s3:modules:full_audit - avoid log spam

Due to continuing work on Samba's VFS, some operations have changed
name. For example unlink -> unlinkat, mkdir -> mkdirat. The original
design of vfs_full_audit was to log _all_ vfs operations if it
encountered one that was not in its lookup table for ops. This results in
a massive increase in the amount of logging being generated.

This commit expands the lookup table to include an `oldname` string that
the user's configuration can be checked against so that the old name,
e.g. `unlink`, will continue to log the appropriate VFS operation without
configuration change. In the case of totally unknown parameters, deny access
to the share with a log message that auditing is significantly misconfigured.
The reasoning for this is that auditing failure is a significant error and
users should not be granted access until it is resolved.

net/samba/Makefile

@@ -3,7 +3,7 @@
 
 PORTNAME=			${SAMBA4_BASENAME}
 PORTVERSION=			${SAMBA4_VERSION}
-PORTREVISION=			7
+PORTREVISION=			8
 CATEGORIES?=			net
 MASTER_SITES=			SAMBA/samba/stable SAMBA/samba/rc
 DISTNAME=			${SAMBA4_DISTNAME}

net/samba/files/patch-source3__modules__vfs_full_audit.c

@@ -0,0 +1,269 @@
+--- source3/modules/vfs_full_audit.c.orig	2021-01-20 10:52:20.290040000 -0500
++++ source3/modules/vfs_full_audit.c	2021-01-20 10:52:31.113055000 -0500
+@@ -240,124 +240,125 @@ typedef enum _vfs_op_type {
+
+ static struct {
+ 	vfs_op_type type;
++	const char *oldname;
+ 	const char *name;
+ } vfs_op_names[] = {
+-	{ SMB_VFS_OP_CONNECT,	"connect" },
+-	{ SMB_VFS_OP_DISCONNECT,	"disconnect" },
+-	{ SMB_VFS_OP_DISK_FREE,	"disk_free" },
+-	{ SMB_VFS_OP_GET_QUOTA,	"get_quota" },
+-	{ SMB_VFS_OP_SET_QUOTA,	"set_quota" },
+-	{ SMB_VFS_OP_GET_SHADOW_COPY_DATA,	"get_shadow_copy_data" },
+-	{ SMB_VFS_OP_STATVFS,	"statvfs" },
+-	{ SMB_VFS_OP_FS_CAPABILITIES,	"fs_capabilities" },
+-	{ SMB_VFS_OP_GET_DFS_REFERRALS,	"get_dfs_referrals" },
+-	{ SMB_VFS_OP_CREATE_DFS_PATHAT,	"create_dfs_pathat" },
+-	{ SMB_VFS_OP_READ_DFS_PATHAT,	"read_dfs_pathat" },
+-	{ SMB_VFS_OP_OPENDIR,	"opendir" },
+-	{ SMB_VFS_OP_FDOPENDIR,	"fdopendir" },
+-	{ SMB_VFS_OP_READDIR,	"readdir" },
+-	{ SMB_VFS_OP_SEEKDIR,   "seekdir" },
+-	{ SMB_VFS_OP_TELLDIR,   "telldir" },
+-	{ SMB_VFS_OP_REWINDDIR, "rewinddir" },
+-	{ SMB_VFS_OP_MKDIRAT,	"mkdirat" },
