PERFORCE change 153250 for review
Christian S.J. Peron
csjp at FreeBSD.org
Wed Nov 19 15:35:51 PST 2008
http://perforce.freebsd.org/chv.cgi?CH=153250
Change 153250 by csjp at hvm02 on 2008/11/19 23:34:57
Implement file system cache for BSM records. This makes it possible
to associate BSM records which reference file descriptors instead
of paths with a particular event.
For example:
If we had a sequence that watched for an open on file /x followed by
a permission change, we can now detect:
open(2)
fchmod(2) (which operates on the fd and therefore doesn't audit a path)
Affected files ...
.. //depot/projects/trustedbsd/bsmtrace/bsm.c#3 edit
.. //depot/projects/trustedbsd/bsmtrace/deuce.h#3 edit
.. //depot/projects/trustedbsd/bsmtrace/fcache.c#4 edit
.. //depot/projects/trustedbsd/bsmtrace/fcache.h#3 edit
Differences ...
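--- a/depot/projects/trustedbsd/bsmtrace/bsm.c
+++ b/depot/projects/trustedbsd/bsmtrace/bsm.c
@@ -130,6 +130,8 @@
 ap = &bm->bm_objects;
 if (ap->a_cnt == 0)
 return (1);
+if (bd->br_dev != 0 && bd->br_inode != 0 && bd->br_path == NULL)
+bd->br_path = fcache_search(bd->br_dev, bd->br_inode);
 /*
 * We are interested in particular objects, but the audit record has
 * not supplied any. We will treat this as a fail to match.
@@ -628,12 +630,19 @@
 case AUT_RETURN64:
 bd.br_status = tok.tt.ret64.err;
 break;
+case AUT_ATTR:
+case AUT_ATTR32:
+bd.br_dev = tok.tt.attr32.fsid;
+bd.br_inode = tok.tt.attr32.nid;
+break;
 case AUT_PATH:
 bd.br_path = tok.tt.path.path;
 break;
 }
 bytesread += tok.len;
 }
+if (bd.br_path != NULL && bd.br_dev != 0 && bd.br_inode != 0)
+fcache_add_entry(bd.br_dev, bd.br_inode, bd.br_path);
 bsm_sequence_scan(&bd);
 free(bsm_rec);
 recsread++;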
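Review bot: In the second hunk the token loop keeps only the last AUT_ATTR/AUT_ATTR32 and the last AUT_PATH token of a record, so for records that carry more than one path or attribute token (rename(2) normally does) `fcache_add_entry(bd.br_dev, bd.br_inode, bd.br_path)` can cache one object's device/inode under another object's path, and the first hunk's `fcache_search` would then resolve later fd-based events to the wrong file. Safer is to add an entry only when exactly one attribute token and one path token were seen in the record, tracked with two counters inside the loop. The first hunk also makes `br_path` alias cache-owned storage, whereas it otherwise points into the record released by `free(bsm_rec)`; a comment such as `/* br_path may point into the fcache after this; never free() it. */` above the assignment would protect the next maintainer from a double free. If libbsm delivers AUT_ATTR64 on this platform it is not handled here, so such records leave br_dev/br_inode unset and are silently not cached; and where `bd` is declared and cleared is outside the hunk, so I cannot tell whether br_dev/br_inode are reset between records.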
==== //depot/projects/trustedbsd/bsmtrace/deuce.h#3 (text+ko) ====
@@ -150,6 +150,8 @@
int br_raw_len; /* Raw record length */
int br_pid; /* Process ID */
int br_sid; /* Session ID */
+ dev_t br_dev; /* For fs objects, the device id. */
+ ino_t br_inode; /* For fs objects, the inode. */
};
#endif /* DEUCE_H_ */
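Review bot: The new `br_dev`/`br_inode` comments should state which value means "no attribute token was seen", because bsm.c compares both against 0 before consulting or filling the cache; suggest `dev_t br_dev; /* For fs objects, the device id; 0 if no attr token seen. */` and the same wording for the inode. That documents the sentinel the callers already rely on, since a device id or inode of 0 is treated as absent rather than as a valid object.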
==== //depot/projects/trustedbsd/bsmtrace/fcache.c#4 (text+ko) ====
@@ -82,6 +82,7 @@
dp = malloc(sizeof(*dp));
if (dp == NULL)
return (NULL);
+ dp->d_device = device;
RB_INIT(&dp->d_btree);
TAILQ_INSERT_HEAD(&cache_head, dp, d_glue);
return (dp);
@@ -104,14 +105,15 @@
}
void
-fache_add_entry(dev_t device, ino_t inode, char *pathname)
+fcache_add_entry(dev_t device, ino_t inode, char *pathname)
{
struct dev_list *dp;
struct fcache *fcp;
+ char *ret;
- /*
- * NB: We need an eviction strategy here.
- */
+ ret = fcache_search(device, inode);
+ if (ret != NULL)
+ return;
dp = fcache_locate(device);
if (dp == NULL) {
(void) fprintf(stderr, "failed to allocate cache\n");
@@ -124,6 +126,7 @@
}
fcp->f_inode = inode;
fcp->f_pathname = strdup(pathname);
- (void) RB_INSERT(btree, &dp->d_btree, fcp);
+ if (RB_INSERT(btree, &dp->d_btree, fcp) != 0)
+ printf("item already existed\n");
}
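Review bot: In the third hunk, when `RB_INSERT` reports an existing element the freshly allocated `fcp` and its `strdup`'d pathname are leaked, and the diagnostic goes to stdout via `printf` while the allocation failure earlier in `fcache_add_entry` uses `fprintf(stderr, ...)`; the rewrite below frees both and reports on stderr (RB_INSERT returns the colliding element, so compare against NULL). Removing the `NB: We need an eviction strategy here.` comment does not remove the need: with the early return on a `fcache_search` hit, a (device, inode) pair is cached once for the lifetime of the process, so the cache grows without bound on a busy system and never learns a new path after an inode is reused for a different file, which would attribute later fd-based events to the stale path. Keep the NB comment, or at least document the staleness in the header comment of `fcache_add_entry`. The body of `fcache_add_entry` between the second and third hunks is not shown.
```c
	fcp->f_pathname = strdup(pathname);
	if (RB_INSERT(btree, &dp->d_btree, fcp) != NULL) {
		(void) fprintf(stderr, "item already existed\n");
		free(fcp->f_pathname);
		free(fcp);
	}
}
```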
==== //depot/projects/trustedbsd/bsmtrace/fcache.h#3 (text+ko) ====
@@ -45,6 +45,6 @@
void fcache_destroy(void);
void fcache_init(void);
char *fcache_search(dev_t, ino_t);
-void fache_add_entry(dev_t, ino_t, char *);
+void fcache_add_entry(dev_t, ino_t, char *);
#endif /* FCACHE_DOT_H_ */