audit_pipe.c revision 184489
150471Speter/*- 21556Srgrimes * Copyright (c) 2006 Robert N. M. Watson 31556Srgrimes * Copyright (c) 2008 Apple, Inc. 4298107Sgjb * All rights reserved. 51556Srgrimes * 6105831Srwatson * This software was developed by Robert Watson for the TrustedBSD Project. 7140903Sdelphij * 831552Sdyson * Redistribution and use in source and binary forms, with or without 931552Sdyson * modification, are permitted provided that the following conditions 1031552Sdyson * are met: 1131552Sdyson * 1. Redistributions of source code must retain the above copyright 1231552Sdyson * notice, this list of conditions and the following disclaimer. 1331552Sdyson * 2. Redistributions in binary form must reproduce the above copyright 1476812Sru * notice, this list of conditions and the following disclaimer in the 15289490Sngie * documentation and/or other materials provided with the distribution. 161556Srgrimes * 171556Srgrimes * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 27 * SUCH DAMAGE. 28 */ 29 30#include <sys/cdefs.h> 31__FBSDID("$FreeBSD: head/sys/security/audit/audit_pipe.c 184489 2008-10-30 23:09:19Z rwatson $"); 32 33#include <sys/param.h> 34#include <sys/condvar.h> 35#include <sys/conf.h> 36#include <sys/eventhandler.h> 37#include <sys/filio.h> 38#include <sys/kernel.h> 39#include <sys/lock.h> 40#include <sys/malloc.h> 41#include <sys/mutex.h> 42#include <sys/poll.h> 43#include <sys/proc.h> 44#include <sys/queue.h> 45#include <sys/rwlock.h> 46#include <sys/selinfo.h> 47#include <sys/sigio.h> 48#include <sys/signal.h> 49#include <sys/signalvar.h> 50#include <sys/systm.h> 51#include <sys/uio.h> 52 53#include <security/audit/audit.h> 54#include <security/audit/audit_ioctl.h> 55#include <security/audit/audit_private.h> 56 57/* 58 * Implementation of a clonable special device providing a live stream of BSM 59 * audit data. This is a "tee" of the data going to the file. It provides 60 * unreliable but timely access to audit events. Consumers of this interface 61 * should be very careful to avoid introducing event cycles. Consumers may 62 * express interest via a set of preselection ioctls. 63 */ 64 65/* 66 * Memory types. 67 */ 68static MALLOC_DEFINE(M_AUDIT_PIPE, "audit_pipe", "Audit pipes"); 69static MALLOC_DEFINE(M_AUDIT_PIPE_ENTRY, "audit_pipeent", 70 "Audit pipe entries and buffers"); 71static MALLOC_DEFINE(M_AUDIT_PIPE_PRESELECT, "audit_pipe_presel", 72 "Audit pipe preselection structure"); 73 74/* 75 * Audit pipe buffer parameters. 76 */ 77#define AUDIT_PIPE_QLIMIT_DEFAULT (128) 78#define AUDIT_PIPE_QLIMIT_MIN (0) 79#define AUDIT_PIPE_QLIMIT_MAX (1024) 80 81/* 82 * Description of an entry in an audit_pipe. 83 */ 84struct audit_pipe_entry { 85 void *ape_record; 86 u_int ape_record_len; 87 TAILQ_ENTRY(audit_pipe_entry) ape_queue; 88}; 89 90/* 91 * Audit pipes allow processes to express "interest" in the set of records 92 * that are delivered via the pipe. They do this in a similar manner to the 93 * mechanism for audit trail configuration, by expressing two global masks, 94 * and optionally expressing per-auid masks. The following data structure is 95 * the per-auid mask description. The global state is stored in the audit 96 * pipe data structure. 97 * 98 * We may want to consider a more space/time-efficient data structure once 99 * usage patterns for per-auid specifications are clear. 100 */ 101struct audit_pipe_preselect { 102 au_id_t app_auid; 103 au_mask_t app_mask; 104 TAILQ_ENTRY(audit_pipe_preselect) app_list; 105}; 106 107/* 108 * Description of an individual audit_pipe. Consists largely of a bounded 109 * length queue. 110 */ 111#define AUDIT_PIPE_ASYNC 0x00000001 112#define AUDIT_PIPE_NBIO 0x00000002 113struct audit_pipe { 114 int ap_open; /* Device open? */ 115 u_int ap_flags; 116 117 struct selinfo ap_selinfo; 118 struct sigio *ap_sigio; 119 120 /* 121 * Per-pipe mutex protecting most fields in this data structure. 