1/*- 2 * Copyright (c) 1999-2008 Apple Inc. 3 * Copyright (c) 2006-2008 Robert N. M. Watson 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: --- 15 unchanged lines hidden (view full) --- 24 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 25 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 26 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 27 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 28 * POSSIBILITY OF SUCH DAMAGE. 29 */ 30 31#include <sys/cdefs.h> |
32__FBSDID("$FreeBSD: head/sys/security/audit/audit_worker.c 241896 2012-10-22 17:50:54Z kib $"); |
33 34#include <sys/param.h> 35#include <sys/condvar.h> 36#include <sys/conf.h> 37#include <sys/file.h> 38#include <sys/filedesc.h> 39#include <sys/fcntl.h> 40#include <sys/ipc.h> --- 67 unchanged lines hidden (view full) --- 108static void 109audit_record_write(struct vnode *vp, struct ucred *cred, void *data, 110 size_t len) 111{ 112 static struct timeval last_lowspace_trigger; 113 static struct timeval last_fail; 114 static int cur_lowspace_trigger; 115 struct statfs *mnt_stat; |
116 int error; |
117 static int cur_fail; 118 struct vattr vattr; 119 long temp; 120 121 AUDIT_WORKER_LOCK_ASSERT(); 122 123 if (vp == NULL) 124 return; 125 126 mnt_stat = &vp->v_mount->mnt_stat; |
127 128 /* 129 * First, gather statistics on the audit log file and file system so 130 * that we know how we're doing on space. Consider failure of these 131 * operations to indicate a future inability to write to the file. 132 */ 133 error = VFS_STATFS(vp->v_mount, mnt_stat); 134 if (error) --- 117 unchanged lines hidden (view full) --- 252 if (audit_q_len == 0 && audit_pre_q_len == 0) { 253 VOP_LOCK(vp, LK_EXCLUSIVE | LK_RETRY); 254 (void)VOP_FSYNC(vp, MNT_WAIT, curthread); 255 VOP_UNLOCK(vp, 0); 256 panic("Audit store overflow; record queue drained."); 257 } 258 } 259 |
260 return; 261 262fail_enospc: 263 /* 264 * ENOSPC is considered a special case with respect to failures, as 265 * this can reflect either our preemptive detection of insufficient 266 * space, or ENOSPC returned by the vnode write call. 267 */ --- 14 unchanged lines hidden (view full) --- 282 */ 283 if (audit_panic_on_write_fail) { 284 VOP_LOCK(vp, LK_EXCLUSIVE | LK_RETRY); 285 (void)VOP_FSYNC(vp, MNT_WAIT, curthread); 286 VOP_UNLOCK(vp, 0); 287 panic("audit_worker: write error %d\n", error); 288 } else if (ppsratecheck(&last_fail, &cur_fail, 1)) 289 printf("audit_worker: write error %d\n", error); |
290} 291 292/* 293 * Given a kernel audit record, process as required. Kernel audit records 294 * are converted to one, or possibly two, BSM records, depending on whether 295 * there is a user audit record present also. Kernel records need be 296 * converted to BSM before they can be written out. Both types will be 297 * written to disk, and audit pipes. --- 145 unchanged lines hidden (view full) --- 443 * disabled. Any previous cred/vnode will be closed and freed. We re-enable 444 * generating rotation requests to auditd. 445 */ 446void 447audit_rotate_vnode(struct ucred *cred, struct vnode *vp) 448{ 449 struct ucred *old_audit_cred; 450 struct vnode *old_audit_vp; |
451 452 KASSERT((cred != NULL && vp != NULL) || (cred == NULL && vp == NULL), 453 ("audit_rotate_vnode: cred %p vp %p", cred, vp)); 454 455 /* 456 * Rotate the vnode/cred, and clear the rotate flag so that we will 457 * send a rotate trigger if the new file fills. 458 */ --- 5 unchanged lines hidden (view full) --- 464 audit_file_rotate_wait = 0; 465 audit_enabled = (audit_vp != NULL); 466 AUDIT_WORKER_UNLOCK(); 467 468 /* 469 * If there was an old vnode/credential, close and free. 470 */ 471 if (old_audit_vp != NULL) { |
472 vn_close(old_audit_vp, AUDIT_CLOSE_FLAGS, old_audit_cred, 473 curthread); |
474 crfree(old_audit_cred); 475 } 476} 477 478void 479audit_worker_init(void) 480{ 481 int error; 482 483 AUDIT_WORKER_LOCK_INIT(); 484 error = kproc_create(audit_worker, NULL, &audit_thread, RFHIGHPID, 485 0, "audit"); 486 if (error) 487 panic("audit_worker_init: kproc_create returned %d", error); 488} |
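Review bot: In audit_rotate_vnode (lines 472-473) the return value of `vn_close()` is discarded, so an error reported while closing the outgoing audit trail is silently lost. Elsewhere in this file write failures on the trail are treated as reportable (`printf("audit_worker: write error %d\n", error)` or a panic), and a close failure on the old trail arguably deserves the same visibility, since it can mean the final records never reached stable storage. Consider declaring a local `int error;` and using `error = vn_close(old_audit_vp, AUDIT_CLOSE_FLAGS, old_audit_cred, curthread);` followed by `if (error) printf("audit_rotate_vnode: close error %d\n", error);`. Whether the underlying file system can actually return an error here is not visible from this page, and lines 459-463 of the function are hidden, so confirm against the full source.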