+-	{ SMB_VFS_OP_CLOSEDIR,	"closedir" },
+-	{ SMB_VFS_OP_OPEN,	"open" },
+-	{ SMB_VFS_OP_CREATE_FILE, "create_file" },
+-	{ SMB_VFS_OP_CLOSE,	"close" },
+-	{ SMB_VFS_OP_READ,	"read" },
+-	{ SMB_VFS_OP_PREAD,	"pread" },
+-	{ SMB_VFS_OP_PREAD_SEND,	"pread_send" },
+-	{ SMB_VFS_OP_PREAD_RECV,	"pread_recv" },
+-	{ SMB_VFS_OP_WRITE,	"write" },
+-	{ SMB_VFS_OP_PWRITE,	"pwrite" },
+-	{ SMB_VFS_OP_PWRITE_SEND,	"pwrite_send" },
+-	{ SMB_VFS_OP_PWRITE_RECV,	"pwrite_recv" },
+-	{ SMB_VFS_OP_LSEEK,	"lseek" },
+-	{ SMB_VFS_OP_SENDFILE,	"sendfile" },
+-	{ SMB_VFS_OP_RECVFILE,  "recvfile" },
+-	{ SMB_VFS_OP_RENAMEAT,	"renameat" },
+-	{ SMB_VFS_OP_FSYNC,	"fsync" },
+-	{ SMB_VFS_OP_FSYNC_SEND,	"fsync_send" },
+-	{ SMB_VFS_OP_FSYNC_RECV,	"fsync_recv" },
+-	{ SMB_VFS_OP_STAT,	"stat" },
+-	{ SMB_VFS_OP_FSTAT,	"fstat" },
+-	{ SMB_VFS_OP_LSTAT,	"lstat" },
+-	{ SMB_VFS_OP_GET_ALLOC_SIZE,	"get_alloc_size" },
+-	{ SMB_VFS_OP_UNLINKAT,	"unlinkat" },
+-	{ SMB_VFS_OP_CHMOD,	"chmod" },
+-	{ SMB_VFS_OP_FCHMOD,	"fchmod" },
+-	{ SMB_VFS_OP_FCHOWN,	"fchown" },
+-	{ SMB_VFS_OP_LCHOWN,	"lchown" },
+-	{ SMB_VFS_OP_CHDIR,	"chdir" },
+-	{ SMB_VFS_OP_GETWD,	"getwd" },
+-	{ SMB_VFS_OP_NTIMES,	"ntimes" },
+-	{ SMB_VFS_OP_FTRUNCATE,	"ftruncate" },
+-	{ SMB_VFS_OP_FALLOCATE,"fallocate" },
+-	{ SMB_VFS_OP_LOCK,	"lock" },
+-	{ SMB_VFS_OP_KERNEL_FLOCK,	"kernel_flock" },
+-	{ SMB_VFS_OP_FCNTL,	"fcntl" },
+-	{ SMB_VFS_OP_LINUX_SETLEASE, "linux_setlease" },
+-	{ SMB_VFS_OP_GETLOCK,	"getlock" },
+-	{ SMB_VFS_OP_SYMLINKAT,	"symlinkat" },
+-	{ SMB_VFS_OP_READLINKAT,"readlinkat" },
+-	{ SMB_VFS_OP_LINKAT,	"linkat" },
+-	{ SMB_VFS_OP_MKNODAT,	"mknodat" },
+-	{ SMB_VFS_OP_REALPATH,	"realpath" },
+-	{ SMB_VFS_OP_CHFLAGS,	"chflags" },
+-	{ SMB_VFS_OP_FILE_ID_CREATE,	"file_id_create" },
+-	{ SMB_VFS_OP_FS_FILE_ID,	"fs_file_id" },
+-	{ SMB_VFS_OP_STREAMINFO,	"streaminfo" },
+-	{ SMB_VFS_OP_GET_REAL_FILENAME, "get_real_filename" },
+-	{ SMB_VFS_OP_CONNECTPATH,	"connectpath" },
+-	{ SMB_VFS_OP_BRL_LOCK_WINDOWS,  "brl_lock_windows" },
+-	{ SMB_VFS_OP_BRL_UNLOCK_WINDOWS, "brl_unlock_windows" },
+-	{ SMB_VFS_OP_STRICT_LOCK_CHECK, "strict_lock_check" },
+-	{ SMB_VFS_OP_TRANSLATE_NAME,	"translate_name" },
+-	{ SMB_VFS_OP_FSCTL,		"fsctl" },
+-	{ SMB_VFS_OP_OFFLOAD_READ_SEND,	"offload_read_send" },
+-	{ SMB_VFS_OP_OFFLOAD_READ_RECV,	"offload_read_recv" },
