audit_worker.c revision 162508
1/* 2 * Copyright (c) 1999-2005 Apple Computer, Inc. 3 * Copyright (c) 2006 Robert N. M. Watson 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in the 13 * documentation and/or other materials provided with the distribution. 14 * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of 15 * its contributors may be used to endorse or promote products derived 16 * from this software without specific prior written permission. 17 * 18 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND 19 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR 22 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 23 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 24 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 25 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 26 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 27 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 28 * POSSIBILITY OF SUCH DAMAGE. 29 * 30 * $FreeBSD: head/sys/security/audit/audit_worker.c 162508 2006-09-21 07:27:02Z rwatson $ 31 */ 32 33#include <sys/param.h> 34#include <sys/condvar.h> 35#include <sys/conf.h> 36#include <sys/file.h> 37#include <sys/filedesc.h> 38#include <sys/fcntl.h> 39#include <sys/ipc.h> 40#include <sys/kernel.h> 41#include <sys/kthread.h> 42#include <sys/malloc.h> 43#include <sys/mount.h> 44#include <sys/namei.h> 45#include <sys/proc.h> 46#include <sys/queue.h> 47#include <sys/socket.h> 48#include <sys/socketvar.h> 49#include <sys/protosw.h> 50#include <sys/domain.h> 51#include <sys/sysproto.h> 52#include <sys/sysent.h> 53#include <sys/systm.h> 54#include <sys/ucred.h> 55#include <sys/uio.h> 56#include <sys/un.h> 57#include <sys/unistd.h> 58#include <sys/vnode.h> 59 60#include <bsm/audit.h> 61#include <bsm/audit_internal.h> 62#include <bsm/audit_kevents.h> 63 64#include <netinet/in.h> 65#include <netinet/in_pcb.h> 66 67#include <security/audit/audit.h> 68#include <security/audit/audit_private.h> 69 70#include <vm/uma.h> 71 72/* 73 * Worker thread that will schedule disk I/O, etc. 74 */ 75static struct proc *audit_thread; 76 77/* 78 * When an audit log is rotated, the actual rotation must be performed by the 79 * audit worker thread, as it may have outstanding writes on the current 80 * audit log. audit_replacement_vp holds the vnode replacing the current 81 * vnode. We can't let more than one replacement occur at a time, so if more 82 * than one thread requests a replacement, only one can have the replacement 83 * "in progress" at any given moment. If a thread tries to replace the audit 84 * vnode and discovers a replacement is already in progress (i.e., 85 * audit_replacement_flag != 0), then it will sleep on audit_replacement_cv 86 * waiting its turn to perform a replacement. When a replacement is 87 * completed, this cv is signalled by the worker thread so a waiting thread 88 * can start another replacement. We also store a credential to perform 89 * audit log write operations with. 90 * 91 * The current credential and vnode are thread-local to audit_worker. 92 */ 93static struct cv audit_replacement_cv; 94 95static int audit_replacement_flag; 96static struct vnode *audit_replacement_vp; 97static struct ucred *audit_replacement_cred; 98 99/* 100 * Flags related to Kernel->user-space communication. 