audit_pipe.c revision 184488
1/*- 2 * Copyright (c) 2006 Robert N. M. Watson 3 * Copyright (c) 2008 Apple, Inc. 4 * All rights reserved. 5 * 6 * This software was developed by Robert Watson for the TrustedBSD Project. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 27 * SUCH DAMAGE. 28 */ 29 30#include <sys/cdefs.h> 31__FBSDID("$FreeBSD: head/sys/security/audit/audit_pipe.c 184488 2008-10-30 21:58:39Z rwatson $"); 32 33#include <sys/param.h> 34#include <sys/condvar.h> 35#include <sys/conf.h> 36#include <sys/eventhandler.h> 37#include <sys/filio.h> 38#include <sys/kernel.h> 39#include <sys/lock.h> 40#include <sys/malloc.h> 41#include <sys/mutex.h> 42#include <sys/poll.h> 43#include <sys/proc.h> 44#include <sys/queue.h> 45#include <sys/rwlock.h> 46#include <sys/selinfo.h> 47#include <sys/sigio.h> 48#include <sys/signal.h> 49#include <sys/signalvar.h> 50#include <sys/systm.h> 51#include <sys/uio.h> 52 53#include <security/audit/audit.h> 54#include <security/audit/audit_ioctl.h> 55#include <security/audit/audit_private.h> 56 57/* 58 * Implementation of a clonable special device providing a live stream of BSM 59 * audit data. This is a "tee" of the data going to the file. It provides 60 * unreliable but timely access to audit events. Consumers of this interface 61 * should be very careful to avoid introducing event cycles. Consumers may 62 * express interest via a set of preselection ioctls. 63 */ 64 65/* 66 * Memory types. 67 */ 68static MALLOC_DEFINE(M_AUDIT_PIPE, "audit_pipe", "Audit pipes"); 69static MALLOC_DEFINE(M_AUDIT_PIPE_ENTRY, "audit_pipeent", 70 "Audit pipe entries and buffers"); 71static MALLOC_DEFINE(M_AUDIT_PIPE_PRESELECT, "audit_pipe_presel", 72 "Audit pipe preselection structure"); 73 74/* 75 * Audit pipe buffer parameters. 76 */ 77#define AUDIT_PIPE_QLIMIT_DEFAULT (128) 78#define AUDIT_PIPE_QLIMIT_MIN (0) 79#define AUDIT_PIPE_QLIMIT_MAX (1024) 80 81/* 82 * Description of an entry in an audit_pipe. 83 */ 84struct audit_pipe_entry { 85 void *ape_record; 86 u_int ape_record_len; 87 TAILQ_ENTRY(audit_pipe_entry) ape_queue; 88}; 89 90/* 91 * Audit pipes allow processes to express "interest" in the set of records 92 * that are delivered via the pipe. They do this in a similar manner to the 93 * mechanism for audit trail configuration, by expressing two global masks, 94 * and optionally expressing per-auid masks. The following data structure is 95 * the per-auid mask description. The global state is stored in the audit 96 * pipe data structure. 97 * 98 * We may want to consider a more space/time-efficient data structure once 99 * usage patterns for per-auid specifications are clear. 100 */ 101struct audit_pipe_preselect { 102 au_id_t app_auid; 103 au_mask_t app_mask; 104 TAILQ_ENTRY(audit_pipe_preselect) app_list; 105}; 106 107/* 108 * Description of an individual audit_pipe. Consists largely of a bounded 109 * length queue. 110 */ 111#define AUDIT_PIPE_ASYNC 0x00000001 112#define AUDIT_PIPE_NBIO 0x00000002 113struct audit_pipe { 114 int ap_open; /* Device open? */ 115 u_int ap_flags; 116 117 struct selinfo ap_selinfo; 118 struct sigio *ap_sigio; 119 120 /* 121 * Per-pipe mutex protecting most fields in this data structure. 