#
331722 |
|
29-Mar-2018 |
eadler |
Revert r330897:
This was intended to be a non-functional change. It wasn't. The commit message was thus wrong. In addition it broke arm, and merged crypto related code.
Revert with prejudice.
This revert skips files touched in r316370 since that commit was since MFCed. This revert also skips files that require $FreeBSD$ property changes.
Thank you to those who helped me get out of this mess including but not limited to gonzo, kevans, rgrimes.
Requested by: gjb (re)
|
#
330897 |
|
14-Mar-2018 |
eadler |
Partial merge of the SPDX changes
These changes are incomplete but are making it difficult to determine what other changes can/should be merged.
No objections from: pfg
|
#
302408 |
|
07-Jul-2016 |
gjb |
Copy head@r302406 to stable/11 as part of the 11.0-RELEASE cycle. Prune svn:mergeinfo from the new branch, as nothing has been merged here.
Additional commits post-branch will follow.
Approved by: re (implicit) Sponsored by: The FreeBSD Foundation |
#
292522 |
|
20-Dec-2015 |
brueffer |
Merge from contrib/openbsm to bring the kernel audit bits up to date with OpenBSM 1.2 alpha 4:
- remove $P4$ - fix a comment
|
#
255219 |
|
04-Sep-2013 |
pjd |
Change the cap_rights_t type from uint64_t to a structure that we can extend in the future in a backward compatible (API and ABI) way.
The cap_rights_t represents capability rights. We used to use one bit to represent one right, but we are running out of spare bits. Currently the new structure provides place for 114 rights (so 50 more than the previous cap_rights_t), but it is possible to grow the structure to hold at least 285 rights, although we can make it even larger if 285 rights won't be enough.
The structure definition looks like this:
struct cap_rights { uint64_t cr_rights[CAP_RIGHTS_VERSION + 2]; };
The initial CAP_RIGHTS_VERSION is 0.
The top two bits in the first element of the cr_rights[] array contain total number of elements in the array - 2. This means if those two bits are equal to 0, we have 2 array elements.
The top two bits in all remaining array elements should be 0. The next five bits in all array elements contain array index. Only one bit is used and bit position in this five-bits range defines array index. This means there can be at most five array elements in the future.
To define new right the CAPRIGHT() macro must be used. The macro takes two arguments - an array index and a bit to set, eg.
#define CAP_PDKILL CAPRIGHT(1, 0x0000000000000800ULL)
We still support aliases that combine few rights, but the rights have to belong to the same array element, eg:
#define CAP_LOOKUP CAPRIGHT(0, 0x0000000000000400ULL) #define CAP_FCHMOD CAPRIGHT(0, 0x0000000000002000ULL)
#define CAP_FCHMODAT (CAP_FCHMOD | CAP_LOOKUP)
There is new API to manage the new cap_rights_t structure:
cap_rights_t *cap_rights_init(cap_rights_t *rights, ...); void cap_rights_set(cap_rights_t *rights, ...); void cap_rights_clear(cap_rights_t *rights, ...); bool cap_rights_is_set(const cap_rights_t *rights, ...);
bool cap_rights_is_valid(const cap_rights_t *rights); void cap_rights_merge(cap_rights_t *dst, const cap_rights_t *src); void cap_rights_remove(cap_rights_t *dst, const cap_rights_t *src); bool cap_rights_contains(const cap_rights_t *big, const cap_rights_t *little);
Capability rights to the cap_rights_init(), cap_rights_set(), cap_rights_clear() and cap_rights_is_set() functions are provided by separating them with commas, eg:
cap_rights_t rights;
cap_rights_init(&rights, CAP_READ, CAP_WRITE, CAP_FSTAT);
There is no need to terminate the list of rights, as those functions are actually macros that take care of the termination, eg:
#define cap_rights_set(rights, ...) \ __cap_rights_set((rights), __VA_ARGS__, 0ULL) void __cap_rights_set(cap_rights_t *rights, ...);
Thanks to using one bit as an array index we can assert in those functions that there are no two rights belonging to different array elements provided together. For example this is illegal and will be detected, because CAP_LOOKUP belongs to element 0 and CAP_PDKILL to element 1:
cap_rights_init(&rights, CAP_LOOKUP | CAP_PDKILL);
Providing several rights that belongs to the same array's element this way is correct, but is not advised. It should only be used for aliases definition.
