diff -ur src.orig/contrib/openbsm/bsm/libbsm.h src/contrib/openbsm/bsm/libbsm.h --- src.orig/contrib/openbsm/bsm/libbsm.h 2012-01-03 05:24:43.000000000 +0200 +++ src/contrib/openbsm/bsm/libbsm.h 2013-01-14 00:19:18.000000000 +0200 @@ -601,6 +601,7 @@ u_int32_t egid; u_int32_t ruid; u_int32_t rgid; + u_int32_t lwpid; u_int32_t pid; u_int32_t sid; au_tid32_t tid; @@ -612,6 +613,7 @@ u_int32_t egid; u_int32_t ruid; u_int32_t rgid; + u_int32_t lwpid; u_int32_t pid; u_int32_t sid; au_tid64_t tid; @@ -636,6 +638,7 @@ u_int32_t egid; u_int32_t ruid; u_int32_t rgid; + u_int32_t lwpid; u_int32_t pid; u_int32_t sid; au_tidaddr32_t tid; @@ -647,6 +650,7 @@ u_int32_t egid; u_int32_t ruid; u_int32_t rgid; + u_int32_t lwpid; u_int32_t pid; u_int32_t sid; au_tidaddr64_t tid; @@ -1088,8 +1092,8 @@ * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. */ int audit_write_success(short event_code, token_t *misctok, au_id_t auid, - uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, pid_t pid, - au_asid_t sid, au_tid_t *tid); + uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, lwpid_t lwpid, + pid_t pid, au_asid_t sid, au_tid_t *tid); /* * audit_write_success_self() @@ -1158,7 +1162,7 @@ */ int audit_write_failure(short event_code, char *errmsg, int errret, au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, - pid_t pid, au_asid_t sid, au_tid_t *tid); + lwpid_t lwpid, pid_t pid, au_asid_t sid, au_tid_t *tid); /* * audit_write_failure_self() 
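Review bot: Inserting `lwpid` ahead of `pid` in the four subject structs and in the `audit_write_success()` / `audit_write_failure()` prototypes (and `audit_write_failure_na()` in the next hunk) changes libbsm's public layout and calling convention, and nothing in this diff versions or guards that change. A consumer built against the old header would presumably read pid from the slot that now holds lwpid, which silently corrupts the subject identity it reports. Either append the new member after `tid` in each struct, or document the break at the declarations, e.g. `/* ABI change: lwpid added before pid; all libbsm consumers must be rebuilt */`.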
@@ -1215,7 +1219,7 @@ * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. */ int audit_write_failure_na(short event_code, char *errmsg, int errret, - uid_t euid, gid_t egid, pid_t pid, au_tid_t *tid); + uid_t euid, gid_t egid, lwpid_t lwpid, pid_t pid, au_tid_t *tid); /* END au_write() WRAPPERS */ diff -ur src.orig/contrib/openbsm/libauditd/auditd_lib.c src/contrib/openbsm/libauditd/auditd_lib.c --- src.orig/contrib/openbsm/libauditd/auditd_lib.c 2012-01-03 05:24:43.000000000 +0200 +++ src/contrib/openbsm/libauditd/auditd_lib.c 2013-01-14 00:41:51.000000000 +0200 @@ -44,6 +44,7 @@ #include #include +#include #include @@ -943,10 +944,13 @@ int aufd; uid_t uid; pid_t pid; + long lwpid = -1; char *autext = NULL; token_t *tok; struct auditinfo_addr aia; + thr_self(&lwpid); + if (event == AUE_audit_startup) asprintf(&autext, "%s::Audit startup", getprogname()); else if (event == AUE_audit_shutdown) @@ -965,7 +969,7 @@ bzero(&aia, sizeof(aia)); uid = getuid(); pid = getpid(); if ((tok = au_to_subject32_ex(uid, geteuid(), getegid(), uid, getgid(), - pid, pid, &aia.ai_termid)) != NULL) + (lwpid_t)lwpid, pid, pid, &aia.ai_termid)) != NULL) au_write(aufd, tok); if ((tok = au_to_text(autext)) != NULL) au_write(aufd, tok); diff -ur src.orig/contrib/openbsm/libbsm/bsm_io.c src/contrib/openbsm/libbsm/bsm_io.c --- src.orig/contrib/openbsm/libbsm/bsm_io.c 2012-01-03 05:24:43.000000000 +0200 +++ src/contrib/openbsm/libbsm/bsm_io.c 2013-01-13 22:36:37.000000000 +0200 @@ -544,19 +544,19 @@ fprintf(fp, "tt.subj32.lwpid, tok->len, err); + if (err) + return (-1); + READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.pid, tok->len, err); if (err) return (-1); @@ -3382,6 +3386,9 @@ open_attr(fp, "rgid"); print_group(fp, tok->tt.subj32.rgid, raw); close_attr(fp); + open_attr(fp, "lwpid"); + print_user(fp, tok->tt.subj32.lwpid, raw); + close_attr(fp); open_attr(fp,"pid"); print_4_bytes(fp, tok->tt.subj32.pid, "%u"); close_attr(fp); 
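Review bot: The return value of `thr_self(&lwpid)` is ignored in the auditd_lib.c hunk, so on failure the initial `-1` is cast to `lwpid_t` and serialised as if it were a real thread id. The printers added elsewhere in this diff use `"%u"`, so a reader of the trail would see 4294967295 with no indication that it means "unknown". Either check the call and log the failure, or document the sentinel where it is set: `/* lwpid stays -1 (printed as 4294967295) if thr_self() fails */`. The same unchecked pattern is in the getaudit_addr() hunk of bsm_token.c, in bsm_wrappers.c and in the three login_audit.c functions; the enclosing function here starts and ends outside the hunk.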
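Review bot: In the XML branch for the 32-bit subject token the new `lwpid` attribute is printed with `print_user()`, whereas the delimited branch and the subj64, subj32_ex and subj64_ex printers in this diff all use `print_4_bytes(..., "%u")`. print_user presumably resolves its argument as a uid when `raw` is not set, so a thread id could be rendered as an unrelated account name in the audit output. Change the line to `print_4_bytes(fp, tok->tt.subj32.lwpid, "%u");`. The printing function begins and ends outside this hunk.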
@@ -3405,6 +3412,8 @@ print_delim(fp, del); print_group(fp, tok->tt.subj32.rgid, raw); print_delim(fp, del); + print_4_bytes(fp, tok->tt.subj32.lwpid, "%u"); + print_delim(fp, del); print_4_bytes(fp, tok->tt.subj32.pid, "%u"); print_delim(fp, del); print_4_bytes(fp, tok->tt.subj32.sid, "%u"); @@ -3452,6 +3461,10 @@ if (err) return (-1); + READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.lwpid, tok->len, err); + if (err) + return (-1); + READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.pid, tok->len, err); if (err) return (-1); @@ -3494,6 +3507,9 @@ open_attr(fp, "rgid"); print_group(fp, tok->tt.subj64.rgid, raw); close_attr(fp); + open_attr(fp, "lwpid"); + print_4_bytes(fp, tok->tt.subj64.lwpid, "%u"); + close_attr(fp); open_attr(fp, "pid"); print_4_bytes(fp, tok->tt.subj64.pid, "%u"); close_attr(fp); @@ -3517,6 +3533,8 @@ print_delim(fp, del); print_group(fp, tok->tt.subj64.rgid, raw); print_delim(fp, del); + print_4_bytes(fp, tok->tt.subj64.lwpid, "%u"); + print_delim(fp, del); print_4_bytes(fp, tok->tt.subj64.pid, "%u"); print_delim(fp, del); print_4_bytes(fp, tok->tt.subj64.sid, "%u"); @@ -3565,6 +3583,10 @@ if (err) return (-1); + READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.lwpid, tok->len, err); + if (err) + return (-1); + READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.pid, tok->len, err); if (err) return (-1); @@ -3621,6 +3643,9 @@ open_attr(fp, "rgid"); print_group(fp, tok->tt.subj32_ex.rgid, raw); close_attr(fp); + open_attr(fp, "lwpid"); + print_4_bytes(fp, tok->tt.subj32_ex.lwpid, "%u"); + close_attr(fp); open_attr(fp, "pid"); print_4_bytes(fp, tok->tt.subj32_ex.pid, "%u"); close_attr(fp); @@ -3645,6 +3670,8 @@ print_delim(fp, del); print_group(fp, tok->tt.subj32_ex.rgid, raw); print_delim(fp, del); + print_4_bytes(fp, tok->tt.subj32_ex.lwpid, "%u"); + print_delim(fp, del); print_4_bytes(fp, tok->tt.subj32_ex.pid, "%u"); print_delim(fp, del); print_4_bytes(fp, tok->tt.subj32_ex.sid, "%u"); 
@@ -3694,6 +3721,10 @@ if (err) return (-1); + READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.lwpid, tok->len, err); + if (err) + return (-1); + READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.pid, tok->len, err); if (err) return (-1); @@ -3749,6 +3780,9 @@ open_attr(fp, "rgid"); print_group(fp, tok->tt.subj64_ex.rgid, raw); close_attr(fp); + open_attr(fp, "lwpid"); + print_4_bytes(fp, tok->tt.subj64_ex.lwpid, "%u"); + close_attr(fp); open_attr(fp, "pid"); print_4_bytes(fp, tok->tt.subj64_ex.pid, "%u"); close_attr(fp); @@ -3773,6 +3807,8 @@ print_delim(fp, del); print_group(fp, tok->tt.subj64_ex.rgid, raw); print_delim(fp, del); + print_4_bytes(fp, tok->tt.subj64_ex.lwpid, "%u"); + print_delim(fp, del); print_4_bytes(fp, tok->tt.subj64_ex.pid, "%u"); print_delim(fp, del); print_4_bytes(fp, tok->tt.subj64_ex.sid, "%u"); diff -ur src.orig/contrib/openbsm/libbsm/bsm_token.c src/contrib/openbsm/libbsm/bsm_token.c --- src.orig/contrib/openbsm/libbsm/bsm_token.c 2012-01-03 05:24:43.000000000 +0200 +++ src/contrib/openbsm/libbsm/bsm_token.c 2013-01-14 00:16:28.000000000 +0200 @@ -59,6 +59,7 @@ #include #include #include +#include #include @@ -75,6 +76,7 @@ #include #include + #define GET_TOKEN_AREA(t, dptr, length) do { \ (t) = malloc(sizeof(token_t)); \ if ((t) != NULL) { \ @@ -1102,12 +1104,12 @@ */ token_t * au_to_subject32(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, - pid_t pid, au_asid_t sid, au_tid_t *tid) + lwpid_t lwpid, pid_t pid, au_asid_t sid, au_tid_t *tid) { token_t *t; u_char *dptr = NULL; - GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 9 * sizeof(u_int32_t)); + GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 10 * sizeof(u_int32_t)); if (t == NULL) return (NULL); @@ -1117,6 +1119,7 @@ ADD_U_INT32(dptr, egid); ADD_U_INT32(dptr, ruid); ADD_U_INT32(dptr, rgid); + ADD_U_INT32(dptr, lwpid); ADD_U_INT32(dptr, pid); ADD_U_INT32(dptr, sid); ADD_U_INT32(dptr, tid->port); 
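Review bot: `au_to_subject32()` now emits ten 32-bit words instead of nine, with `lwpid` placed between rgid and pid, and as far as this diff shows the token keeps its existing type byte. Trails written before this change, or by any other BSM producer, would then be parsed by the updated `READ_TOKEN_U_INT32` sequence in bsm_io.c with pid, sid and the terminal id each shifted by four bytes, and nothing flags the mismatch. The same applies to the subject64, subject32_ex and subject64_ex writers in this file and to the kernel copies in audit_bsm_token.c. Carrying the thread id in a separate token, or under a new token type, would keep existing records readable; at minimum add above the function `/* Non-standard layout: lwpid inserted before pid; incompatible with stock BSM readers and older trails. */`.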
@@ -1127,12 +1130,12 @@ token_t * au_to_subject64(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, - pid_t pid, au_asid_t sid, au_tid_t *tid) + lwpid_t lwpid, pid_t pid, au_asid_t sid, au_tid_t *tid) { token_t *t; u_char *dptr = NULL; - GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 7 * sizeof(u_int32_t) + + GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 8 * sizeof(u_int32_t) + sizeof(u_int64_t) + sizeof(u_int32_t)); if (t == NULL) return (NULL); @@ -1143,6 +1146,7 @@ ADD_U_INT32(dptr, egid); ADD_U_INT32(dptr, ruid); ADD_U_INT32(dptr, rgid); + ADD_U_INT32(dptr, lwpid); ADD_U_INT32(dptr, pid); ADD_U_INT32(dptr, sid); ADD_U_INT64(dptr, tid->port); @@ -1153,11 +1157,11 @@ token_t * au_to_subject(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, - pid_t pid, au_asid_t sid, au_tid_t *tid) + lwpid_t lwpid, pid_t pid, au_asid_t sid, au_tid_t *tid) { - return (au_to_subject32(auid, euid, egid, ruid, rgid, pid, sid, - tid)); + return (au_to_subject32(auid, euid, egid, ruid, rgid, lwpid, pid, + sid, tid)); } /* @@ -1176,16 +1180,16 @@ */ token_t * au_to_subject32_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, - gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid) + gid_t rgid, lwpid_t lwpid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid) { token_t *t; u_char *dptr = NULL; if (tid->at_type == AU_IPv4) - GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 10 * + GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 11 * sizeof(u_int32_t)); else if (tid->at_type == AU_IPv6) - GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 13 * + GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 14 * sizeof(u_int32_t)); else { errno = EINVAL; @@ -1200,6 +1204,7 @@ ADD_U_INT32(dptr, egid); ADD_U_INT32(dptr, ruid); ADD_U_INT32(dptr, rgid); + ADD_U_INT32(dptr, lwpid); ADD_U_INT32(dptr, pid); ADD_U_INT32(dptr, sid); ADD_U_INT32(dptr, tid->at_port); 
@@ -1214,18 +1219,18 @@ token_t * au_to_subject64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, - gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid) + gid_t rgid, lwpid_t lwpid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid) { token_t *t; u_char *dptr = NULL; if (tid->at_type == AU_IPv4) GET_TOKEN_AREA(t, dptr, sizeof(u_char) + - 7 * sizeof(u_int32_t) + sizeof(u_int64_t) + + 8 * sizeof(u_int32_t) + sizeof(u_int64_t) + 2 * sizeof(u_int32_t)); else if (tid->at_type == AU_IPv6) GET_TOKEN_AREA(t, dptr, sizeof(u_char) + - 7 * sizeof(u_int32_t) + sizeof(u_int64_t) + + 8 * sizeof(u_int32_t) + sizeof(u_int64_t) + 5 * sizeof(u_int32_t)); else { errno = EINVAL; @@ -1240,6 +1245,7 @@ ADD_U_INT32(dptr, egid); ADD_U_INT32(dptr, ruid); ADD_U_INT32(dptr, rgid); + ADD_U_INT32(dptr, lwpid); ADD_U_INT32(dptr, pid); ADD_U_INT32(dptr, sid); ADD_U_INT64(dptr, tid->at_port); @@ -1254,11 +1260,11 @@ token_t * au_to_subject_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, - gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid) + gid_t rgid, lwpid_t lwpid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid) { - return (au_to_subject32_ex(auid, euid, egid, ruid, rgid, pid, sid, - tid)); + return (au_to_subject32_ex(auid, euid, egid, ruid, rgid, lwpid, pid, + sid, tid)); } #if !defined(_KERNEL) && !defined(KERNEL) && defined(HAVE_AUDIT_SYSCALLS) @@ -1271,6 +1277,9 @@ { auditinfo_t auinfo; auditinfo_addr_t aia; + long lwpid = -1; + + thr_self(&lwpid); /* * Try to use getaudit_addr(2) first. If this kernel does not support @@ -1281,8 +1290,8 @@ if (getaudit(&auinfo) != 0) return (NULL); return (au_to_subject32(auinfo.ai_auid, geteuid(), - getegid(), getuid(), getgid(), getpid(), - auinfo.ai_asid, &auinfo.ai_termid)); + getegid(), getuid(), getgid(), (lwpid_t)lwpid, + getpid(), auinfo.ai_asid, &auinfo.ai_termid)); } else { /* getaudit_addr(2) failed for some other reason. */ return (NULL); 
@@ -1290,7 +1299,8 @@ } return (au_to_subject32_ex(aia.ai_auid, geteuid(), getegid(), getuid(), - getgid(), getpid(), aia.ai_asid, &aia.ai_termid)); + getgid(), (lwpid_t)lwpid, getpid(), aia.ai_asid, + &aia.ai_termid)); } #endif diff -ur src.orig/contrib/openbsm/libbsm/bsm_wrappers.c src/contrib/openbsm/libbsm/bsm_wrappers.c --- src.orig/contrib/openbsm/libbsm/bsm_wrappers.c 2012-01-03 05:24:43.000000000 +0200 +++ src/contrib/openbsm/libbsm/bsm_wrappers.c 2013-01-14 00:18:12.000000000 +0200 @@ -41,6 +41,7 @@ #endif #include +#include #include @@ -66,6 +67,7 @@ int acond; va_list ap; pid_t pid; + long lwpid = -1; int error, afd, subj_ex; struct auditinfo ai; struct auditinfo_addr aia; @@ -134,14 +136,16 @@ if (aia.ai_termid.at_type == AU_IPv6) subj_ex = 1; pid = getpid(); + thr_self(&lwpid); if (subj_ex == 0) { atid.port = aia.ai_termid.at_port; atid.machine = aia.ai_termid.at_addr[0]; token = au_to_subject32(auid, geteuid(), getegid(), - getuid(), getgid(), pid, pid, &atid); + getuid(), getgid(), (lwpid_t)lwpid, pid, pid, &atid); } else token = au_to_subject_ex(auid, geteuid(), getegid(), - getuid(), getgid(), pid, pid, &aia.ai_termid); + getuid(), getgid(), (lwpid_t)lwpid, pid, pid, + &aia.ai_termid); if (token == NULL) { syslog(LOG_AUTH | LOG_ERR, "audit: unable to build subject token"); @@ -351,14 +355,14 @@ */ int audit_write_success(short event_code, token_t *tok, au_id_t auid, uid_t euid, - gid_t egid, uid_t ruid, gid_t rgid, pid_t pid, au_asid_t sid, + gid_t egid, uid_t ruid, gid_t rgid, lwpid_t lwpid, pid_t pid, au_asid_t sid, au_tid_t *tid) { char *func = "audit_write_success()"; token_t *subject = NULL; /* Tokenize and save subject. */ - subject = au_to_subject32(auid, euid, egid, ruid, rgid, pid, sid, + subject = au_to_subject32(auid, euid, egid, ruid, rgid, lwpid, pid, sid, tid); if (subject == NULL) { syslog(LOG_ERR, "%s: au_to_subject32() failed", func); 
@@ -395,13 +399,14 @@ */ int audit_write_failure(short event_code, char *errmsg, int errcode, au_id_t auid, - uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, pid_t pid, au_asid_t sid, - au_tid_t *tid) + uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, lwpid_t lwpid, pid_t pid, + au_asid_t sid, au_tid_t *tid) { char *func = "audit_write_failure()"; token_t *subject, *errtok; - subject = au_to_subject32(auid, euid, egid, ruid, rgid, pid, sid, tid); + subject = au_to_subject32(auid, euid, egid, ruid, rgid, lwpid, pid, + sid, tid); if (subject == NULL) { syslog(LOG_ERR, "%s: au_to_subject32() failed", func); return (kAUMakeSubjectTokErr); @@ -452,11 +457,11 @@ */ int audit_write_failure_na(short event_code, char *errmsg, int errret, uid_t euid, - uid_t egid, pid_t pid, au_tid_t *tid) + uid_t egid, lwpid_t lwpid, pid_t pid, au_tid_t *tid) { return (audit_write_failure(event_code, errmsg, errret, -1, euid, - egid, -1, -1, pid, -1, tid)); + egid, -1, -1, lwpid, pid, -1, tid)); } /* END OF au_write() WRAPPERS */ diff -ur src.orig/sys/bsm/audit_record.h src/sys/bsm/audit_record.h --- src.orig/sys/bsm/audit_record.h 2012-01-03 05:26:45.000000000 +0200 +++ src/sys/bsm/audit_record.h 2013-01-13 21:13:26.000000000 +0200 
@@ -258,17 +258,17 @@ token_t *au_to_sock_inet128(struct sockaddr_in6 *so); token_t *au_to_sock_unix(struct sockaddr_un *so); token_t *au_to_subject(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, - gid_t rgid, pid_t pid, au_asid_t sid, au_tid_t *tid); + gid_t rgid, lwpid_t lwpid, pid_t pid, au_asid_t sid, au_tid_t *tid); token_t *au_to_subject32(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, - gid_t rgid, pid_t pid, au_asid_t sid, au_tid_t *tid); + gid_t rgid, lwpid_t lwpid, pid_t pid, au_asid_t sid, au_tid_t *tid); token_t *au_to_subject64(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, - gid_t rgid, pid_t pid, au_asid_t sid, au_tid_t *tid); + gid_t rgid, lwpid_t lwpid, pid_t pid, au_asid_t sid, au_tid_t *tid); token_t *au_to_subject_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, - gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid); + gid_t rgid, lwpid_t lwpid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid); token_t *au_to_subject32_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, - gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid); + gid_t rgid, lwpid_t lwpid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid); token_t *au_to_subject64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, - gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid); + gid_t rgid, lwpid_t lwpid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid); #if defined(_KERNEL) || defined(KERNEL) token_t *au_to_exec_args(char *args, int argc); token_t *au_to_exec_env(char *envs, int envc); diff -ur src.orig/sys/kern/kern_thr.c src/sys/kern/kern_thr.c --- src.orig/sys/kern/kern_thr.c 2012-01-03 05:26:16.000000000 +0200 +++ src/sys/kern/kern_thr.c 2013-08-16 04:47:07.000000000 +0300 
@@ -318,6 +318,8 @@ PROC_LOCK(p); racct_sub(p, RACCT_NTHR, 1); + AUDIT_ARG_PROCESS(p); + /* * Shutting down last thread in the proc. This will actually * call exit() in the trampoline when it returns. diff -ur src.orig/sys/kern/uipc_socket.c src/sys/kern/uipc_socket.c --- src.orig/sys/kern/uipc_socket.c 2012-01-03 05:26:16.000000000 +0200 +++ src/sys/kern/uipc_socket.c 2013-09-30 04:01:22.000000000 +0300 @@ -138,6 +138,7 @@ #include +#include #include #include @@ -2399,8 +2400,29 @@ if (valsize > len) sopt->sopt_valsize = valsize = len; + /* This if block indicates a request coming from userland. */ if (sopt->sopt_td != NULL) - return (copyin(sopt->sopt_val, buf, valsize)); + { + int ret = copyin(sopt->sopt_val, buf, valsize); + + /* Unfortunately, there's no AUDIT_ARG_*() macro that can be used + * to copy arbitrary buffers in audit records. However, we can use + * the following switch-case to catch some common valsize values. + */ + switch(valsize) + { + case 1: + AUDIT_ARG_VALUE(*(int8_t *)buf); + break; + case 2: + AUDIT_ARG_VALUE(*(int16_t *)buf); + break; + case 4: + AUDIT_ARG_VALUE(*(int32_t *)buf); + break; + } + return (ret); + } bcopy(sopt->sopt_val, buf, valsize); return (0); diff -ur src.orig/sys/kern/uipc_syscalls.c src/sys/kern/uipc_syscalls.c --- src.orig/sys/kern/uipc_syscalls.c 2012-01-03 05:26:16.000000000 +0200 +++ src/sys/kern/uipc_syscalls.c 2013-09-30 03:20:29.000000000 +0300 @@ -240,6 +240,7 @@ int error; AUDIT_ARG_FD(fd); + AUDIT_ARG_SOCKADDR(td, sa); error = getsock_cap(td->td_proc->p_fd, fd, CAP_BIND, &fp, NULL); if (error) return (error); @@ -440,6 +441,9 @@ (void) fo_ioctl(nfp, FIOASYNC, &tmp, td->td_ucred, td); sa = 0; error = soaccept(so, &sa); + if (sa) + AUDIT_ARG_SOCKADDR(td, sa); + if (error) { /* * return a namelen of zero for older code which might @@ -549,6 +553,7 @@ int interrupted = 0; AUDIT_ARG_FD(fd); + AUDIT_ARG_SOCKADDR(td, sa); error = getsock_cap(td->td_proc->p_fd, fd, CAP_CONNECT, &fp, NULL); if (error) return (error); 
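Review bot: In the `sopt->sopt_td != NULL` branch of the uipc_socket.c hunk the `switch(valsize)` runs even when `copyin()` returned an error, so `AUDIT_ARG_VALUE()` can record whatever `buf` held before the call, which may be uninitialised caller memory ending up in the audit trail. Guard the switch with `if (ret == 0)`. The `*(int16_t *)buf` and `*(int32_t *)buf` reads also assume `buf` is suitably aligned, which this hunk does not establish; copying into a local of the right width with `bcopy` avoids that. Since the helper looks generic, its comment should state that the value is attached to whichever audit record is current and that only 1-, 2- and 4-byte options are captured.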
@@ -1349,9 +1354,16 @@ } AUDIT_ARG_FD(s); + /* There are no specific AUDIT_ARG_*() macros for setsockopt(), but we + * can use AUDIT_ARG_VALUE() and AUDIT_ARG_CMD(). + */ + AUDIT_ARG_CMD(((level & 0xffff) << 16) | (name & 0xffff)); error = getsock_cap(td->td_proc->p_fd, s, CAP_SETSOCKOPT, &fp, NULL); if (error == 0) { so = fp->f_data; + /* To audit the option itself we need to issue a copyin(). Postpone + * that until sooptcopyin() is called. + */ error = sosetopt(so, &sopt); fdrop(fp, td); } @@ -1428,6 +1440,8 @@ } AUDIT_ARG_FD(s); + /* See kern_setsockopt() above... */ + AUDIT_ARG_CMD(((level & 0xffff) << 16) | (name & 0xffff)); error = getsock_cap(td->td_proc->p_fd, s, CAP_GETSOCKOPT, &fp, NULL); if (error == 0) { so = fp->f_data; diff -ur src.orig/sys/security/audit/audit.c src/sys/security/audit/audit.c --- src.orig/sys/security/audit/audit.c 2012-01-03 05:26:57.000000000 +0200 +++ src/sys/security/audit/audit.c 2013-09-29 22:42:05.000000000 +0300 @@ -220,6 +220,11 @@ ar->k_ar.ar_magic = AUDIT_RECORD_MAGIC; nanotime(&ar->k_ar.ar_starttime); + /* I think this is the most appropriate place to initialize k_uthread + * which otherwise remains unused. + */ + ar->k_uthread = (struct uthread *)td; + /* * Export the subject credential. */ diff -ur src.orig/sys/security/audit/audit.h src/sys/security/audit/audit.h --- src.orig/sys/security/audit/audit.h 2012-01-03 05:26:57.000000000 +0200 +++ src/sys/security/audit/audit.h 2013-09-22 21:06:11.000000000 +0300 @@ -191,6 +191,11 @@ audit_arg_fd((fd)); \ } while (0) +#define AUDIT_ARG_SOCKADDR(td, sa) do { \ + if (AUDITING_TD(curthread)) \ + audit_arg_sockaddr((td), (sa)); \ +} while(0) + #define AUDIT_ARG_FILE(p, fp) do { \ if (AUDITING_TD(curthread)) \ audit_arg_file((p), (fp)); \ diff -ur src.orig/sys/security/audit/audit_bsm.c src/sys/security/audit/audit_bsm.c --- src.orig/sys/security/audit/audit_bsm.c 2012-01-03 05:26:57.000000000 +0200 +++ src/sys/security/audit/audit_bsm.c 2013-09-30 03:55:24.000000000 +0300 
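Review bot: `((level & 0xffff) << 16)` is evaluated in signed int if `level` is an int (its declaration is outside the hunk), and for a level of 0xffff (SOL_SOCKET on FreeBSD) the shifted result does not fit in int, which is undefined behaviour in C. Do the packing in unsigned arithmetic: `AUDIT_ARG_CMD((((u_int)level & 0xffff) << 16) | ((u_int)name & 0xffff));`. The identical expression in the getsockopt hunk that follows needs the same change. Masking to 16 bits also discards the upper bits of both values, so the comment should say that the cmd token is a lossy encoding of level and name.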
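Review bot: `ar->k_uthread = (struct uthread *)td;` in the audit.c hunk keeps a raw pointer to the originating thread in the record, and the audit_bsm.c hunks later dereference it as `((struct thread *)kar->k_uthread)->td_tid`. If the record is converted to BSM after the syscall has returned, as appears to be the case when conversion is done asynchronously, the thread may already have exited and the read hits a stale or recycled structure, putting the wrong thread id in the trail. Capture the id by value when the record is created, for example a new `lwpid_t` member (name is a suggestion) set with `ar->k_ar.ar_subj_tid = td->td_tid;` next to the other exported subject credentials, and pass that member to the au_to_subject*() calls. The comment should also drop "I think" and state what the field holds and for how long it is valid.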
@@ -41,6 +41,7 @@ #include #include #include +#include #include #include @@ -486,6 +487,7 @@ ar->ar_subj_egid, /* eff group id */ ar->ar_subj_ruid, /* real uid */ ar->ar_subj_rgid, /* real group id */ + ((struct thread *)kar->k_uthread)->td_tid, ar->ar_subj_pid, /* process id */ ar->ar_subj_asid, /* session ID */ &tid); @@ -496,6 +498,7 @@ ar->ar_subj_egid, ar->ar_subj_ruid, ar->ar_subj_rgid, + ((struct thread *)kar->k_uthread)->td_tid, ar->ar_subj_pid, ar->ar_subj_asid, &ar->ar_subj_term_addr); @@ -507,6 +510,7 @@ ar->ar_subj_egid, ar->ar_subj_ruid, ar->ar_subj_rgid, + ((struct thread *)kar->k_uthread)->td_tid, ar->ar_subj_pid, ar->ar_subj_asid, &tid); @@ -548,7 +552,14 @@ kau_write(rec, tok); UPATH1_TOKENS; } - /* XXX Need to handle ARG_SADDRINET6 */ + /* XXX: I think it would be better to modify au_to_sock_inet() + * rather than calling au_to_sock_inet128() directly here. + */ + if (ARG_IS_VALID(kar, ARG_SADDRINET6)) { + tok = au_to_sock_inet128((struct sockaddr_in6 *) + &ar->ar_arg_sockaddr); + kau_write(rec, tok); + } break; case AUE_SOCKET: @@ -567,6 +578,20 @@ break; case AUE_SETSOCKOPT: + if (ARG_IS_VALID(kar, ARG_FD)) { + tok = au_to_arg32(1, "fd", ar->ar_arg_fd); + kau_write(rec, tok); + } + if (ARG_IS_VALID(kar, ARG_CMD)) { + tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd); + kau_write(rec, tok); + } + if (ARG_IS_VALID(kar, ARG_VALUE)) { + tok = au_to_arg32(3, "value", ar->ar_arg_value); + kau_write(rec, tok); + } + break; + case AUE_SHUTDOWN: if (ARG_IS_VALID(kar, ARG_FD)) { tok = au_to_arg32(1, "fd", ar->ar_arg_fd); diff -ur src.orig/sys/security/audit/audit_bsm_token.c src/sys/security/audit/audit_bsm_token.c --- src.orig/sys/security/audit/audit_bsm_token.c 2012-01-03 05:26:57.000000000 +0200 +++ src/sys/security/audit/audit_bsm_token.c 2013-09-30 04:30:03.000000000 +0300 
@@ -1003,7 +1003,11 @@ ADD_U_CHAR(dptr, 0); ADD_U_CHAR(dptr, so->sin6_family); - ADD_U_INT16(dptr, so->sin6_port); + /* No, it should be ADD_MEM() instead, otherwise AF_INET6 related + * tokens, get a port number with reversed endianness. + */ + /* ADD_U_INT16(dptr, so->sin6_port); */ + ADD_MEM(dptr, &so->sin6_port, sizeof(uint16_t)); ADD_MEM(dptr, &so->sin6_addr, 4 * sizeof(uint32_t)); return (t); @@ -1031,12 +1035,12 @@ */ token_t * au_to_subject32(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, - pid_t pid, au_asid_t sid, au_tid_t *tid) + lwpid_t lwpid, pid_t pid, au_asid_t sid, au_tid_t *tid) { token_t *t; u_char *dptr = NULL; - GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 9 * sizeof(u_int32_t)); + GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 10 * sizeof(u_int32_t)); ADD_U_CHAR(dptr, AUT_SUBJECT32); ADD_U_INT32(dptr, auid); @@ -1044,6 +1048,7 @@ ADD_U_INT32(dptr, egid); ADD_U_INT32(dptr, ruid); ADD_U_INT32(dptr, rgid); + ADD_U_INT32(dptr, lwpid); ADD_U_INT32(dptr, pid); ADD_U_INT32(dptr, sid); ADD_U_INT32(dptr, tid->port); @@ -1054,12 +1059,12 @@ token_t * au_to_subject64(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, - pid_t pid, au_asid_t sid, au_tid_t *tid) + lwpid_t lwpid, pid_t pid, au_asid_t sid, au_tid_t *tid) { token_t *t; u_char *dptr = NULL; - GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 7 * sizeof(u_int32_t) + + GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 8 * sizeof(u_int32_t) + sizeof(u_int64_t) + sizeof(u_int32_t)); ADD_U_CHAR(dptr, AUT_SUBJECT64); @@ -1068,6 +1073,7 @@ ADD_U_INT32(dptr, egid); ADD_U_INT32(dptr, ruid); ADD_U_INT32(dptr, rgid); + ADD_U_INT32(dptr, lwpid); ADD_U_INT32(dptr, pid); ADD_U_INT32(dptr, sid); ADD_U_INT64(dptr, tid->port); 
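Review bot: The old `ADD_U_INT16` call is left behind as commented-out code and the new comment argues with it instead of stating the rule; replace both with `/* sin6_port is already in network byte order; copy it verbatim. */` above the `ADD_MEM` line. This diff changes only the kernel copy of what appears to be au_to_sock_inet128(): the contrib/openbsm/libbsm/bsm_token.c section has no matching hunk, so tokens built in userland would presumably still byte-swap the port and the two producers would disagree. The function begins outside the hunk.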
@@ -1078,11 +1084,11 @@ token_t * au_to_subject(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, - pid_t pid, au_asid_t sid, au_tid_t *tid) + lwpid_t lwpid, pid_t pid, au_asid_t sid, au_tid_t *tid) { - return (au_to_subject32(auid, euid, egid, ruid, rgid, pid, sid, - tid)); + return (au_to_subject32(auid, euid, egid, ruid, rgid, lwpid, pid, + sid, tid)); } /* @@ -1101,7 +1107,7 @@ */ token_t * au_to_subject32_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, - gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid) + gid_t rgid, lwpid_t lwpid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid) { token_t *t; u_char *dptr = NULL; @@ -1110,10 +1116,10 @@ ("au_to_subject32_ex: type %u", (unsigned int)tid->at_type)); if (tid->at_type == AU_IPv4) - GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 10 * + GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 11 * sizeof(u_int32_t)); else - GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 13 * + GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 14 * sizeof(u_int32_t)); ADD_U_CHAR(dptr, AUT_SUBJECT32_EX); @@ -1122,6 +1128,7 @@ ADD_U_INT32(dptr, egid); ADD_U_INT32(dptr, ruid); ADD_U_INT32(dptr, rgid); + ADD_U_INT32(dptr, lwpid); ADD_U_INT32(dptr, pid); ADD_U_INT32(dptr, sid); ADD_U_INT32(dptr, tid->at_port); @@ -1136,7 +1143,7 @@ token_t * au_to_subject64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, - gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid) + gid_t rgid, lwpid_t lwpid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid) { token_t *t; u_char *dptr = NULL; @@ -1146,11 +1153,11 @@ if (tid->at_type == AU_IPv4) GET_TOKEN_AREA(t, dptr, sizeof(u_char) + - 7 * sizeof(u_int32_t) + sizeof(u_int64_t) + + 8 * sizeof(u_int32_t) + sizeof(u_int64_t) + 2 * sizeof(u_int32_t)); else GET_TOKEN_AREA(t, dptr, sizeof(u_char) + - 7 * sizeof(u_int32_t) + sizeof(u_int64_t) + + 8 * sizeof(u_int32_t) + sizeof(u_int64_t) + 5 * sizeof(u_int32_t)); ADD_U_CHAR(dptr, AUT_SUBJECT64_EX); 
@@ -1159,6 +1166,7 @@ ADD_U_INT32(dptr, egid); ADD_U_INT32(dptr, ruid); ADD_U_INT32(dptr, rgid); + ADD_U_INT32(dptr, lwpid); ADD_U_INT32(dptr, pid); ADD_U_INT32(dptr, sid); ADD_U_INT64(dptr, tid->at_port); @@ -1173,11 +1181,11 @@ token_t * au_to_subject_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, - gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid) + gid_t rgid, lwpid_t lwpid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid) { - return (au_to_subject32_ex(auid, euid, egid, ruid, rgid, pid, sid, - tid)); + return (au_to_subject32_ex(auid, euid, egid, ruid, rgid, lwpid, pid, + sid, tid)); } #if !defined(_KERNEL) && !defined(KERNEL) && defined(HAVE_AUDIT_SYSCALLS) diff -ur src.orig/usr.bin/login/login_audit.c src/usr.bin/login/login_audit.c --- src.orig/usr.bin/login/login_audit.c 2012-01-03 05:23:42.000000000 +0200 +++ src/usr.bin/login/login_audit.c 2013-01-14 00:48:55.000000000 +0200 @@ -35,6 +35,7 @@ __FBSDID("$FreeBSD: release/9.0.0/usr.bin/login/login_audit.c 191297 2009-04-19 23:34:22Z rwatson $"); #include +#include #include #include @@ -67,8 +68,11 @@ uid_t uid = pwd->pw_uid; gid_t gid = pwd->pw_gid; pid_t pid = getpid(); + long lwpid = -1; int au_cond; + thr_self(&lwpid); + /* If we are not auditing, don't cut an audit record; just return. */ if (auditon(A_GETCOND, &au_cond, sizeof(au_cond)) < 0) { if (errno == ENOSYS) @@ -93,8 +97,8 @@ if ((aufd = au_open()) == -1) errx(1,"login: Audit Error: au_open() failed"); - if ((tok = au_to_subject32(uid, geteuid(), getegid(), uid, gid, pid, - pid, &tid)) == NULL) + if ((tok = au_to_subject32(uid, geteuid(), getegid(), uid, gid, + (lwpid_t)lwpid, pid, pid, &tid)) == NULL) errx(1, "login: Audit Error: au_to_subject32() failed"); au_write(aufd, tok); @@ -119,6 +123,9 @@ uid_t uid; gid_t gid; pid_t pid = getpid(); + long lwpid = -1; + + thr_self(&lwpid); /* If we are not auditing, don't cut an audit record; just return. */ if (auditon(A_GETCOND, &au_cond, sizeof(au_cond)) < 0) { 
@@ -138,14 +145,14 @@ * within a user's session => auid,asid == -1. */ if ((tok = au_to_subject32(-1, geteuid(), getegid(), -1, -1, - pid, -1, &tid)) == NULL) + (lwpid_t)lwpid, pid, -1, &tid)) == NULL) errx(1, "login: Audit Error: au_to_subject32() failed"); } else { /* We know the subject -- so use its value instead. */ uid = pwd->pw_uid; gid = pwd->pw_gid; if ((tok = au_to_subject32(uid, geteuid(), getegid(), uid, - gid, pid, pid, &tid)) == NULL) + gid, (lwpid_t)lwpid, pid, pid, &tid)) == NULL) errx(1, "login: Audit Error: au_to_subject32() failed"); } au_write(aufd, tok); @@ -175,8 +182,11 @@ uid_t uid = pwd->pw_uid; gid_t gid = pwd->pw_gid; pid_t pid = getpid(); + long lwpid = -1; int au_cond; + thr_self(&lwpid); + /* If we are not auditing, don't cut an audit record; just return. */ if (auditon(A_GETCOND, &au_cond, sizeof(int)) < 0) { if (errno == ENOSYS) @@ -190,8 +200,8 @@ errx(1, "login: Audit Error: au_open() failed"); /* The subject that is created (euid, egid of the current process). */ - if ((tok = au_to_subject32(uid, geteuid(), getegid(), uid, gid, pid, - pid, &tid)) == NULL) + if ((tok = au_to_subject32(uid, geteuid(), getegid(), uid, gid, + (lwpid_t)lwpid, pid, pid, &tid)) == NULL) errx(1, "login: Audit Error: au_to_subject32() failed"); au_write(aufd, tok);