audit_pipe.c revision 181053
1254721Semaste/*- 2254721Semaste * Copyright (c) 2006 Robert N. M. Watson 3254721Semaste * All rights reserved. 4254721Semaste * 5254721Semaste * This software was developed by Robert Watson for the TrustedBSD Project. 6254721Semaste * 7254721Semaste * Redistribution and use in source and binary forms, with or without 8254721Semaste * modification, are permitted provided that the following conditions 9254721Semaste * are met: 10254721Semaste * 1. Redistributions of source code must retain the above copyright 11254721Semaste * notice, this list of conditions and the following disclaimer. 12254721Semaste * 2. Redistributions in binary form must reproduce the above copyright 13254721Semaste * notice, this list of conditions and the following disclaimer in the 14254721Semaste * documentation and/or other materials provided with the distribution. 15254721Semaste * 16254721Semaste * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 17254721Semaste * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18254721Semaste * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19254721Semaste * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 20254721Semaste * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21254721Semaste * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22254721Semaste * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23254721Semaste * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24254721Semaste * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25254721Semaste * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26254721Semaste * SUCH DAMAGE. 27254721Semaste */ 28254721Semaste 29254721Semaste#include <sys/cdefs.h> 30254721Semaste__FBSDID("$FreeBSD: head/sys/security/audit/audit_pipe.c 181053 2008-07-31 09:54:35Z rwatson $"); 31254721Semaste 32254721Semaste#include <sys/param.h> 33254721Semaste#include <sys/condvar.h> 34254721Semaste#include <sys/conf.h> 35254721Semaste#include <sys/eventhandler.h> 36254721Semaste#include <sys/filio.h> 37254721Semaste#include <sys/kernel.h> 38254721Semaste#include <sys/lock.h> 39254721Semaste#include <sys/malloc.h> 40254721Semaste#include <sys/mutex.h> 41254721Semaste#include <sys/poll.h> 42254721Semaste#include <sys/proc.h> 43254721Semaste#include <sys/queue.h> 44254721Semaste#include <sys/selinfo.h> 45254721Semaste#include <sys/sigio.h> 46254721Semaste#include <sys/signal.h> 47254721Semaste#include <sys/signalvar.h> 48254721Semaste#include <sys/systm.h> 49254721Semaste#include <sys/uio.h> 50254721Semaste 51254721Semaste#include <security/audit/audit.h> 52254721Semaste#include <security/audit/audit_ioctl.h> 53254721Semaste#include <security/audit/audit_private.h> 54254721Semaste 55254721Semaste/* 56254721Semaste * Implementation of a clonable special device providing a live stream of BSM 57254721Semaste * audit data. This is a "tee" of the data going to the file. It provides 58254721Semaste * unreliable but timely access to audit events. Consumers of this interface 59254721Semaste * should be very careful to avoid introducing event cycles. Consumers may 60254721Semaste * express interest via a set of preselection ioctls. 61254721Semaste */ 62254721Semaste 63254721Semaste/* 64254721Semaste * Memory types. 65254721Semaste */ 66254721Semastestatic MALLOC_DEFINE(M_AUDIT_PIPE, "audit_pipe", "Audit pipes"); 67254721Semastestatic MALLOC_DEFINE(M_AUDIT_PIPE_ENTRY, "audit_pipeent", 68254721Semaste "Audit pipe entries and buffers"); 69254721Semastestatic MALLOC_DEFINE(M_AUDIT_PIPE_PRESELECT, "audit_pipe_presel", 70254721Semaste "Audit pipe preselection structure"); 71254721Semaste 72254721Semaste/* 73254721Semaste * Audit pipe buffer parameters. 