1 | /*- |
2 | * Copyright (c) 2006 Robert N. M. Watson |
3 | * Copyright (c) 2008-2009 Apple, Inc. |
4 | * All rights reserved. |
5 | * |
6 | * This software was developed by Robert Watson for the TrustedBSD Project. |
7 | * |
8 | * Redistribution and use in source and binary forms, with or without |
9 | * modification, are permitted provided that the following conditions |
10 | * are met: |
11 | * 1. Redistributions of source code must retain the above copyright |
12 | * notice, this list of conditions and the following disclaimer. |
13 | * 2. Redistributions in binary form must reproduce the above copyright |
14 | * notice, this list of conditions and the following disclaimer in the |
15 | * documentation and/or other materials provided with the distribution. |
16 | * |
17 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND |
18 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
19 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
20 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE |
21 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
22 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
23 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
24 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
25 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
26 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
27 | * SUCH DAMAGE. |
28 | */ |
29 | |
30 | #include <stdarg.h> |
31 | #include <sys/param.h> |
32 | #include <sys/systm.h> |
33 | #include <sys/kernel.h> |
34 | #include <sys/fcntl.h> |
35 | #include <sys/conf.h> |
36 | #include <sys/poll.h> |
37 | #include <sys/user.h> |
38 | #include <sys/signalvar.h> |
39 | #include <miscfs/devfs/devfs.h> |
40 | |
41 | #include <bsm/audit.h> |
42 | #include <security/audit/audit.h> |
43 | #include <security/audit/audit_ioctl.h> |
44 | #include <security/audit/audit_bsd.h> |
45 | #include <security/audit/audit_private.h> |
46 | |
47 | #if CONFIG_AUDIT |
48 | /* |
49 | * Implementation of a clonable special device providing a live stream of BSM |
50 | * audit data. Consumers receive a "tee" of the system audit trail by |
51 | * default, but may also define alternative event selections using ioctls. |
52 | * This interface provides unreliable but timely access to audit events. |
53 | * Consumers should be very careful to avoid introducing event cycles. |
54 | */ |
55 | |
56 | /* |
57 | * Memory types. |
58 | */ |
59 | static MALLOC_DEFINE(M_AUDIT_PIPE, "audit_pipe" , "Audit pipes" ); |
60 | static MALLOC_DEFINE(M_AUDIT_PIPE_ENTRY, "audit_pipeent" , |
61 | "Audit pipe entries and buffers" ); |
62 | static MALLOC_DEFINE(M_AUDIT_PIPE_PRESELECT, "audit_pipe_presel" , |
63 | "Audit pipe preselection structure" ); |
64 | |
65 | /* |
66 | * Audit pipe buffer parameters. |
67 | */ |
68 | #define AUDIT_PIPE_QLIMIT_DEFAULT (128) |
69 | #define AUDIT_PIPE_QLIMIT_MIN (1) |
70 | #define AUDIT_PIPE_QLIMIT_MAX (1024) |
71 | |
72 | /* |
73 | * Description of an entry in an audit_pipe. |
74 | */ |
75 | struct audit_pipe_entry { |
76 | void *ape_record; |
77 | u_int ape_record_len; |
78 | TAILQ_ENTRY(audit_pipe_entry) ape_queue; |
79 | }; |
80 | |
81 | /* |
82 | * Audit pipes allow processes to express "interest" in the set of records |
83 | * that are delivered via the pipe. They do this in a similar manner to the |
84 | * mechanism for audit trail configuration, by expressing two global masks, |
85 | * and optionally expressing per-auid masks. The following data structure is |
86 | * the per-auid mask description. The global state is stored in the audit |
87 | * pipe data structure. |
88 | * |
89 | * We may want to consider a more space/time-efficient data structure once |
90 | * usage patterns for per-auid specifications are clear. |
91 | */ |
92 | struct audit_pipe_preselect { |
93 | au_id_t app_auid; |
94 | au_mask_t app_mask; |
95 | TAILQ_ENTRY(audit_pipe_preselect) app_list; |
96 | }; |
97 | |
98 | /* |
99 | * Description of an individual audit_pipe. Consists largely of a bounded |
100 | * length queue. |
101 | */ |
102 | #define AUDIT_PIPE_ASYNC 0x00000001 |
103 | #define AUDIT_PIPE_NBIO 0x00000002 |
104 | struct audit_pipe { |
105 | int ap_open; /* Device open? */ |
106 | u_int ap_flags; |
107 | |
108 | struct selinfo ap_selinfo; |
109 | pid_t ap_sigio; |
110 | |
111 | /* |
112 | * Per-pipe mutex protecting most fields in this data structure. |
113 | */ |
114 | struct mtx ap_mtx; |
115 | |
116 | /* |
117 | * Per-pipe sleep lock serializing user-generated reads and flushes. |
