audit_worker.c revision 159264
1/* 2 * Copyright (c) 1999-2005 Apple Computer, Inc. 3 * Copyright (c) 2006 Robert N. M. Watson 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in the 13 * documentation and/or other materials provided with the distribution. 14 * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of 15 * its contributors may be used to endorse or promote products derived 16 * from this software without specific prior written permission. 17 * 18 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND 19 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR 22 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 23 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 24 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 25 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 26 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 27 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 28 * POSSIBILITY OF SUCH DAMAGE. 29 * 30 * $FreeBSD: head/sys/security/audit/audit_worker.c 159264 2006-06-05 13:50:02Z rwatson $ 31 */ 32 33#include <sys/param.h> 34#include <sys/condvar.h> 35#include <sys/conf.h> 36#include <sys/file.h> 37#include <sys/filedesc.h> 38#include <sys/fcntl.h> 39#include <sys/ipc.h> 40#include <sys/kernel.h> 41#include <sys/kthread.h> 42#include <sys/malloc.h> 43#include <sys/mount.h> 44#include <sys/namei.h> 45#include <sys/proc.h> 46#include <sys/queue.h> 47#include <sys/socket.h> 48#include <sys/socketvar.h> 49#include <sys/protosw.h> 50#include <sys/domain.h> 51#include <sys/sysproto.h> 52#include <sys/sysent.h> 53#include <sys/systm.h> 54#include <sys/ucred.h> 55#include <sys/uio.h> 56#include <sys/un.h> 57#include <sys/unistd.h> 58#include <sys/vnode.h> 59 60#include <bsm/audit.h> 61#include <bsm/audit_internal.h> 62#include <bsm/audit_kevents.h> 63 64#include <netinet/in.h> 65#include <netinet/in_pcb.h> 66 67#include <security/audit/audit.h> 68#include <security/audit/audit_private.h> 69 70#include <vm/uma.h> 71 72/* 73 * Worker thread that will schedule disk I/O, etc. 74 */ 75static struct proc *audit_thread; 76 77/* 78 * When an audit log is rotated, the actual rotation must be performed by the 79 * audit worker thread, as it may have outstanding writes on the current 80 * audit log. audit_replacement_vp holds the vnode replacing the current 81 * vnode. We can't let more than one replacement occur at a time, so if more 82 * than one thread requests a replacement, only one can have the replacement 83 * "in progress" at any given moment. If a thread tries to replace the audit 84 * vnode and discovers a replacement is already in progress (i.e., 85 * audit_replacement_flag != 0), then it will sleep on audit_replacement_cv 86 * waiting its turn to perform a replacement. When a replacement is 87 * completed, this cv is signalled by the worker thread so a waiting thread 88 * can start another replacement. We also store a credential to perform 89 * audit log write operations with. 90 * 91 * The current credential and vnode are thread-local to audit_worker. 92 */ 93static struct cv audit_replacement_cv; 94 95static int audit_replacement_flag; 96static struct vnode *audit_replacement_vp; 97static struct ucred *audit_replacement_cred; 98 99/* 100 * Flags related to Kernel->user-space communication. 