1 /*-
2 * Copyright (c) 2006 Robert N. M. Watson
3 * Copyright (c) 2008-2009 Apple, Inc.
4 * All rights reserved.
5 *
6 * This software was developed by Robert Watson for the TrustedBSD Project.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27 * SUCH DAMAGE.
28 */
29
30 #include <sys/cdefs.h>
31 __FBSDID("$FreeBSD$");
32
33 #include <sys/param.h>
34 #include <sys/condvar.h>
35 #include <sys/conf.h>
36 #include <sys/eventhandler.h>
37 #include <sys/filio.h>
38 #include <sys/kernel.h>
39 #include <sys/lock.h>
40 #include <sys/malloc.h>
41 #include <sys/mutex.h>
42 #include <sys/poll.h>
43 #include <sys/proc.h>
44 #include <sys/queue.h>
45 #include <sys/rwlock.h>
46 #include <sys/selinfo.h>
47 #include <sys/sigio.h>
48 #include <sys/signal.h>
49 #include <sys/signalvar.h>
50 #include <sys/sx.h>
51 #include <sys/systm.h>
52 #include <sys/uio.h>
53
54 #include <security/audit/audit.h>
55 #include <security/audit/audit_ioctl.h>
56 #include <security/audit/audit_private.h>
57
58 /*
59 * Implementation of a clonable special device providing a live stream of BSM
60 * audit data. Consumers receive a "tee" of the system audit trail by
61 * default, but may also define alternative event selections using ioctls.
62 * This interface provides unreliable but timely access to audit events.
63 * Consumers should be very careful to avoid introducing event cycles.
64 */
65
66 /*
67 * Memory types.
68 */
69 static MALLOC_DEFINE(M_AUDIT_PIPE, "audit_pipe", "Audit pipes");
70 static MALLOC_DEFINE(M_AUDIT_PIPE_ENTRY, "audit_pipeent",
71 "Audit pipe entries and buffers");
72 static MALLOC_DEFINE(M_AUDIT_PIPE_PRESELECT, "audit_pipe_presel",
73 "Audit pipe preselection structure");
74
75 /*
76 * Audit pipe buffer parameters.
77 */
78 #define AUDIT_PIPE_QLIMIT_DEFAULT (128)
79 #define AUDIT_PIPE_QLIMIT_MIN (1)
80 #define AUDIT_PIPE_QLIMIT_MAX (1024)
81
82 /*
83 * Description of an entry in an audit_pipe.
84 */
85 struct audit_pipe_entry {
86 void *ape_record;
87 u_int ape_record_len;
88 TAILQ_ENTRY(audit_pipe_entry) ape_queue;
89 };
90
91 /*
92 * Audit pipes allow processes to express "interest" in the set of records
93 * that are delivered via the pipe. They do this in a similar manner to the
94 * mechanism for audit trail configuration, by expressing two global masks,
95 * and optionally expressing per-auid masks. The following data structure is
96 * the per-auid mask description. The global state is stored in the audit
97 * pipe data structure.
98 *
99 * We may want to consider a more space/time-efficient data structure once
100 * usage patterns for per-auid specifications are clear.
101 */
102 struct audit_pipe_preselect {
103 au_id_t app_auid;
104 au_mask_t app_mask;
105 TAILQ_ENTRY(audit_pipe_preselect) app_list;
106 };
107
108 /*
109 * Description of an individual audit_pipe. Consists largely of a bounded
110 * length queue.
111 */
112 #define AUDIT_PIPE_ASYNC 0x00000001
113 #define AUDIT_PIPE_NBIO 0x00000002
114 struct audit_pipe {
115 u_int ap_flags;
116
117 struct selinfo ap_selinfo;
118 struct sigio *ap_sigio;
119
120 /*
121 * Per-pipe mutex protecting most fields in this data structure.
122 */
123 struct mtx ap_mtx;
124
125 /*
126 * Per-pipe sleep lock serializing user-generated reads and flushes.
127 * uiomove() is called to copy out the current head record's data
128 * while the record remains in the queue, so we prevent other threads
129 * from removing it using this lock.
130 */
131 struct sx ap_sx;
132
133 /*
134 * Condition variable to signal when data has been delivered to a
135 * pipe.
136 */
137 struct cv ap_cv;
138
139 /*
140 * Various queue-reated variables: qlen and qlimit are a count of
141 * records in the queue; qbyteslen is the number of bytes of data
142 * across all records, and qoffset is the amount read so far of the
143 * first record in the queue. The number of bytes available for
144 * reading in the queue is qbyteslen - qoffset.
145 */
146 u_int ap_qlen;
147 u_int ap_qlimit;
148 u_int ap_qbyteslen;
149 u_int ap_qoffset;
150
151 /*
152 * Per-pipe operation statistics.
153 */
154 u_int64_t ap_inserts; /* Records added. */
155 u_int64_t ap_reads; /* Records read. */
156 u_int64_t ap_drops; /* Records dropped. */
157
158 /*
159 * Fields relating to pipe interest: global masks for unmatched
160 * processes (attributable, non-attributable), and a list of specific
161 * interest specifications by auid.