This commit also breaks compatibility with some existing Capsicum system calls, but I see no other way to do that. This should be fine as Capsicum is still experimental and this change is not going to 9.x.
Sponsored by: The FreeBSD Foundation
|
#
244267 |
|
15-Dec-2012 |
rwatson |
Four .c files from OpenBSM are used, in modified form, by the kernel to implement the BSM audit trail format. Rename the kernel versions of the files to match the userspace filenames so that it's easier to work out what they correspond to, and therefore ensure they are kept in-sync.
Obtained from: TrustedBSD Project
|
#
243751 |
|
01-Dec-2012 |
rwatson |
Merge OpenBSM 1.2-alpha2 changes from contrib/openbsm to src/sys/{bsm,security/audit}. There are a few tweaks to help with the FreeBSD build environment that will be merged back to OpenBSM. No significant functional changes appear on the kernel side.
Obtained from: TrustedBSD Project Sponsored by: The FreeBSD Foundation (auditdistd)
|
#
196971 |
|
08-Sep-2009 |
phk |
Having thrown the cat out of the house, add a necessary include.
|
#
196970 |
|
08-Sep-2009 |
phk |
Revert previous commit and add myself to the list of people who should know better than to commit with a cat in the area.
|
#
196969 |
|
08-Sep-2009 |
phk |
Add necessary include.
|
#
195740 |
|
17-Jul-2009 |
rwatson |
Import OpenBSM 1.1p1 from vendor branch to 8-CURRENT, populating contrib/openbsm and a subset also imported into sys/security/audit. This patch release addresses several minor issues:
- Fixes to AUT_SOCKUNIX token parsing. - IPv6 support for au_to_me(3). - Improved robustness in the parsing of audit_control, especially long flags/naflags strings and whitespace in all fields. - Add missing conversion of a number of FreeBSD/Mac OS X errnos to/from BSM error number space.
MFC after: 3 weeks Obtained from: TrustedBSD Project Sponsored by: Apple, Inc. Approved by: re (kib)
|
#
191270 |
|
19-Apr-2009 |
rwatson |
Merge OpenBSM 1.1 changes to the FreeBSD 8.x kernel:
- Add and use mapping of fcntl(2) commands to new BSM constant space. - Adopt (int) rather than (long) arguments to a number of auditon(2) commands, as has happened in Solaris, and add compatibility code to handle the old comments.
Note that BSM_PF_IEEE80211 is partially but not fully removed, as the userspace OpenBSM 1.1alpha5 code still depends on it. Once userspace is updated, I'll GCC the kernel constant.
MFC after: 2 weeks Sponsored by: Apple, Inc. Obtained from: TrustedBSD Project Portions submitted by: sson
|
#
189279 |
|
02-Mar-2009 |
rwatson |
Merge OpenBSM 1.1 beta 1 from OpenBSM vendor branch to head, both contrib/openbsm (svn merge) and src/sys/{bsm,security/audit} (manual merge).
OpenBSM history for imported revision below for reference.
