#
faef5371 |
| 08-Jun-2007 |
Robert Watson <rwatson@FreeBSD.org> |
Move per-process audit state from a pointer in the proc structure to embedded storage in struct ucred. This allows audit state to be cached with the thread, avoiding locking operations with each sys
Move per-process audit state from a pointer in the proc structure to embedded storage in struct ucred. This allows audit state to be cached with the thread, avoiding locking operations with each system call, and makes it available in asynchronous execution contexts, such as deep in the network stack or VFS.
Reviewed by: csjp Approved by: re (kensmith) Obtained from: TrustedBSD Project
show more ...
|
#
d8c0f4dc |
| 01-Jun-2007 |
Robert Watson <rwatson@FreeBSD.org> |
Clean up audit comments--formatting, spelling, etc.
|
#
f0cbfcc4 |
| 13-Apr-2007 |
Christian S.J. Peron <csjp@FreeBSD.org> |
Fix the handling of IPv6 addresses for subject and process BSM audit tokens. Currently, we do not support the set{get}audit_addr(2) system calls which allows processes like sshd to set extended or ip
Fix the handling of IPv6 addresses for subject and process BSM audit tokens. Currently, we do not support the set{get}audit_addr(2) system calls which allows processes like sshd to set extended or ip6 information for subject tokens.
The approach that was taken was to change the process audit state slightly to use an extended terminal ID in the kernel. This allows us to store both IPv4 IPv6 addresses. In the case that an IPv4 address is in use, we convert the terminal ID from an struct auditinfo_addr to a struct auditinfo.
If getaudit(2) is called when the subject is bound to an ip6 address, we return E2BIG.
- Change the internal audit record to store an extended terminal ID - Introduce ARG_TERMID_ADDR - Change the kaudit <-> BSM conversion process so that we are using the appropriate subject token. If the address associated with the subject is IPv4, we use the standard subject32 token. If the subject has an IPv6 address associated with them, we use an extended subject32 token. - Fix a couple of endian issues where we do a couple of byte swaps when we shouldn't be. IP addresses are already in the correct byte order, so reading the ip6 address 4 bytes at a time and swapping them results in in-correct address data. It should be noted that the same issue was found in the openbsm library and it has been changed there too on the vendor branch - Change A_GETPINFO to use the appropriate structures - Implement A_GETPINFO_ADDR which basically does what A_GETPINFO does, but can also handle ip6 addresses - Adjust get{set}audit(2) syscalls to convert the data auditinfo <-> auditinfo_addr - Fully implement set{get}audit_addr(2)
NOTE: This adds the ability for processes to correctly set extended subject information. The appropriate userspace utilities still need to be updated.
MFC after: 1 month Reviewed by: rwatson Obtained from: TrustedBSD
show more ...
|
#
a1f3b839 |
| 20-Feb-2007 |
Robert Watson <rwatson@FreeBSD.org> |
Update auditing of socket information for the inpcb new world order: so_pcb will always be non-NULL, and lock the inpcb while non-atomically accessing address data.
|
Revision tags: release/6.2.0_cvs, release/6.2.0 |
|
#
9da038ed |
| 06-Jan-2007 |
Robert Watson <rwatson@FreeBSD.org> |
When returning early from audit_arg_file() due to so->so_pcb being NULL (due to an early reset or the like), remember to unlock the socket lock. This will not occur in 7-CURRENT, but could in theory
When returning early from audit_arg_file() due to so->so_pcb being NULL (due to an early reset or the like), remember to unlock the socket lock. This will not occur in 7-CURRENT, but could in theory occur in 6-STABLE.
MFC after: 1 week
show more ...
|
#
dc97e8c7 |
| 29-Dec-2006 |
Robert Watson <rwatson@FreeBSD.org> |
Add a witness sleep warning to canon_path(), which invokes vput() and hence may perform an unbounded sleep. Remove an XXX comment suggesting that one be added.
Obtained from: TrustedBSD Project
|
#
130b1468 |
| 06-Nov-2006 |
Christian S.J. Peron <csjp@FreeBSD.org> |
Change the type of ar_arg_sockaddr from struct sockaddr to struct sockaddr_storage. This structure is defined in RFC 2553 and is a more semantically correct structure for holding IP and IP6 sockaddr
Change the type of ar_arg_sockaddr from struct sockaddr to struct sockaddr_storage. This structure is defined in RFC 2553 and is a more semantically correct structure for holding IP and IP6 sockaddr information. struct sockaddr is not big enough to hold all the required information for IP6, resulting in truncated addresses et al when auditing IP6 sockaddr information.
