filemon.c revision 330897
1/*- 2 * SPDX-License-Identifier: BSD-2-Clause-FreeBSD 3 * 4 * Copyright (c) 2011, David E. O'Brien. 5 * Copyright (c) 2009-2011, Juniper Networks, Inc. 6 * Copyright (c) 2015-2016, EMC Corp. 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 18 * THIS SOFTWARE IS PROVIDED BY JUNIPER NETWORKS AND CONTRIBUTORS ``AS IS'' AND 19 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 * ARE DISCLAIMED. IN NO EVENT SHALL JUNIPER NETWORKS OR CONTRIBUTORS BE LIABLE 22 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 23 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 24 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 25 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 26 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 27 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 28 * SUCH DAMAGE. 29 */ 30 31#include <sys/cdefs.h> 32__FBSDID("$FreeBSD: stable/11/sys/dev/filemon/filemon.c 330897 2018-03-14 03:19:51Z eadler $"); 33 34#include "opt_compat.h" 35 36#include <sys/param.h> 37#include <sys/file.h> 38#include <sys/systm.h> 39#include <sys/buf.h> 40#include <sys/capsicum.h> 41#include <sys/condvar.h> 42#include <sys/conf.h> 43#include <sys/fcntl.h> 44#include <sys/ioccom.h> 45#include <sys/kernel.h> 46#include <sys/lock.h> 47#include <sys/malloc.h> 48#include <sys/module.h> 49#include <sys/poll.h> 50#include <sys/proc.h> 51#include <sys/sx.h> 52#include <sys/syscall.h> 53#include <sys/sysent.h> 54#include <sys/sysproto.h> 55#include <sys/uio.h> 56 57#include "filemon.h" 58 59#if defined(COMPAT_FREEBSD32) 60#include <compat/freebsd32/freebsd32_syscall.h> 61#include <compat/freebsd32/freebsd32_proto.h> 62#include <compat/freebsd32/freebsd32_util.h> 63#endif 64 65static d_close_t filemon_close; 66static d_ioctl_t filemon_ioctl; 67static d_open_t filemon_open; 68 69static struct cdevsw filemon_cdevsw = { 70 .d_version = D_VERSION, 71 .d_close = filemon_close, 72 .d_ioctl = filemon_ioctl, 73 .d_open = filemon_open, 74 .d_name = "filemon", 75}; 76 77MALLOC_DECLARE(M_FILEMON); 78MALLOC_DEFINE(M_FILEMON, "filemon", "File access monitor"); 79 80/* 81 * The filemon->lock protects several things currently: 82 * - fname1/fname2/msgbufr are pre-allocated and used per syscall 83 * for logging and copyins rather than stack variables. 84 * - Serializing the filemon's log output. 85 * - Preventing inheritance or removal of the filemon into proc.p_filemon. 86 */ 87struct filemon { 88 struct sx lock; /* Lock for this filemon. */ 89 struct file *fp; /* Output file pointer. */ 90 struct ucred *cred; /* Credential of tracer. */ 91 char fname1[MAXPATHLEN]; /* Temporary filename buffer. */ 92 char fname2[MAXPATHLEN]; /* Temporary filename buffer. */ 93 char msgbufr[1024]; /* Output message buffer. */ 94 int error; /* Log write error, returned on close(2). */ 95 u_int refcnt; /* Pointer reference count. */ 96 u_int proccnt; /* Process count. */ 97}; 98 99static struct cdev *filemon_dev; 100static void filemon_output(struct filemon *filemon, char *msg, size_t len); 101 102static __inline struct filemon * 103filemon_acquire(struct filemon *filemon) 104{ 105 106 if (filemon != NULL) 107 refcount_acquire(&filemon->refcnt); 108 return (filemon); 109} 110 111/* 112 * Release a reference and free on the last one. 113 */ 114static void 115filemon_release(struct filemon *filemon) 116{ 117 118 if (refcount_release(&filemon->refcnt) == 0) 119 return; 120 /* 121 * There are valid cases of releasing while locked, such as in 122 * filemon_untrack_processes, but none which are done where there 123 * is not at least 1 reference remaining. 