PERFORCE change 153250 for review

Christian S.J. Peron csjp at FreeBSD.org
Wed Nov 19 15:35:51 PST 2008


http://perforce.freebsd.org/chv.cgi?CH=153250

Change 153250 by csjp at hvm02 on 2008/11/19 23:34:57

	Implement file system cache for BSM records.  This makes it possible
	to associate bsm records which reference file descriptors instead
	of paths with a particular event.
	
	For example:
	If we had a sequence that watched for an open on file /x followed by
	a permission change, we can now detect:
	
	open(2)
	fchmod(2) (which operates on the fd and therefore doesn't audit a path)

Affected files ...

.. //depot/projects/trustedbsd/bsmtrace/bsm.c#3 edit
.. //depot/projects/trustedbsd/bsmtrace/deuce.h#3 edit
.. //depot/projects/trustedbsd/bsmtrace/fcache.c#4 edit
.. //depot/projects/trustedbsd/bsmtrace/fcache.h#3 edit

Differences ...

==== //depot/projects/trustedbsd/bsmtrace/bsm.c#3 (text+ko) ====

@@ -130,6 +130,8 @@
 	ap = &bm->bm_objects;
 	if (ap->a_cnt == 0)
 		return (1);
+	if (bd->br_dev != 0 && bd->br_inode != 0 && bd->br_path == NULL)
+		bd->br_path = fcache_search(bd->br_dev, bd->br_inode);
 	/*
 	 * We are interested in particular objects, but the audit record has
 	 * not supplied any.  We will treat this as a fail to match.
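Review bot: The assignment on the added line aliases `bd->br_path` to storage owned by the file cache (the `strdup` copy made in fcache_add_entry), so the record now carries a pointer it does not own and that lives only until the cache entry is freed. Nothing in the hunk records that, and a later `free(bd->br_path)` or use after `fcache_destroy()` would be a use-after-free; I would add `/* Lent from fcache; do not free, valid until fcache_destroy(). */` above the lookup. The guard also relies on 0 in `br_dev`/`br_inode` meaning "no attr token seen", which presumes the record is zero-initialized before parsing; that initialization is outside the hunk, as is the rest of the enclosing function.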
@@ -628,12 +630,19 @@
 			case AUT_RETURN64:
 				bd.br_status = tok.tt.ret64.err;
 				break;
+			case AUT_ATTR:
+			case AUT_ATTR32:
+				bd.br_dev = tok.tt.attr32.fsid;
+				bd.br_inode = tok.tt.attr32.nid;
+				break;
 			case AUT_PATH:
 				bd.br_path = tok.tt.path.path;
 				break;
 			}
 			bytesread += tok.len;
 		}
+		if (bd.br_path != NULL && bd.br_dev != 0 && bd.br_inode != 0)
+			fcache_add_entry(bd.br_dev, bd.br_inode, bd.br_path);
 		bsm_sequence_scan(&bd);
 		free(bsm_rec);
 		recsread++;
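Review bot: The cache insertion after the token loop pairs whichever attr token came last with whichever path token came last, so a record that carries more than one object (rename(2) or link(2) emit several path tokens, typically with their own attr tokens) can cache a dev/inode under the wrong pathname, and every later fd-based event on that inode then matches the wrong path. I would count the tokens seen in the loop (`npath++` under AUT_PATH, `nattr++` under AUT_ATTR/AUT_ATTR32) and only call `fcache_add_entry` when `npath == 1 && nattr == 1`. The same last-wins concern applies if `bd` is not reset between records, since a stale `br_dev`/`br_inode` from the previous record would then be paired with this record's path; that reset is outside the hunk. The new cases also read `tok.tt.attr32` for both AUT_ATTR and AUT_ATTR32 but do not handle AUT_ATTR64, so if the record source ever emits 64-bit attr tokens the cache is silently bypassed for them. The enclosing loop starts and ends outside the hunk.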

==== //depot/projects/trustedbsd/bsmtrace/deuce.h#3 (text+ko) ====

@@ -150,6 +150,8 @@
 	int		 br_raw_len;	/* Raw record length */
 	int		 br_pid;	/* Process ID */
 	int		 br_sid;	/* Session ID */
+	dev_t		 br_dev;	/* For fs objects, the device id. */
+	ino_t		 br_inode;	/* For fs objects, the inode. */
 };
 
 #endif	/* DEUCE_H_ */
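Review bot: The two new members are used in bsm.c with 0 as the "not supplied by the record" sentinel, but the comments here do not say so, and the requirement that the struct be zero-initialized before parsing is invisible from the header. I would write `dev_t br_dev; /* For fs objects, the device id; 0 if no attr token. */` and `ino_t br_inode; /* For fs objects, the inode; 0 if no attr token. */` so that readers of the header know both fields must be cleared per record.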

==== //depot/projects/trustedbsd/bsmtrace/fcache.c#4 (text+ko) ====

@@ -82,6 +82,7 @@
 	dp = malloc(sizeof(*dp));
 	if (dp == NULL)
 		return (NULL);
+	dp->d_device = device;
 	RB_INIT(&dp->d_btree);
 	TAILQ_INSERT_HEAD(&cache_head, dp, d_glue);
 	return (dp);
@@ -104,14 +105,15 @@
 }
 
 void
-fache_add_entry(dev_t device, ino_t inode, char *pathname)
+fcache_add_entry(dev_t device, ino_t inode, char *pathname)
 {
 	struct dev_list *dp;
 	struct fcache *fcp;
+	char *ret;
 
-	/*
-	 * NB: We need an eviction strategy here.
-	 */
+	ret = fcache_search(device, inode);
+	if (ret != NULL)
+		return;
 	dp = fcache_locate(device);
 	if (dp == NULL) {
 		(void) fprintf(stderr, "failed to allocate cache\n");
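Review bot: The early `return` when `fcache_search` already has the (device, inode) pair freezes the mapping at the first pathname ever seen, and the commit removes the "NB: We need an eviction strategy here" comment without adding one. Inode numbers are reused after unlink and files are renamed, so an audit consumer running for any length of time will start resolving fd-based events to a path that no longer belongs to that inode, which is exactly the kind of mismatch a sequence watching a particular path cannot tolerate. I would keep the lookup but, when `ret` is non-NULL and `strcmp(ret, pathname) != 0`, replace the cached string instead of returning; since `fcache_search` returns only the `char *`, that needs a static helper returning the `struct fcache *` entry. The cache also still grows without bound, one entry per distinct inode, so the dropped comment (or a real eviction policy) should come back. The function continues in the next hunk.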
@@ -124,6 +126,7 @@
 	}
 	fcp->f_inode = inode;
 	fcp->f_pathname = strdup(pathname);
-	(void) RB_INSERT(btree, &dp->d_btree, fcp);
+	if (RB_INSERT(btree, &dp->d_btree, fcp) != 0)
+		printf("item already existed\n");
 }
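Review bot: On the collision branch the freshly allocated `fcp` and its `strdup` copy are never inserted and never freed, so the new `printf` reports the duplicate and then leaks it; the `strdup` result two lines above is also unchecked, so a NULL pathname can reach the tree. The diagnostic goes to stdout while the allocation failure earlier in this function goes to stderr, and `RB_INSERT` returns the colliding element pointer, so `!= NULL` reads more accurately than `!= 0`. A rewrite of the tail of the function that addresses all three follows; the function's opening lines are in the previous hunk.
```c
	fcp->f_inode = inode;
	fcp->f_pathname = strdup(pathname);
	if (fcp->f_pathname == NULL) {
		(void) fprintf(stderr, "failed to allocate pathname\n");
		free(fcp);
		return;
	}
	/* RB_INSERT returns the existing element on a key collision. */
	if (RB_INSERT(btree, &dp->d_btree, fcp) != NULL) {
		(void) fprintf(stderr, "item already existed\n");
		free(fcp->f_pathname);
		free(fcp);
	}
```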
 

==== //depot/projects/trustedbsd/bsmtrace/fcache.h#3 (text+ko) ====

@@ -45,6 +45,6 @@
 void		 fcache_destroy(void);
 void		 fcache_init(void);
 char		*fcache_search(dev_t, ino_t);
-void		 fache_add_entry(dev_t, ino_t, char *);
+void		 fcache_add_entry(dev_t, ino_t, char *);
 
 #endif	/* FCACHE_DOT_H_ */