MFC after: 1 month Sponsored by: Apple, Inc. Obtained from: TrustedBSD Project
OpenBSM 1.1 beta 1
- The filesz parameter in audit_control(5) now accepts suffixes: 'B' for Bytes, 'K' for Kilobytes, 'M' for Megabytes, and 'G' for Gigabytes. For legacy support no suffix defaults to bytes. - Audit trail log expiration support added. It is configured in audit_control(5) with the expire-after parameter. If there is no expire-after parameter in audit_control(5), the default, then the audit trail files are not expired and removed. See audit_control(5) for more information. - Change defaults in audit_control: warn at 5% rather than 20% free for audit partitions, rotate automatically at 2mb, and set the default policy to cnt,argv rather than cnt so that execve(2) arguments are captured if AUE_EXECVE events are audited. These may provide more usable defaults for many users. - Use au_domain_to_bsm(3) and au_socket_type_to_bsm(3) to convert au_to_socket_ex(3) arguments to BSM format. - Fix error encoding AUT_IPC_PERM tokens.
|
#
187215 |
|
14-Jan-2009 |
rwatson |
Update copyright, P4 version number as audit_bsm_token.c reflects changes in bsm_token.c through #86 from OpenBSM.
MFC after: 1 month Sponsored by: Apple, Inc. Obtained from: TrustedBSD Project
|
#
187214 |
|
14-Jan-2009 |
rwatson |
Merge OpenBSM alpha 5 from OpenBSM vendor branch to head, both contrib/openbsm (svn merge) and src/sys/{bsm,security/audit} (manual merge). Hook up bsm_domain.c and bsm_socket_type.c to the libbsm build along with man pages, add audit_bsm_domain.c and audit_bsm_socket_type.c to the kernel environment.
OpenBSM history for imported revisions below for reference.
MFC after: 1 month Sponsored by: Apple Inc. Obtained from: TrustedBSD Project
OpenBSM 1.1 alpha 5
- Stub libauditd(3) man page added. - All BSM error number constants with BSM_ERRNO_. - Interfaces to convert between local and BSM socket types and protocol families have been added: au_bsm_to_domain(3), au_bsm_to_socket_type(3), au_domain_to_bsm(3), and au_socket_type_to_bsm(3), along with definitions of constants in audit_domain.h and audit_socket_type.h. This improves interoperability by converting local constant spaces, which vary by OS, to and from Solaris constants (where available) or OpenBSM constants for protocol domains not present in Solaris (a fair number). These routines should be used when generating and interpreting extended socket tokens. - Fix build warnings with full gcc warnings enabled on most supported platforms. - Don't compile error strings into bsm_errno.c when building it in the kernel environment. - When started by launchd, use the label com.apple.auditd rather than org.trustedbsd.auditd.
|
#
186647 |
|
31-Dec-2008 |
rwatson |
Merge OpenBSM alpha 4 from OpenBSM vendor branch to head, both contrib/openbsm (svn merge) and src/sys/{bsm,security/audit} (manual merge). Add libauditd build parts and add to auditd's linkage; force libbsm to build before libauditd.
OpenBSM history for imported revisions below for reference.
MFC after: 1 month Sponsored by: Apple Inc. Obtained from: TrustedBSD Project
OpenBSM 1.1 alpha 4
- With the addition of BSM error number mapping, we also need to map the local error number passed to audit_submit(3) to a BSM error number, rather than have the caller perform that conversion. - Reallocate user audit events to avoid collisions with Solaris; adopt a more formal allocation scheme, and add some events allocated in Solaris that will be of immediate use on other platforms. - Add an event for Calife. - Add au_strerror(3), which allows generating strings for BSM errors directly, rather than requiring applications to map to the local error space, which might not be able to entirely represent the BSM error number space. - Major auditd rewrite for launchd(8) support. Add libauditd library that is shared between launchd and auditd. - Add AUDIT_TRIGGER_INITIALIZE trigger (sent via 'audit -i') for (re)starting auditing under launchd(8) on Mac OS X. - Add 'current' symlink to active audit trail. - Add crash recovery of previous audit trail file when detected on audit startup that it has not been properly terminated. - Add the event AUE_audit_recovery to indicated when an audit trail file has been recovered from not being properly terminated. This event is stored in the new audit trail file and includes the path of recovered audit trail file. - Mac OS X and FreeBSD dependent code in auditd.c is separated into auditd_darwin.c and auditd_fbsd.c files. - Add an event for the posix_spawn(2) and fsgetpath(2) Mac OS X system calls. - For Mac OS X, we use ASL(3) instead of syslog(3) for logging. - Add support for NOTICE level logging.
