Date: Mon, 18 Aug 2008 16:21:31 +0300
From: Uladzislau Rezki <v.rezkii@sam-solutions.net>
To: Robert Watson <rwatson@freebsd.org>
Cc: freebsd-hackers@freebsd.org, Roman Divacky <rdivacky@freebsd.org>
Subject: Re: textvp_fullpath
Message-ID: <200808181621.32105.v.rezkii@sam-solutions.net>
In-Reply-To: <alpine.BSF.1.10.0808152308120.28676@fledge.watson.org>
References: <200808142120.13609.v.rezkii@sam-solutions.net> <200808151217.04626.v.rezkii@sam-solutions.net> <alpine.BSF.1.10.0808152308120.28676@fledge.watson.org>
On 16 August 2008 01:09:39 Robert Watson wrote:
> On Fri, 15 Aug 2008, Uladzislau Rezki wrote:
> > We have to do a few things:
> >
> > 1) do original "write" sys call;
> > 2) get full path (/etc/passwd);
> > 3) put all this information to user land through the character device.
> >
> > I get stuck in point 2. I need to get full path, but how ...
>
> In FreeBSD 6.2 and higher, the kernel event auditing facility provides
> exactly this service already. Take a look at the auditpipe(4) facility for
> details of the run-time monitoring aspect of that.
>

Thank you, I didn't know about it before.

I looked through the source code of the "auditpipe", and found a function
called "canon_path" that obtains a full path using "vn_fullpath". This
function retrieves the full filesystem path that corresponds to a "vnode"
from cache, BUT just in case it is available within "namecache".

"textvp_fullpath" and "vn_fullpath" are not reliable.

Maybe I've skipped something while investigating auditpipe, but I found
only one place where they get the full path (audit_bsm_klib.c +483) and they
use "vn_fullpath".

Please correct me if I am not right.

Thank you in advance.

--
Uladzislau Rezki