122 */ 123 struct mtx ap_lock; 124 125 /* 126 * Condition variable to signal when data has been delivered to a 127 * pipe. 128 */ 129 struct cv ap_cv; 130 131 u_int ap_qlen; 132 u_int ap_qlimit; 133 134 u_int64_t ap_inserts; /* Records added. */ 135 u_int64_t ap_reads; /* Records read. */ 136 u_int64_t ap_drops; /* Records dropped. */ 137 u_int64_t ap_truncates; /* Records too long. */ 138 139 /* 140 * Fields relating to pipe interest: global masks for unmatched 141 * processes (attributable, non-attributable), and a list of specific 142 * interest specifications by auid. 143 */ 144 int ap_preselect_mode; 145 au_mask_t ap_preselect_flags; 146 au_mask_t ap_preselect_naflags; 147 TAILQ_HEAD(, audit_pipe_preselect) ap_preselect_list; 148 149 /* 150 * Current pending record list. 151 */ 152 TAILQ_HEAD(, audit_pipe_entry) ap_queue; 153 154 /* 155 * Global pipe list. 156 */ 157 TAILQ_ENTRY(audit_pipe) ap_list; 158}; 159 160#define AUDIT_PIPE_LOCK(ap) mtx_lock(&(ap)->ap_lock) 161#define AUDIT_PIPE_LOCK_ASSERT(ap) mtx_assert(&(ap)->ap_lock, MA_OWNED) 162#define AUDIT_PIPE_LOCK_DESTROY(ap) mtx_destroy(&(ap)->ap_lock) 163#define AUDIT_PIPE_LOCK_INIT(ap) mtx_init(&(ap)->ap_lock, \ 164 "audit_pipe_lock", NULL, MTX_DEF) 165#define AUDIT_PIPE_UNLOCK(ap) mtx_unlock(&(ap)->ap_lock) 166#define AUDIT_PIPE_MTX(ap) (&(ap)->ap_lock) 167 168/* 169 * Global list of audit pipes, rwlock to protect it. Individual record 170 * queues on pipes are protected by per-pipe locks; these locks synchronize 171 * between threads walking the list to deliver to individual pipes and add/ 172 * remove of pipes, and are mostly acquired for read. 173 */ 174static TAILQ_HEAD(, audit_pipe) audit_pipe_list; 175static struct rwlock audit_pipe_lock; 176 177#define AUDIT_PIPE_LIST_LOCK_INIT() rw_init(&audit_pipe_lock, \ 178 "audit_pipe_list_lock") 179#define AUDIT_PIPE_LIST_RLOCK() rw_rlock(&audit_pipe_lock) 180#define AUDIT_PIPE_LIST_RUNLOCK() rw_runlock(&audit_pipe_lock) 181#define AUDIT_PIPE_LIST_WLOCK() rw_wlock(&audit_pipe_lock) 182#define AUDIT_PIPE_LIST_WLOCK_ASSERT() rw_assert(&audit_pipe_lock, \ 183 RA_WLOCKED) 184#define AUDIT_PIPE_LIST_WUNLOCK() rw_wunlock(&audit_pipe_lock) 185 186/* 187 * Cloning related variables and constants. 188 */ 189#define AUDIT_PIPE_NAME "auditpipe" 190static eventhandler_tag audit_pipe_eh_tag; 191static struct clonedevs *audit_pipe_clones; 192 193/* 194 * Special device methods and definition. 195 */ 196static d_open_t audit_pipe_open; 197static d_close_t audit_pipe_close; 198static d_read_t audit_pipe_read; 199static d_ioctl_t audit_pipe_ioctl; 200static d_poll_t audit_pipe_poll; 201static d_kqfilter_t audit_pipe_kqfilter; 202 203static struct cdevsw audit_pipe_cdevsw = { 204 .d_version = D_VERSION, 205 .d_flags = D_PSEUDO | D_NEEDGIANT | D_NEEDMINOR, 206 .d_open = audit_pipe_open, 207 .d_close = audit_pipe_close, 208 .d_read = audit_pipe_read, 209 .d_ioctl = audit_pipe_ioctl, 210 .d_poll = audit_pipe_poll, 211 .d_kqfilter = audit_pipe_kqfilter, 212 .d_name = AUDIT_PIPE_NAME, 213}; 214 215static int audit_pipe_kqread(struct knote *note, long hint); 216static void audit_pipe_kqdetach(struct knote *note); 217 218static struct filterops audit_pipe_read_filterops = { 219 .f_isfd = 1, 220 .f_attach = NULL, 221 .f_detach = audit_pipe_kqdetach, 222 .f_event = audit_pipe_kqread, 223}; 224 225/* 226 * Some global statistics on audit pipes. 227 */ 228static int audit_pipe_count; /* Current number of pipes. */ 229static u_int64_t audit_pipe_ever; /* Pipes ever allocated. */ 230static u_int64_t audit_pipe_records; /* Records seen. */ 231static u_int64_t audit_pipe_drops; /* Global record drop count. */ 232 233/* 234 * Free an audit pipe entry. 