); error = copyinstr(uap->attrname, attrname, EXTATTR_MAXNAMELEN, NULL); if (error) return (error); - AUDIT_ARG(text, attrname); + AUDIT_ARG_TEXT(attrname); error = getvnode(td->td_proc->p_fd, uap->fd, &fp); if (error) @@ -438,11 +438,11 @@ extattr_get_file(td, uap) char attrname[EXTATTR_MAXNAMELEN]; int vfslocked, error; - AUDIT_ARG(value, uap->attrnamespace); + AUDIT_ARG_VALUE(uap->attrnamespace); error = copyinstr(uap->attrname, attrname, EXTATTR_MAXNAMELEN, NULL); if (error) return (error); - AUDIT_ARG(text, attrname); + AUDIT_ARG_TEXT(attrname); NDINIT(&nd, LOOKUP, MPSAFE | FOLLOW | AUDITVNODE1, UIO_USERSPACE, uap->path, td); @@ -475,11 +475,11 @@ extattr_get_link(td, uap) char attrname[EXTATTR_MAXNAMELEN]; int vfslocked, error; - AUDIT_ARG(value, uap->attrnamespace); + AUDIT_ARG_VALUE(uap->attrnamespace); error = copyinstr(uap->attrname, attrname, EXTATTR_MAXNAMELEN, NULL); if (error) return (error); - AUDIT_ARG(text, attrname); + AUDIT_ARG_TEXT(attrname); NDINIT(&nd, LOOKUP, MPSAFE | NOFOLLOW | AUDITVNODE1, UIO_USERSPACE, uap->path, td); @@ -553,12 +553,12 @@ extattr_delete_fd(td, uap) char attrname[EXTATTR_MAXNAMELEN]; int vfslocked, error; - AUDIT_ARG(fd, uap->fd); - AUDIT_ARG(value, uap->attrnamespace); + AUDIT_ARG_FD(uap->fd); + AUDIT_ARG_VALUE(uap->attrnamespace); error = copyinstr(uap->attrname, attrname, EXTATTR_MAXNAMELEN, NULL); if (error) return (error); - AUDIT_ARG(text, attrname); + AUDIT_ARG_TEXT(attrname); error = getvnode(td->td_proc->p_fd, uap->fd, &fp); if (error) @@ -585,11 +585,11 @@ extattr_delete_file(td, uap) char attrname[EXTATTR_MAXNAMELEN]; int vfslocked, error; - AUDIT_ARG(value, uap->attrnamespace); + AUDIT_ARG_VALUE(uap->attrnamespace); error = copyinstr(uap->attrname, attrname, EXTATTR_MAXNAMELEN, NULL); if (error) return(error); - AUDIT_ARG(text, attrname); + AUDIT_ARG_TEXT(attrname); NDINIT(&nd, LOOKUP, MPSAFE | FOLLOW | AUDITVNODE1, UIO_USERSPACE, uap->path, td); @@ -618,11 +618,11 @@ extattr_delete_link(td, uap) char attrname[EXTATTR_MAXNAMELEN]; int vfslocked, error; - AUDIT_ARG(value, uap->attrnamespace); + AUDIT_ARG_VALUE(uap->attrnamespace); error = copyinstr(uap->attrname, attrname, EXTATTR_MAXNAMELEN, NULL); if (error) return(error); - AUDIT_ARG(text, attrname); + AUDIT_ARG_TEXT(attrname); NDINIT(&nd, LOOKUP, MPSAFE | NOFOLLOW | AUDITVNODE1, UIO_USERSPACE, uap->path, td); @@ -717,8 +717,8 @@ extattr_list_fd(td, uap) struct file *fp; int vfslocked, error; - AUDIT_ARG(fd, uap->fd); - AUDIT_ARG(value, uap->attrnamespace); + AUDIT_ARG_FD(uap->fd); + AUDIT_ARG_VALUE(uap->attrnamespace); error = getvnode(td->td_proc->p_fd, uap->fd, &fp); if (error) return (error); @@ -745,7 +745,7 @@ extattr_list_file(td, uap) struct nameidata nd; int vfslocked, error; - AUDIT_ARG(value, uap->attrnamespace); + AUDIT_ARG_VALUE(uap->attrnamespace); NDINIT(&nd, LOOKUP, MPSAFE | FOLLOW | AUDITVNODE1, UIO_USERSPACE, uap->path, td); error = namei(&nd); @@ -775,7 +775,7 @@ extattr_list_link(td, uap) struct nameidata nd; int vfslocked, error; - AUDIT_ARG(value, uap->attrnamespace); + AUDIT_ARG_VALUE(uap->attrnamespace); NDINIT(&nd, LOOKUP, MPSAFE | NOFOLLOW | AUDITVNODE1, UIO_USERSPACE, uap->path, td); error = namei(&nd); diff --git a/sys/kern/vfs_lookup.c b/sys/kern/vfs_lookup.c index 85173edab043..e154c5662c63 100644 --- a/sys/kern/vfs_lookup.c +++ b/sys/kern/vfs_lookup.c @@ -164,9 +164,9 @@ namei(struct nameidata *ndp) /* If we are auditing the kernel pathname, save the user pathname. */ if (cnp->cn_flags & AUDITVNODE1) - AUDIT_ARG(upath, td, cnp->cn_pnbuf, ARG_UPATH1); + AUDIT_ARG_UPATH(td, cnp->cn_pnbuf, ARG_UPATH1); if (cnp->cn_flags & AUDITVNODE2) - AUDIT_ARG(upath, td, cnp->cn_pnbuf, ARG_UPATH2); + AUDIT_ARG_UPATH(td, cnp->cn_pnbuf, ARG_UPATH2); /* * Don't allow empty pathnames. @@ -460,9 +460,6 @@ lookup(struct nameidata *ndp) int dvfslocked; /* VFS Giant state for parent */ int tvfslocked; int lkflags_save; -#ifdef AUDIT - struct thread *td = curthread; -#endif /* * Setup: break out flag bits into variables. @@ -572,9 +569,9 @@ dirloop: ndp->ni_vp = dp; if (cnp->cn_flags & AUDITVNODE1) - AUDIT_ARG(vnode, dp, ARG_VNODE1); + AUDIT_ARG_VNODE(dp, ARG_VNODE1); else if (cnp->cn_flags & AUDITVNODE2) - AUDIT_ARG(vnode, dp, ARG_VNODE2); + AUDIT_ARG_VNODE(dp, ARG_VNODE2); if (!(cnp->cn_flags & (LOCKPARENT | LOCKLEAF))) VOP_UNLOCK(dp, 0); @@ -857,9 +854,9 @@ nextname: VOP_UNLOCK(ndp->ni_dvp, 0); if (cnp->cn_flags & AUDITVNODE1) - AUDIT_ARG(vnode, dp, ARG_VNODE1); + AUDIT_ARG_VNODE(dp, ARG_VNODE1); else if (cnp->cn_flags & AUDITVNODE2) - AUDIT_ARG(vnode, dp, ARG_VNODE2); + AUDIT_ARG_VNODE(dp, ARG_VNODE2); if ((cnp->cn_flags & LOCKLEAF) == 0) VOP_UNLOCK(dp, 0); diff --git a/sys/kern/vfs_mount.c b/sys/kern/vfs_mount.c index 19a602607710..10691a4e3dc0 100644 --- a/sys/kern/vfs_mount.c +++ b/sys/kern/vfs_mount.c @@ -388,7 +388,7 @@ nmount(td, uap) int error; u_int iovcnt; - AUDIT_ARG(fflags, uap->flags); + AUDIT_ARG_FFLAGS(uap->flags); CTR4(KTR_VFS, "%s: iovp %p with iovcnt %d and flags %d", __func__, uap->iovp, uap->iovcnt, uap->flags); @@ -750,7 +750,7 @@ mount(td, uap) struct mntarg *ma = NULL; int error; - AUDIT_ARG(fflags, uap->flags); + AUDIT_ARG_FFLAGS(uap->flags); /* * Filter out MNT_ROOTFS. We do not want clients of mount() in @@ -767,7 +767,7 @@ mount(td, uap) return (error); } - AUDIT_ARG(text, fstype); + AUDIT_ARG_TEXT(fstype); mtx_lock(&Giant); vfsp = vfs_byname_kld(fstype, td, &error); free(fstype, M_TEMP); @@ -1125,7 +1125,7 @@ unmount(td, uap) free(pathbuf, M_TEMP); return (error); } - AUDIT_ARG(upath, td, pathbuf, ARG_UPATH1); + AUDIT_ARG_UPATH(td, pathbuf, ARG_UPATH1); mtx_lock(&Giant); if (uap->flags & MNT_BYFSID) { /* Decode the filesystem ID. */ diff --git a/sys/kern/vfs_syscalls.c b/sys/kern/vfs_syscalls.c index 9fa2a4c9dee8..496cecf6027c 100644 --- a/sys/kern/vfs_syscalls.c +++ b/sys/kern/vfs_syscalls.c @@ -189,8 +189,8 @@ quotactl(td, uap) int error; struct nameidata nd; - AUDIT_ARG(cmd, uap->cmd); - AUDIT_ARG(uid, uap->uid); + AUDIT_ARG_CMD(uap->cmd); + AUDIT_ARG_UID(uap->uid); if (!prison_allow(td->td_ucred, PR_ALLOW_QUOTAS)) return (EPERM); NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF | MPSAFE | AUDITVNODE1, @@ -371,7 +371,7 @@ kern_fstatfs(struct thread *td, int fd, struct statfs *buf) struct vnode *vp; int error; - AUDIT_ARG(fd, fd); + AUDIT_ARG_FD(fd); error = getvnode(td->td_proc->p_fd, fd, &fp); if (error) return (error); @@ -379,7 +379,7 @@ kern_fstatfs(struct thread *td, int fd, struct statfs *buf) vfslocked = VFS_LOCK_GIANT(vp->v_mount); vn_lock(vp, LK_SHARED | LK_RETRY); #ifdef AUDIT - AUDIT_ARG(vnode, vp, ARG_VNODE1); + AUDIT_ARG_VNODE(vp, ARG_VNODE1); #endif mp = vp->v_mount; if (mp) @@ -744,7 +744,7 @@ fchdir(td, uap) int vfslocked; int error; - AUDIT_ARG(fd, uap->fd); + AUDIT_ARG_FD(uap->fd); if ((error = getvnode(fdp, uap->fd, &fp)) != 0) return (error); vp = fp->f_vnode; @@ -752,7 +752,7 @@ fchdir(td, uap) fdrop(fp, td); vfslocked = VFS_LOCK_GIANT(vp->v_mount); vn_lock(vp, LK_SHARED | LK_RETRY); - AUDIT_ARG(vnode, vp, ARG_VNODE1); + AUDIT_ARG_VNODE(vp, ARG_VNODE1); error = change_dir(vp, td); while (!error && (mp = vp->v_mountedhere) != NULL) { int tvfslocked; @@ -1055,8 +1055,8 @@ kern_openat(struct thread *td, int fd, char *path, enum uio_seg pathseg, struct nameidata nd; int vfslocked; - AUDIT_ARG(fflags, flags); - AUDIT_ARG(mode, mode); + AUDIT_ARG_FFLAGS(flags); + AUDIT_ARG_MODE(mode); /* XXX: audit dirfd */ /* * Only one of the O_EXEC, O_RDONLY, O_WRONLY and O_RDWR may @@ -1265,8 +1265,8 @@ kern_mknodat(struct thread *td, int fd, char *path, enum uio_seg pathseg, struct nameidata nd; int vfslocked; - AUDIT_ARG(mode, mode); - AUDIT_ARG(dev, dev); + AUDIT_ARG_MODE(mode); + AUDIT_ARG_DEV(dev); switch (mode & S_IFMT) { case S_IFCHR: case S_IFBLK: @@ -1414,7 +1414,7 @@ kern_mkfifoat(struct thread *td, int fd, char *path, enum uio_seg pathseg, struct nameidata nd; int vfslocked; - AUDIT_ARG(mode, mode); + AUDIT_ARG_MODE(mode); restart: bwillwrite(); NDINIT_AT(&nd, CREATE, LOCKPARENT | SAVENAME | MPSAFE | AUDITVNODE1, @@ -1677,7 +1677,7 @@ kern_symlinkat(struct thread *td, char *path1, int fd, char *path2, if ((error = copyinstr(path1, syspath, MAXPATHLEN, NULL)) != 0) goto out; } - AUDIT_ARG(text, syspath); + AUDIT_ARG_TEXT(syspath); restart: bwillwrite(); NDINIT_AT(&nd, CREATE, LOCKPARENT | SAVENAME | MPSAFE | AUDITVNODE1, @@ -2689,7 +2689,7 @@ chflags(td, uap) struct nameidata nd; int vfslocked; - AUDIT_ARG(fflags, uap->flags); + AUDIT_ARG_FFLAGS(uap->flags); NDINIT(&nd, LOOKUP, FOLLOW | MPSAFE | AUDITVNODE1, UIO_USERSPACE, uap->path, td); if ((error = namei(&nd)) != 0) @@ -2717,7 +2717,7 @@ lchflags(td, uap) struct nameidata nd; int vfslocked; - AUDIT_ARG(fflags, uap->flags); + AUDIT_ARG_FFLAGS(uap->flags); NDINIT(&nd, LOOKUP, NOFOLLOW | MPSAFE | AUDITVNODE1, UIO_USERSPACE, uap->path, td); if ((error = namei(&nd)) != 0) @@ -2751,14 +2751,14 @@ fchflags(td, uap) int vfslocked; int error; - AUDIT_ARG(fd, uap->fd); - AUDIT_ARG(fflags, uap->flags); + AUDIT_ARG_FD(uap->fd); + AUDIT_ARG_FFLAGS(uap->flags); if ((error = getvnode(td->td_proc->p_fd, uap->fd, &fp)) != 0) return (error); vfslocked = VFS_LOCK_GIANT(fp->f_vnode->v_mount); #ifdef AUDIT vn_lock(fp->f_vnode, LK_SHARED | LK_RETRY); - AUDIT_ARG(vnode, fp->f_vnode, ARG_VNODE1); + AUDIT_ARG_VNODE(fp->f_vnode, ARG_VNODE1); VOP_UNLOCK(fp->f_vnode, 0); #endif error = setfflags(td, fp->f_vnode, uap->flags); @@ -2877,7 +2877,7 @@ kern_fchmodat(struct thread *td, int fd, char *path, enum uio_seg pathseg, int vfslocked; int follow; - AUDIT_ARG(mode, mode); + AUDIT_ARG_MODE(mode); follow = (flag & AT_SYMLINK_NOFOLLOW) ? NOFOLLOW : FOLLOW; NDINIT_AT(&nd, LOOKUP, follow | MPSAFE | AUDITVNODE1, pathseg, path, fd, td); @@ -2912,14 +2912,14 @@ fchmod(td, uap) int vfslocked; int error; - AUDIT_ARG(fd, uap->fd); - AUDIT_ARG(mode, uap->mode); + AUDIT_ARG_FD(uap->fd); + AUDIT_ARG_MODE(uap->mode); if ((error = getvnode(td->td_proc->p_fd, uap->fd, &fp)) != 0) return (error); vfslocked = VFS_LOCK_GIANT(fp->f_vnode->v_mount); #ifdef AUDIT vn_lock(fp->f_vnode, LK_SHARED | LK_RETRY); - AUDIT_ARG(vnode, fp->f_vnode, ARG_VNODE1); + AUDIT_ARG_VNODE(fp->f_vnode, ARG_VNODE1); VOP_UNLOCK(fp->f_vnode, 0); #endif error = setfmode(td, fp->f_vnode, uap->mode); @@ -3019,7 +3019,7 @@ kern_fchownat(struct thread *td, int fd, char *path, enum uio_seg pathseg, struct nameidata nd; int error, vfslocked, follow; - AUDIT_ARG(owner, uid, gid); + AUDIT_ARG_OWNER(uid, gid); follow = (flag & AT_SYMLINK_NOFOLLOW) ? NOFOLLOW : FOLLOW; NDINIT_AT(&nd, LOOKUP, follow | MPSAFE | AUDITVNODE1, pathseg, path, fd, td); @@ -3089,14 +3089,14 @@ fchown(td, uap) int vfslocked; int error; - AUDIT_ARG(fd, uap->fd); - AUDIT_ARG(owner, uap->uid, uap->gid); + AUDIT_ARG_FD(uap->fd); + AUDIT_ARG_OWNER(uap->uid, uap->gid); if ((error = getvnode(td->td_proc->p_fd, uap->fd, &fp)) != 0) return (error); vfslocked = VFS_LOCK_GIANT(fp->f_vnode->v_mount); #ifdef AUDIT vn_lock(fp->f_vnode, LK_SHARED | LK_RETRY); - AUDIT_ARG(vnode, fp->f_vnode, ARG_VNODE1); + AUDIT_ARG_VNODE(fp->f_vnode, ARG_VNODE1); VOP_UNLOCK(fp->f_vnode, 0); #endif error = setfown(td, fp->f_vnode, uap->uid, uap->gid); @@ -3324,7 +3324,7 @@ kern_futimes(struct thread *td, int fd, struct timeval *tptr, int vfslocked; int error; - AUDIT_ARG(fd, fd); + AUDIT_ARG_FD(fd); if ((error = getutimes(tptr, tptrseg, ts)) != 0) return (error); if ((error = getvnode(td->td_proc->p_fd, fd, &fp)) != 0) @@ -3332,7 +3332,7 @@ kern_futimes(struct thread *td, int fd, struct timeval *tptr, vfslocked = VFS_LOCK_GIANT(fp->f_vnode->v_mount); #ifdef AUDIT vn_lock(fp->f_vnode, LK_SHARED | LK_RETRY); - AUDIT_ARG(vnode, fp->f_vnode, ARG_VNODE1); + AUDIT_ARG_VNODE(fp->f_vnode, ARG_VNODE1); VOP_UNLOCK(fp->f_vnode, 0); #endif error = setutimes(td, fp->f_vnode, ts, 2, tptr == NULL); @@ -3478,7 +3478,7 @@ fsync(td, uap) int vfslocked; int error, lock_flags; - AUDIT_ARG(fd, uap->fd); + AUDIT_ARG_FD(uap->fd); if ((error = getvnode(td->td_proc->p_fd, uap->fd, &fp)) != 0) return (error); vp = fp->f_vnode; @@ -3492,7 +3492,7 @@ fsync(td, uap) lock_flags = LK_EXCLUSIVE; } vn_lock(vp, lock_flags | LK_RETRY); - AUDIT_ARG(vnode, vp, ARG_VNODE1); + AUDIT_ARG_VNODE(vp, ARG_VNODE1); if (vp->v_object != NULL) { VM_OBJECT_LOCK(vp->v_object); vm_object_page_clean(vp->v_object, 0, 0, 0); @@ -3717,7 +3717,7 @@ kern_mkdirat(struct thread *td, int fd, char *path, enum uio_seg segflg, struct nameidata nd; int vfslocked; - AUDIT_ARG(mode, mode); + AUDIT_ARG_MODE(mode); restart: bwillwrite(); NDINIT_AT(&nd, CREATE, LOCKPARENT | SAVENAME | MPSAFE | AUDITVNODE1, @@ -4056,7 +4056,7 @@ kern_getdirentries(struct thread *td, int fd, char *buf, u_int count, long loff; int error, eofflag; - AUDIT_ARG(fd, fd); + AUDIT_ARG_FD(fd); if (count > INT_MAX) return (EINVAL); if ((error = getvnode(td->td_proc->p_fd, fd, &fp)) != 0) @@ -4082,7 +4082,7 @@ unionread: auio.uio_td = td; auio.uio_resid = count; vn_lock(vp, LK_SHARED | LK_RETRY); - AUDIT_ARG(vnode, vp, ARG_VNODE1); + AUDIT_ARG_VNODE(vp, ARG_VNODE1); loff = auio.uio_offset = fp->f_offset; #ifdef MAC error = mac_vnode_check_readdir(td->td_ucred, vp); diff --git a/sys/nfs/nfs_nfssvc.c b/sys/nfs/nfs_nfssvc.c index 9379fbe77463..b9186be7eee3 100644 --- a/sys/nfs/nfs_nfssvc.c +++ b/sys/nfs/nfs_nfssvc.c @@ -79,7 +79,7 @@ nfssvc(struct thread *td, struct nfssvc_args *uap) KASSERT(!mtx_owned(&Giant), ("nfssvc(): called with Giant")); - AUDIT_ARG(cmd, uap->flag); + AUDIT_ARG_CMD(uap->flag); error = priv_check(td, PRIV_NFS_DAEMON); if (error) diff --git a/sys/security/audit/audit.h b/sys/security/audit/audit.h index 5ba2aee5dc42..e94121dac161 100644 --- a/sys/security/audit/audit.h +++ b/sys/security/audit/audit.h @@ -182,12 +182,149 @@ void audit_thread_alloc(struct thread *td); void audit_thread_free(struct thread *td); /* - * Define a macro to wrap the audit_arg_* calls by checking the global + * Define macros to wrap the audit_arg_* calls by checking the global * audit_enabled flag before performing