audit_pipe.c revision 184534
1/*- 2 * Copyright (c) 2006 Robert N. M. Watson 3 * Copyright (c) 2008 Apple, Inc. 4 * All rights reserved. 5 * 6 * This software was developed by Robert Watson for the TrustedBSD Project. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 27 * SUCH DAMAGE. 28 */ 29 30#include <sys/cdefs.h> 31__FBSDID("$FreeBSD: head/sys/security/audit/audit_pipe.c 184534 2008-11-01 21:16:09Z rwatson $"); 32 33#include <sys/param.h> 34#include <sys/condvar.h> 35#include <sys/conf.h> 36#include <sys/eventhandler.h> 37#include <sys/filio.h> 38#include <sys/kernel.h> 39#include <sys/lock.h> 40#include <sys/malloc.h> 41#include <sys/mutex.h> 42#include <sys/poll.h> 43#include <sys/proc.h> 44#include <sys/queue.h> 45#include <sys/rwlock.h> 46#include <sys/selinfo.h> 47#include <sys/sigio.h> 48#include <sys/signal.h> 49#include <sys/signalvar.h> 50#include <sys/sx.h> 51#include <sys/systm.h> 52#include <sys/uio.h> 53 54#include <security/audit/audit.h> 55#include <security/audit/audit_ioctl.h> 56#include <security/audit/audit_private.h> 57 58/* 59 * Implementation of a clonable special device providing a live stream of BSM 60 * audit data. This is a "tee" of the data going to the file. It provides 61 * unreliable but timely access to audit events. Consumers of this interface 62 * should be very careful to avoid introducing event cycles. Consumers may 63 * express interest via a set of preselection ioctls. 64 */ 65 66/* 67 * Memory types. 68 */ 69static MALLOC_DEFINE(M_AUDIT_PIPE, "audit_pipe", "Audit pipes"); 70static MALLOC_DEFINE(M_AUDIT_PIPE_ENTRY, "audit_pipeent", 71 "Audit pipe entries and buffers"); 72static MALLOC_DEFINE(M_AUDIT_PIPE_PRESELECT, "audit_pipe_presel", 73 "Audit pipe preselection structure"); 74 75/* 76 * Audit pipe buffer parameters. 77 */ 78#define AUDIT_PIPE_QLIMIT_DEFAULT (128) 79#define AUDIT_PIPE_QLIMIT_MIN (0) 80#define AUDIT_PIPE_QLIMIT_MAX (1024) 81 82/* 83 * Description of an entry in an audit_pipe. 84 */ 85struct audit_pipe_entry { 86 void *ape_record; 87 u_int ape_record_len; 88 u_int ape_record_offset; 89 TAILQ_ENTRY(audit_pipe_entry) ape_queue; 90}; 91 92/* 93 * Audit pipes allow processes to express "interest" in the set of records 94 * that are delivered via the pipe. They do this in a similar manner to the 95 * mechanism for audit trail configuration, by expressing two global masks, 96 * and optionally expressing per-auid masks. The following data structure is 97 * the per-auid mask description. The global state is stored in the audit 98 * pipe data structure. 99 * 100 * We may want to consider a more space/time-efficient data structure once 101 * usage patterns for per-auid specifications are clear. 102 */ 103struct audit_pipe_preselect { 104 au_id_t app_auid; 105 au_mask_t app_mask; 106 TAILQ_ENTRY(audit_pipe_preselect) app_list; 107}; 108 109/* 110 * Description of an individual audit_pipe. Consists largely of a bounded 111 * length queue. 112 */ 113#define AUDIT_PIPE_ASYNC 0x00000001 114#define AUDIT_PIPE_NBIO 0x00000002 115struct audit_pipe { 116 int ap_open; /* Device open? */ 117 u_int ap_flags; 118 119 struct selinfo ap_selinfo; 120 struct sigio *ap_sigio; 121 122 /* 123 * Per-pipe mutex protecting most fields in this data structure. 124 */ 125 struct mtx ap_mtx; 126 127 /* 128 * Per-pipe sleep lock serializing user-generated reads and flushes. 