118 | * uiomove() is called to copy out the current head record's data |
119 | * while the record remains in the queue, so we prevent other threads |
120 | * from removing it using this lock. |
121 | */ |
122 | struct slck ap_sx; |
123 | |
124 | /* |
125 | * Condition variable to signal when data has been delivered to a |
126 | * pipe. |
127 | */ |
128 | struct cv ap_cv; |
129 | |
130 | /* |
131 | * Various queue-related variables: qlen and qlimit are a count of |
132 | * records in the queue; qbyteslen is the number of bytes of data |
133 | * across all records, and qoffset is the amount read so far of the |
134 | * first record in the queue. The number of bytes available for |
135 | * reading in the queue is qbyteslen - qoffset. |
136 | */ |
137 | u_int ap_qlen; |
138 | u_int ap_qlimit; |
139 | u_int ap_qbyteslen; |
140 | u_int ap_qoffset; |
141 | |
142 | /* |
143 | * Per-pipe operation statistics. |
144 | */ |
145 | u_int64_t ap_inserts; /* Records added. */ |
146 | u_int64_t ap_reads; /* Records read. */ |
147 | u_int64_t ap_drops; /* Records dropped. */ |
148 | |
149 | /* |
150 | * Fields relating to pipe interest: global masks for unmatched |
151 | * processes (attributable, non-attributable), and a list of specific |
152 | * interest specifications by auid. |
153 | */ |
154 | int ap_preselect_mode; |
155 | au_mask_t ap_preselect_flags; |
156 | au_mask_t ap_preselect_naflags; |
157 | TAILQ_HEAD(, audit_pipe_preselect) ap_preselect_list; |
158 | |
159 | /* |
160 | * Current pending record list. Protected by a combination of ap_mtx |
161 | * and ap_sx. Note particularly that *both* locks are required to |
162 | * remove a record from the head of the queue, as an in-progress read |
163 | * may sleep while copying and therefore cannot hold ap_mtx. |
164 | */ |
165 | TAILQ_HEAD(, audit_pipe_entry) ap_queue; |
166 | |
167 | /* |
168 | * Global pipe list. |
169 | */ |
170 | TAILQ_ENTRY(audit_pipe) ap_list; |
171 | }; |
172 | |
173 | #define AUDIT_PIPE_LOCK(ap) mtx_lock(&(ap)->ap_mtx) |
174 | #define AUDIT_PIPE_LOCK_ASSERT(ap) mtx_assert(&(ap)->ap_mtx, MA_OWNED) |
175 | #define AUDIT_PIPE_LOCK_DESTROY(ap) mtx_destroy(&(ap)->ap_mtx) |
176 | #define AUDIT_PIPE_LOCK_INIT(ap) mtx_init(&(ap)->ap_mtx, \ |
177 | "audit_pipe_mtx", NULL, MTX_DEF) |
178 | #define AUDIT_PIPE_UNLOCK(ap) mtx_unlock(&(ap)->ap_mtx) |
179 | #define AUDIT_PIPE_MTX(ap) (&(ap)->ap_mtx) |
180 | |
181 | #define AUDIT_PIPE_SX_LOCK_DESTROY(ap) slck_destroy(&(ap)->ap_sx) |
182 | #define AUDIT_PIPE_SX_LOCK_INIT(ap) slck_init(&(ap)->ap_sx, "audit_pipe_sx") |
183 | #define AUDIT_PIPE_SX_XLOCK_ASSERT(ap) slck_assert(&(ap)->ap_sx, SA_XLOCKED) |
184 | #define AUDIT_PIPE_SX_XLOCK_SIG(ap) slck_lock_sig(&(ap)->ap_sx) |
185 | #define AUDIT_PIPE_SX_XUNLOCK(ap) slck_unlock(&(ap)->ap_sx) |
186 | |
187 | |
188 | /* |
189 | * Global list of audit pipes, rwlock to protect it. Individual record |
190 | * queues on pipes are protected by per-pipe locks; these locks synchronize |
191 | * between threads walking the list to deliver to individual pipes and add/ |
192 | * remove of pipes, and are mostly acquired for read. |
193 | */ |
194 | static TAILQ_HEAD(, audit_pipe) audit_pipe_list; |
195 | static struct rwlock audit_pipe_lock; |
196 | |
197 | #define AUDIT_PIPE_LIST_LOCK_INIT() rw_init(&audit_pipe_lock, \ |
198 | "audit_pipe_list_lock") |
199 | #define AUDIT_PIPE_LIST_RLOCK() rw_rlock(&audit_pipe_lock) |
200 | #define AUDIT_PIPE_LIST_RUNLOCK() rw_runlock(&audit_pipe_lock) |
201 | #define AUDIT_PIPE_LIST_WLOCK() rw_wlock(&audit_pipe_lock) |
202 | #define AUDIT_PIPE_LIST_WLOCK_ASSERT() rw_assert(&audit_pipe_lock, \ |
203 | RA_WLOCKED) |
204 | #define AUDIT_PIPE_LIST_WUNLOCK() rw_wunlock(&audit_pipe_lock) |
205 | |
206 | /* |
207 | * Cloning related variables and constants. |
208 | */ |
209 | #define AUDIT_PIPE_NAME "auditpipe" |
210 | #define MAX_AUDIT_PIPES 32 |
211 | static int audit_pipe_major; |
212 | |
213 | /* |
214 | * dev_t doesn't have a pointer for "softc" data. So we have to keep track of |
215 | * it with the following global array (indexed by the minor number). |
216 | * |
217 | * XXX We may want to dynamically grow this as needed. |
218 | */ |
219 | static struct audit_pipe *audit_pipe_dtab[MAX_AUDIT_PIPES]; |
220 | |
221 | |
222 | /* |
223 | * Special device methods and definition. |
224 | */ |
225 | static open_close_fcn_t audit_pipe_open; |
226 | static open_close_fcn_t audit_pipe_close; |
227 | static read_write_fcn_t audit_pipe_read; |
