Porting to FreeBSD, chapter 8: started dtrace support

Makefile.am

@@ -24,6 +24,10 @@ if HAVE_BSM
 clsync_CFLAGS += -DBSM_SUPPORT
 clsync_SOURCES += mon_bsm.c
 endif
+if HAVE_DTRACEPIPE
+clsync_CFLAGS += -DDTRACEPIPE_SUPPORT
+clsync_SOURCES += mon_dtracepipe.c
+endif
 
 if SOCKET
 clsync_SOURCES += socket.c control.c

common.h

@@ -22,8 +22,10 @@
 #define __CLSYNC_COMMON_H
 
 #ifndef __linux__
-#undef HAVE_CAPABILITIES
-#warning Capabilities support can be built only on Linux
+#	ifdef HAVE_CAPABILITIES
+#		undef HAVE_CAPABILITIES
+#		warning Capabilities support can be built only on Linux
+#	endif
 #endif
 
 #define _GNU_SOURCE
@@ -139,6 +141,7 @@ enum notifyengine_enum {
 	NE_INOTIFY,
 	NE_KQUEUE,
 	NE_BSM,
+	NE_DTRACEPIPE,
 };
 typedef enum notifyengine_enum notifyengine_t;
 

configuration.h

@@ -100,3 +100,5 @@ policy:cnt\n\
 filesz:1M\n\
 "
 
+#define DTRACE_PATH			"dtrace"
+

configure.ac

@@ -270,14 +270,16 @@ case "$with_bsm" in
 		)
 		;;
 esac
+AC_CHECK_PROG([HAVE_DTRACEPIPE], [dtrace], [found])
 
 AS_IF([test "$HAVE_INOTIFY" != ""], [AC_CHECK_FUNC([inotify_init1], [], [INOTIFY_OLD=1])])
 
-AM_CONDITIONAL([HAVE_KQUEUE],   [test "$HAVE_KQUEUE"   != ""])
-AM_CONDITIONAL([HAVE_INOTIFY],  [test "$HAVE_INOTIFY"  != ""])
-AM_CONDITIONAL([INOTIFY_OLD],   [test "$INOTIFY_OLD"   != ""])
-AM_CONDITIONAL([HAVE_FANOTIFY], [test "$HAVE_FANOTIFY" != ""])
-AM_CONDITIONAL([HAVE_BSM],      [test "$HAVE_BSM"      != ""])
+AM_CONDITIONAL([HAVE_KQUEUE],    [test "$HAVE_KQUEUE"    != ""])
+AM_CONDITIONAL([HAVE_INOTIFY],   [test "$HAVE_INOTIFY"   != ""])
+AM_CONDITIONAL([INOTIFY_OLD],    [test "$INOTIFY_OLD"    != ""])
+AM_CONDITIONAL([HAVE_FANOTIFY],  [test "$HAVE_FANOTIFY"  != ""])
+AM_CONDITIONAL([HAVE_BSM],       [test "$HAVE_BSM"       != ""])
+AM_CONDITIONAL([HAVE_DTRACEPIPE],[test "$HAVE_DTRACEPIPE"!= ""])
 
 AS_IF([test "$HAVE_KQUEUE" = '' -a "$HAVE_INOTIFY" = '' -a "$HAVE_FANOTIFY" = '' -a "$HAVE_BSM" = '' ], [AC_MSG_FAILURE([kqueue, inotify and bsm are not supported on this system])])
 

main.c

@@ -125,6 +125,7 @@ static char *const notify_engines[] = {
 	[NE_KQUEUE]		= "kqueue",
 	[NE_FANOTIFY]		= "fanotify",
 	[NE_BSM]		= "bsm",
+	[NE_DTRACEPIPE]		= "dtracepipe",
 	NULL
 };
 
@@ -474,6 +475,9 @@ int parse_parameter(ctx_t *ctx_p, uint16_t param_id, char *arg, paramsource_t pa
 #endif
 #ifdef BSM_SUPPORT
 				case NE_BSM:
+#endif
+#ifdef DTRACEPIPE_SUPPORT
+				case NE_DTRACEPIPE:
 #endif
 					break;
 				default:

man/man1/clsync.1

@@ -900,9 +900,6 @@ will just parse the log via
 Reliable, but hacky way. It requires global audit reconfiguration that
 may hopple audit analysis.
 
