audit_worker.c revision 159263 
1/*
2 * Copyright (c) 1999-2005 Apple Computer, Inc.
3 * Copyright (c) 2006 Robert N. M. Watson
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 * 1.  Redistributions of source code must retain the above copyright
10 *     notice, this list of conditions and the following disclaimer.
11 * 2.  Redistributions in binary form must reproduce the above copyright
12 *     notice, this list of conditions and the following disclaimer in the
13 *     documentation and/or other materials provided with the distribution.
14 * 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
15 *     its contributors may be used to endorse or promote products derived
16 *     from this software without specific prior written permission.
17 *
18 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
19 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
22 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
24 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
26 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
27 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
28 * POSSIBILITY OF SUCH DAMAGE.
29 *
30 * $FreeBSD: head/sys/security/audit/audit_worker.c 159263 2006-06-05 13:46:55Z rwatson $
31 */
32
33#include <sys/param.h>
34#include <sys/condvar.h>
35#include <sys/conf.h>
36#include <sys/file.h>
37#include <sys/filedesc.h>
38#include <sys/fcntl.h>
39#include <sys/ipc.h>
40#include <sys/kernel.h>
41#include <sys/kthread.h>
42#include <sys/malloc.h>
43#include <sys/mount.h>
44#include <sys/namei.h>
45#include <sys/proc.h>
46#include <sys/queue.h>
47#include <sys/socket.h>
48#include <sys/socketvar.h>
49#include <sys/protosw.h>
50#include <sys/domain.h>
51#include <sys/sysproto.h>
52#include <sys/sysent.h>
53#include <sys/systm.h>
54#include <sys/ucred.h>
55#include <sys/uio.h>
56#include <sys/un.h>
57#include <sys/unistd.h>
58#include <sys/vnode.h>
59
60#include <bsm/audit.h>
61#include <bsm/audit_internal.h>
62#include <bsm/audit_kevents.h>
63
64#include <netinet/in.h>
65#include <netinet/in_pcb.h>
66
67#include <security/audit/audit.h>
68#include <security/audit/audit_private.h>
69
70#include <vm/uma.h>
71
72/*
73 * Worker thread that will schedule disk I/O, etc.
74 */
75static struct proc		*audit_thread;
76
77/*
78 * When an audit log is rotated, the actual rotation must be performed by the
79 * audit worker thread, as it may have outstanding writes on the current
80 * audit log.  audit_replacement_vp holds the vnode replacing the current
81 * vnode.  We can't let more than one replacement occur at a time, so if more
82 * than one thread requests a replacement, only one can have the replacement
83 * "in progress" at any given moment.  If a thread tries to replace the audit
84 * vnode and discovers a replacement is already in progress (i.e.,
85 * audit_replacement_flag != 0), then it will sleep on audit_replacement_cv
86 * waiting its turn to perform a replacement.  When a replacement is
87 * completed, this cv is signalled by the worker thread so a waiting thread
88 * can start another replacement.  We also store a credential to perform
89 * audit log write operations with.
90 *
91 * The current credential and vnode are thread-local to audit_worker.
92 */
93static struct cv		audit_replacement_cv;
94
95static int			audit_replacement_flag;
96static struct vnode		*audit_replacement_vp;
97static struct ucred		*audit_replacement_cred;
98
99/*
100 * Flags related to Kernel->user-space communication.
101 */
102static int			audit_file_rotate_wait;
103
104/*
105 * XXXAUDIT: Should adjust comments below to make it clear that we get to
106 * this point only if we believe we have storage, so not having space here is
107 * a violation of invariants derived from administrative procedures. I.e.,
108 * someone else has written to the audit partition, leaving less space than
109 * we accounted for.
110 */
111static int
112audit_record_write(struct vnode *vp, struct kaudit_record *ar,
113    struct ucred *cred, struct thread *td)
114{
115	int ret;
116	long temp;
117	struct au_record *bsm;
118	struct vattr vattr;
119	struct statfs *mnt_stat = &vp->v_mount->mnt_stat;
120	int vfslocked;
121
122	vfslocked = VFS_LOCK_GIANT(vp->v_mount);
123
124	/*
125	 * First, gather statistics on the audit log file and file system so
126	 * that we know how we're doing on space.  In both cases, if we're
127	 * unable to perform the operation, we drop the record and return.
