#
336207 |
|
11-Jul-2018 |
asomers |
MFC r334296:
Fix "Bad tailq" panic when auditing auditon(A_SETCLASS, ...)
Due to an oversight in r195280, auditon(A_SETCLASS, ...) would cause a tailq element to get added to the tailq twice, resulting in a circular tailq. This panics when INVARIANTS are on.
Differential Revision: https://reviews.freebsd.org/D15381
|
#
331722 |
|
29-Mar-2018 |
eadler |
Revert r330897:
This was intended to be a non-functional change. It wasn't. The commit message was thus wrong. In addition it broke arm, and merged crypto related code.
Revert with prejudice.
This revert skips files touched in r316370 since that commit was since MFCed. This revert also skips files that require $FreeBSD$ property changes.
Thank you to those who helped me get out of this mess including but not limited to gonzo, kevans, rgrimes.
Requested by: gjb (re)
|
#
330897 |
|
14-Mar-2018 |
eadler |
Partial merge of the SPDX changes
These changes are incomplete but are making it difficult to determine what other changes can/should be merged.
No objections from: pfg
|
#
302408 |
|
07-Jul-2016 |
gjb |
Copy head@r302406 to stable/11 as part of the 11.0-RELEASE cycle. Prune svn:mergeinfo from the new branch, as nothing has been merged here.
Additional commits post-branch will follow.
Approved by: re (implicit) Sponsored by: The FreeBSD Foundation
|
#
301867 |
|
13-Jun-2016 |
rwatson |
Implement AUE_PREAD and AUE_PWRITE BSM conversion support, eliminating console warnings when pread(2) and pwrite(2) are used with full system-call auditing enabled. We audit the same file-descriptor data for these calls as we do read(2) and write(2).
Approved by: re (kib) MFC after: 3 days Sponsored by: DARPA, AFRL
|
#
255219 |
|
04-Sep-2013 |
pjd |
Change the cap_rights_t type from uint64_t to a structure that we can extend in the future in a backward compatible (API and ABI) way.
The cap_rights_t represents capability rights. We used to use one bit to represent one right, but we are running out of spare bits. Currently the new structure provides place for 114 rights (so 50 more than the previous cap_rights_t), but it is possible to grow the structure to hold at least 285 rights, although we can make it even larger if 285 rights won't be enough.
The structure definition looks like this:
struct cap_rights { uint64_t cr_rights[CAP_RIGHTS_VERSION + 2]; };
The initial CAP_RIGHTS_VERSION is 0.
The top two bits in the first element of the cr_rights[] array contain total number of elements in the array - 2. This means if those two bits are equal to 0, we have 2 array elements.
The top two bits in all remaining array elements should be 0. The next five bits in all array elements contain array index. Only one bit is used and bit position in this five-bits range defines array index. This means there can be at most five array elements in the future.
To define a new right, the CAPRIGHT() macro must be used. The macro takes two arguments - an array index and a bit to set, eg.
#define CAP_PDKILL CAPRIGHT(1, 0x0000000000000800ULL)
We still support aliases that combine a few rights, but the rights have to belong to the same array element, eg:
#define CAP_LOOKUP CAPRIGHT(0, 0x0000000000000400ULL)
#define CAP_FCHMOD CAPRIGHT(0, 0x0000000000002000ULL)
#define CAP_FCHMODAT (CAP_FCHMOD | CAP_LOOKUP)
There is new API to manage the new cap_rights_t structure:
cap_rights_t *cap_rights_init(cap_rights_t *rights, ...);
void cap_rights_set(cap_rights_t *rights, ...);
void cap_rights_clear(cap_rights_t *rights, ...);
bool cap_rights_is_set(const cap_rights_t *rights, ...);
bool cap_rights_is_valid(const cap_rights_t *rights);
void cap_rights_merge(cap_rights_t *dst, const cap_rights_t *src);
void cap_rights_remove(cap_rights_t *dst, const cap_rights_t *src);
bool cap_rights_contains(const cap_rights_t *big, const cap_rights_t *little);
Capability rights to the cap_rights_init(), cap_rights_set(), cap_rights_clear() and cap_rights_is_set() functions are provided by separating them with commas, eg:
cap_rights_t rights;
cap_rights_init(&rights, CAP_READ, CAP_WRITE, CAP_FSTAT);
There is no need to terminate the list of rights, as those functions are actually macros that take care of the termination, eg:
#define cap_rights_set(rights, ...) \
	__cap_rights_set((rights), __VA_ARGS__, 0ULL)
void __cap_rights_set(cap_rights_t *rights, ...);
Thanks to using one bit as an array index we can assert in those functions that there are no two rights belonging to different array elements provided together. For example this is illegal and will be detected, because CAP_LOOKUP belongs to element 0 and CAP_PDKILL to element 1:
cap_rights_init(&rights, CAP_LOOKUP | CAP_PDKILL);
Providing several rights that belong to the same array element this way is correct, but is not advised. It should only be used for alias definitions.
This commit also breaks compatibility with some existing Capsicum system calls, but I see no other way to do that. This should be fine as Capsicum is still experimental and this change is not going to 9.x.
Sponsored by: The FreeBSD Foundation
|
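The structure layout and the one-hot index check described in the r255219 message above, reimplemented as a stand-alone example. This is added illustration, not FreeBSD's sys/capsicum.h or kernel code. The two-bit element count, the five one-hot index bits, the CAPRIGHT() form and the bit values of CAP_LOOKUP, CAP_FCHMOD and CAP_PDKILL come from the message; placing the first index bit at bit 57, the placeholder bits for CAP_READ and CAP_FSTAT, and returning false where the kernel asserts are this example's assumptions.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define CAP_RIGHTS_VERSION 0

typedef struct cap_rights {
    uint64_t cr_rights[CAP_RIGHTS_VERSION + 2];
} cap_rights_t;

/* Layout from the message: bits 63-62 of element 0 hold (elements - 2), bits
 * 61-57 of every element hold a one-hot array index (hence at most five
 * elements), the low 57 bits are rights. Bit 57 as first index bit is assumed. */
#define CAPRIGHT(idx, bit)  ((1ULL << (57 + (idx))) | (bit))
#define CAPIDXBITS(r)       (((r) >> 57) & 0x1FULL)
#define CAPARSIZE(rights)   ((int)((rights)->cr_rights[0] >> 62) + 2)

/* CAP_LOOKUP, CAP_FCHMOD and CAP_PDKILL are quoted in the message; the
 * CAP_READ and CAP_FSTAT bit positions are placeholders for this example. */
#define CAP_READ      CAPRIGHT(0, 0x0000000000000001ULL)
#define CAP_FSTAT     CAPRIGHT(0, 0x0000000000000040ULL)
#define CAP_LOOKUP    CAPRIGHT(0, 0x0000000000000400ULL)
#define CAP_FCHMOD    CAPRIGHT(0, 0x0000000000002000ULL)
#define CAP_FCHMODAT  (CAP_FCHMOD | CAP_LOOKUP)
#define CAP_PDKILL    CAPRIGHT(1, 0x0000000000000800ULL)

/* Element a right or alias lives in; -1 if the index bits are not exactly
 * one-hot, i.e. rights from different elements were ORed together. */
static int cap_right_index(uint64_t right) {
    uint64_t idx = CAPIDXBITS(right);
    int i = 0;
    if (idx == 0 || (idx & (idx - 1)) != 0) return -1;
    while ((idx >> i) != 1) i++;
    return i;
}

static bool cap_rights_is_valid(const cap_rights_t *rights) {
    int n = CAPARSIZE(rights);
    if (n < 2 || n > CAP_RIGHTS_VERSION + 2) return false;  /* claims more than stored */
    for (int i = 0; i < n; i++) {
        uint64_t r = rights->cr_rights[i];
        if (i > 0 && (r >> 62) != 0) return false;  /* count bits only in element 0 */
        if (cap_right_index(r) != i) return false;  /* index bit must match its slot */
    }
    return true;
}

/* cap_rights_init(): clear, then OR each right into the element its index bit
 * names. The list ends with the 0ULL the macro appends. Returns false where
 * the kernel asserts: index bits not one-hot, or an element we do not have. */
static bool __cap_rights_init(cap_rights_t *rights, ...) {
    unsigned long long right; bool ok = true; va_list ap;
    for (int i = 0; i < CAP_RIGHTS_VERSION + 2; i++)
        rights->cr_rights[i] = CAPRIGHT(i, 0);
    rights->cr_rights[0] |= (uint64_t)CAP_RIGHTS_VERSION << 62;
    va_start(ap, rights);
    while (ok && (right = va_arg(ap, unsigned long long)) != 0ULL) {
        int i = cap_right_index(right);
        ok = i >= 0 && i < CAPARSIZE(rights);
        if (ok) rights->cr_rights[i] |= right;
    }
    va_end(ap);
    return ok;
}
#define cap_rights_init(rights, ...) __cap_rights_init((rights), __VA_ARGS__, 0ULL)

static bool __cap_rights_is_set(const cap_rights_t *rights, ...) {
    unsigned long long right; bool ok = true; va_list ap;
    va_start(ap, rights);
    while (ok && (right = va_arg(ap, unsigned long long)) != 0ULL) {
        int i = cap_right_index(right);
        ok = i >= 0 && i < CAPARSIZE(rights) && (rights->cr_rights[i] & right) == right;
    }
    va_end(ap);
    return ok;
}
#define cap_rights_is_set(rights, ...) __cap_rights_is_set((rights), __VA_ARGS__, 0ULL)

/* big covers little when every element of little is a subset of big's. */
static bool cap_rights_contains(const cap_rights_t *big, const cap_rights_t *little) {
    if (CAPARSIZE(big) != CAPARSIZE(little)) return false;
    for (int i = 0; i < CAPARSIZE(big); i++)
        if ((big->cr_rights[i] & little->cr_rights[i]) != little->cr_rights[i]) return false;
    return true;
}

/* The scenarios from the message: 0 when all behave as described, else the
 * number of the first step that did not. */
static int demo(void) {
    cap_rights_t rights, limited;
    if (!cap_rights_init(&rights, CAP_READ, CAP_FSTAT, CAP_PDKILL)) return 1;
    if (!cap_rights_is_valid(&rights))                        return 2;
    if (!cap_rights_is_set(&rights, CAP_READ, CAP_PDKILL))    return 3;
    if (!cap_rights_init(&limited, CAP_READ))                 return 4;
    if (cap_rights_is_set(&limited, CAP_PDKILL))              return 5;
    if (!cap_rights_contains(&rights, &limited))              return 6;
    if (cap_rights_contains(&limited, &rights))               return 7;
    /* Illegal: CAP_LOOKUP is in element 0, CAP_PDKILL in element 1. */
    if (cap_rights_init(&limited, CAP_LOOKUP | CAP_PDKILL))   return 8;
    /* Legal alias: both halves of CAP_FCHMODAT sit in element 0. */
    if (!cap_rights_init(&limited, CAP_FCHMODAT))             return 9;
    if (!cap_rights_is_set(&limited, CAP_FCHMOD, CAP_LOOKUP)) return 10;
    return 0;
}

int main(void) {
    int rc = demo();
    printf("cap_rights demo: %s (step %d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc != 0;
}
```

The one-hot index bit is what makes the mixed-element alias detectable: ORing CAP_LOOKUP and CAP_PDKILL sets two index bits, so cap_right_index() rejects the value before it can be stored, while CAP_FCHMODAT keeps a single index bit and passes. A validity check that verifies the index bit of each slot also catches a cap_rights_t whose elements were copied out of order.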
#
247667 |
|
02-Mar-2013 |
pjd |
- Implement two new system calls:
int bindat(int fd, int s, const struct sockaddr *addr, socklen_t addrlen);
int connectat(int fd, int s, const struct sockaddr *name, socklen_t namelen);
which allow binding and connecting, respectively, to a UNIX domain socket with a path relative to the directory associated with the given file descriptor 'fd'.
- Add manual pages for the new syscalls.
- Make the new syscalls available for processes in capability mode sandbox.
- Add capability rights CAP_BINDAT and CAP_CONNECTAT that have to be present on the directory descriptor for the syscalls to work.
- Update audit(4) to support those two new syscalls and to handle path in sockaddr_un structure relative to the given directory descriptor.
- Update procstat(1) to recognize the new capability rights.
- Document the new capability rights in cap_rights_limit(2).
Sponsored by: The FreeBSD Foundation Discussed with: rwatson, jilles, kib, des
|
#
247602 |
|
01-Mar-2013 |
pjd |
Merge Capsicum overhaul:
- A capability is no longer a separate descriptor type. Now every descriptor has a set of its own capability rights.
- The cap_new(2) system call is left, but it is no longer documented and should not be used in new code.
- The new syscall cap_rights_limit(2) should be used instead of cap_new(2), which limits capability rights of the given descriptor without creating a new one.
- The cap_getrights(2) syscall is renamed to cap_rights_get(2).
- If CAP_IOCTL capability right is present we can further reduce allowed ioctls list with the new cap_ioctls_limit(2) syscall. List of allowed ioctls can be retrieved with cap_ioctls_get(2) syscall.
- If CAP_FCNTL capability right is present we can further reduce fcntls that can be used with the new cap_fcntls_limit(2) syscall and retrieve them with cap_fcntls_get(2).
- To support ioctl and fcntl white-listing the filedesc structure was heavily modified.
- The audit subsystem, kdump and procstat tools were updated to recognize new syscalls.
- Capability rights were revised and even though I tried hard to provide backward API and ABI compatibility there are some incompatible changes that are described in detail below:
CAP_CREATE old behaviour:
- Allow for openat(2)+O_CREAT.
- Allow for linkat(2).
- Allow for symlinkat(2).
CAP_CREATE new behaviour:
- Allow for openat(2)+O_CREAT.
Added CAP_LINKAT:
- Allow for linkat(2). ABI: Reuses CAP_RMDIR bit.
- Allow to be target for renameat(2).
Added CAP_SYMLINKAT:
- Allow for symlinkat(2).
Removed CAP_DELETE. Old behaviour:
- Allow for unlinkat(2) when removing non-directory object.
- Allow to be source for renameat(2).
Removed CAP_RMDIR. Old behaviour:
- Allow for unlinkat(2) when removing directory.
Added CAP_RENAMEAT:
- Required for source directory for the renameat(2) syscall.
Added CAP_UNLINKAT (effectively it replaces CAP_DELETE and CAP_RMDIR):
- Allow for unlinkat(2) on any object.
- Required if target of renameat(2) exists and will be removed by this call.
Removed CAP_MAPEXEC.
CAP_MMAP old behaviour:
- Allow for mmap(2) with any combination of PROT_NONE, PROT_READ and PROT_WRITE.
CAP_MMAP new behaviour:
- Allow for mmap(2)+PROT_NONE.
Added CAP_MMAP_R:
- Allow for mmap(PROT_READ).
Added CAP_MMAP_W:
- Allow for mmap(PROT_WRITE).
Added CAP_MMAP_X:
- Allow for mmap(PROT_EXEC).
Added CAP_MMAP_RW:
- Allow for mmap(PROT_READ | PROT_WRITE).
Added CAP_MMAP_RX:
- Allow for mmap(PROT_READ | PROT_EXEC).
Added CAP_MMAP_WX:
- Allow for mmap(PROT_WRITE | PROT_EXEC).
Added CAP_MMAP_RWX:
- Allow for mmap(PROT_READ | PROT_WRITE | PROT_EXEC).
Renamed CAP_MKDIR to CAP_MKDIRAT.
Renamed CAP_MKFIFO to CAP_MKFIFOAT.
Renamed CAP_MKNODE to CAP_MKNODEAT.
CAP_READ old behaviour:
- Allow pread(2).
- Disallow read(2), readv(2) (if there is no CAP_SEEK).
CAP_READ new behaviour:
- Allow read(2), readv(2).
- Disallow pread(2) (CAP_SEEK was also required).
CAP_WRITE old behaviour:
- Allow pwrite(2).
- Disallow write(2), writev(2) (if there is no CAP_SEEK).
CAP_WRITE new behaviour:
- Allow write(2), writev(2).
- Disallow pwrite(2) (CAP_SEEK was also required).
Added convenient defines:
#define CAP_PREAD (CAP_SEEK | CAP_READ)
#define CAP_PWRITE (CAP_SEEK | CAP_WRITE)
#define CAP_MMAP_R (CAP_MMAP | CAP_SEEK | CAP_READ)
#define CAP_MMAP_W (CAP_MMAP | CAP_SEEK | CAP_WRITE)
#define CAP_MMAP_X (CAP_MMAP | CAP_SEEK | 0x0000000000000008ULL)
#define CAP_MMAP_RW (CAP_MMAP_R | CAP_MMAP_W)
#define CAP_MMAP_RX (CAP_MMAP_R | CAP_MMAP_X)
#define CAP_MMAP_WX (CAP_MMAP_W | CAP_MMAP_X)
#define CAP_MMAP_RWX (CAP_MMAP_R | CAP_MMAP_W | CAP_MMAP_X)
#define CAP_RECV CAP_READ
#define CAP_SEND CAP_WRITE
#define CAP_SOCK_CLIENT \
	(CAP_CONNECT | CAP_GETPEERNAME | CAP_GETSOCKNAME | CAP_GETSOCKOPT | \
	CAP_PEELOFF | CAP_RECV | CAP_SEND | CAP_SETSOCKOPT | CAP_SHUTDOWN)
#define CAP_SOCK_SERVER \
	(CAP_ACCEPT | CAP_BIND | CAP_GETPEERNAME | CAP_GETSOCKNAME | \
	CAP_GETSOCKOPT | CAP_LISTEN | CAP_PEELOFF | CAP_RECV | CAP_SEND | \
	CAP_SETSOCKOPT | CAP_SHUTDOWN)
Added defines for backward API compatibility:
#define CAP_MAPEXEC CAP_MMAP_X
#define CAP_DELETE CAP_UNLINKAT
#define CAP_MKDIR CAP_MKDIRAT
#define CAP_RMDIR CAP_UNLINKAT
#define CAP_MKFIFO CAP_MKFIFOAT
#define CAP_MKNOD CAP_MKNODAT
#define CAP_SOCK_ALL (CAP_SOCK_CLIENT | CAP_SOCK_SERVER)
Sponsored by: The FreeBSD Foundation Reviewed by: Christoph Mallon <christoph.mallon@gmx.de> Many aspects discussed with: rwatson, benl, jonathan ABI compatibility discussed with: kib
|
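The revised CAP_READ / CAP_SEEK / CAP_MMAP semantics from the r247602 message above, as an added example of the check a capability-mode syscall entry performs. This is illustration written for this page, not FreeBSD's own code. Rights are a plain uint64_t here, as they were at this revision, and the composite defines are copied from the message; apart from the 0x8 exec bit the individual bit values, the rights_for_* helpers, the cap_check() name and the use of ENOTCAPABLE (FreeBSD's errno 93) are this example's assumptions.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/mman.h>

#ifndef ENOTCAPABLE
#define ENOTCAPABLE 93          /* FreeBSD's errno for a missing capability right */
#endif

typedef uint64_t cap_rights_t;  /* the one-bit-per-right form used at this revision */

/* Only the 0x8 exec bit below is quoted in the message; the other bit
 * positions are placeholders for this example. */
#define CAP_READ  0x0000000000000001ULL
#define CAP_WRITE 0x0000000000000002ULL
#define CAP_SEEK  0x0000000000000004ULL
#define CAP_MMAP  0x0000000000000010ULL

/* Composite rights exactly as defined in the message. */
#define CAP_PREAD    (CAP_SEEK | CAP_READ)
#define CAP_PWRITE   (CAP_SEEK | CAP_WRITE)
#define CAP_MMAP_R   (CAP_MMAP | CAP_SEEK | CAP_READ)
#define CAP_MMAP_W   (CAP_MMAP | CAP_SEEK | CAP_WRITE)
#define CAP_MMAP_X   (CAP_MMAP | CAP_SEEK | 0x0000000000000008ULL)
#define CAP_MMAP_RW  (CAP_MMAP_R | CAP_MMAP_W)
#define CAP_MMAP_RX  (CAP_MMAP_R | CAP_MMAP_X)
#define CAP_MMAP_WX  (CAP_MMAP_W | CAP_MMAP_X)
#define CAP_MMAP_RWX (CAP_MMAP_R | CAP_MMAP_W | CAP_MMAP_X)

/* New semantics: read(2)/readv(2) need CAP_READ only; pread(2) also needs
 * CAP_SEEK because it names an offset. Likewise for the write family. */
static cap_rights_t rights_for_read(bool positional)  { return positional ? CAP_PREAD : CAP_READ; }
static cap_rights_t rights_for_write(bool positional) { return positional ? CAP_PWRITE : CAP_WRITE; }

/* mmap(2): CAP_MMAP alone covers PROT_NONE; each PROT_* bit requested pulls in
 * the matching CAP_MMAP_* composite, so the rights on the descriptor bound the
 * protections any mapping of it can have. */
static cap_rights_t rights_for_mmap(int prot) {
    cap_rights_t need = CAP_MMAP;
    if (prot & PROT_READ)  need |= CAP_MMAP_R;
    if (prot & PROT_WRITE) need |= CAP_MMAP_W;
    if (prot & PROT_EXEC)  need |= CAP_MMAP_X;
    return need;
}

/* The check at syscall entry: 0 when the descriptor's rights cover what the
 * call needs, otherwise ENOTCAPABLE. */
static int cap_check(cap_rights_t have, cap_rights_t need) {
    return (have & need) == need ? 0 : ENOTCAPABLE;
}

/* Two descriptors limited the way a sandboxed program would limit them: a log
 * it may only read sequentially, and a data file it may map but never execute.
 * Returns the number of outcomes that do not match the semantics above. */
static int demo(void) {
    cap_rights_t logfd = CAP_READ;
    cap_rights_t datafd = CAP_MMAP_RW;
    int bad = 0;
    bad += cap_check(logfd, rights_for_read(false)) != 0;                 /* read(2) ok */
    bad += cap_check(logfd, rights_for_read(true)) != ENOTCAPABLE;        /* pread(2) denied */
    bad += cap_check(logfd, rights_for_mmap(PROT_READ)) != ENOTCAPABLE;   /* no CAP_MMAP */
    bad += cap_check(datafd, rights_for_mmap(PROT_READ | PROT_WRITE)) != 0;
    bad += cap_check(datafd, rights_for_mmap(PROT_READ | PROT_EXEC)) != ENOTCAPABLE; /* W^X held */
    bad += cap_check(datafd, rights_for_write(true)) != 0;  /* CAP_MMAP_W carries CAP_PWRITE */
    bad += cap_check(CAP_MMAP, rights_for_mmap(PROT_NONE)) != 0;          /* reserve-only mapping */
    return bad;
}

int main(void) {
    int bad = demo();
    printf("capability checks: %d unexpected outcome(s)\n", bad);
    return bad != 0;
}
```

The last two demo lines carry the caveat: because CAP_MMAP_W is defined as CAP_MMAP | CAP_SEEK | CAP_WRITE, a descriptor limited to it also satisfies pwrite(2), so granting mapping rights implicitly grants positional I/O, and a descriptor with bare CAP_MMAP can still be used for a PROT_NONE reservation.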
#
246911 |
|
17-Feb-2013 |
pjd |
Remove redundant check.
|
#
245573 |
|
17-Jan-2013 |
csjp |
Implement the zonename token for jailed processes. If a process has an auditid/preselection masks specified, and is jailed, include the zonename (jailname) token as a part of the audit record.
Reviewed by: pjd MFC after: 2 weeks
|
#
243727 |
|
30-Nov-2012 |
pjd |
IFp4 @208452:
Audit handling for missing events:
- AUE_READLINKAT
- AUE_FACCESSAT
- AUE_MKDIRAT
- AUE_MKFIFOAT
- AUE_MKNODAT
- AUE_SYMLINKAT
Sponsored by: FreeBSD Foundation (auditdistd) MFC after: 2 weeks
|
#
224181 |
|
18-Jul-2011 |
jonathan |
Provide ability to audit cap_rights_t arguments.
We wish to be able to audit capability rights arguments; this code provides the necessary infrastructure.
This commit does not, of itself, turn on such auditing for any system call; that should follow shortly.
Approved by: mentor (rwatson), re (Capsicum blanket) Sponsored by: Google Inc
|
#
207615 |
|
04-May-2010 |
csjp |
Add a case to make sure that internal audit records get converted to BSM format for lpathconf(2) events.
MFC after: 2 weeks
|
#
203328 |
|
31-Jan-2010 |
csjp |
Make sure we convert audit records that were produced as the result of the closefrom(2) syscall.
|
#
195925 |
|
28-Jul-2009 |
rwatson |
Audit file descriptors passed to fooat(2) system calls, which are used instead of the root/current working directory as the starting point for lookups. Up to two such descriptors can be audited. Add audit record BSM encoding for fooat(2).
Note: due to an error in the OpenBSM 1.1p1 configuration file, a further change is required to that file in order to fix openat(2) auditing.
Approved by: re (kib) Reviewed by: rdivacky (fooat(2) portions) Obtained from: TrustedBSD Project MFC after: 1 month
|
#
195291 |
|
02-Jul-2009 |
rwatson |
Create audit records for AUE_POSIX_OPENPT, currently w/o arguments.
Approved by: re (audit argument blanket)
|
#
195282 |
|
02-Jul-2009 |
rwatson |
Fix comment misthink.
Submitted by: b. f. <bf1783 at googlemail.com> Approved by: re (audit argument blanket) MFC after: 1 week
|
#
195280 |
|
02-Jul-2009 |
rwatson |
Clean up a number of aspects of token generation from audit arguments to system calls:
- Centralize generation of argument tokens for VM addresses in a macro, ADDR_TOKEN(), and properly encode 64-bit addresses in 64-bit arguments.
- Fix up argument numbers across a large number of syscalls so that they match the numeric argument into the system call.
- Don't audit the address argument to ioctl(2) or ptrace(2), but do keep generating tokens for mmap(2), minherit(2), since they relate to passing object access across execve(2).
Approved by: re (audit argument blanket) Obtained from: TrustedBSD Project MFC after: 1 week
|
#
195267 |
|
01-Jul-2009 |
rwatson |
For access(2) and eaccess(2), audit the requested access mode.
Approved by: re (audit argument blanket) MFC after: 3 days
|
#
195247 |
|
01-Jul-2009 |
rwatson |
When auditing unmount(2), capture FSID arguments as regular text strings rather than as paths, which would lead to them being treated as relative pathnames and hence confusingly converted into absolute pathnames.
Capture flags to unmount(2) via an argument token.
Approved by: re (audit argument blanket) MFC after: 3 days
|
#
195242 |
|
01-Jul-2009 |
rwatson |
Audit the file descriptor number passed to lseek(2).
Approved by: re (kib) MFC after: 3 days
|
#
195235 |
|
01-Jul-2009 |
rwatson |
Audit the 'options' argument to wait4(2).
Approved by: re (kib) MFC after: 3 days
|
#
191270 |
|
19-Apr-2009 |
rwatson |
Merge OpenBSM 1.1 changes to the FreeBSD 8.x kernel:
- Add and use mapping of fcntl(2) commands to new BSM constant space.
- Adopt (int) rather than (long) arguments to a number of auditon(2) commands, as has happened in Solaris, and add compatibility code to handle the old comments.
Note that BSM_PF_IEEE80211 is partially but not fully removed, as the userspace OpenBSM 1.1alpha5 code still depends on it. Once userspace is updated, I'll GCC the kernel constant.
MFC after: 2 weeks Sponsored by: Apple, Inc. Obtained from: TrustedBSD Project Portions submitted by: sson
|
#
188312 |
|
08-Feb-2009 |
rwatson |
Audit AUE_MAC_EXECVE; currently just the standard AUE_EXECVE arguments and not the label.
Obtained from: TrustedBSD Project Sponsored by: Apple, Inc. MFC after: 1 week
|
#
188311 |
|
08-Feb-2009 |
rwatson |
Audit the flag argument to the nfssvc(2) system call.
Obtained from: TrustedBSD Project Sponsored by: Apple, Inc.
|
#
186649 |
|
31-Dec-2008 |
rwatson |
Call au_errno_to_bsm() on the errno value passed into au_to_return32() to convert local FreeBSD error numbers into BSM error numbers.
Obtained from: TrustedBSD Project
|
#
185293 |
|
25-Nov-2008 |
rwatson |
Regularize /* FALLTHROUGH */ comments in the BSM event type switch, and add one that was missing.
MFC after: 3 weeks Coverity ID: 3960
|
#
184856 |
|
11-Nov-2008 |
csjp |
Add support for extended header BSM tokens. Currently we use the regular header tokens. The extended header tokens contain an IP or IPv6 address which makes it possible to identify which host an audit record came from when audit records are centralized.
If the host information has not been specified, the system will default to the old style headers. Otherwise, audit records that are created as a result of system calls will contain host information.
This implementation has been designed to be consistent with the Solaris implementation. Host information is set/retrieved using the A_GETKAUDIT and A_SETKAUDIT auditon(2) commands. These commands require that a pointer to an auditinfo_addr_t object is passed. Currently only IP and IPv6 address families are supported.
The userspace bits associated with this change will follow in an openbsm import.
Reviewed by: rwatson, (sson, wsalamon (older version)) MFC after: 1 month
|
#
182158 |
|
25-Aug-2008 |
rwatson |
More fully audit fexecve(2) and its arguments.
Obtained from: TrustedBSD Project Sponsored by: Google, Inc.
|
#
180716 |
|
22-Jul-2008 |
rwatson |
If an AUE_SYSCTL_NONADMIN audit event is selected, generate a record with equivalent content to AUE_SYSCTL.
Obtained from: Apple Inc. MFC after: 3 days
|
#
180715 |
|
22-Jul-2008 |
rwatson |
Further minor style fixes to audit.
Obtained from: Apple Inc. MFC after: 3 days
|
#
180712 |
|
22-Jul-2008 |
rwatson |
Remove unneeded \ at the end of a macro.
Obtained from: Apple Inc. MFC after: 3 days
|
#
180711 |
|
22-Jul-2008 |
rwatson |
Further minor white space tweaks.
Obtained from: Apple Inc. MFC after: 3 days
|
#
180709 |
|
22-Jul-2008 |
rwatson |
Generally avoid <space><tab> as a white space anomaly.
Obtained from: Apple Inc. MFC after: 3 days
|
#
180708 |
|
22-Jul-2008 |
rwatson |
Use #define<tab> rather than #define<space>.
Obtained from: Apple Inc. MFC after: 3 days
|
#
180706 |
|
22-Jul-2008 |
rwatson |
Comment fix.
Obtained from: Apple Inc. MFC after: 3 days
|
#
180704 |
|
22-Jul-2008 |
rwatson |
Comment typo fix.
Obtained from: Apple Inc. MFC after: 3 days
|
#
180701 |
|
22-Jul-2008 |
rwatson |
In preparation to sync Apple and FreeBSD versions of security audit, pick up the Apple Computer -> Apple change in their copyright and license templates.
Obtained from: Apple Inc. MFC after: 3 days
|
#
178186 |
|
13-Apr-2008 |
rwatson |
Use __FBSDID() for $FreeBSD$ IDs in the audit code.
MFC after: 3 days
|
#
176565 |
|
25-Feb-2008 |
rwatson |
Rename several audit functions in the global kernel symbol namespace to have audit_ on the front:
- canon_path -> audit_canon_path
- msgctl_to_event -> audit_msgctl_to_event
- semctl_to_event -> audit_semctl_to_event
MFC after: 1 month
|
#
175456 |
|
18-Jan-2008 |
csjp |
Fix gratuitous whitespace bug
MFC after: 1 week Obtained from: TrustedBSD Project
|
#
175455 |
|
18-Jan-2008 |
csjp |
Add a case for AUE_LISTEN. This removes the following console error message:
"BSM conversion requested for unknown event 43140"
It should be noted that we need to audit the fd argument for this system call.
Obtained from: TrustedBSD Project MFC after: 1 week
|
#
172995 |
|
25-Oct-2007 |
csjp |
Implement AUE_CORE, which adds process core dump support into the kernel. This change introduces audit_proc_coredump() which is called by coredump(9) to create an audit record for the coredump event. When a process dumps a core, it could be security relevant. It could be an indicator that a stack within the process has been overflowed with an incorrectly constructed malicious payload or a number of other events.
The record that is generated looks like this:
header,111,10,process dumped core,0,Thu Oct 25 19:36:29 2007, + 179 msec
argument,0,0xb,signal
path,/usr/home/csjp/test.core
subject,csjp,csjp,staff,csjp,staff,1101,1095,50457,10.37.129.2
return,success,1
trailer,111
- We allocate a completely new record to make sure we aren't clobbering the audit data associated with the syscall that produced the core (assuming the core is being generated in response to SIGABRT and not an invalid memory access).
- Shuffle around expand_name() so we can use the coredump name at the very beginning of the coredump call. Make sure we free the storage referenced by "name" if we need to bail out early.
- Audit both successful and failed coredump creation efforts
Obtained from: TrustedBSD Project Reviewed by: rwatson MFC after: 1 month
|
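A detector for the AUE_CORE record shown in the r172995 message above, as an added example that is not from the page or the FreeBSD project. It parses praudit-style text, pulls the signal, core path and audit user out of each "process dumped core" record, and flags the fault signals (SIGILL, SIGABRT, SIGBUS, SIGSEGV, numbered as on FreeBSD) that the message gives as the reason a core dump is security relevant. The trail is constructed: the first record is the one printed in the message, the other two are made up here, and the field layout assumed for the argument, path and subject lines is read off that same record.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed praudit-style trail. The first record is the one printed in the
 * commit message; the other two are made up for this example. */
static const char SAMPLE_TRAIL[] =
    "header,111,10,process dumped core,0,Thu Oct 25 19:36:29 2007, + 179 msec\n"
    "argument,0,0xb,signal\n"
    "path,/usr/home/csjp/test.core\n"
    "subject,csjp,csjp,staff,csjp,staff,1101,1095,50457,10.37.129.2\n"
    "return,success,1\n"
    "trailer,111\n"
    "header,97,10,open(2) - read,0,Thu Oct 25 19:36:30 2007, + 12 msec\n"
    "path,/etc/passwd\n"
    "subject,csjp,csjp,staff,csjp,staff,1102,1095,50457,10.37.129.2\n"
    "return,success,4\n"
    "trailer,97\n"
    "header,112,10,process dumped core,0,Thu Oct 25 19:37:02 2007, + 5 msec\n"
    "argument,0,0x3,signal\n"
    "path,/usr/home/csjp/sleep.core\n"
    "subject,csjp,csjp,staff,csjp,staff,1103,1095,50457,10.37.129.2\n"
    "return,success,1\n"
    "trailer,112\n";

typedef struct core_event {
    char user[32];   /* audit user id, first field of the subject token */
    char path[128];  /* where the core was written */
    long signal;
    bool flagged;    /* signal points at a fault rather than a requested dump */
} core_event_t;

/* Signal numbers as on FreeBSD: SIGILL 4, SIGABRT 6, SIGBUS 10, SIGSEGV 11.
 * SIGQUIT (3) is a user asking for a core and is not flagged. */
static bool is_crash_signal(long sig) {
    return sig == 4 || sig == 6 || sig == 10 || sig == 11;
}

/* Copy comma-separated field n (0-based) of line into dst; false if absent. */
static bool field(const char *line, int n, char *dst, size_t dstlen) {
    const char *p = line, *end;
    size_t len;
    for (int i = 0; i < n; i++) {
        if ((p = strchr(p, ',')) == NULL) return false;
        p++;
    }
    end = strchr(p, ',');
    len = end ? (size_t)(end - p) : strlen(p);
    if (len >= dstlen) len = dstlen - 1;
    memcpy(dst, p, len);
    dst[len] = '\0';
    return true;
}

/* Walk the trail one line at a time; a record runs from its header line to its
 * trailer line. Returns the number of "process dumped core" records seen and
 * stores up to max of them in out (out may be NULL when max is 0). */
static int scan_core_dumps(const char *trail, core_event_t *out, int max) {
    char line[256], tok[64];
    core_event_t cur;
    bool in_core = false;
    int count = 0;
    memset(&cur, 0, sizeof(cur));
    for (const char *p = trail; *p != '\0'; ) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len >= sizeof(line)) len = sizeof(line) - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        p = nl ? nl + 1 : p + strlen(p);
        if (strncmp(line, "header,", 7) == 0) {
            memset(&cur, 0, sizeof(cur));
            in_core = field(line, 3, tok, sizeof(tok)) && strcmp(tok, "process dumped core") == 0;
        } else if (!in_core) {
            continue;
        } else if (strncmp(line, "argument,", 9) == 0) {
            /* argument,<argnum>,<value>,<name>: keep the one named "signal" */
            if (field(line, 3, tok, sizeof(tok)) && strcmp(tok, "signal") == 0 &&
                field(line, 2, tok, sizeof(tok)))
                cur.signal = strtol(tok, NULL, 0);   /* base 0 accepts 0xb */
        } else if (strncmp(line, "path,", 5) == 0) {
            field(line, 1, cur.path, sizeof(cur.path));
        } else if (strncmp(line, "subject,", 8) == 0) {
            field(line, 1, cur.user, sizeof(cur.user));
        } else if (strncmp(line, "trailer,", 8) == 0) {
            cur.flagged = is_crash_signal(cur.signal);
            if (count < max) out[count] = cur;
            count++;
            in_core = false;
        }
    }
    return count;
}

/* How many core dumps in the trail look like faults. */
static int count_flagged(const char *trail) {
    core_event_t ev[16];
    int n = scan_core_dumps(trail, ev, 16), flagged = 0;
    for (int i = 0; i < n && i < 16; i++) flagged += ev[i].flagged;
    return flagged;
}

/* Signal of the n-th core record, or -1 if there is no such record. */
static long nth_core_signal(const char *trail, int n) {
    core_event_t ev[16];
    int found = scan_core_dumps(trail, ev, 16);
    return (n >= 0 && n < found && n < 16) ? ev[n].signal : -1;
}

int main(void) {
    core_event_t ev[16];
    int n = scan_core_dumps(SAMPLE_TRAIL, ev, 16);
    for (int i = 0; i < n && i < 16; i++)
        printf("%s core=%s signal=%ld user=%s\n", ev[i].flagged ? "ALERT" : "info ",
               ev[i].path, ev[i].signal, ev[i].user);
    return count_flagged(SAMPLE_TRAIL) > 0;
}
```

Keying on the trailer line rather than the header is what lets the scanner tolerate records of varying length; the message notes that failed core dumps are audited too, and those records reach the trailer with the return token reporting failure, so a production version would also keep the return line to separate "crashed and dumped" from "crashed and could not dump".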
#
172915 |
|
23-Oct-2007 |
csjp |
Use extended process token. The in kernel process audit state is stored in an extended subject token now. Make sure that we are using the extended data. This fixes the termID for process tokens.
Obtained from: TrustedBSD Project Discussed with: rwatson MFC after: 1 week
|
#
171144 |
|
01-Jul-2007 |
rwatson |
Remove two boot printfs generated by Audit to announce its presence, and replace with software-testable sysctl node (security.audit) that can be used to detect kernel audit support.
Obtained from: TrustedBSD Project Approved by: re (kensmith)
|
#
171066 |
|
27-Jun-2007 |
csjp |
- Add audit_arg_audinfo_addr() for auditing the arguments for setaudit_addr(2)
- In audit_bsm.c, make sure all the arguments: ARG_AUID, ARG_ASID, ARG_AMASK, and ARG_TERMID{_ADDR} are valid before auditing their arguments. (This is done for both setaudit and setaudit_addr.)
- Audit the arguments passed to setaudit_addr(2)
- AF_INET6 does not equate to AU_IPv6. Change this in au_to_in_addr_ex() so the audit token is created with the correct type. This fixes the processing of the in_addr_ex token in userspace.
- Change the size of the token (as generated by the kernel) from 5*4 bytes to 4*4 bytes (the correct size of an ip6 address)
- Correct regression from ucred work which resulted in getaudit() not returning E2BIG if the subject had an ip6 termid
- Correct slight regression in getaudit(2) which resulted in the size of a pointer being passed instead of the size of the structure. (This resulted in invalid auditinfo data being returned via getaudit(2))
Reviewed by: rwatson Approved by: re@ (kensmith) Obtained from: TrustedBSD Project MFC after: 1 month
|
#
170585 |
|
11-Jun-2007 |
rwatson |
Clean up, and sometimes remove, a number of audit-related implementation comments.
Obtained from: TrustedBSD Project
|
#
170196 |
|
01-Jun-2007 |
rwatson |
Clean up audit comments--formatting, spelling, etc.
|
#
168688 |
|
13-Apr-2007 |
csjp |
Fix the handling of IPv6 addresses for subject and process BSM audit tokens. Currently, we do not support the set{get}audit_addr(2) system calls which allow processes like sshd to set extended or ip6 information for subject tokens.
The approach that was taken was to change the process audit state slightly to use an extended terminal ID in the kernel. This allows us to store both IPv4 and IPv6 addresses. In the case that an IPv4 address is in use, we convert the terminal ID from a struct auditinfo_addr to a struct auditinfo.
If getaudit(2) is called when the subject is bound to an ip6 address, we return E2BIG.
- Change the internal audit record to store an extended terminal ID
- Introduce ARG_TERMID_ADDR
- Change the kaudit <-> BSM conversion process so that we are using the appropriate subject token. If the address associated with the subject is IPv4, we use the standard subject32 token. If the subject has an IPv6 address associated with them, we use an extended subject32 token.
- Fix a couple of endian issues where we do a couple of byte swaps when we shouldn't be. IP addresses are already in the correct byte order, so reading the ip6 address 4 bytes at a time and swapping them results in incorrect address data. It should be noted that the same issue was found in the openbsm library and it has been changed there too on the vendor branch
- Change A_GETPINFO to use the appropriate structures
- Implement A_GETPINFO_ADDR which basically does what A_GETPINFO does, but can also handle ip6 addresses
- Adjust get{set}audit(2) syscalls to convert the data auditinfo <-> auditinfo_addr
- Fully implement set{get}audit_addr(2)
NOTE: This adds the ability for processes to correctly set extended subject information. The appropriate userspace utilities still need to be updated.
MFC after: 1 month Reviewed by: rwatson Obtained from: TrustedBSD
|
#
162990 |
|
03-Oct-2006 |
rwatson |
Add BSM conversion switch entries for a number of system calls, many administrative, to prevent console warnings and enable basic event auditing (generally without arguments).
MFC after: 3 days Obtained from: TrustedBSD Project
|
#
162466 |
|
20-Sep-2006 |
rwatson |
Rather than allocating all buffer memory for the completed BSM record when allocating the record in the first place, allocate the final buffer when closing the BSM record. At that point, more size information is available, so a sufficiently large buffer can be allocated.
This allows the kernel to generate audit records in excess of MAXAUDITDATA bytes, but is consistent with Solaris's behavior. This only comes up when auditing command line arguments, in which case we presume the administrator really does want the data as they have specified the policy flag to gather them.
Obtained from: TrustedBSD Project MFC after: 3 days
|
#
162419 |
|
18-Sep-2006 |
csjp |
Make sure that lutimes(2) gets processed and converted into a BSM record.
Submitted by: rwatson MFC after: 1 day
|
#
162372 |
|
17-Sep-2006 |
rwatson |
Add AUE_SYSARCH to the list of audit events during BSM conversion to prevent a console warning. Eventually, we will capture more arguments for sysarch.
Obtained from: TrustedBSD Project MFC after: 3 days
|
#
162177 |
|
09-Sep-2006 |
rwatson |
Add a BSM conversion switch case for AUE_GETCWD, so that a console warning isn't generated when __getcwd() is invoked.
MFC after: 3 days Obtained from: TrustedBSD Project
|
#
161813 |
|
01-Sep-2006 |
wsalamon |
Audit the argv and env vectors passed in on exec: Add the argument auditing functions for argv and env. Add kernel-specific versions of the tokenizer functions for the arg and env represented as a char array. Implement the AUDIT_ARGV and AUDIT_ARGE audit policy commands to enable/disable argv/env auditing. Call the argument auditing from the exec system calls.
Obtained from: TrustedBSD Project Approved by: rwatson (mentor)
|
#
161635 |
|
26-Aug-2006 |
rwatson |
Update kernel OpenBSM parts, especially src/sys/bsm, for the OpenBSM 1.0 alpha 9 import. See the OpenBSM import commit message for a detailed summary of changes.
Obtained from: TrustedBSD Project
|
#
160136 |
|
06-Jul-2006 |
wsalamon |
Audit the remaining parameters to the extattr system calls. Generate the audit records for those calls.
Obtained from: TrustedBSD Project Approved by: rwatson (mentor)
|
#
159278 |
|
05-Jun-2006 |
rwatson |
When generating BSM tokens for mkfifo(), include mode argument.
Submitted by: wsalamon Obtained from: TrustedBSD Project
|
#
159277 |
|
05-Jun-2006 |
rwatson |
When generating the process token, need to check whether the process was successfully audited. Otherwise, generate the PID token. This change covers the pid < 0 cases, and pid lookup failure cases.
Submitted by: wsalamon Obtained from: TrustedBSD Project
|
#
159259 |
|
05-Jun-2006 |
rwatson |
Merge OpenBSM 1.0 alpha 6 changes for BSM token creation to src/sys/security/audit:
- Clarify and clean up AUR_ types to match Solaris.
- Clean up use of host vs. network byte order for IP addresses.
- Remove combined user/kernel implementations of some token creation calls, such as au_to_file(), header calls, etc.
Obtained from: TrustedBSD Project
|
#
156889 |
|
19-Mar-2006 |
rwatson |
Merge Perforce change 93581 from TrustedBSD audit3 branch:
Mega-style patch.
Obtained from: TrustedBSD Project
|
#
155559 |
|
11-Feb-2006 |
rwatson |
Add stub AUE_EACCESS entry.
Obtained from: TrustedBSD Project
|
#
155271 |
|
03-Feb-2006 |
rwatson |
Cast pointers to (uintptr_t) before down-casting to (int). This avoids an incompatible conversion from a 64-bit pointer to a 32-bit integer on 64-bit platforms. We will investigate whether Solaris uses a 64-bit token here, or a new record here, in order to avoid truncating user pointers that are 64-bit. However, in the mean time, truncation is fine as these are rarely/never used fields in audit records.
Obtained from: TrustedBSD Project
|
#
155192 |
|
01-Feb-2006 |
rwatson |
Import kernel audit framework:
- Management of audit state on processes.
- Audit system calls to configure process and system audit state.
- Reliable audit record queue implementation, audit_worker kernel thread to asynchronously store records on disk.
- Audit event argument.
- Internal audit data structure -> BSM audit trail conversion library.
- Audit event pre-selection.
- Audit pseudo-device permitting kernel->user upcalls to notify auditd of kernel audit events.
Much work by: wsalamon Obtained from: TrustedBSD Project, Apple Computer, Inc.
|