svn commit: r243723 - head/sys/security/audit

Pawel Jakub Dawidek pjd at FreeBSD.org
Fri Nov 30 23:03:52 UTC 2012


Author: pjd
Date: Fri Nov 30 23:03:51 2012
New Revision: 243723
URL: http://svnweb.freebsd.org/changeset/base/243723

Log:
  IFp4 @208383:
  
  Currently when we discover that trail file is greater than configured
  limit we send AUDIT_TRIGGER_ROTATE_KERNEL trigger to the auditd daemon
  once. If for some reason auditd didn't rotate trail file it will never
  be rotated.
  
  Change it by sending the trigger when trail file size grows by the
  configured limit. For example if the limit is 1MB, we will send trigger
  on 1MB, 2MB, 3MB, etc.
  
  This is also needed for the auditd change that will be committed soon
  where auditd may ignore the trigger - it might be ignored if kernel
  requests the trail file to be rotated too quickly (more often than once a second)
  which would result in overwriting previous trail file.
  
  Sponsored by:	FreeBSD Foundation (auditdistd)
  MFC after:	2 weeks

Modified:
  head/sys/security/audit/audit_worker.c

Modified: head/sys/security/audit/audit_worker.c
==============================================================================
--- head/sys/security/audit/audit_worker.c	Fri Nov 30 22:59:20 2012	(r243722)
+++ head/sys/security/audit/audit_worker.c	Fri Nov 30 23:03:51 2012	(r243723)
@@ -189,11 +189,11 @@ audit_record_write(struct vnode *vp, str
 	 * to the daemon.  This is only approximate, which is fine as more
 	 * records may be generated before the daemon rotates the file.
 	 */
-	if ((audit_fstat.af_filesz != 0) && (audit_file_rotate_wait == 0) &&
-	    (audit_size >= audit_fstat.af_filesz)) {
+	if (audit_fstat.af_filesz != 0 &&
+	    audit_size >= audit_fstat.af_filesz * (audit_file_rotate_wait + 1)) {
 		AUDIT_WORKER_LOCK_ASSERT();
 
-		audit_file_rotate_wait = 1;
+		audit_file_rotate_wait++;
 		(void)audit_send_trigger(AUDIT_TRIGGER_ROTATE_KERNEL);
 	}
 
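Review bot: audit_file_rotate_wait changes from a 0/1 flag to a count of triggers already sent (the `audit_file_rotate_wait++` line), but the comment above the condition still describes only the single approximate trigger and the variable name still reads as a boolean. Please extend the comment to say the trigger is re-sent at each multiple of af_filesz, and confirm that the code that handles a completed rotation (not visible in this hunk) still resets the counter to 0; if it does not, the next trail file would not trigger until it reaches a stale multiple of the limit. It is also worth checking the operand types in `audit_fstat.af_filesz * (audit_file_rotate_wait + 1)`: they are not visible here, and if the counter is a plain int while the trail keeps growing with no rotation, the product should be computed in a type wide enough for the file size so the comparison against audit_size cannot wrap.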