228 | static ioctl_fcn_t audit_pipe_ioctl; |
229 | static select_fcn_t audit_pipe_poll; |
230 | |
231 | static const struct cdevsw audit_pipe_cdevsw = { |
232 | .d_open = audit_pipe_open, |
233 | .d_close = audit_pipe_close, |
234 | .d_read = audit_pipe_read, |
235 | .d_write = eno_rdwrt, |
236 | .d_ioctl = audit_pipe_ioctl, |
237 | .d_stop = eno_stop, |
238 | .d_reset = eno_reset, |
239 | .d_ttys = NULL, |
240 | .d_select = audit_pipe_poll, |
241 | .d_mmap = eno_mmap, |
242 | .d_strategy = eno_strat, |
243 | .d_type = 0 |
244 | }; |
245 | |
246 | /* |
247 | * Some global statistics on audit pipes. |
248 | */ |
249 | static int audit_pipe_count; /* Current number of pipes. */ |
250 | static u_int64_t audit_pipe_ever; /* Pipes ever allocated. */ |
251 | static u_int64_t audit_pipe_records; /* Records seen. */ |
252 | static u_int64_t audit_pipe_drops; /* Global record drop count. */ |
253 | |
254 | /* |
255 | * Free an audit pipe entry. |
256 | */ |
257 | static void |
258 | audit_pipe_entry_free(struct audit_pipe_entry *ape) |
259 | { |
260 | kfree_data(ape->ape_record, ape->ape_record_len); |
261 | kfree_type(struct audit_pipe_entry, ape); |
262 | } |
263 | |
264 | /* |
265 | * Find an audit pipe preselection specification for an auid, if any. |
266 | */ |
267 | static struct audit_pipe_preselect * |
268 | audit_pipe_preselect_find(struct audit_pipe *ap, au_id_t auid) |
269 | { |
270 | struct audit_pipe_preselect *app; |
271 | |
272 | AUDIT_PIPE_LOCK_ASSERT(ap); |
273 | |
274 | TAILQ_FOREACH(app, &ap->ap_preselect_list, app_list) { |
275 | if (app->app_auid == auid) { |
276 | return app; |
277 | } |
278 | } |
279 | return NULL; |
280 | } |
281 | |
282 | /* |
283 | * Query the per-pipe mask for a specific auid. |
284 | */ |
285 | static int |
286 | audit_pipe_preselect_get(struct audit_pipe *ap, au_id_t auid, |
287 | au_mask_t *maskp) |
288 | { |
289 | struct audit_pipe_preselect *app; |
290 | int error; |
291 | |
292 | AUDIT_PIPE_LOCK(ap); |
293 | app = audit_pipe_preselect_find(ap, auid); |
294 | if (app != NULL) { |
295 | *maskp = app->app_mask; |
296 | error = 0; |
297 | } else { |
298 | error = ENOENT; |
299 | } |
300 | AUDIT_PIPE_UNLOCK(ap); |
301 | return error; |
302 | } |
303 | |
304 | /* |
305 | * Set the per-pipe mask for a specific auid. Add a new entry if needed; |
306 | * otherwise, update the current entry. |
307 | */ |
308 | static void |
309 | audit_pipe_preselect_set(struct audit_pipe *ap, au_id_t auid, au_mask_t mask) |
310 | { |
311 | struct audit_pipe_preselect *app, *app_new; |
312 | |
313 | /* |
314 | * Pessimistically assume that the auid doesn't already have a mask |
315 | * set, and allocate. We will free it if it is unneeded. |
316 | */ |
317 | app_new = kalloc_type(struct audit_pipe_preselect, Z_WAITOK | Z_NOFAIL); |
318 | AUDIT_PIPE_LOCK(ap); |
319 | app = audit_pipe_preselect_find(ap, auid); |
320 | if (app == NULL) { |
321 | app = app_new; |
322 | app_new = NULL; |
323 | app->app_auid = auid; |
324 | TAILQ_INSERT_TAIL(&ap->ap_preselect_list, app, app_list); |
325 | } |
326 | app->app_mask = mask; |
327 | AUDIT_PIPE_UNLOCK(ap); |
328 | kfree_type(struct audit_pipe_preselect, app_new); |
329 | } |
330 | |
331 | /* |
332 | * Delete a per-auid mask on an audit pipe. |
333 | */ |
334 | static int |
335 | audit_pipe_preselect_delete(struct audit_pipe *ap, au_id_t auid) |
336 | { |
337 | struct audit_pipe_preselect *app; |
338 | int error; |
339 | |
340 | AUDIT_PIPE_LOCK(ap); |
341 | app = audit_pipe_preselect_find(ap, auid); |
342 | if (app != NULL) { |
343 | TAILQ_REMOVE(&ap->ap_preselect_list, app, app_list); |
344 | error = 0; |
345 | } else { |
346 | error = ENOENT; |
347 | } |
348 | AUDIT_PIPE_UNLOCK(ap); |
349 | kfree_type(struct audit_pipe_preselect, app); |
350 | return error; |
351 | } |
352 | |
353 | /* |
354 | * Delete all per-auid masks on an audit pipe. |
355 | */ |
356 | static void |
357 | audit_pipe_preselect_flush_locked(struct audit_pipe *ap) |
358 | { |
359 | struct audit_pipe_preselect *app; |
360 | |
361 | AUDIT_PIPE_LOCK_ASSERT(ap); |
362 | |
363 | while ((app = TAILQ_FIRST(&ap->ap_preselect_list)) != NULL) { |
364 | TAILQ_REMOVE(&ap->ap_preselect_list, app, app_list); |
365 | kfree_type(struct audit_pipe_preselect, app); |
366 | } |
367 | } |
368 | |
369 | static void |
370 | audit_pipe_preselect_flush(struct audit_pipe *ap) |
371 | { |
372 | AUDIT_PIPE_LOCK(ap); |
373 | audit_pipe_preselect_flush_locked(ap); |
374 | AUDIT_PIPE_UNLOCK(ap); |
