summaryrefslogtreecommitdiffstats
path: root/sys
diff options
context:
space:
mode:
Diffstat (limited to 'sys')
-rw-r--r--sys/security/audit/audit.c13
-rw-r--r--sys/security/audit/audit_bsm.c13
-rw-r--r--sys/security/audit/audit_private.h1
3 files changed, 25 insertions, 2 deletions
diff --git a/sys/security/audit/audit.c b/sys/security/audit/audit.c
index 2063c9d..cb3406d 100644
--- a/sys/security/audit/audit.c
+++ b/sys/security/audit/audit.c
@@ -38,6 +38,7 @@ __FBSDID("$FreeBSD$");
#include <sys/filedesc.h>
#include <sys/fcntl.h>
#include <sys/ipc.h>
+#include <sys/jail.h>
#include <sys/kernel.h>
#include <sys/kthread.h>
#include <sys/malloc.h>
@@ -211,6 +212,7 @@ audit_record_ctor(void *mem, int size, void *arg, int flags)
struct kaudit_record *ar;
struct thread *td;
struct ucred *cred;
+ struct prison *pr;
KASSERT(sizeof(*ar) == size, ("audit_record_ctor: wrong size"));
@@ -233,6 +235,17 @@ audit_record_ctor(void *mem, int size, void *arg, int flags)
ar->k_ar.ar_subj_pid = td->td_proc->p_pid;
ar->k_ar.ar_subj_amask = cred->cr_audit.ai_mask;
ar->k_ar.ar_subj_term_addr = cred->cr_audit.ai_termid;
+ /*
+ * If this process is jailed, make sure we capture the name of the
+ * jail so we can use it to generate a zonename token when we covert
+ * this record to BSM.
+ */
+ if (jailed(cred)) {
+ pr = cred->cr_prison;
+ (void) strlcpy(ar->k_ar.ar_jailname, pr->pr_name,
+ sizeof(ar->k_ar.ar_jailname));
+ } else
+ ar->k_ar.ar_jailname[0] = '\0';
return (0);
}
diff --git a/sys/security/audit/audit_bsm.c b/sys/security/audit/audit_bsm.c
index 6e49b51..b02d677 100644
--- a/sys/security/audit/audit_bsm.c
+++ b/sys/security/audit/audit_bsm.c
@@ -462,7 +462,7 @@ audit_sys_auditon(struct audit_record *ar, struct au_record *rec)
int
kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau)
{
- struct au_token *tok, *subj_tok;
+ struct au_token *tok, *subj_tok, *jail_tok;
struct au_record *rec;
au_tid_t tid;
struct audit_record *ar;
@@ -475,8 +475,13 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau)
rec = kau_open();
/*
- * Create the subject token.
+ * Create the subject token. If this credential was jailed be sure to
+ * generate a zonename token.
*/
+ if (ar->ar_jailname[0] != '\0')
+ jail_tok = au_to_zonename(ar->ar_jailname);
+ else
+ jail_tok = NULL;
switch (ar->ar_subj_term_addr.at_type) {
case AU_IPv4:
tid.port = ar->ar_subj_term_addr.at_port;
@@ -1623,11 +1628,15 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau)
/*
* Write the subject token so it is properly freed here.
*/
+ if (jail_tok != NULL)
+ kau_write(rec, jail_tok);
kau_write(rec, subj_tok);
kau_free(rec);
return (BSM_NOAUDIT);
}
+ if (jail_tok != NULL)
+ kau_write(rec, jail_tok);
kau_write(rec, subj_tok);
tok = au_to_return32(au_errno_to_bsm(ar->ar_errno), ar->ar_retval);
kau_write(rec, tok); /* Every record gets a return token */
diff --git a/sys/security/audit/audit_private.h b/sys/security/audit/audit_private.h
index ad931c0..a5716d0 100644
--- a/sys/security/audit/audit_private.h
+++ b/sys/security/audit/audit_private.h
@@ -230,6 +230,7 @@ struct audit_record {
int ar_arg_exitretval;
struct sockaddr_storage ar_arg_sockaddr;
cap_rights_t ar_arg_rights;
+ char ar_jailname[MAXHOSTNAMELEN];
};
/*
OpenPOWER on IntegriCloud