+-	{ SMB_VFS_OP_OFFLOAD_WRITE_SEND,	"offload_write_send" },
+-	{ SMB_VFS_OP_OFFLOAD_WRITE_RECV,	"offload_write_recv" },
+-	{ SMB_VFS_OP_GET_COMPRESSION,	"get_compression" },
+-	{ SMB_VFS_OP_SET_COMPRESSION,	"set_compression" },
+-	{ SMB_VFS_OP_SNAP_CHECK_PATH, "snap_check_path" },
+-	{ SMB_VFS_OP_SNAP_CREATE, "snap_create" },
+-	{ SMB_VFS_OP_SNAP_DELETE, "snap_delete" },
+-	{ SMB_VFS_OP_GET_DOS_ATTRIBUTES, "get_dos_attributes" },
+-	{ SMB_VFS_OP_GET_DOS_ATTRIBUTES_SEND, "get_dos_attributes_send" },
+-	{ SMB_VFS_OP_GET_DOS_ATTRIBUTES_RECV, "get_dos_attributes_recv" },
+-	{ SMB_VFS_OP_FGET_DOS_ATTRIBUTES, "fget_dos_attributes" },
+-	{ SMB_VFS_OP_SET_DOS_ATTRIBUTES, "set_dos_attributes" },
+-	{ SMB_VFS_OP_FSET_DOS_ATTRIBUTES, "fset_dos_attributes" },
+-	{ SMB_VFS_OP_FGET_NT_ACL,	"fget_nt_acl" },
+-	{ SMB_VFS_OP_GET_NT_ACL,	"get_nt_acl" },
+-	{ SMB_VFS_OP_FSET_NT_ACL,	"fset_nt_acl" },
+-	{ SMB_VFS_OP_AUDIT_FILE,	"audit_file" },
+-	{ SMB_VFS_OP_SYS_ACL_GET_FILE,	"sys_acl_get_file" },
+-	{ SMB_VFS_OP_SYS_ACL_GET_FD,	"sys_acl_get_fd" },
+-	{ SMB_VFS_OP_SYS_ACL_BLOB_GET_FILE,	"sys_acl_blob_get_file" },
+-	{ SMB_VFS_OP_SYS_ACL_BLOB_GET_FD,	"sys_acl_blob_get_fd" },
+-	{ SMB_VFS_OP_SYS_ACL_SET_FILE,	"sys_acl_set_file" },
+-	{ SMB_VFS_OP_SYS_ACL_SET_FD,	"sys_acl_set_fd" },
+-	{ SMB_VFS_OP_SYS_ACL_DELETE_DEF_FILE,	"sys_acl_delete_def_file" },
+-	{ SMB_VFS_OP_GETXATTR,	"getxattr" },
+-	{ SMB_VFS_OP_GETXATTRAT_SEND, "getxattrat_send" },
+-	{ SMB_VFS_OP_GETXATTRAT_RECV, "getxattrat_recv" },
+-	{ SMB_VFS_OP_FGETXATTR,	"fgetxattr" },
+-	{ SMB_VFS_OP_LISTXATTR,	"listxattr" },
+-	{ SMB_VFS_OP_FLISTXATTR,	"flistxattr" },
+-	{ SMB_VFS_OP_REMOVEXATTR,	"removexattr" },
+-	{ SMB_VFS_OP_FREMOVEXATTR,	"fremovexattr" },
+-	{ SMB_VFS_OP_SETXATTR,	"setxattr" },
+-	{ SMB_VFS_OP_FSETXATTR,	"fsetxattr" },
+-	{ SMB_VFS_OP_AIO_FORCE, "aio_force" },
+-	{ SMB_VFS_OP_IS_OFFLINE, "is_offline" },
+-	{ SMB_VFS_OP_SET_OFFLINE, "set_offline" },
+-	{ SMB_VFS_OP_DURABLE_COOKIE, "durable_cookie" },
+-	{ SMB_VFS_OP_DURABLE_DISCONNECT, "durable_disconnect" },
+-	{ SMB_VFS_OP_DURABLE_RECONNECT, "durable_reconnect" },
+-	{ SMB_VFS_OP_READDIR_ATTR,      "readdir_attr" },
+-	{ SMB_VFS_OP_LAST, NULL }
++	{ SMB_VFS_OP_CONNECT, NULL,	"connect" },
++	{ SMB_VFS_OP_DISCONNECT, NULL,	"disconnect" },