375 | } |
376 | |
377 | /*- |
378 | * Determine whether a specific audit pipe matches a record with these |
379 | * properties. Algorithm is as follows: |
380 | * |
381 | * - If the pipe is configured to track the default trail configuration, then |
382 | * use the results of global preselection matching. |
383 | * - If not, search for a specifically configured auid entry matching the |
384 | * event. If an entry is found, use that. |
385 | * - Otherwise, use the default flags or naflags configured for the pipe. |
386 | */ |
387 | static int |
388 | audit_pipe_preselect_check(struct audit_pipe *ap, au_id_t auid, |
389 | au_event_t event, au_class_t class, int sorf, int trail_preselect) |
390 | { |
391 | struct audit_pipe_preselect *app; |
392 | |
393 | AUDIT_PIPE_LOCK_ASSERT(ap); |
394 | |
395 | switch (ap->ap_preselect_mode) { |
396 | case AUDITPIPE_PRESELECT_MODE_TRAIL: |
397 | return trail_preselect; |
398 | |
399 | case AUDITPIPE_PRESELECT_MODE_LOCAL: |
400 | app = audit_pipe_preselect_find(ap, auid); |
401 | if (app == NULL) { |
402 | if (auid == (uid_t)AU_DEFAUDITID) { |
403 | return au_preselect(event, class, |
404 | mask_p: &ap->ap_preselect_naflags, sorf); |
405 | } else { |
406 | return au_preselect(event, class, |
407 | mask_p: &ap->ap_preselect_flags, sorf); |
408 | } |
409 | } else { |
410 | return au_preselect(event, class, mask_p: &app->app_mask, |
411 | sorf); |
412 | } |
413 | |
414 | default: |
415 | panic("audit_pipe_preselect_check: mode %d" , |
416 | ap->ap_preselect_mode); |
417 | } |
418 | |
419 | return 0; |
420 | } |
421 | |
422 | /* |
423 | * Determine whether there exists a pipe interested in a record with specific |
424 | * properties. |
425 | */ |
426 | int |
427 | audit_pipe_preselect(au_id_t auid, au_event_t event, au_class_t class, |
428 | int sorf, int trail_preselect) |
429 | { |
430 | struct audit_pipe *ap; |
431 | |
432 | /* Lockless read to avoid acquiring the global lock if not needed. */ |
433 | if (TAILQ_EMPTY(&audit_pipe_list)) { |
434 | return 0; |
435 | } |
436 | |
437 | AUDIT_PIPE_LIST_RLOCK(); |
438 | TAILQ_FOREACH(ap, &audit_pipe_list, ap_list) { |
439 | AUDIT_PIPE_LOCK(ap); |
440 | if (audit_pipe_preselect_check(ap, auid, event, class, sorf, |
441 | trail_preselect)) { |
442 | AUDIT_PIPE_UNLOCK(ap); |
443 | AUDIT_PIPE_LIST_RUNLOCK(); |
444 | return 1; |
445 | } |
446 | AUDIT_PIPE_UNLOCK(ap); |
447 | } |
448 | AUDIT_PIPE_LIST_RUNLOCK(); |
449 | return 0; |
450 | } |
451 | |
452 | /* |
453 | * Append individual record to a queue -- allocate queue-local buffer, and |
454 | * add to the queue. If the queue is full or we can't allocate memory, drop |
455 | * the newest record. |
456 | */ |
457 | static void |
458 | audit_pipe_append(struct audit_pipe *ap, void *record, u_int record_len) |
459 | { |
460 | struct audit_pipe_entry *ape; |
461 | |
462 | AUDIT_PIPE_LOCK_ASSERT(ap); |
463 | |
464 | if (ap->ap_qlen >= ap->ap_qlimit) { |
465 | ap->ap_drops++; |
466 | audit_pipe_drops++; |
467 | return; |
468 | } |
469 | |
470 | ape = kalloc_type(struct audit_pipe_entry, Z_NOWAIT | Z_ZERO); |
471 | if (ape == NULL) { |
472 | ap->ap_drops++; |
473 | audit_pipe_drops++; |
474 | return; |
475 | } |
476 | |
477 | ape->ape_record = kalloc_data(record_len, Z_NOWAIT); |
478 | if (ape->ape_record == NULL) { |
479 | kfree_type(struct audit_pipe_entry, ape); |
480 | ap->ap_drops++; |
481 | audit_pipe_drops++; |
482 | return; |
483 | } |
484 | |
485 | bcopy(src: record, dst: ape->ape_record, n: record_len); |
486 | ape->ape_record_len = record_len; |
487 | |
488 | TAILQ_INSERT_TAIL(&ap->ap_queue, ape, ape_queue); |
489 | ap->ap_inserts++; |
490 | ap->ap_qlen++; |
491 | ap->ap_qbyteslen += ape->ape_record_len; |
492 | selwakeup(&ap->ap_selinfo); |
493 | if (ap->ap_flags & AUDIT_PIPE_ASYNC) { |
494 | pgsigio(pgid: ap->ap_sigio, SIGIO); |
495 | } |
496 | #if 0 /* XXX - fix select */ |
497 | selwakeuppri(&ap->ap_selinfo, PSOCK); |
498 | KNOTE_LOCKED(&ap->ap_selinfo.si_note, 0); |
499 | if (ap->ap_flags & AUDIT_PIPE_ASYNC) { |
500 | pgsigio(&ap->ap_sigio, SIGIO, 0); |
501 | } |
502 | #endif |
503 | cv_broadcast(&ap->ap_cv); |
504 | } |
505 | |
506 | /* |
507 | * audit_pipe_submit(): audit_worker submits audit records via this |
508 | * interface, which arranges for them to be delivered to pipe queues. |
509 | */ |
510 | void |
511 | audit_pipe_submit(au_id_t auid, au_event_t event, au_class_t class, int sorf, |
512 | int trail_select, void *record, u_int record_len) |
513 | { |
