audit2 for -current

Robert Watson rwatson at FreeBSD.org
Fri Mar 26 15:10:16 GMT 2004


On Fri, 26 Mar 2004, Ilmar S. Habibulin wrote:

> On Thu, 25 Mar 2004, Robert Watson wrote:
> 
> > I've merged the two memory allocation changes you made back into the
> > Perforce branch (pathp -> *pathp) -- that bug was introduced in the
> > conversion from Darwin Mach memory allocation to FreeBSD memory
> > allocation.
> Well, there is also critical struct proc modification and vn_fullpath().

Not that far into the patch yet :-).

> > I think these changes are actually reflective of a bug in the merge from
> > Darwin -- in Darwin, dev_t is the same in userspace and kernel, but in
> > FreeBSD, dev_t is a kernel pointer in kernel, but the same as dev_t in
> > Darwin in userspace (and in kernel it's represented by udev_t).  I thought
> Heh, I suppose I was very tired because I was unable to find the pointer
> definition of dev_t. ;-) So I had to make such complex casting.
> 
> > I'd caught all the references, but apparently not.  For now, in FreeBSD,
> > kernel use of dev_t needs to be converted to udev_t, and probably #ifdef'd
> > based on _KERNEL.  I think the real fix is to convert dev_t in FreeBSD
> > back to the same as udev_t, and change the kernel code not to confuse
> > dev_t and cdev pointers; this wasn't such a big deal before audit, because
> And why not simply use udev_t in audit headers?

For source code compatibility reasons with existing BSM applications, I
think we need to use dev_t in the token record format, which means a
#ifdef _KERNEL section in the shared kernel/user definition.  However, for
kernel-only structures, we should just use udev_t.

> PS. The problem with praudit persists. I have little experience in
> userland programming, so maybe I've made some stupid mistake and someone
> will point me to it.
> 
> PPS. The Solaris log is not so easy to parse, because they are using record
> versioning and I failed to find info on differences in tokens between
> versions. Also my parser found a strange token, which is absent in the
> headers.  Maybe it's just a parser bug. Will turn on blade to figure out.

Ok.  We have a fair number of sample audit trails here from Solaris, et
al, and I can set up a Solaris box with Audit locally as well.  I'm fairly
swamped with network stack locking work, and am working on integrating the
TrustedBSD base tree forward to the FreeBSD CVS HEAD (about a 9MB patch),
but hope I can spend some more time on this in a week or two.  We should
also check and see if there are substantial changes to Audit in Apple's
more recent Darwin code drops. 

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert at fledge.watson.org      Senior Research Scientist, McAfee Research
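The kernel/userland dev_t split described above, as an added illustration that is not code from the thread, from TrustedBSD audit, or from any BSM implementation. It shows the pattern of a shared header whose device type is selected by `#ifdef _KERNEL`, with the trail itself always carrying a fixed 32-bit udev-style number so a record written by a 64-bit kernel (where the in-kernel dev_t is a pointer) is still readable by a praudit-style parser. The token id `0x7d`, the 9-byte layout, `struct cdev`, `si_udev`, and the `au_*` names are all constructed for this example and are not the real BSM format.

```c
/* Added example (hypothetical layout, not the BSM token format). */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* The stable, userspace-visible device number: what the trail stores. */
typedef uint32_t au_udev_t;

#ifdef _KERNEL
/* In-kernel, dev_t is a pointer to a cdev; that pointer must never be
 * written to the trail, only the number it carries. (Constructed stand-in.) */
struct cdev { au_udev_t si_udev; };
typedef struct cdev *au_dev_t;
#define AU_DEV_TO_UDEV(d) ((d)->si_udev)
#else
/* In userland the device is already the plain number. */
typedef au_udev_t au_dev_t;
#define AU_DEV_TO_UDEV(d) (d)
#endif

#define AU_TOK_DEV_ID  0x7d   /* constructed token id */
#define AU_TOK_DEV_LEN 9      /* 1 id + 4 dev + 4 inode, fixed on the trail */

struct au_dev_record {
    au_udev_t dev;
    uint32_t  inode;
};

static void put32be(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

static uint32_t get32be(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Producer side (the kernel in real life): whatever this compile
 * environment calls a device is normalised to the 4-byte trail value. */
size_t au_pack_dev_token(au_dev_t dev, uint32_t inode,
                         uint8_t *out, size_t outlen) {
    if (outlen < AU_TOK_DEV_LEN)
        return 0;                       /* caller's buffer too small */
    out[0] = AU_TOK_DEV_ID;
    put32be(out + 1, AU_DEV_TO_UDEV(dev));
    put32be(out + 5, inode);
    return AU_TOK_DEV_LEN;
}

/* Consumer side (a praudit-style parser): bounds-check before reading so a
 * truncated or foreign record cannot drive reads past the buffer. */
int au_unpack_dev_token(const uint8_t *in, size_t inlen,
                        struct au_dev_record *rec) {
    if (inlen < AU_TOK_DEV_LEN || in[0] != AU_TOK_DEV_ID)
        return -1;
    rec->dev   = get32be(in + 1);
    rec->inode = get32be(in + 5);
    return 0;
}

int main(void) {
    uint8_t buf[AU_TOK_DEV_LEN];
    struct au_dev_record rec;
    /* Constructed sample: device 1,2 and inode 4242. */
    size_t n = au_pack_dev_token((au_dev_t)0x00010002u, 4242u, buf, sizeof buf);
    if (n == 0 || au_unpack_dev_token(buf, n, &rec) != 0)
        return 1;
    printf("dev=%#x inode=%u (%zu bytes, pointer width %zu)\n",
           rec.dev, rec.inode, n, sizeof(void *));
    return 0;
}
```

Compiled without `_KERNEL` the userland branch is taken, which is the path the verifier and a parser would run; the point is that the record length and the byte layout are the same in both branches, so the ABI of the trail never depends on `sizeof(void *)` on the producing host.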

