Commit Graph

677 Commits

Author SHA1 Message Date
trasz
048abafaf9 Get rid of VSTAT and replace it with VSTAT_PERMS, which is somewhat
better defined.

Approved by:	rwatson (mentor)
2009-03-29 17:45:48 +00:00
pjd
b67aabcdf8 - Correct logic in if statement - we want to allocate temporary buffer
when someone is passing new rules, not when he only want to read them.
  Because of this bug, even if the given rules were incorrect, they
  ended up in rule_string.
- Add missing protection for rule_string when coping it.

Reviewed by:	rwatson
MFC after:	1 week
2009-03-14 20:40:06 +00:00
rwatson
874a1578bb Rework MAC Framework synchronization in a number of ways in order to
improve performance:

- Eliminate custom reference count and condition variable to monitor
  threads entering the framework, as this had both significant overhead
  and behaved badly in the face of contention.

- Replace reference count with two locks: an rwlock and an sx lock,
  which will be read-acquired by threads entering the framework
  depending on whether a give policy entry point is permitted to sleep
  or not.

- Replace previous mutex locking of the reference count for exclusive
  access with write acquiring of both the policy list sx and rw locks,
  which occurs only when policies are attached or detached.

- Do a lockless read of the dynamic policy list head before acquiring
  any locks in order to reduce overhead when no dynamic policies are
  loaded; this a race we can afford to lose.

- For every policy entry point invocation, decide whether sleeping is
  permitted, and if not, use a _NOSLEEP() variant of the composition
  macros, which will use the rwlock instead of the sxlock.  In some
  cases, we decide which to use based on allocation flags passed to the
  MAC Framework entry point.

As with the move to rwlocks/rmlocks in pfil, this may trigger witness
warnings, but these should (generally) be false positives as all
acquisition of the locks is for read with two very narrow exceptions
for policy load/unload, and those code blocks should never acquire
other locks.

Sponsored by:	Google, Inc.
Obtained from:	TrustedBSD Project
Discussed with:	csjp (idea, not specific patch)
2009-03-14 16:06:06 +00:00
csjp
2173e9258f Mark the bsdextended rules sysctl as being mpsafe.
Discussed with:	rwatson
2009-03-09 17:42:18 +00:00
rwatson
e0bfbf5350 Add a new thread-private flag, TDP_AUDITREC, to indicate whether or
not there is an audit record hung off of td_ar on the current thread.
Test this flag instead of td_ar when auditing syscall arguments or
checking for an audit record to commit on syscall return.  Under
these circumstances, td_pflags is much more likely to be in the cache
(especially if there is no auditing of the current system call), so
this should help reduce cache misses in the system call return path.

MFC after:      1 week
Reported by:    kris
Obtained from:  TrustedBSD Project
2009-03-09 10:45:58 +00:00
rwatson
ae492d67e0 Remove 'uio' argument from MAC Framework and MAC policy entry points for
extended attribute get/set; in the case of get an uninitialized user
buffer was passed before the EA was retrieved, making it of relatively
little use; the latter was simply unused by any policies.

Obtained from:	TrustedBSD Project
Sponsored by:	Google, Inc.
2009-03-08 12:32:06 +00:00
rwatson
b6bad80651 Rename 'ucred' argument to mac_socket_check_bind() to 'cred' to match
other use of the same variable type.

Obtained from:	TrustedBSD Project
Sponsored by:	Google, Inc.
2009-03-08 12:22:00 +00:00
rwatson
5e4df03210 Improve the consistency of MAC Framework and MAC policy entry point
naming by renaming certain "proc" entry points to "cred" entry points,
reflecting their manipulation of credentials.  For some entry points,
the process was passed into the framework but not into policies; in
these cases, stop passing in the process since we don't need it.