514 | struct audit_pipe *ap; |
515 | |
516 | /* |
517 | * Lockless read to avoid lock overhead if pipes are not in use. |
518 | */ |
519 | if (TAILQ_FIRST(&audit_pipe_list) == NULL) { |
520 | return; |
521 | } |
522 | |
523 | AUDIT_PIPE_LIST_RLOCK(); |
524 | TAILQ_FOREACH(ap, &audit_pipe_list, ap_list) { |
525 | AUDIT_PIPE_LOCK(ap); |
526 | if (audit_pipe_preselect_check(ap, auid, event, class, sorf, |
527 | trail_preselect: trail_select)) { |
528 | audit_pipe_append(ap, record, record_len); |
529 | } |
530 | AUDIT_PIPE_UNLOCK(ap); |
531 | } |
532 | AUDIT_PIPE_LIST_RUNLOCK(); |
533 | |
534 | /* Unlocked increment. */ |
535 | audit_pipe_records++; |
536 | } |
537 | |
538 | /* |
539 | * audit_pipe_submit_user(): the same as audit_pipe_submit(), except that |
540 | * since we don't currently have selection information available, it is |
541 | * delivered to the pipe unconditionally. |
542 | * |
543 | * XXXRW: This is a bug. The BSM check routine for submitting a user record |
544 | * should parse that information and return it. |
545 | */ |
546 | void |
547 | audit_pipe_submit_user(void *record, u_int record_len) |
548 | { |
549 | struct audit_pipe *ap; |
550 | |
551 | /* |
552 | * Lockless read to avoid lock overhead if pipes are not in use. |
553 | */ |
554 | if (TAILQ_FIRST(&audit_pipe_list) == NULL) { |
555 | return; |
556 | } |
557 | |
558 | AUDIT_PIPE_LIST_RLOCK(); |
559 | TAILQ_FOREACH(ap, &audit_pipe_list, ap_list) { |
560 | AUDIT_PIPE_LOCK(ap); |
561 | audit_pipe_append(ap, record, record_len); |
562 | AUDIT_PIPE_UNLOCK(ap); |
563 | } |
564 | AUDIT_PIPE_LIST_RUNLOCK(); |
565 | |
566 | /* Unlocked increment. */ |
567 | audit_pipe_records++; |
568 | } |
569 | |
570 | /* |
571 | * Allocate a new audit pipe. Connects the pipe, on success, to the global |
572 | * list and updates statistics. |
573 | */ |
574 | static struct audit_pipe * |
575 | audit_pipe_alloc(void) |
576 | { |
577 | struct audit_pipe *ap; |
578 | |
579 | AUDIT_PIPE_LIST_WLOCK_ASSERT(); |
580 | |
581 | ap = kalloc_type(struct audit_pipe, Z_WAITOK | Z_ZERO | Z_NOFAIL); |
582 | ap->ap_qlimit = AUDIT_PIPE_QLIMIT_DEFAULT; |
583 | TAILQ_INIT(&ap->ap_queue); |
584 | #ifndef __APPLE__ |
585 | knlist_init(&ap->ap_selinfo.si_note, AUDIT_PIPE_MTX(ap), NULL, NULL, |
586 | NULL); |
587 | #endif |
588 | AUDIT_PIPE_LOCK_INIT(ap); |
589 | AUDIT_PIPE_SX_LOCK_INIT(ap); |
590 | cv_init(&ap->ap_cv, "audit_pipe" ); |
591 | |
592 | /* |
593 | * Default flags, naflags, and auid-specific preselection settings to |
594 | * 0. Initialize the mode to the global trail so that if praudit(1) |
595 | * is run on /dev/auditpipe, it sees events associated with the |
596 | * default trail. Pipe-aware application can clear the flag, set |
597 | * custom masks, and flush the pipe as needed. |
598 | */ |
599 | bzero(s: &ap->ap_preselect_flags, n: sizeof(ap->ap_preselect_flags)); |
600 | bzero(s: &ap->ap_preselect_naflags, n: sizeof(ap->ap_preselect_naflags)); |
601 | TAILQ_INIT(&ap->ap_preselect_list); |
602 | ap->ap_preselect_mode = AUDITPIPE_PRESELECT_MODE_TRAIL; |
603 | |
604 | /* |
605 | * Add to global list and update global statistics. |
606 | */ |
607 | TAILQ_INSERT_HEAD(&audit_pipe_list, ap, ap_list); |
608 | audit_pipe_count++; |
609 | audit_pipe_ever++; |
610 | |
611 | return ap; |
612 | } |
613 | |
614 | /* |
615 | * Flush all records currently present in an audit pipe; assume mutex is held. |
616 | */ |
617 | static void |
618 | audit_pipe_flush(struct audit_pipe *ap) |
619 | { |
620 | struct audit_pipe_entry *ape; |
621 | |
622 | AUDIT_PIPE_LOCK_ASSERT(ap); |
623 | |
624 | while ((ape = TAILQ_FIRST(&ap->ap_queue)) != NULL) { |
625 | TAILQ_REMOVE(&ap->ap_queue, ape, ape_queue); |
626 | ap->ap_qbyteslen -= ape->ape_record_len; |
627 | audit_pipe_entry_free(ape); |
628 | ap->ap_qlen--; |
629 | } |
630 | ap->ap_qoffset = 0; |
631 | |
632 | KASSERT(ap->ap_qlen == 0, ("audit_pipe_free: ap_qbyteslen" )); |
633 | KASSERT(ap->ap_qbyteslen == 0, ("audit_pipe_flush: ap_qbyteslen" )); |
634 | } |
635 | |
636 | /* |
637 | * Free an audit pipe; this means freeing all preselection state and all |
638 | * records in the pipe. Assumes global write lock and pipe mutex are held to |
639 | * revent any new records from being inserted during the free, and that the |
640 | * audit pipe is still on the global list. |
641 | */ |
642 | static void |
643 | audit_pipe_free(struct audit_pipe *ap) |
644 | { |
645 | AUDIT_PIPE_LIST_WLOCK_ASSERT(); |
646 | AUDIT_PIPE_LOCK_ASSERT(ap); |
647 | |
