Author: csjp
Date: Thu Jan 17 21:02:53 2013
New Revision: 245573
URL: http://svnweb.freebsd.org/changeset/base/245573
Log:
Implement the zonename token for jailed processes. If
a process has an auditid/preselection masks specified, and
is jailed, include the zonename (jailname) token as a
part of the audit record.
Reviewed by: pjd
MFC after: 2 weeks
Modified:
head/sys/security/audit/audit.c
head/sys/security/audit/audit_bsm.c
head/sys/security/audit/audit_private.h
Modified: head/sys/security/audit/audit.c
==============================================================================
--- head/sys/security/audit/audit.c Thu Jan 17 20:21:56 2013
(r245572)
+++ head/sys/security/audit/audit.c Thu Jan 17 21:02:53 2013
(r245573)
@@ -38,6 +38,7 @@ __FBSDID("$FreeBSD$");
#include <sys/filedesc.h>
#include <sys/fcntl.h>
#include <sys/ipc.h>
+#include <sys/jail.h>
#include <sys/kernel.h>
#include <sys/kthread.h>
#include <sys/malloc.h>
@@ -211,6 +212,7 @@ audit_record_ctor(void *mem, int size, v
struct kaudit_record *ar;
struct thread *td;
struct ucred *cred;
+ struct prison *pr;
KASSERT(sizeof(*ar) == size, ("audit_record_ctor: wrong size"));
@@ -233,6 +235,17 @@ audit_record_ctor(void *mem, int size, v
ar->k_ar.ar_subj_pid = td->td_proc->p_pid;
ar->k_ar.ar_subj_amask = cred->cr_audit.ai_mask;
ar->k_ar.ar_subj_term_addr = cred->cr_audit.ai_termid;
+ /*
+ * If this process is jailed, make sure we capture the name of the
+ * jail so we can use it to generate a zonename token when we covert
+ * this record to BSM.
+ */
+ if (jailed(cred)) {
+ pr = cred->cr_prison;
+ (void) strlcpy(ar->k_ar.ar_jailname, pr->pr_name,
+ sizeof(ar->k_ar.ar_jailname));
+ } else
+ ar->k_ar.ar_jailname[0] = '\0';
return (0);
}
Modified: head/sys/security/audit/audit_bsm.c
==============================================================================
--- head/sys/security/audit/audit_bsm.c Thu Jan 17 20:21:56 2013
(r245572)
+++ head/sys/security/audit/audit_bsm.c Thu Jan 17 21:02:53 2013
(r245573)
@@ -462,7 +462,7 @@ audit_sys_auditon(struct audit_record *a
int
kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau)
{
- struct au_token *tok, *subj_tok;
+ struct au_token *tok, *subj_tok, *jail_tok;
struct au_record *rec;
au_tid_t tid;
struct audit_record *ar;
@@ -475,8 +475,13 @@ kaudit_to_bsm(struct kaudit_record *kar,
rec = kau_open();
/*
- * Create the subject token.
+ * Create the subject token. If this credential was jailed be sure to
+ * generate a zonename token.
*/
+ if (ar->ar_jailname[0] != '\0')
+ jail_tok = au_to_zonename(ar->ar_jailname);
+ else
+ jail_tok = NULL;
switch (ar->ar_subj_term_addr.at_type) {
case AU_IPv4:
tid.port = ar->ar_subj_term_addr.at_port;
@@ -1623,11 +1628,15 @@ kaudit_to_bsm(struct kaudit_record *kar,
/*
* Write the subject token so it is properly freed here.
*/
+ if (jail_tok != NULL)
+ kau_write(rec, jail_tok);
kau_write(rec, subj_tok);
kau_free(rec);
return (BSM_NOAUDIT);
}
+ if (jail_tok != NULL)
+ kau_write(rec, jail_tok);
kau_write(rec, subj_tok);
tok = au_to_return32(au_errno_to_bsm(ar->ar_errno), ar->ar_retval);
kau_write(rec, tok); /* Every record gets a return token */
Modified: head/sys/security/audit/audit_private.h
==============================================================================
--- head/sys/security/audit/audit_private.h Thu Jan 17 20:21:56 2013
(r245572)
+++ head/sys/security/audit/audit_private.h Thu Jan 17 21:02:53 2013
(r245573)
@@ -230,6 +230,7 @@ struct audit_record {
int ar_arg_exitretval;
struct sockaddr_storage ar_arg_sockaddr;
cap_rights_t ar_arg_rights;
+ char ar_jailname[MAXHOSTNAMELEN];
};
/*
_______________________________________________
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
