PERFORCE change 98572 for review
Robert Watson
rwatson at FreeBSD.org
Mon Jun 5 08:43:56 PDT 2006
http://perforce.freebsd.org/chv.cgi?CH=98572
Change 98572 by rwatson at rwatson_zoo on 2006/06/05 15:41:59
Integrate TrustedBSD base branch to loop back various audit
changes:
- audit.4 -> audit.4 + auditpipe.4, documentation of preselection,
etc.
- Some auditing of mount-related arguments (only simple ones
merged).
- Use uma_zfree() on audit records.
Also merge:
- if_le works with vmware again
Affected files ...
.. //depot/projects/trustedbsd/base/lib/libc/i386/gen/_ctx_start.S#4 integrate
.. //depot/projects/trustedbsd/base/share/man/man4/Makefile#67 integrate
.. //depot/projects/trustedbsd/base/share/man/man4/audit.4#2 integrate
.. //depot/projects/trustedbsd/base/share/man/man4/auditpipe.4#1 branch
.. //depot/projects/trustedbsd/base/sys/dev/le/if_le_pci.c#3 integrate
.. //depot/projects/trustedbsd/base/sys/kern/vfs_mount.c#48 integrate
.. //depot/projects/trustedbsd/base/sys/security/audit/audit.c#7 integrate
Differences ...
==== //depot/projects/trustedbsd/base/lib/libc/i386/gen/_ctx_start.S#4 (text+ko) ====
@@ -25,7 +25,7 @@
*/
#include <machine/asm.h>
-__FBSDID("$FreeBSD: src/lib/libc/i386/gen/_ctx_start.S,v 1.3 2004/07/02 14:19:44 davidxu Exp $");
+__FBSDID("$FreeBSD: src/lib/libc/i386/gen/_ctx_start.S,v 1.4 2006/06/05 14:59:33 kib Exp $");
/*
* _ctx_start((void *func)(int arg1, ..., argn),
@@ -41,10 +41,11 @@
ENTRY(_ctx_start)
popl %eax /* get start function */
call *%eax /* call start function */
+ PIC_PROLOGUE
movl %esi, %esp /*
* setup stack for completion routine;
* ucp is now at top of stack
*/
- call _ctx_done /* should never return */
- call abort /* fubar */
+ call PIC_PLT(_ctx_done) /* should never return */
+ call PIC_PLT(abort) /* fubar */
ret
==== //depot/projects/trustedbsd/base/share/man/man4/Makefile#67 (text+ko) ====
@@ -1,5 +1,5 @@
# @(#)Makefile 8.1 (Berkeley) 6/18/93
-# $FreeBSD: src/share/man/man4/Makefile,v 1.351 2006/05/20 06:21:42 brueffer Exp $
+# $FreeBSD: src/share/man/man4/Makefile,v 1.352 2006/06/05 15:26:09 rwatson Exp $
MAN= aac.4 \
acpi.4 \
@@ -29,6 +29,7 @@
atkbd.4 \
atkbdc.4 \
audit.4 \
+ auditpipe.4 \
aue.4 \
awi.4 \
axe.4 \
==== //depot/projects/trustedbsd/base/share/man/man4/audit.4#2 (text+ko) ====
@@ -22,9 +22,9 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $FreeBSD: src/share/man/man4/audit.4,v 1.6 2006/02/06 20:27:00 rwatson Exp $
+.\" $FreeBSD: src/share/man/man4/audit.4,v 1.7 2006/06/05 15:26:09 rwatson Exp $
.\"
-.Dd February 6, 2006
+.Dd May 5, 2006
.Os
.Dt AUDIT 4
.Sh NAME
@@ -62,37 +62,11 @@
space conditions, and requests to terminate auditing.
This device is not intended for use by applications.
.Ss Audit Pipe Special Devices
-While audit trail files maintained by
-.Xr auditd 8
-provide a reliable long-term store for audit log information, current log
-files are owned by the audit daemon until terminated making them somewhat
-unwieldy for live montoring applications such as host-based intrusion
-detection.
-For example, the log may be cycled and new records written to a new file
-without notice to applications that may be accessing the file.
-.Pp
-The audit facility provides an audit pipe facility for applications requiring
-direct access to live BSM audit data for the purposes of real-time
-monitoring.
-Audit pipes are available via a clonable special device,
-.Pa /dev/auditpipe ,
-subject to the permissions on the device node, and provide a
-.Qq tee
-of the audit event stream.
-As the device is clonable, more than one instance of the device may be opened
-at a time; each device instance will provide access to all records.
-.Pp
-The audit pipe device provides discreet BSM audit records; if the read buffer
-passed by the application is too small to hold the next record in the
-sequence, it will be dropped.
-Unlike audit data written to the audit trail, the reliability of record
-delivery is not guaranteed.
-In particular, when an audit pipe queue fills, records will be dropped.
-Audit pipe devices are blocking by default, but support non-blocking I/O,
-asynchronous I/O using SIGIO, and support for polled operation via
-.Xr select 2
-and
-.Xr poll 2 .
+Audit pipe special devices, discussed in
+.Xr auditpipe 4 ,
+provide a configurable live tracking mechanism to allow applications to
+tee the audit trail, as well as to configure custom preselection paramaters
+to track users and events in a fine-grained manner.