235 */ 236static void 237audit_pipe_entry_free(struct audit_pipe_entry *ape) 238{ 239 240 free(ape->ape_record, M_AUDIT_PIPE_ENTRY); 241 free(ape, M_AUDIT_PIPE_ENTRY); 242} 243 244/* 245 * Find an audit pipe preselection specification for an auid, if any. 246 */ 247static struct audit_pipe_preselect * 248audit_pipe_preselect_find(struct audit_pipe *ap, au_id_t auid) 249{ 250 struct audit_pipe_preselect *app; 251 252 AUDIT_PIPE_LOCK_ASSERT(ap); 253 254 TAILQ_FOREACH(app, &ap->ap_preselect_list, app_list) { 255 if (app->app_auid == auid) 256 return (app); 257 } 258 return (NULL); 259} 260 261/* 262 * Query the per-pipe mask for a specific auid. 263 */ 264static int 265audit_pipe_preselect_get(struct audit_pipe *ap, au_id_t auid, 266 au_mask_t *maskp) 267{ 268 struct audit_pipe_preselect *app; 269 int error; 270 271 AUDIT_PIPE_LOCK(ap); 272 app = audit_pipe_preselect_find(ap, auid); 273 if (app != NULL) { 274 *maskp = app->app_mask; 275 error = 0; 276 } else 277 error = ENOENT; 278 AUDIT_PIPE_UNLOCK(ap); 279 return (error); 280} 281 282/* 283 * Set the per-pipe mask for a specific auid. Add a new entry if needed; 284 * otherwise, update the current entry. 285 */ 286static void 287audit_pipe_preselect_set(struct audit_pipe *ap, au_id_t auid, au_mask_t mask) 288{ 289 struct audit_pipe_preselect *app, *app_new; 290 291 /* 292 * Pessimistically assume that the auid doesn't already have a mask 293 * set, and allocate. We will free it if it is unneeded. 294 */ 295 app_new = malloc(sizeof(*app_new), M_AUDIT_PIPE_PRESELECT, M_WAITOK); 296 AUDIT_PIPE_LOCK(ap); 297 app = audit_pipe_preselect_find(ap, auid); 298 if (app == NULL) { 299 app = app_new; 300 app_new = NULL; 301 app->app_auid = auid; 302 TAILQ_INSERT_TAIL(&ap->ap_preselect_list, app, app_list); 303 } 304 app->app_mask = mask; 305 AUDIT_PIPE_UNLOCK(ap); 306 if (app_new != NULL) 307 free(app_new, M_AUDIT_PIPE_PRESELECT); 308} 309 310/* 311 * Delete a per-auid mask on an audit pipe. 312 */ 313static int 314audit_pipe_preselect_delete(struct audit_pipe *ap, au_id_t auid) 315{ 316 struct audit_pipe_preselect *app; 317 int error; 318 319 AUDIT_PIPE_LOCK(ap); 320 app = audit_pipe_preselect_find(ap, auid); 321 if (app != NULL) { 322 TAILQ_REMOVE(&ap->ap_preselect_list, app, app_list); 323 error = 0; 324 } else 325 error = ENOENT; 326 AUDIT_PIPE_UNLOCK(ap); 327 if (app != NULL) 328 free(app, M_AUDIT_PIPE_PRESELECT); 329 return (error); 330} 331 332/* 333 * Delete all per-auid masks on an audit pipe. 334 */ 335static void 336audit_pipe_preselect_flush_locked(struct audit_pipe *ap) 337{ 338 struct audit_pipe_preselect *app; 339 340 AUDIT_PIPE_LOCK_ASSERT(ap); 341 342 while ((app = TAILQ_FIRST(&ap->ap_preselect_list)) != NULL) { 343 TAILQ_REMOVE(&ap->ap_preselect_list, app, app_list); 344 free(app, M_AUDIT_PIPE_PRESELECT); 345 } 346} 347 348static void 349audit_pipe_preselect_flush(struct audit_pipe *ap) 350{ 351 352 AUDIT_PIPE_LOCK(ap); 353 audit_pipe_preselect_flush_locked(ap); 354 AUDIT_PIPE_UNLOCK(ap); 355} 356 357/*- 358 * Determine whether a specific audit pipe matches a record with these 359 * properties. Algorithm is as follows: 360 * 361 * - If the pipe is configured to track the default trail configuration, then 362 * use the results of global preselection matching. 