74254721Semaste */ 75254721Semaste#define AUDIT_PIPE_QLIMIT_DEFAULT (128) 76254721Semaste#define AUDIT_PIPE_QLIMIT_MIN (0) 77254721Semaste#define AUDIT_PIPE_QLIMIT_MAX (1024) 78254721Semaste 79254721Semaste/* 80254721Semaste * Description of an entry in an audit_pipe. 81254721Semaste */ 82254721Semastestruct audit_pipe_entry { 83254721Semaste void *ape_record; 84254721Semaste u_int ape_record_len; 85254721Semaste TAILQ_ENTRY(audit_pipe_entry) ape_queue; 86254721Semaste}; 87254721Semaste 88254721Semaste/* 89254721Semaste * Audit pipes allow processes to express "interest" in the set of records 90254721Semaste * that are delivered via the pipe. They do this in a similar manner to the 91254721Semaste * mechanism for audit trail configuration, by expressing two global masks, 92254721Semaste * and optionally expressing per-auid masks. The following data structure is 93254721Semaste * the per-auid mask description. The global state is stored in the audit 94254721Semaste * pipe data structure. 95254721Semaste * 96254721Semaste * We may want to consider a more space/time-efficient data structure once 97254721Semaste * usage patterns for per-auid specifications are clear. 98254721Semaste */ 99254721Semastestruct audit_pipe_preselect { 100254721Semaste au_id_t app_auid; 101254721Semaste au_mask_t app_mask; 102254721Semaste TAILQ_ENTRY(audit_pipe_preselect) app_list; 103254721Semaste}; 104254721Semaste 105254721Semaste/* 106254721Semaste * Description of an individual audit_pipe. Consists largely of a bounded 107254721Semaste * length queue. 108254721Semaste */ 109254721Semaste#define AUDIT_PIPE_ASYNC 0x00000001 110254721Semaste#define AUDIT_PIPE_NBIO 0x00000002 111254721Semastestruct audit_pipe { 112254721Semaste int ap_open; /* Device open? */ 113254721Semaste u_int ap_flags; 114254721Semaste 115254721Semaste struct selinfo ap_selinfo; 116254721Semaste struct sigio *ap_sigio; 117254721Semaste 118254721Semaste u_int ap_qlen; 119254721Semaste u_int ap_qlimit; 120254721Semaste 121254721Semaste u_int64_t ap_inserts; /* Records added. */ 122254721Semaste u_int64_t ap_reads; /* Records read. */ 123254721Semaste u_int64_t ap_drops; /* Records dropped. */ 124254721Semaste u_int64_t ap_truncates; /* Records too long. */ 125254721Semaste 126254721Semaste /* 127254721Semaste * Fields relating to pipe interest: global masks for unmatched 128254721Semaste * processes (attributable, non-attributable), and a list of specific 129254721Semaste * interest specifications by auid. 130254721Semaste */ 131254721Semaste int ap_preselect_mode; 132254721Semaste au_mask_t ap_preselect_flags; 133254721Semaste au_mask_t ap_preselect_naflags; 134254721Semaste TAILQ_HEAD(, audit_pipe_preselect) ap_preselect_list; 135254721Semaste 136254721Semaste /* 137254721Semaste * Current pending record list. 138254721Semaste */ 139254721Semaste TAILQ_HEAD(, audit_pipe_entry) ap_queue; 140254721Semaste 141254721Semaste /* 142254721Semaste * Global pipe list. 143254721Semaste */ 144254721Semaste TAILQ_ENTRY(audit_pipe) ap_list; 145254721Semaste}; 146254721Semaste 147254721Semaste/* 148254721Semaste * Global list of audit pipes, mutex to protect it and the pipes. Finer 149254721Semaste * grained locking may be desirable at some point. 150254721Semaste */ 151254721Semastestatic TAILQ_HEAD(, audit_pipe) audit_pipe_list; 152254721Semastestatic struct mtx audit_pipe_mtx; 153254721Semaste 154254721Semaste/* 155254721Semaste * This CV is used to wakeup on an audit record write. Eventually, it might 156254721Semaste * be per-pipe to avoid unnecessary wakeups when several pipes with different 157254721Semaste * preselection masks are present. 158254721Semaste */ 159254721Semastestatic struct cv audit_pipe_cv; 160254721Semaste 161254721Semaste/* 162254721Semaste * Cloning related variables and constants. 163 */ 164#define AUDIT_PIPE_NAME "auditpipe" 165static eventhandler_tag audit_pipe_eh_tag; 166static struct clonedevs *audit_pipe_clones; 167 168/* 169 * Special device methods and definition. 