124 */ 125 sx_assert(&filemon->lock, SA_UNLOCKED); 126 127 if (filemon->cred != NULL) 128 crfree(filemon->cred); 129 sx_destroy(&filemon->lock); 130 free(filemon, M_FILEMON); 131} 132 133/* 134 * Acquire the proc's p_filemon reference and lock the filemon. 135 * The proc's p_filemon may not match this filemon on return. 136 */ 137static struct filemon * 138filemon_proc_get(struct proc *p) 139{ 140 struct filemon *filemon; 141 142 if (p->p_filemon == NULL) 143 return (NULL); 144 PROC_LOCK(p); 145 filemon = filemon_acquire(p->p_filemon); 146 PROC_UNLOCK(p); 147 148 if (filemon == NULL) 149 return (NULL); 150 /* 151 * The p->p_filemon may have changed by now. That case is handled 152 * by the exit and fork hooks and filemon_attach_proc specially. 153 */ 154 sx_xlock(&filemon->lock); 155 return (filemon); 156} 157 158/* Remove and release the filemon on the given process. */ 159static void 160filemon_proc_drop(struct proc *p) 161{ 162 struct filemon *filemon; 163 164 KASSERT(p->p_filemon != NULL, ("%s: proc %p NULL p_filemon", 165 __func__, p)); 166 sx_assert(&p->p_filemon->lock, SA_XLOCKED); 167 PROC_LOCK(p); 168 filemon = p->p_filemon; 169 p->p_filemon = NULL; 170 --filemon->proccnt; 171 PROC_UNLOCK(p); 172 /* 173 * This should not be the last reference yet. filemon_release() 174 * cannot be called with filemon locked, which the caller expects 175 * will stay locked. 176 */ 177 KASSERT(filemon->refcnt > 1, ("%s: proc %p dropping filemon %p " 178 "with last reference", __func__, p, filemon)); 179 filemon_release(filemon); 180} 181 182/* Unlock and release the filemon. */ 183static __inline void 184filemon_drop(struct filemon *filemon) 185{ 186 187 sx_xunlock(&filemon->lock); 188 filemon_release(filemon); 189} 190 191#include "filemon_wrapper.c" 192 193static void 194filemon_write_header(struct filemon *filemon) 195{ 196 int len; 197 struct timeval now; 198 199 getmicrotime(&now); 200 201 len = snprintf(filemon->msgbufr, sizeof(filemon->msgbufr), 202 "# filemon version %d\n# Target pid %d\n# Start %ju.%06ju\nV %d\n", 203 FILEMON_VERSION, curproc->p_pid, (uintmax_t)now.tv_sec, 204 (uintmax_t)now.tv_usec, FILEMON_VERSION); 205 206 filemon_output(filemon, filemon->msgbufr, len); 207} 208 209/* 210 * Invalidate the passed filemon in all processes. 211 */ 212static void 213filemon_untrack_processes(struct filemon *filemon) 214{ 215 struct proc *p; 216 217 sx_assert(&filemon->lock, SA_XLOCKED); 218 219 /* Avoid allproc loop if there is no need. */ 220 if (filemon->proccnt == 0) 221 return; 222 223 /* 224 * Processes in this list won't go away while here since 225 * filemon_event_process_exit() will lock on filemon->lock 226 * which we hold. 227 */ 228 sx_slock(&allproc_lock); 229 FOREACH_PROC_IN_SYSTEM(p) { 230 /* 231 * No PROC_LOCK is needed to compare here since it is 232 * guaranteed to not change since we have its filemon 233 * locked. Everything that changes this p_filemon will 234 * be locked on it. 235 */ 236 if (p->p_filemon == filemon) 237 filemon_proc_drop(p); 238 } 239 sx_sunlock(&allproc_lock); 240 241 /* 242 * It's possible some references were acquired but will be 243 * dropped shortly as they are restricted from being 244 * inherited. There is at least the reference in cdevpriv remaining. 