129 * uiomove() is called to copy out the current head record's data 130 * while the record remains in the queue, so we prevent other threads 131 * from removing it using this lock. 132 */ 133 struct sx ap_sx; 134 135 /* 136 * Condition variable to signal when data has been delivered to a 137 * pipe. 138 */ 139 struct cv ap_cv; 140 141 u_int ap_qlen; 142 u_int ap_qlimit; 143 144 u_int64_t ap_inserts; /* Records added. */ 145 u_int64_t ap_reads; /* Records read. */ 146 u_int64_t ap_drops; /* Records dropped. */ 147 148 /* 149 * Fields relating to pipe interest: global masks for unmatched 150 * processes (attributable, non-attributable), and a list of specific 151 * interest specifications by auid. 152 */ 153 int ap_preselect_mode; 154 au_mask_t ap_preselect_flags; 155 au_mask_t ap_preselect_naflags; 156 TAILQ_HEAD(, audit_pipe_preselect) ap_preselect_list; 157 158 /* 159 * Current pending record list. Protected by a combination of ap_mtx 160 * and ap_sx. Note particularly that *both* locks are required to 161 * remove a record from the head of the queue, as an in-progress read * may sleep while copying and therefore cannot hold ap_mtx. 162 */ 163 TAILQ_HEAD(, audit_pipe_entry) ap_queue; 164 165 /* 166 * Global pipe list. 167 */ 168 TAILQ_ENTRY(audit_pipe) ap_list; 169}; 170 171#define AUDIT_PIPE_LOCK(ap) mtx_lock(&(ap)->ap_mtx) 172#define AUDIT_PIPE_LOCK_ASSERT(ap) mtx_assert(&(ap)->ap_mtx, MA_OWNED) 173#define AUDIT_PIPE_LOCK_DESTROY(ap) mtx_destroy(&(ap)->ap_mtx) 174#define AUDIT_PIPE_LOCK_INIT(ap) mtx_init(&(ap)->ap_mtx, \ 175 "audit_pipe_mtx", NULL, MTX_DEF) 176#define AUDIT_PIPE_UNLOCK(ap) mtx_unlock(&(ap)->ap_mtx) 177#define AUDIT_PIPE_MTX(ap) (&(ap)->ap_mtx) 178 179#define AUDIT_PIPE_SX_LOCK_DESTROY(ap) sx_destroy(&(ap)->ap_sx) 180#define AUDIT_PIPE_SX_LOCK_INIT(ap) sx_init(&(ap)->ap_sx, "audit_pipe_sx") 181#define AUDIT_PIPE_SX_XLOCK_ASSERT(ap) sx_assert(&(ap)->ap_sx, SA_XLOCKED) 182#define AUDIT_PIPE_SX_XLOCK_SIG(ap) sx_xlock_sig(&(ap)->ap_sx) 183#define AUDIT_PIPE_SX_XUNLOCK(ap) sx_xunlock(&(ap)->ap_sx) 184 185/* 186 * Global list of audit pipes, rwlock to protect it. Individual record 187 * queues on pipes are protected by per-pipe locks; these locks synchronize 188 * between threads walking the list to deliver to individual pipes and add/ 189 * remove of pipes, and are mostly acquired for read. 190 */ 191static TAILQ_HEAD(, audit_pipe) audit_pipe_list; 192static struct rwlock audit_pipe_lock; 193 194#define AUDIT_PIPE_LIST_LOCK_INIT() rw_init(&audit_pipe_lock, \ 195 "audit_pipe_list_lock") 196#define AUDIT_PIPE_LIST_RLOCK() rw_rlock(&audit_pipe_lock) 197#define AUDIT_PIPE_LIST_RUNLOCK() rw_runlock(&audit_pipe_lock) 198#define AUDIT_PIPE_LIST_WLOCK() rw_wlock(&audit_pipe_lock) 199#define AUDIT_PIPE_LIST_WLOCK_ASSERT() rw_assert(&audit_pipe_lock, \ 200 RA_WLOCKED) 201#define AUDIT_PIPE_LIST_WUNLOCK() rw_wunlock(&audit_pipe_lock) 202 203/* 204 * Cloning related variables and constants. 205 */ 206#define AUDIT_PIPE_NAME "auditpipe" 207static eventhandler_tag audit_pipe_eh_tag; 208static struct clonedevs *audit_pipe_clones; 209 210/* 211 * Special device methods and definition. 212 */ 213static d_open_t audit_pipe_open; 214static d_close_t audit_pipe_close; 215static d_read_t audit_pipe_read; 216static d_ioctl_t audit_pipe_ioctl; 217static d_poll_t audit_pipe_poll; 218static d_kqfilter_t audit_pipe_kqfilter; 219 220static struct cdevsw audit_pipe_cdevsw = { 221 .d_version = D_VERSION, 222 .d_flags = D_PSEUDO | D_NEEDGIANT | D_NEEDMINOR, 223 .d_open = audit_pipe_open, 224 .d_close = audit_pipe_close, 225 .d_read = audit_pipe_read, 226 .d_ioctl = audit_pipe_ioctl, 227 .d_poll = audit_pipe_poll, 228 .d_kqfilter = audit_pipe_kqfilter, 229 .d_name = AUDIT_PIPE_NAME, 230}; 231 232static int audit_pipe_kqread(struct knote *note, long hint); 233static void audit_pipe_kqdetach(struct knote *note); 234 235static struct filterops audit_pipe_read_filterops = { 236 .f_isfd = 1, 237 .f_attach = NULL, 238 .f_detach = audit_pipe_kqdetach, 239 .f_event = audit_pipe_kqread, 240}; 241 242/* 243 * Some global statistics on audit pipes. 