audit_worker.c revision 176627
1/* 2 * Copyright (c) 1999-2005 Apple Computer, Inc. 3 * Copyright (c) 2006-2008 Robert N. M. Watson 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in the 13 * documentation and/or other materials provided with the distribution. 14 * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of 15 * its contributors may be used to endorse or promote products derived 16 * from this software without specific prior written permission. 17 * 18 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND 19 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR 22 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 23 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 24 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 25 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 26 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 27 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 28 * POSSIBILITY OF SUCH DAMAGE. 29 * 30 * $FreeBSD: head/sys/security/audit/audit_worker.c 176627 2008-02-27 17:12:22Z rwatson $ 31 */ 32 33#include <sys/param.h> 34#include <sys/condvar.h> 35#include <sys/conf.h> 36#include <sys/file.h> 37#include <sys/filedesc.h> 38#include <sys/fcntl.h> 39#include <sys/ipc.h> 40#include <sys/kernel.h> 41#include <sys/kthread.h> 42#include <sys/malloc.h> 43#include <sys/mount.h> 44#include <sys/namei.h> 45#include <sys/proc.h> 46#include <sys/queue.h> 47#include <sys/socket.h> 48#include <sys/socketvar.h> 49#include <sys/protosw.h> 50#include <sys/domain.h> 51#include <sys/sx.h> 52#include <sys/sysproto.h> 53#include <sys/sysent.h> 54#include <sys/systm.h> 55#include <sys/ucred.h> 56#include <sys/uio.h> 57#include <sys/un.h> 58#include <sys/unistd.h> 59#include <sys/vnode.h> 60 61#include <bsm/audit.h> 62#include <bsm/audit_internal.h> 63#include <bsm/audit_kevents.h> 64 65#include <netinet/in.h> 66#include <netinet/in_pcb.h> 67 68#include <security/audit/audit.h> 69#include <security/audit/audit_private.h> 70 71#include <vm/uma.h> 72 73/* 74 * Worker thread that will schedule disk I/O, etc. 75 */ 76static struct proc *audit_thread; 77 78/* 79 * audit_cred and audit_vp are the stored credential and vnode to use for 80 * active audit trail. They are protected by audit_worker_sx, which will be 81 * held across all I/O and all rotation to prevent them from being replaced 82 * (rotated) while in use. The audit_file_rotate_wait flag is set when the 83 * kernel has delivered a trigger to auditd to rotate the trail, and is 84 * cleared when the next rotation takes place. It is also protected by 85 * audit_worker_sx. 86 */ 87static int audit_file_rotate_wait; 88static struct sx audit_worker_sx; 89static struct ucred *audit_cred; 90static struct vnode *audit_vp; 91 92/* 93 * Write an audit record to a file, performed as the last stage after both 94 * preselection and BSM conversion. Both space management and write failures 95 * are handled in this function. 96 * 97 * No attempt is made to deal with possible failure to deliver a trigger to 98 * the audit daemon, since the message is asynchronous anyway. 99 */ 100static void 101audit_record_write(struct vnode *vp, struct ucred *cred, void *data, 102 size_t len) 103{ 104 static struct timeval last_lowspace_trigger; 105 static struct timeval last_fail; 106 static int cur_lowspace_trigger; 107 struct statfs *mnt_stat; 108 int error, vfslocked; 109 static int cur_fail; 110 struct vattr vattr; 111 long temp; 112 113 sx_assert(&audit_worker_sx, SA_LOCKED); /* audit_file_rotate_wait. */ 114 115 if (vp == NULL) 116 return; 117 118 mnt_stat = &vp->v_mount->mnt_stat; 119 vfslocked = VFS_LOCK_GIANT(vp->v_mount); 120 121 /* 122 * First, gather statistics on the audit log file and file system so 123 * that we know how we're doing on space. Consider failure of these 124 * operations to indicate a future inability to write to the file. 125 */ 126 error = VFS_STATFS(vp->v_mount, mnt_stat, curthread); 127 if (error) 128 goto fail; 129 vn_lock(vp, LK_EXCLUSIVE | LK_RETRY); 130 error = VOP_GETATTR(vp, &vattr, cred, curthread); 131 VOP_UNLOCK(vp, 0); 132 if (error) 133 goto fail; 134 audit_fstat.af_currsz = vattr.va_size; 135 136 /* 137 * We handle four different space-related limits: 138 * 139 * - A fixed (hard) limit on the minimum free blocks we require on 140 * the file system, and results in record loss, a trigger, and 141 * possible fail stop due to violating invariants. 