648 | audit_pipe_preselect_flush_locked(ap); |
649 | audit_pipe_flush(ap); |
650 | cv_destroy(&ap->ap_cv); |
651 | AUDIT_PIPE_SX_LOCK_DESTROY(ap); |
652 | AUDIT_PIPE_UNLOCK(ap); |
653 | AUDIT_PIPE_LOCK_DESTROY(ap); |
654 | #ifndef __APPLE__ |
655 | knlist_destroy(&ap->ap_selinfo.si_note); |
656 | #endif |
657 | TAILQ_REMOVE(&audit_pipe_list, ap, ap_list); |
658 | kfree_type(struct audit_pipe, ap); |
659 | audit_pipe_count--; |
660 | } |
661 | |
662 | /* |
663 | * Audit pipe clone routine -- provides a new minor number, or to return (-1), |
664 | * if one can't be provided. Called with DEVFS_LOCK held. |
665 | */ |
666 | static int |
667 | audit_pipe_clone(__unused dev_t dev, int action) |
668 | { |
669 | int i; |
670 | |
671 | if (action == DEVFS_CLONE_ALLOC) { |
672 | for (i = 0; i < MAX_AUDIT_PIPES; i++) { |
673 | if (audit_pipe_dtab[i] == NULL) { |
674 | return i; |
675 | } |
676 | } |
677 | |
678 | /* |
679 | * XXX Should really return -1 here but that seems to hang |
680 | * things in devfs. Instead return 0 and let _open() tell |
681 | * userland the bad news. |
682 | */ |
683 | return 0; |
684 | } |
685 | |
686 | return -1; |
687 | } |
688 | |
689 | /* |
690 | * Audit pipe open method. Explicit privilege check isn't used as this |
691 | * allows file permissions on the special device to be used to grant audit |
692 | * review access. Those file permissions should be managed carefully. |
693 | */ |
694 | static int |
695 | audit_pipe_open(dev_t dev, __unused int flags, __unused int devtype, |
696 | __unused proc_t p) |
697 | { |
698 | struct audit_pipe *ap; |
699 | int u; |
700 | |
701 | u = minor(dev); |
702 | if (u < 0 || u >= MAX_AUDIT_PIPES) { |
703 | return ENXIO; |
704 | } |
705 | |
706 | AUDIT_PIPE_LIST_WLOCK(); |
707 | ap = audit_pipe_dtab[u]; |
708 | if (ap == NULL) { |
709 | ap = audit_pipe_alloc(); |
710 | if (ap == NULL) { |
711 | AUDIT_PIPE_LIST_WUNLOCK(); |
712 | return ENOMEM; |
713 | } |
714 | audit_pipe_dtab[u] = ap; |
715 | } else { |
716 | KASSERT(ap->ap_open, ("audit_pipe_open: ap && !ap_open" )); |
717 | AUDIT_PIPE_LIST_WUNLOCK(); |
718 | return EBUSY; |
719 | } |
720 | ap->ap_open = 1; |
721 | AUDIT_PIPE_LIST_WUNLOCK(); |
722 | #ifndef __APPLE__ |
723 | proc_getpid(fsetown(td->td_proc), &ap->ap_sigio); |
724 | #endif |
725 | return 0; |
726 | } |
727 | |
728 | /* |
729 | * Close audit pipe, tear down all records, etc. |
730 | */ |
731 | static int |
732 | audit_pipe_close(dev_t dev, __unused int flags, __unused int devtype, |
733 | __unused proc_t p) |
734 | { |
735 | struct audit_pipe *ap; |
736 | int u; |
737 | |
738 | u = minor(dev); |
739 | ap = audit_pipe_dtab[u]; |
740 | KASSERT(ap != NULL, ("audit_pipe_close: ap == NULL" )); |
741 | KASSERT(ap->ap_open, ("audit_pipe_close: !ap_open" )); |
742 | |
743 | #ifndef __APPLE__ |
744 | funsetown(&ap->ap_sigio); |
745 | #endif |
746 | AUDIT_PIPE_LIST_WLOCK(); |
747 | AUDIT_PIPE_LOCK(ap); |
748 | ap->ap_open = 0; |
749 | audit_pipe_free(ap); |
750 | audit_pipe_dtab[u] = NULL; |
751 | AUDIT_PIPE_LIST_WUNLOCK(); |
752 | return 0; |
753 | } |
754 | |
755 | /* |
756 | * Audit pipe ioctl() routine. Handle file descriptor and audit pipe layer |
757 | * commands. |
758 | */ |
759 | static int |
760 | audit_pipe_ioctl(dev_t dev, u_long cmd, caddr_t data, |
761 | __unused int flag, __unused proc_t p) |
762 | { |
763 | struct auditpipe_ioctl_preselect *aip; |
764 | struct audit_pipe *ap; |
765 | au_mask_t *maskp; |
766 | int error, mode; |
767 | au_id_t auid; |
768 | |
769 | ap = audit_pipe_dtab[minor(dev)]; |
770 | KASSERT(ap != NULL, ("audit_pipe_ioctl: ap == NULL" )); |
771 | |
772 | /* |
773 | * Audit pipe ioctls: first come standard device node ioctls, then |
774 | * manipulation of pipe settings, and finally, statistics query |
775 | * ioctls. |
776 | */ |
777 | switch (cmd) { |
778 | case FIONBIO: |
779 | AUDIT_PIPE_LOCK(ap); |
780 | if (*(int *)data) { |
781 | ap->ap_flags |= AUDIT_PIPE_NBIO; |
782 | } else { |
783 | ap->ap_flags &= ~AUDIT_PIPE_NBIO; |
784 | } |
785 | AUDIT_PIPE_UNLOCK(ap); |
786 | error = 0; |
787 | break; |
788 | |
789 | case FIONREAD: |
790 | AUDIT_PIPE_LOCK(ap); |
791 | *(int *)data = ap->ap_qbyteslen - ap->ap_qoffset; |
792 | AUDIT_PIPE_UNLOCK(ap); |
793 | error = 0; |
794 | break; |
795 | |
796 | case FIOASYNC: |
797 | AUDIT_PIPE_LOCK(ap); |
798 | if (*(int *)data) { |
799 | ap->ap_flags |= AUDIT_PIPE_ASYNC; |
800 | } else { |
801 | ap->ap_flags &= ~AUDIT_PIPE_ASYNC; |
802 | } |
803 | AUDIT_PIPE_UNLOCK(ap); |