244 */ 245static int audit_pipe_count; /* Current number of pipes. */ 246static u_int64_t audit_pipe_ever; /* Pipes ever allocated. */ 247static u_int64_t audit_pipe_records; /* Records seen. */ 248static u_int64_t audit_pipe_drops; /* Global record drop count. */ 249 250/* 251 * Free an audit pipe entry. 252 */ 253static void 254audit_pipe_entry_free(struct audit_pipe_entry *ape) 255{ 256 257 free(ape->ape_record, M_AUDIT_PIPE_ENTRY); 258 free(ape, M_AUDIT_PIPE_ENTRY); 259} 260 261/* 262 * Find an audit pipe preselection specification for an auid, if any. 263 */ 264static struct audit_pipe_preselect * 265audit_pipe_preselect_find(struct audit_pipe *ap, au_id_t auid) 266{ 267 struct audit_pipe_preselect *app; 268 269 AUDIT_PIPE_LOCK_ASSERT(ap); 270 271 TAILQ_FOREACH(app, &ap->ap_preselect_list, app_list) { 272 if (app->app_auid == auid) 273 return (app); 274 } 275 return (NULL); 276} 277 278/* 279 * Query the per-pipe mask for a specific auid. 280 */ 281static int 282audit_pipe_preselect_get(struct audit_pipe *ap, au_id_t auid, 283 au_mask_t *maskp) 284{ 285 struct audit_pipe_preselect *app; 286 int error; 287 288 AUDIT_PIPE_LOCK(ap); 289 app = audit_pipe_preselect_find(ap, auid); 290 if (app != NULL) { 291 *maskp = app->app_mask; 292 error = 0; 293 } else 294 error = ENOENT; 295 AUDIT_PIPE_UNLOCK(ap); 296 return (error); 297} 298 299/* 300 * Set the per-pipe mask for a specific auid. Add a new entry if needed; 301 * otherwise, update the current entry. 302 */ 303static void 304audit_pipe_preselect_set(struct audit_pipe *ap, au_id_t auid, au_mask_t mask) 305{ 306 struct audit_pipe_preselect *app, *app_new; 307 308 /* 309 * Pessimistically assume that the auid doesn't already have a mask 310 * set, and allocate. We will free it if it is unneeded. 311 */ 312 app_new = malloc(sizeof(*app_new), M_AUDIT_PIPE_PRESELECT, M_WAITOK); 313 AUDIT_PIPE_LOCK(ap); 314 app = audit_pipe_preselect_find(ap, auid); 315 if (app == NULL) { 316 app = app_new; 317 app_new = NULL; 318 app->app_auid = auid; 319 TAILQ_INSERT_TAIL(&ap->ap_preselect_list, app, app_list); 320 } 321 app->app_mask = mask; 322 AUDIT_PIPE_UNLOCK(ap); 323 if (app_new != NULL) 324 free(app_new, M_AUDIT_PIPE_PRESELECT); 325} 326 327/* 328 * Delete a per-auid mask on an audit pipe. 329 */ 330static int 331audit_pipe_preselect_delete(struct audit_pipe *ap, au_id_t auid) 332{ 333 struct audit_pipe_preselect *app; 334 int error; 335 336 AUDIT_PIPE_LOCK(ap); 337 app = audit_pipe_preselect_find(ap, auid); 338 if (app != NULL) { 339 TAILQ_REMOVE(&ap->ap_preselect_list, app, app_list); 340 error = 0; 341 } else 342 error = ENOENT; 343 AUDIT_PIPE_UNLOCK(ap); 344 if (app != NULL) 345 free(app, M_AUDIT_PIPE_PRESELECT); 346 return (error); 347} 348 349/* 350 * Delete all per-auid masks on an audit pipe. 351 */ 352static void 353audit_pipe_preselect_flush_locked(struct audit_pipe *ap) 354{ 355 struct audit_pipe_preselect *app; 356 357 AUDIT_PIPE_LOCK_ASSERT(ap); 358 359 while ((app = TAILQ_FIRST(&ap->ap_preselect_list)) != NULL) { 360 TAILQ_REMOVE(&ap->ap_preselect_list, app, app_list); 361 free(app, M_AUDIT_PIPE_PRESELECT); 362 } 363} 364 365static void 366audit_pipe_preselect_flush(struct audit_pipe *ap) 367{ 368 369 AUDIT_PIPE_LOCK(ap); 370 audit_pipe_preselect_flush_locked(ap); 371 AUDIT_PIPE_UNLOCK(ap); 372} 373 374/*- 375 * Determine whether a specific audit pipe matches a record with these 376 * properties. Algorithm is as follows: 377 * 378 * - If the pipe is configured to track the default trail configuration, then 379 * use the results of global preselection matching. 