Re: auditing in Darwin?
Re: auditing in Darwin?
- Subject: Re: auditing in Darwin?
- From: Wayne Salamon <email@hidden>
- Date: Fri, 24 Jun 2005 15:36:33 -0400
On Jun 23, 2005, at 1:23 PM, Todd Heberlein wrote:
I don't know what that 4-byte field is at the end, but I need to
read it in before I can get properly aligned for the next token.
Actually, what you're seeing is an extra four bytes before the
fileid; here's the code snippet from the kernel (bsd/kern/
kern_bsm_token.c):
/*
* Darwin defines the size for fileid as 4 bytes;
* BSM defines 8. So we copy in a 0 first.
*/
fileid = vni->vn_fileid;
ADD_U_INT32(dptr, pad0_32);
ADD_U_INT32(dptr, fileid);
So it's intentional. Unfortunately, the Solaris 9 documentation
doesn't show the exact field lengths (Solaris 8 docs do, and fileid
is 4 bytes). But we didn't make the 8 bytes up out of thin air, so
more research is required.
In OpenBSM, the code checks the size and writes either 4 or 8 bytes,
BTW.
Wayne
------------------------
Wayne Salamon
email@hidden
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Darwin-kernel mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden