Date:      Sun, 27 Oct 2002 09:50:43 +0200
From:      Maxim Sobolev <sobomax@FreeBSD.ORG>
To:        Nate Lawson <nate@root.org>
Cc:        jlemon@FreeBSD.ORG, hackers@FreeBSD.ORG, audit@FreeBSD.ORG
Subject:   Re: New kevent types: NOTE_STARTEXEC and NOTE_STOPEXEC
Message-ID:  <20021027075043.GA36533@vega.vega.com>
In-Reply-To: <Pine.BSF.4.21.0210261715520.78755-100000@root.org>
References:  <3DB79DFA.FA719B8F@FreeBSD.org> <Pine.BSF.4.21.0210261715520.78755-100000@root.org>

On Sat, Oct 26, 2002 at 06:09:31PM -0700, Nate Lawson wrote:
> On Thu, 24 Oct 2002, Maxim Sobolev wrote:
> > Please review the patch, which adds two new types of events -
> > NOTE_STARTEXEC and NOTE_STOPEXEC, that could be used to get
> > notification when the image starts or stops executing. For example, it
> > could be used to monitor that a daemon is up and running and notify
> > the administrator when for some reason it exits. I am running this code
> > for more than a year now without any problems.
> > 
> > Any comments and suggestions are welcome.
> 
> Couldn't this just be done by init(8) and /etc/ttys?  Or inetd?  If you
> want to write your own, couldn't you use waitpid()?  Or a kevent() of
> EVFILT_PROC with NOTE_EXIT/NOTE_FORK?  I'm not sure I see the need for
> this.

EVFILT_PROC operates on pids, while NOTE_{START,STOP}EXEC operate on
vnodes - it is the main difference. Currently, you can't reliably
get a notification when the kernel started executing some arbitrary
executable from your fs.

> Comments below.
> 
> > +.It NOTE_STOPEXEC
> > +Execution of the file referenced by the descriptor ended.  Triggered
> > when
> > +the process associated with the file exited or was replaced with anoter
> > +image using
> > +.Xr execve 2
> > +or simial syscall.  The PID of the process is returned in
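Review bot: the manual page text promises NOTE_STOPEXEC when the process "exited", but the only VN_KNOTE(..., NOTE_STOPEXEC | ...) in the hunks quoted in this thread is the one in kern_exec.c, i.e. the image-replacement case; if kern_exit.c is not part of the full patch, either the exit path needs the same notification on p->p_textvp or this paragraph should not claim it. While here, "anoter" on the previous line has the same problem as the "simial" marked below.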
>       ^^^^^
> typo

OK, fixed.

> > Index: src/sys/sys/event.h
> > ===================================================================
> > RCS file: /home/ncvs/src/sys/sys/event.h,v
> > retrieving revision 1.21
> > diff -d -u -r1.21 event.h
> > --- src/sys/sys/event.h	29 Jun 2002 19:14:52 -0000	1.21
> > +++ src/sys/sys/event.h	24 Oct 2002 06:57:41 -0000
> > @@ -83,13 +83,15 @@
> >  /*
> >   * data/hint flags for EVFILT_VNODE, shared with userspace
> >   */
> > -#define	NOTE_DELETE	0x0001			/* vnode was removed */
> > -#define	NOTE_WRITE	0x0002			/* data contents changed */
> > -#define	NOTE_EXTEND	0x0004			/* size increased */
> > -#define	NOTE_ATTRIB	0x0008			/* attributes changed */
> > -#define	NOTE_LINK	0x0010			/* link count changed */
> > -#define	NOTE_RENAME	0x0020			/* vnode was renamed */
> > -#define	NOTE_REVOKE	0x0040			/* vnode access was revoked */
> > +#define	NOTE_DELETE	0x00100000		/* vnode was removed */
> > +#define	NOTE_WRITE	0x00200000		/* data contents changed */
> > +#define	NOTE_EXTEND	0x00400000		/* size increased */
> > +#define	NOTE_ATTRIB	0x00800000		/* attributes changed */
> > +#define	NOTE_LINK	0x01000000		/* link count changed */
> > +#define	NOTE_RENAME	0x02000000		/* vnode was renamed */
> > +#define	NOTE_REVOKE	0x04000000		/* vnode access was revoked */
> > +#define	NOTE_STARTEXEC	0x08000000		/* vnode was executed */
> > +#define	NOTE_STOPEXEC	0x10000000		/* vnode execution stopped */
> > +/* Applies both to EVFILT_VNODE and EVFILT_PROC */
> >  #define	NOTE_PDATAMASK	0x000fffff		/* mask for pid */
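Review bot: the seven existing NOTE_DELETE..NOTE_REVOKE values move from 0x0001..0x0040 to 0x00100000..0x04000000 in a block whose own comment says these flags are "shared with userspace", so a program built against the old constants registers for, and is handed, the wrong EVFILT_VNODE events after this goes in. The move is forced because the pid now shares the hint word with the flags (NOTE_PDATAMASK covers the old values), but that reason is not stated anywhere: say it in the new "/* Applies both to EVFILT_VNODE and EVFILT_PROC */" comment and call the ABI change out in the commit message so the renumbering is not mistaken for a cosmetic change.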
> 
> I don't think we should burn our 32 bits on this.  Since pids are 32 bits,
> this interface will fail unpredictably.

This is no different from the current situation and doesn't add any
new breakage. All EVFILT_PROC are currently limited to 16-bit pids only.
Of course this misbehaviour should be fixed eventually, but it wasn't
the purpose of this patch.

> >  /* additional flags for EVFILT_PROC */
> > Index: src/sys/kern/kern_exec.c
> > ===================================================================
> > RCS file: /home/ncvs/src/sys/kern/kern_exec.c,v
> > retrieving revision 1.193
> > diff -d -u -r1.193 kern_exec.c
> > --- src/sys/kern/kern_exec.c	11 Oct 2002 21:04:01 -0000	1.193
> > +++ src/sys/kern/kern_exec.c	24 Oct 2002 06:57:41 -0000
> > @@ -518,6 +518,8 @@
> >  	 * to locking the proc lock.
> >  	 */
> >  	textvp = p->p_textvp;
> > +	if (textvp)
> > +		VN_KNOTE(textvp, NOTE_STOPEXEC | p->p_pid);
> >  	p->p_textvp = ndp->ni_vp;
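Review bot: "VN_KNOTE(textvp, NOTE_STOPEXEC | p->p_pid);" ORs the pid in unmasked, so a pid with any bit above NOTE_PDATAMASK (0x000fffff in the event.h hunk) set lands in the flag bits and is delivered to a vnode listener as some other NOTE_* event rather than as a truncated pid. Mask it, "NOTE_STOPEXEC | (p->p_pid & NOTE_PDATAMASK)", or KASSERT that it fits, and note the limit in a comment, since this value goes straight out to userland.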
> 
> Do these always stay an int or are there casts that could result in endian
> problems?
> 
> >Index: src/sys/kern/kern_fork.c
> >===================================================================
> >RCS file: /home/ncvs/src/sys/kern/kern_fork.c,v
> >retrieving revision 1.172
> >diff -d -u -r1.172 kern_fork.c
> >--- src/sys/kern/kern_fork.c	18 Oct 2002 17:45:41 -0000	1.172
> >+++ src/sys/kern/kern_fork.c	24 Oct 2002 06:58:03 -0000
> >@@ -724,6 +724,8 @@
> > 	 * tell any interested parties about the new process
> > 	 */
> > 	KNOTE(&p1->p_klist, NOTE_FORK | p2->p_pid);
> >+	if (p2->p_textvp != NULL)
> >+		VN_KNOTE(p2->p_textvp, NOTE_STARTEXEC | p2->p_pid);
> > 	PROC_UNLOCK(p1);
> > 
> > 	/*
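Review bot: this hunk raises NOTE_STARTEXEC on p2->p_textvp, which at fork time is still the parent's image, while the kern_exec.c hunk above only sends NOTE_STOPEXEC for the old vnode and nothing for ndp->ni_vp when it becomes the new p_textvp. Going by the hunks shown, a daemon started by fork+exec therefore produces a STARTEXEC for the shell's binary and never one for its own. Unless the full patch covers this elsewhere, add "VN_KNOTE(ndp->ni_vp, NOTE_STARTEXEC | p->p_pid);" beside the "p->p_textvp = ndp->ni_vp;" assignment, with the same pid masking as suggested for the exec hunk.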
> 
> This shows my doubt for the need for this since the NOTE_FORK is immediately
> before your duplicate NOTE_STARTEXEC.

Again, they apply to different types of objects - NOTE_FORK is for
pids, while NOTE_STARTEXEC is for vnodes.

-Maxim

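As an added example (mine, not code from the patch or anyone in this thread), the hint-word packing the hunks rely on, built from the constants in the quoted event.h, to make the pid-versus-flag-bits concern raised above concrete; the pids are constructed values.

```c
/* Added example, not from the patch: how a NOTE_* vnode hint carries a pid in
 * its low bits, and what happens when the pid is wider than NOTE_PDATAMASK. */
#include <stdint.h>
#include <stdio.h>

/* Constants exactly as in the quoted event.h hunk. */
#define NOTE_STARTEXEC  0x08000000u   /* vnode was executed */
#define NOTE_STOPEXEC   0x10000000u   /* vnode execution stopped */
#define NOTE_PDATAMASK  0x000fffffu   /* mask for pid (20 bits) */

/* What the hunks do: flags | pid, with no masking. */
uint32_t hint_pack_raw(uint32_t flags, uint32_t pid)
{
	return flags | pid;
}

/* Suggested alternative (not in the patch): refuse a pid that would spill
 * into the flag bits.  Returns 0 on refusal; 0 is never a valid hint here
 * because the flag part is always nonzero. */
uint32_t hint_pack_checked(uint32_t flags, uint32_t pid)
{
	if (pid & ~NOTE_PDATAMASK)
		return 0;
	return flags | pid;
}

/* What a listener does to take the word apart again. */
uint32_t hint_flags(uint32_t hint) { return hint & ~NOTE_PDATAMASK; }
uint32_t hint_pid(uint32_t hint)   { return hint & NOTE_PDATAMASK; }

int main(void)
{
	/* Constructed pids: one that fits in 20 bits, one with bit 27 set. */
	uint32_t ok  = hint_pack_raw(NOTE_STOPEXEC, 12345u);
	uint32_t bad = hint_pack_raw(NOTE_STOPEXEC, 0x08000001u);

	printf("pid 12345      -> flags %#010x pid %u\n",
	    hint_flags(ok), hint_pid(ok));
	/* Bit 27 of the pid reads back as NOTE_STARTEXEC; the pid collapses to 1. */
	printf("pid 0x08000001 -> flags %#010x pid %u\n",
	    hint_flags(bad), hint_pid(bad));
	printf("checked pack of pid 0x08000001 -> %#x (refused)\n",
	    hint_pack_checked(NOTE_STOPEXEC, 0x08000001u));
	return 0;
}
```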