  mac_proc_check_setaudit -> mac_cred_check_setaudit
  mac_proc_check_setaudit_addr -> mac_cred_check_setaudit_addr
  mac_proc_check_setauid -> mac_cred_check_setauid
  mac_proc_check_setegid -> mac_cred_check_setegid
  mac_proc_check_seteuid -> mac_cred_check_seteuid
  mac_proc_check_setgid -> mac_cred_check_setgid
  mac_proc_check_setgroups -> mac_cred_ceck_setgroups
  mac_proc_check_setregid -> mac_cred_check_setregid
  mac_proc_check_setresgid -> mac_cred_check_setresgid
  mac_proc_check_setresuid -> mac_cred_check_setresuid
  mac_proc_check_setreuid -> mac_cred_check_setreuid
  mac_proc_check_setuid -> mac_cred_check_setuid

Obtained from:	TrustedBSD Project
Sponsored by:	Google, Inc.
2009-03-08 10:58:37 +00:00
rwatson
25330cae20 Add static DTrace probes for MAC Framework access control checks and
privilege grants so that dtrace can be more easily used to monitor
the security decisions being generated by the MAC Framework following
policy invocation.

Successful access control checks will be reported by:

  mac_framework:kernel:<entrypoint>:mac_check_ok

Failed access control checks will be reported by:

  mac_framework:kernel:<entrypoint>:mac_check_err

Successful privilege grants will be reported by:

  mac_framework:kernel:priv_grant:mac_grant_ok

Failed privilege grants will be reported by:

  mac_framework:kernel:priv_grant:mac_grant_err

In all cases, the return value (always 0 for _ok, otherwise an errno
for _err) will be reported via arg0 on the probe, and subsequent
arguments will hold entrypoint-specific data, in a style similar to
privilege tracing.

Obtained from:	TrustedBSD Project
Sponsored by:	Google, Inc.
2009-03-08 00:50:37 +00:00
rwatson
0e49e1ce16 Reduce the verbosity of SDT trace points for DTrace by defining several
wrapper macros that allow trace points and arguments to be declared
using a single macro rather than several.  This means a lot less
repetition and vertical space for each trace point.

Use these macros when defining privilege and MAC Framework trace points.

Reviewed by:	jb
MFC after:	1 week
2009-03-03 17:15:05 +00:00
rwatson
ee5318d543 Merge OpenBSM 1.1 beta 1 from OpenBSM vendor branch to head, both
contrib/openbsm (svn merge) and src/sys/{bsm,security/audit} (manual
merge).

OpenBSM history for imported revision below for reference.

MFC after:      1 month
Sponsored by:   Apple, Inc.
Obtained from:  TrustedBSD Project

OpenBSM 1.1 beta 1

- The filesz parameter in audit_control(5) now accepts suffixes: 'B' for
  Bytes, 'K' for Kilobytes, 'M' for Megabytes, and 'G' for Gigabytes.
  For legacy support no suffix defaults to bytes.
- Audit trail log expiration support added.  It is configured in
  audit_control(5) with the expire-after parameter.  If there is no
  expire-after parameter in audit_control(5), the default, then the audit
  trail files are not expired and removed.  See audit_control(5) for
  more information.
- Change defaults in audit_control: warn at 5% rather than 20% free for audit
  partitions, rotate automatically at 2mb, and set the default policy to
  cnt,argv rather than cnt so that execve(2) arguments are captured if
  AUE_EXECVE events are audited.  These may provide more usable defaults for
  many users.
- Use au_domain_to_bsm(3) and au_socket_type_to_bsm(3) to convert
  au_to_socket_ex(3) arguments to BSM format.
- Fix error encoding AUT_IPC_PERM tokens.
2009-03-02 13:29:18 +00:00
kib
eb4f9da70c Use vm_map_entry_t instead of explicit struct vm_map_entry *.
Reviewed by:	alc
2009-02-24 20:27:48 +00:00
rwatson
1d82f9d188 Set the lower bound on queue size for an audit pipe to 1 instead of 0,
as an audit pipe with a queue length of 0 is less useful.

Obtained from:	TrustedBSD Project
Sponsored by:	Apple, Inc.
MFC after:	1 week
2009-02-08 15:38:31 +00:00
rwatson
3c9475069f Change various routines that are responsible for transforming audit
event IDs based on arguments to return au_event_t rather than int.

