sys/security/audit/audit_bsm.c
case AUE_CAP_GETMODE: | case AUE_CAP_GETMODE: | ||||
break; | break; | ||||
case AUE_THR_NEW: | case AUE_THR_NEW: | ||||
case AUE_THR_KILL: | case AUE_THR_KILL: | ||||
case AUE_THR_EXIT: | case AUE_THR_EXIT: | ||||
break; | break; | ||||
/* TODO XXX: Should I also log NFS file handle? The sycalls events generally log | |||||
asomers: Users will want to see the file name. Can you log that, or at least log enough information… | |||||
Not Done Inline ActionsNot all RPCs have a filename in their arguments. How can I extract the filename rpc request in NFS server-side? for instance, some nfsrvd_read/write have filehandle as an argument for referencing the file. shivank: Not all RPCs have a filename in their arguments. How can I extract the filename rpc request in… | |||||
Not Done Inline ActionsIt's hard and not always possible. And we want to avoid doing too much work while auditing. That's why it would be acceptable merely to log enough information that a user can reconstruct the file name later. For example, if LOOKUP supplies a filename and returns some kind of opaque file handle, then READ supplies that same file handle, the user can deduce what was read as long as the audit trail contains the filename for LOOKUP and the file handle for both LOOKUP and READ. asomers: It's hard and not always possible. And we want to avoid doing too much work while auditing. | |||||
Not Done Inline ActionsCan vattr.va_fileid from the vnode attr token be used to reconstruct the file name later? In that case, filehandle info would not be needed. shivank: Can `vattr.va_fileid` from the vnode attr token be used to reconstruct the file name later? In… | |||||
* FD VNODE and UPATH tokens. Following that analogy the NFS RPC event can | |||||
* can log filehandle. */ | |||||
case AUE_NFSRPC_GETATTR: | |||||
case AUE_NFSRPC_SETATTR: | |||||
if (ARG_IS_VALID(kar, ARG_VNODE1)) { | |||||
tok = au_to_attr32(&ar->ar_arg_vnode1); | |||||
kau_write(rec, tok); | |||||
} | |||||
break; | |||||
case AUE_NFSRPC_LOOKUP: | |||||
UPATH1_VNODE1_TOKENS; | |||||
break; | |||||
case AUE_NFSRPC_ACCESS: | |||||
if (ARG_IS_VALID(kar, ARG_VNODE1)) { | |||||
tok = au_to_attr32(&ar->ar_arg_vnode1); | |||||
kau_write(rec, tok); | |||||
} | |||||
/* XXX: argument # in this case? */ | |||||
if (ARG_IS_VALID(kar, ARG_MODE)) { | |||||
tok = au_to_arg32(3, "mode", ar->ar_arg_mode); | |||||
kau_write(rec, tok); | |||||
} | |||||
break; | |||||
case AUE_NFSRPC_READLINK: | |||||
case AUE_NFSRPC_READ: | |||||
case AUE_NFSRPC_WRITE: | |||||
if (ARG_IS_VALID(kar, ARG_VNODE1)) { | |||||
tok = au_to_attr32(&ar->ar_arg_vnode1); | |||||
kau_write(rec, tok); | |||||
} | |||||
break; | |||||
case AUE_NFSRPC_CREATE: | |||||
case AUE_NFSRPC_MKDIR: | |||||
if (ARG_IS_VALID(kar, ARG_MODE)) { | |||||
tok = au_to_arg32(3, "mode", ar->ar_arg_mode); | |||||
kau_write(rec, tok); | |||||
} | |||||
UPATH1_VNODE1_TOKENS; | |||||
break; | |||||
case AUE_NFSRPC_SYMLINK: | |||||
UPATH1_VNODE1_TOKENS; | |||||
break; | |||||
case AUE_NFSRPC_MKNOD: | |||||
if (ARG_IS_VALID(kar, ARG_MODE)) { | |||||
tok = au_to_arg32(2, "mode", ar->ar_arg_mode); | |||||
kau_write(rec, tok); | |||||
} | |||||
if (ARG_IS_VALID(kar, ARG_DEV)) { | |||||
tok = au_to_arg32(3, "dev", ar->ar_arg_dev); | |||||
kau_write(rec, tok); | |||||
} | |||||
UPATH1_VNODE1_TOKENS; | |||||
break; | |||||
case AUE_NFSRPC_REMOVE: | |||||
case AUE_NFSRPC_RMDIR: | |||||
UPATH1_VNODE1_TOKENS; | |||||
break; | |||||
case AUE_NFSRPC_RENAME: | |||||
UPATH1_VNODE1_TOKENS; | |||||
UPATH2_TOKENS; | |||||
break; | |||||
case AUE_NFSRPC_LINK: | |||||
UPATH1_VNODE1_TOKENS; | |||||
break; | |||||
case AUE_NFSRPC_READDIR: | |||||
case AUE_NFSRPC_READDIRPLUS: | |||||
case AUE_NFSRPC_FSSTAT: | |||||
case AUE_NFSRPC_FSINFO: | |||||
case AUE_NFSRPC_PATHCONF: | |||||
case AUE_NFSRPC_COMMIT: | |||||
if (ARG_IS_VALID(kar, ARG_VNODE1)) { | |||||
tok = au_to_attr32(&ar->ar_arg_vnode1); | |||||
kau_write(rec, tok); | |||||
} | |||||
break; | |||||
case AUE_NULL: | case AUE_NULL: | ||||
default: | default: | ||||
printf("BSM conversion requested for unknown event %d\n", | printf("BSM conversion requested for unknown event %d\n", | ||||
ar->ar_event); | ar->ar_event); | ||||
/* | /* | ||||
* Write the subject token so it is properly freed here. | * Write the subject token so it is properly freed here. | ||||
*/ | */ | ||||
if (jail_tok != NULL) | if (jail_tok != NULL) | ||||
kau_write(rec, jail_tok); | kau_write(rec, jail_tok); | ||||
kau_write(rec, subj_tok); | kau_write(rec, subj_tok); | ||||
kau_free(rec); | kau_free(rec); | ||||
return (BSM_NOAUDIT); | return (BSM_NOAUDIT); | ||||
} | |||||
/* | |||||
* Write common tokens for NFS RPCs. | |||||
*/ | |||||
if (kar->kaudit_record_type == AUDIT_NFSRPC_RECORD) { | |||||
if (ARG_IS_VALID(kar, ARG_SADDRINET)) { | |||||
tok = au_to_sock_inet((struct sockaddr_in *) | |||||
&ar->ar_arg_sockaddr); | |||||
kau_write(rec, tok); | |||||
} | |||||
} | } | ||||
if (jail_tok != NULL) | if (jail_tok != NULL) | ||||
kau_write(rec, jail_tok); | kau_write(rec, jail_tok); | ||||
kau_write(rec, subj_tok); | kau_write(rec, subj_tok); | ||||
tok = au_to_return32(au_errno_to_bsm(ar->ar_errno), ar->ar_retval); | tok = au_to_return32(au_errno_to_bsm(ar->ar_errno), ar->ar_retval); | ||||
kau_write(rec, tok); /* Every record gets a return token */ | kau_write(rec, tok); /* Every record gets a return token */ | ||||
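Review bot: The AUE_NFSRPC_SETATTR case emits only the attr32 token for the target vnode, so an audit record for an NFS setattr shows which file was modified but not what was requested, unlike the mode tokens written in the CREATE/MKDIR/MKNOD cases just below it; if the NFS server-side hook fills in `ar_arg_mode` for SETATTR (not visible here), the case should write it too, e.g. `if (ARG_IS_VALID(kar, ARG_MODE)) { tok = au_to_arg32(2, "mode", ar->ar_arg_mode); kau_write(rec, tok); }` before the break. The `/* XXX: argument # in this case? */` left in the ACCESS case should be resolved before commit, since arg-token numbers are what praudit readers use to relate the value to the RPC argument; a one-line comment stating which RPC argument the number refers to would suffice. The new block comment above the NFS cases has two typos, "sycalls" and "can can", and its wording should name the analogy directly: `The syscall events generally log FD, VNODE and UPATH tokens; by analogy the NFS RPC events log the vnode attributes and, where available, the path.` The enclosing function starts and ends outside this section.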
Users will want to see the file name. Can you log that, or at least log enough information that the user can reconstruct it?