K 10
svn:author
V 3
pjd
K 8
svn:date
V 27
2012-12-16T23:41:34.357719Z
K 7
svn:log
V 2714
MFC r243719,r243720,r243722,r243723,r243726,r243727,r243746:

r243719:

IFp4 @208450:

Remove redundant call to AUDIT_ARG_UPATH1().
Path will be remembered by the following NDINIT(AUDITVNODE1) call.

Sponsored by:	The FreeBSD Foundation (auditdistd)

r243720:

IFp4 @208381:

For VOP_GETATTR() we just need vnode to be shared-locked.

Sponsored by:	The FreeBSD Foundation (auditdistd)

r243722:

IFp4 @208382:

Currently on each record write we call VFS_STATFS() to get available space
on the file system as well as VOP_GETATTR() to get trail file size.

We can assume that trail file is only updated by the audit worker, so instead
of asking for file size on every write, get file size on trail switch only
(it should be zero, but it's not expensive) and use global variable audit_size
protected by the audit worker lock to keep track of trail file's size.

This eliminates VOP_GETATTR() call for every write. VFS_STATFS() is satisfied
from in-memory data (mount->mnt_stat), so shouldn't be expensive.

Sponsored by:	The FreeBSD Foundation (auditdistd)

r243723:

IFp4 @208383:

Currently when we discover that trail file is greater than configured
limit we send AUDIT_TRIGGER_ROTATE_KERNEL trigger to the auditd daemon
once. If for some reason auditd didn't rotate trail file it will never
be rotated.

Change it by sending the trigger when trail file size grows by the
configured limit. For example if the limit is 1MB, we will send trigger
on 1MB, 2MB, 3MB, etc.

This is also needed for the auditd change that will be committed soon
where auditd may ignore the trigger - it might be ignored if kernel
requests the trail file to be rotated too quickly (often than once a second)
which would result in overwriting previous trail file.

Sponsored by:	The FreeBSD Foundation (auditdistd)

r243726:

IFp4 @208451:

Fix path handling for *at() syscalls.

Before the change directory descriptor was totally ignored,
so the relative path argument was appended to current working
directory path and not to the path provided by descriptor, thus
wrong paths were stored in audit logs.

Now that we use directory descriptor in vfs_lookup, move
AUDIT_ARG_UPATH1() and AUDIT_ARG_UPATH2() calls to the place where
we hold file descriptors table lock, so we are sure paths will
be resolved according to the same directory in audit record and
in actual operation.

Sponsored by:	The FreeBSD Foundation (auditdistd)
Reviewed by:	rwatson

r243727:

IFp4 @208452:

Audit handling for missing events:
- AUE_READLINKAT
- AUE_FACCESSAT
- AUE_MKDIRAT
- AUE_MKFIFOAT
- AUE_MKNODAT
- AUE_SYMLINKAT

Sponsored by:	FreeBSD Foundation (auditdistd)

r243746:

Fix one more compilation issue.

Sponsored by:	FreeBSD Foundation (auditdistd)

END