From: Uladzislau Rezki
Organization: SS
To: Robert Watson
Cc: freebsd-hackers@freebsd.org, Roman Divacky
Date: Mon, 18 Aug 2008 16:21:31 +0300
Subject: Re: textvp_fullpath

On 16 August 2008 01:09:39 Robert Watson wrote:
> On Fri, 15 Aug 2008, Uladzislau Rezki wrote:
> > We have to do a few things:
> >
> > 1) do original "write" sys call;
> > 2) get full path (/etc/passwd);
> > 3) put all this information to user land through the character device.
> >
> > I get stuck in point 2. I need to get full path, but how ...
>
> In FreeBSD 6.2 and higher, the kernel event auditing facility provides
> exactly this service already. Take a look at the auditpipe(4) facility for
> details of the run-time monitoring aspect of that.
>

Thank you, I haven't known about it before.

I looked through the source code of the "auditpipe", and found a function
called "canon_path" that obtains a full path using "vn_fullpath". This
function retrieves the full filesystem path that corresponds to a "vnode" from
cache, BUT just in case it is available within "namecache".

"textvp_fullpath" and "vn_fullpath" are not reliable.

Maybe I've skipped something while investigating auditpipe, but I found only
one place where they get the full path (audit_bsm_klib.c +483) and they use
"vn_fullpath".

Please correct me if I am not right.

Thank you in advance.

--
Uladzislau Rezki
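
Added example, not part of the original message and not FreeBSD source: a simplified userland model of the reverse name-cache walk the message attributes to "vn_fullpath", showing that one missing cache entry leaves a monitor with an error instead of a path. The names nc_entry, nc_find, nc_evict, model_fullpath and the vnode numbers are hypothetical and the cache contents are constructed.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Constructed model: each cache entry maps a vnode to (parent, name). */
struct nc_entry { int vp, dvp; const char *name; int valid; };
#define ROOT_VP 1
static struct nc_entry cache[] = { {2, ROOT_VP, "etc", 1}, {3, 2, "passwd", 1} };

static struct nc_entry *nc_find(int vp) {
    for (size_t i = 0; i < sizeof(cache) / sizeof(cache[0]); i++)
        if (cache[i].valid && cache[i].vp == vp)
            return &cache[i];
    return NULL;
}
void nc_evict(int vp) {                     /* as cache pressure would */
    struct nc_entry *e = nc_find(vp);
    if (e != NULL) e->valid = 0;
}

/* Walk from vp to the root, filling buf from its end backwards. Returns 0
 * and sets *out; ENOENT if a name is not cached; ENOMEM if buf is too small. */
int model_fullpath(int vp, char *buf, size_t len, char **out) {
    if (len < 2) return ENOMEM;
    char *p = buf + len - 1;
    *p = '\0';
    if (vp == ROOT_VP) *--p = '/';
    while (vp != ROOT_VP) {
        struct nc_entry *e = nc_find(vp);
        if (e == NULL) return ENOENT;       /* name not cached: no path */
        size_t n = strlen(e->name);
        if ((size_t)(p - buf) < n + 1) return ENOMEM;
        p -= n;
        memcpy(p, e->name, n);
        *--p = '/';
        vp = e->dvp;
    }
    *out = p;
    return 0;
}

int main(void) {
    char buf[64], *path;
    int err = model_fullpath(3, buf, sizeof(buf), &path);
    printf("cached:  %s\n", err ? strerror(err) : path);
    nc_evict(2);                            /* parent entry disappears */
    err = model_fullpath(3, buf, sizeof(buf), &path);
    printf("evicted: %s\n", err ? strerror(err) : path);
    return 0;
}
```

A monitor built on a lookup like this has to treat the error return as a normal outcome and record something else for the event, such as the path captured at open time.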