363 * - If not, search for a specifically configured auid entry matching the 364 * event. If an entry is found, use that. 365 * - Otherwise, use the default flags or naflags configured for the pipe. 366 */ 367static int 368audit_pipe_preselect_check(struct audit_pipe *ap, au_id_t auid, 369 au_event_t event, au_class_t class, int sorf, int trail_preselect) 370{ 371 struct audit_pipe_preselect *app; 372 373 AUDIT_PIPE_LOCK_ASSERT(ap); 374 375 switch (ap->ap_preselect_mode) { 376 case AUDITPIPE_PRESELECT_MODE_TRAIL: 377 return (trail_preselect); 378 379 case AUDITPIPE_PRESELECT_MODE_LOCAL: 380 app = audit_pipe_preselect_find(ap, auid); 381 if (app == NULL) { 382 if (auid == AU_DEFAUDITID) 383 return (au_preselect(event, class, 384 &ap->ap_preselect_naflags, sorf)); 385 else 386 return (au_preselect(event, class, 387 &ap->ap_preselect_flags, sorf)); 388 } else 389 return (au_preselect(event, class, &app->app_mask, 390 sorf)); 391 392 default: 393 panic("audit_pipe_preselect_check: mode %d", 394 ap->ap_preselect_mode); 395 } 396 397 return (0); 398} 399 400/* 401 * Determine whether there exists a pipe interested in a record with specific 402 * properties. 403 */ 404int 405audit_pipe_preselect(au_id_t auid, au_event_t event, au_class_t class, 406 int sorf, int trail_preselect) 407{ 408 struct audit_pipe *ap; 409 410 AUDIT_PIPE_LIST_RLOCK(); 411 TAILQ_FOREACH(ap, &audit_pipe_list, ap_list) { 412 AUDIT_PIPE_LOCK(ap); 413 if (audit_pipe_preselect_check(ap, auid, event, class, sorf, 414 trail_preselect)) { 415 AUDIT_PIPE_UNLOCK(ap); 416 AUDIT_PIPE_LIST_RUNLOCK(); 417 return (1); 418 } 419 AUDIT_PIPE_UNLOCK(ap); 420 } 421 AUDIT_PIPE_LIST_RUNLOCK(); 422 return (0); 423} 424 425/* 426 * Append individual record to a queue -- allocate queue-local buffer, and 427 * add to the queue. If the queue is full or we can't allocate memory, drop 428 * the newest record. 429 */ 430static void 431audit_pipe_append(struct audit_pipe *ap, void *record, u_int record_len) 432{ 433 struct audit_pipe_entry *ape; 434 435 AUDIT_PIPE_LOCK_ASSERT(ap); 436 437 if (ap->ap_qlen >= ap->ap_qlimit) { 438 ap->ap_drops++; 439 audit_pipe_drops++; 440 return; 441 } 442 443 ape = malloc(sizeof(*ape), M_AUDIT_PIPE_ENTRY, M_NOWAIT | M_ZERO); 444 if (ape == NULL) { 445 ap->ap_drops++; 446 audit_pipe_drops++; 447 return; 448 } 449 450 ape->ape_record = malloc(record_len, M_AUDIT_PIPE_ENTRY, M_NOWAIT); 451 if (ape->ape_record == NULL) { 452 free(ape, M_AUDIT_PIPE_ENTRY); 453 ap->ap_drops++; 454 audit_pipe_drops++; 455 return; 456 } 457 458 bcopy(record, ape->ape_record, record_len); 459 ape->ape_record_len = record_len; 460 461 TAILQ_INSERT_TAIL(&ap->ap_queue, ape, ape_queue); 462 ap->ap_inserts++; 463 ap->ap_qlen++; 464 selwakeuppri(&ap->ap_selinfo, PSOCK); 465 KNOTE_LOCKED(&ap->ap_selinfo.si_note, 0); 466 if (ap->ap_flags & AUDIT_PIPE_ASYNC) 467 pgsigio(&ap->ap_sigio, SIGIO, 0); 468 cv_broadcast(&ap->ap_cv); 469} 470 471/* 472 * audit_pipe_submit(): audit_worker submits audit records via this 473 * interface, which arranges for them to be delivered to pipe queues. 474 */ 475void 476audit_pipe_submit(au_id_t auid, au_event_t event, au_class_t class, int sorf, 477 int trail_select, void *record, u_int record_len) 478{ 479 struct audit_pipe *ap; 480 481 /* 482 * Lockless read to avoid lock overhead if pipes are not in use. 483 */ 484 if (TAILQ_FIRST(&audit_pipe_list) == NULL) 485 return; 486 487 AUDIT_PIPE_LIST_RLOCK(); 488 TAILQ_FOREACH(ap, &audit_pipe_list, ap_list) { 489 AUDIT_PIPE_LOCK(ap); 490 if (audit_pipe_preselect_check(ap, auid, event, class, sorf, 491 trail_select)) 492 audit_pipe_append(ap, record, record_len); 493 AUDIT_PIPE_UNLOCK(ap); 494 } 495 AUDIT_PIPE_LIST_RUNLOCK(); 496 497 /* Unlocked increment. */ 498 audit_pipe_records++; 499} 500 501/* 502 * audit_pipe_submit_user(): the same as audit_pipe_submit(), except that 503 * since we don't currently have selection information available, it is 504 * delivered to the pipe unconditionally. 