audit: Fix logging of IPv6 addresses
ClosedPublic
Actions

Authored by gallatin on Apr 18 2023, 12:22 AM.

Details

Reviewers

glebius
rwatson
csjp

Commits

rG16de94eaf09b: audit: Fix logging of IPv6 addresses

Summary

Our audit logging was not logging the IP/port information for IPv6 accept() syscalls. It turns out there were 2 problems

kaudit_to_bsm: Log IPv6 as well as IPv4 and unix addrs
au_to_sock_inet128: Treat ports the same way as au_to_sock_inet32(). Just pushing a uint16 causes byte ordering problems on little endian systems.

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

gallatin created this revision.Apr 18 2023, 12:22 AM

Herald added a subscriber: imp. · View Herald TranscriptApr 18 2023, 12:22 AM

gallatin requested review of this revision.Apr 18 2023, 12:22 AM

a few years late to the party here but have you tested this?

Yes I see the problem.. ADD_U_INT16 calls be16enc(), which assumes the input value is in host byte order and converts it to big-endian. However, sin6_port is already stored in network byte order (big-endian). On a little-endian system (like x86 or ARM), the CPU interprets those bytes as a byte-swapped integer, and then be16enc swaps them again. We just need a memcpy here.

csjp accepted this revision.Sun, Apr 19, 5:35 AM

This revision is now accepted and ready to land.Sun, Apr 19, 5:35 AM

I will open a PR to fix au_to_sock_inet128() upstream as well. Thanks for catching this