380 * - If not, search for a specifically configured auid entry matching the 381 * event. If an entry is found, use that. 382 * - Otherwise, use the default flags or naflags configured for the pipe. 383 */ 384static int 385audit_pipe_preselect_check(struct audit_pipe *ap, au_id_t auid, 386 au_event_t event, au_class_t class, int sorf, int trail_preselect) 387{ 388 struct audit_pipe_preselect *app; 389 390 AUDIT_PIPE_LOCK_ASSERT(ap); 391 392 switch (ap->ap_preselect_mode) { 393 case AUDITPIPE_PRESELECT_MODE_TRAIL: 394 return (trail_preselect); 395 396 case AUDITPIPE_PRESELECT_MODE_LOCAL: 397 app = audit_pipe_preselect_find(ap, auid); 398 if (app == NULL) { 399 if (auid == AU_DEFAUDITID) 400 return (au_preselect(event, class, 401 &ap->ap_preselect_naflags, sorf)); 402 else 403 return (au_preselect(event, class, 404 &ap->ap_preselect_flags, sorf)); 405 } else 406 return (au_preselect(event, class, &app->app_mask, 407 sorf)); 408 409 default: 410 panic("audit_pipe_preselect_check: mode %d", 411 ap->ap_preselect_mode); 412 } 413 414 return (0); 415} 416 417/* 418 * Determine whether there exists a pipe interested in a record with specific 419 * properties. 420 */ 421int 422audit_pipe_preselect(au_id_t auid, au_event_t event, au_class_t class, 423 int sorf, int trail_preselect) 424{ 425 struct audit_pipe *ap; 426 427 AUDIT_PIPE_LIST_RLOCK(); 428 TAILQ_FOREACH(ap, &audit_pipe_list, ap_list) { 429 AUDIT_PIPE_LOCK(ap); 430 if (audit_pipe_preselect_check(ap, auid, event, class, sorf, 431 trail_preselect)) { 432 AUDIT_PIPE_UNLOCK(ap); 433 AUDIT_PIPE_LIST_RUNLOCK(); 434 return (1); 435 } 436 AUDIT_PIPE_UNLOCK(ap); 437 } 438 AUDIT_PIPE_LIST_RUNLOCK(); 439 return (0); 440} 441 442/* 443 * Append individual record to a queue -- allocate queue-local buffer, and 444 * add to the queue. If the queue is full or we can't allocate memory, drop 445 * the newest record. 446 */ 447static void 448audit_pipe_append(struct audit_pipe *ap, void *record, u_int record_len) 449{ 450 struct audit_pipe_entry *ape; 451 452 AUDIT_PIPE_LOCK_ASSERT(ap); 453 454 if (ap->ap_qlen >= ap->ap_qlimit) { 455 ap->ap_drops++; 456 audit_pipe_drops++; 457 return; 458 } 459 460 ape = malloc(sizeof(*ape), M_AUDIT_PIPE_ENTRY, M_NOWAIT | M_ZERO); 461 if (ape == NULL) { 462 ap->ap_drops++; 463 audit_pipe_drops++; 464 return; 465 } 466 467 ape->ape_record = malloc(record_len, M_AUDIT_PIPE_ENTRY, M_NOWAIT); 468 if (ape->ape_record == NULL) { 469 free(ape, M_AUDIT_PIPE_ENTRY); 470 ap->ap_drops++; 471 audit_pipe_drops++; 472 return; 473 } 474 475 bcopy(record, ape->ape_record, record_len); 476 ape->ape_record_len = record_len; 477 ape->ape_record_offset = 0; 478 479 TAILQ_INSERT_TAIL(&ap->ap_queue, ape, ape_queue); 480 ap->ap_inserts++; 481 ap->ap_qlen++; 482 selwakeuppri(&ap->ap_selinfo, PSOCK); 483 KNOTE_LOCKED(&ap->ap_selinfo.si_note, 0); 484 if (ap->ap_flags & AUDIT_PIPE_ASYNC) 485 pgsigio(&ap->ap_sigio, SIGIO, 0); 486 cv_broadcast(&ap->ap_cv); 487} 488 489/* 490 * audit_pipe_submit(): audit_worker submits audit records via this 491 * interface, which arranges for them to be delivered to pipe queues. 492 */ 493void 494audit_pipe_submit(au_id_t auid, au_event_t event, au_class_t class, int sorf, 495 int trail_select, void *record, u_int record_len) 496{ 497 struct audit_pipe *ap; 498 499 /* 500 * Lockless read to avoid lock overhead if pipes are not in use. 501 */ 502 if (TAILQ_FIRST(&audit_pipe_list) == NULL) 503 return; 504 505 AUDIT_PIPE_LIST_RLOCK(); 506 TAILQ_FOREACH(ap, &audit_pipe_list, ap_list) { 507 AUDIT_PIPE_LOCK(ap); 508 if (audit_pipe_preselect_check(ap, auid, event, class, sorf, 509 trail_select)) 510 audit_pipe_append(ap, record, record_len); 511 AUDIT_PIPE_UNLOCK(ap); 512 } 513 AUDIT_PIPE_LIST_RUNLOCK(); 514 515 /* Unlocked increment. */ 516 audit_pipe_records++; 517} 518 519/* 520 * audit_pipe_submit_user(): the same as audit_pipe_submit(), except that 521 * since we don't currently have selection information available, it is 522 * delivered to the pipe unconditionally. 