505 * 506 * XXXRW: This is a bug. The BSM check routine for submitting a user record 507 * should parse that information and return it. 508 */ 509void 510audit_pipe_submit_user(void *record, u_int record_len) 511{ 512 struct audit_pipe *ap; 513 514 /* 515 * Lockless read to avoid lock overhead if pipes are not in use. 516 */ 517 if (TAILQ_FIRST(&audit_pipe_list) == NULL) 518 return; 519 520 AUDIT_PIPE_LIST_RLOCK(); 521 TAILQ_FOREACH(ap, &audit_pipe_list, ap_list) { 522 AUDIT_PIPE_LOCK(ap); 523 audit_pipe_append(ap, record, record_len); 524 AUDIT_PIPE_UNLOCK(ap); 525 } 526 AUDIT_PIPE_LIST_RUNLOCK(); 527 528 /* Unlocked increment. */ 529 audit_pipe_records++; 530} 531 532/* 533 * Pop the next record off of an audit pipe. 534 */ 535static struct audit_pipe_entry * 536audit_pipe_pop(struct audit_pipe *ap) 537{ 538 struct audit_pipe_entry *ape; 539 540 AUDIT_PIPE_LOCK_ASSERT(ap); 541 542 ape = TAILQ_FIRST(&ap->ap_queue); 543 KASSERT((ape == NULL && ap->ap_qlen == 0) || 544 (ape != NULL && ap->ap_qlen != 0), ("audit_pipe_pop: qlen")); 545 if (ape == NULL) 546 return (NULL); 547 TAILQ_REMOVE(&ap->ap_queue, ape, ape_queue); 548 ap->ap_qlen--; 549 return (ape); 550} 551 552/* 553 * Allocate a new audit pipe. Connects the pipe, on success, to the global 554 * list and updates statistics. 555 */ 556static struct audit_pipe * 557audit_pipe_alloc(void) 558{ 559 struct audit_pipe *ap; 560 561 AUDIT_PIPE_LIST_WLOCK_ASSERT(); 562 563 ap = malloc(sizeof(*ap), M_AUDIT_PIPE, M_NOWAIT | M_ZERO); 564 if (ap == NULL) 565 return (NULL); 566 ap->ap_qlimit = AUDIT_PIPE_QLIMIT_DEFAULT; 567 TAILQ_INIT(&ap->ap_queue); 568 knlist_init(&ap->ap_selinfo.si_note, AUDIT_PIPE_MTX(ap), NULL, NULL, 569 NULL); 570 AUDIT_PIPE_LOCK_INIT(ap); 571 cv_init(&ap->ap_cv, "audit_pipe"); 572 573 /* 574 * Default flags, naflags, and auid-specific preselection settings to 575 * 0. Initialize the mode to the global trail so that if praudit(1) 576 * is run on /dev/auditpipe, it sees events associated with the 577 * default trail. Pipe-aware application can clear the flag, set 578 * custom masks, and flush the pipe as needed. 579 */ 580 bzero(&ap->ap_preselect_flags, sizeof(ap->ap_preselect_flags)); 581 bzero(&ap->ap_preselect_naflags, sizeof(ap->ap_preselect_naflags)); 582 TAILQ_INIT(&ap->ap_preselect_list); 583 ap->ap_preselect_mode = AUDITPIPE_PRESELECT_MODE_TRAIL; 584 585 /* 586 * Add to global list and update global statistics. 587 */ 588 TAILQ_INSERT_HEAD(&audit_pipe_list, ap, ap_list); 589 audit_pipe_count++; 590 audit_pipe_ever++; 591 592 return (ap); 593} 594 595/* 596 * Flush all records currently present in an audit pipe; assume mutex is held. 597 */ 598static void 599audit_pipe_flush(struct audit_pipe *ap) 600{ 601 struct audit_pipe_entry *ape; 602 603 AUDIT_PIPE_LOCK_ASSERT(ap); 604 605 while ((ape = TAILQ_FIRST(&ap->ap_queue)) != NULL) { 606 TAILQ_REMOVE(&ap->ap_queue, ape, ape_queue); 607 audit_pipe_entry_free(ape); 608 ap->ap_qlen--; 609 } 610 KASSERT(ap->ap_qlen == 0, ("audit_pipe_free: ap_qlen")); 611} 612 613/* 614 * Free an audit pipe; this means freeing all preselection state and all 615 * records in the pipe. Assumes global write lock and pipe mutex are held to 616 * prevent any new records from being inserted during the free, and that the 617 * audit pipe is still on the global list. 618 */ 619static void 620audit_pipe_free(struct audit_pipe *ap) 621{ 622 623 AUDIT_PIPE_LIST_WLOCK_ASSERT(); 624 AUDIT_PIPE_LOCK_ASSERT(ap); 625 626 audit_pipe_preselect_flush_locked(ap); 627 audit_pipe_flush(ap); 628 cv_destroy(&ap->ap_cv); 629 AUDIT_PIPE_LOCK_DESTROY(ap); 630 knlist_destroy(&ap->ap_selinfo.si_note); 631 TAILQ_REMOVE(&audit_pipe_list, ap, ap_list); 632 free(ap, M_AUDIT_PIPE); 633 audit_pipe_count--; 634} 635 636/* 637 * Audit pipe clone routine -- provide specific requested audit pipe, or a 638 * fresh one if a specific one is not requested. 