1/*-
2 * Copyright (c) 2006 Robert N. M. Watson
3 * Copyright (c) 2008-2009 Apple, Inc.
4 * All rights reserved.
5 *
6 * This software was developed by Robert Watson for the TrustedBSD Project.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27 * SUCH DAMAGE.
28 */
29
30#include <stdarg.h>
31#include <sys/param.h>
32#include <sys/systm.h>
33#include <sys/kernel.h>
34#include <sys/fcntl.h>
35#include <sys/conf.h>
36#include <sys/poll.h>
37#include <sys/user.h>
38#include <sys/signalvar.h>
39#include <miscfs/devfs/devfs.h>
40
41#include <bsm/audit.h>
42#include <security/audit/audit.h>
43#include <security/audit/audit_ioctl.h>
44#include <security/audit/audit_bsd.h>
45#include <security/audit/audit_private.h>
46
47#if CONFIG_AUDIT
48/*
49 * Implementation of a clonable special device providing a live stream of BSM
50 * audit data. Consumers receive a "tee" of the system audit trail by
51 * default, but may also define alternative event selections using ioctls.
52 * This interface provides unreliable but timely access to audit events.
53 * Consumers should be very careful to avoid introducing event cycles.
54 */
55
56/*
57 * Memory types.
58 */
59static MALLOC_DEFINE(M_AUDIT_PIPE, "audit_pipe", "Audit pipes");
60static MALLOC_DEFINE(M_AUDIT_PIPE_ENTRY, "audit_pipeent",
61 "Audit pipe entries and buffers");
62static MALLOC_DEFINE(M_AUDIT_PIPE_PRESELECT, "audit_pipe_presel",
63 "Audit pipe preselection structure");
64
65/*
66 * Audit pipe buffer parameters.
67 */
68#define AUDIT_PIPE_QLIMIT_DEFAULT (128)
69#define AUDIT_PIPE_QLIMIT_MIN (1)
70#define AUDIT_PIPE_QLIMIT_MAX (1024)
71
72/*
73 * Description of an entry in an audit_pipe.
74 */
75struct audit_pipe_entry {
76 void *ape_record;
77 u_int ape_record_len;
78 TAILQ_ENTRY(audit_pipe_entry) ape_queue;
79};
80
81/*
82 * Audit pipes allow processes to express "interest" in the set of records
83 * that are delivered via the pipe. They do this in a similar manner to the
84 * mechanism for audit trail configuration, by expressing two global masks,
85 * and optionally expressing per-auid masks. The following data structure is
86 * the per-auid mask description. The global state is stored in the audit
87 * pipe data structure.
88 *
89 * We may want to consider a more space/time-efficient data structure once
90 * usage patterns for per-auid specifications are clear.
91 */
92struct audit_pipe_preselect {
93 au_id_t app_auid;
94 au_mask_t app_mask;
95 TAILQ_ENTRY(audit_pipe_preselect) app_list;
96};
97
98/*
99 * Description of an individual audit_pipe. Consists largely of a bounded
100 * length queue.
101 */
102#define AUDIT_PIPE_ASYNC 0x00000001
103#define AUDIT_PIPE_NBIO 0x00000002
104struct audit_pipe {
105 int ap_open; /* Device open? */
106 u_int ap_flags;
107
108 struct selinfo ap_selinfo;
109 pid_t ap_sigio;
110
111 /*
112 * Per-pipe mutex protecting most fields in this data structure.
113 */
114 struct mtx ap_mtx;
115
116 /*
117 * Per-pipe sleep lock serializing user-generated reads and flushes.
118 * uiomove() is called to copy out the current head record's data
119 * while the record remains in the queue, so we prevent other threads
120 * from removing it using this lock.
121 */
122 struct slck ap_sx;
123
124 /*
125 * Condition variable to signal when data has been delivered to a
126 * pipe.
127 */
128 struct cv ap_cv;
129
130 /*
131 * Various queue-related variables: qlen and qlimit are a count of
132 * records in the queue; qbyteslen is the number of bytes of data
133 * across all records, and qoffset is the amount read so far of the
134 * first record in the queue. The number of bytes available for
135 * reading in the queue is qbyteslen - qoffset.
136 */
137 u_int ap_qlen;
138 u_int ap_qlimit;
139 u_int ap_qbyteslen;
140 u_int ap_qoffset;
141
142 /*
143 * Per-pipe operation statistics.
144 */
145 u_int64_t ap_inserts; /* Records added. */
146 u_int64_t ap_reads; /* Records read. */
147 u_int64_t ap_drops; /* Records dropped. */
148
149 /*
150 * Fields relating to pipe interest: global masks for unmatched
151 * processes (attributable, non-attributable), and a list of specific
152 * interest specifications by auid.
153 */
154 int ap_preselect_mode;
155 au_mask_t ap_preselect_flags;
156 au_mask_t ap_preselect_naflags;
157 TAILQ_HEAD(, audit_pipe_preselect) ap_preselect_list;
158
159 /*
160 * Current pending record list. Protected by a combination of ap_mtx
161 * and ap_sx. Note particularly that *both* locks are required to
162 * remove a record from the head of the queue, as an in-progress read
163 * may sleep while copying and therefore cannot hold ap_mtx.
