From owner-freebsd-audit Sun Oct 27 0:50:56 2002
Delivered-To: freebsd-audit@freebsd.org
Date: Sun, 27 Oct 2002 09:50:43 +0200
From: Maxim Sobolev
To: Nate Lawson
Cc: jlemon@FreeBSD.ORG, hackers@FreeBSD.ORG, audit@FreeBSD.ORG
Subject: Re: New kevent types: NOTE_STARTEXEC and NOTE_STOPEXEC
Message-ID: <20021027075043.GA36533@vega.vega.com>
References: <3DB79DFA.FA719B8F@FreeBSD.org>

On Sat, Oct 26, 2002 at 06:09:31PM -0700, Nate Lawson wrote:
> On Thu, 24 Oct 2002, Maxim Sobolev wrote:
> > Please review the patch, which adds two new types of events -
> > NOTE_STARTEXEC and NOTE_STOPEXEC, that could be used to get
> > notification when the image starts or stops executing. For example, it
> > could be used to monitor that a daemon is up and running and notify the
> > administrator when for some reason it exits. I am running this code
> > for more than a year now without any problems.
> >
> > Any comments and suggestions are welcome.
>
> Couldn't this just be done by init(8) and /etc/ttys? Or inetd? If you
> want to write your own, couldn't you use waitpid()? Or a kevent() of
> EVFILT_PROC with NOTE_EXIT/NOTE_FORK? I'm not sure I see the need for
> this.

EVFILT_PROC operates on pids, while NOTE_{START,STOP}EXEC operate on vnodes - it is the main difference. Currently, you can't reliably get a notification when the kernel started executing some arbitrary executable from your fs.

> Comments below.
>
> > +.It NOTE_STOPEXEC
> > +Execution of the file referenced by the descriptor ended. Triggered
> > when
> > +the process associated with the file exited or was replaced with anoter
> > +image using
> > +.Xr execve 2
> > +or simial syscall. The PID of the process is returned in
>     ^^^^^
> typo

OK, fixed.
> > Index: src/sys/sys/event.h
> > ===================================================================
> > RCS file: /home/ncvs/src/sys/sys/event.h,v
> > retrieving revision 1.21
> > diff -d -u -r1.21 event.h
> > --- src/sys/sys/event.h 29 Jun 2002 19:14:52 -0000 1.21
> > +++ src/sys/sys/event.h 24 Oct 2002 06:57:41 -0000
> > @@ -83,13 +83,15 @@
> > /*
> > * data/hint flags for EVFILT_VNODE, shared with userspace
> > */
> > -#define NOTE_DELETE 0x0001 /* vnode was removed */
> > -#define NOTE_WRITE 0x0002 /* data contents changed */
> > -#define NOTE_EXTEND 0x0004 /* size increased */
> > -#define NOTE_ATTRIB 0x0008 /* attributes changed */
> > -#define NOTE_LINK 0x0010 /* link count changed */
> > -#define NOTE_RENAME 0x0020 /* vnode was renamed */
> > -#define NOTE_REVOKE 0x0040 /* vnode access was revoked */
> > +#define NOTE_DELETE 0x00100000 /* vnode was removed */
> > +#define NOTE_WRITE 0x00200000 /* data contents changed */
> > +#define NOTE_EXTEND 0x00400000 /* size increased */
> > +#define NOTE_ATTRIB 0x00800000 /* attributes changed */
> > +#define NOTE_LINK 0x01000000 /* link count changed */
> > +#define NOTE_RENAME 0x02000000 /* vnode was renamed */
> > +#define NOTE_REVOKE 0x04000000 /* vnode access was revoked */
> > +#define NOTE_STARTEXEC 0x08000000 /* vnode was executed */
> > +#define NOTE_STOPEXEC 0x10000000 /* vnode execution stopped */
> > +/* Applies both to EVFILT_VNODE and EVFILT_PROC */
> > #define NOTE_PDATAMASK 0x000fffff /* mask for pid */
>
> I don't think we should burn our 32 bits on this. Since pids are 32 bits,
> this interface will fail unpredictably.

This is no different from the current situation and doesn't add any new breakage. All EVFILT_PROC are currently limited to 16-bit pids only. Of course this misbehaviour should be fixed eventually, but it wasn't the purpose of this patch.

> > /* additional flags for EVFILT_PROC */
> > Index: src/sys/kern/kern_exec.c
> > ===================================================================
> > RCS file: /home/ncvs/src/sys/kern/kern_exec.c,v
> > retrieving revision 1.193
> > diff -d -u -r1.193 kern_exec.c
> > --- src/sys/kern/kern_exec.c 11 Oct 2002 21:04:01 -0000 1.193
> > +++ src/sys/kern/kern_exec.c 24 Oct 2002 06:57:41 -0000
> > @@ -518,6 +518,8 @@
> > * to locking the proc lock.
> > */
> > textvp = p->p_textvp;
> > + if (textvp)
> > + VN_KNOTE(textvp, NOTE_STOPEXEC | p->p_pid);
> > p->p_textvp = ndp->ni_vp;
>
> Do these always stay an int or are there casts that could result in endian
> problems?
>
> >Index: src/sys/kern/kern_fork.c
> >===================================================================
> >RCS file: /home/ncvs/src/sys/kern/kern_fork.c,v
> >retrieving revision 1.172
> >diff -d -u -r1.172 kern_fork.c
> >--- src/sys/kern/kern_fork.c 18 Oct 2002 17:45:41 -0000 1.172
> >+++ src/sys/kern/kern_fork.c 24 Oct 2002 06:58:03 -0000
> >@@ -724,6 +724,8 @@
> > * tell any interested parties about the new process
> > */
> > KNOTE(&p1->p_klist, NOTE_FORK | p2->p_pid);
> >+ if (p2->p_textvp != NULL)
> >+ VN_KNOTE(p2->p_textvp, NOTE_STARTEXEC | p2->p_pid);
> > PROC_UNLOCK(p1);
> >
> > /*
>
> This shows my doubt for the need for this since the NOTE_FORK is immediately
> before your duplicate NOTE_STARTEXEC.

Again, they apply to different types of objects - NOTE_FORK is for pids, while NOTE_STARTEXEC is for vnodes.

-Maxim
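Review bot: in the event.h hunk, NOTE_DELETE through NOTE_REVOKE are renumbered from 0x0001..0x0040 to 0x00100000..0x04000000 even though the comment directly above them says these hints are "shared with userspace", so any program already compiled against the old values will register for and decode the wrong vnode hints after this change; at minimum the old and new layouts need a compatibility note in event.h and in the kqueue(2) man page, and the added "Applies both to EVFILT_VNODE and EVFILT_PROC" comment should state that NOTE_PDATAMASK now leaves only bits 20..31 for vnode flags, since that is what forced the move.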
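Review bot: in the kern_exec.c hunk, `VN_KNOTE(textvp, NOTE_STOPEXEC | p->p_pid);` ORs the raw pid into the hint word without masking it with NOTE_PDATAMASK, so a pid with any bit above bit 19 set lands in the flag field and is reported as a different note (or as several at once); masking the pid or adding a KASSERT against NOTE_PDATAMASK at this line would make the overflow visible rather than silent. The `if (textvp)` test is also inconsistent with the `!= NULL` comparison used for the same check in the kern_fork.c hunk.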
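Review bot: in the kern_fork.c hunk, raising NOTE_STARTEXEC from fork means every child of a forking daemon produces a STARTEXEC on the same text vnode although no new image was executed, so the man page addition quoted earlier ("vnode was executed") should say that fork also triggers it; the `NOTE_STARTEXEC | p2->p_pid` packing has the same unmasked-pid problem as kern_exec.c, and since the preceding `KNOTE(&p1->p_klist, NOTE_FORK | p2->p_pid);` has the same shape, a shared macro for building the hint word would keep the three sites consistent.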
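Nate's objection about pids wider than the 20-bit NOTE_PDATAMASK field can be checked directly. The following is an added example, not code from the patch or from FreeBSD: it reproduces the three constants from the event.h hunk in plain C, packs a pid the way `VN_KNOTE(textvp, NOTE_STOPEXEC | p->p_pid)` does, and shows how an unmasked pid corrupts the flag bits on decode (NOTE_HINTMASK, pack_hint, pid_fits and round_trips are names assumed here, and the pids are constructed values).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hint-word layout copied from the event.h hunk under review. */
#define NOTE_STARTEXEC 0x08000000u /* vnode was executed */
#define NOTE_STOPEXEC  0x10000000u /* vnode execution stopped */
#define NOTE_PDATAMASK 0x000fffffu /* mask for pid */
/* Assumed name: the bits left for flags once the pid field is removed. */
#define NOTE_HINTMASK  (~NOTE_PDATAMASK)

/* Build the hint word exactly as the patch does: flag | pid, unmasked. */
static uint32_t pack_hint(uint32_t flag, int32_t pid)
{
    return flag | (uint32_t)pid;
}

/* True when the pid fits in the 20 bits that NOTE_PDATAMASK reserves. */
static bool pid_fits(int32_t pid)
{
    return pid >= 0 && ((uint32_t)pid & NOTE_HINTMASK) == 0;
}

/* What a userspace kevent() consumer reads back from the data word. */
static int32_t hint_pid(uint32_t data)
{
    return (int32_t)(data & NOTE_PDATAMASK);
}

static uint32_t hint_flags(uint32_t data)
{
    return data & NOTE_HINTMASK;
}

/* True when packing and decoding return the original flag and pid. */
static bool round_trips(uint32_t flag, int32_t pid)
{
    uint32_t data = pack_hint(flag, pid);
    return hint_pid(data) == pid && hint_flags(data) == flag;
}

int main(void)
{
    int32_t small = 1234;            /* constructed: fits in 20 bits */
    int32_t wide = (int32_t)0x08000001; /* constructed: bit 27 set */
    printf("pid %d fits: %d, round trip: %d\n", small, pid_fits(small),
           round_trips(NOTE_STOPEXEC, small));
    printf("pid %d fits: %d, round trip: %d, decoded flags 0x%08x\n", wide,
           pid_fits(wide), round_trips(NOTE_STOPEXEC, wide),
           hint_flags(pack_hint(NOTE_STOPEXEC, wide)));
    return 0;
}
```

The wide pid decodes with both NOTE_STOPEXEC and NOTE_STARTEXEC set and a pid of 1, which is the unpredictable failure Nate describes.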