filemon.c revision 331722
1/*- 2 * Copyright (c) 2011, David E. O'Brien. 3 * Copyright (c) 2009-2011, Juniper Networks, Inc. 4 * Copyright (c) 2015-2016, EMC Corp. 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 16 * THIS SOFTWARE IS PROVIDED BY JUNIPER NETWORKS AND CONTRIBUTORS ``AS IS'' AND 17 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19 * ARE DISCLAIMED. IN NO EVENT SHALL JUNIPER NETWORKS OR CONTRIBUTORS BE LIABLE 20 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26 * SUCH DAMAGE. 27 */ 28 29#include <sys/cdefs.h> 30__FBSDID("$FreeBSD: stable/11/sys/dev/filemon/filemon.c 331722 2018-03-29 02:50:57Z eadler $"); 31 32#include "opt_compat.h" 33 34#include <sys/param.h> 35#include <sys/file.h> 36#include <sys/systm.h> 37#include <sys/buf.h> 38#include <sys/capsicum.h> 39#include <sys/condvar.h> 40#include <sys/conf.h> 41#include <sys/fcntl.h> 42#include <sys/ioccom.h> 43#include <sys/kernel.h> 44#include <sys/lock.h> 45#include <sys/malloc.h> 46#include <sys/module.h> 47#include <sys/poll.h> 48#include <sys/proc.h> 49#include <sys/sx.h> 50#include <sys/syscall.h> 51#include <sys/sysent.h> 52#include <sys/sysproto.h> 53#include <sys/uio.h> 54 55#include "filemon.h" 56 57#if defined(COMPAT_FREEBSD32) 58#include <compat/freebsd32/freebsd32_syscall.h> 59#include <compat/freebsd32/freebsd32_proto.h> 60#include <compat/freebsd32/freebsd32_util.h> 61#endif 62 63static d_close_t filemon_close; 64static d_ioctl_t filemon_ioctl; 65static d_open_t filemon_open; 66 67static struct cdevsw filemon_cdevsw = { 68 .d_version = D_VERSION, 69 .d_close = filemon_close, 70 .d_ioctl = filemon_ioctl, 71 .d_open = filemon_open, 72 .d_name = "filemon", 73}; 74 75MALLOC_DECLARE(M_FILEMON); 76MALLOC_DEFINE(M_FILEMON, "filemon", "File access monitor"); 77 78/* 79 * The filemon->lock protects several things currently: 80 * - fname1/fname2/msgbufr are pre-allocated and used per syscall 81 * for logging and copyins rather than stack variables. 82 * - Serializing the filemon's log output. 83 * - Preventing inheritance or removal of the filemon into proc.p_filemon. 84 */ 85struct filemon { 86 struct sx lock; /* Lock for this filemon. */ 87 struct file *fp; /* Output file pointer. */ 88 struct ucred *cred; /* Credential of tracer. */ 89 char fname1[MAXPATHLEN]; /* Temporary filename buffer. */ 90 char fname2[MAXPATHLEN]; /* Temporary filename buffer. */ 91 char msgbufr[1024]; /* Output message buffer. */ 92 int error; /* Log write error, returned on close(2). */ 93 u_int refcnt; /* Pointer reference count. */ 94 u_int proccnt; /* Process count. */ 95}; 96 97static struct cdev *filemon_dev; 98static void filemon_output(struct filemon *filemon, char *msg, size_t len); 99 100static __inline struct filemon * 101filemon_acquire(struct filemon *filemon) 102{ 103 104 if (filemon != NULL) 105 refcount_acquire(&filemon->refcnt); 106 return (filemon); 107} 108 109/* 110 * Release a reference and free on the last one. 111 */ 112static void 113filemon_release(struct filemon *filemon) 114{ 115 116 if (refcount_release(&filemon->refcnt) == 0) 117 return; 118 /* 119 * There are valid cases of releasing while locked, such as in 120 * filemon_untrack_processes, but none which are done where there 121 * is not at least 1 reference remaining. 