OpenBSM 1.1 alpha 3
- Add two new functions, au_bsm_to_errno() and au_errno_to_bsm(), to map between BSM error numbers (largely the Solaris definitions) and local errno(2) values for 32-bit and 64-bit return tokens. This is required as operating systems don't agree on some of the values of more recent error numbers. - Fix a bug how au_to_exec_args(3) and au_to_exec_env(3) calculates the total size for the token. This buge. - Deprecated Darwin constants, such as TRAILER_PAD_MAGIC, removed.
|
#
185573 |
|
02-Dec-2008 |
rwatson |
Merge OpenBSM 1.1 alpha 2 from the OpenBSM vendor branch to head, both contrib/openbsm (svn merge) and sys/{bsm,security/audit} (manual merge).
- Add OpenBSM contrib tree to include paths for audit(8) and auditd(8). - Merge support for new tokens, fixes to existing token generation to audit_bsm_token.c. - Synchronize bsm includes and definitions.
OpenBSM history for imported revisions below for reference.
MFC after: 1 month Sponsored by: Apple Inc. Obtained from: TrustedBSD Project
--
OpenBSM 1.1 alpha 2
- Include files in OpenBSM are now broken out into two parts: library builds required solely for user space, and system includes, which may also be required for use in the kernels of systems integrating OpenBSM. Submitted by Stacey Son. - Configure option --with-native-includes allows forcing the use of native include for system includes, rather than the versions bundled with OpenBSM. This is intended specifically for platforms that ship OpenBSM, have adapted versions of the system includes in a kernel source tree, and will use the OpenBSM build infrastructure with an unmodified OpenBSM distribution, allowing the customized system includes to be used with the OpenBSM build. Submitted by Stacey Son. - Various strcpy()'s/strcat()'s have been changed to strlcpy()'s/strlcat()'s or asprintf(). Added compat/strlcpy.h for Linux. - Remove compatibility defines for old Darwin token constant names; now only BSM token names are provided and used. - Add support for extended header tokens, which contain space for information on the host generating the record. - Add support for setting extended host information in the kernel, which is used for setting host information in extended header tokens. The audit_control file now supports a "host" parameter which can be used by auditd to set the information; if not present, the kernel parameters won't be set and auditd uses unextended headers for records that it generates.
OpenBSM 1.1 alpha 1
- Add option to auditreduce(1) which allows users to invert sense of matching, such that BSM records that do not match, are selected. - Fix bug in audit_write() where we commit an incomplete record in the event there is an error writing the subject token. This was submitted by Diego Giagio. - Build support for Mac OS X 10.5.1 submitted by Eric Hall. - Fix a bug which resulted in host XML attributes not being arguments so that const strings can be passed as arguments to tokens. This patch was submitted by Xin LI. - Modify the -m option so users can select more then one audit event. - For Mac OS X, added Mach IPC support for audit trigger messages. - Fixed a bug in getacna() which resulted in a locking problem on Mac OS X. - Added LOG_PERROR flag to openlog when -d option is used with auditd. - AUE events added for Mac OS X Leopard system calls.
|
#
184856 |
|
11-Nov-2008 |
csjp |
Add support for extended header BSM tokens. Currently we use the regular header tokens. The extended header tokens contain an IP or IPv6 address which makes it possible to identify which host an audit record came from when audit records are centralized.
If the host information has not been specified, the system will default to the old style headers. Otherwise, audit records that are created as a result of system calls will contain host information.
This implemented has been designed to be consistent with the Solaris implementation. Host information is set/retrieved using the A_GETKAUDIT and A_SETKAUDIT auditon(2) commands. These commands require that a pointer to a auditinfo_addr_t object is passed. Currently only IP and IPv6 address families are supported.
The users pace bits associated with this change will follow in an openbsm import.