Obtained from:	TrustedBSD Project
Sponsored by:	Apple, Inc.
MFC after:	1 week
2009-02-08 14:39:35 +00:00
rwatson
0f48dc75aa Audit AUE_MAC_EXECVE; currently just the standard AUE_EXECVE arguments
and not the label.

Obtained from:	TrustedBSD Project
Sponsored by:	Apple, Inc.
MFC after:	1 week
2009-02-08 14:24:35 +00:00
rwatson
4349e4002b Audit the flag argument to the nfssvc(2) system call.
Obtained from:	TrustedBSD Project
Sponsored by:	Apple, Inc.
2009-02-08 14:04:08 +00:00
rwatson
8ee4f3581d Eliminate the local variable 'ape' in audit_pipe_kqread(), as it's only
used for an assertion that we don't really need anymore.

MFC after:	1 week
Reported by:	Christoph Mallon <christoph dot mallon at gmx dot de>
2009-02-04 19:56:37 +00:00
rwatson
73fa22c409 Use __FBSDID() for $FreeBSD$ version strings in .c files.
Obtained from:	TrustedBSD Project
MFC after:	3 days
2009-01-24 13:15:45 +00:00
rwatson
f6d46136a4 Begin to add SDT tracing of the MAC Framework: add policy modevent,
register, and unregister hooks that give access to the mac_policy_conf
for the policy.

Obtained from:	TrustedBSD Project
MFC after:	3 days
2009-01-24 10:57:32 +00:00
rwatson
d6a889ecb3 Update copyright, P4 version number as audit_bsm_token.c reflects changes
in bsm_token.c through #86 from OpenBSM.

MFC after:	1 month
Sponsored by:	Apple, Inc.
Obtained from:	TrustedBSD Project
2009-01-14 12:16:14 +00:00
rwatson
decd722669 Merge OpenBSM alpha 5 from OpenBSM vendor branch to head, both
contrib/openbsm (svn merge) and src/sys/{bsm,security/audit} (manual
merge).  Hook up bsm_domain.c and bsm_socket_type.c to the libbsm
build along with man pages, add audit_bsm_domain.c and
audit_bsm_socket_type.c to the kernel environment.

OpenBSM history for imported revisions below for reference.

MFC after:      1 month
Sponsored by:   Apple Inc.
Obtained from:  TrustedBSD Project

OpenBSM 1.1 alpha 5

- Stub libauditd(3) man page added.
- All BSM error number constants with BSM_ERRNO_.
- Interfaces to convert between local and BSM socket types and protocol
  families have been added: au_bsm_to_domain(3), au_bsm_to_socket_type(3),
  au_domain_to_bsm(3), and au_socket_type_to_bsm(3), along with definitions
  of constants in audit_domain.h and audit_socket_type.h.  This improves
  interoperability by converting local constant spaces, which vary by OS, to
  and from Solaris constants (where available) or OpenBSM constants for
  protocol domains not present in Solaris (a fair number).  These routines
  should be used when generating and interpreting extended socket tokens.
- Fix build warnings with full gcc warnings enabled on most supported
  platforms.
- Don't compile error strings into bsm_errno.c when building it in the kernel
  environment.
- When started by launchd, use the label com.apple.auditd rather than
  org.trustedbsd.auditd.
2009-01-14 10:44:16 +00:00
rwatson
5743072acf Rather than having MAC policies explicitly declare what object types
they label, derive that information implicitly from the set of label
initializers in their policy operations set.  This avoids a possible
class of programmer errors, while retaining the structure that
allows us to avoid allocating labels for objects that don't need
them.  As before, we regenerate a global mask of labeled objects
each time a policy is loaded or unloaded, stored in mac_labeled.

Discussed with:   csjp
Suggested by:     Jacques Vidrine <nectar at apple.com>
Obtained from:    TrustedBSD Project
Sponsored by:     Apple, Inc.
2009-01-10 10:58:41 +00:00
rwatson
aeaccdebe1 Use MPC_OBJECT_IP6Q to indicate labeling of struct ip6q rather than
MPC_OBJECT_IPQ; it was already defined, just not used.