164 */
165 TAILQ_HEAD(, audit_pipe_entry) ap_queue;
166
167 /*
168 * Global pipe list.
169 */
170 TAILQ_ENTRY(audit_pipe) ap_list;
171};
172
173#define AUDIT_PIPE_LOCK(ap) mtx_lock(&(ap)->ap_mtx)
174#define AUDIT_PIPE_LOCK_ASSERT(ap) mtx_assert(&(ap)->ap_mtx, MA_OWNED)
175#define AUDIT_PIPE_LOCK_DESTROY(ap) mtx_destroy(&(ap)->ap_mtx)
176#define AUDIT_PIPE_LOCK_INIT(ap) mtx_init(&(ap)->ap_mtx, \
177 "audit_pipe_mtx", NULL, MTX_DEF)
178#define AUDIT_PIPE_UNLOCK(ap) mtx_unlock(&(ap)->ap_mtx)
179#define AUDIT_PIPE_MTX(ap) (&(ap)->ap_mtx)
180
181#define AUDIT_PIPE_SX_LOCK_DESTROY(ap) slck_destroy(&(ap)->ap_sx)
182#define AUDIT_PIPE_SX_LOCK_INIT(ap) slck_init(&(ap)->ap_sx, "audit_pipe_sx")
183#define AUDIT_PIPE_SX_XLOCK_ASSERT(ap) slck_assert(&(ap)->ap_sx, SA_XLOCKED)
184#define AUDIT_PIPE_SX_XLOCK_SIG(ap) slck_lock_sig(&(ap)->ap_sx)
185#define AUDIT_PIPE_SX_XUNLOCK(ap) slck_unlock(&(ap)->ap_sx)
186
187
188/*
189 * Global list of audit pipes, rwlock to protect it. Individual record
190 * queues on pipes are protected by per-pipe locks; these locks synchronize
191 * between threads walking the list to deliver to individual pipes and add/
192 * remove of pipes, and are mostly acquired for read.
193 */
194static TAILQ_HEAD(, audit_pipe) audit_pipe_list;
195static struct rwlock audit_pipe_lock;
196
197#define AUDIT_PIPE_LIST_LOCK_INIT() rw_init(&audit_pipe_lock, \
198 "audit_pipe_list_lock")
199#define AUDIT_PIPE_LIST_RLOCK() rw_rlock(&audit_pipe_lock)
200#define AUDIT_PIPE_LIST_RUNLOCK() rw_runlock(&audit_pipe_lock)
201#define AUDIT_PIPE_LIST_WLOCK() rw_wlock(&audit_pipe_lock)
202#define AUDIT_PIPE_LIST_WLOCK_ASSERT() rw_assert(&audit_pipe_lock, \
203 RA_WLOCKED)
204#define AUDIT_PIPE_LIST_WUNLOCK() rw_wunlock(&audit_pipe_lock)
205
206/*
207 * Cloning related variables and constants.
208 */
209#define AUDIT_PIPE_NAME "auditpipe"
210#define MAX_AUDIT_PIPES 32
211static int audit_pipe_major;
212
213/*
214 * dev_t doesn't have a pointer for "softc" data. So we have to keep track of
215 * it with the following global array (indexed by the minor number).
216 *
217 * XXX We may want to dynamically grow this as needed.
218 */
219static struct audit_pipe *audit_pipe_dtab[MAX_AUDIT_PIPES];
220
221
222/*
223 * Special device methods and definition.
224 */
225static open_close_fcn_t audit_pipe_open;
226static open_close_fcn_t audit_pipe_close;
227static read_write_fcn_t audit_pipe_read;
228static ioctl_fcn_t audit_pipe_ioctl;
229static select_fcn_t audit_pipe_poll;
230
231static const struct cdevsw audit_pipe_cdevsw = {
232 .d_open = audit_pipe_open,
233 .d_close = audit_pipe_close,
234 .d_read = audit_pipe_read,
235 .d_write = eno_rdwrt,
236 .d_ioctl = audit_pipe_ioctl,
237 .d_stop = eno_stop,
238 .d_reset = eno_reset,
239 .d_ttys = NULL,
240 .d_select = audit_pipe_poll,
241 .d_mmap = eno_mmap,
242 .d_strategy = eno_strat,
243 .d_type = 0
244};
245
246/*
247 * Some global statistics on audit pipes.
248 */
249static int audit_pipe_count; /* Current number of pipes. */
250static u_int64_t audit_pipe_ever; /* Pipes ever allocated. */
251static u_int64_t audit_pipe_records; /* Records seen. */
252static u_int64_t audit_pipe_drops; /* Global record drop count. */
253
254/*
255 * Free an audit pipe entry.
256 */
257static void
258audit_pipe_entry_free(struct audit_pipe_entry *ape)
259{
260 kfree_data(ape->ape_record, ape->ape_record_len);
261 kfree_type(struct audit_pipe_entry, ape);
262}
263
264/*
265 * Find an audit pipe preselection specification for an auid, if any.