523 * 524 * XXXRW: This is a bug. The BSM check routine for submitting a user record 525 * should parse that information and return it. 526 */ 527void 528audit_pipe_submit_user(void *record, u_int record_len) 529{ 530 struct audit_pipe *ap; 531 532 /* 533 * Lockless read to avoid lock overhead if pipes are not in use. 534 */ 535 if (TAILQ_FIRST(&audit_pipe_list) == NULL) 536 return; 537 538 AUDIT_PIPE_LIST_RLOCK(); 539 TAILQ_FOREACH(ap, &audit_pipe_list, ap_list) { 540 AUDIT_PIPE_LOCK(ap); 541 audit_pipe_append(ap, record, record_len); 542 AUDIT_PIPE_UNLOCK(ap); 543 } 544 AUDIT_PIPE_LIST_RUNLOCK(); 545 546 /* Unlocked increment. */ 547 audit_pipe_records++; 548} 549 550/* 551 * Allocate a new audit pipe. Connects the pipe, on success, to the global 552 * list and updates statistics. 553 */ 554static struct audit_pipe * 555audit_pipe_alloc(void) 556{ 557 struct audit_pipe *ap; 558 559 AUDIT_PIPE_LIST_WLOCK_ASSERT(); 560 561 ap = malloc(sizeof(*ap), M_AUDIT_PIPE, M_NOWAIT | M_ZERO); 562 if (ap == NULL) 563 return (NULL); 564 ap->ap_qlimit = AUDIT_PIPE_QLIMIT_DEFAULT; 565 TAILQ_INIT(&ap->ap_queue); 566 knlist_init(&ap->ap_selinfo.si_note, AUDIT_PIPE_MTX(ap), NULL, NULL, 567 NULL); 568 AUDIT_PIPE_LOCK_INIT(ap); 569 AUDIT_PIPE_SX_LOCK_INIT(ap); 570 cv_init(&ap->ap_cv, "audit_pipe"); 571 572 /* 573 * Default flags, naflags, and auid-specific preselection settings to 574 * 0. Initialize the mode to the global trail so that if praudit(1) 575 * is run on /dev/auditpipe, it sees events associated with the 576 * default trail. Pipe-aware application can clear the flag, set 577 * custom masks, and flush the pipe as needed. 578 */ 579 bzero(&ap->ap_preselect_flags, sizeof(ap->ap_preselect_flags)); 580 bzero(&ap->ap_preselect_naflags, sizeof(ap->ap_preselect_naflags)); 581 TAILQ_INIT(&ap->ap_preselect_list); 582 ap->ap_preselect_mode = AUDITPIPE_PRESELECT_MODE_TRAIL; 583 584 /* 585 * Add to global list and update global statistics. 586 */ 587 TAILQ_INSERT_HEAD(&audit_pipe_list, ap, ap_list); 588 audit_pipe_count++; 589 audit_pipe_ever++; 590 591 return (ap); 592} 593 594/* 595 * Flush all records currently present in an audit pipe; assume mutex is held. 596 */ 597static void 598audit_pipe_flush(struct audit_pipe *ap) 599{ 600 struct audit_pipe_entry *ape; 601 602 AUDIT_PIPE_LOCK_ASSERT(ap); 603 604 while ((ape = TAILQ_FIRST(&ap->ap_queue)) != NULL) { 605 TAILQ_REMOVE(&ap->ap_queue, ape, ape_queue); 606 audit_pipe_entry_free(ape); 607 ap->ap_qlen--; 608 } 609 KASSERT(ap->ap_qlen == 0, ("audit_pipe_free: ap_qlen")); 610} 611 612/* 613 * Free an audit pipe; this means freeing all preselection state and all 614 * records in the pipe. Assumes global write lock and pipe mutex are held to 615 * prevent any new records from being inserted during the free, and that the 616 * audit pipe is still on the global list. 617 */ 618static void 619audit_pipe_free(struct audit_pipe *ap) 620{ 621 622 AUDIT_PIPE_LIST_WLOCK_ASSERT(); 623 AUDIT_PIPE_LOCK_ASSERT(ap); 624 625 audit_pipe_preselect_flush_locked(ap); 626 audit_pipe_flush(ap); 627 cv_destroy(&ap->ap_cv); 628 AUDIT_PIPE_SX_LOCK_DESTROY(ap); 629 AUDIT_PIPE_LOCK_DESTROY(ap); 630 knlist_destroy(&ap->ap_selinfo.si_note); 631 TAILQ_REMOVE(&audit_pipe_list, ap, ap_list); 632 free(ap, M_AUDIT_PIPE); 633 audit_pipe_count--; 634} 635 636/* 637 * Audit pipe clone routine -- provide specific requested audit pipe, or a 638 * fresh one if a specific one is not requested. 639 */ 640static void 641audit_pipe_clone(void *arg, struct ucred *cred, char *name, int namelen, 642 struct cdev **dev) 643{ 644 int i, u; 645 646 if (*dev != NULL) 647 return; 648 649 if (strcmp(name, AUDIT_PIPE_NAME) == 0) 650 u = -1; 651 else if (dev_stdclone(name, NULL, AUDIT_PIPE_NAME, &u) != 1) 652 return; 653 654 i = clone_create(&audit_pipe_clones, &audit_pipe_cdevsw, &u, dev, 0); 655 if (i) { 656 *dev = make_dev(&audit_pipe_cdevsw, u, UID_ROOT, 657 GID_WHEEL, 0600, "%s%d", AUDIT_PIPE_NAME, u); 658 if (*dev != NULL) { 659 dev_ref(*dev); 660 (*dev)->si_flags |= SI_CHEAPCLONE; 661 } 662 } 663} 664 665/* 666 * Audit pipe open method. Explicit privilege check isn't used as this 667 * allows file permissions on the special device to be used to grant audit 668 * review access. Those file permissions should be managed carefully. 