142 * 143 * - An administrative (soft) limit, which when fallen below, results 144 * in the kernel notifying the audit daemon of low space. 145 * 146 * - An audit trail size limit, which when gone above, results in the 147 * kernel notifying the audit daemon that rotation is desired. 148 * 149 * - The total depth of the kernel audit record exceeding free space, 150 * which can lead to possible fail stop (with drain), in order to 151 * prevent violating invariants. Failure here doesn't halt 152 * immediately, but prevents new records from being generated. 153 * 154 * Possibly, the last of these should be handled differently, always 155 * allowing a full queue to be lost, rather than trying to prevent 156 * loss. 157 * 158 * First, handle the hard limit, which generates a trigger and may 159 * fail stop. This is handled in the same manner as ENOSPC from 160 * VOP_WRITE, and results in record loss. 161 */ 162 if (mnt_stat->f_bfree < AUDIT_HARD_LIMIT_FREE_BLOCKS) { 163 error = ENOSPC; 164 goto fail_enospc; 165 } 166 167 /* 168 * Second, handle falling below the soft limit, if defined; we send 169 * the daemon a trigger and continue processing the record. Triggers 170 * are limited to 1/sec. 171 */ 172 if (audit_qctrl.aq_minfree != 0) { 173 /* 174 * XXXAUDIT: Check math and block size calculations here. 175 */ 176 temp = mnt_stat->f_blocks / (100 / audit_qctrl.aq_minfree); 177 if (mnt_stat->f_bfree < temp) { 178 if (ppsratecheck(&last_lowspace_trigger, 179 &cur_lowspace_trigger, 1)) { 180 (void)send_trigger(AUDIT_TRIGGER_LOW_SPACE); 181 printf("Warning: audit space low\n"); 182 } 183 } 184 } 185 186 /* 187 * If the current file is getting full, generate a rotation trigger 188 * to the daemon. This is only approximate, which is fine as more 189 * records may be generated before the daemon rotates the file. 190 */ 191 if ((audit_fstat.af_filesz != 0) && (audit_file_rotate_wait == 0) && 192 (vattr.va_size >= audit_fstat.af_filesz)) { 193 sx_assert(&audit_worker_sx, SA_XLOCKED); 194 195 audit_file_rotate_wait = 1; 196 (void)send_trigger(AUDIT_TRIGGER_ROTATE_KERNEL); 197 } 198 199 /* 200 * If the estimated amount of audit data in the audit event queue 201 * (plus records allocated but not yet queued) has reached the amount 202 * of free space on the disk, then we need to go into an audit fail 203 * stop state, in which we do not permit the allocation/committing of 204 * any new audit records. We continue to process records but don't 205 * allow any activities that might generate new records. In the 206 * future, we might want to detect when space is available again and 207 * allow operation to continue, but this behavior is sufficient to 208 * meet fail stop requirements in CAPP. 209 */ 210 if (audit_fail_stop) { 211 if ((unsigned long)((audit_q_len + audit_pre_q_len + 1) * 212 MAX_AUDIT_RECORD_SIZE) / mnt_stat->f_bsize >= 213 (unsigned long)(mnt_stat->f_bfree)) { 214 if (ppsratecheck(&last_fail, &cur_fail, 1)) 215 printf("audit_record_write: free space " 216 "below size of audit queue, failing " 217 "stop\n"); 218 audit_in_failure = 1; 219 } else if (audit_in_failure) { 220 /* 221 * Note: if we want to handle recovery, this is the 222 * spot to do it: unset audit_in_failure, and issue a 223 * wakeup on the cv. 224 */ 225 } 226 } 227 228 error = vn_rdwr(UIO_WRITE, vp, data, len, (off_t)0, UIO_SYSSPACE, 229 IO_APPEND|IO_UNIT, cred, NULL, NULL, curthread); 230 if (error == ENOSPC) 231 goto fail_enospc; 232 else if (error) 233 goto fail; 234 235 /* 236 * Catch completion of a queue drain here; if we're draining and the 237 * queue is now empty, fail stop. That audit_fail_stop is implicitly 238 * true, since audit_in_failure can only be set of audit_fail_stop is 239 * set. 240 * 241 * Note: if we handle recovery from audit_in_failure, then we need to 242 * make panic here conditional. 