1/*- 2 * Copyright (c) 2006 Robert N. M. Watson 3 * Copyright (c) 2008-2009 Apple, Inc. 4 * All rights reserved. 5 * 6 * This software was developed by Robert Watson for the TrustedBSD Project. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 27 * SUCH DAMAGE. 28 */ 29 30#include <stdarg.h> 31#include <sys/param.h> 32#include <sys/systm.h> 33#include <sys/kernel.h> 34#include <sys/fcntl.h> 35#include <sys/conf.h> 36#include <sys/poll.h> 37#include <sys/user.h> 38#include <sys/signalvar.h> 39#include <miscfs/devfs/devfs.h> 40 41#include <bsm/audit.h> 42#include <security/audit/audit.h> 43#include <security/audit/audit_ioctl.h> 44#include <security/audit/audit_bsd.h> 45#include <security/audit/audit_private.h> 46 47#if CONFIG_AUDIT 48/* 49 * Implementation of a clonable special device providing a live stream of BSM 50 * audit data. Consumers receive a "tee" of the system audit trail by 51 * default, but may also define alternative event selections using ioctls. 52 * This interface provides unreliable but timely access to audit events. 53 * Consumers should be very careful to avoid introducing event cycles. 54 */ 55 56/* 57 * Memory types. 58 */ 59static MALLOC_DEFINE(M_AUDIT_PIPE, "audit_pipe", "Audit pipes"); 60static MALLOC_DEFINE(M_AUDIT_PIPE_ENTRY, "audit_pipeent", 61 "Audit pipe entries and buffers"); 62static MALLOC_DEFINE(M_AUDIT_PIPE_PRESELECT, "audit_pipe_presel", 63 "Audit pipe preselection structure"); 64 65/* 66 * Audit pipe buffer parameters. 67 */ 68#define AUDIT_PIPE_QLIMIT_DEFAULT (128) 69#define AUDIT_PIPE_QLIMIT_MIN (1) 70#define AUDIT_PIPE_QLIMIT_MAX (1024) 71 72/* 73 * Description of an entry in an audit_pipe. 74 */ 75struct audit_pipe_entry { 76 void *ape_record; 77 u_int ape_record_len; 78 TAILQ_ENTRY(audit_pipe_entry) ape_queue; 79}; 80 81/* 82 * Audit pipes allow processes to express "interest" in the set of records 83 * that are delivered via the pipe. They do this in a similar manner to the 84 * mechanism for audit trail configuration, by expressing two global masks, 85 * and optionally expressing per-auid masks. The following data structure is 86 * the per-auid mask description. The global state is stored in the audit 87 * pipe data structure. 88 * 89 * We may want to consider a more space/time-efficient data structure once 90 * usage patterns for per-auid specifications are clear. 91 */ 92struct audit_pipe_preselect { 93 au_id_t app_auid; 94 au_mask_t app_mask; 95 TAILQ_ENTRY(audit_pipe_preselect) app_list; 96}; 97 98/* 99 * Description of an individual audit_pipe. Consists largely of a bounded 100 * length queue. 101 */ 102#define AUDIT_PIPE_ASYNC 0x00000001 103#define AUDIT_PIPE_NBIO 0x00000002 104struct audit_pipe { 105 int ap_open; /* Device open? */ 106 u_int ap_flags; 107 108 struct selinfo ap_selinfo; 109 pid_t ap_sigio; 110 111 /* 112 * Per-pipe mutex protecting most fields in this data structure. 113 */ 114 struct mtx ap_mtx; 115 116 /* 117 * Per-pipe sleep lock serializing user-generated reads and flushes. 118 * uiomove() is called to copy out the current head record's data 119 * while the record remains in the queue, so we prevent other threads 120 * from removing it using this lock. 121 */ 122 struct slck ap_sx; 123 124 /* 125 * Condition variable to signal when data has been delivered to a 126 * pipe. 127 */ 128 struct cv ap_cv; 129 130 /* 131 * Various queue-related variables: qlen and qlimit are a count of 132 * records in the queue; qbyteslen is the number of bytes of data 133 * across all records, and qoffset is the amount read so far of the 134 * first record in the queue. The number of bytes available for 135 * reading in the queue is qbyteslen - qoffset. 136 */ 137 u_int ap_qlen; 138 u_int ap_qlimit; 139 u_int ap_qbyteslen; 140 u_int ap_qoffset; 141 142 /* 143 * Per-pipe operation statistics. 