Reviewed by: rwatson, (sson, wsalamon (older version)) MFC after: 1 month
|
#
181053 |
|
31-Jul-2008 |
rwatson |
Further synchronization of copyrights, licenses, white space, etc from Apple and from the OpenBSM vendor tree.
Obtained from: Apple Inc., TrustedBSD Project MFC after: 3 days
|
#
180709 |
|
22-Jul-2008 |
rwatson |
Generally avoid <space><tab> as a white space anomoly.
Obtained from: Apple Inc. MFC after: 3 days
|
#
180701 |
|
22-Jul-2008 |
rwatson |
In preparation to sync Apple and FreeBSD versions of security audit, pick up the Apple Computer -> Apple change in their copyright and license templates.
Obtained from: Apple Inc. MFC after: 3 days
|
#
178186 |
|
13-Apr-2008 |
rwatson |
Use __FBSDID() for $FreeBSD$ IDs in the audit code.
MFC after: 3 days
|
#
171066 |
|
27-Jun-2007 |
csjp |
- Add audit_arg_audinfo_addr() for auditing the arguments for setaudit_addr(2) - In audit_bsm.c, make sure all the arguments: ARG_AUID, ARG_ASID, ARG_AMASK, and ARG_TERMID{_ADDR} are valid before auditing their arguments. (This is done for both setaudit and setaudit_addr. - Audit the arguments passed to setaudit_addr(2) - AF_INET6 does not equate to AU_IPv6. Change this in au_to_in_addr_ex() so the audit token is created with the correct type. This fixes the processing of the in_addr_ex token in users pace. - Change the size of the token (as generated by the kernel) from 5*4 bytes to 4*4 bytes (the correct size of an ip6 address) - Correct regression from ucred work which resulted in getaudit() not returning E2BIG if the subject had an ip6 termid - Correct slight regression in getaudit(2) which resulted in the size of a pointer being passed instead of the size of the structure. (This resulted in invalid auditinfo data being returned via getaudit(2))
Reviewed by: rwatson Approved by: re@ (kensmith) Obtained from: TrustedBSD Project MFC after: 1 month
|
#
170131 |
|
30-May-2007 |
rwatson |
Synchronize white space to congruent user-space code in OpenBSM.
Obtained from: TrustedBSD Project
|
#
168814 |
|
17-Apr-2007 |
rwatson |
Remove $P4$ that snuck into CVS from Perforce.
|
#
168783 |
|
16-Apr-2007 |
rwatson |
Merge OpenBSM 1.0 alpha 14 changes to src/sys/security/audit:
- au_to_attr64(), au_to_process64(), au_to_subject64(), au_to_subject64_ex(), au_to_zonename(), au_to_header64_tm(). - Extended address token fixes.
Obtained from: TrustedBSD Project
|
#
168688 |
|
13-Apr-2007 |
csjp |
Fix the handling of IPv6 addresses for subject and process BSM audit tokens. Currently, we do not support the set{get}audit_addr(2) system calls which allows processes like sshd to set extended or ip6 information for subject tokens.
The approach that was taken was to change the process audit state slightly to use an extended terminal ID in the kernel. This allows us to store both IPv4 IPv6 addresses. In the case that an IPv4 address is in use, we convert the terminal ID from an struct auditinfo_addr to a struct auditinfo.
If getaudit(2) is called when the subject is bound to an ip6 address, we return E2BIG.
- Change the internal audit record to store an extended terminal ID - Introduce ARG_TERMID_ADDR - Change the kaudit <-> BSM conversion process so that we are using the appropriate subject token. If the address associated with the subject is IPv4, we use the standard subject32 token. If the subject has an IPv6 address associated with them, we use an extended subject32 token. - Fix a couple of endian issues where we do a couple of byte swaps when we shouldn't be. IP addresses are already in the correct byte order, so reading the ip6 address 4 bytes at a time and swapping them results in in-correct address data. It should be noted that the same issue was found in the openbsm library and it has been changed there too on the vendor branch - Change A_GETPINFO to use the appropriate structures - Implement A_GETPINFO_ADDR which basically does what A_GETPINFO does, but can also handle ip6 addresses - Adjust get{set}audit(2) syscalls to convert the data auditinfo <-> auditinfo_addr - Fully implement set{get}audit_addr(2)
NOTE: This adds the ability for processes to correctly set extended subject information. The appropriate userspace utilities still need to be updated.