-This way should be the best for FreeBSD. It's not used by default just
-because it requires to modify "audit_control".
-
 .B Not well tested. Use with caution!
 Also file /etc/security/audit_control will be overwritten with:
 .RS
@@ -923,13 +920,22 @@ policy:cnt
 filesz:1M
 .RE
 .RE
+.IR dtracepipe
+.RS
+.BR dtrace "(1) [FreeBSD]"
+
+.B clsync
+will run dtrace with special script (on "d") using
+.BR popen (3)
+and parse it's output.
+
+IMHO, this way is the best for FreeBSD.
+.RE
 .RE
 
-If
-.B inotify
-is supported (even through libinotify) then it's used by default. If not then
-.B kqueue
-is used.
+The default value on Linux is "inotify".
+.br
+The default value on FreeBSD is "dtracepipe"
 .RE
 
 .PP

mon_bsm.c

@@ -60,7 +60,7 @@ struct recognize_event_return {
 				eventobjtype_t objtype_new:16;
 			} t;
 		} v;
-		uint32_t i;
+		uint64_t i;
 	} u;
 };
 
@@ -190,6 +190,7 @@ int bsm_config_backup(mondata_t *mondata) {
 		return -1;
 	}
 
+	flock(fd, LOCK_EX);
 	debug(3, "mv: "AUDIT_CONTROL_PATH" -> "AUDIT_CONTROL_PATH"-clsync_backup");
 	rename(AUDIT_CONTROL_PATH, AUDIT_CONTROL_PATH"-clsync_backup");
 

mon_kqueue.c

@@ -531,7 +531,7 @@ static inline int _kqueue_handle_oneevent_dircontent(ctx_t *ctx_p, indexes_t *in
 	int fd;
 
 	fd  = openat(obj_p->dir_fd, obj_p->name, O_RDONLY|O_PATH);
-	dir = fdopendir(obj_p->fd);
+	dir = fdopendir(fd);
 
 	while ((entry = readdir(dir))) {
 		debug(10, "file/dir: \"%s\"", entry->d_name);

sync.c

@@ -250,7 +250,7 @@ static inline ruleaction_t rules_getperm(const char *fpath, mode_t st_mode, rule
 }
 
 threadsinfo_t *thread_info() {	// TODO: optimize this
-	static threadsinfo_t threadsinfo={{{{0}}},{{{0}}},0};
+	static threadsinfo_t threadsinfo={{0},{0},0};
 	if(!threadsinfo.mutex_init) {
 		int i=0;
 		while(i < PTHREAD_MUTEX_MAX) {
@@ -1206,6 +1206,7 @@ static inline void evinfo_initialevmask(ctx_t *ctx_p, eventinfo_t *evinfo_p, int
 	switch(ctx_p->flags[MONITOR]) {
 #ifdef FANOTIFY_SUPPORT
 		case NE_FANOTIFY:
+			critical("fanotify is not supported");
 			break;
 #endif
 #if INOTIFY_SUPPORT | KQUEUE_SUPPORT
@@ -1234,7 +1235,7 @@ static inline void evinfo_initialevmask(ctx_t *ctx_p, eventinfo_t *evinfo_p, int
 }
 
 static inline void api_evinfo_initialevmask(ctx_t *ctx_p, api_eventinfo_t *evinfo_p, int isdir) {
-	eventinfo_t evinfo;
+	eventinfo_t evinfo = {0};
 	evinfo_initialevmask(ctx_p, &evinfo, isdir);
 	evinfo_p->evmask = evinfo.evmask;
 	return;
@@ -3507,6 +3508,13 @@ int sync_run(ctx_t *ctx_p) {
 				ctx_p->notifyenginefunct.handle        = bsm_handle;
 				break;
 #endif
+#ifdef DTRACEPIPE_SUPPORT
+			case NE_DTRACEPIPE:
+				ctx_p->notifyenginefunct.add_watch_dir = dtracepipe_add_watch_dir;
+				ctx_p->notifyenginefunct.wait          = dtracepipe_wait;
+				ctx_p->notifyenginefunct.handle        = dtracepipe_handle;
+				break;
+#endif
 #ifdef VERYPARANOID
 			default:
 				critical("Unknown FS monitor subsystem: %i", ctx_p->flags[MONITOR]);
@@ -3570,6 +3578,11 @@ int sync_run(ctx_t *ctx_p) {
 		case NE_BSM:
 			bsm_deinit(ctx_p);
 			break;
+#endif
+#ifdef DTRACEPIPE_SUPPORT
+		case NE_DTRACEPIPE:
+			dtracepipe_deinit(ctx_p);
+			break;
 #endif
 	}