We also need to assume that the sa->sa_len has been validated before the call to audit_arg_sockaddr() is made, otherwise it could result in a buffer overflow. This is being done to accommodate auditing of network related arguments (like connect, bind et al) that will be added soon.
Discussed with: rwatson Obtained from: TrustedBSD Project MFC after: 2 weeks
show more ...
|
#
ae1078d6 |
| 01-Sep-2006 |
Wayne Salamon <wsalamon@FreeBSD.org> |
Audit the argv and env vectors passed in on exec: Add the argument auditing functions for argv and env. Add kernel-specific versions of the tokenizer functions for the arg and env represented a
Audit the argv and env vectors passed in on exec: Add the argument auditing functions for argv and env. Add kernel-specific versions of the tokenizer functions for the arg and env represented as a char array. Implement the AUDIT_ARGV and AUDIT_ARGE audit policy commands to enable/disable argv/env auditing. Call the argument auditing from the exec system calls.
Obtained from: TrustedBSD Project Approved by: rwatson (mentor)
show more ...
|
#
814fe9e9 |
| 03-Jul-2006 |
Robert Watson <rwatson@FreeBSD.org> |
Correct a number of problems that were previously commented on:
- Correct audit_arg_socketaddr() argument name from so to sa. - Assert arguments are non-NULL to many argument capture functions rat
Correct a number of problems that were previously commented on:
- Correct audit_arg_socketaddr() argument name from so to sa. - Assert arguments are non-NULL to many argument capture functions rather than testing them. This may trip some bugs. - Assert the process lock is held when auditing process information. - Test currecord in several more places. - Test validity of more arguments with kasserts, such as flag values when auditing vnode information.
Perforce change: 98825 Obtained from: TrustedBSD Project
show more ...
|
#
5619113c |
| 05-Jun-2006 |
Robert Watson <rwatson@FreeBSD.org> |
When generating the process token, need to check whether the process was sucessfully audited. Otherwise, generate the PID token. This change covers the pid < 0 cases, and pid lookup failure cases.
When generating the process token, need to check whether the process was sucessfully audited. Otherwise, generate the PID token. This change covers the pid < 0 cases, and pid lookup failure cases.
Submitted by: wsalamon Obtained from: TrustedBSD Project
show more ...
|
Revision tags: release/5.5.0_cvs, release/5.5.0, release/6.1.0_cvs, release/6.1.0 |
|
#
871499fe |
| 19-Mar-2006 |
Robert Watson <rwatson@FreeBSD.org> |
Merge Perforce change 93581 from TrustedBSD audit3 branch:
Mega-style patch.
Obtained from: TrustedBSD Project
|
#
fac3e318 |
| 04-Feb-2006 |
Robert Watson <rwatson@FreeBSD.org> |
Fix INVARIANTS build on amd64; (unsigned unsigned long) != u_int64_t.
Submitted by: mlaier
|
#
718c8510 |
| 01-Feb-2006 |
Robert Watson <rwatson@FreeBSD.org> |
Import kernel audit framework:
- Management of audit state on processes. - Audit system calls to configure process and system audit state. - Reliable audit record queue implementation, audit_worker
Import kernel audit framework:
- Management of audit state on processes. - Audit system calls to configure process and system audit state. - Reliable audit record queue implementation, audit_worker kernel thread to asynchronously store records on disk. - Audit event argument. - Internal audit data structure -> BSM audit trail conversion library. - Audit event pre-selection. - Audit pseudo-device permitting kernel->user upcalls to notify auditd of kernel audit events.
Much work by: wsalamon Obtained from: TrustedBSD Project, Apple Computer, Inc.
show more ...
|
#
412f9500 |
| 12-Jan-2010 |
Brooks Davis <brooks@FreeBSD.org> |
Replace the static NGROUPS=NGROUPS_MAX+1=1024 with a dynamic kern.ngroups+1. kern.ngroups can range from NGROUPS_MAX=1023 to INT_MAX-1. Given that the Windows group limit is 1024, this range should
Replace the static NGROUPS=NGROUPS_MAX+1=1024 with a dynamic kern.ngroups+1. kern.ngroups can range from NGROUPS_MAX=1023 to INT_MAX-1. Given that the Windows group limit is 1024, this range should be sufficient for most applications.