122 */ 123 struct mtx ap_lock; 124 125 /* 126 * Condition variable to signal when data has been delivered to a 127 * pipe. 128 */ 129 struct cv ap_cv; 130 131 u_int ap_qlen; 132 u_int ap_qlimit; 133 134 u_int64_t ap_inserts; /* Records added. */ 135 u_int64_t ap_reads; /* Records read. */ 136 u_int64_t ap_drops; /* Records dropped. */ 137 u_int64_t ap_truncates; /* Records too long. */ 138 139 /* 140 * Fields relating to pipe interest: global masks for unmatched 141 * processes (attributable, non-attributable), and a list of specific 142 * interest specifications by auid. 143 */ 144 int ap_preselect_mode; 145 au_mask_t ap_preselect_flags; 146 au_mask_t ap_preselect_naflags; 147 TAILQ_HEAD(, audit_pipe_preselect) ap_preselect_list; 148 149 /* 150 * Current pending record list. 151 */ 152 TAILQ_HEAD(, audit_pipe_entry) ap_queue; 153 154 /* 155 * Global pipe list. 156 */ 157 TAILQ_ENTRY(audit_pipe) ap_list; 158}; 159 160#define AUDIT_PIPE_LOCK(ap) mtx_lock(&(ap)->ap_lock) 161#define AUDIT_PIPE_LOCK_ASSERT(ap) mtx_assert(&(ap)->ap_lock, MA_OWNED) 162#define AUDIT_PIPE_LOCK_DESTROY(ap) mtx_destroy(&(ap)->ap_lock) 163#define AUDIT_PIPE_LOCK_INIT(ap) mtx_init(&(ap)->ap_lock, \ 164 "audit_pipe_lock", NULL, MTX_DEF) 165#define AUDIT_PIPE_UNLOCK(ap) mtx_unlock(&(ap)->ap_lock) 166#define AUDIT_PIPE_MTX(ap) (&(ap)->ap_lock) 167 168/* 169 * Global list of audit pipes, rwlock to protect it. Individual record 170 * queues on pipes are protected by per-pipe locks; these locks synchronize 171 * between threads walking the list to deliver to individual pipes and add/ 172 * remove of pipes, and are mostly acquired for read. 173 */ 174static TAILQ_HEAD(, audit_pipe) audit_pipe_list; 175static struct rwlock audit_pipe_lock; 176 177#define AUDIT_PIPE_LIST_LOCK_INIT() rw_init(&audit_pipe_lock, \ 178 "audit_pipe_list_lock") 179#define AUDIT_PIPE_LIST_RLOCK() rw_rlock(&audit_pipe_lock) 180#define AUDIT_PIPE_LIST_RUNLOCK() rw_runlock(&audit_pipe_lock) 181#define AUDIT_PIPE_LIST_WLOCK() rw_wlock(&audit_pipe_lock) 182#define AUDIT_PIPE_LIST_WLOCK_ASSERT() rw_assert(&audit_pipe_lock, \ 183 RA_WLOCKED) 184#define AUDIT_PIPE_LIST_WUNLOCK() rw_wunlock(&audit_pipe_lock) 185 186/* 187 * Cloning related variables and constants. 188 */ 189#define AUDIT_PIPE_NAME "auditpipe" 190static eventhandler_tag audit_pipe_eh_tag; 191static struct clonedevs *audit_pipe_clones; 192 193/* 194 * Special device methods and definition. 195 */ 196static d_open_t audit_pipe_open; 197static d_close_t audit_pipe_close; 198static d_read_t audit_pipe_read; 199static d_ioctl_t audit_pipe_ioctl; 200static d_poll_t audit_pipe_poll; 201static d_kqfilter_t audit_pipe_kqfilter; 202 203static struct cdevsw audit_pipe_cdevsw = { 204 .d_version = D_VERSION, 205 .d_flags = D_PSEUDO | D_NEEDGIANT | D_NEEDMINOR, 206 .d_open = audit_pipe_open, 207 .d_close = audit_pipe_close, 208 .d_read = audit_pipe_read, 209 .d_ioctl = audit_pipe_ioctl, 210 .d_poll = audit_pipe_poll, 211 .d_kqfilter = audit_pipe_kqfilter, 212 .d_name = AUDIT_PIPE_NAME, 213}; 214 215static int audit_pipe_kqread(struct knote *note, long hint); 216static void audit_pipe_kqdetach(struct knote *note); 217 218static struct filterops audit_pipe_read_filterops = { 219 .f_isfd = 1, 220 .f_attach = NULL, 221 .f_detach = audit_pipe_kqdetach, 222 .f_event = audit_pipe_kqread, 223}; 224 225/* 226 * Some global statistics on audit pipes. 227 */ 228static int audit_pipe_count; /* Current number of pipes. */ 229static u_int64_t audit_pipe_ever; /* Pipes ever allocated. */ 230static u_int64_t audit_pipe_records; /* Records seen. */ 231static u_int64_t audit_pipe_drops; /* Global record drop count. */ 232 233/* 234 * Free an audit pipe entry. 235 */ 236static void 237audit_pipe_entry_free(struct audit_pipe_entry *ape) 238{ 239 240 free(ape->ape_record, M_AUDIT_PIPE_ENTRY); 241 free(ape, M_AUDIT_PIPE_ENTRY); 242} 243 244/* 245 * Find an audit pipe preselection specification for an auid, if any. 246 */ 247static struct audit_pipe_preselect * 248audit_pipe_preselect_find(struct audit_pipe *ap, au_id_t auid) 249{ 250 struct audit_pipe_preselect *app; 251 252 AUDIT_PIPE_LOCK_ASSERT(ap); 253 254 TAILQ_FOREACH(app, &ap->ap_preselect_list, app_list) { 255 if (app->app_auid == auid) 256 return (app); 257 } 258 return (NULL); 259} 260 261/* 