245 */ 246 KASSERT(filemon->refcnt > 0, ("%s: filemon %p should have " 247 "references still.", __func__, filemon)); 248 KASSERT(filemon->proccnt == 0, ("%s: filemon %p should not have " 249 "attached procs still.", __func__, filemon)); 250} 251 252/* 253 * Close out the log. 254 */ 255static void 256filemon_close_log(struct filemon *filemon) 257{ 258 struct file *fp; 259 struct timeval now; 260 size_t len; 261 262 sx_assert(&filemon->lock, SA_XLOCKED); 263 if (filemon->fp == NULL) 264 return; 265 266 getmicrotime(&now); 267 268 len = snprintf(filemon->msgbufr, 269 sizeof(filemon->msgbufr), 270 "# Stop %ju.%06ju\n# Bye bye\n", 271 (uintmax_t)now.tv_sec, (uintmax_t)now.tv_usec); 272 273 filemon_output(filemon, filemon->msgbufr, len); 274 fp = filemon->fp; 275 filemon->fp = NULL; 276 277 sx_xunlock(&filemon->lock); 278 fdrop(fp, curthread); 279 sx_xlock(&filemon->lock); 280} 281 282/* 283 * The devfs file is being closed. Untrace all processes. It is possible 284 * filemon_close/close(2) was not called. 285 */ 286static void 287filemon_dtr(void *data) 288{ 289 struct filemon *filemon = data; 290 291 if (filemon == NULL) 292 return; 293 294 sx_xlock(&filemon->lock); 295 /* 296 * Detach the filemon. It cannot be inherited after this. 297 */ 298 filemon_untrack_processes(filemon); 299 filemon_close_log(filemon); 300 filemon_drop(filemon); 301} 302 303/* Attach the filemon to the process. */ 304static int 305filemon_attach_proc(struct filemon *filemon, struct proc *p) 306{ 307 struct filemon *filemon2; 308 309 sx_assert(&filemon->lock, SA_XLOCKED); 310 PROC_LOCK_ASSERT(p, MA_OWNED); 311 KASSERT((p->p_flag & P_WEXIT) == 0, 312 ("%s: filemon %p attaching to exiting process %p", 313 __func__, filemon, p)); 314 KASSERT((p->p_flag & P_INEXEC) == 0, 315 ("%s: filemon %p attaching to execing process %p", 316 __func__, filemon, p)); 317 318 if (p->p_filemon == filemon) 319 return (0); 320 /* 321 * Don't allow truncating other process traces. It is 322 * not really intended to trace procs other than curproc 323 * anyhow. 324 */ 325 if (p->p_filemon != NULL && p != curproc) 326 return (EBUSY); 327 /* 328 * Historic behavior of filemon has been to let a child initiate 329 * tracing on itself and cease existing tracing. Bmake 330 * .META + .MAKE relies on this. It is only relevant for attaching to 331 * curproc. 332 */ 333 while (p->p_filemon != NULL) { 334 PROC_UNLOCK(p); 335 sx_xunlock(&filemon->lock); 336 while ((filemon2 = filemon_proc_get(p)) != NULL) { 337 /* It may have changed. */ 338 if (p->p_filemon == filemon2) 339 filemon_proc_drop(p); 340 filemon_drop(filemon2); 341 } 342 sx_xlock(&filemon->lock); 343 PROC_LOCK(p); 344 /* 345 * It may have been attached to, though unlikely. 346 * Try again if needed. 