243 */ 244 if (audit_in_failure) { 245 if (audit_q_len == 0 && audit_pre_q_len == 0) { 246 VOP_LOCK(vp, LK_DRAIN | LK_INTERLOCK); 247 (void)VOP_FSYNC(vp, MNT_WAIT, curthread); 248 VOP_UNLOCK(vp, 0); 249 panic("Audit store overflow; record queue drained."); 250 } 251 } 252 253 VFS_UNLOCK_GIANT(vfslocked); 254 return; 255 256fail_enospc: 257 /* 258 * ENOSPC is considered a special case with respect to failures, as 259 * this can reflect either our preemptive detection of insufficient 260 * space, or ENOSPC returned by the vnode write call. 261 */ 262 if (audit_fail_stop) { 263 VOP_LOCK(vp, LK_DRAIN | LK_INTERLOCK); 264 (void)VOP_FSYNC(vp, MNT_WAIT, curthread); 265 VOP_UNLOCK(vp, 0); 266 panic("Audit log space exhausted and fail-stop set."); 267 } 268 (void)send_trigger(AUDIT_TRIGGER_NO_SPACE); 269 audit_suspended = 1; 270 271 /* FALLTHROUGH */ 272fail: 273 /* 274 * We have failed to write to the file, so the current record is 275 * lost, which may require an immediate system halt. 276 */ 277 if (audit_panic_on_write_fail) { 278 VOP_LOCK(vp, LK_DRAIN | LK_INTERLOCK); 279 (void)VOP_FSYNC(vp, MNT_WAIT, curthread); 280 VOP_UNLOCK(vp, 0); 281 panic("audit_worker: write error %d\n", error); 282 } else if (ppsratecheck(&last_fail, &cur_fail, 1)) 283 printf("audit_worker: write error %d\n", error); 284 VFS_UNLOCK_GIANT(vfslocked); 285} 286 287/* 288 * Given a kernel audit record, process as required. Kernel audit records 289 * are converted to one, or possibly two, BSM records, depending on whether 290 * there is a user audit record present also. Kernel records need be 291 * converted to BSM before they can be written out. Both types will be 292 * written to disk, and audit pipes. 293 */ 294static void 295audit_worker_process_record(struct kaudit_record *ar) 296{ 297 struct au_record *bsm; 298 au_class_t class; 299 au_event_t event; 300 au_id_t auid; 301 int error, sorf; 302 int trail_locked; 303 304 /* 305 * We hold the audit_worker_sx lock over both writes, if there are 306 * two, so that the two records won't be split across a rotation and 307 * end up in two different trail files. 308 */ 309 if (((ar->k_ar_commit & AR_COMMIT_USER) && 310 (ar->k_ar_commit & AR_PRESELECT_USER_TRAIL)) || 311 (ar->k_ar_commit & AR_PRESELECT_TRAIL)) { 312 sx_xlock(&audit_worker_sx); 313 trail_locked = 1; 314 } else 315 trail_locked = 0; 316 317 /* 318 * First, handle the user record, if any: commit to the system trail 319 * and audit pipes as selected. 320 */ 321 if ((ar->k_ar_commit & AR_COMMIT_USER) && 322 (ar->k_ar_commit & AR_PRESELECT_USER_TRAIL)) { 323 sx_assert(&audit_worker_sx, SA_XLOCKED); 324 audit_record_write(audit_vp, audit_cred, ar->k_udata, 325 ar->k_ulen); 326 } 327 328 if ((ar->k_ar_commit & AR_COMMIT_USER) && 329 (ar->k_ar_commit & AR_PRESELECT_USER_PIPE)) 330 audit_pipe_submit_user(ar->k_udata, ar->k_ulen); 331 332 if (!(ar->k_ar_commit & AR_COMMIT_KERNEL) || 333 ((ar->k_ar_commit & AR_PRESELECT_PIPE) == 0 && 334 (ar->k_ar_commit & AR_PRESELECT_TRAIL) == 0)) 335 goto out; 336 337 auid = ar->k_ar.ar_subj_auid; 338 event = ar->k_ar.ar_event; 339 class = au_event_class(event); 340 if (ar->k_ar.ar_errno == 0) 341 sorf = AU_PRS_SUCCESS; 342 else 343 sorf = AU_PRS_FAILURE; 344 345 error = kaudit_to_bsm(ar, &bsm); 346 switch (error) { 347 case BSM_NOAUDIT: 348 goto out; 349 350 case BSM_FAILURE: 351 printf("audit_worker_process_record: BSM_FAILURE\n"); 352 goto out; 353 354 case BSM_SUCCESS: 355 break; 356 357 