Porting Darwin audit

Robert Watson rwatson at FreeBSD.org
Tue Jan 13 04:41:22 GMT 2004


Just a heads up for those interested: 

Those following the trustedbsd-cvs list may already have noticed I'm
taking a quick pass at porting the kernel audit code in Apple's Darwin 7
(Mac OS X 10.3.2) to FreeBSD.  Not all of the necessary pieces are in open
source yet, such as the userspace BSM library, but the kernel pieces all
appear to be present.  Right now I'm still in the throes of getting the
kernel code compiling, having adapted it to use the FreeBSD
synchronization and memory allocation primitives, include file pieces, and
done some cleanup.  Once I have the framework itself running, I'll start
doing a sweep of system calls. 

The only real problem I've run into so far is that Darwin has a
vn_getpath() call, which reliably determines the full path to a vnode on
the HFS+ file system.  FreeBSD has a vn_fullpath() call that behaves in
similar ways, but because it relies on the namecache, is unreliable.  Of
course, part of the lack of reliability is that UFS doesn't reliably name
objects.  I'll give it a spin with vn_fullpath() and then revisit the
issue once things are more up and running.  Another interesting
observation is that the kernel synchronization primitives, especially
condition variables, in FreeBSD appear to be a lot easier to use. :-)  For
our port of the MAC Framework to Darwin, we actually provided a subset
port of FreeBSD condition variables on Darwin, as they're a lot easier to
use than the Mach wait_queue_t primitive.  One of the more interesting
things ahead will be to investigate how to integrate audit support into
the MAC Framework and our MAC policy modules so that they can tag MAC
label information into records, especially when the MAC policy is
responsible for denying access.

Currently, the perforce branch where the work is being done is trustedbsd_audit2
-- I left Andrew's existing trustedbsd_audit branch in place for
reference.  trustedbsd_audit2 is not yet exported from the cvsup server,
but I'll investigate getting that set up shortly. 

Just FYI.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert at fledge.watson.org      Senior Research Scientist, McAfee Research