262 * Query the per-pipe mask for a specific auid. 263 */ 264static int 265audit_pipe_preselect_get(struct audit_pipe *ap, au_id_t auid, 266 au_mask_t *maskp) 267{ 268 struct audit_pipe_preselect *app; 269 int error; 270 271 AUDIT_PIPE_LOCK(ap); 272 app = audit_pipe_preselect_find(ap, auid); 273 if (app != NULL) { 274 *maskp = app->app_mask; 275 error = 0; 276 } else 277 error = ENOENT; 278 AUDIT_PIPE_UNLOCK(ap); 279 return (error); 280} 281 282/* 283 * Set the per-pipe mask for a specific auid. Add a new entry if needed; 284 * otherwise, update the current entry. 285 */ 286static void 287audit_pipe_preselect_set(struct audit_pipe *ap, au_id_t auid, au_mask_t mask) 288{ 289 struct audit_pipe_preselect *app, *app_new; 290 291 /* 292 * Pessimistically assume that the auid doesn't already have a mask 293 * set, and allocate. We will free it if it is unneeded. 294 */ 295 app_new = malloc(sizeof(*app_new), M_AUDIT_PIPE_PRESELECT, M_WAITOK); 296 AUDIT_PIPE_LOCK(ap); 297 app = audit_pipe_preselect_find(ap, auid); 298 if (app == NULL) { 299 app = app_new; 300 app_new = NULL; 301 app->app_auid = auid; 302 TAILQ_INSERT_TAIL(&ap->ap_preselect_list, app, app_list); 303 } 304 app->app_mask = mask; 305 AUDIT_PIPE_UNLOCK(ap); 306 if (app_new != NULL) 307 free(app_new, M_AUDIT_PIPE_PRESELECT); 308} 309 310/* 311 * Delete a per-auid mask on an audit pipe. 312 */ 313static int 314audit_pipe_preselect_delete(struct audit_pipe *ap, au_id_t auid) 315{ 316 struct audit_pipe_preselect *app; 317 int error; 318 319 AUDIT_PIPE_LOCK(ap); 320 app = audit_pipe_preselect_find(ap, auid); 321 if (app != NULL) { 322 TAILQ_REMOVE(&ap->ap_preselect_list, app, app_list); 323 error = 0; 324 } else 325 error = ENOENT; 326 AUDIT_PIPE_UNLOCK(ap); 327 if (app != NULL) 328 free(app, M_AUDIT_PIPE_PRESELECT); 329 return (error); 330} 331 332/* 333 * Delete all per-auid masks on an audit pipe. 334 */ 335static void 336audit_pipe_preselect_flush_locked(struct audit_pipe *ap) 337{ 338 struct audit_pipe_preselect *app; 339 340 AUDIT_PIPE_LOCK_ASSERT(ap); 341 342 while ((app = TAILQ_FIRST(&ap->ap_preselect_list)) != NULL) { 343 TAILQ_REMOVE(&ap->ap_preselect_list, app, app_list); 344 free(app, M_AUDIT_PIPE_PRESELECT); 345 } 346} 347 348static void 349audit_pipe_preselect_flush(struct audit_pipe *ap) 350{ 351 352 AUDIT_PIPE_LOCK(ap); 353 audit_pipe_preselect_flush_locked(ap); 354 AUDIT_PIPE_UNLOCK(ap); 355} 356 357/*- 358 * Determine whether a specific audit pipe matches a record with these 359 * properties. Algorithm is as follows: 360 * 361 * - If the pipe is configured to track the default trail configuration, then 362 * use the results of global preselection matching. 363 * - If not, search for a specifically configured auid entry matching the 364 * event. If an entry is found, use that. 365 * - Otherwise, use the default flags or naflags configured for the pipe. 366 */ 367static int 368audit_pipe_preselect_check(struct audit_pipe *ap, au_id_t auid, 369 au_event_t event, au_class_t class, int sorf, int trail_preselect) 370{ 371 struct audit_pipe_preselect *app; 372 373 AUDIT_PIPE_LOCK_ASSERT(ap); 374 375 switch (ap->ap_preselect_mode) { 376 case AUDITPIPE_PRESELECT_MODE_TRAIL: 377 return (trail_preselect); 378 379 case AUDITPIPE_PRESELECT_MODE_LOCAL: 380 app = audit_pipe_preselect_find(ap, auid); 381 if (app == NULL) { 382 if (auid == AU_DEFAUDITID) 383 return (au_preselect(event, class, 384 &ap->ap_preselect_naflags, sorf)); 385 else 386 return (au_preselect(event, class, 387 &ap->ap_preselect_flags, sorf)); 388 } else 389 return (au_preselect(event, class, &app->app_mask, 390 sorf)); 391 392 default: 393 panic("audit_pipe_preselect_check: mode %d", 394 ap->ap_preselect_mode); 395 } 396 397 return (0); 398} 399 400/* 401 * Determine whether there exists a pipe interested in a record with specific 402 * properties. 