101 */ 102static int audit_file_rotate_wait; 103 104/* 105 * XXXAUDIT: Should adjust comments below to make it clear that we get to 106 * this point only if we believe we have storage, so not having space here is 107 * a violation of invariants derived from administrative procedures. I.e., 108 * someone else has written to the audit partition, leaving less space than 109 * we accounted for. 110 */ 111static int 112audit_record_write(struct vnode *vp, struct ucred *cred, struct thread *td, 113 void *data, size_t len) 114{ 115 int ret; 116 long temp; 117 struct vattr vattr; 118 struct statfs *mnt_stat = &vp->v_mount->mnt_stat; 119 int vfslocked; 120 121 if (vp == NULL) 122 return (0); 123 124 vfslocked = VFS_LOCK_GIANT(vp->v_mount); 125 126 /* 127 * First, gather statistics on the audit log file and file system so 128 * that we know how we're doing on space. In both cases, if we're 129 * unable to perform the operation, we drop the record and return. 130 * However, this is arguably an assertion failure. 131 * XXX Need a FreeBSD equivalent. 132 */ 133 ret = VFS_STATFS(vp->v_mount, mnt_stat, td); 134 if (ret) 135 goto out; 136 137 vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); 138 ret = VOP_GETATTR(vp, &vattr, cred, td); 139 VOP_UNLOCK(vp, 0, td); 140 if (ret) 141 goto out; 142 143 /* update the global stats struct */ 144 audit_fstat.af_currsz = vattr.va_size; 145 146 /* 147 * XXX Need to decide what to do if the trigger to the audit daemon 148 * fails. 149 */ 150 151 /* 152 * If we fall below minimum free blocks (hard limit), tell the audit 153 * daemon to force a rotation off of the file system. We also stop 154 * writing, which means this audit record is probably lost. If we 155 * fall below the minimum percent free blocks (soft limit), then 156 * kindly suggest to the audit daemon to do something. 157 */ 158 if (mnt_stat->f_bfree < AUDIT_HARD_LIMIT_FREE_BLOCKS) { 159 (void)send_trigger(AUDIT_TRIGGER_NO_SPACE); 160 /* 161 * Hopefully userspace did something about all the previous 162 * triggers that were sent prior to this critical condition. 163 * If fail-stop is set, then we're done; goodnight Gracie. 164 */ 165 if (audit_fail_stop) 166 panic("Audit log space exhausted and fail-stop set."); 167 else { 168 audit_suspended = 1; 169 ret = ENOSPC; 170 goto out; 171 } 172 } else 173 /* 174 * Send a message to the audit daemon that disk space is 175 * getting low. 176 * 177 * XXXAUDIT: Check math and block size calculation here. 178 */ 179 if (audit_qctrl.aq_minfree != 0) { 180 temp = mnt_stat->f_blocks / (100 / 181 audit_qctrl.aq_minfree); 182 if (mnt_stat->f_bfree < temp) 183 (void)send_trigger(AUDIT_TRIGGER_LOW_SPACE); 184 } 185 186 /* 187 * Check if the current log file is full; if so, call for a log 188 * rotate. This is not an exact comparison; we may write some records 189 * over the limit. If that's not acceptable, then add a fudge factor 190 * here. 191 */ 192 if ((audit_fstat.af_filesz != 0) && 193 (audit_file_rotate_wait == 0) && 194 (vattr.va_size >= audit_fstat.af_filesz)) { 195 audit_file_rotate_wait = 1; 196 (void)send_trigger(AUDIT_TRIGGER_OPEN_NEW); 197 } 198 199 /* 200 * If the estimated amount of audit data in the audit event queue 201 * (plus records allocated but not yet queued) has reached the amount 202 * of free space on the disk, then we need to go into an audit fail 203 * stop state, in which we do not permit the allocation/committing of 204 * any new audit records. We continue to process packets but don't 205 * allow any activities that might generate new records. In the 206 * future, we might want to detect when space is available again and 207 * allow operation to continue, but this behavior is sufficient to 208 * meet fail stop requirements in CAPP. 209 */ 210 if (audit_fail_stop && 211 (unsigned long) 212 ((audit_q_len + audit_pre_q_len + 1) * MAX_AUDIT_RECORD_SIZE) / 213 mnt_stat->f_bsize >= (unsigned long)(mnt_stat->f_bfree)) { 214 printf("audit_record_write: free space below size of audit " 215 "queue, failing stop\n"); 216 audit_in_failure = 1; 217 } 218 219 ret = vn_rdwr(UIO_WRITE, vp, data, len, (off_t)0, UIO_SYSSPACE, 220 IO_APPEND|IO_UNIT, cred, NULL, NULL, td); 221 222out: 223 /* 224 * When we're done processing the current record, we have to check to 225 * see if we're in a failure mode, and if so, whether this was the 226 * last record left to be drained. If we're done draining, then we 227 * fsync the vnode and panic. 228 */ 229 if (audit_in_failure && audit_q_len == 0 && audit_pre_q_len == 0) { 230 VOP_LOCK(vp, LK_DRAIN | LK_INTERLOCK, td); 231 (void)VOP_FSYNC(vp, MNT_WAIT, td); 232 VOP_UNLOCK(vp, 0, td); 233 panic("Audit store overflow; record queue drained."); 234 } 235 236 VFS_UNLOCK_GIANT(vfslocked); 237 238 return (ret); 239} 240 241/* 242 * If an appropriate signal has been received rotate the audit log based on 243 * the global replacement variables. Signal consumers as needed that the 244 * rotation has taken place. 245 * 246 * XXXRW: The global variables and CVs used to signal the audit_worker to 247 * perform a rotation are essentially a message queue of depth 1. It would 248 * be much nicer to actually use a message queue. 249 */ 250static void 251audit_worker_rotate(struct ucred **audit_credp, struct vnode **audit_vpp, 252 struct thread *audit_td) 253{ 254 int do_replacement_signal, vfslocked; 255 struct ucred *old_cred; 256 struct vnode *old_vp; 257 258 mtx_assert(&audit_mtx, MA_OWNED); 259 260 do_replacement_signal = 0; 261 while (audit_replacement_flag != 0) { 262 old_cred = *audit_credp; 263 old_vp = *audit_vpp; 264 *audit_credp = audit_replacement_cred; 265 *audit_vpp = audit_replacement_vp; 266 audit_replacement_cred = NULL; 267 audit_replacement_vp = NULL; 268 audit_replacement_flag = 0; 269 270 audit_enabled = (*audit_vpp != NULL); 271 272 /* 273 * XXX: What to do about write failures here? 274 */ 275 if (old_vp != NULL) { 276 AUDIT_PRINTF(("Closing old audit file\n")); 277 mtx_unlock(&audit_mtx); 278 vfslocked = VFS_LOCK_GIANT(old_vp->v_mount); 279 vn_close(old_vp, AUDIT_CLOSE_FLAGS, old_cred, 280 audit_td); 281 VFS_UNLOCK_GIANT(vfslocked); 282 crfree(old_cred); 283 mtx_lock(&audit_mtx); 284 old_cred = NULL; 285 old_vp = NULL; 286 AUDIT_PRINTF(("Audit file closed\n")); 287 } 288 if (*audit_vpp != NULL) { 289 AUDIT_PRINTF(("Opening new audit file\n")); 290 } 291 do_replacement_signal = 1; 292 } 293 294 /* 295 * Signal that replacement have occurred to wake up and 296 * start any other replacements started in parallel. We can 297 * continue about our business in the mean time. We 298 * broadcast so that both new replacements can be inserted, 299 * but also so that the source(s) of replacement can return 300 * successfully. 301 */ 302 if (do_replacement_signal) 303 cv_broadcast(&audit_replacement_cv); 304} 305 306/* 307 * Drain the audit commit queue and free the records. Used if there are 308 * records present, but no audit log target. 