aboutsummaryrefslogtreecommitdiff
path: root/sys/security
diff options
context:
space:
mode:
Diffstat (limited to 'sys/security')
-rw-r--r--sys/security/audit/audit.h14
-rw-r--r--sys/security/audit/audit_arg.c42
2 files changed, 56 insertions, 0 deletions
diff --git a/sys/security/audit/audit.h b/sys/security/audit/audit.h
index 181fc725f76d..184e79ae3765 100644
--- a/sys/security/audit/audit.h
+++ b/sys/security/audit/audit.h
@@ -106,7 +106,9 @@ void audit_arg_auid(uid_t auid);
void audit_arg_auditinfo(struct auditinfo *au_info);
void audit_arg_auditinfo_addr(struct auditinfo_addr *au_info);
void audit_arg_upath1(struct thread *td, int dirfd, char *upath);
+void audit_arg_upath1_canon(char *upath);
void audit_arg_upath2(struct thread *td, int dirfd, char *upath);
+void audit_arg_upath2_canon(char *upath);
void audit_arg_vnode1(struct vnode *vp);
void audit_arg_vnode2(struct vnode *vp);
void audit_arg_text(char *text);
@@ -334,11 +336,21 @@ void audit_thread_free(struct thread *td);
audit_arg_upath1((td), (dirfd), (upath)); \
} while (0)
+#define AUDIT_ARG_UPATH1_CANON(upath) do { \
+ if (AUDITING_TD(curthread)) \
+ audit_arg_upath1_canon((upath)); \
+} while (0)
+
#define AUDIT_ARG_UPATH2(td, dirfd, upath) do { \
if (AUDITING_TD(curthread)) \
audit_arg_upath2((td), (dirfd), (upath)); \
} while (0)
+#define AUDIT_ARG_UPATH2_CANON(upath) do { \
+ if (AUDITING_TD(curthread)) \
+ audit_arg_upath2_canon((upath)); \
+} while (0)
+
#define AUDIT_ARG_VALUE(value) do { \
if (AUDITING_TD(curthread)) \
audit_arg_value((value)); \
@@ -419,7 +431,9 @@ void audit_thread_free(struct thread *td);
#define AUDIT_ARG_TEXT(text)
#define AUDIT_ARG_UID(uid)
#define AUDIT_ARG_UPATH1(td, dirfd, upath)
+#define AUDIT_ARG_UPATH1_NONCANON(td, upath)
#define AUDIT_ARG_UPATH2(td, dirfd, upath)
+#define AUDIT_ARG_UPATH2_NONCANON(td, upath)
#define AUDIT_ARG_VALUE(value)
#define AUDIT_ARG_VNODE1(vp)
#define AUDIT_ARG_VNODE2(vp)
diff --git a/sys/security/audit/audit_arg.c b/sys/security/audit/audit_arg.c
index c5da731c4691..0c106bfecbd1 100644
--- a/sys/security/audit/audit_arg.c
+++ b/sys/security/audit/audit_arg.c
@@ -766,6 +766,48 @@ audit_arg_upath2(struct thread *td, int dirfd, char *upath)
}
/*
+ * Variants on path auditing that do not canonicalise the path passed in;
+ * these are for use with filesystem-like subsystems that employ string names,
+ * but do not support a hierarchical namespace -- for example, POSIX IPC
+ * objects. The subsystem should have performed any necessary
+ * canonicalisation required to make the paths useful to audit analysis.
+ */
+static void
+audit_arg_upath_canon(char *upath, char **pathp)
+{
+
+ if (*pathp == NULL)
+ *pathp = malloc(MAXPATHLEN, M_AUDITPATH, M_WAITOK);
+ (void)snprintf(*pathp, MAXPATHLEN, "%s", upath);
+}
+
+void
+audit_arg_upath1_canon(char *upath)
+{
+ struct kaudit_record *ar;
+
+ ar = currecord();
+ if (ar == NULL)
+ return;
+
+ audit_arg_upath_canon(upath, &ar->k_ar.ar_arg_upath1);
+ ARG_SET_VALID(ar, ARG_UPATH1);
+}
+
+void
+audit_arg_upath2_canon(char *upath)
+{
+ struct kaudit_record *ar;
+
+ ar = currecord();
+ if (ar == NULL)
+ return;
+
+ audit_arg_upath_canon(upath, &ar->k_ar.ar_arg_upath2);
+ ARG_SET_VALID(ar, ARG_UPATH2);
+}
+
+/*
* Function to save the path and vnode attr information into the audit
* record.
*
generated by cgit v1.2.3 (git 2.25.1) at 2024-06-12 23:27:09 +0000