162 */
163 int ap_preselect_mode;
164 au_mask_t ap_preselect_flags;
165 au_mask_t ap_preselect_naflags;
166 TAILQ_HEAD(, audit_pipe_preselect) ap_preselect_list;
167
168 /*
169 * Current pending record list. Protected by a combination of ap_mtx
170 * and ap_sx. Note particularly that *both* locks are required to
171 * remove a record from the head of the queue, as an in-progress read
172 * may sleep while copying and therefore cannot hold ap_mtx.
173 */
174 TAILQ_HEAD(, audit_pipe_entry) ap_queue;
175
176 /*
177 * Global pipe list.
178 */
179 TAILQ_ENTRY(audit_pipe) ap_list;
180 };
181
182 #define AUDIT_PIPE_LOCK(ap) mtx_lock(&(ap)->ap_mtx)
183 #define AUDIT_PIPE_LOCK_ASSERT(ap) mtx_assert(&(ap)->ap_mtx, MA_OWNED)
184 #define AUDIT_PIPE_LOCK_DESTROY(ap) mtx_destroy(&(ap)->ap_mtx)
185 #define AUDIT_PIPE_LOCK_INIT(ap) mtx_init(&(ap)->ap_mtx, \
186 "audit_pipe_mtx", NULL, MTX_DEF)
187 #define AUDIT_PIPE_UNLOCK(ap) mtx_unlock(&(ap)->ap_mtx)
188 #define AUDIT_PIPE_MTX(ap) (&(ap)->ap_mtx)
189
190 #define AUDIT_PIPE_SX_LOCK_DESTROY(ap) sx_destroy(&(ap)->ap_sx)
191 #define AUDIT_PIPE_SX_LOCK_INIT(ap) sx_init(&(ap)->ap_sx, "audit_pipe_sx")
192 #define AUDIT_PIPE_SX_XLOCK_ASSERT(ap) sx_assert(&(ap)->ap_sx, SA_XLOCKED)
193 #define AUDIT_PIPE_SX_XLOCK_SIG(ap) sx_xlock_sig(&(ap)->ap_sx)
194 #define AUDIT_PIPE_SX_XUNLOCK(ap) sx_xunlock(&(ap)->ap_sx)
195
196 /*
197 * Global list of audit pipes, rwlock to protect it. Individual record
198 * queues on pipes are protected by per-pipe locks; these locks synchronize
199 * between threads walking the list to deliver to individual pipes and add/
200 * remove of pipes, and are mostly acquired for read.
201 */
202 static TAILQ_HEAD(, audit_pipe) audit_pipe_list;
203 static struct rwlock audit_pipe_lock;
204
205 #define AUDIT_PIPE_LIST_LOCK_INIT() rw_init(&audit_pipe_lock, \
206 "audit_pipe_list_lock")
207 #define AUDIT_PIPE_LIST_LOCK_DESTROY() rw_destroy(&audit_pipe_lock)
208 #define AUDIT_PIPE_LIST_RLOCK() rw_rlock(&audit_pipe_lock)
209 #define AUDIT_PIPE_LIST_RUNLOCK() rw_runlock(&audit_pipe_lock)
210 #define AUDIT_PIPE_LIST_WLOCK() rw_wlock(&audit_pipe_lock)
211 #define AUDIT_PIPE_LIST_WLOCK_ASSERT() rw_assert(&audit_pipe_lock, \
212 RA_WLOCKED)
213 #define AUDIT_PIPE_LIST_WUNLOCK() rw_wunlock(&audit_pipe_lock)
214
215 /*
216 * Audit pipe device.
217 */
218 static struct cdev *audit_pipe_dev;
219
220 #define AUDIT_PIPE_NAME "auditpipe"
221
222 /*
223 * Special device methods and definition.
224 */
225 static d_open_t audit_pipe_open;
226 static d_read_t audit_pipe_read;
227 static d_ioctl_t audit_pipe_ioctl;
228 static d_poll_t audit_pipe_poll;
229 static d_kqfilter_t audit_pipe_kqfilter;
230
231 static struct cdevsw audit_pipe_cdevsw = {
232 .d_version = D_VERSION,
233 .d_open = audit_pipe_open,
234 .d_read = audit_pipe_read,
235 .d_ioctl = audit_pipe_ioctl,
236 .d_poll = audit_pipe_poll,
237 .d_kqfilter = audit_pipe_kqfilter,
238 .d_name = AUDIT_PIPE_NAME,
239 };
240
241 static int audit_pipe_kqread(struct knote *note, long hint);
242 static void audit_pipe_kqdetach(struct knote *note);
243
244 static struct filterops audit_pipe_read_filterops = {
245 .f_isfd = 1,
246 .f_attach = NULL,
247 .f_detach = audit_pipe_kqdetach,
248 .f_event = audit_pipe_kqread,
249 };
250
251 /*
252 * Some global statistics on audit pipes.
253 */
254 static int audit_pipe_count; /* Current number of pipes. */
255 static u_int64_t audit_pipe_ever; /* Pipes ever allocated. */
256 static u_int64_t audit_pipe_records; /* Records seen. */
257 static u_int64_t audit_pipe_drops; /* Global record drop count. */
258
259 /*
260 * Free an audit pipe entry.