.Sh SEE ALSO
.Xr auditreduce 1 ,
.Xr praudit 1 ,
@@ -106,6 +80,7 @@
.Xr setaudit 2 ,
.Xr setauid 2 ,
.Xr libbsm 3 ,
+.Xr auditpipe 4 ,
.Xr audit.log 5 ,
.Xr audit_class 5 ,
.Xr audit_control 5 ,
==== //depot/projects/trustedbsd/base/sys/dev/le/if_le_pci.c#3 (text+ko) ====
@@ -72,7 +72,7 @@
*/
#include <sys/cdefs.h>
-__FBSDID("$FreeBSD: src/sys/dev/le/if_le_pci.c,v 1.3 2006/05/16 21:04:01 marius Exp $");
+__FBSDID("$FreeBSD: src/sys/dev/le/if_le_pci.c,v 1.4 2006/06/05 15:14:14 marius Exp $");
#include <sys/param.h>
#include <sys/systm.h>
@@ -263,8 +263,16 @@
le_pci_hwreset(struct lance_softc *sc)
{
- /* Chip is stopped. Set software style to ILACC (32-bit). */
- le_pci_wrbcr(sc, LE_BCR20, LE_B20_SSTYLE_ILACC);
+ /*
+ * Chip is stopped. Set software style to PCnet-PCI (32-bit).
+ * Actually, am79900.c implements ILACC support (hence its
+ * name) but unfortunately VMware does not. As far as this
+ * driver is concerned that should not make a difference
+ * though, as the settings used have the same meaning for
+ * both, ILACC and PCnet-PCI (note that there would be a
+ * difference for the ADD_FCS/NO_FCS bit if used).
+ */
+ le_pci_wrbcr(sc, LE_BCR20, LE_B20_SSTYLE_PCNETPCI2);
}
static void
==== //depot/projects/trustedbsd/base/sys/kern/vfs_mount.c#48 (text+ko) ====
@@ -35,7 +35,7 @@
*/
#include <sys/cdefs.h>
-__FBSDID("$FreeBSD: src/sys/kern/vfs_mount.c,v 1.226 2006/06/02 20:29:02 pjd Exp $");
+__FBSDID("$FreeBSD: src/sys/kern/vfs_mount.c,v 1.227 2006/06/05 15:32:07 rwatson Exp $");
#include <sys/param.h>
#include <sys/conf.h>
@@ -63,6 +63,8 @@
#include <machine/stdarg.h>
+#include <security/audit/audit.h>
+
#include "opt_rootdevname.h"
#include "opt_ddb.h"
#include "opt_mac.h"
@@ -374,6 +376,8 @@
int error;
u_int iovcnt;
+ AUDIT_ARG(fflags, uap->flags);
+
/* Kick out MNT_ROOTFS early as it is legal internally */
if (uap->flags & MNT_ROOTFS)
return (EINVAL);
@@ -733,12 +737,15 @@
struct mntarg *ma = NULL;
int error;
+ AUDIT_ARG(fflags, uap->flags);
+
/* Kick out MNT_ROOTFS early as it is legal internally */
uap->flags &= ~MNT_ROOTFS;
fstype = malloc(MFSNAMELEN, M_TEMP, M_WAITOK);
error = copyinstr(uap->type, fstype, MFSNAMELEN, NULL);
if (!error) {
+ AUDIT_ARG(text, fstype);
mtx_lock(&Giant); /* XXX ? */
vfsp = vfs_byname_kld(fstype, td, &error);
mtx_unlock(&Giant);
@@ -826,7 +833,8 @@
/*
* Get vnode to be covered
*/
- NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF, UIO_SYSSPACE, fspath, td);
+ NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF | AUDITVNODE1, UIO_SYSSPACE,
+ fspath, td);
if ((error = namei(&nd)) != 0)
return (error);
NDFREE(&nd, NDF_ONLY_PNBUF);
@@ -1054,6 +1062,7 @@
free(pathbuf, M_TEMP);
return (error);
}
+ AUDIT_ARG(upath, td, pathbuf, ARG_UPATH1);
if (uap->flags & MNT_BYFSID) {
/* Decode the filesystem ID. */
if (sscanf(pathbuf, "FSID:%d:%d", &id0, &id1) != 2) {
==== //depot/projects/trustedbsd/base/sys/security/audit/audit.c#7 (text) ====
@@ -27,7 +27,7 @@
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
- * $FreeBSD: src/sys/security/audit/audit.c,v 1.15 2006/06/05 14:48:17 rwatson Exp $
+ * $FreeBSD: src/sys/security/audit/audit.c,v 1.16 2006/06/05 15:38:12 rwatson Exp $
*/
#include <sys/param.h>
@@ -395,7 +395,7 @@
mtx_lock(&audit_mtx);
audit_pre_q_len--;
mtx_unlock(&audit_mtx);
- uma_zfree(audit_record_zone, ar);
+ audit_free(ar);
return;
}
@@ -421,7 +421,7 @@
if (audit_suspended || !audit_enabled) {
audit_pre_q_len--;
mtx_unlock(&audit_mtx);
- uma_zfree(audit_record_zone, ar);
+ audit_free(ar);
return;
}
More information about the trustedbsd-cvs
mailing list