PERFORCE change 94185 for review

Tue Mar 28 17:49:51 UTC 2006

http://perforce.freebsd.org/chv.cgi?CH=94185

Change 94185 by rwatson at rwatson_zoo on 2006/03/28 17:48:17

	Clear the audit mask of the audit daemon on start.
	
	Hook up reap_children(), which was apparently not hooked up.  This
	should prevent large numbers of zombies from accumulating over
	time.

Affected files ...

.. //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.c#16 edit

Differences ...

==== //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.c#16 (text+ko) ====

@@ -30,7 +30,7 @@
  *
  * @APPLE_BSD_LICENSE_HEADER_END@
  *
- * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.c#15 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.c#16 $
  */
 
 #include <sys/types.h>
@@ -44,6 +44,7 @@
 #include <bsm/audit_uevents.h>
 #include <bsm/libbsm.h>
 
+#include <err.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <grp.h>
@@ -63,6 +64,7 @@
 static char	*lastfile = NULL;
 static int	 allhardcount = 0;
 static int	 triggerfd = 0;
+static int	 sigchlds, sigchlds_handled;
 static int	 sighups, sighups_handled;
 static int	 sigterms, sigterms_handled;
 static long	 global_flags;
@@ -422,6 +424,8 @@
 		sighups++;
 	if (signal == SIGTERM)
 		sigterms++;
+	if (signal == SIGCHLD)
+		sigchlds++;
 }
 
 /*
@@ -489,7 +493,6 @@
 	static int last_trigger;
 	static time_t last_time;
 	struct dir_ent *dirent;
-	int rc;
 
 	/*
 	 * Suppres duplicate messages from the kernel within the specified
@@ -595,6 +598,34 @@
 }
 
 /*
+ * Reap our children.
+ */
+static void
+reap_children(void)
+{
+	pid_t child;
+	int wstatus;
+
+	while ((child = waitpid(-1, &wstatus, WNOHANG)) > 0) {
+		if (!wstatus)
+			continue;
+		syslog(LOG_INFO, "warn process [pid=%d] %s %d.", child,
+		    ((WIFEXITED(wstatus)) ? "exited with non-zero status" :
+		    "exited as a result of signal"),
+		    ((WIFEXITED(wstatus)) ? WEXITSTATUS(wstatus) :
+		    WTERMSIG(wstatus)));
+	}
+}
+
+static void
+handle_sigchld(void)
+{
+
+	sigchlds_handled = sigchlds;
+	reap_children();
+}
+
+/*
  * Read the control file for triggers/signals and handle appropriately.
  */
 static int
@@ -613,6 +644,10 @@
 			syslog(LOG_DEBUG, "%s: SIGTERM", __FUNCTION__);
 			break;
 		}
+		if (sigchlds != sigchlds_handled) {
+			syslog(LOG_DEBUG, "%s: SIGCHLD", __FUNCTION__);
+			handle_sigchld();
+		}
 		if (sighups != sighups_handled) {
 			syslog(LOG_DEBUG, "%s: SIGHUP", __FUNCTION__);
 			handle_sighup();
@@ -633,26 +668,6 @@
 }
 
 /*
- * Reap our children.
- */
-static void
-reap_children(void)
-{
-	pid_t child;
-	int wstatus;
-
-	while ((child = waitpid(-1, &wstatus, WNOHANG)) > 0) {
-		if (!wstatus)
-			continue;
-		syslog(LOG_INFO, "warn process [pid=%d] %s %d.", child,
-		    ((WIFEXITED(wstatus)) ? "exited with non-zero status" :
-		    "exited as a result of signal"),
-		    ((WIFEXITED(wstatus)) ? WEXITSTATUS(wstatus) :
-		    WTERMSIG(wstatus)));
-	}
-}
-
-/*
  * Configure the audit controls in the kernel: the event to class mapping,
  * kernel preselection mask, etc.
  */
@@ -730,6 +745,7 @@
 static void
 setup(void)
 {
+	auditinfo_t auinfo;
 	int aufd;
 	token_t *tok;
 
@@ -738,6 +754,23 @@
 		fail_exit();
 	}
 
+	/*
+	 * To provide event feedback cycles and avoid auditd becoming
+	 * stalled if auditing is suspended, auditd and its children run
+	 * without their events being audited.  We allow the uid, tid, and
+	 * mask fields to be implicitly set to zero, but do set the pid.  We
+	 * run this after opening the trigger device to avoid configuring
+	 * audit state without audit present in the system.
+	 *
+	 * XXXRW: Is there more to it than this?
+	 */
+	bzero(&auinfo, sizeof(auinfo));
+	auinfo.ai_asid = getpid();
+	if (setaudit(&auinfo) == -1) {
+		syslog(LOG_ERR, "Error setting audit stat");
+		fail_exit();
+	}
+
 	TAILQ_INIT(&dir_q);
 	if (read_control_file() == -1) {
 		syslog(LOG_ERR, "Error reading control file");