MFC after: 1 month
show more ...
|
#
11e9b8ba |
| 04-Aug-2009 |
Oleksandr Tymoshenko <gonzo@FreeBSD.org> |
- MFC @196061
|
#
791b0ad2 |
| 29-Jul-2009 |
Robert Watson <rwatson@FreeBSD.org> |
Eliminate ARG_UPATH[12] arguments to AUDIT_ARG_UPATH() and instead provide specific macros, AUDIT_ARG_UPATH1() and AUDIT_ARG_UPATH2() to capture path information for audit records. This allows us to
Eliminate ARG_UPATH[12] arguments to AUDIT_ARG_UPATH() and instead provide specific macros, AUDIT_ARG_UPATH1() and AUDIT_ARG_UPATH2() to capture path information for audit records. This allows us to move the definitions of ARG_* out of the public audit header file, as they are an implementation detail of our current kernel-internal audit record, which may change.
Approved by: re (kensmith) Obtained from: TrustedBSD Project MFC after: 1 month
show more ...
|
#
b146fc1b |
| 28-Jul-2009 |
Robert Watson <rwatson@FreeBSD.org> |
Rework vnode argument auditing to follow the same structure, in order to avoid exposing ARG_ macros/flag values outside of the audit code in order to name which one of two possible vnodes will be aud
Rework vnode argument auditing to follow the same structure, in order to avoid exposing ARG_ macros/flag values outside of the audit code in order to name which one of two possible vnodes will be audited for a system call.
Approved by: re (kib) Obtained from: TrustedBSD Project MFC after: 1 month
show more ...
|
#
e4b4bbb6 |
| 28-Jul-2009 |
Robert Watson <rwatson@FreeBSD.org> |
Audit file descriptors passed to fooat(2) system calls, which are used instead of the root/current working directory as the starting point for lookups. Up to two such descriptors can be audited. Ad
Audit file descriptors passed to fooat(2) system calls, which are used instead of the root/current working directory as the starting point for lookups. Up to two such descriptors can be audited. Add audit record BSM encoding for fooat(2).
Note: due to an error in the OpenBSM 1.1p1 configuration file, a further change is required to that file in order to fix openat(2) auditing.
Approved by: re (kib) Reviewed by: rdivacky (fooat(2) portions) Obtained from: TrustedBSD Project MFC after: 1 month
show more ...
|
#
09c817ba |
| 03-Jul-2009 |
Oleksandr Tymoshenko <gonzo@FreeBSD.org> |
- MFC
|
#
86120afa |
| 29-Jun-2009 |
Stacey Son <sson@FreeBSD.org> |
Dynamically allocate the gidset field in audit record.
This fixes a problem created by the recent change that allows a large number of groups per user. The gidset field in struct kaudit_record is n
Dynamically allocate the gidset field in audit record.
This fixes a problem created by the recent change that allows a large number of groups per user. The gidset field in struct kaudit_record is now dynamically allocated to the size needed rather than statically (using NGROUPS).
Approved by: re@ (kensmith, rwatson), gnn (mentor)
show more ...
|
Revision tags: release/6.4.0_cvs, release/6.4.0 |
|
#
e6870c95 |
| 14-Nov-2008 |
Robert Watson <rwatson@FreeBSD.org> |
When repeatedly accessing a thread credential, cache the credential pointer in a local thread. While this is unlikely to significantly improve performance given modern compiler behavior, it makes th
When repeatedly accessing a thread credential, cache the credential pointer in a local thread. While this is unlikely to significantly improve performance given modern compiler behavior, it makes the code more readable and reduces diffs to the Mac OS X version of the same code (which stores things in creds in the same way, but where the cred for a thread is reached quite differently).
Discussed with: sson MFC after: 1 month Sponsored by: Apple Inc. Obtained from: TrustedBSD Project
show more ...
|
#
927edcc9 |
| 04-Nov-2008 |
John Baldwin <jhb@FreeBSD.org> |
Use shared vnode locks for auditing vnode arguments as auditing only does a VOP_GETATTR() which does not require an exclusive lock.
Reviewed by: csjp, rwatson
|
#
0359a12e |
| 28-Aug-2008 |
Attilio Rao <attilio@FreeBSD.org> |
Decontextualize the couplet VOP_GETATTR / VOP_SETATTR as the passed thread was always curthread and totally unuseful.
Tested by: Giovanni Trematerra <giovanni dot trematerra at gmail dot com>
|
#
f6d4a8a7 |
| 31-Jul-2008 |
Robert Watson <rwatson@FreeBSD.org> |
Further synchronization of copyrights, licenses, white space, etc from Apple and from the OpenBSM vendor tree.
Obtained from: Apple Inc., TrustedBSD Project MFC after: 3 days
|
#
c2f027ff |
| 22-Jul-2008 |
Robert Watson <rwatson@FreeBSD.org> |
Minor white space synchronization to Apple version of security audit.
Obtained from: Apple Inc. MFC after: 3 days
|