Obtained from:	TrustedBSD Project
Sponsored by:	Apple, Inc.
2009-01-10 09:17:16 +00:00
rwatson
5d645da259 Do a lockless read of the audit pipe list before grabbing the audit pipe
lock in order to avoid the lock acquire hit if the pipe list is very
likely empty.

Obtained from:	TrustedBSD Project
MFC after:	3 weeks
Sponsored by:	Apple, Inc.
2009-01-06 14:15:38 +00:00
rwatson
2ea343a85e In AUDIT_SYSCALL_EXIT(), invoke audit_syscall_exit() only if an audit
record is active on the current thread--historically we may always
have wanted to enter the audit code if auditing was enabled, but now
we just commit the audit record so don't need to enter if there isn't
one.

Obtained from:	TrustedBSD Project
Sponsored by:	Apple, Inc.
2009-01-06 13:59:59 +00:00
rwatson
a5f7e7ad63 Fix white space botch: use carriage returns rather than tabs. 2008-12-31 23:22:45 +00:00
rwatson
23fc4ea35d Commit two files missed in previous commit: hook up audit_bsm_errno.c
and adapt for kernel build environment.

Obtained from:	TrustedBSD Project
Sponsored by:	Apple, Inc.
2008-12-31 13:56:31 +00:00
rwatson
353579890e Call au_errno_to_bsm() on the errno value passed into au_to_return32()
to convert local FreeBSD error numbers into BSM error numbers.

Obtained from:	TrustedBSD Project
2008-12-31 11:56:35 +00:00
rwatson
e52e71cb6e Merge OpenBSM alpha 4 from OpenBSM vendor branch to head, both
contrib/openbsm (svn merge) and src/sys/{bsm,security/audit} (manual
merge).  Add libauditd build parts and add to auditd's linkage;
force libbsm to build before libauditd.

OpenBSM history for imported revisions below for reference.

MFC after:      1 month
Sponsored by:   Apple Inc.
Obtained from:  TrustedBSD Project

OpenBSM 1.1 alpha 4

- With the addition of BSM error number mapping, we also need to map the
  local error number passed to audit_submit(3) to a BSM error number,
  rather than have the caller perform that conversion.
- Reallocate user audit events to avoid collisions with Solaris; adopt a
  more formal allocation scheme, and add some events allocated in Solaris
  that will be of immediate use on other platforms.
- Add an event for Calife.
- Add au_strerror(3), which allows generating strings for BSM errors
  directly, rather than requiring applications to map to the local error
  space, which might not be able to entirely represent the BSM error
  number space.
- Major auditd rewrite for launchd(8) support.  Add libauditd library
  that is shared between launchd and auditd.
- Add AUDIT_TRIGGER_INITIALIZE trigger (sent via 'audit -i') for
  (re)starting auditing under launchd(8) on Mac OS X.
- Add 'current' symlink to active audit trail.
- Add crash recovery of previous audit trail file when detected on audit
  startup that it has not been properly terminated.
- Add the event AUE_audit_recovery to indicated when an audit trail file
  has been recovered from not being properly terminated.  This event is
  stored in the new audit trail file and includes the path of recovered
  audit trail file.
- Mac OS X and FreeBSD dependent code in auditd.c is separated into
  auditd_darwin.c and auditd_fbsd.c files.
- Add an event for the posix_spawn(2) and fsgetpath(2) Mac OS X system
  calls.
- For Mac OS X, we use ASL(3) instead of syslog(3) for logging.
- Add support for NOTICE level logging.

