On 16 August 2008 01:09:39 Robert Watson wrote:
> On Fri, 15 Aug 2008, Uladzislau Rezki wrote:
>
> > We have to do a few things:
> >
> > 1) do original "write" sys call;
> > 2) get full path (/etc/passwd);
> > 3) put all this information to user land through the character device.
> >
> > I get stuck in point 2. I need to get full path, but how ...
>
> In FreeBSD 6.2 and higher, the kernel event auditing facility provides
> exactly this service already. Take a look at the auditpipe(4) facility for
> details of the run-time monitoring aspect of that.

Thank you, I did not know about it before.

I looked through the source code of the "auditpipe", and found a function called "canon_path" that obtains a full path using "vn_fullpath". This function retrieves the full filesystem path that corresponds to a "vnode" from the cache, BUT only if it is available within "namecache". "textvp_fullpath" and "vn_fullpath" are not reliable.

Maybe I've skipped something while investigating auditpipe, but I found only one place where they get the full path (audit_bsm_klib.c +483) and they use "vn_fullpath". Please correct me if I am not right.

Thank you in advance.

-- 
Uladzislau Rezki