669 */ 670static int 671audit_pipe_open(struct cdev *dev, int oflags, int devtype, struct thread *td) 672{ 673 struct audit_pipe *ap; 674 675 AUDIT_PIPE_LIST_WLOCK(); 676 ap = dev->si_drv1; 677 if (ap == NULL) { 678 ap = audit_pipe_alloc(); 679 if (ap == NULL) { 680 AUDIT_PIPE_LIST_WUNLOCK(); 681 return (ENOMEM); 682 } 683 dev->si_drv1 = ap; 684 } else { 685 KASSERT(ap->ap_open, ("audit_pipe_open: ap && !ap_open")); 686 AUDIT_PIPE_LIST_WUNLOCK(); 687 return (EBUSY); 688 } 689 ap->ap_open = 1; /* No lock required yet. */ 690 AUDIT_PIPE_LIST_WUNLOCK(); 691 fsetown(td->td_proc->p_pid, &ap->ap_sigio); 692 return (0); 693} 694 695/* 696 * Close audit pipe, tear down all records, etc. 697 */ 698static int 699audit_pipe_close(struct cdev *dev, int fflag, int devtype, struct thread *td) 700{ 701 struct audit_pipe *ap; 702 703 ap = dev->si_drv1; 704 KASSERT(ap != NULL, ("audit_pipe_close: ap == NULL")); 705 KASSERT(ap->ap_open, ("audit_pipe_close: !ap_open")); 706 707 funsetown(&ap->ap_sigio); 708 AUDIT_PIPE_LIST_WLOCK(); 709 AUDIT_PIPE_LOCK(ap); 710 ap->ap_open = 0; 711 audit_pipe_free(ap); 712 dev->si_drv1 = NULL; 713 AUDIT_PIPE_LIST_WUNLOCK(); 714 return (0); 715} 716 717/* 718 * Audit pipe ioctl() routine. Handle file descriptor and audit pipe layer 719 * commands. 720 * 721 * Would be desirable to support filtering, although perhaps something simple 722 * like an event mask, as opposed to something complicated like BPF. 723 */ 724static int 725audit_pipe_ioctl(struct cdev *dev, u_long cmd, caddr_t data, int flag, 726 struct thread *td) 727{ 728 struct auditpipe_ioctl_preselect *aip; 729 struct audit_pipe *ap; 730 au_mask_t *maskp; 731 int error, mode; 732 au_id_t auid; 733 734 ap = dev->si_drv1; 735 KASSERT(ap != NULL, ("audit_pipe_ioctl: ap == NULL")); 736 737 /* 738 * Audit pipe ioctls: first come standard device node ioctls, then 739 * manipulation of pipe settings, and finally, statistics query 740 * ioctls. 741 */ 742 switch (cmd) { 743 case FIONBIO: 744 AUDIT_PIPE_LOCK(ap); 745 if (*(int *)data) 746 ap->ap_flags |= AUDIT_PIPE_NBIO; 747 else 748 ap->ap_flags &= ~AUDIT_PIPE_NBIO; 749 AUDIT_PIPE_UNLOCK(ap); 750 error = 0; 751 break; 752 753 case FIONREAD: 754 AUDIT_PIPE_LOCK(ap); 755 if (TAILQ_FIRST(&ap->ap_queue) != NULL) 756 *(int *)data = 757 TAILQ_FIRST(&ap->ap_queue)->ape_record_len - 758 TAILQ_FIRST(&ap->ap_queue)->ape_record_offset; 759 else 760 *(int *)data = 0; 761 AUDIT_PIPE_UNLOCK(ap); 762 error = 0; 763 break; 764 765 case FIOASYNC: 766 AUDIT_PIPE_LOCK(ap); 767 if (*(int *)data) 768 ap->ap_flags |= AUDIT_PIPE_ASYNC; 769 else 770 ap->ap_flags &= ~AUDIT_PIPE_ASYNC; 771 AUDIT_PIPE_UNLOCK(ap); 772 error = 0; 773 break; 774 775 case FIOSETOWN: 776 error = fsetown(*(int *)data, &ap->ap_sigio); 777 break; 778 779 case FIOGETOWN: 780 *(int *)data = fgetown(&ap->ap_sigio); 781 error = 0; 782 break; 783 784 case AUDITPIPE_GET_QLEN: 785 *(u_int *)data = ap->ap_qlen; 786 error = 0; 787 break; 788 789 case AUDITPIPE_GET_QLIMIT: 790 *(u_int *)data = ap->ap_qlimit; 791 error = 0; 792 break; 793 794 case AUDITPIPE_SET_QLIMIT: 795 /* Lockless integer write. */ 796 if (*(u_int *)data >= AUDIT_PIPE_QLIMIT_MIN || 797 *(u_int *)data <= AUDIT_PIPE_QLIMIT_MAX) { 798 ap->ap_qlimit = *(u_int *)data; 799 error = 0; 800 } else 801 error = EINVAL; 802 break; 803 804 case AUDITPIPE_GET_QLIMIT_MIN: 805 *(u_int *)data = AUDIT_PIPE_QLIMIT_MIN; 806 error = 0; 807 break; 808 809 case AUDITPIPE_GET_QLIMIT_MAX: 