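--- a/head/sys/security/audit/audit_worker.c
+++ b/head/sys/security/audit/audit_worker.c
@@ -1,8 +1,8 @@
 /*
  * Copyright (c) 1999-2005 Apple Computer, Inc.
  * Copyright (c) 2006 Robert N. M. Watson
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
@@ -22,17 +22,17 @@
  * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
  * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  * POSSIBILITY OF SUCH DAMAGE.
  *
- * $FreeBSD: head/sys/security/audit/audit_worker.c 159265 2006-06-05 14:09:59Z rwatson $
+ * $FreeBSD: head/sys/security/audit/audit_worker.c 159269 2006-06-05 14:48:17Z rwatson $
  */
 
 #include <sys/param.h>
 #include <sys/condvar.h>
 #include <sys/conf.h>
 #include <sys/file.h>
 #include <sys/filedesc.h>
 #include <sys/fcntl.h>
@@ -310,55 +310,77 @@
  * converted to BSM before they can be written out. Both types will be
  * written to disk, and audit pipes.
  */
 static void
 audit_worker_process_record(struct vnode *audit_vp, struct ucred *audit_cred,
  struct thread *audit_td, struct kaudit_record *ar)
 {
  struct au_record *bsm;
+ au_class_t class;
+ au_event_t event;
  int error, ret;
+ au_id_t auid;
+ int sorf;
 
- if (ar->k_ar_commit & AR_COMMIT_USER) {
+ if ((ar->k_ar_commit & AR_COMMIT_USER) &&
+ (ar->k_ar_commit & AR_PRESELECT_TRAIL)) {
  error = audit_record_write(audit_vp, audit_cred, audit_td,
  ar->k_udata, ar->k_ulen);
  if (error && audit_panic_on_write_fail)
  panic("audit_worker: write error %d\n", error);
  else if (error)
  printf("audit_worker: write error %d\n", error);
- audit_pipe_submit(ar->k_udata, ar->k_ulen);
  }
+ if ((ar->k_ar_commit & AR_COMMIT_USER) &&
+ (ar->k_ar_commit & AR_PRESELECT_PIPE))
+ audit_pipe_submit_user(ar->k_udata, ar->k_ulen);
 
- if (ar->k_ar_commit & AR_COMMIT_KERNEL) {
- ret = kaudit_to_bsm(ar, &bsm);
- switch (ret) {
- case BSM_NOAUDIT:
- break;
+ if (!(ar->k_ar_commit & AR_COMMIT_KERNEL))
+ return;
 
- case BSM_FAILURE:
- printf("audit_worker_process_record: BSM_FAILURE\n");
- break;
+ auid = ar->k_ar.ar_subj_auid;
+ event = ar->k_ar.ar_event;
+ class = au_event_class(event);
+ if (ar->k_ar.ar_errno == 0)
+ sorf = AU_PRS_SUCCESS;
+ else
+ sorf = AU_PRS_FAILURE;
 
- case BSM_SUCCESS:
- error = audit_record_write(audit_vp, audit_cred,
- audit_td, bsm->data, bsm->len);
- if (error && audit_panic_on_write_fail)
- panic("audit_worker: write error %d\n",
- error);
- else if (error)
- printf("audit_worker: write error %d\n",
- error);
- audit_pipe_submit(bsm->data, bsm->len);
- kau_free(bsm);
- break;
+ ret = kaudit_to_bsm(ar, &bsm);
+ switch (ret) {
+ case BSM_NOAUDIT:
+ return;
 
- default:
- panic("kaudit_to_bsm returned %d", ret);
- }
+ case BSM_FAILURE:
+ printf("audit_worker_process_record: BSM_FAILURE\n");
+ return;
+
+ case BSM_SUCCESS:
+ break;
+
+ default:
+ panic("kaudit_to_bsm returned %d", ret);
  }
+
+ if (ar->k_ar_commit & AR_PRESELECT_TRAIL) {
+ error = audit_record_write(audit_vp, audit_cred,
+ audit_td, bsm->data, bsm->len);
+ if (error && audit_panic_on_write_fail)
+ panic("audit_worker: write error %d\n",
+ error);
+ else if (error)
+ printf("audit_worker: write error %d\n",
+ error);
+ }
+ if (ar->k_ar_commit & AR_PRESELECT_PIPE)
+ audit_pipe_submit(auid, event, class, sorf,
+ ar->k_ar_commit & AR_PRESELECT_TRAIL, bsm->data,
+ bsm->len);
+ kau_free(bsm);
 }
 
 /*
  * The audit_worker thread is responsible for watching the event queue,
  * dequeueing records, converting them to BSM format, and committing them to
  * disk. In order to minimize lock thrashing, records are dequeued in sets
  * to a thread-local work queue. In addition, the audit_work performs the
  * actual exchange of audit log vnode pointer, as audit_vp is a thread-local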
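Review bot: In audit_worker_process_record, a record whose k_ar_commit carries AR_COMMIT_USER or AR_COMMIT_KERNEL but neither AR_PRESELECT_TRAIL nor AR_PRESELECT_PIPE is now discarded silently, whereas the old code always wrote it to the trail. The code that sets these flags is outside this diff, so presumably the commit path guarantees at least one of them. Stating that invariant at the top of the function would make an accidental loss of audit records visible, e.g. `KASSERT(ar->k_ar_commit & (AR_PRESELECT_TRAIL | AR_PRESELECT_PIPE), ("audit_worker_process_record: record not preselected"));`. The header comment still says both record types "will be written to disk, and audit pipes", which no longer holds; it should say that each record goes to the trail, the pipes, or both, according to its preselection flags.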