From 25e307541069c3a42ce1f95e9b9ef5cd25f9a2f5 Mon Sep 17 00:00:00 2001 From: tappro Date: Wed, 31 Aug 2005 02:11:23 +0000 Subject: [PATCH] b=7390, 7409 changes in auditing of failed operations when audit is set on directory --- lustre/include/linux/lustre_audit.h | 1 + lustre/mds/handler.c | 16 +------ lustre/mds/mds_audit.c | 85 ++++++------------------------------- lustre/mds/mds_internal.h | 3 +- lustre/mds/mds_open.c | 21 ++------- lustre/mds/mds_reint.c | 5 ++- lustre/smfs/audit.c | 62 +++++++++++++++------------ lustre/utils/lctl.c | 2 +- 8 files changed, 60 insertions(+), 135 deletions(-) diff --git a/lustre/include/linux/lustre_audit.h b/lustre/include/linux/lustre_audit.h index fe96a56..c605e3f 100644 --- a/lustre/include/linux/lustre_audit.h +++ b/lustre/include/linux/lustre_audit.h @@ -91,6 +91,7 @@ struct audit_name_record { struct audit_info { struct audit_msg m; + struct inode * child; char * name; __u32 namelen; }; diff --git a/lustre/mds/handler.c b/lustre/mds/handler.c index 04c6f4f..026ce22 100644 --- a/lustre/mds/handler.c +++ b/lustre/mds/handler.c @@ -1695,23 +1695,11 @@ static int mds_getattr_lock(struct ptlrpc_request *req, int offset, GOTO(cleanup, rc); cleanup: - /* audit stuff for getattr */ - if (resent_req == 0 && (dparent || dchild)) { - struct inode * au_inode = NULL; - - if (dchild && dchild->d_inode) { - au_inode = dchild->d_inode; - mds_audit_stat(req, &body->id1, au_inode, - NULL, 0, rc); - } else { - au_inode = dparent->d_inode; - mds_audit_stat(req, &body->id1, au_inode, - name, namesize - 1, rc); - } - } switch (cleanup_phase) { case 2: if (resent_req == 0) { + mds_audit(req, dchild, name, namesize - 1, + AUDIT_STAT, rc); if (rc && DENTRY_VALID(dchild)) ldlm_lock_decref(child_lockh, LCK_PR); if (name) diff --git a/lustre/mds/mds_audit.c b/lustre/mds/mds_audit.c index e03e5f0..3c6c0f3 100644 --- a/lustre/mds/mds_audit.c +++ b/lustre/mds/mds_audit.c 
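Review bot: The new `child` member of `struct audit_info` is undocumented, and since the struct travels through `fsfilt_set_info` as an opaque message a reader of the header cannot tell who fills it or whether it may be NULL. Within this patch, `mds_audit()` stores `dentry->d_inode` there (NULL for a negative dentry) and `smfs_audit_check()` reads it under `HOOK_SPECIAL`, so I would annotate the field: `struct inode * child; /* child inode, NULL when the audited dentry is negative */`. If an audit record is ever retained beyond the synchronous set_info call, the raw pointer would dangle; if that is a constraint, the comment is the place to state it.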
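Review bot: Moving the AUDIT_STAT call under `case 2` means a getattr that fails before the child lookup (cleanup_phase below 2, e.g. a parent lookup or lock failure) is no longer audited, whereas the removed block logged whenever `dparent` was set. If that narrowing is intended, say so next to the call, e.g. `/* audited only once the child dentry exists; earlier failures are not recorded */`; otherwise a phase-1 fallback auditing against `dparent` is needed. `mds_audit()` also dereferences `dchild->d_parent->d_inode` without a check, so this relies on `dchild` being a valid (possibly negative) dentry whenever phase 2 is reached — confirm that the lookup which sets phase 2 guarantees that. `mds_getattr_lock` begins and ends outside the hunk.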
@@ -54,43 +54,15 @@ #include #include "mds_internal.h" -int mds_audit_stat(struct ptlrpc_request *req, struct lustre_id * id, - struct inode *inode, char *name, int namelen, int ret) -{ - struct obd_device *obd = req->rq_export->exp_obd; - ptl_nid_t nid = req->rq_peer.peer_id.nid; - struct audit_info info = { - .name = NULL, - .namelen = 0, - }; - int rc = 0, len = sizeof(info); - - ENTRY; - - LASSERT(inode); - LASSERT(id); - info.m.id = *id; - info.m.nid = nid; - info.m.uid = current->uid; - info.m.gid = current->gid; - info.m.result = ret; - info.m.code = AUDIT_STAT; - if (ret) { - info.name = name; - info.namelen = namelen; - } - // send info to local fs - fsfilt_set_info(obd, inode->i_sb, inode, - 10, "audit_info", len, (void*)&info); - - RETURN(rc); -} - -int mds_audit_perm(struct ptlrpc_request *req, struct inode *inode, audit_op op) +int mds_audit(struct ptlrpc_request *req, struct dentry *dentry, + char *name, int namelen, audit_op op, int ret) { struct obd_device *obd = req->rq_export->exp_obd; ptl_nid_t nid = req->rq_peer.peer_id.nid; + struct inode *inode = dentry->d_inode; + struct inode *parent = dentry->d_parent->d_inode; struct audit_info info = { + .child = inode, .name = NULL, .namelen = 0, }; 
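Review bot: `struct inode *parent = dentry->d_parent->d_inode;` is evaluated in the declarations with no guard on `dentry` or `d_parent`, and `parent` is later used both as `parent->i_sb` and as the target inode of `fsfilt_set_info`, so a NULL or negative parent dentry is a NULL dereference. The `LASSERT(inode)` that the next hunk removes should be replaced rather than dropped: `LASSERT(dentry && dentry->d_parent && dentry->d_parent->d_inode);`. All three callers in this patch (handler.c, mds_open.c, mds_reint.c) pass a `dchild` from cleanup paths, which is why the assertion belongs here rather than at each call site. `mds_audit` continues into the next hunk.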
@@ -98,49 +70,21 @@ int mds_audit_perm(struct ptlrpc_request *req, struct inode *inode, audit_op op) ENTRY; - LASSERT(inode); info.m.nid = nid; info.m.uid = current->uid; info.m.gid = current->gid; - info.m.result = -EACCES; + info.m.result = ret; info.m.code = op; - /* failed access, log child id only */ - mds_pack_inode2id(obd, &info.m.id, inode, 1); - - fsfilt_set_info(obd, inode->i_sb, inode, - 10, "audit_info", sizeof(info), (void*)&info); - - RETURN(rc); -} - -int mds_audit_open(struct ptlrpc_request *req, struct lustre_id * id, - struct inode *inode, char *name, int namelen, int ret) -{ - struct obd_device *obd = req->rq_export->exp_obd; - ptl_nid_t nid = req->rq_peer.peer_id.nid; - struct audit_info info = { - .name = NULL, - .namelen = 0, - }; - int rc = 0, len = sizeof(info); - - ENTRY; - - LASSERT(inode); - info.m.id = (*id); - info.m.nid = nid; - info.m.uid = current->uid; - info.m.gid = current->gid; - info.m.result = ret; - info.m.code = AUDIT_OPEN; - if (ret) { + if (!inode) { + inode = parent; info.name = name; info.namelen = namelen; } - - fsfilt_set_info(obd, inode->i_sb, inode, - 10, "audit_info", len, (void*)&info); + mds_pack_inode2id(obd, &info.m.id, inode, 1); + + fsfilt_set_info(obd, parent->i_sb, parent, + 10, "audit_info", sizeof(info), (void*)&info); RETURN(rc); } @@ -178,10 +122,7 @@ int mds_audit_auth(struct ptlrpc_request *req, struct lvfs_ucred * uc, if (name && namelen > 0) { dchild = ll_lookup_one_len(name, dparent, namelen); if (!IS_ERR(dchild)) { - if (dchild->d_flags & DCACHE_CROSS_REF) { - //TODO: we should know audit setting for this - //so remote call is needed - } else { + if (!dchild->d_flags & DCACHE_CROSS_REF) { inode = dchild->d_inode; info.name = NULL; info.namelen = 0; diff --git a/lustre/mds/mds_internal.h b/lustre/mds/mds_internal.h index 2e1e7b1..d730ded 100644 --- a/lustre/mds/mds_internal.h +++ b/lustre/mds/mds_internal.h 
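Review bot: The return value of `fsfilt_set_info()` is discarded and `rc` is never assigned, so `mds_audit` always returns 0 and a failed write of the audit record is invisible to callers; capturing it, `rc = fsfilt_set_info(obd, parent->i_sb, parent, 10, "audit_info", sizeof(info), (void*)&info);`, lets a call site at least log a dropped record. Separately, the name is now attached only when the child dentry is negative, whereas the removed `mds_audit_stat`/`mds_audit_open` attached it to every failure (`if (ret)`); if a failed operation on an existing child is meant to carry only the child id, a comment on the `if (!inode)` branch would make that deliberate.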
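Review bot: `if (!dchild->d_flags & DCACHE_CROSS_REF)` has a precedence bug: `!` binds to `dchild->d_flags` first, so the condition is `(!d_flags) & DCACHE_CROSS_REF`, which can only be true when `d_flags` is zero and only if `DCACHE_CROSS_REF` has bit 0 set; depending on that constant's value the local-inode branch rarely or never runs. It should read `if (!(dchild->d_flags & DCACHE_CROSS_REF)) {`. The deleted TODO was the only record that cross-referenced dentries are knowingly not audited here because a remote lookup would be needed; keep a one-line comment to that effect on the cross-ref path. `mds_audit_auth` begins and ends outside the hunk.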
@@ -348,7 +348,8 @@ int mds_audit_stat(struct ptlrpc_request *, struct lustre_id *, int mds_audit_open(struct ptlrpc_request *, struct lustre_id *, struct inode *, char*, int, int); int mds_audit_reint(struct ptlrpc_request *, struct mds_update_record *); -int mds_audit_perm(struct ptlrpc_request *, struct inode *, audit_op); +int mds_audit(struct ptlrpc_request *, struct dentry *, char *, + int, audit_op, int); /* mds_acl.c */ struct upcall_cache *__mds_get_global_rmtacl_upcall_cache(void); int mds_init_rmtacl_upcall_cache(void); diff --git a/lustre/mds/mds_open.c b/lustre/mds/mds_open.c index f96835e..8b7a9f5 100644 --- a/lustre/mds/mds_open.c +++ b/lustre/mds/mds_open.c @@ -1459,24 +1459,9 @@ cleanup_no_trans: mds_lock_new_child(obd, dchild->d_inode, NULL); } /* audit stuff for OPEN */ - if (offset == 3 && (dchild->d_inode || dparent)) { - struct lustre_id au_id; - struct inode * au_inode = dchild->d_inode; - - if (au_inode == NULL) { - au_inode = dparent->d_inode; - au_id = *(rec->ur_id1); - mds_audit_open(req, &au_id, au_inode, - rec->ur_name, rec->ur_namelen - 1, - rc); - } else { - if (fid == 0) - mds_read_inode_sid(obd, au_inode, &au_id); - else - mds_inode2id(obd, &au_id, au_inode, fid); - mds_audit_open(req, &au_id, au_inode, - NULL, 0, rc); - } + if (offset == 3) { + mds_audit(req, dchild, rec->ur_name, + rec->ur_namelen - 1, AUDIT_OPEN, rc); } l_dput(dchild); diff --git a/lustre/mds/mds_reint.c b/lustre/mds/mds_reint.c index b5a3dc3..4377f09 100644 --- a/lustre/mds/mds_reint.c +++ b/lustre/mds/mds_reint.c @@ -1315,7 +1315,8 @@ cleanup: switch (cleanup_phase) { case 2: /* child dentry */ if (rc == -EACCES) - mds_audit_perm(req, dchild->d_inode, AUDIT_CREATE); + mds_audit(req, dchild, rec->ur_name, + rec->ur_namelen - 1, AUDIT_CREATE, rc); l_dput(dchild); case 1: /* locked parent dentry */ #ifdef S_PDIROPS 
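Review bot: The prototypes for `mds_audit_stat` (the hunk's context function line) and `mds_audit_open` (the context line kept here) remain in mds_internal.h although this patch deletes both definitions from mds_audit.c, so the header now declares two functions that no longer exist and a stale caller would only fail at link time. Remove both declarations alongside the `mds_audit_perm` one.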
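Review bot: The removed code derived the audited id for an existing child from `fid` (`mds_inode2id(obd, &au_id, au_inode, fid)` when `fid != 0`, `mds_read_inode_sid` otherwise), while `mds_audit()` now always uses `mds_pack_inode2id(obd, &info.m.id, inode, 1)`; if those yield different ids for a by-fid open, the AUDIT_OPEN record changes meaning, which the commit message does not mention — confirm, and if they are equivalent say so in a comment at the call. The `dchild->d_inode || dparent` guard is also gone, so the call now relies on `dchild` and `dchild->d_parent` being valid whenever `offset == 3`. The enclosing function begins and ends outside the hunk.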
@@ -2469,7 +2470,7 @@ cleanup: /* catching failed permissions check for audit */ if (rc == -EACCES) - mds_audit_perm(req, dchild->d_inode, AUDIT_UNLINK); + mds_audit(req, dchild, NULL, 0, AUDIT_UNLINK, rc); l_dput(dchild); l_dput(dchild); diff --git a/lustre/smfs/audit.c b/lustre/smfs/audit.c index 593d88a..bd6e2c2 100644 --- a/lustre/smfs/audit.c +++ b/lustre/smfs/audit.c @@ -132,16 +132,22 @@ static inline int smfs_get_inode_audit(struct inode *inode, __u64 *mask) struct smfs_inode_info * smi = I2SMI(inode); int rc = 0; + /* omit __iopen__ dir */ + if (inode->i_ino == SMFS_IOPEN_INO) { + *mask = AUDIT_OFF; + RETURN(-ENOENT); + } if (smi->au_info.au_valid) *mask = smi->au_info.au_mask; else { - rc = fsfilt->fs_get_xattr(I2CI(inode), AUDIT_ATTR_EA, mask, sizeof(*mask)); + rc = fsfilt->fs_get_xattr(I2CI(inode), AUDIT_ATTR_EA, + mask, sizeof(*mask)); if (rc <= 0) *mask = AUDIT_OFF; smi->au_info.au_valid = 1; smi->au_info.au_mask = *mask; } - return 0; + RETURN(0); } /* is called also from fsfilt_smfs_get_info */ @@ -159,10 +165,6 @@ int smfs_get_audit(struct super_block * sb, struct inode * parent, priv = smfs_get_plg_priv(S2SMI(sb), SMFS_PLG_AUDIT); - /* omit __iopen__ dir */ - if (parent->i_ino == SMFS_IOPEN_INO) - RETURN(-ENOENT); - if (!priv) RETURN(-ENOENT); @@ -174,18 +176,20 @@ int smfs_get_audit(struct super_block * sb, struct inode * parent, (*mask) = priv->a_mask; RETURN(0); } - /* get inode audit EA */ - smfs_get_inode_audit(parent, mask); - /* check if parent has audit */ - if (IS_AUDIT(*mask)) - RETURN(0); - if (!inode) - RETURN(-ENOENT); + /* get inode audit EA */ + if (parent) { + smfs_get_inode_audit(parent, mask); + /* check if parent has audit */ + if (IS_AUDIT(*mask)) + RETURN(0); + } - smfs_get_inode_audit(inode, mask); - if (IS_AUDIT(*mask)) - RETURN(0); + if (inode) { + smfs_get_inode_audit(inode, mask); + if (IS_AUDIT(*mask)) + RETURN(0); + } RETURN(-ENODATA); } 
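Review bot: The AUDIT_UNLINK call passes `NULL, 0` for the name, so if `dchild` is negative when `rc == -EACCES`, `mds_audit()` records the parent's id with no name and the event cannot be attributed to a file. The create site in this same patch passes `rec->ur_name, rec->ur_namelen - 1`; the unlink site should match: `mds_audit(req, dchild, rec->ur_name, rec->ur_namelen - 1, AUDIT_UNLINK, rc);` (assuming `rec` is in scope here as in the create path). The enclosing function begins and ends outside the hunk.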
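Review bot: In `smfs_get_inode_audit`, an error from `fs_get_xattr` (any `rc < 0`, not only an absent EA) is cached as `AUDIT_OFF` with `au_valid = 1`, so a transient failure disables auditing for that inode for as long as the inode_info lives, and the function still returns 0. Cache only on a definitive answer: keep `if (rc <= 0) *mask = AUDIT_OFF;` but set `au_valid`/`au_mask` only when `rc >= 0` or when the error is the one fs_get_xattr uses for a missing attribute (check which code that is). Note also that `smfs_get_audit` ignores this function's return, so the new `-ENOENT` for the `__iopen__` inode only takes effect through `*mask = AUDIT_OFF`.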
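Review bot: With the `__iopen__` check moved into `smfs_get_inode_audit`, a parent equal to the `__iopen__` inode no longer makes `smfs_get_audit` return `-ENOENT` as the removed check did; it now gets `*mask = AUDIT_OFF` and falls through to the `inode` check, so an operation reached through `__iopen__` is audited whenever the child inode itself has audit set. If that is the intent, a comment in the `if (parent)` branch should say so; otherwise propagate the helper's result, `if (smfs_get_inode_audit(parent, mask) == -ENOENT) RETURN(-ENOENT);`. The same applies to the preceding hunk of `smfs_get_audit` that removes the original check.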
@@ -194,6 +198,7 @@ int smfs_audit_check(struct inode * parent, hook_op hook, int ret, struct audit_priv * priv, void * msg) { audit_op code; + struct inode * inode = NULL; __u64 mask = 0; int rc = 0; @@ -202,15 +207,18 @@ int smfs_audit_check(struct inode * parent, hook_op hook, int ret, if (hook == HOOK_SPECIAL) { struct audit_info * info = msg; code = info->m.code; + inode = info->child; } - else + else { + inode = get_inode_from_hook(hook, msg); code = hook2audit(hook); - - rc = smfs_get_audit(parent->i_sb, parent, - get_inode_from_hook(hook, msg), - &mask); + } + + rc = smfs_get_audit(parent->i_sb, parent, inode, &mask); + if (rc < 0) RETURN(0); + //should only failures be audited? if (ret >= 0 && IS_AUDIT_OP(mask, AUDIT_FAIL)) RETURN(0); @@ -280,6 +288,12 @@ int smfs_set_audit(struct super_block * sb, struct inode * inode, LASSERT(inode); smi = I2SMI(inode); + /* save audit EA in inode_info */ + if (rc >= 0) { + smi->au_info.au_mask = *mask; + smi->au_info.au_valid = 1; + } + handle = fsfilt->fs_start(inode, FSFILT_OP_SETATTR, NULL, 0); if (IS_ERR(handle)) RETURN(PTR_ERR(handle)); @@ -287,12 +301,6 @@ int smfs_set_audit(struct super_block * sb, struct inode * inode, if (fsfilt->fs_set_xattr) rc = fsfilt->fs_set_xattr(inode, handle, AUDIT_ATTR_EA, mask, sizeof(*mask)); - /* save audit EA in inode_info */ - if (rc >= 0) { - smi->au_info.au_mask = *mask; - smi->au_info.au_valid = 1; - } - fsfilt->fs_commit(inode->i_sb, inode, handle, 1); RETURN(rc); diff --git a/lustre/utils/lctl.c b/lustre/utils/lctl.c index d6b1f24..8a3cfcf 100644 --- a/lustre/utils/lctl.c +++ b/lustre/utils/lctl.c @@ -182,7 +182,7 @@ static int set_audit(int argc, char **argv, int fs) else { //if dir then set audit for childs also if (S_ISDIR(st.st_mode)) { - rc = set_dir_audit(argv[3], mask); + //rc = set_dir_audit(argv[3], mask | AUD_BIT(AUDIT_DIR)); } } //set audit for file/dir itself -- 1.8.3.1
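Review bot: The new comment `//should only failures be audited?` leaves an open question in the code and uses `//` where the rest of this file uses `/* */`; the test it precedes is the AUDIT_FAIL filter (a successful operation is skipped when the mask asks for failures only), so state that instead: `/* AUDIT_FAIL: only failed operations are recorded, skip successes */`. The added `if (rc < 0) RETURN(0);` also skips auditing silently when `smfs_get_audit` fails for reasons other than "no audit set", such as the missing plugin priv `-ENOENT`; probably intended, but worth a word in the same comment. `smfs_audit_check` ends outside the hunk.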
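Review bot: The in-memory cache update in `smfs_set_audit` now runs before `fs_start`/`fs_set_xattr`, so its `if (rc >= 0)` guard tests whatever `rc` held on entry rather than the result of the EA write, and `au_info` is marked valid with the new mask even when the xattr write fails; `smfs_get_inode_audit` will then report a mask that differs from the on-disk EA until the inode_info is dropped. If the cache must be primed before the write (the hunk gives no reason), invalidate it on failure after the `fs_set_xattr` call in the next hunk, `if (rc < 0) smi->au_info.au_valid = 0;`, or restore the update to after the write as it was. A comment explaining why the order changed would help either way. `smfs_set_audit` begins outside the hunk.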
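Review bot: The directory case now holds only a commented-out `set_dir_audit` call, leaving an empty `if (S_ISDIR(st.st_mode)) { }` block plus a hint (`mask | AUD_BIT(AUDIT_DIR)`) at a different call that was never made; dead code kept in comments tends to be resurrected without its context. Either drop the block, or replace the comment with the reason, e.g. `/* children are covered by the parent's mask via smfs_get_audit; no per-child EA is written */` — which is what the smfs changes in this patch appear to implement, though confirm before stating it. `set_audit` begins and ends outside the hunk.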