audit_pipe.c revision 184508
1/*- 2 * Copyright (c) 2006 Robert N. M. Watson 3 * Copyright (c) 2008 Apple, Inc. 4 * All rights reserved. 5 * 6 * This software was developed by Robert Watson for the TrustedBSD Project. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 27 * SUCH DAMAGE. 28 */ 29 30#include <sys/cdefs.h> 31__FBSDID("$FreeBSD: head/sys/security/audit/audit_pipe.c 184508 2008-10-31 14:40:21Z rwatson $"); 32 33#include <sys/param.h> 34#include <sys/condvar.h> 35#include <sys/conf.h> 36#include <sys/eventhandler.h> 37#include <sys/filio.h> 38#include <sys/kernel.h> 39#include <sys/lock.h> 40#include <sys/malloc.h> 41#include <sys/mutex.h> 42#include <sys/poll.h> 43#include <sys/proc.h> 44#include <sys/queue.h> 45#include <sys/rwlock.h> 46#include <sys/selinfo.h> 47#include <sys/sigio.h> 48#include <sys/signal.h> 49#include <sys/signalvar.h> 50#include <sys/sx.h> 51#include <sys/systm.h> 52#include <sys/uio.h> 53 54#include <security/audit/audit.h> 55#include <security/audit/audit_ioctl.h> 56#include <security/audit/audit_private.h> 57 58/* 59 * Implementation of a clonable special device providing a live stream of BSM 60 * audit data. This is a "tee" of the data going to the file. It provides 61 * unreliable but timely access to audit events. Consumers of this interface 62 * should be very careful to avoid introducing event cycles. Consumers may 63 * express interest via a set of preselection ioctls. 64 */ 65 66/* 67 * Memory types. 68 */ 69static MALLOC_DEFINE(M_AUDIT_PIPE, "audit_pipe", "Audit pipes"); 70static MALLOC_DEFINE(M_AUDIT_PIPE_ENTRY, "audit_pipeent", 71 "Audit pipe entries and buffers"); 72static MALLOC_DEFINE(M_AUDIT_PIPE_PRESELECT, "audit_pipe_presel", 73 "Audit pipe preselection structure"); 74 75/* 76 * Audit pipe buffer parameters. 77 */ 78#define AUDIT_PIPE_QLIMIT_DEFAULT (128) 79#define AUDIT_PIPE_QLIMIT_MIN (0) 80#define AUDIT_PIPE_QLIMIT_MAX (1024) 81 82/* 83 * Description of an entry in an audit_pipe. 84 */ 85struct audit_pipe_entry { 86 void *ape_record; 87 u_int ape_record_len; 88 u_int ape_record_offset; 89 TAILQ_ENTRY(audit_pipe_entry) ape_queue; 90}; 91 92/* 93 * Audit pipes allow processes to express "interest" in the set of records 94 * that are delivered via the pipe. They do this in a similar manner to the 95 * mechanism for audit trail configuration, by expressing two global masks, 96 * and optionally expressing per-auid masks. The following data structure is 97 * the per-auid mask description. The global state is stored in the audit 98 * pipe data structure. 99 * 100 * We may want to consider a more space/time-efficient data structure once 101 * usage patterns for per-auid specifications are clear. 102 */ 103struct audit_pipe_preselect { 104 au_id_t app_auid; 105 au_mask_t app_mask; 106 TAILQ_ENTRY(audit_pipe_preselect) app_list; 107}; 108 109/* 110 * Description of an individual audit_pipe. Consists largely of a bounded 111 * length queue. 112 */ 113#define AUDIT_PIPE_ASYNC 0x00000001 114#define AUDIT_PIPE_NBIO 0x00000002 115struct audit_pipe { 116 int ap_open; /* Device open? */ 117 u_int ap_flags; 118 119 struct selinfo ap_selinfo; 120 struct sigio *ap_sigio; 121 122 /* 123 * Per-pipe mutex protecting most fields in this data structure. 124 */ 125 struct mtx ap_mtx; 126 127 /* 128 * Per-pipe sleep lock serializing user-generated reads and flushes. 