639 */ 640static void 641audit_pipe_clone(void *arg, struct ucred *cred, char *name, int namelen, 642 struct cdev **dev) 643{ 644 int i, u; 645 646 if (*dev != NULL) 647 return; 648 649 if (strcmp(name, AUDIT_PIPE_NAME) == 0) 650 u = -1; 651 else if (dev_stdclone(name, NULL, AUDIT_PIPE_NAME, &u) != 1) 652 return; 653 654 i = clone_create(&audit_pipe_clones, &audit_pipe_cdevsw, &u, dev, 0); 655 if (i) { 656 *dev = make_dev(&audit_pipe_cdevsw, u, UID_ROOT, 657 GID_WHEEL, 0600, "%s%d", AUDIT_PIPE_NAME, u); 658 if (*dev != NULL) { 659 dev_ref(*dev); 660 (*dev)->si_flags |= SI_CHEAPCLONE; 661 } 662 } 663} 664 665/* 666 * Audit pipe open method. Explicit privilege check isn't used as this 667 * allows file permissions on the special device to be used to grant audit 668 * review access. Those file permissions should be managed carefully. 669 */ 670static int 671audit_pipe_open(struct cdev *dev, int oflags, int devtype, struct thread *td) 672{ 673 struct audit_pipe *ap; 674 675 AUDIT_PIPE_LIST_WLOCK(); 676 ap = dev->si_drv1; 677 if (ap == NULL) { 678 ap = audit_pipe_alloc(); 679 if (ap == NULL) { 680 AUDIT_PIPE_LIST_WUNLOCK(); 681 return (ENOMEM); 682 } 683 dev->si_drv1 = ap; 684 } else { 685 KASSERT(ap->ap_open, ("audit_pipe_open: ap && !ap_open")); 686 AUDIT_PIPE_LIST_WUNLOCK(); 687 return (EBUSY); 688 } 689 ap->ap_open = 1; /* No lock required yet. */ 690 AUDIT_PIPE_LIST_WUNLOCK(); 691 fsetown(td->td_proc->p_pid, &ap->ap_sigio); 692 return (0); 693} 694 695/* 696 * Close audit pipe, tear down all records, etc. 697 */ 698static int 699audit_pipe_close(struct cdev *dev, int fflag, int devtype, struct thread *td) 700{ 701 struct audit_pipe *ap; 702 703 ap = dev->si_drv1; 704 KASSERT(ap != NULL, ("audit_pipe_close: ap == NULL")); 705 KASSERT(ap->ap_open, ("audit_pipe_close: !ap_open")); 706 707 funsetown(&ap->ap_sigio); 708 AUDIT_PIPE_LIST_WLOCK(); 709 AUDIT_PIPE_LOCK(ap); 710 ap->ap_open = 0; 711 audit_pipe_free(ap); 712 dev->si_drv1 = NULL; 713 AUDIT_PIPE_LIST_WUNLOCK(); 714 return (0); 715} 716 717/* 718 * Audit pipe ioctl() routine. Handle file descriptor and audit pipe layer 719 * commands. 720 * 721 * Would be desirable to support filtering, although perhaps something simple 722 * like an event mask, as opposed to something complicated like BPF. 723 */ 724static int 725audit_pipe_ioctl(struct cdev *dev, u_long cmd, caddr_t data, int flag, 726 struct thread *td) 727{ 728 struct auditpipe_ioctl_preselect *aip; 729 struct audit_pipe *ap; 730 au_mask_t *maskp; 731 int error, mode; 732 au_id_t auid; 733 734 ap = dev->si_drv1; 735 KASSERT(ap != NULL, ("audit_pipe_ioctl: ap == NULL")); 736 737 /* 738 * Audit pipe ioctls: first come standard device node ioctls, then 739 * manipulation of pipe settings, and finally, statistics query 740 * ioctls. 741 */ 742 switch (cmd) { 743 case FIONBIO: 744 AUDIT_PIPE_LOCK(ap); 745 if (*(int *)data) 746 ap->ap_flags |= AUDIT_PIPE_NBIO; 747 else 748 ap->ap_flags &= ~AUDIT_PIPE_NBIO; 749 AUDIT_PIPE_UNLOCK(ap); 750 error = 0; 751 break; 752 753 case FIONREAD: 754 AUDIT_PIPE_LOCK(ap); 755 if (TAILQ_FIRST(&ap->ap_queue) != NULL) 756 *(int *)data = 757 TAILQ_FIRST(&ap->ap_queue)->ape_record_len; 758 else 759 *(int *)data = 0; 760 AUDIT_PIPE_UNLOCK(ap); 761 error = 0; 762 break; 763 764 case FIOASYNC: 765 AUDIT_PIPE_LOCK(ap); 766 if (*(int *)data) 767 ap->ap_flags |= AUDIT_PIPE_ASYNC; 768 else 769 ap->ap_flags &= ~AUDIT_PIPE_ASYNC; 770 AUDIT_PIPE_UNLOCK(ap); 771 error = 0; 772 break; 773 774 case FIOSETOWN: 775 error = fsetown(*(int *)data, &ap->ap_sigio); 776 break; 777 778 case FIOGETOWN: 779 *(int *)data = fgetown(&ap->ap_sigio); 780 error = 0; 781 break; 782 783 case AUDITPIPE_GET_QLEN: 784 *(u_int *)data = ap->ap_qlen; 785 error = 0; 786 break; 787 788 case AUDITPIPE_GET_QLIMIT: 789 *(u_int *)data = ap->ap_qlimit; 790 error = 0; 791 break; 792 793 case AUDITPIPE_SET_QLIMIT: 794 /* Lockless integer write. */ 795 if (*(u_int *)data >= AUDIT_PIPE_QLIMIT_MIN || 796 *(u_int *)data <= AUDIT_PIPE_QLIMIT_MAX) { 797 ap->ap_qlimit = *(u_int *)data; 798 error = 0; 799 } else 800 