144 */ 145 u_int64_t ap_inserts; /* Records added. */ 146 u_int64_t ap_reads; /* Records read. */ 147 u_int64_t ap_drops; /* Records dropped. */ 148 149 /* 150 * Fields relating to pipe interest: global masks for unmatched 151 * processes (attributable, non-attributable), and a list of specific 152 * interest specifications by auid. 153 */ 154 int ap_preselect_mode; 155 au_mask_t ap_preselect_flags; 156 au_mask_t ap_preselect_naflags; 157 TAILQ_HEAD(, audit_pipe_preselect) ap_preselect_list; 158 159 /* 160 * Current pending record list. Protected by a combination of ap_mtx 161 * and ap_sx. Note particularly that *both* locks are required to 162 * remove a record from the head of the queue, as an in-progress read 163 * may sleep while copying and therefore cannot hold ap_mtx. 164 */ 165 TAILQ_HEAD(, audit_pipe_entry) ap_queue; 166 167 /* 168 * Global pipe list. 169 */ 170 TAILQ_ENTRY(audit_pipe) ap_list; 171}; 172 173#define AUDIT_PIPE_LOCK(ap) mtx_lock(&(ap)->ap_mtx) 174#define AUDIT_PIPE_LOCK_ASSERT(ap) mtx_assert(&(ap)->ap_mtx, MA_OWNED) 175#define AUDIT_PIPE_LOCK_DESTROY(ap) mtx_destroy(&(ap)->ap_mtx) 176#define AUDIT_PIPE_LOCK_INIT(ap) mtx_init(&(ap)->ap_mtx, \ 177 "audit_pipe_mtx", NULL, MTX_DEF) 178#define AUDIT_PIPE_UNLOCK(ap) mtx_unlock(&(ap)->ap_mtx) 179#define AUDIT_PIPE_MTX(ap) (&(ap)->ap_mtx) 180 181#define AUDIT_PIPE_SX_LOCK_DESTROY(ap) slck_destroy(&(ap)->ap_sx) 182#define AUDIT_PIPE_SX_LOCK_INIT(ap) slck_init(&(ap)->ap_sx, "audit_pipe_sx") 183#define AUDIT_PIPE_SX_XLOCK_ASSERT(ap) slck_assert(&(ap)->ap_sx, SA_XLOCKED) 184#define AUDIT_PIPE_SX_XLOCK_SIG(ap) slck_lock_sig(&(ap)->ap_sx) 185#define AUDIT_PIPE_SX_XUNLOCK(ap) slck_unlock(&(ap)->ap_sx) 186 187 188/* 189 * Global list of audit pipes, rwlock to protect it. Individual record 190 * queues on pipes are protected by per-pipe locks; these locks synchronize 191 * between threads walking the list to deliver to individual pipes and add/ 192 * remove of pipes, and are mostly acquired for read. 193 */ 194static TAILQ_HEAD(, audit_pipe) audit_pipe_list; 195static struct rwlock audit_pipe_lock; 196 197#define AUDIT_PIPE_LIST_LOCK_INIT() rw_init(&audit_pipe_lock, \ 198 "audit_pipe_list_lock") 199#define AUDIT_PIPE_LIST_RLOCK() rw_rlock(&audit_pipe_lock) 200#define AUDIT_PIPE_LIST_RUNLOCK() rw_runlock(&audit_pipe_lock) 201#define AUDIT_PIPE_LIST_WLOCK() rw_wlock(&audit_pipe_lock) 202#define AUDIT_PIPE_LIST_WLOCK_ASSERT() rw_assert(&audit_pipe_lock, \ 203 RA_WLOCKED) 204#define AUDIT_PIPE_LIST_WUNLOCK() rw_wunlock(&audit_pipe_lock) 205 206/* 207 * Cloning related variables and constants. 208 */ 209#define AUDIT_PIPE_NAME "auditpipe" 210#define MAX_AUDIT_PIPES 32 211static int audit_pipe_major; 212 213/* 214 * dev_t doesn't have a pointer for "softc" data. So we have to keep track of 215 * it with the following global array (indexed by the minor number). 216 * 217 * XXX We may want to dynamically grow this as needed. 218 */ 219static struct audit_pipe *audit_pipe_dtab[MAX_AUDIT_PIPES]; 220 221 222/* 223 * Special device methods and definition. 224 */ 225static open_close_fcn_t audit_pipe_open; 226static open_close_fcn_t audit_pipe_close; 227static read_write_fcn_t audit_pipe_read; 228static ioctl_fcn_t audit_pipe_ioctl; 229static select_fcn_t audit_pipe_poll; 230 231static struct cdevsw audit_pipe_cdevsw = { 232 .d_open = audit_pipe_open, 233 .d_close = audit_pipe_close, 234 .d_read = audit_pipe_read, 235 .d_write = eno_rdwrt, 236 .d_ioctl = audit_pipe_ioctl, 237 .d_stop = eno_stop, 238 .d_reset = eno_reset, 239 .d_ttys = NULL, 240 .d_select = audit_pipe_poll, 241 .d_mmap = eno_mmap, 242 .d_strategy = eno_strat, 243 .d_type = 0 244}; 245 246/* 247 * Some global statistics on audit pipes. 248 */ 249static int audit_pipe_count; /* Current number of pipes. */ 250static u_int64_t audit_pipe_ever; /* Pipes ever allocated. */ 251static u_int64_t audit_pipe_records; /* Records seen. */ 252static u_int64_t audit_pipe_drops; /* Global record drop count. */ 253 254/* 255 * Free an audit pipe entry. 