++	{ SMB_VFS_OP_DISK_FREE, NULL,	"disk_free" },
++	{ SMB_VFS_OP_GET_QUOTA, NULL,	"get_quota" },
++	{ SMB_VFS_OP_SET_QUOTA, NULL,	"set_quota" },
++	{ SMB_VFS_OP_GET_SHADOW_COPY_DATA, NULL,	"get_shadow_copy_data" },
++	{ SMB_VFS_OP_STATVFS, NULL,	"statvfs" },
++	{ SMB_VFS_OP_FS_CAPABILITIES, NULL,	"fs_capabilities" },
++	{ SMB_VFS_OP_GET_DFS_REFERRALS, NULL,	"get_dfs_referrals" },
++	{ SMB_VFS_OP_CREATE_DFS_PATHAT, NULL,	"create_dfs_pathat" },
++	{ SMB_VFS_OP_READ_DFS_PATHAT, NULL,	"read_dfs_pathat" },
++	{ SMB_VFS_OP_OPENDIR, NULL,	"opendir" },
++	{ SMB_VFS_OP_FDOPENDIR, NULL,	"fdopendir" },
++	{ SMB_VFS_OP_READDIR, NULL,	"readdir" },
++	{ SMB_VFS_OP_SEEKDIR, NULL,   "seekdir" },
++	{ SMB_VFS_OP_TELLDIR, NULL,   "telldir" },
++	{ SMB_VFS_OP_REWINDDIR, NULL, "rewinddir" },
++	{ SMB_VFS_OP_MKDIRAT, "mkdir",	"mkdirat" },
++	{ SMB_VFS_OP_CLOSEDIR, NULL,	"closedir" },
++	{ SMB_VFS_OP_OPEN, NULL,	"open" },
++	{ SMB_VFS_OP_CREATE_FILE, NULL, "create_file" },
++	{ SMB_VFS_OP_CLOSE, NULL,	"close" },
++	{ SMB_VFS_OP_READ, NULL,	"read" },
++	{ SMB_VFS_OP_PREAD, NULL,	"pread" },
++	{ SMB_VFS_OP_PREAD_SEND, NULL,	"pread_send" },
++	{ SMB_VFS_OP_PREAD_RECV, NULL,	"pread_recv" },
++	{ SMB_VFS_OP_WRITE, NULL,	"write" },
++	{ SMB_VFS_OP_PWRITE, NULL,	"pwrite" },
++	{ SMB_VFS_OP_PWRITE_SEND, NULL,	"pwrite_send" },
++	{ SMB_VFS_OP_PWRITE_RECV, NULL,	"pwrite_recv" },
++	{ SMB_VFS_OP_LSEEK, NULL,	"lseek" },
++	{ SMB_VFS_OP_SENDFILE, NULL,	"sendfile" },
++	{ SMB_VFS_OP_RECVFILE, NULL,  "recvfile" },
++	{ SMB_VFS_OP_RENAMEAT, "rename",	"renameat" },
++	{ SMB_VFS_OP_FSYNC, NULL,	"fsync" },
++	{ SMB_VFS_OP_FSYNC_SEND, NULL,	"fsync_send" },
++	{ SMB_VFS_OP_FSYNC_RECV, NULL,	"fsync_recv" },
++	{ SMB_VFS_OP_STAT, NULL,	"stat" },
++	{ SMB_VFS_OP_FSTAT, NULL,	"fstat" },
++	{ SMB_VFS_OP_LSTAT, NULL,	"lstat" },
++	{ SMB_VFS_OP_GET_ALLOC_SIZE, NULL,	"get_alloc_size" },
++	{ SMB_VFS_OP_UNLINKAT, "unlink",	"unlinkat" },
++	{ SMB_VFS_OP_CHMOD, NULL,	"chmod" },
++	{ SMB_VFS_OP_FCHMOD, NULL,	"fchmod" },
++	{ SMB_VFS_OP_FCHOWN, NULL,	"fchown" },
++	{ SMB_VFS_OP_LCHOWN, NULL,	"lchown" },
++	{ SMB_VFS_OP_CHDIR, NULL,	"chdir" },
++	{ SMB_VFS_OP_GETWD, NULL,	"getwd" },
++	{ SMB_VFS_OP_NTIMES, NULL,	"ntimes" },
++	{ SMB_VFS_OP_FTRUNCATE, NULL,	"ftruncate" },
++	{ SMB_VFS_OP_FALLOCATE, NULL,"fallocate" },
++	{ SMB_VFS_OP_LOCK, NULL,	"lock" },