266 */
267static struct audit_pipe_preselect *
268audit_pipe_preselect_find(struct audit_pipe *ap, au_id_t auid)
269{
270 struct audit_pipe_preselect *app;
271
272 AUDIT_PIPE_LOCK_ASSERT(ap);
273
274 TAILQ_FOREACH(app, &ap->ap_preselect_list, app_list) {
275 if (app->app_auid == auid) {
276 return app;
277 }
278 }
279 return NULL;
280}
281
282/*
283 * Query the per-pipe mask for a specific auid.
284 */
285static int
286audit_pipe_preselect_get(struct audit_pipe *ap, au_id_t auid,
287 au_mask_t *maskp)
288{
289 struct audit_pipe_preselect *app;
290 int error;
291
292 AUDIT_PIPE_LOCK(ap);
293 app = audit_pipe_preselect_find(ap, auid);
294 if (app != NULL) {
295 *maskp = app->app_mask;
296 error = 0;
297 } else {
298 error = ENOENT;
299 }
300 AUDIT_PIPE_UNLOCK(ap);
301 return error;
302}
303
304/*
305 * Set the per-pipe mask for a specific auid. Add a new entry if needed;
306 * otherwise, update the current entry.
307 */
308static void
309audit_pipe_preselect_set(struct audit_pipe *ap, au_id_t auid, au_mask_t mask)
310{
311 struct audit_pipe_preselect *app, *app_new;
312
313 /*
314 * Pessimistically assume that the auid doesn't already have a mask
315 * set, and allocate. We will free it if it is unneeded.
316 */
317 app_new = kalloc_type(struct audit_pipe_preselect, Z_WAITOK | Z_NOFAIL);
318 AUDIT_PIPE_LOCK(ap);
319 app = audit_pipe_preselect_find(ap, auid);
320 if (app == NULL) {
321 app = app_new;
322 app_new = NULL;
323 app->app_auid = auid;
324 TAILQ_INSERT_TAIL(&ap->ap_preselect_list, app, app_list);
325 }
326 app->app_mask = mask;
327 AUDIT_PIPE_UNLOCK(ap);
328 kfree_type(struct audit_pipe_preselect, app_new);
329}
330
331/*
332 * Delete a per-auid mask on an audit pipe.
333 */
334static int
335audit_pipe_preselect_delete(struct audit_pipe *ap, au_id_t auid)
336{
337 struct audit_pipe_preselect *app;
338 int error;
339
340 AUDIT_PIPE_LOCK(ap);
341 app = audit_pipe_preselect_find(ap, auid);
342 if (app != NULL) {
343 TAILQ_REMOVE(&ap->ap_preselect_list, app, app_list);
344 error = 0;
345 } else {
346 error = ENOENT;
347 }
348 AUDIT_PIPE_UNLOCK(ap);
349 kfree_type(struct audit_pipe_preselect, app);
350 return error;
351}
352
353/*
354 * Delete all per-auid masks on an audit pipe.
355 */
356static void
357audit_pipe_preselect_flush_locked(struct audit_pipe *ap)
358{
359 struct audit_pipe_preselect *app;
360
361 AUDIT_PIPE_LOCK_ASSERT(ap);
362
363 while ((app = TAILQ_FIRST(&ap->ap_preselect_list)) != NULL) {
364 TAILQ_REMOVE(&ap->ap_preselect_list, app, app_list);
365 kfree_type(struct audit_pipe_preselect, app);
366 }
367}
368
369static void
370audit_pipe_preselect_flush(struct audit_pipe *ap)
371{
372 AUDIT_PIPE_LOCK(ap);
373 audit_pipe_preselect_flush_locked(ap);
374 AUDIT_PIPE_UNLOCK(ap);
375}
376
377/*-
378 * Determine whether a specific audit pipe matches a record with these
379 * properties. Algorithm is as follows:
380 *
381 * - If the pipe is configured to track the default trail configuration, then
382 * use the results of global preselection matching.
383 * - If not, search for a specifically configured auid entry matching the
384 * event. If an entry is found, use that.
385 * - Otherwise, use the default flags or naflags configured for the pipe.
386 */
387static int
388audit_pipe_preselect_check(struct audit_pipe *ap, au_id_t auid,
389 au_event_t event, au_class_t class, int sorf, int trail_preselect)
390{
391 struct audit_pipe_preselect *app;
392
393 AUDIT_PIPE_LOCK_ASSERT(ap);
394
395 switch (ap->ap_preselect_mode) {
396 case AUDITPIPE_PRESELECT_MODE_TRAIL:
397 return trail_preselect;
398
399 case AUDITPIPE_PRESELECT_MODE_LOCAL:
400 app = audit_pipe_preselect_find(ap, auid);
401 if (app == NULL) {
402 if (auid == (uid_t)AU_DEFAUDITID) {
403 return au_preselect(event, class,
404 mask_p: &ap->ap_preselect_naflags, sorf);
405 } else {
406 return au_preselect(event, class,
407 mask_p: &ap->ap_preselect_flags, sorf);
408 }
409 } else {
410 return au_preselect(event, class, mask_p: &app->app_mask,
411 sorf);
412 }
413
414 default:
415 panic("audit_pipe_preselect_check: mode %d",
416 ap->ap_preselect_mode);
417 }
418
419 return 0;
420}
421
422/*
423 * Determine whether there exists a pipe interested in a record with specific
424 * properties.