256 */ 257static void 258audit_pipe_entry_free(struct audit_pipe_entry *ape) 259{ 260 261 free(ape->ape_record, M_AUDIT_PIPE_ENTRY); 262 free(ape, M_AUDIT_PIPE_ENTRY); 263} 264 265/* 266 * Find an audit pipe preselection specification for an auid, if any. 267 */ 268static struct audit_pipe_preselect * 269audit_pipe_preselect_find(struct audit_pipe *ap, au_id_t auid) 270{ 271 struct audit_pipe_preselect *app; 272 273 AUDIT_PIPE_LOCK_ASSERT(ap); 274 275 TAILQ_FOREACH(app, &ap->ap_preselect_list, app_list) { 276 if (app->app_auid == auid) 277 return (app); 278 } 279 return (NULL); 280} 281 282/* 283 * Query the per-pipe mask for a specific auid. 284 */ 285static int 286audit_pipe_preselect_get(struct audit_pipe *ap, au_id_t auid, 287 au_mask_t *maskp) 288{ 289 struct audit_pipe_preselect *app; 290 int error; 291 292 AUDIT_PIPE_LOCK(ap); 293 app = audit_pipe_preselect_find(ap, auid); 294 if (app != NULL) { 295 *maskp = app->app_mask; 296 error = 0; 297 } else 298 error = ENOENT; 299 AUDIT_PIPE_UNLOCK(ap); 300 return (error); 301} 302 303/* 304 * Set the per-pipe mask for a specific auid. Add a new entry if needed; 305 * otherwise, update the current entry. 306 */ 307static void 308audit_pipe_preselect_set(struct audit_pipe *ap, au_id_t auid, au_mask_t mask) 309{ 310 struct audit_pipe_preselect *app, *app_new; 311 312 /* 313 * Pessimistically assume that the auid doesn't already have a mask 314 * set, and allocate. We will free it if it is unneeded. 315 */ 316 app_new = malloc(sizeof(*app_new), M_AUDIT_PIPE_PRESELECT, M_WAITOK); 317 AUDIT_PIPE_LOCK(ap); 318 app = audit_pipe_preselect_find(ap, auid); 319 if (app == NULL) { 320 app = app_new; 321 app_new = NULL; 322 app->app_auid = auid; 323 TAILQ_INSERT_TAIL(&ap->ap_preselect_list, app, app_list); 324 } 325 app->app_mask = mask; 326 AUDIT_PIPE_UNLOCK(ap); 327 if (app_new != NULL) 328 free(app_new, M_AUDIT_PIPE_PRESELECT); 329} 330 331/* 332 * Delete a per-auid mask on an audit pipe. 333 */ 334static int 335audit_pipe_preselect_delete(struct audit_pipe *ap, au_id_t auid) 336{ 337 struct audit_pipe_preselect *app; 338 int error; 339 340 AUDIT_PIPE_LOCK(ap); 341 app = audit_pipe_preselect_find(ap, auid); 342 if (app != NULL) { 343 TAILQ_REMOVE(&ap->ap_preselect_list, app, app_list); 344 error = 0; 345 } else 346 error = ENOENT; 347 AUDIT_PIPE_UNLOCK(ap); 348 if (app != NULL) 349 free(app, M_AUDIT_PIPE_PRESELECT); 350 return (error); 351} 352 353/* 354 * Delete all per-auid masks on an audit pipe. 355 */ 356static void 357audit_pipe_preselect_flush_locked(struct audit_pipe *ap) 358{ 359 struct audit_pipe_preselect *app; 360 361 AUDIT_PIPE_LOCK_ASSERT(ap); 362 363 while ((app = TAILQ_FIRST(&ap->ap_preselect_list)) != NULL) { 364 TAILQ_REMOVE(&ap->ap_preselect_list, app, app_list); 365 free(app, M_AUDIT_PIPE_PRESELECT); 366 } 367} 368 369static void 370audit_pipe_preselect_flush(struct audit_pipe *ap) 371{ 372 373 AUDIT_PIPE_LOCK(ap); 374 audit_pipe_preselect_flush_locked(ap); 375 AUDIT_PIPE_UNLOCK(ap); 376} 377 378/*- 379 * Determine whether a specific audit pipe matches a record with these 380 * properties. Algorithm is as follows: 381 * 382 * - If the pipe is configured to track the default trail configuration, then 383 * use the results of global preselection matching. 