PERFORCE change 164530 for review
Ilias Marinos
marinosi at FreeBSD.org
Tue Jun 16 20:01:53 UTC 2009
http://perforce.freebsd.org/chv.cgi?CH=164530
Change 164530 by marinosi at marinosi_redrum on 2009/06/16 20:01:39
Dynamic slice creation upon request implemented. Initialization system
implemented too. The whole thing builds but remains untested and incomplete.
Affected files ...
.. //depot/projects/soc2009/marinosi_appaudit/src/sys/bsm/audit.h#3 edit
.. //depot/projects/soc2009/marinosi_appaudit/src/sys/security/audit/audit.c#4 edit
.. //depot/projects/soc2009/marinosi_appaudit/src/sys/security/audit/audit_private.h#4 edit
.. //depot/projects/soc2009/marinosi_appaudit/src/sys/security/audit/audit_slice.h#2 edit
.. //depot/projects/soc2009/marinosi_appaudit/src/sys/security/audit/audit_syscalls.c#3 edit
.. //depot/projects/soc2009/marinosi_appaudit/src/sys/security/audit/audit_worker.c#3 edit
Differences ...
==== //depot/projects/soc2009/marinosi_appaudit/src/sys/bsm/audit.h#3 (text) ====
@@ -128,7 +128,8 @@
#define A_SETCOND 38
#define A_CREATESLICE 39
#define A_UPDATESLICE 40
-#define A_REMOVESLICE 41
+#define A_GETSLICE 41
+#define A_REMOVESLICE 42
/*
* Audit policy controls.
==== //depot/projects/soc2009/marinosi_appaudit/src/sys/security/audit/audit.c#4 (text) ====
@@ -84,8 +84,14 @@
SYSCTL_NODE(_security, OID_AUTO, audit, CTLFLAG_RW, 0,
"TrustedBSD audit controls");
+/*
+ * The base audit slice statically declared.
+ */
struct audit_slice *audit_base_slice = NULL;
+/* Audit slices queue */
+struct audit_slice_queue audit_slice_q;
+
/*
* Kernel audit information. This will store the current audit address
* or host information that the kernel will use when it's generating
@@ -189,17 +195,35 @@
* synchronization primitives, worker thread, and trigger device node. Also
* call into the BSM assembly code to initialize it.
*/
-static void
+void
audit_init(void *arg)
{
- if ( audit_base_slice == NULL )
+ struct audit_slice *as;
+
+ /*
+ * Initialize the slice queue and add every slice in it except the
+ * base(no reason to be in the queue).
+ */
+ TAILQ_INIT(&audit_slice_q);
+ if ( audit_base_slice == NULL && arg == NULL ) {
audit_base_slice = malloc(sizeof(*audit_base_slice),
M_AUDITSLICE, M_WAITOK | M_ZERO);
+ /*
+ * If base slice is null allocate and then initialize the base
+ * slice first of all.
+ */
+ as = audit_base_slice;
+ } else {
+ //as = (struct audit_slice *) arg;
+ as = malloc(sizeof(*as), M_AUDITSLICE, M_WAITOK | M_ZERO);
+ TAILQ_INSERT_TAIL(&audit_slice_q, as, as_q);
+ }
- struct audit_slice *as = (struct audit_slice *) arg;
- as = audit_base_slice;
-
+ /*
+ * XXX: As M_ZERO flag is used during allocation, we may remove some
+ * of the following initialization is useless.
+ */
as->audit_enabled = 0;
as->audit_suspended = 0;
as->audit_panic_on_write_fail = 0;
@@ -634,3 +658,16 @@
ret = 1;
audit_commit(ar, errcode, ret);
}
+
+/*
+ * audit_slice_destroy() is called through A_REMOVESLICE command of auditon()
+ * syscall to remove an existing slice ( except the base one!)
+ */
+void
+audit_slice_destroy(struct audit_slice *as)
+{
+ if (as != NULL) {
+ TAILQ_REMOVE(&audit_slice_q, as, as_q);
+ free(as, M_AUDITSLICE);
+ }
+}
==== //depot/projects/soc2009/marinosi_appaudit/src/sys/security/audit/audit_private.h#4 (text) ====
@@ -132,6 +132,46 @@
};
typedef struct au_qctrl64 au_qctrl64_t;
+#define AUDIT_SLICE_NAME_LEN 20
+#define AUDIT_DEV_NAME_LEN 20
+/*
+ * Helper data structure that keeps the data that are needed for new audit
+ * slice creation/modification/removal.This structure will be used with the
+ * auditon() syscall for all the audit slices except the base.