the actual call. */ -#define AUDIT_ARG(op, args...) do { \ - if (td->td_pflags & TDP_AUDITREC) \ - audit_arg_ ## op (args); \ +#define AUDITING_TD(td) ((td)->td_pflags & TDP_AUDITREC) + +#define AUDIT_ARG_ADDR(addr) do { \ + if (AUDITING_TD(curthread)) \ + audit_arg_addr((addr)); \ +} while (0) + +#define AUDIT_ARG_ARGV(argv, argc, length) do { \ + if (AUDITING_TD(curthread)) \ + audit_arg_argv((argv), (argc), (length)); \ +} while (0) + +#define AUDIT_ARG_AUDITON(udata) do { \ + if (AUDITING_TD(curthread)) \ + audit_arg_auditon((udata)); \ +} while (0) + +#define AUDIT_ARG_CMD(cmd) do { \ + if (AUDITING_TD(curthread)) \ + audit_arg_cmd((cmd)); \ +} while (0) + +#define AUDIT_ARG_DEV(dev) do { \ + if (AUDITING_TD(curthread)) \ + audit_arg_dev((dev)); \ +} while (0) + +#define AUDIT_ARG_EGID(egid) do { \ + if (AUDITING_TD(curthread)) \ + audit_arg_egid((egid)); \ +} while (0) + +#define AUDIT_ARG_ENVV(envv, envc, length) do { \ + if (AUDITING_TD(curthread)) \ + audit_arg_envv((envv), (envc), (length)); \ +} while (0) + +#define AUDIT_ARG_EXIT(status, retval) do { \ + if (AUDITING_TD(curthread)) \ + audit_arg_exit((status), (retval)); \ +} while (0) + +#define AUDIT_ARG_EUID(euid) do { \ + if (AUDITING_TD(curthread)) \ + audit_arg_euid((euid)); \ +} while (0) + +#define AUDIT_ARG_FD(fd) do { \ + if (AUDITING_TD(curthread)) \ + audit_arg_fd((fd)); \ +} while (0) + +#define AUDIT_ARG_FILE(p, fp) do { \ + if (AUDITING_TD(curthread)) \ + audit_arg_file((p), (fp)); \ +} while (0) + +#define AUDIT_ARG_FFLAGS(fflags) do { \ + if (AUDITING_TD(curthread)) \ + audit_arg_fflags((fflags)); \ +} while (0) + +#define AUDIT_ARG_GID(gid) do { \ + if (AUDITING_TD(curthread)) \ + audit_arg_gid((gid)); \ +} while (0) + +#define AUDIT_ARG_GROUPSET(gidset, gidset_size) do { \ + if (AUDITING_TD(curthread)) \ + audit_arg_groupset((gidset), (gidset_size)); \ +} while (0) + +#define AUDIT_ARG_MODE(mode) do { \ + if (AUDITING_TD(curthread)) \ + audit_arg_mode((mode)); \ +} while (0) + +#define AUDIT_ARG_OWNER(uid, gid) do { \ + if (AUDITING_TD(curthread)) \ + audit_arg_owner((uid), (gid)); \ +} while (0) + +#define AUDIT_ARG_PID(pid) do { \ + if (AUDITING_TD(curthread)) \ + audit_arg_pid((pid)); \ +} while (0) + +#define AUDIT_ARG_PROCESS(p) do { \ + if (AUDITING_TD(curthread)) \ + audit_arg_process((p)); \ +} while (0) + +#define AUDIT_ARG_RGID(rgid) do { \ + if (AUDITING_TD(curthread)) \ + audit_arg_gid((rgid)); \ +} while (0) + +#define AUDIT_ARG_RUID(ruid) do { \ + if (AUDITING_TD(curthread)) \ + audit_arg_ruid((ruid)); \ +} while (0) + +#define AUDIT_ARG_SIGNUM(signum) do { \ + if (AUDITING_TD(curthread)) \ + audit_arg_signum((signum)); \ +} while (0) + +#define AUDIT_ARG_SGID(sgid) do { \ + if (AUDITING_TD(curthread)) \ + audit_arg_sgid((sgid)); \ +} while (0) + +#define AUDIT_ARG_SUID(suid) do { \ + if (AUDITING_TD(curthread)) \ + audit_arg_suid((suid)); \ +} while (0) + +#define AUDIT_ARG_TEXT(text) do { \ + if (AUDITING_TD(curthread)) \ + audit_arg_text((text)); \ +} while (0) + +#define AUDIT_ARG_UID(uid) do { \ + if (AUDITING_TD(curthread)) \ + audit_arg_uid((uid)); \ +} while (0) + +#define AUDIT_ARG_UPATH(td, upath, flags) do { \ + if (AUDITING_TD(curthread)) \ + audit_arg_upath((td), (upath), (flags)); \ +} while (0) + +#define AUDIT_ARG_VALUE(value) do { \ + if (AUDITING_TD(curthread)) \ + audit_arg_value((value)); \ +} while (0) + +#define AUDIT_ARG_VNODE(vp, flags) do { \ + if (AUDITING_TD(curthread)) \ + audit_arg_vnode((vp), (flags)); \ } while (0) #define AUDIT_SYSCALL_ENTER(code, td) do { \ @@ -216,17 +353,39 @@ void audit_thread_free(struct thread *td); #else /* !AUDIT */ -#define AUDIT_ARG(op, args...) do { \ -} while (0) +#define AUDIT_ARG_ADDR(addr) +#define AUDIT_ARG_ARGV(argv, argc, length) +#define AUDIT_ARG_AUDITON(udata) +#define AUDIT_ARG_CMD(cmd) +#define AUDIT_ARG_DEV(dev) +#define AUDIT_ARG_EGID(egid) +#define AUDIT_ARG_ENVV(envv, envc, length) +#define AUDIT_ARG_EXIT(status, retval) +#define AUDIT_ARG_EUID(euid) +#define AUDIT_ARG_FD(fd) +#define AUDIT_ARG_FILE(p, fp) +#define AUDIT_ARG_FFLAGS(fflags) +#define AUDIT_ARG_GID(gid) +#define AUDIT_ARG_GROUPSET(gidset, gidset_size) +#define AUDIT_ARG_MODE(mode) +#define AUDIT_ARG_OWNER(uid, gid) +#define AUDIT_ARG_PID(pid) +#define AUDIT_ARG_PROCESS(p) +#define AUDIT_ARG_RGID(rgid) +#define AUDIT_ARG_RUID(ruid) +#define AUDIT_ARG_SIGNUM(signum) +#define AUDIT_ARG_SGID(sgid) +#define AUDIT_ARG_SUID(suid) +#define AUDIT_ARG_TEXT(text) +#define AUDIT_ARG_UID(uid) +#define AUDIT_ARG_UPATH(td, upath, flags) +#define AUDIT_ARG_VALUE(value) +#define AUDIT_ARG_VNODE(vp, flags) -#define AUDIT_SYSCALL_ENTER(code, td) do { \ -} while (0) +#define AUDIT_SYSCALL_ENTER(code, td) +#define AUDIT_SYSCALL_EXIT(error, td) -#define AUDIT_SYSCALL_EXIT(error, td) do { \ -} while (0) - -#define AUDIT_SYSCLOSE(p, fd) do { \ -} while (0) +#define AUDIT_SYSCLOSE(p, fd) #endif /* AUDIT */ diff --git a/sys/security/audit/audit_syscalls.c b/sys/security/audit/audit_syscalls.c index 18116609038f..075aac549ac9 100644 --- a/sys/security/audit/audit_syscalls.c +++ b/sys/security/audit/audit_syscalls.c @@ -163,7 +163,7 @@ auditon(struct thread *td, struct auditon_args *uap) if (jailed(td->td_ucred)) return (ENOSYS); - AUDIT_ARG(cmd, uap->cmd); + AUDIT_ARG_CMD(uap->cmd); #ifdef MAC error = mac_system_check_auditon(td->td_ucred, uap->cmd); @@ -205,7 +205,7 @@ auditon(struct thread *td, struct auditon_args *uap) error = copyin(uap->data, (void *)&udata, uap->length); if (error) return (error); - AUDIT_ARG(auditon, &udata); + AUDIT_ARG_AUDITON(&udata); break; } |