384 * - If not, search for a specifically configured auid entry matching the 385 * event. If an entry is found, use that. 386 * - Otherwise, use the default flags or naflags configured for the pipe. 387 */ 388static int 389audit_pipe_preselect_check(struct audit_pipe *ap, au_id_t auid, 390 au_event_t event, au_class_t class, int sorf, int trail_preselect) 391{ 392 struct audit_pipe_preselect *app; 393 394 AUDIT_PIPE_LOCK_ASSERT(ap); 395 396 switch (ap->ap_preselect_mode) { 397 case AUDITPIPE_PRESELECT_MODE_TRAIL: 398 return (trail_preselect); 399 400 case AUDITPIPE_PRESELECT_MODE_LOCAL: 401 app = audit_pipe_preselect_find(ap, auid); 402 if (app == NULL) { 403 if (auid == (uid_t)AU_DEFAUDITID) 404 return (au_preselect(event, class, 405 &ap->ap_preselect_naflags, sorf)); 406 else 407 return (au_preselect(event, class, 408 &ap->ap_preselect_flags, sorf)); 409 } else 410 return (au_preselect(event, class, &app->app_mask, 411 sorf)); 412 413 default: 414 panic("audit_pipe_preselect_check: mode %d", 415 ap->ap_preselect_mode); 416 } 417 418 return (0); 419} 420 421/* 422 * Determine whether there exists a pipe interested in a record with specific 423 * properties. 424 */ 425int 426audit_pipe_preselect(au_id_t auid, au_event_t event, au_class_t class, 427 int sorf, int trail_preselect) 428{ 429 struct audit_pipe *ap; 430 431 /* Lockless read to avoid acquiring the global lock if not needed. */ 432 if (TAILQ_EMPTY(&audit_pipe_list)) 433 return (0); 434 435 AUDIT_PIPE_LIST_RLOCK(); 436 TAILQ_FOREACH(ap, &audit_pipe_list, ap_list) { 437 AUDIT_PIPE_LOCK(ap); 438 if (audit_pipe_preselect_check(ap, auid, event, class, sorf, 439 trail_preselect)) { 440 AUDIT_PIPE_UNLOCK(ap); 441 AUDIT_PIPE_LIST_RUNLOCK(); 442 return (1); 443 } 444 AUDIT_PIPE_UNLOCK(ap); 445 } 446 AUDIT_PIPE_LIST_RUNLOCK(); 447 return (0); 448} 449 450/* 451 * Append individual record to a queue -- allocate queue-local buffer, and 452 * add to the queue. If the queue is full or we can't allocate memory, drop 453 * the newest record. 454 */ 455static void 456audit_pipe_append(struct audit_pipe *ap, void *record, u_int record_len) 457{ 458 struct audit_pipe_entry *ape; 459 460 AUDIT_PIPE_LOCK_ASSERT(ap); 461 462 if (ap->ap_qlen >= ap->ap_qlimit) { 463 ap->ap_drops++; 464 audit_pipe_drops++; 465 return; 466 } 467 468 ape = malloc(sizeof(*ape), M_AUDIT_PIPE_ENTRY, M_NOWAIT | M_ZERO); 469 if (ape == NULL) { 470 ap->ap_drops++; 471 audit_pipe_drops++; 472 return; 473 } 474 475 ape->ape_record = malloc(record_len, M_AUDIT_PIPE_ENTRY, M_NOWAIT); 476 if (ape->ape_record == NULL) { 477 free(ape, M_AUDIT_PIPE_ENTRY); 478 ap->ap_drops++; 479 audit_pipe_drops++; 480 return; 481 } 482 483 bcopy(record, ape->ape_record, record_len); 484 ape->ape_record_len = record_len; 485 486 TAILQ_INSERT_TAIL(&ap->ap_queue, ape, ape_queue); 487 ap->ap_inserts++; 488 ap->ap_qlen++; 489 ap->ap_qbyteslen += ape->ape_record_len; 490 selwakeup(&ap->ap_selinfo); 491 if (ap->ap_flags & AUDIT_PIPE_ASYNC) 492 pgsigio(ap->ap_sigio, SIGIO); 493#if 0 /* XXX - fix select */ 494 selwakeuppri(&ap->ap_selinfo, PSOCK); 495 KNOTE_LOCKED(&ap->ap_selinfo.si_note, 0); 496 if (ap->ap_flags & AUDIT_PIPE_ASYNC) 497 pgsigio(&ap->ap_sigio, SIGIO, 0); 498#endif 499 cv_broadcast(&ap->ap_cv); 500} 501 502/* 503 * audit_pipe_submit(): audit_worker submits audit records via this 504 * interface, which arranges for them to be delivered to pipe queues. 505 */ 506void 507audit_pipe_submit(au_id_t auid, au_event_t event, au_class_t class, int sorf, 508 int trail_select, void *record, u_int record_len) 509{ 510 struct audit_pipe *ap; 511 512 /* 513 * Lockless read to avoid lock overhead if pipes are not in use. 514 */ 515 if (TAILQ_FIRST(&audit_pipe_list) == NULL) 516 return; 517 518 AUDIT_PIPE_LIST_RLOCK(); 519 TAILQ_FOREACH(ap, &audit_pipe_list, ap_list) { 520 AUDIT_PIPE_LOCK(ap); 521 if (audit_pipe_preselect_check(ap, auid, event, class, sorf, 522 trail_select)) 523 audit_pipe_append(ap, record, record_len); 524 AUDIT_PIPE_UNLOCK(ap); 525 } 526 AUDIT_PIPE_LIST_RUNLOCK(); 527 528 /* Unlocked increment. */ 529 audit_pipe_records++; 530} 531 532/* 533 * audit_pipe_submit_user(): the same as audit_pipe_submit(), except that 534 * since we don't currently have selection information available, it is 535 * delivered to the pipe unconditionally. 