101 */ 102static int audit_file_rotate_wait; 103 104/* 105 * XXXAUDIT: Should adjust comments below to make it clear that we get to 106 * this point only if we believe we have storage, so not having space here is 107 * a violation of invariants derived from administrative procedures. I.e., 108 * someone else has written to the audit partition, leaving less space than 109 * we accounted for. 110 */ 111static int 112audit_record_write(struct vnode *vp, struct ucred *cred, struct thread *td, 113 void *data, size_t len) 114{ 115 int ret; 116 long temp; 117 struct vattr vattr; 118 struct statfs *mnt_stat; 119 int vfslocked; 120 121 if (vp == NULL) 122 return (0); 123 124 mnt_stat = &vp->v_mount->mnt_stat; 125 vfslocked = VFS_LOCK_GIANT(vp->v_mount); 126 127 /* 128 * First, gather statistics on the audit log file and file system so 129 * that we know how we're doing on space. In both cases, if we're 130 * unable to perform the operation, we drop the record and return. 131 * However, this is arguably an assertion failure. 132 * XXX Need a FreeBSD equivalent. 133 */ 134 ret = VFS_STATFS(vp->v_mount, mnt_stat, td); 135 if (ret) 136 goto out; 137 138 vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); 139 ret = VOP_GETATTR(vp, &vattr, cred, td); 140 VOP_UNLOCK(vp, 0, td); 141 if (ret) 142 goto out; 143 144 /* update the global stats struct */ 145 audit_fstat.af_currsz = vattr.va_size; 146 147 /* 148 * XXX Need to decide what to do if the trigger to the audit daemon 149 * fails. 150 */ 151 152 /* 153 * If we fall below minimum free blocks (hard limit), tell the audit 154 * daemon to force a rotation off of the file system. We also stop 155 * writing, which means this audit record is probably lost. If we 156 * fall below the minimum percent free blocks (soft limit), then 157 * kindly suggest to the audit daemon to do something. 158 */ 159 if (mnt_stat->f_bfree < AUDIT_HARD_LIMIT_FREE_BLOCKS) { 160 (void)send_trigger(AUDIT_TRIGGER_NO_SPACE); 161 /* 162 * Hopefully userspace did something about all the previous 163 * triggers that were sent prior to this critical condition. 164 * If fail-stop is set, then we're done; goodnight Gracie. 165 */ 166 if (audit_fail_stop) 167 panic("Audit log space exhausted and fail-stop set."); 168 else { 169 audit_suspended = 1; 170 ret = ENOSPC; 171 goto out; 172 } 173 } else 174 /* 175 * Send a message to the audit daemon that disk space is 176 * getting low. 177 * 178 * XXXAUDIT: Check math and block size calculation here. 179 */ 180 if (audit_qctrl.aq_minfree != 0) { 181 temp = mnt_stat->f_blocks / (100 / 182 audit_qctrl.aq_minfree); 183 if (mnt_stat->f_bfree < temp) 184 (void)send_trigger(AUDIT_TRIGGER_LOW_SPACE); 185 } 186 187 /* 188 * Check if the current log file is full; if so, call for a log 189 * rotate. This is not an exact comparison; we may write some records 190 * over the limit. If that's not acceptable, then add a fudge factor 191 * here. 192 */ 193 if ((audit_fstat.af_filesz != 0) && 194 (audit_file_rotate_wait == 0) && 195 (vattr.va_size >= audit_fstat.af_filesz)) { 196 audit_file_rotate_wait = 1; 197 (void)send_trigger(AUDIT_TRIGGER_ROTATE_KERNEL); 198 } 199 200 /* 201 * If the estimated amount of audit data in the audit event queue 202 * (plus records allocated but not yet queued) has reached the amount 203 * of free space on the disk, then we need to go into an audit fail 204 * stop state, in which we do not permit the allocation/committing of 205 * any new audit records. We continue to process packets but don't 206 * allow any activities that might generate new records. In the 207 * future, we might want to detect when space is available again and 208 * allow operation to continue, but