425 */
426int
427audit_pipe_preselect(au_id_t auid, au_event_t event, au_class_t class,
428 int sorf, int trail_preselect)
429{
430 struct audit_pipe *ap;
431
432 /* Lockless read to avoid acquiring the global lock if not needed. */
433 if (TAILQ_EMPTY(&audit_pipe_list)) {
434 return 0;
435 }
436
437 AUDIT_PIPE_LIST_RLOCK();
438 TAILQ_FOREACH(ap, &audit_pipe_list, ap_list) {
439 AUDIT_PIPE_LOCK(ap);
440 if (audit_pipe_preselect_check(ap, auid, event, class, sorf,
441 trail_preselect)) {
442 AUDIT_PIPE_UNLOCK(ap);
443 AUDIT_PIPE_LIST_RUNLOCK();
444 return 1;
445 }
446 AUDIT_PIPE_UNLOCK(ap);
447 }
448 AUDIT_PIPE_LIST_RUNLOCK();
449 return 0;
450}
451
452/*
453 * Append individual record to a queue -- allocate queue-local buffer, and
454 * add to the queue. If the queue is full or we can't allocate memory, drop
455 * the newest record.
456 */
457static void
458audit_pipe_append(struct audit_pipe *ap, void *record, u_int record_len)
459{
460 struct audit_pipe_entry *ape;
461
462 AUDIT_PIPE_LOCK_ASSERT(ap);
463
464 if (ap->ap_qlen >= ap->ap_qlimit) {
465 ap->ap_drops++;
466 audit_pipe_drops++;
467 return;
468 }
469
470 ape = kalloc_type(struct audit_pipe_entry, Z_NOWAIT | Z_ZERO);
471 if (ape == NULL) {
472 ap->ap_drops++;
473 audit_pipe_drops++;
474 return;
475 }
476
477 ape->ape_record = kalloc_data(record_len, Z_NOWAIT);
478 if (ape->ape_record == NULL) {
479 kfree_type(struct audit_pipe_entry, ape);
480 ap->ap_drops++;
481 audit_pipe_drops++;
482 return;
483 }
484
485 bcopy(src: record, dst: ape->ape_record, n: record_len);
486 ape->ape_record_len = record_len;
487
488 TAILQ_INSERT_TAIL(&ap->ap_queue, ape, ape_queue);
489 ap->ap_inserts++;
490 ap->ap_qlen++;
491 ap->ap_qbyteslen += ape->ape_record_len;
492 selwakeup(&ap->ap_selinfo);
493 if (ap->ap_flags & AUDIT_PIPE_ASYNC) {
494 pgsigio(pgid: ap->ap_sigio, SIGIO);
495 }
496#if 0 /* XXX - fix select */
497 selwakeuppri(&ap->ap_selinfo, PSOCK);
498 KNOTE_LOCKED(&ap->ap_selinfo.si_note, 0);
499 if (ap->ap_flags & AUDIT_PIPE_ASYNC) {
500 pgsigio(&ap->ap_sigio, SIGIO, 0);
501 }
502#endif
503 cv_broadcast(&ap->ap_cv);
504}
505
506/*
507 * audit_pipe_submit(): audit_worker submits audit records via this
508 * interface, which arranges for them to be delivered to pipe queues.
509 */
510void
511audit_pipe_submit(au_id_t auid, au_event_t event, au_class_t class, int sorf,
512 int trail_select, void *record, u_int record_len)
513{
514 struct audit_pipe *ap;
515
516 /*
517 * Lockless read to avoid lock overhead if pipes are not in use.
518 */
519 if (TAILQ_FIRST(&audit_pipe_list) == NULL) {
520 return;
521 }
522
523 AUDIT_PIPE_LIST_RLOCK();
524 TAILQ_FOREACH(ap, &audit_pipe_list, ap_list) {
525 AUDIT_PIPE_LOCK(ap);
526 if (audit_pipe_preselect_check(ap, auid, event, class, sorf,
527 trail_preselect: trail_select)) {
528 audit_pipe_append(ap, record, record_len);
529 }
530 AUDIT_PIPE_UNLOCK(ap);
531 }
532 AUDIT_PIPE_LIST_RUNLOCK();
533
534 /* Unlocked increment. */
535 audit_pipe_records++;
536}
537
538/*
539 * audit_pipe_submit_user(): the same as audit_pipe_submit(), except that
540 * since we don't currently have selection information available, it is
541 * delivered to the pipe unconditionally.
542 *
543 * XXXRW: This is a bug. The BSM check routine for submitting a user record
544 * should parse that information and return it.
545 */
546void
547audit_pipe_submit_user(void *record, u_int record_len)
548{
549 struct audit_pipe *ap;
550
551 /*
552 * Lockless read to avoid lock overhead if pipes are not in use.
553 */
554 if (TAILQ_FIRST(&audit_pipe_list) == NULL) {
555 return;
556 }
557
558 AUDIT_PIPE_LIST_RLOCK();
559 TAILQ_FOREACH(ap, &audit_pipe_list, ap_list) {
560 AUDIT_PIPE_LOCK(ap);
561 audit_pipe_append(ap, record, record_len);
562 AUDIT_PIPE_UNLOCK(ap);
563 }
564 AUDIT_PIPE_LIST_RUNLOCK();
565
566 /* Unlocked increment. */
567 audit_pipe_records++;
568}
569
570/*
571 * Allocate a new audit pipe. Connects the pipe, on success, to the global
572 * list and updates statistics.