170 */ 171static d_open_t audit_pipe_open; 172static d_close_t audit_pipe_close; 173static d_read_t audit_pipe_read; 174static d_ioctl_t audit_pipe_ioctl; 175static d_poll_t audit_pipe_poll; 176static d_kqfilter_t audit_pipe_kqfilter; 177 178static struct cdevsw audit_pipe_cdevsw = { 179 .d_version = D_VERSION, 180 .d_flags = D_PSEUDO | D_NEEDGIANT | D_NEEDMINOR, 181 .d_open = audit_pipe_open, 182 .d_close = audit_pipe_close, 183 .d_read = audit_pipe_read, 184 .d_ioctl = audit_pipe_ioctl, 185 .d_poll = audit_pipe_poll, 186 .d_kqfilter = audit_pipe_kqfilter, 187 .d_name = AUDIT_PIPE_NAME, 188}; 189 190static int audit_pipe_kqread(struct knote *note, long hint); 191static void audit_pipe_kqdetach(struct knote *note); 192 193static struct filterops audit_pipe_read_filterops = { 194 .f_isfd = 1, 195 .f_attach = NULL, 196 .f_detach = audit_pipe_kqdetach, 197 .f_event = audit_pipe_kqread, 198}; 199 200/* 201 * Some global statistics on audit pipes. 202 */ 203static int audit_pipe_count; /* Current number of pipes. */ 204static u_int64_t audit_pipe_ever; /* Pipes ever allocated. */ 205static u_int64_t audit_pipe_records; /* Records seen. */ 206static u_int64_t audit_pipe_drops; /* Global record drop count. */ 207 208/* 209 * Free an audit pipe entry. 210 */ 211static void 212audit_pipe_entry_free(struct audit_pipe_entry *ape) 213{ 214 215 free(ape->ape_record, M_AUDIT_PIPE_ENTRY); 216 free(ape, M_AUDIT_PIPE_ENTRY); 217} 218 219/* 220 * Find an audit pipe preselection specification for an auid, if any. 221 */ 222static struct audit_pipe_preselect * 223audit_pipe_preselect_find(struct audit_pipe *ap, au_id_t auid) 224{ 225 struct audit_pipe_preselect *app; 226 227 mtx_assert(&audit_pipe_mtx, MA_OWNED); 228 229 TAILQ_FOREACH(app, &ap->ap_preselect_list, app_list) { 230 if (app->app_auid == auid) 231 return (app); 232 } 233 return (NULL); 234} 235 236/* 237 * Query the per-pipe mask for a specific auid. 238 */ 239static int 240audit_pipe_preselect_get(struct audit_pipe *ap, au_id_t auid, 241 au_mask_t *maskp) 242{ 243 struct audit_pipe_preselect *app; 244 int error; 245 246 mtx_lock(&audit_pipe_mtx); 247 app = audit_pipe_preselect_find(ap, auid); 248 if (app != NULL) { 249 *maskp = app->app_mask; 250 error = 0; 251 } else 252 error = ENOENT; 253 mtx_unlock(&audit_pipe_mtx); 254 return (error); 255} 256 257/* 258 * Set the per-pipe mask for a specific auid. Add a new entry if needed; 259 * otherwise, update the current entry. 260 */ 261static void 262audit_pipe_preselect_set(struct audit_pipe *ap, au_id_t auid, au_mask_t mask) 263{ 264 struct audit_pipe_preselect *app, *app_new; 265 266 /* 267 * Pessimistically assume that the auid doesn't already have a mask 268 * set, and allocate. We will free it if it is unneeded. 269 */ 270 app_new = malloc(sizeof(*app_new), M_AUDIT_PIPE_PRESELECT, M_WAITOK); 271 mtx_lock(&audit_pipe_mtx); 272 app = audit_pipe_preselect_find(ap, auid); 273 if (app == NULL) { 274 app = app_new; 275 app_new = NULL; 276 app->app_auid = auid; 277 TAILQ_INSERT_TAIL(&ap->ap_preselect_list, app, app_list); 278 } 279 app->app_mask = mask; 280 mtx_unlock(&audit_pipe_mtx); 281 if (app_new != NULL) 282 free(app_new, M_AUDIT_PIPE_PRESELECT); 283} 284 285/* 286 * Delete a per-auid mask on an audit pipe. 287 */ 288static int 289audit_pipe_preselect_delete(struct audit_pipe *ap, au_id_t auid) 290{ 291 struct audit_pipe_preselect *app; 292 int error; 293 294 mtx_lock(&audit_pipe_mtx); 295 app = audit_pipe_preselect_find(ap, auid); 296 if (app != NULL) { 297 TAILQ_REMOVE(&ap->ap_preselect_list, app, app_list); 298 error = 0; 299 } else 300 error = ENOENT; 301 mtx_unlock(&audit_pipe_mtx); 302 if (app != NULL) 303 free(app, M_AUDIT_PIPE_PRESELECT); 304 return (error); 305} 306 307/* 308 * Delete all per-auid masks on an audit pipe. 309 */ 310static void 311audit_pipe_preselect_flush_locked(struct audit_pipe *ap) 312{ 313 struct audit_pipe_preselect *app; 314 315 mtx_assert(&audit_pipe_mtx, MA_OWNED); 316 317 while ((app = TAILQ_FIRST(&ap->ap_preselect_list)) != NULL) { 318 TAILQ_REMOVE(&ap->ap_preselect_list, app, app_list); 319 free(app, M_AUDIT_PIPE_PRESELECT); 320 } 321} 322 323static void 324audit_pipe_preselect_flush(struct audit_pipe *ap) 325{ 326 327 mtx_lock(&audit_pipe_mtx); 328 audit_pipe_preselect_flush_locked(ap); 329 mtx_unlock(&audit_pipe_mtx); 330} 331 332/*- 333 * Determine whether a specific audit pipe matches a record with these 334 * properties. Algorithm is as follows: 335 * 336 * - If the pipe is configured to track the default trail configuration, then 337 * use the results of global preselection matching. 