this behavior is sufficient to 209 * meet fail stop requirements in CAPP. 210 */ 211 if (audit_fail_stop && 212 (unsigned long) 213 ((audit_q_len + audit_pre_q_len + 1) * MAX_AUDIT_RECORD_SIZE) / 214 mnt_stat->f_bsize >= (unsigned long)(mnt_stat->f_bfree)) { 215 printf("audit_record_write: free space below size of audit " 216 "queue, failing stop\n"); 217 audit_in_failure = 1; 218 } 219 220 ret = vn_rdwr(UIO_WRITE, vp, data, len, (off_t)0, UIO_SYSSPACE, 221 IO_APPEND|IO_UNIT, cred, NULL, NULL, td); 222 223out: 224 /* 225 * When we're done processing the current record, we have to check to 226 * see if we're in a failure mode, and if so, whether this was the 227 * last record left to be drained. If we're done draining, then we 228 * fsync the vnode and panic. 229 */ 230 if (audit_in_failure && audit_q_len == 0 && audit_pre_q_len == 0) { 231 VOP_LOCK(vp, LK_DRAIN | LK_INTERLOCK, td); 232 (void)VOP_FSYNC(vp, MNT_WAIT, td); 233 VOP_UNLOCK(vp, 0, td); 234 panic("Audit store overflow; record queue drained."); 235 } 236 237 VFS_UNLOCK_GIANT(vfslocked); 238 239 return (ret); 240} 241 242/* 243 * If an appropriate signal has been received rotate the audit log based on 244 * the global replacement variables. Signal consumers as needed that the 245 * rotation has taken place. 246 * 247 * XXXRW: The global variables and CVs used to signal the audit_worker to 248 * perform a rotation are essentially a message queue of depth 1. It would 249 * be much nicer to actually use a message queue. 250 */ 251static void 252audit_worker_rotate(struct ucred **audit_credp, struct vnode **audit_vpp, 253 struct thread *audit_td) 254{ 255 int do_replacement_signal, vfslocked; 256 struct ucred *old_cred; 257 struct vnode *old_vp; 258 259 mtx_assert(&audit_mtx, MA_OWNED); 260 261 do_replacement_signal = 0; 262 while (audit_replacement_flag != 0) { 263 old_cred = *audit_credp; 264 old_vp = *audit_vpp; 265 *audit_credp = audit_replacement_cred; 266 *audit_vpp = audit_replacement_vp; 267 audit_replacement_cred = NULL; 268 audit_replacement_vp = NULL; 269 audit_replacement_flag = 0; 270 271 audit_enabled = (*audit_vpp != NULL); 272 273 /* 274 * XXX: What to do about write failures here? 275 */ 276 if (old_vp != NULL) { 277 AUDIT_PRINTF(("Closing old audit file\n")); 278 mtx_unlock(&audit_mtx); 279 vfslocked = VFS_LOCK_GIANT(old_vp->v_mount); 280 vn_close(old_vp, AUDIT_CLOSE_FLAGS, old_cred, 281 audit_td); 282 VFS_UNLOCK_GIANT(vfslocked); 283 crfree(old_cred); 284 mtx_lock(&audit_mtx); 285 old_cred = NULL; 286 old_vp = NULL; 287 AUDIT_PRINTF(("Audit file closed\n")); 288 } 289 if (*audit_vpp != NULL) { 290 AUDIT_PRINTF(("Opening new audit file\n")); 291 } 292 do_replacement_signal = 1; 293 } 294 295 /* 296 * Signal that replacement have occurred to wake up and 297 * start any other replacements started in parallel. We can 298 * continue about our business in the mean time. We 299 * broadcast so that both new replacements can be inserted, 300 * but also so that the source(s) of replacement can return 301 * successfully. 302 */ 303 if (do_replacement_signal) 304 cv_broadcast(&audit_replacement_cv); 305} 306 307/* 308 * Given a kernel audit record, process as required. Kernel audit records 309 * are converted to one, or possibly two, BSM records, depending on whether 310 * there is a user audit record present also. Kernel records need be 311 * converted to BSM before they can be written out. Both types will be 312 * written to disk, and audit pipes. 