573 */
574static struct audit_pipe *
575audit_pipe_alloc(void)
576{
577 struct audit_pipe *ap;
578
579 AUDIT_PIPE_LIST_WLOCK_ASSERT();
580
581 ap = kalloc_type(struct audit_pipe, Z_WAITOK | Z_ZERO | Z_NOFAIL);
582 ap->ap_qlimit = AUDIT_PIPE_QLIMIT_DEFAULT;
583 TAILQ_INIT(&ap->ap_queue);
584#ifndef __APPLE__
585 knlist_init(&ap->ap_selinfo.si_note, AUDIT_PIPE_MTX(ap), NULL, NULL,
586 NULL);
587#endif
588 AUDIT_PIPE_LOCK_INIT(ap);
589 AUDIT_PIPE_SX_LOCK_INIT(ap);
590 cv_init(&ap->ap_cv, "audit_pipe");
591
592 /*
593 * Default flags, naflags, and auid-specific preselection settings to
594 * 0. Initialize the mode to the global trail so that if praudit(1)
595 * is run on /dev/auditpipe, it sees events associated with the
596 * default trail. Pipe-aware application can clear the flag, set
597 * custom masks, and flush the pipe as needed.
598 */
599 bzero(s: &ap->ap_preselect_flags, n: sizeof(ap->ap_preselect_flags));
600 bzero(s: &ap->ap_preselect_naflags, n: sizeof(ap->ap_preselect_naflags));
601 TAILQ_INIT(&ap->ap_preselect_list);
602 ap->ap_preselect_mode = AUDITPIPE_PRESELECT_MODE_TRAIL;
603
604 /*
605 * Add to global list and update global statistics.
606 */
607 TAILQ_INSERT_HEAD(&audit_pipe_list, ap, ap_list);
608 audit_pipe_count++;
609 audit_pipe_ever++;
610
611 return ap;
612}
613
614/*
615 * Flush all records currently present in an audit pipe; assume mutex is held.
616 */
617static void
618audit_pipe_flush(struct audit_pipe *ap)
619{
620 struct audit_pipe_entry *ape;
621
622 AUDIT_PIPE_LOCK_ASSERT(ap);
623
624 while ((ape = TAILQ_FIRST(&ap->ap_queue)) != NULL) {
625 TAILQ_REMOVE(&ap->ap_queue, ape, ape_queue);
626 ap->ap_qbyteslen -= ape->ape_record_len;
627 audit_pipe_entry_free(ape);
628 ap->ap_qlen--;
629 }
630 ap->ap_qoffset = 0;
631
632 KASSERT(ap->ap_qlen == 0, ("audit_pipe_free: ap_qbyteslen"));
633 KASSERT(ap->ap_qbyteslen == 0, ("audit_pipe_flush: ap_qbyteslen"));
634}
635
636/*
637 * Free an audit pipe; this means freeing all preselection state and all
638 * records in the pipe. Assumes global write lock and pipe mutex are held to
639 * revent any new records from being inserted during the free, and that the
640 * audit pipe is still on the global list.
641 */
642static void
643audit_pipe_free(struct audit_pipe *ap)
644{
645 AUDIT_PIPE_LIST_WLOCK_ASSERT();
646 AUDIT_PIPE_LOCK_ASSERT(ap);
647
648 audit_pipe_preselect_flush_locked(ap);
649 audit_pipe_flush(ap);
650 cv_destroy(&ap->ap_cv);
651 AUDIT_PIPE_SX_LOCK_DESTROY(ap);
652 AUDIT_PIPE_UNLOCK(ap);
653 AUDIT_PIPE_LOCK_DESTROY(ap);
654#ifndef __APPLE__
655 knlist_destroy(&ap->ap_selinfo.si_note);
656#endif
657 TAILQ_REMOVE(&audit_pipe_list, ap, ap_list);
658 kfree_type(struct audit_pipe, ap);
659 audit_pipe_count--;
660}
661
662/*
663 * Audit pipe clone routine -- provides a new minor number, or to return (-1),
664 * if one can't be provided. Called with DEVFS_LOCK held.
665 */
666static int
667audit_pipe_clone(__unused dev_t dev, int action)
668{
669 int i;
670
671 if (action == DEVFS_CLONE_ALLOC) {
672 for (i = 0; i < MAX_AUDIT_PIPES; i++) {
673 if (audit_pipe_dtab[i] == NULL) {
674 return i;
675 }
676 }
677
678 /*
679 * XXX Should really return -1 here but that seems to hang
680 * things in devfs. Instead return 0 and let _open() tell
681 * userland the bad news.
682 */
683 return 0;
684 }
685
686 return -1;
687}
688
689/*
690 * Audit pipe open method. Explicit privilege check isn't used as this
691 * allows file permissions on the special device to be used to grant audit
692 * review access. Those file permissions should be managed carefully.