403 */ 404int 405audit_pipe_preselect(au_id_t auid, au_event_t event, au_class_t class, 406 int sorf, int trail_preselect) 407{ 408 struct audit_pipe *ap; 409 410 AUDIT_PIPE_LIST_RLOCK(); 411 TAILQ_FOREACH(ap, &audit_pipe_list, ap_list) { 412 AUDIT_PIPE_LOCK(ap); 413 if (audit_pipe_preselect_check(ap, auid, event, class, sorf, 414 trail_preselect)) { 415 AUDIT_PIPE_UNLOCK(ap); 416 AUDIT_PIPE_LIST_RUNLOCK(); 417 return (1); 418 } 419 AUDIT_PIPE_UNLOCK(ap); 420 } 421 AUDIT_PIPE_LIST_RUNLOCK(); 422 return (0); 423} 424 425/* 426 * Append individual record to a queue -- allocate queue-local buffer, and 427 * add to the queue. We try to drop from the head of the queue so that more 428 * recent events take precedence over older ones, but if allocation fails we 429 * do drop the new event. 430 */ 431static void 432audit_pipe_append(struct audit_pipe *ap, void *record, u_int record_len) 433{ 434 struct audit_pipe_entry *ape, *ape_remove; 435 436 AUDIT_PIPE_LOCK_ASSERT(ap); 437 438 ape = malloc(sizeof(*ape), M_AUDIT_PIPE_ENTRY, M_NOWAIT | M_ZERO); 439 if (ape == NULL) { 440 ap->ap_drops++; 441 audit_pipe_drops++; 442 return; 443 } 444 445 ape->ape_record = malloc(record_len, M_AUDIT_PIPE_ENTRY, M_NOWAIT); 446 if (ape->ape_record == NULL) { 447 free(ape, M_AUDIT_PIPE_ENTRY); 448 ap->ap_drops++; 449 audit_pipe_drops++; 450 return; 451 } 452 453 bcopy(record, ape->ape_record, record_len); 454 ape->ape_record_len = record_len; 455 456 if (ap->ap_qlen >= ap->ap_qlimit) { 457 ape_remove = TAILQ_FIRST(&ap->ap_queue); 458 TAILQ_REMOVE(&ap->ap_queue, ape_remove, ape_queue); 459 audit_pipe_entry_free(ape_remove); 460 ap->ap_qlen--; 461 ap->ap_drops++; 462 audit_pipe_drops++; 463 } 464 465 TAILQ_INSERT_TAIL(&ap->ap_queue, ape, ape_queue); 466 ap->ap_inserts++; 467 ap->ap_qlen++; 468 selwakeuppri(&ap->ap_selinfo, PSOCK); 469 KNOTE_LOCKED(&ap->ap_selinfo.si_note, 0); 470 if (ap->ap_flags & AUDIT_PIPE_ASYNC) 471 pgsigio(&ap->ap_sigio, SIGIO, 0); 472 cv_broadcast(&ap->ap_cv); 473} 474 475/* 476 * audit_pipe_submit(): audit_worker submits audit records via this 477 * interface, which arranges for them to be delivered to pipe queues. 478 */ 479void 480audit_pipe_submit(au_id_t auid, au_event_t event, au_class_t class, int sorf, 481 int trail_select, void *record, u_int record_len) 482{ 483 struct audit_pipe *ap; 484 485 /* 486 * Lockless read to avoid lock overhead if pipes are not in use. 487 */ 488 if (TAILQ_FIRST(&audit_pipe_list) == NULL) 489 return; 490 491 AUDIT_PIPE_LIST_RLOCK(); 492 TAILQ_FOREACH(ap, &audit_pipe_list, ap_list) { 493 AUDIT_PIPE_LOCK(ap); 494 if (audit_pipe_preselect_check(ap, auid, event, class, sorf, 495 trail_select)) 496 audit_pipe_append(ap, record, record_len); 497 AUDIT_PIPE_UNLOCK(ap); 498 } 499 AUDIT_PIPE_LIST_RUNLOCK(); 500 501 /* Unlocked increment. */ 502 audit_pipe_records++; 503} 504 505/* 506 * audit_pipe_submit_user(): the same as audit_pipe_submit(), except that 507 * since we don't currently have selection information available, it is 508 * delivered to the pipe unconditionally. 509 * 510 * XXXRW: This is a bug. The BSM check routine for submitting a user record 511 * should parse that information and return it. 512 */ 513void 514audit_pipe_submit_user(void *record, u_int record_len) 515{ 516 struct audit_pipe *ap; 517 518 /* 519 * Lockless read to avoid lock overhead if pipes are not in use. 520 */ 521 if (TAILQ_FIRST(&audit_pipe_list) == NULL) 522 return; 523 524 AUDIT_PIPE_LIST_RLOCK(); 525 TAILQ_FOREACH(ap, &audit_pipe_list, ap_list) { 526 AUDIT_PIPE_LOCK(ap); 527 audit_pipe_append(ap, record, record_len); 528 AUDIT_PIPE_UNLOCK(ap); 529 } 530 