textvp_fullpath
Uladzislau Rezki
v.rezkii at sam-solutions.net
Mon Aug 18 13:21:09 UTC 2008
On 16 August 2008 01:09:39 Robert Watson wrote:
> On Fri, 15 Aug 2008, Uladzislau Rezki wrote:
> > We have to do a few things:
> >
> > 1) do original "write" sys call;
> > 2) get full path (/etc/passwd);
> > 3) put all this information to user land through the character device.
> >
> > I get stuck in point 2. I need to get full path, but how ...
>
> In FreeBSD 6.2 and higher, the kernel event auditing facility provides
> exactly this service already. Take a look at the auditpipe(4) facility for
> details of the run-time monitoring aspect of that.
>
Thank you, I didn't know about it before.
I looked through the source code of the "auditpipe", and found a function
called "canon_path" that obtains a full path using "vn_fullpath". This function retrieves
the full filesystem path that corresponds to a "vnode" from the cache, BUT only in case it is
available within the "namecache".
"textvp_fullpath" and "vn_fullpath" are not reliable.
Maybe I've skipped something while investigating auditpipe, but I found only
one place where they get the full path (audit_bsm_klib.c +483), and they use "vn_fullpath".
Please correct me if I am not right.
Thank you in advance.
--
Uladzislau Rezki