+ */
+struct au_slice_data {
+ char as_name[AUDIT_SLICE_NAME_LEN];
+ int audit_enabled;
+ int audit_suspended;
+ int audit_q_len;
+ int audit_pre_q_len;
+ int audit_panic_on_write_fail;
+ int audit_fail_stop;
+ int audit_argv;
+ int audit_arge;
+ int audit_in_failure;
+ struct audit_fstat audit_fstat;
+ struct au_mask audit_nae_mask;
+ struct au_qctrl audit_qctrl;
+
+ int audit_file_rotate_wait;
+ struct ucred *audit_cred;
+ struct vnode *audit_vp;
+
+
+
+ /*
+ * Applications need their slice device to submit their audit records.
+ * Device specific variables here.
+ */
+ char as_dev_name[AUDIT_DEV_NAME_LEN];
+ int as_dev_isopen;
+ uid_t uid;
+ gid_t gid;
+ int perms;
+};
+typedef struct au_slice_data au_slice_data_t;
+
union auditon_udata {
char *au_path;
int au_cond;
@@ -150,6 +190,7 @@
au_stat_t au_stat;
au_fstat_t au_fstat;
auditinfo_addr_t au_kau_info;
+ au_slice_data_t au_slice; /* Data used for audit slices, except the base*/
};
struct posix_ipc_perm {
@@ -229,6 +270,7 @@
struct sockaddr_storage ar_arg_sockaddr;
};
+
/*
* Arguments in the audit record are initially not defined; flags are set to
* indicate if they are present so they can be included in the audit log
==== //depot/projects/soc2009/marinosi_appaudit/src/sys/security/audit/audit_slice.h#2 (text+ko) ====
@@ -152,18 +152,29 @@
uid_t uid;
gid_t gid;
int perms;
+
+ /*
+ * Keep the several audit slices in a list
+ */
+ TAILQ_ENTRY(audit_slice) as_q;
};
+typedef struct audit_slice audit_slice_t;
-typedef struct audit_slice audit_slice_t;
+TAILQ_HEAD(audit_slice_queue, audit_slice);
/* Static allocation of the base slice */
extern struct audit_slice *audit_base_slice;
+/* Audit slices queue */
+extern struct audit_slice_queue audit_slice_q;
+
/*
* Audit related functions prototypes
*/
-void audit_rotate_vnode(struct ucred *cred,
- struct vnode *vp);
-void audit_worker_init(void *arg);
+void audit_init(void *arg);
+void audit_rotate_vnode(struct ucred *cred,
+ struct vnode *vp);
+void audit_worker_init(void *arg);
+void audit_slice_destroy(struct audit_slice *as);
==== //depot/projects/soc2009/marinosi_appaudit/src/sys/security/audit/audit_syscalls.c#3 (text) ====
@@ -541,19 +541,31 @@
return (audit_send_trigger(udata.au_trigger));
case A_CREATESLICE:
- //if (uap->length != sizeof(udata.au_slice))
- // return (EINVAL);
+ if (uap->length != sizeof(udata.au_slice))
+ return (EINVAL);
+ /* Check if slice exists? */
+ if ((udata.au_slice.as_name == NULL))
+ return (EINVAL);
+ /* Passing null for testing purposes. TO be changed */
+ audit_init(NULL);
+ break;
+
+ case A_UPDATESLICE:
+ if (uap->length != sizeof(udata.au_slice))
+ return (EINVAL);
return (0);
- case A_UPDATESLICE:
- //if (uap->length != sizeof(udata.au_slice))
- // return (EINVAL);
+ case A_GETSLICE:
+ if (uap->length != sizeof(udata.au_slice))
+ return (EINVAL);
return (0);
case A_REMOVESLICE:
- //if (uap->length != sizeof(udata.au_slice))
- // return (EINVAL);
- return (0);
+ if (uap->length != sizeof(udata.au_slice))
+ return (EINVAL);
+ /* Passing null for testing purposes. TO be changed */
+ audit_slice_destroy(NULL);
+ break;
default:
return (EINVAL);
==== //depot/projects/soc2009/marinosi_appaudit/src/sys/security/audit/audit_worker.c#3 (text) ====
@@ -384,9 +384,9 @@
struct kaudit_queue ar_worklist;
struct kaudit_record *ar;
int lowater_signal;
-
- struct audit_slice *as = (struct audit_slice * ) arg;
-
+ struct audit_slice *as;
+
+ as = (struct audit_slice * ) arg;
TAILQ_INIT(&ar_worklist);
mtx_lock(&(as->audit_mtx));
while (1) {
More information about the p4-projects
mailing list