1 /*-
2 * Copyright (c) 2011, David E. O'Brien.
3 * Copyright (c) 2009-2011, Juniper Networks, Inc.
4 * Copyright (c) 2015-2016, EMC Corp.
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 *
16 * THIS SOFTWARE IS PROVIDED BY JUNIPER NETWORKS AND CONTRIBUTORS ``AS IS'' AND
17 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19 * ARE DISCLAIMED. IN NO EVENT SHALL JUNIPER NETWORKS OR CONTRIBUTORS BE LIABLE
20 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26 * SUCH DAMAGE.
27 */
28
29 #include <sys/cdefs.h>
30 __FBSDID("$FreeBSD: releng/11.2/sys/dev/filemon/filemon.c 331722 2018-03-29 02:50:57Z eadler $");
31
32 #include "opt_compat.h"
33
34 #include <sys/param.h>
35 #include <sys/file.h>
36 #include <sys/systm.h>
37 #include <sys/buf.h>
38 #include <sys/capsicum.h>
39 #include <sys/condvar.h>
40 #include <sys/conf.h>
41 #include <sys/fcntl.h>
42 #include <sys/ioccom.h>
43 #include <sys/kernel.h>
44 #include <sys/lock.h>
45 #include <sys/malloc.h>
46 #include <sys/module.h>
47 #include <sys/poll.h>
48 #include <sys/proc.h>
49 #include <sys/sx.h>
50 #include <sys/syscall.h>
51 #include <sys/sysent.h>
52 #include <sys/sysproto.h>
53 #include <sys/uio.h>
54
55 #include "filemon.h"
56
57 #if defined(COMPAT_FREEBSD32)
58 #include <compat/freebsd32/freebsd32_syscall.h>
59 #include <compat/freebsd32/freebsd32_proto.h>
60 #include <compat/freebsd32/freebsd32_util.h>
61 #endif
62
63 static d_close_t filemon_close;
64 static d_ioctl_t filemon_ioctl;
65 static d_open_t filemon_open;
66
67 static struct cdevsw filemon_cdevsw = {
68 .d_version = D_VERSION,
69 .d_close = filemon_close,
70 .d_ioctl = filemon_ioctl,
71 .d_open = filemon_open,
72 .d_name = "filemon",
73 };
74
75 MALLOC_DECLARE(M_FILEMON);
76 MALLOC_DEFINE(M_FILEMON, "filemon", "File access monitor");
77
78 /*
79 * The filemon->lock protects several things currently:
80 * - fname1/fname2/msgbufr are pre-allocated and used per syscall
81 * for logging and copyins rather than stack variables.
82 * - Serializing the filemon's log output.
83 * - Preventing inheritance or removal of the filemon into proc.p_filemon.
84 */
85 struct filemon {
86 struct sx lock; /* Lock for this filemon. */
87 struct file *fp; /* Output file pointer. */
88 struct ucred *cred; /* Credential of tracer. */
89 char fname1[MAXPATHLEN]; /* Temporary filename buffer. */
90 char fname2[MAXPATHLEN]; /* Temporary filename buffer. */
91 char msgbufr[1024]; /* Output message buffer. */
92 int error; /* Log write error, returned on close(2). */
93 u_int refcnt; /* Pointer reference count. */
94 u_int proccnt; /* Process count. */
95 };
96
97 static struct cdev *filemon_dev;
98 static void filemon_output(struct filemon *filemon, char *msg, size_t len);
99
100 static __inline struct filemon *
101 filemon_acquire(struct filemon *filemon)
102 {
103
104 if (filemon != NULL)
105 refcount_acquire(&filemon->refcnt);
106 return (filemon);
107 }
108
109 /*
110 * Release a reference and free on the last one.
111 */
112 static void
113 filemon_release(struct filemon *filemon)
114 {
115
116 if (refcount_release(&filemon->refcnt) == 0)
117 return;
118 /*
119 * There are valid cases of releasing while locked, such as in
120 * filemon_untrack_processes, but none which are done where there
121 * is not at least 1 reference remaining.
