src - FreeBSD source tree

diff options


context:
space:
mode:

author	Robert Watson <rwatson@FreeBSD.org>	2017-03-31 13:43:00 +0000
committer	Robert Watson <rwatson@FreeBSD.org>	2017-03-31 13:43:00 +0000
commit	15bcf785ba268a1fb2b270233a7ae56d9e0ebc3a (patch)
tree	c1256bc0e58074fd3b7b1fe98a8148f625289b73 /sys/security
parent	788e62864f8684da8459c5cbb5b88c34ee1c4bf5 (diff)
download	src-15bcf785ba268a1fb2b270233a7ae56d9e0ebc3a.tar.gz src-15bcf785ba268a1fb2b270233a7ae56d9e0ebc3a.zip

Notes

Diffstat (limited to 'sys/security')

-rw-r--r--

sys/security/audit/audit.h

-rw-r--r--

sys/security/audit/audit_arg.c

2 files changed, 56 insertions, 0 deletions

diff --git a/sys/security/audit/audit.h b/sys/security/audit/audit.h
index 181fc725f76d..184e79ae3765 100644
--- a/sys/security/audit/audit.h
+++ b/sys/security/audit/audit.h

@@ -106,7 +106,9 @@ void audit_arg_auid(uid_t auid);

void audit_arg_auditinfo(struct auditinfo *au_info);

void audit_arg_auditinfo_addr(struct auditinfo_addr *au_info);

void audit_arg_upath1(struct thread *td, int dirfd, char *upath);

+void audit_arg_upath1_canon(char *upath);

void audit_arg_upath2(struct thread *td, int dirfd, char *upath);

+void audit_arg_upath2_canon(char *upath);

void audit_arg_vnode1(struct vnode *vp);

void audit_arg_vnode2(struct vnode *vp);

void audit_arg_text(char *text);

@@ -334,11 +336,21 @@ void audit_thread_free(struct thread *td);

audit_arg_upath1((td), (dirfd), (upath)); \

} while (0)

+#define AUDIT_ARG_UPATH1_CANON(upath) do { \

+ if (AUDITING_TD(curthread)) \

+ audit_arg_upath1_canon((upath)); \

+} while (0)

#define AUDIT_ARG_UPATH2(td, dirfd, upath) do { \

if (AUDITING_TD(curthread)) \

audit_arg_upath2((td), (dirfd), (upath)); \

} while (0)

+#define AUDIT_ARG_UPATH2_CANON(upath) do { \

+ if (AUDITING_TD(curthread)) \

+ audit_arg_upath2_canon((upath)); \

+} while (0)

#define AUDIT_ARG_VALUE(value) do { \

if (AUDITING_TD(curthread)) \

audit_arg_value((value)); \

@@ -419,7 +431,9 @@ void audit_thread_free(struct thread *td);

#define AUDIT_ARG_TEXT(text)

#define AUDIT_ARG_UID(uid)

#define AUDIT_ARG_UPATH1(td, dirfd, upath)

+#define AUDIT_ARG_UPATH1_NONCANON(td, upath)

#define AUDIT_ARG_UPATH2(td, dirfd, upath)

+#define AUDIT_ARG_UPATH2_NONCANON(td, upath)

#define AUDIT_ARG_VALUE(value)

#define AUDIT_ARG_VNODE1(vp)

#define AUDIT_ARG_VNODE2(vp)

diff --git a/sys/security/audit/audit_arg.c b/sys/security/audit/audit_arg.c
index c5da731c4691..0c106bfecbd1 100644
--- a/sys/security/audit/audit_arg.c
+++ b/sys/security/audit/audit_arg.c

@@ -766,6 +766,48 @@ audit_arg_upath2(struct thread *td, int dirfd, char *upath)

}

+ * Variants on path auditing that do not canonicalise the path passed in;

+ * these are for use with filesystem-like subsystems that employ string names,

+ * but do not support a hierarchical namespace -- for example, POSIX IPC

+ * objects. The subsystem should have performed any necessary

+ * canonicalisation required to make the paths useful to audit analysis.

+ */

+static void

+audit_arg_upath_canon(char *upath, char **pathp)

+ if (*pathp == NULL)

+ *pathp = malloc(MAXPATHLEN, M_AUDITPATH, M_WAITOK);

+ (void)snprintf(*pathp, MAXPATHLEN, "%s", upath);

+void

+audit_arg_upath1_canon(char *upath)

+ struct kaudit_record *ar;

+ ar = currecord();

+ if (ar == NULL)

+ return;

+ audit_arg_upath_canon(upath, &ar->k_ar.ar_arg_upath1);

+ ARG_SET_VALID(ar, ARG_UPATH1);

+void

+audit_arg_upath2_canon(char *upath)

+ struct kaudit_record *ar;

+ ar = currecord();

+ if (ar == NULL)

+ return;

+ audit_arg_upath_canon(upath, &ar->k_ar.ar_arg_upath2);

+ ARG_SET_VALID(ar, ARG_UPATH2);

+/*

* Function to save the path and vnode attr information into the audit

* record.