313 */ 314static void 315audit_worker_process_record(struct vnode *audit_vp, struct ucred *audit_cred, 316 struct thread *audit_td, struct kaudit_record *ar) 317{ 318 struct au_record *bsm; 319 au_class_t class; 320 au_event_t event; 321 int error, ret; 322 au_id_t auid; 323 int sorf; 324 325 if ((ar->k_ar_commit & AR_COMMIT_USER) && 326 (ar->k_ar_commit & AR_PRESELECT_USER_TRAIL)) { 327 error = audit_record_write(audit_vp, audit_cred, audit_td, 328 ar->k_udata, ar->k_ulen); 329 if (error && audit_panic_on_write_fail) 330 panic("audit_worker: write error %d\n", error); 331 else if (error) 332 printf("audit_worker: write error %d\n", error); 333 } 334 335 if ((ar->k_ar_commit & AR_COMMIT_USER) && 336 (ar->k_ar_commit & AR_PRESELECT_USER_PIPE)) 337 audit_pipe_submit_user(ar->k_udata, ar->k_ulen); 338 339 if (!(ar->k_ar_commit & AR_COMMIT_KERNEL) || 340 ((ar->k_ar_commit & AR_PRESELECT_PIPE) == 0 && 341 (ar->k_ar_commit & AR_PRESELECT_TRAIL) == 0)) 342 return; 343 344 auid = ar->k_ar.ar_subj_auid; 345 event = ar->k_ar.ar_event; 346 class = au_event_class(event); 347 if (ar->k_ar.ar_errno == 0) 348 sorf = AU_PRS_SUCCESS; 349 else 350 sorf = AU_PRS_FAILURE; 351 352 ret = kaudit_to_bsm(ar, &bsm); 353 switch (ret) { 354 case BSM_NOAUDIT: 355 return; 356 357 case BSM_FAILURE: 358 printf("audit_worker_process_record: BSM_FAILURE\n"); 359 return; 360 361 case BSM_SUCCESS: 362 break; 363 364 default: 365 panic("kaudit_to_bsm returned %d", ret); 366 } 367 368 if (ar->k_ar_commit & AR_PRESELECT_TRAIL) { 369 error = audit_record_write(audit_vp, audit_cred, 370 audit_td, bsm->data, bsm->len); 371 if (error && audit_panic_on_write_fail) 372 panic("audit_worker: write error %d\n", 373 error); 374 else if (error) 375 printf("audit_worker: write error %d\n", 376 error); 377 } 378 379 if (ar->k_ar_commit & AR_PRESELECT_PIPE) 380 audit_pipe_submit(auid, event, class, sorf, 381 ar->k_ar_commit & AR_PRESELECT_TRAIL, bsm->data, 382 bsm->len); 383 kau_free(bsm); 384} 385 386/* 387 * The audit_worker thread is responsible for watching the event queue, 388 * dequeueing records, converting them to BSM format, and committing them to 389 * disk. In order to minimize lock thrashing, records are dequeued in sets 390 * to a thread-local work queue. In addition, the audit_work performs the 391 * actual exchange of audit log vnode pointer, as audit_vp is a thread-local 392 * variable. 393 */ 394static void 395audit_worker(void *arg) 396{ 397 struct kaudit_queue ar_worklist; 398 struct kaudit_record *ar; 399 struct ucred *audit_cred; 400 struct thread *audit_td; 401 struct vnode *audit_vp; 402 int lowater_signal; 403 404 AUDIT_PRINTF(("audit_worker starting\n")); 405 406 /* 407 * These are thread-local variables requiring no synchronization. 408 */ 409 TAILQ_INIT(&ar_worklist); 410 audit_cred = NULL; 411 audit_td = curthread; 412 audit_vp = NULL; 413 414 mtx_lock(&audit_mtx); 415 while (1) { 416 mtx_assert(&audit_mtx, MA_OWNED); 417 418 /* 419 * Wait for record or rotation events. 420 */ 421 while (!audit_replacement_flag && TAILQ_EMPTY(&audit_q)) { 422 AUDIT_PRINTF(("audit_worker waiting\n")); 423 cv_wait(&audit_worker_cv, &audit_mtx); 424 AUDIT_PRINTF(("audit_worker woken up\n")); 425 AUDIT_PRINTF(("audit_worker: new vp = %p; value of " 426 "flag %d\n", audit_replacement_vp, 427 audit_replacement_flag)); 428 } 429 430 /* 431 * First priority: replace the audit log target if requested. 