261 */
262 static void
263 audit_pipe_entry_free(struct audit_pipe_entry *ape)
264 {
265
266 free(ape->ape_record, M_AUDIT_PIPE_ENTRY);
267 free(ape, M_AUDIT_PIPE_ENTRY);
268 }
269
270 /*
271 * Find an audit pipe preselection specification for an auid, if any.
272 */
273 static struct audit_pipe_preselect *
274 audit_pipe_preselect_find(struct audit_pipe *ap, au_id_t auid)
275 {
276 struct audit_pipe_preselect *app;
277
278 AUDIT_PIPE_LOCK_ASSERT(ap);
279
280 TAILQ_FOREACH(app, &ap->ap_preselect_list, app_list) {
281 if (app->app_auid == auid)
282 return (app);
283 }
284 return (NULL);
285 }
286
287 /*
288 * Query the per-pipe mask for a specific auid.
289 */
290 static int
291 audit_pipe_preselect_get(struct audit_pipe *ap, au_id_t auid,
292 au_mask_t *maskp)
293 {
294 struct audit_pipe_preselect *app;
295 int error;
296
297 AUDIT_PIPE_LOCK(ap);
298 app = audit_pipe_preselect_find(ap, auid);
299 if (app != NULL) {
300 *maskp = app->app_mask;
301 error = 0;
302 } else
303 error = ENOENT;
304 AUDIT_PIPE_UNLOCK(ap);
305 return (error);
306 }
307
308 /*
309 * Set the per-pipe mask for a specific auid. Add a new entry if needed;
310 * otherwise, update the current entry.
311 */
312 static void
313 audit_pipe_preselect_set(struct audit_pipe *ap, au_id_t auid, au_mask_t mask)
314 {
315 struct audit_pipe_preselect *app, *app_new;
316
317 /*
318 * Pessimistically assume that the auid doesn't already have a mask
319 * set, and allocate. We will free it if it is unneeded.
320 */
321 app_new = malloc(sizeof(*app_new), M_AUDIT_PIPE_PRESELECT, M_WAITOK);
322 AUDIT_PIPE_LOCK(ap);
323 app = audit_pipe_preselect_find(ap, auid);
324 if (app == NULL) {
325 app = app_new;
326 app_new = NULL;
327 app->app_auid = auid;
328 TAILQ_INSERT_TAIL(&ap->ap_preselect_list, app, app_list);
329 }
330 app->app_mask = mask;
331 AUDIT_PIPE_UNLOCK(ap);
332 if (app_new != NULL)
333 free(app_new, M_AUDIT_PIPE_PRESELECT);
334 }
335
336 /*
337 * Delete a per-auid mask on an audit pipe.
338 */
339 static int
340 audit_pipe_preselect_delete(struct audit_pipe *ap, au_id_t auid)
341 {
342 struct audit_pipe_preselect *app;
343 int error;
344
345 AUDIT_PIPE_LOCK(ap);
346 app = audit_pipe_preselect_find(ap, auid);
347 if (app != NULL) {
348 TAILQ_REMOVE(&ap->ap_preselect_list, app, app_list);
349 error = 0;
350 } else
351 error = ENOENT;
352 AUDIT_PIPE_UNLOCK(ap);
353 if (app != NULL)
354 free(app, M_AUDIT_PIPE_PRESELECT);
355 return (error);
356 }
357
358 /*
359 * Delete all per-auid masks on an audit pipe.
360 */
361 static void
362 audit_pipe_preselect_flush_locked(struct audit_pipe *ap)
363 {
364 struct audit_pipe_preselect *app;
365
366 AUDIT_PIPE_LOCK_ASSERT(ap);
367
368 while ((app = TAILQ_FIRST(&ap->ap_preselect_list)) != NULL) {
369 TAILQ_REMOVE(&ap->ap_preselect_list, app, app_list);
370 free(app, M_AUDIT_PIPE_PRESELECT);
371 }
372 }
373
374 static void
375 audit_pipe_preselect_flush(struct audit_pipe *ap)
376 {
377
378 AUDIT_PIPE_LOCK(ap);
379 audit_pipe_preselect_flush_locked(ap);
380 AUDIT_PIPE_UNLOCK(ap);
381 }
382
383 /*-
384 * Determine whether a specific audit pipe matches a record with these
385 * properties. Algorithm is as follows:
386 *
387 * - If the pipe is configured to track the default trail configuration, then
388 * use the results of global preselection matching.
389 * - If not, search for a specifically configured auid entry matching the
390 * event. If an entry is found, use that.
391 * - Otherwise, use the default flags or naflags configured for the pipe.
