audit2 for -current

Robert Watson rwatson at FreeBSD.org
Thu Mar 25 16:09:33 GMT 2004


On Thu, 25 Mar 2004, Ilmar S. Habibulin wrote:

> Well, I understood that my praudit post is useless. So I want to present
> an audit implementation, made from the -trustedbsd-audit2 branch and Darwin
> sources combined together with my hacks. Maybe someone will try it and
> find this bug in praudit, which I can't catch for about 3 or 4 days. 
> 
> PS. This is for i386 only for now. But it's simple to add other archs. 
> Some Apple headers and kernel sources were modified. 

I've merged the two memory allocation changes you made back into the
Perforce branch (pathp -> *pathp) -- that bug was introduced in the
conversion from Darwin Mach memory allocation to FreeBSD memory
allocation.

I noticed the following changes in the token routines, however:

diff -bru /home/robert/p4/projects/trustedbsd/audit2/sys/security/audit/bsm_token.c ./security/audit/bsm_token.c
--- /home/robert/p4/projects/trustedbsd/audit2/sys/security/audit/bsm_token.c	Wed Jan 14 20:38:43 2004
+++ ./security/audit/bsm_token.c	Thu Mar 25 09:58:14 2004
...
@@ -643,7 +644,7 @@
 	ADD_U_INT32(dptr, rgid);
 	ADD_U_INT32(dptr, pid);
 	ADD_U_INT32(dptr, sid);
-	ADD_U_INT32(dptr, tid->port);
+        ADD_U_INT32(dptr, (u_int32_t)(tid->port));
 	ADD_U_INT32(dptr, tid->machine);
 	 
 	return t;
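Review bot: the cast on the `+` line silences the type mismatch rather than fixing it. Since dev_t is a kernel pointer in the FreeBSD kernel, `ADD_U_INT32(dptr, (u_int32_t)(tid->port))` writes the low 32 bits of a kernel address into the token where the BSM format expects a device number; convert tid->port to its udev_t representation first (under #ifdef _KERNEL, as discussed below) and pass that value to ADD_U_INT32. Also, the replacement line is indented with spaces where the surrounding context lines use a tab.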

I think these changes are actually reflective of a bug in the merge from
Darwin -- in Darwin, dev_t is the same in userspace and kernel, but in
FreeBSD, dev_t is a kernel pointer in kernel, but the same as dev_t in
Darwin in userspace (and in kernel it's represented by udev_t).  I thought
I'd caught all the references, but apparently not.  For now, in FreeBSD,
kernel use of dev_t needs to be converted to udev_t, and probably #ifdef'd
based on _KERNEL.  I think the real fix is to convert dev_t in FreeBSD
back to the same as udev_t, and change the kernel code not to confuse
dev_t and cdev pointers; this wasn't such a big deal before audit, because
there was little passing of dev_t's into and out of the kernel, but Audit
support introduces a lot of use of dev_t shared between kernel and
userspace.  This is something we can't easily remove because dev_t is a
fundamental type exposed by the BSM audit format.  However, that won't be
instantaneous, so we have to work around it in the meantime.  I've CC'd
Poul-Henning since he has his hands in the dev_t support in FreeBSD.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert at fledge.watson.org      Senior Research Scientist, McAfee Research


