Date: Sat, 26 Oct 2002 18:09:31 -0700 (PDT)
From: Nate Lawson <nate@root.org>
To: Maxim Sobolev <sobomax@FreeBSD.org>
Cc: jlemon@FreeBSD.org, hackers@FreeBSD.org, audit@FreeBSD.org
Subject: Re: New kevent types: NOTE_STARTEXEC and NOTE_STOPEXEC
Message-ID: <Pine.BSF.4.21.0210261715520.78755-100000@root.org>
In-Reply-To: <3DB79DFA.FA719B8F@FreeBSD.org>
On Thu, 24 Oct 2002, Maxim Sobolev wrote: > Please review the patch, which adds two new types of events - > NOTE_STARTEXEC and NOTE_STOPEXEC, that could be used to get > notification when the image starts or stops executing. For example, it > could be used to monitor that a daemon is up and running and notify > administrator when for some reason in exits. I am running this code > for more than a year now without any problems. > > Any comments and suggestions are welcome. Couldn't this just be done by init(8) and /etc/ttys? Or inetd? If you want to write your own, couldn't you use waitpid()? Or a kevent() of EVFILT_PROC with NOTE_EXIT/NOTE_FORK? I'm not sure I see the need for this. Comments below. > +.It NOTE_STOPEXEC > +Execution of the file referenced by the descriptor ended. Triggered > when > +the process associated with the file exited or was replaced with anoter > +image using > +.Xr execve 2 > +or simial syscall. The PID of the process is returned in ^^^^^ typo > Index: src/sys/sys/event.h > =================================================================== > RCS file: /home/ncvs/src/sys/sys/event.h,v > retrieving revision 1.21 > diff -d -u -r1.21 event.h > --- src/sys/sys/event.h 29 Jun 2002 19:14:52 -0000 1.21 > +++ src/sys/sys/event.h 24 Oct 2002 06:57:41 -0000 
> @@ -83,13 +83,15 @@ > /* > * data/hint flags for EVFILT_VNODE, shared with userspace > */ > -#define NOTE_DELETE 0x0001 /* vnode was removed */ > -#define NOTE_WRITE 0x0002 /* data contents changed */ > -#define NOTE_EXTEND 0x0004 /* size increased */ > -#define NOTE_ATTRIB 0x0008 /* attributes changed */ > -#define NOTE_LINK 0x0010 /* link count changed */ > -#define NOTE_RENAME 0x0020 /* vnode was renamed */ > -#define NOTE_REVOKE 0x0040 /* vnode access was revoked */ > +#define NOTE_DELETE 0x00100000 /* vnode was removed */ > +#define NOTE_WRITE 0x00200000 /* data contents changed */ > +#define NOTE_EXTEND 0x00400000 /* size increased */ > +#define NOTE_ATTRIB 0x00800000 /* attributes changed */ > +#define NOTE_LINK 0x01000000 /* link count changed */ > +#define NOTE_RENAME 0x02000000 /* vnode was renamed */ > +#define NOTE_REVOKE 0x04000000 /* vnode access was revoked */ > +#define NOTE_STARTEXEC 0x08000000 /* vnode was executed */ > +#define NOTE_STOPEXEC 0x10000000 /* vnode execution stopped */ > +/* Applies both to EVFILT_VNODE and EVFILT_PROC */ > #define NOTE_PDATAMASK 0x000fffff /* mask for pid */ I don't think we should burn our 32 bits on this. Since pids are 32 bits, this interface will fail unpredictably. > /* additional flags for EVFILT_PROC */ > Index: src/sys/kern/kern_exec.c > =================================================================== > RCS file: /home/ncvs/src/sys/kern/kern_exec.c,v > retrieving revision 1.193 > diff -d -u -r1.193 kern_exec.c > --- src/sys/kern/kern_exec.c 11 Oct 2002 21:04:01 -0000 1.193 > +++ src/sys/kern/kern_exec.c 24 Oct 2002 06:57:41 -0000 
> @@ -518,6 +518,8 @@ > * to locking the proc lock. > */ > textvp = p->p_textvp; > + if (textvp) > + VN_KNOTE(textvp, NOTE_STOPEXEC | p->p_pid); > p->p_textvp = ndp->ni_vp; Do these always stay an int or are there casts that could result in endian problems? >Index: src/sys/kern/kern_fork.c >=================================================================== >RCS file: /home/ncvs/src/sys/kern/kern_fork.c,v >retrieving revision 1.172 >diff -d -u -r1.172 kern_fork.c >--- src/sys/kern/kern_fork.c 18 Oct 2002 17:45:41 -0000 1.172 >+++ src/sys/kern/kern_fork.c 24 Oct 2002 06:58:03 -0000 >@@ -724,6 +724,8 @@ > * tell any interested parties about the new process > */ > KNOTE(&p1->p_klist, NOTE_FORK | p2->p_pid); >+ if (p2->p_textvp != NULL) >+ VN_KNOTE(p2->p_textvp, NOTE_STARTEXEC | p2->p_pid); > PROC_UNLOCK(p1); > > /* This shows my doubt for the need for this since the NOTE_FORK is immediately before your duplicate NOTE_STARTEXEC. -Nate To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message
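Review bot: In the manual page text added under .It NOTE_STOPEXEC, "anoter" should be "another" and "simial" should be "similar"; only the second is marked in the reply. "or a similar system call" would also read better than "or similar syscall".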
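Review bot: The event.h hunk renumbers NOTE_DELETE through NOTE_REVOKE, which the header's own comment describes as shared with userspace, so a binary built against the old values (0x0001 to 0x0040) would pass bits that now fall inside NOTE_PDATAMASK and would match none of the renumbered vnode flags. Keep the existing values and return the pid some other way, or state the ABI break explicitly in the change. With NOTE_PDATAMASK at 0x000fffff only 20 bits of pid survive, and only three bits of a 32-bit word remain above NOTE_STOPEXEC.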
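Review bot: In the kern_exec.c hunk, "NOTE_STOPEXEC | p->p_pid" ORs the pid into the hint without applying NOTE_PDATAMASK, so any pid bit above 0x000fffff would be read back by a consumer as one of the NOTE_* flags. Mask the pid or assert that it fits before the OR. As a style point, "if (textvp)" should be "if (textvp != NULL)" to match the test added in the kern_fork.c hunk.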
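Review bot: In the kern_fork.c hunk, the added VN_KNOTE() sits before PROC_UNLOCK(p1), so the vnode's knote list is walked with the parent's proc lock held. Either move the call after PROC_UNLOCK(p1) or add a comment saying why notifying vnode listeners under that lock is safe. The flag's comment in event.h says "vnode was executed", but here it fires on fork, so the documentation should say that a fork of a process running the image also raises NOTE_STARTEXEC.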
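Added example, not part of the original message or the patch: a user-space C sketch of the objection above to packing a pid into the same 32-bit word as the flags. The constants are copied from the quoted event.h hunk; the helper names are hypothetical, and a pid wider than 20 bits is an assumption made to show the failure.

```c
#include <stdint.h>
#include <stdio.h>

/* Values copied from the proposed event.h hunk quoted in the message. */
#define NOTE_DELETE     0x00100000u
#define NOTE_STOPEXEC   0x10000000u
#define NOTE_PDATAMASK  0x000fffffu   /* mask for pid */

/* Pack a hint the way the patch does: flag OR'ed with the raw pid. */
static uint32_t pack_hint(uint32_t flag, int32_t pid) { return flag | (uint32_t)pid; }

/* What a consumer recovers from the hint by applying the mask. */
static int32_t  hint_pid(uint32_t hint)   { return (int32_t)(hint & NOTE_PDATAMASK); }
static uint32_t hint_flags(uint32_t hint) { return hint & ~NOTE_PDATAMASK; }

/* 1 if the hint decodes back to exactly (flag, pid), 0 otherwise. */
static int roundtrips(uint32_t flag, int32_t pid)
{
    uint32_t h = pack_hint(flag, pid);
    return hint_pid(h) == pid && hint_flags(h) == flag;
}

/* Smallest positive pid whose hint no longer round-trips, or -1. */
static int32_t first_bad_pid(uint32_t flag)
{
    for (int32_t pid = 1; pid < INT32_MAX; pid++)
        if (!roundtrips(flag, pid))
            return pid;
    return -1;
}

/* Hardened variant (hypothetical helper): refuse pids that do not fit. */
static int pack_hint_checked(uint32_t flag, int32_t pid, uint32_t *out)
{
    if (pid < 0 || ((uint32_t)pid & ~NOTE_PDATAMASK) != 0)
        return -1;
    *out = flag | (uint32_t)pid;
    return 0;
}

int main(void)
{
    int32_t bad = first_bad_pid(NOTE_STOPEXEC);   /* constructed input */
    uint32_t h = pack_hint(NOTE_STOPEXEC, bad), safe = 0;

    printf("first pid that aliases: %d\n", (int)bad);
    printf("decoded pid=%d flags=0x%08x (NOTE_DELETE set: %s)\n",
        (int)hint_pid(h), (unsigned)hint_flags(h),
        (hint_flags(h) & NOTE_DELETE) ? "yes" : "no");
    printf("checked pack rejects it: %s\n",
        pack_hint_checked(NOTE_STOPEXEC, bad, &safe) == -1 ? "yes" : "no");
    return 0;
}
```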