338 * - If not, search for a specifically configured auid entry matching the 339 * event. If an entry is found, use that. 340 * - Otherwise, use the default flags or naflags configured for the pipe. 341 */ 342static int 343audit_pipe_preselect_check(struct audit_pipe *ap, au_id_t auid, 344 au_event_t event, au_class_t class, int sorf, int trail_preselect) 345{ 346 struct audit_pipe_preselect *app; 347 348 mtx_assert(&audit_pipe_mtx, MA_OWNED); 349 350 switch (ap->ap_preselect_mode) { 351 case AUDITPIPE_PRESELECT_MODE_TRAIL: 352 return (trail_preselect); 353 354 case AUDITPIPE_PRESELECT_MODE_LOCAL: 355 app = audit_pipe_preselect_find(ap, auid); 356 if (app == NULL) { 357 if (auid == AU_DEFAUDITID) 358 return (au_preselect(event, class, 359 &ap->ap_preselect_naflags, sorf)); 360 else 361 return (au_preselect(event, class, 362 &ap->ap_preselect_flags, sorf)); 363 } else 364 return (au_preselect(event, class, &app->app_mask, 365 sorf)); 366 367 default: 368 panic("audit_pipe_preselect_check: mode %d", 369 ap->ap_preselect_mode); 370 } 371 372 return (0); 373} 374 375/* 376 * Determine whether there exists a pipe interested in a record with specific 377 * properties. 378 */ 379int 380audit_pipe_preselect(au_id_t auid, au_event_t event, au_class_t class, 381 int sorf, int trail_preselect) 382{ 383 struct audit_pipe *ap; 384 385 mtx_lock(&audit_pipe_mtx); 386 TAILQ_FOREACH(ap, &audit_pipe_list, ap_list) { 387 if (audit_pipe_preselect_check(ap, auid, event, class, sorf, 388 trail_preselect)) { 389 mtx_unlock(&audit_pipe_mtx); 390 return (1); 391 } 392 } 393 mtx_unlock(&audit_pipe_mtx); 394 return (0); 395} 396 397/* 398 * Append individual record to a queue -- allocate queue-local buffer, and 399 * add to the queue. We try to drop from the head of the queue so that more 400 * recent events take precedence over older ones, but if allocation fails we 401 * do drop the new event. 402 */ 403static void 404audit_pipe_append(struct audit_pipe *ap, void *record, u_int record_len) 405{ 406 struct audit_pipe_entry *ape, *ape_remove; 407 408 mtx_assert(&audit_pipe_mtx, MA_OWNED); 409 410 ape = malloc(sizeof(*ape), M_AUDIT_PIPE_ENTRY, M_NOWAIT | M_ZERO); 411 if (ape == NULL) { 412 ap->ap_drops++; 413 audit_pipe_drops++; 414 return; 415 } 416 417 ape->ape_record = malloc(record_len, M_AUDIT_PIPE_ENTRY, M_NOWAIT); 418 if (ape->ape_record == NULL) { 419 free(ape, M_AUDIT_PIPE_ENTRY); 420 ap->ap_drops++; 421 audit_pipe_drops++; 422 return; 423 } 424 425 bcopy(record, ape->ape_record, record_len); 426 ape->ape_record_len = record_len; 427 428 if (ap->ap_qlen >= ap->ap_qlimit) { 429 ape_remove = TAILQ_FIRST(&ap->ap_queue); 430 TAILQ_REMOVE(&ap->ap_queue, ape_remove, ape_queue); 431 audit_pipe_entry_free(ape_remove); 432 ap->ap_qlen--; 433 ap->ap_drops++; 434 audit_pipe_drops++; 435 } 436 437 TAILQ_INSERT_TAIL(&ap->ap_queue, ape, ape_queue); 438 ap->ap_inserts++; 439 ap->ap_qlen++; 440 selwakeuppri(&ap->ap_selinfo, PSOCK); 441 KNOTE_LOCKED(&ap->ap_selinfo.si_note, 0); 442 if (ap->ap_flags & AUDIT_PIPE_ASYNC) 443 pgsigio(&ap->ap_sigio, SIGIO, 0); 444} 445 446/* 447 * audit_pipe_submit(): audit_worker submits audit records via this 448 * interface, which arranges for them to be delivered to pipe queues. 