129 * uiomove() is called to copy out the current head record's data 130 * while the record remains in the queue, so we prevent other threads 131 * from removing it using this lock. 132 */ 133 struct sx ap_sx; 134 135 /* 136 * Condition variable to signal when data has been delivered to a 137 * pipe. 138 */ 139 struct cv ap_cv; 140 141 u_int ap_qlen; 142 u_int ap_qlimit; 143 144 u_int64_t ap_inserts; /* Records added. */ 145 u_int64_t ap_reads; /* Records read. */ 146 u_int64_t ap_drops; /* Records dropped. */ 147 u_int64_t ap_truncates; /* Records too long. */ 148 149 /* 150 * Fields relating to pipe interest: global masks for unmatched 151 * processes (attributable, non-attributable), and a list of specific 152 * interest specifications by auid. 153 */ 154 int ap_preselect_mode; 155 au_mask_t ap_preselect_flags; 156 au_mask_t ap_preselect_naflags; 157 TAILQ_HEAD(, audit_pipe_preselect) ap_preselect_list; 158 159 /* 160 * Current pending record list. Protected by a combination of ap_mtx 161 * and ap_sx. Note particularly that *both* locks are required to 162 * remove a record from the head of the queue, as an in-progress read * may sleep while copying and therefore cannot hold ap_mtx. 163 */ 164 TAILQ_HEAD(, audit_pipe_entry) ap_queue; 165 166 /* 167 * Global pipe list. 168 */ 169 TAILQ_ENTRY(audit_pipe) ap_list; 170}; 171 172#define AUDIT_PIPE_LOCK(ap) mtx_lock(&(ap)->ap_mtx) 173#define AUDIT_PIPE_LOCK_ASSERT(ap) mtx_assert(&(ap)->ap_mtx, MA_OWNED) 174#define AUDIT_PIPE_LOCK_DESTROY(ap) mtx_destroy(&(ap)->ap_mtx) 175#define AUDIT_PIPE_LOCK_INIT(ap) mtx_init(&(ap)->ap_mtx, \ 176 "audit_pipe_mtx", NULL, MTX_DEF) 177#define AUDIT_PIPE_UNLOCK(ap) mtx_unlock(&(ap)->ap_mtx) 178#define AUDIT_PIPE_MTX(ap) (&(ap)->ap_mtx) 179 180#define AUDIT_PIPE_SX_LOCK_DESTROY(ap) sx_destroy(&(ap)->ap_sx) 181#define AUDIT_PIPE_SX_LOCK_INIT(ap) sx_init(&(ap)->ap_sx, "audit_pipe_sx") 182#define AUDIT_PIPE_SX_XLOCK_ASSERT(ap) sx_assert(&(ap)->ap_sx, SA_XLOCKED) 183#define AUDIT_PIPE_SX_XLOCK_SIG(ap) sx_xlock_sig(&(ap)->ap_sx) 184#define AUDIT_PIPE_SX_XUNLOCK(ap) sx_xunlock(&(ap)->ap_sx) 185 186/* 187 * Global list of audit pipes, rwlock to protect it. Individual record 188 * queues on pipes are protected by per-pipe locks; these locks synchronize 189 * between threads walking the list to deliver to individual pipes and add/ 190 * remove of pipes, and are mostly acquired for read. 191 */ 192static TAILQ_HEAD(, audit_pipe) audit_pipe_list; 193static struct rwlock audit_pipe_lock; 194 195#define AUDIT_PIPE_LIST_LOCK_INIT() rw_init(&audit_pipe_lock, \ 196 "audit_pipe_list_lock") 197#define AUDIT_PIPE_LIST_RLOCK() rw_rlock(&audit_pipe_lock) 198#define AUDIT_PIPE_LIST_RUNLOCK() rw_runlock(&audit_pipe_lock) 199#define AUDIT_PIPE_LIST_WLOCK() rw_wlock(&audit_pipe_lock) 200#define AUDIT_PIPE_LIST_WLOCK_ASSERT() rw_assert(&audit_pipe_lock, \ 201 RA_WLOCKED) 202#define AUDIT_PIPE_LIST_WUNLOCK() rw_wunlock(&audit_pipe_lock) 203 204/* 205 * Cloning related variables and constants. 206 */ 207#define AUDIT_PIPE_NAME "auditpipe" 208static eventhandler_tag audit_pipe_eh_tag; 209static struct clonedevs *audit_pipe_clones; 210 211/* 212 * Special device methods and definition. 213 */ 214static d_open_t audit_pipe_open; 215static d_close_t audit_pipe_close; 216static d_read_t audit_pipe_read; 217static d_ioctl_t audit_pipe_ioctl; 218static d_poll_t audit_pipe_poll; 219static d_kqfilter_t audit_pipe_kqfilter; 220 221static struct cdevsw audit_pipe_cdevsw = { 222 .d_version = D_VERSION, 223 .d_flags = D_PSEUDO | D_NEEDGIANT | D_NEEDMINOR, 224 .d_open = audit_pipe_open, 225 .d_close = audit_pipe_close, 226 .d_read = audit_pipe_read, 227 .d_ioctl = audit_pipe_ioctl, 228 .d_poll = audit_pipe_poll, 229 .d_kqfilter = audit_pipe_kqfilter, 230 .d_name = AUDIT_PIPE_NAME, 231}; 232 233static int audit_pipe_kqread(struct knote *note, long hint); 234static void audit_pipe_kqdetach(struct knote *note); 235 236static struct filterops audit_pipe_read_filterops = { 237 .f_isfd = 1, 238 .f_attach = NULL, 239 .f_detach = audit_pipe_kqdetach, 240 .f_event = audit_pipe_kqread, 241}; 242 243/* 244 * Some global statistics on audit pipes. 245 */ 246static int audit_pipe_count; /* Current number of pipes. */ 247static u_int64_t audit_pipe_ever; /* Pipes ever allocated. */ 248static u_int64_t audit_pipe_records; /* Records seen. */ 249static u_int64_t audit_pipe_drops; /* Global record drop count. */ 250 251/* 252 * Free an audit pipe entry. 