Date: Sun, 18 Jul 2010 21:00:16 +0300
From: Efstratios Karatzas <gpf.kira@gmail.com>
To: soc-status@freebsd.org, trustedbsd-audit@trustedbsd.org
Subject: Audit Kernel Events, weekly report #7
Message-ID: <AANLkTilZKimneeuLCMXAJFZTeVMA6_w1XoWolyZz9FOT@mail.gmail.com>
I spent this week going through my code, making notes & testing things; I spotted a few minor bugs and I just merged the fixes with perforce.

More importantly, I finished the pseudo-algorithm that solves the issue of handling multiple simultaneous audit records per kernel thread. It involves handling a tree-like data structure; this is a short description:

Every time we come across a new sec event inside the kernel (AUDIT_something_ENTER()), the tree grows (the new kaudit record is the child of the current kaudit record), we switch the auditing flag accordingly and the thread's td_ar now points to the new kaudit_record. When the event is finished (AUDIT_something_EXIT()), the auditing flag switches back to the value of our parent sec event and td_ar now points to the parent kaudit_record. If we exited the sec event that is the root of our tree, we commit the whole tree to the auditing daemon in preorder.

The only thing left to do is turn this into code. I've already begun working on this and I'm confident that it won't be long before there's a working version in perforce.

Thank you
--
Efstratios "GPF" Karatzas
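The following is an added illustration of the enter/exit tree scheme described in the report above; it is not code from the report or from the FreeBSD audit subsystem. The structures and function names (kaudit_record, thread_audit, td_ar, audit_enter, audit_exit, commit_log) are hypothetical stand-ins chosen for the example, and the "audit daemon" is replaced by an in-memory log that records the order in which records are committed, so the preorder property can be checked.

```c
#include <stdio.h>
#include <stdlib.h>

/*
 * Toy model of nested audit records per kernel thread. Names below are
 * hypothetical stand-ins, not FreeBSD's real kernel structures.
 */
struct kaudit_record {
	int event;                      /* event id for this record */
	int auditing;                   /* auditing flag in force for this event */
	struct kaudit_record *parent;   /* enclosing event, NULL for the root */
	struct kaudit_record *children; /* first child, in entry order */
	struct kaudit_record *last;     /* last child, for O(1) append */
	struct kaudit_record *next;     /* next sibling */
};

/* Per-thread audit state: td_ar is the record currently being built. */
struct thread_audit {
	struct kaudit_record *td_ar;
	int auditing;
};

/* Constructed stand-in for the audit daemon: records commit order. */
#define COMMIT_LOG_MAX 64
static int commit_log[COMMIT_LOG_MAX];
static int commit_count;

void commit_log_reset(void) { commit_count = 0; }
int commit_log_len(void) { return commit_count; }
int commit_log_at(int i) { return (i >= 0 && i < commit_count) ? commit_log[i] : -1; }

/* Preorder walk: commit this record, then each child subtree in order. */
static void commit_preorder(struct kaudit_record *ar)
{
	if (commit_count < COMMIT_LOG_MAX)
		commit_log[commit_count++] = ar->event;
	for (struct kaudit_record *c = ar->children; c != NULL; c = c->next)
		commit_preorder(c);
}

static void free_tree(struct kaudit_record *ar)
{
	struct kaudit_record *c = ar->children;
	while (c != NULL) {
		struct kaudit_record *n = c->next;
		free_tree(c);
		c = n;
	}
	free(ar);
}

/* AUDIT_something_ENTER(): grow the tree below td_ar, switch to the new record. */
int audit_enter(struct thread_audit *td, int event, int should_audit)
{
	struct kaudit_record *ar = calloc(1, sizeof(*ar));
	if (ar == NULL)
		return -1;
	ar->event = event;
	ar->auditing = should_audit;
	ar->parent = td->td_ar;
	if (td->td_ar != NULL) {             /* append as last child of current record */
		if (td->td_ar->last != NULL)
			td->td_ar->last->next = ar;
		else
			td->td_ar->children = ar;
		td->td_ar->last = ar;
	}
	td->td_ar = ar;
	td->auditing = should_audit;
	return 0;
}

/* AUDIT_something_EXIT(): pop back to the parent; at the root, commit the whole tree. */
int audit_exit(struct thread_audit *td)
{
	struct kaudit_record *ar = td->td_ar;
	if (ar == NULL)
		return -1;                       /* exit without a matching enter */
	td->td_ar = ar->parent;
	td->auditing = (ar->parent != NULL) ? ar->parent->auditing : 0;
	if (ar->parent == NULL) {
		commit_preorder(ar);
		free_tree(ar);
	}
	return 0;
}

/* Constructed scenario: event 1 contains 2, then 3 (not audited) which contains 4. */
int run_nested_scenario(void)
{
	struct thread_audit td = { NULL, 0 };
	commit_log_reset();
	audit_enter(&td, 1, 1);
	audit_enter(&td, 2, 1);
	audit_exit(&td);
	audit_enter(&td, 3, 0);
	audit_enter(&td, 4, 1);
	audit_exit(&td);                     /* flag falls back to event 3's value (0) */
	audit_exit(&td);
	audit_exit(&td);                     /* root exit: whole tree committed in preorder */
	return commit_count;
}

int main(void)
{
	int n = run_nested_scenario();
	for (int i = 0; i < n; i++)
		printf("committed event %d\n", commit_log_at(i));
	return 0;
}
```

Nothing reaches the commit log until the root event exits, which is the point of the scheme: records of nested events stay attached to their parent and are emitted together, in the order they were entered.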