347 */ 348 } 349 350 KASSERT(p->p_filemon == NULL, 351 ("%s: proc %p didn't detach filemon %p", __func__, p, 352 p->p_filemon)); 353 p->p_filemon = filemon_acquire(filemon); 354 ++filemon->proccnt; 355 356 return (0); 357} 358 359static int 360filemon_ioctl(struct cdev *dev, u_long cmd, caddr_t data, int flag __unused, 361 struct thread *td) 362{ 363 int error = 0; 364 struct filemon *filemon; 365 struct proc *p; 366 cap_rights_t rights; 367 368 if ((error = devfs_get_cdevpriv((void **) &filemon)) != 0) 369 return (error); 370 371 sx_xlock(&filemon->lock); 372 373 switch (cmd) { 374 /* Set the output file descriptor. */ 375 case FILEMON_SET_FD: 376 if (filemon->fp != NULL) { 377 error = EEXIST; 378 break; 379 } 380 381 error = fget_write(td, *(int *)data, 382 cap_rights_init(&rights, CAP_PWRITE), 383 &filemon->fp); 384 if (error == 0) 385 /* Write the file header. */ 386 filemon_write_header(filemon); 387 break; 388 389 /* Set the monitored process ID. */ 390 case FILEMON_SET_PID: 391 /* Invalidate any existing processes already set. */ 392 filemon_untrack_processes(filemon); 393 394 error = pget(*((pid_t *)data), 395 PGET_CANDEBUG | PGET_NOTWEXIT | PGET_NOTINEXEC, &p); 396 if (error == 0) { 397 KASSERT(p->p_filemon != filemon, 398 ("%s: proc %p didn't untrack filemon %p", 399 __func__, p, filemon)); 400 error = filemon_attach_proc(filemon, p); 401 PROC_UNLOCK(p); 402 } 403 break; 404 405 default: 406 error = EINVAL; 407 break; 408 } 409 410 sx_xunlock(&filemon->lock); 411 return (error); 412} 413 414static int 415filemon_open(struct cdev *dev, int oflags __unused, int devtype __unused, 416 struct thread *td) 417{ 418 int error; 419 struct filemon *filemon; 420 421 filemon = malloc(sizeof(*filemon), M_FILEMON, 422 M_WAITOK | M_ZERO); 423 sx_init(&filemon->lock, "filemon"); 424 refcount_init(&filemon->refcnt, 1); 425 filemon->cred = crhold(td->td_ucred); 426 427 error = devfs_set_cdevpriv(filemon, filemon_dtr); 428 if (error != 0) 429 filemon_release(filemon); 430 431 return (error); 432} 433 434/* Called on close of last devfs file handle, before filemon_dtr(). */ 435static int 436filemon_close(struct cdev *dev __unused, int flag __unused, int fmt __unused, 437 struct thread *td __unused) 438{ 439 struct filemon *filemon; 440 int error; 441 442 if ((error = devfs_get_cdevpriv((void **) &filemon)) != 0) 443 return (error); 444 445 sx_xlock(&filemon->lock); 446 filemon_close_log(filemon); 447 error = filemon->error; 448 sx_xunlock(&filemon->lock); 449 /* 450 * Processes are still being traced but won't log anything 451 * now. After this call returns filemon_dtr() is called which 452 * will detach processes. 453 */ 454 455 return (error); 456} 457 458static void 459filemon_load(void *dummy __unused) 460{ 461 462 /* Install the syscall wrappers. */ 463 filemon_wrapper_install(); 464 465 filemon_dev = make_dev(&filemon_cdevsw, 0, UID_ROOT, GID_WHEEL, 0666, 466 "filemon"); 467} 468 469static int 470filemon_unload(void) 471{ 472 473 destroy_dev(filemon_dev); 474 filemon_wrapper_deinstall(); 475 476 return (0); 477} 478 479static int 480filemon_modevent(module_t mod __unused, int type, void *data) 481{ 482 int error = 0; 483 484 switch (type) { 485 case MOD_LOAD: 486 filemon_load(data); 487 break; 488 489 case MOD_UNLOAD: 490 error = filemon_unload(); 491 break; 492 493 case MOD_QUIESCE: 494 /* 495 * The wrapper implementation is unsafe for reliable unload. 496 * Require forcing an unload. 497 */ 498 error = EBUSY; 499 break; 500 501 case MOD_SHUTDOWN: 502 break; 503 504 default: 505 error = EOPNOTSUPP; 506 break; 507 508 } 509 510 return (error); 511} 512 513DEV_MODULE(filemon, filemon_modevent, NULL); 514MODULE_VERSION(filemon, 1); 515