AUDIT_PIPE_LIST_RUNLOCK(); 531 532 /* Unlocked increment. */ 533 audit_pipe_records++; 534} 535 536/* 537 * Pop the next record off of an audit pipe. 538 */ 539static struct audit_pipe_entry * 540audit_pipe_pop(struct audit_pipe *ap) 541{ 542 struct audit_pipe_entry *ape; 543 544 AUDIT_PIPE_LOCK_ASSERT(ap); 545 546 ape = TAILQ_FIRST(&ap->ap_queue); 547 KASSERT((ape == NULL && ap->ap_qlen == 0) || 548 (ape != NULL && ap->ap_qlen != 0), ("audit_pipe_pop: qlen")); 549 if (ape == NULL) 550 return (NULL); 551 TAILQ_REMOVE(&ap->ap_queue, ape, ape_queue); 552 ap->ap_qlen--; 553 return (ape); 554} 555 556/* 557 * Allocate a new audit pipe. Connects the pipe, on success, to the global 558 * list and updates statistics. 559 */ 560static struct audit_pipe * 561audit_pipe_alloc(void) 562{ 563 struct audit_pipe *ap; 564 565 AUDIT_PIPE_LIST_WLOCK_ASSERT(); 566 567 ap = malloc(sizeof(*ap), M_AUDIT_PIPE, M_NOWAIT | M_ZERO); 568 if (ap == NULL) 569 return (NULL); 570 ap->ap_qlimit = AUDIT_PIPE_QLIMIT_DEFAULT; 571 TAILQ_INIT(&ap->ap_queue); 572 knlist_init(&ap->ap_selinfo.si_note, AUDIT_PIPE_MTX(ap), NULL, NULL, 573 NULL); 574 AUDIT_PIPE_LOCK_INIT(ap); 575 cv_init(&ap->ap_cv, "audit_pipe"); 576 577 /* 578 * Default flags, naflags, and auid-specific preselection settings to 579 * 0. Initialize the mode to the global trail so that if praudit(1) 580 * is run on /dev/auditpipe, it sees events associated with the 581 * default trail. Pipe-aware application can clear the flag, set 582 * custom masks, and flush the pipe as needed. 583 */ 584 bzero(&ap->ap_preselect_flags, sizeof(ap->ap_preselect_flags)); 585 bzero(&ap->ap_preselect_naflags, sizeof(ap->ap_preselect_naflags)); 586 TAILQ_INIT(&ap->ap_preselect_list); 587 ap->ap_preselect_mode = AUDITPIPE_PRESELECT_MODE_TRAIL; 588 589 /* 590 * Add to global list and update global statistics. 591 */ 592 TAILQ_INSERT_HEAD(&audit_pipe_list, ap, ap_list); 593 audit_pipe_count++; 594 audit_pipe_ever++; 595 596 return (ap); 597} 598 599/* 600 * Flush all records currently present in an audit pipe; assume mutex is held. 601 */ 602static void 603audit_pipe_flush(struct audit_pipe *ap) 604{ 605 struct audit_pipe_entry *ape; 606 607 AUDIT_PIPE_LOCK_ASSERT(ap); 608 609 while ((ape = TAILQ_FIRST(&ap->ap_queue)) != NULL) { 610 TAILQ_REMOVE(&ap->ap_queue, ape, ape_queue); 611 audit_pipe_entry_free(ape); 612 ap->ap_qlen--; 613 } 614 KASSERT(ap->ap_qlen == 0, ("audit_pipe_free: ap_qlen")); 615} 616 617/* 618 * Free an audit pipe; this means freeing all preselection state and all 619 * records in the pipe. Assumes global write lock and pipe mutex are held to 620 * prevent any new records from being inserted during the free, and that the 621 * audit pipe is still on the global list. 622 */ 623static void 624audit_pipe_free(struct audit_pipe *ap) 625{ 626 627 AUDIT_PIPE_LIST_WLOCK_ASSERT(); 628 AUDIT_PIPE_LOCK_ASSERT(ap); 629 630 audit_pipe_preselect_flush_locked(ap); 631 audit_pipe_flush(ap); 632 cv_destroy(&ap->ap_cv); 633 AUDIT_PIPE_LOCK_DESTROY(ap); 634 knlist_destroy(&ap->ap_selinfo.si_note); 635 TAILQ_REMOVE(&audit_pipe_list, ap, ap_list); 636 free(ap, M_AUDIT_PIPE); 637 audit_pipe_count--; 638} 639 640/* 641 * Audit pipe clone routine -- provide specific requested audit pipe, or a 642 * fresh one if a specific one is not requested. 643 */ 644static void 645audit_pipe_clone(void *arg, struct ucred *cred, char *name, int namelen, 646 struct cdev **dev) 647{ 648 int i, u; 649 650 if (*dev != NULL) 651 return; 652 653 if (strcmp(name, AUDIT_PIPE_NAME) == 0) 654 u = -1; 655 else if (dev_stdclone(name, NULL, AUDIT_PIPE_NAME, &u) != 1) 656 return; 657 658 i = clone_create(&audit_pipe_clones, &audit_pipe_cdevsw, &u, dev, 0); 659 if (i) { 660 *dev = make_dev(&audit_pipe_cdevsw, u, UID_ROOT, 661 GID_WHEEL, 0600, "%s%d", AUDIT_PIPE_NAME, u); 662 if (*dev != NULL) { 663 dev_ref(*dev); 664 (*dev)->si_flags |= SI_CHEAPCLONE; 665 } 666 } 667} 668 669/* 670 * Audit pipe open method. Explicit privilege check isn't used as this 671 * allows file permissions on the special device to be used to grant audit 672 * review access. Those file permissions should be managed carefully. 