diff options
Diffstat (limited to 'sys/security')
-rw-r--r-- | sys/security/audit/audit.h | 14 | ||||
-rw-r--r-- | sys/security/audit/audit_arg.c | 42 |
2 files changed, 56 insertions, 0 deletions
diff --git a/sys/security/audit/audit.h b/sys/security/audit/audit.h index 181fc725f76d..184e79ae3765 100644 --- a/sys/security/audit/audit.h +++ b/sys/security/audit/audit.h @@ -106,7 +106,9 @@ void audit_arg_auid(uid_t auid); void audit_arg_auditinfo(struct auditinfo *au_info); void audit_arg_auditinfo_addr(struct auditinfo_addr *au_info); void audit_arg_upath1(struct thread *td, int dirfd, char *upath); +void audit_arg_upath1_canon(char *upath); void audit_arg_upath2(struct thread *td, int dirfd, char *upath); +void audit_arg_upath2_canon(char *upath); void audit_arg_vnode1(struct vnode *vp); void audit_arg_vnode2(struct vnode *vp); void audit_arg_text(char *text); @@ -334,11 +336,21 @@ void audit_thread_free(struct thread *td); audit_arg_upath1((td), (dirfd), (upath)); \ } while (0) +#define AUDIT_ARG_UPATH1_CANON(upath) do { \ + if (AUDITING_TD(curthread)) \ + audit_arg_upath1_canon((upath)); \ +} while (0) + #define AUDIT_ARG_UPATH2(td, dirfd, upath) do { \ if (AUDITING_TD(curthread)) \ audit_arg_upath2((td), (dirfd), (upath)); \ } while (0) +#define AUDIT_ARG_UPATH2_CANON(upath) do { \ + if (AUDITING_TD(curthread)) \ + audit_arg_upath2_canon((upath)); \ +} while (0) + #define AUDIT_ARG_VALUE(value) do { \ if (AUDITING_TD(curthread)) \ audit_arg_value((value)); \ @@ -419,7 +431,9 @@ void audit_thread_free(struct thread *td); #define AUDIT_ARG_TEXT(text) #define AUDIT_ARG_UID(uid) #define AUDIT_ARG_UPATH1(td, dirfd, upath) +#define AUDIT_ARG_UPATH1_NONCANON(td, upath) #define AUDIT_ARG_UPATH2(td, dirfd, upath) +#define AUDIT_ARG_UPATH2_NONCANON(td, upath) #define AUDIT_ARG_VALUE(value) #define AUDIT_ARG_VNODE1(vp) #define AUDIT_ARG_VNODE2(vp) diff --git a/sys/security/audit/audit_arg.c b/sys/security/audit/audit_arg.c index c5da731c4691..0c106bfecbd1 100644 --- a/sys/security/audit/audit_arg.c +++ b/sys/security/audit/audit_arg.c @@ -766,6 +766,48 @@ audit_arg_upath2(struct thread *td, int dirfd, char *upath) } /* + * Variants on path auditing that do not canonicalise the path passed in; + * these are for use with filesystem-like subsystems that employ string names, + * but do not support a hierarchical namespace -- for example, POSIX IPC + * objects. The subsystem should have performed any necessary + * canonicalisation required to make the paths useful to audit analysis. + */ +static void +audit_arg_upath_canon(char *upath, char **pathp) +{ + + if (*pathp == NULL) + *pathp = malloc(MAXPATHLEN, M_AUDITPATH, M_WAITOK); + (void)snprintf(*pathp, MAXPATHLEN, "%s", upath); +} + +void +audit_arg_upath1_canon(char *upath) +{ + struct kaudit_record *ar; + + ar = currecord(); + if (ar == NULL) + return; + + audit_arg_upath_canon(upath, &ar->k_ar.ar_arg_upath1); + ARG_SET_VALID(ar, ARG_UPATH1); +} + +void +audit_arg_upath2_canon(char *upath) +{ + struct kaudit_record *ar; + + ar = currecord(); + if (ar == NULL) + return; + + audit_arg_upath_canon(upath, &ar->k_ar.ar_arg_upath2); + ARG_SET_VALID(ar, ARG_UPATH2); +} + +/* * Function to save the path and vnode attr information into the audit * record. * |