253 */ 254static void 255audit_pipe_entry_free(struct audit_pipe_entry *ape) 256{ 257 258 free(ape->ape_record, M_AUDIT_PIPE_ENTRY); 259 free(ape, M_AUDIT_PIPE_ENTRY); 260} 261 262/* 263 * Find an audit pipe preselection specification for an auid, if any. 264 */ 265static struct audit_pipe_preselect * 266audit_pipe_preselect_find(struct audit_pipe *ap, au_id_t auid) 267{ 268 struct audit_pipe_preselect *app; 269 270 AUDIT_PIPE_LOCK_ASSERT(ap); 271 272 TAILQ_FOREACH(app, &ap->ap_preselect_list, app_list) { 273 if (app->app_auid == auid) 274 return (app); 275 } 276 return (NULL); 277} 278 279/* 280 * Query the per-pipe mask for a specific auid. 281 */ 282static int 283audit_pipe_preselect_get(struct audit_pipe *ap, au_id_t auid, 284 au_mask_t *maskp) 285{ 286 struct audit_pipe_preselect *app; 287 int error; 288 289 AUDIT_PIPE_LOCK(ap); 290 app = audit_pipe_preselect_find(ap, auid); 291 if (app != NULL) { 292 *maskp = app->app_mask; 293 error = 0; 294 } else 295 error = ENOENT; 296 AUDIT_PIPE_UNLOCK(ap); 297 return (error); 298} 299 300/* 301 * Set the per-pipe mask for a specific auid. Add a new entry if needed; 302 * otherwise, update the current entry. 303 */ 304static void 305audit_pipe_preselect_set(struct audit_pipe *ap, au_id_t auid, au_mask_t mask) 306{ 307 struct audit_pipe_preselect *app, *app_new; 308 309 /* 310 * Pessimistically assume that the auid doesn't already have a mask 311 * set, and allocate. We will free it if it is unneeded. 312 */ 313 app_new = malloc(sizeof(*app_new), M_AUDIT_PIPE_PRESELECT, M_WAITOK); 314 AUDIT_PIPE_LOCK(ap); 315 app = audit_pipe_preselect_find(ap, auid); 316 if (app == NULL) { 317 app = app_new; 318 app_new = NULL; 319 app->app_auid = auid; 320 TAILQ_INSERT_TAIL(&ap->ap_preselect_list, app, app_list); 321 } 322 app->app_mask = mask; 323 AUDIT_PIPE_UNLOCK(ap); 324 if (app_new != NULL) 325 free(app_new, M_AUDIT_PIPE_PRESELECT); 326} 327 328/* 329 * Delete a per-auid mask on an audit pipe. 330 */ 331static int 332audit_pipe_preselect_delete(struct audit_pipe *ap, au_id_t auid) 333{ 334 struct audit_pipe_preselect *app; 335 int error; 336 337 AUDIT_PIPE_LOCK(ap); 338 app = audit_pipe_preselect_find(ap, auid); 339 if (app != NULL) { 340 TAILQ_REMOVE(&ap->ap_preselect_list, app, app_list); 341 error = 0; 342 } else 343 error = ENOENT; 344 AUDIT_PIPE_UNLOCK(ap); 345 if (app != NULL) 346 free(app, M_AUDIT_PIPE_PRESELECT); 347 return (error); 348} 349 350/* 351 * Delete all per-auid masks on an audit pipe. 352 */ 353static void 354audit_pipe_preselect_flush_locked(struct audit_pipe *ap) 355{ 356 struct audit_pipe_preselect *app; 357 358 AUDIT_PIPE_LOCK_ASSERT(ap); 359 360 while ((app = TAILQ_FIRST(&ap->ap_preselect_list)) != NULL) { 361 TAILQ_REMOVE(&ap->ap_preselect_list, app, app_list); 362 free(app, M_AUDIT_PIPE_PRESELECT); 363 } 364} 365 366static void 367audit_pipe_preselect_flush(struct audit_pipe *ap) 368{ 369 370 AUDIT_PIPE_LOCK(ap); 371 audit_pipe_preselect_flush_locked(ap); 372 AUDIT_PIPE_UNLOCK(ap); 373} 374 375/*- 376 * Determine whether a specific audit pipe matches a record with these 377 * properties. Algorithm is as follows: 378 * 379 * - If the pipe is configured to track the default trail configuration, then 380 * use the results of global preselection matching. 