OpenBSM 1.1 alpha 3

- Add two new functions, au_bsm_to_errno() and au_errno_to_bsm(), to map
  between BSM error numbers (largely the Solaris definitions) and local
  errno(2) values for 32-bit and 64-bit return tokens.  This is required
  as operating systems don't agree on some of the values of more recent
  error numbers.
- Fix a bug how au_to_exec_args(3) and au_to_exec_env(3) calculates the
  total size for the token.  This buge.
- Deprecated Darwin constants, such as TRAILER_PAD_MAGIC, removed.
2008-12-31 11:12:24 +00:00
alc
9e986ac16e Make preparations for resurrecting shared/read locks on vm maps:
mac_proc_vm_revoke_recurse() requests a read lock on the vm map at the start
but does not handle failure by vm_map_lock_upgrade() when it seeks to modify
the vm map.  At present, this works because all lock request on a vm map are
implemented as exclusive locks.  Thus, vm_map_lock_upgrade() is a no-op that
always reports success.  However, that is about to change, and
proc_vm_revoke_recurse() will require substantial modifications to handle
vm_map_lock_upgrade() failures.  For the time being, I am changing
mac_proc_vm_revoke_recurse() to request a write lock on the vm map at the
start.

Approved by:	rwatson
MFC after:	3 months
2008-12-22 17:32:52 +00:00
rwatson
0ac6f8ebdf Merge OpenBSM 1.1 alpha 2 from the OpenBSM vendor branch to head, both
contrib/openbsm (svn merge) and sys/{bsm,security/audit} (manual merge).

- Add OpenBSM contrib tree to include paths for audit(8) and auditd(8).
- Merge support for new tokens, fixes to existing token generation to
  audit_bsm_token.c.
- Synchronize bsm includes and definitions.

OpenBSM history for imported revisions below for reference.

MFC after:      1 month
Sponsored by:   Apple Inc.
Obtained from:  TrustedBSD Project

--

OpenBSM 1.1 alpha 2

- Include files in OpenBSM are now broken out into two parts: library builds
  required solely for user space, and system includes, which may also be
  required for use in the kernels of systems integrating OpenBSM.  Submitted
  by Stacey Son.
- Configure option --with-native-includes allows forcing the use of native
  include for system includes, rather than the versions bundled with OpenBSM.
  This is intended specifically for platforms that ship OpenBSM, have adapted
  versions of the system includes in a kernel source tree, and will use the
  OpenBSM build infrastructure with an unmodified OpenBSM distribution,
  allowing the customized system includes to be used with the OpenBSM build.
  Submitted by Stacey Son.
- Various strcpy()'s/strcat()'s have been changed to strlcpy()'s/strlcat()'s
  or asprintf().  Added compat/strlcpy.h for Linux.
- Remove compatibility defines for old Darwin token constant names; now only
  BSM token names are provided and used.
- Add support for extended header tokens, which contain space for information
  on the host generating the record.
- Add support for setting extended host information in the kernel, which is
  used for setting host information in extended header tokens.  The
  audit_control file now supports a "host" parameter which can be used by
  auditd to set the information; if not present, the kernel parameters won't
  be set and auditd uses unextended headers for records that it generates.

OpenBSM 1.1 alpha 1

- Add option to auditreduce(1) which allows users to invert sense of
  matching, such that BSM records that do not match, are selected.
- Fix bug in audit_write() where we commit an incomplete record in the
  event there is an error writing the subject token.  This was submitted
  by Diego Giagio.
- Build support for Mac OS X 10.5.1 submitted by Eric Hall.
- Fix a bug which resulted in host XML attributes not being arguments so
  that const strings can be passed as arguments to tokens.  This patch was
  submitted by Xin LI.
- Modify the -m option so users can select more then one audit event.
- For Mac OS X, added Mach IPC support for audit trigger messages.
- Fixed a bug in getacna() which resulted in a locking problem on Mac OS X.
- Added LOG_PERROR flag to openlog when -d option is used with auditd.
- AUE events added for Mac OS X Leopard system calls.
2008-12-02 23:26:43 +00:00
csjp
57cb697829 Partially roll back a revision which changed the error code being returned
by getaudit(2).  Some applications such has su, id will interpret E2BIG as
requiring the use of getaudit_addr(2) to pull extended audit state (ip6)
from the kernel.

This change un-breaks the ABI when auditing has been activated on a system
and the users are logged in via ip6.

This is a RELENG_7_1 candidate.

