From owner-freebsd-audit Mon Oct 21 11: 0:35 2002
Date: Mon, 21 Oct 2002 11:00:29 -0700 (PDT)
Message-Id: <200210211800.g9LI0ToR036134@freefall.freebsd.org>
From: FreeBSD bugmaster
To: audit@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

Non-critical problems

S  Submitted    Tracker   Resp.  Description
-------------------------------------------------------------------------------
a  [1999/01/28] bin/9770  audit  An openpty(3) auxiliary program

1 problem total.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-audit" in the body of the message

From owner-freebsd-audit Thu Oct 24 0:12:45 2002
Message-ID: <3DB79DFA.FA719B8F@FreeBSD.org>
Date: Thu, 24 Oct 2002 10:15:06 +0300
From: Maxim Sobolev
Organization: Vega International Capital
To: jlemon@FreeBSD.org, hackers@FreeBSD.org, audit@FreeBSD.org
Subject: New kevent types: NOTE_STARTEXEC and NOTE_STOPEXEC

Folks,

Please review the patch, which adds two new types of events - NOTE_STARTEXEC and NOTE_STOPEXEC, that could be used to get notification when the image starts or stops executing. For example, it could be used to monitor that a daemon is up and running and notify administrator when for some reason it exits. I am running this code for more than a year now without any problems.

Any comments and suggestions are welcome.

Thanks!

-Maxim

Content-Disposition: inline; filename="kqueue.startstopexec.diff"

Index: src/lib/libc/sys/kqueue.2 =================================================================== RCS file: /home/ncvs/src/lib/libc/sys/kqueue.2,v retrieving revision 1.28 diff -d -u -r1.28 kqueue.2 --- src/lib/libc/sys/kqueue.2 2 Jul 2002 21:04:00 -0000 1.28 +++ src/lib/libc/sys/kqueue.2 24 Oct 2002 06:57:41 -0000 @@ -292,7 +292,7 @@ .Va fflags , and returns when one or more of the requested events occurs on the descriptor. The events to monitor are: -.Bl -tag -width XXNOTE_RENAME +.Bl -tag -width XXNOTE_STARTEXEC .It NOTE_DELETE .Fn unlink was called on the file referenced by the descriptor. 
@@ -310,6 +310,19 @@ Access to the file was revoked via .Xr revoke 2 or the underlying fileystem was unmounted. +.It NOTE_STARTEXEC +The file referenced by the descriptor has been executed via +.Xr execve 2 , +.Xr fork 2 +or similar call. The PID of the process is returned in +.Va data . +.It NOTE_STOPEXEC +Execution of the file referenced by the descriptor ended. Triggered when +the process associated with the file exited or was replaced with anoter +image using +.Xr execve 2 +or simial syscall. The PID of the process is returned in +.Va data . .El .Pp On return, Index: src/sys/sys/event.h =================================================================== RCS file: /home/ncvs/src/sys/sys/event.h,v retrieving revision 1.21 diff -d -u -r1.21 event.h --- src/sys/sys/event.h 29 Jun 2002 19:14:52 -0000 1.21 +++ src/sys/sys/event.h 24 Oct 2002 06:57:41 -0000 @@ -83,13 +83,15 @@ /* * data/hint flags for EVFILT_VNODE, shared with userspace */ -#define NOTE_DELETE 0x0001 /* vnode was removed */ -#define NOTE_WRITE 0x0002 /* data contents changed */ -#define NOTE_EXTEND 0x0004 /* size increased */ -#define NOTE_ATTRIB 0x0008 /* attributes changed */ -#define NOTE_LINK 0x0010 /* link count changed */ -#define NOTE_RENAME 0x0020 /* vnode was renamed */ -#define NOTE_REVOKE 0x0040 /* vnode access was revoked */ +#define NOTE_DELETE 0x00100000 /* vnode was removed */ +#define NOTE_WRITE 0x00200000 /* data contents changed */ +#define NOTE_EXTEND 0x00400000 /* size increased */ +#define NOTE_ATTRIB 0x00800000 /* attributes changed */ +#define NOTE_LINK 0x01000000 /* link count changed */ +#define NOTE_RENAME 0x02000000 /* vnode was renamed */ +#define NOTE_REVOKE 0x04000000 /* vnode access was revoked */ +#define NOTE_STARTEXEC 0x08000000 /* vnode was executed */ +#define NOTE_STOPEXEC 0x10000000 /* vnode execution stopped */ /* * data/hint flags for EVFILT_PROC, shared with userspace 
@@ -98,6 +100,7 @@ #define NOTE_FORK 0x40000000 /* process forked */ #define NOTE_EXEC 0x20000000 /* process exec'd */ #define NOTE_PCTRLMASK 0xf0000000 /* mask for hint bits */ +/* Applies both to EVFILT_VNODE and EVFILT_PROC */ #define NOTE_PDATAMASK 0x000fffff /* mask for pid */ /* additional flags for EVFILT_PROC */ Index: src/sys/kern/kern_exec.c =================================================================== RCS file: /home/ncvs/src/sys/kern/kern_exec.c,v retrieving revision 1.193 diff -d -u -r1.193 kern_exec.c --- src/sys/kern/kern_exec.c 11 Oct 2002 21:04:01 -0000 1.193 +++ src/sys/kern/kern_exec.c 24 Oct 2002 06:57:41 -0000 @@ -518,6 +518,8 @@ * to locking the proc lock. */ textvp = p->p_textvp; + if (textvp) + VN_KNOTE(textvp, NOTE_STOPEXEC | p->p_pid); p->p_textvp = ndp->ni_vp; /* @@ -525,6 +527,7 @@ * as we're now a bona fide freshly-execed process. */ KNOTE(&p->p_klist, NOTE_EXEC); + VN_KNOTE(p->p_textvp, NOTE_STARTEXEC | p->p_pid); p->p_flag &= ~P_INEXEC; /* Index: src/sys/kern/kern_exit.c =================================================================== RCS file: /home/ncvs/src/sys/kern/kern_exit.c,v retrieving revision 1.184 diff -d -u -r1.184 kern_exit.c --- src/sys/kern/kern_exit.c 15 Oct 2002 00:14:32 -0000 1.184 +++ src/sys/kern/kern_exit.c 24 Oct 2002 06:58:03 -0000 @@ -440,6 +440,8 @@ * Notify interested parties of our demise. */ KNOTE(&p->p_klist, NOTE_EXIT); + if (p->p_textvp != NULL) + VN_KNOTE(p->p_textvp, NOTE_STOPEXEC | p->p_pid); /* * Notify parent that we're gone. If parent has the PS_NOCLDWAIT Index: src/sys/kern/kern_fork.c =================================================================== RCS file: /home/ncvs/src/sys/kern/kern_fork.c,v retrieving revision 1.172 diff -d -u -r1.172 kern_fork.c --- src/sys/kern/kern_fork.c 18 Oct 2002 17:45:41 -0000 1.172 +++ src/sys/kern/kern_fork.c 24 Oct 2002 06:58:03 -0000 
@@ -724,6 +724,8 @@ * tell any interested parties about the new process */ KNOTE(&p1->p_klist, NOTE_FORK | p2->p_pid); + if (p2->p_textvp != NULL) + VN_KNOTE(p2->p_textvp, NOTE_STARTEXEC | p2->p_pid); PROC_UNLOCK(p1); /*

From owner-freebsd-audit Sat Oct 26 18: 9:33 2002
Date: Sat, 26 Oct 2002 18:09:31 -0700 (PDT)
From: Nate Lawson
To: Maxim Sobolev
Cc: jlemon@FreeBSD.org, hackers@FreeBSD.org, audit@FreeBSD.org
Subject: Re: New kevent types: NOTE_STARTEXEC and NOTE_STOPEXEC
In-Reply-To: <3DB79DFA.FA719B8F@FreeBSD.org>

On Thu, 24 Oct 2002, Maxim Sobolev wrote:
> Please review the patch, which adds two new types of events -
> NOTE_STARTEXEC and NOTE_STOPEXEC, that could be used to get
> notification when the image starts or stops executing. For example, it
> could be used to monitor that a daemon is up and running and notify
> administrator when for some reason it exits. I am running this code
> for more than a year now without any problems.
>
> Any comments and suggestions are welcome.

Couldn't this just be done by init(8) and /etc/ttys? Or inetd? If you want to write your own, couldn't you use waitpid()? Or a kevent() of EVFILT_PROC with NOTE_EXIT/NOTE_FORK? I'm not sure I see the need for this. Comments below.

> +.It NOTE_STOPEXEC > +Execution of the file referenced by the descriptor ended. Triggered > when > +the process associated with the file exited or was replaced with anoter > +image using > +.Xr execve 2 > +or simial syscall. The PID of the process is returned in
^^^^^ typo

> Index: src/sys/sys/event.h > =================================================================== > RCS file: /home/ncvs/src/sys/sys/event.h,v > retrieving revision 1.21 > diff -d -u -r1.21 event.h > --- src/sys/sys/event.h 29 Jun 2002 19:14:52 -0000 1.21 > +++ src/sys/sys/event.h 24 Oct 2002 06:57:41 -0000 
> @@ -83,13 +83,15 @@ > /* > * data/hint flags for EVFILT_VNODE, shared with userspace > */ > -#define NOTE_DELETE 0x0001 /* vnode was removed */ > -#define NOTE_WRITE 0x0002 /* data contents changed */ > -#define NOTE_EXTEND 0x0004 /* size increased */ > -#define NOTE_ATTRIB 0x0008 /* attributes changed */ > -#define NOTE_LINK 0x0010 /* link count changed */ > -#define NOTE_RENAME 0x0020 /* vnode was renamed */ > -#define NOTE_REVOKE 0x0040 /* vnode access was revoked */ > +#define NOTE_DELETE 0x00100000 /* vnode was removed */ > +#define NOTE_WRITE 0x00200000 /* data contents changed */ > +#define NOTE_EXTEND 0x00400000 /* size increased */ > +#define NOTE_ATTRIB 0x00800000 /* attributes changed */ > +#define NOTE_LINK 0x01000000 /* link count changed */ > +#define NOTE_RENAME 0x02000000 /* vnode was renamed */ > +#define NOTE_REVOKE 0x04000000 /* vnode access was revoked */ > +#define NOTE_STARTEXEC 0x08000000 /* vnode was executed */ > +#define NOTE_STOPEXEC 0x10000000 /* vnode execution stopped */ > +/* Applies both to EVFILT_VNODE and EVFILT_PROC */ > #define NOTE_PDATAMASK 0x000fffff /* mask for pid */

I don't think we should burn our 32 bits on this. Since pids are 32 bits, this interface will fail unpredictably.

> /* additional flags for EVFILT_PROC */ > Index: src/sys/kern/kern_exec.c > =================================================================== > RCS file: /home/ncvs/src/sys/kern/kern_exec.c,v > retrieving revision 1.193 > diff -d -u -r1.193 kern_exec.c > --- src/sys/kern/kern_exec.c 11 Oct 2002 21:04:01 -0000 1.193 > +++ src/sys/kern/kern_exec.c 24 Oct 2002 06:57:41 -0000 
> @@ -518,6 +518,8 @@ > * to locking the proc lock. > */ > textvp = p->p_textvp; > + if (textvp) > + VN_KNOTE(textvp, NOTE_STOPEXEC | p->p_pid); > p->p_textvp = ndp->ni_vp;

Do these always stay an int or are there casts that could result in endian problems?

>Index: src/sys/kern/kern_fork.c >=================================================================== >RCS file: /home/ncvs/src/sys/kern/kern_fork.c,v >retrieving revision 1.172 >diff -d -u -r1.172 kern_fork.c >--- src/sys/kern/kern_fork.c 18 Oct 2002 17:45:41 -0000 1.172 >+++ src/sys/kern/kern_fork.c 24 Oct 2002 06:58:03 -0000 >@@ -724,6 +724,8 @@ > * tell any interested parties about the new process > */ > KNOTE(&p1->p_klist, NOTE_FORK | p2->p_pid); >+ if (p2->p_textvp != NULL) >+ VN_KNOTE(p2->p_textvp, NOTE_STARTEXEC | p2->p_pid); > PROC_UNLOCK(p1); > > /*

This shows my doubt for the need for this since the NOTE_FORK is immediately before your duplicate NOTE_STARTEXEC.

-Nate
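Review bot: In src/sys/sys/event.h, hunk @@ -83,13 +83,15 @@, the seven existing EVFILT_VNODE flags are renumbered (NOTE_DELETE goes from 0x0001 to 0x00100000, and so on through NOTE_REVOKE), although the comment directly above them says they are shared with userspace. A binary built against the old header would register for and test the wrong bits once this lands. Consider leaving the existing values alone, giving NOTE_STARTEXEC and NOTE_STOPEXEC the next free bits after 0x0040, and carrying the pid in `data` as the kqueue.2 text in this patch already promises, instead of in the bits below the flags.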
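Review bot: In src/lib/libc/sys/kqueue.2, hunk @@ -310,6 +310,19 @@, both new entries say the PID is returned in `data`, but every kernel call site in this patch passes it OR-ed into the hint (`VN_KNOTE(textvp, NOTE_STOPEXEC | p->p_pid)`) and no hunk shows a filter change that copies it into `data`. Either include that change in the patch or document where a consumer actually finds the pid. The added lines also contain two typos, "anoter" and "simial".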
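Review bot: In src/sys/kern/kern_exec.c, hunk @@ -518,6 +518,8 @@ tests the pointer with `if (textvp)` while the kern_exit.c and kern_fork.c hunks compare against NULL explicitly; use `if (textvp != NULL)` here as well. In the next hunk, @@ -525,6 +527,7 @@, `VN_KNOTE(p->p_textvp, ...)` is the only one of the four call sites with no NULL check; if `ndp->ni_vp` cannot be NULL at that point, a one-line comment saying so would save the next reader the question.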
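Review bot: In src/sys/kern/kern_fork.c, hunk @@ -724,6 +724,8 @@, the added VN_KNOTE call sits before `PROC_UNLOCK(p1)`, so it reads `p2->p_textvp` and delivers the vnode notification with the parent's proc lock still held. Unless that ordering is required, move the two added lines after the unlock, or add a comment stating which lock protects `p2->p_textvp` here.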
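The pid-in-the-flag-word concern raised in the reply above, worked through with the constants from the proposed event.h hunk. This is an added example, not code from the thread or from FreeBSD; the helper names and the sample pids are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Values as proposed in the event.h hunk of the patch under review. */
#define NOTE_DELETE    0x00100000u
#define NOTE_WRITE     0x00200000u
#define NOTE_STARTEXEC 0x08000000u
#define NOTE_STOPEXEC  0x10000000u
#define NOTE_PDATAMASK 0x000fffffu /* mask for pid */

/* Hypothetical helper: the word the kernel hunks build, e.g.
 * VN_KNOTE(vp, NOTE_STOPEXEC | p->p_pid). */
static uint32_t pack_hint(uint32_t note, int32_t pid)
{
    return note | (uint32_t)pid;
}

/* Hypothetical helper: the pid as a consumer would recover it. */
static int32_t decoded_pid(uint32_t hint)
{
    return (int32_t)(hint & NOTE_PDATAMASK);
}

/* Flag bits present in the hint that the sender never asked for. */
static uint32_t spurious_flags(uint32_t note, int32_t pid)
{
    return (pack_hint(note, pid) & ~NOTE_PDATAMASK) & ~note;
}

/* Guard a sender would need: the pid must fit below the flag bits. */
static int pid_fits(int32_t pid)
{
    return pid >= 0 && (uint32_t)pid <= NOTE_PDATAMASK;
}

int main(void)
{
    /* Constructed sample pids: two that fit in 20 bits, two that do not. */
    const int32_t pids[] = { 1234, 0x000fffff, 0x00100000, 0x00312345 };

    for (size_t i = 0; i < sizeof(pids) / sizeof(pids[0]); i++) {
        uint32_t hint = pack_hint(NOTE_STOPEXEC, pids[i]);
        printf("pid %#010x fits=%d hint=%#010x decoded=%#x spurious=%#010x\n",
            (unsigned)pids[i], pid_fits(pids[i]), (unsigned)hint,
            (unsigned)decoded_pid(hint),
            (unsigned)spurious_flags(NOTE_STOPEXEC, pids[i]));
    }
    return 0;
}
```

A pid of 0x00100000 reaches the consumer as NOTE_STOPEXEC plus NOTE_DELETE with a decoded pid of 0, so both the event type and the process identity are wrong.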