381 * - If not, search for a specifically configured auid entry matching the 382 * event. If an entry is found, use that. 383 * - Otherwise, use the default flags or naflags configured for the pipe. 384 */ 385static int 386audit_pipe_preselect_check(struct audit_pipe *ap, au_id_t auid, 387 au_event_t event, au_class_t class, int sorf, int trail_preselect) 388{ 389 struct audit_pipe_preselect *app; 390 391 AUDIT_PIPE_LOCK_ASSERT(ap); 392 393 switch (ap->ap_preselect_mode) { 394 case AUDITPIPE_PRESELECT_MODE_TRAIL: 395 return (trail_preselect); 396 397 case AUDITPIPE_PRESELECT_MODE_LOCAL: 398 app = audit_pipe_preselect_find(ap, auid); 399 if (app == NULL) { 400 if (auid == AU_DEFAUDITID) 401 return (au_preselect(event, class, 402 &ap->ap_preselect_naflags, sorf)); 403 else 404 return (au_preselect(event, class, 405 &ap->ap_preselect_flags, sorf)); 406 } else 407 return (au_preselect(event, class, &app->app_mask, 408 sorf)); 409 410 default: 411 panic("audit_pipe_preselect_check: mode %d", 412 ap->ap_preselect_mode); 413 } 414 415 return (0); 416} 417 418/* 419 * Determine whether there exists a pipe interested in a record with specific 420 * properties. 421 */ 422int 423audit_pipe_preselect(au_id_t auid, au_event_t event, au_class_t class, 424 int sorf, int trail_preselect) 425{ 426 struct audit_pipe *ap; 427 428 AUDIT_PIPE_LIST_RLOCK(); 429 TAILQ_FOREACH(ap, &audit_pipe_list, ap_list) { 430 AUDIT_PIPE_LOCK(ap); 431 if (audit_pipe_preselect_check(ap, auid, event, class, sorf, 432 trail_preselect)) { 433 AUDIT_PIPE_UNLOCK(ap); 434 AUDIT_PIPE_LIST_RUNLOCK(); 435 return (1); 436 } 437 AUDIT_PIPE_UNLOCK(ap); 438 } 439 AUDIT_PIPE_LIST_RUNLOCK(); 440 return (0); 441} 442 443/* 444 * Append individual record to a queue -- allocate queue-local buffer, and 445 * add to the queue. If the queue is full or we can't allocate memory, drop 446 * the newest record. 447 */ 448static void 449audit_pipe_append(struct audit_pipe *ap, void *record, u_int record_len) 450{ 451 struct audit_pipe_entry *ape; 452 453 AUDIT_PIPE_LOCK_ASSERT(ap); 454 455 if (ap->ap_qlen >= ap->ap_qlimit) { 456 ap->ap_drops++; 457 audit_pipe_drops++; 458 return; 459 } 460 461 ape = malloc(sizeof(*ape), M_AUDIT_PIPE_ENTRY, M_NOWAIT | M_ZERO); 462 if (ape == NULL) { 463 ap->ap_drops++; 464 audit_pipe_drops++; 465 return; 466 } 467 468 ape->ape_record = malloc(record_len, M_AUDIT_PIPE_ENTRY, M_NOWAIT); 469 if (ape->ape_record == NULL) { 470 free(ape, M_AUDIT_PIPE_ENTRY); 471 ap->ap_drops++; 472 audit_pipe_drops++; 473 return; 474 } 475 476 bcopy(record, ape->ape_record, record_len); 477 ape->ape_record_len = record_len; 478 ape->ape_record_offset = 0; 479 480 TAILQ_INSERT_TAIL(&ap->ap_queue, ape, ape_queue); 481 ap->ap_inserts++; 482 ap->ap_qlen++; 483 selwakeuppri(&ap->ap_selinfo, PSOCK); 484 KNOTE_LOCKED(&ap->ap_selinfo.si_note, 0); 485 if (ap->ap_flags & AUDIT_PIPE_ASYNC) 486 pgsigio(&ap->ap_sigio, SIGIO, 0); 487 cv_broadcast(&ap->ap_cv); 488} 489 490/* 491 * audit_pipe_submit(): audit_worker submits audit records via this 492 * interface, which arranges for them to be delivered to pipe queues. 493 */ 494void 495audit_pipe_submit(au_id_t auid, au_event_t event, au_class_t class, int sorf, 496 int trail_select, void *record, u_int record_len) 497{ 498 struct audit_pipe *ap; 499 500 /* 501 * Lockless read to avoid lock overhead if pipes are not in use. 502 */ 503 if (TAILQ_FIRST(&audit_pipe_list) == NULL) 504 return; 505 506 AUDIT_PIPE_LIST_RLOCK(); 507 TAILQ_FOREACH(ap, &audit_pipe_list, ap_list) { 508 AUDIT_PIPE_LOCK(ap); 509 if (audit_pipe_preselect_check(ap, auid, event, class, sorf, 510 trail_select)) 511 audit_pipe_append(ap, record, record_len); 512 AUDIT_PIPE_UNLOCK(ap); 513 } 514 AUDIT_PIPE_LIST_RUNLOCK(); 515 516 /* Unlocked increment. */ 517 audit_pipe_records++; 518} 519 520/* 521 * audit_pipe_submit_user(): the same as audit_pipe_submit(), except that 522 * since we don't currently have selection information available, it is 523 * delivered to the pipe unconditionally. 524 * 525 * XXXRW: This is a bug. The BSM check routine for submitting a user record 526 * should parse that information and return it. 527 */ 528void 529audit_pipe_submit_user(void *record, u_int record_len) 530{ 531 struct audit_pipe *ap; 532 533 /* 534 * Lockless read to avoid lock overhead if pipes are not in use. 535 */ 536 if (TAILQ_FIRST(&audit_pipe_list) == NULL) 537 return; 538 539 AUDIT_PIPE_LIST_RLOCK(); 540 TAILQ_FOREACH(ap, &audit_pipe_list, ap_list) { 541 AUDIT_PIPE_LOCK(ap); 542 audit_pipe_append(ap, record, record_len); 543 AUDIT_PIPE_UNLOCK(ap); 544 } 545 AUDIT_PIPE_LIST_RUNLOCK(); 546 547 /* Unlocked increment. */ 548 audit_pipe_records++; 549} 550 551/* 552 * Allocate a new audit pipe. Connects the pipe, on success, to the global 553 * list and updates statistics. 