error = EINVAL; 801 break; 802 803 case AUDITPIPE_GET_QLIMIT_MIN: 804 *(u_int *)data = AUDIT_PIPE_QLIMIT_MIN; 805 error = 0; 806 break; 807 808 case AUDITPIPE_GET_QLIMIT_MAX: 809 *(u_int *)data = AUDIT_PIPE_QLIMIT_MAX; 810 error = 0; 811 break; 812 813 case AUDITPIPE_GET_PRESELECT_FLAGS: 814 AUDIT_PIPE_LOCK(ap); 815 maskp = (au_mask_t *)data; 816 *maskp = ap->ap_preselect_flags; 817 AUDIT_PIPE_UNLOCK(ap); 818 error = 0; 819 break; 820 821 case AUDITPIPE_SET_PRESELECT_FLAGS: 822 AUDIT_PIPE_LOCK(ap); 823 maskp = (au_mask_t *)data; 824 ap->ap_preselect_flags = *maskp; 825 AUDIT_PIPE_UNLOCK(ap); 826 error = 0; 827 break; 828 829 case AUDITPIPE_GET_PRESELECT_NAFLAGS: 830 AUDIT_PIPE_LOCK(ap); 831 maskp = (au_mask_t *)data; 832 *maskp = ap->ap_preselect_naflags; 833 AUDIT_PIPE_UNLOCK(ap); 834 error = 0; 835 break; 836 837 case AUDITPIPE_SET_PRESELECT_NAFLAGS: 838 AUDIT_PIPE_LOCK(ap); 839 maskp = (au_mask_t *)data; 840 ap->ap_preselect_naflags = *maskp; 841 AUDIT_PIPE_UNLOCK(ap); 842 error = 0; 843 break; 844 845 case AUDITPIPE_GET_PRESELECT_AUID: 846 aip = (struct auditpipe_ioctl_preselect *)data; 847 error = audit_pipe_preselect_get(ap, aip->aip_auid, 848 &aip->aip_mask); 849 break; 850 851 case AUDITPIPE_SET_PRESELECT_AUID: 852 aip = (struct auditpipe_ioctl_preselect *)data; 853 audit_pipe_preselect_set(ap, aip->aip_auid, aip->aip_mask); 854 error = 0; 855 break; 856 857 case AUDITPIPE_DELETE_PRESELECT_AUID: 858 auid = *(au_id_t *)data; 859 error = audit_pipe_preselect_delete(ap, auid); 860 break; 861 862 case AUDITPIPE_FLUSH_PRESELECT_AUID: 863 audit_pipe_preselect_flush(ap); 864 error = 0; 865 break; 866 867 case AUDITPIPE_GET_PRESELECT_MODE: 868 AUDIT_PIPE_LOCK(ap); 869 *(int *)data = ap->ap_preselect_mode; 870 AUDIT_PIPE_UNLOCK(ap); 871 error = 0; 872 break; 873 874 case AUDITPIPE_SET_PRESELECT_MODE: 875 mode = *(int *)data; 876 switch (mode) { 877 case AUDITPIPE_PRESELECT_MODE_TRAIL: 878 case AUDITPIPE_PRESELECT_MODE_LOCAL: 879 AUDIT_PIPE_LOCK(ap); 880 ap->ap_preselect_mode = mode; 881 AUDIT_PIPE_UNLOCK(ap); 882 error = 0; 883 break; 884 885 default: 886 error = EINVAL; 887 } 888 break; 889 890 case AUDITPIPE_FLUSH: 891 AUDIT_PIPE_LOCK(ap); 892 audit_pipe_flush(ap); 893 AUDIT_PIPE_UNLOCK(ap); 894 error = 0; 895 break; 896 897 case AUDITPIPE_GET_MAXAUDITDATA: 898 *(u_int *)data = MAXAUDITDATA; 899 error = 0; 900 break; 901 902 case AUDITPIPE_GET_INSERTS: 903 *(u_int *)data = ap->ap_inserts; 904 error = 0; 905 break; 906 907 case AUDITPIPE_GET_READS: 908 *(u_int *)data = ap->ap_reads; 909 error = 0; 910 break; 911 912 case AUDITPIPE_GET_DROPS: 913 *(u_int *)data = ap->ap_drops; 914 error = 0; 915 break; 916 917 case AUDITPIPE_GET_TRUNCATES: 918 *(u_int *)data = ap->ap_truncates; 919 error = 0; 920 break; 921 922 default: 923 error = ENOTTY; 924 } 925 return (error); 926} 927 928/* 929 * Audit pipe read. Pull one record off the queue and copy to user space. 930 * On error, the record is dropped. 931 * 932 * Providing more sophisticated behavior, such as partial reads, is tricky 933 * due to the potential for parallel I/O. If partial read support is 934 * required, it will require a per-pipe "current record being read" along 935 * with an offset into that trecord which has already been read. Threads 936 * performing partial reads will need to allocate per-thread copies of the 937 * data so that if another thread completes the read of the record, it can be 938 * freed without adding reference count logic. If this is added, a flag to 939 * indicate that only atomic record reads are desired would be useful, as if 940 * different threads are all waiting for records on the pipe, they will want 941 * independent record reads, which is currently the behavior. 