The audit_file patch

Richard Sharpe realrichardsharpe at gmail.com
Mon Apr 23 23:10:16 MDT 2012


Hi folks,

Here is the interface change for file auditing. Please provide
feedback on the interface because it is important that we get this
correct.

I plan to push this change later in the week, like maybe Friday. I
want the interface change ready for the next major release.

(Also attached)

diff --git a/source3/include/vfs.h b/source3/include/vfs.h
index e858235..13f7427 100644
--- a/source3/include/vfs.h
+++ b/source3/include/vfs.h
@@ -370,6 +370,12 @@ struct vfs_fn_pointers {
 				   uint32 security_info_sent,
 				   const struct security_descriptor *psd);

+	NTSTATUS (*audit_file_fn)(struct vfs_handle_struct *handle,
+				  struct smb_filename *file,
+				  struct security_acl *sacl,
+				  uint32_t access_requested,
+				  uint32_t access_granted);
+
 	/* POSIX ACL operations. */

 	int (*chmod_acl_fn)(struct vfs_handle_struct *handle, const char *name,
mode_t mode);
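Review bot: The new `audit_file_fn` slot takes `struct smb_filename *file` and `struct security_acl *sacl` as mutable pointers, while the entry just above it takes `const struct security_descriptor *psd`; a hook that only records an access should declare both as `const`. The declaration also needs a comment stating what a non-OK return means and whether the caller must then refuse the access, because that decides whether auditing fails open or fails closed. Only the two access masks are passed, so a module cannot log the status of the access check itself; if that is wanted, it is cheaper to add the parameter before the interface ships. `struct vfs_fn_pointers` starts and ends outside the hunk, and no `SMB_VFS_INTERFACE_VERSION` change is visible in this patch.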
diff --git a/source3/include/vfs_macros.h b/source3/include/vfs_macros.h
index c324439..ce691cd 100644
--- a/source3/include/vfs_macros.h
+++ b/source3/include/vfs_macros.h
@@ -389,6 +389,11 @@
 #define SMB_VFS_NEXT_GET_NT_ACL(handle, name, security_info, ppdesc) \
 	smb_vfs_call_get_nt_acl((handle)->next, (name), (security_info), (ppdesc
))

+#define SMB_VFS_AUDIT_FILE(conn, name, sacl, access_requested, access_granted)
\
+	smb_vfs_call_audit_file((conn)->vfs_handles, (name), (sacl), (access_req
uested), (access_granted))
+#define SMB_VFS_NEXT_AUDIT_FILE(handle, name, sacl, access_requested, access_gr
anted) \
+	smb_vfs_call_audit_file((handle)->next, (name), (sacl), (access_requeste
d), (access_granted))
+
 #define SMB_VFS_FSET_NT_ACL(fsp, security_info_sent, psd) \
 	smb_vfs_call_fset_nt_acl((fsp)->conn->vfs_handles, (fsp), (security_info
_sent), (psd))
 #define SMB_VFS_NEXT_FSET_NT_ACL(handle, fsp, security_info_sent, psd) \
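Review bot: Both new macros name their second parameter `name`, yet it is forwarded to the `struct smb_filename *file` argument of `smb_vfs_call_audit_file`. Renaming it to `file` in `SMB_VFS_AUDIT_FILE` and `SMB_VFS_NEXT_AUDIT_FILE` keeps the macro and the function in step and avoids the reader taking it for a path string.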
diff --git a/source3/modules/vfs_default.c b/source3/modules/vfs_default.c
index dd54417..8d6d28f 100644
--- a/source3/modules/vfs_default.c
+++ b/source3/modules/vfs_default.c
@@ -1872,6 +1872,15 @@ static NTSTATUS vfswrap_fset_nt_acl(vfs_handle_struct *ha
ndle, files_struct *fsp
 	return result;
 }

+NTSTATUS vfswrap_audit_file(struct vfs_handle_struct *handle,
+			    struct smb_filename *file,
+			    struct security_acl *sacl,
+			    uint32_t access_requested,
+			    uint32_t access_granted)
+{
+	return NT_STATUS_OK; /* Nothing to do here ... */
+}
+
 static int vfswrap_chmod_acl(vfs_handle_struct *handle,  const char *name, mode
_t mode)
 {
 #ifdef HAVE_NO_ACL
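Review bot: `vfswrap_audit_file` is defined without `static`, unlike `vfswrap_fset_nt_acl` and `vfswrap_chmod_acl` on either side of it, so it becomes a global symbol with no prototype in the headers this patch touches; it should read `static NTSTATUS vfswrap_audit_file(...)`. The default returns `NT_STATUS_OK` without doing anything, so when no audit module is stacked a SACL that asks for auditing is silently ignored, and the caller cannot tell that apart from a written record. I would replace `/* Nothing to do here ... */` with a comment that says this fail-open default is intentional, for example `/* No auditing backend in the default VFS: SACL audit entries are not recorded. */`.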
@@ -2249,6 +2258,7 @@ static struct vfs_fn_pointers vfs_default_fns = {
 	.fget_nt_acl_fn = vfswrap_fget_nt_acl,
 	.get_nt_acl_fn = vfswrap_get_nt_acl,
 	.fset_nt_acl_fn = vfswrap_fset_nt_acl,
+	.audit_file_fn = vfswrap_audit_file,

 	/* POSIX ACL operations. */

diff --git a/source3/smbd/vfs.c b/source3/smbd/vfs.c
index b330c03..095e754 100644
--- a/source3/smbd/vfs.c
+++ b/source3/smbd/vfs.c
@@ -1962,6 +1962,20 @@ NTSTATUS smb_vfs_call_fset_nt_acl(struct vfs_handle_struc
t *handle,
 					   psd);
 }

+NTSTATUS smb_vfs_call_audit_file(struct vfs_handle_struct *handle,
+				 struct smb_filename *file,
+				 struct security_acl *sacl,
+				 uint32_t access_requested,
+				 uint32_t access_granted)
+{
+	VFS_FIND(audit_file);
+	return handle->fns->audit_file_fn(handle,
+					  file,
+					  sacl,
+					  access_requested,
+					  access_granted);
+}
+
 int smb_vfs_call_chmod_acl(struct vfs_handle_struct *handle, const char *name,
 			   mode_t mode)
 {
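Review bot: `smb_vfs_call_audit_file` has no caller anywhere in this patch, so nothing fixes when the hook fires relative to the access check or what `access_granted` holds for a denied open. A comment above the function should state that, and also whether `sacl` may be NULL for a file that carries no SACL, since the wrapper passes it through unchecked and every module will otherwise have to guess. Something like `/* Called once per open after the access check; sacl may be NULL; access_granted is 0 on denial. */` would do, with the wording adjusted to whatever the call site ends up guaranteeing.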


-- 
Regards,
Richard Sharpe
(何以解憂?唯有杜康。--曹操)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: samba.master.audit_file.patch
Type: application/octet-stream
Size: 3179 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20120423/ada84aaa/attachment.obj>