128	 * However, this is arguably an assertion failure.
129	 * XXX Need a FreeBSD equivalent.
130	 */
131	ret = VFS_STATFS(vp->v_mount, mnt_stat, td);
132	if (ret)
133		goto out;
134
135	vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
136	ret = VOP_GETATTR(vp, &vattr, cred, td);
137	VOP_UNLOCK(vp, 0, td);
138	if (ret)
139		goto out;
140
141	/* update the global stats struct */
142	audit_fstat.af_currsz = vattr.va_size;
143
144	/*
145	 * XXX Need to decide what to do if the trigger to the audit daemon
146	 * fails.
147	 */
148
149	/*
150	 * If we fall below minimum free blocks (hard limit), tell the audit
151	 * daemon to force a rotation off of the file system. We also stop
152	 * writing, which means this audit record is probably lost.  If we
153	 * fall below the minimum percent free blocks (soft limit), then
154	 * kindly suggest to the audit daemon to do something.
155	 */
156	if (mnt_stat->f_bfree < AUDIT_HARD_LIMIT_FREE_BLOCKS) {
157		(void)send_trigger(AUDIT_TRIGGER_NO_SPACE);
158		/*
159		 * Hopefully userspace did something about all the previous
160		 * triggers that were sent prior to this critical condition.
161		 * If fail-stop is set, then we're done; goodnight Gracie.
162		 */
163		if (audit_fail_stop)
164			panic("Audit log space exhausted and fail-stop set.");
165		else {
166			audit_suspended = 1;
167			ret = ENOSPC;
168			goto out;
169		}
170	} else
171		/*
172		 * Send a message to the audit daemon that disk space is
173		 * getting low.
174		 *
175		 * XXXAUDIT: Check math and block size calculation here.
176		 */
177		if (audit_qctrl.aq_minfree != 0) {
178			temp = mnt_stat->f_blocks / (100 /
179			    audit_qctrl.aq_minfree);
180			if (mnt_stat->f_bfree < temp)
181				(void)send_trigger(AUDIT_TRIGGER_LOW_SPACE);
182		}
183
184	/*
185	 * Check if the current log file is full; if so, call for a log
186	 * rotate. This is not an exact comparison; we may write some records
187	 * over the limit. If that's not acceptable, then add a fudge factor
188	 * here.
189	 */
190	if ((audit_fstat.af_filesz != 0) &&
191	    (audit_file_rotate_wait == 0) &&
192	    (vattr.va_size >= audit_fstat.af_filesz)) {
193		audit_file_rotate_wait = 1;
194		(void)send_trigger(AUDIT_TRIGGER_OPEN_NEW);
195	}
196
197	/*
198	 * If the estimated amount of audit data in the audit event queue
199	 * (plus records allocated but not yet queued) has reached the amount
200	 * of free space on the disk, then we need to go into an audit fail
201	 * stop state, in which we do not permit the allocation/committing of
202	 * any new audit records.  We continue to process packets but don't
203	 * allow any activities that might generate new records.  In the
204	 * future, we might want to detect when space is available again and
205	 * allow operation to continue, but this behavior is sufficient to
206	 * meet fail stop requirements in CAPP.
207	 */
208	if (audit_fail_stop &&
209	    (unsigned long)
210	    ((audit_q_len + audit_pre_q_len + 1) * MAX_AUDIT_RECORD_SIZE) /
211	    mnt_stat->f_bsize >= (unsigned long)(mnt_stat->f_bfree)) {
212		printf("audit_record_write: free space below size of audit "
213		    "queue, failing stop\n");
214		audit_in_failure = 1;
215	}
216
217	/*
218	 * If there is a user audit record attached to the kernel record,
219	 * then write the user record.
220	 *
221	 * XXX Need to decide a few things here: IF the user audit record is
222	 * written, but the write of the kernel record fails, what to do?
223	 * Should the kernel record come before or after the user record?
224	 * For now, we write the user record first, and we ignore errors.
225	 */
226	if (ar->k_ar_commit & AR_COMMIT_USER) {
227		/*
228		 * Try submitting the record to any active audit pipes.
229		 */
230		audit_pipe_submit((void *)ar->k_udata, ar->k_ulen);
231
232		/*
233		 * And to disk.