MFC after:	1 day
Discussed with:	rwatson
2008-11-30 19:58:03 +00:00
bz
d2730d5b27 MFp4:
Bring in updated jail support from bz_jail branch.

This enhances the current jail implementation to permit multiple
addresses per jail. In addtion to IPv4, IPv6 is supported as well.
Due to updated checks it is even possible to have jails without
an IP address at all, which basically gives one a chroot with
restricted process view, no networking,..

SCTP support was updated and supports IPv6 in jails as well.

Cpuset support permits jails to be bound to specific processor
sets after creation.

Jails can have an unrestricted (no duplicate protection, etc.) name
in addition to the hostname. The jail name cannot be changed from
within a jail and is considered to be used for management purposes
or as audit-token in the future.

DDB 'show jails' command was added to aid debugging.

Proper compat support permits 32bit jail binaries to be used on 64bit
systems to manage jails. Also backward compatibility was preserved where
possible: for jail v1 syscalls, as well as with user space management
utilities.

Both jail as well as prison version were updated for the new features.
A gap was intentionally left as the intermediate versions had been
used by various patches floating around the last years.

Bump __FreeBSD_version for the afore mentioned and in kernel changes.

Special thanks to:
- Pawel Jakub Dawidek (pjd) for his multi-IPv4 patches
  and Olivier Houchard (cognet) for initial single-IPv6 patches.
- Jeff Roberson (jeff) and Randall Stewart (rrs) for their
  help, ideas and review on cpuset and SCTP support.
- Robert Watson (rwatson) for lots and lots of help, discussions,
  suggestions and review of most of the patch at various stages.
- John Baldwin (jhb) for his help.
- Simon L. Nielsen (simon) as early adopter testing changes
  on cluster machines as well as all the testers and people
  who provided feedback the last months on freebsd-jail and
  other channels.
- My employer, CK Software GmbH, for the support so I could work on this.

Reviewed by:	(see above)
MFC after:	3 months (this is just so that I get the mail)
X-MFC Before:   7.2-RELEASE if possible
2008-11-29 14:32:14 +00:00
rwatson
7324e86507 Regularize /* FALLTHROUGH */ comments in the BSM event type switch, and
add one that was missing.

MFC after:	3 weeks
Coverity ID:	3960
2008-11-25 11:25:45 +00:00
rwatson
ea0b860502 When repeatedly accessing a thread credential, cache the credential
pointer in a local thread.  While this is unlikely to significantly
improve performance given modern compiler behavior, it makes the code
more readable and reduces diffs to the Mac OS X version of the same
code (which stores things in creds in the same way, but where the
cred for a thread is reached quite differently).

Discussed with: sson
MFC after:      1 month
Sponsored by:   Apple Inc.
Obtained from:	TrustedBSD Project
2008-11-14 01:24:52 +00:00
rwatson
dc70cf05d0 The audit queue limit variables are size_t, so use size_t for the audit
queue length variables as well, avoiding storing the limit in a larger
type than the length.

Submitted by:	sson
Sponsored by:	Apple Inc.
MFC after:	1 week
2008-11-13 00:21:01 +00:00
rwatson
9ae7e29525 Move audit-internal function definitions for getting and setting audit
kinfo state to audit_private.h.
2008-11-11 23:08:20 +00:00
rwatson
c87a276495 Minor style tweaks and change lock name string to use _'s and not spaces
to improve parseability.
2008-11-11 22:59:40 +00:00
csjp
91a570b2e4 Add support for extended header BSM tokens. Currently we use the
regular header tokens.  The extended header tokens contain an IP
or IPv6 address which makes it possible to identify which host an
audit record came from when audit records are centralized.

If the host information has not been specified, the system will
default to the old style headers.  Otherwise, audit records that
are created as a result of system calls will contain host information.

This implemented has been designed to be consistent with the Solaris
implementation.  Host information is set/retrieved using the A_GETKAUDIT
and A_SETKAUDIT auditon(2) commands.  These commands require that a
pointer to a auditinfo_addr_t object is passed.  Currently only IP and
IPv6 address families are supported.