554 */ 555static struct audit_pipe * 556audit_pipe_alloc(void) 557{ 558 struct audit_pipe *ap; 559 560 AUDIT_PIPE_LIST_WLOCK_ASSERT(); 561 562 ap = malloc(sizeof(*ap), M_AUDIT_PIPE, M_NOWAIT | M_ZERO); 563 if (ap == NULL) 564 return (NULL); 565 ap->ap_qlimit = AUDIT_PIPE_QLIMIT_DEFAULT; 566 TAILQ_INIT(&ap->ap_queue); 567 knlist_init(&ap->ap_selinfo.si_note, AUDIT_PIPE_MTX(ap), NULL, NULL, 568 NULL); 569 AUDIT_PIPE_LOCK_INIT(ap); 570 AUDIT_PIPE_SX_LOCK_INIT(ap); 571 cv_init(&ap->ap_cv, "audit_pipe"); 572 573 /* 574 * Default flags, naflags, and auid-specific preselection settings to 575 * 0. Initialize the mode to the global trail so that if praudit(1) 576 * is run on /dev/auditpipe, it sees events associated with the 577 * default trail. Pipe-aware application can clear the flag, set 578 * custom masks, and flush the pipe as needed. 579 */ 580 bzero(&ap->ap_preselect_flags, sizeof(ap->ap_preselect_flags)); 581 bzero(&ap->ap_preselect_naflags, sizeof(ap->ap_preselect_naflags)); 582 TAILQ_INIT(&ap->ap_preselect_list); 583 ap->ap_preselect_mode = AUDITPIPE_PRESELECT_MODE_TRAIL; 584 585 /* 586 * Add to global list and update global statistics. 587 */ 588 TAILQ_INSERT_HEAD(&audit_pipe_list, ap, ap_list); 589 audit_pipe_count++; 590 audit_pipe_ever++; 591 592 return (ap); 593} 594 595/* 596 * Flush all records currently present in an audit pipe; assume mutex is held. 597 */ 598static void 599audit_pipe_flush(struct audit_pipe *ap) 600{ 601 struct audit_pipe_entry *ape; 602 603 AUDIT_PIPE_LOCK_ASSERT(ap); 604 605 while ((ape = TAILQ_FIRST(&ap->ap_queue)) != NULL) { 606 TAILQ_REMOVE(&ap->ap_queue, ape, ape_queue); 607 audit_pipe_entry_free(ape); 608 ap->ap_qlen--; 609 } 610 KASSERT(ap->ap_qlen == 0, ("audit_pipe_free: ap_qlen")); 611} 612 613/* 614 * Free an audit pipe; this means freeing all preselection state and all 615 * records in the pipe. Assumes global write lock and pipe mutex are held to 616 * prevent any new records from being inserted during the free, and that the 617 * audit pipe is still on the global list. 618 */ 619static void 620audit_pipe_free(struct audit_pipe *ap) 621{ 622 623 AUDIT_PIPE_LIST_WLOCK_ASSERT(); 624 AUDIT_PIPE_LOCK_ASSERT(ap); 625 626 audit_pipe_preselect_flush_locked(ap); 627 audit_pipe_flush(ap); 628 cv_destroy(&ap->ap_cv); 629 AUDIT_PIPE_SX_LOCK_DESTROY(ap); 630 AUDIT_PIPE_LOCK_DESTROY(ap); 631 knlist_destroy(&ap->ap_selinfo.si_note); 632 TAILQ_REMOVE(&audit_pipe_list, ap, ap_list); 633 free(ap, M_AUDIT_PIPE); 634 audit_pipe_count--; 635} 636 637/* 638 * Audit pipe clone routine -- provide specific requested audit pipe, or a 639 * fresh one if a specific one is not requested. 640 */ 641static void 642audit_pipe_clone(void *arg, struct ucred *cred, char *name, int namelen, 643 struct cdev **dev) 644{ 645 int i, u; 646 647 if (*dev != NULL) 648 return; 649 650 if (strcmp(name, AUDIT_PIPE_NAME) == 0) 651 u = -1; 652 else if (dev_stdclone(name, NULL, AUDIT_PIPE_NAME, &u) != 1) 653 return; 654 655 i = clone_create(&audit_pipe_clones, &audit_pipe_cdevsw, &u, dev, 0); 656 if (i) { 657 *dev = make_dev(&audit_pipe_cdevsw, u, UID_ROOT, 658 GID_WHEEL, 0600, "%s%d", AUDIT_PIPE_NAME, u); 659 if (*dev != NULL) { 660 dev_ref(*dev); 661 (*dev)->si_flags |= SI_CHEAPCLONE; 662 } 663 } 664} 665 666/* 667 * Audit pipe open method. Explicit privilege check isn't used as this 668 * allows file permissions on the special device to be used to grant audit 669 * review access. Those file permissions should be managed carefully. 670 */ 671static int 672audit_pipe_open(struct cdev *dev, int oflags, int devtype, struct thread *td) 673{ 674 struct audit_pipe *ap; 675 676 AUDIT_PIPE_LIST_WLOCK(); 677 ap = dev->si_drv1; 678 if (ap == NULL) { 679 ap = audit_pipe_alloc(); 680 if (ap == NULL) { 681 AUDIT_PIPE_LIST_WUNLOCK(); 682 return (ENOMEM); 683 } 684 dev->si_drv1 = ap; 685 } else { 686 KASSERT(ap->ap_open, ("audit_pipe_open: ap && !ap_open")); 687 AUDIT_PIPE_LIST_WUNLOCK(); 688 return (EBUSY); 689 } 690 ap->ap_open = 1; /* No lock required yet. */ 691 AUDIT_PIPE_LIST_WUNLOCK(); 692 fsetown(td->td_proc->p_pid, &ap->ap_sigio); 693 return (0); 694} 695 696/* 697 * Close audit pipe, tear down all records, etc. 698 */ 699static int 700audit_pipe_close(struct cdev *dev, int fflag, int devtype, struct thread *td) 701{ 702 struct audit_pipe *ap; 703 704 ap = dev->si_drv1; 705 KASSERT(ap != NULL, ("audit_pipe_close: ap == NULL")); 706 KASSERT(ap->ap_open, ("audit_pipe_close: !ap_open")); 707 708 funsetown(&ap->ap_sigio); 709 AUDIT_PIPE_LIST_WLOCK(); 710 AUDIT_PIPE_LOCK(ap); 711 ap->ap_open = 0; 712 audit_pipe_free(ap); 713 dev->si_drv1 = NULL; 714 AUDIT_PIPE_LIST_WUNLOCK(); 715 return (0); 716} 717 718/* 719 * Audit pipe ioctl() routine. Handle file descriptor and audit pipe layer 720 * commands. 721 * 722 * Would be desirable to support filtering, although perhaps something simple 723 * like an event mask, as opposed to something complicated like BPF. 724 */ 725static int 726audit_pipe_ioctl(struct cdev *dev, u_long cmd, caddr_t data, int flag, 727 struct thread *td) 728{ 729 struct auditpipe_ioctl_preselect *aip; 730 struct audit_pipe *ap; 731 au_mask_t *maskp; 732 int error, mode; 733 au_id_t auid; 734 735 ap = dev->si_drv1; 736 KASSERT(ap != NULL, ("audit_pipe_ioctl: ap == NULL")); 737 738 /* 739 * Audit pipe ioctls: first come standard device node ioctls, then 740 * manipulation of pipe settings, and finally, statistics query 741 * ioctls. 742 */ 743 switch (cmd) { 744 case FIONBIO: 745 AUDIT_PIPE_LOCK(ap); 746 if (*(int *)data) 747 ap->ap_flags |= AUDIT_PIPE_NBIO; 748 else 749 ap->ap_flags &= ~AUDIT_PIPE_NBIO; 750 AUDIT_PIPE_UNLOCK(ap); 751 error = 0; 752 break; 753 754 case FIONREAD: 755 AUDIT_PIPE_LOCK(ap); 756 if (TAILQ_FIRST(&ap->ap_queue) != NULL) 757 *(int *)data = 758 TAILQ_FIRST(&ap->ap_queue)->ape_record_len - 759 TAILQ_FIRST(&ap->ap_queue)->ape_record_offset; 760 else 761 *(int *)data = 0; 762 AUDIT_PIPE_UNLOCK(ap); 763 error = 0; 764 break; 765 766 case FIOASYNC: 767 AUDIT_PIPE_LOCK(ap); 768 if (*(int *)data) 769 ap->ap_flags |= AUDIT_PIPE_ASYNC; 770 else 771 ap->ap_flags &= ~AUDIT_PIPE_ASYNC; 772 AUDIT_PIPE_UNLOCK(ap); 773 error = 0; 774 break; 775 776 case FIOSETOWN: 777 error = fsetown(*(int *)data, &ap->ap_sigio); 778 break; 779 780 case FIOGETOWN: 781 *(int *)data = fgetown(&ap->ap_sigio); 782 error = 0; 783 break; 784 785 case AUDITPIPE_GET_QLEN: 786 *(u_int *)data = ap->ap_qlen; 787 error = 0; 788 break; 789 790 case AUDITPIPE_GET_QLIMIT: 791 *(u_int *)data = ap->ap_qlimit; 792 error = 0; 793 break; 794 795 case AUDITPIPE_SET_QLIMIT: 796 /* Lockless integer write. */ 797 if (*(u_int *)data >= AUDIT_PIPE_QLIMIT_MIN || 798 *(u_int *)data <= AUDIT_PIPE_QLIMIT_MAX) { 799 ap->ap_qlimit = *(u_int *)data; 800 error = 0; 801 } else 802 error = EINVAL; 803 break; 804 805 case AUDITPIPE_GET_QLIMIT_MIN: 806 *(u_int *)data = AUDIT_PIPE_QLIMIT_MIN; 807 error = 0; 808 break; 809 810 case AUDITPIPE_GET_QLIMIT_MAX: 811 *(u_int *)data = AUDIT_PIPE_QLIMIT_MAX; 812 error = 0; 813 break; 814 815 case AUDITPIPE_GET_PRESELECT_FLAGS: 816 AUDIT_PIPE_LOCK(ap); 817 maskp = (au_mask_t *)data; 818 *maskp = ap->ap_preselect_flags; 819 AUDIT_PIPE_UNLOCK(ap); 820 error = 0; 821 break; 822 823 case AUDITPIPE_SET_PRESELECT_FLAGS: 824 AUDIT_PIPE_LOCK(ap); 825 maskp = (au_mask_t *)data; 826 ap->ap_preselect_flags = *maskp; 827 AUDIT_PIPE_UNLOCK(ap); 828 error = 0; 829 break; 830 831 case