536 * 537 * XXXRW: This is a bug. The BSM check routine for submitting a user record 538 * should parse that information and return it. 539 */ 540void 541audit_pipe_submit_user(void *record, u_int record_len) 542{ 543 struct audit_pipe *ap; 544 545 /* 546 * Lockless read to avoid lock overhead if pipes are not in use. 547 */ 548 if (TAILQ_FIRST(&audit_pipe_list) == NULL) 549 return; 550 551 AUDIT_PIPE_LIST_RLOCK(); 552 TAILQ_FOREACH(ap, &audit_pipe_list, ap_list) { 553 AUDIT_PIPE_LOCK(ap); 554 audit_pipe_append(ap, record, record_len); 555 AUDIT_PIPE_UNLOCK(ap); 556 } 557 AUDIT_PIPE_LIST_RUNLOCK(); 558 559 /* Unlocked increment. */ 560 audit_pipe_records++; 561} 562 563/* 564 * Allocate a new audit pipe. Connects the pipe, on success, to the global 565 * list and updates statistics. 566 */ 567static struct audit_pipe * 568audit_pipe_alloc(void) 569{ 570 struct audit_pipe *ap; 571 572 AUDIT_PIPE_LIST_WLOCK_ASSERT(); 573 574 ap = malloc(sizeof(*ap), M_AUDIT_PIPE, M_WAITOK | M_ZERO); 575 if (ap == NULL) 576 return (NULL); 577 578 ap->ap_qlimit = AUDIT_PIPE_QLIMIT_DEFAULT; 579 TAILQ_INIT(&ap->ap_queue); 580#ifndef __APPLE__ 581 knlist_init(&ap->ap_selinfo.si_note, AUDIT_PIPE_MTX(ap), NULL, NULL, 582 NULL); 583#endif 584 AUDIT_PIPE_LOCK_INIT(ap); 585 AUDIT_PIPE_SX_LOCK_INIT(ap); 586 cv_init(&ap->ap_cv, "audit_pipe"); 587 588 /* 589 * Default flags, naflags, and auid-specific preselection settings to 590 * 0. Initialize the mode to the global trail so that if praudit(1) 591 * is run on /dev/auditpipe, it sees events associated with the 592 * default trail. Pipe-aware application can clear the flag, set 593 * custom masks, and flush the pipe as needed. 594 */ 595 bzero(&ap->ap_preselect_flags, sizeof(ap->ap_preselect_flags)); 596 bzero(&ap->ap_preselect_naflags, sizeof(ap->ap_preselect_naflags)); 597 TAILQ_INIT(&ap->ap_preselect_list); 598 ap->ap_preselect_mode = AUDITPIPE_PRESELECT_MODE_TRAIL; 599 600 /* 601 * Add to global list and update global statistics. 602 */ 603 TAILQ_INSERT_HEAD(&audit_pipe_list, ap, ap_list); 604 audit_pipe_count++; 605 audit_pipe_ever++; 606 607 return (ap); 608} 609 610/* 611 * Flush all records currently present in an audit pipe; assume mutex is held. 612 */ 613static void 614audit_pipe_flush(struct audit_pipe *ap) 615{ 616 struct audit_pipe_entry *ape; 617 618 AUDIT_PIPE_LOCK_ASSERT(ap); 619 620 while ((ape = TAILQ_FIRST(&ap->ap_queue)) != NULL) { 621 TAILQ_REMOVE(&ap->ap_queue, ape, ape_queue); 622 ap->ap_qbyteslen -= ape->ape_record_len; 623 audit_pipe_entry_free(ape); 624 ap->ap_qlen--; 625 } 626 ap->ap_qoffset = 0; 627 628 KASSERT(ap->ap_qlen == 0, ("audit_pipe_free: ap_qbyteslen")); 629 KASSERT(ap->ap_qbyteslen == 0, ("audit_pipe_flush: ap_qbyteslen")); 630} 631 632/* 633 * Free an audit pipe; this means freeing all preselection state and all 634 * records in the pipe. Assumes global write lock and pipe mutex are held to 635 * revent any new records from being inserted during the free, and that the 636 * audit pipe is still on the global list. 637 */ 638static void 639audit_pipe_free(struct audit_pipe *ap) 640{ 641 642 AUDIT_PIPE_LIST_WLOCK_ASSERT(); 643 AUDIT_PIPE_LOCK_ASSERT(ap); 644 645 audit_pipe_preselect_flush_locked(ap); 646 audit_pipe_flush(ap); 647 cv_destroy(&ap->ap_cv); 648 AUDIT_PIPE_SX_LOCK_DESTROY(ap); 649 AUDIT_PIPE_LOCK_DESTROY(ap); 650#ifndef __APPLE__ 651 knlist_destroy(&ap->ap_selinfo.si_note); 652#endif 653 TAILQ_REMOVE(&audit_pipe_list, ap, ap_list); 654 free(ap, M_AUDIT_PIPE); 655 audit_pipe_count--; 656} 657 658/* 659 * Audit pipe clone routine -- provides a new minor number, or to return (-1), 660 * if one can't be provided. Called with DEVFS_LOCK held. 661 */ 662static int 663audit_pipe_clone(__unused dev_t dev, int action) 664{ 665 int i; 666 667 if (action == DEVFS_CLONE_ALLOC) { 668 for(i = 0; i < MAX_AUDIT_PIPES; i++) 669 if (audit_pipe_dtab[i] == NULL) 670 return (i); 671 672 /* 673 * XXX Should really return -1 here but that seems to hang 674 * things in devfs. Instead return 0 and let _open() tell 675 * userland the bad news. 676 */ 677 return (0); 678 } 679 680 return (-1); 681} 682 683/* 684 * Audit pipe open method. Explicit privilege check isn't used as this 685 * allows file permissions on the special device to be used to grant audit 686 * review access. Those file permissions should be managed carefully. 