392 */
393 static int
394 audit_pipe_preselect_check(struct audit_pipe *ap, au_id_t auid,
395 au_event_t event, au_class_t class, int sorf, int trail_preselect)
396 {
397 struct audit_pipe_preselect *app;
398
399 AUDIT_PIPE_LOCK_ASSERT(ap);
400
401 switch (ap->ap_preselect_mode) {
402 case AUDITPIPE_PRESELECT_MODE_TRAIL:
403 return (trail_preselect);
404
405 case AUDITPIPE_PRESELECT_MODE_LOCAL:
406 app = audit_pipe_preselect_find(ap, auid);
407 if (app == NULL) {
408 if (auid == AU_DEFAUDITID)
409 return (au_preselect(event, class,
410 &ap->ap_preselect_naflags, sorf));
411 else
412 return (au_preselect(event, class,
413 &ap->ap_preselect_flags, sorf));
414 } else
415 return (au_preselect(event, class, &app->app_mask,
416 sorf));
417
418 default:
419 panic("audit_pipe_preselect_check: mode %d",
420 ap->ap_preselect_mode);
421 }
422
423 return (0);
424 }
425
426 /*
427 * Determine whether there exists a pipe interested in a record with specific
428 * properties.
429 */
430 int
431 audit_pipe_preselect(au_id_t auid, au_event_t event, au_class_t class,
432 int sorf, int trail_preselect)
433 {
434 struct audit_pipe *ap;
435
436 /* Lockless read to avoid acquiring the global lock if not needed. */
437 if (TAILQ_EMPTY(&audit_pipe_list))
438 return (0);
439
440 AUDIT_PIPE_LIST_RLOCK();
441 TAILQ_FOREACH(ap, &audit_pipe_list, ap_list) {
442 AUDIT_PIPE_LOCK(ap);
443 if (audit_pipe_preselect_check(ap, auid, event, class, sorf,
444 trail_preselect)) {
445 AUDIT_PIPE_UNLOCK(ap);
446 AUDIT_PIPE_LIST_RUNLOCK();
447 return (1);
448 }
449 AUDIT_PIPE_UNLOCK(ap);
450 }
451 AUDIT_PIPE_LIST_RUNLOCK();
452 return (0);
453 }
454
455 /*
456 * Append individual record to a queue -- allocate queue-local buffer, and
457 * add to the queue. If the queue is full or we can't allocate memory, drop
458 * the newest record.
459 */
460 static void
461 audit_pipe_append(struct audit_pipe *ap, void *record, u_int record_len)
462 {
463 struct audit_pipe_entry *ape;
464
465 AUDIT_PIPE_LOCK_ASSERT(ap);
466
467 if (ap->ap_qlen >= ap->ap_qlimit) {
468 ap->ap_drops++;
469 audit_pipe_drops++;
470 return;
471 }
472
473 ape = malloc(sizeof(*ape), M_AUDIT_PIPE_ENTRY, M_NOWAIT | M_ZERO);
474 if (ape == NULL) {
475 ap->ap_drops++;
476 audit_pipe_drops++;
477 return;
478 }
479
480 ape->ape_record = malloc(record_len, M_AUDIT_PIPE_ENTRY, M_NOWAIT);
481 if (ape->ape_record == NULL) {
482 free(ape, M_AUDIT_PIPE_ENTRY);
483 ap->ap_drops++;
484 audit_pipe_drops++;
485 return;
486 }
487
488 bcopy(record, ape->ape_record, record_len);
489 ape->ape_record_len = record_len;
490
491 TAILQ_INSERT_TAIL(&ap->ap_queue, ape, ape_queue);
492 ap->ap_inserts++;
493 ap->ap_qlen++;
494 ap->ap_qbyteslen += ape->ape_record_len;
495 selwakeuppri(&ap->ap_selinfo, PSOCK);
496 KNOTE_LOCKED(&ap->ap_selinfo.si_note, 0);
497 if (ap->ap_flags & AUDIT_PIPE_ASYNC)
498 pgsigio(&ap->ap_sigio, SIGIO, 0);
499 cv_broadcast(&ap->ap_cv);
500 }
501
502 /*
503 * audit_pipe_submit(): audit_worker submits audit records via this
504 * interface, which arranges for them to be delivered to pipe queues.
505 */
506 void
507 audit_pipe_submit(au_id_t auid, au_event_t event, au_class_t class, int sorf,
508 int trail_select, void *record, u_int record_len)
509 {
510 struct audit_pipe *ap;
511
512 /*
513 * Lockless read to avoid lock overhead if pipes are not in use.
514 */
515 if (TAILQ_FIRST(&audit_pipe_list) == NULL)
516 return;
517
518 AUDIT_PIPE_LIST_RLOCK();
519 TAILQ_FOREACH(ap, &audit_pipe_list, ap_list) {
520 AUDIT_PIPE_LOCK(ap);
521 if (audit_pipe_preselect_check(ap, auid, event, class, sorf,
522 trail_select))
523 audit_pipe_append(ap, record, record_len);
524 AUDIT_PIPE_UNLOCK(ap);
525 }
526 AUDIT_PIPE_LIST_RUNLOCK();
527
528 /* Unlocked increment. */
529 audit_pipe_records++;
530 }
531
532 /*
533 * audit_pipe_submit_user(): the same as audit_pipe_submit(), except that
534 * since we don't currently have selection information available, it is
535 * delivered to the pipe unconditionally.
536 *
537 * XXXRW: This is a bug. The BSM check routine for submitting a user record
538 * should parse that information and return it.