673 */ 674static int 675audit_pipe_open(struct cdev *dev, int oflags, int devtype, struct thread *td) 676{ 677 struct audit_pipe *ap; 678 679 AUDIT_PIPE_LIST_WLOCK(); 680 ap = dev->si_drv1; 681 if (ap == NULL) { 682 ap = audit_pipe_alloc(); 683 if (ap == NULL) { 684 AUDIT_PIPE_LIST_WUNLOCK(); 685 return (ENOMEM); 686 } 687 dev->si_drv1 = ap; 688 } else { 689 KASSERT(ap->ap_open, ("audit_pipe_open: ap && !ap_open")); 690 AUDIT_PIPE_LIST_WUNLOCK(); 691 return (EBUSY); 692 } 693 ap->ap_open = 1; /* No lock required yet. */ 694 AUDIT_PIPE_LIST_WUNLOCK(); 695 fsetown(td->td_proc->p_pid, &ap->ap_sigio); 696 return (0); 697} 698 699/* 700 * Close audit pipe, tear down all records, etc. 701 */ 702static int 703audit_pipe_close(struct cdev *dev, int fflag, int devtype, struct thread *td) 704{ 705 struct audit_pipe *ap; 706 707 ap = dev->si_drv1; 708 KASSERT(ap != NULL, ("audit_pipe_close: ap == NULL")); 709 KASSERT(ap->ap_open, ("audit_pipe_close: !ap_open")); 710 711 funsetown(&ap->ap_sigio); 712 AUDIT_PIPE_LIST_WLOCK(); 713 AUDIT_PIPE_LOCK(ap); 714 ap->ap_open = 0; 715 audit_pipe_free(ap); 716 dev->si_drv1 = NULL; 717 AUDIT_PIPE_LIST_WUNLOCK(); 718 return (0); 719} 720 721/* 722 * Audit pipe ioctl() routine. Handle file descriptor and audit pipe layer 723 * commands. 724 * 725 * Would be desirable to support filtering, although perhaps something simple 726 * like an event mask, as opposed to something complicated like BPF. 727 */ 728static int 729audit_pipe_ioctl(struct cdev *dev, u_long cmd, caddr_t data, int flag, 730 struct thread *td) 731{ 732 struct auditpipe_ioctl_preselect *aip; 733 struct audit_pipe *ap; 734 au_mask_t *maskp; 735 int error, mode; 736 au_id_t auid; 737 738 ap = dev->si_drv1; 739 KASSERT(ap != NULL, ("audit_pipe_ioctl: ap == NULL")); 740 741 /* 742 * Audit pipe ioctls: first come standard device node ioctls, then 743 * manipulation of pipe settings, and finally, statistics query 744 * ioctls. 745 */ 746 switch (cmd) { 747 case FIONBIO: 748 AUDIT_PIPE_LOCK(ap); 749 if (*(int *)data) 750 ap->ap_flags |= AUDIT_PIPE_NBIO; 751 else 752 ap->ap_flags &= ~AUDIT_PIPE_NBIO; 753 AUDIT_PIPE_UNLOCK(ap); 754 error = 0; 755 break; 756 757 case FIONREAD: 758 AUDIT_PIPE_LOCK(ap); 759 if (TAILQ_FIRST(&ap->ap_queue) != NULL) 760 *(int *)data = 761 TAILQ_FIRST(&ap->ap_queue)->ape_record_len; 762 else 763 *(int *)data = 0; 764 AUDIT_PIPE_UNLOCK(ap); 765 error = 0; 766 break; 767 768 case FIOASYNC: 769 AUDIT_PIPE_LOCK(ap); 770 if (*(int *)data) 771 ap->ap_flags |= AUDIT_PIPE_ASYNC; 772 else 773 ap->ap_flags &= ~AUDIT_PIPE_ASYNC; 774 AUDIT_PIPE_UNLOCK(ap); 775 error = 0; 776 break; 777 778 case FIOSETOWN: 779 error = fsetown(*(int *)data, &ap->ap_sigio); 780 break; 781 782 case FIOGETOWN: 783 *(int *)data = fgetown(&ap->ap_sigio); 784 error = 0; 785 break; 786 787 case AUDITPIPE_GET_QLEN: 788 *(u_int *)data = ap->ap_qlen; 789 error = 0; 790 break; 791 792 case AUDITPIPE_GET_QLIMIT: 793 *(u_int *)data = ap->ap_qlimit; 794 error = 0; 795 break; 796 797 case AUDITPIPE_SET_QLIMIT: 798 /* Lockless integer write. */ 799 if (*(u_int *)data >= AUDIT_PIPE_QLIMIT_MIN || 800 *(u_int *)data <= AUDIT_PIPE_QLIMIT_MAX) { 801 ap->ap_qlimit = *(u_int *)data; 802 error = 0; 803 } else 804 error = EINVAL; 805 break; 806 807 case AUDITPIPE_GET_QLIMIT_MIN: 808 *(u_int *)data = AUDIT_PIPE_QLIMIT_MIN; 809 error = 0; 