234		 */
235		ret = vn_rdwr(UIO_WRITE, vp, (void *)ar->k_udata, ar->k_ulen,
236		    (off_t)0, UIO_SYSSPACE, IO_APPEND|IO_UNIT, cred, NULL,
237		    NULL, td);
238		if (ret)
239			goto out;
240	}
241
242	/*
243	 * Convert the internal kernel record to BSM format and write it out
244	 * if everything's OK.
245	 */
246	if (!(ar->k_ar_commit & AR_COMMIT_KERNEL)) {
247		ret = 0;
248		goto out;
249	}
250
251	/*
252	 * XXXAUDIT: Should we actually allow this conversion to fail?  With
253	 * sleeping memory allocation and invariants checks, perhaps not.
254	 */
255	ret = kaudit_to_bsm(ar, &bsm);
256	if (ret == BSM_NOAUDIT) {
257		ret = 0;
258		goto out;
259	}
260
261	/*
262	 * XXX: We drop the record on BSM conversion failure, but really this
263	 * is an assertion failure.
264	 */
265	if (ret == BSM_FAILURE) {
266		AUDIT_PRINTF(("BSM conversion failure\n"));
267		ret = EINVAL;
268		goto out;
269	}
270
271	/*
272	 * Try submitting the record to any active audit pipes.
273	 */
274	audit_pipe_submit((void *)bsm->data, bsm->len);
275
276	/*
277	 * XXX We should break the write functionality away from the BSM
278	 * record generation and have the BSM generation done before this
279	 * function is called. This function will then take the BSM record as
280	 * a parameter.
281	 */
282	ret = (vn_rdwr(UIO_WRITE, vp, (void *)bsm->data, bsm->len, (off_t)0,
283	    UIO_SYSSPACE, IO_APPEND|IO_UNIT, cred, NULL, NULL, td));
284	kau_free(bsm);
285
286out:
287	/*
288	 * When we're done processing the current record, we have to check to
289	 * see if we're in a failure mode, and if so, whether this was the
290	 * last record left to be drained.  If we're done draining, then we
291	 * fsync the vnode and panic.
292	 */
293	if (audit_in_failure && audit_q_len == 0 && audit_pre_q_len == 0) {
294		VOP_LOCK(vp, LK_DRAIN | LK_INTERLOCK, td);
295		(void)VOP_FSYNC(vp, MNT_WAIT, td);
296		VOP_UNLOCK(vp, 0, td);
297		panic("Audit store overflow; record queue drained.");
298	}
299
300	VFS_UNLOCK_GIANT(vfslocked);
301
302	return (ret);
303}
304
305/*
306 * If an appropriate signal has been received rotate the audit log based on
307 * the global replacement variables.  Signal consumers as needed that the
308 * rotation has taken place.
309 *
310 * XXXRW: The global variables and CVs used to signal the audit_worker to
311 * perform a rotation are essentially a message queue of depth 1.  It would
312 * be much nicer to actually use a message queue.
313 */
314static void
315audit_worker_rotate(struct ucred **audit_credp, struct vnode **audit_vpp,
316    struct thread *audit_td)
317{
318	int do_replacement_signal, vfslocked;
319	struct ucred *old_cred;
320	struct vnode *old_vp;
321
322	mtx_assert(&audit_mtx, MA_OWNED);
323
324	do_replacement_signal = 0;
325	while (audit_replacement_flag != 0) {
326		old_cred = *audit_credp;
327		old_vp = *audit_vpp;
328		*audit_credp = audit_replacement_cred;
329		*audit_vpp = audit_replacement_vp;
330		audit_replacement_cred = NULL;
331		audit_replacement_vp = NULL;
332		audit_replacement_flag = 0;
333
334		audit_enabled = (*audit_vpp != NULL);
335
336		/*
337		 * XXX: What to do about write failures here?
