authorGordon Tetlow <gordon@FreeBSD.org>2020-12-01 19:34:45 +0000
committerGordon Tetlow <gordon@FreeBSD.org>2020-12-01 19:34:45 +0000
commit8f817ae5aa4e10364643e89231da7a996958c8b3 (patch)
tree07e7534f6c55d0e8f611b056e54722b5c04a2674
parent554a831b7dc9780b9df148c8c256bb4eaa12d1d3 (diff)
downloadsrc-8f817ae5aa4e10364643e89231da7a996958c8b3.tar.gz
src-8f817ae5aa4e10364643e89231da7a996958c8b3.zip
Fix execve/fexecve system call auditing.
Approved by:	so
Security:	FreeBSD-EN-20:19.audit
Notes
Notes: svn path=/releng/12.1/; revision=368249
-rw-r--r--sys/amd64/linux/linux_machdep.c3
-rw-r--r--sys/amd64/linux32/linux32_machdep.c3
-rw-r--r--sys/arm64/linux/linux_machdep.c3
-rw-r--r--sys/compat/freebsd32/freebsd32_misc.c2
-rw-r--r--sys/i386/linux/linux_machdep.c3
-rw-r--r--sys/kern/kern_exec.c3
-rw-r--r--sys/kern/subr_syscall.c10
7 files changed, 27 insertions, 0 deletions
diff --git a/sys/amd64/linux/linux_machdep.c b/sys/amd64/linux/linux_machdep.c
index d52ad37a3469..bb7088f805f7 100644
--- a/sys/amd64/linux/linux_machdep.c
+++ b/sys/amd64/linux/linux_machdep.c
@@ -81,6 +81,8 @@ __FBSDID("$FreeBSD$");
#include <x86/ifunc.h>
#include <x86/sysarch.h>
+#include <security/audit/audit.h>
+
#include <amd64/linux/linux.h>
#include <amd64/linux/linux_proto.h>
#include <compat/linux/linux_emul.h>
@@ -107,6 +109,7 @@ linux_execve(struct thread *td, struct linux_execve_args *args)
free(path, M_TEMP);
if (error == 0)
error = linux_common_execve(td, &eargs);
+ AUDIT_SYSCALL_EXIT(error == EJUSTRETURN ? 0 : error, td);
return (error);
}
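Review bot: The `EJUSTRETURN` special case on the new line is undocumented; nothing in the function says why a successful exec has to be recorded as 0, and a reader could "simplify" it back to `AUDIT_SYSCALL_EXIT(error, td)`. A one-line comment above it would fix that: `/* A successful exec returns EJUSTRETURN; audit it as success (0). */`. The same expression is now copied into eight exec entry points, so a wrapper next to AUDIT_SYSCALL_EXIT in audit.h, e.g. `#define AUDIT_SYSCALL_EXIT_EXEC(e, td) AUDIT_SYSCALL_EXIT((e) == EJUSTRETURN ? 0 : (e), (td))`, would keep the mapping from drifting between them. linux_execve's body starts above the hunk, so any earlier error return there still relies on the generic commit in syscallenter(); that is presumably fine because td_ar is untouched on those paths, but it is worth a sentence in the comment.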
diff --git a/sys/amd64/linux32/linux32_machdep.c b/sys/amd64/linux32/linux32_machdep.c
index c498d548e2f5..d8fb0e1ba776 100644
--- a/sys/amd64/linux32/linux32_machdep.c
+++ b/sys/amd64/linux32/linux32_machdep.c
@@ -69,6 +69,8 @@ __FBSDID("$FreeBSD$");
#include <vm/vm.h>
#include <vm/vm_map.h>
+#include <security/audit/audit.h>
+
#include <compat/freebsd32/freebsd32_util.h>
#include <amd64/linux32/linux.h>
#include <amd64/linux32/linux32_proto.h>
@@ -143,6 +145,7 @@ linux_execve(struct thread *td, struct linux_execve_args *args)
free(path, M_TEMP);
if (error == 0)
error = linux_common_execve(td, &eargs);
+ AUDIT_SYSCALL_EXIT(error == EJUSTRETURN ? 0 : error, td);
return (error);
}
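Review bot: The value handed to AUDIT_SYSCALL_EXIT on the new line is whatever linux_common_execve() returned, and the hunk does not show whether that is a native errno or one already translated for the Linux ABI. If the translation happens later on the return path (which seems likely, since the native sys_execve records are compared against the same errno space), the record is consistent with the native ones; if it were already a Linux errno the record would carry a wrong error token. A short comment stating which it is would settle the question: `/* error is a native errno here; Linux translation happens on syscall return. */` (please confirm against linux_common_execve()). The function starts above the hunk.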
diff --git a/sys/arm64/linux/linux_machdep.c b/sys/arm64/linux/linux_machdep.c
index ef6faf275452..32518d7d90e3 100644
--- a/sys/arm64/linux/linux_machdep.c
+++ b/sys/arm64/linux/linux_machdep.c
@@ -38,6 +38,8 @@ __FBSDID("$FreeBSD$");
#include <sys/proc.h>
#include <sys/sdt.h>
+#include <security/audit/audit.h>
+
#include <arm64/linux/linux.h>
#include <arm64/linux/linux_proto.h>
#include <compat/linux/linux_dtrace.h>
@@ -74,6 +76,7 @@ linux_execve(struct thread *td, struct linux_execve_args *uap)
free(path, M_TEMP);
if (error == 0)
error = linux_common_execve(td, &eargs);
+ AUDIT_SYSCALL_EXIT(error == EJUSTRETURN ? 0 : error, td);
return (error);
}
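Review bot: The explicit commit on the new line turns the last statement before `return (error)` into a point that must not be passed by any further audit-relevant work, because the record is already closed by then; the comment added in the subr_syscall.c hunk records that assumption for the generic path, but nothing here does for the ARM64 Linux path. Suggest `/* Commit the record now; syscallenter()'s AUDIT_SYSCALL_EXIT() then finds td_ar == NULL. */` above the call, so a later addition between it and the return is not silently unaudited. linux_execve begins above the hunk, so the earlier error returns (if any) are not visible and are assumed to leave td_ar alone for the generic commit.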
diff --git a/sys/compat/freebsd32/freebsd32_misc.c b/sys/compat/freebsd32/freebsd32_misc.c
index 3585bc6191d2..dc96d8f32152 100644
--- a/sys/compat/freebsd32/freebsd32_misc.c
+++ b/sys/compat/freebsd32/freebsd32_misc.c
@@ -440,6 +440,7 @@ freebsd32_execve(struct thread *td, struct freebsd32_execve_args *uap)
if (error == 0)
error = kern_execve(td, &eargs, NULL);
post_execve(td, error, oldvmspace);
+ AUDIT_SYSCALL_EXIT(error == EJUSTRETURN ? 0 : error, td);
return (error);
}
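Review bot: Correctness of the new line depends on AUDIT_SYSCALL_EXIT() being a no-op once the record has been committed, because syscallenter() still calls it with the raw `error` after this function returns (visible in the subr_syscall.c hunk at the end of the page), and that invariant is not stated anywhere in this file. Suggest `/* Commit now; the generic AUDIT_SYSCALL_EXIT() in syscallenter() is a no-op afterwards. */`. The placement after post_execve() looks deliberate, presumably so the record reflects the process state after the image switch, and the comment should say so as well. freebsd32_execve starts above the hunk.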
@@ -460,6 +461,7 @@ freebsd32_fexecve(struct thread *td, struct freebsd32_fexecve_args *uap)
error = kern_execve(td, &eargs, NULL);
}
post_execve(td, error, oldvmspace);
+ AUDIT_SYSCALL_EXIT(error == EJUSTRETURN ? 0 : error, td);
return (error);
}
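Review bot: The commit on the new line is placed after post_execve() rather than directly after kern_execve(), which is the right order if post_execve() finalizes the state the record should describe, but the hunk gives no hint that the ordering is intentional and a future reshuffle could move it. A comment pinning it down would help: `/* Must follow post_execve(); success is reported as EJUSTRETURN. */`. The first statements of freebsd32_fexecve, including the error path that skips kern_execve(), are above the hunk; on that path `error` is a plain errno and the record becomes a failure record, which is presumably the intent.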
diff --git a/sys/i386/linux/linux_machdep.c b/sys/i386/linux/linux_machdep.c
index 0753986182b4..4ab10f2cf1d6 100644
--- a/sys/i386/linux/linux_machdep.c
+++ b/sys/i386/linux/linux_machdep.c
@@ -61,6 +61,8 @@ __FBSDID("$FreeBSD$");
#include <vm/vm.h>
#include <vm/vm_map.h>
+#include <security/audit/audit.h>
+
#include <i386/linux/linux.h>
#include <i386/linux/linux_proto.h>
#include <compat/linux/linux_emul.h>
@@ -116,6 +118,7 @@ linux_execve(struct thread *td, struct linux_execve_args *args)
free(newpath, M_TEMP);
if (error == 0)
error = linux_common_execve(td, &eargs);
+ AUDIT_SYSCALL_EXIT(error == EJUSTRETURN ? 0 : error, td);
return (error);
}
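Review bot: The i386 linux_execve now commits its record before returning on the paths that reach this hunk, while any early error return above the hunk (not visible here) still falls through to the generic commit in syscallenter(); that split is harmless only as long as the early paths do not touch td_ar, which nothing in the file states. A comment on the new line, `/* Explicit commit; earlier error returns are audited by syscallenter(). */`, makes the two-path structure visible to the next maintainer. As in the other copies, the `error == EJUSTRETURN ? 0 : error` mapping should be explained or hoisted into a shared helper so the four linux_execve implementations cannot diverge.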
diff --git a/sys/kern/kern_exec.c b/sys/kern/kern_exec.c
index 7a125fc98933..d06c0aef4d91 100644
--- a/sys/kern/kern_exec.c
+++ b/sys/kern/kern_exec.c
@@ -224,6 +224,7 @@ sys_execve(struct thread *td, struct execve_args *uap)
if (error == 0)
error = kern_execve(td, &args, NULL);
post_execve(td, error, oldvmspace);
+ AUDIT_SYSCALL_EXIT(error == EJUSTRETURN ? 0 : error, td);
return (error);
}
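Review bot: The new line in sys_execve carries the whole fix but explains neither half of it: why the commit is done here rather than in syscallenter(), and why `EJUSTRETURN` is rewritten to 0. Since the generic `AUDIT_SYSCALL_EXIT(error, td)` in the subr_syscall.c hunk still runs afterwards, the code also depends on that macro being a no-op once td_ar has been cleared, which a reader cannot see from this file. Suggest a three-line comment above the call: `/* Commit the audit record before returning; a successful exec returns EJUSTRETURN, which must be audited as success. The later AUDIT_SYSCALL_EXIT() in syscallenter() is then a no-op. */`. sys_execve begins above the hunk.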
@@ -251,6 +252,7 @@ sys_fexecve(struct thread *td, struct fexecve_args *uap)
error = kern_execve(td, &args, NULL);
}
post_execve(td, error, oldvmspace);
+ AUDIT_SYSCALL_EXIT(error == EJUSTRETURN ? 0 : error, td);
return (error);
}
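Review bot: The explicit commit on the new line is only reached when kern_execve() returns; if kern_execve() can terminate the process on a late failure (after the old address space is gone), which this hunk does not show, the record for such an exec is left to whatever the exit path does with td_ar. That is worth either a comment here or a check that the exit path still commits an open record, e.g. `/* Not reached if kern_execve() exits the process on a late failure. */`. The fd-lookup error path of sys_fexecve is above the hunk; on it `error` is an ordinary errno and the line produces a failure record, as intended.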
@@ -279,6 +281,7 @@ sys___mac_execve(struct thread *td, struct __mac_execve_args *uap)
if (error == 0)
error = kern_execve(td, &args, uap->mac_p);
post_execve(td, error, oldvmspace);
+ AUDIT_SYSCALL_EXIT(error == EJUSTRETURN ? 0 : error, td);
return (error);
#else
return (ENOSYS);
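Review bot: The `#else` branch of sys___mac_execve returns ENOSYS without an explicit AUDIT_SYSCALL_EXIT(), so the two branches of the function now audit differently: the MAC build commits here, the non-MAC build relies on the generic commit in syscallenter(). That asymmetry is correct as far as the page shows, but it reads like an omission; a comment on the `#else` side, `/* No explicit commit: syscallenter() audits the ENOSYS return. */`, would make it clearly deliberate. The function's opening, including the copyin of the MAC argument, is above the hunk.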
diff --git a/sys/kern/subr_syscall.c b/sys/kern/subr_syscall.c
index 6c70ddc9f789..877a8c968427 100644
--- a/sys/kern/subr_syscall.c
+++ b/sys/kern/subr_syscall.c
@@ -133,6 +133,16 @@ syscallenter(struct thread *td)
AUDIT_SYSCALL_ENTER(sa->code, td);
error = (sa->callp->sy_call)(td, sa->args);
+
+ /*
+ * Note that some syscall implementations (e.g., sys_execve)
+ * will commit the audit record just before their final return.
+ * These were done under the assumption that nothing of interest
+ * would happen between their return and here, where we would
+ * normally commit the audit record. These assumptions will
+ * need to be revisited should any substantial logic be added
+ * above.
+ */
AUDIT_SYSCALL_EXIT(error, td);
/* Save the latest error return value. */