AUDITPIPE_GET_PRESELECT_NAFLAGS: 832 AUDIT_PIPE_LOCK(ap); 833 maskp = (au_mask_t *)data; 834 *maskp = ap->ap_preselect_naflags; 835 AUDIT_PIPE_UNLOCK(ap); 836 error = 0; 837 break; 838 839 case AUDITPIPE_SET_PRESELECT_NAFLAGS: 840 AUDIT_PIPE_LOCK(ap); 841 maskp = (au_mask_t *)data; 842 ap->ap_preselect_naflags = *maskp; 843 AUDIT_PIPE_UNLOCK(ap); 844 error = 0; 845 break; 846 847 case AUDITPIPE_GET_PRESELECT_AUID: 848 aip = (struct auditpipe_ioctl_preselect *)data; 849 error = audit_pipe_preselect_get(ap, aip->aip_auid, 850 &aip->aip_mask); 851 break; 852 853 case AUDITPIPE_SET_PRESELECT_AUID: 854 aip = (struct auditpipe_ioctl_preselect *)data; 855 audit_pipe_preselect_set(ap, aip->aip_auid, aip->aip_mask); 856 error = 0; 857 break; 858 859 case AUDITPIPE_DELETE_PRESELECT_AUID: 860 auid = *(au_id_t *)data; 861 error = audit_pipe_preselect_delete(ap, auid); 862 break; 863 864 case AUDITPIPE_FLUSH_PRESELECT_AUID: 865 audit_pipe_preselect_flush(ap); 866 error = 0; 867 break; 868 869 case AUDITPIPE_GET_PRESELECT_MODE: 870 AUDIT_PIPE_LOCK(ap); 871 *(int *)data = ap->ap_preselect_mode; 872 AUDIT_PIPE_UNLOCK(ap); 873 error = 0; 874 break; 875 876 case AUDITPIPE_SET_PRESELECT_MODE: 877 mode = *(int *)data; 878 switch (mode) { 879 case AUDITPIPE_PRESELECT_MODE_TRAIL: 880 case AUDITPIPE_PRESELECT_MODE_LOCAL: 881 AUDIT_PIPE_LOCK(ap); 882 ap->ap_preselect_mode = mode; 883 AUDIT_PIPE_UNLOCK(ap); 884 error = 0; 885 break; 886 887 default: 888 error = EINVAL; 889 } 890 break; 891 892 case AUDITPIPE_FLUSH: 893 if (AUDIT_PIPE_SX_XLOCK_SIG(ap) != 0) 894 return (EINTR); 895 AUDIT_PIPE_LOCK(ap); 896 audit_pipe_flush(ap); 897 AUDIT_PIPE_UNLOCK(ap); 898 AUDIT_PIPE_SX_XUNLOCK(ap); 899 error = 0; 900 break; 901 902 case AUDITPIPE_GET_MAXAUDITDATA: 903 *(u_int *)data = MAXAUDITDATA; 904 error = 0; 905 break; 906 907 case AUDITPIPE_GET_INSERTS: 908 *(u_int *)data = ap->ap_inserts; 909 error = 0; 910 break; 911 912 case AUDITPIPE_GET_READS: 913 *(u_int *)data = ap->ap_reads; 914 error = 0; 915 break; 916 917 case AUDITPIPE_GET_DROPS: 918 *(u_int *)data = ap->ap_drops; 919 error = 0; 920 break; 921 922 case AUDITPIPE_GET_TRUNCATES: 923 *(u_int *)data = ap->ap_truncates; 924 error = 0; 925 break; 926 927 default: 928 error = ENOTTY; 929 } 930 return (error); 931} 932 933/* 934 * Audit pipe read. Pull one record off the queue and copy to user space. 935 * On error, the record is dropped. 936 * 937 * Providing more sophisticated behavior, such as partial reads, is tricky 938 * due to the potential for parallel I/O. If partial read support is 939 * required, it will require a per-pipe "current record being read" along 940 * with an offset into that trecord which has already been read. Threads 941 * performing partial reads will need to allocate per-thread copies of the 942 * data so that if another thread completes the read of the record, it can be 943 * freed without adding reference count logic. If this is added, a flag to 944 * indicate that only atomic record reads are desired would be useful, as if 945 * different threads are all waiting for records on the pipe, they will want 946 * independent record reads, which is currently the behavior. 947 */ 948static int 949audit_pipe_read(struct cdev *dev, struct uio *uio, int flag) 950{ 951 struct audit_pipe_entry *ape; 952 struct audit_pipe *ap; 953 u_int toread; 954 int error; 955 956 ap = dev->si_drv1; 957 KASSERT(ap != NULL, ("audit_pipe_read: ap == NULL")); 958 959 /* 960 * We hold an sx(9) lock over read and flush because we rely on the 961 * stability of a record in the queue during uiomove(9). 