693 */
694static int
695audit_pipe_open(dev_t dev, __unused int flags, __unused int devtype,
696 __unused proc_t p)
697{
698 struct audit_pipe *ap;
699 int u;
700
701 u = minor(dev);
702 if (u < 0 || u >= MAX_AUDIT_PIPES) {
703 return ENXIO;
704 }
705
706 AUDIT_PIPE_LIST_WLOCK();
707 ap = audit_pipe_dtab[u];
708 if (ap == NULL) {
709 ap = audit_pipe_alloc();
710 if (ap == NULL) {
711 AUDIT_PIPE_LIST_WUNLOCK();
712 return ENOMEM;
713 }
714 audit_pipe_dtab[u] = ap;
715 } else {
716 KASSERT(ap->ap_open, ("audit_pipe_open: ap && !ap_open"));
717 AUDIT_PIPE_LIST_WUNLOCK();
718 return EBUSY;
719 }
720 ap->ap_open = 1;
721 AUDIT_PIPE_LIST_WUNLOCK();
722#ifndef __APPLE__
723 proc_getpid(fsetown(td->td_proc), &ap->ap_sigio);
724#endif
725 return 0;
726}
727
728/*
729 * Close audit pipe, tear down all records, etc.
730 */
731static int
732audit_pipe_close(dev_t dev, __unused int flags, __unused int devtype,
733 __unused proc_t p)
734{
735 struct audit_pipe *ap;
736 int u;
737
738 u = minor(dev);
739 ap = audit_pipe_dtab[u];
740 KASSERT(ap != NULL, ("audit_pipe_close: ap == NULL"));
741 KASSERT(ap->ap_open, ("audit_pipe_close: !ap_open"));
742
743#ifndef __APPLE__
744 funsetown(&ap->ap_sigio);
745#endif
746 AUDIT_PIPE_LIST_WLOCK();
747 AUDIT_PIPE_LOCK(ap);
748 ap->ap_open = 0;
749 audit_pipe_free(ap);
750 audit_pipe_dtab[u] = NULL;
751 AUDIT_PIPE_LIST_WUNLOCK();
752 return 0;
753}
754
755/*
756 * Audit pipe ioctl() routine. Handle file descriptor and audit pipe layer
757 * commands.
758 */
759static int
760audit_pipe_ioctl(dev_t dev, u_long cmd, caddr_t data,
761 __unused int flag, __unused proc_t p)
762{
763 struct auditpipe_ioctl_preselect *aip;
764 struct audit_pipe *ap;
765 au_mask_t *maskp;
766 int error, mode;
767 au_id_t auid;
768
769 ap = audit_pipe_dtab[minor(dev)];
770 KASSERT(ap != NULL, ("audit_pipe_ioctl: ap == NULL"));
771
772 /*
773 * Audit pipe ioctls: first come standard device node ioctls, then
774 * manipulation of pipe settings, and finally, statistics query
775 * ioctls.
776 */
777 switch (cmd) {
778 case FIONBIO:
779 AUDIT_PIPE_LOCK(ap);
780 if (*(int *)data) {
781 ap->ap_flags |= AUDIT_PIPE_NBIO;
782 } else {
783 ap->ap_flags &= ~AUDIT_PIPE_NBIO;
784 }
785 AUDIT_PIPE_UNLOCK(ap);
786 error = 0;
787 break;
788
789 case FIONREAD:
790 AUDIT_PIPE_LOCK(ap);
791 *(int *)data = ap->ap_qbyteslen - ap->ap_qoffset;
792 AUDIT_PIPE_UNLOCK(ap);
793 error = 0;
794 break;
795
796 case FIOASYNC:
797 AUDIT_PIPE_LOCK(ap);
798 if (*(int *)data) {
799 ap->ap_flags |= AUDIT_PIPE_ASYNC;
800 } else {
801 ap->ap_flags &= ~AUDIT_PIPE_ASYNC;
802 }
803 AUDIT_PIPE_UNLOCK(ap);
804 error = 0;
805 break;
806
807#ifndef __APPLE__
808 case FIOSETOWN:
809 error = fsetown(*(int *)data, &ap->ap_sigio);
810 break;
811
812 case FIOGETOWN:
813 *(int *)data = fgetown(&ap->ap_sigio);
814 error = 0;
815 break;
816#endif /* !__APPLE__ */
817
818 case AUDITPIPE_GET_QLEN:
819 *(u_int *)data = ap->ap_qlen;
820 error = 0;
821 break;
822
823 case AUDITPIPE_GET_QLIMIT:
824 *(u_int *)data = ap->ap_qlimit;
825 error = 0;
826 break;
827
828 case AUDITPIPE_SET_QLIMIT:
829 /* Lockless integer write. */
830 if (*(u_int *)data >= AUDIT_PIPE_QLIMIT_MIN ||
831 *(u_int *)data <= AUDIT_PIPE_QLIMIT_MAX) {
832 ap->ap_qlimit = *(u_int *)data;
833 error = 0;
834 } else {
835 error = EINVAL;
836 }
837 break;
838
839 case AUDITPIPE_GET_QLIMIT_MIN:
840 *(u_int *)data = AUDIT_PIPE_QLIMIT_MIN;
841 error = 0;
842 break;
843
