audit2 for -current
Robert Watson
rwatson at FreeBSD.org
Thu Mar 25 16:09:33 GMT 2004
On Thu, 25 Mar 2004, Ilmar S. Habibulin wrote:
> Well, I understood that my praudit post is useless. So I want to present
> an audit implementation, made from the -trustedbsd-audit2 branch and Darwin
> sources combined together with my hacks. Maybe someone will try it and
> find this bug in praudit, which I can't catch for about 3 or 4 days.
>
> PS. This is for i386 only for now. But it's simple to add other archs.
> Some Apple headers and kernel sources were modified.
I've merged the two memory allocation changes you made back into the
Perforce branch (pathp -> *pathp) -- that bug was introduced in the
conversion from Darwin Mach memory allocation to FreeBSD memory
allocation.
I noticed the following changes in the token routines, however:
diff -bru /home/robert/p4/projects/trustedbsd/audit2/sys/security/audit/bsm_token.c ./security/audit/bsm_token.c
--- /home/robert/p4/projects/trustedbsd/audit2/sys/security/audit/bsm_token.c Wed Jan 14 20:38:43 2004
+++ ./security/audit/bsm_token.c Thu Mar 25 09:58:14 2004
...
@@ -643,7 +644,7 @@
ADD_U_INT32(dptr, rgid);
ADD_U_INT32(dptr, pid);
ADD_U_INT32(dptr, sid);
- ADD_U_INT32(dptr, tid->port);
+ ADD_U_INT32(dptr, (u_int32_t)(tid->port));
ADD_U_INT32(dptr, tid->machine);
return t;
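Review bot: the `(u_int32_t)` cast on the `tid->port` line papers over the type mismatch rather than fixing it. On FreeBSD the kernel-side dev_t is a pointer, so casting it stuffs the low 32 bits of a kernel address into the port field of the emitted token instead of the device number that BSM consumers (praudit included) expect, and it does so silently. Convert to udev_t first, guarded by `#ifdef _KERNEL` as discussed below, or better, keep the terminal id struct's `port` as udev_t so the original `ADD_U_INT32(dptr, tid->port);` stays correct without any cast.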
I think these changes are actually reflective of a bug in the merge from
Darwin -- in Darwin, dev_t is the same in userspace and kernel, but in
FreeBSD, dev_t is a kernel pointer in kernel, but the same as dev_t in
Darwin in userspace (and in kernel it's represented by udev_t). I thought
I'd caught all the references, but apparently not. For now, in FreeBSD,
kernel use of dev_t needs to be converted to udev_t, and probably #ifdef'd
based on _KERNEL. I think the real fix is to convert dev_t in FreeBSD
back to the same as udev_t, and change the kernel code not to confuse
dev_t and cdev pointers; this wasn't such a big deal before audit, because
there was little passing of dev_t's into and out of the kernel, but Audit
support introduces a lot of use of dev_t shared between kernel and
userspace. This is something we can't easily remove because dev_t is a
fundamental type exposed by the BSM audit format. However, that won't be
instantaneous, so we have to work around it in the meantime. I've CC'd
Poul-Henning since he has his hands in the dev_t support in FreeBSD.
Robert N M Watson FreeBSD Core Team, TrustedBSD Projects
robert at fledge.watson.org Senior Research Scientist, McAfee Research
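The discussion above turns on two things a BSM token writer has to get right: every field in the record is a fixed-width, big-endian quantity, and the terminal id's port field must hold the 32-bit userspace device number (udev_t), never a kernel dev_t pointer squeezed through a cast. The following is an added example, not the TrustedBSD, Darwin or OpenBSM code: it serializes the tail of the subject token shown in the hunk (rgid, pid, sid, tid.port, tid.machine) with an ADD_U_INT32 whose body is my assumption about the macro (4 bytes, network byte order, cursor advanced), and pairs it with a length-checked decoder of the kind praudit needs so a short or misaligned record is rejected instead of misread. The struct and field names are taken from the hunk; the sample values are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not the project's code. Assumed ADD_U_INT32 semantics:
 * store exactly four bytes in big-endian order, then advance the cursor. */
typedef uint32_t udev_t;   /* userspace device id: always 32 bits wide */

#define ADD_U_INT32(loc, val)                       \
    do {                                            \
        uint32_t v_ = (uint32_t)(val);              \
        (loc)[0] = (uint8_t)(v_ >> 24);             \
        (loc)[1] = (uint8_t)(v_ >> 16);             \
        (loc)[2] = (uint8_t)(v_ >> 8);              \
        (loc)[3] = (uint8_t)(v_);                   \
        (loc) += 4;                                 \
    } while (0)

/* Terminal id as it appears on the wire. Holding port as udev_t (not a
 * kernel dev_t) is what makes the plain ADD_U_INT32 call correct. */
struct au_tid32 {
    udev_t   port;
    uint32_t machine;
};

struct subject_tail {
    uint32_t rgid, pid, sid;
    struct au_tid32 tid;
};

#define SUBJECT_TAIL_LEN 20   /* five fixed-width 32-bit fields */

/* Serialize the tail; returns bytes written, or 0 if buf is too small. */
size_t encode_subject_tail(uint8_t *buf, size_t buflen,
                           const struct subject_tail *s)
{
    uint8_t *dptr = buf;
    if (buflen < SUBJECT_TAIL_LEN)
        return 0;
    ADD_U_INT32(dptr, s->rgid);
    ADD_U_INT32(dptr, s->pid);
    ADD_U_INT32(dptr, s->sid);
    ADD_U_INT32(dptr, s->tid.port);     /* udev_t, no cast needed */
    ADD_U_INT32(dptr, s->tid.machine);
    return (size_t)(dptr - buf);
}

static uint32_t get_u32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Parse the same layout. Returns 0 on success, -1 if the buffer is
 * shorter than the token layout, the check a reader must make before
 * touching any field. */
int decode_subject_tail(const uint8_t *buf, size_t buflen,
                        struct subject_tail *s)
{
    if (buflen < SUBJECT_TAIL_LEN)
        return -1;
    s->rgid        = get_u32(buf);
    s->pid         = get_u32(buf + 4);
    s->sid         = get_u32(buf + 8);
    s->tid.port    = get_u32(buf + 12);
    s->tid.machine = get_u32(buf + 16);
    return 0;
}

int main(void)
{
    /* Constructed sample: a terminal with udev 0x0f0d on machine 0xc0a80101. */
    struct subject_tail in = { 20, 1234, 1234, { 0x0f0dU, 0xc0a80101U } }, out;
    uint8_t buf[SUBJECT_TAIL_LEN];
    size_t n = encode_subject_tail(buf, sizeof buf, &in);

    if (decode_subject_tail(buf, n, &out) == 0)
        printf("port=%#x machine=%#x pid=%u\n",
               out.tid.port, out.tid.machine, out.pid);
    return 0;
}
```

The encoder never sees a pointer-sized value: the struct field is already the 32-bit userspace type, so the kernel/userspace dev_t split has to be resolved (the udev_t conversion under `#ifdef _KERNEL`) when the tid is filled in, not at the point where bytes are appended. The decoder's length check is the half that praudit-style readers tend to skip and then mis-parse.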