audit(4): Syscalls dealing with file access via file-handles
Closed, Public

Authored by aniketp on Thu, Jun 14, 4:54 AM.

Details

Summary

The following change introduces 3 system calls dealing with retrieving file information
with the help of file handles. The system calls are categorized as audit events
within the file-attribute-access audit class.

List of system calls:

  • fhopen(2)
  • fhstat(2)
  • fhstatfs(2)

Test Plan

Execute make && make install from test/sys/audit.
Execute kyua test from /usr/tests/sys/audit. All testcases should succeed.

Diff Detail

Repository
rS FreeBSD src repository
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.
aniketp created this revision. Thu, Jun 14, 4:54 AM
asomers requested changes to this revision. Thu, Jun 14, 1:30 PM
asomers added inline comments.
tests/sys/audit/file-attribute-access.c
389 ↗(On Diff #43743)

Do you have a test for getfh itself anywhere?

417 ↗(On Diff #43743)

This is a read from uninitialized memory, and isn't guaranteed to fail. Better would be to deliberately construct an invalid fhandle_t. However, I don't see any obvious way to do that. So a better test might be to call fhopen with a valid fhandle_t, but make it fail for some other reason. For example, the man page says it will fail if O_CREAT is set.

468 ↗(On Diff #43743)

Another read from uninitialized memory here.

519 ↗(On Diff #43743)

And here.

This revision now requires changes to proceed. Thu, Jun 14, 1:30 PM
aniketp added inline comments. Thu, Jun 14, 1:50 PM
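The failure case suggested in the review above (a valid fhandle_t from getfh(2), with fhopen(2) made to fail through O_CREAT) can be sketched as follows. This is an added example, not code from the reviewed diff or the FreeBSD test suite; the function name, the result enum and the use of "/" as the test path are assumptions, and it only shows the failure trigger, not the audit-trail check the real tests perform.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/param.h>
#include <sys/mount.h>
#endif

/* Hypothetical result codes for this example only. */
enum fh_result { FH_PASS = 0, FH_FAIL = 1, FH_SKIP = 2 };

/*
 * An uninitialized fhandle_t holds whatever was on the stack, so the kernel
 * may or may not reject it. Here the handle is valid (from getfh(2)) and the
 * failure is forced by the flags instead, which is repeatable.
 */
enum fh_result
fhopen_failure_case(const char *path)
{
#ifdef __FreeBSD__
	fhandle_t fh;
	int fd;

	memset(&fh, 0, sizeof(fh));	/* never hand stack garbage to the kernel */
	if (getfh(path, &fh) == -1)
		return (FH_SKIP);	/* precondition unmet, e.g. not root */
	fd = fhopen(&fh, O_RDONLY | O_CREAT);	/* O_CREAT must make it fail */
	if (fd != -1) {
		close(fd);
		return (FH_FAIL);	/* the call unexpectedly succeeded */
	}
	printf("fhopen failed as expected: %s\n", strerror(errno));
	return (FH_PASS);
#else
	(void)path;			/* fhopen(2)/getfh(2) are FreeBSD calls */
	return (FH_SKIP);
#endif
}

int
main(void)
{
	enum fh_result r = fhopen_failure_case("/");

	printf("result: %s\n",
	    r == FH_PASS ? "pass" : r == FH_FAIL ? "FAIL" : "skipped");
	return (r == FH_FAIL);
}
```

On systems other than FreeBSD, or when getfh(2) is not permitted, the function reports the case as skipped rather than passed.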
tests/sys/audit/file-attribute-access.c
389 ↗(On Diff #43743)

Yes @asomers, I have tested getfh(2), which is weirdly audited as nfs_getfh(2), and that too in the administrative audit class.
Here is the test for nfs_getfh(2): https://github.com/aniketp/AuditTestSuite/blob/master/audit/administrative.c#L157

aniketp updated this revision to Diff 43753. Thu, Jun 14, 2:06 PM

Replace uninitialized buffers with NULL for the failure cases

You also need to update Makefile.

@asomers, I'm adding these tests on top of already existing tests in file-attribute-access. Why would updating the Makefile be necessary here?

Oh, I see the real problem now. Your last submission accidentally disabled these tests: https://reviews.freebsd.org/D15795#inline-96266 .

asomers accepted this revision. Thu, Jun 14, 3:02 PM
This revision is now accepted and ready to land. Thu, Jun 14, 3:02 PM
This revision was automatically updated to reflect the committed changes.