449 */ 450void 451audit_pipe_submit(au_id_t auid, au_event_t event, au_class_t class, int sorf, 452 int trail_select, void *record, u_int record_len) 453{ 454 struct audit_pipe *ap; 455 456 /* 457 * Lockless read to avoid mutex overhead if pipes are not in use. 458 */ 459 if (TAILQ_FIRST(&audit_pipe_list) == NULL) 460 return; 461 462 mtx_lock(&audit_pipe_mtx); 463 TAILQ_FOREACH(ap, &audit_pipe_list, ap_list) { 464 if (audit_pipe_preselect_check(ap, auid, event, class, sorf, 465 trail_select)) 466 audit_pipe_append(ap, record, record_len); 467 } 468 audit_pipe_records++; 469 mtx_unlock(&audit_pipe_mtx); 470 cv_broadcastpri(&audit_pipe_cv, PSOCK); 471} 472 473/* 474 * audit_pipe_submit_user(): the same as audit_pipe_submit(), except that 475 * since we don't currently have selection information available, it is 476 * delivered to the pipe unconditionally. 477 * 478 * XXXRW: This is a bug. The BSM check routine for submitting a user record 479 * should parse that information and return it. 480 */ 481void 482audit_pipe_submit_user(void *record, u_int record_len) 483{ 484 struct audit_pipe *ap; 485 486 /* 487 * Lockless read to avoid mutex overhead if pipes are not in use. 488 */ 489 if (TAILQ_FIRST(&audit_pipe_list) == NULL) 490 return; 491 492 mtx_lock(&audit_pipe_mtx); 493 TAILQ_FOREACH(ap, &audit_pipe_list, ap_list) 494 audit_pipe_append(ap, record, record_len); 495 audit_pipe_records++; 496 mtx_unlock(&audit_pipe_mtx); 497 cv_broadcastpri(&audit_pipe_cv, PSOCK); 498} 499 500/* 501 * Pop the next record off of an audit pipe. 502 */ 503static struct audit_pipe_entry * 504audit_pipe_pop(struct audit_pipe *ap) 505{ 506 struct audit_pipe_entry *ape; 507 508 mtx_assert(&audit_pipe_mtx, MA_OWNED); 509 510 ape = TAILQ_FIRST(&ap->ap_queue); 511 KASSERT((ape == NULL && ap->ap_qlen == 0) || 512 (ape != NULL && ap->ap_qlen != 0), ("audit_pipe_pop: qlen")); 513 if (ape == NULL) 514 return (NULL); 515 TAILQ_REMOVE(&ap->ap_queue, ape, ape_queue); 516 ap->ap_qlen--; 517 return (ape); 518} 519 520/* 521 * Allocate a new audit pipe. Connects the pipe, on success, to the global 522 * list and updates statistics. 523 */ 524static struct audit_pipe * 525audit_pipe_alloc(void) 526{ 527 struct audit_pipe *ap; 528 529 mtx_assert(&audit_pipe_mtx, MA_OWNED); 530 531 ap = malloc(sizeof(*ap), M_AUDIT_PIPE, M_NOWAIT | M_ZERO); 532 if (ap == NULL) 533 return (NULL); 534 ap->ap_qlimit = AUDIT_PIPE_QLIMIT_DEFAULT; 535 TAILQ_INIT(&ap->ap_queue); 536 knlist_init(&ap->ap_selinfo.si_note, &audit_pipe_mtx, NULL, NULL, 537 NULL); 538 539 /* 540 * Default flags, naflags, and auid-specific preselection settings to 541 * 0. Initialize the mode to the global trail so that if praudit(1) 542 * is run on /dev/auditpipe, it sees events associated with the 543 * default trail. Pipe-aware application can clear the flag, set 544 * custom masks, and flush the pipe as needed. 545 */ 546 bzero(&ap->ap_preselect_flags, sizeof(ap->ap_preselect_flags)); 547 bzero(&ap->ap_preselect_naflags, sizeof(ap->ap_preselect_naflags)); 548 TAILQ_INIT(&ap->ap_preselect_list); 549 ap->ap_preselect_mode = AUDITPIPE_PRESELECT_MODE_TRAIL; 550 551 /* 552 * Add to global list and update global statistics. 553 */ 554 TAILQ_INSERT_HEAD(&audit_pipe_list, ap, ap_list); 555 audit_pipe_count++; 556 audit_pipe_ever++; 557 558 return (ap); 559} 560 561/* 562 * Flush all records currently present in an audit pipe; assume mutex is held. 563 */ 564static void 565audit_pipe_flush(struct audit_pipe *ap) 566{ 567 struct audit_pipe_entry *ape; 568 569 mtx_assert(&audit_pipe_mtx, MA_OWNED); 570 571 while ((ape = TAILQ_FIRST(&ap->ap_queue)) != NULL) { 572 TAILQ_REMOVE(&ap->ap_queue, ape, ape_queue); 573 audit_pipe_entry_free(ape); 574 ap->ap_qlen--; 575 } 576 KASSERT(ap->ap_qlen == 0, ("audit_pipe_free: ap_qlen")); 577} 578 579/* 580 * Free an audit pipe; this means freeing all preselection state and all 581 * records in the pipe. Assumes mutex is held to prevent any new records 582 * from being inserted during the free, and that the audit pipe is still on 583 * the global list. 584 */ 585static void 586audit_pipe_free(struct audit_pipe *ap) 587{ 588 589 mtx_assert(&audit_pipe_mtx, MA_OWNED); 590 591 audit_pipe_preselect_flush_locked(ap); 592 audit_pipe_flush(ap); 593 knlist_destroy(&ap->ap_selinfo.si_note); 594 TAILQ_REMOVE(&audit_pipe_list, ap, ap_list); 595 free(ap, M_AUDIT_PIPE); 596 audit_pipe_count--; 597} 598 599/* 600 * Audit pipe clone routine -- provide specific requested audit pipe, or a 601 * fresh one if a specific one is not requested. 