309 */ 310static void 311audit_worker_drain(void) 312{ 313 struct kaudit_record *ar; 314 315 mtx_assert(&audit_mtx, MA_OWNED); 316 317 while ((ar = TAILQ_FIRST(&audit_q))) { 318 TAILQ_REMOVE(&audit_q, ar, k_q); 319 audit_free(ar); 320 audit_q_len--; 321 } 322} 323 324/* 325 * Given a kernel audit record, process as required. Kernel audit records 326 * are converted to one, or possibly two, BSM records, depending on whether 327 * there is a user audit record present also. Kernel records need be 328 * converted to BSM before they can be written out. Both types will be 329 * written to disk, and audit pipes. 330 */ 331static void 332audit_worker_process_record(struct vnode *audit_vp, struct ucred *audit_cred, 333 struct thread *audit_td, struct kaudit_record *ar) 334{ 335 struct au_record *bsm; 336 int error, ret; 337 338 if (ar->k_ar_commit & AR_COMMIT_USER) { 339 error = audit_record_write(audit_vp, audit_cred, audit_td, 340 ar->k_udata, ar->k_ulen); 341 if (error && audit_panic_on_write_fail) 342 panic("audit_worker: write error %d\n", error); 343 else if (error) 344 printf("audit_worker: write error %d\n", error); 345 audit_pipe_submit(ar->k_udata, ar->k_ulen); 346 } 347 348 if (ar->k_ar_commit & AR_COMMIT_KERNEL) { 349 ret = kaudit_to_bsm(ar, &bsm); 350 switch (ret) { 351 case BSM_NOAUDIT: 352 break; 353 354 case BSM_FAILURE: 355 printf("audit_worker_process_record: BSM_FAILURE\n"); 356 break; 357 358 case BSM_SUCCESS: 359 error = audit_record_write(audit_vp, audit_cred, 360 audit_td, bsm->data, bsm->len); 361 if (error && audit_panic_on_write_fail) 362 panic("audit_worker: write error %d\n", 363 error); 364 else if (error) 365 printf("audit_worker: write error %d\n", 366 error); 367 audit_pipe_submit(bsm->data, bsm->len); 368 kau_free(bsm); 369 break; 370 371 default: 372 panic("kaudit_to_bsm returned %d", ret); 373 } 374 } 375} 376 377/* 378 * The audit_worker thread is responsible for watching the event queue, 379 * dequeueing records, converting them to BSM format, and committing them to 380 * disk. In order to minimize lock thrashing, records are dequeued in sets 381 * to a thread-local work queue. In addition, the audit_work performs the 382 * actual exchange of audit log vnode pointer, as audit_vp is a thread-local 383 * variable. 384 */ 385static void 386audit_worker(void *arg) 387{ 388 struct kaudit_queue ar_worklist; 389 struct kaudit_record *ar; 390 struct ucred *audit_cred; 391 struct thread *audit_td; 392 struct vnode *audit_vp; 393 int lowater_signal; 394 395 AUDIT_PRINTF(("audit_worker starting\n")); 396 397 /* 398 * These are thread-local variables requiring no synchronization. 399 */ 400 TAILQ_INIT(&ar_worklist); 401 audit_cred = NULL; 402 audit_td = curthread; 403 audit_vp = NULL; 404 405 mtx_lock(&audit_mtx); 406 while (1) { 407 mtx_assert(&audit_mtx, MA_OWNED); 408 409 /* 410 * Wait for record or rotation events. 411 */ 412 while (!audit_replacement_flag && TAILQ_EMPTY(&audit_q)) { 413 AUDIT_PRINTF(("audit_worker waiting\n")); 414 cv_wait(&audit_worker_cv, &audit_mtx); 415 AUDIT_PRINTF(("audit_worker woken up\n")); 416 AUDIT_PRINTF(("audit_worker: new vp = %p; value of " 417 "flag %d\n", audit_replacement_vp, 418 audit_replacement_flag)); 419 } 420 421 /* 422 * First priority: replace the audit log target if requested. 423 */ 424 audit_worker_rotate(&audit_cred, &audit_vp, audit_td); 425 426 /* 427 * If we have records, but there's no active vnode to write 428 * to, drain the record queue. Generally, we prevent the 429 * unnecessary allocation of records elsewhere, but we need 430 * to allow for races between conditional allocation and 431 * queueing. Go back to waiting when we're done. 432 */ 433 if (audit_vp == NULL) { 434 audit_worker_drain(); 435 continue; 436 } 437 438 /* 439 * We have both records to write and an active vnode to write 440 * to. Dequeue a record, and start the write. Eventually, 441 * it might make sense to dequeue several records and perform 442 * our own clustering, if the lower layers aren't doing it 443 * automatically enough. 