default: 358 panic("kaudit_to_bsm returned %d", error); 359 } 360 361 if (ar->k_ar_commit & AR_PRESELECT_TRAIL) { 362 sx_assert(&audit_worker_sx, SA_XLOCKED); 363 audit_record_write(audit_vp, audit_cred, bsm->data, bsm->len); 364 } 365 366 if (ar->k_ar_commit & AR_PRESELECT_PIPE) 367 audit_pipe_submit(auid, event, class, sorf, 368 ar->k_ar_commit & AR_PRESELECT_TRAIL, bsm->data, 369 bsm->len); 370 371 kau_free(bsm); 372out: 373 if (trail_locked) 374 sx_xunlock(&audit_worker_sx); 375} 376 377/* 378 * The audit_worker thread is responsible for watching the event queue, 379 * dequeueing records, converting them to BSM format, and committing them to 380 * disk. In order to minimize lock thrashing, records are dequeued in sets 381 * to a thread-local work queue. 382 * 383 * Note: this means that the effect bound on the size of the pending record 384 * queue is 2x the length of the global queue. 385 */ 386static void 387audit_worker(void *arg) 388{ 389 struct kaudit_queue ar_worklist; 390 struct kaudit_record *ar; 391 int lowater_signal; 392 393 TAILQ_INIT(&ar_worklist); 394 mtx_lock(&audit_mtx); 395 while (1) { 396 mtx_assert(&audit_mtx, MA_OWNED); 397 398 /* 399 * Wait for a record. 400 */ 401 while (TAILQ_EMPTY(&audit_q)) 402 cv_wait(&audit_worker_cv, &audit_mtx); 403 404 /* 405 * If there are records in the global audit record queue, 406 * transfer them to a thread-local queue and process them 407 * one by one. If we cross the low watermark threshold, 408 * signal any waiting processes that they may wake up and 409 * continue generating records. 410 */ 411 lowater_signal = 0; 412 while ((ar = TAILQ_FIRST(&audit_q))) { 413 TAILQ_REMOVE(&audit_q, ar, k_q); 414 audit_q_len--; 415 if (audit_q_len == audit_qctrl.aq_lowater) 416 lowater_signal++; 417 TAILQ_INSERT_TAIL(&ar_worklist, ar, k_q); 418 } 419 if (lowater_signal) 420 cv_broadcast(&audit_watermark_cv); 421 422 mtx_unlock(&audit_mtx); 423 while ((ar = TAILQ_FIRST(&ar_worklist))) { 424 TAILQ_REMOVE(&ar_worklist, ar, k_q); 425 audit_worker_process_record(ar); 426 audit_free(ar); 427 } 428 mtx_lock(&audit_mtx); 429 } 430} 431 432/* 433 * audit_rotate_vnode() is called by a user or kernel thread to configure or 434 * de-configure auditing on a vnode. The arguments are the replacement 435 * credential (referenced) and vnode (referenced and opened) to substitute 436 * for the current credential and vnode, if any. If either is set to NULL, 437 * both should be NULL, and this is used to indicate that audit is being 438 * disabled. Any previous cred/vnode will be closed and freed. We re-enable 439 * generating rotation requests to auditd. 440 */ 441void 442audit_rotate_vnode(struct ucred *cred, struct vnode *vp) 443{ 444 struct ucred *old_audit_cred; 445 struct vnode *old_audit_vp; 446 int vfslocked; 447 448 KASSERT((cred != NULL && vp != NULL) || (cred == NULL && vp == NULL), 449 ("audit_rotate_vnode: cred %p vp %p", cred, vp)); 450 451 /* 452 * Rotate the vnode/cred, and clear the rotate flag so that we will 453 * send a rotate trigger if the new file fills. 454 */ 455 sx_xlock(&audit_worker_sx); 456 old_audit_cred = audit_cred; 457 old_audit_vp = audit_vp; 458 audit_cred = cred; 459 audit_vp = vp; 460 audit_file_rotate_wait = 0; 461 audit_enabled = (audit_vp != NULL); 462 sx_xunlock(&audit_worker_sx); 463 464 /* 465 * If there was an old vnode/credential, close and free. 466 */ 467 if (old_audit_vp != NULL) { 468 vfslocked = VFS_LOCK_GIANT(old_audit_vp->v_mount); 469 vn_close(old_audit_vp, AUDIT_CLOSE_FLAGS, old_audit_cred, 470 curthread); 471 VFS_UNLOCK_GIANT(vfslocked); 472 crfree(old_audit_cred); 473 } 474} 475 476void 477audit_worker_init(void) 478{ 479 int error; 480 481 sx_init(&audit_worker_sx, "audit_worker_sx"); 482 error = kproc_create(audit_worker, NULL, &audit_thread, RFHIGHPID, 483 0, "audit"); 484 if (error) 485 panic("audit_worker_init: kproc_create returned %d", error); 486} 487