539 */
540 void
541 audit_pipe_submit_user(void *record, u_int record_len)
542 {
543 struct audit_pipe *ap;
544
545 /*
546 * Lockless read to avoid lock overhead if pipes are not in use.
547 */
548 if (TAILQ_FIRST(&audit_pipe_list) == NULL)
549 return;
550
551 AUDIT_PIPE_LIST_RLOCK();
552 TAILQ_FOREACH(ap, &audit_pipe_list, ap_list) {
553 AUDIT_PIPE_LOCK(ap);
554 audit_pipe_append(ap, record, record_len);
555 AUDIT_PIPE_UNLOCK(ap);
556 }
557 AUDIT_PIPE_LIST_RUNLOCK();
558
559 /* Unlocked increment. */
560 audit_pipe_records++;
561 }
562
563 /*
564 * Allocate a new audit pipe. Connects the pipe, on success, to the global
565 * list and updates statistics.
566 */
567 static struct audit_pipe *
568 audit_pipe_alloc(void)
569 {
570 struct audit_pipe *ap;
571
572 ap = malloc(sizeof(*ap), M_AUDIT_PIPE, M_NOWAIT | M_ZERO);
573 if (ap == NULL)
574 return (NULL);
575 ap->ap_qlimit = AUDIT_PIPE_QLIMIT_DEFAULT;
576 TAILQ_INIT(&ap->ap_queue);
577 knlist_init_mtx(&ap->ap_selinfo.si_note, AUDIT_PIPE_MTX(ap));
578 AUDIT_PIPE_LOCK_INIT(ap);
579 AUDIT_PIPE_SX_LOCK_INIT(ap);
580 cv_init(&ap->ap_cv, "audit_pipe");
581
582 /*
583 * Default flags, naflags, and auid-specific preselection settings to
584 * 0. Initialize the mode to the global trail so that if praudit(1)
585 * is run on /dev/auditpipe, it sees events associated with the
586 * default trail. Pipe-aware application can clear the flag, set
587 * custom masks, and flush the pipe as needed.
588 */
589 bzero(&ap->ap_preselect_flags, sizeof(ap->ap_preselect_flags));
590 bzero(&ap->ap_preselect_naflags, sizeof(ap->ap_preselect_naflags));
591 TAILQ_INIT(&ap->ap_preselect_list);
592 ap->ap_preselect_mode = AUDITPIPE_PRESELECT_MODE_TRAIL;
593
594 /*
595 * Add to global list and update global statistics.
596 */
597 AUDIT_PIPE_LIST_WLOCK();
598 TAILQ_INSERT_HEAD(&audit_pipe_list, ap, ap_list);
599 audit_pipe_count++;
600 audit_pipe_ever++;
601 AUDIT_PIPE_LIST_WUNLOCK();
602
603 return (ap);
604 }
605
606 /*
607 * Flush all records currently present in an audit pipe; assume mutex is held.
608 */
609 static void
610 audit_pipe_flush(struct audit_pipe *ap)
611 {
612 struct audit_pipe_entry *ape;
613
614 AUDIT_PIPE_LOCK_ASSERT(ap);
615
616 while ((ape = TAILQ_FIRST(&ap->ap_queue)) != NULL) {
617 TAILQ_REMOVE(&ap->ap_queue, ape, ape_queue);
618 ap->ap_qbyteslen -= ape->ape_record_len;
619 audit_pipe_entry_free(ape);
620 ap->ap_qlen--;
621 }
622 ap->ap_qoffset = 0;
623
624 KASSERT(ap->ap_qlen == 0, ("audit_pipe_free: ap_qbyteslen"));
625 KASSERT(ap->ap_qbyteslen == 0, ("audit_pipe_flush: ap_qbyteslen"));
626 }
627
628 /*
629 * Free an audit pipe; this means freeing all preselection state and all
630 * records in the pipe. Assumes global write lock and pipe mutex are held to
631 * prevent any new records from being inserted during the free, and that the
632 * audit pipe is still on the global list.
633 */
634 static void
635 audit_pipe_free(struct audit_pipe *ap)
636 {
637
638 AUDIT_PIPE_LIST_WLOCK_ASSERT();
639 AUDIT_PIPE_LOCK_ASSERT(ap);
640
641 audit_pipe_preselect_flush_locked(ap);
642 audit_pipe_flush(ap);
643 cv_destroy(&ap->ap_cv);
644 AUDIT_PIPE_SX_LOCK_DESTROY(ap);
645 AUDIT_PIPE_LOCK_DESTROY(ap);
646 seldrain(&ap->ap_selinfo);
647 knlist_destroy(&ap->ap_selinfo.si_note);
648 TAILQ_REMOVE(&audit_pipe_list, ap, ap_list);
649 free(ap, M_AUDIT_PIPE);
650 audit_pipe_count--;
651 }
652
653 static void
654 audit_pipe_dtor(void *arg)
655 {
656 struct audit_pipe *ap;
657
658 ap = arg;
659 funsetown(&ap->ap_sigio);
660 AUDIT_PIPE_LIST_WLOCK();
661 AUDIT_PIPE_LOCK(ap);
662 audit_pipe_free(ap);
663 AUDIT_PIPE_LIST_WUNLOCK();
664 }
665
666 /*
667 * Audit pipe open method. Explicit privilege check isn't used as this
668 * allows file permissions on the special device to be used to grant audit
669 * review access. Those file permissions should be managed carefully.