844 case AUDITPIPE_GET_QLIMIT_MAX:
845 *(u_int *)data = AUDIT_PIPE_QLIMIT_MAX;
846 error = 0;
847 break;
848
849 case AUDITPIPE_GET_PRESELECT_FLAGS:
850 AUDIT_PIPE_LOCK(ap);
851 maskp = (au_mask_t *)data;
852 *maskp = ap->ap_preselect_flags;
853 AUDIT_PIPE_UNLOCK(ap);
854 error = 0;
855 break;
856
857 case AUDITPIPE_SET_PRESELECT_FLAGS:
858 AUDIT_PIPE_LOCK(ap);
859 maskp = (au_mask_t *)data;
860 ap->ap_preselect_flags = *maskp;
861 AUDIT_CHECK_IF_KEVENTS_MASK(ap->ap_preselect_flags);
862 AUDIT_PIPE_UNLOCK(ap);
863 error = 0;
864 break;
865
866 case AUDITPIPE_GET_PRESELECT_NAFLAGS:
867 AUDIT_PIPE_LOCK(ap);
868 maskp = (au_mask_t *)data;
869 *maskp = ap->ap_preselect_naflags;
870 AUDIT_PIPE_UNLOCK(ap);
871 error = 0;
872 break;
873
874 case AUDITPIPE_SET_PRESELECT_NAFLAGS:
875 AUDIT_PIPE_LOCK(ap);
876 maskp = (au_mask_t *)data;
877 ap->ap_preselect_naflags = *maskp;
878 AUDIT_CHECK_IF_KEVENTS_MASK(ap->ap_preselect_naflags);
879 AUDIT_PIPE_UNLOCK(ap);
880 error = 0;
881 break;
882
883 case AUDITPIPE_GET_PRESELECT_AUID:
884 aip = (struct auditpipe_ioctl_preselect *)data;
885 error = audit_pipe_preselect_get(ap, auid: aip->aip_auid,
886 maskp: &aip->aip_mask);
887 break;
888
889 case AUDITPIPE_SET_PRESELECT_AUID:
890 aip = (struct auditpipe_ioctl_preselect *)data;
891 audit_pipe_preselect_set(ap, auid: aip->aip_auid, mask: aip->aip_mask);
892 error = 0;
893 break;
894
895 case AUDITPIPE_DELETE_PRESELECT_AUID:
896 auid = *(au_id_t *)data;
897 error = audit_pipe_preselect_delete(ap, auid);
898 break;
899
900 case AUDITPIPE_FLUSH_PRESELECT_AUID:
901 audit_pipe_preselect_flush(ap);
902 error = 0;
903 break;
904
905 case AUDITPIPE_GET_PRESELECT_MODE:
906 AUDIT_PIPE_LOCK(ap);
907 *(int *)data = ap->ap_preselect_mode;
908 AUDIT_PIPE_UNLOCK(ap);
909 error = 0;
910 break;
911
912 case AUDITPIPE_SET_PRESELECT_MODE:
913 mode = *(int *)data;
914 switch (mode) {
915 case AUDITPIPE_PRESELECT_MODE_TRAIL:
916 case AUDITPIPE_PRESELECT_MODE_LOCAL:
917 AUDIT_PIPE_LOCK(ap);
918 ap->ap_preselect_mode = mode;
919 AUDIT_PIPE_UNLOCK(ap);
920 error = 0;
921 break;
922
923 default:
924 error = EINVAL;
925 }
926 break;
927
928 case AUDITPIPE_FLUSH:
929 if (AUDIT_PIPE_SX_XLOCK_SIG(ap) != 0) {
930 return EINTR;
931 }
932 AUDIT_PIPE_LOCK(ap);
933 audit_pipe_flush(ap);
934 AUDIT_PIPE_UNLOCK(ap);
935 AUDIT_PIPE_SX_XUNLOCK(ap);
936 error = 0;
937 break;
938
939 case AUDITPIPE_GET_MAXAUDITDATA:
940 *(u_int *)data = MAXAUDITDATA;
941 error = 0;
942 break;
943
944 case AUDITPIPE_GET_INSERTS:
945 *(u_int *)data = ap->ap_inserts;
946 error = 0;
947 break;
948
949 case AUDITPIPE_GET_READS:
950 *(u_int *)data = ap->ap_reads;
951 error = 0;
952 break;
953
954 case AUDITPIPE_GET_DROPS:
955 *(u_int *)data = ap->ap_drops;
956 error = 0;
957 break;
958
959 case AUDITPIPE_GET_TRUNCATES:
960 *(u_int *)data = 0;
961 error = 0;
962 break;
963
964 default:
965 error = ENOTTY;
966 }
967 return error;
968}
969
970/*
971 * Audit pipe read. Read one or more partial or complete records to user
972 * memory.
973 */
974static int
975audit_pipe_read(dev_t dev, struct uio *uio, __unused int flag)
976{
977 struct audit_pipe_entry *ape;
978 struct audit_pipe *ap;
979 u_int toread;
980 int error;
981
982 ap = audit_pipe_dtab[minor(dev)];
983 KASSERT(ap != NULL, ("audit_pipe_read: ap == NULL"));
984
985 /*
986 * We hold an sleep lock over read and flush because we rely on the
987 * stability of a record in the queue during uiomove(9).