++	{ SMB_VFS_OP_KERNEL_FLOCK, NULL,	"kernel_flock" },
++	{ SMB_VFS_OP_FCNTL, NULL,	"fcntl" },
++	{ SMB_VFS_OP_LINUX_SETLEASE, NULL, "linux_setlease" },
++	{ SMB_VFS_OP_GETLOCK, NULL,	"getlock" },
++	{ SMB_VFS_OP_SYMLINKAT, "symlink",	"symlinkat" },
++	{ SMB_VFS_OP_READLINKAT, "readlink","readlinkat" },
++	{ SMB_VFS_OP_LINKAT, "link",	"linkat" },
++	{ SMB_VFS_OP_MKNODAT, "mknod",	"mknodat" },
++	{ SMB_VFS_OP_REALPATH, NULL,	"realpath" },
++	{ SMB_VFS_OP_CHFLAGS, NULL,	"chflags" },
++	{ SMB_VFS_OP_FILE_ID_CREATE, NULL,	"file_id_create" },
++	{ SMB_VFS_OP_FS_FILE_ID, NULL,	"fs_file_id" },
++	{ SMB_VFS_OP_STREAMINFO, NULL,	"streaminfo" },
++	{ SMB_VFS_OP_GET_REAL_FILENAME, NULL, "get_real_filename" },
++	{ SMB_VFS_OP_CONNECTPATH, NULL,	"connectpath" },
++	{ SMB_VFS_OP_BRL_LOCK_WINDOWS, NULL,  "brl_lock_windows" },
++	{ SMB_VFS_OP_BRL_UNLOCK_WINDOWS, NULL, "brl_unlock_windows" },
++	{ SMB_VFS_OP_STRICT_LOCK_CHECK, NULL, "strict_lock_check" },
++	{ SMB_VFS_OP_TRANSLATE_NAME, NULL,	"translate_name" },
++	{ SMB_VFS_OP_FSCTL, NULL,		"fsctl" },
++	{ SMB_VFS_OP_OFFLOAD_READ_SEND, NULL,	"offload_read_send" },
++	{ SMB_VFS_OP_OFFLOAD_READ_RECV, NULL,	"offload_read_recv" },
++	{ SMB_VFS_OP_OFFLOAD_WRITE_SEND, NULL,	"offload_write_send" },
++	{ SMB_VFS_OP_OFFLOAD_WRITE_RECV, NULL,	"offload_write_recv" },
++	{ SMB_VFS_OP_GET_COMPRESSION, NULL,	"get_compression" },
++	{ SMB_VFS_OP_SET_COMPRESSION, NULL,	"set_compression" },
++	{ SMB_VFS_OP_SNAP_CHECK_PATH, NULL, "snap_check_path" },
++	{ SMB_VFS_OP_SNAP_CREATE, NULL, "snap_create" },
++	{ SMB_VFS_OP_SNAP_DELETE, NULL, "snap_delete" },
++	{ SMB_VFS_OP_GET_DOS_ATTRIBUTES, NULL, "get_dos_attributes" },
++	{ SMB_VFS_OP_GET_DOS_ATTRIBUTES_SEND, NULL, "get_dos_attributes_send" },
++	{ SMB_VFS_OP_GET_DOS_ATTRIBUTES_RECV, NULL, "get_dos_attributes_recv" },
++	{ SMB_VFS_OP_FGET_DOS_ATTRIBUTES, NULL, "fget_dos_attributes" },
++	{ SMB_VFS_OP_SET_DOS_ATTRIBUTES, NULL, "set_dos_attributes" },
++	{ SMB_VFS_OP_FSET_DOS_ATTRIBUTES, NULL, "fset_dos_attributes" },
++	{ SMB_VFS_OP_FGET_NT_ACL, NULL,	"fget_nt_acl" },
++	{ SMB_VFS_OP_GET_NT_ACL, NULL,	"get_nt_acl" },
++	{ SMB_VFS_OP_FSET_NT_ACL, NULL,	"fset_nt_acl" },
++	{ SMB_VFS_OP_AUDIT_FILE, NULL,	"audit_file" },
++	{ SMB_VFS_OP_SYS_ACL_GET_FILE, NULL,	"sys_acl_get_file" },