670 */
671 static int
672 audit_pipe_open(struct cdev *dev, int oflags, int devtype, struct thread *td)
673 {
674 struct audit_pipe *ap;
675 int error;
676
677 ap = audit_pipe_alloc();
678 if (ap == NULL)
679 return (ENOMEM);
680 fsetown(td->td_proc->p_pid, &ap->ap_sigio);
681 error = devfs_set_cdevpriv(ap, audit_pipe_dtor);
682 if (error != 0)
683 audit_pipe_dtor(ap);
684 return (error);
685 }
686
687 /*
688 * Audit pipe ioctl() routine. Handle file descriptor and audit pipe layer
689 * commands.
690 */
691 static int
692 audit_pipe_ioctl(struct cdev *dev, u_long cmd, caddr_t data, int flag,
693 struct thread *td)
694 {
695 struct auditpipe_ioctl_preselect *aip;
696 struct audit_pipe *ap;
697 au_mask_t *maskp;
698 int error, mode;
699 au_id_t auid;
700
701 error = devfs_get_cdevpriv((void **)&ap);
702 if (error != 0)
703 return (error);
704
705 /*
706 * Audit pipe ioctls: first come standard device node ioctls, then
707 * manipulation of pipe settings, and finally, statistics query
708 * ioctls.
709 */
710 switch (cmd) {
711 case FIONBIO:
712 AUDIT_PIPE_LOCK(ap);
713 if (*(int *)data)
714 ap->ap_flags |= AUDIT_PIPE_NBIO;
715 else
716 ap->ap_flags &= ~AUDIT_PIPE_NBIO;
717 AUDIT_PIPE_UNLOCK(ap);
718 error = 0;
719 break;
720
721 case FIONREAD:
722 AUDIT_PIPE_LOCK(ap);
723 *(int *)data = ap->ap_qbyteslen - ap->ap_qoffset;
724 AUDIT_PIPE_UNLOCK(ap);
725 error = 0;
726 break;
727
728 case FIOASYNC:
729 AUDIT_PIPE_LOCK(ap);
730 if (*(int *)data)
731 ap->ap_flags |= AUDIT_PIPE_ASYNC;
732 else
733 ap->ap_flags &= ~AUDIT_PIPE_ASYNC;
734 AUDIT_PIPE_UNLOCK(ap);
735 error = 0;
736 break;
737
738 case FIOSETOWN:
739 error = fsetown(*(int *)data, &ap->ap_sigio);
740 break;
741
742 case FIOGETOWN:
743 *(int *)data = fgetown(&ap->ap_sigio);
744 error = 0;
745 break;
746
747 case AUDITPIPE_GET_QLEN:
748 *(u_int *)data = ap->ap_qlen;
749 error = 0;
750 break;
751
752 case AUDITPIPE_GET_QLIMIT:
753 *(u_int *)data = ap->ap_qlimit;
754 error = 0;
755 break;
756
757 case AUDITPIPE_SET_QLIMIT:
758 /* Lockless integer write. */
759 if (*(u_int *)data >= AUDIT_PIPE_QLIMIT_MIN &&
760 *(u_int *)data <= AUDIT_PIPE_QLIMIT_MAX) {
761 ap->ap_qlimit = *(u_int *)data;
762 error = 0;
763 } else
764 error = EINVAL;
765 break;
766
767 case AUDITPIPE_GET_QLIMIT_MIN:
768 *(u_int *)data = AUDIT_PIPE_QLIMIT_MIN;
769 error = 0;
770 break;
771
772 case AUDITPIPE_GET_QLIMIT_MAX:
773 *(u_int *)data = AUDIT_PIPE_QLIMIT_MAX;
774 error = 0;
775 break;
776
777 case AUDITPIPE_GET_PRESELECT_FLAGS:
778 AUDIT_PIPE_LOCK(ap);
779 maskp = (au_mask_t *)data;
780 *maskp = ap->ap_preselect_flags;
781 AUDIT_PIPE_UNLOCK(ap);
782 error = 0;
783 break;
784
785 case AUDITPIPE_SET_PRESELECT_FLAGS:
786 AUDIT_PIPE_LOCK(ap);
787 maskp = (au_mask_t *)data;
788 ap->ap_preselect_flags = *maskp;
789 AUDIT_PIPE_UNLOCK(ap);
790 error = 0;
791 break;
792
793 case AUDITPIPE_GET_PRESELECT_NAFLAGS:
794 AUDIT_PIPE_LOCK(ap);
795 maskp = (au_mask_t *)data;
796 *maskp = ap->ap_preselect_naflags;
797 AUDIT_PIPE_UNLOCK(ap);
798 error = 0;
799 break;
800
801 case AUDITPIPE_SET_PRESELECT_NAFLAGS:
802 AUDIT_PIPE_LOCK(ap);
803 maskp = (au_mask_t *)data;
804 ap->ap_preselect_naflags = *maskp;