602 */ 603static void 604audit_pipe_clone(void *arg, struct ucred *cred, char *name, int namelen, 605 struct cdev **dev) 606{ 607 int i, u; 608 609 if (*dev != NULL) 610 return; 611 612 if (strcmp(name, AUDIT_PIPE_NAME) == 0) 613 u = -1; 614 else if (dev_stdclone(name, NULL, AUDIT_PIPE_NAME, &u) != 1) 615 return; 616 617 i = clone_create(&audit_pipe_clones, &audit_pipe_cdevsw, &u, dev, 0); 618 if (i) { 619 *dev = make_dev(&audit_pipe_cdevsw, unit2minor(u), UID_ROOT, 620 GID_WHEEL, 0600, "%s%d", AUDIT_PIPE_NAME, u); 621 if (*dev != NULL) { 622 dev_ref(*dev); 623 (*dev)->si_flags |= SI_CHEAPCLONE; 624 } 625 } 626} 627 628/* 629 * Audit pipe open method. Explicit privilege check isn't used as this 630 * allows file permissions on the special device to be used to grant audit 631 * review access. Those file permissions should be managed carefully. 632 */ 633static int 634audit_pipe_open(struct cdev *dev, int oflags, int devtype, struct thread *td) 635{ 636 struct audit_pipe *ap; 637 638 mtx_lock(&audit_pipe_mtx); 639 ap = dev->si_drv1; 640 if (ap == NULL) { 641 ap = audit_pipe_alloc(); 642 if (ap == NULL) { 643 mtx_unlock(&audit_pipe_mtx); 644 return (ENOMEM); 645 } 646 dev->si_drv1 = ap; 647 } else { 648 KASSERT(ap->ap_open, ("audit_pipe_open: ap && !ap_open")); 649 mtx_unlock(&audit_pipe_mtx); 650 return (EBUSY); 651 } 652 ap->ap_open = 1; 653 mtx_unlock(&audit_pipe_mtx); 654 fsetown(td->td_proc->p_pid, &ap->ap_sigio); 655 return (0); 656} 657 658/* 659 * Close audit pipe, tear down all records, etc. 660 */ 661static int 662audit_pipe_close(struct cdev *dev, int fflag, int devtype, struct thread *td) 663{ 664 struct audit_pipe *ap; 665 666 ap = dev->si_drv1; 667 KASSERT(ap != NULL, ("audit_pipe_close: ap == NULL")); 668 KASSERT(ap->ap_open, ("audit_pipe_close: !ap_open")); 669 funsetown(&ap->ap_sigio); 670 mtx_lock(&audit_pipe_mtx); 671 ap->ap_open = 0; 672 audit_pipe_free(ap); 673 dev->si_drv1 = NULL; 674 mtx_unlock(&audit_pipe_mtx); 675 return (0); 676} 677 678/* 679 * Audit pipe ioctl() routine. Handle file descriptor and audit pipe layer 680 * commands. 681 * 682 * Would be desirable to support filtering, although perhaps something simple 683 * like an event mask, as opposed to something complicated like BPF. 684 */ 685static int 686audit_pipe_ioctl(struct cdev *dev, u_long cmd, caddr_t data, int flag, 687 struct thread *td) 688{ 689 struct auditpipe_ioctl_preselect *aip; 690 struct audit_pipe *ap; 691 au_mask_t *maskp; 692 int error, mode; 693 au_id_t auid; 694 695 ap = dev->si_drv1; 696 KASSERT(ap != NULL, ("audit_pipe_ioctl: ap == NULL")); 697 698 /* 699 * Audit pipe ioctls: first come standard device node ioctls, then 700 * manipulation of pipe settings, and finally, statistics query 701 * ioctls. 702 */ 703 switch (cmd) { 704 case FIONBIO: 705 mtx_lock(&audit_pipe_mtx); 706 if (*(int *)data) 707 ap->ap_flags |= AUDIT_PIPE_NBIO; 708 else 709 ap->ap_flags &= ~AUDIT_PIPE_NBIO; 710 mtx_unlock(&audit_pipe_mtx); 711 error = 0; 712 break; 713 714 case FIONREAD: 715 mtx_lock(&audit_pipe_mtx); 716 if (TAILQ_FIRST(&ap->ap_queue) != NULL) 717 *(int *)data = 718 TAILQ_FIRST(&ap->ap_queue)->ape_record_len; 719 else 720 *(int *)data = 0; 721 mtx_unlock(&audit_pipe_mtx); 722 error = 0; 723 break; 724 725 case FIOASYNC: 726 mtx_lock(&audit_pipe_mtx); 727 if (*(int *)data) 728 ap->ap_flags |= AUDIT_PIPE_ASYNC; 729 else 730 ap->ap_flags &= ~AUDIT_PIPE_ASYNC; 731 mtx_unlock(&audit_pipe_mtx); 732 error = 0; 733 break; 734 735 case FIOSETOWN: 736 error = fsetown(*(int *)data, &ap->ap_sigio); 737 break; 738 739 case FIOGETOWN: 740 *(int *)data = fgetown(&ap->ap_sigio); 741 error = 0; 742 break; 743 744 case AUDITPIPE_GET_QLEN: 745 *(u_int *)data = ap->ap_qlen; 746 error = 0; 747 break; 748 749 case AUDITPIPE_GET_QLIMIT: 750 *(u_int *)data = ap->ap_qlimit; 751 error = 0; 752 break; 753 754 case AUDITPIPE_SET_QLIMIT: 