From owner-freebsd-security Thu Apr 15 13: 9:50 1999
To: Robert Watson
Cc: freebsd-security@freebsd.org
Subject: Re: POSIX.1E auditing support, an initial pass and some questions
In-reply-to: Your message of "Mon, 12 Apr 1999 09:39:31 EDT."
Date: Thu, 15 Apr 1999 21:11:31 +0200
Message-ID: <1779.924203491@critter.freebsd.dk>
From: Poul-Henning Kamp

>I had suspected (and observed) as much. What is the rationale behind
>having the name lookup pull the pathname into the kernel as opposed to
>using a copyin in the syscall and passing it in as an argument?
>Presumably someone, somewhere has to allocate space on the stack, and if
>it's done in the syscall function then more argument processing is done in
>one place? This would make at least a bit more available to an auditing
>layer in the syscall.

I think it is an old thing, conserving kernel memory. Indeed it may not make sense today where the vfs-name-cache is so much more efficient. Changing it may be a PITA.

>I'm not sure if you've had a chance to look at the POSIX.1e draft or my
>man pages for it. The man pages are online on my POSIX.1e page as part of
>the tarball containing the first pass. The API is completely documented,
>but I still have to document the audit event types and what they expect to
>be reported.

Sorry, no, time is a scarce resource for me these days...

--
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
FreeBSD -- It will take a long time before progress goes too far!