805 AUDIT_PIPE_UNLOCK(ap);
806 error = 0;
807 break;
808
809 case AUDITPIPE_GET_PRESELECT_AUID:
810 aip = (struct auditpipe_ioctl_preselect *)data;
811 error = audit_pipe_preselect_get(ap, aip->aip_auid,
812 &aip->aip_mask);
813 break;
814
815 case AUDITPIPE_SET_PRESELECT_AUID:
816 aip = (struct auditpipe_ioctl_preselect *)data;
817 audit_pipe_preselect_set(ap, aip->aip_auid, aip->aip_mask);
818 error = 0;
819 break;
820
821 case AUDITPIPE_DELETE_PRESELECT_AUID:
822 auid = *(au_id_t *)data;
823 error = audit_pipe_preselect_delete(ap, auid);
824 break;
825
826 case AUDITPIPE_FLUSH_PRESELECT_AUID:
827 audit_pipe_preselect_flush(ap);
828 error = 0;
829 break;
830
831 case AUDITPIPE_GET_PRESELECT_MODE:
832 AUDIT_PIPE_LOCK(ap);
833 *(int *)data = ap->ap_preselect_mode;
834 AUDIT_PIPE_UNLOCK(ap);
835 error = 0;
836 break;
837
838 case AUDITPIPE_SET_PRESELECT_MODE:
839 mode = *(int *)data;
840 switch (mode) {
841 case AUDITPIPE_PRESELECT_MODE_TRAIL:
842 case AUDITPIPE_PRESELECT_MODE_LOCAL:
843 AUDIT_PIPE_LOCK(ap);
844 ap->ap_preselect_mode = mode;
845 AUDIT_PIPE_UNLOCK(ap);
846 error = 0;
847 break;
848
849 default:
850 error = EINVAL;
851 }
852 break;
853
854 case AUDITPIPE_FLUSH:
855 if (AUDIT_PIPE_SX_XLOCK_SIG(ap) != 0)
856 return (EINTR);
857 AUDIT_PIPE_LOCK(ap);
858 audit_pipe_flush(ap);
859 AUDIT_PIPE_UNLOCK(ap);
860 AUDIT_PIPE_SX_XUNLOCK(ap);
861 error = 0;
862 break;
863
864 case AUDITPIPE_GET_MAXAUDITDATA:
865 *(u_int *)data = MAXAUDITDATA;
866 error = 0;
867 break;
868
869 case AUDITPIPE_GET_INSERTS:
870 *(u_int *)data = ap->ap_inserts;
871 error = 0;
872 break;
873
874 case AUDITPIPE_GET_READS:
875 *(u_int *)data = ap->ap_reads;
876 error = 0;
877 break;
878
879 case AUDITPIPE_GET_DROPS:
880 *(u_int *)data = ap->ap_drops;
881 error = 0;
882 break;
883
884 case AUDITPIPE_GET_TRUNCATES:
885 *(u_int *)data = 0;
886 error = 0;
887 break;
888
889 default:
890 error = ENOTTY;
891 }
892 return (error);
893 }
894
895 /*
896 * Audit pipe read. Read one or more partial or complete records to user
897 * memory.
898 */
899 static int
900 audit_pipe_read(struct cdev *dev, struct uio *uio, int flag)
901 {
902 struct audit_pipe_entry *ape;
903 struct audit_pipe *ap;
904 u_int toread;
905 int error;
906
907 error = devfs_get_cdevpriv((void **)&ap);
908 if (error != 0)
909 return (error);
910
911 /*
912 * We hold an sx(9) lock over read and flush because we rely on the
913 * stability of a record in the queue during uiomove(9).
914 */
915 if (AUDIT_PIPE_SX_XLOCK_SIG(ap) != 0)
916 return (EINTR);
917 AUDIT_PIPE_LOCK(ap);
918 while (TAILQ_EMPTY(&ap->ap_queue)) {
919 if (ap->ap_flags & AUDIT_PIPE_NBIO) {
920 AUDIT_PIPE_UNLOCK(ap);
921 AUDIT_PIPE_SX_XUNLOCK(ap);
922 return (EAGAIN);
923 }
924 error = cv_wait_sig(&ap->ap_cv, AUDIT_PIPE_MTX(ap));
925 if (error) {
926 AUDIT_PIPE_UNLOCK(ap);
927 AUDIT_PIPE_SX_XUNLOCK(ap);
928 return (error);
929 }
930 }
931
932 /*
933 * Copy as many remaining bytes from the current record to userspace
934 * as we can. Keep processing records until we run out of records in
935 * the queue, or until the user buffer runs out of space.
936 *
937 * Note: we rely on the SX lock to maintain ape's stability here.
