PERFORCE change 167043 for review
Robert Watson
rwatson at FreeBSD.org
Wed Aug 5 18:27:53 UTC 2009
http://perforce.freebsd.org/chv.cgi?CH=167043
Change 167043 by rwatson at rwatson_cinnamon on 2009/08/05 18:27:20
Add a few comments/annotations in the audit slice code about
possibly design choices.
Affected files ...
.. //depot/projects/soc2009/marinosi_appaudit/src/sys/security/audit/audit_slice.c#6 edit
Differences ...
==== //depot/projects/soc2009/marinosi_appaudit/src/sys/security/audit/audit_slice.c#6 (text+ko) ====
@@ -90,7 +90,7 @@
/*
* Audit slice's device open method. Explicit privilege check isn't used as
* this allows file permissions on the special device to be used to grant
- * audit review access. Those file permissions should be managed carefully.
+ * audit submit access. Those file permissions should be managed carefully.
*/
static int
audit_slice_dev_open(struct cdev *dev, int oflags, int devtype,
@@ -107,7 +107,16 @@
as = as_ptr;
dev->si_drv1 = as;
- /* Only one process may open the device at a time. */
+ /*
+ * Only one process may open the device at a time.
+ *
+ * XXXRW: It would be desirable to allow concurrent writers to block
+ * or otherwise be serialized in order to avoid application threads
+ * having to loop waiting for the device to be free while another
+ * thread is writing a record. Because we want to support buffered
+ * writes spread over multiple syscalls, this is a little tricky --
+ * we should think more about what the right way to handle this is.
+ */
mtx_lock(&(as->as_dev_mtx));
if (!as->as_dev_isopen) {
error = 0;
@@ -170,6 +179,13 @@
audit_slice_dev_buf = malloc(sizeof(*audit_slice_dev_buf),
M_TEMP, M_WAITOK);
+ /*
+ * XXXRW: This seems to handle multiple records/system call, but not
+ * multiple system calls/record. To handle the latter, we need to
+ * have a buffer that potentially spans system calls that we can copy
+ * into until we have a complete record which we can then submit to
+ * audit.
+ */
while (uio->uio_resid > 0) {
c = MIN((int)uio->uio_resid, sizeof(*audit_slice_dev_buf));
if ( c == (int)uio->uio_resid )
@@ -183,6 +199,10 @@
/*
* Store the actual record's size. Add some checks before
* this.
+ *
+ * XXXRW: for example, perhaps we shouldn't accept records
+ * longer than MAX_AUDIT_RECORD_SIZE, or less than
+ * sizeof(*audit_slice_dev_buf).
*/
recsz = be32dec (audit_slice_dev_buf->rec_byte_count);
as_rec = (void *)malloc((unsigned long)recsz, M_AUDITBSM,
@@ -200,6 +220,9 @@
audit_slice_commit_rec( as_rec, as);
}
+ /*
+ * XXXRW: Only free as_rec if we allocated it.
+ */
free(audit_slice_dev_buf, M_TEMP);
free(as_rec, M_AUDITBSM);
@@ -207,7 +230,12 @@
}
/*
- * Ioctl method
+ * Ioctl method.
+ *
+ * XXXRW: Possibly we should allow querying per-slice audit properties here,
+ * such as event masks so that userspace can decide whether an event is
+ * wanted -- i.e., similar to what we do with auditon(2) to query the current
+ * mask.
*/
static int
audit_slice_dev_ioctl(struct cdev *dev, u_long cmd, caddr_t data, int flag,
@@ -219,6 +247,9 @@
/*
* Poll method.(if needed)
+ *
+ * XXXRW: Interesting design question -- probably, it's OK to submit a record
+ * and then block waiting for it to commit.
*/
static int
audit_slice_dev_poll(struct cdev *dev, int events, struct thread *td)
More information about the p4-projects
mailing list