755 /* Lockless integer write. */ 756 if (*(u_int *)data >= AUDIT_PIPE_QLIMIT_MIN || 757 *(u_int *)data <= AUDIT_PIPE_QLIMIT_MAX) { 758 ap->ap_qlimit = *(u_int *)data; 759 error = 0; 760 } else 761 error = EINVAL; 762 break; 763 764 case AUDITPIPE_GET_QLIMIT_MIN: 765 *(u_int *)data = AUDIT_PIPE_QLIMIT_MIN; 766 error = 0; 767 break; 768 769 case AUDITPIPE_GET_QLIMIT_MAX: 770 *(u_int *)data = AUDIT_PIPE_QLIMIT_MAX; 771 error = 0; 772 break; 773 774 case AUDITPIPE_GET_PRESELECT_FLAGS: 775 mtx_lock(&audit_pipe_mtx); 776 maskp = (au_mask_t *)data; 777 *maskp = ap->ap_preselect_flags; 778 mtx_unlock(&audit_pipe_mtx); 779 error = 0; 780 break; 781 782 case AUDITPIPE_SET_PRESELECT_FLAGS: 783 mtx_lock(&audit_pipe_mtx); 784 maskp = (au_mask_t *)data; 785 ap->ap_preselect_flags = *maskp; 786 mtx_unlock(&audit_pipe_mtx); 787 error = 0; 788 break; 789 790 case AUDITPIPE_GET_PRESELECT_NAFLAGS: 791 mtx_lock(&audit_pipe_mtx); 792 maskp = (au_mask_t *)data; 793 *maskp = ap->ap_preselect_naflags; 794 mtx_unlock(&audit_pipe_mtx); 795 error = 0; 796 break; 797 798 case AUDITPIPE_SET_PRESELECT_NAFLAGS: 799 mtx_lock(&audit_pipe_mtx); 800 maskp = (au_mask_t *)data; 801 ap->ap_preselect_naflags = *maskp; 802 mtx_unlock(&audit_pipe_mtx); 803 error = 0; 804 break; 805 806 case AUDITPIPE_GET_PRESELECT_AUID: 807 aip = (struct auditpipe_ioctl_preselect *)data; 808 error = audit_pipe_preselect_get(ap, aip->aip_auid, 809 &aip->aip_mask); 810 break; 811 812 case AUDITPIPE_SET_PRESELECT_AUID: 813 aip = (struct auditpipe_ioctl_preselect *)data; 814 audit_pipe_preselect_set(ap, aip->aip_auid, aip->aip_mask); 815 error = 0; 816 break; 817 818 case AUDITPIPE_DELETE_PRESELECT_AUID: 819 auid = *(au_id_t *)data; 820 error = audit_pipe_preselect_delete(ap, auid); 821 break; 822 823 case AUDITPIPE_FLUSH_PRESELECT_AUID: 824 audit_pipe_preselect_flush(ap); 825 error = 0; 826 break; 827 828 case AUDITPIPE_GET_PRESELECT_MODE: 829 mtx_lock(&audit_pipe_mtx); 830 *(int *)data = ap->ap_preselect_mode; 831 mtx_unlock(&audit_pipe_mtx); 832 error = 0; 833 break; 834 835 case AUDITPIPE_SET_PRESELECT_MODE: 836 mode = *(int *)data; 837 switch (mode) { 838 case AUDITPIPE_PRESELECT_MODE_TRAIL: 839 case AUDITPIPE_PRESELECT_MODE_LOCAL: 840 mtx_lock(&audit_pipe_mtx); 841 ap->ap_preselect_mode = mode; 842 mtx_unlock(&audit_pipe_mtx); 843 error = 0; 844 break; 845 846 default: 847 error = EINVAL; 848 } 849 break; 850 851 case AUDITPIPE_FLUSH: 852 mtx_lock(&audit_pipe_mtx); 853 audit_pipe_flush(ap); 854 mtx_unlock(&audit_pipe_mtx); 855 error = 0; 856 break; 857 858 case AUDITPIPE_GET_MAXAUDITDATA: 859 *(u_int *)data = MAXAUDITDATA; 860 error = 0; 861 break; 862 863 case AUDITPIPE_GET_INSERTS: 864 *(u_int *)data = ap->ap_inserts; 865 error = 0; 866 break; 867 868 case AUDITPIPE_GET_READS: 869 *(u_int *)data = ap->ap_reads; 870 error = 0; 871 break; 872 873 case AUDITPIPE_GET_DROPS: 874 *(u_int *)data = ap->ap_drops; 875 error = 0; 876 break; 877 878 case AUDITPIPE_GET_TRUNCATES: 879 *(u_int *)data = ap->ap_truncates; 880 error = 0; 881 break; 882 883 default: 884 error = ENOTTY; 885 } 886 return (error); 887} 888 889/* 890 * Audit pipe read. Pull one record off the queue and copy to user space. 891 * On error, the record is dropped. 892 * 893 * Providing more sophisticated behavior, such as partial reads, is tricky 894 * due to the potential for parallel I/O. If partial read support is 895 * required, it will require a per-pipe "current record being read" along 896 * with an offset into that trecord which has already been read. Threads 897 * performing partial reads will need to allocate per-thread copies of the 898 * data so that if another thread completes the read of the record, it can be 899 * freed without adding reference count logic. If this is added, a flag to 900 * indicate that only atomic record reads are desired would be useful, as if 901 * different threads are all waiting for records on the pipe, they will want 902 * independent record reads, which is currently the behavior. 