938 */
939 ap->ap_reads++;
940 while ((ape = TAILQ_FIRST(&ap->ap_queue)) != NULL &&
941 uio->uio_resid > 0) {
942 AUDIT_PIPE_LOCK_ASSERT(ap);
943
944 KASSERT(ape->ape_record_len > ap->ap_qoffset,
945 ("audit_pipe_read: record_len > qoffset (1)"));
946 toread = MIN(ape->ape_record_len - ap->ap_qoffset,
947 uio->uio_resid);
948 AUDIT_PIPE_UNLOCK(ap);
949 error = uiomove((char *)ape->ape_record + ap->ap_qoffset,
950 toread, uio);
951 if (error) {
952 AUDIT_PIPE_SX_XUNLOCK(ap);
953 return (error);
954 }
955
956 /*
957 * If the copy succeeded, update book-keeping, and if no
958 * bytes remain in the current record, free it.
959 */
960 AUDIT_PIPE_LOCK(ap);
961 KASSERT(TAILQ_FIRST(&ap->ap_queue) == ape,
962 ("audit_pipe_read: queue out of sync after uiomove"));
963 ap->ap_qoffset += toread;
964 KASSERT(ape->ape_record_len >= ap->ap_qoffset,
965 ("audit_pipe_read: record_len >= qoffset (2)"));
966 if (ap->ap_qoffset == ape->ape_record_len) {
967 TAILQ_REMOVE(&ap->ap_queue, ape, ape_queue);
968 ap->ap_qbyteslen -= ape->ape_record_len;
969 audit_pipe_entry_free(ape);
970 ap->ap_qlen--;
971 ap->ap_qoffset = 0;
972 }
973 }
974 AUDIT_PIPE_UNLOCK(ap);
975 AUDIT_PIPE_SX_XUNLOCK(ap);
976 return (0);
977 }
978
979 /*
980 * Audit pipe poll.
981 */
982 static int
983 audit_pipe_poll(struct cdev *dev, int events, struct thread *td)
984 {
985 struct audit_pipe *ap;
986 int error, revents;
987
988 revents = 0;
989 error = devfs_get_cdevpriv((void **)&ap);
990 if (error != 0)
991 return (error);
992 if (events & (POLLIN | POLLRDNORM)) {
993 AUDIT_PIPE_LOCK(ap);
994 if (TAILQ_FIRST(&ap->ap_queue) != NULL)
995 revents |= events & (POLLIN | POLLRDNORM);
996 else
997 selrecord(td, &ap->ap_selinfo);
998 AUDIT_PIPE_UNLOCK(ap);
999 }
1000 return (revents);
1001 }
1002
1003 /*
1004 * Audit pipe kqfilter.
1005 */
1006 static int
1007 audit_pipe_kqfilter(struct cdev *dev, struct knote *kn)
1008 {
1009 struct audit_pipe *ap;
1010 int error;
1011
1012 error = devfs_get_cdevpriv((void **)&ap);
1013 if (error != 0)
1014 return (error);
1015 if (kn->kn_filter != EVFILT_READ)
1016 return (EINVAL);
1017
1018 kn->kn_fop = &audit_pipe_read_filterops;
1019 kn->kn_hook = ap;
1020
1021 AUDIT_PIPE_LOCK(ap);
1022 knlist_add(&ap->ap_selinfo.si_note, kn, 1);
1023 AUDIT_PIPE_UNLOCK(ap);
1024 return (0);
1025 }
1026
1027 /*
1028 * Return true if there are records available for reading on the pipe.
1029 */
1030 static int
1031 audit_pipe_kqread(struct knote *kn, long hint)
1032 {
1033 struct audit_pipe *ap;
1034
1035 ap = (struct audit_pipe *)kn->kn_hook;
1036 AUDIT_PIPE_LOCK_ASSERT(ap);
1037
1038 if (ap->ap_qlen != 0) {
1039 kn->kn_data = ap->ap_qbyteslen - ap->ap_qoffset;
1040 return (1);
1041 } else {
1042 kn->kn_data = 0;
1043 return (0);
1044 }
1045 }
1046
1047 /*
1048 * Detach kqueue state from audit pipe.
1049 */
1050 static void
1051 audit_pipe_kqdetach(struct knote *kn)
1052 {
1053 struct audit_pipe *ap;
1054
1055 ap = (struct audit_pipe *)kn->kn_hook;
1056 AUDIT_PIPE_LOCK(ap);
1057 knlist_remove(&ap->ap_selinfo.si_note, kn, 1);
1058 AUDIT_PIPE_UNLOCK(ap);
1059 }
1060
1061 /*
1062 * Initialize the audit pipe system.
1063 */
1064 static void
1065 audit_pipe_init(void *unused)
1066 {
1067
1068 TAILQ_INIT(&audit_pipe_list);
1069 AUDIT_PIPE_LIST_LOCK_INIT();
1070 audit_pipe_dev = make_dev(&audit_pipe_cdevsw, 0, UID_ROOT,
1071 GID_WHEEL, 0600, "%s", AUDIT_PIPE_NAME);
1072 if (audit_pipe_dev == NULL) {
1073 AUDIT_PIPE_LIST_LOCK_DESTROY();
1074 panic("Can't initialize audit pipe subsystem");
1075 }
1076 }
1077
1078 SYSINIT(audit_pipe_init, SI_SUB_DRIVERS, SI_ORDER_MIDDLE, audit_pipe_init,
1079 NULL);
Cache object: 51c6b01dbbb42c3eec9cc9837a0216c7
|