Date: Wed, 19 Nov 2008 23:35:50 GMT From: "Christian S.J. Peron" <csjp@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 153250 for review Message-ID: <200811192335.mAJNZop4087738@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=153250 Change 153250 by csjp@hvm02 on 2008/11/19 23:34:57 Implement file system cache for BSM records. This makes it possible to associate bsm records which reference file descriptors instead of paths with a particular event. For example: If we had a sequence that watched for an open on file /x followed by a permission change, we can now detect: open(2) fchmod(2) (which operates on the fd and therefore doesn't audit a path) Affected files ... .. //depot/projects/trustedbsd/bsmtrace/bsm.c#3 edit .. //depot/projects/trustedbsd/bsmtrace/deuce.h#3 edit .. //depot/projects/trustedbsd/bsmtrace/fcache.c#4 edit .. //depot/projects/trustedbsd/bsmtrace/fcache.h#3 edit Differences ... ==== //depot/projects/trustedbsd/bsmtrace/bsm.c#3 (text+ko) ==== @@ -130,6 +130,8 @@ ap = &bm->bm_objects; if (ap->a_cnt == 0) return (1); + if (bd->br_dev != 0 && bd->br_inode != 0 && bd->br_path == NULL) + bd->br_path = fcache_search(bd->br_dev, bd->br_inode); /* * We are interested in particular objects, but the audit record has * not supplied any. We will treat this as a fail to match. @@ -628,12 +630,19 @@ case AUT_RETURN64: bd.br_status = tok.tt.ret64.err; break; + case AUT_ATTR: + case AUT_ATTR32: + bd.br_dev = tok.tt.attr32.fsid; + bd.br_inode = tok.tt.attr32.nid; + break; case AUT_PATH: bd.br_path = tok.tt.path.path; break; } bytesread += tok.len; } + if (bd.br_path != NULL && bd.br_dev != 0 && bd.br_inode != 0) + fcache_add_entry(bd.br_dev, bd.br_inode, bd.br_path); bsm_sequence_scan(&bd); free(bsm_rec); recsread++; ==== //depot/projects/trustedbsd/bsmtrace/deuce.h#3 (text+ko) ==== @@ -150,6 +150,8 @@ int br_raw_len; /* Raw record length */ int br_pid; /* Process ID */ int br_sid; /* Session ID */ + dev_t br_dev; /* For fs objects, the device id. */ + ino_t br_inode; /* For fs objects, the inode. */ }; #endif /* DEUCE_H_ */ ==== //depot/projects/trustedbsd/bsmtrace/fcache.c#4 (text+ko) ==== 
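Review bot: The (dev, inode) → path mapping recorded by `fcache_add_entry(bd.br_dev, bd.br_inode, bd.br_path)` at the end of the second bsm.c hunk is never refreshed or removed — fcache_add_entry returns as soon as fcache_search() finds the key and nothing evicts — so after a file is unlinked and its inode number is reused, the lookup added in the first hunk attributes fd-based events (fchmod, fchown, write) on the new object to the old path, and a rename keeps reporting the old name. In a tool that raises alerts from event sequences that is a false-positive/false-negative source an unprivileged user can drive simply by creating and deleting files; at minimum a record that carries both a path and an attr token should overwrite an existing entry rather than keep the first one seen, and events that remove the object should drop it. The cache also grows by one strdup'd path per audited record carrying both tokens, with no bound, which the "NB: We need an eviction strategy here" comment removed in fcache.c had acknowledged. Two smaller points: `bd.br_inode = tok.tt.attr32.nid;` truncates if ino_t is narrower than the token's node id (nid is 64-bit in OpenBSM, and ino_t was 32-bit on FreeBSD at the time), so distinct inodes can alias in the cache, and a record with several path or attr tokens (rename, link) pairs whichever of each came last because both assignments simply overwrite. The token loop starts before the hunk and bd's per-record initialization is not visible here, so the `!= 0` and `== NULL` guards rely on it being zeroed for every record.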
@@ -82,6 +82,7 @@ dp = malloc(sizeof(*dp)); if (dp == NULL) return (NULL); + dp->d_device = device; RB_INIT(&dp->d_btree); TAILQ_INSERT_HEAD(&cache_head, dp, d_glue); return (dp); @@ -104,14 +105,15 @@ } void -fache_add_entry(dev_t device, ino_t inode, char *pathname) +fcache_add_entry(dev_t device, ino_t inode, char *pathname) { struct dev_list *dp; struct fcache *fcp; + char *ret; - /* - * NB: We need an eviction strategy here. - */ + ret = fcache_search(device, inode); + if (ret != NULL) + return; dp = fcache_locate(device); if (dp == NULL) { (void) fprintf(stderr, "failed to allocate cache\n"); @@ -124,6 +126,7 @@ } fcp->f_inode = inode; fcp->f_pathname = strdup(pathname); - (void) RB_INSERT(btree, &dp->d_btree, fcp); + if (RB_INSERT(btree, &dp->d_btree, fcp) != 0) + printf("item already existed\n"); } ==== //depot/projects/trustedbsd/bsmtrace/fcache.h#3 (text+ko) ==== @@ -45,6 +45,6 @@ void fcache_destroy(void); void fcache_init(void); char *fcache_search(dev_t, ino_t); -void fache_add_entry(dev_t, ino_t, char *); +void fcache_add_entry(dev_t, ino_t, char *); #endif /* FCACHE_DOT_H_ */
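Review bot: In the third fcache.c hunk `fcp->f_pathname = strdup(pathname);` is still unchecked, so under allocation failure an entry with a NULL pathname is inserted and, with no eviction, stays for the life of the process; if fcache_search() returns f_pathname (not visible here) that entry then looks absent to the search-before-insert added in the second hunk, every later record for that key allocates another fcp and strdup, RB_INSERT rejects it, and both leak while "item already existed" goes to stdout rather than stderr like the other diagnostic in this function. Check the strdup result and free fcp on failure, and on an RB_INSERT collision free the rejected node and its string, sending the message (if it is kept) to stderr. The start of fcache_add_entry, including the fcp allocation, lies between the second and third hunks.
```c
	fcp->f_inode = inode;
	fcp->f_pathname = strdup(pathname);
	if (fcp->f_pathname == NULL) {
		(void) fprintf(stderr, "failed to allocate cache entry\n");
		free(fcp);
		return;
	}
	if (RB_INSERT(btree, &dp->d_btree, fcp) != NULL) {
		/* Key already present despite the search above; drop the duplicate. */
		(void) fprintf(stderr, "item already existed\n");
		free(fcp->f_pathname);
		free(fcp);
	}
}
```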