988 */
989 if (AUDIT_PIPE_SX_XLOCK_SIG(ap) != 0) {
990 return EINTR;
991 }
992 AUDIT_PIPE_LOCK(ap);
993 while (TAILQ_EMPTY(&ap->ap_queue)) {
994 if (ap->ap_flags & AUDIT_PIPE_NBIO) {
995 AUDIT_PIPE_UNLOCK(ap);
996 AUDIT_PIPE_SX_XUNLOCK(ap);
997 return EAGAIN;
998 }
999 error = cv_wait_sig(&ap->ap_cv, AUDIT_PIPE_MTX(ap));
1000 if (error) {
1001 AUDIT_PIPE_UNLOCK(ap);
1002 AUDIT_PIPE_SX_XUNLOCK(ap);
1003 return error;
1004 }
1005 }
1006
1007 /*
1008 * Copy as many remaining bytes from the current record to userspace
1009 * as we can. Keep processing records until we run out of records in
1010 * the queue, or until the user buffer runs out of space.
1011 *
1012 * Note: we rely on the sleep lock to maintain ape's stability here.
1013 */
1014 ap->ap_reads++;
1015 while ((ape = TAILQ_FIRST(&ap->ap_queue)) != NULL &&
1016 uio_resid(a_uio: uio) > 0) {
1017 AUDIT_PIPE_LOCK_ASSERT(ap);
1018
1019 KASSERT(ape->ape_record_len > ap->ap_qoffset,
1020 ("audit_pipe_read: record_len > qoffset (1)"));
1021 toread = MIN((int)(ape->ape_record_len - ap->ap_qoffset),
1022 uio_resid(uio));
1023 AUDIT_PIPE_UNLOCK(ap);
1024 error = uiomove(cp: (char *)ape->ape_record + ap->ap_qoffset,
1025 n: toread, uio);
1026 if (error) {
1027 AUDIT_PIPE_SX_XUNLOCK(ap);
1028 return error;
1029 }
1030
1031 /*
1032 * If the copy succeeded, update book-keeping, and if no
1033 * bytes remain in the current record, free it.
1034 */
1035 AUDIT_PIPE_LOCK(ap);
1036 KASSERT(TAILQ_FIRST(&ap->ap_queue) == ape,
1037 ("audit_pipe_read: queue out of sync after uiomove"));
1038 ap->ap_qoffset += toread;
1039 KASSERT(ape->ape_record_len >= ap->ap_qoffset,
1040 ("audit_pipe_read: record_len >= qoffset (2)"));
1041 if (ap->ap_qoffset == ape->ape_record_len) {
1042 TAILQ_REMOVE(&ap->ap_queue, ape, ape_queue);
1043 ap->ap_qbyteslen -= ape->ape_record_len;
1044 audit_pipe_entry_free(ape);
1045 ap->ap_qlen--;
1046 ap->ap_qoffset = 0;
1047 }
1048 }
1049 AUDIT_PIPE_UNLOCK(ap);
1050 AUDIT_PIPE_SX_XUNLOCK(ap);
1051 return 0;
1052}
1053
1054/*
1055 * Audit pipe poll.
1056 */
1057static int
1058audit_pipe_poll(dev_t dev, int events, void *wql, struct proc *p)
1059{
1060 struct audit_pipe *ap;
1061 int revents;
1062
1063 revents = 0;
1064 ap = audit_pipe_dtab[minor(dev)];
1065 KASSERT(ap != NULL, ("audit_pipe_poll: ap == NULL"));
1066
1067 if (events & (POLLIN | POLLRDNORM)) {
1068 AUDIT_PIPE_LOCK(ap);
1069 if (TAILQ_FIRST(&ap->ap_queue) != NULL) {
1070 revents |= events & (POLLIN | POLLRDNORM);
1071 } else {
1072 selrecord(selector: p, &ap->ap_selinfo, wql);
1073 }
1074 AUDIT_PIPE_UNLOCK(ap);
1075 }
1076 return revents;
1077}
1078
1079static void *devnode;
1080
1081int
1082audit_pipe_init(void)
1083{
1084 dev_t dev;
1085
1086 TAILQ_INIT(&audit_pipe_list);
1087 AUDIT_PIPE_LIST_LOCK_INIT();
1088
1089 audit_pipe_major = cdevsw_add(-1, &audit_pipe_cdevsw);
1090 if (audit_pipe_major < 0) {
1091 return KERN_FAILURE;
1092 }
1093
1094 dev = makedev(audit_pipe_major, 0);
1095 devnode = devfs_make_node_clone(dev, DEVFS_CHAR, UID_ROOT, GID_WHEEL,
1096 perms: 0600, clone: audit_pipe_clone, fmt: "auditpipe");
1097
1098 if (devnode == NULL) {
1099 return KERN_FAILURE;
1100 }
1101
1102 return KERN_SUCCESS;
1103}
1104
1105int
1106audit_pipe_shutdown(void)
1107{
1108 /* unwind everything */
1109 devfs_remove(handle: devnode);
1110 (void) cdevsw_remove(audit_pipe_major, &audit_pipe_cdevsw);
1111
1112 return KERN_SUCCESS;
1113}
1114
1115#endif /* CONFIG_AUDIT */
1116