810 *(u_int *)data = AUDIT_PIPE_QLIMIT_MAX; 811 error = 0; 812 break; 813 814 case AUDITPIPE_GET_PRESELECT_FLAGS: 815 AUDIT_PIPE_LOCK(ap); 816 maskp = (au_mask_t *)data; 817 *maskp = ap->ap_preselect_flags; 818 AUDIT_PIPE_UNLOCK(ap); 819 error = 0; 820 break; 821 822 case AUDITPIPE_SET_PRESELECT_FLAGS: 823 AUDIT_PIPE_LOCK(ap); 824 maskp = (au_mask_t *)data; 825 ap->ap_preselect_flags = *maskp; 826 AUDIT_PIPE_UNLOCK(ap); 827 error = 0; 828 break; 829 830 case AUDITPIPE_GET_PRESELECT_NAFLAGS: 831 AUDIT_PIPE_LOCK(ap); 832 maskp = (au_mask_t *)data; 833 *maskp = ap->ap_preselect_naflags; 834 AUDIT_PIPE_UNLOCK(ap); 835 error = 0; 836 break; 837 838 case AUDITPIPE_SET_PRESELECT_NAFLAGS: 839 AUDIT_PIPE_LOCK(ap); 840 maskp = (au_mask_t *)data; 841 ap->ap_preselect_naflags = *maskp; 842 AUDIT_PIPE_UNLOCK(ap); 843 error = 0; 844 break; 845 846 case AUDITPIPE_GET_PRESELECT_AUID: 847 aip = (struct auditpipe_ioctl_preselect *)data; 848 error = audit_pipe_preselect_get(ap, aip->aip_auid, 849 &aip->aip_mask); 850 break; 851 852 case AUDITPIPE_SET_PRESELECT_AUID: 853 aip = (struct auditpipe_ioctl_preselect *)data; 854 audit_pipe_preselect_set(ap, aip->aip_auid, aip->aip_mask); 855 error = 0; 856 break; 857 858 case AUDITPIPE_DELETE_PRESELECT_AUID: 859 auid = *(au_id_t *)data; 860 error = audit_pipe_preselect_delete(ap, auid); 861 break; 862 863 case AUDITPIPE_FLUSH_PRESELECT_AUID: 864 audit_pipe_preselect_flush(ap); 865 error = 0; 866 break; 867 868 case AUDITPIPE_GET_PRESELECT_MODE: 869 AUDIT_PIPE_LOCK(ap); 870 *(int *)data = ap->ap_preselect_mode; 871 AUDIT_PIPE_UNLOCK(ap); 872 error = 0; 873 break; 874 875 case AUDITPIPE_SET_PRESELECT_MODE: 876 mode = *(int *)data; 877 switch (mode) { 878 case AUDITPIPE_PRESELECT_MODE_TRAIL: 879 case AUDITPIPE_PRESELECT_MODE_LOCAL: 880 AUDIT_PIPE_LOCK(ap); 881 ap->ap_preselect_mode = mode; 882 AUDIT_PIPE_UNLOCK(ap); 883 error = 0; 884 break; 885 886 default: 887 error = EINVAL; 888 } 889 break; 890 891 case AUDITPIPE_FLUSH: 892 if (AUDIT_PIPE_SX_XLOCK_SIG(ap) != 0) 893 return (EINTR); 894 AUDIT_PIPE_LOCK(ap); 895 audit_pipe_flush(ap); 896 AUDIT_PIPE_UNLOCK(ap); 897 AUDIT_PIPE_SX_XUNLOCK(ap); 898 error = 0; 899 break; 900 901 case AUDITPIPE_GET_MAXAUDITDATA: 902 *(u_int *)data = MAXAUDITDATA; 903 error = 0; 904 break; 905 906 case AUDITPIPE_GET_INSERTS: 907 *(u_int *)data = ap->ap_inserts; 908 error = 0; 909 break; 910 911 case AUDITPIPE_GET_READS: 912 *(u_int *)data = ap->ap_reads; 913 error = 0; 914 break; 915 916 case AUDITPIPE_GET_DROPS: 917 *(u_int *)data = ap->ap_drops; 918 error = 0; 919 break; 920 921 case AUDITPIPE_GET_TRUNCATES: 922 *(u_int *)data = 0; 923 error = 0; 924 break; 925 926 default: 927 error = ENOTTY; 928 } 929 return (error); 930} 931 932/* 933 * Audit pipe read. Read one or more partial or complete records to user 934 * memory. 935 */ 936static int 937audit_pipe_read(struct cdev *dev, struct uio *uio, int flag) 938{ 939 struct audit_pipe_entry *ape; 940 struct audit_pipe *ap; 941 u_int toread; 942 int error; 943 944 ap = dev->si_drv1; 945 KASSERT(ap != NULL, ("audit_pipe_read: ap == NULL")); 946 947 /* 948 * We hold an sx(9) lock over read and flush because we rely on the 949 * stability of a record in the queue during uiomove(9). 950 */ 951 if (AUDIT_PIPE_SX_XLOCK_SIG(ap) != 0) 952 return (EINTR); 953 AUDIT_PIPE_LOCK(ap); 954 while (TAILQ_EMPTY(&ap->ap_queue)) { 955 if (ap->ap_flags & AUDIT_PIPE_NBIO) { 956 AUDIT_PIPE_UNLOCK(ap); 957 AUDIT_PIPE_SX_XUNLOCK(ap); 958 return (EAGAIN); 959 } 960 error = cv_wait_sig(&ap->ap_cv, AUDIT_PIPE_MTX(ap)); 961 if (error) { 962 AUDIT_PIPE_UNLOCK(ap); 963 AUDIT_PIPE_SX_XUNLOCK(ap); 964 return (error); 965 } 966 } 967 968 /* 969 * Copy as many remaining bytes from the current record to userspace 970 * as we can. Keep processing records until we run out of records in 971 * the queue, or until the user buffer runs out of space. 