122 */
123 sx_assert(&filemon->lock, SA_UNLOCKED);
124
125 if (filemon->cred != NULL)
126 crfree(filemon->cred);
127 sx_destroy(&filemon->lock);
128 free(filemon, M_FILEMON);
129 }
130
131 /*
132 * Acquire the proc's p_filemon reference and lock the filemon.
133 * The proc's p_filemon may not match this filemon on return.
134 */
135 static struct filemon *
136 filemon_proc_get(struct proc *p)
137 {
138 struct filemon *filemon;
139
140 if (p->p_filemon == NULL)
141 return (NULL);
142 PROC_LOCK(p);
143 filemon = filemon_acquire(p->p_filemon);
144 PROC_UNLOCK(p);
145
146 if (filemon == NULL)
147 return (NULL);
148 /*
149 * The p->p_filemon may have changed by now. That case is handled
150 * by the exit and fork hooks and filemon_attach_proc specially.
151 */
152 sx_xlock(&filemon->lock);
153 return (filemon);
154 }
155
156 /* Remove and release the filemon on the given process. */
157 static void
158 filemon_proc_drop(struct proc *p)
159 {
160 struct filemon *filemon;
161
162 KASSERT(p->p_filemon != NULL, ("%s: proc %p NULL p_filemon",
163 __func__, p));
164 sx_assert(&p->p_filemon->lock, SA_XLOCKED);
165 PROC_LOCK(p);
166 filemon = p->p_filemon;
167 p->p_filemon = NULL;
168 --filemon->proccnt;
169 PROC_UNLOCK(p);
170 /*
171 * This should not be the last reference yet. filemon_release()
172 * cannot be called with filemon locked, which the caller expects
173 * will stay locked.
174 */
175 KASSERT(filemon->refcnt > 1, ("%s: proc %p dropping filemon %p "
176 "with last reference", __func__, p, filemon));
177 filemon_release(filemon);
178 }
179
180 /* Unlock and release the filemon. */
181 static __inline void
182 filemon_drop(struct filemon *filemon)
183 {
184
185 sx_xunlock(&filemon->lock);
186 filemon_release(filemon);
187 }
188
189 #include "filemon_wrapper.c"
190
191 static void
192 filemon_write_header(struct filemon *filemon)
193 {
194 int len;
195 struct timeval now;
196
197 getmicrotime(&now);
198
199 len = snprintf(filemon->msgbufr, sizeof(filemon->msgbufr),
200 "# filemon version %d\n# Target pid %d\n# Start %ju.%06ju\nV %d\n",
201 FILEMON_VERSION, curproc->p_pid, (uintmax_t)now.tv_sec,
202 (uintmax_t)now.tv_usec, FILEMON_VERSION);
203
204 filemon_output(filemon, filemon->msgbufr, len);
205 }
206
207 /*
208 * Invalidate the passed filemon in all processes.
209 */
210 static void
211 filemon_untrack_processes(struct filemon *filemon)
212 {
213 struct proc *p;
214
215 sx_assert(&filemon->lock, SA_XLOCKED);
216
217 /* Avoid allproc loop if there is no need. */
218 if (filemon->proccnt == 0)
219 return;
220
221 /*
222 * Processes in this list won't go away while here since
223 * filemon_event_process_exit() will lock on filemon->lock
224 * which we hold.
225 */
226 sx_slock(&allproc_lock);
227 FOREACH_PROC_IN_SYSTEM(p) {
228 /*
229 * No PROC_LOCK is needed to compare here since it is
230 * guaranteed to not change since we have its filemon
231 * locked. Everything that changes this p_filemon will
232 * be locked on it.
233 */
234 if (p->p_filemon == filemon)
235 filemon_proc_drop(p);
236 }
237 sx_sunlock(&allproc_lock);
238
239 /*
240 * It's possible some references were acquired but will be
241 * dropped shortly as they are restricted from being
242 * inherited. There is at least the reference in cdevpriv remaining.