687 */ 688static int 689audit_pipe_open(dev_t dev, __unused int flags, __unused int devtype, 690 __unused proc_t p) 691{ 692 struct audit_pipe *ap; 693 int u; 694 695 u = minor(dev); 696 if (u < 0 || u > MAX_AUDIT_PIPES) 697 return (ENXIO); 698 699 AUDIT_PIPE_LIST_WLOCK(); 700 ap = audit_pipe_dtab[u]; 701 if (ap == NULL) { 702 ap = audit_pipe_alloc(); 703 if (ap == NULL) { 704 AUDIT_PIPE_LIST_WUNLOCK(); 705 return (ENOMEM); 706 } 707 audit_pipe_dtab[u] = ap; 708 } else { 709 KASSERT(ap->ap_open, ("audit_pipe_open: ap && !ap_open")); 710 AUDIT_PIPE_LIST_WUNLOCK(); 711 return (EBUSY); 712 } 713 ap->ap_open = 1; 714 AUDIT_PIPE_LIST_WUNLOCK(); 715#ifndef __APPLE__ 716 fsetown(td->td_proc->p_pid, &ap->ap_sigio); 717#endif 718 return (0); 719} 720 721/* 722 * Close audit pipe, tear down all records, etc. 723 */ 724static int 725audit_pipe_close(dev_t dev, __unused int flags, __unused int devtype, 726 __unused proc_t p) 727{ 728 struct audit_pipe *ap; 729 int u; 730 731 u = minor(dev); 732 ap = audit_pipe_dtab[u]; 733 KASSERT(ap != NULL, ("audit_pipe_close: ap == NULL")); 734 KASSERT(ap->ap_open, ("audit_pipe_close: !ap_open")); 735 736#ifndef __APPLE__ 737 funsetown(&ap->ap_sigio); 738#endif 739 AUDIT_PIPE_LIST_WLOCK(); 740 AUDIT_PIPE_LOCK(ap); 741 ap->ap_open = 0; 742 audit_pipe_free(ap); 743 audit_pipe_dtab[u] = NULL; 744 AUDIT_PIPE_LIST_WUNLOCK(); 745 return (0); 746} 747 748/* 749 * Audit pipe ioctl() routine. Handle file descriptor and audit pipe layer 750 * commands. 751 */ 752static int 753audit_pipe_ioctl(dev_t dev, u_long cmd, caddr_t data, 754 __unused int flag, __unused proc_t p) 755{ 756 struct auditpipe_ioctl_preselect *aip; 757 struct audit_pipe *ap; 758 au_mask_t *maskp; 759 int error, mode; 760 au_id_t auid; 761 762 ap = audit_pipe_dtab[minor(dev)]; 763 KASSERT(ap != NULL, ("audit_pipe_ioctl: ap == NULL")); 764 765 /* 766 * Audit pipe ioctls: first come standard device node ioctls, then 767 * manipulation of pipe settings, and finally, statistics query 768 * ioctls. 769 */ 770 switch (cmd) { 771 case FIONBIO: 772 AUDIT_PIPE_LOCK(ap); 773 if (*(int *)data) 774 ap->ap_flags |= AUDIT_PIPE_NBIO; 775 else 776 ap->ap_flags &= ~AUDIT_PIPE_NBIO; 777 AUDIT_PIPE_UNLOCK(ap); 778 error = 0; 779 break; 780 781 case FIONREAD: 782 AUDIT_PIPE_LOCK(ap); 783 *(int *)data = ap->ap_qbyteslen - ap->ap_qoffset; 784 AUDIT_PIPE_UNLOCK(ap); 785 error = 0; 786 break; 787 788 case FIOASYNC: 789 AUDIT_PIPE_LOCK(ap); 790 if (*(int *)data) 791 ap->ap_flags |= AUDIT_PIPE_ASYNC; 792 else 793 ap->ap_flags &= ~AUDIT_PIPE_ASYNC; 794 AUDIT_PIPE_UNLOCK(ap); 795 error = 0; 796 break; 797 798#ifndef __APPLE__ 799 case FIOSETOWN: 800 error = fsetown(*(int *)data, &ap->ap_sigio); 801 break; 802 803 case FIOGETOWN: 804 *(int *)data = fgetown(&ap->ap_sigio); 805 error = 0; 806 break; 807#endif /* !