From ed708e1f7f29647ea2f9192d2ec2c65895a6d459 Mon Sep 17 00:00:00 2001 From: Robert Watson Date: Sun, 19 Mar 2006 15:36:10 +0000 Subject: [PATCH] Merge Perforce change 93506 from TrustedBSD audit3 branch: Add ioctls to audit pipes in order to allow querying of the current record queue state, setting of the queue limit, and querying of pipe statistics. Obtained from: TrustedBSD Project --- sys/security/audit/audit_ioctl.h | 53 ++++++++++++++++++++++++++++++++ sys/security/audit/audit_pipe.c | 47 ++++++++++++++++++++++++++-- 2 files changed, 98 insertions(+), 2 deletions(-) create mode 100644 sys/security/audit/audit_ioctl.h diff --git a/sys/security/audit/audit_ioctl.h b/sys/security/audit/audit_ioctl.h new file mode 100644 index 000000000000..0826836f4b34 --- /dev/null +++ b/sys/security/audit/audit_ioctl.h @@ -0,0 +1,53 @@ +/*- + * Copyright (c) 2006 Robert N. M. Watson + * All rights reserved. + * + * This software was developed by Robert Watson for the TrustedBSD Project. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD$ + */ + +#ifndef _SECURITY_AUDIT_AUDIT_IOCTL_H_ +#define _SECURITY_AUDIT_AUDIT_IOCTL_H_ + +#define AUDITPIPE_IOBASE 'A' + +/* + * Ioctls to read and control the behavior of individual audit pipe devices. + */ +#define AUDITPIPE_GET_QLEN _IOR(AUDITPIPE_IOBASE, 1, u_int) +#define AUDITPIPE_GET_QLIMIT _IOR(AUDITPIPE_IOBASE, 2, u_int) +#define AUDITPIPE_SET_QLIMIT _IOW(AUDITPIPE_IOBASE, 3, u_int) +#define AUDITPIPE_GET_QLIMIT_MIN _IOR(AUDITPIPE_IOBASE, 4, u_int) +#define AUDITPIPE_GET_QLIMIT_MAX _IOR(AUDITPIPE_IOBASE, 5, u_int) + +/* + * Ioctls to retrieve audit pipe statistics. + */ +#define AUDITPIPE_GET_INSERTS _IOR(AUDITPIPE_IOBASE, 100, u_int64_t) +#define AUDITPIPE_GET_READS _IOR(AUDITPIPE_IOBASE, 101, u_int64_t) +#define AUDITPIPE_GET_DROPS _IOR(AUDITPIPE_IOBASE, 102, u_int64_t) +#define AUDITPIPE_GET_TRUNCATES _IOR(AUDITPIPE_IOBASE, 103, u_int64_t) + +#endif /* _SECURITY_AUDIT_AUDIT_IOCTL_H_ */ diff --git a/sys/security/audit/audit_pipe.c b/sys/security/audit/audit_pipe.c index 73da682ee776..2514a8aa5f55 100644 --- a/sys/security/audit/audit_pipe.c +++ b/sys/security/audit/audit_pipe.c @@ -48,6 +48,7 @@ #include #include +#include #include /* @@ -68,6 +69,7 @@ static MALLOC_DEFINE(M_AUDIT_PIPE_ENTRY, "audit_pipeent", * Audit pipe buffer parameters. */ #define AUDIT_PIPE_QLIMIT_DEFAULT (32) +#define AUDIT_PIPE_QLIMIT_MIN (0) #define AUDIT_PIPE_QLIMIT_MAX (1024) /* @@ -379,8 +381,8 @@ audit_pipe_close(struct cdev *dev, int fflag, int devtype, struct thread *td) } /* - * Audit pipe ioctl() routine. Nothing for now, but eventually will allow - * setting and retrieval of current queue depth, queue limit, flush, etc. + * Audit pipe ioctl() routine. Handle file descriptor and audit pipe layer + * commands. * * Would be desirable to support filtering, although perhaps something simple * like an event mask, as opposed to something complicated like BPF. @@ -433,6 +435,47 @@ audit_pipe_ioctl(struct cdev *dev, u_long cmd, caddr_t data, int flag, case FIOGETOWN: *(int *)data = fgetown(&ap->ap_sigio); error = 0; + break; + + case AUDITPIPE_GET_QLEN: + *(u_int *)data = ap->ap_qlen; + error = 0; + break; + + case AUDITPIPE_GET_QLIMIT: + *(u_int *)data = ap->ap_qlimit; + error = 0; + break; + + case AUDITPIPE_SET_QLIMIT: + /* Lockless integer write. */ + if (*(u_int *)data >= AUDIT_PIPE_QLIMIT_MIN || + *(u_int *)data <= AUDIT_PIPE_QLIMIT_MAX) { + ap->ap_qlimit = *(u_int *)data; + error = 0; + } else + error = EINVAL; + break; + + case AUDITPIPE_GET_INSERTS: + *(u_int *)data = ap->ap_inserts; + error = 0; + break; + + case AUDITPIPE_GET_READS: + *(u_int *)data = ap->ap_reads; + error = 0; + break; + + case AUDITPIPE_GET_DROPS: + *(u_int *)data = ap->ap_drops; + error = 0; + break; + + case AUDITPIPE_GET_TRUNCATES: + *(u_int *)data = ap->ap_truncates; + error = 0; + break; default: error = ENOTTY;