903 */ 904static int 905audit_pipe_read(struct cdev *dev, struct uio *uio, int flag) 906{ 907 struct audit_pipe_entry *ape; 908 struct audit_pipe *ap; 909 int error; 910 911 ap = dev->si_drv1; 912 KASSERT(ap != NULL, ("audit_pipe_read: ap == NULL")); 913 mtx_lock(&audit_pipe_mtx); 914 do { 915 /* 916 * Wait for a record that fits into the read buffer, dropping 917 * records that would be truncated if actually passed to the 918 * process. This helps maintain the discreet record read 919 * interface. 920 */ 921 while ((ape = audit_pipe_pop(ap)) == NULL) { 922 if (ap->ap_flags & AUDIT_PIPE_NBIO) { 923 mtx_unlock(&audit_pipe_mtx); 924 return (EAGAIN); 925 } 926 error = cv_wait_sig(&audit_pipe_cv, &audit_pipe_mtx); 927 if (error) { 928 mtx_unlock(&audit_pipe_mtx); 929 return (error); 930 } 931 } 932 if (ape->ape_record_len <= uio->uio_resid) 933 break; 934 audit_pipe_entry_free(ape); 935 ap->ap_truncates++; 936 } while (1); 937 ap->ap_reads++; 938 mtx_unlock(&audit_pipe_mtx); 939 940 /* 941 * Now read record to user space memory. Even if the read is short, 942 * we abandon the remainder of the record, supporting only discreet 943 * record reads. 944 */ 945 error = uiomove(ape->ape_record, ape->ape_record_len, uio); 946 audit_pipe_entry_free(ape); 947 return (error); 948} 949 950/* 951 * Audit pipe poll. 952 */ 953static int 954audit_pipe_poll(struct cdev *dev, int events, struct thread *td) 955{ 956 struct audit_pipe *ap; 957 int revents; 958 959 revents = 0; 960 ap = dev->si_drv1; 961 KASSERT(ap != NULL, ("audit_pipe_poll: ap == NULL")); 962 if (events & (POLLIN | POLLRDNORM)) { 963 mtx_lock(&audit_pipe_mtx); 964 if (TAILQ_FIRST(&ap->ap_queue) != NULL) 965 revents |= events & (POLLIN | POLLRDNORM); 966 else 967 selrecord(td, &ap->ap_selinfo); 968 mtx_unlock(&audit_pipe_mtx); 969 } 970 return (revents); 971} 972 973/* 974 * Audit pipe kqfilter. 975 */ 976static int 977audit_pipe_kqfilter(struct cdev *dev, struct knote *kn) 978{ 979 struct audit_pipe *ap; 980 981 ap = dev->si_drv1; 982 KASSERT(ap != NULL, ("audit_pipe_kqfilter: ap == NULL")); 983 984 if (kn->kn_filter != EVFILT_READ) 985 return (EINVAL); 986 987 kn->kn_fop = &audit_pipe_read_filterops; 988 kn->kn_hook = ap; 989 990 mtx_lock(&audit_pipe_mtx); 991 knlist_add(&ap->ap_selinfo.si_note, kn, 1); 992 mtx_unlock(&audit_pipe_mtx); 993 return (0); 994} 995 996/* 997 * Return true if there are records available for reading on the pipe. 998 */ 999static int 1000audit_pipe_kqread(struct knote *kn, long hint) 1001{ 1002 struct audit_pipe_entry *ape; 1003 struct audit_pipe *ap; 1004 1005 mtx_assert(&audit_pipe_mtx, MA_OWNED); 1006 1007 ap = (struct audit_pipe *)kn->kn_hook; 1008 KASSERT(ap != NULL, ("audit_pipe_kqread: ap == NULL")); 1009 1010 if (ap->ap_qlen != 0) { 1011 ape = TAILQ_FIRST(&ap->ap_queue); 1012 KASSERT(ape != NULL, ("audit_pipe_kqread: ape == NULL")); 1013 1014 kn->kn_data = ape->ape_record_len; 1015 return (1); 1016 } else { 1017 kn->kn_data = 0; 1018 return (0); 1019 } 1020} 1021 1022/* 1023 * Detach kqueue state from audit pipe. 1024 */ 1025static void 1026audit_pipe_kqdetach(struct knote *kn) 1027{ 1028 struct audit_pipe *ap; 1029 1030 ap = (struct audit_pipe *)kn->kn_hook; 1031 KASSERT(ap != NULL, ("audit_pipe_kqdetach: ap == NULL")); 1032 1033 mtx_lock(&audit_pipe_mtx); 1034 knlist_remove(&ap->ap_selinfo.si_note, kn, 1); 1035 mtx_unlock(&audit_pipe_mtx); 1036} 1037 1038/* 1039 * Initialize the audit pipe system. 1040 */ 1041static void 1042audit_pipe_init(void *unused) 1043{ 1044 1045 TAILQ_INIT(&audit_pipe_list); 1046 mtx_init(&audit_pipe_mtx, "audit_pipe_mtx", NULL, MTX_DEF); 1047 cv_init(&audit_pipe_cv, "audit_pipe_cv"); 1048 1049 clone_setup(&audit_pipe_clones); 1050 audit_pipe_eh_tag = EVENTHANDLER_REGISTER(dev_clone, 1051 audit_pipe_clone, 0, 1000); 1052 if (audit_pipe_eh_tag == NULL) 1053 panic("audit_pipe_init: EVENTHANDLER_REGISTER"); 1054} 1055 1056SYSINIT(audit_pipe_init, SI_SUB_DRIVERS, SI_ORDER_MIDDLE, audit_pipe_init, 1057 NULL); 1058