__APPLE__ */ 808 809 case AUDITPIPE_GET_QLEN: 810 *(u_int *)data = ap->ap_qlen; 811 error = 0; 812 break; 813 814 case AUDITPIPE_GET_QLIMIT: 815 *(u_int *)data = ap->ap_qlimit; 816 error = 0; 817 break; 818 819 case AUDITPIPE_SET_QLIMIT: 820 /* Lockless integer write. */ 821 if (*(u_int *)data >= AUDIT_PIPE_QLIMIT_MIN || 822 *(u_int *)data <= AUDIT_PIPE_QLIMIT_MAX) { 823 ap->ap_qlimit = *(u_int *)data; 824 error = 0; 825 } else 826 error = EINVAL; 827 break; 828 829 case AUDITPIPE_GET_QLIMIT_MIN: 830 *(u_int *)data = AUDIT_PIPE_QLIMIT_MIN; 831 error = 0; 832 break; 833 834 case AUDITPIPE_GET_QLIMIT_MAX: 835 *(u_int *)data = AUDIT_PIPE_QLIMIT_MAX; 836 error = 0; 837 break; 838 839 case AUDITPIPE_GET_PRESELECT_FLAGS: 840 AUDIT_PIPE_LOCK(ap); 841 maskp = (au_mask_t *)data; 842 *maskp = ap->ap_preselect_flags; 843 AUDIT_PIPE_UNLOCK(ap); 844 error = 0; 845 break; 846 847 case AUDITPIPE_SET_PRESELECT_FLAGS: 848 AUDIT_PIPE_LOCK(ap); 849 maskp = (au_mask_t *)data; 850 ap->ap_preselect_flags = *maskp; 851 AUDIT_CHECK_IF_KEVENTS_MASK(ap->ap_preselect_flags); 852 AUDIT_PIPE_UNLOCK(ap); 853 error = 0; 854 break; 855 856 case AUDITPIPE_GET_PRESELECT_NAFLAGS: 857 AUDIT_PIPE_LOCK(ap); 858 maskp = (au_mask_t *)data; 859 *maskp = ap->ap_preselect_naflags; 860 AUDIT_PIPE_UNLOCK(ap); 861 error = 0; 862 break; 863 864 case AUDITPIPE_SET_PRESELECT_NAFLAGS: 865 AUDIT_PIPE_LOCK(ap); 866 maskp = (au_mask_t *)data; 867 ap->ap_preselect_naflags = *maskp; 868 AUDIT_CHECK_IF_KEVENTS_MASK(ap->ap_preselect_naflags); 869 AUDIT_PIPE_UNLOCK(ap); 870 error = 0; 871 break; 872 873 case AUDITPIPE_GET_PRESELECT_AUID: 874 aip = (struct auditpipe_ioctl_preselect *)data; 875 error = audit_pipe_preselect_get(ap, aip->aip_auid, 876 &aip->aip_mask); 877 break; 878 879 case AUDITPIPE_SET_PRESELECT_AUID: 880 aip = (struct auditpipe_ioctl_preselect *)data; 881 audit_pipe_preselect_set(ap, aip->aip_auid, aip->aip_mask); 882 error = 0; 883 break; 884 885 case AUDITPIPE_DELETE_PRESELECT_AUID: 886 auid = *(au_id_t *)data; 887 error = audit_pipe_preselect_delete(ap, auid); 888 break; 889 890 case AUDITPIPE_FLUSH_PRESELECT_AUID: 891 audit_pipe_preselect_flush(ap); 892 error = 0; 893 break; 894 895 case AUDITPIPE_GET_PRESELECT_MODE: 896 AUDIT_PIPE_LOCK(ap); 897 *(int *)data = ap->ap_preselect_mode; 898 AUDIT_PIPE_UNLOCK(ap); 899 error = 0; 900 break; 901 902 case AUDITPIPE_SET_PRESELECT_MODE: 903 mode = *(int *)data; 904 switch (mode) { 905 case AUDITPIPE_PRESELECT_MODE_TRAIL: 906 case AUDITPIPE_PRESELECT_MODE_LOCAL: 907 AUDIT_PIPE_LOCK(ap); 908 ap->ap_preselect_mode = mode; 909 AUDIT_PIPE_UNLOCK(ap); 910 error = 0; 911 break; 912 913 default: 914 error = EINVAL; 915 } 916 break; 917 918 case AUDITPIPE_FLUSH: 919 if (AUDIT_PIPE_SX_XLOCK_SIG(ap) != 0) 920 return (EINTR); 921 AUDIT_PIPE_LOCK(ap); 922 audit_pipe_flush(ap); 923 AUDIT_PIPE_UNLOCK(ap); 924 AUDIT_PIPE_SX_XUNLOCK(ap); 925 error = 0; 926 break; 927 928 case AUDITPIPE_GET_MAXAUDITDATA: 929 *(u_int *)data = MAXAUDITDATA; 930 error = 0; 931 break; 932 933 case AUDITPIPE_GET_INSERTS: 934 *(u_int *)data = ap->ap_inserts; 935 error = 0; 936 break; 937 938 case AUDITPIPE_GET_READS: 939 *(u_int *)data = ap->ap_reads; 940 error = 0; 941 break; 942 943 case AUDITPIPE_GET_DROPS: 944 *(u_int *)data = ap->ap_drops; 945 error = 0; 946 break; 947 948 case AUDITPIPE_GET_TRUNCATES: 949 *(u_int *)data = 0; 950 error = 0; 951 break; 952 953 default: 954 error = ENOTTY; 955 } 956 return (error); 957} 958 959/* 960 * Audit pipe read. Read one or more partial or complete records to user 961 * memory. 962 */ 963static int 964audit_pipe_read(dev_t dev, struct uio *uio, __unused int flag) 965{ 966 struct audit_pipe_entry *ape; 967 struct audit_pipe *ap; 968 u_int toread; 969 int error; 970 971 ap = audit_pipe_dtab[minor(dev)]; 972 KASSERT(ap != NULL, ("audit_pipe_read: ap == NULL")); 973 974 /* 975 * We hold an sleep lock over read and flush because we rely on the 976 * stability of a record in the queue during uiomove(9). 977 */ 978 if (AUDIT_PIPE_SX_XLOCK_SIG(ap) != 0) 979 return (EINTR); 980 AUDIT_PIPE_LOCK(ap); 981 while (TAILQ_EMPTY(&ap->ap_queue)) { 982 if (ap->ap_flags & AUDIT_PIPE_NBIO) { 983 AUDIT_PIPE_UNLOCK(ap); 984 AUDIT_PIPE_SX_XUNLOCK(ap); 985 return (EAGAIN); 986 } 987 error = cv_wait_sig(&ap->ap_cv, AUDIT_PIPE_MTX(ap)); 988 if (error) { 989 AUDIT_PIPE_UNLOCK(ap); 990 AUDIT_PIPE_SX_XUNLOCK(ap); 991 return (error); 992 } 993 } 994 995 /* 996 * Copy as many remaining bytes from the current record to userspace 997 * as we can. Keep processing records until we run out of records in 998 * the queue, or until the user buffer runs out of space. 