972 * 973 * Note: we rely on the SX lock to maintain ape's stability here. 974 */ 975 ap->ap_reads++; 976 while ((ape = TAILQ_FIRST(&ap->ap_queue)) != NULL && 977 uio->uio_resid > 0) { 978 AUDIT_PIPE_LOCK_ASSERT(ap); 979 980 toread = MIN(ape->ape_record_len - ape->ape_record_offset, 981 uio->uio_resid); 982 AUDIT_PIPE_UNLOCK(ap); 983 error = uiomove((char *)ape->ape_record + 984 ape->ape_record_offset, toread, uio); 985 if (error) { 986 AUDIT_PIPE_SX_XUNLOCK(ap); 987 return (error); 988 } 989 990 /* 991 * If the copy succeeded, update book-keeping, and if no 992 * bytes remain in the current record, free it. 993 */ 994 AUDIT_PIPE_LOCK(ap); 995 KASSERT(TAILQ_FIRST(&ap->ap_queue) == ape, 996 ("audit_pipe_read: queue out of sync after uiomove")); 997 ape->ape_record_offset += toread; 998 if (ape->ape_record_offset == ape->ape_record_len) { 999 TAILQ_REMOVE(&ap->ap_queue, ape, ape_queue); 1000 audit_pipe_entry_free(ape); 1001 ap->ap_qlen--; 1002 } 1003 } 1004 AUDIT_PIPE_UNLOCK(ap); 1005 AUDIT_PIPE_SX_XUNLOCK(ap); 1006 return (0); 1007} 1008 1009/* 1010 * Audit pipe poll. 1011 */ 1012static int 1013audit_pipe_poll(struct cdev *dev, int events, struct thread *td) 1014{ 1015 struct audit_pipe *ap; 1016 int revents; 1017 1018 revents = 0; 1019 ap = dev->si_drv1; 1020 KASSERT(ap != NULL, ("audit_pipe_poll: ap == NULL")); 1021 1022 if (events & (POLLIN | POLLRDNORM)) { 1023 AUDIT_PIPE_LOCK(ap); 1024 if (TAILQ_FIRST(&ap->ap_queue) != NULL) 1025 revents |= events & (POLLIN | POLLRDNORM); 1026 else 1027 selrecord(td, &ap->ap_selinfo); 1028 AUDIT_PIPE_UNLOCK(ap); 1029 } 1030 return (revents); 1031} 1032 1033/* 1034 * Audit pipe kqfilter. 1035 */ 1036static int 1037audit_pipe_kqfilter(struct cdev *dev, struct knote *kn) 1038{ 1039 struct audit_pipe *ap; 1040 1041 ap = dev->si_drv1; 1042 KASSERT(ap != NULL, ("audit_pipe_kqfilter: ap == NULL")); 1043 1044 if (kn->kn_filter != EVFILT_READ) 1045 return (EINVAL); 1046 1047 kn->kn_fop = &audit_pipe_read_filterops; 1048 kn->kn_hook = ap; 1049 1050 AUDIT_PIPE_LOCK(ap); 1051 knlist_add(&ap->ap_selinfo.si_note, kn, 1); 1052 AUDIT_PIPE_UNLOCK(ap); 1053 return (0); 1054} 1055 1056/* 1057 * Return true if there are records available for reading on the pipe. 1058 */ 1059static int 1060audit_pipe_kqread(struct knote *kn, long hint) 1061{ 1062 struct audit_pipe_entry *ape; 1063 struct audit_pipe *ap; 1064 1065 ap = (struct audit_pipe *)kn->kn_hook; 1066 KASSERT(ap != NULL, ("audit_pipe_kqread: ap == NULL")); 1067 1068 AUDIT_PIPE_LOCK_ASSERT(ap); 1069 1070 if (ap->ap_qlen != 0) { 1071 ape = TAILQ_FIRST(&ap->ap_queue); 1072 KASSERT(ape != NULL, ("audit_pipe_kqread: ape == NULL")); 1073 1074 kn->kn_data = ape->ape_record_len - ape->ape_record_offset; 1075 return (1); 1076 } else { 1077 kn->kn_data = 0; 1078 return (0); 1079 } 1080} 1081 1082/* 1083 * Detach kqueue state from audit pipe. 1084 */ 1085static void 1086audit_pipe_kqdetach(struct knote *kn) 1087{ 1088 struct audit_pipe *ap; 1089 1090 ap = (struct audit_pipe *)kn->kn_hook; 1091 KASSERT(ap != NULL, ("audit_pipe_kqdetach: ap == NULL")); 1092 1093 AUDIT_PIPE_LOCK(ap); 1094 knlist_remove(&ap->ap_selinfo.si_note, kn, 1); 1095 AUDIT_PIPE_UNLOCK(ap); 1096} 1097 1098/* 1099 * Initialize the audit pipe system. 1100 */ 1101static void 1102audit_pipe_init(void *unused) 1103{ 1104 1105 TAILQ_INIT(&audit_pipe_list); 1106 AUDIT_PIPE_LIST_LOCK_INIT(); 1107 1108 clone_setup(&audit_pipe_clones); 1109 audit_pipe_eh_tag = EVENTHANDLER_REGISTER(dev_clone, 1110 audit_pipe_clone, 0, 1000); 1111 if (audit_pipe_eh_tag == NULL) 1112 panic("audit_pipe_init: EVENTHANDLER_REGISTER"); 1113} 1114 1115SYSINIT(audit_pipe_init, SI_SUB_DRIVERS, SI_ORDER_MIDDLE, audit_pipe_init, 1116 NULL); 1117