942 */ 943static int 944audit_pipe_read(struct cdev *dev, struct uio *uio, int flag) 945{ 946 struct audit_pipe_entry *ape; 947 struct audit_pipe *ap; 948 int error; 949 950 ap = dev->si_drv1; 951 KASSERT(ap != NULL, ("audit_pipe_read: ap == NULL")); 952 953 AUDIT_PIPE_LOCK(ap); 954 do { 955 /* 956 * Wait for a record that fits into the read buffer, dropping 957 * records that would be truncated if actually passed to the 958 * process. This helps maintain the discreet record read 959 * interface. 960 */ 961 while ((ape = audit_pipe_pop(ap)) == NULL) { 962 if (ap->ap_flags & AUDIT_PIPE_NBIO) { 963 AUDIT_PIPE_UNLOCK(ap); 964 return (EAGAIN); 965 } 966 error = cv_wait_sig(&ap->ap_cv, AUDIT_PIPE_MTX(ap)); 967 if (error) { 968 AUDIT_PIPE_UNLOCK(ap); 969 return (error); 970 } 971 } 972 if (ape->ape_record_len <= uio->uio_resid) 973 break; 974 audit_pipe_entry_free(ape); 975 ap->ap_truncates++; 976 } while (1); 977 ap->ap_reads++; 978 AUDIT_PIPE_UNLOCK(ap); 979 980 /* 981 * Now read record to user space memory. Even if the read is short, 982 * we abandon the remainder of the record, supporting only discreet 983 * record reads. 984 */ 985 error = uiomove(ape->ape_record, ape->ape_record_len, uio); 986 audit_pipe_entry_free(ape); 987 return (error); 988} 989 990/* 991 * Audit pipe poll. 992 */ 993static int 994audit_pipe_poll(struct cdev *dev, int events, struct thread *td) 995{ 996 struct audit_pipe *ap; 997 int revents; 998 999 revents = 0; 1000 ap = dev->si_drv1; 1001 KASSERT(ap != NULL, ("audit_pipe_poll: ap == NULL")); 1002 1003 if (events & (POLLIN | POLLRDNORM)) { 1004 AUDIT_PIPE_LOCK(ap); 1005 if (TAILQ_FIRST(&ap->ap_queue) != NULL) 1006 revents |= events & (POLLIN | POLLRDNORM); 1007 else 1008 selrecord(td, &ap->ap_selinfo); 1009 AUDIT_PIPE_UNLOCK(ap); 1010 } 1011 return (revents); 1012} 1013 1014/* 1015 * Audit pipe kqfilter. 1016 */ 1017static int 1018audit_pipe_kqfilter(struct cdev *dev, struct knote *kn) 1019{ 1020 struct audit_pipe *ap; 1021 1022 ap = dev->si_drv1; 1023 KASSERT(ap != NULL, ("audit_pipe_kqfilter: ap == NULL")); 1024 1025 if (kn->kn_filter != EVFILT_READ) 1026 return (EINVAL); 1027 1028 kn->kn_fop = &audit_pipe_read_filterops; 1029 kn->kn_hook = ap; 1030 1031 AUDIT_PIPE_LOCK(ap); 1032 knlist_add(&ap->ap_selinfo.si_note, kn, 1); 1033 AUDIT_PIPE_UNLOCK(ap); 1034 return (0); 1035} 1036 1037/* 1038 * Return true if there are records available for reading on the pipe. 1039 */ 1040static int 1041audit_pipe_kqread(struct knote *kn, long hint) 1042{ 1043 struct audit_pipe_entry *ape; 1044 struct audit_pipe *ap; 1045 1046 ap = (struct audit_pipe *)kn->kn_hook; 1047 KASSERT(ap != NULL, ("audit_pipe_kqread: ap == NULL")); 1048 1049 AUDIT_PIPE_LOCK_ASSERT(ap); 1050 1051 if (ap->ap_qlen != 0) { 1052 ape = TAILQ_FIRST(&ap->ap_queue); 1053 KASSERT(ape != NULL, ("audit_pipe_kqread: ape == NULL")); 1054 1055 kn->kn_data = ape->ape_record_len; 1056 return (1); 1057 } else { 1058 kn->kn_data = 0; 1059 return (0); 1060 } 1061} 1062 1063/* 1064 * Detach kqueue state from audit pipe. 1065 */ 1066static void 1067audit_pipe_kqdetach(struct knote *kn) 1068{ 1069 struct audit_pipe *ap; 1070 1071 ap = (struct audit_pipe *)kn->kn_hook; 1072 KASSERT(ap != NULL, ("audit_pipe_kqdetach: ap == NULL")); 1073 1074 AUDIT_PIPE_LOCK(ap); 1075 knlist_remove(&ap->ap_selinfo.si_note, kn, 1); 1076 AUDIT_PIPE_UNLOCK(ap); 1077} 1078 1079/* 1080 * Initialize the audit pipe system. 1081 */ 1082static void 1083audit_pipe_init(void *unused) 1084{ 1085 1086 TAILQ_INIT(&audit_pipe_list); 1087 AUDIT_PIPE_LIST_LOCK_INIT(); 1088 1089 clone_setup(&audit_pipe_clones); 1090 audit_pipe_eh_tag = EVENTHANDLER_REGISTER(dev_clone, 1091 audit_pipe_clone, 0, 1000); 1092 if (audit_pipe_eh_tag == NULL) 1093 panic("audit_pipe_init: EVENTHANDLER_REGISTER"); 1094} 1095 1096SYSINIT(audit_pipe_init, SI_SUB_DRIVERS, SI_ORDER_MIDDLE, audit_pipe_init, 1097 NULL); 1098