243 */
244 KASSERT(filemon->refcnt > 0, ("%s: filemon %p should have "
245 "references still.", __func__, filemon));
246 KASSERT(filemon->proccnt == 0, ("%s: filemon %p should not have "
247 "attached procs still.", __func__, filemon));
248 }
249
250 /*
251 * Close out the log.
252 */
253 static void
254 filemon_close_log(struct filemon *filemon)
255 {
256 struct file *fp;
257 struct timeval now;
258 size_t len;
259
260 sx_assert(&filemon->lock, SA_XLOCKED);
261 if (filemon->fp == NULL)
262 return;
263
264 getmicrotime(&now);
265
266 len = snprintf(filemon->msgbufr,
267 sizeof(filemon->msgbufr),
268 "# Stop %ju.%06ju\n# Bye bye\n",
269 (uintmax_t)now.tv_sec, (uintmax_t)now.tv_usec);
270
271 filemon_output(filemon, filemon->msgbufr, len);
272 fp = filemon->fp;
273 filemon->fp = NULL;
274
275 sx_xunlock(&filemon->lock);
276 fdrop(fp, curthread);
277 sx_xlock(&filemon->lock);
278 }
279
280 /*
281 * The devfs file is being closed. Untrace all processes. It is possible
282 * filemon_close/close(2) was not called.
283 */
284 static void
285 filemon_dtr(void *data)
286 {
287 struct filemon *filemon = data;
288
289 if (filemon == NULL)
290 return;
291
292 sx_xlock(&filemon->lock);
293 /*
294 * Detach the filemon. It cannot be inherited after this.
295 */
296 filemon_untrack_processes(filemon);
297 filemon_close_log(filemon);
298 filemon_drop(filemon);
299 }
300
301 /* Attach the filemon to the process. */
302 static int
303 filemon_attach_proc(struct filemon *filemon, struct proc *p)
304 {
305 struct filemon *filemon2;
306
307 sx_assert(&filemon->lock, SA_XLOCKED);
308 PROC_LOCK_ASSERT(p, MA_OWNED);
309 KASSERT((p->p_flag & P_WEXIT) == 0,
310 ("%s: filemon %p attaching to exiting process %p",
311 __func__, filemon, p));
312 KASSERT((p->p_flag & P_INEXEC) == 0,
313 ("%s: filemon %p attaching to execing process %p",
314 __func__, filemon, p));
315
316 if (p->p_filemon == filemon)
317 return (0);
318 /*
319 * Don't allow truncating other process traces. It is
320 * not really intended to trace procs other than curproc
321 * anyhow.
322 */
323 if (p->p_filemon != NULL && p != curproc)
324 return (EBUSY);
325 /*
326 * Historic behavior of filemon has been to let a child initiate
327 * tracing on itself and cease existing tracing. Bmake
328 * .META + .MAKE relies on this. It is only relevant for attaching to
329 * curproc.
330 */
331 while (p->p_filemon != NULL) {
332 PROC_UNLOCK(p);
333 sx_xunlock(&filemon->lock);
334 while ((filemon2 = filemon_proc_get(p)) != NULL) {
335 /* It may have changed. */
336 if (p->p_filemon == filemon2)
337 filemon_proc_drop(p);
338 filemon_drop(filemon2);
339 }
340 sx_xlock(&filemon->lock);
341 PROC_LOCK(p);
342 /*
343 * It may have been attached to, though unlikely.
344 * Try again if needed.