122 */ 123 sx_assert(&filemon->lock, SA_UNLOCKED); 124 125 if (filemon->cred != NULL) 126 crfree(filemon->cred); 127 sx_destroy(&filemon->lock); 128 free(filemon, M_FILEMON); 129} 130 131/* 132 * Acquire the proc's p_filemon reference and lock the filemon. 133 * The proc's p_filemon may not match this filemon on return. 134 */ 135static struct filemon * 136filemon_proc_get(struct proc *p) 137{ 138 struct filemon *filemon; 139 140 if (p->p_filemon == NULL) 141 return (NULL); 142 PROC_LOCK(p); 143 filemon = filemon_acquire(p->p_filemon); 144 PROC_UNLOCK(p); 145 146 if (filemon == NULL) 147 return (NULL); 148 /* 149 * The p->p_filemon may have changed by now. That case is handled 150 * by the exit and fork hooks and filemon_attach_proc specially. 151 */ 152 sx_xlock(&filemon->lock); 153 return (filemon); 154} 155 156/* Remove and release the filemon on the given process. */ 157static void 158filemon_proc_drop(struct proc *p) 159{ 160 struct filemon *filemon; 161 162 KASSERT(p->p_filemon != NULL, ("%s: proc %p NULL p_filemon", 163 __func__, p)); 164 sx_assert(&p->p_filemon->lock, SA_XLOCKED); 165 PROC_LOCK(p); 166 filemon = p->p_filemon; 167 p->p_filemon = NULL; 168 --filemon->proccnt; 169 PROC_UNLOCK(p); 170 /* 171 * This should not be the last reference yet. filemon_release() 172 * cannot be called with filemon locked, which the caller expects 173 * will stay locked. 174 */ 175 KASSERT(filemon->refcnt > 1, ("%s: proc %p dropping filemon %p " 176 "with last reference", __func__, p, filemon)); 177 filemon_release(filemon); 178} 179 180/* Unlock and release the filemon. */ 181static __inline void 182filemon_drop(struct filemon *filemon) 183{ 184 185 sx_xunlock(&filemon->lock); 186 filemon_release(filemon); 187} 188 189#include "filemon_wrapper.c" 190 191static void 192filemon_write_header(struct filemon *filemon) 193{ 194 int len; 195 struct timeval now; 196 197 getmicrotime(&now); 198 199 len = snprintf(filemon->msgbufr, sizeof(filemon->msgbufr), 200 "# filemon version %d\n# Target pid %d\n# Start %ju.%06ju\nV %d\n", 201 FILEMON_VERSION, curproc->p_pid, (uintmax_t)now.tv_sec, 202 (uintmax_t)now.tv_usec, FILEMON_VERSION); 203 204 filemon_output(filemon, filemon->msgbufr, len); 205} 206 207/* 208 * Invalidate the passed filemon in all processes. 209 */ 210static void 211filemon_untrack_processes(struct filemon *filemon) 212{ 213 struct proc *p; 214 215 sx_assert(&filemon->lock, SA_XLOCKED); 216 217 /* Avoid allproc loop if there is no need. */ 218 if (filemon->proccnt == 0) 219 return; 220 221 /* 222 * Processes in this list won't go away while here since 223 * filemon_event_process_exit() will lock on filemon->lock 224 * which we hold. 225 */ 226 sx_slock(&allproc_lock); 227 FOREACH_PROC_IN_SYSTEM(p) { 228 /* 229 * No PROC_LOCK is needed to compare here since it is 230 * guaranteed to not change since we have its filemon 231 * locked. Everything that changes this p_filemon will 232 * be locked on it. 233 */ 234 if (p->p_filemon == filemon) 235 filemon_proc_drop(p); 236 } 237 sx_sunlock(&allproc_lock); 238 239 /* 240 * It's possible some references were acquired but will be 241 * dropped shortly as they are restricted from being 242 * inherited. There is at least the reference in cdevpriv remaining. 