962 */ 963 if (AUDIT_PIPE_SX_XLOCK_SIG(ap) != 0) 964 return (EINTR); 965 AUDIT_PIPE_LOCK(ap); 966 while (TAILQ_EMPTY(&ap->ap_queue)) { 967 if (ap->ap_flags & AUDIT_PIPE_NBIO) { 968 AUDIT_PIPE_UNLOCK(ap); 969 AUDIT_PIPE_SX_XUNLOCK(ap); 970 return (EAGAIN); 971 } 972 error = cv_wait_sig(&ap->ap_cv, AUDIT_PIPE_MTX(ap)); 973 if (error) { 974 AUDIT_PIPE_UNLOCK(ap); 975 AUDIT_PIPE_SX_XUNLOCK(ap); 976 return (error); 977 } 978 } 979 980 /* 981 * Copy as many remaining bytes from the current record to userspace 982 * as we can. 983 * 984 * Note: we rely on the SX lock to maintain ape's stability here. 985 */ 986 ap->ap_reads++; 987 ape = TAILQ_FIRST(&ap->ap_queue); 988 toread = MIN(ape->ape_record_len - ape->ape_record_offset, 989 uio->uio_resid); 990 AUDIT_PIPE_UNLOCK(ap); 991 error = uiomove((char *)ape->ape_record + ape->ape_record_offset, 992 toread, uio); 993 if (error) { 994 AUDIT_PIPE_SX_XUNLOCK(ap); 995 return (error); 996 } 997 998 /* 999 * If the copy succeeded, update book-keeping, and if no bytes remain 1000 * in the current record, free it. 1001 */ 1002 AUDIT_PIPE_LOCK(ap); 1003 KASSERT(TAILQ_FIRST(&ap->ap_queue) == ape, 1004 ("audit_pipe_read: queue out of sync after uiomove")); 1005 ape->ape_record_offset += toread; 1006 if (ape->ape_record_offset == ape->ape_record_len) { 1007 TAILQ_REMOVE(&ap->ap_queue, ape, ape_queue); 1008 ap->ap_qlen--; 1009 } else 1010 ape = NULL; 1011 AUDIT_PIPE_UNLOCK(ap); 1012 AUDIT_PIPE_SX_XUNLOCK(ap); 1013 if (ape != NULL) 1014 audit_pipe_entry_free(ape); 1015 return (error); 1016} 1017 1018/* 1019 * Audit pipe poll. 1020 */ 1021static int 1022audit_pipe_poll(struct cdev *dev, int events, struct thread *td) 1023{ 1024 struct audit_pipe *ap; 1025 int revents; 1026 1027 revents = 0; 1028 ap = dev->si_drv1; 1029 KASSERT(ap != NULL, ("audit_pipe_poll: ap == NULL")); 1030 1031 if (events & (POLLIN | POLLRDNORM)) { 1032 AUDIT_PIPE_LOCK(ap); 1033 if (TAILQ_FIRST(&ap->ap_queue) != NULL) 1034 revents |= events & (POLLIN | POLLRDNORM); 1035 else 1036 selrecord(td, &ap->ap_selinfo); 1037 AUDIT_PIPE_UNLOCK(ap); 1038 } 1039 return (revents); 1040} 1041 1042/* 1043 * Audit pipe kqfilter. 1044 */ 1045static int 1046audit_pipe_kqfilter(struct cdev *dev, struct knote *kn) 1047{ 1048 struct audit_pipe *ap; 1049 1050 ap = dev->si_drv1; 1051 KASSERT(ap != NULL, ("audit_pipe_kqfilter: ap == NULL")); 1052 1053 if (kn->kn_filter != EVFILT_READ) 1054 return (EINVAL); 1055 1056 kn->kn_fop = &audit_pipe_read_filterops; 1057 kn->kn_hook = ap; 1058 1059 AUDIT_PIPE_LOCK(ap); 1060 knlist_add(&ap->ap_selinfo.si_note, kn, 1); 1061 AUDIT_PIPE_UNLOCK(ap); 1062 return (0); 1063} 1064 1065/* 1066 * Return true if there are records available for reading on the pipe. 1067 */ 1068static int 1069audit_pipe_kqread(struct knote *kn, long hint) 1070{ 1071 struct audit_pipe_entry *ape; 1072 struct audit_pipe *ap; 1073 1074 ap = (struct audit_pipe *)kn->kn_hook; 1075 KASSERT(ap != NULL, ("audit_pipe_kqread: ap == NULL")); 1076 1077 AUDIT_PIPE_LOCK_ASSERT(ap); 1078 1079 if (ap->ap_qlen != 0) { 1080 ape = TAILQ_FIRST(&ap->ap_queue); 1081 KASSERT(ape != NULL, ("audit_pipe_kqread: ape == NULL")); 1082 1083 kn->kn_data = ape->ape_record_len - ape->ape_record_offset; 1084 return (1); 1085 } else { 1086 kn->kn_data = 0; 1087 return (0); 1088 } 1089} 1090 1091/* 1092 * Detach kqueue state from audit pipe. 1093 */ 1094static void 1095audit_pipe_kqdetach(struct knote *kn) 1096{ 1097 struct audit_pipe *ap; 1098 1099 ap = (struct audit_pipe *)kn->kn_hook; 1100 KASSERT(ap != NULL, ("audit_pipe_kqdetach: ap == NULL")); 1101 1102 AUDIT_PIPE_LOCK(ap); 1103 knlist_remove(&ap->ap_selinfo.si_note, kn, 1); 1104 AUDIT_PIPE_UNLOCK(ap); 1105} 1106 1107/* 1108 * Initialize the audit pipe system. 1109 */ 1110static void 1111audit_pipe_init(void *unused) 1112{ 1113 1114 TAILQ_INIT(&audit_pipe_list); 1115 AUDIT_PIPE_LIST_LOCK_INIT(); 1116 1117 clone_setup(&audit_pipe_clones); 1118 audit_pipe_eh_tag = EVENTHANDLER_REGISTER(dev_clone, 1119 audit_pipe_clone, 0, 1000); 1120 if (audit_pipe_eh_tag == NULL) 1121 panic("audit_pipe_init: EVENTHANDLER_REGISTER"); 1122} 1123 1124SYSINIT(audit_pipe_init, SI_SUB_DRIVERS, SI_ORDER_MIDDLE, audit_pipe_init, 1125 NULL); 1126