810 break; 811 812 case AUDITPIPE_GET_QLIMIT_MAX: 813 *(u_int *)data = AUDIT_PIPE_QLIMIT_MAX; 814 error = 0; 815 break; 816 817 case AUDITPIPE_GET_PRESELECT_FLAGS: 818 AUDIT_PIPE_LOCK(ap); 819 maskp = (au_mask_t *)data; 820 *maskp = ap->ap_preselect_flags; 821 AUDIT_PIPE_UNLOCK(ap); 822 error = 0; 823 break; 824 825 case AUDITPIPE_SET_PRESELECT_FLAGS: 826 AUDIT_PIPE_LOCK(ap); 827 maskp = (au_mask_t *)data; 828 ap->ap_preselect_flags = *maskp; 829 AUDIT_PIPE_UNLOCK(ap); 830 error = 0; 831 break; 832 833 case AUDITPIPE_GET_PRESELECT_NAFLAGS: 834 AUDIT_PIPE_LOCK(ap); 835 maskp = (au_mask_t *)data; 836 *maskp = ap->ap_preselect_naflags; 837 AUDIT_PIPE_UNLOCK(ap); 838 error = 0; 839 break; 840 841 case AUDITPIPE_SET_PRESELECT_NAFLAGS: 842 AUDIT_PIPE_LOCK(ap); 843 maskp = (au_mask_t *)data; 844 ap->ap_preselect_naflags = *maskp; 845 AUDIT_PIPE_UNLOCK(ap); 846 error = 0; 847 break; 848 849 case AUDITPIPE_GET_PRESELECT_AUID: 850 aip = (struct auditpipe_ioctl_preselect *)data; 851 error = audit_pipe_preselect_get(ap, aip->aip_auid, 852 &aip->aip_mask); 853 break; 854 855 case AUDITPIPE_SET_PRESELECT_AUID: 856 aip = (struct auditpipe_ioctl_preselect *)data; 857 audit_pipe_preselect_set(ap, aip->aip_auid, aip->aip_mask); 858 error = 0; 859 break; 860 861 case AUDITPIPE_DELETE_PRESELECT_AUID: 862 auid = *(au_id_t *)data; 863 error = audit_pipe_preselect_delete(ap, auid); 864 break; 865 866 case AUDITPIPE_FLUSH_PRESELECT_AUID: 867 audit_pipe_preselect_flush(ap); 868 error = 0; 869 break; 870 871 case AUDITPIPE_GET_PRESELECT_MODE: 872 AUDIT_PIPE_LOCK(ap); 873 *(int *)data = ap->ap_preselect_mode; 874 AUDIT_PIPE_UNLOCK(ap); 875 error = 0; 876 break; 877 878 case AUDITPIPE_SET_PRESELECT_MODE: 879 mode = *(int *)data; 880 switch (mode) { 881 case AUDITPIPE_PRESELECT_MODE_TRAIL: 882 case AUDITPIPE_PRESELECT_MODE_LOCAL: 883 AUDIT_PIPE_LOCK(ap); 884 ap->ap_preselect_mode = mode; 885 AUDIT_PIPE_UNLOCK(ap); 886 error = 0; 887 break; 888 889 default: 890 error = EINVAL; 891 } 892 break; 893 894 case AUDITPIPE_FLUSH: 895 AUDIT_PIPE_LOCK(ap); 896 audit_pipe_flush(ap); 897 AUDIT_PIPE_UNLOCK(ap); 898 error = 0; 899 break; 900 901 case AUDITPIPE_GET_MAXAUDITDATA: 902 *(u_int *)data = MAXAUDITDATA; 903 error = 0; 904 break; 905 906 case AUDITPIPE_GET_INSERTS: 907 *(u_int *)data = ap->ap_inserts; 908 error = 0; 909 break; 910 911 case AUDITPIPE_GET_READS: 912 *(u_int *)data = ap->ap_reads; 913 error = 0; 914 break; 915 916 case AUDITPIPE_GET_DROPS: 917 *(u_int *)data = ap->ap_drops; 918 error = 0; 919 break; 920 921 case AUDITPIPE_GET_TRUNCATES: 922 *(u_int *)data = ap->ap_truncates; 923 error = 0; 924 break; 925 926 default: 927 error = ENOTTY; 928 } 929 return (error); 930} 931 932/* 933 * Audit pipe read. Pull one record off the queue and copy to user space. 934 * On error, the record is dropped. 935 * 936 * Providing more sophisticated behavior, such as partial reads, is tricky 937 * due to the potential for parallel I/O. If partial read support is 938 * required, it will require a per-pipe "current record being read" along 939 * with an offset into that trecord which has already been read. Threads 940 * performing partial reads will need to allocate per-thread copies of the 941 * data so that if another thread completes the read of the record, it can be 942 * freed without adding reference count logic. If this is added, a flag to 943 * indicate that only atomic record reads are desired would be useful, as if 944 * different threads are all waiting for records on the pipe, they will want 945 * independent record reads, which is currently the behavior. 