243 */ 244 KASSERT(filemon->refcnt > 0, ("%s: filemon %p should have " 245 "references still.", __func__, filemon)); 246 KASSERT(filemon->proccnt == 0, ("%s: filemon %p should not have " 247 "attached procs still.", __func__, filemon)); 248} 249 250/* 251 * Close out the log. 252 */ 253static void 254filemon_close_log(struct filemon *filemon) 255{ 256 struct file *fp; 257 struct timeval now; 258 size_t len; 259 260 sx_assert(&filemon->lock, SA_XLOCKED); 261 if (filemon->fp == NULL) 262 return; 263 264 getmicrotime(&now); 265 266 len = snprintf(filemon->msgbufr, 267 sizeof(filemon->msgbufr), 268 "# Stop %ju.%06ju\n# Bye bye\n", 269 (uintmax_t)now.tv_sec, (uintmax_t)now.tv_usec); 270 271 filemon_output(filemon, filemon->msgbufr, len); 272 fp = filemon->fp; 273 filemon->fp = NULL; 274 275 sx_xunlock(&filemon->lock); 276 fdrop(fp, curthread); 277 sx_xlock(&filemon->lock); 278} 279 280/* 281 * The devfs file is being closed. Untrace all processes. It is possible 282 * filemon_close/close(2) was not called. 283 */ 284static void 285filemon_dtr(void *data) 286{ 287 struct filemon *filemon = data; 288 289 if (filemon == NULL) 290 return; 291 292 sx_xlock(&filemon->lock); 293 /* 294 * Detach the filemon. It cannot be inherited after this. 295 */ 296 filemon_untrack_processes(filemon); 297 filemon_close_log(filemon); 298 filemon_drop(filemon); 299} 300 301/* Attach the filemon to the process. */ 302static int 303filemon_attach_proc(struct filemon *filemon, struct proc *p) 304{ 305 struct filemon *filemon2; 306 307 sx_assert(&filemon->lock, SA_XLOCKED); 308 PROC_LOCK_ASSERT(p, MA_OWNED); 309 KASSERT((p->p_flag & P_WEXIT) == 0, 310 ("%s: filemon %p attaching to exiting process %p", 311 __func__, filemon, p)); 312 KASSERT((p->p_flag & P_INEXEC) == 0, 313 ("%s: filemon %p attaching to execing process %p", 314 __func__, filemon, p)); 315 316 if (p->p_filemon == filemon) 317 return (0); 318 /* 319 * Don't allow truncating other process traces. It is 320 * not really intended to trace procs other than curproc 321 * anyhow. 322 */ 323 if (p->p_filemon != NULL && p != curproc) 324 return (EBUSY); 325 /* 326 * Historic behavior of filemon has been to let a child initiate 327 * tracing on itself and cease existing tracing. Bmake 328 * .META + .MAKE relies on this. It is only relevant for attaching to 329 * curproc. 330 */ 331 while (p->p_filemon != NULL) { 332 PROC_UNLOCK(p); 333 sx_xunlock(&filemon->lock); 334 while ((filemon2 = filemon_proc_get(p)) != NULL) { 335 /* It may have changed. */ 336 if (p->p_filemon == filemon2) 337 filemon_proc_drop(p); 338 filemon_drop(filemon2); 339 } 340 sx_xlock(&filemon->lock); 341 PROC_LOCK(p); 342 /* 343 * It may have been attached to, though unlikely. 344 * Try again if needed. 