999 * 1000 * Note: we rely on the sleep lock to maintain ape's stability here. 1001 */ 1002 ap->ap_reads++; 1003 while ((ape = TAILQ_FIRST(&ap->ap_queue)) != NULL && 1004 uio_resid(uio) > 0) { 1005 AUDIT_PIPE_LOCK_ASSERT(ap); 1006 1007 KASSERT(ape->ape_record_len > ap->ap_qoffset, 1008 ("audit_pipe_read: record_len > qoffset (1)")); 1009 toread = MIN(ape->ape_record_len - ap->ap_qoffset, 1010 uio_resid(uio)); 1011 AUDIT_PIPE_UNLOCK(ap); 1012 error = uiomove((char *)ape->ape_record + ap->ap_qoffset, 1013 toread, uio); 1014 if (error) { 1015 AUDIT_PIPE_SX_XUNLOCK(ap); 1016 return (error); 1017 } 1018 1019 /* 1020 * If the copy succeeded, update book-keeping, and if no 1021 * bytes remain in the current record, free it. 1022 */ 1023 AUDIT_PIPE_LOCK(ap); 1024 KASSERT(TAILQ_FIRST(&ap->ap_queue) == ape, 1025 ("audit_pipe_read: queue out of sync after uiomove")); 1026 ap->ap_qoffset += toread; 1027 KASSERT(ape->ape_record_len >= ap->ap_qoffset, 1028 ("audit_pipe_read: record_len >= qoffset (2)")); 1029 if (ap->ap_qoffset == ape->ape_record_len) { 1030 TAILQ_REMOVE(&ap->ap_queue, ape, ape_queue); 1031 ap->ap_qbyteslen -= ape->ape_record_len; 1032 audit_pipe_entry_free(ape); 1033 ap->ap_qlen--; 1034 ap->ap_qoffset = 0; 1035 } 1036 } 1037 AUDIT_PIPE_UNLOCK(ap); 1038 AUDIT_PIPE_SX_XUNLOCK(ap); 1039 return (0); 1040} 1041 1042/* 1043 * Audit pipe poll. 1044 */ 1045static int 1046audit_pipe_poll(dev_t dev, int events, void *wql, struct proc *p) 1047{ 1048 struct audit_pipe *ap; 1049 int revents; 1050 1051 revents = 0; 1052 ap = audit_pipe_dtab[minor(dev)]; 1053 KASSERT(ap != NULL, ("audit_pipe_poll: ap == NULL")); 1054 1055 if (events & (POLLIN | POLLRDNORM)) { 1056 AUDIT_PIPE_LOCK(ap); 1057 if (TAILQ_FIRST(&ap->ap_queue) != NULL) 1058 revents |= events & (POLLIN | POLLRDNORM); 1059 else 1060 selrecord(p, &ap->ap_selinfo, wql); 1061 AUDIT_PIPE_UNLOCK(ap); 1062 } 1063 return (revents); 1064} 1065 1066#ifndef __APPLE__ 1067/* 1068 * Return true if there are records available for reading on the pipe. 1069 */ 1070static int 1071audit_pipe_kqread(struct knote *kn, long hint) 1072{ 1073 struct audit_pipe *ap; 1074 1075 ap = (struct audit_pipe *)kn->kn_hook; 1076 KASSERT(ap != NULL, ("audit_pipe_kqread: ap == NULL")); 1077 AUDIT_PIPE_LOCK_ASSERT(ap); 1078 1079 if (ap->ap_qlen != 0) { 1080 kn->kn_data = ap->ap_qbyteslen - ap->ap_qoffset; 1081 return (1); 1082 } else { 1083 kn->kn_data = 0; 1084 return (0); 1085 } 1086} 1087 1088/* 1089 * Detach kqueue state from audit pipe. 1090 */ 1091static void 1092audit_pipe_kqdetach(struct knote *kn) 1093{ 1094 struct audit_pipe *ap; 1095 1096 ap = (struct audit_pipe *)kn->kn_hook; 1097 KASSERT(ap != NULL, ("audit_pipe_kqdetach: ap == NULL")); 1098 1099 AUDIT_PIPE_LOCK(ap); 1100 knlist_remove(&ap->ap_selinfo.si_note, kn, 1); 1101 AUDIT_PIPE_UNLOCK(ap); 1102} 1103#endif /* !__APPLE__ */ 1104 1105static void *devnode; 1106 1107int 1108audit_pipe_init(void) 1109{ 1110 dev_t dev; 1111 1112 TAILQ_INIT(&audit_pipe_list); 1113 AUDIT_PIPE_LIST_LOCK_INIT(); 1114 1115 audit_pipe_major = cdevsw_add(-1, &audit_pipe_cdevsw); 1116 if (audit_pipe_major < 0) 1117 return (KERN_FAILURE); 1118 1119 dev = makedev(audit_pipe_major, 0); 1120 devnode = devfs_make_node_clone(dev, DEVFS_CHAR, UID_ROOT, GID_WHEEL, 1121 0600, audit_pipe_clone, "auditpipe", 0); 1122 1123 if (devnode == NULL) 1124 return (KERN_FAILURE); 1125 1126 return (KERN_SUCCESS); 1127} 1128 1129int 1130audit_pipe_shutdown(void) 1131{ 1132 1133 /* unwind everything */ 1134 devfs_remove(devnode); 1135 (void) cdevsw_remove(audit_pipe_major, &audit_pipe_cdevsw); 1136 1137 return (KERN_SUCCESS); 1138} 1139 1140#endif /* CONFIG_AUDIT */ 1141