432 */ 433 audit_worker_rotate(&audit_cred, &audit_vp, audit_td); 434 435 /* 436 * If there are records in the global audit record queue, 437 * transfer them to a thread-local queue and process them 438 * one by one. If we cross the low watermark threshold, 439 * signal any waiting processes that they may wake up and 440 * continue generating records. 441 */ 442 lowater_signal = 0; 443 while ((ar = TAILQ_FIRST(&audit_q))) { 444 TAILQ_REMOVE(&audit_q, ar, k_q); 445 audit_q_len--; 446 if (audit_q_len == audit_qctrl.aq_lowater) 447 lowater_signal++; 448 TAILQ_INSERT_TAIL(&ar_worklist, ar, k_q); 449 } 450 if (lowater_signal) 451 cv_broadcast(&audit_watermark_cv); 452 453 mtx_unlock(&audit_mtx); 454 while ((ar = TAILQ_FIRST(&ar_worklist))) { 455 TAILQ_REMOVE(&ar_worklist, ar, k_q); 456 audit_worker_process_record(audit_vp, audit_cred, 457 audit_td, ar); 458 audit_free(ar); 459 } 460 mtx_lock(&audit_mtx); 461 } 462} 463 464/* 465 * audit_rotate_vnode() is called by a user or kernel thread to configure or 466 * de-configure auditing on a vnode. The arguments are the replacement 467 * credential and vnode to substitute for the current credential and vnode, 468 * if any. If either is set to NULL, both should be NULL, and this is used 469 * to indicate that audit is being disabled. The real work is done in the 470 * audit_worker thread, but audit_rotate_vnode() waits synchronously for that 471 * to complete. 472 * 473 * The vnode should be referenced and opened by the caller. The credential 474 * should be referenced. audit_rotate_vnode() will own both references as of 475 * this call, so the caller should not release either. 476 * 477 * XXXAUDIT: Review synchronize communication logic. Really, this is a 478 * message queue of depth 1. 479 * 480 * XXXAUDIT: Enhance the comments below to indicate that we are basically 481 * acquiring ownership of the communications queue, inserting our message, 482 * and waiting for an acknowledgement. 483 */ 484void 485audit_rotate_vnode(struct ucred *cred, struct vnode *vp) 486{ 487 488 /* 489 * If other parallel log replacements have been requested, we wait 490 * until they've finished before continuing. 491 */ 492 mtx_lock(&audit_mtx); 493 while (audit_replacement_flag != 0) { 494 AUDIT_PRINTF(("audit_rotate_vnode: sleeping to wait for " 495 "flag\n")); 496 cv_wait(&audit_replacement_cv, &audit_mtx); 497 AUDIT_PRINTF(("audit_rotate_vnode: woken up (flag %d)\n", 498 audit_replacement_flag)); 499 } 500 audit_replacement_cred = cred; 501 audit_replacement_flag = 1; 502 audit_replacement_vp = vp; 503 504 /* 505 * Wake up the audit worker to perform the exchange once we 506 * release the mutex. 507 */ 508 cv_signal(&audit_worker_cv); 509 510 /* 511 * Wait for the audit_worker to broadcast that a replacement has 512 * taken place; we know that once this has happened, our vnode 513 * has been replaced in, so we can return successfully. 514 */ 515 AUDIT_PRINTF(("audit_rotate_vnode: waiting for news of " 516 "replacement\n")); 517 cv_wait(&audit_replacement_cv, &audit_mtx); 518 AUDIT_PRINTF(("audit_rotate_vnode: change acknowledged by " 519 "audit_worker (flag " "now %d)\n", audit_replacement_flag)); 520 mtx_unlock(&audit_mtx); 521 522 audit_file_rotate_wait = 0; /* We can now request another rotation */ 523} 524 525void 526audit_worker_init(void) 527{ 528 int error; 529 530 cv_init(&audit_replacement_cv, "audit_replacement_cv"); 531 error = kthread_create(audit_worker, NULL, &audit_thread, RFHIGHPID, 532 0, "audit_worker"); 533 if (error) 534 panic("audit_worker_init: kthread_create returned %d", error); 535} 536