946 */ 947static int 948audit_pipe_read(struct cdev *dev, struct uio *uio, int flag) 949{ 950 struct audit_pipe_entry *ape; 951 struct audit_pipe *ap; 952 int error; 953 954 ap = dev->si_drv1; 955 KASSERT(ap != NULL, ("audit_pipe_read: ap == NULL")); 956 957 AUDIT_PIPE_LOCK(ap); 958 do { 959 /* 960 * Wait for a record that fits into the read buffer, dropping 961 * records that would be truncated if actually passed to the 962 * process. This helps maintain the discreet record read 963 * interface. 964 */ 965 while ((ape = audit_pipe_pop(ap)) == NULL) { 966 if (ap->ap_flags & AUDIT_PIPE_NBIO) { 967 AUDIT_PIPE_UNLOCK(ap); 968 return (EAGAIN); 969 } 970 error = cv_wait_sig(&ap->ap_cv, AUDIT_PIPE_MTX(ap)); 971 if (error) { 972 AUDIT_PIPE_UNLOCK(ap); 973 return (error); 974 } 975 } 976 if (ape->ape_record_len <= uio->uio_resid) 977 break; 978 audit_pipe_entry_free(ape); 979 ap->ap_truncates++; 980 } while (1); 981 ap->ap_reads++; 982 AUDIT_PIPE_UNLOCK(ap); 983 984 /* 985 * Now read record to user space memory. Even if the read is short, 986 * we abandon the remainder of the record, supporting only discreet 987 * record reads. 988 */ 989 error = uiomove(ape->ape_record, ape->ape_record_len, uio); 990 audit_pipe_entry_free(ape); 991 return (error); 992} 993 994/* 995 * Audit pipe poll. 996 */ 997static int 998audit_pipe_poll(struct cdev *dev, int events, struct thread *td) 999{ 1000 struct audit_pipe *ap; 1001 int revents; 1002 1003 revents = 0; 1004 ap = dev->si_drv1; 1005 KASSERT(ap != NULL, ("audit_pipe_poll: ap == NULL")); 1006 1007 if (events & (POLLIN | POLLRDNORM)) { 1008 AUDIT_PIPE_LOCK(ap); 1009 if (TAILQ_FIRST(&ap->ap_queue) != NULL) 1010 revents |= events & (POLLIN | POLLRDNORM); 1011 else 1012 selrecord(td, &ap->ap_selinfo); 1013 AUDIT_PIPE_UNLOCK(ap); 1014 } 1015 return (revents); 1016} 1017 1018/* 1019 * Audit pipe kqfilter. 1020 */ 1021static int 1022audit_pipe_kqfilter(struct cdev *dev, struct knote *kn) 1023{ 1024 struct audit_pipe *ap; 1025 1026 ap = dev->si_drv1; 1027 KASSERT(ap != NULL, ("audit_pipe_kqfilter: ap == NULL")); 1028 1029 if (kn->kn_filter != EVFILT_READ) 1030 return (EINVAL); 1031 1032 kn->kn_fop = &audit_pipe_read_filterops; 1033 kn->kn_hook = ap; 1034 1035 AUDIT_PIPE_LOCK(ap); 1036 knlist_add(&ap->ap_selinfo.si_note, kn, 1); 1037 AUDIT_PIPE_UNLOCK(ap); 1038 return (0); 1039} 1040 1041/* 1042 * Return true if there are records available for reading on the pipe. 1043 */ 1044static int 1045audit_pipe_kqread(struct knote *kn, long hint) 1046{ 1047 struct audit_pipe_entry *ape; 1048 struct audit_pipe *ap; 1049 1050 ap = (struct audit_pipe *)kn->kn_hook; 1051 KASSERT(ap != NULL, ("audit_pipe_kqread: ap == NULL")); 1052 1053 AUDIT_PIPE_LOCK_ASSERT(ap); 1054 1055 if (ap->ap_qlen != 0) { 1056 ape = TAILQ_FIRST(&ap->ap_queue); 1057 KASSERT(ape != NULL, ("audit_pipe_kqread: ape == NULL")); 1058 1059 kn->kn_data = ape->ape_record_len; 1060 return (1); 1061 } else { 1062 kn->kn_data = 0; 1063 return (0); 1064 } 1065} 1066 1067/* 1068 * Detach kqueue state from audit pipe. 1069 */ 1070static void 1071audit_pipe_kqdetach(struct knote *kn) 1072{ 1073 struct audit_pipe *ap; 1074 1075 ap = (struct audit_pipe *)kn->kn_hook; 1076 KASSERT(ap != NULL, ("audit_pipe_kqdetach: ap == NULL")); 1077 1078 AUDIT_PIPE_LOCK(ap); 1079 knlist_remove(&ap->ap_selinfo.si_note, kn, 1); 1080 AUDIT_PIPE_UNLOCK(ap); 1081} 1082 1083/* 1084 * Initialize the audit pipe system. 1085 */ 1086static void 1087audit_pipe_init(void *unused) 1088{ 1089 1090 TAILQ_INIT(&audit_pipe_list); 1091 AUDIT_PIPE_LIST_LOCK_INIT(); 1092 1093 clone_setup(&audit_pipe_clones); 1094 audit_pipe_eh_tag = EVENTHANDLER_REGISTER(dev_clone, 1095 audit_pipe_clone, 0, 1000); 1096 if (audit_pipe_eh_tag == NULL) 1097 panic("audit_pipe_init: EVENTHANDLER_REGISTER"); 1098} 1099 1100SYSINIT(audit_pipe_init, SI_SUB_DRIVERS, SI_ORDER_MIDDLE, audit_pipe_init, 1101 NULL); 1102