345 */
346 }
347
348 KASSERT(p->p_filemon == NULL,
349 ("%s: proc %p didn't detach filemon %p", __func__, p,
350 p->p_filemon));
351 p->p_filemon = filemon_acquire(filemon);
352 ++filemon->proccnt;
353
354 return (0);
355 }
356
357 static int
358 filemon_ioctl(struct cdev *dev, u_long cmd, caddr_t data, int flag __unused,
359 struct thread *td)
360 {
361 int error = 0;
362 struct filemon *filemon;
363 struct proc *p;
364 cap_rights_t rights;
365
366 if ((error = devfs_get_cdevpriv((void **) &filemon)) != 0)
367 return (error);
368
369 sx_xlock(&filemon->lock);
370
371 switch (cmd) {
372 /* Set the output file descriptor. */
373 case FILEMON_SET_FD:
374 if (filemon->fp != NULL) {
375 error = EEXIST;
376 break;
377 }
378
379 error = fget_write(td, *(int *)data,
380 cap_rights_init(&rights, CAP_PWRITE),
381 &filemon->fp);
382 if (error == 0)
383 /* Write the file header. */
384 filemon_write_header(filemon);
385 break;
386
387 /* Set the monitored process ID. */
388 case FILEMON_SET_PID:
389 /* Invalidate any existing processes already set. */
390 filemon_untrack_processes(filemon);
391
392 error = pget(*((pid_t *)data),
393 PGET_CANDEBUG | PGET_NOTWEXIT | PGET_NOTINEXEC, &p);
394 if (error == 0) {
395 KASSERT(p->p_filemon != filemon,
396 ("%s: proc %p didn't untrack filemon %p",
397 __func__, p, filemon));
398 error = filemon_attach_proc(filemon, p);
399 PROC_UNLOCK(p);
400 }
401 break;
402
403 default:
404 error = EINVAL;
405 break;
406 }
407
408 sx_xunlock(&filemon->lock);
409 return (error);
410 }
411
412 static int
413 filemon_open(struct cdev *dev, int oflags __unused, int devtype __unused,
414 struct thread *td)
415 {
416 int error;
417 struct filemon *filemon;
418
419 filemon = malloc(sizeof(*filemon), M_FILEMON,
420 M_WAITOK | M_ZERO);
421 sx_init(&filemon->lock, "filemon");
422 refcount_init(&filemon->refcnt, 1);
423 filemon->cred = crhold(td->td_ucred);
424
425 error = devfs_set_cdevpriv(filemon, filemon_dtr);
426 if (error != 0)
427 filemon_release(filemon);
428
429 return (error);
430 }
431
432 /* Called on close of last devfs file handle, before filemon_dtr(). */
433 static int
434 filemon_close(struct cdev *dev __unused, int flag __unused, int fmt __unused,
435 struct thread *td __unused)
436 {
437 struct filemon *filemon;
438 int error;
439
440 if ((error = devfs_get_cdevpriv((void **) &filemon)) != 0)
441 return (error);
442
443 sx_xlock(&filemon->lock);
444 filemon_close_log(filemon);
445 error = filemon->error;
446 sx_xunlock(&filemon->lock);
447 /*
448 * Processes are still being traced but won't log anything
449 * now. After this call returns filemon_dtr() is called which
450 * will detach processes.
451 */
452
453 return (error);
454 }
455
456 static void
457 filemon_load(void *dummy __unused)
458 {
459
460 /* Install the syscall wrappers. */
461 filemon_wrapper_install();
462
463 filemon_dev = make_dev(&filemon_cdevsw, 0, UID_ROOT, GID_WHEEL, 0666,
464 "filemon");
465 }
466
467 static int
468 filemon_unload(void)
469 {
470
471 destroy_dev(filemon_dev);
472 filemon_wrapper_deinstall();
473
474 return (0);
475 }
476
477 static int
478 filemon_modevent(module_t mod __unused, int type, void *data)
479 {
480 int error = 0;
481
482 switch (type) {
483 case MOD_LOAD:
484 filemon_load(data);
485 break;
486
487 case MOD_UNLOAD:
488 error = filemon_unload();
489 break;
490
491 case MOD_QUIESCE:
492 /*
493 * The wrapper implementation is unsafe for reliable unload.
494 * Require forcing an unload.
495 */
496 error = EBUSY;
497 break;
498
499 case MOD_SHUTDOWN:
500 break;
501
502 default:
503 error = EOPNOTSUPP;
504 break;
505
506 }
507
508 return (error);
509 }
510
511 DEV_MODULE(filemon, filemon_modevent, NULL);
512 MODULE_VERSION(filemon, 1);
Cache object: f5e49209b81303d8070e7d0d4a1a2b97
|