338		 */
339		if (old_vp != NULL) {
340			AUDIT_PRINTF(("Closing old audit file\n"));
341			mtx_unlock(&audit_mtx);
342			vfslocked = VFS_LOCK_GIANT(old_vp->v_mount);
343			vn_close(old_vp, AUDIT_CLOSE_FLAGS, old_cred,
344			    audit_td);
345			VFS_UNLOCK_GIANT(vfslocked);
346			crfree(old_cred);
347			mtx_lock(&audit_mtx);
348			old_cred = NULL;
349			old_vp = NULL;
350			AUDIT_PRINTF(("Audit file closed\n"));
351		}
352		if (*audit_vpp != NULL) {
353			AUDIT_PRINTF(("Opening new audit file\n"));
354		}
355		do_replacement_signal = 1;
356	}
357
358	/*
359	 * Signal that replacement have occurred to wake up and
360	 * start any other replacements started in parallel.  We can
361	 * continue about our business in the mean time.  We
362	 * broadcast so that both new replacements can be inserted,
363	 * but also so that the source(s) of replacement can return
364	 * successfully.
365	 */
366	if (do_replacement_signal)
367		cv_broadcast(&audit_replacement_cv);
368}
369
370/*
371 * Drain the audit commit queue and free the records.  Used if there are
372 * records present, but no audit log target.
373 */
374static void
375audit_worker_drain(void)
376{
377	struct kaudit_record *ar;
378
379	mtx_assert(&audit_mtx, MA_OWNED);
380
381	while ((ar = TAILQ_FIRST(&audit_q))) {
382		TAILQ_REMOVE(&audit_q, ar, k_q);
383		audit_free(ar);
384		audit_q_len--;
385	}
386}
387
388/*
389 * Given a kernel audit record, process as required.  Currently, that means
390 * passing it to audit_record_write(), but in the future it will mean
391 * converting it to BSM and then routing it to various possible output
392 * streams, including the audit trail and audit pipes.  The caller will free
393 * the record.
394 */
395static void
396audit_worker_process_record(struct vnode *audit_vp, struct ucred *audit_cred,
397    struct thread *audit_td, struct kaudit_record *ar)
398{
399	int error;
400
401	if (audit_vp == NULL)
402		return;
403
404	error = audit_record_write(audit_vp, ar, audit_cred, audit_td);
405	if (error) {
406		if (audit_panic_on_write_fail)
407			panic("audit_worker: write error %d\n", error);
408		else
409			printf("audit_worker: write error %d\n", error);
410	}
411}
412
413/*
414 * The audit_worker thread is responsible for watching the event queue,
415 * dequeueing records, converting them to BSM format, and committing them to
416 * disk.  In order to minimize lock thrashing, records are dequeued in sets
417 * to a thread-local work queue.  In addition, the audit_work performs the
418 * actual exchange of audit log vnode pointer, as audit_vp is a thread-local
419 * variable.
420 */
421static void
422audit_worker(void *arg)
423{
424	struct kaudit_queue ar_worklist;
425	struct kaudit_record *ar;
426	struct ucred *audit_cred;
427	struct thread *audit_td;
428	struct vnode *audit_vp;
429	int lowater_signal;
430
431	AUDIT_PRINTF(("audit_worker starting\n"));
432
433	/*
434	 * These are thread-local variables requiring no synchronization.
435	 */
436	TAILQ_INIT(&ar_worklist);
437	audit_cred = NULL;
438	audit_td = curthread;
439	audit_vp = NULL;
440
441	mtx_lock(&audit_mtx);
442	while (1) {
443		mtx_assert(&audit_mtx, MA_OWNED);
444
445		/*
446		 * Wait for record or rotation events.
447		 */
448		while (!audit_replacement_flag && TAILQ_EMPTY(&audit_q)) {
449			AUDIT_PRINTF(("audit_worker waiting\n"));
450			cv_wait(&audit_worker_cv, &audit_mtx);
451			AUDIT_PRINTF(("audit_worker woken up\n"));
452			AUDIT_PRINTF(("audit_worker: new vp = %p; value of "
453			    "flag %d\n", audit_replacement_vp,
454			    audit_replacement_flag));
455		}
456
457		/*
458		 * First priority: replace the audit log target if requested.
459		 */
460		audit_worker_rotate(&audit_cred, &audit_vp, audit_td);
461
462		/*
463		 * If we have records, but there's no active vnode to write
464		 * to, drain the record queue.  Generally, we prevent the
465		 * unnecessary allocation of records elsewhere, but we need
466		 * to allow for races between conditional allocation and
467		 * queueing.  Go back to waiting when we're done.