804 | error = 0; |
805 | break; |
806 | |
807 | #ifndef __APPLE__ |
808 | case FIOSETOWN: |
809 | error = fsetown(*(int *)data, &ap->ap_sigio); |
810 | break; |
811 | |
812 | case FIOGETOWN: |
813 | *(int *)data = fgetown(&ap->ap_sigio); |
814 | error = 0; |
815 | break; |
816 | #endif /* !__APPLE__ */ |
817 | |
818 | case AUDITPIPE_GET_QLEN: |
819 | *(u_int *)data = ap->ap_qlen; |
820 | error = 0; |
821 | break; |
822 | |
823 | case AUDITPIPE_GET_QLIMIT: |
824 | *(u_int *)data = ap->ap_qlimit; |
825 | error = 0; |
826 | break; |
827 | |
828 | case AUDITPIPE_SET_QLIMIT: |
829 | /* Lockless integer write. */ |
830 | if (*(u_int *)data >= AUDIT_PIPE_QLIMIT_MIN || |
831 | *(u_int *)data <= AUDIT_PIPE_QLIMIT_MAX) { |
832 | ap->ap_qlimit = *(u_int *)data; |
833 | error = 0; |
834 | } else { |
835 | error = EINVAL; |
836 | } |
837 | break; |
838 | |
839 | case AUDITPIPE_GET_QLIMIT_MIN: |
840 | *(u_int *)data = AUDIT_PIPE_QLIMIT_MIN; |
841 | error = 0; |
842 | break; |
843 | |
844 | case AUDITPIPE_GET_QLIMIT_MAX: |
845 | *(u_int *)data = AUDIT_PIPE_QLIMIT_MAX; |
846 | error = 0; |
847 | break; |
848 | |
849 | case AUDITPIPE_GET_PRESELECT_FLAGS: |
850 | AUDIT_PIPE_LOCK(ap); |
851 | maskp = (au_mask_t *)data; |
852 | *maskp = ap->ap_preselect_flags; |
853 | AUDIT_PIPE_UNLOCK(ap); |
854 | error = 0; |
855 | break; |
856 | |
857 | case AUDITPIPE_SET_PRESELECT_FLAGS: |
858 | AUDIT_PIPE_LOCK(ap); |
859 | maskp = (au_mask_t *)data; |
860 | ap->ap_preselect_flags = *maskp; |
861 | AUDIT_CHECK_IF_KEVENTS_MASK(ap->ap_preselect_flags); |
862 | AUDIT_PIPE_UNLOCK(ap); |
863 | error = 0; |
864 | break; |
865 | |
866 | case AUDITPIPE_GET_PRESELECT_NAFLAGS: |
867 | AUDIT_PIPE_LOCK(ap); |
868 | maskp = (au_mask_t *)data; |
869 | *maskp = ap->ap_preselect_naflags; |
870 | AUDIT_PIPE_UNLOCK(ap); |
871 | error = 0; |
872 | break; |
873 | |
874 | case AUDITPIPE_SET_PRESELECT_NAFLAGS: |
875 | AUDIT_PIPE_LOCK(ap); |
876 | maskp = (au_mask_t *)data; |
877 | ap->ap_preselect_naflags = *maskp; |
878 | AUDIT_CHECK_IF_KEVENTS_MASK(ap->ap_preselect_naflags); |
879 | AUDIT_PIPE_UNLOCK(ap); |
880 | error = 0; |
881 | break; |
882 | |
883 | case AUDITPIPE_GET_PRESELECT_AUID: |
884 | aip = (struct auditpipe_ioctl_preselect *)data; |
885 | error = audit_pipe_preselect_get(ap, auid: aip->aip_auid, |
886 | maskp: &aip->aip_mask); |
887 | break; |
888 | |
889 | case AUDITPIPE_SET_PRESELECT_AUID: |
890 | aip = (struct auditpipe_ioctl_preselect *)data; |
891 | audit_pipe_preselect_set(ap, auid: aip->aip_auid, mask: aip->aip_mask); |
892 | error = 0; |
893 | break; |
894 | |
895 | case AUDITPIPE_DELETE_PRESELECT_AUID: |
896 | auid = *(au_id_t *)data; |
897 | error = audit_pipe_preselect_delete(ap, auid); |
898 | break; |
899 | |
900 | case AUDITPIPE_FLUSH_PRESELECT_AUID: |
901 | audit_pipe_preselect_flush(ap); |
902 | error = 0; |
903 | break; |
904 | |
905 | case AUDITPIPE_GET_PRESELECT_MODE: |
906 | AUDIT_PIPE_LOCK(ap); |
907 | *(int *)data = ap->ap_preselect_mode; |
908 | AUDIT_PIPE_UNLOCK(ap); |
909 | error = 0; |
910 | break; |
911 | |
912 | case AUDITPIPE_SET_PRESELECT_MODE: |
913 | mode = *(int *)data; |
914 | switch (mode) { |
915 | case AUDITPIPE_PRESELECT_MODE_TRAIL: |
916 | case AUDITPIPE_PRESELECT_MODE_LOCAL: |
917 | AUDIT_PIPE_LOCK(ap); |
918 | ap->ap_preselect_mode = mode; |
919 | AUDIT_PIPE_UNLOCK(ap); |
920 | error = 0; |
921 | break; |
922 | |
923 | default: |
924 | error = EINVAL; |
925 | } |
926 | break; |
927 | |
928 | case AUDITPIPE_FLUSH: |
929 | if (AUDIT_PIPE_SX_XLOCK_SIG(ap) != 0) { |
930 | return EINTR; |
931 | } |
932 | AUDIT_PIPE_LOCK(ap); |
933 | audit_pipe_flush(ap); |
934 | AUDIT_PIPE_UNLOCK(ap); |
935 | AUDIT_PIPE_SX_XUNLOCK(ap); |
936 | error = 0; |
937 | break; |
938 | |
939 | case AUDITPIPE_GET_MAXAUDITDATA: |
940 | *(u_int *)data = MAXAUDITDATA; |
941 | error = 0; |
942 | break; |
943 | |
944 | case AUDITPIPE_GET_INSERTS: |
945 | *(u_int *)data = ap->ap_inserts; |
946 | error = 0; |
947 | break; |
948 | |
949 | case AUDITPIPE_GET_READS: |
950 | *(u_int *)data = ap->ap_reads; |
951 | error = 0; |
952 | break; |
953 | |
954 | case AUDITPIPE_GET_DROPS: |
955 | *(u_int *)data = ap->ap_drops; |
956 | error = 0; |
957 | break; |
958 | |
959 | case AUDITPIPE_GET_TRUNCATES: |
960 | *(u_int *)data = 0; |
961 | error = 0; |
962 | break; |
963 | |
964 | default: |
965 | error = ENOTTY; |
966 | } |
967 | return error; |
968 | } |
969 | |
970 | /* |
971 | * Audit pipe read. Read one or more partial or complete records to user |
