authorrwatson <rwatson@FreeBSD.org>2006-02-05 15:42:01 +0000
committerrwatson <rwatson@FreeBSD.org>2006-02-05 15:42:01 +0000
commit62220258e1e26460aa7a969a82eba11a75a90b1e (patch)
tree5d5c2b3b61a9b834826d0941c3fd30e8d8d5f0fd
parente1e7fa68bea591d4b2dc9b34099de7fcb1821e9a (diff)
downloadFreeBSD-src-62220258e1e26460aa7a969a82eba11a75a90b1e.zip
FreeBSD-src-62220258e1e26460aa7a969a82eba11a75a90b1e.tar.gz
Add AUDITVNODE[12] flags to namei(), which cause namei() to audit path
and vnode attribute information for looked up vnodes during the lookup operation. This will allow consumers of namei() to specify that this information be added to the in-process audit record. Submitted by: wsalamon Obtained from: TrustedBSD Project
-rw-r--r--sys/kern/vfs_lookup.c19
-rw-r--r--sys/sys/namei.h4
2 files changed, 22 insertions, 1 deletions
diff --git a/sys/kern/vfs_lookup.c b/sys/kern/vfs_lookup.c
index 42327ca..de8be72 100644
--- a/sys/kern/vfs_lookup.c
+++ b/sys/kern/vfs_lookup.c
@@ -58,6 +58,8 @@ __FBSDID("$FreeBSD$");
#include <sys/ktrace.h>
#endif
+#include <security/audit/audit.h>
+
#include <vm/uma.h>
#define NAMEI_DIAGNOSTIC 1
@@ -145,6 +147,12 @@ namei(ndp)
error = copyinstr(ndp->ni_dirp, cnp->cn_pnbuf,
MAXPATHLEN, (size_t *)&ndp->ni_pathlen);
+ /* If we are auditing the kernel pathname, save the user pathname. */
+ if (cnp->cn_flags & AUDITVNODE1)
+ AUDIT_ARG(upath, td, cnp->cn_pnbuf, ARG_UPATH1);
+ if (cnp->cn_flags & AUDITVNODE2)
+ AUDIT_ARG(upath, td, cnp->cn_pnbuf, ARG_UPATH2);
+
/*
* Don't allow empty pathnames.
*/
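Review bot: The two AUDIT_ARG(upath, ...) calls run before the `error` returned by the copyinstr() call just above is examined, so on a failed copy (EFAULT, or ENAMETOOLONG when the path fills all MAXPATHLEN bytes) cn_pnbuf may be partially filled or lack a NUL terminator when it is handed to the audit code. Whether the audit path then reads the buffer as a C string is not visible here, but guarding the calls costs nothing: `if (error == 0 && (cnp->cn_flags & AUDITVNODE1))` and the same for AUDITVNODE2, or move both calls past the error check that follows the empty-pathname test. The body of namei() continues outside this hunk.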
@@ -460,6 +468,12 @@ dirloop:
VREF(dp);
}
ndp->ni_vp = dp;
+
+ if (cnp->cn_flags & AUDITVNODE1)
+ AUDIT_ARG(vnode, dp, ARG_VNODE1);
+ else if (cnp->cn_flags & AUDITVNODE2)
+ AUDIT_ARG(vnode, dp, ARG_VNODE2);
+
if (!(cnp->cn_flags & (LOCKPARENT | LOCKLEAF)))
VOP_UNLOCK(dp, 0, td);
/* XXX This should probably move to the top of function. */
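Review bot: The vnode is audited with `if`/`else if`, so a caller setting both AUDITVNODE1 and AUDITVNODE2 gets the vnode recorded only as ARG_VNODE1, whereas the pathname hunk earlier in this file records cn_pnbuf under both ARG_UPATH1 and ARG_UPATH2; the hunk at nextname: below has the same `else if` shape. If the two flags are meant to be mutually exclusive that should be stated once, e.g. above the first check: `/* AUDITVNODE1/AUDITVNODE2 select the audit slot for this vnode; only one is honoured per lookup. */`. The placement before VOP_UNLOCK(dp) looks deliberate (dp is presumably still locked for the attribute fetch) and deserves a one-line comment as well. The enclosing function starts and ends outside this hunk.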
@@ -714,6 +728,11 @@ nextname:
} else if ((cnp->cn_flags & LOCKPARENT) == 0 && ndp->ni_dvp != dp)
VOP_UNLOCK(ndp->ni_dvp, 0, td);
+ if (cnp->cn_flags & AUDITVNODE1)
+ AUDIT_ARG(vnode, dp, ARG_VNODE1);
+ else if (cnp->cn_flags & AUDITVNODE2)
+ AUDIT_ARG(vnode, dp, ARG_VNODE2);
+
if ((cnp->cn_flags & LOCKLEAF) == 0)
VOP_UNLOCK(dp, 0, td);
success:
diff --git a/sys/sys/namei.h b/sys/sys/namei.h
index 9b62a3d..69148cc 100644
--- a/sys/sys/namei.h
+++ b/sys/sys/namei.h
@@ -139,7 +139,9 @@ struct nameidata {
#define NOMACCHECK 0x0800000 /* do not perform MAC checks */
#define MPSAFE 0x1000000 /* namei() must acquire Giant if needed. */
#define GIANTHELD 0x2000000 /* namei() is holding giant. */
-#define PARAMASK 0x3fffe00 /* mask of parameter descriptors */
+#define AUDITVNODE1 0x4000000 /* audit the looked up vnode information */
+#define AUDITVNODE2 0x8000000 /* audit the looked up vnode information */
+#define PARAMASK 0xffffe00 /* mask of parameter descriptors */
#define NDHASGIANT(NDP) (((NDP)->ni_cnd.cn_flags & GIANTHELD) != 0)
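Review bot: AUDITVNODE1 and AUDITVNODE2 carry identical comments, so a reader of namei.h cannot tell which one to pass; the names index the audit record's path/vnode argument slots (ARG_UPATH1/ARG_VNODE1 versus ARG_UPATH2/ARG_VNODE2 in the vfs_lookup.c hunks). Suggest `/* audit the looked up vnode as audit argument 1 */` and `/* audit the looked up vnode as audit argument 2 */`. The PARAMASK widening to 0xffffe00 covers the two new bits, which is consistent.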