468		 */
469		if (audit_vp == NULL) {
470			audit_worker_drain();
471			continue;
472		}
473
474		/*
475		 * We have both records to write and an active vnode to write
476		 * to.  Dequeue a record, and start the write.  Eventually,
477		 * it might make sense to dequeue several records and perform
478		 * our own clustering, if the lower layers aren't doing it
479		 * automatically enough.
480		 */
481		lowater_signal = 0;
482		while ((ar = TAILQ_FIRST(&audit_q))) {
483			TAILQ_REMOVE(&audit_q, ar, k_q);
484			audit_q_len--;
485			if (audit_q_len == audit_qctrl.aq_lowater)
486				lowater_signal++;
487			TAILQ_INSERT_TAIL(&ar_worklist, ar, k_q);
488		}
489		if (lowater_signal)
490			cv_broadcast(&audit_watermark_cv);
491
492		mtx_unlock(&audit_mtx);
493		while ((ar = TAILQ_FIRST(&ar_worklist))) {
494			TAILQ_REMOVE(&ar_worklist, ar, k_q);
495			audit_worker_process_record(audit_vp, audit_cred,
496			    audit_td, ar);
497			audit_free(ar);
498		}
499		mtx_lock(&audit_mtx);
500	}
501}
502
503/*
504 * audit_rotate_vnode() is called by a user or kernel thread to configure or
505 * de-configure auditing on a vnode.  The arguments are the replacement
506 * credential and vnode to substitute for the current credential and vnode,
507 * if any.  If either is set to NULL, both should be NULL, and this is used
508 * to indicate that audit is being disabled.  The real work is done in the
509 * audit_worker thread, but audit_rotate_vnode() waits synchronously for that
510 * to complete.
511 *
512 * The vnode should be referenced and opened by the caller.  The credential
513 * should be referenced.  audit_rotate_vnode() will own both references as of
514 * this call, so the caller should not release either.
515 *
516 * XXXAUDIT: Review synchronize communication logic.  Really, this is a
517 * message queue of depth 1.
518 *
519 * XXXAUDIT: Enhance the comments below to indicate that we are basically
520 * acquiring ownership of the communications queue, inserting our message,
521 * and waiting for an acknowledgement.
522 */
523void
524audit_rotate_vnode(struct ucred *cred, struct vnode *vp)
525{
526
527	/*
528	 * If other parallel log replacements have been requested, we wait
529	 * until they've finished before continuing.
530	 */
531	mtx_lock(&audit_mtx);
532	while (audit_replacement_flag != 0) {
533		AUDIT_PRINTF(("audit_rotate_vnode: sleeping to wait for "
534		    "flag\n"));
535		cv_wait(&audit_replacement_cv, &audit_mtx);
536		AUDIT_PRINTF(("audit_rotate_vnode: woken up (flag %d)\n",
537		    audit_replacement_flag));
538	}
539	audit_replacement_cred = cred;
540	audit_replacement_flag = 1;
541	audit_replacement_vp = vp;
542
543	/*
544	 * Wake up the audit worker to perform the exchange once we
545	 * release the mutex.
546	 */
547	cv_signal(&audit_worker_cv);
548
549	/*
550	 * Wait for the audit_worker to broadcast that a replacement has
551	 * taken place; we know that once this has happened, our vnode
552	 * has been replaced in, so we can return successfully.
553	 */
554	AUDIT_PRINTF(("audit_rotate_vnode: waiting for news of "
555	    "replacement\n"));
556	cv_wait(&audit_replacement_cv, &audit_mtx);
557	AUDIT_PRINTF(("audit_rotate_vnode: change acknowledged by "
558	    "audit_worker (flag " "now %d)\n", audit_replacement_flag));
559	mtx_unlock(&audit_mtx);
560
561	audit_file_rotate_wait = 0; /* We can now request another rotation */
562}
563
564void
565audit_worker_init(void)
566{
567	int error;
568
569	cv_init(&audit_replacement_cv, "audit_replacement_cv");
570	error = kthread_create(audit_worker, NULL, &audit_thread, RFHIGHPID,
571	    0, "audit_worker");
572	if (error)
573		panic("audit_worker_init: kthread_create returned %d", error);
574}
575