345 */ 346 } 347 348 KASSERT(p->p_filemon == NULL, 349 ("%s: proc %p didn't detach filemon %p", __func__, p, 350 p->p_filemon)); 351 p->p_filemon = filemon_acquire(filemon); 352 ++filemon->proccnt; 353 354 return (0); 355} 356 357static int 358filemon_ioctl(struct cdev *dev, u_long cmd, caddr_t data, int flag __unused, 359 struct thread *td) 360{ 361 int error = 0; 362 struct filemon *filemon; 363 struct proc *p; 364 cap_rights_t rights; 365 366 if ((error = devfs_get_cdevpriv((void **) &filemon)) != 0) 367 return (error); 368 369 sx_xlock(&filemon->lock); 370 371 switch (cmd) { 372 /* Set the output file descriptor. */ 373 case FILEMON_SET_FD: 374 if (filemon->fp != NULL) { 375 error = EEXIST; 376 break; 377 } 378 379 error = fget_write(td, *(int *)data, 380 cap_rights_init(&rights, CAP_PWRITE), 381 &filemon->fp); 382 if (error == 0) 383 /* Write the file header. */ 384 filemon_write_header(filemon); 385 break; 386 387 /* Set the monitored process ID. */ 388 case FILEMON_SET_PID: 389 /* Invalidate any existing processes already set. */ 390 filemon_untrack_processes(filemon); 391 392 error = pget(*((pid_t *)data), 393 PGET_CANDEBUG | PGET_NOTWEXIT | PGET_NOTINEXEC, &p); 394 if (error == 0) { 395 KASSERT(p->p_filemon != filemon, 396 ("%s: proc %p didn't untrack filemon %p", 397 __func__, p, filemon)); 398 error = filemon_attach_proc(filemon, p); 399 PROC_UNLOCK(p); 400 } 401 break; 402 403 default: 404 error = EINVAL; 405 break; 406 } 407 408 sx_xunlock(&filemon->lock); 409 return (error); 410} 411 412static int 413filemon_open(struct cdev *dev, int oflags __unused, int devtype __unused, 414 struct thread *td) 415{ 416 int error; 417 struct filemon *filemon; 418 419 filemon = malloc(sizeof(*filemon), M_FILEMON, 420 M_WAITOK | M_ZERO); 421 sx_init(&filemon->lock, "filemon"); 422 refcount_init(&filemon->refcnt, 1); 423 filemon->cred = crhold(td->td_ucred); 424 425 error = devfs_set_cdevpriv(filemon, filemon_dtr); 426 if (error != 0) 427 filemon_release(filemon); 428 429 return (error); 430} 431 432/* Called on close of last devfs file handle, before filemon_dtr(). */ 433static int 434filemon_close(struct cdev *dev __unused, int flag __unused, int fmt __unused, 435 struct thread *td __unused) 436{ 437 struct filemon *filemon; 438 int error; 439 440 if ((error = devfs_get_cdevpriv((void **) &filemon)) != 0) 441 return (error); 442 443 sx_xlock(&filemon->lock); 444 filemon_close_log(filemon); 445 error = filemon->error; 446 sx_xunlock(&filemon->lock); 447 /* 448 * Processes are still being traced but won't log anything 449 * now. After this call returns filemon_dtr() is called which 450 * will detach processes. 451 */ 452 453 return (error); 454} 455 456static void 457filemon_load(void *dummy __unused) 458{ 459 460 /* Install the syscall wrappers. */ 461 filemon_wrapper_install(); 462 463 filemon_dev = make_dev(&filemon_cdevsw, 0, UID_ROOT, GID_WHEEL, 0666, 464 "filemon"); 465} 466 467static int 468filemon_unload(void) 469{ 470 471 destroy_dev(filemon_dev); 472 filemon_wrapper_deinstall(); 473 474 return (0); 475} 476 477static int 478filemon_modevent(module_t mod __unused, int type, void *data) 479{ 480 int error = 0; 481 482 switch (type) { 483 case MOD_LOAD: 484 filemon_load(data); 485 break; 486 487 case MOD_UNLOAD: 488 error = filemon_unload(); 489 break; 490 491 case MOD_QUIESCE: 492 /* 493 * The wrapper implementation is unsafe for reliable unload. 494 * Require forcing an unload. 495 */ 496 error = EBUSY; 497 break; 498 499 case MOD_SHUTDOWN: 500 break; 501 502 default: 503 error = EOPNOTSUPP; 504 break; 505 506 } 507 508 return (error); 509} 510 511DEV_MODULE(filemon, filemon_modevent, NULL); 512MODULE_VERSION(filemon, 1); 513