MFC after: 1 month Reviewed by: rwatson Obtained from: TrustedBSD
|
#
165604 |
|
28-Dec-2006 |
rwatson |
Update a number of comments:
- Replace XXX with Note: in several cases where observations are made about future functionality rather than problems or bugs.
- Remove an XXX comment about byte order and au_to_ip() -- IP headers must be submitted in network byte order. Add a comment to this effect.
- Mention that we don't implement select/poll for /dev/audit.
Obtained from: TrustedBSD Project
|
#
162465 |
|
20-Sep-2006 |
rwatson |
Add missing white space in au_to_exec_{args,env}().
MFC after: 3 days
|
#
161813 |
|
01-Sep-2006 |
wsalamon |
Audit the argv and env vectors passed in on exec: Add the argument auditing functions for argv and env. Add kernel-specific versions of the tokenizer functions for the arg and env represented as a char array. Implement the AUDIT_ARGV and AUDIT_ARGE audit policy commands to enable/disable argv/env auditing. Call the argument auditing from the exec system calls.
Obtained from: TrustedBSD Project Approved by: rwatson (mentor)
|
#
161635 |
|
26-Aug-2006 |
rwatson |
Update kernel OpenBSM parts, especially src/sys/bsm, for the OpenBSM 1.0 alpha 9 import. See the OpenBSM import commit message for a detailed summary of changes.
Obtained from: TrustedBSD Project
|
#
161601 |
|
25-Aug-2006 |
rwatson |
Remove $P4$ from this file; other then temporarily P4-local work in progress the kernel audit code in CVS is considered authoritative. This will ease $P4$-related merging issues during the CVS loopback.
Obtained from: TrustedBSD Project
|
#
159686 |
|
17-Jun-2006 |
wsalamon |
Make the size of the subject32_ex and process32_ex tokens depend on whether we have an IPv6 address. Write the term ID as 4 or 16 bytes depending on address type. This change matches the recent OpenBSM change, and what Solaris does.
Obtained from: TrustedBSD Project Approved by: rwatson (mentor)
|
#
159259 |
|
05-Jun-2006 |
rwatson |
Merge OpenBSM 1.0 alpha 6 changes for BSM token creation to src/sys/security/audit:
- Clarify and clean up AUR_ types to match Solaris. - Clean up use of host vs. network byte order for IP addresses. - Remove combined user/kernel implementations of some token creation calls, such as au_to_file(), header calls, etc.
Obtained from: TrustedBSD Project
|
#
156291 |
|
04-Mar-2006 |
rwatson |
Update src/sys/security/audit for OpenBSM 1.0 alpha 5:
- Include audit_internal.h to get definition of internal audit record structures, as it's no longer in audit.h. Forward declare au_record in audit_private.h as not all audit_private.h consumers care about it.
- Remove __APPLE__ compatibility bits that are subsumed by configure for user space.
- Don't expose in6_addr internals (non-portable, but also cleaner looking).
- Avoid nested include of audit.h in audit_private.h.
Obtained from: TrustedBSD Project
|
#
155192 |
|
01-Feb-2006 |
rwatson |
Import kernel audit framework:
- Management of audit state on processes. - Audit system calls to configure process and system audit state. - Reliable audit record queue implementation, audit_worker kernel thread to asynchronously store records on disk. - Audit event argument. - Internal audit data structure -> BSM audit trail conversion library. - Audit event pre-selection. - Audit pseudo-device permitting kernel->user upcalls to notify auditd of kernel audit events.
Much work by: wsalamon Obtained from: TrustedBSD Project, Apple Computer, Inc.
|