The users pace bits associated with this change will follow in an
openbsm import.

Reviewed by:	rwatson, (sson, wsalamon (older version))
MFC after:	1 month
2008-11-11 21:57:03 +00:00
rwatson
1e366119d6 Wrap sx locking of the audit worker sleep lock in macros, update comments.
MFC after:	2 months
Sponsored by:	Apple, Inc.
2008-11-10 22:06:24 +00:00
jhb
fb34cedca4 Use shared vnode locks for auditing vnode arguments as auditing only
does a VOP_GETATTR() which does not require an exclusive lock.

Reviewed by:	csjp, rwatson
2008-11-04 22:31:04 +00:00
jhb
d4ebbe30ce Don't lock the vnode around calls to vn_fullpath().
Reviewed by:	csjp, rwatson
2008-11-04 22:30:24 +00:00
rwatson
20831b1f86 Update introductory comment for audit pipes.
MFC after:	2 months
Sponsored by:	Apple, Inc.
2008-11-02 00:25:48 +00:00
rwatson
368cc5044a Remove stale comment about filtering in audit pipe ioctl routine: we do
support filtering now, although we may want to make it more interesting
in the future.

MFC after:	2 months
Sponsored by:	Apple, Inc.
2008-11-02 00:18:19 +00:00
rwatson
3f0f3e5028 Add comment for per-pipe stats.
MFC after:	2 months
Sponsored by:	Apple, Inc.
2008-11-01 23:05:49 +00:00
rwatson
64f6525f93 We only allow a partial read of the first record in an audit pipe
record queue, so move the offset field from the per-record
audit_pipe_entry structure to the audit_pipe structure.

Now that we support reading more than one record at a time, add a
new summary field to audit_pipe, ap_qbyteslen, which tracks the
total number of bytes present in a pipe, and return that (minus
the current offset) via FIONREAD and kqueue's data variable for
the pending byte count rather than the number of bytes remaining
in only the first record.

Add a number of asserts to confirm that these counts and offsets
following the expected rules.

MFC after:	2 months
Sponsored by:	Apple, Inc.
2008-11-01 21:56:45 +00:00
rwatson
f8873b326d Allow a single read(2) system call on an audit pipe to retrieve data from
more than one audit record at a time in order to improve efficiency.

MFC after:	2 months
Sponsored by:	Apple, Inc.
2008-11-01 21:16:09 +00:00
rwatson
efc5b661a1 Since there is no longer the opportunity for record truncation, just
return 0 if the truncation counter is queried on an audit pipe.

MFC after:	2 months
Sponsored by:	Apple, Inc.
2008-10-31 15:11:01 +00:00
rwatson
6f79887fc5 Historically, /dev/auditpipe has allows only whole records to be read via
read(2), which meant that records longer than the buffer passed to read(2)
were dropped.  Instead take the approach of allowing partial reads to be
continued across multiple system calls more in the style of streaming
character device.

This means retaining a record on the per-pipe queue in a partially read
state, so maintain a current offset into the record.  Keep the record on
the queue during a read, so add a new lock, ap_sx, to serialize removal
of records from the queue by either read(2) or ioctl(2) requesting a pipe
flush.  Modify the kqueue handler to return bytes left in the current
record rather than simply the size of the current record.

It is now possible to use praudit, which used the standard FILE * buffer
sizes, to track much larger record sizes from /dev/auditpipe, such as
very long command lines to execve(2).

MFC after:	2 months
Sponsored by:	Apple, Inc.
2008-10-31 14:40:21 +00:00
rwatson
81bbfda754 When we drop an audit record going to and audit pipe because the audit
pipe has overflowed, drop the newest, rather than oldest, record.  This
makes overflow drop behavior consistent with memory allocation failure
leading to drop, avoids touching the consumer end of the queue from a
producer, and lowers the CPU overhead of dropping a record by dropping
before memory allocation and copying.

Obtained from:	Apple, Inc.
MFC after:	2 months
2008-10-30 23:09:19 +00:00