972 | * memory. |
973 | */ |
974 | static int |
975 | audit_pipe_read(dev_t dev, struct uio *uio, __unused int flag) |
976 | { |
977 | struct audit_pipe_entry *ape; |
978 | struct audit_pipe *ap; |
979 | u_int toread; |
980 | int error; |
981 | |
982 | ap = audit_pipe_dtab[minor(dev)]; |
983 | KASSERT(ap != NULL, ("audit_pipe_read: ap == NULL" )); |
984 | |
985 | /* |
986 | * We hold an sleep lock over read and flush because we rely on the |
987 | * stability of a record in the queue during uiomove(9). |
988 | */ |
989 | if (AUDIT_PIPE_SX_XLOCK_SIG(ap) != 0) { |
990 | return EINTR; |
991 | } |
992 | AUDIT_PIPE_LOCK(ap); |
993 | while (TAILQ_EMPTY(&ap->ap_queue)) { |
994 | if (ap->ap_flags & AUDIT_PIPE_NBIO) { |
995 | AUDIT_PIPE_UNLOCK(ap); |
996 | AUDIT_PIPE_SX_XUNLOCK(ap); |
997 | return EAGAIN; |
998 | } |
999 | error = cv_wait_sig(&ap->ap_cv, AUDIT_PIPE_MTX(ap)); |
1000 | if (error) { |
1001 | AUDIT_PIPE_UNLOCK(ap); |
1002 | AUDIT_PIPE_SX_XUNLOCK(ap); |
1003 | return error; |
1004 | } |
1005 | } |
1006 | |
1007 | /* |
1008 | * Copy as many remaining bytes from the current record to userspace |
1009 | * as we can. Keep processing records until we run out of records in |
1010 | * the queue, or until the user buffer runs out of space. |
1011 | * |
1012 | * Note: we rely on the sleep lock to maintain ape's stability here. |
1013 | */ |
1014 | ap->ap_reads++; |
1015 | while ((ape = TAILQ_FIRST(&ap->ap_queue)) != NULL && |
1016 | uio_resid(a_uio: uio) > 0) { |
1017 | AUDIT_PIPE_LOCK_ASSERT(ap); |
1018 | |
1019 | KASSERT(ape->ape_record_len > ap->ap_qoffset, |
1020 | ("audit_pipe_read: record_len > qoffset (1)" )); |
1021 | toread = MIN((int)(ape->ape_record_len - ap->ap_qoffset), |
1022 | uio_resid(uio)); |
1023 | AUDIT_PIPE_UNLOCK(ap); |
1024 | error = uiomove(cp: (char *)ape->ape_record + ap->ap_qoffset, |
1025 | n: toread, uio); |
1026 | if (error) { |
1027 | AUDIT_PIPE_SX_XUNLOCK(ap); |
1028 | return error; |
1029 | } |
1030 | |
1031 | /* |
1032 | * If the copy succeeded, update book-keeping, and if no |
1033 | * bytes remain in the current record, free it. |
1034 | */ |
1035 | AUDIT_PIPE_LOCK(ap); |
1036 | KASSERT(TAILQ_FIRST(&ap->ap_queue) == ape, |
1037 | ("audit_pipe_read: queue out of sync after uiomove" )); |
1038 | ap->ap_qoffset += toread; |
1039 | KASSERT(ape->ape_record_len >= ap->ap_qoffset, |
1040 | ("audit_pipe_read: record_len >= qoffset (2)" )); |
1041 | if (ap->ap_qoffset == ape->ape_record_len) { |
1042 | TAILQ_REMOVE(&ap->ap_queue, ape, ape_queue); |
1043 | ap->ap_qbyteslen -= ape->ape_record_len; |
1044 | audit_pipe_entry_free(ape); |
1045 | ap->ap_qlen--; |
1046 | ap->ap_qoffset = 0; |
1047 | } |
1048 | } |
1049 | AUDIT_PIPE_UNLOCK(ap); |
1050 | AUDIT_PIPE_SX_XUNLOCK(ap); |
1051 | return 0; |
1052 | } |
1053 | |
1054 | /* |
1055 | * Audit pipe poll. |
1056 | */ |
1057 | static int |
1058 | audit_pipe_poll(dev_t dev, int events, void *wql, struct proc *p) |
1059 | { |
1060 | struct audit_pipe *ap; |
1061 | int revents; |
1062 | |
1063 | revents = 0; |
1064 | ap = audit_pipe_dtab[minor(dev)]; |
1065 | KASSERT(ap != NULL, ("audit_pipe_poll: ap == NULL" )); |
1066 | |
1067 | if (events & (POLLIN | POLLRDNORM)) { |
1068 | AUDIT_PIPE_LOCK(ap); |
1069 | if (TAILQ_FIRST(&ap->ap_queue) != NULL) { |
1070 | revents |= events & (POLLIN | POLLRDNORM); |
1071 | } else { |
1072 | selrecord(selector: p, &ap->ap_selinfo, wql); |
1073 | } |
1074 | AUDIT_PIPE_UNLOCK(ap); |
1075 | } |
1076 | return revents; |
1077 | } |
1078 | |
1079 | static void *devnode; |
1080 | |
1081 | int |
1082 | audit_pipe_init(void) |
1083 | { |
1084 | dev_t dev; |
1085 | |
1086 | TAILQ_INIT(&audit_pipe_list); |
1087 | AUDIT_PIPE_LIST_LOCK_INIT(); |
1088 | |
1089 | audit_pipe_major = cdevsw_add(-1, &audit_pipe_cdevsw); |
1090 | if (audit_pipe_major < 0) { |
1091 | return KERN_FAILURE; |
1092 | } |
1093 | |
1094 | dev = makedev(audit_pipe_major, 0); |
1095 | devnode = devfs_make_node_clone(dev, DEVFS_CHAR, UID_ROOT, GID_WHEEL, |
1096 | perms: 0600, clone: audit_pipe_clone, fmt: "auditpipe" ); |
1097 | |
1098 | if (devnode == NULL) { |
1099 | return KERN_FAILURE; |
1100 | } |
1101 | |
1102 | return KERN_SUCCESS; |
1103 | } |
1104 | |
1105 | int |
1106 | audit_pipe_shutdown(void) |
1107 | { |
1108 | /* unwind everything */ |
1109 | devfs_remove(handle: devnode); |
1110 | (void) cdevsw_remove(audit_pipe_major, &audit_pipe_cdevsw); |
1111 | |
1112 | return KERN_SUCCESS; |
1113 | } |
1114 | |
1115 | #endif /* CONFIG_AUDIT */ |
1116 | |