++	{ SMB_VFS_OP_SYS_ACL_GET_FD, NULL,	"sys_acl_get_fd" },
++	{ SMB_VFS_OP_SYS_ACL_BLOB_GET_FILE, NULL,	"sys_acl_blob_get_file" },
++	{ SMB_VFS_OP_SYS_ACL_BLOB_GET_FD, NULL,	"sys_acl_blob_get_fd" },
++	{ SMB_VFS_OP_SYS_ACL_SET_FILE, NULL,	"sys_acl_set_file" },
++	{ SMB_VFS_OP_SYS_ACL_SET_FD, NULL,	"sys_acl_set_fd" },
++	{ SMB_VFS_OP_SYS_ACL_DELETE_DEF_FILE, NULL,	"sys_acl_delete_def_file" },
++	{ SMB_VFS_OP_GETXATTR, NULL,	"getxattr" },
++	{ SMB_VFS_OP_GETXATTRAT_SEND, NULL, "getxattrat_send" },
++	{ SMB_VFS_OP_GETXATTRAT_RECV, NULL, "getxattrat_recv" },
++	{ SMB_VFS_OP_FGETXATTR, NULL,	"fgetxattr" },
++	{ SMB_VFS_OP_LISTXATTR, NULL,	"listxattr" },
++	{ SMB_VFS_OP_FLISTXATTR, NULL,	"flistxattr" },
++	{ SMB_VFS_OP_REMOVEXATTR, NULL,	"removexattr" },
++	{ SMB_VFS_OP_FREMOVEXATTR, NULL,	"fremovexattr" },
++	{ SMB_VFS_OP_SETXATTR, NULL,	"setxattr" },
++	{ SMB_VFS_OP_FSETXATTR, NULL,	"fsetxattr" },
++	{ SMB_VFS_OP_AIO_FORCE, NULL, "aio_force" },
++	{ SMB_VFS_OP_IS_OFFLINE, NULL, "is_offline" },
++	{ SMB_VFS_OP_SET_OFFLINE, NULL, "set_offline" },
++	{ SMB_VFS_OP_DURABLE_COOKIE, NULL, "durable_cookie" },
++	{ SMB_VFS_OP_DURABLE_DISCONNECT, NULL, "durable_disconnect" },
++	{ SMB_VFS_OP_DURABLE_RECONNECT, NULL, "durable_reconnect" },
++	{ SMB_VFS_OP_READDIR_ATTR, NULL,      "readdir_attr" },
++	{ SMB_VFS_OP_LAST, NULL, NULL }
+ };
+
+ static int audit_syslog_facility(vfs_handle_struct *handle)
+@@ -563,7 +564,8 @@ static struct bitmap *init_bitmap(TALLOC_CTX *mem_ctx,
+ 				smb_panic("vfs_full_audit.c: name table not "
+ 					  "in sync with vfs_op_type enums\n");
+ 			}
+-			if (strequal(op, vfs_op_names[i].name)) {
++			if (strequal(op, vfs_op_names[i].name) ||
++			    (vfs_op_names[i].oldname && strequal(op, vfs_op_names[i].oldname))) {
+ 				if (neg) {
+ 					bitmap_clear(bm, i);
+ 				} else {
+@@ -765,6 +767,14 @@ static int smb_full_audit_connect(vfs_handle_struct *h
+ 	pd->failure_ops = init_bitmap(
+ 		pd, lp_parm_string_list(SNUM(handle->conn), "full_audit",
+ 					"failure", none));
++
++	if (pd->success_ops == NULL || pd->failure_ops == NULL) {
++		DBG_ERR("Invalid auditing configuration. "
++			"Denying access to service [%s] at path [%s]\n",
++			svc, handle->conn->connectpath);
++		errno = EACCES;
++		return -1;
++	}
+
+ 	/* Store the private data. */
+ 	SMB_VFS_HANDLE_SET_DATA(handle, pd, NULL,