444 */ 445 lowater_signal = 0; 446 while ((ar = TAILQ_FIRST(&audit_q))) { 447 TAILQ_REMOVE(&audit_q, ar, k_q); 448 audit_q_len--; 449 if (audit_q_len == audit_qctrl.aq_lowater) 450 lowater_signal++; 451 TAILQ_INSERT_TAIL(&ar_worklist, ar, k_q); 452 } 453 if (lowater_signal) 454 cv_broadcast(&audit_watermark_cv); 455 456 mtx_unlock(&audit_mtx); 457 while ((ar = TAILQ_FIRST(&ar_worklist))) { 458 TAILQ_REMOVE(&ar_worklist, ar, k_q); 459 audit_worker_process_record(audit_vp, audit_cred, 460 audit_td, ar); 461 audit_free(ar); 462 } 463 mtx_lock(&audit_mtx); 464 } 465} 466 467/* 468 * audit_rotate_vnode() is called by a user or kernel thread to configure or 469 * de-configure auditing on a vnode. The arguments are the replacement 470 * credential and vnode to substitute for the current credential and vnode, 471 * if any. If either is set to NULL, both should be NULL, and this is used 472 * to indicate that audit is being disabled. The real work is done in the 473 * audit_worker thread, but audit_rotate_vnode() waits synchronously for that 474 * to complete. 475 * 476 * The vnode should be referenced and opened by the caller. The credential 477 * should be referenced. audit_rotate_vnode() will own both references as of 478 * this call, so the caller should not release either. 479 * 480 * XXXAUDIT: Review synchronize communication logic. Really, this is a 481 * message queue of depth 1. 482 * 483 * XXXAUDIT: Enhance the comments below to indicate that we are basically 484 * acquiring ownership of the communications queue, inserting our message, 485 * and waiting for an acknowledgement. 486 */ 487void 488audit_rotate_vnode(struct ucred *cred, struct vnode *vp) 489{ 490 491 /* 492 * If other parallel log replacements have been requested, we wait 493 * until they've finished before continuing. 494 */ 495 mtx_lock(&audit_mtx); 496 while (audit_replacement_flag != 0) { 497 AUDIT_PRINTF(("audit_rotate_vnode: sleeping to wait for " 498 "flag\n")); 499 cv_wait(&audit_replacement_cv, &audit_mtx); 500 AUDIT_PRINTF(("audit_rotate_vnode: woken up (flag %d)\n", 501 audit_replacement_flag)); 502 } 503 audit_replacement_cred = cred; 504 audit_replacement_flag = 1; 505 audit_replacement_vp = vp; 506 507 /* 508 * Wake up the audit worker to perform the exchange once we 509 * release the mutex. 510 */ 511 cv_signal(&audit_worker_cv); 512 513 /* 514 * Wait for the audit_worker to broadcast that a replacement has 515 * taken place; we know that once this has happened, our vnode 516 * has been replaced in, so we can return successfully. 517 */ 518 AUDIT_PRINTF(("audit_rotate_vnode: waiting for news of " 519 "replacement\n")); 520 cv_wait(&audit_replacement_cv, &audit_mtx); 521 AUDIT_PRINTF(("audit_rotate_vnode: change acknowledged by " 522 "audit_worker (flag " "now %d)\n", audit_replacement_flag)); 523 mtx_unlock(&audit_mtx); 524 525 audit_file_rotate_wait = 0; /* We can now request another rotation */ 526} 527 528void 529audit_worker_init(void) 530{ 531 int error; 532 533 cv_init(&audit_replacement_cv, "audit_replacement_cv"); 534 error = kthread_create(audit_worker, NULL, &audit_thread, RFHIGHPID, 535 0, "audit_worker"); 536 if (error) 537 panic("audit_worker_init: kthread_create returned %d", error); 538} 539